
Blue Coat® Systems

Director™

Configuration and Management Guide

SGME Version 5.4.2.x


Director Configuration and Management Guide

Contact Information

Americas:
Blue Coat Systems Inc.
410 North Mary Ave
Sunnyvale, CA 94085-4121

Rest of the World:


Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

http://www.bluecoat.com/support/contactsupport

http://www.bluecoat.com

For concerns or feedback about the documentation:


documentation@bluecoat.com

Copyright© 1999-2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat
Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®,
PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®,
Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY “BLUE COAT”) DISCLAIM ALL
WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND
DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT,
ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER
LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085

Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

Document Number: 231-03036


Document Revision: SGME 5.4.2.x—09/17/2009

Third Party Copyright Notices


Blue Coat Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in
the copyright notices below.
The following lists the copyright notices for:
JPAM and Tomcat
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For
the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and
configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object
code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is
included in or attached to the work.
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions,
annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works
shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative
Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to
submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking
systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is
conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently
incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide,
non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense,
and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer
the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or
by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity
(including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory
patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in
Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent
notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent,
trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d)
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the
attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the
following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the
Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the
NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You
distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as
modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use,
reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the
Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall
supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as
required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its
Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation,
any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely
responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under
this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable
law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect,
special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not
limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such
Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for,
acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations,
You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and
hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or
additional liability.
Java JRE
SUN MICROSYSTEMS, INC. ("SUN") IS WILLING TO LICENSE THIS SPECIFICATION TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT
ALL OF THE TERMS CONTAINED IN THIS AGREEMENT. PLEASE READ THE TERMS AND CONDITIONS OF THIS AGREEMENT CAREFULLY. BY
DOWNLOADING THIS SPECIFICATION, YOU ACCEPT THE TERMS AND CONDITIONS OF THE AGREEMENT.
Specification: JAVA PLATFORM, STANDARD EDITION ("Specification")
Version: 6
Status: Final Release
Release: December 7, 2006
Copyright 2006 SUN MICROSYSTEMS, INC.
4150 Network Circle, Santa Clara, California 95054, U.S.A
All rights reserved.
LIMITED LICENSE GRANTS
1. License for Evaluation Purposes.
Sun hereby grants you a fully-paid, non-exclusive, non-transferable, worldwide, limited license (without the right to sublicense), under Sun's applicable
intellectual property rights to view, download, use and reproduce the Specification only for the purpose of internal evaluation. This includes (i) developing
applications intended to run on an implementation of the Specification, provided that such applications do not themselves implement any portion(s) of the
Specification, and (ii) discussing the Specification with any third party; and (iii) excerpting brief portions of the Specification in oral or written
communications which discuss the Specification provided that such excerpts do not in the aggregate constitute a significant portion of the Specification.
2. License for the Distribution of Compliant Implementations.
Sun also grants you a perpetual, non-exclusive, non-transferable, worldwide, fully paid-up, royalty free, limited license (without the right to sublicense)
under any applicable copyrights or, subject to the provisions of subsection 4 below, patent rights it may have covering the Specification to create and/or
distribute an Independent Implementation of the Specification that: (a) fully implements the Specification including all its required interfaces and
functionality; (b) does not modify, subset, superset or otherwise extend the Licensor Name Space, or include any public or protected packages, classes, Java
interfaces, fields or methods within the Licensor Name Space other than those required/authorized by the Specification or Specifications being implemented;
and (c) passes the Technology Compatibility Kit (including satisfying the requirements of the applicable TCK Users Guide) for such Specification ("Compliant
Implementation"). In addition, the foregoing license is expressly conditioned on your not acting outside its scope. No license is granted hereunder for any
other purpose (including, for example, modifying the Specification, other than to the extent of your fair use rights, or distributing the Specification to third
parties). Also, no right, title, or interest in or to any trademarks, service marks, or trade names of Sun or Sun's licensors is granted hereunder. Java, and
Java-related logos, marks and names are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
3. Pass-through Conditions.
You need not include limitations (a)-(c) from the previous paragraph or any other particular "pass through" requirements in any license You grant concerning
the use of your Independent Implementation or products derived from it. However, except with respect to Independent Implementations (and products
derived from them) that satisfy limitations (a)-(c) from the previous paragraph, You may neither: (a) grant or otherwise pass through to your licensees any
licenses under Sun's applicable intellectual property rights; nor (b) authorize your licensees to make any claims concerning their implementation's compliance
with the Specification in question.
4. Reciprocity Concerning Patent Licenses.
a. With respect to any patent claims covered by the license granted under subparagraph 2 above that would be infringed by all technically feasible
implementations of the Specification, such license is conditioned upon your offering on fair, reasonable and non-discriminatory terms, to any party seeking it
from You, a perpetual, non-exclusive, non-transferable, worldwide license under Your patent rights which are or would be infringed by all technically feasible
implementations of the Specification to develop, distribute and use a Compliant Implementation.
b. With respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2, whether or not their infringement can be
avoided in a technically feasible manner when implementing the Specification, such license shall terminate with respect to such claims if You initiate a claim
against Sun that it has, in the course of performing its responsibilities as the Specification Lead, induced any other entity to infringe Your patent rights.
c. Also with respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2 above, where the infringement of such
claims can be avoided in a technically feasible manner when implementing the Specification such license, with respect to such claims, shall terminate if You
initiate a claim against Sun that its making, having made, using, offering to sell, selling or importing a Compliant Implementation infringes Your patent rights.
5. Definitions.
For the purposes of this Agreement: "Independent Implementation" shall mean an implementation of the Specification that neither derives from any of Sun's
source code or binary code materials nor, except with an appropriate and separate license from Sun, includes any of Sun's source code or binary code
materials; "Licensor Name Space" shall mean the public class or interface declarations whose names begin with "java", "javax", "com.sun" or their equivalents
in any subsequent naming convention adopted by Sun through the Java Community Process, or any recognized successors or replacements thereof; and
"Technology Compatibility Kit" or "TCK" shall mean the test suite and accompanying TCK User's Guide provided by Sun which corresponds to the
Specification and that was available either (i) from Sun's 120 days before the first release of Your Independent Implementation that allows its use for
commercial purposes, or (ii) more recently than 120 days from such release but against which You elect to test Your implementation of the Specification.
This Agreement will terminate immediately without notice from Sun if you breach the Agreement or act outside the scope of the licenses granted above.
DISCLAIMER OF WARRANTIES
THE SPECIFICATION IS PROVIDED "AS IS". SUN MAKES NO REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT (INCLUDING AS A
CONSEQUENCE OF ANY PRACTICE OR IMPLEMENTATION OF THE SPECIFICATION), OR THAT THE CONTENTS OF THE SPECIFICATION ARE
SUITABLE FOR ANY PURPOSE. This document does not represent any commitment to release or implement any portion of the Specification in any product.
In addition, the Specification could include technical inaccuracies or typographical errors.
LIMITATION OF LIABILITY
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT
LIMITATION, LOST REVENUE, PROFITS OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES,
HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED IN ANY WAY TO YOUR HAVING,
IMPLEMENTING OR OTHERWISE USING THE SPECIFICATION, EVEN IF SUN AND/OR ITS LICENSORS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. You will indemnify, hold harmless, and defend Sun and its licensors from any claims arising or resulting from: (i) your
use of the Specification; (ii) the use or distribution of your Java application, applet and/or implementation; and/or (iii) any claims that later versions or
releases of any Specification furnished to you are incompatible with the Specification provided to you under this license.
RESTRICTED RIGHTS LEGEND
U.S. Government: If this Specification is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at
any tier), then the Government's rights in the Software and accompanying documentation shall be only as set forth in this license; this is in accordance with 48
C.F.R. 227.7201 through 227.7202-4 (for Department of Defense (DoD) acquisitions) and with 48 C.F.R. 2.101 and 12.212 (for non-DoD acquisitions).
REPORT
If you provide Sun with any comments or suggestions concerning the Specification ("Feedback"), you hereby: (i) agree that such Feedback is provided on a
non-proprietary and non-confidential basis, and (ii) grant Sun a perpetual, non-exclusive, worldwide, fully paid-up, irrevocable license, with the right to
sublicense through multiple levels of sublicensees, to incorporate, disclose, and use without limitation the Feedback for any purpose.
GENERAL TERMS
Any action related to this Agreement will be governed by California law and controlling U.S. federal law. The U.N. Convention for the International Sale of
Goods and the choice of law rules of any jurisdiction will not apply.
The Specification is subject to U.S. export control laws and may be subject to export or import regulations in other countries. Licensee agrees to comply strictly
with all such laws and regulations and acknowledges that it has the responsibility to obtain such licenses to export, re-export or import as may be required
after delivery to Licensee.
This Agreement is the parties' entire agreement relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications,
proposals, conditions, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other
communication between the parties relating to its subject matter during the term of this Agreement. No modification to this Agreement will be binding, unless
in writing and signed by an authorized representative of each party.
Rev. April, 2006
PostgreSQL is released under the BSD license.
PostgreSQL Database Management System (formerly known as Postgres, then as Postgres95)
Portions Copyright (c) 1996-2008, The PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California
Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby
granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.
IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF
THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS"
BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
MODIFICATIONS.
JDOM.jar Copyright (C) 2000-2004 Jason Hunter & Brett McLaughlin. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the disclaimer that follows these conditions in the
documentation and/or other materials provided with the distribution.
3. The name "JDOM" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,
please contact request@jdom.org.
4. Products derived from this software may not be called "JDOM", nor may "JDOM" appear in their name, without prior written permission from the JDOM
Project Management request@jdom.org.
In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an
acknowledgement equivalent to the following:
"This product includes software developed by the JDOM Project (http://www.jdom.org/)."
Alternatively, the acknowledgment may be graphical using the logos available at http://www.jdom.org/images/logos.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE JDOM
AUTHORS OR THE PROJECT CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the JDOM Project and was originally created by Jason Hunter
<jhunter@jdom.org> and Brett McLaughlin <brett@jdom.org>. For more information on the JDOM Project, please see http://www.jdom.org.
JFreeChart
JFreeChart is a free (LGPL) chart library for the Java(tm) platform.
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above
copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety
in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display
the following acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific
prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim Gillogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the
Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
ISODE
ISODE 8.0 NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the Preface in the User's
Manual for the full terms of this agreement.
4BSD/ISODE SMP NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-READ-ME.
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5
Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular
purpose. It is provided "as is" without express or implied warranty of any kind.
"THE BEER-WARE LICENSE" (Revision 42):
<phk@FreeBSD.org> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet
some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
Microsoft Windows Media Streaming
Copyright (c) 2003 Microsoft Corporation. All rights reserved.
OpenLDAP
Copyright (c) 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim
copies of this document is granted.
http://www.openldap.org/software/release/license.html
The OpenLDAP Public License Version 2.7, 7 September 2001
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the
documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under
terms of this license revision or under the terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF
THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software
without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
OpenSSH
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a
licence more free than that.
OpenSSH contains no GPL code.
1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly
marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure
Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my
direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose
(the GNU license being the most restrictive); see below for details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed
from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific
library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible
for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any
responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE
PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without
modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com>
3) ssh-keygen was contributed by David Mazieres under a BSD-style license.
Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted provided that due
credit is given to the author and the OpenBSD project by leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original
Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
http://www.openssl.org/about/
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young <mailto:eay@cryptsoft.com> and Tim J. Hudson <mailto:tjh@cryptsoft.com>.
The OpenSSL toolkit is licensed under an Apache-style license which basically means that you are free to get and use it for commercial and non-commercial
purposes.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape's SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code
found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered
by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should
be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online
or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic
software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic
related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This
product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and
put under another distribution license [including the GNU Public License.]
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written
permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the
OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel <ph10@cam.ac.uk>
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following
restrictions:
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the
University of Cambridge, England.
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PHAOS SSLava and SSLavaThin
Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved.
The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the design and development of
which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. The software
and any portions or copies thereof shall at all times remain the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION ALONE OR IN
COMBINATION WITH ANY OTHER SOFTWARE.
PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR
SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
RealSystem
The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All rights reserved.
SNMP
Copyright (C) 1992-2001 by SNMP Research, Incorporated.
This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the inclusion of the above
copyright notice. This software or any other copies thereof may not be provided or otherwise made available to any other person. No title to and ownership of
the software is hereby transferred. The information in this software is subject to change without notice and should not be construed as a commitment by
SNMP Research, Incorporated.
Restricted Rights Legend:
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted Rights Clause, FAR 52.227-19; and in
similar clauses in the NASA FAR Supplement and other corresponding governmental regulations.
PROPRIETARY NOTICE
This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law. Unauthorized copying,
redistribution or other use of this work is prohibited. The above notice of copyright on this source code product does not indicate any actual or intended
publication of such source code.
STLport
Copyright (c) 1999, 2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to
modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with
the above copyright notice.
The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.
Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon
Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow
Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
Trend Micro
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved.
zlib
Copyright (c) 2003 by the Open Source Initiative
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of
this software.
ICU License - ICU 1.8.1 and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1995-2003 International Business Machines Corporation and others
All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission
notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE
SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO
EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT
OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to
promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder
The PHP License, version 3.01 Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,
please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net.
You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may
also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP
Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP software, freely available from
<http://www.php.net/software/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.
The PHP Group can be contacted via Email at group@php.net.
For more information on the PHP Group and the PHP project, please see <http://www.php.net>.

The Zend Engine License, version 2.00 Copyright (c) 1999-2002 Zend Technologies Ltd. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The names "Zend" and "Zend Engine" must not be used to endorse or promote products derived from this software without prior permission from Zend
Technologies Ltd. For written permission, please contact license@zend.com.
4. Zend Technologies Ltd. may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version
number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version.
You may also choose to use such covered code under the terms of any subsequent version of the license published by Zend Technologies Ltd. No one other
than Zend Technologies Ltd. has the right to modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes the Zend Engine, freely available at
http://www.zend.com"
6. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"The Zend Engine is freely available at http://www.zend.com"
THIS SOFTWARE IS PROVIDED BY ZEND TECHNOLOGIES LTD. ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL ZEND TECHNOLOGIES LTD. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

TSRM (Thread Safe Resource Manager) license. Copyright (c) 1999, 2000, Andi Gutmans, Sascha Schumann, Zeev Suraski.
All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are
met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither name of the copyright holders nor the names of their contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Regex. Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.
Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following
restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the
documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits
must appear in the documentation.
4. This notice may not be removed or altered.

libgd
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National
Institutes of Health.
Portions copyright 1996, 1997, 1998, 1999, 2000, 2001 by Boutell.Com, Inc.
Portions relating to GD2 format copyright 1999, 2000 Philip Warner.
Portions relating to PNG copyright 1999, 2000 Greg Roelofs.
Portions relating to libttf copyright 1999, 2000 John Ellson (ellson@lucent.com).
Portions relating to JPEG and to color quantization copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane. This software is based in part
on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.
Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is
present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible
documentation.
This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of
merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.
Although their code does not appear in gd 2.0.1, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for
their prior contributions.
mail.jar
Sun Microsystems, Inc. ("Sun") ENTITLEMENT for SOFTWARE
Permitted Uses:
1. You may reproduce and use the Software for Individual, Commercial, or Research and Instructional Use for the purposes of designing, developing, testing,
and running Your applets and application ("Programs").
2. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software's documentation, You may reproduce and
distribute portions of Software identified as a redistributable in the documentation ("Redistributable"), provided that:
(a) you distribute Redistributable complete and unmodified and only bundled as part of Your Programs,
(b) your Programs add significant and primary functionality to the Redistributable,
(c) you distribute Redistributable for the sole purpose of running your Programs,
(d) you do not distribute additional software intended to replace any component(s) of the Redistributable,
(e) you do not remove or alter any proprietary legends or notices contained in or on the Redistributable.
(f) you only distribute the Redistributable subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement,
and
(g) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including
attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all
Programs and/or Redistributable.
3. Java Technology Restrictions. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of,
classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention
designation.
B. Sun Microsystems, Inc. ("Sun")
SOFTWARE LICENSE AGREEMENT
READ THE TERMS OF THIS AGREEMENT ("AGREEMENT") CAREFULLY BEFORE OPENING SOFTWARE MEDIA PACKAGE. BY OPENING
SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCESSING SOFTWARE ELECTRONICALLY,
INDICATE YOUR ACCEPTANCE OF THESE TERMS BY SELECTING THE "ACCEPT" BUTTON AT THE END OF THIS AGREEMENT. IF YOU DO NOT
AGREE TO ALL OF THE TERMS, PROMPTLY RETURN THE UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE FOR A REFUND OR, IF SOFTWARE
IS ACCESSED ELECTRONICALLY, SELECT THE "DECLINE" (OR "EXIT") BUTTON AT THE END OF THIS AGREEMENT. IF YOU HAVE SEPARATELY
AGREED TO LICENSE TERMS ("MASTER TERMS") FOR YOUR LICENSE TO THIS SOFTWARE, THEN SECTIONS 1-5 OF THIS AGREEMENT
("SUPPLEMENTAL LICENSE TERMS") SHALL SUPPLEMENT AND SUPERSEDE THE MASTER TERMS IN RELATION TO THIS SOFTWARE.
1. Definitions.
(a) "Entitlement" means the collective set of applicable documents authorized by Sun evidencing your obligation to pay associated fees (if any) for the license,
associated Services, and the authorized scope of use of Software under this Agreement.
(b) "Licensed Unit" means the unit of measure by which your use of Software and/or Service is licensed, as described in your Entitlement.
(c) "Permitted Use" means the licensed Software use(s) authorized in this Agreement as specified in your Entitlement. The Permitted Use for any bundled Sun
software not specified in your Entitlement will be evaluation use as provided in Section 3.
(d) "Service" means the service(s) that Sun or its delegate will provide, if any, as selected in your Entitlement and as further described in the applicable service
listings at www.sun.com/service/servicelist.
(e) "Software" means the Sun software described in your Entitlement. Also, certain software may be included for evaluation use under Section 3.
(f) "You" and "Your" means the individual or legal entity specified in the Entitlement, or for evaluation purposes, the entity performing the evaluation.
2. License Grant and Entitlement.
Subject to the terms of your Entitlement, Sun grants you a nonexclusive, nontransferable limited license to use Software for its Permitted Use for the license
term. Your Entitlement will specify (a) Software licensed, (b) the Permitted Use, (c) the license term, and (d) the Licensed Units.
Additionally, if your Entitlement includes Services, then it will also specify the (e) Service and (f) service term.
If your rights to Software or Services are limited in duration and the date such rights begin is other than the purchase date, your Entitlement will provide that
beginning date(s).
The Entitlement may be delivered to you in various ways depending on the manner in which you obtain Software and Services, for example, the Entitlement
may be provided in your receipt, invoice or your contract with Sun or authorized Sun reseller. It may also be in electronic format if you download Software.
3. Permitted Use.
As selected in your Entitlement, one or more of the following Permitted Uses will apply to your use of Software. Unless you have an Entitlement that
expressly permits it, you may not use Software for any of the other Permitted Uses. If you don't have an Entitlement, or if your Entitlement doesn't cover
additional software delivered to you, then such software is for your Evaluation Use.
(a) Evaluation Use. You may evaluate Software internally for a period of 90 days from your first use.
(b) Research and Instructional Use. You may use Software internally to design, develop and test, and also to provide instruction on such uses.
(c) Individual Use. You may use Software internally for personal, individual use.
(d) Commercial Use. You may use Software internally for your own commercial purposes.
(e) Service Provider Use. You may make Software functionality accessible (but not by providing Software itself or through outsourcing services) to
your end users in an extranet deployment, but not to your affiliated companies or to government agencies.
4. Licensed Units.
Your Permitted Use is limited to the number of Licensed Units stated in your Entitlement. If you require additional Licensed Units, you will need additional
Entitlement(s).
5. Restrictions.
(a) The copies of Software provided to you under this Agreement are licensed, not sold, to you by Sun. Sun reserves all rights not expressly granted.
(b) You may make a single archival copy of Software, but otherwise may not copy, modify, or distribute Software. However if the Sun documentation accompanying
Software lists specific portions of Software, such as header files, class libraries, reference source code, and/or redistributable files, that may be handled
differently, you may do so only as provided in the Sun documentation.
(c) You may not rent, lease, lend or encumber Software.
(d) Unless enforcement is prohibited by applicable law, you may not decompile, or reverse engineer Software.
(e) The terms and conditions of this Agreement will apply to any Software updates, provided to you at Sun's discretion, that replace and/or supplement the
original Software, unless such update contains a separate license.
(f) You may not publish or provide the results of any benchmark or comparison tests run on Software to any third party without the prior written consent of
Sun.
(g) Software is confidential and copyrighted.
(h) Unless otherwise specified, if Software is delivered with embedded or bundled software that enables functionality of Software, you may not use such
software on a stand-alone basis or use any portion of such software to interoperate with any program(s) other than Software.
(i) Software may contain programs that perform automated collection of system data and/or automated software updating services. System data collected
through such programs may be used by Sun, its subcontractors, and its service delivery partners for the purpose of providing you with remote system services
and/or improving Sun's software and systems.
(j) Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility and Sun and its licensors
disclaim any express or implied warranty of fitness for such uses.
(k) No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement.
6. Term and Termination.
The license and service term are set forth in your Entitlement(s). Your rights under this Agreement will terminate immediately without notice from Sun if you
materially breach it or take any action in derogation of Sun's and/or its licensors' rights to Software. Sun may terminate this Agreement should any Software
become, or in Sun's reasonable opinion likely to become, the subject of a claim of intellectual property infringement or trade secret misappropriation. Upon
termination, you will cease use of, and destroy, Software and confirm compliance in writing to Sun. Sections 1, 5, 6, 7, and 9-15 will survive termination of the
Agreement.
7. Java Compatibility and Open Source.
Software may contain Java technology. You may not create additional classes to, or modifications of, the Java technology, except under compatibility
requirements available under a separate agreement available at www.java.net.
Sun supports and benefits from the global community of open source developers, and thanks the community for its important contributions and open
standards-based technology, which Sun has adopted into many of its products.
Please note that portions of Software may be provided with notices and open source licenses from such communities and third parties that govern the use of
those portions, and any licenses granted hereunder do not alter any rights and obligations you may have under such open source licenses, however, the
disclaimer of warranty and limitation of liability provisions in this Agreement will apply to all Software in this distribution.
8. Limited Warranty.
Sun warrants to you that for a period of 90 days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if
any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy
and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software. Some states do not
allow limitations on certain implied warranties, so the above may not apply to you. This limited warranty gives you specific legal rights. You may have
others, which vary from state to state.
9. Disclaimer of Warranty.
UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO
THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
10. Limitation of Liability.
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA,
OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF
LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount
paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose. Some
states do not allow the exclusion of incidental or consequential damages, so some of the terms above may not be applicable to you.
11. Export Regulations.
All Software, documents, technical data, and any other materials delivered under this Agreement are subject to U.S. export control laws and may be subject to
export or import regulations in other countries. You agree to comply strictly with these laws and regulations and acknowledge that you have the responsibility
to obtain any licenses to export, re-export, or import as may be required after delivery to you.
12. U.S. Government Restricted Rights.
If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the
Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201
through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
13. Governing Law.
Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply.
14. Severability.
If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would
frustrate the intent of the parties, in which case this Agreement will immediately terminate.
15. Integration.
This Agreement, including any terms contained in your Entitlement, is the entire agreement between you and Sun relating to its subject matter. It supersedes
all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms
of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No
modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party.
iText
MOZILLA PUBLIC LICENSE Version 1.1
1. Definitions.
1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.
1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications.
1.2. "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that
particular Contributor.
1.3. "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions
thereof.
1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
1.5. "Executable" means Covered Code in any form other than Source Code.
1.6. "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A.
1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License.
1.8. "License" means this document.
1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and
all of the rights conveyed herein.
1.9. "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When
Covered Code is released as a series of files, a Modification is:
A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications.
B. Any new file that contains any part of the Original Code or previous Modifications.
1.10. "Original Code" means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and
which, at the time of its release under this License is not already Covered Code governed by this License.
1.10.1. "Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in
any patent Licensable by grantor.
1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated
interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the
Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided
the appropriate decompression or de-archiving software is widely available for no charge.
1.12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of
this License issued under Section 6.1.
For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control"
means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than
fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
2. Source Code License.
2.1. The Initial Developer Grant. The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual
property claims:
(a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense
and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and
(b) under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or
otherwise dispose of the Original Code (or portions thereof).
(c) the licenses granted in this Section 2.1(a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License.
(d) Notwithstanding Section 2.1(b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code;
or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices.
2.2. Contributor Grant.
Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license
(a) under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and
distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code
and/or as part of a Larger Work; and
(b) under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its
Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by
that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such
combination).
(c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code.
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2)
separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of
Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed
by Covered Code in the absence of Modifications made by that Contributor.
3. Distribution Obligations.
3.1. Application of License.
The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source
Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You
must include a copy of this License with every copy of the Source Code You distribute. You may not offer or impose any terms on any Source Code version
that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the
additional rights described in Section 3.5.
3.2. Availability of Source Code.
Any Modification which You create or to which You contribute must be made available in Source Code form under the terms of this License either on the
same media as an Executable version or via an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version available;
and if made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available,
or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for
ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party.
3.3. Description of Modifications.
You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of
any change. You must include a prominent statement that the Modification is derived, directly or indirectly, from Original Code provided by the Initial
Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in
which You describe the origin or ownership of the Covered Code.
3.4. Intellectual Property Matters
(a) Third Party Claims.
If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor
under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party
making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made
available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take
other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new
knowledge has been obtained.
(b) Contributor APIs.
If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably
necessary to implement that API, Contributor must also include this information in the LEGAL file.
(c) Representations.
Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes that Contributor's Modifications are Contributor's
original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License.
3.5. Required Notices.
You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its
structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created
one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. You must also duplicate this License in any
documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. You may choose to offer, and to
charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own
behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear that any such warranty, support, indemnity or liability
obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial
Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer.
3.6. Distribution of Executable Versions.
You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a
notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You
have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or
collateral in which You describe recipients' rights relating to the Covered Code. You may distribute the Executable version of Covered Code or ownership
rights under a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License
and that the license for the Executable version does not attempt to limit or alter the recipient's rights in the Source Code version from the rights set forth in this
License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are
offered by You alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any
liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.
3.7. Larger Works.
You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a
single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Code.
4. Inability to Comply Due to Statute or Regulation.
If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Code due to statute, judicial order, or
regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect.
Such description must be included in the LEGAL file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the
extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.
5. Application of this License.
This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to related Covered Code.
6. Versions of the License.
6.1. New Versions.
Netscape Communications Corporation ("Netscape") may publish revised and/or new versions of the License from time to time. Each version will be given a
distinguishing version number.
6.2. Effect of New Versions.
Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may
also choose to use such Covered Code under the terms of any subsequent version of the License published by Netscape. No one other than Netscape has the
right to modify the terms applicable to Covered Code created under this License.
6.3. Derivative Works.
If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this
License), You must (a) rename Your license so that the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar
phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license
contains terms which differ from the Mozilla Public License and Netscape Public License. (Filling in the name of the Initial Developer, Original Code or
Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.)
7. DISCLAIMER OF WARRANTY.
COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A
PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH
YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR)
ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL
PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
8. TERMINATION.
8.1. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30
days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License.
Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.
8.2. If You initiate litigation by asserting a patent infringement claim (excluding declaratory judgment actions) against Initial Developer or a Contributor (the
Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that:
(a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections
2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i)
agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii)
withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment
arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under
Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above.
(b) any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to
You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications
made by that Participant.
8.3. If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent
where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses
granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license.
8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly
granted by You or any distributor hereunder prior to termination shall survive termination.

xvii
Director Configuration and Management Guide

9. LIMITATION OF LIABILITY.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF
SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR
ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF
SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM
SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO
YOU.
10. U.S. GOVERNMENT END USERS.
The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial
computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through
227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein.
11. MISCELLANEOUS.
This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision
shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent
applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an
entity chartered or registered to do business in the United States of America, any litigation relating to this License shall be subject to the jurisdiction of the
Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including
without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the
International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter
shall not apply to this License.
12. RESPONSIBILITY FOR CLAIMS.
As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of
rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing
herein is intended or shall be deemed to constitute any admission of liability.
13. MULTIPLE-LICENSED CODE.
Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". "Multiple-Licensed" means that the Initial Developer permits you to
utilize portions of the Covered Code under Your choice of the NPL or the alternative licenses, if any, specified by the Initial Developer in the file described in
Exhibit A.

Contents

Document Objectives........................................................................................................................ 29
Audience ............................................................................................................................................ 29
Document Conventions ................................................................................................................... 29
Forbidden Characters ....................................................................................................................... 30
Related Documentation.................................................................................................................... 30
Getting Blue Coat Documentation ................................................................................................. 31

Chapter 1: Director Overview


About Director................................................................................................................................... 33
About the Benefits of Director ........................................................................................................ 34
Managing and Monitoring Blue Coat ProxySG Appliances with Director.............................. 34
What’s New in This Release ............................................................................................................ 35
Director Terminology....................................................................................................................... 36
About the Director Management Console and Command Line ................................................ 36
Using the Director Management Console............................................................................... 38
Using the Director Command Line.......................................................................................... 38
About the Content Sync Module .................................................................................................... 38

Chapter 2: Connecting to Director


Prerequisites For Connecting to Director ...................................................................................... 39
Director Configuration Defaults ..................................................................................................... 40
Command Line Configuration Tasks............................................................................................. 40
Options for Connecting to Director................................................................................................ 41
Connecting to Director Using Telnet ............................................................................................. 42
Generating RSA Keys for Director Communication.................................................................... 43
SSH-RSA Overview.................................................................................................................... 43
RSA Key Task Overview ........................................................................................................... 44
Procedure to Create the SSH-RSA Connection ...................................................................... 45
Connecting to Director using SSH.................................................................................................. 50
Connecting to Director with the Management Console.............................................................. 52
Management Console Prerequisites ........................................................................................ 52
Management Console General Notes...................................................................................... 53
Starting the Management Console........................................................................................... 53
Connecting to Director Using SSH-Simple............................................................................. 54
Connecting to Director Using SSH-RSA ................................................................................. 56
About the Director Management Console .............................................................................. 58


Configuring Browser and Mail Settings........................................................................................ 61


Setting Director Browser and Output Settings ...................................................................... 61

Chapter 3: Registering Devices


About Device Registration .............................................................................................................. 65
Comparing SSH Simple and SSH-RSA ................................................................................... 66
Registration Quick Start................................................................................................................... 67
About Appliance Certificates.......................................................................................................... 68
Overview of the Registration Process............................................................................................ 69
Determining Whether Appliances Support Certificates ............................................................. 71
Getting Started With Appliance Certificates.......................................................................... 72
Confirming Whether Director Has an Appliance Certificate..................................................... 73
Confirming Whether a Device Has an Appliance Certificate .................................................... 74
Getting Appliance Certificates or Setting Up a Registration Password ................................... 75
Getting a Device Appliance Certificate................................................................................... 75
Setting Up a Director Registration Password ........................................................................ 77
Getting a Director Appliance Certificate—Internet Access........................................................ 78
Getting a Director Appliance Certificate—No Internet Access ................................................. 79
About the Registration Process....................................................................................................... 84
Registration Methods ....................................................................................................................... 85
Registering the Device with Director ...................................................................................... 87
Setting Passwords for Newly Registered Devices on Director ........................................... 92
Changing Properties of a Registered Device ................................................................................ 95
Creating a Partial Device Record on Director .............................................................................. 99
Matching Partial Device Records............................................................................................. 99
Getting Information for the Partial Device Record ............................................................. 100
Creating the Partial Device Record ....................................................................................... 102
Registering Pre-Staged Devices With Director .................................................................... 103
Changing Passwords on Pre-Staged Devices (If Required)............................................... 108
Changing Properties of a Registered Device .............................................................................. 108

Chapter 4: Adding and Connecting to Devices


About Adding Devices .................................................................................................................. 113
Adding Devices............................................................................................................................... 114
Adding a Device Using an Identification File...................................................................... 115
Adding Devices Manually ...................................................................................................... 117
Connecting to a Device .................................................................................................................. 123
Changing the Authentication Protocol........................................................................................ 124
Marking a Device as Configured.................................................................................................. 129


Chapter 5: Managing Device Groups, Profiles, and Overlays


About Director Groups .................................................................................................................. 132
About System Groups ............................................................................................................. 133
About Custom Groups ............................................................................................................ 135
Tasks Supported by Device Groups ...................................................................................... 135
Where To Go Next ................................................................................................................... 136
Adding Custom Groups ................................................................................................................ 136
Removing a Custom Group .......................................................................................................... 138
Adding Devices to a Custom Group............................................................................................ 138
Creating or Editing Folders........................................................................................................... 140
Deleting Folders.............................................................................................................................. 142
Removing or Copying Profiles or Overlays In Folders............................................................. 143
Important Information About Profiles ........................................................................................ 144
Best Practice for Creating Profiles ......................................................................................... 144
Important Information About Platforms .............................................................................. 145
About Profiles.................................................................................................................................. 145
About Profiles and Overlays .................................................................................................. 145
Important Information About Profiles.................................................................................. 146
About Profiles and Device Settings ....................................................................................... 147
About Secure Profiles..................................................................................................................... 148
Creating a Profile ............................................................................................................................ 149
Editing a Profile .............................................................................................................................. 152
Executing a Profile.......................................................................................................................... 154
Copying a Profile ............................................................................................................................ 157
Refreshing or Deleting Profiles..................................................................................................... 158
Important Information About Using Overlays .......................................................................... 159
Important Information About Overlays and SGOS Versions............................................ 159
General Tips .............................................................................................................................. 159
Executing Overlays that Depend on Databases................................................................... 160
Creating an Overlay ....................................................................................................................... 163
Adding to the Overlay Using the Management Console................................................... 164
Adding to the Overlay Using the CLI ................................................................................... 166
Adding to the Overlay Using Refreshables.......................................................................... 166
Executing an Overlay Immediately ............................................................................................. 168
Adding VPM Policy to an Overlay .............................................................................................. 171
Copying Overlays........................................................................................................................... 175
Deleting Overlays ........................................................................................................................... 176


Chapter 6: Device Administration


Selecting Devices to Administer................................................................................................... 182
Performing Administration Tasks................................................................................................ 183
Reconnecting to Devices ......................................................................................................... 184
Rebooting Devices.................................................................................................................... 184
Clearing Devices’ DNS, Object, or Byte Cache .................................................................... 184
About Searching.............................................................................................................................. 185
Ways to Perform a Search ....................................................................................................... 185
Basic and Advanced Searches ................................................................................................ 187
Using Search .................................................................................................................................... 189
Searching for Devices and Groups ........................................................................................ 189
Searching for Profiles and Overlays ...................................................................................... 191
Searching for Config and Content Jobs................................................................................. 194
Searching for URL Lists and Regular Expression Lists ...................................................... 197
Using Search Results ...................................................................................................................... 199
Using Results from a Basic Search......................................................................................... 200
Using Results from an Advanced Search ............................................................................. 201

Chapter 7: Managing Content Collections


About Content Distribution .......................................................................................................... 207
Content Distribution Use Case............................................................................................... 209
Details of URL Distribution .................................................................................................... 210
Managing Folders for Content Collections................................................................................. 211
Creating or Editing Folders .................................................................................................... 212
Deleting Folders ....................................................................................................................... 213
Removing or Copying Content Collections In Folders ...................................................... 214
Creating and Distributing URL Lists........................................................................................... 215
Creating a URL List Object ..................................................................................................... 215
Distributing, Revalidating, Deleting, or Prioritizing a URL List ...................................... 217
Creating and Distributing Regular Expression Lists................................................................. 221
Creating a Regex List Object................................................................................................... 221
Revalidating, Deleting, or Prioritizing a Regex List ........................................................... 223
Querying URLs ............................................................................................................................... 226

Chapter 8: Creating, Scheduling, and Managing Jobs


Managing Job Folders .................................................................................................................... 232
Creating or Editing Folders .................................................................................................... 233
Deleting Folders ....................................................................................................................... 234
Removing or Copying Objects In Folders ............................................................................ 235
Creating or Editing a Job and its Basic Properties ..................................................................... 236


Getting Started With Job Actions ................................................................................................. 238


Config Job Actions ................................................................................................................... 239
Content Job Actions ................................................................................................................. 240
Config Job Action Details .............................................................................................................. 241
Push Overlay or Push Profile Details.................................................................................... 242
Refresh Overlay or Refresh Profile Details........................................................................... 244
Abort or Continue on Errors Details ..................................................................................... 245
Take Backup Details ................................................................................................................ 246
Create and Upload Archive Details....................................................................................... 248
Schedule Reports Details ........................................................................................................ 251
Reboot Device Details.............................................................................................................. 254
Clear Cache Details .................................................................................................................. 255
System Download Details....................................................................................................... 257
System Validate Details........................................................................................................... 259
Issue Director CLI Command Details ................................................................................... 260
Content Job Action Details ............................................................................................................ 262
Distribute, Revalidate, or Delete URL(s) Details ................................................................. 263
Prioritize URL(s) Details ......................................................................................................... 266
Revalidate or Delete Regex(es) Details ................................................................................. 269
Prioritize Regex(es) Details..................................................................................................... 271
Executing a Job Immediately ........................................................................................................ 274
Scheduling a Job for Future Execution ........................................................................................ 275
Scheduling a Job for Recurring Execution .................................................................................. 277
Related Commands.................................................................................................................. 279
About the Job Queue and Description Panes ............................................................................. 280
Alternate Way to View Job Results ....................................................................................... 284
Verifying Backup Jobs.................................................................................................................... 286
For More Information About Substitution Variables ......................................................... 287
Viewing the Conflict in the Job Report ................................................................................. 287
Resolving the Conflicting Substitution Variable Value...................................................... 288

Chapter 9: Managing Substitution Variables


About Substitution Variables........................................................................................................ 291
Inheriting Substitution Variables From a Custom Group.................................................. 292
Allowed Substitution Variable Formats ............................................................................... 296
Example of Using Substitution Variables............................................................................. 296
Resolving Substitution Variable Conflicts............................................................................ 297


Creating and Implementing Substitution Variables.................................................................. 303


About Using Substitution Variables in Profiles and Overlays .......................................... 303
Creating and Importing Substitution Variable Files........................................................... 304
Defining the Value of a Substitution Variable ..................................................................... 310
Creating Substitution Variables in an Overlay .................................................................... 314
Creating Substitution Variables in a Profile......................................................................... 319
Validating the Values of Substitution Variables.................................................................. 320
Editing or Deleting Substitution Variables ................................................................................. 325

Chapter 10: Monitoring Devices


About the Monitor Tab Page......................................................................................................... 329
Viewing Group and Device Status............................................................................................... 330
Viewing Group Status ............................................................................................................. 330
Viewing Device Status............................................................................................................. 331
Viewing a Device’s SGOS Edition ......................................................................................... 332
Managing Alerts ............................................................................................................................. 332
About Alerts.............................................................................................................................. 333
Managing Alerts....................................................................................................................... 338
Viewing Statistics............................................................................................................................ 348
Generating Performance Analysis Reports................................................................................. 350
Generating Health Reports............................................................................................................ 354

Chapter 11: Audit Logging


Overview of Audit Logging.......................................................................................................... 357
About Audit Logging .............................................................................................................. 357
Comparing Event Logging and Audit Logging .................................................................. 358
Examples of Audit Logging and Event Logging................................................................. 359
For More Information About Logging.................................................................................. 360
Viewing Audit Logging Status in the Management Console .................................................. 360
Configuring Audit Logging .......................................................................................................... 362
Enabling TACACS+ Authentication ..................................................................................... 362
Setting the Logging Level ....................................................................................................... 364
Configuring the External Server ............................................................................................ 364

Chapter 12: Monitoring the Health of Devices


About Health Monitoring.............................................................................................................. 369
Device Health Monitoring Requirements ................................................................................... 370
About the Health Monitoring Metrics ......................................................................................... 370
About Device Polling ..................................................................................................................... 371
Health Monitoring Example ......................................................................................................... 371
About License Expiration Metrics ......................................................................................... 372


About the Health Monitoring Device States............................................................................... 373


About the General Metrics...................................................................................................... 373
About the Licensing Metrics................................................................................................... 374
About the Status Metrics......................................................................................................... 375
About Health Monitoring Notification ....................................................................................... 376
Viewing a Device’s Health Monitoring Metrics......................................................................... 377
Changing Threshold and Notification Properties ..................................................................... 378
Getting A Quick View of ProxySG Appliance Health .............................................................. 381
Viewing Health Monitoring Statistics ......................................................................................... 381
Remotely Notifying Management Stations of Device Changes............................................... 383
Verifying SNMP Trap Receipt................................................................................................ 384
Troubleshooting.............................................................................................................................. 385

Chapter 13: Configuring Director Redundancy


Requirements................................................................................................................................... 388
Terminology .................................................................................................................................... 389
About the Standby Pair State ................................................................................................. 391
Failover Assumptions .................................................................................................................... 392
How Data is Mirrored.................................................................................................................... 393
Monitoring Connectivity ............................................................................................................... 393
How Failover Works ...................................................................................................................... 394
Taking a Director Out of the Pair ................................................................................................. 396
Configuring the Standby Pair ....................................................................................................... 397
Viewing the State of the Primary or Secondary Director.......................................................... 398
Making Changes on the Primary Director ........................................................................... 400
Connecting to a Non-Active Director ................................................................................... 400
Example Company’s Disaster Preparedness .............................................................................. 401
Example Procedure: Configuring the Standby Pair .................................................................. 401
Moving the Directors ..................................................................................................................... 403
Moving the Secondary Director ............................................................................................. 403
Taking the Primary Director Offline ..................................................................................... 403
Network Link Failure..................................................................................................................... 405
Determining the Root Cause .................................................................................................. 405
Troubleshooting Network Failures ....................................................................................... 406
Upgrading the Software on the Standby Pair............................................................................. 409
Software Upgrade the Easy Way: Breaking the Standby Pair........................................... 409
Software Upgrade Without Downtime................................................................................. 410
Notifications Sent Only by the Primary Director ................................................................ 412
Notifications Sent Only by the Secondary Director ............................................................ 414
Notifications Sent by the Primary or Secondary Director.................................................. 414
Notifications Caused by Administrator Action................................................................... 415


Chapter 14: Director Logging


About Event Logging ..................................................................................................................... 417
About Audit Logging .............................................................................................................. 417
Comparing Event Logging and Audit Logging .................................................................. 418
Examples of Audit Logging and Event Logging................................................................. 419
For More Information about Logging ................................................................................... 419
Log Message Terminology ............................................................................................................ 420
Components of Director ................................................................................................................ 421
About the Syslog............................................................................................................................. 421
Syslog Log Levels..................................................................................................................... 422
Navigating Through the Syslogs ........................................................................................... 423
Syslog Messages.............................................................................................................................. 424
Content Management Syslog Messages................................................................................ 424
LCD Panel Manager Syslog Messages .................................................................................. 426
Communication Manager Syslog Messages......................................................................... 427
Command Line Interface Syslog Messages .......................................................................... 429
Job Manager Syslog Messages................................................................................................ 430
Configuration Syslog Messages ............................................................................................. 432
Configuration Management Syslog Messages..................................................................... 433
Health Monitoring Syslog Messages..................................................................................... 437
CLI Informational and Error Messages ................................................................................ 438
Interpreting Audit Details ............................................................................................................. 446
Profile, Overlay, and Backup Logging.................................................................................. 446
Job Logging ............................................................................................................................... 447
Viewing Log Files ........................................................................................................................... 448

Chapter 15: Backing Up Director and Devices


About Device Backup..................................................................................................................... 452
General Information About Device Backups ....................................................................... 452
What is Not Backed Up ........................................................................................................... 453
Creating a Backup........................................................................................................................... 453
Pinning or Unpinning a Backup................................................................................................... 457
Restoring a Backup......................................................................................................................... 458
Deleting a Backup........................................................................................................................... 459
Comparing Two Backups .............................................................................................................. 459
Saving Director’s Configuration................................................................................................... 463
What is a Configuration? ........................................................................................................ 464
Saving a Configuration............................................................................................................ 464
Changing the Active Director Configuration ...................................................................... 465
Deleting Configuration Files .................................................................................................. 465


Archiving and Restoring the Entire Director Configuration ................................................... 466


About Archives......................................................................................................................... 466
Prerequisites for Archiving Director ..................................................................................... 467
Archiving Director Using the Management Console ......................................................... 470
Archiving Director Using the Command Line .................................................................... 474

Chapter 16: Upgrading Director


Supported Upgrade and Rollback Paths..................................................................................... 480
SGME Rollback Notes ............................................................................................................. 480
Director and SGOS Compatibility Matrix................................................................................... 481
Upgrade and Rollback Roadmap ................................................................................................. 482
Getting SGME Documentation ..................................................................................................... 484
Upgrade Prerequisite Tasks .......................................................................................................... 485
Getting the SGME Software Package........................................................................................... 486
Installing the SGME Software Package ....................................................................................... 486
Destroying Old Configuration Files After an Upgrade ............................................................ 489
Changing Director Defaults .......................................................................................................... 493
About Configuration Changes...................................................................................................... 494
About Director Configurations .............................................................................................. 494
About the Configuration Lock ............................................................................................... 494
Changing Director’s Running Configuration ...................................................................... 495
Using Director Configuration Files ....................................................................................... 498
Setting Up Users ............................................................................................................................. 502
Creating Local User Accounts................................................................................................ 502
Managing Users Who Manage Content ...................................................................................... 504
Authenticating Users...................................................................................................................... 508
Configuring RADIUS .............................................................................................................. 508
Configuring TACACS+ ........................................................................................................... 511
Determining the Connection Protocol ......................................................................................... 514
Managing Security Using Access Lists........................................................................................ 514
Creating Access Lists To Control Access.............................................................................. 515
Creating Access Groups for an Interface .............................................................................. 518
Using the SNMP Server ................................................................................................................. 519
Managing Sessions ......................................................................................................................... 520
Rebooting Director ......................................................................................................................... 522
Shutting Down Director ................................................................................................................ 522
Procedure to Replace a Director 800 ............................................................................................ 523
Access List Differences................................................................................................................... 525
About the access-list Command ............................................................................................ 525
Summarizing the Differences ................................................................................................. 525
Example Access Lists............................................................................................................... 525


Introduction to the Director Management Console................................................................... 527


Internet Explorer 6, 7, and 8 .......................................................................................................... 528
Setting Up Internet Explorer 6, 7, or 8................................................................................... 528
Internet Explorer 7 and 8 Connection Details...................................................................... 529
Internet Explorer 6 Connection Details................................................................................. 532
Firefox 3 and 3.5 .............................................................................................................................. 534
Setting Up Firefox 3.x (Including 3.5) ................................................................................... 534
Firefox 3.5 Connection Details ............................................................................................... 535
Firefox 3.x Connection Details ............................................................................................... 540
Safari 3 .............................................................................................................................................. 546
Setting Up Safari 3.................................................................................................................... 546
Safari 3 Connection Details..................................................................................................... 546
Director RSA Fingerprint Warning.............................................................................................. 549

Preface

This preface describes who should read the Director Configuration and
Management Guide, how it is organized, and its document conventions.
This preface contains the following sections:
❐ "Document Objectives" on page 29
❐ "Audience" on page 29
❐ "Document Conventions" on page 29
❐ "Forbidden Characters" on page 30
❐ "Related Documentation" on page 30

Document Objectives
This configuration and management guide describes how to use the Blue Coat®
Director software for setting up, monitoring, and managing all aspects of
networks that use Blue Coat ProxySG™ appliances.

Audience
This guide is intended for network administrators and managers.

Document Conventions
The documentation uses the following conventions:
Convention                          Description

bold sans serif type                Field and option labels in the Management Console.

italicized type                     • Book titles
                                    • Variables
                                    • New terms

monospaced type                     • File and directory names
                                    • Commands and code examples
                                    • Text you must enter in the command line or
                                      Management Console

monospaced bold type                Literal command-line commands; that is, commands you
                                    enter in the Director command line exactly as written.

Square brackets, as in [value]      Optional command parameters.

Curly braces, as in {value}         Required command parameters.

Logical OR, as in value1|value2     Exclusive command parameters; only one of the options
                                    can be specified.

Forbidden Characters
The colon (:) and question mark (?) characters cannot be used in entry fields or
parameter values unless you handle them as follows:
❐ To use a colon character in a field or parameter (for example, in a URL),
either enclose the entire value in double quotation marks or escape the colon
by preceding it with a / character.
Examples of using a colon character in a URL:
http/://www.example.com
“http://www.example.com”
❐ To use a question mark in a field or parameter (for example, in a URL), first
enter cli help disable, which causes Director to ignore the question mark
character.
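When Director command-line input is generated by a script (for example, a batch of commands fed to the appliance over SSH), the two rules above have to be applied to every value, and the question-mark rule has to be applied before the first affected command rather than per value. The following Python helper is an added example, not code from the Director documentation or product. The function names quote_director_value, escape_director_value and build_cli_script are hypothetical, the command word example-command in the sample is a placeholder rather than a real Director command, and two details go beyond what the guide states and are assumptions: every colon in a value is escaped (the guide shows a value with one colon), and a value that itself contains a double quotation mark is rejected because the guide gives no rule for it.

```python
"""Quote or escape values for Director command-line parameters.

Added example, not code from the Director documentation or product. It
applies the two rules the guide states: a colon must be either enclosed
in double quotation marks (whole value) or preceded by a '/', and a
question mark is accepted only after 'cli help disable' has been entered.
"""

HELP_DISABLE = "cli help disable"  # documented: makes Director ignore '?'


def quote_director_value(value: str) -> str:
    """Enclose the whole value in double quotes if it contains a colon.

    Values without a colon are returned unchanged. A value that already
    contains a double quote is rejected, because the guide gives no rule
    for representing one inside a quoted value (assumption).
    """
    if '"' in value:
        raise ValueError("cannot quote a value that contains a double quote")
    return f'"{value}"' if ":" in value else value


def escape_director_value(value: str) -> str:
    """Precede each colon with '/' (the guide's http/://www.example.com form).

    The guide shows a single colon; applying the same escape to every
    colon, for example one before a port number, is an assumption.
    """
    return value.replace(":", "/:")


def build_cli_script(commands, style="quote"):
    """Return the CLI lines for a list of (command, [values]) pairs.

    Each value is quoted (style="quote") or escaped (style="escape").
    If any value contains a question mark, 'cli help disable' is emitted
    once at the top so that the question marks that follow are accepted.
    """
    if style not in ("quote", "escape"):
        raise ValueError(f"unknown style {style!r}")
    fix = quote_director_value if style == "quote" else escape_director_value
    lines = []
    if any("?" in v for _, values in commands for v in values):
        lines.append(HELP_DISABLE)
    for command, values in commands:
        lines.append(" ".join([command] + [fix(v) for v in values]))
    return lines


if __name__ == "__main__":
    # Constructed sample; 'example-command' is a placeholder, not a Director command.
    sample = [("example-command", ["http://www.example.com/page?id=1"])]
    print("\n".join(build_cli_script(sample)))
```

Quoting is the default because it leaves the value readable and does not depend on how many colons it contains; use the escape style only where a quoted value is not accepted.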

Related Documentation
The following table shows other Director documentation available from Blue
Coat:
Table 1–1 Documentation available from Blue Coat

Document name                               Description

Quick Start Guide                           Shipped with your Blue Coat Director appliance;
                                            discusses how to install the Director appliance and
                                            perform basic configuration.

Blue Coat Systems Director Command Line     Describes all of the available Director command line
Interface Reference                         commands.

Blue Coat Director Content Sync Module      Discusses the Content Sync Module, which crawls a
Guide                                       Web server or file system, tracks the time that the
                                            content was last modified, and then changes the
                                            content on the ProxySG appliances accordingly.
                                            Note: The Content Sync Module does not ship with
                                            Director. It is available separately. The Content Sync
                                            Module is used in Content Distribution Network
                                            (CDN) deployments.

Release Notes                               Provides late-breaking news, updates to the product,
                                            and known issues. To get Blue Coat documentation
                                            and Release Notes, see the next section.

Getting Blue Coat Documentation
To get the Director Release Notes and documentation:
1. Go to http://support.bluecoat.com, enter your BlueTouch Online user name
and password in the fields at the top of the page, and click Login.
If you do not have a user name and password, fill in the form at
http://www.bluecoat.com/support/supportservices/btorequest.
2. Click the Documentation tab.
3. On the Documentation tab page, click Director.
4. Follow the prompts on your screen to download the documentation and
Release Notes.
5. After reading the Release Notes, save them on your local computer.

Chapter 1: Director Overview

This chapter provides an overview of Director. It discusses benefits,
terminology, the Director Management Console, and the command line
(sometimes referred to as the command line interface or CLI).
Topics include:
❐ "About Director"
❐ "About the Benefits of Director" on page 34
❐ "Managing and Monitoring Blue Coat ProxySG Appliances with Director"
on page 34
❐ "What’s New in This Release" on page 35
❐ "Director Terminology" on page 36
❐ "About the Director Management Console and Command Line" on page 36
❐ "About the Content Sync Module" on page 38

About Director
Blue Coat® Director centrally manages and monitors multiple Blue Coat
ProxySG appliances simultaneously. Administrators can use Director to set
user and content policy, manage ProxySG appliance configurations, distribute
and control Web content, upgrade and validate SGOS software, and back up
ProxySG appliances.

Note: SGME 5.4.2.x can be used to manage appliances running SGOS version
5.4.1 and later. For up-to-date information, see the Director Release Notes.

Director is the single point of administration and monitoring for configuration
and policy management for one or more ProxySG appliances. It manages
everything from ProxySG appliance configuration to content distributed to
ProxySG appliances—including policy and license distribution.
Key configuration management features include:
❐ Configure groups of ProxySG appliances based on locations, applications,
or more.
❐ Rapidly deploy standardized configurations.
❐ Manage the scheduling of policy and configuration changes.
❐ Easily schedule incremental configuration changes to one or more ProxySG
appliances.
❐ Create and distribute policy across a system of ProxySG appliances.
❐ Back up ProxySG appliances.
❐ Compare backup files from different ProxySG appliances and restore
configuration backups to multiple ProxySG appliances.


❐ Quickly monitor ProxySG appliance status, statistics, and configurations.
❐ Upgrade ProxySG appliances simultaneously.

About the Benefits of Director


Director provides the following benefits:
❐ Reduces management costs by centrally managing all ProxySG appliances.
❐ Delegates network and content control to multiple administrators.
❐ Eliminates the need to configure each remote ProxySG appliance manually.
❐ Ensures consistency when updating multiple, identical ProxySG appliances.
❐ Recovers from system problems with automated configuration snapshots and
recovery.
You can access Director using either the Director Management Console or the
command line.

Managing and Monitoring Blue Coat ProxySG Appliances with Director


Administrators can use Director to set user and content policy, manage ProxySG
appliance configurations, distribute and control all types of Web content, upgrade
and validate SGOS software, back up ProxySG appliances, and monitor the health
and performance of ProxySG appliances.


What’s New in This Release


The Director 5.4.2.x release includes the following new features:

Feature                               Benefit

Java WebStart Management Console      The Director Management Console is no longer a
                                      separate application you must install on your
                                      computer. Instead, you access it using a Web browser
                                      from the following URL:
                                      https://director_host-or-ip:8082
                                      Starting with this release, the Director Management
                                      Console is a Java WebStart application. It requires
                                      that JRE 1.6 update 1 or later be installed on your
                                      computer.
                                      In addition, the Management Console has been
                                      redesigned to be more usable and attractive.
                                      For a list of supported operating systems and Web
                                      browsers, see the System Requirements section of the
                                      Director Release Notes.
                                      (B#109155, 109157)

Administration Tasks in the           As part of the Management Console redesign, a new
Management Console                    Administration Tasks panel on the Configuration tab
                                      page enables you to:
                                      • Reconnect devices
                                      • Reboot devices
                                      • Clear the object cache, byte cache, or DNS cache on
                                        devices
                                      • Clear ProxySG .jar files cached on the local
                                        computer

Scheduling Health Reports and         Health Reports and Performance Analysis reports can
Performance Analysis reports          now be scheduled as jobs and e-mailed to recipients
                                      you select.

XML APIs                              Starting in this release, you can perform the
                                      following actions using XML-based APIs:
                                      • Content API: push content to devices, delete
                                        content from devices, revalidate content on
                                        devices, and query content on devices
                                      • Forwarding hosts API, which creates forwarding
                                        host objects
                                      • Policy API, which enables you to create Web
                                        Content, Web Access, and Forwarding layers
                                      For more information about these tasks, see the
                                      Director API Reference.


Director Terminology
The following special Director terminology is used in this manual:
❐ Security Gateway Management Edition (SGME): The Director software release;
this guide covers SGME 5.4.2.x.
❐ Device: A ProxySG appliance.
❐ Director (or Blue Coat Director): The product as a whole, encompassing the
hardware and software and all the features.
❐ Command Line Interface (CLI): A term sometimes used for the SGOS and
Director command lines.
❐ Director image file: The file containing the Director SGME software.
❐ Director Management Console: The Director user interface.
❐ Profile: A configuration operation on Director that creates a snapshot of all
configuration and policy from a source device.
❐ Overlay: A configuration operation on Director that is used to replace selected
configurations or policy on one or more ProxySG appliances.
❐ Job: A set of actions Director performs on appliances, either immediately or
scheduled in advance.

About the Director Management Console and Command Line


Either the Director Management Console or the command line can be used to
manage ProxySG appliances. The Director Management Console provides a
graphical view, making it easier to learn Director. However, the Director
Management Console is not used for initial setup of Director; initial setup is
done from the command line.
Table 1–1 lists the features and actions that can be performed in each interface.

Table 1–1 Availability of Features in the Director CLI and Management Console

Feature                                                      Management Console   CLI

Initial Setup and Managing System Software
Director software installation, upgrade, and downgrade       No                   Yes
Archive (that is, back up) the Director configuration        Yes                  Yes
Device software upgrade and validation                       Yes                  Yes
Device license management                                    Yes                  Yes
Global IP configuration                                      No                   Yes
Network interface configuration                              No                   Yes
Search for devices, groups, jobs, profiles, overlays         Yes                  No
Run performance analysis reports                             Yes                  No
Manage substitution variables                                Yes                  Yes
Time management                                              No                   Yes
LCD panel setup                                              No                   Yes
SSH server                                                   No                   Yes
FTP and Telnet servers                                       No                   Yes
SNMP                                                         No                   Yes
User accounts                                                No                   Yes
Workgroups                                                   No                   Yes
Authentication                                               No                   Yes
Session management                                           Yes                  Yes
Event logging                                                No                   Yes
Audit logging                                                No                   Yes
Director standby                                             No                   Yes
Director CLI state management                                No                   Yes
Archiving configuration and backups                          No                   Yes
Device health monitoring                                     Yes                  Yes

Configuration Management
Enabling the explicit configuration lock                     No                   Yes
Managing folders for profiles, overlays, and jobs            Yes                  Yes
Initial setup of Directory hierarchy—management node,        Yes                  Yes
groups, and ProxySG appliances
Configuration management for multiple ProxySG appliances     Yes                  Yes
Comparison between two profiles, two overlays, or two        Yes                  Yes
device backups
Overlay creation                                             Yes                  Yes
Configuration file backups                                   Yes                  Yes
Job management                                               Yes                  Yes
Job querying                                                 Yes                  Yes
Job summary                                                  Yes                  Yes

Content Management
Content distribution                                         Yes                  Yes
Job management                                               Yes                  Yes
Job querying                                                 Yes                  Yes

Using the Director Management Console


The Director Management Console can be used to manage one Director appliance
at a time, although you can set up connections to many Director appliances. The
Management Console is a Web-based application that runs on any system in any
Web browser listed in the Director Release Notes.

Using the Director Command Line


The Director command line enables you to set up Director, its associated ProxySG
appliances, and its users. With the exceptions noted in Table 1–1, you can perform
the same tasks in the command line as you can with the Management Console.
You can access the Director command line using either Secure Shell (SSH)—which
is recommended for security reasons—or Telnet. Telnet sends the whole session,
including your password, in clear text; it is disabled by default (see "Director
Configuration Defaults" on page 40), and you should leave it disabled unless SSH
is unavailable to you.

About the Content Sync Module


The Content Sync Module (CSM) operates by crawling a Web server or file system
and tracking the time that the content was last modified, and then changing the
content in the ProxySG appliances accordingly.

Note: The Content Sync Module does not ship with Director. It is available
separately. The Content Sync Module is used in Content Distribution
Network (CDN) deployments.

The CSM supports:


❐ Scheduled generation of URL lists and upload of URL lists.
❐ Generation of URL lists reflecting changes in content, either on request or
automatically, and upload of the lists on request.
❐ Issuing of content commands to Director.
❐ Enabling of automatic content updates. CSM can watch where internal
content owners (such as HR or engineering) publish content and then tell
Director to update the ProxySG appliances.
The CSM is discussed in more detail in the Blue Coat Director Content Sync Module
manual.

Chapter 2: Connecting to Director

This chapter discusses how to connect to your Director appliance using the
Director Management Console. This chapter includes the following topics:
❐ "Prerequisites For Connecting to Director"
❐ "Director Configuration Defaults" on page 40
❐ "Command Line Configuration Tasks" on page 40
❐ "Options for Connecting to Director" on page 41
❐ "Generating RSA Keys for Director Communication" on page 43
❐ "Connecting to Director with the Management Console" on page 52
❐ "Configuring Browser and Mail Settings" on page 61
See also Appendix C: "Management Console Browser Details".

Prerequisites For Connecting to Director


Before you begin, rack mount the appliance, connect it to the network, and
configure it for the following:
❐ IP address and subnet mask
❐ Default gateway
❐ DNS server, if any
These tasks are discussed in the Quick Start Guide shipped with your Director
appliance.
Note: Make sure you connect to Director appliances with the matching version
of the Management Console. For example, use the Management Console 5.4.2
to connect to Director appliances running SGME 5.4.2.x, and use the
Management Console 5.4 to connect to Director appliances running SGME
5.4.x. You cannot use the Management Console 5.4.2 to manage a Director
appliance running SGME 5.2 because new features (like folders, search, and
performance analysis reports) were not available in SGME 5.2.


Director Configuration Defaults


Director’s configuration is set to the following by default:
❐ Director administrator user name: admin
❐ Authentication method: local
❐ Connection protocol (connection between Director and the ProxySG
appliance): SSHv2 Simple
❐ Authentication Port: 8082 (HTTP is not supported between Director and the
device)
❐ FTP, SNMP and Telnet: disabled by default.

Command Line Configuration Tasks


Following is a partial list of tasks you should perform using Director’s
command line:
❐ Enabling an external server to receive Director event and audit logs using SCP: see Chapter 11: "Audit Logging".
❐ Administering users: see "Setting Up Users" on page 502.
❐ Enabling the explicit configuration lock: see "About Configuration Changes" on page 494.
❐ Upgrading or downgrading SGME software: see Chapter 16: "Upgrading Director".
❐ Securing access to Director using access lists: see "Managing Security Using Access Lists" on page 514.
❐ Managing Director configurations: see "Using Director Configuration Files" on page 498.


Options for Connecting to Director


The following tables summarize the tasks required to connect to the Director
Management Console.
Before you begin, you must perform the tasks discussed in "Prerequisites For
Connecting to Director" on page 39.
Table 2–1 Options for connecting to Director
❐ Telnet: Telnet is not secure and is therefore not a recommended connection method. For more information, see "Connecting to Director Using Telnet" on page 42.
❐ Command line, SSH Simple: Although SSH using RSA-SSH is preferred, you also have the option of using SSH-Simple, which is not secure. After you set up Director on the network, you can connect to the command line using SSH Simple without any other configuration required.
❐ Command line, SSH-RSA: The secure, recommended way to connect to the Director command line. For more information, see "Generating RSA Keys for Director Communication" on page 43.
❐ Management Console: Configure Director from any computer using a supported Web browser. For more information, see "Connecting to Director with the Management Console" on page 52.


Connecting to Director Using Telnet


You can optionally enable Director’s Telnet server to enable a Telnet session to the
Director Management Console. Because Telnet is less secure, Director’s Telnet
server is disabled by default.
Blue Coat recommends you always connect to the Management Console using
SSH-RSA as discussed in "Generating RSA Keys for Director Communication" on
page 43.

To enable Director’s Telnet server:


1. Log in to Director using an SSH application as discussed in "Connecting to
Director using SSH" on page 50.
2. After you log in to the Director command line, the command prompt displays
as follows:
director >

3. At the prompt, enter enable.


4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configuration terminal.
6. At the director (config) # command prompt, enter the following command
to enable the Telnet server:
director (config)# telnet-management enable

7. Save the configuration.


director (config)# write memory

To disable Director’s Telnet server:


1. At the (config) command prompt, enter the following command:
director (config)# no telnet-management enable

2. Save the configuration.


director (config)# write memory

Note: Telnet disconnects after three invalid attempts to connect. There also might
be a time lag before Telnet reports on device status.


Generating RSA Keys for Director Communication


To create RSA keys to securely authenticate your computer with the Director
Management Console and command line using SSH-RSA, complete the tasks
discussed in this section.
To connect to the Director Management Console using SSH Simple (that is, a user
name and password), skip this section and continue with "Connecting to Director
with the Management Console" on page 52.

SSH-RSA Overview
SSH-RSA has the following benefits:
❐ Securing the network. Devices that are authenticated have exchanged keys,
verified each others’ identity, and know which devices are trusted. Passwords
are not sent over the network.
❐ Preventing man-in-the-middle attacks. Using RSA public/private key
authentication prevents man-in-the-middle attacks by using the server's host
key to verify the other host’s identity. Because the man-in-the-middle cannot
access the private key, the attacker cannot decrypt the traffic between the
server and the client.
❐ Secure profiles. When you create a device profile using a source device that
communicates with Director using SSH-RSA, Director includes in the profiles
keyrings, certificates, and other settings that would otherwise be encrypted. If
the source device uses SSH Simple, however, these encrypted settings are
omitted from the profile.
❐ Securing protocols. Many protocols require authentication at each end of the
connection before they are considered secure. SSH-RSA authentication means
that each host verifies each other’s identity at each end of the connection.
The following table summarizes the differences between SSH Simple and SSH-RSA:
Feature                                          SSH Simple   SSH-RSA
Is communication encrypted?                      Yes          Yes
Are passwords sent over the network?             Yes          No
Is it vulnerable to man-in-the-middle attacks?   Yes          No


RSA Key Task Overview


To create an RSA public-private key pair with which to authenticate with Director,
you need an application that creates an RSA private key in OpenSSH format
because OpenSSH is the only format Director accepts.
Cygwin (specifically, ssh-keygen which is included in OpenSSH components that
are not part of the default installation) creates an RSA private key in that format
and Puttygen converts its private key to OpenSSH format.
Consult the documentation provided with the application you use to see if it
generates an OpenSSH private key or if it converts the private key to OpenSSH
format. (More information about Puttygen can be found in the Puttygen User
Manual.)
Blue Coat does not recommend a specific utility to generate the key pair.
The process can be summarized as follows:
1. Generate the key pair on the Windows host from which you run the Director
Management Console.
(You can also create the key pair on UNIX and copy the public and private
keys to the Windows host; however, those instructions are beyond the scope
of this document.)
2. Import your public key in to Director using its command line.
When you connect to Director using SSH to perform this task, use SSH Simple
user name and password authentication.
3. Add Director’s public key to your list of known hosts.
The tasks you perform in this step depend on your SSH application. An
example is shown in the procedure that follows; consult the documentation
provided with your SSH applications for specific details.


Procedure to Create the SSH-RSA Connection


The procedure to create the SSH-RSA connection with Director can be divided
into the following tasks:
1. "Generating RSA Public and Private Keys"
2. "Importing Your Public Key Into Director" on page 47
3. "Adding Director to Your List of Known Hosts" on page 48

Generating RSA Public and Private Keys


The first task you must perform to authenticate with Director using SSH-RSA is to
generate an RSA key pair (that is, public and private keys) on the host you will
use to run the Management Console.

To generate RSA public and private keys:


1. If necessary, get an application like Cygwin (specifically, ssh-keygen) or
Puttygen to create the RSA key pair.
The application must be able to create an RSA private key in OpenSSH format.
Consult the documentation provided with the application you use to see if it
generates an OpenSSH private key or if it converts the private key to
OpenSSH format.
Note: Cygwin does not install the OpenSSH components like ssh-keygen by
default. For more information, see the Cygwin Package List page.
Blue Coat does not recommend a particular utility. Consult the documentation
provided with the utility you choose for specific information about it not
covered in this book.
2. Generate and save an RSA-SSH v2 key pair (that is, public and private keys)
on a machine accessible to Director using the utility.
Note: When you create the private key, you have the option of creating a
passphrase to encrypt it. Creating a passphrase is highly recommended as a
security precaution in the event your private key is stolen because without the
passphrase, your private key cannot be read.
If you do not use a passphrase, your private key can be read by anyone,
meaning another party can access Director without using any other
authentication credentials.
The procedure you use to create the key depends on the utility you use.
Following is an example only for Puttygen. If you use another utility, skip the
example and continue with Step on page 47.
For more information about Puttygen, see the Puttygen User Manual.
a. Open a DOS command prompt window.
b. Change to the folder in which you downloaded Puttygen and enter
puttygen.

c. In the Parameters section, click SSH-2 RSA.


d. Click Generate.
e. Follow the prompts on your screen to generate the key pair.
f. Recommended. Enter a passphrase for your private key and confirm it in
the provided fields.
An example Puttygen window follows:
[Figure: example Puttygen window, with the callout "Copy the public key from here" pointing at the Key section]

g. Copy the data in the Key section to the clipboard.


This is your public key. An example follows:
ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEA6FiqZbBBWfimtAFqrSv94W9XpJd3CoGF1nyY3E
YxDWpI2vspLxfBoSSyojXiIPJviXoSwP0qvKQkEucM3LS5y6d7WPjJIsbGOGJtNaif
I+k451iHe0LJLGUV438Hiq4PvapcY1J4u6OEsClFSFpMke/H2JY35kpd/
fanG9yyed8=

Notes:
• The entire public key must be on a single line. It is shown here on
multiple lines because of space limitations.
• The public key begins with ssh-rsa followed by one space and ends
with one or more equal signs (=). Remove additional characters from
the end of the public key, after the equal sign.
h. Paste the public key into Notepad and save it as a text file.
Later, you import this public key into Director.
i. Click Conversions > Export OpenSSH key.
This step is required to connect to the Director Management Console using
SSH-RSA. The Management Console cannot use a Puttygen-formatted
private key; it uses only OpenSSH-formatted private keys.


j. Follow the prompts on your screen to save the exported private key to
a folder.
You will need the private key later to connect to the Director Management
Console.
3. This step applies to you only if you used a tool such as Cygwin to create your
key pair. You do not need to perform this task if you used Puttygen.
Before the public key can be imported into Director, you must remove
information like the following:
• Carriage returns
• ---- BEGIN SSH2 PUBLIC KEY ---- and ---- END SSH2 PUBLIC KEY ----
• Comments
• Commands preceded by, including, or followed by spaces (the only
exception being ssh-rsa and the space following it)
• Text following the final equal signs (==)
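Step 3 above, together with the notes under step 2g, amounts to a normalization that can be scripted. The following is an added Python example, not part of the Director guide or Blue Coat's software: it takes either an SSH2-format export (the armored file that ssh-keygen -e and some other tools write) or an OpenSSH key line, strips carriage returns, the BEGIN/END lines, headers and comments, and then checks that what remains is a single "ssh-rsa <base64>" line whose decoded blob really carries the ssh-rsa type tag. The sample inputs are constructed around the public key printed above; the comment rsa-key-20080209 and the user admin@workstation in them are assumptions.

```python
"""Normalize an RSA public key into the single-line OpenSSH form Director imports.

Added example, not part of the Director guide or Blue Coat's software.  It performs the
clean-up the guide lists for keys made with tools such as Cygwin's ssh-keygen (drop
carriage returns, the SSH2 BEGIN/END lines, header and comment text, and anything after
the key material) and checks the result before it is pasted into the
"ssh client user ... authorized-key rsakey sshv2" command.
"""
import base64
import re

# base64 of the bytes 00 00 00 07 "ssh-rsa": every ssh-rsa public key blob begins with them.
SSH_RSA_TAG = b"\x00\x00\x00\x07ssh-rsa"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
RFC4716_HEADER_RE = re.compile(r"^[A-Za-z-]+:")  # e.g. Comment: "rsa-key-20080209"
SSH2_ARMOR = ("---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----")


def normalize_pubkey(text: str) -> str:
    """Return 'ssh-rsa <base64>' from an SSH2 (RFC 4716) export or an OpenSSH key line."""
    body = []
    in_header = False  # RFC 4716 header values may continue on lines ending with '\'
    for line in text.replace("\r", "").split("\n"):
        line = line.strip()
        if in_header:
            in_header = line.endswith("\\")
            continue
        if not line or line.startswith(SSH2_ARMOR):
            continue
        if line.startswith("ssh-rsa "):
            # OpenSSH form: the second field is the key, anything after it is a comment.
            return "ssh-rsa " + line.split()[1]
        if RFC4716_HEADER_RE.match(line):
            in_header = line.endswith("\\")
            continue
        body.append(line)  # one wrapped base64 line of an SSH2 export
    if not body:
        raise ValueError("no key material found")
    return "ssh-rsa " + "".join(body)


def check_pubkey_line(line: str) -> bool:
    """True only if line is exactly 'ssh-rsa <base64>' and the blob carries the ssh-rsa tag."""
    parts = line.split(" ")
    if "\n" in line or "\r" in line or len(parts) != 2 or parts[0] != "ssh-rsa":
        return False
    b64 = parts[1]
    if not B64_RE.match(b64) or len(b64) % 4:
        return False
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return blob.startswith(SSH_RSA_TAG)


# The public key printed in the guide, reassembled from its four printed lines.
GUIDE_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAABJQAAAIEA6FiqZbBBWfimtAFqrSv94W9XpJd3CoGF1nyY3E"
    "YxDWpI2vspLxfBoSSyojXiIPJviXoSwP0qvKQkEucM3LS5y6d7WPjJIsbGOGJtNaif"
    "I+k451iHe0LJLGUV438Hiq4PvapcY1J4u6OEsClFSFpMke/H2JY35kpd/"
    "fanG9yyed8="
)

# Constructed inputs: an SSH2-format export of that key with CRLF line endings and a
# comment header, and an OpenSSH line with a trailing comment (user name is assumed).
SSH2_EXPORT = "\r\n".join(
    [SSH2_ARMOR[0], 'Comment: "rsa-key-20080209"']
    + [GUIDE_KEY_B64[i:i + 64] for i in range(0, len(GUIDE_KEY_B64), 64)]
    + [SSH2_ARMOR[1], ""]
)
OPENSSH_EXPORT = "ssh-rsa " + GUIDE_KEY_B64 + " admin@workstation\n"

if __name__ == "__main__":
    for raw in (SSH2_EXPORT, OPENSSH_EXPORT):
        key = normalize_pubkey(raw)
        print("valid" if check_pubkey_line(key) else "INVALID", key)
```

Both constructed inputs normalize to the same line, which is what you paste into the import command. The check deliberately validates the decoded structure rather than looking for trailing equal signs: whether a base64 key ends in "=" depends only on the blob length, so a key without padding is not necessarily damaged, while a stray comment or carriage return is always rejected.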

Importing Your Public Key Into Director


After creating the RSA key pair as discussed in the preceding sections, you must
import your public key into Director so Director recognizes your computer as a
known host.

To import your public key into Director:


1. Use a Secure Shell (SSH) application to connect to Director.
2. Log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. At the director (config) # prompt, import the public key into Director by
entering the following command:
ssh client user username authorized-key rsakey sshv2 public_key

where
username is Director’s administrator user name, which is admin by default
public_key is your public key; you copied it to the text editor in "Generating
RSA Public and Private Keys" on page 45.
A message displays only if an error occurs.
7. Disconnect from Director so you can add Director to your list of known hosts
as discussed in the next section.


Adding Director to Your List of Known Hosts


The final task to set up an SSH-RSA connection to Director is to add Director to
the lists of hosts known by the computer from which you will start the
Management Console.
The tasks you perform depend on the SSH application you use; consult its
documentation for specific details.

To add Director to your list of known hosts:


Configure your SSH application to connect to Director using RSA-SSH v2.
Consult the documentation provided with the SSH application for details.
To connect to Director using RSA-SSH v2, you must import Director’s public key
to your known hosts file. The procedure you use depends on the SSH application
you use.
Following is an example only for Putty. If you do not use Putty, ignore the
example and continue with "Connecting to Director with the Management
Console" on page 52.

Putty Example
An example of adding Director to Putty’s list of known hosts follows; consult the
documentation provided with Putty for additional information.

To add Director to Putty’s list of known hosts:


1. Start Putty.
2. Load the connection information for Director.
3. In the Category pane, click Connection > SSH > Auth.
4. In the Private key for authentication field, enter the absolute file system path to
Director’s private key file (including the file name), or click Browse to locate it.


An example Putty window follows:

5. At the top of the Category pane, click Session.


6. Click Save to save the changes to the connection.
7. Click Open.
8. If you created a passphrase for your private key, enter it at the prompt.
An example follows; your connection information will be different,
depending on your Director administrator user name and the date on which
you created the key pair.
login as: admin
Authenticating with public key "rsa-key-20080209"
Passphrase for key "rsa-key-20080209":

9. Continue with the next section.


Connecting to Director using SSH


The following procedure discusses how to access the Director command line
using a Secure Shell (SSHv2) application.

To start a Director command line session:


1. Get an SSH application.
If you use UNIX, use the ssh utility.
If you use Windows, get an application like Cygwin or Putty.
Blue Coat does not recommend a particular application; however, Windows
examples in this book are based on Putty.
2. Connect to Director using either of the following:
• UNIX: Step 3
• Windows: Step 4
3. UNIX: Connect to Director using ssh:
To connect using the UNIX ssh utility or using Windows OpenSSH software,
use the following command:
ssh -lusername host_or_ip

where username is the Director administrator user name (admin by default)
and host_or_ip is Director’s fully qualified host name or IP address.
An example follows:
Copyright (c) 1997-2009, BlueCoat Systems, Inc.
Welcome to SG-ME 5.4.1.1 #34567 2009.03.20-110141
director >

After completing these tasks, continue with step 5.


4. Windows: To connect using Putty:
a. Open a DOS command prompt window.
b. Change to the folder to which you downloaded putty.exe.
c. In the command prompt window, enter putty.


d. In the Putty Configuration window, enter the following information:


Item                              Description
Host Name (or IP address) field   Enter Director’s fully qualified host name or IP address.
Port field                        Enter the SSH port number (the default is 22).
Connection Type options           Click SSH.
Saved Sessions field              Enter a unique name to identify this Director session.

An example follows:

e. Click Save.
f. Click Open.
5. After you log in to the Director command line, the command prompt displays
as follows:
director >

This prompt indicates you are using standard mode.


The command prompt changes to reflect the mode you are using:
❐ > : Standard mode, which enables you to set basic settings. Standard mode does not require a password. After you log in to Director, you start with standard mode.
❐ # : Enable mode, which enables you to set more advanced settings. By default, enable mode does not require a password but Blue Coat recommends you create a password. From standard mode, enter enable to start enable mode.
❐ (config) # : Configuration mode, which enables you to configure the Director appliance. From enable mode, enter configure to start configuration mode.

Note:
• For information about using the Director command line to set up Director,
see Appendix A: "Administering Director" on page 493. For full
command arguments and syntax, refer to the Blue Coat Director Command
Line Interface Reference Guide.
• Commands listed in standard mode are also available in enable and
configuration modes. Most commands provided in enable mode are also
available in configuration mode.

Connecting to Director with the Management Console


This section discusses how to connect to the Director Management Console. See
one of the following topics for more information:
❐ "Management Console Prerequisites"
❐ "Management Console General Notes" on page 53
❐ "Starting the Management Console" on page 53

Management Console Prerequisites


To run the Director Management Console, you need all of the following:
❐ Supported operating system
❐ Supported Web browser
For the latest operating system and Web browsers supported, see the Director
Release Notes.
❐ Sun Java JRE 1.6 or later
If you have not done so already, install JRE 1.6 or later from the Sun Java Web
site.
❐ Your Director appliance must have an appliance certificate
For more information, see Section B: "Getting a Director Appliance Certificate"
on page 78.


Management Console General Notes


Note the following about the Director Management Console:
❐ Up to five users can be logged in to the Director Management Console at one
time.
❐ The Director Management Console can be used with the same version of
SGME only. In other words, the Director 5.4.2 Management Console can be
used with a Director appliance running SGME 5.4.2.
The following combinations are not expected to function properly:
• Director 5.4.2 Management Console with a Director running SGME 5.4 or
earlier.
• Director 5.4 Management Console with a Director running SGME 5.4.2.

Starting the Management Console


This section discusses how to start the Director Management Console. Before
beginning, make sure you review the following information:
❐ To authenticate with the Management Console using SSH-RSA, see
"Generating RSA Keys for Director Communication" on page 43
❐ "Management Console Prerequisites" on page 52
❐ "Management Console General Notes" on page 53

To start the Director Management Console:


1. If you have not done so already, install JRE 1.6 or later from the Sun Java Web
site.
2. Start a supported Web browser.
For a list of supported Web browsers, see the Director Release Notes.
3. Enter the following URL in your browser’s address or location field:
https://director_host_or_ip:8082

where director_host_or_ip is the Director appliance’s fully qualified host name


or IP address.
4. Depending on the Web browser, prompts might display before you log in.
For details about these browser-specific prompts, see Appendix C:
"Management Console Browser Details".


The Login page displays.

Continue with one of the following sections:


• "Connecting to Director Using SSH-Simple"
• "Connecting to Director Using SSH-RSA" on page 56

Connecting to Director Using SSH-Simple


This section discusses how to connect to Director using the SSH-Simple protocol.
To use SSH-RSA instead, skip this section and see "Connecting to Director Using
SSH-RSA" on page 56.

To connect to Director using SSH-Simple:


1. Complete the tasks discussed in "Connecting to Director with the
Management Console" on page 52.
The Login page displays as follows.


2. At the Login page, click SSH-Simple and enter the following information:
❐ User Name: Enter the Director administrator user name.
❐ Password: Enter the user’s password.
❐ Enable Password: Enter the enable mode password, if any.

3. Click Proceed.
The following warning might display after you log in to the Director
Management Console:

For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
After you log in to Director, the Management Console displays in a new
window. For more detailed information, see Appendix C: "Management
Console Browser Details".
You have the following options:
• "About the Director Management Console" on page 58
• "Setting Director Browser and Output Settings" on page 61


Connecting to Director Using SSH-RSA


This section discusses how to connect to Director using the SSH-RSA protocol.
To use SSH-Simple instead, see "Connecting to Director Using SSH-Simple" on
page 54.

To connect to Director using SSH-RSA:


1. Complete the tasks discussed in "Generating RSA Keys for Director
Communication" on page 43 to generate the public-private key pair to connect
to Director.
2. Complete the tasks discussed in "Connecting to Director with the
Management Console" on page 52.
The Login page displays as follows.

3. At the Login page, click SSH-RSA and enter the following information:
❐ RSA User Name: Enter the Director administrator user name.
❐ Identity file location: Enter the absolute file system path to the identity file—including the file name—or click Browse to locate it. The identity file is the OpenSSH private key you created for logging in to Director as discussed in "Generating RSA Public and Private Keys" on page 45.
❐ The identity file is password protected: Select this check box if you created a passphrase to protect your private key (that is, identity file).
❐ Identity password: If you selected the check box, enter the identity file’s passphrase.
❐ Enable password: Enter the enable mode password, if any.


4. Click Proceed.
The following warning might display after you log in to the Director
Management Console:

For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
After you log in to Director, the Management Console displays in a new
window. For more detailed information, see Appendix C: "Management
Console Browser Details".
You have the following options:
• "About the Director Management Console" on page 58
• "Setting Director Browser and Output Settings" on page 61
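The warning described above (and the identical one shown for the SSH-Simple login on page 55) asks you to judge whether the presented RSA fingerprint is the one you expect. The following is an added Python example, not part of the Director guide or Blue Coat's software, that shows how that judgement can be made mechanically: compute the MD5 and SHA256 fingerprints of a host key blob the way SSH clients do, pin the fingerprint on first contact, and treat a later mismatch as possible impersonation (the dialog's Cancel) instead of clicking Yes. The public key printed on page 46 stands in for Director's host key; the host name director.example.com and the altered impostor key are constructed.

```python
"""Host-key fingerprint check behind the RSA fingerprint warning.

Added example, not part of the Director guide or Blue Coat's software.  Fingerprints
are computed from the raw key blob: MD5 colon-hex as PuTTY displays it, SHA256 base64
as current OpenSSH displays it.  The decision logic pins the first fingerprint seen
for a host and refuses a different one later.
"""
import base64
import hashlib

# The public key printed in the guide, reassembled onto one line, stands in for a host key.
GUIDE_PUBKEY = "ssh-rsa " + (
    "AAAAB3NzaC1yc2EAAAABJQAAAIEA6FiqZbBBWfimtAFqrSv94W9XpJd3CoGF1nyY3E"
    "YxDWpI2vspLxfBoSSyojXiIPJviXoSwP0qvKQkEucM3LS5y6d7WPjJIsbGOGJtNaif"
    "I+k451iHe0LJLGUV438Hiq4PvapcY1J4u6OEsClFSFpMke/H2JY35kpd/"
    "fanG9yyed8="
)


def parse_ssh_strings(blob: bytes) -> list:
    """Split an SSH wire-format blob into its length-prefixed strings."""
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields


def fingerprints(pubkey_line: str) -> dict:
    """Return key size and MD5/SHA256 fingerprints of an 'ssh-rsa <base64>' line."""
    algo, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    fields = parse_ssh_strings(blob)
    if len(fields) != 3 or fields[0] != algo.encode():
        raise ValueError("not an ssh-rsa public key blob")
    modulus = int.from_bytes(fields[2], "big")  # fields[1] is the public exponent
    return {
        "bits": modulus.bit_length(),
        "md5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def host_key_decision(cache: dict, host: str, presented: str) -> str:
    """Decide what the warning dialog should lead to, using cache {host: fingerprint}.

    'first-contact': nothing cached; pin the presented fingerprint (confirm it through a
                     trusted path before clicking Yes).
    'match':         same fingerprint as before; connect.
    'MISMATCH':      different fingerprint; refuse (Cancel) and keep the old pin.  A key
                     that changed after a Director upgrade must be confirmed before re-pinning.
    """
    cached = cache.get(host)
    if cached is None:
        cache[host] = presented
        return "first-contact"
    return "match" if cached == presented else "MISMATCH"


def tampered_copy(pubkey_line: str) -> str:
    """Constructed impostor key: same structure, one modulus byte altered (not a usable key)."""
    algo, b64 = pubkey_line.split()[:2]
    blob = bytearray(base64.b64decode(b64))
    blob[-1] ^= 0x01
    return algo + " " + base64.b64encode(bytes(blob)).decode()


if __name__ == "__main__":
    cache = {}
    genuine = fingerprints(GUIDE_PUBKEY)
    impostor = fingerprints(tampered_copy(GUIDE_PUBKEY))
    print(genuine["bits"], "bit key, MD5", genuine["md5"], genuine["sha256"])
    for presented in (genuine["sha256"], genuine["sha256"], impostor["sha256"]):
        print(host_key_decision(cache, "director.example.com", presented))
```

The three runs print first-contact, match and MISMATCH in that order. The cache is the equivalent of the fingerprint the Management Console keeps on your computer: the "No" option in the dialog corresponds to insisting on the cached entry, and a MISMATCH result is the case where the page advises cancelling.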


About the Director Management Console


After connecting to Director, the Management Console displays.

Configuration options are categorized according to task and presented in four tab
pages.

About Director Status


If you expand Director Status at the top of the Management Console, the current
standby and audit logging status displays:

Under Director Status, clicking More next to Auditing Policy displays the current
status of audit logging.
In SGME 5.3 and later, Director enables you to track the contents of the following
using audit logging:
❐ Profiles
❐ Overlays
❐ Configuration and content jobs
❐ Backups


Audit logging enables administrators to track what tasks were performed by
commands that configured components in the preceding list. Administrators and
auditors can use event logging and audit logging together to determine what was
changed, who changed it, and when it was changed.
The Management Console displays the current status of audit logging, including
the default auditing policy, which is one of the following:
❐ delete (Default.) Deletes audit log files from subdirectories of /local/logs/scplogs, starting with the oldest files first.
❐ stop-logging Stops transferring log files to subdirectories of the /local/logs/scplogs directory if the directory uses more than 1 GB of space.
❐ stop-processing Stops processing any commands that trigger audit logging.


The Audit Policy Settings dialog box displays similarly to the following:

To display audit policy from the command line, enter the following command:
director (config) # show logging
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: NULL
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 5.119403 MB
Free space: 1018.880597 MB

About the Monitor Tab Page


The Monitor tab page contains a summary of the current health status and alerts
for devices managed by Director. The top pane displays two metrics:
❐ The Current Device Status indicators show how many devices are currently
connected to Director and cumulative representative health states.
❐ The Accumulated Alerts indicators show how many total alerts are currently
detected by Director. These alerts might not represent the current health state of
the device.


To view the current status of a device, click the name of a device in the Devices
pane.
In the Reports pane, click Performance Analysis to generate reports available for the
first time in the SGME 5.4 release; for more information, see "Generating
Performance Analysis Reports" on page 350.
For more information about the Monitor tab page, see Chapter 10: "Monitoring
Devices".

About the Configure Tab Page


The Configure tab page enables you to create and manage groups and devices.
After you have added devices to Director, you can edit the devices (by right-clicking the device and clicking Edit) or place them in groups. After devices are
added, you can then create profiles and overlays to manage the configuration on
your devices.
The Backup Manager enables you to create and manage the backups for every
device.
For more information about the tasks available on the Configure tab page, see
Chapter 3: "Registering Devices", Chapter 4: "Adding and Connecting to
Devices", and Chapter 5: "Managing Device Groups, Profiles, and Overlays".

About the Jobs Tab Page


The Jobs tab page enables you to execute jobs—such as applying or refreshing
overlays or profiles, doing backups, or rebooting a device—either immediately or
scheduled for a future time (and optionally recurring periodically).
You can create jobs for individual ProxySG appliances, multiple appliances, or
groups of appliances.
For more information about the tasks available on the Jobs tab page, see
Chapter 8: "Creating, Scheduling, and Managing Jobs".

About the Content Tab Page


The Content tab page enables you to identify locally-stored content lists (URLs
and regular expressions) and pre-populate ProxySG appliances with content
(push content to the cache) so users have quicker access and consume fewer
network resources. You can push the content immediately or schedule a job.
For more information about the tasks available on the Content tab page, see
Chapter 7: "Managing Content Collections".


Configuring Browser and Mail Settings


This section discusses how to change the following settings:
❐ Director’s Web browser settings, which are used for operations like displaying
the SGOS Management Console.
These settings also enable you to specify output settings, which define the
verbosity of output displayed when you run profiles and overlays. For more
information about browser settings and options, see "Setting Director Browser
and Output Settings".
❐ Mail settings used to optionally e-mail the reports discussed in "Generating
Performance Analysis Reports" on page 350.
For information on mail settings, see "Setting Mail Options" on page 63.

Setting Director Browser and Output Settings


This section discusses how to set the following options:
❐ Choose a Web browser for the Director Management Console to use (see
"Setting Web Browser and Verbosity")
❐ Specify output verbosity (see "Setting Web Browser and Verbosity")
❐ E-mail options for optionally e-mailing performance analysis reports (see
"Setting Mail Options" on page 63)

Setting Web Browser and Verbosity


This section discusses how to choose a Web browser to use for operations like
running a device’s Management Console, and also how to set output verbosity for
profiles, overlays, and backups executed using the Management Console.

To configure browser and output settings:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click File > Options.
The Options dialog box displays.


3. Click the Browser Configuration tab.

4. In the Select Your Browser section, enter the path to your browser’s executable
in the Path To Browser field, or click Browse to locate it.
5. In the Update Your Output Settings section, enter the following information:
❐ Enable verbose output check box:
• If Enable verbose output is selected and the output limit is set to a small value, such as 10 KB, then:
  • Profile and overlay output is shown in its entirety.
  • Archive and device backup output is truncated at the value in the Limit output to field.
• If Enable verbose output is not selected (the default), and the output limit is set to a small value, such as 10 KB, then:
  • Profile and overlay output displays errors only.
  • Archive configuration output is truncated at the value in the Limit output to field.
• If Enable verbose output is not selected and the output limit is set to a large value, all output is limited to errors only.
❐ Limit output to: Enter a limit, in KB, for output from profiles, overlays, and backups.
❐ Use Defaults button: Return the values in this dialog box to defaults.

The list of supported browsers for the Management Console can be found in
the Director Release Notes.


6. Click OK.
Note the following:
• The default output limit is 5120 KB; the maximum is 1 GB. The limit is
reset to its default if you click Use Defaults.
• Backup and restore output is always errors only, regardless of the setting
of the verbose mode.

Setting Mail Options


This section discusses how to set e-mail options to optionally e-mail reports you
can create as discussed in "Generating Performance Analysis Reports" on page
350.
Guidelines for Simple Mail Transfer Protocol (SMTP) servers follow:
❐ You can specify an SMTP mail server by either a fully qualified host name or
IP address
❐ Make sure the SMTP server meets all of the following availability
requirements
• It must be reachable by Director
• It must be capable of sending e-mails to all addresses you specify
In other words, you can choose either a corporate server or an external,
publicly reachable SMTP server provided the server meets the preceding
requirements.
❐ SSL and Transport Layer Security (TLS) encryption are not supported
❐ User name/password authentication is supported
  Because the connection to the SMTP server is never encrypted, the account
  credentials (with AUTH PLAIN or AUTH LOGIN only base64-encoded, not
  protected) and the report contents cross the network in the clear. Use a
  dedicated, least-privilege relay account for Director and an SMTP server
  that is reachable over a trusted network segment.

To set mail options:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click File > Options.


The Options dialog box displays.


3. Click the Mail Settings tab.

4. Enter the following information:

   Server IP field
     Enter your Simple Mail Transfer Protocol (SMTP) outgoing e-mail server's
     IP address or fully qualified host name.
     Note: The SMTP server you specify cannot use either SSL or TLS
     encryption, must be reachable by Director, and must be able to send
     e-mail to all addresses to which you wish to send reports.

   Server Port field
     Enter the server's port.

   Authentication check box
     Select this check box if your SMTP server requires authentication.

   Username field
     If you selected the Authentication check box, enter the SMTP server's
     user name.

   Password field
     Enter the user's password.
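As an added illustration of what the two SMTP guidelines above (no SSL/TLS, but user name/password authentication) mean in practice, the following Python script, which is not part of this guide or of Director, walks a captured SMTP session and recovers the credentials sent with AUTH PLAIN and AUTH LOGIN. The two session transcripts, the host names and the account in them are constructed for this example.

```python
"""Recover SMTP AUTH credentials from a cleartext session capture (added example).

Director sends mail without SSL/TLS, so AUTH PLAIN and AUTH LOGIN put the
account password on the wire protected by nothing more than base64. The two
transcripts below are constructed for this example; "C:" marks lines sent by
the client (Director) and "S:" lines sent by the SMTP server.
"""
import base64

# Constructed capture: AUTH PLAIN with the credentials on the AUTH line itself.
CAPTURED_PLAIN_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO director.example.test
S: 250-mail.example.test
S: 250-AUTH PLAIN LOGIN
S: 250 OK
C: AUTH PLAIN AHJlcG9ydHMASHVudGVyMiE=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<reports@example.test>
S: 250 OK
C: QUIT
S: 221 Bye
"""

# Constructed capture: the same account using the challenge/response AUTH LOGIN.
CAPTURED_LOGIN_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO director.example.test
S: 250-mail.example.test
S: 250-AUTH PLAIN LOGIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: cmVwb3J0cw==
S: 334 UGFzc3dvcmQ6
C: SHVudGVyMiE=
S: 235 2.7.0 Authentication successful
C: QUIT
S: 221 Bye
"""


def _b64_text(token):
    """Decode one base64 token from the wire as text; bad input is reported, not raised."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable:%s>" % token


def _decode_plain(token):
    """AUTH PLAIN payload is [authzid] NUL authcid NUL password (RFC 4616)."""
    parts = base64.b64decode(token, validate=True).split(b"\x00")
    if len(parts) < 3:
        raise ValueError("malformed AUTH PLAIN response")
    return {"mechanism": "PLAIN",
            "username": parts[-2].decode("utf-8", "replace"),
            "password": parts[-1].decode("utf-8", "replace")}


def extract_smtp_credentials(transcript):
    """Walk the client lines of a captured session and return every credential pair seen."""
    found = []
    pending = None                     # state while a multi-step AUTH exchange is in progress
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue                   # only client lines carry credentials
        line = raw[2:].strip()
        if pending is None:
            parts = line.split()
            if len(parts) >= 2 and parts[0].upper() == "AUTH":
                mech = parts[1].upper()
                if mech == "PLAIN" and len(parts) >= 3:
                    found.append(_decode_plain(parts[2]))   # initial-response form
                elif mech in ("PLAIN", "LOGIN"):
                    pending = [mech]                       # responses follow on later lines
            continue
        if line == "*":                                    # client aborted the exchange
            pending = None
        elif pending[0] == "PLAIN":
            found.append(_decode_plain(line))
            pending = None
        else:                                              # LOGIN: username, then password
            pending.append(_b64_text(line))
            if len(pending) == 3:
                found.append({"mechanism": "LOGIN", "username": pending[1], "password": pending[2]})
                pending = None
    return found


if __name__ == "__main__":
    for session in (CAPTURED_PLAIN_SESSION, CAPTURED_LOGIN_SESSION):
        for cred in extract_smtp_credentials(session):
            print("%(mechanism)s login for %(username)r with password %(password)r" % cred)
```

Anyone who can capture the Director-to-SMTP traffic gets the same result, which is why the relay account should be able to do nothing beyond sending reports and why the server should sit on a network segment you trust.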

Chapter 3: Registering Devices

This chapter discusses how to register devices with Director. Topics include:
❐ "About Device Registration"
❐ "Registration Quick Start" on page 67
❐ "About Appliance Certificates" on page 68
❐ Section A: "Prerequisite Tasks" on page 71
❐ Section B: "Getting a Director Appliance Certificate" on page 78
❐ Section C: "Setting Up Registration" on page 84
❐ Section D: "Registering Devices without Pre-Staged Device Records" on
page 86
❐ Section E: "Registering Devices with Pre-Staged Device Records" on page 97
❐ Section F: "Marking a Device As Configured" on page 110

Important: SGME 5.4.x can be used to manage appliances running SGOS version
5.4.1 and later. For up-to-date information, see the Director Release Notes.

About Device Registration


Registering ProxySG appliances (that is, devices) is an alternative to adding
devices, which is discussed in Chapter 4: "Adding and Connecting to
Devices". During registration, Director and devices use their Blue Coat
appliance certificates or a shared secret to confirm identities before exchanging
public keys over an HTTPS connection.
Registering devices has the following advantages compared to adding devices:
❐ Registration can be done in bulk using pre-staged device records, which
means the following tasks can be performed in one step:
• device records are created
• devices connect to Director
• optionally, devices are added to a group
• optionally, jobs are configured to target the devices
• optionally, profiles and overlays are targeted to the devices
❐ Even if you do not use pre-staged device records, you can register devices
in bulk so additional configuration (such as adding devices to groups) can
be performed quickly.
❐ Every device registered with Director uses the SSH-RSA protocol to
authenticate itself with Director. The SSH-RSA protocol is more secure than
SSH Simple.


When you add a device, it initially uses the SSH Simple protocol (that is, a
user name and password are sent from the device to Director). Blue Coat
strongly recommends using the SSH-RSA protocol, which is an additional
task you must perform after you add the device.
After adding a device, you can change the communication method to SSH-
RSA using the Management Console or command line. (Changing to SSH-
RSA using the command line requires several commands.) More information
about SSH Simple and SSH-RSA can be found in "Comparing SSH Simple and
SSH-RSA" on page 66.
Notes:
❐ The registration process uses a secure HTTPS connection where Director acts
as the server and the device acts as the client.
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall.
❐ The process by which Director and devices authenticate with each other is not
to be confused with the process by which users authenticate with Director. For
more information about user authentication, see the following:
• To connect to the Director Management Console using SSH-RSA, see
Chapter 2: "Connecting to Director".
• The discussion of the aaa authentication and username commands in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director
Command Line Interface Reference Guide.

Comparing SSH Simple and SSH-RSA


SSH-RSA has the following benefits:
❐ Securing the network. Devices that are authenticated have exchanged keys,
verified each other's identity, and know which devices are trusted. Passwords
are not sent over the network.
❐ Preventing man-in-the-middle attacks. With RSA public/private key
authentication, each side verifies the other host's identity against the host
key it already holds. An attacker who does not possess the matching private key
cannot impersonate either end, and so cannot place itself between Director and
the device to read or alter the traffic. This is only as strong as the initial
key exchange, which is why registration confirms identities with appliance
certificates or a shared secret before the public keys are exchanged.
❐ Secure profiles. When you create a device profile using a source device that
communicates with Director using SSH-RSA, Director includes in the profile the
keyrings, certificates, and other settings that are otherwise kept encrypted. If
the source device uses SSH Simple, these encrypted settings are omitted from the
profile.
❐ Securing protocols. Many protocols require authentication at each end of the
connection before they are considered secure. With SSH-RSA authentication,
each host verifies the other's identity at its end of the connection.


The following table summarizes the differences between SSH Simple and SSH-RSA:

Feature                                          SSH Simple   SSH-RSA
Is communication encrypted?                      Yes          Yes
Are passwords sent over the network?             Yes          No
Is it vulnerable to man-in-the-middle attacks?   Yes          No

Registration Quick Start


This section discusses how to quickly get started registering devices when
your Director appliance and all ProxySG appliances it manages were manufactured
after July 2006. Appliances manufactured after that date have appliance
certificates and are ready for registration.
If you are not sure whether all of your devices have appliance certificates,
skip this section and continue with "About Appliance Certificates" on page 68.
To complete the registration process, complete the tasks discussed in the
following table:

1. "About the Registration Process" on page 84
   Understand concepts related to registering your ProxySG appliances with
   Director.

2. "Registration Methods" on page 85
   Understand which registration method works best for your deployment:
   • Without pre-staged device records: Use this method to add devices to
     Director on demand, which is appropriate for smaller deployments.
   • With pre-staged device records: Use this method to pre-stage (that is,
     pre-create) a basic device configuration, which includes passwords, for
     all your devices on Director. This method is appropriate if you are
     planning a large deployment.

3. Section D: "Registering Devices without Pre-Staged Device Records" on
   page 86
   Use this registration method if you have a smaller deployment and want to
   add devices to Director on demand.

4. Section E: "Registering Devices with Pre-Staged Device Records" on page 97
   Use this registration method if you have a larger deployment and would
   benefit from creating device records before registering the devices with
   Director.

About Appliance Certificates


For devices to register with Director, the Director appliance must have an
appliance certificate, and each device must have either an appliance certificate or
it must use a shared secret created on Director.
An appliance certificate is an X.509 certificate that contains the hardware serial
number of the appliance (Director or ProxySG) as the CommonName (CN) in the
subject field. Blue Coat appliances manufactured after July 2006 have
appliance certificates.


Overview of the Registration Process


The following figure shows an overview of the registration process. Its
decision flow is:

❐ Does the appliance already have an appliance certificate?
  • Yes: register the device as discussed in "About the Registration Process"
    on page 84.
  • No: continue with the next question.
❐ Does the appliance support appliance certificates?
  • No: add the device as discussed in Chapter 4: "Adding and Connecting to
    Devices".
  • Yes: continue with the next question.
❐ Can the appliance access the Internet?
  • Yes: get an appliance certificate as discussed in "Getting a Device
    Appliance Certificate" on page 75 (device) or "Getting a Director
    Appliance Certificate—Internet Access" on page 78 (Director).
  • No: get an appliance certificate as discussed in "Getting a Device
    Appliance Certificate" on page 75 (device) or "Getting a Director
    Appliance Certificate—No Internet Access" on page 79 (Director).

Figure 3–1 Process overview for getting appliance certificates for devices and Director
Note the following:
❐ You go through the same process with Director and with ProxySG appliances.
❐ If your Director appliance does not support appliance certificates, you cannot
register any devices with it, even if the devices support appliance
certificates.
If that is the case, skip the remainder of this chapter and continue with
Chapter 4: "Adding and Connecting to Devices".


❐ If a device does not support appliance certificates, that device cannot be
registered with Director.
If that is the case, for that device, see Chapter 4: "Adding and Connecting to
Devices".


Section A: Prerequisite Tasks


This section discusses the following tasks:
❐ "Determining Whether Appliances Support Certificates" on page 71
❐ "Confirming Whether Director Has an Appliance Certificate" on page 73
❐ "Confirming Whether a Device Has an Appliance Certificate" on page 74

Determining Whether Appliances Support Certificates


This section discusses how to determine if ProxySG appliances and Director
support appliance certificates.

Important:
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall between Director and the devices you want Director to manage.
❐ Appliances manufactured before July 2006 do not support appliance
certificates and cannot be registered with Director. If your Director
appliance does not support appliance certificates, you cannot register any
devices with it, even if the devices support appliance certificates; instead,
you must add devices to Director as discussed in Chapter 4: "Adding and
Connecting to Devices".
❐ If you attempt to register a device that runs an incompatible SGOS
version, the error Incompatible SG version displays. In that case, you
cannot register the device with Director; instead, you must add the device
to Director as discussed in Chapter 4: "Adding and Connecting to
Devices". Be aware that configuring an older device using Director profiles
and overlays can result in errors. If possible, upgrade these devices to more
recent versions.
❐ Make sure Director supports appliance certificates and has an appliance
certificate before registering devices with Director.


Getting Started With Appliance Certificates


To complete the tasks discussed in this section, you need the following:
❐ Appliance hardware serial numbers (optional, but recommended)
The hardware serial number is printed on a label affixed to the rear panel of
the appliance. You can also find the serial number in any of the following
ways:
• ProxySG appliance:
• Displays on the SGOS Management Console in any of the following
ways:
• On the Home page when you first log in to the Management
Console.
• In the SGOS Management Console, click the Maintenance tab. In the
right pane, click the Summary tab and in the left navigation pane,
click System and Disks.
• Using the privileged mode command show version. Refer to the
Command Line Interface Reference in the ProxySG Appliance Configuration
and Management Guide for more information about using the SGOS
command line.
• Director appliance: The show version command displays Director’s
hardware serial number.
❐ A BlueTouch login
If you do not have a user name and password, fill in the form at http://
www.bluecoat.com/support/supportservices/btorequest.

To determine whether your appliances support appliance certificates:

1. Gather the hardware serial numbers and the BlueTouch login discussed in
"Getting Started With Appliance Certificates" on page 72.
2. Go to http://www.bluecoat.com/activate.
3. When prompted, log in with your BlueTouch user name and password.
The Blue Coat Licensing Portal displays.
4. In the left navigation bar, click Appliance Certificate Verification.
5. Enter the appliance hardware serial number in the provided field and click
Submit.
A message displays to indicate whether or not the appliance supports
appliance certificates.


6. Do any of the following:


• If Director does not support appliance certificates, you cannot register any
devices with it, even if the devices support appliance certificates.
Skip the remainder of this chapter and continue with Chapter 4: "Adding
and Connecting to Devices".
• If a device does not support appliance certificates, you cannot register that
device with Director.
For that device, skip the remainder of this chapter and continue with
Chapter 4: "Adding and Connecting to Devices".
• If Director supports appliance certificates, confirm whether or not Director
already has an appliance certificate as discussed in "Confirming Whether
Director Has an Appliance Certificate" on page 73.
• If a device supports appliance certificates, confirm whether or not the
device already has an appliance certificate as discussed in "Confirming
Whether a Device Has an Appliance Certificate" on page 74.

Confirming Whether Director Has an Appliance Certificate


To confirm whether Director has an appliance certificate:
1. Use a Secure Shell (SSH) application to connect to Director.
For details, see "Using the Director Command Line" on page 38.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. At the director (config) # prompt, enter the following command:
show ssl appliance-certificate

Examine the output for one of the following:

Output: An error message displays, such as:
  appliance-certificate does not exist. Please request/import one first.
Meaning: Director has no appliance certificate. Continue with one of the
  following sections:
  • "Getting a Director Appliance Certificate—Internet Access" on page 78
  • "Getting a Director Appliance Certificate—No Internet Access" on page 79

Output: The certificate displays, starting with -----BEGIN CERTIFICATE-----
Meaning: Director already has an appliance certificate. Continue with
  "Confirming Whether a Device Has an Appliance Certificate" on page 74.

7. Continue with one of the following sections:
• If Director has no appliance certificate, see Section B: "Getting a
Director Appliance Certificate" on page 78.
• If Director has an appliance certificate, continue with the next section.

Confirming Whether a Device Has an Appliance Certificate


To confirm whether a device has an appliance certificate:
1. Use a Secure Shell (SSH) application to connect to the device.
2. When prompted, log in as an administrator.
3. At the next prompt, enter enable.
4. If prompted, enter the privileged mode password.
5. At the # prompt, enter the following command:
# show ssl certificate appliance-key

One of the following displays:

Result: % Certificate "appliance-key" not found
Meaning: The device has no appliance certificate. Continue with "Getting
  Appliance Certificates or Setting Up a Registration Password" on page 75.

Result: The certificate displays, starting with -----BEGIN CERTIFICATE-----
Meaning: The device has an appliance certificate. Continue with Section C:
  "Setting Up Registration" on page 84.


6. Perform one of the following tasks:


• If all devices have appliance certificates, continue with Section C: "Setting
Up Registration" on page 84.
• If any device has no appliance certificate, continue with the next section.

Getting Appliance Certificates or Setting Up a Registration Password


If a device has no appliance certificate, you have the following options:
❐ Recommended. Get an appliance certificate for the device as discussed in
"Getting a Device Appliance Certificate" on page 75.
Appliance certificates are required to use Secure Application Delivery
Network (ADN). For detailed information about appliance certificates, see the
chapter on authenticating ProxySGs in Advanced Networking in the ProxySG
Appliance Configuration and Management Guide.
❐ Set up a registration password on Director and use this password to register
the device.
For registration purposes only, the registration password takes the place of the
appliance certificate. For more information, see "Setting Up a Director
Registration Password" on page 77.

Getting a Device Appliance Certificate


This section discusses how to get an appliance certificate for a device.

Note:
• Appliances manufactured before July 2006 do not support appliance
certificates. If you attempt to get an appliance certificate for such a
device, an error message displays; for details, see Table 3–1 on page 76.
If the appliance does not support appliance certificates, you cannot
register it with Director; instead, you must add the device as discussed
in Chapter 4: "Adding and Connecting to Devices".
• To register a device with Director, the device must have a certificate
from Blue Coat’s http://abrca.bluecoat.com/sign-manual Web site.
You cannot use another CA to generate an appliance certificate.


To get an appliance certificate for a device, perform either of the following tasks:
❐ If the device can connect to the Internet, from its Management Console,
perform the following tasks:
• Click Configuration > SSL > Appliance Certificates > Request Certificate.
• Click Request appliance certificate. You are required to confirm the action.
The Blue Coat CA server validates the request and signs the certificate. The
certificate is automatically placed in the appliance-key keyring. Note that
the appliance-key keyring cannot be backed up. The keyring is re-created
if it is missing at boot time.
The following table discusses error messages and their meanings:
Table 3–1 Appliance certificate error messages

Error message: Request failed: Signing server reported error: No such serial
  number serial_number.
Meaning: The device does not support appliance certificates, most likely
  because it was manufactured before July 2006.

Error message: % Request failed: Request to signing server failed: Socket
  connect error
Meaning: The device cannot connect to the Internet.

❐ If the device cannot connect to the Internet, the procedure is similar to getting
a Director appliance certificate: Create a CSR on the device, go to the
abrca.bluecoat.com/sign-manual Web site to create a certificate, and import
the certificate into the device.
The details are discussed in the chapter on authenticating ProxySGs in
Advanced Networking in the ProxySG Appliance Configuration and Management
Guide.
After getting appliance certificates for all devices, continue with Section C:
"Setting Up Registration" on page 84.


Setting Up a Director Registration Password


If any device to be managed by Director has no appliance certificate, you must
either create a registration password on Director or get an appliance certificate for
the device as discussed in "Getting a Device Appliance Certificate" on page 75.
This password is used as a shared secret during the registration process, in effect
taking the place of the device’s appliance certificate for the purpose of registration
only.

To create a Director registration password:


1. Use a Secure Shell (SSH) application to connect to Director.
For details, see "Using the Director Command Line" on page 38.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. At the director (config) # prompt, enter the following command:
director (config) # ssl registration-password password

The registration password can contain letters (a-z, A-Z), digits (0-9), the
hyphen (-), the comma (,), and the period (.). Minimum length is 1; maximum
length is 16. Because this value stands in for the device's appliance
certificate, choose a randomly generated value of the maximum length and share
it only with the people who register devices.
7. Disconnect from Director.
8. Continue with Section C: "Setting Up Registration" on page 84.
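The following Python script is an added example, not part of this guide or of Director. It validates a candidate value against the character set and length limits of ssl registration-password exactly as documented above, and generates a maximum-length random value with the secrets module so that the shared secret is not a human-chosen word. The entropy figure it reports is computed from the documented alphabet; nothing beyond that is assumed.

```python
"""Validate or generate a Director registration password (added example, standard library only)."""
import math
import secrets
import string

# Character set and length limits exactly as documented for `ssl registration-password`.
ALLOWED_CHARS = string.ascii_letters + string.digits + "-,."
MIN_LEN, MAX_LEN = 1, 16


def validate_registration_password(candidate):
    """Return the reasons Director would reject the value; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length %d is outside %d..%d" % (len(candidate), MIN_LEN, MAX_LEN))
    bad = sorted(set(candidate) - set(ALLOWED_CHARS))
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def entropy_bits(length=MAX_LEN):
    """Entropy of a uniformly random password of this length drawn from ALLOWED_CHARS."""
    return length * math.log2(len(ALLOWED_CHARS))


def generate_registration_password(length=MAX_LEN):
    """Draw a uniformly random password from the allowed alphabet using a CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between %d and %d" % (MIN_LEN, MAX_LEN))
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(length))


if __name__ == "__main__":
    password = generate_registration_password()
    print("director (config) # ssl registration-password %s   # about %.0f bits"
          % (password, entropy_bits()))
```

Sixteen characters drawn from the 65-symbol alphabet give roughly 96 bits of entropy; a short, memorable word weakens the one thing that stands in for the device's certificate during registration.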


Section B: Getting a Director Appliance Certificate


This section discusses the following topics:
❐ "Getting a Director Appliance Certificate—Internet Access" on page 78
❐ "Getting a Director Appliance Certificate—No Internet Access" on page 79
Blue Coat has a CA for the purpose of issuing appliance certificates. SGOS
automatically trusts the root certificate of the Blue Coat CA for
authenticating devices to, and communicating with, Director. These Blue Coat
signed certificates contain no authorization information and are valid for five
years.
The process can be summarized as follows:
1. Verify whether Director has an appliance certificate as discussed in
"Confirming Whether Director Has an Appliance Certificate" on page 73.
2. Do one of the following:
• If Director has an appliance certificate, continue with Section C: "Setting
Up Registration" on page 84.
• If Director has no appliance certificate, continue with one of the
following sections:
• "Getting a Director Appliance Certificate—Internet Access" on page
78
• "Getting a Director Appliance Certificate—No Internet Access" on
page 79

Getting a Director Appliance Certificate—Internet Access


To get a Director appliance certificate for a Director appliance that has
access to the Internet:
1. Use a Secure Shell (SSH) application to connect to Director.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. From the (config) prompt, enter:
director (config) # ssl request-appliance-certificate
Requesting certificate
Verifying certificate
Certificate verified successfully

This command creates a new private key, creates a Certificate Signing
Request (CSR) for it, and sends the CSR to Blue Coat to get the
corresponding appliance certificate. The private key never leaves Director.


To display the appliance certificate:


From the (config) prompt, enter:
director (config) # show ssl appliance-certificate
Skip the next section and continue with Section C: "Setting Up Registration" on
page 84.

Getting a Director Appliance Certificate—No Internet Access


To get a Director appliance certificate for a Director appliance that has no
access to the Internet:
1. Use a Secure Shell (SSH) application to connect to Director.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. From the (config) prompt, enter:
director (config) # show ssl appliance-certificate-request

This command creates a CSR (if it does not already exist) and displays it. It
also creates the digital signature for the CSR, using the appliance’s private
key.


An example follows:

-----BEGIN CERTIFICATE REQUEST-----


MIICuDCCAaACAQAwczELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlTdW5ueXZhbGUxHDAaBgNVBAoTEydCbHVlIENvYXQgU3lzdGVtcycxEDAOBgNV
BAsTB1NHTUU1MTAxEzARBgNVBAMTCjQ3MDYxMDUyMzMwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDGC0CSms4F2C4pFuHbJW0zAEJfna+54giEIW49I2qA
l9J/yAmwDhPcScd+mAJJEMdsWuUGA1UEBhMCVVMxCzXF/Wjo6B9CHTTENvAy8r2Y
JiHE5OJPXfqHDjzsnxppo54L//G3CgAsW8rI7UDsnpML8gDuQ1SXefopFPfa8WOw
RtKpU87Ma/YhTexHMmI1p+wYyOaiv/P/KpfLPyIqICvdKhMdvh3lk49u+maPLt0R
7+ljzWbJ8cD2oQvQkEmhEOMtX+rotkUT1GHJF+J5maSns8WfCkjnQ8N7NzwQAGnb
7plbhZcA4jIGvIltavCcREab3VfHlVJKn5eskNKrFKzrAgMBAAGgADANBgkqhkiG
9w0BAQUFAAOCAQEALGNLV4I6Vk5Rznq4DvLbdi7rceO8xD0e2poAjxdjFUaBXf/4
9vQMB41BdjA1f1Ic1f9a0MG6Qwm+ngJsAUJN46ZGtRRjgd5kImYveFX1+hJjg9vb
5Wp/5xEf3jWVB1EBtvqdAcSe+y8qS4/fDFs2VJv806i4oNCvzJKLmNcY7/J5++3Z
BvOThkuI5DROqA4ivN8o+ENIG98xgcsQqKnf+wGg3TKqC9x/15PcoCgxAsc6zlmU
joUgYgFNCJIGZBn2pqCgS7giHfNz2Di6LUf0ZCiOxR8p2n0fr4c1D6OmNpEB5vXH
DTUG7fyToMQITCK6vKz+oL+alQyVvDpYgNpAug==
-----END CERTIFICATE REQUEST-----
----- BEGIN CSR SIGNATURE -----
wrj98DWIUuIfiCxOcq7GnbQOjKI4S20WG3/6gzlzNaJN/pyQHwG4ehpzII+6JlY+
GKwzXmpa46Tyhkfv3HMIDBhAB31vJljNMwzjwn2Uc3AmEhd/mVBdw9U1q4UTWhzU
M8yuhbjMla3939IcwNrwIbQmEiaSRXHxUfcRYty5Q8CYZe0A8OSB8JDIHex1+E9K
ICjUBlUpz8rdeL/SxYZmwnrOTDoZ1KOz0bCbNVcjPsmZhqLwSrQwsBUXGiutjHDe
B/Hg3z0bPcvh1CNQZNv2LgSVPdPpeB6OPaSaQkuSs6WwPmeGGurSl7K0w6t/V6XL
VY93Z3Jph1FNpH7FES+pvw==
----- END CSR SIGNATURE -----

Figure 3–2 Sample CSR

7. Copy the CSR and the signature to your clipboard. Include the BEGIN
CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, as well as the BEGIN CSR
SIGNATURE and END CSR SIGNATURE lines.
The CSR contains only Director's public key and subject name; the private
key stays on the appliance, so pasting the request into the Web form does
not expose it.
8. Open a browser and go to the Blue Coat CA Server Web site at
http://abrca.bluecoat.com/sign-manual
9. Paste the CSR and signature into the form.


10. Click Generate Cert.


The signed certificate displays and can be pasted into Director. A sample
certificate follows:

-----BEGIN CERTIFICATE-----
MIIF/jCCBOagAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwgbYxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxIDAeBgNV
BAoTF0JsdWUgQ29hdCBTeXN0ZW1zLCBJbmMuMRkwFwYDVQQLExBCbHVlIENvYXQs
IEFCUkNBMRswGQYDVQQDExJhYnJjYS5ibHVlY29hdC5jb20xJDAiBgkqhkiG9w0B
CQEWFXN5c2FkbWluQGJsdWVjb2F0LmNvbTAeFw0wNzAxMjkyMDM5NDdaFw0xMjAx
MjkyMDM5NDdaMIGGMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcT
CVN1bm55dmFsZTEgMB4GA1UEChMXQmx1ZSBDb2F0IFN5c3RlbXMsIEluYy4xHzAd
BgNVBAsTFkJsdWUgQ29hdCBTRzIwMCBTZXJpZXMxEzARBgNVBAMTCjA1MDUwNjAw
OTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMBUmCuKSsSd+D5kJQiWu3OG
DNLCvf7SyKK5+SBCJU2iKwP5+EfiQ5JsScWJghtIo94EhdSC2zvBPQqWbZAJXN74
k/yM4w9ufjfo+G7xPYcMrGmwVBGnXbEhQkagc1FH2orINNY8SVDYVL1V4dRM+0at
YpEiBmSxipmRSMZL4kqtAgMBAAGjggLGMIICwjAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIE8DBOBgNVHSUERzBFBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBgsr
BgEEAfElAQECAQYLKwYBBAHxJQEBAgIGCysGAQQB8SUBAQIDMB0GA1UdDgQWBBSF
NqC2ubTI7OT5j+KqCPGlSDO7DzCB6wYDVR0jBIHjMIHggBSwEYwcq1N6G1ZhpcXn
OTIu8fNe1aGBvKSBuTCBtjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExEjAQBgNVBAcTCVN1bm55dmFsZTEgMB4GA1UEChMXQmx1ZSBDb2F0IFN5c3Rl
bXMsIEluYy4xGTAXBgNVBAsTEEJsdWUgQ29hdCwgQUJSQ0ExGzAZBgNVBAMTEmFi
cmNhLmJsdWVjb2F0LmNvbTEkMCIGCSqGSIb3DQEJARYVc3lzYWRtaW5AYmx1ZWNv
YXQuY29tggkAhmhbUPEEb60wgZ8GCCsGAQUFBwEBBIGSMIGPMEkGCCsGAQUFBzAB
hj1odHRwczovL2FicmNhLmJsdWVjb2F0LmNvbS9jZ2ktYmluL2RldmljZS1hdXRo
ZW50aWNhdGlvbi9vY3NwMEIGCCsGAQUFBzAChjZodHRwOi8vYWJyY2EuYmx1ZWNv
YXQuY29tL2RldmljZS1hdXRoZW50aWNhdGlvbi9jYS5jZ2kwSAYDVR0fBEEwPzA9
oDugOYY3aHR0cDovL2FicmNhLmJsdWVjb2F0LmNvbS9kZXZpY2UtYXV0aGVudGlj
YXRpb24vQ1JMLmNybDBfBgNVHSAEWDBWMFQGCisGAQQB8SUBAQEwRjBEBggrBgEF
BQcCARY4aHR0cDovL2FicmNhLmJsdWVjb2F0LmNvbS9kZXZpY2UtYXV0aGVudGlj
YXRpb24vcnBhLmh0bWwwDQYJKoZIhvcNAQEFBQADggEBACIhQ7Vu6aGJBpxP255X
d2/Qw7NiVsnqOlAy913QZlieFfVATJnCeSrH+M9B/2XtnRxVT0/ZWrf4GbsdYqTF
hc9jR/IwKu6kZq32Dqo8qFU5OzbAEzT2oebB5QgwuJtHcJHggp9PS9uS27qAnGQK
OeB2bYcjWtMvTvr50iDOV69BEQz+VXos8QiZmRHLVnebQSjl3bi1w3VjBw31tCmc
clgz0SlN9ZmJdRU/PlWdNVqD4OLqcMZQ53HqcdWNEzN2uvigIb//rM7XazK7xIaq
r23/+BsZlYKAeVMq3PEmxaA2zLzO+jf79a8ZvIKrF27nNuTN7NhFL/V6pWNE1o9A
rbs=
-----END CERTIFICATE-----


To import the certificate into Director:


1. Copy the signed certificate to your clipboard. Be sure to include the BEGIN
CERTIFICATE and END CERTIFICATE statements.

2. From the (config) prompt, enter:


director (config) # ssl input appliance-certificate
Enter your certificate now.
Press Ctrl-D when finished, or Ctrl-C to abort.

3. Paste the certificate into the command window.


4. Press Control+D when you are finished.
The following message displays to indicate the import was successful:
Appliance certificate imported OK

To view the imported certificate:

To display the appliance certificate, from the (config) prompt, enter:
director (config) # show ssl appliance-certificate
Confirm that the CN in the certificate's subject field is Director's hardware
serial number (as shown by show version) and that the issuer is the Blue Coat
CA; if either differs, the wrong certificate was pasted.
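Before relying on a requested or imported appliance certificate, it is worth checking offline that it is the certificate you expect: the subject CN must be the appliance's hardware serial number (see "About Appliance Certificates" on page 68), the issuer should be the Blue Coat CA, and the five-year validity window must cover today. The following Python script is an added example, not part of this guide or of Director. It uses only the standard library, walks just enough DER to read those fields, and parses the sample certificate shown in this section, reproduced as SAMPLE_CERT_PEM. The expected issuer CN abrca.bluecoat.com is taken from that sample; replace the constant with the output of show ssl appliance-certificate from your own Director.

```python
# Offline check of a Blue Coat appliance certificate: added example, standard library only.
import base64
from datetime import datetime, timezone
# Sample appliance certificate reproduced from this section of the guide.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIF/jCCBOagAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwgbYxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxIDAeBgNV
BAoTF0JsdWUgQ29hdCBTeXN0ZW1zLCBJbmMuMRkwFwYDVQQLExBCbHVlIENvYXQs
IEFCUkNBMRswGQYDVQQDExJhYnJjYS5ibHVlY29hdC5jb20xJDAiBgkqhkiG9w0B
CQEWFXN5c2FkbWluQGJsdWVjb2F0LmNvbTAeFw0wNzAxMjkyMDM5NDdaFw0xMjAx
MjkyMDM5NDdaMIGGMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcT
CVN1bm55dmFsZTEgMB4GA1UEChMXQmx1ZSBDb2F0IFN5c3RlbXMsIEluYy4xHzAd
BgNVBAsTFkJsdWUgQ29hdCBTRzIwMCBTZXJpZXMxEzARBgNVBAMTCjA1MDUwNjAw
OTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMBUmCuKSsSd+D5kJQiWu3OG
DNLCvf7SyKK5+SBCJU2iKwP5+EfiQ5JsScWJghtIo94EhdSC2zvBPQqWbZAJXN74
k/yM4w9ufjfo+G7xPYcMrGmwVBGnXbEhQkagc1FH2orINNY8SVDYVL1V4dRM+0at
YpEiBmSxipmRSMZL4kqtAgMBAAGjggLGMIICwjAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIE8DBOBgNVHSUERzBFBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBgsr
BgEEAfElAQECAQYLKwYBBAHxJQEBAgIGCysGAQQB8SUBAQIDMB0GA1UdDgQWBBSF
NqC2ubTI7OT5j+KqCPGlSDO7DzCB6wYDVR0jBIHjMIHggBSwEYwcq1N6G1ZhpcXn
OTIu8fNe1aGBvKSBuTCBtjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExEjAQBgNVBAcTCVN1bm55dmFsZTEgMB4GA1UEChMXQmx1ZSBDb2F0IFN5c3Rl
bXMsIEluYy4xGTAXBgNVBAsTEEJsdWUgQ29hdCwgQUJSQ0ExGzAZBgNVBAMTEmFi
cmNhLmJsdWVjb2F0LmNvbTEkMCIGCSqGSIb3DQEJARYVc3lzYWRtaW5AYmx1ZWNv
YXQuY29tggkAhmhbUPEEb60wgZ8GCCsGAQUFBwEBBIGSMIGPMEkGCCsGAQUFBzAB
hj1odHRwczovL2FicmNhLmJsdWVjb2F0LmNvbS9jZ2ktYmluL2RldmljZS1hdXRo
ZW50aWNhdGlvbi9vY3NwMEIGCCsGAQUFBzAChjZodHRwOi8vYWJyY2EuYmx1ZWNv
YXQuY29tL2RldmljZS1hdXRoZW50aWNhdGlvbi9jYS5jZ2kwSAYDVR0fBEEwPzA9
oDugOYY3aHR0cDovL2FicmNhLmJsdWVjb2F0LmNvbS9kZXZpY2UtYXV0aGVudGlj
YXRpb24vQ1JMLmNybDBfBgNVHSAEWDBWMFQGCisGAQQB8SUBAQEwRjBEBggrBgEF
BQcCARY4aHR0cDovL2FicmNhLmJsdWVjb2F0LmNvbS9kZXZpY2UtYXV0aGVudGlj
YXRpb24vcnBhLmh0bWwwDQYJKoZIhvcNAQEFBQADggEBACIhQ7Vu6aGJBpxP255X
d2/Qw7NiVsnqOlAy913QZlieFfVATJnCeSrH+M9B/2XtnRxVT0/ZWrf4GbsdYqTF
hc9jR/IwKu6kZq32Dqo8qFU5OzbAEzT2oebB5QgwuJtHcJHggp9PS9uS27qAnGQK
OeB2bYcjWtMvTvr50iDOV69BEQz+VXos8QiZmRHLVnebQSjl3bi1w3VjBw31tCmc
clgz0SlN9ZmJdRU/PlWdNVqD4OLqcMZQ53HqcdWNEzN2uvigIb//rM7XazK7xIaq
r23/+BsZlYKAeVMq3PEmxaA2zLzO+jf79a8ZvIKrF27nNuTN7NhFL/V6pWNE1o9A
rbs=
-----END CERTIFICATE-----"""
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
EXPECTED_ISSUER_CN = "abrca.bluecoat.com"   # issuer CN observed in the guide's sample

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element of a constructed value, decoding lazily."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                   # base-128 arcs; the high bit is set on all but the last byte
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_name(value):
    """X.501 Name (SEQUENCE of SET of SEQUENCE {OID, value}) -> {'CN': ..., 'OU': ...}."""
    name = {}
    for _, rdn in children(value):
        for _, attr in children(rdn):
            (_, oid), (_, text) = list(children(attr))[:2]
            name[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = text.decode("utf-8", "replace")
    return name

def parse_certificate(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tag, cert, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    fields = children(next(children(cert))[1])      # tbsCertificate, read one field at a time
    tag, value = next(fields)
    if tag == 0xA0:                                 # explicit [0] version present: move on to serial
        tag, value = next(fields)
    next(fields)                                    # signature AlgorithmIdentifier, not needed here
    issuer = parse_name(next(fields)[1])
    not_before, not_after = [datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
                             for t, v in children(next(fields)[1])]   # UTCTime vs GeneralizedTime
    return {"serial": int.from_bytes(value, "big"), "issuer": issuer, "not_before": not_before,
            "not_after": not_after, "subject": parse_name(next(fields)[1])}

def check_appliance_certificate(pem, hardware_serial, now=None):
    """Return the problems found; an empty list means the certificate fits this appliance."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now or datetime.now(timezone.utc).replace(tzinfo=None)
    info, problems = parse_certificate(pem), []
    if info["subject"].get("CN") != hardware_serial:
        problems.append("subject CN %r is not the hardware serial %r" % (info["subject"].get("CN"), hardware_serial))
    if info["issuer"].get("CN") != EXPECTED_ISSUER_CN:
        problems.append("issuer CN %r is not %r" % (info["issuer"].get("CN"), EXPECTED_ISSUER_CN))
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append("not valid on %s (valid %s to %s)" % (now.date(), info["not_before"].date(), info["not_after"].date()))
    return problems
```

The parser reads the tbsCertificate field by field and stops after the subject, so it does not depend on the extensions or the signature; it checks identity and validity only, and is no substitute for the signature verification SGOS performs against the Blue Coat root.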


Section C: Setting Up Registration


This section discusses the following topics:
❐ "About the Registration Process"
❐ "Registration Methods" on page 85

About the Registration Process


Devices use their Blue Coat appliance certificates or a shared secret to confirm
identities before exchanging public keys over an HTTPS connection. If a device
has an appliance certificate, that certificate is used to establish secure
communication with Director.
If a device does not have an appliance certificate, you must either get an
appliance certificate for the device (recommended) or configure a shared secret
(a registration password configured on Director) and enter the shared secret
when registering the device to confirm identities before exchanging public
keys. For more information, see "Getting Appliance Certificates or Setting Up a
Registration Password" on page 75.
After Director and the device authenticate each other, registration is complete
and one of the following SNMP traps is generated:

Condition   Node name                                      OID
Success     blueCoatDirectorSgChgSgAutoregistered          1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed  1.3.6.1.4.1.3417.3.1.2.9

Notes:
❐ The process by which Director and devices authenticate with each other is
not to be confused with the process by which users authenticate with
Director. For more information about user authentication, see the following:
• To authenticate with the Director Management Console using SSH-RSA,
see Chapter 2: "Connecting to Director".
• The discussion of the aaa authentication and username commands in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director
Command Line Interface Reference Guide.
❐ If you attempt to register a device with an incompatible SGOS version, the
error Incompatible SG version displays. In that case, you must add the
device to Director as discussed in Chapter 4: "Adding and Connecting to
Devices".
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall.


Registration Methods
You can set up registration in either of the following ways:
❐ "Registering Devices without Pre-Staged Device Records" on page 86
Use this method to add devices to Director on demand, which is appropriate
for smaller deployments.
❐ "Registering Devices with Pre-Staged Device Records" on page 97
Use this method to pre-stage (that is, pre-create) a basic device configuration,
which includes passwords, for all your devices on Director. This method is
appropriate if you are planning a large deployment.


Section D: Registering Devices without Pre-Staged Device Records


Table 3–2 provides a high-level view of workflow tasks for registering devices
without creating pre-staged device records. It also provides a task description
and the role most suitable for performing the task.
Review this table, then read the sections that follow for detailed information
about each task.
Table 3–2 Workflow Tasks—Registering devices without pre-staged device records

Task 1. Prerequisites
   Description: Complete the following tasks discussed earlier in this chapter:
      • "Prerequisite Tasks" on page 71
      • "Getting Appliance Certificates or Setting Up a Registration Password" on
        page 75, if necessary
      • Section B: "Getting a Director Appliance Certificate" on page 78, if
        necessary
   Role: Director Administrator

Task 2. Register devices with Director.
   Description:
      • Verify the device has been installed and connected to the network.
      • Register the device with Director. This process is discussed in
        "Registering the Device with Director" on page 87.
   Role: ProxySG Technician, ProxySG Administrator

Task 3. Optionally change randomly set passwords for the newly registered
Director device.
   Description:
      • View the newly registered device on Director.
      • Optionally change randomly set passwords (admin user, enable mode, and
        front panel PIN) as discussed in "Setting Passwords for Newly Registered
        Devices on Director" on page 92.
   Role: Director Administrator

Task 4. Place it into a group and configure it using profiles and overlays.
   Description:
      • Section A: "Setting Up and Managing Device Groups" on page 132
      • Section C: "Managing Profiles" on page 144
      • Section D: "Managing Overlays" on page 159
   Role: Director Administrator


Registering the Device with Director


After the device is installed and connected to the network, the device
administrator must configure device-specific initial settings. The procedure you
use to register the device depends, in part, on whether or not the device has been
configured. Use the following guidelines:
❐ If the device has never been configured (that is, does not have an IP address,
subnet mask, or DNS settings), see "Registering the Device Using its Serial
Setup Console" on page 87.
❐ If the device has already been configured, you have the following options:
• Register the device using its serial setup console as discussed in
"Registering the Device Using its Serial Setup Console" on page 87.
• Register the device from the command line as discussed in "Registering
the Device Using its Command Line" on page 89.
• Register the device using its Management Console as discussed in
"Registering a Device Using its Management Console" on page 106.

Registering the Device Using its Serial Setup Console


A device can be initially configured using its front panel or its serial console. Refer
to the device Installation Guide for more information. This section provides sample
information about configuring the device from its serial console.
Initial device configuration settings include:
❐ Register with Director option
❐ Device IP address
❐ Device IP subnet mask
❐ Director IP address
❐ Registration password (only if the device does not have an appliance
certificate. The device’s administrator needs to know this password and it
must be the same one configured on Director.)
❐ Device friendly name (optional; you can configure one later)
❐ Verify the Director serial number
The hardware serial number is printed on a label affixed to the rear panel of
the appliance and it is displayed using the show version detail command.

To register a device with Director using the device’s serial console:


1. Connect one end of a serial null modem cable to the ProxySG appliance’s
serial console and connect the other end to a terminal or computer.
2. Consult the documentation provided with your terminal or computer’s
communication software (such as Windows HyperTerminal) for how to start
the software and configure it.
3. Configure the terminal or computer’s communication software as follows:


• Rate: 9600 bps
• Parity: none
• Flow control: none
• Data bits: 8
• Stop bits: 1
4. Follow the prompts on your screen to connect to the device and start its setup
wizard.
The setup wizard prompts are different for different SGOS versions.
Following is a summary of the prompts and their meanings; however, the
exact verbiage displayed on the wizard might be different.

Setup wizard prompt                           Description
How do you want to set up the SG appliance?   Select the option to register with Director.
Director’s IP address                         Enter Director’s IP address.
Registration password (if prompted)           You are prompted to enter a registration
                                              password only if the appliance does not have
                                              an appliance certificate. If prompted, enter
                                              the registration password you created on
                                              Director.
Appliance name                                Enter an optional “friendly” name to identify
                                              the appliance.

After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

Condition   Node name                                       OID
Success     blueCoatDirectorSgChgSgAutoregistered           1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9

Some error messages follow:

Error                                    Meaning
Could not contact Director               Director likely has no appliance certificate, or
                                         Director is not accessible by this device.
Request rejected by Director: Device     Displays only for pre-staged device records. Make
didn't uniquely match a device record    sure the device record is correct. In particular,
                                         make sure the device’s IP address and serial
                                         number match.


Skip the next section and continue with "Setting Passwords for Newly Registered
Devices on Director" on page 92.

Registering the Device Using its Command Line


This section discusses how to use the device’s command line to register the device
with Director. You can use this procedure only if the device has an IP address,
subnet mask, and DNS settings.

To register a device with Director using the device’s command line:


1. Use a Secure Shell (SSH) application to connect to the device.
2. When prompted, log in as an administrator.
3. When prompted, enter enable.
4. If prompted, enter the enable mode password.
5. At the # prompt, enter the following command:
   register-with-director director_ip
   director_ip is Director’s IP address.


6. When prompted, enter an optional “friendly” name for the device, or press
Enter without a name to set the device name later.
7. When prompted, confirm Director’s hardware serial number.
The hardware serial number is printed on a label affixed to the rear panel of
the device. You can use the show version detail command to display the
serial number.
8. If prompted, enter the registration password.

Note: You are not prompted to enter a registration password if the device has an
appliance certificate.

9. Follow the prompts on your screen to complete the registration process.


If registration is successful, you can view the new device using either the
Management Console’s Configure tab page or using the show devices
command as discussed in Chapter 2, Standard and Enable Mode Commands,
in the Blue Coat Director Command Line Interface Reference Guide. After
registration is complete, the SG-newly-registered SNMP trap is sent.
Some error messages follow:

Error                                    Meaning
Could not contact Director               Director likely has no appliance certificate, or
                                         Director is not accessible by this device.
Request rejected by Director: Device     Displays only for pre-staged device records. Make
didn't uniquely match a device record    sure the device record is correct. In particular,
                                         make sure the device’s IP address and serial
                                         number match.

Registering a Device Using its Management Console


This section discusses how to use the device’s Management Console to register
the device with Director. You can use this procedure only if the device has an IP
address, subnet mask, and DNS settings.

To register a device with Director using its Management Console:


1. Enter the following URL in your browser’s location or address field:
   https://device_host_or_ip:port
   where device_host_or_ip is the device’s fully qualified host name or IP address,
   and port is its HTTPS Console port; by default, the port is 8082.
2. Log in to the device’s Management Console as an administrator.
3. Click the Maintenance tab.
4. On the Maintenance tab page, click Director Registration.
5. Enter the following information:
Table 3–3 Registering a device with Director using the device Management Console

Field                    Description
Director IP address      Enter Director’s fully qualified host name or IP address.
Director serial number   If you know Director’s hardware serial number, enter it in this
                         field. If you do not know Director’s serial number, click
                         Retrieve S/N from Director. (The button is available only after
                         you enter Director’s host name or IP address in the preceding
                         field.)
Appliance name           Enter a unique identifier for the device. The device ID can be a
                         maximum of 250 characters in length and cannot include the
                         following characters: {, }, <, >, (, ), #, or $.


Note: Note the following about registering a device using its Management
Console:
• If the Register button is inactive after you enter Director’s serial number
  or retrieve it from Director, you must enter a registration password. This
  is most likely because the ProxySG appliance has no appliance certificate.
  Either enter a registration password in the provided field or get an
  appliance certificate for the device.
• If an error displays after you click Retrieve S/N from Director saying that
  the device cannot connect to Director, check the following:
  • Make sure Director has an appliance certificate.
  • Log in to the device’s command line and ping Director’s IP address to
    make sure the device can contact Director.

6. Click Register.
You are required to confirm the action.
7. Follow the prompts on your screen to complete the registration process.
• If registration is successful, the following confirmation dialog box
displays:

At the Registration Succeeded dialog box, click OK.


• The message Could not contact Director indicates either Director is not
accessible by ProxySG appliance or that Director has no appliance
certificate.
• Pre-staged device records only. The following error indicates that the
ProxySG appliance did not match the device record you created before
you registered the appliance:

Make sure the device record is correct—in particular, make sure the
device’s IP address and serial number match—and try again.


After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

Condition   Node name                                       OID
Success     blueCoatDirectorSgChgSgAutoregistered           1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9

Setting Passwords for Newly Registered Devices on Director


After registration is complete, the device record is created on Director and the
device is set for SSH-RSA communication. During registration, the device’s
passwords were changed to random strings known only to Director. (Director
changes the admin user’s password, the enable mode password, and the front
panel PIN password.)
Perform one of the following tasks:
❐ To use the passwords assigned during registration so that only Director can
configure the device, skip the remainder of this chapter and continue with
Chapter 5: "Managing Device Groups, Profiles, and Overlays".
❐ To change the passwords so administrators and Director can use the SGOS
Management Console or command line to configure the device, complete the
remainder of the tasks discussed in this section.

To change randomly set passwords:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, right-click the new device whose passwords you
want to set.
4. From the pop-up menu, click Set Passwords.
The Enter Passwords dialog box displays.


5. Enter the new passwords:

   Section            Description
   Enable Password    In the provided fields, enter and confirm a password to access
                      command line enable mode on this device and device record.
                      Character minimum length is 1; maximum length is 64.
   Console Password   In the provided fields, enter and confirm the admin user’s
                      password. Character minimum length is 1; maximum length is 64.
   Frontpanel Pin     In the provided fields, enter and confirm a password to configure
                      the device from its front panel. The character set is 1–9, and
                      the length is 4 characters.
                      To clear the front panel PIN, use either of the following
                      commands:
                      From Director, use:
                      director (config device device_id) # front-panel-pin 0000
                      For more information, refer to Chapter 3, Configure Mode
                      Commands, in the Blue Coat Director Command Line Interface
                      Reference Guide.
                      From the device, use:
                      #(config front-panel) pin 0000
                      For more information, refer to Chapter 3, Privileged Mode
                      Configure Commands, in Command Line Interface Reference, in the
                      ProxySG Appliance Configuration and Management Guide.

Note: To save your changes, you must enter a valid password in all
fields.

6. Click OK.

Related Commands
The pushpassword and front-panel-pin commands set these passwords on
both the device and the device record.
First, enter device_id submode using the following command:
director (config) # device device_id

Then enter the following commands:
director (config device device_id) # pushpassword {enable-password password | front-panel-pin pin | password password}
director (config device device_id) # front-panel-pin pin

The enable-password and serial-console-password commands set these
passwords on the device record only.
director (config device device_id) # enable-password enable-password
director (config device device_id) # serial-console-password password


Changing Properties of a Registered Device


This section discusses how to change the following properties of a device you
have already registered with Director:
❐ Serial number
❐ Serial console password
❐ Front panel PIN

To change the properties of a registered device:


1. Click the Configure tab.
2. On the Configure tab page, in the Groups pane, click the name of the group to
which the device belongs.
If you are not sure, click the All system group.
3. In the Devices pane, right-click the name of the device.
4. From the pop-up menu, click Edit.
The Edit Device dialog box displays.
5. In the Edit Device dialog box, click Advanced Settings.
The Advanced Settings dialog box displays.
6. Click the Auto Registration tab.
The Auto Registration tab page displays as follows:


7. Enter or edit the following information:

   Table 3–4

   Field                     Description
   Serial No                 Enter the device’s serial number.
                             Caution: Because the device serial number is tied to its
                             appliance certificate, use caution before changing it.
   Serial Console Password   Enter a new serial console password for the device.
   Frontpanel Pin            Enter a new front panel PIN for the device. The front panel
                             PIN is a four-digit number. Enter 0000 to clear the front
                             panel PIN.


Section E: Registering Devices with Pre-Staged Device Records


If your company is rolling out a large deployment, you should pre-stage (that
is, pre-create) records for devices to be managed by Director. This workflow
method lets you preconfigure passwords, create profiles and overlays, and
create jobs that are already associated with devices before the devices have
been registered with Director.
Pre-staging has the following advantages:
❐ Devices can be added to groups automatically.
❐ You can target profiles, overlays, and jobs at devices or groups of devices
before registering them.
❐ Jobs can apply profiles and overlays to devices after devices are registered,
automating the configuration process.
❐ If you create passwords in the device records, the passwords are preserved
after registration. (Otherwise, Director changes the passwords to random
strings known only to Director.)
Table 3–5 provides a high-level view of workflow tasks for automatically
registering devices with a Director that has pre-staged device records. It also
provides a task description and the role most suitable for performing the task.
Review this table, then read the sections that follow for detailed information
about each task.
Table 3–5 Workflow tasks—Registering devices with pre-staged device records

Task 1. Prerequisites
   Description: Complete the following tasks discussed earlier in this chapter:
      • "Prerequisite Tasks" on page 71
      • "Setting Up a Director Registration Password" on page 77, if necessary
      • Section B: "Getting a Director Appliance Certificate" on page 78, if
        necessary
   Role: Director Administrator

Task 2. Create a partial device record on Director.
   Description:
      • Create a partial device record that contains configuration information
        for the device that will be deployed. See "Creating a Partial Device
        Record on Director" on page 99.
      • Configure the passwords in the device record.
      • Optionally add devices to groups as discussed in Section A: "Setting Up
        and Managing Device Groups" on page 132.
      • Optionally, configure profiles and overlays for the device. See Section
        C: "Managing Profiles" on page 144 and Section D: "Managing Overlays" on
        page 159.
      • To optionally execute jobs to apply profiles and overlays to devices,
        see Chapter 7: "Managing Content Collections".
   Role: Director Administrator

Task 3. Register devices with Director.
   Description:
      • Verify the device has been installed and connected to the network.
      • Register the device with Director. This process is discussed in
        "Registering Pre-Staged Devices With Director" on page 103.
   Role: ProxySG Technician, ProxySG Administrator

Task 4. Optionally change randomly set passwords for the newly registered
Director device.
   Description:
      • View the newly registered device on Director.
      • If required, change randomly set passwords (admin user, enable mode, and
        front panel PIN) as discussed in "Setting Passwords for Newly Registered
        Devices on Director" on page 92.
        This is necessary only for devices whose partial device records did not
        match the devices being registered. (For example, you did not enter a
        device serial number or you entered the wrong serial number.)
   Role: Director Administrator


Creating a Partial Device Record on Director


A partial device record contains a subset of configuration information for a device
(for example, its IP address, friendly name, device ID, and hardware serial
number). When Director receives a registration request from a device, it tries to
match the information in the request with information that is contained in the
partial device record.
If there is a match between the partial device record and the device, the
passwords in the device record are pushed to the device.

Important: If the partial device record does not contain enough information
for a match, Director creates a new device record. In that case, Director names
the device according to its host name or IP address and also replaces the
device’s admin user password, enable mode password, and front panel PIN
password with random strings known only to Director. To make sure you enter
enough information in the partial device record, see the next section.

Matching Partial Device Records


Director matches information in the device record with device settings in the
following order:
1. Director matches the device’s hardware serial number with the device record
serial number.
2. If the partial device record does not include a hardware serial number,
Director performs the following tasks in the order shown:
a. If the device is configured with a host name, attempts a DNS lookup
on the host name.
b. If the device is configured with an IP address, attempts to match the IP
address.
3. If no match is found for the host name or IP address, Director attempts to
match the device “friendly” name.
If the “friendly” appliance name configured in the device record matches the
appliance name you entered when you registered the device, the device
record is matched to the device. The appliance name becomes the Device ID
and the device name is not changed.
4. If no match can be found for any of the preceding, Director creates a new
device record with the device name and device ID both being set to the
device’s host name or IP address.


If more than one of the preceding parameters exists in the device record, all of
the parameters must match. If any parameter fails to match, Director rejects the
registration request, an error message displays on the device console, and the
following SNMP trap is generated:

Node name                                       OID
blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9
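The matching rules above, worked through as an added Python model that is not Director's own code: the record and request classes, the DNS resolver callback, the outcome names and all sample records are assumptions constructed here to show how a full match, a partial (conflicting) match and no match each end, and which trap each outcome raises.

```python
"""Model of how Director matches a registration request against pre-staged
(partial) device records, following "Matching Partial Device Records". Added
illustration only, not Director's code; names and sample data are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional

# Registration trap OIDs stated in the guide.
TRAP_AUTOREGISTERED = "1.3.6.1.4.1.3417.3.1.2.8"            # success
TRAP_AUTOREGISTRATION_FAILED = "1.3.6.1.4.1.3417.3.1.2.9"   # failure
REJECT_MSG = ("Request rejected by Director: "
              "Device didn't uniquely match a device record")

@dataclass
class DeviceRecord:
    device_id: str
    serial: Optional[str] = None
    host_name: Optional[str] = None
    ip: Optional[str] = None
    device_name: Optional[str] = None       # the "friendly" name
    password: Optional[str] = None          # admin password, kept if pre-staged
    enable_password: Optional[str] = None
    front_panel_pin: Optional[str] = None

@dataclass
class RegistrationRequest:
    serial: str                             # device hardware serial number
    ip: str
    appliance_name: Optional[str] = None    # friendly name typed at registration

@dataclass
class Outcome:
    status: str                             # "matched", "new-record" or "rejected"
    trap: str
    record: Optional[DeviceRecord] = None
    message: str = ""

Resolver = Callable[[str], Optional[str]]   # host name -> IP; stands in for DNS

def parameter_results(rec: DeviceRecord, req: RegistrationRequest,
                      resolve: Resolver) -> List[tuple]:
    """Evaluate each parameter present in the record, in the guide's order:
    serial, host name (via DNS lookup), IP address, friendly name."""
    results = []
    if rec.serial:
        results.append(("serial", rec.serial == req.serial))
    if rec.host_name:
        # Assumption: the resolved address is compared with the device's IP.
        results.append(("host_name", resolve(rec.host_name) == req.ip))
    if rec.ip:
        results.append(("ip", rec.ip == req.ip))
    if rec.device_name:
        results.append(("device_name", rec.device_name == req.appliance_name))
    return results

def match_registration(records: List[DeviceRecord], req: RegistrationRequest,
                       resolve: Resolver) -> Outcome:
    """Every parameter present in a record must match. A record that matches on
    some parameters but fails on another, or more than one fully matching
    record, rejects the request; no candidate at all creates a new record."""
    full, conflicting = [], []
    for rec in records:
        results = parameter_results(rec, req, resolve)
        hits = [name for name, ok in results if ok]
        misses = [name for name, ok in results if not ok]
        if hits and not misses:
            full.append((rec, hits))
        elif hits and misses:
            conflicting.append(rec)
    if conflicting or len(full) > 1:
        return Outcome("rejected", TRAP_AUTOREGISTRATION_FAILED, message=REJECT_MSG)
    if len(full) == 1:
        rec, hits = full[0]
        if hits == ["device_name"]:
            # Matched on the friendly name alone: it becomes the Device ID.
            rec.device_id = req.appliance_name
        return Outcome("matched", TRAP_AUTOREGISTERED, rec)
    # No record claimed the device: Director names it after its IP address and
    # sets all three passwords to random strings only it knows (secrets.* stands
    # in for Director's generator, which the guide does not describe).
    new = DeviceRecord(device_id=req.ip, serial=req.serial, ip=req.ip,
                       device_name=req.ip,
                       password=secrets.token_urlsafe(16),
                       enable_password=secrets.token_urlsafe(16),
                       front_panel_pin="".join(secrets.choice("123456789")
                                               for _ in range(4)))
    return Outcome("new-record", TRAP_AUTOREGISTERED, new)

# Constructed sample records and DNS data, not from any real deployment.
SAMPLE_DNS = {"proxy-d.example.com": "10.0.0.8"}
SAMPLE_RECORDS = [
    DeviceRecord("branch-1", serial="0123456789", ip="10.0.0.5", password="S3cret!"),
    DeviceRecord("branch-2", ip="10.0.0.6", device_name="branch-2"),
    DeviceRecord("lab", device_name="lab-proxy"),
    DeviceRecord("branch-d", host_name="proxy-d.example.com"),
]

def register(req: RegistrationRequest) -> Outcome:
    return match_registration(SAMPLE_RECORDS, req, SAMPLE_DNS.get)
```

A record whose serial number matches but whose IP address does not is the case the guide's "didn't uniquely match" error describes; a request that matches nothing ends with a fresh record whose credentials only Director knows.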

Getting Information for the Partial Device Record


The following tables show required and optional information for the partial
device record.

Getting Required Information for the Partial Device Record


To create a partial device record, you must input the following data into the
Director Management Console’s New Device Wizard:
Table 3–6 Required device information

Required information   Description
Device name            (Optional.) A friendly name for the device that identifies the
                       device in Director.
Device ID              A unique identifier you choose for this device. If you configure
                       the device from the command line, you enter its device ID. When
                       you view the device in the Management Console, the device
                       displays as device_name [device_id].
                       The device ID can be a maximum of 250 characters in length and
                       cannot include the following characters: {, }, <, >, (, ), #, or $.
IP address             The device’s IP address.
Serial number          Device’s hardware serial number, which is printed on a label
                       affixed to the back panel of the device. The hardware serial
                       number is also displayed on the SGOS Management Console in any
                       of the following:
                       • On the Home page when you first log in to the Management
                         Console.
                       • In the ProxySG Management Console, click the Maintenance tab.
                         In the right pane, click the Summary tab and in the left
                         navigation pane, click System and Disks.
                       The hardware serial number can also be found using the
                       privileged mode command show version. Refer to the Command Line
                       Interface Reference for more information about using the SGOS
                       command line.


Getting Optional Information for the Partial Device Record


The following table lists optional information for the device record:
Table 3–7 Optional device information

Optional information   Description
Device name            A friendly name for the device that identifies the device in
                       Director.
Username               Device’s administrator user name.
Password               Administrator’s password.
                       Important: If you do not specify a password, during the
                       registration process Director assigns a random string known only
                       to Director. This is appropriate if you want only Director to
                       manage the device.
                       For you to manage the device by logging in to its Management
                       Console or command line, enter a password. The password is
                       preserved after registration.
Enable mode password   Password to enter enable mode on the command line.
                       Important: If you do not specify a password, during the
                       registration process Director assigns a random string known only
                       to Director. This is appropriate if you want only Director to
                       manage the device.
                       For you to manage the device by logging in to its Management
                       Console or command line, enter a password. The password is
                       preserved after registration.
Front Panel PIN        Four-digit PIN to configure the device using its front LCD panel.
                       Important: If you do not specify a PIN, during the registration
                       process Director assigns a random string known only to Director.
                       This is appropriate if you want only Director to manage the
                       device.
                       For you to manage the device using its front panel, enter a
                       four-digit PIN. The PIN is preserved after registration.
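A pre-flight check for a pre-staged record before it is entered in the New Device Wizard, written as an added Python example that is not the guide's or Director's own code: it applies the device ID, IP address, serial number and front panel PIN rules from Tables 3–6 and 3–7 and reports which credentials Director will replace with random strings. The field keys and function names are assumptions, as is applying the 1–64 character limit from the Set Passwords dialog to pre-staged passwords.

```python
"""Checks for a pre-staged (partial) device record, using the field rules this
guide states. Added illustration, not Director's code: the field keys, function
names and the 1-64 character password limit for pre-staged passwords are assumptions."""
import re
from typing import Dict, List

DEVICE_ID_MAX = 250
DEVICE_ID_FORBIDDEN = set("{}<>()#$")
PASSWORD_MIN, PASSWORD_MAX = 1, 64
PIN_RE = re.compile(r"^[1-9]{4}$")            # front panel PIN: four digits, 1-9
PIN_CLEAR = "0000"                             # clears the PIN
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
CREDENTIAL_FIELDS = ("password", "enable_password", "front_panel_pin")


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the record is acceptable."""
    problems = []
    device_id = rec.get("device_id", "")
    if not device_id:
        problems.append("device_id is required")
    elif len(device_id) > DEVICE_ID_MAX:
        problems.append(f"device_id longer than {DEVICE_ID_MAX} characters")
    bad = sorted(DEVICE_ID_FORBIDDEN & set(device_id))
    if bad:
        problems.append("device_id contains forbidden characters: " + " ".join(bad))
    if not IPV4_RE.match(rec.get("ip", "")):
        problems.append("ip is required and must be a dotted-quad IPv4 address")
    if not rec.get("serial"):
        # Without a serial number Director can match only on host name, IP
        # address or friendly name, so a mismatch creates a new record instead.
        problems.append("serial is required")
    for field in ("password", "enable_password"):
        value = rec.get(field)
        if value is not None and not PASSWORD_MIN <= len(value) <= PASSWORD_MAX:
            problems.append(f"{field} must be {PASSWORD_MIN}-{PASSWORD_MAX} characters")
    pin = rec.get("front_panel_pin")
    if pin is not None and pin != PIN_CLEAR and not PIN_RE.match(pin):
        problems.append("front_panel_pin must be four digits 1-9, or 0000 to clear")
    return problems


def randomized_credentials(rec: Dict[str, str]) -> List[str]:
    """Credentials left empty in the record, which Director replaces at
    registration with random strings known only to Director, so no administrator
    will be able to log in to the device with them."""
    return [name for name in CREDENTIAL_FIELDS if not rec.get(name)]
```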


Creating the Partial Device Record


After getting the information required to create the partial device record, create
the device record using the Director Management Console as discussed in this
section.

To create a partial device record:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the lower left corner of the Configure tab page, click Add Device(s).
The New Device Wizard displays.
4. Click Next.
5. Enter the device ID in the Device ID field.
6. Enter the device’s IP address and serial number in the IP Address and Serial No
fields, respectively.
7. Optional. For you to manage the device after registration using the device’s
Management Console and command line, enter the following:
• Username
• Password
• Enable Mode Password
• Front Panel Pin

Details about these settings are discussed in "Getting Optional Information for
the Partial Device Record" on page 101.
8. To create another partial device record, click Add Row and repeat steps 5
through 7.
9. Click Add Device(s) to save changes.
10. Optionally add the partial device records to groups as discussed in Section A:
"Setting Up and Managing Device Groups" on page 132.
11. Optionally create profiles and overlays for the devices:
• Section C: "Managing Profiles" on page 144
• Section D: "Managing Overlays" on page 159
12. Optionally create jobs to apply profiles and overlays to the device as
discussed in Chapter 7: "Managing Content Collections".
13. Register the devices as discussed in the next section.


Registering Pre-Staged Devices With Director


After the device is installed and connected to the network, the device
administrator must configure device-specific initial settings. The procedure you
use to register the device depends, in part, on whether or not the device has been
configured. Use the following guidelines:
❐ If the device has never been configured (that is, does not have an IP address,
subnet mask, or DNS settings), see "Registering the Device Using its Serial
Setup Console" on page 87.
❐ If the device has already been configured, you have the following options:
• Register the device using its serial setup console as discussed in
"Registering the Device Using its Serial Setup Console" on page 87.
• Register the device from the command line as discussed in "Registering
the Device Using its Command Line" on page 105.
• Register the device using its Management Console as discussed in
"Registering a Device Using its Management Console" on page 106.

Registering the Device Using its Serial Setup Console


A device can be initially configured using its front panel or its serial console. Refer
to the device Installation Guide for more information. This section provides sample
information about configuring the device from its serial console.
Initial device configuration settings include:
❐ Register with Director option
❐ Device IP address
❐ Device IP subnet mask
❐ Director IP address
❐ Registration password (only if the device does not have an appliance
certificate. The device’s administrator needs to know this password and it
must be the same one configured on Director.)
❐ Device friendly name (optional; you can configure one later)
❐ Verify the Director serial number
The hardware serial number is printed on a label affixed to the rear panel of
the appliance and it is displayed using the show version detail command.

To register a device with Director using the device’s serial console:


1. Connect one end of a serial null modem cable to the ProxySG appliance’s
serial console and connect the other end to a terminal or computer.
2. Consult the documentation provided with your terminal or computer’s
communication software (such as Windows HyperTerminal) for how to start
the software and configure it.
3. Configure the terminal or computer’s communication software as follows:


• Rate: 9600 bps
• Parity: none
• Flow control: none
• Data bits: 8
• Stop bits: 1
4. Follow the prompts on your screen to connect to the device and start its setup
wizard.
The setup wizard prompts are different for different SGOS versions.
Following is a summary of the prompts and their meanings; however, the
exact verbiage displayed on the wizard might be different.

Setup wizard prompt                           Description
How do you want to set up the SG appliance?   Select the option to register with Director.
Director’s IP address                         Enter Director’s IP address.
Registration password (if prompted)           You are prompted to enter a registration
                                              password only if the appliance does not have
                                              an appliance certificate. If prompted, enter
                                              the registration password you created on
                                              Director.
Appliance name                                Enter an optional “friendly” name to identify
                                              the appliance.

After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

Condition   Node name                                       OID
Success     blueCoatDirectorSgChgSgAutoregistered           1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9

Some error messages follow:

Error                                    Meaning
Could not contact Director               Director likely has no appliance certificate, or
                                         Director is not accessible by this device.
Request rejected by Director: Device     Displays only for pre-staged device records. Make
didn't uniquely match a device record    sure the device record is correct. In particular,
                                         make sure the device’s IP address and serial
                                         number match.


Skip the next section and continue with "Setting Passwords for Newly Registered
Devices on Director" on page 92.

Registering the Device Using its Command Line


This section discusses how to use the device’s command line to register the device
with Director. You can use this procedure only if the device has an IP address,
subnet mask, and DNS settings.

To register a device with Director using the device’s command line:


1. Use a Secure Shell (SSH) application to connect to the device.
2. When prompted, log in as an administrator.
3. When prompted, enter enable.
4. If prompted, enter the enable mode password.
5. At the # prompt, enter the following command:
register-with-director director_ip

director_ip is Director’s IP address.


6. When prompted, enter an optional “friendly” name for the device, or press
Enter without a name to set the device name later.
7. When prompted, confirm Director’s hardware serial number.
The hardware serial number is printed on a label affixed to the rear panel of
the device. You can use the show version detail command to display the
serial number.
8. If prompted, enter the registration password.

Note: You are not prompted to enter a registration password if the device has an
appliance certificate.

9. Follow the prompts on your screen to complete the registration process.


If registration is successful, you can view the new device using either the
Management Console’s Configure tab page or using the show devices
command as discussed in Chapter 2, Standard and Enable Mode Commands,
in the Blue Coat Director Command Line Interface Reference Guide. After
registration is complete, the SG-newly-registered SNMP trap is sent.
Some error messages follow:

Error                                                                        Meaning
Could not contact Director                                                   Director likely has no appliance certificate, or Director is not accessible by this device.
Request rejected by Director: Device didn't uniquely match a device record   Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.

The following tasks are performed automatically after registration if you had set
them up before you registered the devices:
❐ Device records are added to groups.
❐ Jobs that apply profiles and overlays are run at their scheduled times.

Registering a Device Using its Management Console


This section discusses how to use the device’s Management Console to register
the device with Director. You can use this procedure only if the device has an IP
address, subnet mask, and DNS settings.

To register a device with Director using its Management Console:


1. Enter the following URL in your browser’s location or address field:
https://device_host_or_ip:port
where device_host_or_ip is the device’s fully qualified host name or IP address,
and port is its HTTPS Console port; by default, the port is 8082.
2. Log in to the device’s Management Console as an administrator.
3. Click the Maintenance tab.
4. On the Maintenance tab page, click Director Registration.
5. Enter the following information:
Table 3–8 Registering a device with Director using the device Management Console

Field                    Description
Director IP address      Enter Director’s fully qualified host name or IP address.
Director serial number   If you know Director’s hardware serial number, enter it in this field. If you do not know Director’s serial number, click Retrieve S/N from Director. (The button is available only after you enter Director’s host name or IP address in the preceding field.)
Appliance name           Enter a unique identifier for the device. The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.

Note: Note the following about registering a device using its Management
Console:
• If, after you enter Director’s serial number or retrieve it from Director, the
Register button remains inactive, you must enter a registration password.
This most likely means the ProxySG appliance has no appliance certificate.
Either enter a registration password in the provided field or obtain an
appliance certificate for the device.
• If after you click Retrieve S/N from Director an error displays that the
device cannot connect to Director, check the following:
• Make sure Director has an appliance certificate.
• Log in to the device’s command line and ping Director’s IP address
to make sure the device can contact Director.

6. Click Register.
You are required to confirm the action.
7. Follow the prompts on your screen to complete the registration process.
• If registration is successful, the following confirmation dialog box
displays:

At the Registration Succeeded dialog box, click OK.


• The message Could not contact Director indicates either Director is not
accessible by ProxySG appliance or that Director has no appliance
certificate.
• Pre-staged device records only. The following error indicates that the
ProxySG appliance did not match the device record you created before
you registered the appliance:

Make sure the device record is correct—in particular, make sure the
device’s IP address and serial number match—and try again.

After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

Condition   Node name                                       OID
Success     blueCoatDirectorSgChgSgAutoregistered           1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9
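The trap table above (it also closes the serial-console procedure earlier in this section) is enough to turn registration traps into a simple triage: count outcomes per device and flag devices whose registration keeps failing, which is the case the error table tells you to resolve by checking the pre-staged record’s IP address and serial number. The following Python is an added example and not Blue Coat code; the only values taken from the guide are the two OIDs and node names. The log-line layout it parses is a constructed stand-in for whatever your trap receiver writes, so adapt parse_trap to your receiver’s format, and the sample lines are constructed.

```python
import re
from collections import Counter

# OIDs and node names from the guide's trap table.
TRAP_OIDS = {
    "1.3.6.1.4.1.3417.3.1.2.8": ("blueCoatDirectorSgChgSgAutoregistered", "success"),
    "1.3.6.1.4.1.3417.3.1.2.9": ("blueCoatDirectorSgChgSgAutoregistrationFailed", "failure"),
}
# Match any trap under the same arc so an unexpected sub-id is reported, not silently dropped.
OID_RE = re.compile(r"\b1\.3\.6\.1\.4\.1\.3417\.3\.1\.2\.\d+\b")
DEVICE_RE = re.compile(r"device=(\S+)")

# Constructed receiver lines in an assumed layout (not a real snmptrapd format):
# "<timestamp> <director-ip> trapOID=<oid> device=<device-ip>"
SAMPLE_LOG = """\
2009-06-01T10:15:02Z 192.0.2.5 trapOID=1.3.6.1.4.1.3417.3.1.2.8 device=192.0.2.10
2009-06-01T10:16:40Z 192.0.2.5 trapOID=1.3.6.1.4.1.3417.3.1.2.9 device=192.0.2.11
2009-06-01T10:17:03Z 192.0.2.5 trapOID=1.3.6.1.4.1.3417.3.1.2.9 device=192.0.2.11
2009-06-01T10:17:45Z 192.0.2.5 trapOID=1.3.6.1.4.1.3417.3.1.2.9 device=192.0.2.11
2009-06-01T10:18:10Z 192.0.2.5 trapOID=1.3.6.1.4.1.3417.3.1.2.99 device=192.0.2.12
"""


def parse_trap(line):
    """Return an event dict for a Director registration trap, or None for other lines."""
    m = OID_RE.search(line)
    if not m:
        return None
    oid = m.group(0)
    name, outcome = TRAP_OIDS.get(oid, ("unknown", "unknown"))
    d = DEVICE_RE.search(line)
    return {
        "time": line.split()[0],
        "device": d.group(1) if d else "unknown",
        "oid": oid,
        "trap": name,
        "outcome": outcome,
    }


def triage(text, failure_threshold=3):
    """Summarise registration outcomes per device and flag repeated failures."""
    events = [e for e in map(parse_trap, text.splitlines()) if e]
    failures = Counter(e["device"] for e in events if e["outcome"] == "failure")
    successes = Counter(e["device"] for e in events if e["outcome"] == "success")
    return {
        "events": len(events),
        "successes": dict(successes),
        "failures": dict(failures),
        # Devices that keep failing: verify the pre-staged record's IP address
        # and serial number, as the error table directs.
        "repeated_failures": sorted(d for d, n in failures.items() if n >= failure_threshold),
        # Sub-ids not in the table: worth a look rather than a silent drop.
        "unknown_oids": sorted({e["oid"] for e in events if e["outcome"] == "unknown"}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The threshold is deliberately low because a device that fails registration three times in a few minutes is almost always a record mismatch rather than a transient network problem; raise it if your devices legitimately retry.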

Changing Passwords on Pre-Staged Devices (If Required)


Provided your pre-staged device records matched the devices you registered, you
do not need to change the devices’ passwords. However, if errors displayed
indicating that device records were not matched, Director sets the following
passwords to random strings known only to Director: admin user’s password,
enable mode password, and front panel PIN.
To change passwords on those devices, see "Setting Passwords for Newly
Registered Devices on Director" on page 92.

Changing Properties of a Registered Device


This section discusses how to change the following properties of a device you
have already registered with Director:
❐ Serial number
❐ Serial console password
❐ Front panel PIN

To change the properties of a registered device:


1. Click the Configure tab.
2. On the Configure tab page, in the Groups pane, click the name of the group to
which the device belongs.
If you are not sure, click the All system group.
3. In the Devices pane, right-click the name of the device.
4. From the pop-up menu, click Edit.
The Edit Device dialog box displays.
5. In the Edit Device dialog box, click Advanced Settings.
The Advanced Settings dialog box displays.
6. Click the Auto Registration tab.

The Auto Registration tab page displays as follows:

7. Enter or edit the following information:


Table 3–9

Field                     Description
Serial No                 Enter the device’s serial number. Caution: Because the device serial number is tied to its appliance certificate, use caution before changing it.
Serial Console Password   Enter a new serial console password for the device.
Frontpanel Pin            Enter a new front panel PIN for the device. The front panel PIN is a four-digit number. Enter 0000 to clear the front panel PIN.

109
Director Configuration and Management Guide

Section F: Marking a Device As Configured


This section discusses how to optionally change a device’s state to Configured,
which can assist you in remembering which devices you have pushed profiles
or overlays to. For example, after adding or registering a device, you can apply
a profile or overlay to it and then mark the device’s state as Configured.

To change a device’s state to Configured:


1. Log in to the Management Console as discussed in "Connecting to Director
with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Groups pane, click the Registered group.
4. In the Devices pane, right-click the device name.
5. From the pop-up menu, click Mark As Configured.
An example follows:

The device moves from the Registered group to the Unassigned group.
Chapter 4: Adding and Connecting to Devices

This chapter discusses how to add devices and how to connect to them from
Director. Topics include:
❐ "About Adding Devices"
❐ "Adding Devices" on page 114
❐ "Connecting to a Device" on page 123
❐ "Changing the Authentication Protocol" on page 124
❐ "Marking a Device as Configured" on page 129

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

About Adding Devices


Adding ProxySG appliances (that is, devices) is an alternative to registering
devices, which is discussed in Chapter 3: "Registering Devices". You can add
one or more devices at a time to Director using either the Management Console
or the command line.
Adding devices differs from registering devices in the following ways:
❐ After you add a device, the device uses SSH Simple to authenticate itself
with and communicate with Director.
Blue Coat strongly recommends changing the protocol to SSH-RSA, which
is a separate, manual step.
After you register a device, however, the device uses the SSH-RSA protocol.
❐ All other configuration must be done manually after you add a device,
whereas if you register devices using pre-stage device records, you can
automatically add devices to groups; push passwords to devices; and
configure jobs to apply profiles and overlays to devices or groups of
devices.

Adding Devices
Use the Director Management Console’s New Device Wizard to add devices
using either of the following methods:
❐ Importing a device identification file
A device identification file is a text file that contains a comma-separated value
list of the data required to identify new devices. The New Device Wizard
includes a sample device identification file you can use as a template.
❐ Manually entering the required data

Note: If you add devices using a device identification file, you must enter data for
all fields in the correct order. Otherwise, the add device operation will fail and
errors will display.

To add a device, you must input the following data into the New Device Wizard.
Unless otherwise noted, all information is required for Director to add the device
and to communicate with the device.
Table 4–1 Required device information

Required information      Description
Device name               A friendly name for the device that identifies the device in Director.
Device ID                 A unique identifier for this device. The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.
IP address                The device’s IP address.
Web port                  The device’s HTTPS Console port. To find this value, log in to the ProxySG Management Console for the device and click Services > Management Services. The port value displays in the right pane in the Port column for HTTPS-Console.
Authentication port       SSH port; by default, port 22.
User name                 Administrator user name of the device to manage.
Password                  Administrator’s password.
Enable mode password      Enable mode password of the ProxySG device to manage. By default, the enable mode password is the same as the device’s administrator password.
Serial console password   Serial console password, if any, of the ProxySG device to manage.
Front panel PIN           Enter the front panel PIN, if one is configured for this device. The front panel PIN is an optional configuration setting discussed in the Installation Guide for your ProxySG appliance, and also in Command Line Interface Reference.
Serial number             Device’s hardware serial number, which is printed on a label affixed to the back panel of the device. The hardware serial number is displayed on the SGOS Management Console in any of the following:
                          • On the Home page when you first log in to the Management Console.
                          • In the ProxySG Management Console, click the Maintenance tab. In the right pane, click the Summary tab and in the left navigation pane, click System and Disks.
                          The hardware serial number can also be found using the enable mode command show version. Refer to the Command Line Interface Reference for more information about using the SGOS command line.
Registered                Choose whether or not to register the device with this Director.

See one of the following sections:
❐ "Adding a Device Using an Identification File"
❐ "Adding Devices Manually" on page 117

Adding a Device Using an Identification File


This section discusses how to add a device using a device identification file—a
comma-separated value (.csv) file containing information required to add the
device. For more information about the device identification file, including an
example, start the New Device Wizard and click the link to display an example
file.

Important:
• Before running the New Device Wizard, make sure your device
identification file has a value for every field and that every value is
separated by a comma character. Otherwise, the add device operation
will fail and errors will display. For assistance, view the sample file in
the New Device Wizard.
• The comma character is reserved for delimiting fields. Do not use
comma characters in other fields, such as the comment field. Doing so
causes device creation to fail.
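The two rules above (a value in every field, the comma reserved as the delimiter) and the device ID constraints from Table 4–1 can be checked before you start the New Device Wizard, so a bad file fails on your desk rather than in the import. The following Python is an added example written from this guide’s description, not a Blue Coat tool. It assumes the columns appear in the order of Table 4–1, that the fields the guide marks “if any” or optional may be empty, and that the Registered column holds yes or no; the sample file in the New Device Wizard is authoritative, so adjust FIELDS if its layout differs. The sample records are constructed.

```python
import ipaddress

# Assumed column order: the rows of Table 4-1, top to bottom. Check the sample
# file in the New Device Wizard and adjust if its order differs.
FIELDS = (
    "device_name", "device_id", "ip_address", "web_port", "auth_port",
    "username", "password", "enable_password", "serial_console_password",
    "front_panel_pin", "serial_number", "registered",
)
# Fields the guide marks "if any" or optional may be left empty.
OPTIONAL = {"enable_password", "serial_console_password", "front_panel_pin"}
# Device ID limits stated in Table 4-1.
FORBIDDEN_ID_CHARS = set("{}<>()#$")
MAX_ID_LEN = 250


def validate_line(lineno, line):
    """Validate one record; return (record or None, list of error strings)."""
    # The comma is reserved as the delimiter, so a plain split models the wizard:
    # a comma inside any field changes the field count and the record is rejected.
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != len(FIELDS):
        return None, [f"line {lineno}: expected {len(FIELDS)} fields, found {len(fields)} "
                      "(check for a stray comma inside a field)"]
    rec = dict(zip(FIELDS, fields))
    errors = []

    for name in FIELDS:
        if name not in OPTIONAL and not rec[name]:
            errors.append(f"line {lineno}: {name} is required")

    dev_id = rec["device_id"]
    if len(dev_id) > MAX_ID_LEN:
        errors.append(f"line {lineno}: device_id longer than {MAX_ID_LEN} characters")
    bad = sorted(FORBIDDEN_ID_CHARS.intersection(dev_id))
    if bad:
        errors.append(f"line {lineno}: device_id contains forbidden character(s) {''.join(bad)}")

    try:
        ipaddress.ip_address(rec["ip_address"])
    except ValueError:
        errors.append(f"line {lineno}: ip_address {rec['ip_address']!r} is not a valid IP address")

    for port_field in ("web_port", "auth_port"):
        value = rec[port_field]
        if not (value.isdigit() and 1 <= int(value) <= 65535):
            errors.append(f"line {lineno}: {port_field} {value!r} is not a port in 1-65535")

    pin = rec["front_panel_pin"]
    if pin and not (len(pin) == 4 and pin.isdigit()):
        errors.append(f"line {lineno}: front_panel_pin must be four digits (0000 clears it)")

    # Assumed encoding of the Registered column.
    if rec["registered"].lower() not in ("yes", "no"):
        errors.append(f"line {lineno}: registered must be yes or no")

    return (rec if not errors else None), errors


def validate_file(text):
    """Validate a whole file; return (valid records, all errors). Blank lines are skipped."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec, errs = validate_line(lineno, line)
        errors.extend(errs)
        if rec is not None:
            records.append(rec)
    return records, errors


# Constructed sample file: documentation addresses (RFC 5737) and made-up serials.
# Record 2 has a forbidden character, a bad address and a short PIN;
# record 3 has a comma inside a trailing comment field.
SAMPLE_FILE = """\
branch-proxy-01,bp01,192.0.2.10,8082,22,admin,admin-pw,enable-pw,,1234,0123456789,no
branch-proxy-02,bp#02,192.0.2.300,8082,22,admin,admin-pw,,,12,0123456790,no
branch-proxy-03,bp03,192.0.2.12,8082,22,admin,admin-pw,,,0000,0123456791,no,spare comment
"""

if __name__ == "__main__":
    ok, problems = validate_file(SAMPLE_FILE)
    print(f"{len(ok)} valid record(s): {[r['device_id'] for r in ok]}")
    for p in problems:
        print("ERROR", p)
```

Records that fail any check are withheld rather than partially accepted, matching the wizard’s all-or-nothing behaviour; fix the reported lines and re-run before importing.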

To add a device by importing a device identification file:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, click Add Device(s).
4. Read the information that displays on the New Device Wizard and click Next.
The Import page displays as follows (the page includes a link you can click to learn more about the file format):
5. Select the import options:

Option                                            Description
Click Here link                                   Click the link to view a sample device identification file.
Yes, import the appliance file at this location   Enter the absolute path and file name of your device information file, or click Browse to locate it.
No. I will manually enter the information         Manually enter device information.

6. Click Next.

The imported appliance data displays on the Summary page.

7. Click Finish to return to the Configure tab page.


The added devices display in the All or Unassigned to Group categories in the
Group pane. To assign devices to groups, see Section A: "Setting Up and
Managing Device Groups" on page 132.

Adding Devices Manually


This section discusses how to manually add one or more devices.

To manually add devices:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, click Add Device(s).
4. Read the information that displays on the New Device Wizard and click Next.

The Import page displays as follows:

5. Click No and click Next.


The next page displays.

6. Place the cursor in the field in which to enter the following information and
use either the mouse or the Tab key to move between fields. Unless otherwise
noted, all information is required.
Note: Your input cannot include any of the characters listed in "Forbidden
Characters" on page 30.
Table 4–2 Adding a device manually

Field                     Description
Device Name               A friendly name for the device that identifies the device in Director.
Device ID                 A unique alphanumeric identifier for this device. Important: The device ID cannot be changed later.
IP Address                The device’s IP address. Important: The IP address cannot be changed later.
Web Port                  The device’s HTTPS Console port. To find this value, log in to the ProxySG Management Console for the device and click Services > Management Services. The port value displays in the right pane in the Port column for HTTPS-Console.
Auth Port                 SSH port; by default, port 22.
Username                  Administrator user name of the device to manage.
Password                  Administrator’s password.
Enable Mode Password      Enable mode password, if any, of the device to manage.
Serial Console Password   Serial console password, if any, of the device to manage.
Front Panel PIN           Enter the front panel PIN, if one is configured for this device. The front panel PIN is an optional configuration setting discussed in Command Line Interface Reference.
Serial Number             The ProxySG device’s hardware serial number, which is printed on a label affixed to the back panel of the device. You can find the hardware serial number in any of the following ways:
                          • Displayed on the SGOS Management Console:
                            • On the Home page when you first log in to the Management Console.
                            • In the SGOS Management Console, click the Maintenance tab. In the right pane, click the Summary tab and in the left navigation pane, click System and Disks.
                          • Using the show version command.
Registered                Choose whether or not to mark the device as registered with Director. Note: Marking a device as Registered is not the same as registering the device as discussed in Chapter 3: "Registering Devices".

Note: A red border around a cell in the New Devices table indicates the data is
invalid.

7. (Optional) Click Add Row to enter information for another device.

8. When you are finished configuring devices, click one of the following:
• Previous to return to a previous page to change configuration information.
• Next or Last to display the Summary page.
The Summary page displays configuration about the devices you are adding
as follows:

9. Click Finish to return to the Configure pane.

The added devices display in the All or Unassigned to Group categories in the
Group pane. To assign devices to groups, see Section A: "Setting Up and
Managing Device Groups" on page 132.

Related CLI Syntax to Add Devices


This section discusses commands you can use to add devices; however, Blue Coat
recommends using the Director Management Console to add devices to Director
for the following reasons:
❐ You can add one device at a time using the CLI, but the New Device Wizard
allows you to add multiple devices at one time.
❐ The CLI requires you to enter the device ID in every command.
director (config) # device device_id
This changes the prompt to
director (config device "device_id") #

❐ Common Authentication Commands
For Director to connect to a device, you must enter the following commands at
minimum:
(config device device_id) # address hostname_or_ip_address
(config device device_id) # enable-password enable-password
(config device device_id) # web-config port port_number
(config device device_id) # protocol sshv2 port port_number

This command is required only if you use a port other than the default, 22.
(config device device_id) # front-panel-pin pin

This command is required only if a front panel PIN is set on the device.
❐ Commands for SSH Simple Authentication
SSH Simple authentication means Director uses an unencrypted user name
and password to authenticate itself with the device. Because the user name
and password are not encrypted, Blue Coat strongly recommends you use
SSH-RSA authentication as discussed in the next section.
For Director to authenticate itself with a device non-securely using SSH
Simple authentication, you must enter the following commands in addition to
the commands discussed in the preceding bullet point.
(config device device_id) # auth simple password password
(config device device_id) # auth simple username username

❐ Commands for SSH-RSA Authentication


For a device to authenticate securely with Director using SSH-RSA, you have
the following options:
• Add the device using SSH Simple authentication and upload keyrings to
the device to change it to SSH-RSA
The commands required to perform these tasks are discussed in this
section.
• Register the device with Director, which adds it and causes it to
authenticate using SSH-RSA in one step
SSH-RSA communication authenticates Director with devices using a secure
channel and private/public key cryptography. To authenticate, Director uses
a reserved user name director and a keyring stored on the device.
For Director to use SSH-RSA authentication, you must enter the following
commands in addition to the commands discussed in the bullet point about
simple authentication commands.
(config device device_id) # auth simple username username
(config device device_id) # auth simple password password

The auth simple username and auth simple password commands are
required for Director to use the device’s CLI to set up SSH-RSA
authentication.
(config device device_id) # auth rsa username director

This reserved user name is required for Director to authenticate the device.
(config device device_id) # auth rsa key {copy device_id sshv1 | generate sshv2}

This command gives you the choice of copying a keyring from another
device or generating a new keyring for the device.
(config device device_id) # pushkey sshv2
(config device device_id) # authtype rsa
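The commands in this section come with conditions (protocol sshv2 port only for a non-default SSH port, front-panel-pin only when a PIN is set, SSH-RSA still needing the simple credentials so Director can drive the device CLI, and the reserved user name director), which is exactly what gets forgotten when the sequence is typed by hand for each device. As an added illustration, not part of Director or any Blue Coat tool, the following Python renders the sequence for one device record from those rules; the record layout and the prompt text in render are assumptions based on the commands shown above, and the sample record is constructed.

```python
# Renders the Director config-mode command sequence from "Related CLI Syntax
# to Add Devices". Example code, not a Blue Coat tool.
DEFAULT_SSH_PORT = 22
RSA_USERNAME = "director"   # the only user name Director accepts for SSH-RSA


def device_commands(rec, auth="simple", copy_key_from=None):
    """Return the commands, in order, needed to add the device described by rec.

    rec keys (assumed layout): device_id, address, enable_password, web_port,
    auth_port, front_panel_pin (may be empty), username, password.
    auth: "simple" for SSH Simple, "rsa" for SSH-RSA.
    copy_key_from: device ID whose keyring is copied; None generates a new keyring.
    """
    if auth not in ("simple", "rsa"):
        raise ValueError("auth must be 'simple' or 'rsa'")

    cmds = [f"device {rec['device_id']}"]
    # Minimum commands for Director to connect.
    cmds += [
        f"address {rec['address']}",
        f"enable-password {rec['enable_password']}",
        f"web-config port {rec['web_port']}",
    ]
    # Required only when the SSH port is not the default.
    if int(rec.get("auth_port") or DEFAULT_SSH_PORT) != DEFAULT_SSH_PORT:
        cmds.append(f"protocol sshv2 port {rec['auth_port']}")
    # Required only when a front panel PIN is set on the device.
    if rec.get("front_panel_pin"):
        cmds.append(f"front-panel-pin {rec['front_panel_pin']}")
    # Both authentication types need the simple credentials; SSH-RSA uses
    # them to reach the device CLI and install the keyring.
    cmds += [
        f"auth simple username {rec['username']}",
        f"auth simple password {rec['password']}",
    ]
    if auth == "rsa":
        cmds.append(f"auth rsa username {RSA_USERNAME}")
        if copy_key_from:
            # Keywords as the guide prints them.
            cmds.append(f"auth rsa key copy {copy_key_from} sshv1")
        else:
            cmds.append("auth rsa key generate sshv2")
        cmds += ["pushkey sshv2", "authtype rsa"]
    return cmds


def render(cmds):
    """Prefix each command with the prompt the guide shows for that mode (assumed text)."""
    device_id = cmds[0].split(" ", 1)[1]
    lines = [f"director (config) # {cmds[0]}"]
    lines += [f'director (config device "{device_id}") # {c}' for c in cmds[1:]]
    return "\n".join(lines)


# Constructed sample record (documentation address, made-up credentials).
SAMPLE_DEVICE = {
    "device_id": "bp01", "address": "192.0.2.10", "enable_password": "enable-pw",
    "web_port": "8082", "auth_port": "2222", "front_panel_pin": "",
    "username": "admin", "password": "admin-pw",
}

if __name__ == "__main__":
    print(render(device_commands(SAMPLE_DEVICE)))
    print()
    print(render(device_commands(SAMPLE_DEVICE, auth="rsa")))
```

Generating the SSH-RSA sequence this way also makes the final pushkey and authtype steps impossible to skip, which is the incomplete-configuration case the Management Console procedure later in this chapter warns about.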

Connecting to a Device
This section discusses how to connect to a device using the Management Console.
After you add a device, Director attempts to connect to it. If the connection is
unsuccessful, see the troubleshooting suggestions in Table 4–3.

To connect to a device:
1. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
2. Click the Configure tab.

A (disconnected) indicator displays next to the name of a device to which
Director is not currently connected.
3. In the Configure tab page, right-click the device to which to connect.
4. From the pop-up menu, click Reconnect.

If connection is successful, the icon changes to (connected).


If connection is unsuccessful, the reason displays in the Description pane,
similarly to the following:

The following table discusses common reasons for disconnection and
suggested workarounds:
Table 4–3 Troubleshooting disconnected devices

Reason                                       Suggestion
Director cannot reach the device             If Director and the device it manages are across firewalls that prevent communication, Director cannot reach the device. To determine if this is the problem, log in to Director and ping the device: use an SSH application to connect to Director, log in with its administrator user name and password, and enter ping device-ip-address at the director > prompt. If Director cannot ping the device, verify the device is powered on and functioning properly, and check firewall configurations to make sure the networks on which the device and Director are located can communicate with each other.
Incorrect device setup information           Incorrect information, including missing information, can prevent Director from communicating with a device. To determine if this is the problem, on the Configure tab page, right-click the device, and click Edit. Verify all information about the device, including all configured passwords and the front panel PIN, if configured.
Device is powered off or is malfunctioning   If the device is powered off or if its connection to the network failed, Director cannot communicate with it. Verify all of the following:
                                             • The device is powered on.
                                             • The switch or router port to which the device is connected is enabled and functioning.
                                             • The device’s Ethernet adapter is functional. See the Quick Start Guide or the Installation Guide for your appliance to verify it is functioning properly.

Changing the Authentication Protocol


After a device has been added to Director, you should configure the system to use
SSH-RSA to authenticate Director with the devices it manages.
SSH-RSA has the following benefits:
❐ Securing the network. Devices that are authenticated have exchanged keys,
verified each others’ identity, and know which devices are trusted. Passwords
are not sent over the network.
❐ Preventing man-in-the-middle attacks. Using RSA public/private key
authentication prevents man-in-the-middle attacks by using the server's host
key to verify the other host’s identity. Because the man-in-the-middle cannot
access the private key, the attacker cannot decrypt the traffic between the
server and the client.
❐ Secure profiles. When you create a device profile using a source device that
communicates with Director using SSH-RSA, Director includes in the profiles
keyrings, certificates, and other settings that would otherwise be encrypted. If
the source device uses SSH Simple, however, these encrypted settings are
omitted from the profile.

❐ Securing protocols. Many protocols require authentication at each end of the
connection before they are considered secure. SSH-RSA authentication means
that each host verifies the other’s identity at each end of the connection.
The following table summarizes the differences between SSH Simple and SSH-RSA:

Feature                                          SSH Simple   SSH-RSA
Is communication encrypted?                      Yes          Yes
Are passwords sent over the network?             Yes          No
Is it vulnerable to man-in-the-middle attacks?   Yes          No

Note: The process by which Director and devices authenticate with each other is
not to be confused with the process by which users authenticate with Director. For
more information about user authentication, see the following:
❐ To log in to the Director Management Console using SSH-RSA, see
Chapter 2: "Connecting to Director".
❐ The discussion of the aaa authentication and username commands in Chapter
3, Configuration Mode Commands, in the Blue Coat Director Command Line
Interface Reference Guide.

To change the protocol to SSH-RSA:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Make sure you are connected to the device for which to set the protocol.
To connect to a device, see "Connecting to a Device" on page 123.
4. On the Configure tab page, right-click the device on which to set the protocol.
5. From the pop-up menu, click Edit.

The Edit Device dialog displays as follows:

6. Click SSH-RSA.
In the RSA Username field, the name director automatically displays. director
is the only user name allowed for SSH-RSA communication.
7. To generate an RSA key, click Change Key at the bottom of the dialog box.

Director can create a new SSH-RSA keypair, or you can use a keypair from
another device that is currently connected to Director.
8. Do any of the following:
a. To generate a new keypair, click Generate a new keypair.
b. To re-use a keypair, click Use a keypair from another device and enter the
device ID.
9. Click OK.

10. Click Push key to device.


This step causes the key to be pushed to the device. Failure to push the key
results in incomplete configuration.
11. Click OK.
12. Verify the change by seeing if SSH-RSA is listed for the device under Device
Properties in the Properties pane.

An example follows (the Properties pane confirms the device uses SSH-RSA):
After successfully adding the device and changing the protocol, continue
configuring the device as discussed in Chapter 5: "Managing Device Groups,
Profiles, and Overlays".

Marking a Device as Configured


This section discusses how to optionally change a device’s state to Configured,
which can assist you in remembering which devices you have pushed profiles or
overlays to. For example, after adding or registering a device, you can apply a
profile or overlay to it and then mark the device’s state as Configured.

To change a device’s state to Configured:


1. Log in to the Management Console as discussed in "Connecting to Director
with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Groups pane, click the Registered group.
4. In the Devices pane, right-click the device name.
5. From the pop-up menu, click Mark As Configured.
An example follows:

The device moves from the Registered group to the Unassigned group.

Chapter 5: Managing Device Groups, Profiles, and Overlays

This chapter discusses how to manage groups, profiles, overlays, and
substitution variables. Topics include:
❐ Section A: "Setting Up and Managing Device Groups" on page 132
❐ Section B: "Managing Folders for Profiles and Overlays" on page 140
❐ Section C: "Managing Profiles" on page 144
❐ Section D: "Managing Overlays" on page 159

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

Section A: Setting Up and Managing Device Groups


This section discusses Director groups, which can be used to associate devices
with similar characteristics (for example, model number, geographical location,
or function).
This section discusses the following topics:
❐ "About Director Groups"
❐ "Adding Custom Groups" on page 136
❐ "Removing a Custom Group" on page 138
❐ "Adding Devices to a Custom Group" on page 138

About Director Groups


If you have a number of ProxySG appliances that have similar characteristics,
such as configuration, location, or content requirements, you can create a group
and add the devices to the group.

Note:
❐ Only 500 devices can be viewed in the Director Management Console at one
time, even if the devices are managed by different Director appliances.
❐ A summary of tasks you can perform using system groups and custom
groups can be found in "Tasks Supported by Device Groups" on page 135.

Director supports the following types of groups:


❐ Custom groups, which you define.
❐ The following System groups:

System group type   Description
All                 All devices added to this Director.
Unassigned          All devices that do not belong to a custom group.
Registered          All devices that have been registered with Director.
Not Registered      All devices that have not been registered.
Model               Devices grouped by model number (for example, the SG 210 group displays all SG 210 devices).
OS Version          Devices grouped by SGOS version.

Note: Director automatically nests Model and OS Version system groups;
however, this is not configurable. You cannot nest system groups, but you can
nest custom groups.

The following figure shows an example:

For more information about each type of group, see the following sections:
❐ "About System Groups"
❐ "About Custom Groups" on page 135

About System Groups


When devices are added to Director, they are placed in the All system group, a
Model group, and an OS Version group. Until the devices are assigned to a
custom group, they are also placed in the Unassigned system group.
Devices are removed from system groups only if the devices are deleted from
Director.
To add a device to a group, select the device in the All or Unassigned system
groups and drag and drop the device into the custom group of your choice.
The following figure shows an example:

Following is a brief description of each type of system group:


❐ All includes all devices Director manages.
❐ Unassigned includes only devices that have not been added to custom
groups.
❐ Registered includes devices that have been registered with Director as
discussed in Chapter 3: "Registering Devices".
Unless the device was previously added to a custom group, a device moves
from the Registered group to the Unassigned group after you mark it as
configured as discussed in Section F: "Marking a Device As Configured" on
page 110.
❐ Not Registered includes all devices that have not yet been registered with
Director.
❐ Model displays devices by model type. The figure displays several model
types (SG 200, SG 510, and so on). If you expand any node, the number of
devices of each device type displays.
The following figure shows an example of Director that manages one SG510-10
and one SG510-B:

❐ OS Version displays devices by SGOS version. Similarly to the Model groups,
expanding a node displays the number of devices running that SGOS version.
The following figure shows an example of Director that manages one device
running SGOS 5.4.1.1 and one device running SGOS 5.4.1.3:



About Custom Groups


You can create as many custom groups as required, and groups can be nested in
other groups. When a device is assigned to a custom group, it is removed from the
Unassigned system group, but not from the All system group.
You can create custom groups before you add devices, or you can add devices
first. The two are independent of one another.
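The membership rules described above (every device is in All, in one Model group and one OS Version group; Unassigned holds a device only while it is in no custom group; a device may sit in several custom groups; deleting a custom group returns its devices to Unassigned without deleting them) are easy to get wrong when you script against Director's inventory. The following Python model is an added example, not Director code: it encodes those rules so you can predict which devices an action on a given group reaches. The Device.state field, the group-ID validation, the nested-group deletion rule and the recursive lookup of nested-group members are this example's assumptions.

```python
"""Director-style device grouping model.

Added example (not Director's own code). It encodes the membership rules the
guide states: every device is in All, in one Model group and one OS Version
group; Registered and Not Registered follow registration state; Unassigned
holds devices that are in no custom group (a freshly registered device stays in
Registered until it is marked configured); a device may belong to several
custom groups; deleting a custom group returns its devices to Unassigned and
deletes nothing. The Device.state field, the nested-group deletion rule and the
recursive member lookup are this example's assumptions.
"""
from dataclasses import dataclass

FORBIDDEN_ID_CHARS = set("{}<>()#$")   # characters the guide disallows in a group ID


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str                  # for example "SG510"
    sgos: str                   # for example "5.4.1.1"
    state: str = "configured"   # "not-registered" | "registered" | "configured" (assumed)


def is_valid_group_id(group_id):
    return bool(group_id) and not (FORBIDDEN_ID_CHARS & set(group_id))


class Inventory:
    def __init__(self):
        self.devices = {}   # device_id -> Device
        self.custom = {}    # group_id -> set of device_ids directly in the group
        self.parent = {}    # nested group_id -> parent group_id

    def add_device(self, dev):
        self.devices[dev.device_id] = dev

    def delete_device(self, device_id):
        """Deleting from Director is the only way a device leaves the system groups."""
        del self.devices[device_id]
        for members in self.custom.values():
            members.discard(device_id)

    def add_group(self, group_id, parent=None):
        if not is_valid_group_id(group_id) or group_id in self.custom:
            raise ValueError(f"invalid or duplicate group ID {group_id!r}")
        if parent is not None and parent not in self.custom:
            raise KeyError(parent)
        self.custom[group_id] = set()
        if parent is not None:
            self.parent[group_id] = parent

    def assign(self, group_id, device_id):
        """Drag-and-drop into a custom group adds the device; it never moves it."""
        if device_id not in self.devices:
            raise KeyError(device_id)
        self.custom[group_id].add(device_id)

    def remove(self, group_id, device_id):
        """'Remove' from a custom group: the device stays in Director."""
        self.custom[group_id].discard(device_id)

    def delete_group(self, group_id):
        """Delete the group and (assumed) its nested groups; devices are untouched."""
        for child in [g for g, p in self.parent.items() if p == group_id]:
            self.delete_group(child)
        del self.custom[group_id]
        self.parent.pop(group_id, None)

    def members(self, group_id, recursive=False):
        """Devices in a custom group, optionally including its nested groups."""
        found = set(self.custom[group_id])
        if recursive:
            for child, p in self.parent.items():
                if p == group_id:
                    found |= self.members(child, recursive=True)
        return found

    def system_groups(self):
        """Derive the system groups from device attributes and custom membership."""
        in_custom = set().union(*self.custom.values())
        groups = {"All": set(), "Unassigned": set(), "Registered": set(),
                  "Not Registered": set(), "Model": {}, "OS Version": {}}
        for did, dev in self.devices.items():
            groups["All"].add(did)
            groups["Model"].setdefault(dev.model, set()).add(did)
            groups["OS Version"].setdefault(dev.sgos, set()).add(did)
            if dev.state == "registered":
                groups["Registered"].add(did)
            elif dev.state == "not-registered":
                groups["Not Registered"].add(did)
            if dev.state != "registered" and did not in in_custom:
                groups["Unassigned"].add(did)
        return groups


def build_sample_inventory():
    """Constructed sample: four devices, one nested custom group."""
    inv = Inventory()
    inv.add_device(Device("sg510-a", "SG510", "5.4.1.1"))
    inv.add_device(Device("sg510-b", "SG510", "5.4.1.3"))
    inv.add_device(Device("sg210-c", "SG210", "5.4.1.1", state="registered"))
    inv.add_device(Device("sg810-d", "SG810", "5.3.1.9", state="not-registered"))
    inv.add_group("emea")
    inv.add_group("emea-paris", parent="emea")
    inv.assign("emea-paris", "sg510-a")
    inv.assign("emea", "sg510-b")
    return inv
```

Call build_sample_inventory() and then system_groups() to see that sg510-a, once assigned to the nested group, leaves Unassigned but stays in All, in the SG510 Model group and in the 5.4.1.1 OS Version group; delete_group("emea-paris") puts it back in Unassigned without removing it from the inventory.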

Tasks Supported by Device Groups

The following table summarizes which tasks can be performed on system and
custom groups using the Director Management Console or command line
(Yes = supported, No = not supported):

Method / group                 Upgrade  URL lists  Configure  Reboot  Clear   Apply profiles
                               license  and regex  jobs       device  caches  and overlays
                                        lists
Management Console:
  All system group             No       Yes        Yes        Yes     Yes     Yes
  Model system group (a)       Yes      Yes        Yes        Yes     Yes     Yes
  OS Version system group (b)  Yes      Yes        Yes        Yes     Yes     Yes
  Other system groups (c)      No       No         No         No      No      No
  Custom groups                Yes      Yes        Yes        Yes     Yes     Yes
Command line                   Yes      Yes        Yes        Yes     Yes     Yes

a. Specifically, you can perform these tasks on individual groups such as SG 200, 510-C,
8100-20, and so on.
b. Specifically, you can perform these tasks on individual groups like SGOS 5.3, 4.2.7.1, and
so on.
c. Other system groups mean the following: Registered, Not Registered, and Unassigned.


The table shows the following:

❐ The following actions can be performed on devices in any Director group
except the Registered, Not Registered, and Unassigned system groups:
• Profiles and overlays can be applied
• Devices can be rebooted
• The object cache, byte cache, and DNS cache can be cleared
❐ Any task that can be performed by a configure job can be performed on the
All system group, groups in the Model system group, or groups in the OS
Version system group.
❐ URL lists and regular expression lists can be applied to the All system group,
groups in the Model system group, or groups in the OS Version system group.
❐ In addition to the preceding tasks, groups in the Model system group and
groups in the OS Version system group enable you to upgrade device licenses.
❐ Custom groups and the command line enable you to perform all of the
preceding tasks on devices, either individually or in groups.

Where To Go Next
Continue with one of the following sections:
❐ "Adding Custom Groups"
❐ "Removing a Custom Group" on page 138
❐ "Adding Devices to a Custom Group" on page 138

Adding Custom Groups


This section describes how to add custom groups.

To add a custom group:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Groups pane, right-click Custom Groups.


4. From the pop-up menu, click Add Group.

5. Enter the following information:

Field         Description
Group Name    Enter a name to identify the group.
Group ID      Enter a unique identifier that is used in commands and displayed
              in the Management Console to identify the group.
              Note: The group ID cannot contain the following characters:
              {, }, <, >, (, ), #, or $.
Description   (Optional.) Enter a description for the group.

6. Click OK.
7. To create an additional group, do either of the following:
• Top-level group. Repeat steps 3 through 6 to create a new top-level
group.
• Nested group. Click the group you just created, and right-click to add a
group that will be subordinate to the top-level group.
8. After the groups are created, drag and drop the devices into the desired
groups.
You can add a device to multiple groups.


You can move a nested group to a different top-level group by dragging and
dropping, and you can change a nested group to a top-level group by
dragging it under Custom Groups.

Removing a Custom Group


To remove a group, right-click the group name and, from the pop-up menu, click
Delete. Any devices in the group are moved to the Unassigned group; the devices
are not deleted.

Adding Devices to a Custom Group


When you add devices, Director automatically puts them in the Unassigned
group. This section discusses how to add devices from the Unassigned group to a
custom group, and how to add devices from one custom group to another custom
group.

To add devices to custom groups:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Add the devices as discussed in Chapter 3: "Registering Devices" or
Chapter 4: "Adding and Connecting to Devices".
4. Create one or more custom groups as discussed in "Adding Custom Groups"
on page 136.
5. Do any of the following:
Table 5–1 Adding devices to groups

Task: add a device from a system group to a custom group
1. In the Groups pane, click the system group that contains the device (for
example, Unassigned).
2. Drag the device from the system group to the desired custom group.
You are required to confirm the action.

Task: add a device from a custom group to another custom group
1. In the Groups pane, click the custom group that contains the device.
2. Drag the device to the desired group.
You are required to confirm the action. This copies the device to the
custom group; it remains in the original group as well.

Task: move a device from one group to another group
1. In the Groups pane, click the group that contains the device to move.
2. Drag the device to the desired group.
You are required to confirm the action. This copies the device to the
target group.
3. Click the original group.
4. Right-click the name of the device from step 1.
5. From the pop-up menu, click Remove.
You are required to confirm the action. This removes the device from the
group, but does not delete the device from Director.


Section B: Managing Folders for Profiles and Overlays


This section discusses how to create folders in which to organize profiles and
overlays. Creating folders is recommended in large deployments where you
might want to organize profiles and overlays by device location, function, or
other criteria.
Note: The same folders are used for profiles, overlays, jobs, and content
collections, enabling you to create custom folders on either the Configure, Jobs, or
Content tab pages.
Following is general information about creating folders:
❐ There are two types of folders: System and Custom
❐ System folders are divided into two subfolders that cannot be changed: All
and Unassigned
❐ All profiles, overlays, or jobs belong to the All system folder, even those that
have been added to custom folders.
❐ Profiles and overlays that have not been added to a custom folder belong to
the Unassigned system folder
❐ You can create profile and overlay folders only under Custom Folders
❐ You can nest custom folders
This section discusses the following topics:
❐ "Creating or Editing Folders"
❐ "Deleting Folders" on page 142
❐ "Removing or Copying Profiles or Overlays In Folders" on page 143

Creating or Editing Folders


This section discusses how to create or edit profile or overlay folders and
subfolders.

To create or edit profile folders and subfolders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Right-click Custom Folders in the Configuration Library section in the right
pane.
4. From the pop-up menu, click one of the following:
• To create a new folder, click New > New Folder.
• To edit an existing folder, click Edit.
The following figure shows an example of adding a new folder:

The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Table 5–2 Adding or editing a folder

Field Description
Folder Name Enter a name to identify the folder.
Folder ID Enter a unique identifier for the folder. You use the
folder ID, for example, to configure the folder using
the command line.
Note: The folder ID cannot be changed later.
Description Enter an optional description of the folder.

6. Click OK.
7. To create an additional folder, do either of the following:
• Top-level folder. Repeat steps 3 through 6 to create a new top-level
folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop profiles, overlays, or jobs into
the desired folders as follows:
a. From the Show list in the Configuration Library section on the
Configure tab page, click the type of object to put in a folder.
For example, to put a profile in a folder, from the Show list on the
Configure tab page, click Profiles or All.


b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a profile or overlay to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.

Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders
contained in the folder. Any profiles or overlays contained in those folders and
subfolders are moved to the Unassigned folder; they are not deleted.

To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Optional. To display profiles or overlays before you delete their containing
folders, on the Configure tab page, in the Configuration Library section, from
the Show list, click Profiles, Overlays, or All.
4. Right-click the name of the folder to delete.
5. From the pop-up menu, click Delete.
You are required to confirm the action. After deleting the folder, any profiles
or overlays contained in the folder or subfolders move to the Unassigned
system folder; they are not deleted.

Creating, Editing, or Deleting Folders from the Command Line


First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # comment comment
director (config folder folder_id) # create
director (config folder folder_id) # name name


Removing or Copying Profiles or Overlays In Folders


This section discusses how to perform the following tasks for profiles or overlays
stored in folders:
❐ Remove a profile or overlay from a custom folder and put it in the Unassigned
folder, without deleting the folder.
❐ Remove a profile or overlay from the Unassigned system folder and put it in a
custom folder.
❐ Copy a profile or overlay from one folder to another folder.

To remove or copy profiles or overlays in folders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. To display profiles or overlays before you remove or copy them, on the
Configure tab page, in the Configuration Library section, from the Show list,
click All.
4. Do any of the following:
• To remove the profile or overlay from the custom folder it is in now and
move it to the Unassigned system folder, right-click on the profile or
overlay and, from the pop-up menu, click Remove. You are required to
confirm the action.
• To move a profile or overlay from the Unassigned system folder to a
custom folder, click the profile or overlay and drag it to the desired custom
folder.
• To copy a profile or overlay to another custom folder, click the profile or
overlay and drag it to the desired custom folder.

Related Commands
First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # overlay overlay_id
director (config folder folder_id) # parent folder_id
director (config folder folder_id) # profile profile_id
director (config folder folder_id) # regex-list list_id
director (config folder folder_id) # url-list list_id


Section C: Managing Profiles


A profile is a set of configuration commands pulled from an existing ProxySG
appliance (the source device), saved in Director, and then applied to one or more
target devices. A profile configures one or more target devices identically to the
source device (with the exception of certain device-specific settings discussed in
"About Profiles and Device Settings" on page 147).

Important Information About Profiles


Blue Coat strongly recommends you understand all of the following before you
create a profile:
❐ "Best Practice for Creating Profiles"
❐ "Important Information About Platforms" on page 145

Best Practice for Creating Profiles


Director profiles are SGOS-version-specific and device-model-specific; executing
a profile created for a ProxySG appliance that runs a different SGOS version can
result in errors due to features that might not exist or that might have changed
between versions. (The same applies to different ProxySG models.)
A profile is a set of commands that transforms a ProxySG’s configuration from the
default for that version to its current configuration. The SGOS version value is an
integral part of a profile. In other words, the reason two identically configured
devices—one running SGOS 5.3.x and one running SGOS 5.4.x—have different
profiles is due to the fact their starting points (that is, default configurations) are
different.
This also explains why when you apply an SGOS 5.3.x profile to an SGOS 5.4.x
appliance you do not get the results you expect. The assumed starting point for
the series of commands is different and will likely result in an error when the
profile is executed.
Blue Coat recommends you use the following procedure to create and update
profiles for upgraded ProxySG appliances:
1. Create a profile for a device that runs a particular SGOS version.
For example, create a profile for an SG510 that runs SGOS 5.4.1.11.
2. After you upgrade that device, either create a new profile or refresh the
existing profile.
Continuing the example, upgrade the SG510 to SGOS 5.4.2.1 and refresh the
profile. (You can optionally create a new profile, for example, if you still need
the 5.4.1-based profile for other devices running SGOS 5.4.1.x.)
3. Upgrade other devices of the same model to the same SGOS version.
4. Execute the new profile on those devices.
Continuing the example, use the profile you created for the SG510 running
SGOS 5.4.2.1 on other SG510s that have been upgraded to 5.4.2.x only.


Do not execute the profile on SG210s, SG810s, and so on.


Do not execute the profile on other SG510s running SGOS 5.3.x, SGOS 4.x, or a
later SGOS version.

Important Information About Platforms


Because of the number of hardware platforms, software versions, and
configuration options available for devices, Blue Coat strongly recommends you
create very simple profiles and use overlays to further configure devices.
For example, some Blue Coat customers create a source profile that has WCCP
settings only and configure other device settings using overlays. Another use for
profiles and overlays is to selectively apply policies to certain devices. For
example, create a profile that contains everything except policies and push that
profile to all devices. Create overlays for each set of policies you want to apply
(for example, one set of policies for Instant Messaging content filtering and
another set of policies for Web content filtering). Selectively apply the overlays
to the desired devices.
For more information about overlays, see Section D: "Managing Overlays" on
page 159.

About Profiles
This section discusses the following topics about profiles:
❐ "About Profiles and Overlays"
❐ "About Profiles and Device Settings" on page 147

About Profiles and Overlays


Profiles work in conjunction with overlays and refreshables (filters) to configure
multiple devices the same way. Because profiles replace a device’s entire
configuration (with exceptions noted in "Settings Preserved On the Target Device"
on page 147) and overlays apply a subset of a device’s configuration, use an
overlay to change only certain configuration settings.
The following table summarizes the main differences between profiles and
overlays:
Table 5–3 Main differences between profiles and overlays

Feature                                                   Profiles   Overlays
Performs a backup of the device first                     Yes        No
Replaces the target device’s entire configuration         Yes        No
Applies a subset of device configuration to the target    No         Yes


Important: Because of the number of hardware platforms, software versions,
and configuration options available for devices, Blue Coat strongly
recommends you create very simple profiles and use overlays to further
configure devices.

Overlays are discussed in Section D: "Managing Overlays" on page 159.



About Profiles and Device Settings


This section discusses which settings are preserved when a source profile is
created and which settings are removed.

Source Device Settings Removed


The following source device settings are removed when you create a profile:
❐ IP address, host name, and default gateway
❐ Passwords for the SGOS Management Console and for command line enable
mode
❐ Any command beginning with the following strings:
• interface (the entire submode)
• line-vty (the entire submode)
• accelerated-pac path or inline accelerated-pac
• security authentication-form path or inline authentication-forms
• bypass-list local-path or inline bypass-list
• ICP path
• license-key path
• policy local-path
• rip path
• socks-gateways path
• static-routes path
• WCCP path

❐ All licenses are removed, including third-party licenses like WebSense.

Settings Preserved On the Target Device


When you execute a profile, Director first issues a restore-defaults keep-
console command on the target device. This command deletes the device’s
configuration except for the following:
❐ IP interface settings, including VLAN configuration.
❐ Default gateway and static routing configuration.
❐ Virtual IP address configuration.
❐ Bridging settings.
❐ Failover group settings.
❐ Services, including services with assigned IP addresses.


The keep-console option also retains the settings for all consoles (Telnet, SSH,
HTTP, and HTTPS), whether they are enabled, disabled, or deleted.
Administrative access settings retained using the restore-defaults command
with the keep-console option include:
❐ Management Console user name and password.
❐ Front panel PIN.
❐ Command line enable mode password.
❐ SSH (v1 and v2) host keys.
❐ Keyrings used by secure management services.
❐ RIP configurations.

Settings Replaced on the Target Device


The following settings are replaced on the target device:
❐ Network DNS settings.
Note: Only the DNS settings under the Network menu in the SGOS
Management Console are replaced. DNS settings used by services (such as the
DNS proxy service) are not replaced.
❐ The appliance name (in other words, the name that displays in the device’s
Management Console under General > Identification). This name is not the same
as the device’s friendly name you set up in Director.
❐ All custom service groups and associated services (that is, everything under
the Services > Proxy Services menu in the SGOS Management Console).

About Secure Profiles


A secure profile is a profile created using a source device that authenticates with
Director using SSH-RSA. This profile includes the device’s SSL keys and all other
encrypted device settings. A secure profile can be applied to a secure or a non-
secure target.
Applying a secure profile to a non-secure target does not make the target secure.
To make the target secure, configure the target to use the SSH-RSA protocol with
Director as discussed in "Changing the Authentication Protocol" on page 124.
To create a secure profile, Director uses the create keyring show-director
command, which outputs all device keyrings. The command also outputs other
commands that would otherwise be encrypted (such as passwords and
certificates). Because a secure profile therefore contains private keys and
passwords in readable form, restrict who can view or export it, and protect any
copy you paste into a text editor as carefully as the device itself.
To create a non-secure profile, Director uses the create keyring no-show
command. This command excludes keyrings and other encrypted device settings
(such as passwords and certificates).


Note: A non-secure profile is a profile created using a source device that
authenticates with Director using SSH Simple. This type of profile includes no
SSL keyrings or other encrypted device settings (such as certificates and
passwords).
If a non-secure profile is applied to a secure device, SSL keys with the
show-director attribute are lost, and keys with the show attribute are
overwritten.
For information on creating SSL keys with the show-director attribute, refer to
Proxies and Proxy Services in the ProxySG Appliance Configuration and Management
Guide.

On the Configure tab page of the Director Management Console, an icon next to
each profile name shows whether it is a non-secure profile or a secure profile.

Table 5–4 Secure and non-secure profiles

Icon          Meaning
(first icon)  Non-secure profile
(second icon) Secure profile

Creating a Profile
Because a profile consists of settings from one device to apply to multiple devices,
first select the device that serves as the profile source. A profile source must meet
all of the following requirements:
❐ Be the same hardware type and software version as the devices to which you
plan to apply the profile.
In other words, if the source is an SG210 running SGOS version 5.3.0.2, the
targets must also be SG210s running SGOS version 5.3.0.2.
Executing a profile on a device with a different hardware type or version
results in errors that might result in unpredictable behavior. (For example,
some commands might not be available in earlier SGOS versions.)
❐ Include all the settings you want to apply to other devices.


❐ Blue Coat recommends all devices authenticate with Director using SSH-RSA.
If the profile source device uses SSH-RSA authentication, Director issues the
create keyring show-director command to the device, which outputs all
device keyrings. The command also outputs other commands that would
otherwise be encrypted (such as passwords and certificates).
If instead the device uses SSH Simple authentication, Director issues the
create keyring no-show command, which excludes keyrings and encrypted
settings, so the resulting profile is non-secure.
See "Changing the Authentication Protocol" on page 124 for more information
about changing from SSH Simple to SSH-RSA.

To create a new profile:


1. Before beginning, see "Important Information About Profiles" on page 144.
2. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
3. Click the Configure tab.
4. In the Configuration Library pane, from the Show list, click Profiles.
5. Right-click the folder in which to place the profile and click New > New Profile.
The New Profile or Edit dialog box displays similarly to the following:


6. Enter or edit the following information:


Table 5–5 Creating or editing a profile

Item Description

Profile Name field Enter a name for the profile.

Profile ID field Enter a unique identifier for the profile. You use
this ID when configuring the profile from the
command line.

Description field Enter an optional description of the profile.

Device option Click this option to select a device as the profile


source. After you click this option, the Select
Reference Device dialog box displays. Click the
source device or enter its device ID in the provided
field and click OK.

URL option Click this option and enter the fully-qualified URL
where the information is located.

7. Click OK.
The profile displays in the Configuration Library section similarly to the
following:

8. Edit the profile as discussed in the next section.


Editing a Profile
Blue Coat strongly recommends you edit every profile immediately after creating
it to remove or edit any commands that might cause problems on the target
device.
Examples follow:
❐ Remove commands that are not compatible with target devices.
For example, remove SGOS version-specific commands. If you created a
profile using a source device running SGOS 5.4.1.1 and one or more target
devices run SGOS 5.2.x, remove commands that are specific to 5.4.1.1.
❐ Remove or edit commands that will fail on target devices.
For example, if the source device has a bridge card but target devices do not,
remove bridging settings from the profile.

Important: Failure to edit the profile might result in the profile failing on the
device or device misconfiguration that might result in unpredictable
performance.

To edit a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library pane, from the Show list, click Profiles.
4. If required, expand the folders containing the profile.
5. Right-click the profile.
6. From the pop-up menu, click Edit.


The Edit dialog box displays similarly to the following:

7. Optional. To save a backup copy of the profile, place the cursor in the right
pane, press Control+A (select all) and copy, then paste the profile into a text
editor application and save it. A secure profile contains keyrings and
passwords, so store that file where only administrators can read it.
8. In the right pane, edit the commands in the profile to remove incompatible or
problematic commands.
For details about device commands, refer to Command Line Interface Reference
in the ProxySG Appliance Configuration and Management Guide.
9. Apply the profile to target devices as discussed in the next section.
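The two checks the preceding sections ask you to perform by hand, stripping the device-specific commands listed under "Source Device Settings Removed" and refusing to run a profile on a different model or SGOS version, can be automated before a profile is pasted back into Director. The following Python script is an added example, not Blue Coat code; it also flags lines that carry keyrings or passwords, which a secure profile contains in the clear. The sample profile is constructed, and the rule that a submode ends at a bare exit, the sensitive-line patterns, and the function names are this example's assumptions.

```python
"""Profile hygiene check before executing a Director profile on a target.

Added example, not Blue Coat code. A profile is a list of SGOS CLI lines.
This check (1) drops the device-specific commands the guide says Director
strips from a source profile, (2) flags lines carrying key or password
material, which a secure profile contains in the clear, and (3) refuses a
target whose model or SGOS version differs from the source. Assumptions:
a submode ends at a bare 'exit', the sensitive-line patterns, and the
constructed sample profile are this example's, not the product's.
"""
import re
from dataclasses import dataclass, field

REMOVED_SUBMODES = {"interface", "line-vty"}   # entire submode is dropped
REMOVED_PREFIXES = (                           # single commands that are dropped
    "accelerated-pac path", "inline accelerated-pac",
    "security authentication-form path", "inline authentication-forms",
    "bypass-list local-path", "inline bypass-list",
    "icp path", "license-key path", "policy local-path", "rip path",
    "socks-gateways path", "static-routes path", "wccp path",
)
# Lines that expose secrets if the profile is copied into an editor or shared (assumed patterns).
SENSITIVE_RE = re.compile(
    r"^(inline keyring\b|security (enable-)?password\b|-*BEGIN( RSA)? PRIVATE KEY)", re.I)


@dataclass(frozen=True)
class Device:
    model: str   # for example "SG510"
    sgos: str    # for example "5.4.1.11"


@dataclass
class Report:
    kept: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    sensitive: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def compatible(source, target):
    """The guide's rule: same hardware type and the same SGOS version, nothing looser."""
    return source.model == target.model and source.sgos == target.sgos


def scrub_profile(lines):
    """Drop device-specific commands; flag secret-bearing lines that remain."""
    report = Report()
    in_submode = False
    for raw in lines:
        line = raw.strip()
        lowered = line.lower()
        if in_submode:                      # inside interface / line-vty: drop until exit
            report.dropped.append(raw)
            in_submode = lowered != "exit"
            continue
        head = lowered.split(None, 1)[0] if lowered else ""
        if head in REMOVED_SUBMODES:
            in_submode = True
            report.dropped.append(raw)
        elif lowered.startswith(REMOVED_PREFIXES):
            report.dropped.append(raw)
        else:
            if SENSITIVE_RE.search(line):
                report.sensitive.append(raw)
            report.kept.append(raw)
    return report


def check_profile(lines, source, target):
    """Scrub the profile and gate it on source/target compatibility."""
    report = scrub_profile(lines)
    if not compatible(source, target):
        report.errors.append(
            f"profile from {source.model} SGOS {source.sgos} must not run on "
            f"{target.model} SGOS {target.sgos}")
    return report


# Constructed sample profile; not output from a real appliance.
SAMPLE_PROFILE = [
    "! SG510 running SGOS 5.4.1.11 (constructed sample)",
    "interface 0:0",
    "ip-address 10.1.1.5 255.255.255.0",
    "exit",
    "wccp path http://config.example.internal/wccp.txt",
    "dns server 10.1.1.53",
    "inline keyring show-director default eof",
    "-----BEGIN RSA PRIVATE KEY-----",
    "placeholder-not-a-real-key",
    "-----END RSA PRIVATE KEY-----",
    "policy local-path http://config.example.internal/local.txt",
    "security enable-password hunter2",
    "http enable",
]

if __name__ == "__main__":
    rep = check_profile(SAMPLE_PROFILE, Device("SG510", "5.4.1.11"), Device("SG510", "5.4.2.1"))
    print(f"kept {len(rep.kept)}, dropped {len(rep.dropped)}, sensitive {len(rep.sensitive)}")
    for err in rep.errors:
        print("REFUSE:", err)
```

Run it as-is to see the version gate refuse a 5.4.1.11 profile for a 5.4.2.1 target while still reporting which lines it would have dropped and which lines carry secrets; feed it the real profile text from the Edit dialog and the source and target devices from Director's Model and OS Version groups to use it for real.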


Executing a Profile
You can execute a profile either immediately or as part of a scheduled job. When
you execute a profile, the following tasks are performed:
1. All target devices are backed up.
If the profile causes problems, you can recover the backup of the previous
configuration as discussed in Section A: "Backing Up Devices" on page 452.
2. Director sends all selected devices the restore-defaults keep-console
command.
This command restores device defaults except settings required for console
access. The keep-console option retains the settings for all consoles (Telnet,
SSH, HTTP, and HTTPS), whether they are enabled, disabled, or deleted.
3. The profile is executed on the targets.

To execute a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
profile.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. On the Configure tab page, in the Configuration Library section on the right,
expand the folders containing the profile to execute.
5. Click the name of a profile to execute.
6. Select the devices to which to apply the profile as follows:
• To apply the profile to a single device, click the name of the device in the
Devices pane.
• To apply the profile to a group, click the name of the group in the Groups
pane.
You can apply a profile to either system groups or custom groups.
Note: To execute a profile on more than one device or group, hold down the
Control key while clicking.

154
Chapter 5: Managing Device Groups, Profiles, and Overlays

Section C: Managing Profiles

An example of executing a profile on one device follows:

7. In the lower right corner, click Execute.


You are required to confirm the action. If you are applying a non-secure
profile, the following message displays:

For a review of secure and non-secure profiles, see "About Secure Profiles" on
page 148.
8. Click Yes to apply the profile.

Note: When a profile is applied to a device, a backup of the device
configuration is performed. Click Launch Backup Manager for the device to see
details about the backup.

155
Director Configuration and Management Guide

Section C: Managing Profiles

A dialog box displays the results of applying the profile. Carefully examine
the results for errors, which display in red text.
Use the following steps to determine if the profile executed properly:
a. Log in to the target device’s Management Console to see whether the
configuration item that caused the error succeeded.
Typical reasons configuration will not succeed include the following:
• The target device is not the same SGOS version as the source, so a
feature is not available on the target.
• The feature requires a license that does not exist on the target device.
b. Consult the following table, which shows a partial list of error
messages:
Table 5–6 Partial list of errors after executing a profile

Error message:
Invalid input detected at '^' marker
Description:
• The target device does not have a given feature enabled, such as
streaming
• A feature requires a license (such as RealMedia streaming)
• The profile was taken from a device with a different version number (in
other words, the command is not available on the older device)
• The failure is harmless (for example, setting the front panel PIN fails
with this error). The complete error message follows:
ip-or-hostname - Blue Coat SG210 Series#(config)security hashed-front-panel-pin "$1$YbFIjrEL$lUvDC6H4plalM1iQa1p3T/"
^
Error: Invalid input detected at '^' marker.

Error message:
Error: Keyring "passive-attack-protection-only-key" exists, delete keyring first
Error: Certificate "passive-attack-protection-only-key" already exists, delete existing certificate first
Description:
The default passive-attack-protection-only-key keyring already exists and
does not need to be replaced.

Error message:
ip-or-hostname - Blue Coat SG200 Series#(config bridge name)failover group failover-group-ip
Error: Failover group does not exist
Description:
Check the target device to make sure the bridge was created and associated
with the correct failover group.
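Because the execution results are examined by eye, a small triage script helps when a profile is pushed to many devices. The following is an added example (not from the Director guide or from Blue Coat's tooling) that pairs each "Error:" line with the device and command that produced it and sorts the result into ignore, review and action using the reasons given in Table 5–6; the results text it assumes follows the shape shown in the table, and the sample results are constructed, with commands in angle brackets standing in for real profile commands.

```python
"""Triage the results of a Director profile execution.

Added example; it is not from the Director guide or from Blue Coat's tooling.
It assumes the results text has the shape shown in Table 5-6: a device prompt
line that echoes the failing command, an optional caret line marking the
rejected token, and an "Error: ..." line. The sample results below are
constructed, and the commands shown in angle brackets stand in for real
profile commands.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the error messages listed in Table 5-6.
SAMPLE_RESULTS = """\
192.0.2.10 - Blue Coat SG210 Series#(config)security hashed-front-panel-pin "$1$sample$notARealHash"
                                                     ^
Error: Invalid input detected at '^' marker.
192.0.2.10 - Blue Coat SG210 Series#(config)<streaming-command-from-profile>
                                            ^
Error: Invalid input detected at '^' marker.
192.0.2.10 - Blue Coat SG210 Series#(config)<keyring-command-from-profile>
Error: Keyring "passive-attack-protection-only-key" exists, delete keyring first
192.0.2.11 - Blue Coat SG200 Series#(config bridge name)failover group 198.51.100.1
Error: Failover group does not exist
192.0.2.11 - Blue Coat SG200 Series#(config)<command-that-succeeded>
"""

# Prompt lines look like "<device> - <model>#(<mode>)<command>".
PROMPT_RE = re.compile(r"^(?P<device>\S+) - .*?#\((?P<mode>config[^)]*)\)(?P<command>.*)$")
CARET_RE = re.compile(r"^\s*\^\s*$")
ERROR_RE = re.compile(r"^Error: (?P<message>.*)$")


@dataclass
class Finding:
    device: str
    command: str
    message: str
    severity: str  # "ignore", "review" or "action"
    reason: str


def classify(command: str, message: str) -> tuple[str, str]:
    """Map an error to a triage decision using the reasons given in Table 5-6."""
    if "Invalid input detected" in message:
        if "hashed-front-panel-pin" in command:
            return "ignore", "Setting the front panel PIN fails with this error; the guide lists it as harmless."
        return "review", ("Command rejected: the feature may be disabled or unlicensed on the target, "
                          "or the target runs a different SGOS version than the source device.")
    if "passive-attack-protection-only-key" in message and "exists" in message:
        return "ignore", "The default keyring/certificate is already present and does not need replacing."
    if "Failover group does not exist" in message:
        return "action", "Check that the bridge exists on the target and is associated with the correct failover group."
    return "review", "Unlisted error; inspect the setting in the target device's Management Console."


def parse_results(text: str) -> list[Finding]:
    """Pair each 'Error:' line with the prompt line (device and command) that preceded it."""
    findings: list[Finding] = []
    current: tuple[str, str] | None = None
    for line in text.splitlines():
        prompt = PROMPT_RE.match(line)
        if prompt:
            current = (prompt["device"], prompt["command"].strip())
            continue
        if CARET_RE.match(line):
            continue  # the caret only points at the rejected token
        error = ERROR_RE.match(line)
        if error and current is not None:
            severity, reason = classify(current[1], error["message"])
            findings.append(Finding(current[0], current[1], error["message"], severity, reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so the 'action' and 'review' items stand out."""
    counts = {"ignore": 0, "review": 0, "action": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    for f in results:
        print(f"[{f.severity:6}] {f.device}: {f.message}\n         {f.reason}")
    print(summarize(results))
```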

Commands Related to Creating, Editing, or Executing Profiles


director (config) # remote-config
director (config remote-config) # profile profile_id
(config remote-config profile profile_id) # comment
(config remote-config profile profile_id) # create
(config remote-config profile profile_id) # execute {addr-device ip_address_or_hostname | all | device device_id | group group_id} [errors-only]
(config remote-config profile profile_id) # input
(config remote-config profile profile_id) # name name

Copying a Profile
Copying a profile is a convenient way to create a similar profile without having to
create it from scratch.

To copy a profile:
1. Create a profile as discussed in "Creating a Profile" on page 149.
2. In the Management Console, click the Configure tab.
3. In the Configure tab page, right-click a profile in the Configuration Library
section.
4. From the pop-up menu, click Copy.
5. Enter or edit the following information:
Field          Description
Profile Name   Enter a unique name to identify this profile.
Profile ID     Enter a unique identifier for the profile.
Description    Enter an optional description of the profile.

6. Click OK.
The profile displays in the Configuration Library section.
7. Right-click the profile you just copied.
8. From the pop-up menu, click Edit.

9. Change the profile as required. When you are finished editing the profile, click
OK.

For information about the options available for a profile, see "Editing a
Profile" on page 152.
10. Optionally drag the profile into a profile folder or create a new profile folder
for it as discussed in "Creating or Editing Folders" on page 140.

Refreshing or Deleting Profiles


You can refresh or delete individual profiles. If you are using the configuration of
a specific device as the template for your profile, use the refresh feature to update
the profile when the device configuration changes.

To refresh or delete a profile:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section on the right side of the page, expand the
profile folders containing the profile to refresh or delete.
4. Right-click the profile.
5. From the pop-up menu, click Refresh or Delete.
You are required to confirm the action.

Related CLI Syntax to Refresh or Delete a Profile


director (config) # no remote-config profile profile_id
(config remote-config profile profile_id) # refresh [device device_id | url url]

Section D: Managing Overlays


An overlay is a collection of one or more individual configuration settings (such as
time, WCCP, or local policy) that can be applied to one or more devices. An
overlay is designed to change settings created by a profile or to add new settings
not covered in the profile.
This section discusses the following topics:
❐ "Important Information About Using Overlays" on page 159
❐ "Creating an Overlay" on page 163
❐ "Executing an Overlay Immediately" on page 168
❐ "Adding VPM Policy to an Overlay" on page 171
❐ "Copying Overlays" on page 175
❐ "Deleting Overlays" on page 176

Important Information About Using Overlays


This section discusses information you need to understand before using overlays:
❐ "Important Information About Overlays and SGOS Versions"
❐ "General Tips" on page 159
❐ "Executing Overlays that Depend on Databases" on page 160

Important Information About Overlays and SGOS Versions


Before you execute an overlay, make sure you understand the following
information:

Important: Due to the number of CLI changes between SGOS versions, Blue
Coat strongly recommends you apply overlays only to devices running the
same major SGOS revision. In other words, do not apply an overlay created on
a device running SGOS 5.3.x to a device running SGOS 5.2.x. Doing so can
result in errors that might affect how the device functions in the network.
In particular, avoid executing overlays that contain policies to devices running
different SGOS versions because those policy commands can be incompatible.

General Tips
Following are tips you can use when executing overlays:
❐ If you choose to use CLI commands in overlays, be aware that by default,
commands execute in privileged configure mode on the device. (Privileged
mode is also referred to as configuration mode.)
To execute commands that run in privileged mode, you must first exit
privileged configure mode on the device using the exit command. For
example, to update licensing immediately, enter the following commands:
exit
licensing update-key

❐ You can apply an overlay immediately or you can schedule it to run later as
part of a job.
❐ Director does not check overlays for syntax, validity, or version compatibility,
so make sure overlay commands are from the same version as the targeted
device.
❐ Create a backup of the device configuration before pushing the new overlay in
case the overlay needs to be reverted.
Because a profile saves a device backup and an overlay does not, consider
executing a simple profile on a target device before executing an overlay. In the
event of errors, you can recover the device backup and apply the overlay
again. (You can schedule a profile and an overlay in the same job.)

Executing Overlays that Depend on Databases


This section discusses tasks you must perform to execute an overlay that depends
on a database (for example, to configure policies that depend on the content
filtering database). In particular, you must first download the database on the
target device and verify the database is populated with the appropriate data.
Otherwise, configuring policies that depend on data in the database will fail.
The following table provides a high-level overview of the tasks you must
perform:
Table 5–7 Task summary for overlays that depend on databases

Task 1. Create a profile that performs basic configuration.
Description: Create a profile that has minimal configuration; that way, you
know the device’s starting configuration but introduce a minimum number of
variables to troubleshoot in the event of problems. Because executing a
profile first backs up the device, you can restore from backup later in the
event of problems.
For more information: "Creating a Profile" on page 149

Task 2. Create an overlay that downloads the database.
Description: You can do this either using the device’s Management Console or
using its command line. If you use the command line, see the description of
the content-filter command and subcommands in Chapter 3, Privileged Mode
Configure Commands, in Command Line Interface Reference in the ProxySG
Appliance Configuration and Management Guide.
For example, to download the Blue Coat Web Filtering database, use the
following commands in the overlay:
content-filter
bluecoat
download get-now
For more information: "Creating an Overlay" on page 163

Task 3. Create a job that executes the database-loading overlay.
Description: Creating the job is straightforward; however, when you view the
job results later, ignore timeouts. Timeout errors when loading a large
database are usually harmless. Schedule the job during a time when there is
minimal network activity.
For more information: Chapter 8: "Creating, Scheduling, and Managing Jobs"

Task 4. Create overlays that perform other database-related configuration
(for example, policies).
Description: The tasks you perform in this step depend on how your policies
are set up. You must create one or more overlays that configure your local
policy, forward policy, central policy, and VPM policies that depend on the
database you loaded in the preceding overlay.
To add policies to the overlay, use refreshables fetched from the source
device (that is, the device on which the policies were originally created).
You can edit refreshables to add additional commands as well.
Tip: To make the process easier, create a profile from a source device that is
already configured with the desired policy settings. Add selected policy
commands from that profile to the overlay with the Using CLI option
discussed in step 8 in "Creating an Overlay" on page 163. (Policy commands
are grouped inside !- BEGIN policy and !- END policy tags; the commands
themselves start with inline policy.)
For more information:
• "Creating an Overlay" on page 163
• For information about policies, refer to Volume 6: The Visual Policy
Manager and Advanced Policy in the ProxySG Appliance Configuration and
Management Guide.
• For information about commands related to policies, refer to the
description of the inline command in Chapter 2, Standard CLI and Privileged
Mode Commands, in Command Line Interface Reference in the ProxySG
Appliance Configuration and Management Guide.

Task 5. Execute the profile.
Description: Executing a profile first backs up the device so you can start
over if necessary. As discussed earlier, Blue Coat strongly recommends
executing very simple profiles to make troubleshooting easier in the event
of problems.
For more information: "Executing a Profile" on page 154

Task 6. Execute the database-loading job.
Description: Execute the job that loads the database; you configured this job
as discussed in step 3.
Note: When you view the job results, ignore timeouts. Timeouts when loading
a large database are usually harmless. To speed up the job, schedule it
during a time when there is minimal network activity.
For more information: You can execute the job in any of the following ways:
• "Executing a Job Immediately" on page 274
• Section C: "Scheduling Jobs" on page 274

Task 7. Verify the database is available and populated with data.
Description: This task can be performed manually or using an overlay that is
optionally executed in a job. Because the time required to load the database
varies with the size of the database, network latency, and other factors, use
your past experience or run a job periodically to check its status.
Use the following command to show the status of the database:
show content-filter {bluecoat | i-filter | intersafe | iwf | local | optenet | proventia | smartfilter | surfcontrol | status | websense | webwasher}
For more information: Chapter 2, Standard and Privileged Mode Commands, in
Command Line Interface Reference in the ProxySG Appliance Configuration and
Management Guide.

Task 8. Execute the other overlays.
Description: Execute the overlays you created as discussed in step 4.
For more information: "Creating an Overlay" on page 163

Continue with one of the following sections:


❐ "Creating an Overlay"
❐ "Executing an Overlay Immediately" on page 168
❐ "Adding VPM Policy to an Overlay" on page 171

Creating an Overlay
This section discusses how to create an overlay. Before continuing, review the
information discussed in "Important Information About Using Overlays" on page
159.

To create an overlay:
1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section on the right side of the page, from the
Show list, click Overlays.

4. If necessary, create folders in which to store the overlays as discussed in
Section B: "Managing Folders for Profiles and Overlays" on page 140.
5. Right-click the folder in which to store the overlay.
6. From the pop-up menu, click New > Overlay.
The Create new Overlay dialog box displays.
The following figure shows the Properties section of the Create new Overlay
dialog box; callouts 7a through 7d in the figure mark the fields described in
step 7:
7. Configure the Overlay properties:


a. In the Overlay Name field, enter the name of the overlay.
b. In the Overlay ID field, enter a unique identifier for this overlay. You use
the Overlay ID to configure the overlay from the command line.
Note: You can later change the name of the overlay but not of the Overlay
ID.
c. (Optional) In the Description field, enter a description of the overlay.

d. (Optional) Select a source device or a URL to add refreshables to the
overlay. Refreshables are whole files that reside on the device. They
contain configuration and policy options that can be pulled from a
device or URL and refreshed as part of a job.

8. In the Add to Overlay section, make the following selections:


• "Adding to the Overlay Using the Management Console"
• "Adding to the Overlay Using the CLI" on page 166
• "Adding to the Overlay Using Refreshables" on page 166

Adding to the Overlay Using the Management Console


This section discusses how to add overlay settings using the device’s
Management Console, which is useful when you do not know the required CLI
commands.

To add overlay settings using the device’s Management Console:


1. Complete the preceding tasks in this procedure.
2. In the Add to Overlay section, click Using Device Management Console and click
(Browse).
A list of available devices displays.
3. Click the name of the device.
4. Click Launch to open the target device’s Management Console.
5. Use the Management Console to choose settings to add to the overlay.
6. Click Save to Overlay Editor to add only the settings you changed to the overlay
or click Cancel to exit the Management Console without making changes.

If you changed existing WCCP settings (Configuration > Network > WCCP), after
you click Add to Overlay, the following dialog box displays:

You have the following options:


• Overwrite All: Replace the existing WCCP settings in the overlay with the
ones you just selected.
• Discard All: Use the existing WCCP settings in the overlay instead of the
ones you just selected.
• Resolve Conflicts: Displays the following confirmation dialog box:

You have the following options:


• Yes: Equivalent to selecting Overwrite All.
• No: Equivalent to selecting Discard All.
7. Continue with one of the following sections:
• "Adding to the Overlay Using the CLI"
• "Adding to the Overlay Using Refreshables" on page 166

Adding to the Overlay Using the CLI


This section discusses how to add SGOS command-line commands to an overlay.

To add commands to an overlay:


1. Complete the preceding tasks in this procedure.
2. In the Add to Overlay section, click Using CLI.
Enter the commands in the dialog box.
If you choose to use CLI commands in overlays, be aware that by default,
commands execute in privileged configure mode on the device. (Privileged
mode is also referred to as configuration mode.)
To execute commands that run in a privileged mode, first enter exit. For
example, to force a license key update, enter the following commands:
exit
licensing update-key force

For more information about privileged mode and privileged mode configure
commands, refer to Command Line Interface Reference in the ProxySG Appliance
Configuration and Management Guide.
Note: The commands are not checked for validity or syntax.
3. When you are finished, click OK to add the commands to the overlay or click
Cancel to quit without adding the commands.
4. Continue with one of the following sections:
• "Adding to the Overlay Using the Management Console" on page 164
• "Adding to the Overlay Using Refreshables"

Adding to the Overlay Using Refreshables


This section discusses how to add SGOS refreshables to an overlay.

To add refreshables to an overlay:


1. Complete the preceding tasks in this procedure.
2. In the Properties section, click either the name of a device from which to get
the refreshables or enter a URL from which to get the refreshables.
3. In the Add to Overlay section, click Refreshables.
4. Select the check box next to every refreshable to add to the overlay.
5. Click Add.

The following figure shows an example:

The selected refreshables display in the Overlay Settings section in the right
pane.
6. Click one of the following:
• In the add or edit dialog box, click OK to save changes to the Director
overlay.
• In the Overlay Settings pane, click the name of a refreshable and click Edit
to edit the commands that add that refreshable to the overlay.
• In the Overlay Settings pane, click the name of a refreshable and click
Delete to delete that refreshable from the overlay
• In the Overlay Settings pane, click the name of a refreshable and click View
to view the commands associated with that refreshable.

If you included Refreshables in the overlay, a confirmation dialog box similar
to the following displays:

7. Click Yes to fetch the refreshables from the device.

Commands Related to Creating and Editing Overlays


First, enter the following command to enter overlay submode:
director (config) # remote-config overlay overlay_id
This command changes the prompt to:
director (config remote-config overlay overlay_id) #
Then enter the following commands:
(config remote-config overlay overlay_id) # comment overlay_comment
(config remote-config overlay overlay_id) # copy new_overlay_id
(config remote-config overlay overlay_id) # create

Executing an Overlay Immediately


You can execute an overlay immediately or at a later date, as part of a job.

Important: Due to the number of CLI changes between SGOS versions, Blue
Coat strongly recommends you apply overlays only to devices running the
same major SGOS revision. In other words, do not apply an overlay created on
a device running SGOS 5.3.x to a device running SGOS 5.2.x. Doing so can
result in errors that might affect how the device functions in the network.
In particular, avoid executing overlays that contain policies (including VPM) to
devices running different SGOS versions because policy commands can be
incompatible in different SGOS versions.

To apply an overlay immediately:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
overlay.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. In the Configuration Library section on the right side of the page, from the
Show list, click Overlays.

5. If necessary, create an overlay as discussed in "Creating an Overlay" on page
163.
6. Expand the folder containing the overlay to execute.
7. Optional. To refresh the commands in the overlay, click Actions > Refresh
Overlay.

8. Click the name of the overlay to execute.


9. Select the devices on which to execute the overlay as follows:
• To execute the overlay on a single device, click the name of the device in
the Devices column.
• To execute the overlay on all devices in a group, click the name of the group
in the Groups column.
You can execute an overlay on either a system group or a custom group.
Note: To execute an overlay on more than one device or group, hold down the
Control key while clicking.

The following figure shows an example of executing an overlay on multiple
devices:

10. Click Execute.


You are required to confirm the action. When completed, an Execution Results
dialog box displays.

Command to Execute an Overlay


(config remote-config overlay overlay_id) # execute addr-device ip_address_or_hostname [errors-only]

Adding VPM Policy to an Overlay


The Visual Policy Manager (VPM) is a graphical interface policy editor that is
included with the ProxySG appliance. The VPM allows you to define Web access
and resource control policies without having in-depth knowledge of Blue Coat
Content Policy Language (CPL). VPM policy is one of the refreshables that can be
added to an overlay.
In Director, you can use the VPM graphical interface from the ProxySG appliance
(instead of the command line) to create policy and apply that policy to target
devices as part of an overlay.
You can edit the VPM refreshable from the Overlay Settings editor from within
Director, or using the Management Console viewer of the selected device. You
may want to use the Overlay Settings editor if you are editing only the VPM
refreshable.
You can add a VPM section to the Overlay using any of the following methods:
❐ Use the Management Console to populate the VPM of a device and save an
edited copy of that policy file as an Overlay settings section.
❐ Add a VPM Refreshable using a source device or URL. This displays an empty
VPM policy overlay setting section that is populated if you click Refresh.

Note: Refreshing an overlay refreshes all sections that can be refreshed,
regardless of whether custom edits are made.

For more information about using the VPM graphical interface, refer to
Volume 6: The Visual Policy Manager and Advanced Policy. To learn about writing
policy, refer to Content Policy Language Guide in the Blue Coat ProxySG
Configuration and Management Guide.

To edit a VPM Settings Section using the Overlay Settings Editor:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
overlay.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. In the Configuration Library section, from the Show list, click Overlays.
5. Expand the folder containing the overlay to edit.
6. Right-click the overlay to edit.
7. From the pop-up menu, click Edit.

The Edit existing Overlay dialog box displays.

8. In the Overlay Settings section, select VPM and click Edit.


The Blue Coat Visual Policy Manager dialog box displays, similarly to the
following:

9. Use the VPM dialog box to make any policy changes.

10. Click File > Save Policy to Overlay Editor.


The View Generated CPL dialog box displays. This dialog displays the policy
changes you just made and allows you to view the changes in the Content
Policy Language (CPL) mode.
11. When you finish viewing the policy changes, close both the CPL and VPM
dialog boxes.
12. Save changes to the overlay. Use the following methods:
a. In the Edit existing Overlay dialog box, click OK. This saves the setting
changes you made to the overlay.

b. Click Yes to fetch the refreshables and save them on the device.

To add a VPM Settings section using the Management Console viewer:


Use the Management Console viewer if you want to add VPM settings sections
along with other refreshable settings sections.
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
overlay.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. In the Configuration Library section, from the Show list, click Overlays.
5. Right-click the overlay to edit.
6. From the pop-up menu, click Edit.
The Edit existing Overlay dialog box displays.
7. In the Add to Overlay section, click Using Device Management Console and then
click (browse).

The Select Reference Device dialog box displays a list of available devices.
8. In the Select Reference Device dialog box, click the reference device to be the
source for the VPM settings and click OK.
9. Click Launch.
The Management Console viewer displays.

10. Click Policy > Visual Policy Manager, then click Launch.
The Blue Coat Visual Policy Manager dialog box displays settings that were
saved in the Director overlay. If there were no previous settings that were
saved in the Director overlay, the VPM dialog box is initially populated with
policy settings from the reference device.

11. Use the VPM dialog box to make any policy changes.

12. Click one of the following:


• To save the changes you made, click File > Save Policy to Overlay Editor.
• To cancel without making the changes, click File > Revert to Policy on
Reference SG Appliance.

Copying Overlays
Copying an overlay is a convenient way to create similar overlays without having
to create them from scratch.

To copy an overlay:
1. Create an overlay as discussed in "Creating an Overlay" on page 163.
2. In the Management Console, click the Configure tab.
3. On the Configure tab page, from the Show list, click Overlays.
4. In the Configuration Library section, expand the folder containing the overlay
to copy.
5. Right-click the overlay.
6. From the pop-up menu, click Copy.
7. Enter or edit the following information:
Field          Description
Overlay Name   Enter a unique name to identify this overlay.
Overlay ID     Enter a unique identifier for the overlay.
Description    Enter an optional description of the overlay.

8. Click OK.
The overlay displays in the Configuration Library section.

9. Right-click the overlay you just copied.


10. From the pop-up menu, click Edit.
11. Change the overlay as required.
12. When you are finished editing the overlay, click OK.

Commands to Execute Overlays


(config remote-config overlay overlay_id) # execute addr-device ip_address_or_hostname [errors-only]

Deleting Overlays
This section discusses how to refresh or delete individual overlays.

To delete an overlay:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, from the Show list, click Overlays.
4. In the Configuration Library section, expand the folder containing the overlay
to delete.
5. Right-click the overlay to delete.
6. From the pop-up menu, click Delete.
You are required to confirm the action.

Related CLI Syntax to Manage Overlays


director (config) # remote-config overlay overlay_ID
director (config remote-config overlay overlay_ID) #
director (config remote-config overlay overlay_ID) # comment comment
director (config remote-config overlay overlay_ID) # copy new_overlay_ID
director (config remote-config overlay overlay_ID) # create
director (config remote-config overlay new_overlay_ID) # input
director (config remote-config overlay new_overlay_ID) # name name
director (config remote-config overlay new_overlay_ID) # reference
director (config remote-config overlay new_overlay_ID) # refresh

Section E: Comparing Profiles or Overlays


This section discusses how to compare two profiles or two overlays using the
Management Console.

To compare profiles or overlays:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Configuration Library section, from the
Show list, click Profiles or Overlays.

4. Expand the folders containing the profiles or overlays to compare.
5. Hold down the Control key while you click the two profiles or overlays to
compare.
6. Right-click either of the selected profiles or overlays.
7. From the pop-up menu, click Diff.
An example follows:

The Diff Profiles dialog box displays similarly to the following; the figure
points out the function buttons and the legend:

8. Use the legend at the bottom of the dialog box to interpret the results.
9. Use the function buttons as follows:
Table 5–8 Diff Profiles dialog box function buttons

Button      Meaning
Search      Displays a search field so you can search for text. Diff
            searching supports plain text only, not Boolean logic or
            regular expressions.
Find next   Used in conjunction with the Search button to perform the
            same search again.
Prev diff   Moves the cursor in the right pane to the previous difference.
Next diff   Moves the cursor in the right pane to the next difference.
Save as     Saves the difference file in unified format, which uses plus
            and minus signs to indicate differences: each line that occurs
            only in the left file is preceded by a minus sign, each line
            that occurs only in the right file is preceded by a plus sign,
            and common lines are preceded by a space.

Commands Related to Comparing Profiles and Overlays


director (config) # remote-config diff {unified | context} overlays first_overlay_id second_overlay_id
director (config) # remote-config diff {unified | context} profiles first_profile_id second_profile_id

where:
• context format uses an identification line for each file, containing the
filename and modification date.
• unified uses plus and minus signs to indicate differences: each line that
occurs only in the left file is preceded by a minus sign, each line that
occurs only in the right file is preceded by a plus sign, and common lines
are preceded by a space.

Note: The only options supported are context and unified.

❐ profile_id specifies the profile’s unique identifier. You can display the list of
profile IDs available for comparison by entering the following command:
director (config) # remote-config diff unified profiles ?
first_profile_id second_profile_id
2003Nov05160651PST
2003Nov05160921PST
2003Nov05161008PST
2003Nov06113244PST
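As an added illustration (not Director's own code), the following Python script reproduces the two output formats that remote-config diff accepts by diffing two constructed ProxySG-style profile texts with the standard library's difflib, then reduces a unified diff to its removed and added lines and flags the ones a security reviewer would want to see, such as a telnet console being removed. The profile texts, the watch-list keywords, and the function names are all assumptions made for this example.

```python
"""Diff two ProxySG-style configuration profiles the way the
remote-config diff command does, in unified or context format, then
summarise the changed lines so a reviewer can spot security-relevant
drift (for example, a telnet console being enabled or removed).

This is an added example, not Director's own code. The two profile texts
are constructed for illustration, modelled on the sample comparison in this
section; the watch list of keywords is an assumption, not a Director setting.
"""
import difflib

# Constructed older profile: telnet console enabled on port 23
OLD_PROFILE = """\
!
!
security management no auto-logout-timeout
!
services ;mode
telnet-console ;mode
enable 23
exit
exit
!
"""

# Constructed newer profile: telnet console gone, display realm and
# HTTP forwarding host added
NEW_PROFILE = """\
!
security management display-realm "Blackbird"
security management no auto-logout-timeout
!
forwarding ;mode
add 10.25.36.47 80 http default
exit
!
"""

# Assumed watch list: substrings whose appearance in a changed line a
# reviewer should look at before pushing the profile
WATCH_KEYWORDS = ("telnet-console", "enable 23", "websense-client", "forwarding")


def diff_profiles(left, right, fmt="unified", left_id="left", right_id="right"):
    """Return the diff of two profile texts as one string.

    fmt is "unified" (the +/- format the Save as button writes) or
    "context"; these are the only two formats remote-config diff accepts.
    """
    a = left.splitlines(keepends=True)
    b = right.splitlines(keepends=True)
    if fmt == "unified":
        out = difflib.unified_diff(a, b, fromfile=left_id, tofile=right_id)
    elif fmt == "context":
        out = difflib.context_diff(a, b, fromfile=left_id, tofile=right_id)
    else:
        raise ValueError("only unified and context formats are supported")
    return "".join(out)


def summarize_unified(diff_text):
    """Split a unified diff into (removed, added) lists of config lines.

    The first two lines are the ---/+++ file headers; after that, lines
    starting with '@@' are hunk markers, '-' marks a line only in the left
    profile, '+' a line only in the right profile, and ' ' a common line.
    """
    removed, added = [], []
    for idx, line in enumerate(diff_text.splitlines()):
        if idx < 2 or line.startswith("@@"):
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added


def flag_changes(removed, added, keywords=WATCH_KEYWORDS):
    """Return (kind, line) pairs for changed lines that mention a watched
    keyword, so the reviewer sees exactly what was removed or added."""
    hits = []
    for kind, lines in (("removed", removed), ("added", added)):
        for line in lines:
            if any(k in line for k in keywords):
                hits.append((kind, line))
    return hits


if __name__ == "__main__":
    unified = diff_profiles(OLD_PROFILE, NEW_PROFILE, "unified",
                            "2003Nov05160921PST", "2003Nov05161008PST")
    print(unified)
    removed, added = summarize_unified(unified)
    for kind, line in flag_changes(removed, added):
        print(f"{kind:8s} {line}")
```

Running the script prints a unified diff with the same two-line --- / +++ header and @@ hunk marker that Director's output carries. In practice, feed flag_changes() the diff between the profile you are about to push and the one last pushed, so that an unintended change to the services or forwarding configuration is caught before it reaches the devices.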

Following is a sample comparison:

--- /local/tmp/2003Nov05160921PST Fri Apr 16 07:48:55 2004
+++ /local/tmp/2003Nov05161008PST Fri Apr 16 07:48:56 2004
@@ -1,28 +1,10 @@
!
-!
+security management display-realm "Blackbird"
security management no auto-logout-timeout
!
-access-log ;mode
-edit log im ;mode
-client-type websense
-exit
-create log "testlog"
-edit log testlog ;mode
-client-type websense
-websense-client primary 10.24.35.46 55805
-websense-client alternate 10.25.36.47 55805
-exit
-exit
-!
-services ;mode
-telnet-console ;mode
-enable 23
+forwarding ;mode
+add 10.25.36.47 80 http default
exit
-exit
-!
!
!
!
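Review bot: the right-hand profile (2003Nov05161008PST) removes the whole "services ;mode" / "telnet-console ;mode" / "enable 23" block and the access-log Websense client configuration, and adds "forwarding ;mode" / "add 10.25.36.47 80 http default" plus a display realm; before pushing it, confirm that dropping the telnet console on port 23 is intended (it removes a clear-text administrative path, which is normally desirable) and that 10.25.36.47, which the left-hand profile used as the alternate Websense client, is really the intended HTTP forwarding host.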

Chapter 6: Device Administration

This chapter discusses administration tasks you can perform using Director.
Topics include:
❐ Section A: "Administration Tasks" on page 182
❐ Section B: "Search" on page 185
❐ Section C: "Upgrading Device Licenses" on page 203
❐ Section D: "Configuring a Device from Director" on page 204

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

Section A: Administration Tasks


This section discusses how to perform the following tasks on individual
devices, custom groups, or selected devices:
❐ Reconnect
❐ Reboot
❐ Clear the object cache
❐ Clear the DNS cache
❐ Clear the byte cache
Before you begin, make sure you perform all of the following:
❐ Add the devices to Director or register devices with Director
• Chapter 3: "Registering Devices"
• Chapter 4: "Adding and Connecting to Devices"
❐ Add devices to custom groups
Section A: "Setting Up and Managing Device Groups" on page 132
To perform these tasks, you must:
1. Select the devices.
"Selecting Devices to Administer"
2. Perform administration tasks on the selected devices.
"Performing Administration Tasks" on page 183

Selecting Devices to Administer


You can administer individual devices, a selection of devices, devices in custom
groups, and devices in Model or OS Version groups. You cannot perform these
tasks on devices in system groups.
Before you begin, make sure you perform all of the following:
❐ Add the devices to Director or register devices with Director
• Chapter 3: "Registering Devices"
• Chapter 4: "Adding and Connecting to Devices"
❐ Add devices to custom groups
Section A: "Setting Up and Managing Device Groups" on page 132

To select devices to administer:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, do any of the following:

• In the Devices pane, click the name of a device. To select more than one
device, hold down the Control key while clicking.
• In the Groups pane, do any of the following:
• Click the name of a custom group.
• Click the name of a Model group (for example, SG810-25).
• Click the name of an OS Version group (for example, SGOS 5.3 or SGOS
5.3.1.1).

Performing Administration Tasks


This section discusses how to perform the following tasks on selected devices:
reconnect; reboot; or clear the object, DNS, or byte cache.
The Administration Tasks section displays in the Description pane on the
Configure tab page, as shown in the following figure (not reproduced).
Before you begin, make sure you perform all of the following:
❐ Add the devices to Director or register devices with Director
• Chapter 3: "Registering Devices"
• Chapter 4: "Adding and Connecting to Devices"
❐ Add devices to custom groups
Section A: "Setting Up and Managing Device Groups" on page 132
❐ Select the devices to administer
"Selecting Devices to Administer" on page 182
Now see one of the following sections:
❐ "Reconnecting to Devices"
❐ "Rebooting Devices" on page 184
❐ "Clearing Devices’ DNS, Object, or Byte Cache" on page 184

Reconnecting to Devices
Use the following steps to reconnect to devices after a temporary network outage:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices to reconnect as discussed in
"Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click Reconnect
Device(s).

Rebooting Devices
Use the following steps to reboot devices:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices to reboot as discussed in
"Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click Reboot
Device(s).

You are required to confirm the action. A progress indicator displays while the
device is rebooted. Traffic through a device is not proxied while it reboots, so
schedule reboots of production devices for a maintenance window.

Clearing Devices’ DNS, Object, or Byte Cache

Use the following steps to clear the DNS, object, or byte cache on devices:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices whose caches you want to clear
as discussed in "Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click any of the
following:
• Clear Object Cache on Device(s)
• Clear DNS Cache on Device(s)
• Clear Byte Cache on Device(s)

You are required to confirm the action. A progress indicator displays while the
cache is cleared. Clearing the object cache discards cached content, including any
content pre-populated by content jobs (see Chapter 7: "Managing Content
Collections"), so subsequent requests are served from the origin servers until the
cache is repopulated.

Section B: Search
The Director Management Console enables you to search for the names of
devices, custom groups, custom folders, profiles, overlays, jobs, URL lists, and
regular expression lists using either exact names or by the use of wildcards. Each
object found by the search is selected in the appropriate pane in the Management
Console window. If multiple results are found, you can choose which object to
select.
This section discusses the following topics:
❐ "About Searching"
❐ "Using Search" on page 189
❐ "Using Search Results" on page 199

About Searching
This section discusses the following topics:
❐ "Ways to Perform a Search"
❐ "Basic and Advanced Searches" on page 187

Ways to Perform a Search


You can perform a search by pressing Control+F or clicking Actions > Find on the
Monitor, Configure, Jobs, or Content tab pages. The search tool displays at the top
of the Management Console window (figure not reproduced).

Note: Pressing Control+F or clicking Actions > Find toggles the search tool on
and off. To close the search tool, press Control+F again, click Actions > Find
again, or click the close button.

Searches are limited to objects on those tab pages as follows:


❐ On the Monitor tab page, you can search for the following objects:
• custom groups
• devices
❐ On the Configure tab page, you can search for the following objects:
• custom groups
• custom folders
• devices
• profiles
• overlays

❐ On the Jobs tab page, you can search for the following objects:
• custom folders
• config jobs
• content jobs
• other jobs (that is, jobs that are not classified as config or content; for
example, jobs you create from the command line without using the
commands-type parameter, or where commands-type is other)
❐ On the Content tab page, you can search for the following objects:
• custom groups
• custom folders
• devices
• URL lists
• regular expression lists
Furthermore, the objects are limited by what you select from the Show list in each
tab page (with the exception of the Monitor tab page, which has no Show list). The
following figure (not reproduced) shows the Show list and the object types
available for the selected entry:
In the example, Profiles is selected from the Show list in the Configuration Library
section on the Configure tab page. This limits the search to devices, groups, or
profiles. In this example, you cannot search for overlays. To search for overlays
and profiles, select All from the Show list.

Basic and Advanced Searches


This section discusses the differences between basic and advanced searches.
When you press Control+F or click Actions > Find on any tab page in the Director
Management Console, the following options display at the top of the
Management Console window (figure not reproduced): a field in which to enter
the search term, a list from which to select the object type, a button that performs
the search, and a More button that opens the advanced search.
See one of the following sections:


❐ "Basic Search"
❐ "Advanced Search" on page 188

Basic Search
The preceding figure shows a basic search. The following rules apply to basic
searches:
❐ Always case-sensitive
❐ One object at a time
❐ One search term at a time
❐ With no wildcard, use substring matching
❐ Wildcards:
• The asterisk character (*) can be used as a multiple-character wildcard.
• The question mark character (?) can be used as a single-character
wildcard.
More information about basic searches, including examples, can be found in
"Using Search" on page 189.

Advanced Search
To perform an advanced search, press Control+F or click Actions > Find on any tab
page in the Director Management Console to display the search options, then
click More. The Find dialog box displays (figure not reproduced).
The following rules apply to advanced searches:


❐ You can choose case-sensitive or case-insensitive searches.
❐ You can search multiple objects at a time.
❐ You can search for one term at a time.
❐ Wildcards:
• The asterisk character (*) can be used as a multiple-character wildcard.
• The question mark character (?) can be used as a single-character
wildcard.
More information about advanced searches, including examples, can be found
in "Using Search" on page 189.
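Here is an added Python example (not Director's code) that implements the matching rules listed under "Basic Search" and "Advanced Search" above: the asterisk as a multiple-character wildcard, the question mark as a single-character wildcard, substring matching when a term has no wildcard, and a case-sensitivity switch that models the Case Sensitive check box. Use it to predict what a term will return before you run it in the Management Console. The object names, and all function names, are constructed for the example.

```python
"""Re-implementation of the wildcard rules Director's Find tool documents
for basic and advanced searches: '*' matches any run of characters, '?'
matches exactly one character, a term without wildcards is a substring
match, basic searches are always case-sensitive, and advanced searches may
be case-insensitive.

This is an added example, not Director's code: it lets you predict what a
search term will return. The object names below are constructed.
"""
import re


def term_to_regex(term, case_sensitive=True):
    """Compile a Find term into an anchored regular expression.

    Every character other than '*' and '?' is passed through re.escape, so
    a name containing regex metacharacters (for example 'Proxy(EMEA)') is
    matched literally instead of being interpreted as a pattern of its own.
    """
    if "*" not in term and "?" not in term:
        body = ".*" + re.escape(term) + ".*"      # no wildcard: substring match
    else:
        pieces = []
        for ch in term:
            if ch == "*":
                pieces.append(".*")               # multiple-character wildcard
            elif ch == "?":
                pieces.append(".")                # single-character wildcard
            else:
                pieces.append(re.escape(ch))
        body = "".join(pieces)
    flags = re.DOTALL if case_sensitive else re.DOTALL | re.IGNORECASE
    return re.compile(r"\A" + body + r"\Z", flags)


def find(term, names, case_sensitive=True):
    """Return the names matching term, in their original order.

    case_sensitive=True mirrors a basic search; False mirrors an advanced
    search with the Case Sensitive check box cleared.
    """
    rx = term_to_regex(term, case_sensitive)
    return [name for name in names if rx.match(name)]


# Constructed object names of the kinds the Find tool searches
NAMES = [
    "DevGroup", "Dev-Branch", "Development", "dev-lab",
    "MyDevices", "SG810-25", "Proxy(EMEA)", "ProxyEMEA",
]

if __name__ == "__main__":
    for term in ("Dev", "Dev*", "*Dev*", "Dev?Branch", "dev*", "Proxy(EMEA)"):
        print(f"{term:12s} -> {find(term, NAMES)}")
    print("dev* (case-insensitive) ->", find("dev*", NAMES, case_sensitive=False))
```

Note that a plain term such as Dev matches MyDevices as well as DevGroup, because the documented rule for a term with no wildcard is substring matching; use Dev* when you want only names that begin with Dev.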

Using Search
This section discusses how to search for groups, devices, profiles, overlays, jobs,
URL lists, and regular expression lists in the Director Management Console. For
background information, see "About Searching" on page 185.
This section discusses the following topics:
❐ "Searching for Devices and Groups"
❐ "Searching for Profiles and Overlays" on page 191
❐ "Searching for Config and Content Jobs" on page 194
❐ "Searching for URL Lists and Regular Expression Lists" on page 197

Searching for Devices and Groups

This section discusses how to search for devices and groups. You can search for
devices and groups on the Monitor, Configure, and Content tab pages in the
Director Management Console.

To search for devices and groups:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor, Configure, or Content tab.
3. If the search tool does not display at the top of the Management Console
window, press Control+F (Find). The search tool displays (figure not reproduced).
4. To search for devices, in the Groups pane, click System Groups > All.
Your search for devices produces no results unless the All group is selected.
5. Do any of the following:
• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
   Find field: Enter the name or the ID of a group or device, using the
   asterisk (*) character as a wildcard. This search is case-sensitive.
   Examples:
   • To search for a group that begins with Dev, enter either Dev or Dev*.
   • To search for a group that contains Dev, enter *Dev*.
   Object list: From the list, click Groups or Devices.
   Note: Model group names are case-sensitive.
b. Click Go.
c. To use search results, see "Using Search Results" on page 199.

7. Perform an advanced search:
a. In the search tool at the top of the Management Console window, click
More.
   The Find dialog box displays.
   Note: The Find dialog box displays different object types, depending on
   which tab page you select and which objects are visible. For example, if
   you click the Configure tab and click All from the Show list in the
   Configuration Library section, the Find dialog box also has check boxes
   for the Folders, Profiles, and Overlays object types.
b. Enter the following information:
   Find field: Enter the name or the ID of a group or device, using the
   asterisk (*) character as a wildcard. Examples:
   • To search for a group that begins with Dev, enter either Dev or Dev*.
   • To search for a group that contains Dev, enter *Dev*.
   Case Sensitive check box: To perform a case-sensitive search, select the
   check box. To perform a case-insensitive search, clear the check box.
   Note: Model group names are case-sensitive.
   Type section: Select the check box corresponding to each object type to
   search.
   Organize button: Click at least two search results, then click Organize to
   create a container in which to store them. For example, click two or more
   devices and click Organize to create a custom group in which to store the
   devices.
   Clear Results button: Click to clear any previous search results.
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Searching for Profiles and Overlays


This section discusses how to search for profiles and overlays. You can search for
profiles and overlays on the Configure tab page in the Director Management
Console.

To search for profiles and overlays:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section, from the Show list, click Profiles, Overlays,
or All.
This selection determines the scope of a basic search.

4. If the search tool does not display at the top of the Management Console
window, press Control+F (Find). The search tool displays (figure not reproduced).
5. Do one of the following:
• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
   Find field: Enter the name or the ID of a profile or overlay, using the
   asterisk (*) character as a wildcard. This search is case-sensitive.
   Examples:
   • To search for a profile that begins with Proxy, enter either Proxy or
     Proxy*.
   • To search for a profile or overlay that contains proxy, enter *proxy*.
   Object list: From the list, click Profiles or Overlays. If the desired option
   does not display, try the following:
   • Make sure you clicked the correct tab page and selected the correct
     object type to start your search.
   • Make sure you created at least one object of the type for which you
     are searching, and repeat step 3.
b. Click Go.
c. To use search results, see "Using Search Results" on page 199.
7. Perform an advanced search:
a. In the search tool at the top of the Management Console window, click
More.
   The Find dialog box displays.
b. Enter the following information:
   Find field: Enter the name or the ID of a profile or overlay, using the
   asterisk (*) character as a wildcard. Examples:
   • To search for a profile that begins with Proxy, enter Proxy*.
   • To search for a profile or overlay that contains proxy, enter *proxy*.
   Case Sensitive check box: To perform a case-sensitive search, select the
   check box. To perform a case-insensitive search, clear the check box.
   Type section: Select the check box corresponding to each object type to
   search.
   Clear Results button: Click to clear any previous search results.
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Searching for Config and Content Jobs


This section discusses how to search for configuration jobs and content jobs. You
can search for jobs on the Jobs tab page in the Director Management Console.

To search for jobs:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. In the Job Library section, from the Show list, click Config Jobs, Content Jobs, or
All.

This selection determines the scope of a basic search.
4. If the search tool does not display at the top of the Management Console
window, press Control+F (Find). The search tool displays (figure not reproduced).
5. Do one of the following:
• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
   Find field: Enter the name or the ID of a job, using the asterisk (*)
   character as a wildcard. This search is case-sensitive. Examples:
   • To search for a job that begins with Backup, enter Backup*.
   • To search for a job that contains CEO, enter *CEO*.
   Object list: From the list, click Config Jobs, Content Jobs, or Other Jobs.
   If the desired option does not display, make sure you have created at
   least one object of that type and repeat step 3.
b. Click Go.
c. To use search results, see "Using Search Results" on page 199.
7. Perform an advanced search:
a. In the search tool at the top of the Management Console window, click
More.
   The Find dialog box displays.
b. Enter the following information:
   Find field: Enter the name or the ID of a job, using the asterisk (*)
   character as a wildcard. Examples:
   • To search for a job that begins with Backup, enter Backup*.
   • To search for a job that contains CEO, enter *CEO*.
   Case Sensitive check box: To perform a case-sensitive search, select the
   check box. To perform a case-insensitive search, clear the check box.
   Type section: Select the check box corresponding to each object type to
   search.
   Clear Results button: Click to clear any previous search results.
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Searching for URL Lists and Regular Expression Lists


This section discusses how to search for URL lists and regular expression lists.
You can search for these lists on the Content tab page in the Director Management
Console.

To search for URL lists and regular expression lists:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. In the Content Collections section, from the Show list, click Url Lists, Regex Lists,
or All.
This selection determines the scope of a basic search.
4. If the search tool does not display at the top of the Management Console
window, press Control+F (Find). The search tool displays (figure not reproduced).
5. Do one of the following:
• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
   Find field: Enter the name or the ID of a URL list or regular expression
   list, using the asterisk (*) character as a wildcard. This search is
   case-sensitive. Examples:
   • To search for a list that begins with Content, enter Content*.
   • To search for a list that contains CEO, enter *CEO*.
   Object list: From the list, click Url Lists or Regex Lists. If the desired
   option does not display, make sure you have created at least one object
   of that type and repeat step 3.
b. Click Go.
c. To use search results, see "Using Search Results" on page 199.
7. Perform an advanced search:
a. In the search tool at the top of the Management Console window, click
More.
   The Find dialog box displays.
b. Enter the following information:
   Find field: Enter the name or the ID of a URL list or regular expression
   list, using the asterisk (*) character as a wildcard. Examples:
   • To search for a list that begins with Content, enter Content*.
   • To search for a list that contains CEO, enter *CEO*.
   Case Sensitive check box: To perform a case-sensitive search, select the
   check box. To perform a case-insensitive search, clear the check box.
   Type section: Select the check box corresponding to each object type to
   search.
   Clear Results button: Click to clear any previous search results.
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Using Search Results


This section discusses how to use the results of a search you performed in the
Director Management Console. Before continuing, make sure you have reviewed
the following information:
❐ "About Searching" on page 185
❐ "Using Search" on page 189
This section discusses the following topics:
❐ "Using Results from a Basic Search"
❐ "Using Results from an Advanced Search" on page 201

Using Results from a Basic Search


The results from a basic search display in the search tool at the top of the
Management Console window (figure not reproduced). In the example, a search
for all groups that begin with Dev returned three results.
If a search returns one or more results, the first matching object is selected in the
Management Console. In the example, the first group that begins with Dev is
selected in the Groups pane on the Configure tab page.
In the search tool, click the previous-result and next-result buttons to select the
previous or next object returned by the search.
Using Results from an Advanced Search


You use the results from an advanced search in almost the same way as the results
from a basic search; however, because different types of objects can be returned,
the results are displayed differently.
The results from an advanced search display in the Find dialog box (figure not
reproduced).
The example shows a search for groups, devices, and profiles that begin with Dev.
Search results consist of four groups and one profile.
You have the following options:
❐ Select a search result in the Management Console: Click OK and the object is
selected in the Management Console.
This is useful if you want to perform an action on that object; for example, to
rename a group, click the name of a group and click OK. The group is selected
in the Management Console. Right-click the name of the group, click Edit, and
rename the group.
❐ Organize the objects in a new custom folder:
a. Click two or more search results of the same object type (for example,
two or more devices, two or more groups, and so on). Hold down the
Shift or Control key while clicking to select multiple objects.

b. Click Organize.
The Add New Folder dialog box displays.
c. Enter a folder name and a unique ID for the folder and click OK.
The selected objects are copied to the folder you created.

Section C: Upgrading Device Licenses


This section discusses how to upgrade the license on one or more devices using
the Director Management Console. Before performing a license upgrade, you
must have the appropriate licensing for the devices you wish to upgrade.
Consult your Blue Coat representative for more information about purchasing
licenses.

To upgrade device licenses:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices whose licenses you wish to
upgrade as follows:
• Click the name of a group in the Groups pane.
• Click the name of a device in the Devices pane.
Note: To select more than one group or device, hold down the Control
key while clicking.
4. Right-click any previously selected device.
5. From the pop-up menu, click Upgrade License.
6. When prompted, enter a user name and password.
Note: The user name and password you enter are not validated.
Depending on whether you have previously upgraded any device
licenses, you are prompted either to use an existing BlueTouch account or to
enter a BlueTouch user name and password.
Messages display to indicate whether or not the upgrades were successful.

Related CLI Syntax for License Upgrade

director (config)# remote-config license-key update {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version} [errors-only | username web_power_username password web_power_password]

Note: The username and password options place the credentials in clear text on
the command line, so treat any saved CLI session transcript that contains them as
sensitive.

Section D: Configuring a Device from Director


You can use Director as an alternative to the SGOS Management Console,
allowing you to make configuration changes to one or more appliances
(sequentially, not simultaneously). To make simultaneous configuration
changes to devices, use profiles and overlays as discussed in Chapter 5:
"Managing Device Groups, Profiles, and Overlays".
All the commands executed in the Manage Device window apply to the
ProxySG appliance itself. You cannot use Director’s content or configuration
management commands in the Manage Device window.
If the device’s version changes because of an upgrade or downgrade, reconnect
to the device before attempting any subsequent operations with Director. You
must also close the Manage Device window and reopen it.
You can change the device’s administrative user names from the Manage Device
window, but Director continues to use the credentials it was given for that
device, so you must then reconnect to the device using the new credentials.

To configure a device from Director:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Right-click the device you want to configure.
4. From the pop-up menu, click Configure.

The device’s Management Console displays (figure not reproduced).
5. Make the desired changes in the Management Console.


Note: Make sure to click Apply before leaving a tab page, or the changes are
not committed.
6. When you are finished making changes, close the Manage Device window.

Chapter 7: Managing Content Collections

This chapter discusses general information about content distribution and how
to perform the following tasks:
❐ Create URL lists and regular expression lists
❐ Schedule content actions using URL lists and regular expression lists
immediately, or at a future day of the week and time of day
❐ Query a ProxySG’s object cache to determine if URLs are pre-populated
This chapter discusses the following topics:
❐ "About Content Distribution"
❐ "Managing Folders for Content Collections" on page 211
❐ "Creating and Distributing URL Lists" on page 215
❐ "Creating and Distributing Regular Expression Lists" on page 221
❐ "Querying URLs" on page 226

About Content Distribution


Content distribution is the means by which you can pre-populate a ProxySG’s
object cache with particular URLs. This reduces bandwidth usage during peak
hours because when users request the content during the next business day, the
content is already cached.
Director enables you to pre-populate the object cache with particular URLs
only. The object cache contains objects that are indexed by name (that is, file
name or URL). The object cache is available for specific protocols (such as
HTTP, HTTPS, FTP, CIFS, and some streaming protocols).

Note:
• ProxySGs do not spider a Web site to pre-populate all its contents. To
do that, you can use the Content Sync Module, which is discussed in
the Blue Coat Director Content Sync Module Guide.
• For a variety of reasons, certain content is not object-cacheable. For
example, Web pages that include the meta tag <META HTTP-
EQUIV="Pragma" CONTENT="no-cache"> are not cacheable, and
dynamically generated content might not be cacheable.
Before populating or revalidating content, verify that the content is
cacheable, because the content operations take time to complete and
consume CPU resources while they are executing.
However, content that is not object-cacheable is still byte cached if
either of the following is true:
• There is an explicit ADN route for the origin server subnet
advertised by some other ProxySG appliance in the network.
• There is a ProxySG in the network in the path between the branch
ProxySG and the origin server, and that ProxySG is set for
transparent tunnels.

See one of the following sections for more information about content distribution:
❐ "Managing Folders for Content Collections"
❐ "Creating and Distributing URL Lists" on page 215
❐ "Creating and Distributing Regular Expression Lists" on page 221
❐ "Querying URLs" on page 226

Content Distribution Use Case


It is common for an enterprise employee, such as an IT administrator, to be tasked
with pushing content to one or more proxies on the network. Pre-population
usually occurs during off-peak hours to avoid clogging bandwidth pipes.
Examples of mass-distributed content might be a video message from the CEO
and large information files, such as a PDF.
The IT administrator creates a URL list that contains the content URLs and stores
the list file locally. Blue Coat Director allows you either to push the URL list to the
target ProxySG appliances immediately or to schedule a day and time when the
push occurs.

Legend
1: The IT admin creates a list of URLs to content objects and stores it on an internal Web
server that is accessible by Director.
2: The IT admin uses Director to create a new content job that calls the list stored on the
Web server. The IT admin also creates a job schedule that populates ProxySGs’ object
caches at 12:01 am.
3: At 12:01 am, the ProxySG appliances at headquarters and the branch office receive the
content URLs and request the content from the Web server.
4: The Web server sends the content to the ProxySG appliances, which cache the objects.
5: The next morning, the company’s users access the content locally from their respective

Figure 7–1 Pre-populating process flow.


Tip: Because content collections can have a large number of URLs or regular expression lists, verifying that content was pushed successfully can be difficult. If you distribute content using a content job, Director reports only that the job executed successfully. The device might report that the content request was received but not that the content was cached on the device successfully.
After verifying that the job completed successfully, Blue Coat recommends that you also do one of the following to confirm that the content itself was distributed:
❐ Query the entire content collection to make sure all content was distributed correctly.
❐ If you distribute a large amount of content, query a subset of the content collection, which saves time but is also effective in determining whether or not the content was distributed correctly.

Details of URL Distribution


Director can process up to 500,000 URLs (except with older ProxySG models such as the SG200), subject to the limitations discussed in this section. This number is derived from the number of devices and the size of the url-list:
Maximum number of URLs supported = m x n
In the preceding equation, m is the number of devices and n is the number of URLs in the url-list. For example, if there are 16 devices, the url-list cannot contain more than 31,250 URLs (16 devices * 31,250 URLs = 500,000 URLs). The url-list can contain more URLs if there are fewer devices, and vice versa.
Using 500,000 URLs is subject to the following limitations:
❐ Group URLs by size (for example, group URLs that download content of less than 1MB separately from URLs that download 10MB of content or more). Lists of URLs for smaller objects distribute in less time than lists of URLs for larger objects.
❐ To use 500,000 URLs in a content job, Blue Coat recommends changing the defaults to execute one batch of 50 commands every 3 seconds.
Defaults for the Director 510 follow:
❐ Outstanding commands timeout: 10,800 seconds (that is, three hours)
❐ Completed commands timeout: 3,600 seconds (that is, one hour)
❐ Number of commands in a batch: 25
❐ Length of time between batches of commands: 10 seconds
Use the enable mode command content options throttle delay to change the number of content commands that complete per unit of time. A summary of the command options follows:
director (config)# content options throttle delay delay_sec num-commands integer
where delay_sec is the number of seconds to delay between sending batches of content commands, and integer is the number of content commands to send in one batch.
Note: Older ProxySG models, such as the SG200, might not function properly if the throttle options are changed from their defaults (25 commands every 10 seconds). Because these older models have slower processors and smaller amounts of RAM, you should expect to process a maximum of 400,000 URLs using the formula shown at the beginning of this section.

To view the current settings using the Management Console:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. At the bottom of the Content tab page, click Show Throttle Settings.
The current settings display in a dialog box.

Commands to Change Throttle Settings

director (config)# content options {throttle delay delay_sec num-commands integer | timeout {completed-cmds seconds | outstanding-cmds seconds}}

Managing Folders for Content Collections


This section discusses how to create folders in which to organize content
collections (that is, regular expression lists and URL lists). Creating folders is
recommended in large deployments where you might want to organize content
collections by device location, function, or other criteria.
Following is general information about creating folders:
❐ There are two types of folders: System and Custom
❐ System folders are divided into two subfolders that cannot be changed: All
and Unassigned
❐ All content collections belong to the All system folder, even those that have
been added to custom folders.
❐ Content collections that have not been added to a custom folder belong to the
Unassigned system folder
❐ You can create content collection folders only under Custom Folders
❐ You can nest custom folders


This section discusses the following topics:


❐ "Creating or Editing Folders"
❐ "Deleting Folders" on page 213
❐ "Removing or Copying Content Collections In Folders" on page 214

Creating or Editing Folders


This section discusses how to create or edit content collection folders and
subfolders.

To create or edit content collection folders and subfolders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. Right-click Custom Folders.
4. From the pop-up menu, click one of the following:
• To create a new folder, click New > New Folder.
• To edit an existing folder, click Edit.
The following figure shows an example of adding a new folder:

Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Table 7–1 Adding or editing a folder

Field        Description
Folder Name  Enter a name to identify the folder.
Folder ID    Enter a unique identifier for the folder. You use the folder ID, for example, to configure the folder using the command line.
Description  Enter an optional description of the folder.

6. Click OK.
7. To create an additional folder, do any of the following:
• Top-level folder. Repeat the steps 1 through 6 to create a new top-level
folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop regular expression lists or URL
lists into the desired folders as follows:
a. From the Show list in the Content collections section on the Content tab
page, click the object to put in a folder.
For example, to put a URL list in a folder, from the Show list on the Content
tab page, click Url Lists or All.
b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a URL list or regular expression list to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.

Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders of the folder. Any content collections contained in those folders and subfolders are moved to the Unassigned folder; the content collections themselves are not deleted.

To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. Optional. To display content collections before you delete their containing
folders, on the Content tab page, in the Content collections section, from the
Show list, click Regex Lists, Url Lists, or All.

4. Right-click the name of the folder to delete.


5. From the pop-up menu, click Delete.


You are required to confirm the action. After deleting the folder, any content
collections contained in the folder or subfolders move to the Unassigned
system folder.

Removing or Copying Content Collections In Folders


This section discusses how to perform the following tasks for content collections
stored in folders:
❐ Remove a content collection from a custom folder and put it in the
Unassigned folder, without deleting the folder.
❐ Remove a content collection from the Unassigned system folder and put it in a
custom folder.
❐ Copy a content collection from one folder to another folder.

To remove or copy content collections in folders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. To display content collections before you remove or copy them, on the
Content tab page, in the Content collections section, from the Show list, click
All.

4. Do any of the following:


• To remove the content collection from the custom folder it is in now and
move it to the Unassigned system folder, right-click on the content
collection and, from the pop-up menu, click Remove. You are required to
confirm the action.
• To move a content collection from the Unassigned system folder to a
custom folder, click the content collection and drag it to the desired
custom folder.
• To copy a content collection to another custom folder, click the content
collection and drag it to the desired custom folder.


Related Commands
First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # overlay overlay_id
director (config folder folder_id) # parent folder_id
director (config folder folder_id) # profile profile_id
director (config folder folder_id) # regex-list list_id
director (config folder folder_id) # url-list list_id

Creating and Distributing URL Lists


This section discusses how to create valid URL lists to use to pre-populate
devices’ object caches and how to distribute the content.
This section discusses the following topics:
❐ "Creating a URL List Object"
❐ "Distributing, Revalidating, Deleting, or Prioritizing a URL List" on page 217

Creating a URL List Object


This section discusses how to create a URL List object, which can be used to
perform content actions on devices managed by this Director. Content actions that
can be performed using a URL List object include:
❐ Distributing URLs to the object cache of one or more devices
❐ Deleting URLs from the object cache of one or more devices
❐ Revalidating URLs in the object cache of one or more devices
❐ Prioritizing URLs in the object cache of one or more devices

To create a URL list object:


1. Create a URL list in a plain text or HTML file, with only one URL per line. For
example:
https://www.example.com/IT/content/CEOvideo0707.qt
https://www.example.com/IT/content/07annualreport.pdf
mms://www.example.com/mediafiles/AllHands.asf
mms://www.example.com/mediafiles/bond.wmv
rtsp://www.example.com/mediafiles/28k_av.rm
rtsp://www.example.com/mediafiles/TrainingVideo.rm

Note: Every URL must start with the protocol (also referred to as the scheme); for example, http://. URLs that start with www. or a similar prefix are not valid and will result in job execution failure.


2. You have the following options:


• To import the URL list to Director, save the text file on a computer that is
accessible by the Director Management Console.
• To upload the URL list to a remote Web server, make sure the Web server is
accessible by Director. The location cannot use authentication. Upload the
file using FTP or any other supported protocol.
3. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
4. Click the Content tab.
5. In the Content collections section, from the Show list, click Url Lists.
6. If necessary, create a folder in which to store the URL list as discussed in "Creating or Editing Folders" on page 212.
7. Right-click the folder in which to store the URL list.
8. From the pop-up menu, click New > New Content List > Url List.
The Create URL List dialog box displays.

9. Enter the following information:


Item                    Description
URL List Name field     Enter a name to identify the URL list object.
URL List ID field       Enter a unique identifier. The URL List ID can be a maximum of 250 characters and cannot include the following characters: {, }, <, >, (, ), #, or $.
Description field       Enter an optional description.
Import from local file  Click this option to import the URL list from a text file accessible from this computer. Click Browse to locate the file.
Import from URL         Click this option to import the URL list from a text file stored on a Web server that Director can access.
Other options           If you are updating an existing URL list object, click any of the following:
                        • Append imported entries to list: The entries from the file or HTML are added to the existing URL list.
                        • Replace list with imported entries: The entries from the file or HTML replace the existing URL list.

10. Click Import.


Director performs validation on the list, after which the imported URLs
display in the right pane. An error displays if the URLs are not valid. (A
common error is more than one URL per line.)
You can optionally edit the URL list in the right pane to fix errors, add URLs,
or remove URLs.

11. Click OK.


The Content collections pane on the Content tab page displays the new object.
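The following added example (not Blue Coat's code) applies this chapter's rules to a URL list before it is imported: one URL per line with a scheme, the List ID length and character limits, the m x n budget from "Details of URL Distribution", and grouping by object size; the sample list and the object sizes are constructed.

```python
"""Pre-flight checks for a Director URL list (added example, not Blue Coat code).
Rules applied, as this chapter states them: one URL per line, each starting with a
scheme; List IDs of at most 250 characters without { } < > ( ) # $; the m x n budget
(500,000 URLs, or 400,000 on older models such as the SG200); grouping URLs by
object size. Director does not know object sizes; the size table is constructed."""
import re

MAX_URLS_TOTAL = 500_000
MAX_URLS_TOTAL_OLD_MODELS = 400_000
ID_MAX_LEN = 250
ID_FORBIDDEN = set("{}<>()#$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")  # required "protocol://" prefix


def validate_url_list(text):
    """Return (urls, errors) for a URL list file; blank lines are ignored."""
    urls, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if len(line.split()) > 1:  # the common import error the chapter names
            errors.append(f"line {lineno}: more than one URL per line")
        elif not SCHEME_RE.match(line):  # www.… lines fail job execution
            errors.append(f"line {lineno}: missing scheme (for example http://): {line}")
        else:
            urls.append(line)
    return urls, errors


def validate_list_id(list_id):
    """Return the problems with a URL List ID (an empty list when it is acceptable)."""
    problems = []
    if not list_id:
        problems.append("ID is empty")
    if len(list_id) > ID_MAX_LEN:
        problems.append(f"ID is {len(list_id)} characters; maximum is {ID_MAX_LEN}")
    bad = sorted(ID_FORBIDDEN & set(list_id))
    if bad:
        problems.append("ID contains forbidden characters: " + " ".join(bad))
    return problems


def max_urls_per_list(device_count, old_models=False):
    """Largest n such that m x n stays within the documented budget."""
    if device_count < 1:
        raise ValueError("device_count must be at least 1")
    budget = MAX_URLS_TOTAL_OLD_MODELS if old_models else MAX_URLS_TOTAL
    return budget // device_count


def group_by_size(urls, sizes_bytes, small_limit=1_000_000, large_limit=10_000_000):
    """Bucket URLs as the chapter recommends: small (< 1 MB) apart from large
    (>= 10 MB); medium in between; unknown when no size is available."""
    groups = {"small": [], "medium": [], "large": [], "unknown": []}
    for url in urls:
        size = sizes_bytes.get(url)
        if size is None:
            groups["unknown"].append(url)
        elif size < small_limit:
            groups["small"].append(url)
        elif size >= large_limit:
            groups["large"].append(url)
        else:
            groups["medium"].append(url)
    return groups


def plan_job(text, list_id, device_count, sizes_bytes, old_models=False):
    """Run every check and return a summary the operator can act on before importing."""
    urls, errors = validate_url_list(text)
    cap = max_urls_per_list(device_count, old_models)
    return {
        "valid_urls": len(urls),
        "errors": errors + validate_list_id(list_id),
        "max_urls_per_list": cap,
        "fits_budget": len(urls) <= cap,
        "size_groups": {k: len(v) for k, v in group_by_size(urls, sizes_bytes).items()},
    }


# Constructed sample list: the chapter's example URLs plus two lines Director's
# import validation would reject (no scheme; two URLs on one line).
SAMPLE_URL_LIST = """\
https://www.example.com/IT/content/CEOvideo0707.qt
https://www.example.com/IT/content/07annualreport.pdf
mms://www.example.com/mediafiles/AllHands.asf
www.example.com/IT/content/missing-scheme.pdf
rtsp://www.example.com/mediafiles/28k_av.rm rtsp://www.example.com/mediafiles/TrainingVideo.rm
"""
# Constructed object sizes in bytes; Director itself does not know these.
SAMPLE_SIZES = {
    "https://www.example.com/IT/content/CEOvideo0707.qt": 250_000_000,
    "https://www.example.com/IT/content/07annualreport.pdf": 400_000,
    "mms://www.example.com/mediafiles/AllHands.asf": 5_000_000,
}
```

Calling plan_job(SAMPLE_URL_LIST, "ceo-video-2007", 16, SAMPLE_SIZES) reports the two rejected lines, a per-list cap of 31,250 URLs for 16 devices, and one URL in each size bucket.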

Distributing, Revalidating, Deleting, or Prioritizing a URL List


This section discusses how to perform the following tasks to individual devices,
selected devices, or to all devices in a custom group, Model group, or OS Version
group:
❐ Distribute URLs in a URL list.
❐ Delete from the object cache URLs in a URL list.
❐ Revalidate URLs in a URL list.
Revalidation compares each URL in the list in the device’s object cache to the
content in the source server. If the content on the source server is newer, the
content is updated in the object cache; otherwise, no change is made to the
object cache.

❐ Prioritize URLs in a URL list.
Determines the relative order in which content is deleted from a full object cache to make room for new content. In other words, when the object cache is full, this setting determines the relative order in which existing content is deleted. Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower priority content is deleted before higher priority content.
Content distribute, revalidate, delete, and prioritize actions can be configured to
run as follows:
❐ Immediately but not as a job
❐ As a job (which enables you to track execution) that executes:
• Immediately
• One time in the future
To schedule the job to run more than one time in the future or at scheduled
intervals, see "Content Job Action Details" on page 262 instead.

To distribute a URL list immediately:


1. Create the URL list object as discussed in "Creating and Distributing URL
Lists" on page 215.
2. Select devices to which to distribute the URL list:
• In the Groups pane, click the name of a group.
• In the Devices pane, click the name of one or more devices. (To select more
than one device, hold down the Control key while clicking.)
3. Click Apply.

The Perform URL List Action dialog box displays.

4. From the Action list, click any of the following:
• Distribute URL(s)
• Revalidate URL(s)
• Delete URL(s)
• Prioritize URL(s)
Priority levels range from 0 (lowest) to 7 (highest). Prioritization does the following:
• Pre-populates important content first so devices cache high priority
content before lower priority content.
• In the event devices purge their object cache, makes sure that higher
priority content is purged after lower priority content. A device purges
its object cache for a variety of reasons, including low available disk
space.
5. Do any of the following:
• Click Apply content as an immediate action to push the list without job
tracking.
Choose this option if your user account does not have permissions to
create jobs or if you do not need job tracking.
• Click Apply content as a job to enable job tracking.
• In the Job Name and Job ID fields, accept the defaults or enter other
values.
By default, the job name and job ID are both set to a time and date
stamp in the format: YYYYMMDDHHMMSS. You can change any value you
wish. The job ID can be a maximum of 250 characters in length and
cannot include the following characters: {, }, <, >, (, ), #, or $.
• Select Execute now for an immediate push or use the month, day, year,
hour, minute, and am/pm lists to schedule a time to push the lists.
6. Click OK.
Tip: Because content collections can have a large number of URLs or regular expression lists, verifying that content was pushed successfully can be difficult. If you distribute content using a content job, Director reports only that the job executed successfully. The device might report that the content request was received but not that the content was cached on the device successfully.
After verifying that the job completed successfully, Blue Coat recommends that you also do one of the following to confirm that the content itself was distributed:
❐ Query the entire content collection to make sure all content was distributed correctly.
❐ If you distribute a large amount of content, query a subset of the content collection, which saves time but is also effective in determining whether or not the content was distributed correctly.
For more information, see one of the following sections:
❐ Section D: "Verifying Jobs" on page 280 in Chapter 8: "Creating, Scheduling, and Managing Jobs"
❐ "Querying URLs" on page 226

Related Command
director # content url-list url_list_id input

Creating and Distributing Regular Expression Lists


This section discusses how to create valid regular expression lists to use to
revalidate or delete content in devices’ object caches.
This section discusses the following topics:
❐ "Creating a Regex List Object"
❐ "Revalidating, Deleting, or Prioritizing a Regex List" on page 223

Creating a Regex List Object


Director supports Perl-compliant regular expressions. For more information, see a
regular expression resource.
This section discusses how to create a URL Regex List object (hereafter referred to
as a Regex List object), which can be used to perform content actions on devices
managed by this Director. Content actions that can be performed using a Regex
List object include:
❐ Deleting URLs from the object cache of one or more devices
❐ Revalidating URLs in the object cache of one or more devices
❐ Prioritizing URLs in the object cache of one or more devices

To create a regular expression list object:


1. Create a regular expression list in a plain text or HTML file, with only one regular expression per line. For example:
https://www.example.com/IT/.*\.jpg$
https://www.example.com/IT/content/rp&rf&me&ts
mms://www.example.com/mediafiles/.*\.rm$
rtsp://www.example.com/mediafiles/a+.rm

Note: Every regular expression must start with the protocol (also referred to as the scheme); for example, http://. Expressions that start with www. or a similar prefix are not valid and will result in job execution failure.

2. You have the following options:


• To import the regular expression list to Director, save the text file on a
computer that is accessible by the Director Management Console.
• To upload the regular expression list to a remote Web server, make sure
the Web server is accessible by Director. The location cannot use
authentication. Upload the file using FTP or any other supported protocol.

3. Start the Director Management Console as discussed in "Connecting to Director with the Management Console" on page 52.
4. Click the Content tab.
5. In the Content collections section, from the Show list, click Regex Lists.
6. If necessary, create a folder in which to store the regular expression list as discussed in "Creating or Editing Folders" on page 212.
7. Right-click the folder in which to store the regular expression list.
8. From the pop-up menu, click New > New Content List > Regex List.
The Create Regex List dialog box displays.

9. Enter the following information:


Item                    Description
Regex List Name field   Enter a name to identify the regular expression list object.
Regex List ID field     Enter a unique identifier. The Regex List ID can be a maximum of 250 characters and cannot include the following characters: {, }, <, >, (, ), #, or $.
Description field       Enter an optional description.
Import from local file  Click this option to import the regular expression list from a text file accessible from this computer. Click Browse to locate the file.
Import from URL         Click this option to import the regular expression list from a text file stored on a Web server that Director can access.
Other options           If you are updating an existing regular expression list object, click any of the following:
                        • Append imported entries to list: The entries from the file or HTML are added to the existing regular expression list.
                        • Replace list with imported entries: The entries from the file or HTML replace the existing regular expression list.

10. Click Import.


Director performs validation on the list, after which the imported regular expressions display in the right pane. An error displays if the regular expressions are not valid. (A common error is more than one regular expression per line.)
You can optionally edit the regular expression list in the right pane to fix errors, add regular expressions, or remove regular expressions.
11. Click OK.
The Content collections pane on the Content tab page displays the new object.
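Before a Revalidate or Delete action is run with such a list, it helps to preview which cached objects each expression would touch. The following added example (not Blue Coat's code) does that offline; it assumes Python's re module is a close enough stand-in for Director's Perl-compatible matching, that expressions match with unanchored search semantics unless they carry ^ or $, and it uses a constructed per-device cache inventory.

```python
"""Dry run of a Director Regex List against a cached-object inventory.
Added example, not Blue Coat code. Director applies the expressions on the devices
themselves; this script only previews, before a Revalidate or Delete action, which
cached URLs each expression would affect. Assumptions: the inventory is constructed,
Python's re module stands in for the Perl-compatible engine, and each expression
is applied with search (unanchored) semantics unless it carries ^ or $ itself."""
import re

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")  # required "protocol://" prefix

# Constructed regex list: the chapter's examples plus two lines Director would
# reject (no scheme; unbalanced parenthesis). The first line of the block is blank.
REGEX_LIST = r"""
https://www.example.com/IT/.*\.jpg$
mms://www.example.com/mediafiles/.*\.rm$
rtsp://www.example.com/mediafiles/a+.rm
www.example.com/IT/.*\.png$
https://www.example.com/IT/(
"""

# Constructed snapshot of what each ProxySG object cache currently holds.
CACHED = {
    "branch-sg1": [
        "https://www.example.com/IT/logo.jpg",
        "https://www.example.com/IT/content/photo.jpg",
        "https://www.example.com/IT/content/07annualreport.pdf",
        "mms://www.example.com/mediafiles/AllHands.rm",
        "rtsp://www.example.com/mediafiles/aaa.rm",
        "rtsp://www.example.com/mediafiles/b.rm",
    ],
    "hq-sg1": [
        "https://www.example.com/IT/banner.jpg",
        "rtsp://www.example.com/mediafiles/a.rm",
    ],
}


def load_regex_list(text):
    """Return (patterns, errors); patterns is a list of (source, compiled regex)."""
    patterns, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if len(line.split()) > 1:  # the common import error the chapter names
            errors.append(f"line {lineno}: more than one expression per line")
            continue
        if not SCHEME_RE.match(line):  # www.… lines fail job execution
            errors.append(f"line {lineno}: expression must start with a scheme: {line}")
            continue
        try:
            patterns.append((line, re.compile(line)))
        except re.error as exc:
            errors.append(f"line {lineno}: invalid expression ({exc}): {line}")
    return patterns, errors


def dry_run(patterns, inventory):
    """Map device -> expression source -> cached URLs the expression matches."""
    report = {}
    for device, urls in inventory.items():
        report[device] = {src: [u for u in urls if rx.search(u)] for src, rx in patterns}
    return report


def affected_counts(report):
    """Distinct cached URLs per device that at least one expression matches."""
    return {device: len({u for urls in per_rx.values() for u in urls})
            for device, per_rx in report.items()}


if __name__ == "__main__":
    pats, errs = load_regex_list(REGEX_LIST)
    for err in errs:
        print("rejected:", err)
    rep = dry_run(pats, CACHED)
    for device, per_rx in rep.items():
        print(device, "-", affected_counts(rep)[device], "cached objects would be affected")
        for src, urls in per_rx.items():
            print("   ", src, "->", len(urls))
```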

Revalidating, Deleting, or Prioritizing a Regex List


This section discusses how to perform the following tasks to individual devices,
selected devices, or to all devices in a custom group, Model group, or OS Version
group:
❐ Delete from the object cache URLs that match a regular expression list.
❐ Revalidate URLs that match a regular expression list.
Revalidation compares each URL in the list in the device’s object cache to the
content in the source server. If the content on the source server is newer, the
content is updated in the object cache; otherwise, no change is made to the
object cache.
❐ Prioritize regular expressions in a regular expression list.
Updates the priority setting of objects in the object cache; only objects that match the regular expression are updated. The priority setting determines the relative order in which content is deleted from a full object cache to make room for new content. In other words, when the object cache is full, this setting determines the relative order in which existing content is deleted. Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower priority content is deleted before higher priority content.
These actions can be configured to run as follows:
❐ Immediately but not as a job
❐ As a job (which enables you to track execution) that executes:
• Immediately
• One time in the future
To schedule the job to run more than one time in the future or at scheduled
intervals, see "Content Job Action Details" on page 262 instead.

To revalidate, delete, or prioritize content using a regular expression list:


1. Create the regular expression list object as discussed in "Creating and
Distributing Regular Expression Lists" on page 221.
2. Select devices to which to distribute the regular expression list:
• In the Groups pane, click the name of a group.
• In the Devices pane, click the name of one or more devices. (To select more
than one device, hold down the Control key while clicking.)
3. Click Apply.

The Perform URL Regex List Action dialog box displays.

4. From the Action list, click any of the following:
• Revalidate Regex(es)
• Delete Regex(es)
• Prioritize Regex(es)
Priority levels range from 0 (lowest) to 7 (highest). Prioritization does the following:
• Pre-populates important content first so devices cache high priority
content before lower priority content.
• In the event devices purge their object cache, makes sure that higher
priority content is purged after lower priority content. A device purges
its object cache for a variety of reasons, including low available disk
space.
5. Do any of the following:
• Click Apply content as an immediate action to push the list without job
tracking.
Choose this option if your user account does not have permissions to
create jobs or if you do not need job tracking.
• Click Apply content as a job to enable job tracking.
• In the Job Name and Job ID fields, accept the defaults or enter other values.
By default, the job name and job ID are both set to a time and date stamp in the format: YYYYMMDDHHMMSS. You can change any value you wish. The job ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.
• Select Execute now for an immediate push or use the month, day, year,
hour, minute, and am/pm lists to schedule a time to push the lists.
6. Click OK.
Tip: Because content collections can have a large number of URLs or regular expression lists, verifying that content was pushed successfully can be difficult. If you distribute content using a content job, Director reports only that the job executed successfully. The device might report that the content request was received but not that the content was cached on the device successfully.
After verifying that the job completed successfully, Blue Coat recommends that you also do one of the following to confirm that the content itself was distributed:
❐ Query the entire content collection to make sure all content was distributed correctly.
❐ If you distribute a large amount of content, query a subset of the content collection, which saves time but is also effective in determining whether or not the content was distributed correctly.
For more information, see one of the following sections:
❐ Section D: "Verifying Jobs" on page 280 in Chapter 8: "Creating, Scheduling,
and Managing Jobs"
❐ "Querying URLs" on page 226

Related Command
director # content url-list url_list_id input

Querying URLs
Querying URLs allows you to verify the status of content from objects created on Director: whether it is cached or not, and which URLs are currently in the process of being cached. You can use this command only for URL List and Regex List objects; not for individual URLs, remote URLs, or remote regular expression lists.

To query URLs for cached status:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. In the Content collections section, from the Show list, click Url Lists.
4. Expand the folder containing the content job to query.
5. Click the content job.


6. In the lower left corner of the Management Console, click Query Selection.

When you click Query Selection, the Cancel Query button is available during
the time the query takes place. Clicking Cancel Query does not halt Director
from processing the query, but it does allow you to submit a new query.
After the query completes, the Show Results button becomes active.
7. Click Show Results.
Query results display similarly to the following:

Note: Percent values are rounded up; decimal values are not used. For
example, if you used a list of 30,000 URLs and 10 URLs are not in the
cache, the percent shown for in cache is displayed as 100%.

8. For each category in which Director registers results, the View/Export button displays. In this example, the two URLs in the content job were not detected in the ProxySG appliance cache. Click View/Export to display more detailed results.

The options at the bottom of the dialog allow you to perform different actions
using this result set.

Note: If you view URLs that are not in the device’s cache, the Delete button is
replaced by a Distribute button.

9. To export the results, select a format:


• Export: Saves the URLs in the list to a text file in a local directory of your selection.
• Save: Saves the URLs in the list as a new URL list object. This might be useful for a set of successful URLs taken from a larger set mixed with unsuccessful URLs.
• Distribute: This button displays if the URLs you selected are not in the device’s cache. Clicking this button saves the URLs in the list as a new content list and immediately distributes the list to the target device.
• Delete: This button displays if the URLs you selected are currently in the device’s cache. Clicking this button removes the URLs in the list from the device’s cache.
10. Click Close.

Related Commands
director (config)# content query command command_id {concise | (detail
[status {all | failed | issued | pending | remaining | successful}
{addr-device ip_address_or_hostname | all | device device_id | group
group_id} | summary [status {all | failed | issued | pending |
remaining | successful} {addr-device ip_address_or_hostname | all |
device device_id | group group_id} | model model | os-version
sgos_version]]
# content query in-progress {detail | summary} {addr-device
ip_address_or_hostname | all | device device_id | group group_id}
# content query info {concise | detail | summary} {url url | urls-from
url} {addr-device ip_address_or_hostname | all | device device_id |
group group_id | model model | os-version sgos_version}
# content query liveness device device_id
# content query outstanding {all {addr-device ip_address_or_hostname
device device_id | group group_id} | {regex url_regex {addr-device
ip_address_or_hostname | all | device device_id | group group_id} |
{regex-list regex-list_id {addr-device ip_address_or_hostname | all |
device device_id | group group_id} | {regexes-from url {addr-device
ip_address_or_hostname | all | device device_id | group group_id} |
{url url {addr-device ip_address_or_hostname | all | device device_id
| group group_id} | {urls-from url {addr-device ip_address_or_hostname
| all | device device_id | group group_id | model model | os-version
sgos_version}}
# content query status {addr-device ip_address_or_hostname | all |
device device_id | group group_id | model model | os-version
sgos_version}

Chapter 8: Creating, Scheduling, and Managing Jobs

Director jobs enable you to automate common or recurring tasks: for example, applying profiles and overlays and updating SGOS system software on devices. Jobs consist of actions that are applied to targets either immediately, one time in the future, or on a recurring schedule. The target of a job can be a single device, an arbitrary collection of devices, or a group of devices.
Job actions include the following:
❐ Applying or refreshing overlays
❐ Applying or refreshing profiles
❐ Backing up devices
❐ Backing up Director
❐ Rebooting devices
❐ Distributing, revalidating, deleting, or prioritizing URLs
❐ Revalidating, deleting, or prioritizing regular expression lists
❐ Clearing various caches (object, DNS, byte cache)
❐ Upgrading SGOS appliance system software
❐ Validating SGOS appliance software versions

Note: For information about content jobs, see Chapter 7: "Managing Content
Collections". Content jobs enable you to distribute, revalidate, delete, or
prioritize URLs and URL lists, and to revalidate, delete, or prioritize regular
expression lists. See Section C: "Managing Profiles" on page 144 for
information about profiles and overlays. See page 290 for information about
upgrading and validating ProxySG appliance software.

This chapter discusses the following topics:
❐ Section A: "Getting Started With Jobs" on page 232
❐ Section B: "Setting Up Job Actions" on page 238
❐ Section C: "Scheduling Jobs" on page 274


Section A: Getting Started With Jobs


This section discusses how to create folders in which to optionally store jobs, how
to manage folders, and how to start creating a job and defining its basic
properties. Subsequent sections in this chapter discuss how to add actions and
schedules to jobs.
This section discusses the following topics:
❐ "Managing Job Folders"
❐ "Creating or Editing a Job and its Basic Properties" on page 236

Note: The Jobs tab page provides several different methods of selecting items.
For example, to edit a job, click the name of the job and perform one of the
following tasks:
❐ Click Edit in the Jobs pane.
❐ Right-click the job and, from the pop-up menu, click Edit.
❐ Click Edit > Edit Job.

Managing Job Folders


This section discusses how to create folders in which to organize jobs. Creating
folders is recommended in large deployments where you might want to organize
jobs by device location, function, or other criteria.
Note: The same folders are used for profiles, overlays, jobs, and content
collections, enabling you to create custom folders on either the Configure, Jobs, or
Content tab pages.
Following is general information about creating folders:
❐ There are two types of folders: System and Custom
❐ System folders are divided into two subfolders that cannot be changed: All
and Unassigned
❐ All jobs belong to the All system folder, even those that have been added to
custom folders.
❐ Jobs that have not been added to a custom folder belong to the Unassigned
system folder
❐ You can create job folders only under Custom Folders
❐ You can nest custom folders
This section discusses the following topics:
❐ "Creating or Editing Folders"
❐ "Deleting Folders" on page 234
❐ "Removing or Copying Objects In Folders" on page 235


Creating or Editing Folders


This section discusses how to create or edit job folders and subfolders.

To create or edit job folders and subfolders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. Right-click Custom Folders in the Job Library section in the right pane.
4. From the pop-up menu, click one of the following:
• To create a new folder, click New > New Folder.
• To edit an existing folder, click Edit.
The following figure shows an example of adding a new folder:

Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Folder Name: Enter a name to identify the folder.
Folder ID: Enter a unique identifier for the folder. You use the folder ID, for
example, to configure the folder using the command line.
Description: Enter an optional description of the folder.

6. Click OK.


7. To create an additional folder, do any of the following:
• Top-level folder. Repeat steps 1 through 6 to create a new top-level folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop jobs into the desired folders as
follows:
a. In the Job Library section, from the Show list, click Config Jobs or
Content Jobs.

b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a job to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.

Command to Add a Job to a Folder


First, enter folder submode using the following command:
director (config) # folder folder_id
This command changes the prompt to:
director (config folder folder_id) #
Then enter the following command:
director (config folder folder_id) # job job_id

Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders of
the folder. Any profiles, overlays, jobs, or content collections contained in those
folders and subfolders are moved to the Unassigned folder; they are not deleted.

To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. Optional. To display jobs before you delete their containing folders, on the Jobs
tab page, in the Job Library section, from the Show list, click Config Jobs, Content
Jobs, or All.

4. Right-click the name of the folder to delete.


5. From the pop-up menu, click Delete.
You are required to confirm the action. After deleting the folder, any jobs
contained in the folder or subfolders move to the Unassigned system folder.

Removing or Copying Objects In Folders


This section discusses how to perform the following tasks for jobs stored in
folders:
❐ Remove a job from a custom folder and put it in the Unassigned folder,
without deleting the folder.
❐ Remove a job from the Unassigned system folder and put it in a custom folder.
❐ Copy a job from one folder to another folder.

To remove or copy jobs in folders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. To display jobs before you remove or copy them, on the Jobs tab page, in the
Job Library section, from the Show list, click All.
4. Do any of the following:
• To remove the job from the custom folder it is in now and move it to the
Unassigned system folder, right-click on the job and, from the pop-up
menu, click Remove. You are required to confirm the action.
• To move a job from the Unassigned system folder to a custom folder, click
the object and drag it to the desired custom folder.
• To copy a job to another custom folder, click the object and drag it to the
desired custom folder.


Creating or Editing a Job and its Basic Properties


This section discusses how to create or edit a job for one or more devices. You can
use the same procedure to edit an existing job; however, you cannot change the job
ID.

To create or edit a job:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Jobs tab.
4. On the Jobs tab page, in the Job Library section, from the Show list, click Config
Jobs, Content Jobs, or Both.

5. If necessary, create a folder in which to store the new job as discussed in
"Managing Job Folders" on page 232.
6. Right-click the folder in which to store the job.
7. New job:
From the pop-up menu, click any of the following:
• New > New Job > Config
• New > New Job > Content
The Properties tab page of the Create a new Job dialog box displays.
8. Edit an existing job:
Do any of the following:
• In the Job Library pane, click the name of the job and click Edit at the
bottom of the pane.
• In the Job Library pane, right-click the name of the job. From the pop-up
menu, click View.


The job’s properties display.

9. Enter the following information:
Job Name field: Enter a name to identify the job.
Job ID field: Enter a unique identifier for the job. Initially, the value of the
Job ID field is identical to the Job Name field (unless that ID is not unique).
You can change the Job ID field at any time before you click OK; after you
click OK, the Job ID cannot be changed.
Note: The job ID can be a maximum of 250 characters in length and cannot
include the following characters: {, }, <, >, (, ), #, or $.
Description field: Enter an optional description.
Enable check box: This check box is selected by default. Clear the Enable check
box if you want the scheduler to ignore this job.
Note: A job runs only if it is enabled and it is scheduled to run at a valid time
(either immediately or by setting the job schedule as discussed in Section C:
"Scheduling Jobs" on page 274).
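Because the Job ID cannot be changed once the job is saved, anyone scripting job creation wants to check candidate IDs against the rules in the table above before issuing any commands. The following Python is an added example written for this guide, not code from Director or from Blue Coat; it checks job IDs against the stated length limit and forbidden characters and emits, in the order shown under "Command to Add a Job to a Folder" on page 234, the config-mode commands that add those jobs to a folder. The folder ID is passed through unchanged because the guide states no character rules for it, and how the command lines are delivered to the Director CLI is outside the example.

```python
from typing import List

JOB_ID_MAX_LEN = 250                       # limit stated in the Job ID field description
JOB_ID_FORBIDDEN = frozenset("{}<>()#$")   # characters the Job ID field rejects


def job_id_problems(job_id: str) -> List[str]:
    """Return the reasons a job ID would be rejected; an empty list means it is acceptable."""
    problems = []
    if not job_id:
        problems.append("job ID is empty")
    if len(job_id) > JOB_ID_MAX_LEN:
        problems.append(f"job ID is {len(job_id)} characters; the maximum is {JOB_ID_MAX_LEN}")
    bad = sorted(JOB_ID_FORBIDDEN.intersection(job_id))
    if bad:
        problems.append("job ID contains forbidden character(s): " + " ".join(bad))
    return problems


def folder_assignment_commands(folder_id: str, job_ids: List[str]) -> List[str]:
    """Build the config-mode command sequence that adds each job to one folder.

    Every job ID is checked before any command is produced, so a bad ID fails the
    whole batch instead of leaving the folder half-populated. The sequence follows
    the guide: 'folder <folder_id>' enters folder submode, then one 'job <job_id>'
    line per job (assumed to be pasted into the Director CLI by the caller).
    """
    rejected = {jid: job_id_problems(jid) for jid in job_ids if job_id_problems(jid)}
    if rejected:
        raise ValueError("; ".join(f"{jid!r}: {', '.join(why)}" for jid, why in rejected.items()))
    return [f"folder {folder_id}"] + [f"job {jid}" for jid in job_ids]


if __name__ == "__main__":
    # Constructed sample IDs: the first two are valid, the third contains '#'.
    for jid in ("nightly-backup", "push-overlay-dns", "bad#id"):
        print(jid, job_id_problems(jid) or "ok")
    for line in folder_assignment_commands("emea-jobs", ["nightly-backup", "push-overlay-dns"]):
        print(line)
```

The check runs before anything is sent, which matters for scheduled jobs: a job that Director rejects at creation time never reaches the scheduler, and a half-applied folder assignment is harder to notice than a clean failure.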

10. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.


Section B: Setting Up Job Actions


This section discusses how to add actions to a job. Actions determine what the job
does and to which devices.
This section discusses the following topics:
❐ "Getting Started With Job Actions"
❐ "Config Job Action Details" on page 241
❐ "Content Job Action Details" on page 262

Getting Started With Job Actions


This section discusses how to get started adding actions to a job.

To add actions to a job:


1. Complete the tasks discussed in Section A: "Getting Started With Jobs" on
page 232.
2. In the Create a New Job or Edit Job dialog box, click the Actions tab.

Note: You can click the other tab pages to add actions and a schedule without
clicking OK in the Properties tab page first.

3. To add an action to a job, click New. This also adds an additional action to a
job that already has one or more actions configured for it.

4. From the Action list, click one of the following tasks:
• For config jobs, see "Config Job Actions"
• For content jobs, see "Content Job Actions" on page 240
5. Use the same procedure to add more actions to the job.
6. After adding actions to the job, see one of the following sections:
• Section C: "Scheduling Jobs" on page 274
• Section D: "Verifying Jobs" on page 280

Config Job Actions


The following table shows the list of config job actions:
Push Overlay: Push the overlay (specified in the Object field) to the designated
target device.
Refresh Overlay: Refresh the overlay (specified in the Object field) from the
designated source device.
Push Profile: Push the profile (specified in the Object field) to the designated
target device.
Refresh Profile: Refresh the profile (specified in the Object field) from the
designated source device.
Abort on errors: Abort the job if any of the subsequent job actions fail.
Continue on errors: Continue job execution even when a job action fails.
Take Backup: Take a backup of the target device’s configuration.
Create and Upload Archive: Archive (that is, back up) this Director appliance.
For more information, see "Archiving Director Using the Management Console"
on page 470.
Schedule Reports: E-mail Performance Analysis or Health Monitoring reports
for the target devices. For more information, see "Schedule Reports Details" on
page 251.
Reboot Device: Reboot the target device.
Clear Device’s Byte Cache: Clear the byte cache on the target device.
Clear Device’s DNS Cache: Clear the DNS cache on the target device.
Clear Device’s Object Cache: Clear the object cache on the target device.
System Download: Download a software version to the target device.
System Validate: Validate the software version on the target device.
Issue Director CLI command: Available only for jobs that were created using the
Director command line. Enables you to edit CLI commands in a job.

Content Job Actions


The following table shows the list of content job actions:
Distribute URL(s): Pre-populates a device’s object cache with URLs you specify.
Revalidate URL(s): Checks the origin server to determine if URLs in a device’s
object cache need to be updated and if so, updates the object cache.
Delete URL(s): Removes URLs from a device’s object cache.
Prioritize URL(s): Prioritizes URLs to be deleted from the object cache when it
becomes full.
Revalidate Regexe(s): Checks the origin server to determine if URLs that match
a regular expression need to be updated and if so, updates the object cache.
Delete Regexe(s): Deletes from a device’s object cache URLs that match a regular
expression.
Prioritize Regexe(s): Prioritizes URLs that match a regular expression to be
deleted from the object cache when it becomes full.
Abort on Errors: Abort the job if any of the subsequent job actions fail.
Continue on Errors: Continue job execution even when a job action fails.


Config Job Action Details


This section discusses details about setting up actions for config jobs:
❐ "Push Overlay or Push Profile Details"
❐ "Refresh Overlay or Refresh Profile Details" on page 244
❐ "Abort or Continue on Errors Details" on page 245
❐ "Take Backup Details" on page 246
❐ "Create and Upload Archive Details" on page 248
❐ "Schedule Reports Details" on page 251
❐ "Reboot Device Details" on page 254
❐ "Clear Cache Details" on page 255
❐ "System Download Details" on page 257
❐ "System Validate Details" on page 259
❐ "Issue Director CLI Command Details" on page 260


Push Overlay or Push Profile Details


This section discusses the details of a Push Overlay or Push Profile job action,
which applies (that is, pushes) an overlay or profile to one or more devices. For
more information about profiles and overlays, see Chapter 5: "Managing Device
Groups, Profiles, and Overlays".
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Push Overlay
as the action. (Push Profile is very similar.)

Enter or edit the following information:
Action list: Click any of the following:
• Push Overlay
• Push Profile
Overlay list (or Profile list): From the list, click the name of the overlay or
profile to push.
Select Target Device(s): Click (browse), which displays the Choose Target dialog
box, then click the device or devices to which to push the overlay or profile. To
select more than one device, hold down the Control key while clicking.
Validate button: Click to evaluate the profile or overlay for substitution variable
conflicts. If conflicts display, see Section E: "Resolving Substitution Variable
Conflicts in Jobs" on page 287.
Apply button: Click to add the action to the job.

Note: A job fails to execute if the job contains substitution variable conflicts.

The action displays in the left pane, as shown in the following example:

You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.


Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Refresh Overlay or Refresh Profile Details


This section discusses the details of a Refresh Overlay or Refresh Profile job
action, which reapplies a profile or overlay to selected devices. Before beginning,
see Section A: "Getting Started With Jobs" on page 232 and "Getting Started With
Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Refresh
Overlay as the action. (Refresh Profile is very similar.)

Enter or edit the following information:
Action list: Click any of the following:
• Refresh Overlay
• Refresh Profile
Overlay list (or Profile list): From the list, click the name of the overlay or
profile to refresh on the device.
Refresh options: Click any of the following:
• Use Stored Source Information: Refresh the profile or overlay from data stored
on Director for that device.
• From Device: Click (browse), which displays the Choose Target dialog box, then
click the device that contains the source overlay or profile to use to refresh.
• From Remote URL: Enter the URL path to the server that contains the source
overlay or profile.
Apply button: Click to add the action to the job.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Abort or Continue on Errors Details


The actions Abort on Errors and Continue on Errors can be added to any job.
Their meanings follow:
❐ Abort on Errors: If an error occurs while performing any job action, stop the job
immediately and log the errors.
❐ Continue on Errors: Complete job execution, regardless of errors, and log the
errors in the job report.
Either setting governs the job actions that follow it in the job’s action list (the
action tables describe it as applying to subsequent actions), so add it before the
first action whose failure it should cover.
For more information about the job report, see Section D: "Verifying Jobs" on page
280.


Take Backup Details


This section discusses the details of a Take Backup job action, which backs up one
or more ProxySG devices. Before beginning, see Section A: "Getting Started With
Jobs" on page 232 and "Getting Started With Job Actions" on page 238.
To back up (that is, archive) Director, see "Create and Upload Archive Details" on
page 248 instead.
The right pane of the Job dialog box displays as follows if you select Take Backup
as the action.

Enter or edit the following information:
Action list: Click Take Backup.
Select Target Device(s): Click (browse), which displays the Choose Target dialog
box, then click the device to back up. To select more than one device, hold down
the Control key while clicking.
Apply button: Click to add the action to the job.


The job action displays in the left pane.
You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section A: "Backing Up Devices" on page 452 in Chapter 15: "Backing Up
Director and Devices", for additional details not covered here
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Create and Upload Archive Details


This section discusses the details of a Create and Upload Archive job action,
which backs up the Director appliance.
To back up ProxySG devices, see "Take Backup Details" on page 246 instead.

Archive Prerequisites
Before beginning, complete the following tasks:
❐ Learn about archive types: "About Archives" on page 466
❐ Create an archive keypair: "Creating an Encryption Keypair" on page 467
❐ If this Director is part of a standby pair: "Standby Prerequisite: Make Both
Directors Standalone" on page 467
❐ Create the job: Section A: "Getting Started With Jobs" on page 232
❐ Create a job action: "Getting Started With Job Actions" on page 238

Procedure to Archive Director


The right pane of the Job dialog box displays as follows if you select Create and
Upload Archive as the action.


Enter or edit the following information:
Action list: Click Create and Upload Archive.
Archive Type list: From the list, click the type of archive to create. For an
explanation of the options, see "About Archives" on page 466.
With Key list: Select the key to use to encrypt the archive. For more information
about archive keys, see "Creating an Encryption Keypair" on page 467.
Upload URL field: Enter the URL of the external server to which to upload the
archive. The URL can optionally include the file name. If you omit the file name,
the archive is uploaded to the external server with a name like the following:
sgmearchive-director-all-2008.12.03-004256.tgz
Valid URL formats follow:
scp://host//path
ftp://host/path
http://host/path
For example, to upload the archive to a directory using the SCP protocol, enter
scp://192.168.0.50//director
For example, to upload the archive using a different name using the FTP
protocol, enter
ftp://192.168.0.50//director/director_5.4.1.1_04-01-09.tgz
Note: The ftp:// and http:// formats send the user name, password, and archive
over the network in clear text. The archive contents are protected by the
encryption key you selected, but the credentials are not. Use scp:// wherever the
external server supports it.
Directory and File options: Select the option corresponding to the URL you
entered in the Upload URL field.
• To upload the archive to the external server using the default name, enter a
URL without a file name and click Directory.
• To upload the archive to the external server using a name other than the
default name, enter a URL that includes a file name and click File.
Note: Archive file names cannot contain spaces.
Username field: If the external server requires authentication, enter the user
name in this field. The user name you enter must have privileges to write to the
directory you specified in the Upload URL field.
Password field: Enter the user’s password.
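The Upload URL, the Directory/File choice, and the default archive name above are easy to get wrong in a scheduled job, where the mistake is not noticed until the first run. The following Python is an added example, not code from Director; it checks an Upload URL against the three formats the field accepts, rejects spaces in the file name, works out which of the Directory and File options the URL calls for, and warns when the URL uses a clear-text scheme or embeds credentials. One assumption not made by the guide: a final path segment ending in .tgz is treated as a file name and anything else as a directory. The sample URLs are the ones printed in the table; SAMPLE_TIME is a fixed, constructed timestamp so the default name is reproducible.

```python
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("scp", "ftp", "http")   # the three URL formats the Upload URL field accepts
CLEARTEXT_SCHEMES = ("ftp", "http")        # carry the login and the upload unencrypted
ARCHIVE_SUFFIX = ".tgz"
SAMPLE_TIME = datetime(2008, 12, 3, 0, 42, 56)   # constructed; matches the example name on the page


def default_archive_name(archive_type: str, when: datetime) -> str:
    """Name Director gives the upload when the URL has no file name (form shown on the page)."""
    return f"sgmearchive-director-{archive_type}-{when:%Y.%m.%d-%H%M%S}{ARCHIVE_SUFFIX}"


def plan_archive_upload(url: str, archive_type: str = "all",
                        when: Optional[datetime] = None) -> dict:
    """Check an Upload URL and decide which option (Directory or File) it needs.

    Assumption (not stated by the guide): a last path segment ending in .tgz is a
    file name; anything else is a directory and gets the default archive name.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}; use one of {ALLOWED_SCHEMES}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if " " in parts.path:
        raise ValueError("archive file names cannot contain spaces")

    last_segment = parts.path.rsplit("/", 1)[-1]
    if last_segment.endswith(ARCHIVE_SUFFIX):
        option, remote_path = "File", parts.path
    else:
        stamp = when if when is not None else datetime.now()
        option = "Directory"
        # scp://host//path keeps its double slash: the path is absolute on the server
        remote_path = parts.path.rstrip("/") + "/" + default_archive_name(archive_type, stamp)

    warnings = []
    if scheme in CLEARTEXT_SCHEMES:
        warnings.append(f"{scheme}:// sends the user name, password and archive in clear text; prefer scp://")
    if parts.username or parts.password:
        warnings.append("credentials embedded in the URL; put them in the Username and Password fields")
    return {"scheme": scheme, "host": parts.hostname, "option": option,
            "remote_path": remote_path, "warnings": warnings}


if __name__ == "__main__":
    for sample in ("scp://192.168.0.50//director",
                   "ftp://192.168.0.50//director/director_5.4.1.1_04-01-09.tgz"):
        plan = plan_archive_upload(sample, "all", SAMPLE_TIME)
        print(sample, "->", plan["option"], plan["remote_path"], plan["warnings"])
```

The warnings are the point for a security reviewer: an archive job that runs every night over ftp:// hands the upload account's password to anyone on the path every night, whereas the archive file itself is already protected by the selected key.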


The job action displays in the left pane.
You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section B: "Archiving Director" on page 463 in Chapter 15: "Backing Up
Director and Devices", for additional details not covered here
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Schedule Reports Details


This section discusses how to schedule the following types of reports to be e-
mailed:
❐ Performance Analysis Reports
Includes bandwidth savings, effective throughput, and acceleration
information available for proxies. For more details, see "Generating
Performance Analysis Reports" on page 350.
❐ Health reports
Enables you to monitor CPU and memory usage of devices. For more details,
see "Generating Health Reports" on page 354.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Schedule
Reports as the job action.


Enter or edit the following information:
Action list: Click Schedule Reports.
Report type: Click one of the following:
• Performance Analysis
• Health Monitoring
Period list: From the list, click the period of time over which to average the data
for the report:
• Last Hour
• Last Day
• Last Week
• Last Month
• Last Year
Scale list: Performance Analysis report only. From the list, click the units of
measure to use to scale the graphs and charts in the reports:
• Bytes
• Kilo Bytes
• Mega Bytes
• Giga Bytes
Select Target Device(s): Click (browse), which displays the Choose Target dialog
box, then click a single device, multiple devices, or a group. To select more than
one device, hold down the Control key while clicking.
Note: If you select more than one individual device, a custom group is created
when the report is run. By default, the custom group is named according to the
date and time stamp when it is created, in the format YYYYMMDDHHMMSSsss,
where sss is milliseconds. If you click No in the Custom group creation dialog
box, you can enter another name for the custom group.
From field: Enter one e-mail address to appear on the From line in the e-mail.
Reports are also returned to this address in the event the e-mail fails to deliver.
E-mail addresses must be in the format name@domain, for example,
bob.smith@example.com.
To field: Enter one or more e-mail addresses to which to send the reports.
Separate multiple e-mail addresses (here and in the Cc and Bcc fields) with a
comma character.
Cc field: Enter one or more e-mail addresses to copy on the report e-mail.
Bcc field: Enter one or more e-mail addresses to blind copy on the report e-mail.
Server IP field: Displays the outgoing Simple Mail Transport Protocol (SMTP)
server’s host name or IP address. To change this setting, click Change Mail
Settings.
Server Port field: Displays the SMTP server’s listen port. To change this setting,
click Change Mail Settings.
Username field: Displays the SMTP server’s login user name (if any). To change
this setting, click Change Mail Settings.
Password field: Displays the SMTP server’s password (if any). To change this
setting, click Change Mail Settings.
Change Mail Settings: Add or change SMTP server settings. For more
information, see "Setting Mail Options" on page 63.
Apply button: Click to add this action to the job.

You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click the Scheduling tab to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Reboot Device Details


This section discusses the details of a Reboot Device action, which reboots a
device (typically after downloading SGOS software to it as discussed in "System
Download Details" on page 257).
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Reboot
Device as the job action.

Enter or edit the following information:
Action list: Click Reboot Device.
Select Target Device(s): Click (browse), which displays the Choose Target dialog
box, then click the devices to reboot. To select more than one device, hold down
the Control key while clicking.
Apply button: Click to add the action to the job.


You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Clear Cache Details


This section discusses the details of any of the following job actions:
❐ Clear Device’s Byte Cache: The byte cache is a per-connection cache maintained
on a device for all of its clients. The byte cache optimizes traffic by replacing
byte sequences in data streams with smaller tokens. When byte sequences are
seen again, the token is referenced rather than sending the sequence of bytes
over the network.
❐ Clear Device’s DNS Cache: The DNS cache is a list of host names and their
associated IP addresses stored on a device.
❐ Clear Device’s Object Cache: Caches objects that are indexed by name (that is, file
name or URL). The object cache is available for specific protocols (such as
HTTP, HTTPS, FTP, CIFS, and some streaming protocols). Content commands
can be used to pre-populate, revalidate, and delete objects in the object cache.
For more information, see "About Content Distribution" on page 207.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.


The right pane of the Job dialog box displays as follows if you select Clear
Device’s Byte Cache as the job action. (The other clear cache actions are similar.)

Enter or edit the following information:
Action list: Click any of the following:
• Clear Device’s Byte Cache
• Clear Device’s DNS Cache
• Clear Device’s Object Cache
Select Target Device(s): Click (browse), which displays the Choose Target dialog
box, then click a device to clear its cache. To select more than one device, hold
down the Control key while clicking.
Apply button: Click to add the action to the job.


You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

System Download Details


This section discusses the details of a System Download action, which downloads
SGOS system software to a device. Before beginning, see Section A: "Getting
Started With Jobs" on page 232 and "Getting Started With Job Actions" on page
238.
The right pane of the Job dialog box displays as follows if you select System
Download as the job action.


Enter or edit the following information:
Action list: Click System Download.
Remote URL field: Enter the URL of the SGOS image. The image must be placed
on a Web server to which the devices themselves have access, because each target
device fetches it from that URL. You have the option of installing it from a
download URL similar to the following:
https://bto.bluecoat.com/download/direct/3577157784791669817118692320
Such URLs expire after 24 hours, so if the job is scheduled to run later, make sure
the URL will still be valid when the job runs.
Target Device(s): Select the device or devices to which to apply the SGOS image.
(Use Control+click to select multiple devices.)
Apply button: Click to add the action to the job.

You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


System Validate Details


This section discusses the details of a System Validate action, which validates the
version number of SGOS software running on a device. You typically use System
Validate after downloading SGOS software to a device and rebooting it.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select System
Validate as the job action.

Enter or edit the following information:
Action list: Click System Validate.
Version field: Enter the version number to match. See the note following this
table.
Target Device(s): Select the device or devices on which to validate the SGOS
version. (Use Control+click to select multiple devices.)
Apply button: Click to add the action to the job.


Note about the Version field:
The version number you enter is compared with the leading components of the
SGOS version running on the device, so a shorter number matches every release
that begins with those components, as shown in the following table.
Version Number: Matches
5.3: 5.3.0.1, 5.3.0.2, 5.3.1, 5.3.2, and so on
5.2.2: 5.2.2.1, 5.2.2.2, 5.2.2.3, and so on
Do not precede the software version number with SGOS. Doing so results in an
error.
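A System Validate job compares the version you enter with what each target reports, and the table above shows that the comparison is by version components rather than by plain string prefix ("5.3" must match 5.3.0.1 but not, say, 5.30.1). The following Python is an added example, not Director's own implementation; it reproduces that matching rule, rejects a version preceded by SGOS as the note requires, and applies the check across a constructed set of device IDs and the versions they report, which is the shape of result a post-upgrade verification step wants.

```python
import re
from typing import Dict, Tuple

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")   # dotted decimal components only


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.3.0.1' into (5, 3, 0, 1); reject the 'SGOS' prefix the guide warns about."""
    text = text.strip()
    if text.upper().startswith("SGOS"):
        raise ValueError("do not precede the version number with 'SGOS'")
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version number: {text!r}")
    return tuple(int(part) for part in text.split("."))


def version_matches(expected: str, running: str) -> bool:
    """True when every component of `expected` equals the corresponding leading
    component of `running`: '5.3' matches 5.3.0.1 and 5.3.2, not 5.30.1 or 5.2.3,
    and a longer expected version never matches a shorter running one."""
    exp, run = parse_version(expected), parse_version(running)
    return len(exp) <= len(run) and run[: len(exp)] == exp


def validate_fleet(expected: str, reported: Dict[str, str]) -> Dict[str, bool]:
    """Apply the check to a mapping of device ID -> SGOS version the device reports."""
    return {device: version_matches(expected, version) for device, version in reported.items()}


if __name__ == "__main__":
    # Constructed sample: device IDs and the versions they report after an upgrade job.
    reported = {"sg-lon-1": "5.3.0.1", "sg-lon-2": "5.3.2",
                "sg-par-1": "5.2.2.3", "sg-fra-1": "5.30.1"}
    for device, ok in validate_fleet("5.3", reported).items():
        print(f"{device}: {'ok' if ok else 'MISMATCH'}")
```

Treating the version as integer components is what makes "5.3" safe as a pattern: a string-prefix check would also accept 5.30.1, which is exactly the kind of false positive that lets a device that failed its upgrade pass validation.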
You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Issue Director CLI Command Details


This section discusses the details of an Issue Director CLI Command action, which
is a special action available only for jobs that were created or edited using the
Director command line (also referred to as the CLI). You can use this job action to
change existing CLI commands and to add additional CLI commands.
Unlike other job actions, you can add a new Issue Director CLI Command action
only to a job that already contains CLI commands. If a job was created using
the Management Console and not the command line, this action is not available.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Issue Director
CLI Command as the job action.


You have the following options:

Add a new CLI command:
1. Click New.
2. From the Action list, click Issue Director CLI command.
3. In the CLI Command field, enter the command.
4. Click Apply.

Edit an existing CLI command:
1. In the left pane, click the command to edit.
2. In the right pane, in the CLI Command field, enter the new or changed
command.
3. Click Apply.

Reorder commands:
1. In the left pane, click a command.
2. At the bottom of the left pane, click Move Up or Move Down to reorder that
command in the list of commands.
3. Repeat step 2 as necessary.
4. Click OK.

Delete a command:
1. In the left pane, click a command.
2. At the bottom of the left pane, click Remove.
3. Click OK.


You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Content Job Action Details


This section discusses details about setting up actions for content jobs:
❐ "Distribute, Revalidate, or Delete URL(s) Details"
❐ "Prioritize URL(s) Details" on page 266
❐ "Revalidate or Delete Regex(es) Details" on page 269
❐ "Prioritize Regex(es) Details" on page 271


Distribute, Revalidate, or Delete URL(s) Details


This section discusses the details of the following related job actions:
❐ Distribute URL(s)
Distributes URLs to devices (that is, pre-populates a device’s object cache with
content in the URL).
❐ Revalidate URL(s)
Revalidation compares each URL in the list in the device’s object cache to the
content in the source server. If the content on the source server is newer, the
content is updated in the object cache; otherwise, no change is made to the
object cache.
❐ Delete URL(s)
Removes URLs from a device’s object cache.
For more information about content pre-population, see "About Content
Distribution" on page 207.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Distribute
URL(s) as the action. (The other actions are similar.)


Enter or edit the following information:

Action list: Click any of the following:
• Distribute URL(s)
• Revalidate URL(s)
• Delete URL(s)

Choose URLs: Click any of the following:
• From URL list: Distribute or revalidate URLs from a URL list object that
already exists on Director. For information about creating URL list objects,
see "Creating and Distributing URL Lists" on page 215.
• From Remote URL: Specifies the URL to a text file or HTML file located on a
remote Web server to which the selected devices have access. url must
include the name of a text file that has a valid list of URLs.
• Single URL: Enter a single URL to distribute or revalidate in the following
format:
http[s]://www.example.com/path
Note: Failure to include the scheme (http://, https://, and so on) causes the
job to fail.

Select Target Device(s): Click (browse), which displays the Choose Target
dialog box, then click devices on which to perform the action. To apply the
action to more than one device at a time, hold down the Control key while
clicking.

Apply button: Click to add the action to the job.


The action displays in the left pane, as shown in the following example:

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Prioritize URL(s) Details


Determines the relative order that content is deleted from a full object cache to
make room for new content. In other words, when the object cache is full, this
setting determines the relative order in which existing content is deleted.
Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower
priority content is deleted before higher priority content.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Prioritize
URL(s) as the action.

Enter or edit the following information:

Action list: Click Prioritize URL(s).

Choose URLs: Click any of the following:
• From URL list: Prioritize URLs from a URL list object that already exists
on Director. For information about creating URL list objects, see "Creating
and Distributing URL Lists" on page 215.
• From Remote URL: Specifies the URL to a text file or HTML file located on a
remote Web server to which the selected devices have access. url must
include the name of a text file that has a valid list of URLs.
• Single URL: Enter a single URL to prioritize in the following format:
http[s]://www.example.com/path
Note: Failure to include the scheme (http://, https://, and so on) causes the
job to fail.

Select Target Device(s): Click (browse), which displays the Choose Target
dialog box, then click devices on which to perform the action. To apply the
action to more than one device at a time, hold down the Control key while
clicking.

Apply button: Click to add the action to the job.


The action displays in the left pane, as follows.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Revalidate or Delete Regex(es) Details


This section discusses the details of the following related job actions:
❐ Revalidate Regex(es): Deletes URLs from a device’s object cache that match
the regular expressions you choose and adds them back, in effect deleting and
repopulating the object cache.
❐ Delete Regex(es): Removes URLs from a device’s object cache that match the
regular expressions you choose.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
Director supports Perl-compatible regular expressions. For more information, see
a regular expression resource.
The right pane of the Job dialog box displays as follows if you select Revalidate
Regex(es) as the action. (Delete Regex(es) is similar.)

Enter or edit the following information:

Action list: Click any of the following:
• Revalidate Regex(es)
• Delete Regex(es)

Choose regular expressions: Click any of the following:
• From Regex list: Revalidate or delete URLs from a Regex list object that
already exists on Director. For information about creating Regex list
objects, see "Creating and Distributing Regular Expression Lists" on page
221.
• From Remote URL: Specifies the URL to a text file or HTML file located on a
remote Web server to which the selected devices have access. url must
include the name of a text file that has a valid list of regular expressions.
• Single Regex: Enter a single regular expression to revalidate or delete in
the following format:
http[s]://www.example.com/regex
Note: Failure to include the scheme (http://, https://, and so on) causes the
job to fail.

Select Target Device(s): Click (browse), which displays the Choose Target
dialog box, then click devices on which to perform the action. To apply the
action to more than one device at a time, hold down the Control key while
clicking.

Apply button: Click to add the action to the job.

The action displays in the left pane, as shown in the following example:


You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Prioritize Regex(es) Details


Updates the priority setting of objects in the object cache; objects that match
the regular expression only are updated. The priority setting determines the
relative order that content is deleted from a full object cache to make room for
new content. In other words, when the object cache is full, this setting
determines the relative order in which existing content is deleted.
Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower
priority content is deleted before higher priority content.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Prioritize
Regex(es) as the action.


Enter or edit the following information:

Action list: Click Prioritize Regex(es).

Choose regular expressions: Click any of the following:
• From Regex list: Prioritize content from a Regex list object that already
exists on Director. For information about creating Regex list objects, see
"Creating and Distributing Regular Expression Lists" on page 221.
• From Remote URL: Specifies the URL to a text file or HTML file located on a
remote Web server to which the selected devices have access. url must
include the name of a text file that has a valid list of regular expressions.
• Single Regex: Enter a single regular expression to prioritize in the
following format:
http[s]://www.example.com/regex
Note: Failure to include the scheme (http://, https://, and so on) causes the
job to fail.

Select Target Device(s): Click (browse), which displays the Choose Target
dialog box, then click devices on which to perform the action. To apply the
action to more than one device at a time, hold down the Control key while
clicking.

Apply button: Click to add the action to the job.


The action displays in the left pane, as follows.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280
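The regex actions above (Revalidate Regex(es), Delete Regex(es), Prioritize Regex(es)) match patterns against full URLs in the object cache, and the priority actions (Prioritize URL(s), Prioritize Regex(es)) set the 0 to 7 value that decides the order in which a full cache evicts content. The following Python is an added example (not Director or SGOS code) that models those two behaviours over a constructed sample cache. The cache contents, the host names and the tie-breaking rule for equal priorities are assumptions for illustration; the real device's tie-breaking is not described on this page.

```python
import re

# Constructed sample of what a device's object cache might hold: URL and
# the priority Director would assign (0 lowest .. 7 highest, 4 is the default).
DEFAULT_PRIORITY = 4
SAMPLE_CACHE = {
    "http://www.example.com/index.html": DEFAULT_PRIORITY,
    "http://www.example.com/images/logo.png": DEFAULT_PRIORITY,
    "http://intranet.example.com/policy.pdf": DEFAULT_PRIORITY,
    # A look-alike host that an unanchored pattern would also match.
    "http://www.example.com.lookalike.test/index.html": DEFAULT_PRIORITY,
}


def matching_urls(cache, patterns):
    """Return cached URLs matched by any of the given regular expressions.

    re.search mirrors an unanchored match: a pattern matches anywhere in the
    URL unless you anchor it yourself (for example with ^https?://host/).
    """
    compiled = [re.compile(p) for p in patterns]
    return sorted(url for url in cache if any(c.search(url) for c in compiled))


def prioritize_regex(cache, patterns, priority):
    """Set the priority of every cached object that matches the patterns."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    updated = dict(cache)
    for url in matching_urls(cache, patterns):
        updated[url] = priority
    return updated


def delete_regex(cache, patterns):
    """Remove matching objects, as the Delete Regex(es) action does."""
    doomed = set(matching_urls(cache, patterns))
    return {url: p for url, p in cache.items() if url not in doomed}


def eviction_order(cache):
    """Order in which objects leave a full cache: lowest priority first.

    Ties are broken by URL only so the result is deterministic (assumption).
    """
    return [url for url, _ in sorted(cache.items(), key=lambda kv: (kv[1], kv[0]))]
```

The look-alike host in the sample shows why a regex list is worth anchoring before it is distributed: an unanchored pattern such as `example\.com` revalidates, deletes or reprioritizes every cached URL that merely contains that text, while `^https?://www\.example\.com/` touches only objects from that host.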


Section C: Scheduling Jobs


A Director job can be scheduled in any of the following ways:
❐ Immediate execution: The job runs immediately for the selected devices as
discussed in "Executing a Job Immediately" .
❐ One or more times in the future: The job executes at future times and dates
(but not on a regularly recurring schedule) as discussed in "Scheduling a Job
for Future Execution" on page 275.
❐ Recurring execution: The job executes on a recurring schedule on the days of
the week and times of day you select as discussed in "Scheduling a Job for
Recurring Execution" on page 277.

Note: Jobs run according to the time set on the Director appliance, which is not
necessarily the same as the time on the computer on which the Management
Console runs. Before scheduling a job, use the standard mode show clock
command on Director to determine its time and time zone settings.

Executing a Job Immediately


This section discusses how to run a job immediately. Other scheduling options
follow:
❐ "Scheduling a Job for Future Execution" on page 275
❐ "Scheduling a Job for Recurring Execution" on page 277

To execute a job immediately:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Create or edit the job’s properties as discussed in Section A: "Getting Started
With Jobs" on page 232.
4. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.
5. Click the Jobs tab.
6. On the Jobs tab page, in the Job Library pane, from the Show list, click Config,
Content, or All (depending on what type of job you want to execute).

7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.


8. Click Execute.

The job displays in the Job Queue pane.


9. Verify the job executed properly as discussed in "Verifying Jobs" on page 280.

Scheduling a Job for Future Execution


This section discusses how to run a job one or more times in the future but not on
a regularly recurring schedule. Other scheduling options follow:
❐ "Executing a Job Immediately" on page 274
❐ "Scheduling a Job for Recurring Execution" on page 277
In the procedure that follows, start with step 1 if you have already saved the job.
Start with step 10 if you are creating the job for the first time or if you are currently
editing the job.

To schedule a job for execution in the future:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Create or edit the job’s properties as discussed in Section A: "Getting Started
With Jobs" on page 232.
4. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.
5. Click the Jobs tab.
6. On the Jobs tab page, in the Job Library pane, from the Show list, click Config,
Content, or All (depending on what type of job you want to execute).

7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.
8. Click the name of the job.


9. Click Edit.
10. Click the Schedule tab.
11. On the Schedule tab page, click This is a job to be executed on.

12. From the provided lists, click the month, day, year, hour, minute, and am or
pm.

13. Click (add) to execute the job at the selected time.


14. (Optional.) Repeat steps 11 through 13 to add more times.
The times display in the List of Dates/List of Times section in the right pane.

15. Click OK.


The job displays in the Job Queue pane.
16. Verify the job executed properly as discussed in Section D: "Verifying Jobs" on
page 280.


Scheduling a Job for Recurring Execution


This section discusses how to run a job on a regularly recurring schedule. Other
scheduling options follow:
❐ "Executing a Job Immediately" on page 274
❐ "Scheduling a Job for Future Execution" on page 275
In the procedure that follows, start with step 1 if you have already saved the job.
Start with step 10 if you are creating the job for the first time or if you are currently
editing the job.

To schedule a job to run on a recurring schedule:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Create or edit the job’s properties as discussed in Section A: "Getting Started
With Jobs" on page 232.
4. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.
5. Click the Jobs tab.
6. On the Jobs tab page, in the Job Library pane, from the Show list, click Config,
Content, or All (depending on what type of job you want to execute).

7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.
8. Click the name of the job.
9. Click Edit.
10. Click the Schedule tab.


11. On the Schedule tab page, click This is a recurring job to be executed on.

12. Perform the tasks discussed in the following table in the order shown:

Task 1. Click This is a recurring job to be executed on. Required for all
recurring jobs.
Task 2. Select one or more day of the week check boxes. Specifies which days
of the week to execute the job.
Task 3. Select the time of day. Specifies the time of day to execute the job
on the days of the week you previously specified.
Task 4. Optional. Select a start date. Select a date to begin running the
recurring job. If you do not select a date, the job begins running at the
next available date and time.
Task 5. Optional. Select an end date. Select a date to stop running the
recurring job. If you do not select a date, the job continues running at the
scheduled dates and times until you either edit the job to provide a stop
date or until you delete the job.
Task 6. Click (add job). Schedules the recurring job.

13. Click OK.


The job displays in the Job Queue pane.
14. Verify the job executed properly as discussed in Section D: "Verifying Jobs" on
page 280.


Related Commands
First, enter job mode using the following command:
director (config) # job jobname
This command changes the prompt to:
director (config job jobname) #
Commands available from this submode include:
director (config job jobname) # cancel
director (config job jobname) # comment
director (config job jobname) # create
director (config job jobname) # date-time-pairs date_yyyy/mm/dd time_hh:mm[:ss]
director (config job jobname) # disable
director (config job jobname) # execute
director (config job jobname) # input
director (config job jobname) # name friendly_name
director (config job jobname) # no
director (config job jobname) # saved-executions number_of_reports [force]
director (config job jobname) # time-of-day {absolute {start | stop} date_yyyy/mm/dd time_hh:mm[:ss] | day {all | fri | mon | sat | sun | thu | tue | wed | weekdays} | time time_hh:mm[:ss]}
director (config job jobname) # type {date-time-pairs | time-of-day}
Other related commands:
director (config) # job update-status
director (config) # abort-on-errors
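The note at the start of this section warns that jobs run on the Director appliance's clock, not the console's. The following Python is an added illustration (not a Director feature) of converting the time an operator wants a job to run into the appliance's clock and rendering it in the date-time-pairs form listed above. The time zone offsets, job name and times are constructed assumptions: the operator is placed at UTC-7 and the appliance at UTC, using fixed offsets so the example runs without a time zone database; substitute what show clock reports for your appliance.

```python
from datetime import datetime, timedelta, timezone

# Added example, not a Director feature: converts the wall-clock time an
# operator wants a job to run into the Director appliance's clock and
# formats it as the date-time-pairs command expects.
#
# Assumed (constructed) settings: the operator works at UTC-7 and the
# appliance's "show clock" reports UTC.
OPERATOR_TZ = timezone(timedelta(hours=-7), name="operator")
DIRECTOR_TZ = timezone.utc


def to_director_time(local_text, operator_tz=OPERATOR_TZ, director_tz=DIRECTOR_TZ):
    """Convert 'YYYY-MM-DD HH:MM' in the operator's zone to the appliance's zone."""
    naive = datetime.strptime(local_text, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=operator_tz).astimezone(director_tz)


def date_time_pairs_args(when):
    """Render an aware datetime as 'yyyy/mm/dd hh:mm:ss' for date-time-pairs."""
    return when.strftime("%Y/%m/%d %H:%M:%S")


def schedule_commands(jobname, local_times):
    """Build the job-mode CLI lines that schedule a job at each converted time.

    The command forms are the ones listed under Related Commands; the job name
    and the times are caller-supplied (constructed in the test).
    """
    lines = ["job %s" % jobname, "type date-time-pairs"]
    for text in local_times:
        when = to_director_time(text)
        lines.append("date-time-pairs %s" % date_time_pairs_args(when))
    return lines
```

A late-evening local time crosses midnight on the appliance, so the date in the generated command differs from the date the operator had in mind; that is exactly the mistake the note is warning about, and checking the rendered command before entering it catches it.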


Section D: Verifying Jobs


The Job Queue and Description panes on the Jobs tab page display summary and
detailed information, respectively, about the status of jobs.
Figure: The Job Queue pane displays summary information; the Description pane
displays details, including the Job Report.

This section discusses the following topics:


❐ "About the Job Queue and Description Panes"
❐ "Verifying Backup Jobs" on page 286

About the Job Queue and Description Panes


Table 8–1 shows the meanings of the indicators in the Status column of the Job
Queue pane.
Table 8–1 Job status and meanings

(icon) The job completed successfully.
(icon) Errors occurred during job execution. Click the job in the Job Queue
pane and click View Job Report in the Description pane to see the errors.
(icon) The job has been scheduled but has not run yet.
(icon) Content jobs only. The job is in progress.

Table 8–2 shows the meanings of the options at the bottom of the Job Queue pane.

Table 8–2 Job queue options

Display jobs’ next run time:
• Select the check box to display the next run time for jobs scheduled in the
future.
• Clear the check box to display only job execution results.

Display jobs that ran in the last: From the list, click the length of time for
which to display jobs that ran in the past:
• 1 day
• 7 days
• 15 days
• 30 days
• 1 year

Note: Jobs that were disabled after being executed also display in the Job
Queue.


The Description pane provides additional information, including a link to the Job
Report, which lists the commands executed on the target object or device. You can
customize the job report output. The default is to show only errors. To see all
command output, you must set the output to verbose as discussed in
"Configuring Browser and Mail Settings" on page 61.

To view the Job Report from the Description pane:


1. In the Job Queue pane, click the name of the job.
The page refreshes, displaying a job execution summary.
2. Click View Job Report to view the commands executed by the job.


The Job Report dialog box displays.

This job report shows an example of verbose output. For information about
setting the output level, see "Configuring Browser and Mail Settings" on page
61.

Note: If the job report is empty, see "Alternate Way to View Job Results" on
page 284.

3. You have the following options:


Next Error: If the job report contains errors, click to advance to the next
error.
Previous Error: If the job report contains errors, click to go back to the
preceding error.
Close: Close the job report.


Alternate Way to View Job Results


This section discusses how to view all execution results for a particular job, which
is useful in the following circumstances:
❐ If it is a recurring job that has many executions to view.
❐ If the job report viewed from the Job Queue pane is empty.
Typically, this happens if you change the name of a job after it has executed
one or more times, in which case Director matches the job results to the Job ID
rather than the job name.

To view all executions for a particular job:


1. On the Jobs tab page, in the Job Library section, from the Show list, click Config
Jobs, Content Jobs, or Both.

2. In the Job Library pane, if necessary, expand the folder containing the job that
has executions you want to view.
3. Click the name of the job.
4. Click Edit.


The Edit Job dialog box displays.


5. In the Execution History pane, click the job instance and click View Job Report.

This job report shows an example of verbose output. For information about
setting the output level, see "Configuring Browser and Mail Settings" on page
61.

6. You have the following options:


Next Error: If the job report contains errors, click to advance to the next
error.
Previous Error: If the job report contains errors, click to go back to the
preceding error.
Close: Close the job report.


Verifying Backup Jobs


Use the following procedure to view the results of a backup job.

To examine the result of a backup job:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. Review the job status in the Job Queue pane to make sure the backup job
executed successfully.
For more information about viewing job status, see "" on page 290.
4. Click the Configure tab.
5. In the Groups pane, expand the group containing the device whose backup
you want to view.
6. In the Devices pane, click the device.
7. Click Launch Backup Manager.
The Backup Manager displays.
8. Click the backup you want to view.
9. Click View Contents.
The backup contents display in the right pane.


Section E: Resolving Substitution Variable Conflicts in Jobs


In the event a job has conflicting values for a substitution variable, you can view
the errors using the Job Report and you have the option of manually resolving the
substitution variable conflict as discussed in the following topics:
❐ "For More Information About Substitution Variables"
❐ "Viewing the Conflict in the Job Report" on page 287
❐ "Resolving the Conflicting Substitution Variable Value" on page 288

For More Information About Substitution Variables


For more information about substitution variables and conflicts, see the following
sections:
❐ "About Substitution Variables" on page 291
❐ "Resolving Substitution Variable Conflicts" on page 297

Viewing the Conflict in the Job Report


When a job fails for any reason, an icon displays next to the name of the job in
the Job Queue pane in the Jobs tab page, similarly to the following:

To view the cause of the error, click View Job Report in the Description pane. If the
job failed because of conflicting substitution variables, the job report displays
similarly to the following:


The example shows there are conflicts in substitution variables in this job that
Director could not resolve. For more information about substitution variable
conflicts, see "Rules for Resolving Conflicts" on page 297.
To manually resolve the conflict, see the next section.

Resolving the Conflicting Substitution Variable Value


If the Job Report indicates there are substitution variable conflicts that Director
could not resolve, you can resolve the conflict as discussed in this section. You
have the option of editing the value of a conflicting substitution variable, defining
a new variable for the device, or deleting a conflicting substitution variable.

To resolve substitution variable conflicts in a job:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. On the Jobs tab page, in the Job Queue pane, click the name of a job that failed
to execute.
4. In the Description pane, click View Job Report.
5. Confirm the job failed to execute because of a substitution variable conflict.
The following message confirms the failure was due to a substitution variable
conflict:
% Conflicts found, unable to apply the substitution variables.

6. In the Job Report dialog box, click Close.


7. In the Job Library section, from the Show list, click Content Jobs, Config Jobs, or
All.

8. Click the name of the job that reported the error.


9. Click Edit.
10. In the Edit Job dialog box, click the Actions tab.
11. On the Actions tab page, click the profile or overlay action that caused the
error.
12. In the right pane, click Validate.
The following figure shows an example.


The Resolve Conflict dialog box displays the conflicting variables and their
values.
13. In the Resolve Conflict dialog box, click the substitution variable value you
want to change and click Resolve Conflict.
The following figure shows an example.

In the example, there is a substitution variable conflict for a device named
AustinDev. A variable named DNS has been defined in two locations—a group
named AustinDev and a group named Austin.


After you click Resolve Conflict, the Group Substitution Variables dialog box
displays for that group as shown in the following figure.

14. You now have the following options:


• Edit the variable value to remove the conflict: In the Group Specific
Substitution Variables pane, click the value in the Value field and change it
so it matches the value of the other variable.
In the preceding example, change the value of DNS to 10.107.4.60 to match
the value defined for the group AustinDev.
This action is appropriate only if devices in the group Sunnyvale should
use the same value for this variable as devices in the group Austin Dev.
• Delete the variable: In the Group Specific Substitution Variables pane,
click the variable and click Delete.
15. In the Group Substitution Variables dialog box, click OK.
16. You are required to confirm the action.
17. Follow the prompts on your screen to execute the job.

Chapter 9: Managing Substitution Variables

This chapter discusses how to manage groups, profiles, overlays, and
substitution variables. Topics include:
❐ "About Substitution Variables"
❐ "Creating and Implementing Substitution Variables" on page 303
❐ "Editing or Deleting Substitution Variables" on page 325

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

About Substitution Variables


Without substitution variables, device configuration would be difficult. To
configure devices with different values (for example, different DNS servers),
you would be required to create multiple profiles, overlays, or jobs—one for
each configuration difference. Substitution variables enable you to replace a
value on a device or group of devices without changing the profile, overlay, or
job. Substitution also enables you to replace a variable with multiple CLI
commands.
Notes:
• Substitution variables persist across Director reboots.
• A substitution variable name can be a maximum of 64 alphanumeric
characters.
Substitution variables are name-value pairs. The name (sometimes referred to
as a token) is in the following format: @(name). The @ (at) symbol designates the
start of the token and the token must be followed by a matching set of
parentheses. name inside the parentheses is the name of the substitution
variable.
When a profile, overlay, or job is executed on a device or a group, the token is
replaced with the appropriate variable value from the device’s or group’s
configuration.
This section discusses the following topics:
❐ "Inheriting Substitution Variables From a Custom Group"
❐ "Allowed Substitution Variable Formats" on page 296
❐ "Example of Using Substitution Variables" on page 296


Inheriting Substitution Variables From a Custom Group


A substitution variable can be defined for a device and for a custom group of
devices. You cannot define a substitution variable for a system group. For more
information about device groups, see "About Director Groups" on page 132.
This section discusses the following topics:
❐ "Substitution Variable Inheritance"
❐ "Simplifying Device Configuration With Substitution Variables" on page
295

Substitution Variable Inheritance


Substitution variables defined for a custom group are inherited by all devices in
that group and by all children of that group in the group hierarchy. Inheritance
always flows from parent groups to child groups.
The following figures show examples.
Suppose you nested custom groups as follows:

In the preceding figure, inheritance flows as follows:


❐ AustinDev and AustinQA inherit variables from Austin
❐ Any groups nested under AustinDev inherit variables from Austin and
from AustinDev
❐ SunnyvaleDev and SunnyvaleQA inherit variables from Sunnyvale
❐ AustinQA and AustinDev (and any groups nested under them) inherit no
variables from each other
❐ SunnyvaleDev and SunnyvaleQA (and any groups nested under them)
inherit no variables from each other
To continue the example, suppose you define a substitution variable named
DNS for the group Austin and you define a substitution variable named
DNSAlt for the group AustinDev.

292
Chapter 9: Managing Substitution Variables

The following figure shows how these variables are inherited by a group named
AustinDevGroup1, which is a child of AustinDev:

[Figure: the substitution variables of the group AustinDevGroup1. Callouts: "Inherited from groups higher in the hierarchy" and "Defined for this group and inherited by groups lower in the hierarchy".]

In the preceding figure, the variable named DNS was inherited from Austin and
the variable DNSAlt was inherited from Austin > AustinDev.


However, DNSAlt is not inherited by the group AustinQA because AustinQA is a
child of Austin but not of AustinDev:

Finally, the groups Sunnyvale, SunnyvaleDev and SunnyvaleQA inherit none of
the variables defined for the group Austin.
Because devices can belong to multiple groups and because you can create
substitution variables of the same name with different values in different groups
(and different devices), conflicts can occur. For information on how variable
conflicts are resolved, see "Resolving Substitution Variable Conflicts" on page 297.


Simplifying Device Configuration With Substitution Variables


To simplify how similar devices are configured, put those devices in a custom
group, define substitution variables for the group, and then execute profiles,
overlays, or jobs on the group to configure devices in a similar fashion.
Examples follow:
❐ Set up custom groups according to the domain to which ProxySG appliances
authenticate.
❐ Set up custom groups according to the functions devices perform (that is, edge
proxies, branch proxies, forward proxies, and so on).
If a particular device in a group has substitution variables defined for that device,
the set of substitution variables available to it is the union of the variables defined
for the group and for the device.
The following figure shows an example.


The preceding figure shows an example of a device with two substitution
variables:
❐ Substitution variable named DNS defined for the group (named Austin) to
which the device belongs
❐ Substitution variable named DNSAlt defined for the device

Allowed Substitution Variable Formats


The following table summarizes the formats for substitution variables. Additional
information, including examples, is discussed in the remainder of this section.
Format: @(variable-name)
Meaning: variable-name is substituted with the value of the variable defined for
the device.

Format: @(variable-name1)separator@(variable-name2)separator@(variable-name-n)
Meaning: Enables you to selectively substitute parts of IP addresses, port number
ranges, and so on. For example, to substitute the last two bytes of an IP
address, use @(SUBNET).@(ADDRESS)

Format: @@(string)
Meaning: Passes @(string) through literally, not as a substitution variable. In
other words, if you do not want @(...) to be used as a substitution variable,
escape it with another @ symbol.

Example of Using Substitution Variables


For example, suppose that because of a network update, you must change the
DNS server for one or more devices. This example assumes you are configuring
the device using an overlay; using substitution variables with profiles is similar
and is discussed in detail in "Creating Substitution Variables in a Profile" on page
319.
To use substitution variables, you must perform the following tasks in any order:
❐ Replace the affected DNS server addresses in the overlay with CLI commands
like the following:
dns clear server
add server @(DNS)

DNS is the name of the substitution variable and @(DNS) is its token.


❐ Create the value of the variable in either the device record or in a custom
group to which the device belongs.
When the overlay is applied to the target device, the @(DNS) token is replaced with
the value of the DNS substitution variable.


Notes:
❐ The token format must be as follows: @(string).
The maximum length of string is 64 characters, alphanumeric only. If there are
any spaces, reserved characters, or special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is
a special character and cannot be used in a substitution variable.
❐ The token @ must be followed by a matching set of parentheses.
❐ If you do not want the @() token to be a substitution variable, escape it with
another @ symbol.
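The token rules above (the @(name) format, the @@(...) escape, the 64-character alphanumeric name rule) and the DNS overlay example can be exercised offline with the following Python helper. This is an added example written for this guide, not Blue Coat code; the OVERLAY text and the variable values are constructed, and Director's own substitution engine is not called.

```python
import re

# Token rules from the guide: @(name) where name is 1-64 alphanumeric
# characters (no spaces, no SGOS reserved ? or %, no *); @@(name) is the
# escape that passes the literal text @(name) through unchanged.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")
TOKEN_RE = re.compile(r"(@@?)\(([^()]*)\)")


class SubstitutionError(ValueError):
    """A token is malformed or has no defined value."""


def is_valid_variable_name(name: str) -> bool:
    """True if name follows the 64-character alphanumeric rule."""
    return NAME_RE.fullmatch(name) is not None


def required_variables(cli_text: str) -> list:
    """Names of the @(name) tokens in cli_text, in order, ignoring @@(...) escapes."""
    return [m.group(2) for m in TOKEN_RE.finditer(cli_text) if m.group(1) == "@"]


def missing_variables(cli_text: str, variables: dict) -> list:
    """Required names with no value: what a pre-execution validation should report."""
    return [n for n in required_variables(cli_text) if n not in variables]


def substitute(cli_text: str, variables: dict) -> str:
    """Expand every @(name) token in cli_text from variables.

    @@(name) becomes the literal @(name). A token whose name breaks the
    naming rule, or that has no value, raises SubstitutionError, mirroring
    the "does not have a value for the required substitution variable" error
    Director reports when it executes the profile or overlay.
    """
    def expand(match):
        prefix, name = match.group(1), match.group(2)
        if prefix == "@@":
            return "@(" + name + ")"
        if not is_valid_variable_name(name):
            raise SubstitutionError(f"invalid substitution variable name {name!r}")
        if name not in variables:
            raise SubstitutionError(f"no value for required substitution variable {name}")
        return variables[name]
    return TOKEN_RE.sub(expand, cli_text)


# Constructed overlay fragment based on the guide's DNS example; the second
# add server line shows the separator form from the format table.
OVERLAY = "dns clear server\nadd server @(DNS)\nadd server @(SUBNET).@(ALT)\n"

if __name__ == "__main__":
    values = {"DNS": "10.107.0.62", "SUBNET": "172.16.45", "ALT": "141"}
    print(missing_variables(OVERLAY, {"DNS": "10.107.0.62"}))  # ['SUBNET', 'ALT']
    print(substitute(OVERLAY, values))
```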

Resolving Substitution Variable Conflicts


Because substitution variables can be defined for a device and for a group, and
because a single device can belong to multiple groups, there can be conflicts. This
section discusses substitution variable conflicts in the following sections:
❐ "About Substitution Variable Conflicts"
❐ "Rules for Resolving Conflicts" on page 297
❐ "Examples of Resolving Conflicts" on page 299
Before you execute a profile or overlay, you can see substitution variable conflicts
as discussed in "Validating the Values of Substitution Variables" on page 320.

About Substitution Variable Conflicts


If the same substitution variable name is defined in more than one place with a
different value, a conflict occurs. For example, if you define a substitution variable
named DNS in a group named Group1 with value 10.107.0.62 and define a
variable named DNS in a device named Device1 with value 172.16.45.141,
and you add Device1 to Group1, there is a conflict. The next section discusses how
Director resolves these conflicts.

Rules for Resolving Conflicts


A substitution variable conflict occurs only if a variable with the same name is
defined with different values in more than one place (for example, for two groups
to which a device belongs; or for a device and for a group to which the device
belongs). Generally, Director resolves a conflict at the device level; that is, a
substitution variable defined for a device takes precedence over a variable
inherited from a group.


Note:
❐ To avoid the possibility of substitution variable conflicts, assign a device to
only one group and define all substitution variables either for the device or
for the group, but not both.
❐ If a substitution variable with the same name is defined with the same
value in more than one place, there is no conflict.

Examples of resolving substitution variable conflicts can be found in "Examples of
Resolving Conflicts" on page 299.
In the event of substitution variable conflicts, Director resolves the conflict as
follows:
❐ The substitution variable defined for the device takes precedence if any of the
following is true:
• The device is a member of only one group and the variable is defined for
the group and for the device. For an example, see "Example 1: Substitution
Variable Defined for a Group and a Device" on page 300.
• The device is a member of a hierarchy of groups and the variable is defined
for any higher-level group and for the device.
• The device is a member of two or more groups not in the same hierarchy
and the variable is defined for one or more groups and for the device. For
an example, see "Example 2: Substitution Variable Defined for a Different
Group Hierarchy" on page 301.
❐ The substitution variable defined for a group takes precedence if a device is a
member of a hierarchy of groups and the variable is defined for any higher-
level group but not for the device.
In this case, the substitution variable defined for the group closest to the
device takes precedence. For an example, see "Example 3: Substitution
Variable Defined for Two Groups in a Hierarchy but Not for a Device" on page
302.
❐ Director cannot resolve a substitution variable conflict if a device is a member
of two or more groups not in the same hierarchy, and the same variable is
defined with different values for the groups but not for the device.
Conflicts cause errors executing jobs, profiles, and overlays. Profiles and
overlays with conflicts fail to execute. For jobs, you have the option to resolve
the conflict manually.
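The three rules above can be checked against a group hierarchy before anything is executed. The following Python model is an added example, not Blue Coat code or Director's data model; it uses the Austin/Sunnyvale hierarchy from this chapter, the 10.107.0.62 and 172.16.36.60 values from the examples, and constructed 192.0.2.x values for the rest. It generalizes the rules slightly: a group definition that is an ancestor of another defining group in the same hierarchy is treated as shadowed, so only definitions from different hierarchies can conflict.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Resolution:
    value: Optional[str]        # resolved value, or None when undefined/unresolvable
    source: str                 # "device", the winning group(s), "undefined" or "conflict"
    candidates: Dict[str, str]  # group -> value for the competing group definitions


class Inventory:
    """Minimal model of custom groups, devices and their substitution variables.

    Constructed for this example; it is not Director's data model or API.
    """

    def __init__(self):
        self.parent: Dict[str, Optional[str]] = {}        # group -> parent group
        self.group_vars: Dict[str, Dict[str, str]] = {}   # group -> {name: value}
        self.device_groups: Dict[str, List[str]] = {}     # device -> groups it is in
        self.device_vars: Dict[str, Dict[str, str]] = {}  # device -> {name: value}

    def add_group(self, name, parent=None, **variables):
        self.parent[name] = parent
        self.group_vars[name] = dict(variables)

    def add_device(self, name, groups, **variables):
        self.device_groups[name] = list(groups)
        self.device_vars[name] = dict(variables)

    def ancestors(self, group):
        """Yield group itself, then its parent, grandparent, ... up to the root."""
        while group is not None:
            yield group
            group = self.parent[group]

    def resolve(self, device, var) -> Resolution:
        # Rule 1: a value defined for the device itself always wins.
        if var in self.device_vars[device]:
            return Resolution(self.device_vars[device][var], "device", {})
        # Every group in the device's hierarchies that defines var.
        defining = {g for m in self.device_groups[device]
                    for g in self.ancestors(m) if var in self.group_vars[g]}
        # Rule 2: within one hierarchy the group closest to the device wins, so a
        # definition on an ancestor of another defining group is shadowed.
        effective = {g for g in defining
                     if not any(o != g and g in self.ancestors(o) for o in defining)}
        candidates = {g: self.group_vars[g][var] for g in effective}
        values = set(candidates.values())
        if not values:
            return Resolution(None, "undefined", {})
        if len(values) == 1:  # identical values in several places are not a conflict
            return Resolution(values.pop(), ",".join(sorted(effective)), candidates)
        # Rule 3: different values from groups in different hierarchies and no
        # device value to break the tie: Director cannot resolve this.
        return Resolution(None, "conflict", candidates)


def build_example_inventory() -> Inventory:
    """The group hierarchy used in this chapter's examples, with constructed values."""
    inv = Inventory()
    inv.add_group("Austin", DNS="10.107.0.62", DNSAlt="192.0.2.99")
    inv.add_group("AustinDev", parent="Austin", DNS="192.0.2.53")
    inv.add_group("AustinQA", parent="Austin")
    inv.add_group("AustinDevGroup1", parent="AustinDev")
    inv.add_group("Sunnyvale", DNS="192.0.2.54", DNSAlt="192.0.2.99")
    inv.add_group("SunnyvaleDev", parent="Sunnyvale")
    inv.add_group("SunnyvaleQA", parent="Sunnyvale")
    # Example 1: DNS defined for Austin and for the device -> the device value wins.
    inv.add_device("Device1", ["AustinDevGroup1"], DNS="172.16.36.60")
    # Example 3: DNS defined for Austin and AustinDev, not the device -> AustinDev wins.
    inv.add_device("QA142", ["AustinDevGroup1"])
    # Two hierarchies with different DNS values and nothing on the device -> conflict.
    inv.add_device("Dev142", ["AustinDevGroup1", "SunnyvaleDev"])
    return inv


if __name__ == "__main__":
    inv = build_example_inventory()
    for dev in ("Device1", "QA142", "Dev142"):
        print(dev, inv.resolve(dev, "DNS"))
```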


Examples of Resolving Conflicts


This section discusses some examples of substitution variable conflicts:
❐ "Group Hierarchy Used in the Examples"
❐ "Example 1: Substitution Variable Defined for a Group and a Device" on page
300
❐ "Example 2: Substitution Variable Defined for a Different Group Hierarchy"
on page 301
❐ "Example 3: Substitution Variable Defined for Two Groups in a Hierarchy but
Not for a Device" on page 302

Group Hierarchy Used in the Examples


The following figure shows the group hierarchy used in the examples in this
section:

In the preceding figure, all groups under Austin are in the same hierarchy and all
groups under Sunnyvale are in the same hierarchy with the following exceptions:
❐ AustinDev and AustinQA inherit variables from Austin but not from each
other.
❐ Groups nested under AustinDev inherit variables from Austin but not
from AustinQA.
❐ SunnyvaleDev and SunnyvaleQA inherit variables from Sunnyvale but not
from each other.


Example 1: Substitution Variable Defined for a Group and a Device


In this example, a substitution variable named DNS is defined for the group
Austin and for a device named AustinDev that is in the group AustinDevGroup1,
which inherits variables from Austin and from AustinDev:

The top pane shows variables inherited by the device’s parent groups and the
bottom pane shows variables for the device. The substitution variable conflict is
circled.
In this example, the substitution variable defined for the device takes precedence
(that is, the variable named DNS with the value 172.16.36.60). That means that
when a profile, overlay, or job is executed, the value of the substitution variable
defined for the device is used and the other values are ignored.


Example 2: Substitution Variable Defined for a Different Group Hierarchy


In this example, a substitution variable named DNS is defined for a device
named Dev142 that is in the groups AustinDevGroup1 and SunnyvaleDev. A
variable named DNS is also defined in the group Austin.
The groups AustinDevGroup1 and SunnyvaleDev are not in the same
hierarchy.
In this example, the variables available to the device are the same as the
preceding example, "Example 1: Substitution Variable Defined for a Group and
a Device" on page 300:

In the preceding example, the same variable (DNS) is defined in three places
with three different values: in the group Austin, in the group Sunnyvale and for
the device itself.
In this example, the substitution variable defined for the device takes
precedence. That means that when a profile, overlay, or job is executed, the
value of the substitution variable defined for the device is used and the other
values are ignored.


Example 3: Substitution Variable Defined for Two Groups in a Hierarchy but Not for a Device
In this example, a substitution variable named DNS is defined for two groups:
Austin and AustinDev. The variable is not defined for the device named QA142,
which belongs to a child group of AustinDev.
AustinDev is a child of Austin so they are in the same group hierarchy.

[Figure: the device QA142 and the groups it belongs to. Callout: "Groups in which variables are defined".]

In the preceding figure, the device (named QA142) belongs to the group
AustinDevGroup1. The substitution variables are defined in the groups Austin
and AustinDev. The variables are circled in blue.
Because the group AustinDev is closer in the hierarchy than the group Austin, the
value of the variable defined in the group AustinDev takes precedence. That means
that when a profile, overlay, or job is executed, the value of the substitution
variable defined for the group AustinDev is used and the other value is ignored.
For information about viewing and resolving substitution variable conflicts when
you execute profiles, overlays, and jobs, see one of the following sections:
❐ "Resolving Substitution Variable Conflicts" on page 297
❐ "Validating the Values of Substitution Variables" on page 320
❐ Section E: "Resolving Substitution Variable Conflicts in Jobs" on page 287


Creating and Implementing Substitution Variables


This section describes how to create profiles or overlays that use substitution
variables, how to create substitution variables on devices, and how to implement
a configuration change using the variables.
This section discusses the following topics:
❐ "About Using Substitution Variables in Profiles and Overlays"
❐ "Creating and Importing Substitution Variable Files" on page 304
❐ "Defining the Value of a Substitution Variable" on page 310
❐ "Creating Substitution Variables in an Overlay" on page 314
❐ "Creating Substitution Variables in a Profile" on page 319
❐ "Validating the Values of Substitution Variables" on page 320

About Using Substitution Variables in Profiles and Overlays


This section discusses general information about using substitution variables in
profiles and overlays. Because a device can either inherit the value of a substitution
variable from a group or have the value defined directly in its device record, you
must understand how values are assigned to substitution variables.
A substitution variable value defined for a device always takes precedence over
the value of the same variable defined for a group (either a group to which the
device belongs directly or a higher-level group from which it inherits variables).
For additional information, see "Inheriting Substitution Variables From a Custom
Group" on page 292 and "Resolving Substitution Variable Conflicts" on page 297.
To use substitution variables in profiles and overlays, you must complete the
following tasks in the order shown:
1. Optional. Create a substitution variable file and import it into Director as
discussed in "Creating and Importing Substitution Variable Files".
2. Edit the definition of the device or group to give the substitution variable a
value as discussed in "Defining the Value of a Substitution Variable" on page
310.
3. Add the substitution variable token to a profile or overlay as discussed in one
of the following sections:
• "Creating a Profile" on page 149
• "Creating an Overlay" on page 163
4. Validate substitution variables for conflicts as discussed in "Validating the
Values of Substitution Variables" on page 320.


5. Execute the profile or overlay.

Note: Usually, a profile or overlay displays results for all devices in a group
when the profile or overlay is executed on a group of devices under a banner
similar to:
+-------------------------------------------
| Output for device "name"
+-------------------------------------------
However, if the group has no substitution variables defined for it but some of
the devices in the group have substitution variables defined for them, profile
or overlay execution displays errors for the devices without substitution
variables and it displays the result of the command execution for devices with
substitution variables.
The error displays as follows:
Error: The device <name> does not have a value for the required
substitution variable variable-name.

Creating and Importing Substitution Variable Files


This section describes how to optionally create substitution variable files and
import them into Director. Substitution variable files enable you to substitute
multiple variables on multiple groups or devices at the same time, as opposed to
defining the variables and then manually changing them.
If you do not need to create substitution variable files, skip this section and
continue with "Defining the Value of a Substitution Variable" on page 310.
For general information about how substitution variables are inherited from
groups to devices, see "Inheriting Substitution Variables From a Custom Group"
on page 292. For information about how conflicts are resolved, see "Resolving
Substitution Variable Conflicts" on page 297.
Because substitution variables can be defined for devices and for groups, there are
two types of substitution variable files. These files are discussed in more detail in
the following sections:
❐ "Device Substitution Variable File Format" on page 306
❐ "Group Substitution Variable File Format" on page 306
This section discusses the following topics:
❐ "About Substitution Variable Files"
❐ "Substitution Variable File Formats" on page 305
❐ "Importing a Substitution Variable File" on page 308


About Substitution Variable Files


A substitution variable file contains the names, values, and targets of multiple
substitution variables you import into Director all at one time. This automates
and simplifies the process of implementing substitution variables for large
numbers of groups and devices.

Topics Related to Substitution Variable Files


❐ For information about substitution variable file formats, see "Substitution
Variable File Formats" on page 305.
❐ To view a sample substitution variable file, see "Viewing Example
Substitution Variable Files" on page 307.
❐ To import the substitution variable file, see "Importing a Substitution Variable
File" on page 308.
❐ For general information about substitution variables, see "About Substitution
Variables" on page 291.
❐ For general information about how devices inherit substitution variables from
groups, see "Inheriting Substitution Variables From a Custom Group" on page
292.
❐ For general implementation information, see "Example of Using Substitution
Variables" on page 296.
❐ For information on how substitution variable conflicts are resolved, see
"Resolving Substitution Variable Conflicts" on page 297.

Substitution Variable File Formats


A substitution variable file is a comma-separated list of variables and values that
starts with either a group ID or a device ID. The ID is required.
Because substitution variables can be defined for groups and for devices, see one
of the following sections for more details:
❐ "Device Substitution Variable File Format"
❐ "Group Substitution Variable File Format" on page 306
❐ "Viewing Example Substitution Variable Files" on page 307


Device Substitution Variable File Format


This section discusses how to create a substitution variable file for a device.

To create a device substitution variable file:


1. Create a file in comma separated value (.csv) format using the following
guidelines:
A substitution variable file has two lines: the first line defines the variable
names and the second line defines variable values. The substitution
variable file for a device must start with the device ID.
An example follows:
Device ID,VarName1,VarName2,VarName3
AustinQA,192.168.0.2,example.com,192.168.0.3

In the example, the first line defines the names of the substitution variables.
The second line defines the values of those variables.

Note: The Device ID field and its value are required. You cannot import the
substitution variable file unless the field is present and its value is valid. The
value of Device ID is the device’s unique identifier, and not the “friendly”
device name.
To view a device ID, on the Configure tab page of the Director Management
Console, right-click a device in the Devices pane. From the pop-up menu, click
Edit. The value of the Device ID field on the Edit Device dialog box is the ID you
must use.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is a
special character and cannot be used in a substitution variable.

2. When you are finished, save the file.


3. Import the file into Director as discussed in "Importing a Substitution
Variable File" on page 308.

Group Substitution Variable File Format


This section discusses how to create a substitution variable file for a group.

To create a group substitution variable file:


1. Create a file in comma separated value (.csv) format using the following
guidelines:
A substitution variable file has two lines: the first line defines the variable
names and the second line defines variable values. The substitution
variable file for a group must start with the group ID.


An example follows:
Group ID,VarName1,VarName2,VarName3
AustinDevGroup,192.168.0.2,example.com,192.168.0.3

In the example, the first line defines the names of the substitution variables.
The second line defines the values of those variables.

Note: The Group ID field and its value are required. You cannot import the
substitution variable file unless the field is present and its value is valid. The
value of Group ID is the group’s unique identifier, and not the “friendly” group
name.
To view a group ID, on the Configure tab page of the Director Management
Console, right-click a custom group in the Groups pane. From the pop-up
menu, click Edit. The value of the Group ID field on the Edit Group dialog box is
the ID you must use.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is a
special character and cannot be used in a substitution variable.

2. When you are finished, save the file.


3. Import the file into Director as discussed in "Importing a Substitution Variable
File" on page 308.
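The device and group file formats above share one two-line structure, and the import errors listed later in this chapter (device file imported as a group file or vice versa, fewer names than values, malformed names) can all be caught before the file reaches Director. The following checker is an added Python example, not Blue Coat code; DEVICE_FILE is the sample from the device format section, and whether the Device ID or Group ID actually exists in Director is an assumption this offline check cannot verify.

```python
import csv
import io
import re

# Name rule from the guide: 1-64 alphanumeric characters, no spaces, no SGOS
# reserved characters (? %) and no * (special character).
NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")
ID_HEADER = {"device": "Device ID", "group": "Group ID"}

# Constructed sample, copied from the device file example in the guide.
DEVICE_FILE = ("Device ID,VarName1,VarName2,VarName3\n"
               "AustinQA,192.168.0.2,example.com,192.168.0.3\n")


def parse_substitution_file(text: str, kind: str):
    """Parse a device ("device") or group ("group") substitution variable file.

    Returns (record, None) on success, with record = {"id": ..., "variables":
    {name: value}}, or (None, message) for the import failures the guide lists.
    Whether the ID exists in Director cannot be checked offline and is not
    attempted here.
    """
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if len(rows) != 2:
        return None, f"expected 2 lines (names, then values), found {len(rows)}"
    names = [c.strip() for c in rows[0]]
    values = [c.strip() for c in rows[1]]
    want = ID_HEADER[kind]
    if names[0] != want:
        other = "group" if kind == "device" else "device"
        if names[0] == ID_HEADER[other]:
            return None, f"this is a {other} file imported as a {kind} file"
        return None, f"first column must be {want!r}, found {names[0]!r}"
    if len(names) < len(values):
        return None, "fewer substitution variable names than values"
    if len(names) > len(values):
        return None, "fewer substitution variable values than names"
    if not values[0]:
        return None, f"{want} value is required"
    bad = [n for n in names[1:] if NAME_RE.fullmatch(n) is None]
    if bad:
        return None, "invalid substitution variable name(s): " + ", ".join(bad)
    return {"id": values[0], "variables": dict(zip(names[1:], values[1:]))}, None


if __name__ == "__main__":
    print(parse_substitution_file(DEVICE_FILE, "device"))
    print(parse_substitution_file(DEVICE_FILE, "group"))
```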

Viewing Example Substitution Variable Files


You can optionally view an example in the Director Management Console as
follows:
1. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
2. Click the Configure tab.
3. Click File > Import Substitutions > Device or Group.
The Import Substitution Variables dialog box displays.
4. Click Next.
The Import page displays.
5. On the Import page, click the Click Here link to display an example.


Importing a Substitution Variable File


To import a substitution variable file:
1. Create a substitution variable file as discussed in "Substitution Variable File
Formats" on page 305.
2. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
3. Click the Configure tab.
4. Click one of the following:
• File > Import Substitutions > Device
• File > Import Substitutions > Group
The Import Substitution Variables dialog box displays.

5. Click Next.


The Import page displays.

6. In the provided field, enter the absolute file system path to your substitution
variable file, or click Browse to locate it.
7. Click Next.
The Summary page displays information about the import.
A sample success message follows:
Successfully parsed substitution variables for 1 device(s).

A sample error follows:


Unable to retrieve substitution variables for the specified file.
Please make sure the file exists, and matches the format described on
the previous screen

This error can be caused by any of the following:


• You are attempting to import a device substitution variable file for a group
or vice versa (go back to Step 4 on page 308).
• There are fewer substitution variable names than substitution variable
values in your substitution variable file (click Cancel and validate the file
again as discussed in "Substitution Variable File Formats" on page 305).
• The file you are attempting to import is in the wrong format (for example,
you attempted to import a binary file). Click Prev and import the correct
file.
8. After verifying the substitution variable file as discussed in the preceding
step, click Finish.


Defining the Value of a Substitution Variable


This section discusses how to give the substitution variable a value, either in a
group or in the device record. A substitution variable defined for a device always
takes precedence over a substitution variable defined for a group. In other words,
if you define the value of a substitution variable for a device, that value is always
used when executing the overlay.
Note: If you created and imported substitution variable files, skip this section
and continue with "Creating Substitution Variables in an Overlay" on page 314
or "Creating Substitution Variables in a Profile" on page 319.

For additional information about substitution variables defined for groups, see
"Inheriting Substitution Variables From a Custom Group" on page 292.
This section discusses how to give a substitution variable a value in any of the
following ways:
❐ "Defining a Substitution Variable Value for a Group"
❐ "Defining a Substitution Variable Value for a Device" on page 312

Defining a Substitution Variable Value for a Group


This section discusses how to define the value of a substitution variable for a
group. A substitution variable defined for any group to which a device belongs,
directly or indirectly, is inherited by the device. In other words, if a device belongs
to a group Austin > AustinDev > AustinDevGroup1, and a substitution variable is
defined for Austin, the device inherits that substitution variable.
The value of a substitution variable is defined either by the device record or by the
group closest in the hierarchy to which the device belongs. For more information,
see "Resolving Substitution Variable Conflicts" on page 297.
Before you execute an overlay that contains substitution variables, you should
validate the variables for conflicts as discussed in "Validating the Values of
Substitution Variables" on page 320.

To define a substitution variable for a group:


1. Complete the tasks discussed in "Adding a Property to the Overlay" on page
314.
2. In the Configure tab page, in the Groups pane, right-click the name of a group.
3. From the pop-up menu, click Edit.
4. At the bottom of the Edit Group dialog box, click Substitution Variables.


An example follows.

5. In the Group Substitution Variable dialog box, click New.


The Group Substitution Variables dialog box displays.
6. In the Group Specific Substitution Variables pane, enter the following
information:
Field: Substitution Variable Name
Description: Enter a name for the substitution variable. For example, DNS.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for command
help) or % (percent—reserved for errors). In addition, * (asterisk) is a special
character and cannot be used in a substitution variable.

Field: Value
Description: Enter the variable’s value.

7. Click OK.
8. At the confirmation dialog box, click Yes.
9. At the Edit Group dialog box, click OK.


10. Repeat these tasks for other substitution variables to define for this group.
11. Validate the overlay as discussed in "Validating the Values of Substitution
Variables" on page 320.

Defining a Substitution Variable Value for a Device


This section discusses how to define the value of a substitution variable for a
device. The value of a substitution variable defined for a device always takes
precedence over the value of the same variable defined for a group from which
the device inherits substitution variables. In other words, if you define the value
of a substitution variable for a device, that value is always used when executing
the overlay.
Before you execute an overlay that contains substitution variables, you should
validate the variables for conflicts as discussed in "Validating the Values of
Substitution Variables" on page 320.

To edit the definition of a device to specify a substitution variable value:


1. Complete the tasks discussed in "Adding a Property to the Overlay" on page
314.
2. On the Configure tab page, in the Devices pane, right-click the name of a
device.
3. From the pop-up menu, click Edit.

The Edit Device dialog box displays, similarly to the following:

4. Click Advanced Settings, located at the bottom of the dialog box.


The Advanced Settings dialog box displays, similarly to the following:

5. Click the Substitution Variables tab.


6. On the Substitution Variables tab page, click New.
7. In the Substitution Variable Name field, enter the name of the variable.
The name you enter must be the same name you created in the overlay.
8. In the Value field, enter the new configuration value.
9. Click OK.


10. You are required to confirm the action.


11. Repeat these tasks for other substitution variables to define for this device.
12. Validate the overlay as discussed in "Validating the Values of Substitution
Variables" on page 320.

Creating Substitution Variables in an Overlay


This section discusses how to use substitution variables in an overlay. Following
is a summary of the process:
The procedure in this section assumes you have already created the overlay as
discussed in "Creating an Overlay" on page 163.

Adding a Property to the Overlay


This section discusses how to add a property to the overlay; this property
becomes the name of the substitution variable. In this section, the primary DNS
server is used as an example of the substitution variable value.

To add a property to the overlay:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section, from the Show list, click Overlays.
4. Expand the name of the folder containing the overlay.
5. Right-click the name of the overlay.
6. From the pop-up menu, click Edit.
The Edit existing Overlay dialog box displays. The Add to Overlays section
displays as follows:


7. In the Add to Overlay section, click one of the following:
• Using Device Management Console if you do not know the exact CLI syntax;
use the device’s Management Console to configure it as discussed in
"Adding a Property using the Management Console Viewer".
• Using CLI if you know the exact CLI syntax for the feature; see "Adding a
Property using the Command Line" on page 318.

Adding a Property using the Management Console Viewer


This section discusses how to add a property to the overlay using the device’s
Management Console viewer. Use this method if you do not know the command
to add the property to the overlay.

To add a property using the Management Console Viewer:


1. Complete the tasks discussed in "Adding a Property to the Overlay" on page
314.
2. In the Add to Overlay section, click Using Device Management Console and then
click (browse).
The Select Reference Device dialog box displays a list of available devices.
3. In the Select Reference Device dialog box, click the reference device to be the
source for the overlay settings and click OK.
4. Click Launch.
The Management Console viewer displays.
5. Select the property you wish to make into a substitution variable.


For the purposes of this example, click Network > DNS.

6. Click the current DNS value and click Edit.


The Edit dialog box displays the current settings for that property; in this
example, the alternate DNS server.
7. Change the desired values.
8. In the Edit dialog box, click OK to save your changes.
9. Click Save to Overlay Editor at the bottom of the Manage Device dialog box.
10. In the Overlay settings section of the Edit existing Overlay dialog box, click
the configuration change you made (in this example, DNS) and click Edit.


The Edit CLI dialog box displays.

11. Replace the value with the new variable.


In this example, the following changes were made:
• Before add server, insert clear server to clear any existing DNS alternate
server.
• Replace the alternate server’s IP address with the substitution variable,
@(DNS).

Note: Any character other than a space before the initial @ symbol or the
ending parenthesis causes the substitution value to not be inserted. Also
review the information discussed in "Allowed Substitution Variable Formats"
on page 296.

12. In the Edit CLI dialog box, click OK to save your changes to the substitution
variable.
13. In the Edit existing Overlay dialog box, click OK to save your changes to the
overlay.


Adding a Property using the Command Line


This section discusses how to add a property to the overlay using the command
line. Use this method if you know the command to add the property to the
overlay.
1. Complete the tasks discussed in "Adding a Property to the Overlay" on page 314.
2. In the Add to Overlay section, click Using CLI.
The Add Commands to add to the Overlay dialog box displays.
3. In the Add Commands dialog box, enter the CLI syntax.
The following figure shows how to set the DNS server using the commands
dns clear server and add server @(DNS).

4. In the Add Commands dialog box, click OK.


5. In the Edit existing Overlay dialog box, click OK.
6. Continue with the next section.


Creating Substitution Variables in a Profile


This section discusses how to edit a profile to add the value of a substitution
variable.

To edit a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section, from the Show list, click Profiles.
4. Expand the name of the folder containing the profile.
5. Right-click the name of the profile.
6. From the pop-up menu, click Edit.
The Edit existing Profile dialog box displays, similarly to the following:

7. In the right pane, locate the command or set of commands you want to change
to a substitution variable.


In this example, the set of commands is:


edit alternate
clear server
exit

8. Edit the commands using a substitution variable.


For example,
edit alternate
clear server
add server @(DNSAlt)

9. In the Edit existing Profile dialog box, click OK.


10. Continue with the next section.

Validating the Values of Substitution Variables


Before you execute a profile or overlay that contains substitution variables, you
should validate the variables for conflicts as discussed in this section. Substitution
variable conflicts can occur because a device might inherit two variables with the
same name from different groups, or the device might have a substitution
variable defined for the device and inherit one or more from groups.
Following is a quick overview of how Director resolves substitution variable
conflicts:
❐ A substitution variable defined for a device always takes precedence over
variables inherited by the device from groups to which it belongs.
❐ If no substitution variable is defined for a device, the variable defined in the
closest group in the hierarchy takes precedence.
❐ If a device inherits conflicting substitution variables from two or more groups
not in the same hierarchy, and no substitution variable is defined for the
device, Director cannot resolve the conflict.
For more information, see "Examples of Resolving Conflicts" on page 299.

Note: If no value is defined for a substitution variable, the substitution
variable validates successfully but the profile or overlay that contains it will
fail to execute. Before you execute a profile or overlay that contains a
substitution variable, make sure the variable has a value as discussed in
"Editing or Deleting Substitution Variables" on page 325.
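The three resolution rules above, together with the space-delimited @(NAME) token format from the Note in "Adding a Property using the Management Console Viewer", modelled in Python as an added example; this is not Director's own code. The group names and addresses, the treatment of identical values from unrelated groups as no conflict, and the letters/digits/underscore variable-name pattern are assumptions.

```python
"""Added example, not Director's own code: models how Director resolves
substitution variables for a device and expands @(NAME) tokens in overlay or
profile CLI lines. Rules 1-3 follow the text; all names are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(eq=False)              # compare by identity: groups are tree nodes
class Group:
    name: str
    variables: Dict[str, str] = field(default_factory=dict)
    parent: Optional["Group"] = None              # None for a top-level group

@dataclass(eq=False)
class Device:
    name: str
    variables: Dict[str, str] = field(default_factory=dict)   # device-level values
    groups: List[Group] = field(default_factory=list)          # direct memberships

class SubstitutionConflict(Exception):
    """Groups outside one hierarchy define different values (rule 3)."""

class MissingValue(Exception):
    """No value anywhere: validates, but execution fails (see the Note)."""

# Assumed token format: @(NAME), NAME of letters, digits or underscore, with the
# whole token delimited by spaces or line boundaries as the Note requires.
_VAR = re.compile(r"(?<![^ ])@\(([A-Za-z0-9_]+)\)(?![^ ])")

def _chain(group: Optional[Group]) -> List[Group]:
    """The group followed by its ancestors, closest first."""
    out: List[Group] = []
    while group is not None:
        out.append(group)
        group = group.parent
    return out

def resolve(device: Device, name: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (value, source) for name on device, or (None, None) if undefined."""
    if name in device.variables:              # rule 1: device value always wins
        return device.variables[name], f"device {device.name}"
    defining: List[Group] = []                # every group above the device defining name
    for g in device.groups:
        for anc in _chain(g):
            if name in anc.variables and anc not in defining:
                defining.append(anc)
    # Rule 2: within one hierarchy the closest group wins, so drop a defining
    # group when one of its descendants also defines the variable.
    closest = [g for g in defining
               if not any(g in _chain(other)[1:] for other in defining)]
    if not closest:
        return None, None
    values = {g.variables[name] for g in closest}
    if len(values) == 1:                      # assumption: equal values do not conflict
        return values.pop(), f"group {closest[0].name}"
    # Rule 3: unrelated hierarchies disagree and no device value exists.
    raise SubstitutionConflict(f"{name} on {device.name}: " + ", ".join(
        f"{g.name}={g.variables[name]}" for g in closest))

def validate(device: Device, lines: List[str]) -> Dict[str, Optional[str]]:
    """Like the Substitution Variables dialog: effective value of every variable
    referenced in lines (None when undefined, which still validates); raises
    SubstitutionConflict for a variable Director cannot resolve."""
    report: Dict[str, Optional[str]] = {}
    for line in lines:
        for name in _VAR.findall(line):
            if name not in report:
                report[name] = resolve(device, name)[0]
    return report

def expand(device: Device, lines: List[str]) -> List[str]:
    """Substitute well-formed tokens. A token that is not space-delimited is left
    unchanged (no value is inserted); an undefined variable aborts execution."""
    def value_of(match):
        value, _ = resolve(device, match.group(1))
        if value is None:
            raise MissingValue(match.group(1))
        return value
    return [_VAR.sub(value_of, line) for line in lines]

# Constructed hierarchy Corp > EMEA > Paris, plus Lab in a separate hierarchy.
corp = Group("Corp", {"DNS": "10.0.0.2"})
emea = Group("EMEA", {"DNS": "10.1.0.2"}, parent=corp)
paris = Group("Paris", parent=emea)
lab = Group("Lab", {"DNS": "192.0.2.53"})
# The commands from this section, with the alternate server as a variable.
OVERLAY = ["edit alternate", "clear server", "add server @(DNS)", "exit"]

if __name__ == "__main__":
    dev = Device("sg-paris-1", groups=[paris])     # EMEA is closer than Corp
    print(expand(dev, OVERLAY))
    dev.groups.append(lab)                         # two unrelated hierarchies disagree
    try:
        validate(dev, OVERLAY)
    except SubstitutionConflict as exc:
        print("conflict:", exc)
```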

This section discusses the following topics:


❐ "Prerequisites for Validating Substitution Variables"
❐ "Validating Substitution Variables" on page 321


Prerequisites for Validating Substitution Variables


Before validating substitution variables, make sure you have completed the
following tasks in the order shown:
Task                                                        For more information

1. Understand concepts related to substitution variables.   "About Substitution Variables" on page 291

2. Understand how devices inherit substitution variables    "Inheriting Substitution Variables From a
   and values from groups.                                  Custom Group" on page 292

3. Understand how substitution variable conflicts are       "Resolving Substitution Variable Conflicts"
   resolved.                                                on page 297

4. Create substitution variables and values for devices     "Creating and Implementing Substitution
   and groups.                                              Variables" on page 303

5. Include substitution variables in profiles.              "Creating Substitution Variables in a
                                                            Profile" on page 319

6. Include substitution variables in overlays.              "Creating Substitution Variables in an
                                                            Overlay" on page 314

Validating Substitution Variables


This section discusses how to validate substitution variables defined for groups
and devices for conflicts.

To validate substitution variables for conflicts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Configuration Library section, from the
Show list, click Profiles, Overlays, or All.

4. Click any of the following:


• To execute the profile or overlay on a device, click the name of the
device in the Devices pane and click the name of the profile or overlay
in the Configuration Library pane.
• To execute the profile or overlay on a group, click the name of the group
in the Groups pane and click the name of the profile or overlay in the
Configuration Library pane.
5. Right-click the name of the profile or overlay.
6. From the pop-up menu, click Substitution Variables.


The following figure shows an example.

7. A dialog box displays conflicts, if any, in red text.


The following figures show examples.


• Example of a conflict that Director cannot resolve:

In the preceding example, a variable named DNS has been defined with
different values in two groups. The variables display in red text to indicate
that Director cannot resolve the conflicting values. The reason Director
cannot resolve the conflict is that the device inherited the variables from
groups that are not in the same hierarchy.
Before you can execute the profile or overlay, you must remove the
substitution variable or edit its value in one of the locations displayed in
the dialog box to remove the conflict, then execute the profile or overlay.


• Example of no conflict:

The value of the variable displayed in the preceding dialog box will be used
when executing the profile or overlay.

Note: If no value is defined for a substitution variable, the substitution
variable validates successfully but the profile or overlay that contains it will
fail when you execute it. Before you execute a profile or overlay that contains a
substitution variable, make sure the variable has a value as discussed in
"Editing or Deleting Substitution Variables" on page 325.

8. After resolving any conflicts, click Execute.


For additional information about executing profiles and overlays, see one of
the following sections:
• "Executing a Profile" on page 154
• "Executing an Overlay Immediately" on page 168


Editing or Deleting Substitution Variables


This section discusses how to edit or delete substitution variables defined for
devices and groups.

To edit or delete substitution variables:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, locate the device or group with variables you want
to edit or delete.
You might need to expand groups or click the All system group to locate a
particular group or device. You can also click Actions > Find and search for a
device or group as discussed in Section B: "Search" on page 185.
4. Right-click the name of the device or group.
5. From the pop-up menu, click Edit.
6. Do one of the following:
• Device: From the pop-up menu, click Advanced Settings. In the Advanced
Settings dialog box, click the Substitution Variables tab.
• Group: From the pop-up menu, click Substitution Variables.


The Group Substitution Variables dialog box for the device or group displays.
The following figure shows an example Advanced Settings dialog box for a
group.

7. Do any of the following:


Task                                       Description

Add a new substitution variable            1. Click New.
                                           2. In the Substitution Variable Name field, enter a
                                              name to identify the substitution variable.
                                           3. In the Substitution Variable Value field, enter a
                                              value for this variable.
                                           For more information, see "About Substitution
                                           Variables" on page 291.

Edit an existing substitution variable     1. In the bottom pane of the dialog box, click either
                                              the Substitution Variable Name or the Substitution
                                              Variable Value field.
                                           2. Enter a new value.

Delete an existing substitution variable   1. In the bottom pane of the dialog box, click the
                                              variable you want to delete.
                                           2. Click Delete.

8. Click OK.
9. You are required to confirm the action.
10. In the Edit dialog box, click OK.

Command Related to Creating a Substitution Variable Value


First, enter device submode using the following command:
director (config) # device device_id
This command changes the prompt to:
director (config device device_id) #
Then enter the following command:
director (config device device_id) # substitution-variable name input

Chapter 10: Monitoring Devices

This chapter describes the options on the Monitor tab page and how to use
them to view device status.
This chapter discusses the following topics:
❐ "About the Monitor Tab Page" on page 329
❐ "Viewing Group and Device Status" on page 330
❐ "Managing Alerts" on page 332
❐ "Viewing Statistics" on page 348
❐ "Generating Performance Analysis Reports" on page 350
❐ "Generating Health Reports" on page 354

About the Monitor Tab Page


After you have added devices, you can view device status using the Monitor
tab page.

The Monitor tab page enables you to quickly determine the status of groups or
of individual devices. The Monitor tab page provides a quick, global view of
the health of your devices by listing the total number of alerts for all devices
and providing a summary of device health for those systems. It also enables
you to access alert and statistics information.


Viewing Group and Device Status


The Groups pane lists all of the groups, including system groups. When a group is
selected, the group’s overall status is displayed. When a device is selected, its
individual status and alerts summary is displayed in the Description pane. More
detailed information is discussed in the following sections:
❐ "Viewing Group Status"
❐ "Viewing Device Status" on page 331

Viewing Group Status


This section discusses how to view the status of all devices in a group.

To view group status:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, click the name of a group.
The group’s status displays in the Description pane, as shown in the following
figure:


Viewing Device Status


This section discusses how to view the status of a selected device.

To view device status:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, click the name of the device for which you want to
view status.
The device status displays in the Description pane, as shown in the following
figure.

The device information contains additional status information not displayed in
the group status, such as health statistics. See Chapter 12: "Monitoring the
Health of Devices" for more information about device health statistics.


Viewing a Device’s SGOS Edition


This section discusses how to view whether a device runs SGOS MACH5 or Proxy
Edition. You can view information about a device’s SGOS version only by looking
at what system group it belongs to, as discussed in "About System Groups" on
page 133.

To view device SGOS edition:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, click the name of a device.
4. Scroll toward the bottom of the Description pane to display the device edition.

Managing Alerts
This section discusses the following topics:
❐ "About Alerts"
❐ "Managing Alerts" on page 338


About Alerts
Alerts inform you of specific device events, such as fan failures or CPU utilization
warnings. Director records a maximum of 50,000 alerts. If the 50,000 alert limit is
reached, the oldest acknowledged alerts are deleted first.
This section discusses the following topics:
❐ "Alerts Terminology"
❐ "Alert Metric Details" on page 335

Alerts Terminology
The following table discusses the meanings of commonly used terms in this
chapter.
Table 10–1 Alerts terminology

Term                  Meaning

Active alert          An event that is currently occurring on the device and
                      that requires immediate attention.

Inactive alert        An event that has since returned to normal and no longer
                      requires attention.

Acknowledged alert    An alert you have acknowledged with Director.
                      Acknowledging an alert does not correct the error
                      condition; acknowledging an alert makes the alert a
                      candidate for deletion when the maximum number of
                      alerts is reached.

Unacknowledged alert  An alert you have not acknowledged with Director.

Alert state           Alert state can be:
                      • All
                      • Active
                      • Inactive
                      See the discussion of these terms earlier in this table. The
                      Director Management Console enables you to filter
                      alerts by alert state.

Alert status          Alert status can be:
                      • All
                      • Acknowledge
                      • Unacknowledge
                      See the discussion of these terms earlier in this table. The
                      Director Management Console enables you to filter
                      alerts by alert status.

Alert severity        Alert severity can be:
                      • All
                      • Warning
                      • Critical
                      • Disconnected
                      The Director Management Console enables you to filter
                      alerts by alert severity.

Alert metric          Alert metric can be:
                      • All
                      • ADN Connection Status
                      • ADN Manager Status
                      • CPU Utilization
                      • Device Connection
                      • Disk Status
                      • Health Check Status
                      • Interface Utilization
                      • License Expiration
                      • License Utilization
                      • Memory Pressure
                      • Memory Utilization
                      • Sensor
                      The Director Management Console enables you to filter
                      alerts by alert metric.
                      The meanings of these metrics are discussed in "Alert
                      Metric Details" on page 335.


Alert Metric Details


Following is a summary of the meanings of the alert metrics. These metrics are
referred to as health monitoring metrics in the documentation provided with
SGOS. For additional details not covered in this section, see Managing the Blue
Coat ProxySG Appliance in the ProxySG Appliance Configuration and Management
Guide documentation set.
Table 10–2 discusses metrics with user configurable thresholds.
Table 10–2 Health monitoring metrics

Metric                 Default Values                               Notes
                       Critical Threshold /   Warning Threshold /
                       Interval               Interval

CPU Utilization        95% / 120 seconds      80% / 120 seconds     Measures the value of the primary CPU
                                                                    on multi-processor systems — not the
                                                                    average of all CPU activity.

Memory Utilization     95% / 120 seconds      90% / 120 seconds     Measures memory use and tracks when
                                                                    memory resources become limited,
                                                                    causing new connections to be delayed.

Interface Utilization  90% / 120 seconds      60% / 120 seconds     Measures the traffic (in and out) on the
                                                                    interface to determine if it is
                                                                    approaching the maximum capacity
                                                                    (bandwidth maximum).

License Utilization    90% / 120 seconds      80% / 120 seconds     Monitors the number of users using the
                                                                    ProxySG.

License Expiration     0 days / 0             15 days / 0           Warns of impending license expiration.
                                              30 days / 0
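As an added example (not SGOS or Director code), the following Python evaluates a constructed CPU utilization history against the Table 10–2 defaults and derives the active/inactive alert transitions in Table 10–1 terms. It assumes that the interval is the time a value must remain at or above the threshold before the state changes, and that the state returns to OK as soon as a sample falls below the warning threshold.

```python
"""Added example, not SGOS or Director code: evaluates a metric's sample history
against the Table 10-2 defaults and derives Director alert transitions.
Assumed semantics: the interval is how long a value must stay at or above the
threshold before the state changes, and the state drops back to OK as soon as
a sample falls below the Warning threshold."""
from typing import List, Tuple

Sample = Tuple[float, float]   # (seconds since start, measured percentage)

# Defaults from Table 10-2: critical %, critical interval s, warning %, warning interval s
DEFAULTS = {
    "CPU Utilization":       (95, 120, 80, 120),
    "Memory Utilization":    (95, 120, 90, 120),
    "Interface Utilization": (90, 120, 60, 120),
    "License Utilization":   (90, 120, 80, 120),
}

def sustained_seconds(samples: List[Sample], threshold: float) -> float:
    """Seconds the latest unbroken run of samples at or above threshold has lasted,
    from the first sample of that run to the newest sample; 0 if the newest
    sample is below threshold."""
    run_start = None
    for t, value in samples:
        if value >= threshold:
            if run_start is None:
                run_start = t
        else:
            run_start = None
    return 0.0 if run_start is None else samples[-1][0] - run_start

def state(metric: str, samples: List[Sample]) -> str:
    """Health state at the newest sample: Critical, Warning or OK."""
    crit, crit_interval, warn, warn_interval = DEFAULTS[metric]
    if sustained_seconds(samples, crit) >= crit_interval:
        return "Critical"
    if sustained_seconds(samples, warn) >= warn_interval:
        return "Warning"
    return "OK"

def alert_transitions(metric: str, samples: List[Sample]) -> List[Tuple[float, str]]:
    """Replay the history and record each state change as Director would log it:
    entering Warning or Critical creates an active alert; returning to OK makes
    that alert inactive (Table 10-1 terms)."""
    events, previous = [], "OK"
    for i in range(1, len(samples) + 1):
        current = state(metric, samples[:i])
        if current != previous:
            events.append((samples[i - 1][0], f"{previous} -> {current}"))
            previous = current
    return events

# Constructed CPU samples every 30 s: a single 97% spike (too short to alert),
# then 2 minutes at 80%+ (Warning), then 2 minutes at 95%+ (Critical), then recovery.
CPU_SAMPLES: List[Sample] = [
    (0, 40), (30, 97), (60, 40),
    (90, 85), (120, 88), (150, 90), (180, 86), (210, 84),
    (240, 96), (270, 97), (300, 99), (330, 98), (360, 97),
    (390, 50),
]

if __name__ == "__main__":
    for t, event in alert_transitions("CPU Utilization", CPU_SAMPLES):
        print(f"t={t:>4}s  {event}")
```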


Table 10–3 discusses metrics with thresholds that are not user configurable.
Table 10–3 Status health monitoring metrics

Metric                      Threshold States and Corresponding Values

Disk Status                 Critical: Bad
                            Warning: Removed, Offline
                            OK: Not Present, Present

ADN Connection Status       OK: Connected, Connecting, Connection Approved,
                            Disabled, Not Operational
                            Warning: Approval Pending, Mismatching Approval Status,
                            Partially Connected
                            Critical: Disconnected, Connection Denied
                            See Advanced Networking for more information about the
                            ADN metrics.

ADN Manager Status          OK: Not a Manager, No Approvals Pending
                            Warning: Approvals Pending

Health Check Status         OK: No health checks with Severity: Warning or Critical
                            are failing. A health check with Severity: No-effect
                            might be failing.
                            Warning: One or more health checks with Severity:
                            Warning has failed.
                            Critical: One or more health checks with Severity:
                            Critical has failed.

Temperature — Motherboard   Threshold states and values vary by ProxySG model.
and CPU

Fan Speed                   Threshold states and values vary by ProxySG model.

Voltage — Bus Voltage,      Threshold states and values vary by ProxySG model.
CPU Voltage, Power
Supply Voltage

Getting Started With Alerts


This section discusses general information you can use to get started monitoring
device alerts using the Director Management Console’s Monitor tab page.

Viewing a Summary of All Device Alerts


The top section of the Monitor tab page displays a summary view of device alerts
similar to the following.

The Current Device Status row displays how many devices are in each alert
severity state currently.
The Accumulated Alerts row displays the total number of alerts stored on
Director since the last time the alerts were cleared.

Viewing Alerts for Custom Groups of Devices


To display all alerts for a particular custom group, click the name of the group in
the Groups pane on the Monitor tab page and click Alerts.
Examples are shown in "Examples of Managing Alerts" on page 341.

Viewing Alerts for Individual Devices


To display all alerts for a particular device, click the name of the device in the
Devices pane on the Monitor tab page and click Alerts. (You might need to click
the name of a group in the Groups pane first; if in doubt, click the All system
group.)
Examples are shown in "Examples of Managing Alerts" on page 341.


Managing Alerts
The Alerts dialog box enables you to view all of the alerts for the selected device
or group and allows you to filter, comment on, acknowledge, or unacknowledge
those alerts.

To manage alerts:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts in any of
the following ways:
• Select one or more devices: In the Groups pane, click the name of the
group to which the devices belong (if in doubt, click All).
In the Devices pane, click the names of the devices (to select more than one
device, hold down the Control key while clicking).
Continue with step 4.
• Select a group of devices: In the Groups pane, under Custom groups, click
the name of a group.
Continue with step 4.
4. In the Description pane, under Reports, click Alerts.


The Alerts dialog box displays.

(Figure: the Alerts dialog box, with callouts for Filtering options, Alerts
details, Details about selected alert, and Actions.)


You have the following options:

Option                        Description

Filter alerts                 Filtering means to limit the alerts that display to only
                              those you choose. Make a selection from each list; the
                              selections are combined to filter the results. Examples
                              are shown in "Examples of Managing Alerts" on page 341.
                              To limit the alerts that display in the dialog box (that
                              is, to filter alerts), select the following options:
                              1. From the Metric list, click All to display alerts with
                                 all metrics or click the name of a metric to limit the
                                 alerts displayed to show that metric only.
                                 For more information about alert metrics, see Table
                                 10–2 on page 335.
                              2. From the Severity list, click All to display alerts
                                 with all severities or click one of the following:
                                 • Warning to display only alerts with a severity of
                                   Warning.
                                 • Critical to display only alerts with a severity of
                                   Critical.
                                 • Disconnected to display only alerts with a severity
                                   of Disconnected.
                              3. From the State list, click All to display alerts with
                                 all states or click one of the following:
                                 • Active to display only alerts that are currently in
                                   a critical or warning severity.
                                 • Inactive to display only alerts that have since
                                   returned to a normal severity.
                              4. From the Status list, click All to display alerts with
                                 all statuses or click one of the following:
                                 • Acknowledge to display only alerts that have been
                                   previously acknowledged. You can do this, for
                                   example, to delete acknowledged alerts.
                                 • Unacknowledge to display only alerts that have not
                                   been acknowledged.
                              5. From the Days list, click All to display alerts from
                                 all dates, or click a time interval to display alerts
                                 that occurred in that time interval.
                              6. Click Show.
                                 Clicking Reset returns the filters to their default
                                 values.
                              7. See "Examples of Managing Alerts" on page 341.

Sort alerts                   Click the name of a column to sort alerts by the value
                              of that column, in either ascending or descending order.
                              Clicking a column name once displays results in
                              ascending order; clicking the same column name again
                              displays results in descending order.

View details about one alert  Click an alert in the lower section of the dialog box.
                              Alert details display in the Details section.

Select all alerts             Click Select All.

Unselect all alerts           Click Unselect All.

Add comments to selected      Comments display only in the Alerts dialog box;
alerts                        comments are not propagated to the device.
                              Click one or more alerts, enter text in the Comments
                              field, and click Update. (To click more than one alert,
                              hold down the Control key while clicking.)

Acknowledge selected alerts   Acknowledging an alert makes the alert a candidate for
                              deletion when the maximum number of alerts is reached;
                              acknowledging an alert does not solve the issue that
                              caused the alert.
                              The acknowledged icon displays in the Acknowledged
                              column in the Alerts dialog box for an acknowledged
                              alert.
                              Click one or more alerts and click Acknowledge. (To
                              click more than one alert, hold down the Control key
                              while clicking.)

Unacknowledge selected        Click one or more alerts and click Unacknowledge. (To
alerts                        click more than one alert, hold down the Control key
                              while clicking.)
                              The unacknowledged icon displays in the Acknowledged
                              column in the Alerts dialog box for an unacknowledged
                              alert.

Delete selected alerts        Click one or more alerts and click Delete. (To click
                              more than one alert, hold down the Control key while
                              clicking.)
                              You are required to confirm the deletion.

Examples of Managing Alerts


This section discusses the following examples:
❐ "Example 1: Filtering and Sorting Alerts"
❐ "Example 2: Acknowledging Alerts" on page 344
❐ "Example 3: Deleting Acknowledged Alerts" on page 346


Example 1: Filtering and Sorting Alerts


This example shows how to filter alerts to show only acknowledged alerts and
how to sort alerts by description.

To filter and sort alerts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts.
In this example, select a custom group and click Alerts.
The Alerts dialog box displays.

4. To sort the alerts by description, click the Description column.


The Alerts dialog box then displays as follows.

5. To display only acknowledged alerts, make the following selections from the
Filters section of the Alerts dialog box:
• Metric list: click All.
• Severity list: click All.
• State list: click All.
• Status list: click Acknowledge.
• Days list: click any value, such as last 30 days.
The following figure shows an example:

6. Click Show.


The Alerts dialog box displays only acknowledged alerts.

Example 2: Acknowledging Alerts


This example shows how to filter alerts to acknowledge alerts; if the 50,000 alert
maximum is exceeded, Director deletes the oldest acknowledged alerts first.

To acknowledge alerts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts.
In this example, select a custom group and click Alerts.


The Alerts dialog box displays.

4. Optional. Sort or filter the alerts.


For example, you can sort alerts by oldest first by clicking twice on the Start
Time column.
5. Click on one or more alerts to acknowledge. (To select more than one alert,
hold down the Control key while clicking.)
6. Click Acknowledge.
You are required to confirm the action.


The Alerts dialog box displays the acknowledged alerts.

(Figure: icons in the Acknowledged column; one indicates an acknowledged alert,
the other an unacknowledged alert.)


7. Optional. To delete acknowledged alerts, see the next example.

Example 3: Deleting Acknowledged Alerts


You can delete acknowledged alerts to prevent them from displaying again; also,
if the 50,000 alert limit is exceeded, Director automatically deletes the oldest
acknowledged alerts first.
In the event an error condition occurs again on a device, another alert is created so
deleting acknowledged alerts has no effect on your ability to monitor devices in
the future.

To delete acknowledged alerts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts.
In this example, select a custom group and click Alerts.


The Alerts dialog box displays.

4. Filter the alerts to display only acknowledged alerts as follows:


• From the Metric list, click All.
• From the Severity list, click All.
• From the State list, click All.
• From the Status list, click Acknowledge.
• Days list: click any value, such as last 30 days.
The following figure shows an example.

5. Click Show.
The Alerts dialog box shows only acknowledged alerts.
6. Optional. Sort the alerts in order of oldest first by clicking twice on the Start
Time column.


7. Click the alerts to delete. You have the following options:


• To select all acknowledged alerts, click Select All.
• To select a range of consecutive alerts, hold down the Shift key while
clicking.
• To select more than one alert, hold down the Control key while clicking.
8. Click Delete.
You are required to confirm the deletion.

Viewing Statistics
The Manage Device page enables you to view the alerts and statistics for
individual devices. When you click the Statistics button, an instance of that
device’s ProxySG appliance Management Console Statistics tab page displays.
The Alerts tab page enables you to switch back and forth between alert and
statistics information to obtain additional details.

Note: Unlike alerts, statistics can be viewed only for individual devices.

To view device statistics:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, from the Devices pane, click the name of a device.

4. In the Description section, in the Reports pane, click Statistics.


The Manage Device window displays, with the Management Console of the
selected device in view.

5. Select statistics to view.


6. (Optional.) Click the Health field status link to navigate to the health statistics.
7. (Optional.) Click the Alerts tab to review alert information.

Note: You can make configuration changes only to devices from the Configure
tab.

Related Commands
director (config) # monitoring
    {alerts {acknowledge {alert alert_id | all | device device_id | group group_id} |
             add-comment alert alert_id comment comment |
             delete {alert alert_id | all | device device_id | group group_id} |
             unacknowledge {alert alert_id | all | device device_id | group group_id}} |
     diagnose {device-state subcommands | standby-state subcommands} |
     refresh health-state {all | device device_id | group group_id}}


Generating Performance Analysis Reports


For any device that runs SGOS 5.3 or later, custom group, Model group, or OS
Version group, you can create and optionally e-mail a report that displays the
following charts:
❐ Bandwidth savings
❐ Effective throughput
❐ Overall traffic (includes amount of data transferred, gain (expressed as a
decimal), percent reduction; and the graph displays client bandwidth, server
bandwidth, and bypassed bandwidth).
❐ By proxy—client (percentage of traffic proxied by configured proxies such as
CIFS, Endpoint Mapper, MSRPC, MAPI, FTP, HTTP, HTTP forward proxy,
SSL, TCP tunnel, and Windows Media)
❐ By proxy—server (percentage of traffic proxied by configured proxies such as
CIFS, Endpoint Mapper, MSRPC, MAPI, FTP, HTTP, HTTP forward proxy,
SSL, TCP tunnel, and Windows Media)
❐ By service—client (percentage of client traffic used by configured services)
❐ By service—server (percentage of server traffic used by configured services)
❐ Traffic analysis for active services
Performance analysis data can be displayed for the following time periods:
❐ Last hour
❐ Last day
❐ Last week
❐ Last month
❐ Last year
The scale used on the graphs can be set as follows:
❐ Bytes
❐ Kilobytes
❐ Megabytes
❐ Gigabytes

To generate performance analysis reports:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optional. To e-mail reports, you must set the e-mail options discussed in
"Setting Mail Options" on page 63.
3. In the Director Management Console, click the Monitor tab.

350
Chapter 10: Monitoring Devices

4. On the Monitor tab page, click the device or group for which you want to
generate the report.
• To generate a report for one or more devices: In the Groups pane, click the
group to which the devices belong (for example, System > All group). In the
Devices pane, click one or more devices. (To select multiple devices, hold
down the Control key while clicking.)
If you click one device, the report displays data for that device.
If you click more than one device, the report displays aggregated data for
the devices you click.
• To generate a report for a group of devices: In the Groups pane, click the
name of the group.
The report displays aggregated data for all devices in the group (except for
disconnected devices). You can click the name of any group, including
custom groups or system groups (system groups include Model and OS
Version groups).
If you click the name of a group that has no devices, the Performance
Analysis Report button is unavailable.
Note: Performance analysis reports can take a long time to generate if you
select a group with a large number of devices.

5. Click Performance Analysis Report.


The report displays in a new window.

If the report window displays an error instead of the charts, the selected
devices have not collected enough data to display in the selected time interval
and scale. To work around the problem, choose a different device or group.

The title bar of the window displays the name of the device or group for
which the report was created (in the example screen capture, the report was
created for a group named SG200).


6. The following table discusses options available with the report:

Option                          Description

Mouse-over data                 Place the mouse cursor on any peak of a line or
                                area graph (for example, Effective Throughput) to
                                display data for that peak.

Time period list                From the list, click the time period to use to
                                sample data: Last Hour, Last Day, Last Week,
                                Last Month, or Last Year.

Units list                      From the list, click the units of measure to use
                                to scale the graphs and charts in the report:
                                Bytes, Kilobytes, Megabytes, or Gigabytes.

Report check boxes              Select the check box next to each report you wish
                                to view or e-mail. Clear the check box next to
                                each report you do not wish to view or e-mail.

Text field                      Every chart or graph in the report has a text
                                field you can use to make notes about the chart
                                or graph.
                                Note: Line breaks you enter in the field are
                                removed from the report when it is generated.

Click here to preview the       Click the link to preview the report in your
report                          default Web browser. The report displays with all
                                comments and charts or graphs you selected.

Email button                    Follow the prompts on your screen to e-mail the
                                report.

Close button                    Close the report window at any time, including
                                during the time report data is being collected.


Generating Health Reports


The Health report is an experimental feature that enables you to view CPU usage
and memory usage for any device—either by itself or in a Model group, or OS
Version group. One graph displays per device.
Health data can be displayed for the following time periods:
❐ Last hour
❐ Last day
❐ Last week
❐ Last month
❐ Last year

To generate health reports:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optional. To e-mail reports, you must set the e-mail options discussed in
"Setting Mail Options" on page 63.
3. In the Director Management Console, click the Monitor tab.
4. On the Monitor tab page, click the device or group for which you want to
generate the report.
• To generate a report for one or more devices: In the Groups pane, click the
group to which the devices belong (for example, System > All group). In the
Devices pane, click one or more devices. (To select multiple devices, hold
down the Control key while clicking.)
One graph displays for each device.
• To generate a report for a group of devices: In the Groups pane, click the
name of the group.
One graph displays for each device.
5. Click Actions > Launch Health Report.
If you select a disconnected device, the Launch Health Report option is
unavailable.


6. The following table discusses options available with the report:

Option                          Description

Time period list                From the list, click the time period to use to
                                sample data: Last Hour, Last Day, Last Week,
                                Last Month, or Last Year.

Report check boxes              Select the check box next to each report you wish
                                to view or e-mail. Clear the check box next to
                                each report you do not wish to view or e-mail.

Click here to preview the       Click the link to preview the report in your
report                          default Web browser.

Email button                    Follow the prompts on your screen to e-mail the
                                report.

Close button                    Close the report window at any time, including
                                during the time report data is being collected.

Right-click a graph             If the graph lines appear to be flat:
                                1. Right-click a graph.
                                2. From the pop-up menu, click Auto Range >
                                   Both Axes.

Chapter 11: Audit Logging

Director audit logging enables you to log the actions of all administrators who
perform tasks on Director. This can be useful if you need to document Director
administrator behavior for change management auditing or troubleshooting.
Auditing enables you to do the following:
❐ Authenticate administrators using TACACS+
❐ Log all actions performed by an administrative user
❐ Log the contents of backups, profiles, overlays, configure jobs, and content
jobs
❐ Export the generated log entries to an external server using the Secure Copy
Protocol (SCP)

Important: In Director 5.3 and later, you can no longer transfer files to a server
using an insecure protocol. The external server to which files are transferred
must support the SCP protocol.

This chapter discusses the following topics:


❐ "Overview of Audit Logging"
❐ "Viewing Audit Logging Status in the Management Console" on page 360
❐ "Configuring Audit Logging" on page 362

Overview of Audit Logging


Director logs commands entered from the command line and commands
executed as the result of actions in the Management Console. If a command
returns an error, the error message is logged.
Because Director does not display success confirmation, all other commands
are assumed to have succeeded. This type of logging is referred to as event
logging. In earlier SGME releases, you had the option of transferring event logs
to a syslog server using an insecure protocol.

About Audit Logging


Beginning with SGME 5.3, Director also enables you to track the contents of the
following using audit logging:
❐ Profiles
❐ Overlays
❐ Configuration and content jobs
❐ Backups

Note: Throughout the rest of this chapter, the term content jobs is intended to
include the content jobs themselves as well as any URL list or regular
expression lists they might contain. When you create, edit, or run a job with a
URL list or regular expression list, those activities are logged in the audit log.
Audit logging enables administrators to track what tasks were performed by
commands that configured components in the preceding list. Administrators and
auditors can use event logging and audit logging together to determine what was
changed, who changed it, and when it was changed.

Comparing Event Logging and Audit Logging


The following table summarizes the two types of logging:

Logging type     What is logged

Audit logging    • The contents of a profile, the name of the user who executed
                   it, and the IP address from which the command was executed
                 • The contents of an overlay, the name of the user who executed
                   it, and the IP address from which the command was executed
                 • The contents of a device backup, the name of the user who
                   executed it, and the IP address from which the command was
                   executed

Event logging    • The name of a profile, the name of the user who executed it,
                   and the IP address from which the command was executed
                 • The name of an overlay, the name of the user who executed it,
                   and the IP address from which the command was executed
                 • The name of a device backup, the name of the user who
                   executed it, and the IP address from which the command was
                   executed


The following table summarizes the main functional differences between event
logging and audit logging:

Logging type     Function

Audit logging    • Stored in subdirectories of /local/logs/scplogs (for example,
                   the contents of backup jobs are stored in
                   /local/logs/scplogs/backups).
                 • A cron job runs every five minutes to transfer audit logs
                   from subdirectories of /local/logs/scplogs to an external
                   server using the Secure Copy Protocol (SCP), if a server is
                   configured.
                 • After the files are transferred, the logs are deleted;
                   however, if no external server is specified, no transfer
                   takes place.
                   After the contents of the audit log directory reach 1GB in
                   size, the overflow policy is enacted. The overflow policy can
                   be set to delete the oldest log files first (the default), to
                   disable commands that trigger audit logging, or to stop
                   creating new audit log files.

Event logging    • Initially stored in /var/log/messages.
                 • Every hour, a cron job transfers the /var/log/messages file
                   to the /local/logs/scplogs/messages directory.
                 • Every five minutes, a cron job transfers
                   /local/logs/scplogs/messages to an external server using
                   SCP, if an external server is configured. (The same cron job
                   transfers the audit log files as discussed in the preceding
                   row in this table.)
                 • After the event log file is transferred, it is deleted;
                   however, if no external server is specified, no transfer
                   takes place.
                   Because the event log is written continually as commands are
                   executed, the file can grow rapidly.

Examples of Audit Logging and Event Logging


Following is a sample event log entry:
Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@0.0.0.0:
Processing command: remote-config overlay new_overlay execute device
0.0.0.1
Following is an excerpt from the beginning of an audit log for a backup job:


!- Version: SGOS 5.3.0.2 Proxy Edition


!- BEGIN networking
interface 0:0 ;mode
ip-address 172.16.45.143 255.255.255.0
exit
ip-default-gateway 172.16.45.1 1 100
dns-forwarding ;mode
edit primary
clear server
add server 172.16.55.55
exit
edit alternate
clear server
exit
exit
!- END networking
<<end of excerpt>>
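The following Python script is an added example, not Director or SGOS code. It parses event-log entries in the format of the sample entry above into their fields (timestamp, facility and level, host, process and PID, user, source IP, command) and lists, per user and source address, the commands for which an auditor should expect a matching audit-log record. The line format is taken from the sample entry; the keyword list that marks a command as audit-relevant (profile, overlay, backup, job) and the extra sample lines, including their command syntax, are constructed assumptions for illustration.

```python
"""Parse Director event-log entries and list the commands that audit logging
also records.  Added example, not Director code.  The line format follows the
sample entry in this chapter; the keyword list that marks a command as
audit-relevant and the extra sample lines are constructed assumptions.
"""
import re
from collections import defaultdict

# One event-log entry, split into named fields:
#   Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@0.0.0.0: Processing command: ...
EVENT_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"<(?P<facility>[^.>]+)\.(?P<level>[^>]+)> "
    r"(?P<host>\S+) (?P<process>[^\[ ]+)\[(?P<pid>\d+)\]: "
    r"(?P<user>[^@ ]+)@(?P<source>[^: ]+): "
    r"(?P<message>.*)$"
)
COMMAND_PREFIX = "Processing command: "

# Components whose contents audit logging tracks (see "About Audit Logging");
# treating any non-show command that names one of them as audit-relevant is an assumption.
AUDITED_WORDS = frozenset(["profile", "overlay", "backup", "job"])


def parse_event_line(line):
    """Return the fields of one event-log line as a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    msg = rec["message"]
    rec["command"] = msg[len(COMMAND_PREFIX):] if msg.startswith(COMMAND_PREFIX) else None
    return rec


def is_audited_command(command):
    """True if the command changes or runs a component that audit logging records."""
    words = command.split()
    if not words or words[0] == "show":      # read-only commands leave no audit record
        return False
    return any(w in AUDITED_WORDS for w in words)


def summarize(lines):
    """Group audit-relevant commands by (user, source IP); also return unparsable lines."""
    by_actor = defaultdict(list)
    unparsed = []
    for line in lines:
        rec = parse_event_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["command"] and is_audited_command(rec["command"]):
            by_actor[(rec["user"], rec["source"])].append((rec["timestamp"], rec["command"]))
    return dict(by_actor), unparsed


# Constructed sample: the entry from this chapter plus invented follow-on lines
# (the command syntax of the invented lines is assumed, not taken from the CLI reference).
SAMPLE_LINES = [
    "Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@0.0.0.0: "
    "Processing command: remote-config overlay new_overlay execute device 0.0.0.1",
    "Jun 23 22:38:04 <cli.notice_minor> hostname cli[1287]: admin@0.0.0.0: "
    "Processing command: show logging",
    "Jun 23 22:45:10 <cli.notice_minor> hostname cli[1302]: ops@192.0.2.10: "
    "Processing command: remote-config profile baseline execute group branches",
    "Jun 23 22:46:31 <cli.notice_minor> hostname cli[1302]: ops@192.0.2.10: "
    "Processing command: remote-config backup device 0.0.0.1",
    "Jun 23 22:47:00 unrelated text that is not an event-log entry",
]

if __name__ == "__main__":
    actors, bad = summarize(SAMPLE_LINES)
    for (user, source), commands in sorted(actors.items()):
        print(f"{user}@{source}:")
        for ts, cmd in commands:
            print(f"  {ts}  {cmd}")
    print(f"{len(bad)} line(s) did not parse")
```

Each (user, source IP, timestamp, command) tuple the script prints is the "who, from where, when" half of the record; the matching file under /local/logs/scplogs supplies the "what was changed" half.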

For More Information About Logging


❐ Audit logging is discussed in this chapter
❐ Event logging is discussed in Chapter 14: "Director Logging"

Viewing Audit Logging Status in the Management Console


When you log in to the Management Console as discussed in "Connecting to
Director with the Management Console" on page 52, expand Director Status. The
audit logging status then displays as follows:

Audit policy settings

The audit logging policy can be any of the following:

❐ delete (Default.) Deletes audit log files from subdirectories of
/local/logs/scplogs, starting with the oldest files first.

❐ stop-logging Stops creating new audit log files in subdirectories of
/local/logs/scplogs once the directory uses more than 1GB.

❐ stop-processing Stops processing any commands that trigger audit logging.


If you click More, a dialog box displays more information about the audit
policy.

When the audit logging policy is set to delete and the log directory is full, an
icon in the Director Status pane indicates that the audit log directory is full.
Clicking the icon displays a status message describing the condition.

Configuring Audit Logging


To enable audit logging, you must perform all of the following tasks:
Table 11–1 Enabling auditing

Task                                      For more information

Enable TACACS+ authentication             • "Enabling TACACS+ Authentication" on
                                            page 362
                                          • Description of the tacacs-server and
                                            aaa authentication commands in
                                            Chapter 3, Configure Mode Commands,
                                            in the Blue Coat Director Command
                                            Line Interface Reference Guide

Set Director’s log level to notice_minor  "Setting the Logging Level" on page 364

Configure the external server             "Configuring the External Server" on
                                          page 364

Enabling TACACS+ Authentication


Only authenticated administrators can perform audit logging tasks. To
authenticate with Director, you can either use a TACACS+ repository or
Director’s local authentication domain. If you wish to use Director’s local
authentication domain, skip this section and continue with "Setting the Logging
Level" on page 364.
You must configure TACACS+ from the Director command line. To enable
TACACS+, you must configure TACACS+ server communication and then enable
TACACS+ user authentication.

To configure TACACS+ communication:


1. Use a Secure Shell (SSH) application to connect to Director as discussed in
"Using the Director Command Line" on page 38.
2. Log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.


6. Configure the TACACS+ server and port:


director (config)# tacacs-server host hostname port port_number

where hostname is the TACACS+ server’s fully qualified host name or IP
address and port_number is the server’s listen port.
7. Set the key for host communication:
director (config)# tacacs-server key shared_secret

where shared_secret is the shared secret configured on the TACACS+ server.
Keep it confidential: it is what protects the exchange between Director and
the server.
8. Set the communication timeout:
director (config)# tacacs-server timeout numh numm nums

where numh, numm, and nums are the number of hours, minutes, and seconds,
respectively, to wait for a response from the server.
For example, the following command sets the timeout at four hours and one
minute:
(config) # tacacs-server host hostname timeout 4h 1m 0s

To enable TACACS+ authentication:


The following command configures Director to look up the user name in
TACACS+ first and to search its local user repository (local) only if the user
is not found in TACACS+:
director (config)# aaa authentication login default tacacs+ local
User names and passwords are restricted to 16 bytes in length. If the user name
is longer than 16 bytes, the authentication or login attempt fails.


Setting the Logging Level


By default, the logging level is set to notice; however, Blue Coat recommends you
change the logging level to notice_minor because it gives you the most
information about executed commands.
To set the logging level to notice_minor, use the following commands:
❐ Local logging (event logs written on Director):
director (config)# logging local notice_minor

❐ To send logging information to an external server:


director (config)# logging trap notice_minor
See Chapter 14: "Director Logging" for more information about setting logging
levels.

Configuring the External Server


This section discusses how to set up the external server to receive Director audit
logs.
Before completing the tasks discussed in this section, you must know the user
name and password of a user on the external server that has write privileges to
the directory to which to transfer Director log files. If a user does not exist, you
must create the user before continuing.
This section discusses the following tasks required to send audit logs to an
external server using SCP:
1. View the current logging settings.
2. Specify the external server’s host name or IP address and the SCP URL to
which log files are transferred.
3. Set the overflow policy, which determines what happens when audit logs
contained in subdirectories of the /local/logs/scplogs directory use more
than 1GB of space.
4. Set the logging level.
Blue Coat recommends setting both the local logging level and the trap
logging level to notice_minor. The local logging level determines the level of
detail in event logs, and the trap logging level determines the level of detail in
audit logs.
5. Verify audit logging settings.

To prepare to transfer audit logs to an external server using SCP:


1. Connect to Director using an SSH application as discussed in "Using the
Director Command Line" on page 38.
2. View the current logging status:
director # show logging

If no server is currently configured, the following messages display:


director (config) # show logging


Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: NULL
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 22.473633 KB
Free space: 1023.978053 MB

Notice also the current logging levels:


• Console logging affects only the level of detail displayed by commands
executed in the command line or Management Console. The console
logging level does not affect logs written to the file system or transferred to
an external server.
• Local logging affects the level of detail displayed in files transferred to the
external server. In the preceding example, the current level is notice and it
needs to change to notice_minor.
The logging level for an additional type of logging—trap—must also be
configured. The trap logging level determines the level of detail in audit
logs.
These tasks are discussed in step 6.
For additional details about logging levels, see "Syslog Log Levels" on
page 422.
3. Specify the external server’s host name or IP address:
director (config)# logging ip_address_or_hostname

where ip_address_or_hostname is the external server’s fully qualified host name
or IP address.
4. Set the URL to use to transfer log files:
director (config)# logging dump-contents url url

where url is the fully qualified URL in which to store event and audit logs. url
must be in the following format:
scp://host_or_ip//path/ username username [password password]

where host_or_ip is the external server’s fully qualified host name or IP
address, path is the top-level directory in which to transfer event and audit
logs, and username and password are the user name and password of a user with
write privileges to path.
Note the following:
• path must end with a / character
• username must have sufficient privileges to write to path
• Because the password is entered on the command line, use a dedicated account
whose access is limited to path rather than the credentials of an
administrative account on the external server.
5. Set the overflow policy:
(config) # logging dump-contents overflow-policy {delete | stop-logging | stop-processing}

Sets the policy to apply when subdirectories of the /local/logs/scplogs directory
use more than 1GB of space, as one of the following:
delete (Default.) Deletes audit log files from subdirectories of
/local/logs/scplogs, starting with the oldest files first. Choose this policy
only if losing the oldest audit records is acceptable when the SCP transfer
falls behind.

stop-logging Stops creating new audit log files in subdirectories of
/local/logs/scplogs once the directory uses more than 1GB.

stop-processing Stops processing any commands that trigger audit logging, so
that no auditable change can be made without a record of it.


6. Set the local and trap log levels to notice_minor:
director (config) # logging trap notice_minor
director (config) # logging local notice_minor

7. Verify logging settings:


director (config) # show logging

An example follows. Check that Local logging level now reports notice_minor; if
it still reports notice, as in this capture, repeat step 6 and check again:
director (config) # show logging
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: 192.168.1.0
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 22.473633 KB
Free space: 1023.978053 MB

8. Continue with the next section.
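The following Python script is an added example, not Director code, that performs the verification in step 7 mechanically: it parses a show logging capture and reports which of the settings this procedure requires are still missing, and it checks a logging dump-contents url value against the format given in step 4. The two captures are the ones shown in this section; the readiness rules restate the procedure's own requirements; the free-space warning level and the "fixed" capture are assumptions.

```python
"""Check a Director `show logging` capture for the audit-logging settings this
section requires, and validate a `logging dump-contents url` value against the
documented format.  Added example, not Director code.  The captures are the
ones shown in this section; the free-space warning level is an assumption.
"""
import re


def parse_show_logging(text):
    """Turn the `Key: value` lines of a `show logging` capture into a dict.
    Lines without a colon (for example "No logging hosts configured.") become flags."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("director"):   # skip the prompt line
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
        else:
            settings[line] = True
    return settings


def audit_readiness(settings, min_free_mb=100.0):
    """Return (severity, message) findings; an empty list means export is fully set up."""
    findings = []
    if settings.get("Local logging level") != "notice_minor":
        findings.append(("fail", "local logging level is not notice_minor; run: logging local notice_minor"))
    if settings.get("SCP server", "NULL") in ("NULL", ""):
        findings.append(("fail", "no SCP server configured; audit logs are never transferred off Director"))
    if "No logging hosts configured." in settings:
        findings.append(("warn", "no logging host; event logs are not forwarded to an external host"))
    if settings.get("Auditing overflow policy") == "delete":
        findings.append(("info", "overflow policy delete discards the oldest audit logs if the SCP "
                                 "transfer falls behind; stop-processing fails closed instead"))
    m = re.match(r"([\d.]+)\s*(KB|MB|GB)$", settings.get("Free space", ""))
    if m:
        free_mb = float(m.group(1)) * {"KB": 1 / 1024, "MB": 1, "GB": 1024}[m.group(2)]
        if free_mb < min_free_mb:     # warning level is an assumption
            findings.append(("warn", f"only {free_mb:.1f} MB free in /local/logs/scplogs"))
    return findings


# scp://host_or_ip//path/ username username [password password]
DUMP_URL_RE = re.compile(
    r"^scp://(?P<host>[^/\s]+)//(?P<path>\S+) username (?P<user>\S+)(?: password (?P<password>\S+))?$"
)


def validate_dump_url(url):
    """Return (ok, problems) for a `logging dump-contents url` value."""
    m = DUMP_URL_RE.match(url.strip())
    if m is None:
        return False, ["expected scp://host//path/ username NAME [password SECRET]"]
    problems = []
    if not m.group("path").endswith("/"):
        problems.append("path must end with /")
    return not problems, problems


# Captures from this section: before configuration, and after steps 3 to 6.
BEFORE = """\
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: NULL
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 22.473633 KB
Free space: 1023.978053 MB
"""
AFTER = BEFORE.replace("SCP server: NULL", "SCP server: 192.168.1.0")

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for severity, msg in audit_readiness(parse_show_logging(capture)):
            print(f"  [{severity}] {msg}")
    print(validate_dump_url("scp://logs.example.com//var/director/logs/ username dirlog password s3cret"))
```

Run against the "after" capture, the check still fails on the local logging level, which is exactly the condition to look for before continuing.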

Using Related Audit Logging Commands


This section summarizes other commands related to audit logging.

Setting Up Access Lists


By default, Director allows all IP traffic. If you use an access list to restrict
the hosts and protocols Director communicates with, you must add an entry that
permits the SCP (SSH) connection to the external server; otherwise the log
transfer fails. Perform this task only if you have a restrictive communication
policy.
For more information, see the description of the access-list command in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director Command
Line Interface Reference Guide.


Manually Clearing Audit Log Files


Optionally clear the contents of /local/logs/scplogs subdirectories:
(config) # logging dump-contents clear

Note: Use this command only after you transfer audit logs to the external
server.

Undoing Audit Logging Settings


To undo the setting for the remote server directory:
director (config) # no logging dump-contents

Commands Related to Audit Logging


(config) # logging hostname_or_ip_address
(config) # logging dump-contents {clear | overflow-policy {delete |
stop-logging | stop-processing} | url scp_server_url}
(config) # logging trap {emerg | alert | crit | err | warning | notice
| notice_minor}
(config) # logging local {warning | notice | notice_minor}

Chapter 12: Monitoring the Health of Devices

This chapter describes the Director health monitoring feature. The health
monitoring feature enables you to use Director to remotely monitor your
ProxySG appliances. By monitoring key hardware and software metrics,
Director provides administrators with a remote view of the health of the
ProxySG appliance.
This chapter also describes how to configure Director to send traps to a remote
management station when a monitored device fails or comes back online.
This chapter discusses the following topics:
❐ "About Health Monitoring" on page 369
❐ "Device Health Monitoring Requirements" on page 370
❐ "About the Health Monitoring Metrics" on page 370
❐ "About Device Polling" on page 371
❐ "Health Monitoring Example" on page 371
❐ "About the Health Monitoring Device States" on page 373
❐ "About Health Monitoring Notification" on page 376
❐ "Changing Threshold and Notification Properties" on page 378
❐ "Getting A Quick View of ProxySG Appliance Health" on page 381
❐ "Viewing Health Monitoring Statistics" on page 381
❐ "Remotely Notifying Management Stations of Device Changes" on page 383
❐ "Troubleshooting" on page 385

About Health Monitoring


The health monitoring feature enables Director (and other third-party network
management tools) to remotely display the current state of all ProxySG
appliances monitored by it. By monitoring key hardware and software metrics,
Director can display a variety of health-related statistics—and trigger
notification if action is required.


Device Health Monitoring Requirements


Before using the health monitoring feature, you should ensure that the e-mail
addresses of all persons that should be notified of health monitoring alerts are
listed in the Event log properties of the ProxySG appliance.

Note: SGME 5.1.4.x and later ignores SNMP traps sent to it by ProxySG
appliances.

If you want to configure e-mail notification for individual alert types, the
notification settings for the alert must be set on each ProxySG appliance. To set
notification properties for specific alerts on multiple devices, create a profile or
overlay that contains the settings you want and then apply the settings to your
devices. See for more information.

About the Health Monitoring Metrics


Health Monitoring allows you to set notification thresholds on various internal
metrics that track the health of a monitored system or device. Each metric has a
value and a state.
The value is obtained by periodically measuring the monitored system or device.
In some cases, the value is a percentage or a temperature measurement; in other
cases, it is a status like "Disk Present" or "Awaiting Approval".
The state indicates the severity of the metric as a health issue:
❐ OK—The monitored system or device is behaving normally.
❐ WARNING—The monitored system or device is outside typical operating
parameters and may require attention.
❐ CRITICAL—The monitored system or device is either failing, or is far outside
normal parameters, and requires immediate attention.
The current state of a metric is determined by the relationship between the value
and its monitoring thresholds. The Warning and Critical states have thresholds,
and each threshold has a corresponding interval.
All metrics begin in the OK state. If the value crosses the Warning threshold and
remains there for the threshold's specified interval, the metric transitions to the
Warning state. Similarly, if the Critical threshold is exceeded for the specified
interval, the metric transitions to the Critical state. Later (for example, if the
problem is resolved), the value may drop back down below the Warning
threshold. If the value stays below the Warning threshold longer than the
specified interval, the state returns to OK.
Every time the state changes, a notification occurs. If the value fluctuates above
and below a threshold, no state change occurs until the value stays above or
below the threshold for the specified interval.
This behavior helps to ensure that unwarranted notifications are avoided when
values vary widely without having any definite trend. You can experiment with
the thresholds and intervals until you are comfortable with the sensitivity of the
notification settings.


About Device Polling


Starting with SGME 5.1.4, Director no longer uses SNMP traps to determine if the
ProxySG appliance health state has changed. To ensure that the appliance state is
accurately displayed, Director polls all managed devices approximately every
minute to determine if the system-resource-metrics XML data has changed since
the last polling. Director retrieves the updated system-resource-metrics XML
only when a device state has changed, thus reducing the bandwidth load on the
network.

Note: You can initiate an immediate device poll by clicking Refresh in the Health
field of the Monitor tab Description pane. For more information, see
"About the Health Monitoring Device States" on page 373.

Polling can be slower for ProxySG appliances running SGOS releases earlier than
SGOS 5.1.4 or SGOS 4.2.4 because the entire system-resource-metrics XML is
fetched every minute, not just when a change has occurred. To make polling as
quick as possible, Blue Coat recommends that you upgrade your devices to SGOS
5.1.4.x or later or SGOS 4.2.4 or later.

Health Monitoring Example


The following figure shows an example. The lower horizontal line represents the
Warning threshold; the upper horizontal line is the Critical threshold. Note how
they divide the graph into bands associated with each of the three possible states.
Assume both thresholds have intervals of 20 seconds, and that the metric is
currently in the OK state.
1. At time 0, the monitored value crosses the Warning threshold. No transition
occurs yet. Later, at time 10, it crosses the Critical threshold. Still, no state
change occurs, because the threshold interval has not elapsed.
2. At time 20, the value has been above the Warning threshold for 20 seconds,
the specified interval. The state of the metric now changes to Warning, and a
notification is sent. Note that even though the value is currently in the Critical
band, the state is still Warning, because the value has not exceeded the
Critical threshold long enough to trigger a transition to Critical.
3. At time 25, the value drops below the Critical threshold, having been above it
for only 15 seconds. The state remains at Warning.
4. At time 30, it drops below the Warning threshold. Again the state does not
change. If the value remains below the Warning threshold until time 50, then
the state will change back to OK.


[Figure: line graph of the metric value against time (0 to 60 seconds), with the
Warning and Critical threshold lines dividing it into OK, Warning, and Critical
bands; after 20 seconds above the Warning threshold a Warning notification is
sent.]

Figure 12–1 Relationship between the threshold value and threshold interval

About License Expiration Metrics


The threshold values for license expiration metrics are set in days until expiration.
In this context, a critical threshold indicates that license expiration is imminent.
This is the only configurable metric in which the Critical threshold value should
be smaller than the Warning threshold value. For example, if you set the Warning
threshold to 45, an alert is sent when there are 45 days remaining in the license
period. The Critical threshold would be less than 45 days, for example 5 days.
For the license expiration metrics, the threshold interval is irrelevant and is set by
default to 0. You should set the Warning Threshold to a value that will give you
ample time to renew your license. By default, all license expiration metrics have a
Warning Threshold of 30 days. By default, the Critical Threshold is configured to
0, which means that a trap is immediately sent upon license expiration.
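The threshold and interval behaviour described in "Health Monitoring Example" and the inverted license-expiration case described above, implemented as an added Python example (not Director or SGOS code). Assumed, because the page does not say: samples arrive as (time, value) pairs, a fall from Critical back to Warning uses the Critical threshold's interval, and a value exactly on a threshold counts as having crossed it. The CPU timeline reproduces Figure 12-1 with constructed values (thresholds 60 and 80, both intervals 20 seconds, one sample every 5 seconds); the license metric uses the default 30-day and 0-day thresholds with interval 0.

```python
"""Threshold/interval state machine for one health-monitoring metric.
Added example modelling the behaviour described in this chapter; not Director
or SGOS code.  Assumptions: (time, value) samples, a Critical -> Warning drop
uses the Critical interval, and comparisons are inclusive.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OK, WARNING, CRITICAL = "OK", "WARNING", "CRITICAL"


@dataclass
class Metric:
    """One monitored metric with Warning/Critical thresholds and intervals."""
    name: str
    warning: float
    critical: float
    warning_interval: float       # seconds the value must stay past the Warning threshold
    critical_interval: float      # seconds the value must stay past the Critical threshold
    lower_is_worse: bool = False  # True for license expiration (days remaining)
    state: str = OK
    notifications: List[Tuple[float, str]] = field(default_factory=list)
    # Start time of each condition holding continuously; None when it does not hold.
    _past_warn: Optional[float] = field(default=None, init=False, repr=False)
    _past_crit: Optional[float] = field(default=None, init=False, repr=False)
    _under_warn: Optional[float] = field(default=None, init=False, repr=False)
    _under_crit: Optional[float] = field(default=None, init=False, repr=False)

    def _past(self, value, threshold):
        """Has the value crossed the threshold in the unhealthy direction?"""
        return value <= threshold if self.lower_is_worse else value >= threshold

    @staticmethod
    def _track(since, now, holds):
        """Keep the start time while the condition holds; reset it when it stops."""
        if not holds:
            return None
        return now if since is None else since

    @staticmethod
    def _held(since, now, interval):
        return since is not None and now - since >= interval

    def update(self, now, value):
        """Feed one sample; return the new state if it changed, else None."""
        past_warn, past_crit = self._past(value, self.warning), self._past(value, self.critical)
        self._past_warn = self._track(self._past_warn, now, past_warn)
        self._past_crit = self._track(self._past_crit, now, past_crit)
        self._under_warn = self._track(self._under_warn, now, not past_warn)
        self._under_crit = self._track(self._under_crit, now, not past_crit)

        new_state = None
        if self.state != CRITICAL and self._held(self._past_crit, now, self.critical_interval):
            new_state = CRITICAL
        elif self.state == OK and self._held(self._past_warn, now, self.warning_interval):
            new_state = WARNING
        elif self.state != OK and self._held(self._under_warn, now, self.warning_interval):
            new_state = OK
        elif self.state == CRITICAL and self._held(self._under_crit, now, self.critical_interval):
            new_state = WARNING   # assumption: Critical -> Warning uses the Critical interval
        if new_state is not None:
            self.state = new_state
            self.notifications.append((now, new_state))   # every state change notifies
        return new_state


def replay(metric, samples):
    """Feed (time, value) samples; return the (time, new_state) notifications sent."""
    for t, v in samples:
        metric.update(t, v)
    return list(metric.notifications)


# Constructed timeline reproducing Figure 12-1: Warning 60, Critical 80, intervals 20 s.
CPU_TIMELINE = [(0, 65), (5, 68), (10, 85), (15, 88), (20, 86), (25, 75),
                (30, 50), (35, 48), (40, 47), (45, 46), (50, 45), (55, 44), (60, 43)]


def figure_12_1():
    m = Metric("CPU Utilization", warning=60, critical=80,
               warning_interval=20, critical_interval=20)
    return replay(m, CPU_TIMELINE)


def license_expiry():
    # Days remaining: Critical (0) is below Warning (30) and intervals are 0.
    m = Metric("License Expiration", warning=30, critical=0,
               warning_interval=0, critical_interval=0, lower_is_worse=True)
    return replay(m, [(0, 45), (1, 29), (2, 10), (3, 0), (4, 0)])


if __name__ == "__main__":
    print(figure_12_1())     # [(20, 'WARNING'), (50, 'OK')]
    print(license_expiry())  # [(1, 'WARNING'), (3, 'CRITICAL')]
```

The per-condition start times are reset whenever a sample falls back across a threshold, which is what suppresses notifications for a value that oscillates around a threshold without settling; a value that jumps straight past both thresholds and stays there goes directly to Critical once the Critical interval elapses.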


About the Health Monitoring Device States


The following table describes the possible health monitoring device states and
provides a corresponding description.

Note: You can configure Director to send end device status updates to a third-
party management station. See "Remotely Notifying Management Stations of
Device Changes" on page 383 for more information.

Table 12–1 Device states and descriptions

Device State    Description

OK              The ProxySG appliance is functioning normally. When this trap is
                sent, it indicates that the ProxySG appliance is again functioning
                normally. All prior conditions that caused it to be in another
                state have ceased.

Warning         The ProxySG appliance has one or more events that are causing it
                to be in a Warning state. Note that if additional warning-level
                event(s) occur, they do not cause additional traps (however, a new
                critical-level event would generate a Critical trap).

Critical        The ProxySG appliance has one or more events that are causing it
                to be in a Critical state. Note that if additional event(s) occur,
                they do not cause additional traps (unless such events cause the
                appliance to move from state Warning to state Critical).

Connected       The ProxySG appliance is reachable from Director. This is the
                normal state of ProxySG appliances that do not support the Health
                Monitoring XML. SGOS versions earlier than 4.2.3.9 do not support
                the Health Monitoring XML.

Disconnected    The ProxySG appliance is no longer reachable from Director.

About the General Metrics


The following table lists the metrics displayed in the Maintenance > Health
Monitoring > General tab page. The thresholds for these metrics are user-
configurable. See "About Health Monitoring" on page 369 for information about
thresholds and alert notification.
All threshold intervals are in seconds.

Table 12–2 General Health Monitoring Metrics

Metric                  Units        Default thresholds/intervals   Notes

CPU Utilization         Percentage   Critical: 95% / 120 seconds    Measures the value of CPU 0 on
                                     Warning: 80% / 120 seconds     multi-processor systems, not the
                                                                    average of all CPU activity.

Memory Pressure         Percentage   Critical: 95% / 120 seconds    Memory pressure occurs when
(referred to as Memory               Warning: 90% / 120 seconds     memory resources become limited,
Utilization in SGOS 5.3.x)                                          causing new connections to be
                                                                    delayed.

Interface Utilization   Percentage   Critical: 90% / 120 seconds    Measures the traffic (in and out)
                                     Warning: 60% / 120 seconds     on the interface to determine if
                                                                    it is approaching the bandwidth
                                                                    maximum.

About the Licensing Metrics

The following table lists the metrics displayed in the Maintenance > Health
Monitoring > Licensing tab page. You can monitor User License utilization
metrics and the following license expiration metrics:
❐ SGOS Base License: Licenses not listed here are part of the SGOS base license.
❐ SSL Proxy
❐ SG Client and ProxyClient
See "About the Licensing Metrics" on page 374 for information about licensing
thresholds.

License Utilization (Percentage)
  Default thresholds/intervals: Critical 100%/0; Warning 90%/0
  Notes: For licenses that have user limits, monitors the number of users.

License Expiration (Days)
  Default thresholds/intervals: Critical 0 days/0; Warning 30 days/0
  Notes: Warns of impending license expiration. For license expiration metrics,
  intervals are ignored. See "About the Licensing Metrics" on page 374 for
  more information.


About the Status Metrics

The following table lists the metrics displayed in the Maintenance > Health
Monitoring > Status page. The thresholds for these metrics are not
user-configurable.

Metric                        Threshold States and Corresponding Values

Disk status                   Critical: Bad
                              Warning: Removed, Offline
                              OK: Not Present, Present

Temperature                   Critical: High-critical
(Bus temperature,             Warning: High-warning
CPU temperature)

Fan                           Critical: Low-critical
(The fan metric differs by    Warning: Low-warning
hardware model; for example,
CPU fan, chassis fan)

Voltage                       Critical: Critical, High-critical, Low-critical
(Bus voltage, CPU voltage,    Warning: High-warning, Low-warning
Power Supply voltage)

ADN Connection Status         OK: Connected, Connecting, Connection Approved,
                              Disabled, Not Operational
                              Warning: Approval Pending, Mismatching Approval
                              Status, Partially Connected
                              Critical: Not Connected, Connection Rejected
                              See Advanced Networking for more information
                              about the ADN metrics.

ADN Manager Status            OK: No Approvals Pending, Not Applicable
                              Warning: Approvals Pending

About Health Monitoring Notification

By default, Director polls the ProxySG appliances to determine their current
state. If the state has changed, Director updates the device status. Other types of
notification are also available. Any or all of the following types of notification can
be set:
❐ SNMP trap
Sends an SNMP trap to all configured management stations.
❐ E-mail
Sends e-mail to all persons listed in the event log properties on the device.
❐ Log
Inserts an entry into the event log on the device.


Viewing a Device’s Health Monitoring Metrics

Using Director, you can view the overall health of a device and specifics about the
state of its hardware, environmentals, and system resources.
See "About the General Metrics" on page 373 and "About the Status Metrics" on
page 375 for a description of these metrics.

To view a device’s health monitoring metrics:

1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, in the Group pane, click the name of the group that
contains the device.
The list of group members displays in the Devices pane.
4. In the Devices pane, click the name of the device whose status you want to
view.
The health statistics display in the Description pane, as shown in the
following figure.

Figure 12–2 Displaying health statistics.

5. Review the current state of each metric.
The icon next to each health statistic indicates the current state of the metric:
green indicates OK, gold indicates Warning, and red indicates Critical.

Note: To avoid losing one hour’s worth of alerts when the ProxySG clock is set
back at the end of daylight saving time, manually refresh the health statistics
after the ProxySG clock is reset.

6. (Optional) Click Refresh to update the health statistics.
Clicking Refresh initiates an immediate polling of the selected device.

Changing Threshold and Notification Properties

The health monitoring threshold and notification properties are set by default.
Use the following procedure to modify the current settings.

To change the ProxySG threshold and notification properties:

1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, right-click the device to configure.
4. From the pop-up menu, click Configure.
The Manage Device window displays.
5. In the Manage Device window, click Maintenance > Health Monitoring.
6. Do any of the following:
• To change the system resource metrics, click the General tab.
• To change the hardware/environmental metrics, click the Status tab.

Note: You cannot change the threshold values for metrics on the Status
tab page.

• To change the licensing metrics, click the Licensing tab.
7. Click the name of the metric to modify.
8. Click Edit to modify the threshold and notification settings.
The Edit Metric dialog box displays. (Sensor thresholds cannot be modified.)
9. Modify the threshold values.
10. Modify any of the following notification settings:
• Log adds an entry to the event log.
• Trap sends an SNMP trap to all configured management stations.
• Email sends an e-mail to the addresses listed in the event log properties.
11. In the Edit Metric dialog box, click OK.
12. Click Apply.

Related ProxySG Commands to Modify Threshold and Notification Properties

#(config) alert threshold metric_name warning_threshold warning_interval critical_threshold critical_interval
#(config) alert notification metric_name notification_method


Getting A Quick View of ProxySG Appliance Health

The Management Console uses the health monitoring metrics to display a visual
representation of the overall health state of the ProxySG. The health icon is
located in the upper right corner of the SGOS Management Console and is always
visible.
The health icon is also displayed in the Director Management Console Monitor and
Configure tabs (for a device or group). When you highlight a device in the Monitor
page and click Statistics, the icon is displayed at the top left corner of the Manage
Device dialog.
System health is determined by calculating the aggregate health status of the
following metrics:
❐ CPU Utilization
❐ Memory Pressure (referred to as Memory Utilization in SGOS version 5.3.x)
❐ Network interface utilization
❐ Disk status (for all disks)
❐ License expiration
❐ License user count usage (when applicable)
❐ Sensor values (for all sensors)
The possible ProxySG appliance health states are OK, Warning, or Critical.
Clicking the health icon displays the ProxySG appliance Statistics > Health page,
which lists the current condition of the system’s health monitoring metrics, as
described in the next section.

Viewing Health Monitoring Statistics

While the health icon presents a quick view of ProxySG health, the Statistics >
Health page enables you to get more details about the current state of the ProxySG
health monitoring metrics.

To review the health monitoring statistics:

1. Navigate to the Configure tab page in the Director Management Console.
2. Select the device to configure.
3. Click Configure Device.
The Manage Device window displays.
4. In the Manage Device window, click Statistics > Health Monitoring.
5. Click one of the following tabs:
• General: Displays the current state of CPU utilization, memory utilization,
and interface utilization.
• Licenses: Displays the current state of license utilization and expiration
metrics.
• Status: Displays the current state of disks, motherboard, CPU, ADN
connection status, ADN manager status, and health check status.
6. For more information, click an item and click View.
The View Metrics Detail dialog box displays.
7. (Optional) To modify a metric, click its name and click Set Thresholds.
To modify the metric, see "Changing Threshold and Notification Properties"
on page 378.

Related ProxySG Command to View Health Monitoring Statistics

SGOS#(config) show system-resource-metrics

The show system-resource-metrics command lists the state of the current system
resource metrics.
Sensor notification varies by ProxySG platform. If you try to set notification for a
sensor that does not support notification, you will see the following error
message:
Sensor not supported on this platform
Depending on the ProxySG platform, the sensor metrics displayed by the show
system-resource-metrics command might differ from the sensor names listed in
the alert command output. For example, the bus-temperature sensor can be
shown as motherboard temperature in the show system-resource-metrics
output. If you are setting notification from the Management Console, you can
verify the sensor category by clicking the Preview button to view the CLI output.

Remotely Notifying Management Stations of Device Changes

Though Director displays the status of all managed devices, it can be helpful to
configure Director to send status updates to a third-party management station
like HP OpenView.
While you can configure your ProxySG appliances to send SNMP notifications
directly to the management station, there is no guarantee that such a notification
would be sent if the ProxySG appliance is failing or is unreachable because a
router between the data center and that appliance has failed.
Instead, Director can be used to send such notifications, since it polls the state of
each managed ProxySG appliance every minute. When you enable this feature,
Director sends a notification to all configured hosts whenever a ProxySG
appliance state change is detected. Only one notification is sent when a device
enters a new state. The notifications correspond to the following health
monitoring states:
❐ Ok
❐ Warning
❐ Critical
❐ Connected
❐ Disconnected
These health monitoring states are described in Table 12–1 on page 373.
Additionally, a single notification is sent if either of the following events occurs
(these events are always initiated by an administrator):
❐ [ProxySG] Added
An administrator has added the ProxySG appliance to Director's list of known
devices.
❐ [ProxySG] Deleted
An administrator has deleted the ProxySG appliance from Director's list of
known devices.

Note: Blue Coat provides a MIB defining the ProxySG appliance state-change
notifications. The MIB is written in SMI v2 and matches all of the SNMP v2c
notifications sent by Director. Director also supports the sending of SNMP v1
traps, but no SMI v1 MIB is provided (many converters are available on the
Internet). Blue Coat recommends using SNMP v2c notifications rather than SNMP
v1 traps.


To enable Director to send SNMP notifications for ProxySG appliance state
changes:

Note: The snmp-server enable traps command does not need to be executed to
enable the ProxySG appliance state notification feature. However, you must
enable the notifications as described in the following procedure.

1. Enter the following command to specify the remote management station as an
SNMP trap recipient:
director (config) # snmp-server host hostname inform community string
2. Enter the following command to specify the SNMP trap version:
director (config) # snmp-server host hostname traps version 1|2c community string
3. Enter the following command to enable all device state SNMP notifications:
director (config) # snmp-server traps device-state all enable
The device-state notifications can also be enabled individually:
❐ device-state added
❐ device-state deleted
❐ device-state connected
❐ device-state disconnected
❐ device-state ok
❐ device-state warning
❐ device-state critical
❐ device-state auto-registered
❐ device-state auto-registered-failed
For example:
director (config) # snmp-server traps device-state connected enable

Verifying SNMP Trap Receipt

To verify that your network and management station are properly configured to
receive device-state SNMP notifications from Director, use the monitoring
diagnose device-state subcommands. These commands force Director to send
the specified SNMP notification.
The following table shows the list of subcommands and the SNMP trap to which
they correspond:

Subcommand               SNMP trap
added                    device-state-added
auto-registered          device-state-auto-registered
auto-registered-failed   device-state-auto-registered-failed
connected                device-state-connected
critical                 device-state-critical
deleted                  device-state-deleted
disconnected             device-state-disconnected
ok                       device-state-ok
warning                  device-state-warning

For example, if you enter the following command:
director (config) # monitoring diagnose device-state critical
the following trap is sent to your SNMP server:
device-state-critical
When these diagnostic traps are sent, the varbinds in the body of the trap have the
following fixed values (the values cannot be specified or overwritten):
sgHostname = "0.0.0.0"
sgSerialNumber = "0000000000"
sgDeviceId = "test-SG-id"
sgDeviceName = "test-SG-name"
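To confirm that the diagnostic trap actually arrives at the management station and carries the fixed varbinds listed above, the receiver has to decode an SNMPv2c trap PDU. The following Python is an added example, not code from this guide or from Blue Coat; it implements just enough BER to decode an SNMPv2c trap and match the four fixed values. The object identifiers under 1.3.6.1.4.1.99999 are placeholders for sgHostname, sgSerialNumber, sgDeviceId, sgDeviceName and the device-state-critical notification, whose real identifiers come from the Blue Coat MIB and must be substituted; the encoder exists only to construct a sample message so the example runs offline. The two standard varbinds (sysUpTime and snmpTrapOID) are as defined for SNMPv2 traps.

```python
"""Decode an SNMPv2c trap and check the fixed varbinds of Director's
'monitoring diagnose device-state' test notification (added example, not Blue
Coat code). OIDs under 1.3.6.1.4.1.99999 are placeholders for the Blue Coat
MIB objects; the encoder only builds a constructed sample so this runs offline."""
import socket

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # standard first varbind of a v2c trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # standard second varbind (trap identity)

# Placeholder arcs, NOT the real Blue Coat MIB assignments.
DEVICE_STATE_CRITICAL = "1.3.6.1.4.1.99999.2.7"
SG_HOSTNAME, SG_SERIAL = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"
SG_DEVICE_ID, SG_DEVICE_NAME = "1.3.6.1.4.1.99999.1.3", "1.3.6.1.4.1.99999.1.4"

# Fixed values the guide documents for the diagnostic trap.
DIAGNOSTIC_VARBINDS = {SG_HOSTNAME: "0.0.0.0", SG_SERIAL: "0000000000",
                       SG_DEVICE_ID: "test-SG-id", SG_DEVICE_NAME: "test-SG-name"}


# ---- minimal BER encoder (only what a v2c trap needs) ------------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(size)]) + size + body

def _int_bytes(v):
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):   # minimal two's complement
        n += 1
    return v.to_bytes(n, "big", signed=True)

def _enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                                          # base-128, high bit = more
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_v2c_trap(community, trap_oid, uptime_ticks, varbinds, request_id=1):
    pairs = [(SYS_UPTIME, _tlv(0x43, _int_bytes(uptime_ticks))),  # TimeTicks
             (SNMP_TRAP_OID, _enc_oid(trap_oid))]
    pairs += [(oid, _tlv(0x04, val.encode())) for oid, val in varbinds.items()]
    vb_list = _tlv(0x30, b"".join(_tlv(0x30, _enc_oid(o) + v) for o, v in pairs))
    pdu = _tlv(0xA7, _tlv(0x02, _int_bytes(request_id)) + _tlv(0x02, b"\x00") * 2 + vb_list)
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community.encode()) + pdu)


# ---- decoder -----------------------------------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _dec_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):        # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return body.decode("utf-8", "replace")
    if tag == 0x06:
        return _dec_oid(body)
    return body.hex()                            # anything else as raw hex

def decode_v2c_trap(msg):
    """Return {'community', 'trap_oid', 'varbinds'} or raise ValueError."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if version != b"\x01" or pdu_tag != 0xA7:    # version 1 on the wire == SNMPv2c
        raise ValueError("not an SNMPv2c trap")
    pos = 0
    for _ in range(3):                           # skip request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid, off = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, off)
        varbinds[_dec_oid(oid)] = _dec_value(vtag, vbody)
    return {"community": community.decode("utf-8", "replace"),
            "trap_oid": varbinds.get(SNMP_TRAP_OID), "varbinds": varbinds}

def is_diagnostic_trap(decoded):
    """True only when all four fixed test values documented for the diagnostic trap are present."""
    return all(decoded["varbinds"].get(o) == v for o, v in DIAGNOSTIC_VARBINDS.items())

def build_sample_trap():
    """Constructed stand-in for the trap sent after 'monitoring diagnose device-state critical'."""
    return encode_v2c_trap("public", DEVICE_STATE_CRITICAL, 12345, DIAGNOSTIC_VARBINDS)

if __name__ == "__main__":                       # live receiver; port 162 needs privileges
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 162))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        trap = decode_v2c_trap(data)
        print(src, trap["trap_oid"], "DIAGNOSTIC" if is_diagnostic_trap(trap) else "", trap["varbinds"])
```

Run as a script on the management station while issuing monitoring diagnose device-state critical on Director; a line marked DIAGNOSTIC with the four fixed values confirms the path end to end, while a trap from a real appliance carries its own hostname and serial number and so is not marked. The decoder rejects SNMPv1 traps (different PDU tag and version), which is one reason the guide recommends the SNMP v2c notifications.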

Troubleshooting

If you continue to receive alerts, contact Blue Coat Support. For licensing
questions, contact Blue Coat Support Services. It is helpful to obtain a packet
capture for CPU, memory pressure (referred to as memory utilization in SGOS
5.3.x), and network interface issues before calling Support.

Table 12–3 Customer support and support services contact information

Blue Coat Customer Support    1.866.36.BCOAT (toll free in the United States)
                              E-mail: support@bluecoat.com
                              http://www.bluecoat.com/support/contactsupport
Blue Coat Support Services    http://www.bluecoat.com/support/supportpolicies

Chapter 13: Configuring Director Redundancy

Director standby minimizes service disruptions caused by a network outage,
disaster, or Director failure. When a standby is deployed, the Director
configuration is mirrored to a second Director whose only function is to take
over for the first Director if a failure occurs.
The takeover is not automatic; an administrator must manually instruct the
standby Director (called the secondary) to take over the functions of the primary
Director. All configuration of the Director standby feature is performed from
the command line.
This chapter discusses the following topics:
❐ "Section A: Requirements and Terminology" on page 388
❐ "Section B: Detailed Standby Concepts" on page 392
❐ "Section C: Implementation Details" on page 396
❐ "Section D: Scenario: Implementing a Director Standby Pair" on page 401
❐ "Section E: SNMP Notifications for Director Standby" on page 412


Section A: Requirements and Terminology

This section describes Director standby requirements and terminology.

Requirements
To implement Director standby, you must have the following:
❐ Two Director 510 appliances

Important: The Director 510 appliances must be running the same version of
SGME.

❐ A unique IP address for each Director appliance
❐ Approximate synchronization (ten seconds or less) of the two Directors'
clocks.
One method of clock synchronization is to use NTP on both Directors.
Clock synchronization is important because if an administrator makes the
secondary active (see "Active" on page 390), jobs that were not started on
the primary Director need to start at the right time on the secondary
Director. Since it is difficult to achieve exact clock synchronization, having
the secondary Director lag behind slightly is preferred.
❐ One or more administrators with read/write privileges
❐ If there are firewalls between the primary and secondary Directors, TCP
and UDP port 873 must be open for communication to succeed
❐ A remote SNMP management station; for example, HP OpenView
The management station is required to monitor the state of the Directors.
Without a management station, you will not be able to determine if one of
the Directors has failed. The SNMP management station:
• Receives SNMP notifications from the standby pair.
• Periodically polls the Directors to ensure they are online.
See "Remotely Notifying Management Stations of Device Changes" on page
383 for more information.


Terminology
Before reading further, you should familiarize yourself with the following terms.

Standby Pair
Two Director 510 appliances, one configured as a primary Director and one
configured as a secondary Director. The pair works together to achieve
redundancy.

Partner
The corresponding Director in the standby pair. The primary Director’s partner is
the secondary Director and the secondary Director’s partner is the primary
Director.

Primary Director
A Director identity. The primary Director is the device in the standby pair that
normally performs all day-to-day Director operations. All changes on the primary
Director are propagated to the secondary Director by means of the rsync utility
using a remote SSH shell.
The primary Director remotely executes shell commands on the secondary
Director to verify connectivity. The default state of the primary Director is active,
which means that it is able to perform monitoring and configuration operations.
The primary Director is the only device that can do any of the following:
❐ Initiate syncs. The secondary Director is only a passive rsync client.
❐ Connect to the secondary Director to obtain connectivity status. The
secondary Director does not initiate such checks, but it does report if it has not
been queried by the primary Director.

Secondary Director
A Director identity. The secondary Director is the device in the standby pair
whose only purpose is to take over for the primary Director when a failure occurs.
The normal state of the secondary Director is reserve, which means that it cannot
perform any monitoring or configuration operations and will not accept
Management Console connections.
Only if the administrator manually configures the secondary Director to be active
does the secondary Director perform all functions previously performed by the
primary Director.
When you execute the make-secondary command, the Director reboots. To access
the secondary Director, you must log in with the standbyuser username.


Sync
The process of copying all changes from one Director to its partner. This includes
changes made by administrators as well as changes to the event database and job
status. The possible sync statuses are in-sync, syncing, and retrying sync. For
more information about sync status, see "Viewing the State of the Primary or
Secondary Director" on page 398.

Standalone Director
A Director appliance that is not participating in a standby pair and therefore has
no standby identity. A standalone Director cannot participate in a standby pair
until an administrator changes its identity to primary or secondary. In other
words, unless you configure a Director appliance to be either a primary or
secondary, that Director is standalone.
Executing the make-standalone command on a primary or secondary Director
takes it out of the standby pair. Note that in this chapter, a primary or secondary
Director that has been made standalone is still referred to by its previous identity;
that is, “primary” or “secondary.”
When you execute the make-standalone command, Director reboots.

Active
The name of a Director appliance state that allows it to configure and monitor
devices. You use the active Director for all Director tasks, including remote
administration using overlays and profiles, job creation and execution, health
monitoring, and backup and restore.
The normal state of the primary Director is active.

Reserve
The name of a secondary Director appliance state that indicates it is standing by in
the event the primary Director fails.
In the reserve state, the Director is essentially an rsync client. If the primary
Director fails, the administrator must change the secondary Director’s state to
active so it can resume service.
Absent any failures, the normal state of the secondary Director is reserve.

Inactive
The name of a primary Director appliance state that indicates the secondary
Director has become active. For example, if, while the primary Director was
powered off, the secondary was made active, the primary Director changes to the
inactive state after it reboots. Transitioning to inactive prevents simultaneous
changes to both Directors’ configurations.
If the primary and secondary Directors have different configurations, those
changes cannot be merged and you must discard the changes from one of those
configurations.


About the Standby Pair State

This section describes the primary and secondary Director states.

Primary Director States

The primary Director can be in the states described in the following table.

Primary Director state   Description
Active                   The state of the Director performing all configuration
                         and monitoring operations.
Inactive                 The primary Director assumes this state when the
                         secondary has been made active.
Standalone               Not part of a standby pair.

Secondary Director States

The secondary Director can be in the states described in the following table.

Standby Director state   Description
Reserve                  The secondary Director state when the primary
                         Director is active.
Active                   The state of the Director performing all configuration
                         and monitoring operations.
Standalone               Not part of a standby pair.

If a Director goes offline for any reason, it resumes its prior state when it comes
back online. For example, if the primary Director was active when it went offline,
it is still active when it comes back online. (It is possible, however, that its partner
was promoted to active in the interim; in that case, the primary Director
immediately transitions to the inactive state. When the primary Director is made
active again, it will synchronize with the secondary Director’s configuration.)

Note: When the secondary Director is in the reserve state or the primary Director
is in the inactive state, you must log in to that Director as the user named
standbyuser.


Section B: Detailed Standby Concepts

A Director standby pair is composed of a primary Director and a secondary
Director (these identities are configured by the administrator). The normal state
of the primary Director is active, meaning that it allows configuration and
monitoring operations to be executed on it. The normal state of the secondary
Director is reserve, meaning that its only function is to mirror the configuration
and database of the primary Director so that it can take over for the primary
Director if configured to do so. Until the secondary Director is made active, no
commands or operations can be executed on it (aside from the make-active
command).

Failover Assumptions
These assumptions will help you understand the operation of the standby pair:
❐ Only administrators can alter the state of the standby pair. Consider the
following examples:
• If an administrator executes the make-standalone command on a
Director, the administrator must perform a make-primary or
make-secondary to get that Director back into the pair.
make-standalone changes the state of that Director, taking it out of the
standby pair. To get that Director back into a standby pair, you must
give it an identity using either make-primary or make-secondary.
• Suppose the primary Director fails. The administrator executes the
make-active command on the secondary Director, which changes its
identity to primary and changes its state to active.
Later, if the primary Director is rebooted, its state is inactive. To set both
Directors back to their original identities, you execute the make-active
command on the primary Director to make it active again. (This
command indirectly causes the secondary Director to revert back to the
reserve state.)
❐ There is only one automated transition.
If the primary Director notices that the secondary Director has been made
active, it automatically transitions to the inactive state. No other transitions
occur without administrator intervention.
❐ When a Director comes up, it resumes its prior state.
If a Director fails for any reason (for example, it powers down or crashes),
that Director will resume its prior state when the condition is resolved.
For example, if the primary Director was in the active state when it failed, it
resumes the active state when it comes back online (unless the secondary
Director was made active in the interim; in that case, the primary Director
transitions to inactive).


How Data is Mirrored

When a change is made to the primary Director, that change is immediately
propagated to the secondary Director over an SSH connection, thus ensuring
redundancy. Normally, the primary Director and secondary Director are
synchronized or are in the process of synchronizing. However, a network outage
will result in a longer-term out-of-sync condition.

Figure 13–1 Data Mirroring between the primary Director and secondary Director

Monitoring Connectivity
To verify that its partner is reachable and functioning normally, the primary
Director executes, every five seconds, a specific command on the secondary
Director. If the command fails 12 times in a row (that is, for one minute), the
primary Director sends an SNMP notification to any configured management
stations.
If the secondary Director is functioning normally and has not received the expected
CLI command within one minute, it sends an SNMP notification to the
management station.

Note:
• You must configure the primary Director to send the standby SNMP
notifications. For more information, see "Configuring the Standby Pair" on
page 397.
• If there are firewalls between the primary and secondary Directors, TCP
and UDP port 873 must be open for communication to succeed.


Figure 13–2 Standby pair verification

How Failover Works

If the primary Director fails, the secondary Director notes that the expected
connectivity check has not arrived and sends an SNMP notification to all
configured management stations. While the secondary Director is fully capable of
resuming Director operations as though it were the active Director, it cannot do so
unless an administrator changes its state from reserve to active.
This manual process prevents the Directors from switching states prematurely.
For example, if the network link failed and the primary Director could not query
the secondary Director, an automated transition might make the secondary
Director active. This would result in two active Directors performing operations,
each with a different configuration.
To make the secondary Director active, an administrator must execute the
make-active command on it. After the secondary Director has been made active, it
assumes all configuration operations previously performed by the primary
Director.
When the primary Director comes back online, it asserts itself as active again, but
will immediately transition to inactive if it discovers that the secondary Director
has been made active in the interim. The only way that the primary Director can
regain active status is by manual intervention; an administrator must make it
active again by executing the make-active command on it (the secondary Director
then transitions to reserve).

Figure 13–3 Making the secondary Director active after failure of the primary

Failure of the network link between the primary Director and secondary Director
does not trigger any automatic state transitions. During a network outage, any
changes on the primary Director are not immediately synchronized with the
secondary Director. After connectivity is restored, the primary Director
automatically synchronizes all changes (since the last successful sync) with the
secondary Director.
No state change occurs as a result of network link failure. All state transitions
are the result of administrator intervention.

Figure 13–4 Network link failure and standby state


Section C: Implementation Details

To create a standby pair, you must first decide which Director 510 is to be the
primary Director and which is to be the secondary Director.
The primary Director assumes the active state and begins normal operations
(that is, configuring and monitoring devices). The primary Director
synchronizes its state to the secondary Director (unique settings, such as the
primary Director’s IP address, are not synchronized).
The Director configured as secondary automatically assumes the reserve state
and immediately begins acting as the rsync client for the primary Director. The
secondary Director cannot be used to configure or manage devices, and
Management Console connections are refused. If you try to connect to the
secondary Director’s Management Console, the following dialog box displays:

Figure 13–5 Non-active Director error dialog box

Taking a Director Out of the Pair

To perform maintenance (for example, archiving a Director), first change its
identity to Standalone using the make-standalone command.

Important:
• You must make both Directors in the standby pair standalone before
restoring an archive on either the primary or secondary Director. For
more information about archiving, see Chapter 15: "Backing Up
Director and Devices".
• If the secondary Director in a standby pair is reachable but is configured
to be standalone (and not secondary), the primary Director responds
slowly to login requests and, in some cases, prevents users from logging
in.


Configuring the Standby Pair


The standby pair can be created only using the Director command line.
During configuration, you must enable the primary Director to send the standby
SNMP notifications. These notifications are used to report the state transitions of
the standby pair. If you do not enable notifications, there is no way to determine
the current state of the standby pair, such as when a Director fails.
Note that you do not have to enable SNMP notifications on the secondary
Director. Any (or all) notifications enabled on the primary Director are
automatically enabled on the secondary Director. However, the two Directors are
not fully configured as a standby pair (and thus, do not send notifications) until
they have been configured as such, have rebooted, and are in sync.

Important: If there are firewalls between the primary and secondary Directors,
TCP and UDP port 873 must be open for communication to succeed.

To configure the standby pair:


1. Connect to the primary Director using an SSH application as discussed in
"Using the Director Command Line" on page 38.
2. When prompted, log in as an administrator.
3. Start enable mode using the following command:
director > enable

4. If prompted, enter the enable mode password.


5. Start configure mode using the following command:
director # conf t

6. Enable the standby-state SNMP notifications:


director (config) # snmp traps standby-state all enable

You can enable the notifications individually if you desire. To get a listing of
the available standby states, enter the following command:
director (config) # snmp traps standby-state ?

7. Enter the following command to make the Director primary:
director (config) # standby make-primary secondary_ip-or-hostname password

The Director reboots and comes back online as primary.


8. Connect to the secondary Director using an SSH application.
9. Enable the standby-state SNMP notifications:
director (config) # snmp traps standby-state all enable

10. Enter the following command to make the Director secondary:
director (config) # standby make-secondary primary_ip-or-hostname password

The secondary Director reboots and comes up in the reserve state. When
accessing the Director after the reboot, you must use the standbyuser
username.
11. Reboot the primary Director again.

Verifying the Standby Settings


You must view the standby settings on the primary Director using the following
command:
director # show standby-settings
Identity:Primary
State:Active
Partner IP:10.9.40.118
Partner State:Reserve
Sync State:In-sync
Time Last HB Recd.:Tue Mar 06 2007 09:38:04
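To watch this output from a management host rather than by eye, the following Python is an added monitoring example (it is not part of the guide and not Blue Coat software). It parses the show standby-settings fields shown above and flags the partner and sync values that Table 13–1 describes as problems, plus a stale heartbeat. The sample output is the guide's, reproduced as a constant; the timestamp format string, the five-minute staleness threshold and the problem wording are assumptions made for this example.

```python
"""Parse 'show standby-settings' output and flag unhealthy standby-pair states.

Added example, not Blue Coat code. Field names and the sample output come from
the guide; the heartbeat format string, the 5-minute staleness threshold and the
problem texts are assumptions made for this example.
"""
from datetime import datetime, timedelta

# The guide's sample output, reproduced as a constant so the example runs offline.
SAMPLE_OUTPUT = """\
Identity:Primary
State:Active
Partner IP:10.9.40.118
Partner State:Reserve
Sync State:In-sync
Time Last HB Recd.:Tue Mar 06 2007 09:38:04
"""

# Assumed format of the heartbeat timestamp, derived from the sample line above.
HB_FORMAT = "%a %b %d %Y %H:%M:%S"

# Partner and sync values that Table 13-1 describes as problems, with its explanation.
PARTNER_PROBLEMS = {
    "Unreachable": "partner is not reachable or the network link has failed",
    "Misconfigured": "partner's standby settings do not name this Director as its partner",
    "Inactive": "primary is inactive because the secondary was made active while it was down",
}
SYNC_PROBLEMS = {
    "Syncing": "synchronization still in progress",
    "Retrying sync": "previous synchronization attempt failed, retrying",
}


def parse_standby_settings(text):
    """Split each 'Key:Value' line on its first colon; keys keep the CLI's spelling."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_standby(settings, now, max_hb_age=timedelta(minutes=5)):
    """Return a list of problem strings; an empty list means this Director reports a healthy pair.

    'now' may be a datetime or a string in HB_FORMAT (convenient for fixed test clocks).
    """
    if isinstance(now, str):
        now = datetime.strptime(now, HB_FORMAT)
    problems = []
    if settings.get("Identity") == "Standalone":
        return ["Director is standalone, not part of a standby pair"]

    partner = settings.get("Partner State", "")
    if partner in PARTNER_PROBLEMS:
        problems.append(f"partner state {partner}: {PARTNER_PROBLEMS[partner]}")

    sync = settings.get("Sync State", "")
    if sync != "In-sync":
        problems.append(f"sync state {sync!r}: {SYNC_PROBLEMS.get(sync, 'unexpected value')}")

    # A paired Director receives heartbeats steadily; a stale timestamp points at the
    # same link problems that the troubleshooting scenario in Section D walks through.
    hb = settings.get("Time Last HB Recd.")
    if hb is None:
        problems.append("no heartbeat timestamp reported")
    else:
        age = now - datetime.strptime(hb, HB_FORMAT)
        if age > max_hb_age:
            problems.append(f"last heartbeat received {age} ago (limit {max_hb_age})")
    return problems


if __name__ == "__main__":
    parsed = parse_standby_settings(SAMPLE_OUTPUT)
    # The clock is fixed so the run is reproducible against the 2007 sample timestamp.
    for problem in check_standby(parsed, "Tue Mar 06 2007 09:40:00"):
        print("PROBLEM:", problem)
    print("checked", parsed["Identity"], "Director; partner", parsed["Partner IP"])
```

In practice the text would be captured from an SSH session to the primary Director and checked on a schedule; the function only inspects the fields the CLI prints, so a secondary's view (where the healthy partner value is not listed in Table 13–1) is judged on sync state and heartbeat age alone.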

Viewing the State of the Primary or Secondary Director


After you have configured the standby pair, the identity of both Directors and the
current synchronization status are displayed at the top of the Director
Management Console.

Figure 13–6 Management Console standby pair identity and status Indicator
The possible standby pair identities, states, and synchronization status for the
standby pair status (as shown in the preceding figure) are described in the
following table.

Table 13–1 Possible standby pair identities, states, and synchronization status

Standby Status Item            Possible Values   Notes
Director identity              Primary           OK
                               Secondary         OK
                               Standalone        Not part of a standby pair.
Partner status, primary        Reserve           Secondary Director is operating normally.
Director GUI (partner is       Unreachable       Secondary Director is not reachable, or the
the secondary)                                   network link has failed.
                               Misconfigured     Secondary Director’s standby settings do not
                                                 show this primary Director as its partner.
Partner status, secondary      Inactive          Primary Director is inactive because the
Director Management Console                      secondary was made active while the primary
(partner is the primary)                         Director was down.
                               Unreachable       Primary Director is not reachable, or the
                                                 network link has failed.
Sync status                    In-sync           The most recent synchronization attempt
                                                 succeeded.
                               Syncing           Synchronization in progress.
                               Retrying sync     The previous synchronization attempt failed;
                                                 retrying.

Note: If the secondary Director in a standby pair is reachable but is configured
to be standalone (and not secondary), the primary Director responds slowly to
login requests and, in some cases, prevents users from logging in.

Making Changes on the Primary Director


If you have configured the standby pair and are performing operations on the
primary Director, commit your changes and carefully watch the
synchronization status to make sure the changes are synchronized.
The reason for this is that if the primary Director fails before synchronization is
complete (or the network link is down), you might need to make the secondary
active and those changes will not be present on the secondary Director. By
waiting for the sync to complete, you will remember what those changes were
in the event that you need to re-create them on the secondary.
You can track your changes by enabling audit logging. For more information,
see Chapter 11: "Audit Logging".

Connecting to a Non-Active Director


The only way to connect to a reserve or inactive Director is by using the
standbyuser username. If you subsequently break the standby pair, the
username reverts to its previous setting.

Section D: Scenario: Implementing a Director Standby Pair


The following scenario illustrates basic standby concepts and will help you
understand how Director standby functions.

Example Company’s Disaster Preparedness


Example Company is a global company headquartered in Sunnyvale, California.
Example Company has hundreds of branch offices distributed throughout the
world. Because of its many ProxySG appliances, Example relies on a Director
(located in the data center) to monitor its devices and to make configuration
changes. However, Example’s executives worry about disaster preparedness.
What would happen if the data center Director failed or was destroyed? All of
Example’s Director configuration and data (from the time the last archive was
taken) would be lost and Director service would be interrupted.
To ensure Director redundancy, Example’s administrator wants to implement
Director standby. The company decided to replace their existing Director with
two Director 510s. (The Director 510 is the only platform that currently supports
Director standby.)
Example’s administrators installed the first Director in the data center in
Sunnyvale and the second Director in a branch office in Los Angeles. The
appliances are configured as described in the following table.

Table 13–2 The Properties of Example Company’s Standby Pair Directors

Director Location   IP Address   Hostname
Sunnyvale           10.1.1.2     SV
Los Angeles         20.1.1.2     LA

Example Procedure: Configuring the Standby Pair


This procedure describes the steps that Example Company’s administrators
would follow to create their standby pair.

Configuring Example company’s standby pair:


1. On the Sunnyvale Director, enable SNMP and set Example’s HP OpenView
management station as a notification recipient for device-state and
standby-state notifications.

Note: For more information about the standby-state notifications, see
"Configuring the Standby Pair" on page 397. For more information about the
device-state notifications, see "Remotely Notifying Management Stations of
Device Changes" on page 383.

Sunnyvale Director:
director-sv (config) # snmp-server traps standby-state all enable
director-sv (config) # snmp-server traps device-state all enable
director-sv (config) # snmp-server host 0.0.0.0 traps version 2c

In the preceding command, 0.0.0.0 is the IP address of the management
station.
2. Configure the Sunnyvale Director 510 as primary and specify the IP address
of the secondary Director and the password of the SSH connection:
director-sv (config) # standby make-primary 20.1.1.2 thunder

Where thunder is the SSH connection password.
The Sunnyvale Director reboots and comes back online as primary.
3. Configure the standby-state notifications on the Los Angeles Director:
director-la (config) # snmp-server traps standby-state all enable

4. Configure the Los Angeles branch office Director 510 as secondary and
specify the IP address of the primary Director and the password of the SSH
connection:
director-la (config) # standby make-secondary 10.1.1.2 thunder

Where thunder is the SSH connection password.
The LA Director reboots and comes back up as secondary. To access the
secondary Director in the reserve state, you must use the standbyuser
username to connect to the CLI; you cannot connect to the Management
Console of a Director in the reserve or active state.
When the secondary reboots and comes online, the primary Director discovers it
and synchronizes all of its data over an SSH connection. The administrators can
verify the synchronization by opening the primary Director’s Management
Console and observing the synchronization status.

Configuration Notes
❐ Only two commands are allowed on the secondary: make-active and
make-standalone. This ensures that the two Director configurations are never
unsynchronized.
❐ Reserve and inactive Directors allow connections only from the standbyuser
user, regardless of any previously configured usernames. If you subsequently
break the standby pair, the username reverts to its previous setting.
❐ After the standby pair is configured, the identity of the secondary Director
cannot be changed unless the standby pair is broken by making it standalone.
❐ If, by accident, both Directors were configured as primary, each primary
Director would report the other as misconfigured because its partner is not
secondary.

Moving the Directors


Later, Example Company’s Sunnyvale and Los Angeles labs are scheduled for
improvements. Example’s administrator needs to move the Directors. The
following sections describe how these moves would be accomplished.

Moving the Secondary Director


To accomplish this move, the administrator can simply take the secondary
Director offline.
After the lab improvements are complete, the secondary Director can be re-racked
and powered up; the primary Director will automatically synchronize all changes
with it.

Taking the Primary Director Offline


Taking the primary Director offline requires additional consideration because the
primary Director performs all configuration operations. Therefore, before
shutting down the primary Director, the administrator should do the following:
1. Schedule the downtime during a relatively quiet period in which no jobs or
configuration operations (or very few) are running. This minimizes the
chances that an operation will be partially completed when the primary
Director is powered-down.
2. Make sure all changes have been synchronized with the secondary by
verifying that the synchronization status shown in the Management Console
is In-sync.
3. Make the secondary Director active:
a. Using the standbyuser account, access the secondary Director’s CLI:
login as: standbyuser

Note: When the secondary Director is in the reserve state or the primary
Director is in the inactive state, you must log in to that Director as
standbyuser.

b. Switch to enable mode:
director-la > en

c. Make the secondary Director active:
director-la # standby make-active

Note: The username of the secondary reverts from standbyuser to its original
setting when the Director is made active.

When the primary Director notices that the secondary Director has been made
active, it transitions to inactive.
4. Properly shut down the primary Director. See "Shutting Down Director" on
page 522 for more information.

5. Perform the move.


6. Power up the primary Director.
7. Make the primary Director active:
a. Using the standbyuser account, access the primary Director’s CLI:
login as: standbyuser

b. Switch to enable mode:
director-sv > en

c. Enter the following command:
director-sv # standby make-active

When the primary Director is made active, it synchronizes its configuration
with the secondary Director’s.

Note: The username of the primary reverts from standbyuser to its original
setting when the Director is made active.

Network Link Failure


Later, the network link between the two Directors fails, although the
administrator verifies that each Director is functioning, either by directly
connecting to each one using its serial port or by connecting to each one over
the intranet. Example Company’s management station receives SNMP
notifications from both the primary Director and the secondary Director, each
stating that its partner is unreachable. Because both the primary and secondary
Directors are still functioning, the administrator suspects a network failure. As
expected, the management station also shows a failure of the network link
between the two Directors.

Note: If the secondary Director in a standby pair is reachable but is configured
to be standalone (and not secondary), the primary Director responds slowly to
login requests and, in some cases, prevents users from logging in.

Example analyzes and corrects this type of network outage in the following ways:
❐ "Determining the Root Cause"
❐ "Troubleshooting Network Failures" on page 406

Determining the Root Cause


Assume that sync status is in-sync for a long period of time or that you have
received SNMP notifications that one Director in the standby pair has failed. This
section discusses basic tasks you can perform to determine whether the failure is
related to the Director appliance or to the network.

To determine the root cause of network problems:


1. Determine if each Director in the standby pair is functioning:
a. Ping each Director.
If the Director responds to ping, connect to it and ping the other Director.
Continue with the next step regardless of the ping results.
b. Use a null modem cable to connect to the Director appliance directly
using its serial port.
You can also log in remotely using an SSH application if the Director is
reachable on the company intranet or from some other network.

Note the following:
• If the Director is functioning, check the other Director. If both Directors are
functioning, continue with the next step.
• If either Director is not functioning, take that Director out of the
standby pair as discussed in "Taking a Director Out of the Pair" on
page 396. While the Director is standalone, troubleshoot it to
determine the cause of the failure. When both Directors are
functioning, re-enable standby as discussed in "Configuring the
Standby Pair" on page 397 and ignore the remainder of this section.
2. If both Directors are functioning, determine if the Directors can ping each
other.
a. Log in to either Director as an administrator.
b. Enter the following command:
ping partner_ip-address

c. Log in to the other Director and enter the same command.


If ping succeeds on both Directors, the problem was likely a transient network
issue. Monitor SNMP notifications for future failures. No additional action is
required.
If ping fails on either Director or on both Directors, there is a network issue.
Continue with the next section.

Troubleshooting Network Failures


The following topics in this section discuss basic troubleshooting tasks you can
perform to recover from the network failure:
❐ "Troubleshooting Options: Standby Pair"
❐ "Troubleshooting Options: Primary Director Failure" on page 407

Troubleshooting Options: Standby Pair


Suppose you discover that, due to the nature of the network outage, the
secondary Director is able to reach more of Example’s ProxySG appliances than
the primary Director. In this case, the administrator should consider the following
options:
❐ Break the standby pair
The administrators can break the standby pair and run two standalone
Directors. However, if the long-term plan is to eventually remake the standby
pair, every change made to the secondary Director must be manually recorded.
If the two Directors have different configuration data, the data must be manually
synchronized. Otherwise, the primary (active) Director will overwrite the
secondary’s configuration during the automated synchronization process,
which is part of the make-primary process.

❐ Keep the standby pair
A better alternative is to keep the standby pair. If the secondary Director can
reach more devices, the administrator can shut down the primary Director
and make the secondary active. Powering down the primary Director means
there is no way simultaneous changes can be made to both Director
appliances’ configurations.
Before shutting down the primary, the administrator should wait until no jobs
are scheduled or in progress. To confirm there are no incomplete jobs, the
administrator should verify there are no empty job reports on the secondary
Director. If a job had been started on the active Director but the results had not
been synchronized with the secondary Director, there will be empty job
reports.
For more information about job reports, see Section D: "Verifying Jobs" on
page 280.

Troubleshooting Options: Primary Director Failure


If the primary Director fails, the administrator should execute the make-active
command on the secondary so that Director service is resumed as soon as
possible. The administrator must then check the secondary Director to determine
if the following situations exist:
❐ "Synchronization is complete and no jobs were in progress when the primary
Director failed"
❐ "An administrator was making changes that had not finished synchronizing at
the time the primary Director failed; no jobs were in progress" on page 407
❐ "Jobs were in progress when the primary Director failed" on page 408
❐ "Jobs were scheduled to start during the primary Director’s downtime" on
page 408

Synchronization is complete and no jobs were in progress when the
primary Director failed
In this situation, Example Company can continue to operate the secondary
Director.

An administrator was making changes that had not finished synchronizing
at the time the primary Director failed; no jobs were in progress
If an administrator was making changes when the link failed, those changes are
lost. (This is why administrators are encouraged to make sure changes are
properly synchronized before moving on to their next task.)

Jobs were in progress when the primary Director failed


If jobs were in progress at the time the primary Director failed, the administrator
must determine if the jobs completed and if those changes were synchronized.
The administrator can determine if the jobs completed by checking for incomplete
job reports in the secondary Director’s Management Console (Jobs tab page).
If the administrator determines that some of the jobs failed to complete, the
administrator must analyze the jobs to determine the required corrective action, if
any.
The type of corrective action depends on the job type: one-time only, idempotent,
and restartable. These three job types are defined by their contents, and not by the
software:
❐ Idempotent job: A job that will yield the same result if it is run once or many
times. For example, a job that backs up multiple devices.
Corrective action: Run the job again.
❐ One-time only job: A job that is to be executed exactly one time. For example,
a job that changes the passwords on a device. If a one-time job is re-run, it will
fail if that job has already been executed.
Corrective action: To determine if action is required, log in to the remote device
and verify whether or not the one-time job has been executed.
❐ Restartable job: An idempotent job that would result in benign errors or
warnings when run a second time. For example, a job that defines five realms
would produce errors if several of those realms were already defined.
Corrective action: Re-run the job on each target ProxySG appliance and
evaluate each error to see if additional action is required.

Jobs were scheduled to start during the primary Director’s downtime


If Example Company’s administrator discovers that some jobs failed to start
because the job start time occurred after the primary failed but before the
administrator made the secondary appliance the primary, the administrator must
identify those jobs so that they can be re-run.

Upgrading the Software on the Standby Pair


When Example Company decides to upgrade the software on the two Directors
in the standby pair, they can upgrade the standby pair in the following ways:
❐ Taking both Directors out of service
This is the easiest software upgrade method.
❐ Maintaining Director service
Use this method if Director service cannot be interrupted.

Software Upgrade the Easy Way: Breaking the Standby Pair


The administrator breaks the standby pair and makes both the primary and
secondary Directors standalone. Of course, this means that the Directors are
offline during the upgrade process. If the administrator uses this method, they
should ensure that no jobs are scheduled to run during the anticipated outage.
After both Directors have been upgraded, they can recreate the standby pair by
designating one Director as primary and one Director as secondary.
If you cannot interrupt service for the software to be upgraded, skip this section
and see "Software Upgrade Without Downtime" on page 410.

To upgrade the Directors by breaking the standby pair:


1. Select a time when no jobs or operations are scheduled on the primary
Director.
2. Connect to either the primary or secondary Director using an SSH
application as discussed in "Connecting to Director using SSH" on page 50.
3. Enter the following command on both the primary and secondary Directors to
make each standalone:
director (config) # standby make-standalone

4. Upgrade the Directors as discussed in Chapter 16: "Upgrading Director".
5. Initialize the primary Director:
director (config) # standby make-primary secondary-ip password

6. Initialize the secondary Director:
director (config) # standby make-secondary primary-ip password

Software Upgrade Without Downtime


This section discusses how to upgrade the software on both the primary and
secondary Directors while making sure there is no loss of service.

To upgrade the standby pair while maintaining service:

Note: The following procedure assumes that the secondary Director is acting
in reserve.

1. Verify that both Directors are in sync.
2. Connect to the secondary Director using an SSH application as discussed in
"Connecting to Director using SSH" on page 50.
3. Change the state of the secondary Director from reserve to active.
a. Log in to the secondary Director as the standbyuser user:
login as: standbyuser

b. Switch to enable mode:
director > en

c. Make the secondary Director active:
director # standby make-active

4. Connect to the primary Director using an SSH application.
5. Make the primary Director standalone.
director # standby make-standalone

Note: After you make the primary or secondary Director standalone, you
must connect to it using the user name that was configured before you
created the standby pair. In other words, the standbyuser user name will not
work.

6. Upgrade the Director software on the primary Director as discussed in
Chapter 16: "Upgrading Director".

Important: To make sure the Directors do not get out of sync during the
upgrade process, verify all of the following:
• No configuration changes are made on Director during the software
upgrade.
• No jobs are scheduled on the secondary Director during the software
upgrade.

7. Connect to the secondary Director using an SSH application.

8. Make the secondary Director standalone.
director # standby make-standalone

9. Archive the secondary Director’s configuration as discussed in Chapter 15:
"Backing Up Director and Devices".
10. Upload the archive to a Web server.
11. Restore the archive on the primary Director.
Provided the Directors were in sync before you started, this has the effect of
upgrading the software on the primary Director.
12. Change the identity of the primary Director from standalone to primary.
director # standby make-primary secondary-ip password

13. Upgrade the software on the secondary Director.
14. Put the secondary Director in reserve.
director # standby make-secondary primary-ip password

15. After completing the software upgrade, make sure the primary and secondary
Directors are functioning, synchronized, and running the upgraded software
version.

Section E: SNMP Notifications for Director Standby


An SNMP notification is sent for each type of state transition in the standby pair.
All transitions that cause notifications also cause entries in the event log. Each
type of notification can also be individually enabled or disabled.
All traps in this section are in the BLUECOAT-DIRECTOR-TRAP.MIB, which is
available from the Blue Coat Download web site:
1. Go to http://support.bluecoat.com and, when prompted, enter your
BlueTouch user name and password.
If you do not have a user name and password, fill in the form at
http://www.bluecoat.com/support/supportservices/btorequest.
2. At the Blue Coat Download home page, click Director.
3. At the next page, click the link corresponding to the version of Director
software you are using.
4. In the Product Files pane, click the link to download the Director MIBs.

Notifications Sent Only by the Primary Director


Sync-failed
OID                            Node
1.3.6.1.4.1.3417.3.2.2.3.1.1   blueCoatDirectorStandbyChgSyncFailed

A synchronization from the primary Director to the secondary Director has failed.
(The primary Director will continuously retry the synchronization, but this
notification will not be sent after every successive failure.)
Remediation: Because this notification is often caused by loss of reachability from
the primary Director to the secondary Director, look for a corresponding
blueCoatDirectorStandbyChgPartnerReachabilityLost notification.

Sync-reestablished
OID                            Node
1.3.6.1.4.1.3417.3.2.2.3.1.2   blueCoatDirectorStandbyChgSyncReestablished

After a blueCoatDirectorStandbyChgSyncFailed condition was reported, a
successive synchronization operation succeeded. (This notification is not reported
after every successful synchronization.)

Primary-backing-off-to-Inactive
OID                            Node
1.3.6.1.4.1.3417.3.2.2.3.2.1   blueCoatDirectorStandbyChgPrimaryBackingOffToInactive

While running in the active state, the primary Director discovered the secondary
Director in the active state. In this case, the primary Director automatically
assumes the inactive state.
Remediation: There are two common ways of getting into this condition:
1. With the primary Director in the active state and the secondary Director in the
reserve state, there was a network failure. After an administrator changes the
secondary to the active state, on the first heartbeat after the network comes
back up, the double-active condition is detected.
2. With the primary Director in the active state and the secondary Director in the
reserve state, the primary Director powers off. After an administrator changes
the secondary to active, the primary Director powers up, resulting in the
double-active condition.
In both cases, an administrator must determine which Director’s configuration
changed (if any), and decide on the set of changes to keep when the original
primary Director is made active.

Partner-config-invalid
OID                            Node
1.3.6.1.4.1.3417.3.2.2.3.3.1   blueCoatDirectorStandbyChgPartnerConfigInvalid

The reason for this notification depends on the following:
❐ If the partner Director is configured as part of a pair: The primary Director
logged in to the secondary to get its heartbeat and asked the secondary
Director who it thought its primary Director was.
The secondary responded that a third Director was the primary, which meant
the secondary Director was not configured properly. The IP address of the
third Director is reported by the standbyPartnersPrimary varbind in this
notification.
❐ If the partner Director is standalone: The primary Director has found no
primary configured on the other Director, and reports 0.0.0.0 for the
standbyPartnersPrimary varbind in this notification.
Remediation: An administrator must check and resolve the configuration on
either or both Directors in the pair.

Partner-config-validated
OID                            Node
1.3.6.1.4.1.3417.3.2.2.3.3.2   blueCoatDirectorStandbyChgPartnerConfigValidated

After reporting a blueCoatDirectorStandbyChgPartnerConfigInvalid condition,
this Director once again found that its secondary Director was correctly
configured.

Notifications Sent Only by the Secondary Director


Secondary-indirectly-forced-to-Reserve
OID                            Node
1.3.6.1.4.1.3417.3.2.2.4.2.1   blueCoatDirectorStandbyChgIndirectlyForcedToReserve

The secondary Director transitioned to the reserve state in response to the
primary Director transitioning to the active state. This transition is not automatic
because administrator intervention is required on the primary Director.
Receipt of this notification confirms that the secondary Director is aware that the
primary Director transitioned to active.
If the secondary Director does not report this notification immediately after the
primary Director is changed to active, the network between the two Directors
might be down (which would be reported by a
blueCoatDirectorStandbyChgPartnerReachabilityLost notification).
In this case, administrators must use caution and avoid committing configuration
changes to both Directors. If that happens, one set of configuration changes is lost
after the standby pair is re-enabled.

Notifications Sent by the Primary or Secondary Director


Partner-reachability-lost
OID                            Node
1.3.6.1.4.1.3417.3.2.2.1.1.1   blueCoatDirectorStandbyChgPartnerReachabilityLost

❐ Primary: This notification is reported by the primary Director because it failed
to log in to the secondary to check its standby status. (In other words, the
primary Director failed to receive the secondary’s heartbeat.)
❐ Secondary: This notification is reported by the secondary Director if the
secondary does not detect the primary Director logging in for more than a minute.
Regardless of whether this notification is reported by the primary or secondary
Director, the notification means the network link between the two Directors is not
working properly. Any changes made on the primary Director will not be synced
to the secondary (assuming the primary is the active Director).

Remediation: Resolve the network issues, using as an example the information
discussed in "Troubleshooting Network Failures" on page 406. Make sure you do
not commit configuration changes to both the primary and secondary Directors at
the same time.

Partner-reachability-regained
OID                            Node
1.3.6.1.4.1.3417.3.2.2.1.1.2   blueCoatDirectorStandbyChgPartnerReachabilityRegained

After a blueCoatDirectorStandbyChgPartnerReachabilityLost condition was
reported, the partner Director re-established communication with this Director.

Notifications Caused by Administrator Action


All notifications discussed in this section are reported only by the Director on
which the administrator executed the state change.

Forced-to-Primary
OID                            Node
1.3.6.1.4.1.3417.3.2.2.2.1.1   blueCoatDirectorStandbyChgForcedToPrimary

An administrator entered the standby make-primary command to force a Director
to be the primary.

Forced-to-Secondary
OID                            Node
1.3.6.1.4.1.3417.3.2.2.2.1.2   blueCoatDirectorStandbyChgForcedToSecondary

An administrator entered the standby make-secondary command to force a
Director to be the secondary.

Forced-to-StandAlone
OID                            Node
1.3.6.1.4.1.3417.3.2.2.2.1.3   blueCoatDirectorStandbyChgForcedToStandalone

An administrator entered the standby make-standalone command to force a
Director to be standalone (that is, to take it out of a standby pair).

Forced-to-Active-State
OID                            Node
1.3.6.1.4.1.3417.3.2.2.2.1.4   blueCoatDirectorStandbyChgForcedToActiveState

An administrator entered the standby make-active command to force a Director
to be active.
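To turn the remediation guidance of this section into something a management station can apply automatically, the following Python is an added example (not Blue Coat code and not part of the MIB). It maps the OIDs listed above to their node names and walks an ordered list of received traps, raising the findings the text calls for: a Sync-failed shortly after Partner-reachability-lost is treated as a network issue, a Partner-config-invalid carrying 0.0.0.0 in standbyPartnersPrimary means the partner is standalone, Primary-backing-off-to-Inactive is the double-active condition, and a Forced-to-Active-State from the primary that is not followed by the secondary's Secondary-indirectly-forced-to-Reserve suggests the link is down. The Trap record, the time windows, the agent addresses (reused from Table 13–2) and the sample trap stream are constructed for the example.

```python
"""Correlate Director standby SNMP notifications against Section E's guidance.

Added example, not Blue Coat code. The OIDs and node names are the ones listed
in this section; the Trap record, the time windows, the agent addresses and the
sample trap stream are constructed for illustration.
"""
from dataclasses import dataclass, field

# OID -> node name, as listed in this section (BLUECOAT-DIRECTOR-TRAP.MIB).
STANDBY_TRAPS = {
    "1.3.6.1.4.1.3417.3.2.2.3.1.1": "blueCoatDirectorStandbyChgSyncFailed",
    "1.3.6.1.4.1.3417.3.2.2.3.1.2": "blueCoatDirectorStandbyChgSyncReestablished",
    "1.3.6.1.4.1.3417.3.2.2.3.2.1": "blueCoatDirectorStandbyChgPrimaryBackingOffToInactive",
    "1.3.6.1.4.1.3417.3.2.2.3.3.1": "blueCoatDirectorStandbyChgPartnerConfigInvalid",
    "1.3.6.1.4.1.3417.3.2.2.3.3.2": "blueCoatDirectorStandbyChgPartnerConfigValidated",
    "1.3.6.1.4.1.3417.3.2.2.4.2.1": "blueCoatDirectorStandbyChgIndirectlyForcedToReserve",
    "1.3.6.1.4.1.3417.3.2.2.1.1.1": "blueCoatDirectorStandbyChgPartnerReachabilityLost",
    "1.3.6.1.4.1.3417.3.2.2.1.1.2": "blueCoatDirectorStandbyChgPartnerReachabilityRegained",
    "1.3.6.1.4.1.3417.3.2.2.2.1.1": "blueCoatDirectorStandbyChgForcedToPrimary",
    "1.3.6.1.4.1.3417.3.2.2.2.1.2": "blueCoatDirectorStandbyChgForcedToSecondary",
    "1.3.6.1.4.1.3417.3.2.2.2.1.3": "blueCoatDirectorStandbyChgForcedToStandalone",
    "1.3.6.1.4.1.3417.3.2.2.2.1.4": "blueCoatDirectorStandbyChgForcedToActiveState",
}
NAME_TO_OID = {name: oid for oid, name in STANDBY_TRAPS.items()}


@dataclass
class Trap:
    """One received notification (a constructed shape, not the MIB's PDU layout)."""
    ts: int          # receipt time, seconds since epoch
    agent: str       # IP address of the Director that sent it
    oid: str
    varbinds: dict = field(default_factory=dict)   # e.g. {"standbyPartnersPrimary": "0.0.0.0"}


def trap_name(oid):
    return STANDBY_TRAPS.get(oid, "unknown:" + oid)


def diagnose(traps, primary_ip, secondary_ip, reserve_wait=60, net_window=300):
    """Return (severity, message) findings for an ordered trap list, following the
    remediation text of this section; reserve_wait and net_window are assumed windows."""
    findings = []
    traps = sorted(traps, key=lambda t: t.ts)
    lost = [t for t in traps if trap_name(t.oid).endswith("PartnerReachabilityLost")]
    regained = [t for t in traps if trap_name(t.oid).endswith("PartnerReachabilityRegained")]
    reserve = [t for t in traps if trap_name(t.oid).endswith("IndirectlyForcedToReserve")]

    for t in traps:
        name = trap_name(t.oid)
        if name.startswith("unknown:"):
            findings.append(("info", f"{t.agent}: {t.oid} is not a Director standby trap"))
        elif name.endswith("SyncFailed"):
            # Usually caused by loss of reachability: look for the matching Lost trap.
            if any(x.agent == t.agent and 0 <= t.ts - x.ts <= net_window for x in lost):
                findings.append(("warning", f"{t.agent}: sync failed after reachability loss; treat as a network issue"))
            else:
                findings.append(("error", f"{t.agent}: sync failed while the partner was reachable; inspect the secondary"))
        elif name.endswith("PrimaryBackingOffToInactive"):
            findings.append(("critical", f"{t.agent}: double-active detected; decide which changes to keep before making the original primary active"))
        elif name.endswith("PartnerConfigInvalid"):
            other = t.varbinds.get("standbyPartnersPrimary", "?")
            if other == "0.0.0.0":
                findings.append(("error", f"{t.agent}: partner is standalone; expect slow logins on the primary until it is made secondary"))
            else:
                findings.append(("error", f"{t.agent}: partner names {other} as its primary; fix standby settings on one or both Directors"))
        elif name.endswith("ForcedToActiveState") and t.agent == primary_ip:
            # The secondary should confirm with IndirectlyForcedToReserve; silence suggests the link is down.
            if not any(r.agent == secondary_ip and 0 <= r.ts - t.ts <= reserve_wait for r in reserve):
                findings.append(("warning", f"{secondary_ip}: no reserve confirmation within {reserve_wait}s of the primary going active; do not commit changes on both Directors"))
        elif name.endswith("PartnerReachabilityLost"):
            if not any(r.agent == t.agent and r.ts > t.ts for r in regained):
                findings.append(("warning", f"{t.agent}: partner still unreachable; changes on the active Director are not being synced"))
    return findings


# Constructed trap stream: Sunnyvale 10.1.1.2 is primary and Los Angeles 20.1.1.2 is secondary
# (addresses from Table 13-2); timestamps are arbitrary.
SAMPLE_TRAPS = [
    Trap(1000, "10.1.1.2", NAME_TO_OID["blueCoatDirectorStandbyChgPartnerReachabilityLost"]),
    Trap(1030, "10.1.1.2", NAME_TO_OID["blueCoatDirectorStandbyChgSyncFailed"]),
    Trap(1500, "10.1.1.2", NAME_TO_OID["blueCoatDirectorStandbyChgPartnerReachabilityRegained"]),
    Trap(1520, "10.1.1.2", NAME_TO_OID["blueCoatDirectorStandbyChgSyncReestablished"]),
    Trap(2000, "10.1.1.2", NAME_TO_OID["blueCoatDirectorStandbyChgPartnerConfigInvalid"],
         {"standbyPartnersPrimary": "0.0.0.0"}),
]

if __name__ == "__main__":
    for severity, message in diagnose(SAMPLE_TRAPS, "10.1.1.2", "20.1.1.2"):
        print(f"[{severity}] {message}")
```

On the sample stream the Sync-failed is downgraded to a network warning because a Partner-reachability-lost from the same Director preceded it, the Lost trap itself produces nothing because a Regained follows, and the Partner-config-invalid with 0.0.0.0 is reported as a standalone partner. A trap receiver would feed diagnose() with traps decoded from the MIB rather than the constructed records used here.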

Chapter 14: Director Logging

Blue Coat Director logs help you to determine the nature of a problem when
you troubleshoot Director by providing information about connection issues,
configuration issues, and operating conditions.
To monitor your system, you can:
❐ Use the daily syslog to view results of commands generated by the Director
command line.
❐ Click the All Jobs for Director icon or select Content > Query Content in the
Director Management Console.
❐ Use the show commands from the Director command line.

About Event Logging


Director logs commands entered from the command line and commands
executed as the result of actions in the Management Console. If a command
returns an error, the error message is logged.
Because Director does not display success confirmation, all other commands
are assumed to have succeeded. This type of logging is referred to as event
logging. In earlier SGME releases, you had the option of transferring event logs
to a syslog server using an insecure protocol.

About Audit Logging


Beginning with the SGME 5.3 release, Director also enables you to track the
contents of the following using audit logging:
❐ Profiles
❐ Overlays
❐ Configuration and content jobs
❐ Backups
Note: Throughout the rest of this chapter, the term content jobs is intended
to include the content jobs themselves as well as any URL list or regular
expression lists they might contain. When you create, edit, or run a job with
a URL list or regular expression list, those activities are logged in the audit
log.
Audit logging enables administrators to track what tasks were performed by
commands that configured components in the preceding list. Administrators
and auditors can use event logging and audit logging together to determine
what was changed, who changed it, and when it was changed.


Comparing Event Logging and Audit Logging


The following table summarizes the two types of logging:

Audit logging logs:
• The contents of a profile, the name of the user who executed it, and the IP
address from which the command was executed
• The contents of an overlay, the name of the user who executed it, and the IP
address from which the command was executed
• The contents of a device backup, the name of the user who executed it, and
the IP address from which the command was executed

Event logging logs:
• The name of a profile, the name of the user who executed it, and the IP
address from which the command was executed
• The name of an overlay, the name of the user who executed it, and the IP
address from which the command was executed
• The name of a device backup, the name of the user who executed it, and the
IP address from which the command was executed

The following table summarizes the main functional differences between event
logging and audit logging:

Audit logging:
• Stored in subdirectories of /local/logs/scplogs (for example, the contents
of backup jobs are stored in /local/logs/scplogs/backups).
• Event logs, stored in the /var/log/messages file, are transferred every hour
to the /local/logs/scplogs/messages directory using a cron job.
• A cron job runs every five minutes to transfer audit logs from
subdirectories of /local/logs/scplogs to an external server using the Secure
Copy Protocol (SCP), if a server is configured.
• After the files are transferred, the logs are deleted; however, if no
external server is specified, no transfer takes place.
After the contents of the audit log directory reach 1GB in size, the overflow
policy is enacted. The overflow policy can be set to delete the oldest log
files first (the default), to disable commands that trigger audit logging, or
to stop creating new audit log files.

Event logging:
• Initially stored in /var/log/messages
• Event logs, stored in the /var/log/messages file, are transferred every hour
to the /local/logs/scplogs/messages directory using a cron job.
• Every five minutes, a cron job transfers /local/logs/scplogs/messages to an
external server using SCP, if an external server is configured. (The same
cron job transfers the audit log files as discussed in the preceding row in
this table.)
• After the event log file is transferred, it is deleted; however, if no
external server is specified, no transfer takes place.
Because the event log is written continually as commands are executed, the
file can grow rapidly.

Examples of Audit Logging and Event Logging


Following is a sample event log entry:
Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@0.0.0.0: Processing command: remote-config overlay new_overlay execute device 0.0.0.1
Following is an excerpt from the beginning of an audit log for a backup job:
!- Version: SGOS 5.3.0.2 Proxy Edition
!- BEGIN networking
interface 0:0 ;mode
ip-address 172.16.45.143 255.255.255.0
exit
ip-default-gateway 172.16.45.1 1 100
dns-forwarding ;mode
edit primary
clear server
add server 172.16.55.55
exit
edit alternate
clear server
exit
exit
!- END networking
<<end of excerpt>>
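The audit log stores the full backed-up configuration in "!- BEGIN <section>" / "!- END <section>" blocks, which is what lets an auditor answer "what was changed" rather than only "who ran a backup". The following is an added example, not code from the guide or from Director itself: it parses excerpts in the format shown above and reports, per section, which configuration lines differ between two backups. The first excerpt is the guide's own sample; the second is a constructed copy with a changed default gateway and an extra DNS server. Lines are compared as multisets within each section, so reordered lines are not reported and the nesting implied by the "exit" lines is not tracked.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Sample backup excerpt in the format shown in this chapter.
BACKUP_A = """\
!- Version: SGOS 5.3.0.2 Proxy Edition
!- BEGIN networking
interface 0:0 ;mode
ip-address 172.16.45.143 255.255.255.0
exit
ip-default-gateway 172.16.45.1 1 100
dns-forwarding ;mode
edit primary
clear server
add server 172.16.55.55
exit
edit alternate
clear server
exit
exit
!- END networking
"""

# Constructed variant of the same backup: the default gateway was changed
# and a second primary DNS server was added.
BACKUP_B = BACKUP_A.replace(
    "ip-default-gateway 172.16.45.1 1 100",
    "ip-default-gateway 172.16.45.254 1 100",
).replace(
    "add server 172.16.55.55\n",
    "add server 172.16.55.55\nadd server 192.0.2.53\n",
)

SECTION_RE = re.compile(r"^!- (BEGIN|END) (\S+)\s*$")


def parse_sections(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Split a backup into '!-' header values and named sections.

    Returns (header, sections): header maps keys such as 'Version' to their
    values; sections maps a section name to the configuration lines between
    its BEGIN and END markers. Unbalanced markers raise ValueError so a
    truncated or tampered file is not silently accepted.
    """
    header: Dict[str, str] = {}
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "BEGIN":
                if current is not None:
                    raise ValueError(f"nested section {name} inside {current}")
                current, sections[name] = name, []
            else:
                if current != name:
                    raise ValueError(f"END {name} without matching BEGIN")
                current = None
            continue
        if line.startswith("!- "):
            key, _, value = line[3:].partition(": ")
            header[key] = value
            continue
        if current is not None and line:
            sections[current].append(line)
    if current is not None:
        raise ValueError(f"section {current} never closed")
    return header, sections


def diff_backups(old: str, new: str) -> Dict[str, Dict[str, List[str]]]:
    """Return, per section that differs, the lines only in old / only in new."""
    _, a = parse_sections(old)
    _, b = parse_sections(new)
    result: Dict[str, Dict[str, List[str]]] = {}
    for name in sorted(set(a) | set(b)):
        ca, cb = Counter(a.get(name, [])), Counter(b.get(name, []))
        removed = sorted((ca - cb).elements())
        added = sorted((cb - ca).elements())
        if removed or added:
            result[name] = {"removed": removed, "added": added}
    return result


if __name__ == "__main__":
    for section, change in diff_backups(BACKUP_A, BACKUP_B).items():
        print(f"[{section}]")
        for line in change["removed"]:
            print(f"  - {line}")
        for line in change["added"]:
            print(f"  + {line}")
```

Run against two backup files pulled from /local/logs/scplogs/backups (or from the SCP destination), the diff tells you which section changed; the matching event log entry supplies the user and source address.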

For More Information about Logging


❐ Audit logging is discussed in Chapter 11: "Audit Logging"
❐ Event logging is discussed in this chapter


Log Message Terminology


The terms in the following table are used frequently in log messages.
Table 14–1 Log Message Terms

Addr-device: A command option for the IP address or hostname of a ProxySG
appliance.

backup ID: A string that uniquely identifies a backed-up configuration file
within the management domain.

cmd ID: A unique identifier generated by the content manager for each command
that is executed.

device ID: A string that uniquely identifies a ProxySG appliance record.

device spec: A group ID, device ID, or the hostname/IP address of a ProxySG
appliance.

Exponent: An integer that is used with an RSA key.

Filename: Name of a file. A filename should begin with an alphanumeric
character. It can contain the following characters: - (dash), _ (underscore)
or . (dot). Filenames of configuration files and Director image files are
case-insensitive.

group ID: A string that uniquely identifies a ProxySG appliance group within
the management domain.

Interface number: Used in network management. The interface number specifies
the number of a network interface on Director.

Job ID: A string that uniquely identifies a job within the management domain.

Keyword: A ProxySG appliance, group or addr-device.

Netmask: A 32-bit mask used to divide an IP address into subnets and specify
the network's available hosts.

PIN: Personal Identification Number for the front panel LCD, made up of four
numeric values.

Process ID (PID): A unique identifier assigned to all processes when they are
started. Each system has a maximum value for the PID number. When this is
reached, the PID numbering starts again.

state: The type of outstanding content query request (pending or in-progress).

urls from target: A file containing a list of URLs stored on a remote host.


Components of Director
Syslog messages are generated by the components of Director. They are explained
below:

Content Manager: Responsible for handling content management commands using
the Director command line.

Configuration Manager: Manages the configuration on Director. All the processes
on Director receive their configuration from the Configuration Manager. It also
enables the administrator to centrally manage multibox configuration and OS
upgrades.

LCD Panel Manager: Communicates with the front panel LCD and Configuration
Manager to handle the input and output via LCD. When it is not engaged in
configuring the system, LCD Panel Manager displays information, such as the
hostname and CPU utilization.

Communication Manager: Responsible for executing Director CLI commands on
ProxySG appliances. Clients, such as Configuration Manager and Content Manager,
which send Director CLI commands to the ProxySG appliances, communicate using
the Communication Manager.

Process Manager: Manages processes that run continuously in user address space.
It detects termination of all processes that are not requested by Process
Manager. Process Manager generates a syslog message every time a process starts
or exits.

Job Manager: Responsible for the execution of scheduled content and
configuration management commands.

About the Syslog


Director logs component messages by severity (also referred to as verbosity), as
discussed in more detail in "Syslog Messages" on page 424. Syslog acts as an error
manager, allowing you to view log entries on the local host and forward them to
remote hosts. Setting up a remote logging host increases the network traffic from
Director.
If Director reaches the remote logging host and the ProxySG appliances over the
same interface, extensive logging can impair the communication between the
devices and Director. Remote logging also increases the activity of the
Configuration Manager and slows down its operations.


Syslog Log Levels


You can set up logging verbosity levels to restrict the log messages sent to the
system log daemon (syslogd) and to the messages log (the console).
Destinations for log messages are referred to as log sinks.
❐ Console sink (the command line session): Set the level at which messages are
sent to all open command line sessions (the messages log). This is also the
level at which messages display on the terminal screen outside the log and on
the serial console.
❐ Local sink (/var/log/messages): Set the level at which messages are saved
locally. At the local sink, warning is the most verbose logging level you can
choose. If you try to choose a more verbose logging level (for example,
notice), an error message displays and the logging level resets to warning.

❐ Trap sink (remote host): Set the level at which remote messages are sent to
syslogd servers.

The following table lists log levels in order from most verbose to least verbose:
Table 14–2 Director log levels

notice_minor: Informative messages that do not indicate an error condition (for
example, every command line command is logged as notice_minor).

notice: Informative messages about events that are of more significance than
notice_minor. notice is the default logging level for the local sink.

warning: Indicates potentially serious error conditions that require immediate
attention.

error: Indicates errors between Director and external systems (such as Web
servers, SCP servers, and so on).

critical: Indicates serious Director errors. Critical messages and their
descriptions are not listed in this document. If critical messages recur, Blue
Coat recommends you copy the message exactly as it displays and provide the
error (along with the tasks you performed when the error occurred) to Blue Coat
Support. critical is the default logging level for the console sink.


Note:
• Log levels not listed in Table 14–2 are reserved for internal use.
• Avoid setting log levels to a high verbosity level except temporarily for
troubleshooting purposes. Using a high verbosity level like notice or
notice_minor can degrade performance due to the number of log
messages being created.

Navigating Through the Syslogs


Syslogs are generally long. Following are shortcuts to enter an interactive mode
where you can scroll through and search the syslog files:
Table 14–3 Syslog keyboard shortcuts

<: Places the cursor at the beginning of the file.
>: Places the cursor at the end of the file.
space: Page forward.
/string followed by Control: Search forward for string.
?string followed by Control: Search backward for string.
n: Find the next occurrence of string in the same direction. In other words, if
you previously entered /192.168.0.5, entering n searches forward for the next
occurrence of 192.168.0.5.
Up or Down arrow: Moves the cursor up or down one line at a time, respectively.
b: Places the cursor on the previous page.
q: Quit.


Syslog Messages
The following sections discuss selected syslog messages and their meanings:
❐ "Content Management Syslog Messages"
❐ "LCD Panel Manager Syslog Messages" on page 426
❐ "Communication Manager Syslog Messages" on page 427
❐ "Command Line Interface Syslog Messages" on page 429
❐ "Job Manager Syslog Messages" on page 430
❐ "Configuration Syslog Messages" on page 432
❐ "Configuration Management Syslog Messages" on page 433
❐ "Health Monitoring Syslog Messages" on page 437

Content Management Syslog Messages


Table 14–4 lists selected syslog messages displayed by the Content Manager
component:
Table 14–4 Content Management Messages

Message: Command ID: cmd ID Removed from the system.
Level: notice_minor
Description: The internal state associated with the specified command ID is
removed from the system. The content query command with the given ID will fail.

Message: Number of URLs/Regexes for Command ID cmd ID: number of URLs
Level: notice_minor
Description: Displays the number of URL lists or regular expression lists that
are being processed for the specified command.

Message: URL List <cmd ID> <URL number> <URL>
Level: notice_minor
Description: The message lists all URLs and their positions in the URL list for
the command specified by <cmd ID>.

Message: Number of Device IDs for Command ID <cmd ID>: <number of devices>
Level: notice_minor
Description: Displays the number of ProxySG appliances that are being used to
process the specified command.

Message: Device ID List <list ID> <device ID>
Level: notice_minor
Description: Displays each ProxySG appliance and its position in the specified
device ID list.

Message: Command ID: <cmd ID> Device ID: <device ID> Command: <command string>
Response: <response string>
Level: notice_minor
Description: Displays the command issued to the specified ProxySG appliance and
the associated response. If the response is an error, the message is logged as
a warning.

Message: Command ID: <cmd ID> Command accepted.
Level: notice
Description: The specified command is recognized as valid.

Message: Command ID: <cmd ID> Command completed.
Level: notice
Description: The command is executed successfully.

Message: cmd starting (pid = <Process ID>)
Level: notice
Description: This message is generated every time Content Manager is started.

Message: cmd exiting (pid = <process ID>)
Level: notice
Description: Content Manager is terminated.

Message: Command ID: <cmd ID> Device ID: <device ID> Command: <command string>
Response: <error>
Level: warning
Description: Displays the command issued to the specified ProxySG appliance and
the associated error response. If the response is not an error, the message is
logged at the notice_minor level.

Message: Command ID: <cmd ID> No candidate devices found for this command.
Level: warning
Description: No ProxySG appliances are available for the execution of the
command. Make sure the group has ProxySG appliances in it.

Message: Command ID: <cmd ID> Device ID <device ID> is not connected
Level: warning
Description: This message indicates that a command was issued to a ProxySG
appliance that was not connected to Director, perhaps because the device is not
functioning. If the command is of query type, it is terminated immediately. If
the command is of long running type, such as distribute or revalidate, then the
command is buffered for the configured time.

Message: Command ID: <cmd ID> Device/Group ID <device/group ID> not found
Level: warning
Description: Invalid ProxySG appliance/group ID. This happens if the
device/group record was removed while the Content Manager waited for the
urls-from command to complete.

Message: Command ID: <cmd ID> URL List download not successful
Level: warning
Description: Download of a urls-from target failed. The reason for the failure
is included in the message, if possible.

Message: Command ID: <cmd ID> the device went down.
Level: warning
Description: A command with the specified <cmd ID> is actively operating on the
ProxySG appliance.

Message: Command ID: <cmd ID> Invalid URL/Regex dropped
Level: warning
Description: At least one of the following in the file downloaded by the
urls-from command is invalid:
• a URL specified in the command
• the URL list
• the regular expression list

LCD Panel Manager Syslog Messages


Table 14–5 lists selected syslog messages displayed by the LCD panel manager
component:
Table 14–5 LCD panel manager messages

Message: Processing lock/change/save of ip config: ipaddr: <ip address>;
netmask: <subnet mask> dns: <dns address> gateway: <gateway>
Level: notice_minor
Description: This message is generated when you change network settings. The
message displays the configuration information that the LCD panel manager tries
to set, such as IP address, subnet mask, DNS server address and default gateway
IP address.

Message: LCD ready
Level: notice
Description: The LCD panel manager has initialized the LCD panel.

Message: Failed write because could not get config lock
Level: warning
Description: Before making configuration changes, you must acquire the
configuration lock as discussed in "About the Configuration Lock" on page 494.
Acquiring the lock so a user can modify Director using the LCD panel means
making sure no other user owns the lock.

Message: Failed write because configuration was changed by another user
Level: warning
Description: During the time one user was modifying the configuration using the
LCD panel, another user made configuration changes. Before you change
Director's configuration using the LCD panel, you must make sure no other user
is configuring Director.


Communication Manager Syslog Messages


Table 14–6 lists selected syslog messages displayed by the communication
manager component:
Table 14–6 Communication manager syslog messages

Message: Device <device ID>: attempting connection using ssh.
Level: notice
Description: Director is attempting to establish a connection with the
specified ProxySG appliance using SSH.

Message: Device <device ID>: attempting connection using telnet.
Level: notice
Description: Director is attempting to establish a Telnet connection with the
specified ProxySG appliance.

Message: Device <device ID> connected.
Level: notice
Description: Director has established a connection with the specified ProxySG
appliance.

Message: Device <device ID>: disconnected, Reason: <error>
Level: notice
Description: Director lost connection with the specified ProxySG appliance for
the reason stated.

Message: Device <device ID>: could not send bytes successfully
Level: notice
Description: Director failed to write commands to the specified ProxySG
appliance.

Message: Device Communication Daemon online
Level: notice
Description: This message is generated every time the Communication Manager
starts up.

Message: Device Communication Daemon exiting...
Level: notice
Description: This message is generated when the Communication Manager exits,
resulting in the loss of the connection between the ProxySG appliance and
Director.

Message: Device <device ID>: Incompatible device version <response>
Level: warning
Description: The specified ProxySG appliance has an SGOS version that Director
does not support. The version of the given ProxySG appliance is also displayed
in the message.

Message: Device <device ID>: enable password failed.
Level: warning
Description: The enable mode password for the specified device is incorrect.
Review the device configuration and change the enable mode password. You can
also change the enable mode password on the device.

Message: Pagination prompt detected. Resetting the connection.
Level: warning
Description: Communication Manager reset the connection to break out of the
pagination prompt.

Message: Device <device ID>: Did not get response for the command <name> for
past <number> seconds
Level: warning
Description: This message is generated when Director does not receive a
response from the ProxySG appliance for the specified command after the
displayed number of seconds.

Message: Device <device ID>: RSA authentication failed, response <error>
Level: warning
Description: SSH-RSA authentication with the specified device failed for the
reason stated.

Message: Device <device ID>: SSH authentication failed, response <error>
Level: warning
Description: The SSH client cannot establish a connection between the specified
ProxySG appliance and Director.

Message: Device <device ID>: authentication failed, password incorrect.
Level: warning
Description: This message is generated when the Telnet client fails to
establish a connection between the specified ProxySG appliance and Director.
The reason could be an incorrect password or login name.

Message: Device <device ID> : Couldn't fork SSH process
Level: warning
Description: Director cannot establish an SSH connection with the ProxySG
appliance because too many devices are already connected to Director.

Message: Device <device ID>: Couldn't fork Telnet process
Level: warning
Description: Director cannot establish a Telnet connection with the ProxySG
appliance because more devices are connected to Director than it can support.

Message: Device <device ID>: Did not get response while trying to connect for
past <number> seconds
Level: warning
Description: Director did not receive a response from the indicated device for
the indicated amount of time.


Command Line Interface Syslog Messages


Table 14–7 lists selected syslog messages displayed by the command line interface
component:
Table 14–7 Command line interface syslog messages

Message: Operation aborted by user.
Level: notice_minor
Description: This message is logged when you cancel a command or you enter
Control+C.

Message: Processing command: <Ctrl+D>
Level: notice_minor
Description: You pressed Control+D. Control+D is required to end input commands
but pressing Control+D on an empty line exits the command line session.

Message: Processing a secure command...
Level: notice_minor
Description: This message is generated when a command with sensitive
information, such as passwords or licenses, is processed.

Message: Processing command <error> <command>
Level: notice_minor
Description: The command you entered and the error are listed.

Message: Processing command: <cmd ID>
Level: notice_minor
Description: The command with the specified ID is recognized and is being
processed.

Message: CLI launched
Level: notice
Description: This message is generated every time a user starts a command line
session.

Message: CLI exiting
Level: notice
Description: A user exited a command line session.

Message: Automatically logged out due to keyboard inactivity.
Level: notice
Description: A user was automatically logged out of the command line session
because there was no activity for 15 minutes.

Message: Connection to host lost...
Level: notice
Description: A user was disconnected from Director because there was no
activity for 30 minutes.

Message: Failed to enter enable mode because privilege level was too low
Level: notice
Description: This message is logged when a user tried and failed to enter
enable mode because the user has insufficient privileges.

Message: User <user name> tried to enable and entered wrong password
Level: notice
Description: A user with the specified user name failed to enter enable mode,
either because the user has insufficient privileges or because the user entered
the wrong enable mode password.

Message: Entering enable mode
Level: notice
Description: A user successfully entered enable mode.

Message: Leaving config mode
Level: notice
Description: A user exited configuration mode, likely because of a period of
inactivity.

Message: Failed to enter config mode because another user had the lock
Level: notice
Description: A user was unable to enter configuration mode because the user did
not acquire the configuration lock as discussed in "About the Configuration
Lock" on page 494.

Message: Entering config mode
Level: notice
Description: A user successfully entered configuration mode.

Message: Leaving enable mode
Level: notice
Description: A user exited enable mode and returned to standard mode.
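Several of the messages in Tables 14–6 and 14–7 are the ones an operator monitoring Director would want surfaced rather than read off a scrolling syslog: failed enable attempts, a user locked out of config mode by the lock, SSH or Telnet authentication failures against a ProxySG appliance, and the Configuration-component message that reports the admin and enable passwords being reset (Table 14–9). The following is an added example, not part of the guide or of Director: it parses event log lines in the framing shown by the sample entry earlier in this chapter, applies the level ordering of Table 14–2 as a sink-style floor, and counts the messages above that should be alerted on, including repeated enable failures by the same user. The sample lines are constructed; the component tags for the non-CLI lines (ccd, cfg) and the "user@ip: " prefix on every CLI line are assumptions about the format, since the chapter shows only one real entry.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Director log levels from most to least verbose (Table 14-2 in this chapter).
LEVELS = ["notice_minor", "notice", "warning", "error", "critical"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Framing taken from the sample event log entry in this chapter. The optional
# "user@ip: " prefix is an assumption about non-"Processing command" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"<(?P<component>[^.>]+)\.(?P<level>[^>]+)> "
    r"(?P<host>\S+) (?P<proc>\S+?)\[(?P<pid>\d+)\]: "
    r"(?:(?P<user>[^@\s]+)@(?P<src>[\d.]+): )?"
    r"(?P<msg>.*)$"
)

# Messages from Tables 14-6, 14-7 and 14-9 worth alerting on; <...> fields
# in the documented message text become wildcards.
WATCH = {
    "cli_enable_wrong_password": re.compile(
        r"^User (\S+) tried to enable and entered wrong password"),
    "cli_enable_priv_too_low": re.compile(
        r"^Failed to enter enable mode because privilege level was too low"),
    "cli_config_lock_held": re.compile(
        r"^Failed to enter config mode because another user had the lock"),
    "passwords_reset": re.compile(
        r"^'admin' login and 'enable' passwords reset"),
    "device_auth_failed": re.compile(
        r"^Device (\S+): (?:RSA |SSH )?authentication failed"),
    "device_enable_failed": re.compile(r"^Device (\S+): enable password failed"),
}

# Constructed sample log; the first line is the guide's own example.
SAMPLE_LOG = """\
Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@0.0.0.0: Processing command: remote-config overlay new_overlay execute device 0.0.0.1
Jun 23 22:38:03 <cli.notice> hostname cli[1287]: admin@0.0.0.0: Entering enable mode
Jun 23 22:40:11 <cli.notice> hostname cli[1302]: operator@192.0.2.10: User operator tried to enable and entered wrong password
Jun 23 22:40:19 <cli.notice> hostname cli[1302]: operator@192.0.2.10: User operator tried to enable and entered wrong password
Jun 23 22:40:27 <cli.notice> hostname cli[1302]: operator@192.0.2.10: User operator tried to enable and entered wrong password
Jun 23 22:41:02 <cli.notice> hostname cli[1302]: operator@192.0.2.10: Failed to enter config mode because another user had the lock
Jun 23 22:42:40 <ccd.warning> hostname ccd[988]: Device sg-branch-01: SSH authentication failed, response permission denied
Jun 23 22:43:05 <cfg.warning> hostname cfg[610]: 'admin' login and 'enable' passwords reset
this line is deliberately not in the event log format
"""


@dataclass
class Entry:
    timestamp: str
    component: str
    level: str
    host: str
    proc: str
    pid: int
    user: Optional[str]
    src: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one event log line; None if it does not match the framing."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("level") not in RANK:
        return None
    return Entry(m["ts"], m["component"], m["level"], m["host"], m["proc"],
                 int(m["pid"]), m["user"], m["src"], m["msg"])


def at_least(level: str, floor: str) -> bool:
    """True if `level` is at least as severe as `floor` (Table 14-2 order)."""
    return RANK[level] >= RANK[floor]


def classify(entry: Entry) -> Optional[str]:
    """Name of the first WATCH rule the message matches, if any."""
    for name, pattern in WATCH.items():
        if pattern.match(entry.msg):
            return name
    return None


def scan(lines: Iterable[str], floor: str = "notice", threshold: int = 3) -> Dict:
    """Count watched messages at or above `floor`; flag users with repeated
    wrong enable passwords (>= threshold) for follow-up."""
    hits: Counter = Counter()
    enable_failures: Counter = Counter()
    parsed = unparsed = considered = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1          # keep count: gaps in parsing hide events
            continue
        parsed += 1
        if not at_least(entry.level, floor):
            continue
        considered += 1
        rule = classify(entry)
        if rule is None:
            continue
        hits[rule] += 1
        if rule == "cli_enable_wrong_password":
            enable_failures[WATCH[rule].match(entry.msg).group(1)] += 1
    return {
        "parsed": parsed, "unparsed": unparsed, "considered": considered,
        "hits": dict(hits),
        "repeated_enable_failures": sorted(
            u for u, n in enable_failures.items() if n >= threshold),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```

The floor argument mirrors the sink levels of "Syslog Log Levels": with the local sink capped at warning, the CLI notices above never reach /var/log/messages, so a collector that wants them must read the console sink or raise the sink level while troubleshooting, which the note after Table 14–2 warns has a performance cost.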

Job Manager Syslog Messages


Table 14–8 lists selected syslog messages displayed by the job manager
component:
Table 14–8 Job manager syslog messages

Message: Executing Job <job ID> execution <execution instance>
Level: notice_minor
Description: The specified job has started to execute.

Message: Job: <job ID> execution issued <cmd ID> commands, now exiting
Level: notice
Description: This message is logged every time the Job Manager receives a
signal while issuing commands.

Message: Job <job ID> execution <execution instance> <cmd ID> command. Output
<output>
Level: notice
Description: The output of all the commands that make up the job is displayed.

Message: Received a signal: <signal number>
Level: notice
Description: This message is generated when a signal is received by the Job
Manager. The signal number is also specified in the message.

Message: Job <job ID> execution <execution instance> finished running
Level: notice
Description: The specified job is completed.

Message: System time changed, recomputing job run time.
Level: notice
Description: This message is logged when the system clock changes and the next
running time is recomputed.

Message: Cancelling job: <job ID>
Level: notice
Description: A job that is currently executing or already executed is
cancelled.

Message: Executing Job <job ID> execution
Level: notice
Description: The job with the specified ID has begun execution.

Message: Can't delete job. Currently executing.
Level: notice
Description: The job that you tried to delete is currently running. It is
deleted after the execution is completed.

Message: Job was marked for deletion, so deleting.
Level: notice
Description: The job is deleted. It was marked for deletion when it was
running.

Message: Couldn't execute Job: <job ID>
Level: notice
Description: The specified job could not be executed.

Message: Received a SIGTERM, exiting.
Level: notice
Description: A TERM signal could be sent by a user who wants to force the Job
Manager to shut down.

Message: Job ID: <job ID> is_enabled: <true | false> job type: <type>
Level: notice
Description: The message notifies you whether the specified job is enabled.
The job type is also included in the message.

Message: time-of-day list follows id: <job ID> hrs:<hour> mins:<minute>
secs:<seconds>
Level: notice
Description: The job is automatically executed at all the specified times on
all the specified days of the week, within the constraints of the absolute
start and stop time/date. This job type has recurrence capability.

Message: last_run_time: <time> next_run_time: <time> current_weekday: <day of
the week>
Level: notice
Description: This message gives details about the last-run-time and the
next-run-time of the job. It also informs you whether the job is currently
executing.

Message: date-time-pairs list follows id: <job ID> date-time: <date, time>
Level: notice
Description: The job is performed only once at the exact date and time
specified. This job type has no recurrence capability.


Configuration Syslog Messages


Table 14–9 lists selected syslog messages displayed by the configuration
component:
Table 14–9 Configuration syslog messages

Message: Breaking config lock due to inactivity on session cli <session number>
Level: notice
Description: You have not made any configuration changes for the past 15
minutes, so you are logged out of Configuration mode.

Message: Tried to create invalid name: <workgroup name>
Level: warning
Description: A workgroup name is an arbitrary ASCII string up to 31
alphanumeric characters long.

Message: Tried to create invalid name, too long
Level: warning
Description: The workgroup name you tried to create is more than 31 characters
long.

Message: Found suspicious file <filename> with spec <spec>
Level: warning
Description: This message is logged when a bad Director image file is found.

Message: File <filename> is not a valid config file.
Level: warning
Description: The configuration file in use is invalid.

Message: File <filename> is not in a supported config file format.
Level: warning
Description: The specified configuration file does not have the right format.

Message: Couldn't load config file <filename>, inconsistent file size
Level: warning
Description: The specified configuration file is invalid.

Message: 'admin' login and 'enable' passwords reset
Level: warning
Description: This message appears when you reset the Admin and Enable
passwords.

Message: Workgroup \default\ can not be deleted.
Level: warning
Description: You tried to delete the workgroup called "default." Director is
shipped with "default" as its default workgroup. You can modify the settings of
the default workgroup but you cannot delete the default workgroup itself.

Message: <value> is an invalid workgroup priority, the valid range is <0..4>
Level: warning
Description: Workgroup priorities are set between 0 and 4. The highest priority
level is 0. The default priority level assigned to content is 4.


Configuration Management Syslog Messages


Table 14–10 lists selected syslog messages displayed by the configuration
management component:
Table 14–10 Configuration management syslog messages

Message Level Description


CCD lost connection to Notice_minor Director lost connection with the
device <device ID> ProxySG appliance.
Device <device ID> is Notice_minor This message is received when the
now online. ProxySG appliance is reconnected to
Director.
Help Device set to Notice_minor This message is generated when you
<device ID> designate a Help Device using the
remote-config help device
command. You can set a Help Device
that can provide context-sensitive help
and command completion. You can also
save the Help Device for future
references. The Help Device is set up
until cleared.
Help Device cleared Notice_minor This message is generated when you
enter the no remote-config help
device command. You have cleared
the Help Device. The command help is
no longer available.
Device <device ID> Notice The specified ProxySG appliance has
completed command(s) completed the execution of the listed
<cmd ID> commands.

Profile
Profile execution Notice_minor This message indicates if the backup
backup step complete during profile execution was a success.
for device <device ID> Backups for profiles are either created
<success | failure> automatically prior to each profile
application or explicitly by request.
They are stored in Director.
Importing profile Notice_minor This message notifies that Director is
<profile ID> from importing the profile with the given ID
<device ID> from the specified ProxySG appliance.
Profile execution Notice_minor This message is generated when
restore-defaults Director executes the restore-
complete for device defaults keep-console command,
<device ID> prior to applying the profile. This
command resets the specified ProxySG
appliance’s configuration, except IP
connectivity.

433
Director Configuration and Management Guide

Table 14–10 Configuration management syslog messages (Continued)

Message Level Description


Failed to import Notice The profile could not be pulled from the
profile <profile ID> specified ProxySG appliance.
from device <device
ID>

Profile execute failed Notice This message is generated when the


to reboot device specified ProxySG appliance cannot be
<device ID> automatically rebooted after the
restore-defaults keep-console
command is issued. A profile execution
is complete when the ProxySG
appliance is automatically rebooted
after the profile is applied to it.
Profile execution Notice After a profile is applied to an ProxySG
rebooting device appliance, the ProxySG appliance is
automatically rebooted.
Profile execution Notice This message notifies that the profile
reboot command execution reboot command is executed
complete. successfully. The ProxySG appliance is
Device <device ID> is rebooted and back online with the new
back on line profile.
Profile execution Notice Director has applied the license key to
licensing applied to the specified ProxySG appliance
<device> through a profile execution. The
licenses get applied automatically with
the profile.
Profile configuration Notice The profile configuration commands
applied to device are applied to the specified ProxySG
<device ID> device.

Overlay
Applying overlay Notice_minor This message is logged when you issue
<overlay ID> to the remote-config overlay
<keyword> <device execute command. Director has sent
spec> the overlay with the given ID to the
ProxySG appliances, specified by the
device spec.
Overlay push complete Notice Director has sent the overlay to the
for device <device ID> specified ProxySG appliance.

Backup
Beginning restoration Notice_minor This message is generated when you
of backup <backup ID> enter the remote-config backup
to <device ID> restore command to the specified
ProxySG appliance. The backup
restoration process has begun.

434
Chapter 14: Director Logging

Table 14–10 Configuration management syslog messages (Continued)

Message: Backup restore-defaults complete for device <device ID>
Level: Notice_minor
Description: Generated when Director executes the restore-defaults keep-console command prior to applying the backed-up configuration. This command resets the specified ProxySG appliance's configuration except for IP connectivity.

Message: <device ID> device <Pinning | Unpinning> backup <backup ID>
Level: Notice_minor
Description: Shows whether the backed-up configuration of the specified ProxySG appliance is being pinned or unpinned. Director stores a fixed number of backups per ProxySG appliance; the pin CLI command makes a backup permanent on Director, and the oldest unpinned backup is purged to make room for the latest one.

Message: Deleting backup <backup ID> from device <device ID>: <reason>
Level: Notice_minor
Description: The specified backup was deleted for the specified ProxySG appliance, either because it was the oldest unpinned backup or because you deleted it manually.

Message: Beginning to make backup of <keyword> <device spec>
Level: Notice_minor
Description: Generated when you issue the remote-config backup command for the device or device group specified by the device spec. The snapshot of the specified configuration has begun.

Message: Backup restore failed to reboot device <device ID>
Level: Notice
Description: Logged when the specified ProxySG appliance cannot be automatically rebooted after the backup restoration. A backup restoration is complete only when the backed-up configuration has been applied and the ProxySG appliance has rebooted.

Message: Backup restore rebooting device <device ID>
Level: Notice
Description: The ProxySG appliance is automatically rebooted after the backed-up configuration is applied to it.

Message: Backup restore reboot command complete. <device ID> is back on line.
Message: Backup configuration restored to device <device ID>
Level: Notice
Description: The backup restore command completed successfully. The ProxySG appliance has rebooted and is back online with the restored configuration.

Message: Rotating out backup file: <backup ID>
Level: Notice
Description: Backups are time-stamped and rotated out on a first-in, first-out basis once the number of backups for a ProxySG appliance reaches the configured maximum. You can prevent a specific backup from being rotated out by pinning it.

Message: Ignoring backup file <directory, backup ID> with no meta information.
Level: Warning
Description: The remote-config backup command generates two files: one holds the CLI commands that reflect the backed-up configuration, the other holds meta-information about the backup, such as whether it is pinned. This warning is logged when a backup file is found without a corresponding meta-information file; that backup file is not applied to the ProxySG appliance. This happens when the meta-information file was deleted manually or when the Configuration Manager crashed after writing the backup file but before creating the meta-information file.


Health Monitoring Syslog Messages


Table 14–11 lists selected syslog messages displayed by the health monitoring
component:

Table 14–11 Health monitoring syslog messages

Message: Device <id> has invalid serial number <serial-number>. Must be 10 digits
Level: Warning
Description: The device serial number on older platforms must be 10 digits.

Message: Could not refresh state for device/group
Level: Warning
Description: An error was encountered while trying to refresh the health state of the device or group.

Message: Change status for device <id>/<alert-id> to <new-state>
Level: Notice
Description: The state of an alert changed, for example from unacknowledged to acknowledged.

Message: Reached maximum number of alerts, deleting oldest
Level: Warning
Description: The maximum number of alerts (50,000) has been reached; the oldest alert is deleted.

Message: Received an alert without a description
Level: Warning
Description: An error was detected in an alert received from a device.

Message: Health state for group <id> changed from <old-state> to <new-state>
Level: Notice
Description: The health state of a group changed.

Message: Health state changed for device <id> from <old-state> to <new-state>
Level: Notice
Description: The health state of a device changed.

Message: Stopped snmp trap listener
Level: Notice
Description: Director stopped listening for SNMP traps.

Message: Start snmp trap listener
Level: Notice
Description: Director started listening for SNMP traps.

Message: found no matching devices, drop alert
Level: Notice
Description: An alert was received for a device that is not managed by this Director; the alert is dropped.


CLI Informational and Error Messages


The informational and error messages that follow are those you might see while
using the CLI. For error messages on:
❐ user problems: see Table 14–12 on page 438.
❐ Director management node front panel: see Table 14–13 on page 439.
❐ time management: see Table 14–14 on page 439.
❐ SNMP: see Table 14–15 on page 440.
❐ CLI help commands: see Table 14–16 on page 440.
❐ configuration mode: see Table 14–17 on page 441.
❐ configuring your devices: see Table 14–18 on page 442.
❐ group management: see Table 14–19 on page 443.
❐ logging messages: see Table 14–20 on page 443.
❐ Director image file management: see Table 14–21 on page 443.
❐ content management schedules: see Table 14–22 on page 444.
❐ password authentication: see Table 14–23 on page 445.
❐ setting up RADIUS or TACACS+ servers: see Table 14–24 on page 445.

Table 14–12 User Management Error Messages

Usernames and Passwords

Error message: Your account on this system was just deleted, logging off.
Description: The administrator has deleted your account.

Error message: The username <username> is reserved for internal use.
Description: A few usernames are reserved for Blue Coat internal use, and each username on the system must be unique. Choose another username.

Error message: Wrong password.
Description: If you forget your admin or enable password, you can clear the old passwords by using the password reset script.

Error message: Your user account does not have the required privilege to enter <Standard | Enable | Configuration> mode.
Description: Standard privileges are level 1, Enable privileges are level 7, and Configuration privileges are level 15. You are limited to the privilege level the administrator assigned you.

Error message: Your privilege level has been lowered to <privilege level>.
Description: You are limited to the privilege level the administrator assigned you.

Error message: User <username> does not exist.
Description: Displayed when you try to log on with a username that does not exist. Either you mistyped the username or the account has been deleted from the system.

Error message: User <username> already exists.
Description: Displayed when you try to create a user with a username that is already in the system. Each username must be unique.

Error message: Bad privilege value <privilege level> for user <username>. Must be <1,7,15>.
Description: The privilege value for this user must be 1 (standard mode), 7 (enable mode), or 15 (config mode).

Error message: No password given for enable.
Description: You have not set a password to enter Enable mode.

Error message: Username can be at most 8 characters.
Description: The username cannot be more than eight characters long.

Error message: Username can contain only alphanumeric characters.
Description: A username cannot contain spaces, wildcards, forward or backward slashes, brackets, or periods, and it must start with a letter.

Error message: User <username> is not allowed to delete this user.
Description: You do not have sufficient privileges to make this change.

Error message: User <username> is not allowed to change settings for this user.
Description: You do not have sufficient privileges to make this change, or you have not entered Enable or Configuration mode.

User Directory Management

Error message: Home dir must be <= 32 chars for user
Description: The name of the user's home directory cannot exceed 32 characters.

Error message: Invalid home dir: <home directory>
Description: The path of the home directory cannot be determined.


Table 14–13 LCD Error Messages

Error message: PIN should be 4 digits
Description: The front-panel PIN is a four-digit number.


Table 14–14 Time Management Error Messages

Clock

Error message: Not a valid timezone: <timezone>
Description: The time zone is not a valid entry. Select another value. For more information on the format, refer to the Blue Coat Director Command Line Interface Reference.

Error message: Not a valid date string
Description: Enter the date in yyyy/mm/dd format.

Error message: Not a valid time string
Description: Enter the time in hh:mm[:ss] 24-hour format.

NTP

Error message: Cannot have an ntp peer or server with a local IP address
Description: Local refers to the local Director management node. You must synchronize the local time with an external NTP peer or server.

Error message: NTP version must be between 1 and 4
Description: This refers to the version supplied with an ntp peer or ntp server command.

Error message: ntpd already running, cannot do ntpdate
Description: You issued the ntpdate hostname command while the NTP server is running. Stop the NTP server by typing no ntp enable, run ntpdate hostname, then type ntp enable.

Error message: Cannot ntpdate to a local IP address
Description: You issued the ntpdate hostname command with an IP address that is one of the Director machine's own addresses. You must synchronize the local time with an external NTP peer or server.

Error message: No server suitable for synchronization found
Description: You issued the ntpdate hostname command with an invalid server name, or the server cannot be reached.


Table 14–15 SNMP Error Messages

Error message: Invalid host <hostname> specified
Description: You entered an invalid hostname or an invalid IP address. Alphanumeric characters, dash ('-') and dot ('.') are allowed in a hostname.

Error message: Invalid mask length
Description: Enter a mask in the form 255.255.255.0 or as a prefix length such as /24.


Table 14–16 CLI Help Error Messages

Error message: Extraneous parameter <parameters> would be ignored.
Description: The command itself was recognized, but the words that follow it were not and are ignored. Re-enter the command up to that point and type ? to list the valid options.

Error message: Operation timed out.
Description: Displayed when a network connection does not respond within a reasonable time because of network problems, or when Director is waiting for a response to a command and none arrives.

Error message: Type 'device?' for help
Error message: Unrecognized command 'abcdef'
Error message: Type '?' for help
Description: This help message (or a variation of it) appears when you enter an invalid command.

Error message: Ambiguous command 's'. Type 'show s?' for a list of possibilities.
Description: When you enter a valid command with an ambiguous or invalid argument, you are asked to type ? after the valid part of the command to see the valid options.


Table 14–17 Configuration Management Error Messages

Error message: The configuration lock is not currently held by anyone.
Description: Result of the show configuration lock-holder query. If you do not use Director for 15 minutes, the lock is released.

Error message: Your configuration lock was broken by another user.
Description: Only one user can hold Director's configuration lock at a time. Another user can request that the lock be given to them.

Error message: No configuration activity for 15 minutes, breaking lock.
Description: You have made no configuration changes for the past 15 minutes. You are now in Enable mode.

Error message: No keyboard activity for 30 minutes, logging out.
Description: You were disconnected from Director because you did not use it for the past 30 minutes.

Error message: Not a valid IP address: <IP address>
Description: The IP address you entered is invalid. Check the IP address.

Error message: No requests are currently pending.
Description: You asked Director to execute a request, but no request is pending.

Error message: Image verification failed.
Description: The image fetch or image verify command was unable to verify that the image file you downloaded to your Director management node is a valid image file whose internal checksum matches the file's contents. (image verify is needed only when you did not use the CLI to download the Director image file.)

CLI Modes

Error message: Invalid date <date>. Please enter it in yyyy/mm/dd format.
Description: Director recognizes only dates and times entered in the correct format. The valid date format is shown in the message.

Error message: Lost contact with configuration subsystem, attempting reconnect...
Description: Displayed when Director is busy.

Error message: Unable to connect to configuration subsystem.
Description: Director is busy, or the configuration subsystem is not enabled. (If the configuration subsystem is not enabled, reboot Director.)

ARP

Error message: arp command failed to remove <IP address>
Description: The no arp IP_address command failed.

Error message: arp command failed to add <IP address>
Description: The arp IP_address hardware_address command failed. Check the addresses you entered.

Host Names

Error message: No valid hostname supplied.
Description: The command you entered requires a hostname.

Error message: Hostname: Could not set hostname to <hostname>
Description: The hostname is not valid, possibly because it contains illegal characters. Alphanumeric characters, dash ('-') and dot ('.') are allowed in a hostname.


Table 14–18 ProxySG Appliance Management Error Messages

Error message: device <Device ID> does not exist.
Description: You entered an invalid device ID. A ProxySG appliance must be registered with Director before it can be used.

Error message: <ID3> has not been defined as a device
Description: You must add the ProxySG appliance record to Director before attempting to connect to it.

Error message: Device ID contains invalid characters ('{,}') or '$'
Description: A ProxySG appliance ID cannot contain the characters named in the message.

Error message: Device IDs can only be 250 characters long.
Description: The maximum length of a ProxySG appliance ID is 250 characters.

Error message: For the device address please enter a hostname (e.g. www.bluecoat.com)
Description: Only a valid hostname, such as www.bluecoat.com, is accepted. Alphanumeric characters, dash ('-') and dot ('.') are allowed in a hostname.

Error message: There is no registered device with address <IP address>.
Description: You entered an invalid ProxySG appliance IP address, or the device is not registered. A ProxySG appliance must be registered with Director before it can be used.


442
Chapter 14: Director Logging

Table 14–19 Group Management Error Messages

Error message: Group <group ID> does not exist.
Description: You entered an invalid group ID when attempting content management commands. You must create the group on Director before you can use it.

Error message: <group ID> has not been defined as a group.
Description: You are attempting to manage content on a group that you have not defined as a group on Director.

Error message: There are no groups configured.
Description: Director cannot list any groups because you have not created any.

Error message: Group IDs can only be 250 characters long.
Description: When creating a new group, the maximum length of the group ID is 250 characters.

Error message: Group <group name1> cannot be a parent of group <group name2> because <group name2> is already an ancestor of <group name1>.
Description: Groups cannot be parents of each other; the group hierarchy cannot contain a cycle.

Error message: A group cannot be a parent of itself.
Description: You must add the child (nested) group to the parent group. You cannot add a parent to a child, or a group to itself.

Table 14–20 System Logging Error Messages

Error message: Invalid priority <log level>
Description: You entered an invalid logging priority level. Director accepts only the terms err, warning, notice, and notice_minor as logging levels; it does not accept level numbers.

Table 14–21 Director Image File Error Messages

Error message: Not a valid image file: <local spec>
Description: You entered an invalid Director software image filename. Use the correct syntax for the image file. local_spec is the specified file. Image filenames are case-insensitive.

Error message: File does not exist: <local spec>
Description: You entered the name of a Director software image file that does not exist. Be sure to use the correct syntax for the image file.

Error message: Failed to install image
Description: The image fetch command was unable to install the image file you downloaded to your Director management node.

Error message: Image does not contain a valid image.
Description: The image fetch command was unable to verify that the image file you downloaded to your Director management node is a valid image file whose internal checksum matches the file's contents.

Error message: Could not find attribute <manifest attribute> in manifest file
Description: The Director image file is corrupted or does not contain all the expected information. This image file cannot be installed.

Error message: Unable to set next boot image
Description: The image boot command failed.

Error message: Invalid remote file spec: <remote spec> Must be http://server[port]/[dir/]file or ftp://user:password@server/[dir/]file
Description: The filename or the syntax is incorrect. The error message gives examples of correct usage. Note that the ftp form places the FTP password on the command line, where it is recorded along with the command in the cli syslog messages.

Error message: Failed to download file <remote spec>
Description: The file was not downloaded. Possible reasons: the server was down, or you mistyped the URL.

Error message: Failed to extract manifest from downloaded file <file spec>
Description: The image is corrupted or does not contain all the expected information.

Error message: Failed to move/delete file
Description: Possible reasons: the disk is full, permissions are not correct, or the file was attempting to overwrite a read-only file.

Table 14–22 Job Management Error Messages

Error message: Invalid day "<day>". Valid days are Sun, Mon, Tue, Wed, Thu, Fri, or Sat.
Description: Enter days of the week in the abbreviated form Director understands: for example, mon, not Monday.

Error message: For the date and time, please enter a date in yyyy/mm/dd format between 1970/1/1 and 2038/1/18 followed by a time (hh:mm[:ss]).
Description: yyyy/mm/dd and hh:mm[:ss] are the valid date and time formats for jobs.

Error message: Schedule IDs can only be 250 characters long.
Description: The maximum length of a job ID is 250 characters.

Error message: Report generation was cancelled since the job was deleted
Description: You requested a job report and, while the request was being processed, the job was deleted.



Table 14–23 Authentication Error Messages

Error message: Minimum key size is 512
Description: You tried to generate an SSH host key with a key size smaller than 512 bits, the minimum. The default is 1024.

Error message: Maximum key size is 32768
Description: You tried to generate an SSH host key with a key size larger than the maximum stated in the message. The default is 1024. A 1024-bit RSA key is below current guidance; generate a larger key where your SSH clients support it.

Error message: The SSH server cannot be started until a host key is generated. Please use the 'ssh server hostkey rsakey generate' command.
Description: You have not set up SSH on your Director management node.

Error message: No RSA key found for device ID <device ID>
Description: You have not set up SSH-RSA for the ProxySG appliance. Generate an RSA key for the device before connecting through SSH-RSA.

Error message: Invalid public key
Description: Make sure that you copied the entire public key when you used the ssh client user username authorized-key rsakey command.

Error message: authtype values can only be (rsa, simple)
Description: Two authentication types are valid: rsa, which uses a public and private key pair; and simple password authentication, which is less secure than RSA.

Table 14–24 RADIUS Server Error Messages

Error message: Not a valid hostname: <hostname>
Description: The hostname is not valid. It must be a single word with no illegal characters. Alphanumeric characters, dash ('-') and dot ('.') are allowed in a hostname.

Error message: Too many radius hosts. Have <number>, max is <number>
Description: There can be no more than 10 RADIUS hosts.


Table 14–25 Miscellaneous

Error message: protocol values can only be (telnet, ssh)
Description: Director connects to ProxySG appliances by Telnet or SSH only; other connection protocols are not supported. Telnet carries the appliance credentials in clear text, so use SSH wherever the appliance supports it.

Error message: For the Web configuration port, please enter an integer between 0 and 65535
Description: The default Web configuration port is 8082. This value normally does not have to be changed.

Error message: A name server (or default gateway) must be an IP address in dotted-quad format (e.g. 10.25.36.47)
Description: Director understands only dotted-quad IP addresses, such as 10.25.36.47.

Error message: A domain name must be a hostname (e.g. www.bluecoat.com)
Description: Do not use an IP address for a domain name. The domain name must be in the format specified in the message.


Interpreting Audit Details


This section describes the audit log details for profiles, overlays, backups, and
jobs.

Profile, Overlay, and Backup Logging


Profile, overlay, and backup commands are logged in the order they are executed
on the target devices. The event log message includes the following:
❐ User name of the person logged in to the Director Management Console or
command line who executed the command
❐ The IP address of that person’s computer (that is, the computer from which
the Director Management Console or command line was started)
❐ The name of the overlay, profile, or backup
All the event log messages for command execution are bracketed by a start and an
end event log message that includes the name of the overlay, profile, or backup;
and the device ID on which the command is executed.
The following example shows the logged results of an overlay execution.
Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: remote-config overlay new_overlay-1151102100: execute device 10.9.44.38
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90: new_overlay-1151102100: Applying overlay <new_overlay> to cache 10.9.44.38
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90: new_overlay-1151102100: command 1: show version
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90:new_overlay-1151102100: command 2: show clock
Jun 23 22:37:57 <configd.notice> director configd: admin@10.2.11.90: new_overlay-1151102100: Overlay push complete for device "10.9.44.38"


The overlay in the preceding example has the following properties (property: example value).

Overlay name: new_overlay
Overlay execution instance: 1151102100
Director host name: hostname
Director IP address: directorIP
User name: admin
User IP address: 10.2.11.90


Job Logging
Jobs are logged with the following user names and IP addresses:
❐ If a job is executed immediately from the Director Management Console or
command line, Director logs the user name of the logged-in user and the IP
address of the computer from which the Director Management Console or
command line was started on the cli line that records the job execute
command.
❐ The work the scheduler and runner do on behalf of a job, and every job
execution other than an immediate one, is logged as sched@director (the
scheduler on the Director host) rather than under an interactive user, as the
example that follows shows.
❐ Job creation and edit commands are logged with the user name of the logged-
in user and the IP address of the computer from which the Director
Management Console or command line was started.
The event log messages for all job commands are printed as they are executed.
These event log messages include the following:
❐ Job ID
❐ Instance ID
The instance ID is used to distinguish one execution of a recurring job from
another.
❐ User name of the person executing the command
❐ The IP address of the user's computer


The following example shows the logged results of an immediate job execution.
Jun 23 22:35:00 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: job ab execute
(This cli message is present only for an immediate job.)
Jun 23 22:35:00 <schedulerd.notice_minor> hostname schedulerd: sched@director Executing Job "ab" execution 1151102100
Jun 23 22:35:00 <runner.notice_minor> hostname runner[1288]: sched@director:ab-1151102100: Processing command: remote-config profile ab execute device 10.9.44.38
Jun 23 22:35:00 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying profile <pab> to cache 10.9.44.38
Jun 23 22:35:00 <runner.warn> hostname runner[1288]: sched@director: ab-1151102100: command 1: "remote-config profile ab execute device 10.9.44.38". Output 1/1:\#% No commands to execute.\#
(Only error output from a command is logged.)
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying overlay <new_overlay> to group g
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.9.44.38"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.9.44.38"
Jun 23 23:15:07 <runner.notice> hostname runner[1517]: sched@director: ab-1151102100: Job "ab" execution 1151104506 finished running.
The job execution in the preceding example has the following properties (property: example value):

Job ID: ab
Job instance: 1151102100
Director host name: hostname
Director IP address: directorIP
User name: admin
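Both excerpts in this section share one line shape: timestamp, <daemon.level>, Director host, daemon[pid], user@origin, an optional <name>-<instance> execution tag, and the message. When reviewing who changed what, the fields worth extracting are the user, the origin (an IP address for an interactive user, the Director host for the scheduler), and the tag, because the tag is what ties the "Applying" start line, the pushed commands, and the "push complete" end line together. The following parser is an added example, not Director code or documentation; the sample lines are constructed in the shape of the two excerpts above (one cli line is simplified), and the field and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the overlay and job excerpts above
# (same hosts, IDs and addresses; not a capture from a real Director).
SAMPLE_LOG = """\
Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: remote-config overlay new_overlay execute device 10.9.44.38
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90: new_overlay-1151102100: Applying overlay <new_overlay> to cache 10.9.44.38
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90: new_overlay-1151102100: command 1: show version
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90:new_overlay-1151102100: command 2: show clock
Jun 23 22:37:57 <configd.notice> hostname configd: admin@10.2.11.90: new_overlay-1151102100: Overlay push complete for device "10.9.44.38"
Jun 23 23:15:07 <schedulerd.notice_minor> hostname schedulerd: sched@director Executing Job "ab" execution 1151102100
Jun 23 23:15:07 <runner.notice_minor> hostname runner[1288]: sched@director:ab-1151102100: Processing command: remote-config profile ab execute device 10.9.44.38
Jun 23 23:15:07 <runner.warn> hostname runner[1288]: sched@director: ab-1151102100: command 1: "remote-config profile ab execute device 10.9.44.38". Output 1/1:\\#% No commands to execute.\\#
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.2.11.211"
"""

# One audit line: timestamp, <daemon.level>, host, daemon[pid]:, user@origin,
# an optional "<name>-<instance>:" execution tag, then the message. The
# separator after user@origin is sometimes ": " and sometimes just ":".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"<(?P<facility>\w+)\.(?P<level>\w+)> "
    r"(?P<host>\S+) (?P<daemon>\w+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<user>[\w.-]+)@(?P<origin>[\w.-]+):? ?"
    r"(?:(?P<tag>[\w.-]+-(?P<instance>\d+)): )?"
    r"(?P<msg>.*)$"
)
# Device references as they appear in the messages above.
DEVICE_RE = re.compile(r'(?:to cache|for device|execute device) "?([\w.-]+)"?')
COMMAND_RE = re.compile(r"command \d+: (.*)$")


@dataclass
class AuditEvent:
    timestamp: str
    facility: str
    level: str
    host: str
    daemon: str
    pid: Optional[int]
    user: str
    origin: str             # user's IP address, or the Director host for scheduler activity
    tag: Optional[str]      # "<name>-<instance>" on profile/overlay/backup/job lines
    instance: Optional[int]
    message: str

    @property
    def scheduled(self) -> bool:
        """True for lines the scheduler or runner logged as sched@director."""
        return self.user == "sched"


def parse_line(line: str) -> Optional[AuditEvent]:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    g = m.groupdict()
    return AuditEvent(
        timestamp=g["ts"], facility=g["facility"], level=g["level"],
        host=g["host"], daemon=g["daemon"],
        pid=int(g["pid"]) if g["pid"] else None,
        user=g["user"], origin=g["origin"], tag=g["tag"],
        instance=int(g["instance"]) if g["instance"] else None,
        message=g["msg"],
    )


def parse_log(text: str) -> List[AuditEvent]:
    """Parse every line that matches; lines in another shape are skipped."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def executions(events: List[AuditEvent]) -> Dict[str, dict]:
    """Group tagged lines by execution: who ran it and from where, which
    devices were touched, which commands were pushed, whether the closing
    'push complete' bracket was seen, and how many warn/err lines occurred."""
    by_tag: Dict[str, dict] = {}
    for ev in events:
        if ev.tag is None:
            continue
        rec = by_tag.setdefault(ev.tag, {
            "user": ev.user, "origin": ev.origin, "devices": [],
            "commands": [], "complete": False, "warnings": 0,
        })
        dev = DEVICE_RE.search(ev.message)
        if dev and dev.group(1) not in rec["devices"]:
            rec["devices"].append(dev.group(1))
        cmd = COMMAND_RE.match(ev.message)
        if cmd:
            rec["commands"].append(cmd.group(1))
        if "push complete" in ev.message:
            rec["complete"] = True
        if ev.level in ("warn", "warning", "err"):
            rec["warnings"] += 1
    return by_tag


if __name__ == "__main__":
    for tag, rec in executions(parse_log(SAMPLE_LOG)).items():
        status = "complete" if rec["complete"] else "NO END BRACKET"
        print(f"{tag}: {rec['user']}@{rec['origin']} -> {rec['devices']} "
              f"{len(rec['commands'])} command(s), {rec['warnings']} warning(s), {status}")
```

An execution whose tag never reaches "push complete" is the case the start/end bracketing in the text is meant to expose; a scheduled execution shows up with user sched and origin director, so the person accountable for it has to be found from the job's creation or edit line, which is logged under the interactive user.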

Viewing Log Files


To view log files:
1. Use a Secure Shell (SSH) application to connect to Director.
2. Log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter the following command:
   director # show syslog [archived number]
   Using the command without the optional parameter enters an interactive
   mode where you can scroll through the current system logs using the same
   keys the UNIX less command uses. The common ones are:
   • Up and Down arrow keys to move up or down one line at a time
   • <space> to move down a page
   • b to move up a page
   • > to move to the end
   • < to move to the beginning
   • / followed by a search string and <cr> to do a forward search
   • ? followed by a search string and <cr> to do a backward search
   • n to find the next occurrence of the search string in the same direction as the last search
   • q to quit

Chapter 15: Backing Up Director and Devices

This chapter discusses the following topics:


❐ Section A: "Backing Up Devices" on page 452
❐ Section B: "Archiving Director" on page 463


Section A: Backing Up Devices


This section discusses the following topics:
❐ "About Device Backup" on page 452
❐ "Creating a Backup" on page 453
❐ "Pinning or Unpinning a Backup" on page 457
❐ "Restoring a Backup" on page 458
❐ "Deleting a Backup" on page 459
❐ "Comparing Two Backups" on page 459
❐ "Archiving Director" on page 463

About Device Backup


This section discusses the following topics:
❐ "General Information About Device Backups"
❐ "What is Not Backed Up" on page 453

General Information About Device Backups


A backup consists of all ProxySG appliance configuration settings except those
listed in "What is Not Backed Up" on page 453. You can create backups either
explicitly by request or automatically prior to each profile being run. They are
stored on Director.
You can also back up both the Director configuration and ProxySG appliance
backup files. Director backup, which is referred to as archiving, is discussed in
Section B: "Archiving Director" on page 463.
Director stores a certain number of backups per ProxySG appliance (the default
is 10). These are time-stamped and rotated out on a first-in, first-out basis after
the number of allowed backups per ProxySG appliance reaches the configured
maximum. You can prevent any specific backup from being rotated out by
pinning it. This allows you to save the backup for later use.

Note: You cannot set the maximum number of backups per ProxySG appliance to
a lower number than the number of backups that already exist on Director. To set
three backups as the default, for example, you must not have more than three
backups on Director. You can manually delete the extra backups. You set the
maximum number of backups using the Director command line.
The absolute maximum number of backups is 2000; at that size, however, Director
Management Console performance is significantly degraded and backup functions
such as sorting cannot be performed.


What is Not Backed Up


Any line of show configuration output that begins with one of the following
strings is not included in the backup:
❐ ip-default-gateway
❐ interface (the entire submode)
❐ line-vty (the entire submode)
Director does not back up any of the following ProxySG features:
❐ Content filtering database (although passwords are backed up)
❐ Access logs
❐ Event log
❐ Licenses
❐ Private key and certificate, unless they were configured using the show
keypair command
❐ The SGOS image itself
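The three excluded prefixes are exactly the appliance's management path (default gateway, interface addresses, and the virtual terminal lines), which is consistent with the restore-defaults keep-console step in Table 14–10 resetting everything except IP connectivity: a restored backup cannot cut Director off from the device. The following function is an added example, not Director code: it applies the exclusion list to a constructed show-configuration excerpt and returns the lines a backup file would contain beside the lines it would leave out. The sample configuration and the assumption that a submode ends at its exit line are mine; real SGOS output differs in detail. One caveat from the list above: the backup file carries passwords, so the file and Director's archive of it need the same protection as the appliance itself.

```python
from typing import List, Tuple

# Prefixes Director leaves out of a backup (from the list above). The first
# is a single command; the other two are submodes whose whole body is skipped.
EXCLUDED_COMMANDS = ("ip-default-gateway",)
EXCLUDED_SUBMODES = ("interface", "line-vty")

# Constructed show-configuration excerpt in the style of SGOS output. The
# submode layout assumed here is a header line, an indented body, and a
# closing "exit"; real output may differ.
SAMPLE_CONFIG = """\
!- Version: SGOS 5.4.2.1
hostname "proxy-1"
ip-default-gateway 10.9.44.1
interface 0:0 ;mode
 ip-address 10.9.44.38 255.255.255.0
 exit
line-vty
 telnet enable
 exit
dns server 10.9.44.5
access-log
 enable
 exit
"""


def split_config(show_config: str) -> Tuple[List[str], List[str]]:
    """Split 'show configuration' output into (backed_up, excluded) lines.

    A top-level line is one with no leading whitespace. An excluded submode
    runs from its header line through the first line reading 'exit' (at any
    indentation); everything in between is connectivity configuration that a
    restore leaves untouched.
    """
    kept: List[str] = []
    dropped: List[str] = []
    in_excluded_submode = False
    for line in show_config.splitlines():
        if in_excluded_submode:
            dropped.append(line)
            if line.strip() == "exit":
                in_excluded_submode = False
            continue
        top_level = bool(line) and not line[0].isspace()
        if top_level and line.startswith(EXCLUDED_SUBMODES):
            in_excluded_submode = True
            dropped.append(line)
        elif top_level and line.startswith(EXCLUDED_COMMANDS):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


def backup_text(show_config: str) -> str:
    """The CLI-command file a backup of this configuration would hold."""
    return "\n".join(split_config(show_config)[0]) + "\n"


if __name__ == "__main__":
    kept, dropped = split_config(SAMPLE_CONFIG)
    print("backed up:\n" + "\n".join(kept))
    print("not backed up (restore leaves these alone):\n" + "\n".join(dropped))
```

Because the dropped lines are never in a backup, a change to the gateway or an interface address on the appliance is invisible to a backup diff; record those separately if you rely on Director backups for configuration drift detection.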

Creating a Backup
Backups are created two ways: automatically, immediately prior to a profile, or
manually, at the point when you need a backup. The manual backup procedure is
discussed below. To schedule a backup job, see Section C: "Scheduling Jobs" on
page 274.

To start the Backup Manager:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of creating the backup.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. In the Devices pane, click the name of the device to back up.
5. In the Description section for the device, click Launch Backup Manager.


The Backup Manager dialog box displays.

The Backup Manager dialog box contains a summary table and buttons to create,
view, edit, pin, unpin, delete, restore, and refresh the list of backups.
Director automatically creates a backup when you execute a profile on a specified
device. If you want to create a backup without sending a new configuration to a
ProxySG appliance, click Create below the summary table and follow the
procedure that follows.


To create a backup using the Backup Manager:


1. Click Create below the Backup Manager table.

2. At the confirmation dialog box, click Yes.


Director creates the backup.

3. You have the following options:

Name field: Enter an optional name to describe this backup and click Save Name.
This name is added to the value displayed in the Name column.

Description field: Enter an optional description and click Save Description. The
description displays in the Description column.

View Contents button: Displays the backup contents in the right pane.

Diff button: Control+click another backup and click Diff to display the
differences between the backups. For more information about diff, see
"Comparing Two Backups" on page 459.


4. Click Close.


Commands Related to Device Backups


First, enter the following command to start backup submode:
director (config) # remote-config backup
This command changes the prompt to:
director (config remote-config backup) #
Then enter the following commands:
(config remote-config backup) # addr-device ip_address_or_hostname
(config remote-config backup) # all
(config remote-config backup) # [no] device device_id [backup_id {comment backup_comment | name backup_name | pin}]
(config remote-config backup) # group group_id

Pinning or Unpinning a Backup


You can make a backup of a ProxySG configuration and keep it permanently by
pinning it. By default, backups are unpinned and are rotated out of storage after
the maximum number of backups is reached.
The maximum number of backups per device defaults to 10 and can be changed with
the command remote-config backups option max-backups number (subject to the
ceiling of 2000 noted in "General Information About Device Backups"). The
maximum number of pinned backups is one less than the maximum number of
backups allowed.

Note: You must leave at least one backup unpinned.

To pin or unpin a backup:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Devices pane, click the name of the device whose backups you want to
pin or unpin.
4. In the Description section for the device, click Launch Backup Manager.
The Backup Manager dialog box displays.
5. Click one or more backups in the Backup Manager table. (Hold down the
Control key while clicking to choose more than one backup.)
6. Click Pin or Unpin.
7. At the confirmation dialog box, click Yes.


The Backups for Device section displays as follows: a check mark displays in the
Pinned column to indicate pinned backups, and an X displays in the Pinned
column to indicate unpinned backups.
8. Click OK.

Restoring a Backup
If you encounter problems on a ProxySG appliance with its current configuration,
you can restore a known good configuration from a saved backup. There are
several ways to restore configurations to ProxySG appliances:
❐ With a manual, stored, time-specific backup
❐ Using a profile or an overlay

Note: You can also back up and restore the Director configuration, including
the ProxySG backups stored on Director. For more information on backing up
Director, see "Backing Up Director and Devices" on page 451.

When a backup is restored, the following procedure takes place:


❐ The restore-defaults command is sent over the configured protocol.
❐ After sending the restore-defaults command, the reconnection protocol is
SSH Simple.
❐ After reconnecting, the backup is applied to the ProxySG appliance; then the
connection protocol is switched to the configured protocol.

To restore a backup:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Devices pane, click the name of the device to restore from backup.
4. In the Description section for the device, click Launch Backup Manager.
The Backup Manager dialog box displays.
5. Click the name of the backup to restore.
6. Click Restore.
7. At the confirmation dialog box, click Yes.
8. When the restore is complete, click Close.


Deleting a Backup
Director deletes backups automatically as the number of backups reaches the
maximum number you select. You can also manually delete backups.

To delete a backup or a pinned backup:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Devices pane, click the name of the device whose backup you want to
delete.
4. In the Description section for the device, click Launch Backup Manager.
The Backup Manager dialog box displays.
5. Click the name of a backup.
6. Click Delete.
7. At the confirmation dialog box, click Yes.
8. Click Close.

Related Commands
First, start remote configuration backup submode by entering the following
command:
director (config) # remote-config backup
This command changes the prompt to:
director (config remote-config backup) #
Then enter the following commands:
(config remote-config backup) # no device device_id [backup_id {comment backup_comment | name backup_name | pin}]
(config remote-config backup) # no un-pinned
(config remote-config backup) # restore device device_id backup_id

Comparing Two Backups


This section discusses how to compare the results of two backups using the
Director Management Console or command line. You compare only the results of
two backups for the same device; you cannot compare the results of backups of
different devices.

To compare two backups:


1. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
2. Click the Configure tab.


3. On the Configure tab page, in the Groups section, expand the group
containing the device whose backups you wish to compare.
4. In the Devices section, click the name of the device whose backups you wish
to compare.
5. Click Launch Backup Manager.
6. In the Backup Manager dialog box, in the Backups for Device section, hold
down the Control key and click two backups to compare.
A sample follows. (Figure: two backups selected in the Backups for Device table.)

7. Click Diff.


A sample comparison follows. (Figure: the Diff dialog box, with callouts marking
the function buttons and the legend.)

8. Use the legend at the bottom of the dialog box to interpret the results.
9. Use the function buttons as follows:
Table 15–1 Diff backups dialog box function buttons

Button     Meaning
Search     Displays a search field so you can search for text. Diff searching supports text searching only, not logic such as Boolean or regular expressions.
Find next  Used in conjunction with the Search button to perform the same search again.
Prev diff  The cursor in the right pane moves to the previous difference.
Next diff  The cursor in the right pane moves to the next difference.
Save as    Saves the difference file in unified format, which uses plus and minus signs to indicate differences: each line that occurs only in the left file is preceded by a minus sign, each line that occurs only in the right file is preceded by a plus sign, and common lines are preceded by a space.

Commands Related to Comparing Backups

director (config) # remote-config diff {context | unified} backups first_device_id first_backup_id second_device_id second_backup_id
where:

• context format uses an identification line for each file, containing the
filename and modification date.


• unified (default) uses plus and minus signs to indicate differences. Each
line that occurs only in the left file is preceded by a minus sign, each line
that occurs only in the right file is preceded by a plus sign, and common
lines are preceded by a space.
• first_device_id indicates the hostname or IP address of the device whose
backup you want to compare; first_backup_id is the backup on the device
you want to use; second_device_id indicates the hostname or IP of the
second device (it can be the same one) you want to compare; and
second_backup_id indicates the backup you want to compare to the first
backup.

--- /local/tmp/10.25.36.48-10.25.36.48-2004.04.06-180451 Wed Apr 7 21:24:25 2004


+++ /local/tmp/10.25.36.48-10.25.36.48-2004.04.06-182142 Wed Apr 7 21:24:25 2004
@@ -6,6 +6,16 @@
!
!
!
+content-filter ;mode
+download day-of-week none
+download day-of-week sun
+select-provider smartfilter
+smartfilter ;mode
+download url http://list.smartfilter.com/cgi-bin/getlist.cgi?version=4.0&file=sfcontrol
+download username test
+download password "test123"
+exit
+exit
!
ntp interval 180
!
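Review bot: the `+download username test` and `+download password "test123"` lines write the content-filter download credential into the device configuration in the clear, so from this backup on it is stored in every backup Director keeps for the device and in any diff saved from the Backup Manager; treat exported backups and saved diff files as credential-bearing, and rotate this password if the value shown is not a placeholder.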
@@ -17,11 +27,11 @@
security hashed-enable-password $1$/L3S/lX$ElR3VYQrwV4mMA7MRbxGI1
security no enforce-console-acl
-inline policy vpm-xml "end-260826895-inline"
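As an added example (not code from the guide or from Blue Coat), the following Python script parses a unified-format report like the one above, checks each hunk's line counts against its @@ header so that a truncated copy of the report is detected, and lists the changed lines that carry credentials with their values masked; the embedded diff is constructed after the sample above, with placeholder values for the hash and the policy marker.

```python
"""Parse the unified-format report of `remote-config diff unified backups`
and summarise it for review.  Added example, not Blue Coat's or the guide's
code; SAMPLE_DIFF is constructed with placeholder values."""
import re
from dataclasses import dataclass, field

# Constructed in the shape of the guide's sample: the second backup adds
# cleartext content-filter download credentials and changes a policy marker.
SAMPLE_DIFF = """\
--- /local/tmp/10.25.36.48-10.25.36.48-2004.04.06-180451 Wed Apr 7 21:24:25 2004
+++ /local/tmp/10.25.36.48-10.25.36.48-2004.04.06-182142 Wed Apr 7 21:24:25 2004
@@ -6,5 +6,10 @@
 !
 !
+content-filter ;mode
+download day-of-week none
+download username test
+download password "test123"
+exit
 !
 ntp interval 180
 !
@@ -17,3 +22,3 @@
 security hashed-enable-password $1$EXAMPLE$placeholderhash
 security no enforce-console-acl
-inline policy vpm-xml "end-260826895-inline"
+inline policy vpm-xml "end-260826896-inline"
"""

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
# Keywords whose changed lines deserve review; their values are masked below.
SENSITIVE_RE = re.compile(r"password|secret|community|private-key", re.I)


@dataclass
class Hunk:
    old_start: int
    old_len: int
    new_start: int
    new_len: int
    removed: list = field(default_factory=list)  # lines only in the left backup
    added: list = field(default_factory=list)    # lines only in the right backup

    def check_counts(self, old_seen, new_seen):
        """A truncated or hand-edited report shows up as a count mismatch."""
        if (old_seen, new_seen) != (self.old_len, self.new_len):
            raise ValueError(f"hunk -{self.old_start} +{self.new_start}: header "
                             f"promises {self.old_len}/{self.new_len} lines, "
                             f"body holds {old_seen}/{new_seen}")


def parse_unified(text):
    """Return ([left_path, right_path], [Hunk, ...]) for a unified diff."""
    paths, hunks, cur = [], [], None
    old_seen = new_seen = 0
    for raw in text.splitlines():
        if cur is None and raw[:4] in ("--- ", "+++ "):
            paths.append(raw[4:].split()[0])    # path precedes the timestamp
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            if not m:
                raise ValueError(f"bad hunk header: {raw!r}")
            if cur is not None:
                cur.check_counts(old_seen, new_seen)
            cur = Hunk(int(m[1]), int(m[2] or 1), int(m[3]), int(m[4] or 1))
            hunks.append(cur)
            old_seen = new_seen = 0
        elif cur is None:
            continue                            # text before the first hunk
        elif raw.startswith("+"):
            cur.added.append(raw[1:])
            new_seen += 1
        elif raw.startswith("-"):
            cur.removed.append(raw[1:])
            old_seen += 1
        elif raw.startswith(" ") or raw == "":  # context; some tools emit ""
            old_seen, new_seen = old_seen + 1, new_seen + 1
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if cur is not None:
        cur.check_counts(old_seen, new_seen)
    return paths, hunks


def redact(line):
    """Mask the value that follows a password-style keyword."""
    return re.sub(r"(?i)(password\s+)\S+", r"\1<redacted>", line)


def summarize(text):
    """Count changed lines and list the sensitive ones with values masked."""
    paths, hunks = parse_unified(text)
    sensitive = [(i, sign, redact(line))
                 for i, h in enumerate(hunks)
                 for sign, lines in (("-", h.removed), ("+", h.added))
                 for line in lines if SENSITIVE_RE.search(line)]
    return {"paths": paths, "hunks": len(hunks),
            "added": sum(len(h.added) for h in hunks),
            "removed": sum(len(h.removed) for h in hunks),
            "sensitive": sensitive}
```

Feed it the text written by Save as (or captured from the CLI command) to get a redacted change summary that is safe to attach to a change ticket.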


Section B: Archiving Director


This section describes how to back up Director configuration and system data and
upload it to a secure location for archival purposes. It also describes how to
download and restore the configuration and data.
Director provides several different types of backups. The configuration write (or
write mem) command saves the Director configuration only. The Director archive
command enables you to back up different types of data.
This section discusses the following topics:
❐ "Saving Director’s Configuration" on page 463
❐ "Archiving and Restoring the Entire Director Configuration" on page 466

Note: Director does not archive its IP addresses so an archive taken on one
Director appliance can be restored on another Director appliance without
changing the target Director’s IP addresses.

Saving Director’s Configuration


Before starting an upgrade, you should save Director’s current configuration.
Saving the configuration is the only way to recover Director settings in the event
of a rollback. For example, if you save your SGME 5.3.1.3 configuration, upgrade
to SGME 5.4.1.1, and later need to roll back, the only way to recover all of your
settings is from the SGME 5.3.1.3 configuration you saved.

Note: Configurations are stored on Director; they are not archived.

This section discusses the following topics:


❐ "What is a Configuration?"
❐ "Saving a Configuration" on page 464
❐ "Changing the Active Director Configuration" on page 465
❐ "Deleting Configuration Files" on page 465


What is a Configuration?
A configuration includes the following:
❐ Director’s network configuration (IP address, DNS servers, and so on)
❐ Profiles, overlays, jobs, groups, and devices
❐ Objects associated with profiles, overlays, jobs, and groups (for example,
substitution variables, URL lists, regular expression lists, and so on)
The following are not included in a configuration:
❐ Alerts
❐ SNMP (after restoring the archive, SNMP will be disabled and SNMP
contact information reverts to its default values)
❐ NTP

Saving a Configuration
This section discusses how to save a configuration.

To save a configuration:
From the (config) prompt, enter either of the following commands:
director (config) # configuration write

director (config) # configuration write to filename


where:
• write permanently saves the active configuration. (You can revert changes
made to the active configuration before they are saved to disk. After the
changes have been written to disk, you cannot revert them. To revert changes,
use the configuration revert command.)
• write to saves the active configuration to a file and makes the file the active
configuration.
• filename is the name of the configuration file.

Note: You can also save an empty configuration file that contains the shipping
defaults and, optionally, the IP addresses, using the configuration new filename
[keep-console] command. The optional keep-console parameter preserves
Director’s IP addresses.

To view configuration files already existing on Director:


director (config) # show configuration files
For example:
director (config) # show configuration files
File initial:
Size: 4.9 kilobytes
File sgme-5.3.1.2 (active):
Size: 4.9 kilobytes
Free space remaining: 25.5 gigabytes


To rename a configuration file:


director (config) # configuration move current_filename new_filename

Changing the Active Director Configuration


This section discusses how to switch to a previously saved configuration.

Note: Changing configurations affects all users connected to Director using the
command line, the Management Console, and the serial console.

Use the following command to switch to a previously saved configuration:


director (config) # configuration switch-to filename
The file becomes the active configuration, replacing the running configuration
(which is not saved). Subsequent write memory commands affect the new
configuration.

Note: The configuration switch-to command can cause an internal error on
some configurations if you switch to an empty configuration file.

Deleting Configuration Files


If an old configuration file is deleted, you can recover it only if you store it
elsewhere. You cannot roll back to an earlier release if you previously used the
configuration destroy-old-files command to remove the configuration files.

To delete unused configuration files:


From the (config) prompt, enter the following command:
director (config) # configuration delete config_filename

Note: If you do not know the name of the configuration filename to delete, enter
configuration delete ? to see the list of files that can be deleted.


Archiving and Restoring the Entire Director Configuration


This section discusses how to archive Director either using the command line or
using a job in the Management Console. See one of the following topics for more
information:
❐ "About Archives"
❐ "Prerequisites for Archiving Director" on page 467
❐ "Archiving Director Using the Management Console" on page 470
❐ "Archiving Director Using the Command Line" on page 474

About Archives
You can create the following archive types:
❐ archive all—Includes configuration, event log, device backup, and job report
backup data.

Note: The following configuration settings are not preserved when you create
an archive:
• Director’s IP addresses
• SNMP (after restoring the archive, SNMP will be disabled and SNMP
contact information reverts to its default values)
• NTP

❐ archive config—Includes the Director configuration files only. This archive
includes the device settings, network settings, profiles, overlays, and
scheduled job data.
❐ archive device-backup—Archives all device backups.
❐ archive event-log—Includes only event log data, which is stored in
/var/log/messages. Director components generate these syslog entries during
runtime. The archive event-log includes all of the /var/log/ files and the log
files in the /local/log/ directory.

❐ archive job-report—Includes job report data only. Job reports list the job
commands as well as errors that are encountered.
Generally, archive all is recommended because it is the most comprehensive.
However, you can archive individual components separately, for example, to save
space (if some components change more often than others).

Note: The configuration archive commands are memory and disk intensive. A
temporary copy of the configuration is created before archival. Blue Coat
recommends that you purge unwanted backup and configuration files from
Director before creating an archive.


Prerequisites for Archiving Director


This section discusses the following prerequisite tasks, which you must complete
before archiving Director using either the Management Console or the command
line:
❐ "Before You Begin Archiving Director"
❐ "Standby Prerequisite: Make Both Directors Standalone" on page 467
❐ "Creating an Encryption Keypair" on page 467

Before You Begin Archiving Director


Make sure you have access to an HTTP, SCP, or FTP server and credentials to
upload data to it.

Standby Prerequisite: Make Both Directors Standalone


Before restoring an archive to either the primary or secondary Director in a
standby pair, you must make both Directors standalone using the
make-standalone command. After restoring the archive, make the standalone
Directors primary and secondary again using the make-primary and
make-secondary commands.
For more details, see Chapter 13: "Configuring Director Redundancy".

Creating an Encryption Keypair


You can either generate a key pair or you can input an existing public key. You
must generate the key with the show keyword so you can input it later. You must
also specify a pass phrase. Because archives are SSH-RSA encrypted, a public key
is required for archiving the Director configuration and a private key is required
for restoring the configuration.
The pass phrase is used to decrypt the private key when you restore the archive
on Director. (Zero-length passphrases are not valid.)
The Director appliance has a key named default you can use without any
additional configuration. To use the default key, skip this section and continue
with one of the following sections:
❐ "Archiving Director Using the Management Console" on page 470
❐ "Archiving Director Using the Command Line" on page 474

To create an archive key:


1. Use a Secure Shell (SSH) application to connect to Director as discussed in
"Using the Director Command Line" on page 38.
2. Enter enable mode.
director > enable

3. If prompted, enter the enable mode password.


4. Create an encryption key.
director # archive generate key keyname

The show subcommand creates the named key pair. For example,


director # archive generate key mykey

Note: The following error indicates you do not have the appropriate privilege
to use this command:
% Error while generating key "mykey"
Only the Director admin user can enter this command.

5. View the archive key.


director # show archive key keyname
Enter pass phrase here:

When prompted, enter a passphrase. Write down the passphrase. If you lose
the passphrase, you will not be able to restore the archive. After entering the
passphrase, press Enter.
The key pair displays similarly to the following (the Base64 key material is
omitted here):
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,...
...
-----END RSA PRIVATE KEY-----


6. Copy the entire key pair (including all beginning and ending tags like -----
BEGIN PUBLIC KEY----- and -----END RSA PRIVATE KEY-----) and paste it into
a text editor as shown in the following example:

7. Save the text file on your local computer.


Do not save the key on Director. You must input the key before restoring the
archive, even if you use the Director Management Console to create and
upload the archive.
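As an added example (not Blue Coat's code), the following Python script checks the key file saved in step 7 before a restore depends on it: it confirms the file holds complete PUBLIC KEY and RSA PRIVATE KEY blocks, that the private key carries the Proc-Type: 4,ENCRYPTED and DEK-Info headers shown in step 5 (that is, it is passphrase-protected), and that the Base64 bodies decode; the embedded key text is constructed dummy material, not a real key pair.

```python
"""Sanity-check a saved Director archive key file before a restore depends
on it.  Added example, not Blue Coat code; KEY_TEXT is constructed with
dummy key material, not a real key pair."""
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z ]+)-----$")

# Constructed stand-in for the text pasted in step 6: a PUBLIC KEY block and
# a passphrase-protected RSA PRIVATE KEY block with the headers the guide shows.
KEY_TEXT = "\n".join([
    "-----BEGIN PUBLIC KEY-----",
    base64.b64encode(b"\x30\x03\x02\x01\x05").decode(),  # dummy DER SEQUENCE
    "-----END PUBLIC KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF",           # dummy IV
    base64.b64encode(b"\x00" * 16).decode(),             # dummy ciphertext
    "-----END RSA PRIVATE KEY-----",
    "",
])


def parse_pem_blocks(text):
    """Return [(label, headers, body_bytes), ...]; raise on a broken paste."""
    blocks, label, headers, body = [], None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if BEGIN_RE.match(line):
            if label is not None:
                raise ValueError(f"missing END for {label}")
            label, headers, body = BEGIN_RE.match(line)[1], {}, []
        elif END_RE.match(line):
            if END_RE.match(line)[1] != label:
                raise ValueError(f"{line} does not close an open BEGIN {label}")
            try:
                raw = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:         # binascii.Error subclasses it
                raise ValueError(f"{label}: corrupt Base64 body") from exc
            blocks.append((label, headers, raw))
            label = None
        elif label is None or not line:
            continue                          # text outside any block
        elif ":" in line and not body:        # RFC 1421 headers precede the body
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
        else:
            body.append(line)
    if label is not None:
        raise ValueError(f"missing END for {label}")
    return blocks


def check_archive_key(text):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    found = {label: (headers, raw) for label, headers, raw in blocks}
    problems = []
    if "PUBLIC KEY" not in found:
        problems.append("no PUBLIC KEY block (needed to create archives)")
    elif not found["PUBLIC KEY"][1].startswith(b"\x30"):
        problems.append("PUBLIC KEY body is not a DER SEQUENCE")
    if "RSA PRIVATE KEY" not in found:
        problems.append("no RSA PRIVATE KEY block (needed to restore)")
    else:
        headers, raw = found["RSA PRIVATE KEY"]
        dek = headers.get("DEK-Info", "")
        if headers.get("Proc-Type") != "4,ENCRYPTED" or not dek:
            problems.append("private key is not passphrase-protected")
        else:
            block = 16 if dek.upper().startswith("AES") else 8  # 3DES = 8
            if len(raw) % block:
                problems.append("encrypted private key body is truncated")
    return problems
```

The check does not need the passphrase, so it can be run on the copy kept off Director at any time; an empty result only confirms the file is complete and encrypted, not that the passphrase was recorded correctly.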


Archiving Director Using the Management Console


The Director Management Console creates and uploads an archive to an external
server using a configuration job. Like any configuration job, you can execute it
immediately, schedule it to run one time in the future, or schedule it to run
periodically.
For more information about configuration jobs, see Chapter 7: "Managing
Content Collections".
Before you continue, make sure you review the following information:
❐ "About Archives" on page 466
❐ "Prerequisites for Archiving Director" on page 467

To create a configuration job to archive Director and upload the archive to an
external server:
1. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
2. Click the Jobs tab.
3. On the Jobs tab page, in the Job Library section, from the Show list, click either
Config Jobs or All.

4. Click New > New Job > Config.
The Create New Job dialog box displays.
5. In the Create New Job dialog box, on the Properties tab page, enter a name to
identify the job in the Job Name field.
6. Enter a unique job identifier in the Job ID field.
7. Make sure the Enabled check box is selected.
8. Click the Actions tab.
9. On the Actions tab page, click New.
10. From the Actions list in the right pane, click Create and Upload Archive.


The Actions tab page displays as follows.


11. Enter the following information:


Item                        Description
Archive Type list           From the list, click the type of archive to create. For an explanation of the options, see "About Archives" on page 466.
With Key list               Select the key to use to encrypt the archive.
Upload URL field            Enter the URL of the external server to which to upload the archive. The URL can optionally include the file name. If you omit the file name, the archive is uploaded to the external server with a name like the following:
                            sgmearchive-director-all-2008.12.03-004256.tgz
                            Valid URL formats follow:
                            scp://host//path
                            ftp://host/path
                            http://host/path
                            For example, to upload the archive to a directory using the SCP protocol, enter
                            scp://192.168.0.50//director
                            For example, to upload the archive using a different name using the FTP protocol, enter
                            ftp://192.168.0.50//director/director_5.4.1.1_04-01-09.tgz
Directory and File options  Select the option corresponding to the URL you entered in the Upload URL field.
                            • To upload the archive to the external server using the default name, enter a URL without a file name and click Directory.
                            • To upload the archive to the external server using a name other than the default name, enter a URL that includes a file name and click File.
                            Note: Archive file names cannot contain spaces.
Username field              If the external server requires authentication, enter the user name in this field. The user name you enter must have privileges to write to the directory you specified in the Upload URL field.
Password field              Enter the user’s password.

12. Examine the options you entered and the field in the Actions tab page to make
sure everything is correct.


An example follows. (Figure: the completed Actions tab page, with callouts noting
that the URL uploads the archive to the server using a name other than the
default, that the File option indicates you are uploading to a custom file name,
and that you should verify the command syntax.)

13. When the options are set the way you want, click Apply.
14. Optionally set up a schedule for the job: Click the Schedule tab and see Section
C: "Scheduling Jobs" on page 274.
15. In the Create a new Job dialog box, click OK.

Note: To avoid problems, do not put consecutive archive actions in the same
job. Doing so might cause some actions to fail because the first archive might
not finish uploading before subsequent archive commands complete.
Workarounds include putting archive actions in different jobs and separating
archive actions in the same job with other actions.

16. To execute the job immediately, select the name of the job in the Job Library
section of the Jobs tab page and click Execute.
17. To verify the job succeeded, either check the external server to make sure the
archive was created or click the name of the job and view its status in the
Description pane.
For detailed information, view the Job Report as discussed in Section D:
"Verifying Jobs" on page 280.


Archiving Director Using the Command Line


Use the archive command to back up and restore Director configuration files,
event logs, job reports, and ProxySG appliance backups. These backups can be
archived to any accessible external server. You can create only one archive at a
time.
Before you continue, make sure you review the following information:
❐ "About Archives" on page 466
❐ "Prerequisites for Archiving Director" on page 467
This section discusses the following topics:
❐ "Creating, Encrypting, and Uploading the Archive"
❐ "Retrieving and Restoring the Archive" on page 475

Creating, Encrypting, and Uploading the Archive


This section discusses how to create an archive, encrypt it with an encryption key,
and upload it to an external server. The process discussed in this section involves
using one command. You can also create the archive and upload it to an external
server using separate commands; for more information, see the Blue Coat Director
Command Line Interface Reference.

To create an archive, encrypt it with an archive key, and upload the archive to
an external server:
1. Use a Secure Shell (SSH) application to connect to Director as discussed in
"Using the Director Command Line" on page 38.
2. Enter enable mode.
director > enable

3. If prompted, enter the enable mode password.


4. At the director # prompt, enter configuration terminal.
The prompt changes to director (config)#.
5. Enter the following command:
director (config)# archive {all | config | device-backup | event-log | job-report} upload current url [username username password password] [key keyname]

For the meaning of the all, config, device-backup, event-log, and job-report
parameters, see "About Archives" on page 466.
The upload current parameters are required to upload the archive file to an
external server after creating the archive. current is a reserved archive name
that can be used only for this purpose. The current archive is temporary; after
the archive is uploaded, it is deleted from Director.


Valid url formats follow:


scp://host//path
ftp://host/path
http://host/path

path can be the name of a directory or it can include the name of the archive
file as you want it to be stored on the external server. If path is the name of a
directory, it must end with a / character.
If you omit the file name from path, the archive is uploaded to the external
server with a name like the following:
sgmearchive-director-all-2008.12.03-004256.tgz

An example follows:
director (config)# archive all upload current scp://192.168.0.50//director/ username director password bluecoat
The command creates an archive file and uploads it to an external server using the
SCP protocol, storing the archive in a directory named director.

Retrieving and Restoring the Archive


The restore command takes an archive key as input. The archive key is required to
restore the archive.

Important: Before restoring an archive to either the primary or secondary
Director in a standby pair, you must make both Directors standalone using the
make-standalone command. After restoring the archive, make the standalone
Directors primary and secondary again using the make-primary and
make-secondary commands.
For more details, see Chapter 13: "Configuring Director Redundancy".

To retrieve and restore the archive:


1. Retrieve the archive file.
director # archive {all | config | device-backup | event-log | job-report} fetch {archive_name url [username username password password]}

For the meaning of the all, config, device-backup, event-log, and job-report
parameters, see "About Archives" on page 466.
The archive_name parameter is required and it specifies the name of the archive
file to store on this Director appliance. url must also contain the archive file
name if there is more than one archive in the directory specified by url. If
archive_name and the file name in url are different, archive_name specifies the
name of the archive that is stored on this Director.
Note: archive_name cannot contain space characters.
The username and password parameters must be used only if the external
server requires authentication.


For example,
director # archive all fetch sgme_5.4.1.1_510.tgz ftp://192.168.0.50//director-5.4.1.1-36821-3192.tgz username director password bluecoat

This example fetches an archive named director-5.4.1.1-36821-3192.tgz from the
FTP server 192.168.0.50 and stores it on Director as sgme_5.4.1.1_510.tgz.

2. If the archive was encrypted using a key that is not stored on this Director
appliance, import the archive key using the following command:
director # archive input key keyname show

Copy the archive key from the text file and enter it at the prompt. Press
Control+D when you have entered the key. You will then be prompted for the
pass phrase you created earlier.
3. Restore the configuration.
director # archive {all | config | device-backup | event-log | job-report} restore archive_name key keyname

If the archive was successfully restored, the message file successfully extracted
displays.
4. Reboot Director.
director # reload [force]

Important: The following message displays if there were unsaved
configuration changes before you performed the archive:
System has unsaved config changes. Either use the "force" option, or
save the changes using "write memory".
To reboot Director with the archived configuration, do not use the write memory
command; instead, use the reload force command. Following is an
explanation of the commands:
• reload force causes Director to reboot and use the configuration that
was restored to it using the archive.
• write memory causes Director to overwrite the configuration restored to
it using the archive and to reboot using the old configuration (that is,
the configuration before the archive was restored).

Related Commands
# archive {all | config | device-backup | event-log | job-report} delete archive_name
# archive {all | config | device-backup | event-log | job-report} fetch archive_name url
# archive {all | config | device-backup | event-log | job-report} move archive_name_old archive_name_new
# archive {all | config | device-backup | event-log | job-report} upload archive_name url
# archive generate key keyname


# archive input key keyname show

Chapter 16: Upgrading Director

This chapter discusses how to upgrade or roll back (that is, downgrade) the
software on your Director 510.
Upgrading the image is a three-step process: creating an archive of the current
configuration, downloading the image file to Director, and installing the image
on Director.
This chapter discusses the following topics:
❐ Section A: "Before You Begin Your Upgrade" on page 480
❐ Section B: "Getting the SGME Software and Documentation" on page 483
❐ Section C: "Upgrading the SGME Software" on page 485
❐ Section D: "Working with Configuration Files after an Upgrade" on page
489
❐ Section E: "Rolling Back the SGME Software" on page 490

Note: The upgrade procedure must be performed using the command line.
You cannot use the Management Console to upgrade Director.

Section A: Before You Begin Your Upgrade


This section describes important upgrade information. Read this section before
performing any upgrade.
This section discusses the following topics:
❐ "Supported Upgrade and Rollback Paths"
❐ "Director and SGOS Compatibility Matrix" on page 481

Supported Upgrade and Rollback Paths


Supported Upgrade Paths
The following table shows valid upgrade paths to SGME 5.4.2.4:

Upgrade to  Upgrade from
5.4.2.4     5.4.1.1 or 5.4.1.2
5.4.1.2     5.4.1.1 only
5.4.1.1     • SGME 5.3.1.3 or later
            • SGME 5.2.2.5 > 5.3.1.4 > 5.4.1.1
            • SGME 5.2.2.x (a) > 5.3.1.3 > [5.3.1.4] (b) > 5.4.1.1
            • SGME 4.2.2.x > 5.2.2.1 > 5.3.1.3 > [5.3.1.4] (b) > 5.4.1.1
5.3.1.4     SGME 5.3.1.3 or 5.2.2.5
            Note: Two SGME 5.3.1.4 upgrade packages are available (one for SGME 5.2.2.5 and one for 5.3.1.3). Make sure you choose the correct package.
5.3.1.3     5.3.1.1 Limited Availability, 5.2.2.1, 5.2.2.2, 5.2.2.3, 5.2.2.4

a. x can be 1 through 4, but not 5
b. Optional

Supported Rollback Paths


You can roll back to the release from which you upgraded. For example, if you
upgraded from SGME 5.4.1.1 to SGME 5.4.2.4, you can roll back from 5.4.2.4 >
5.4.1.1 only.

SGME Rollback Notes


Before rolling back, make sure you understand the following:
❐ Director 510 enables you to roll back to the previously running SGME
version only.
❐ After rolling back, you must restore the Director archive you took before
upgrading to restore Director’s configuration.
More information about restoring an archive can be found in "Retrieving
and Restoring the Archive" on page 475.


Director and SGOS Compatibility Matrix


Consult the following table before attempting to manage ProxySG appliances:
SGME version           Manages SGOS versions
SGME 5.4.2.x           • SGOS 5.4.x and later only
                       • All SGOS versions supported by SGME 5.3.x
SGME 5.4.1.x           SGOS 5.4.x and all SGOS versions supported by SGME 5.3.x
SGME 5.3.x             SGOS 5.3.x, SGOS 5.2.x, SGOS 5.1.x
                       SGOS 4.2.9 and later, including 4.3.x
                       Limitation: You can use VPM in SGME 5.2.x and later to push policy to devices running SGOS 4.2.x, where x > 9, or SGOS 5.2.2.x or later only. If a device runs SGOS 4.2.9 or earlier or 5.2.1 or earlier, use the SGOS Management Console on each device to change policy on the device.
SGME 5.2.1.x, 5.2.2.x  SGOS 5.2.x, SGOS 5.1.x
                       SGOS 4.2.9 and later, including 4.3.x
                       Limitation: You can use VPM in SGME 5.2.x and later to push policy to devices running SGOS 4.2.x, where x > 9, or SGOS 5.2.2.x or later only. If a device runs SGOS 4.2.9 or earlier or 5.2.1 or earlier, use the SGOS Management Console on each device to change policy on the device.
SGME 5.1.4.x           SGOS 5.1.x
                       SGOS 4.2.9 and later, including 4.3.x
                       SGME 5.1.4.x supports SGOS 4.2.9 and later, but the SGME 5.1.4 Management Console does not have the Content tab page.
SGME 4.2.x             SGOS 4.2.x releases earlier than 4.2.9
                       SGME 4.2.x is partially compatible with SGOS 4.2.3.x and later. You can manage devices using legacy features, but you cannot manage features introduced in those SGOS releases.


Upgrade and Rollback Roadmap


To upgrade Director:
1. Section B: "Getting the SGME Software and Documentation" on page 483
2. Section C: "Upgrading the SGME Software" on page 485
3. Section D: "Working with Configuration Files after an Upgrade" on page 489

To roll back Director:


Section E: "Rolling Back the SGME Software" on page 490


Section B: Getting the SGME Software and Documentation


This section discusses how to get the SGME software to upgrade your Director
appliance.

To get Director software:


1. Go to http://support.bluecoat.com, enter your BlueTouch Online user name
and password in the fields at the top of the page, and click Login.
If you do not have a user name and password, fill in the form at http://www.bluecoat.com/support/supportservices/btorequest.
2. Click the Download tab.
3. On the Download tab page, click the 510 link corresponding to the version of
Director software you want to download.
4. On the next page, follow the prompts on your screen to request software for
your Director appliance.
5. Click Download Now.

Note:
• The Direct Download Link displayed on this page cannot be used to
upgrade Director. You must download the .tgz file to your computer.
• Depending on the Web browser you used to download the software, the
file you downloaded might have square brackets in the name; for
example, Director_5[1].4.2.4_56789_510.tgz.
The presence of square brackets in the file name does not affect your
ability to upgrade the SGME software.

6. Copy the SGME image (the .tgz file) to a Web server that Director can access.
7. Copy install.exe to the computer on which you will run the Director
Management Console.
When you have finished upgrading Director, start the Management Console
as discussed in "Connecting to Director with the Management Console" on
page 52.
8. Continue with any of the following sections:
• Section C: "Upgrading the SGME Software" on page 485
• Section D: "Working with Configuration Files after an Upgrade" on
page 489

Getting SGME Documentation


This section discusses how to get documentation and Release Notes for the
SGME release to which you are upgrading.

To get the Director Release Notes and documentation:


1. Go to http://support.bluecoat.com, enter your BlueTouch Online user
name and password in the fields at the top of the page, and click Login.
If you do not have a user name and password, fill in the form at http://www.bluecoat.com/support/supportservices/btorequest.
2. Click the Documentation tab.
3. On the Documentation tab page, click Director.
4. Follow the prompts on your screen to download the documentation and
Release Notes.
5. After reading the Release Notes, save them on your local computer.


Section C: Upgrading the SGME Software


The following list describes the high-level software upgrade process:
❐ Save Director’s current configuration and archive it to an external server.
❐ Download the .tgz SGME software image.
❐ Install the package file.
At this point, the required re-package of the current running system is created.
You can downgrade only to this re-package.
❐ Reload or reboot the system.

Important: SGME 5.4.2.x supports upgrades from SGME 5.4.1.1 or later only;
in other words, before upgrading to SGME 5.4.2.x, make sure your Director
appliance runs SGME 5.4.1.1 or later.

Important: Before performing any software upgrade, archive the appliance as
discussed in Chapter 15: "Backing Up Director and Devices".

This section discusses the following topics:


❐ "Upgrade Prerequisite Tasks"
❐ "Getting the SGME Software Package" on page 486
❐ "Installing the SGME Software Package" on page 486
❐ "Related CLI Commands for Upgrading and Rolling Back Director" on page 487

Upgrade Prerequisite Tasks


The following procedure summarizes the commands required to create an
archive and to upload it to an external server.
Use the following commands in the order shown:
1. Save any pending changes to Director’s configuration.
director (config) # write memory

2. Archive all Director components.
a. Create an archive key to encrypt the archive.
director # archive generate key {default | keyname}

b. Enter a passphrase and save the key.
director # show archive key {default | keyname}
Enter pass phrase here:

c. Create the archive.
director # archive config create name.tgz

3. Upload the archive to an external server.
director # archive config upload name.tgz url username username password password

For example,
director # archive config upload ftp://192.168.0.2//uploads/sgme/sgme_5.4.2.1_09-15-09.tgz username director password bluecoat

For additional information, see the Blue Coat Director Command Line Interface
Reference Guide.
4. Continue with the next section.

Getting the SGME Software Package


Before starting your upgrade, get the SGME upgrade package as discussed in
Section B: "Getting the SGME Software and Documentation" on page 483.

Installing the SGME Software Package


This section discusses how to install the SGME upgrade package.

To install the upgrade package:


1. Log in to Director using a secure shell (SSH) application.
2. At the director > prompt, enter enable.
3. If prompted, enter the enable mode password.
4. At the director # prompt, enter configure terminal.
5. At the (config) command prompt on Director, download the upgrade
package using the following command:
director (config) # upgrade-package fetch url_to_upgrade-package_.tgz_file [username username password password]

If you placed the upgrade image on an external server, enter the upgrade
package URL in one of the following formats:
http://host_or_ip/path_to_tgz
ftp://host_or_ip//path_to_tgz
scp://host_or_ip//path_to_tgz

For example,
http://www.example.com/SGME/Director_6.1.1.1_345678_510.tgz

Specifying a username and password in the URL is not supported.


The following messages confirm the upgrade package was fetched
successfully:
Image downloaded OK.
Image verifies OK.

6. Optional—Verify the installation package (this command is useful if you
did not use the upgrade-package fetch command line to copy the upgrade
package to local disk).
director (config) # upgrade-package verify filename


One of the following messages displays:

Message: Image verifies OK.
Meaning: The upgrade image verified successfully, so it is safe to proceed.

Message: Image verification failed for image-name
Meaning: There are errors in the upgrade image. Download the upgrade image
again before continuing with your upgrade. Make sure the image verifies
successfully before proceeding.

7. Install the new Director image file you just downloaded.


director (config) # upgrade-package install filename

8. You are required to confirm the installation.


During installation, your current Director configuration is saved and a
message similar to the following displays:
Configuration File config-5.4.1.1-2009.08.05-210215 is created

Note: The name of the configuration file for your system will be different. The
preceding sample name is for your information only.

9. Write down the name of this configuration file. In the event of issues after you
upgrade, you can restore this configuration to return Director to its
pre-upgrade state. This includes restoring devices, alerts, jobs, and so on that
would otherwise be deleted.
10. Verify Director booted from the correct image file by re-connecting to Director
and using the show version command as follows.
director > show version
System version: 5.4.2.4
Build date: 2009/08/31 04:28:34
Build number: 345678
Platform type: 510
Build version: #35927 2009.09.15-042834
Serial number: 0000000000
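An added example, not code from the guide or from Blue Coat: checks for the CLI output the procedure above shows, so that a script driving the SSH session (or an operator pasting output into it) refuses to install after a failed fetch, records the pre-upgrade configuration file name needed for rollback (step 9), validates the package URL forms listed in step 5, and confirms the booted image (step 10). The sample transcripts are constructed from the messages in the procedure; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Confirmation lines the guide shows after a successful 'upgrade-package fetch'.
FETCH_OK = ("Image downloaded OK.", "Image verifies OK.")
VERIFY_FAIL = re.compile(r"^Image verification failed for (?P<image>\S+)")
# Line printed by 'upgrade-package install' naming the saved pre-upgrade config.
CONFIG_CREATED = re.compile(r"^Configuration File (?P<name>config-\S+) is created")


def package_url_ok(url: str) -> bool:
    """Accept only the URL forms the guide lists (http, ftp, scp) and reject
    embedded credentials, which 'upgrade-package fetch' does not support."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "ftp", "scp") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    # The guide writes ftp and scp URLs with a double slash before the path.
    if parts.scheme in ("ftp", "scp") and not parts.path.startswith("//"):
        return False
    return parts.path.endswith(".tgz")


def fetch_succeeded(output: str) -> bool:
    """True only when both confirmation lines appear in the fetch output."""
    lines = {line.strip() for line in output.splitlines()}
    return all(msg in lines for msg in FETCH_OK)


def verification_failure(output: str):
    """Return the image name from an 'Image verification failed for ...' line,
    or None when no such line is present."""
    for line in output.splitlines():
        match = VERIFY_FAIL.match(line.strip())
        if match:
            return match.group("image")
    return None


def pre_upgrade_config_name(output: str):
    """Capture the configuration file name to write down (step 9) for rollback."""
    for line in output.splitlines():
        match = CONFIG_CREATED.match(line.strip())
        if match:
            return match.group("name")
    return None


def parse_show_version(output: str) -> dict:
    """Turn the 'key: value' lines of 'show version' into a dict. Only the first
    colon separates key from value, so the build timestamp stays intact."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def booted_expected_image(output: str, version: str, platform: str = "510") -> bool:
    """Post-reboot check for step 10: running version and platform both match."""
    fields = parse_show_version(output)
    return (fields.get("System version") == version
            and fields.get("Platform type") == platform)


# Constructed sample transcripts, modelled on the messages shown in the procedure.
SAMPLE_FETCH = "Image downloaded OK.\nImage verifies OK.\n"
SAMPLE_FAILED = "Image verification failed for Director_5.4.2.4_56789_510.tgz\n"
SAMPLE_INSTALL = "Configuration File config-5.4.1.1-2009.08.05-210215 is created\n"
SAMPLE_VERSION = """System version: 5.4.2.4
Build date: 2009/08/31 04:28:34
Build number: 345678
Platform type: 510
Build version: #35927 2009.09.15-042834
Serial number: 0000000000
"""

if __name__ == "__main__":
    if not fetch_succeeded(SAMPLE_FETCH):
        raise SystemExit("fetch did not verify; do not run upgrade-package install")
    print("pre-upgrade config to keep:", pre_upgrade_config_name(SAMPLE_INSTALL))
    print("booted 5.4.2.4 on a 510:", booted_expected_image(SAMPLE_VERSION, "5.4.2.4"))
```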

Related CLI Commands for Upgrading and Rolling Back Director


On the new Director, the image command has been replaced by the installation
command upgrade-package.
❐ The syntax of the upgrade-package command is as follows:
director (config) # upgrade-package delete filename
Deletes the specified upgrade package.

director (config) # upgrade-package fetch url username password
Retrieves the upgrade-package from the specified location, places it on the
local disk with the identical filename, and verifies that it is a valid system
upgrade-package.
Enter the upgrade package URL in one of the following formats:
http://host_or_ip/path
ftp://host_or_ip//path
scp://host_or_ip//path

Specifying a username and password in the URL is not supported.

❐ director (config) # upgrade-package install filename
Installs the specified upgrade package. During installation, a snapshot of the
current OS version is packaged and saved so you can roll back to it later.

❐ director > upgrade-package rollback
Reverts to the previously installed system.

❐ director (config) # configuration switch-to config_file_created_during_upgrade
Switches your configuration back to its pre-upgrade state.
config_file_created_during_upgrade is the name of the configuration file
Director creates for you during the upgrade process.

❐ director (config) # upgrade-package verify filename
Verifies the validity of the specified upgrade package. Because the
upgrade-package fetch command verifies the upgrade package, this command is
useful only if you did not use the upgrade-package fetch command to
download the upgrade package.


Section D: Working with Configuration Files after an Upgrade


This section describes how to destroy or restore configuration files after an
upgrade.

Destroying Old Configuration Files After an Upgrade

Important: This command should only be used if you do not plan to ever
downgrade your system.

The destroy-old-files command is designed to make your system more secure
by deleting configuration files that store information in plaintext. However, after
this is done, any downgrade to an earlier version is done without the
configuration files and backups that previously were created in that release.
Configuration files are stored in the following locations, depending on the version
of SGME:
❐ 3.x: /sys/config and /local/backups
❐ 4.x: /sys/encrypted-config/ and /local/encrypted-backups/
❐ 5.x: /sys/v5-config and /local/encrypted-backups/

Note: This is a global command that deletes all files in /sys/config/,
/sys/encrypted-config/, /local/backups/, and /local/encrypted-backups/ for SGME 3.x
and 4.x. SGME 5.x files are not affected.

To destroy all configuration files from previous versions:


1. From the (config) prompt, enter the following commands:
director (config) # config destroy-old-files
Destroying old files makes them unavailable to downgraded systems.
Proceed to destroy? (yes or no) yes
Destroyed old files.

2. Do not save these changes. That is, do not use the write memory command.
3. Reboot Director.
director (config) # reload


Section E: Rolling Back the SGME Software


This section discusses how to roll back Director to an older SGME release. You
can roll back Director to the most recent installed package only. You cannot roll
back Director to an older image.

Note:
• Devices and jobs are lost during rollback.
• Alerts are deleted during the rollback process so rolling back a Director
that manages a large number of devices can take a long time. It can take
several hours for a rollback to finish if there are 40,000 or more alerts.

To roll back Director:


1. Enter the following command:
director > upgrade-package rollback

The following message displays:
Rollback will change the running system to the last running software
revision.
Proceed to rollback? (yes or no)

2. To proceed with the rollback, enter yes.
3. Wait several minutes for Director to roll back and reboot.
4. Close the SSH session.
5. After Director reboots, start a new SSH session and enter the following
command:
director > show version detail

Following is sample output:
SG-ME director 5.4.1.1 #45678 2008.03.31-133633 x

6. Recommended. Restore the configuration Director saved before you upgraded.
director (config) # configuration switch-to config_file_created_during_upgrade

To view a list of available configuration names, enter the following command:
director (config) # show configuration

Appendix A: Administering Director

This appendix discusses how to administer Director using the Management
Console or command line in the following topics:
❐ "Changing Director Defaults"
❐ "About Configuration Changes" on page 494
❐ "Setting Up Users" on page 502
❐ "Creating Local User Accounts" on page 502
❐ "Managing Users Who Manage Content" on page 504
❐ "Authenticating Users" on page 508
❐ "Determining the Connection Protocol" on page 514
❐ "Using the SNMP Server" on page 519
❐ "Managing Sessions" on page 520
❐ "Rebooting Director" on page 522
❐ "Shutting Down Director" on page 522

Changing Director Defaults


Defaults for Director administration are:
❐ Enabling the explicit configuration lock mode: The implicit configuration
lock mode is default in SGME 5.x. See "Obtaining the Configuration Lock
Using the Command Line" on page 497, and refer to the Blue Coat Director
Command Line Interface Reference for the CLI commands to enable the
explicit configuration lock.
❐ Adding user accounts to Director: Admin with no password is the default
and the only user account. If others will use Director and you do not want
them to have administrator privileges, you should add user accounts. See
"Creating Local User Accounts" on page 502 to add other user accounts to
Director.
❐ Changing security options from local to RADIUS or TACACS+: Local is the
default and is required. See "Authenticating Users" on page 508 for more
information.
❐ Changing the connection protocol and authentication: SSHv2 with simple
password authentication is the default. You can add RSA authentication for
more security or use Telnet.
❐ Adding Access Lists: These must be configured for each interface. See
"Managing Security Using Access Lists" on page 514.
❐ Enabling FTP and SNMP: The default for each is disabled. See "Using the
SNMP Server" on page 519 for more information.


About Configuration Changes


This section discusses the following topics:
❐ "About Director Configurations" on page 494
❐ "About the Configuration Lock" on page 494
❐ "Changing Director’s Running Configuration" on page 495
❐ "Using Director Configuration Files" on page 498

About Director Configurations


Director has two kinds of configurations—the running configuration and the
saved configuration:
❐ The running configuration consists of all unsaved configuration changes to
devices. These changes include but are not limited to changes to device
records, to profiles and overlays, to backups, to jobs, and so on. (Logs that are
created by executing jobs are not part of Director’s configuration. Logs are
stored on the file system immediately after execution.)
For you to make changes to the running configuration, you must possess the
configuration lock, which is discussed in more detail in "About the
Configuration Lock" on page 494.
❐ The saved configuration is the configuration that is saved on Director. You can
save the configuration in any of the following ways:
• In the Director Management Console, click File > Save Changes, or exit the
Management Console.
• From the command line, in configure mode, enter write memory.

About the Configuration Lock


The configuration lock enforces access to Director configuration operations so that
multiple users cannot overwrite one another’s changes. It prevents multiple users
from making concurrent changes by restricting access to the write memory
operations.
While only one user can acquire and hold the configuration lock at a time, another
user with the same privileges can break the lock and acquire it. If the lock is
broken, the unsaved changes performed by the previous lock holder cannot be
recovered.
The Director Management Console has two configuration lock modes:
explicit and implicit.
❐ Explicit Lock Mode — Users must explicitly acquire the lock before making
any configuration changes. The figures in the following example, beginning
with Figure A–1 on page 495, illustrate the actions to acquire the lock, release
the lock, and break the lock in the Director Management Console.
Note: The explicit configuration lock is available only using the command
line. Refer to the discussion of the require-config-lock enable command in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director Command
Line Interface Reference.


❐ Implicit Lock Mode — Users do not have to acquire the lock because the
system automatically acquires the lock, when the user commits a
configuration change, and releases the lock as soon as the configuration is
saved. If more than one user makes changes to the configuration settings for
the same object/domain/policy, the last person submitting changes overrides
all previous modifications. The implicit lock mode is the default configuration
lock mode in SGME 5.x.
Note: Whether you are using implicit or explicit lock mode, you also acquire
the configuration lock by entering configure mode in the CLI.

Changing Director’s Running Configuration


To perform any action that requires a write-to-memory operation, the
configuration lock must be acquired. For example, before adding a ProxySG
appliance or group, you must acquire the configuration lock to make changes.
If the lock mode is explicit, expand Director Status and click Acquire Lock. You now
hold the configuration lock and can make configuration changes.

Figure A–1 Location of Acquire Lock button (callout: "Click here to acquire the lock").


In explicit lock mode, if the lock is not acquired before attempting configuration
changes on the Director, the Lock Error dialog box displays. To make
configuration changes, click Acquire Lock.
If you attempt to perform an action that requires the configuration lock (for
example, starting the Backup Manager), the following error displays:

Figure A–2 Lock error


After you click File > Save Changes, you can click Release Lock to enable other users
to change the running configuration. When you click File > Save Changes, the
running configuration is committed to the saved configuration. (If you release the
configuration lock before you commit the changes, the next user’s changes can
overwrite yours.)


To make new changes, expand Director Status to acquire the lock again.

Figure A–3 Location of Release Lock button (callout: "Click here to release the lock").

Breaking the Lock


If the lock is currently held by another user, and you need to make configuration
changes, you can break the lock and acquire it.
Tip: To prevent loss of time and effort, and to avoid rework, Blue Coat
recommends that users practice efficient communication before breaking the
configuration lock.

Explicit Lock Mode


If the lock is held by another user, click Break Lock and acquire the lock for
yourself. When you click Break Lock, a confirmation dialog box displays.
When the lock is broken, all unsaved changes made by the previous lock holder
are lost. The previous lock holder might also forcibly break the lock to reacquire it.

Determining the Lock Holder


When the configuration lock is held by another user, the following message
displays above the tab pages in the Director Management Console:
The configuration lock is currently held by username from....
The from detail might be Director’s host name, a client’s host name, or the IP
address of the client:
❐ If the serial console holds the lock, and the Director hostname is not defined,
the following message displays:
The configuration lock is currently held by username from the
serial console.

❐ If the serial console holds the lock and a hostname was defined for the
Director at boot up, the following message displays:
The configuration lock is currently held by username from
Corporate.

If the hostname is changed after the Director is booted, you must reboot the
Director to display the new hostname.


❐ If an SSH client holds the lock, the hostname of the client displays if one is
specified, for example:
The configuration lock is currently held by username from
abc.sv.bluecoat.com

If a hostname is not defined, the IP address displays as follows:


The configuration lock is currently held by username from 10.0.0.18

Implicit Lock Mode


In implicit lock mode, the lock is automatically acquired when you click Apply or
Execute, and the changes are committed to the Director when you do any of the
following:
❐ Exit the Management Console
❐ In the Management Console, click File > Save Changes.
Because the system holds the lock for the shortest possible time, users do not
break the lock in this mode.
When the user interface is in the (default) implicit lock mode, the Management
Console window displays no button in its title bar, as the following figure shows:

Figure A–4 Director Management Console as it appears in implicit lock mode

Switching Lock Modes


To switch between the implicit and the explicit configuration lock modes, use the
command line as discussed in "Commands Related to the Configuration Lock" on
page 497.
Note: Before switching from implicit lock mode (default) to explicit lock mode,
make sure no one is currently changing the configuration. Click File > Manage
Sessions and see "Managing Sessions" on page 520. If the explicit lock mode is
enabled before a user commits the changes, that user receives a Lock Broken
notification and all their changes are lost.

Obtaining the Configuration Lock Using the Command Line


The configuration lock must always be acquired explicitly using the configure
terminal command. For example:
director # configure terminal
When you have completed making the changes to the configuration settings
using the CLI, release the configuration lock either by using the exit command or
the no configure command. The next user might then acquire the configuration
lock, without having to break the lock.

Commands Related to the Configuration Lock


director # show require-config-lock


director # show config lock-holder


director # configure terminal force
director (config) # no configure
director (config) # require-config-lock enable
director (config) # no require-config-lock enable

Using Director Configuration Files


This section discusses using Director configuration files, which contain
information about the current Director configuration. See one of the following
topics:
❐ "What is a Configuration?"
❐ "How Can Configurations Be Used?" on page 499
❐ "Saving Director’s Configuration" on page 499
❐ "Switching To a Saved Configuration" on page 499
❐ "Creating a Configuration" on page 500
❐ "Reverting the Configuration" on page 501
❐ "Restoring the Default Configuration" on page 501
❐ "Other Configuration Commands" on page 501

What is a Configuration?
Configuration files are saved on Director and include the following:
❐ Director’s network configuration (IP address, DNS servers, and so on)
❐ Profiles, overlays, jobs, groups, and device records
❐ Objects associated with profiles, overlays, jobs, and groups (for example,
substitution variables, URL lists, regular expression lists, and so on)
❐ SNMP server settings
❐ NTP settings
Alerts are not included in a configuration.
Unlike archives, configurations cannot be uploaded to an external server; they are
stored on Director.


How Can Configurations Be Used?


Configurations can be used in any of the following ways:
❐ To return Director to its pre-upgrade state after a rollback as discussed in
Chapter 16: "Upgrading Director".
❐ To create a new configuration from parts of an existing configuration as
discussed in "Saving Director’s Configuration".
❐ To periodically save Director’s current configuration state.
❐ Other options discussed in "Other Configuration Commands" on page 501.

Saving Director’s Configuration


To save Director’s current configuration to a file, enter the following command:
director (config)# configuration write [to name]
With no optional parameter, this command is equivalent to write memory; it saves
Director’s configuration to a default name like initial-1.0-version, where
version is the version number corresponding to this SGME release.
Use the optional to name parameter to name the configuration file.

Switching To a Saved Configuration


Director runs on one configuration at a time, so switching to a previously saved
configuration affects all users currently logged in to Director. “All users” means
every user currently logged in to the command line, Management Console, and
serial console. Users who are not currently logged in see the changes the next time
they log in.
For example, if you switch to a configuration that has 50 devices, 100 jobs, 100
profiles, and 100 overlays from a configuration that had 55 devices, 150 jobs, 150
profiles, and 150 overlays, all currently logged in users see those changes
immediately.
To start using a previously saved configuration file, enter the following command:
director (config)# configuration switch-to name
Where name is the name of a previously saved configuration.
To view the names of previously saved configurations, enter either of the
following commands:
director (config)# configuration switch-to ?
director (config)# show configuration files


Creating a Configuration
This section discusses how to create a configuration using a previously saved
configuration. You can do this, for example, to test changes you might want to
make to devices, jobs, profiles, overlays, and so on before implementing them.
Other examples follow:
❐ Test new access lists. (Access lists are discussed in "Managing Security Using
Access Lists" on page 514.)
❐ If you have more than one privilege 15 user account, you can change another
user’s password if that password was lost.
Use caution when creating a configuration because your syntax is not validated.

To create a configuration:
1. If necessary, switch to the configuration on which you want to base the new
configuration.
For more information, see "Switching To a Saved Configuration" on page 499.
2. Enter the following command to display the configuration:
director (config)# show configuration [running]

The optional running parameter displays the configuration, including changes
that have not been saved yet.
Without the optional running parameter, the command displays all saved
changes to the configuration.
3. Copy the relevant commands to a text editor.
4. Edit those commands.

WARNING! Use caution when editing commands that control your ability to
connect to Director (for example, Director’s IP address and default gateway).
Your values and syntax are not validated; improper network settings can
disable Director and permanently prevent you from accessing it.
Following is a partial list of these commands:
interface ether-0 ip address address / mask
ip default-gateway address

5. Enter the following command to create a new configuration:
director (config)# configuration new name keep-console

Important: To preserve Director’s IP address and other network settings, you
must use the keep-console parameter.

6. Enter the following command to switch to the new configuration:


director (config)# configuration switch-to name

7. Enter each command from step 4 at the command line, one at a time.


8. Enter the following command to save the configuration:


director (config)# configuration write

Reverting the Configuration


To undo all unsaved changes to the configuration, use the following command:
director (config)# configuration revert

Restoring the Default Configuration


In the event you must return Director to its default configuration, enter the
following commands in the order shown:
director (config)# configuration restore-factory-defaults
director (config)# reload
Wait a few minutes for Director to reboot and configure it again from the serial
console or the LCD panel as discussed in the Quick Start Guide provided with the
appliance.

Other Configuration Commands


This section briefly discusses other configuration commands.

Commands Related to Upgrade and Rollback


director (config)# configuration destroy-old-files
director (config)# configuration restore-sgme4-files
For more information about these commands, see "Destroying Old Configuration
Files After an Upgrade" on page 489.

Deleting and Renaming Configuration Files


Enter the following command to delete a configuration file:
director (config)# configuration delete name
Enter the following command to rename a configuration file:
director (config)# configuration move old-name new-name

Filtering Configuration File Commands


Enter the following commands to exclude certain commands from being displayed
in a configuration:
director (config)# show configuration options exclude-devices
director (config)# show configuration options exclude-jobs
director (config)# show configuration options exclude-priorities
director (config)# show configuration options exclude-groups


Setting Up Users
The username commands allow you to create local Director user accounts. After
the usernames are created, you can change the workgroup to further control the
users on the system.

Creating Local User Accounts


The default account is admin, with no password. Blue Coat recommends that the
default admin account be used to administer Director. Another account, monitor,
exists by default on Director which allows the user to view configuration changes
to the system.
You can create other accounts with different privileges and require users to use
one of those accounts instead of admin. (If you decide to create user accounts on
Director, assign a password on the admin account to prevent users from logging
on with full privileges.)
The user accounts you create can be as secure as you want them, from no
password to restricting users to one of the modes: Standard, Enable, or
Configuration. Restricting users to one of the modes is called setting the privilege
level. All user accounts, by default, have all privileges.
If the privilege level is:
❐ 1: Standard mode only is available, meaning that you can view Director logs
and the results of commands but you cannot change them.
❐ 7: Standard and Enable modes are available, meaning you can do one-time
tasks, but cannot schedule repeating tasks or configure devices or device
groups.
❐ 15 (the default): All three modes are available, including Configuration mode,
the most powerful. You can schedule jobs, manage content, and manage users.
You can also make permanent changes to Director configuration.
If the privilege level is changed during a session, the new privileges take effect
immediately.
The username commands create local user accounts on Director only. They do not
affect the accounts on remote authentication servers.

Note: If you create a password on Director for local user accounts, that password
is kept in a local password file. However, if you have users logging in remotely or
through unsecured terminals, you can require an additional level of
authentication. For more information, see "Authenticating Users" on page 508.

For more information on creating usernames, refer to the Blue Coat Director
Command Line Interface Reference.

502
Appendix A: Administering Director

To set up a user account on Director with privilege restrictions:


1. At the (config) command prompt, set the username and password. Note that
only the first eight characters of the username and password are validated.
director (config)# username username
director (config)# username username password 0 | 7 password

where 0 indicates the password to be entered is in plaintext, and 7 indicates
the password to be entered is encrypted.
To encrypt the password, perform the following tasks:
a. Enter director (config)# username username password cleartext_password
b. Enter director (config)# show configuration
c. Look for output similar to the following:
username admin password 7 KW25kt7gvYupk

In this example, KW25kt7gvYupk is the password in encrypted form.
d. Enter director (config)# username username password 7 encrypted_password
2. Set the privilege level.
director (config)# username username privilege 1 | 7 | 15

where 1 means that the user cannot enter the Enable mode, 7 indicates that the
user cannot enter Configuration mode, and 15 indicates that the user has full
administrative privileges.
3. View the users on the system.
director (config) # show usernames
Username admin
maximum permitted privilege level 15
in Workgroup "default"
Username monitor
maximum permitted privilege level 7
in Workgroup "default"
Username test1
maximum permitted privilege level 15
in Workgroup "default"

Note: Every user is automatically assigned to Workgroup Default. To change
the workgroup assignment, continue with the next section.

4. Save the configuration.


director (config)# write memory


Managing Users Who Manage Content


You can place users who are issuing content management commands to devices
into workgroups and use the workgroups to limit the devices they can use, the
time they can send commands, or limit the priority level (importance) they can
assign to content.
Director ships with a workgroup called default, and all Director users are members
of the group until they are re-assigned to a new workgroup. If the new workgroup
is deleted, members of that group are re-assigned to the default group.
You can modify the settings of the default workgroup but you cannot delete the
default workgroup itself. By default, all users can schedule any content
commands at any time to any ProxySG appliance, and can set the priority level of
content to any setting between 0 (highest) and 4 (lowest).
Any jobs that are scheduled for a stated time are enforced using the permissions
of the default workgroup, no matter which workgroup the user belongs to.
The workgroup commands are only effective if Director users have differing
privilege levels. They are meant for users who manage content on Director, not
for users who manage Director itself. Only the Director administrators should
have level 15 privileges with no restrictions.
You can only create and manage workgroups using the Director command line.
Note, however, that all users, including those who work exclusively with the
Director Management Console, are assigned to the default workgroup unless
they are moved to another workgroup, and are subject to the rules of the
workgroup where they are assigned.

Note:
❐ You can move users from the default workgroup to other workgroups. You
cannot add new user accounts to Director using the workgroup commands.
❐ Workgroups are authenticated locally. You cannot authenticate users in
workgroups using RADIUS or TACACS+, nor can you add users
authenticated by these methods to workgroups.
For more information about RADIUS and TACACS+, see "Authenticating
Users" on page 508.

Follow these steps to create a workgroup and add rules and users:
1. At the (config) command prompt, create a workgroup and give it a
meaningful name.
director (config) # workgroup workgroup_id create

where workgroup_id is an alphanumeric string that is a descriptive name,
such as sales.
2. (Optional) Enter the workgroup submode, which allows you to use workgroup
commands without having to type workgroup workgroup_id before each
command.
director (config) # workgroup sales
director (config workgroup “sales”) #


3. (Optional) Add a comment to the workgroup.


director (config workgroup “sales”) # comment comment

4. Set a minimum priority level for content managed by the users in the
workgroup.
Users are unable to make content more important (have a higher priority)
than the minimum level you have set. The range is between 0 and 4, with 0
meaning that users have no restrictions on setting the importance of content in
the ProxySG appliances. Negating this command returns priorities to the
default, 0, which is the highest priority.
director (config workgroup “sales”) # min-priority priority integer

5. Set up time limit rules for the workgroup to enable or disable the time-limits
range.
a. Time-limits type: The default is disallow, meaning that if no time
limits are set, all users can manage content at any time. Before you set
a time range, change the time limit type to allow to restrict users to
predefined times.
director (config workgroup “sales”) # time-limits type allow |
disallow

b. Time limits. The default is that no time limits are set, allowing all users
to manage content at any time. If the time-limits type is allow, setting a
time limit prevents users from sending content management
commands outside of the time limits established. If time limits are
established and the time-limits type is disallow, users cannot manage
content during the specified time, but can manage content at other
times.
director (config workgroup “sales”) # time-limits range hh:mm:ss-
hh:mm:ss

where the time is set using the 24-hour clock.


6. Set up ProxySG appliance rules for the workgroup.
a. Set up a device-limits type—allow or disallow—to enable or disable
ProxySG appliance lists on the workgroup. The default is disallow,
meaning that access to all ProxySG appliances is unrestricted by all
users in this workgroup. Before you add ProxySG appliances to the
workgroup, change the device-limits type to allow.
director (config workgroup “sales”) # device-limits type allow |
disallow


b. Limit ProxySG appliances that workgroup users can access. If the list
exists, only ProxySG appliances and groups on the list can be accessed
by members of the workgroup.
If the group ID or device ID record does not exist, it is not created. An
error message is generated instead.
director (config workgroup “sales”) # device-limits keyword device_spec

where keyword is all, device, addr-device, or group, and device_spec
follows these rules:
• all refers to all devices.
• device must be followed by a device ID.
• addr-device must be followed by a hostname/IP address.
• group must be followed by a group ID. Do not use an IP address.

7. Add users to the new workgroup.


This removes users from the default workgroup, since users can belong to
only one workgroup at a time. If the workgroup is later deleted, users are re-
assigned to the default workgroup. (If you delete a workgroup, assign the
workgroup members to other groups beforehand, unless you want the
workgroup members re-assigned to the default group.)
You cannot use this command in workgroup submode.
director (config workgroup “sales”) # exit
director (config) # username username workgroup member workgroup_id

8. View the workgroup you created:


director (config) # show workgroup workgroup_name
Workgroup workgroup_name:
Comment: this is a test
Minimum Priority: 4 (lower number has more priority)
Device-limits Type: allow (to send content commands to these following Groups & Devices:)
All Device-Groups and Devices
Time-limits Type: allow (to send content commands during these time ranges:)
Time ranges for this Workgroup:
07:00:00-17:00:00


9. View the usernames to see which users are in which group:


director (config) # show usernames
Username admin
maximum permitted privilege level 15
in Workgroup "default"
Username monitor
maximum permitted privilege level 7
in Workgroup "test1"
Username test1
maximum permitted privilege level 15
in Workgroup "test1"

10. Use the write memory command to permanently save your changes.
director (config) # write mem
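The rules set in steps 4 through 7 combine into one decision each time a workgroup member sends a content-management command. The following Python model is an added example, not Blue Coat code: it re-implements the min-priority, time-limits and device-limits semantics as this guide states them, takes the sales workgroup from the show workgroup output above as constructed sample input, and routes scheduled jobs through the default workgroup as described earlier in this section. The group-to-device mapping, the hhmmss helper and the midnight-wrapping treatment of a range whose end precedes its start are assumptions of the example, not behaviour the guide documents.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Workgroup:
    """One Director workgroup as configured in 'workgroup <id>' submode."""
    name: str
    min_priority: int = 0                 # min-priority: 0 = no restriction, 4 = least important
    time_limits_type: str = "disallow"    # time-limits type; the guide's default
    time_ranges: list = field(default_factory=list)   # parsed time-limits range entries
    device_limits_type: str = "disallow"  # device-limits type; the guide's default
    device_list: set = field(default_factory=set)     # "all", device IDs or group IDs


def hhmmss(text):
    """Parse one hh:mm:ss value (24-hour clock) into a datetime.time."""
    return time.fromisoformat(text)


def parse_time_range(text):
    """Parse the CLI form hh:mm:ss-hh:mm:ss into a (start, end) pair."""
    start, end = text.split("-")
    return hhmmss(start), hhmmss(end)


def inside(at, start, end):
    # ASSUMPTION: a range whose end is earlier than its start wraps past midnight.
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end


def priority_allowed(wg, priority):
    """Lower number = more important. A user may not request a priority that is
    more important (numerically lower) than the workgroup minimum; 0 lifts the limit."""
    if not 0 <= priority <= 4:
        raise ValueError("priority must be between 0 (highest) and 4 (lowest)")
    return priority >= wg.min_priority


def time_allowed(wg, at):
    """allow: commands only inside the listed ranges; disallow: blocked inside
    them. With no ranges configured, any time is permitted whatever the type."""
    if not wg.time_ranges:
        return True
    hit = any(inside(at, s, e) for s, e in wg.time_ranges)
    return hit if wg.time_limits_type == "allow" else not hit


def device_allowed(wg, device_id, groups):
    """device-limits type allow restricts users to the listed devices and groups;
    disallow (the default) leaves access to all devices unrestricted."""
    if wg.device_limits_type != "allow":
        return True
    if "all" in wg.device_list or device_id in wg.device_list:
        return True
    # groups: constructed mapping of group ID -> member device IDs (assumption)
    return any(device_id in groups.get(g, ()) for g in wg.device_list)


def check_content_command(wg, default_wg, device_id, priority, at, groups=None, scheduled=False):
    """Decide whether a content-management command may be sent; returns (allowed, reason).
    Jobs scheduled for a stated time are checked against the default workgroup,
    as the guide states, regardless of the user's own workgroup."""
    groups = groups or {}
    effective = default_wg if scheduled else wg
    if not priority_allowed(effective, priority):
        return False, "priority more important than the workgroup minimum"
    if not time_allowed(effective, at):
        return False, "outside the permitted time ranges"
    if not device_allowed(effective, device_id, groups):
        return False, "device not on the workgroup device list"
    return True, "ok"


# Constructed sample mirroring the 'show workgroup' output on this page.
DEFAULT_WG = Workgroup("default")
SALES_WG = Workgroup(
    "sales",
    min_priority=4,
    time_limits_type="allow",
    time_ranges=[parse_time_range("07:00:00-17:00:00")],
    device_limits_type="allow",
    device_list={"all"},
)
```

With the sales settings a member can send a priority-4 command at 09:00 but not at 18:00 and not at priority 2; the same command scheduled for 18:00 is judged against the unrestricted default workgroup and goes through, which is why the guide warns that the default workgroup's permissions govern scheduled jobs.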


Authenticating Users
Possible authentication methods are local, Remote Authentication Dial-In User
Service (RADIUS), and Terminal Access Controller Access Control System Plus
(TACACS+). Local authentication is required. RADIUS and TACACS+ are
optional.
To configure RADIUS authentication, continue with the next section; to configure
TACACS+ servers, skip to "Configuring TACACS+" on page 511.

Note: Because Director supports authentication using RADIUS/TACACS+, the
remote user names do not need to be configured on Director. User names and
passwords for remote users, however, are restricted to 16 bytes. If the user name is
longer, the authentication/login attempt fails.

Configuring RADIUS
If the authentication request consists of the service-type as framed, RADIUS sends
back the attributes for the user in the authentication response. These attributes
can be used for authorization.
Director assigns a privilege level to match the service-type value on RADIUS.
Only the service types that are configured here are supported; access to Director is
denied if the service types do not match the mapped service types in the
configuration.
Director has the following privilege levels:
❐ Login (level 1)
❐ Enable (level 7)
❐ Configuration (level 15)
Each service type you want supported must be mapped to one of the above
privilege levels. Only three service types can be supported, one for each Director
privilege level. All other service types are ignored. If the service type found in the
mapping does not match one of the configured service types, the privilege of the
user cannot be decided and the login is rejected.
By default or on a new system, the following service types are mapped:
RADIUS Service Type    Director Mapping
Login                  Login
NAS-Prompt             Enable
Administrative         Configuration

You do not need to configure service types on Director unless you want to change
the default mappings.


Note: If the RADIUS service type is set to Framed, Outbound, or Authenticate-Only,
or not set at all, you will get a Login incorrect error message even if the supplied
user name and password are valid.

To configure RADIUS server authentication on Director:


1. At the (config) command prompt, specify the types of authentication you
will use.
The aaa authentication login default command enables you to use any
combination of local, RADIUS, and TACACS to authenticate and authorize
users. Use the aaa authentication login default command to determine the
order in which the repositories are searched. Local authentication must
always be searched.
Command syntax follows:
director (config)# aaa authentication login default local [radius | tacacs]

While local must be specified, you can specify one, neither, or both of the
other two authentication methods. The search is done in the order specified in
the aaa authentication command. Note that if you are using RADIUS only,
you do not need to configure TACACS+.
To use RADIUS authentication, enter the following command:
director (config)# aaa authentication login default local radius

2. Enter the following commands to configure global settings for RADIUS
servers:
director (config)# radius-server key password
director (config)# radius-server request-stype integer_between_1_and_11
director (config)# radius-server response-stype integer_between_1_and_11 privilege 1 | 7 | 15
director (config)# radius-server retransmit integer
director (config)# radius-server timeout integer


where
• key password sets the authentication and encryption key for RADIUS servers.
Note that this is not a key, such as an SSHv2 key, but a password. The key
cannot have a question mark in it (such as xyz?) unless you first disable
Director CLI help.
• request-stype 1 - 11 sets the RADIUS request service type. The integer stands
for the service type, which can be one of the following:
1. Login
2. Framed
3. Callback Login
4. Callback Framed
5. Outbound
6. Administrative
7. NAS Prompt
8. Authenticate Only
9. Callback NAS Prompt
10. Call Check
11. Callback Administrative
• response-stype 1 - 11 privilege 1 | 7 | 15 links the RADIUS response service
type and privilege level. Director privilege levels are 1 (Standard mode), 7
(Enable mode), and 15 (Configuration mode). The service types must be linked
to one of the Director levels.
• retransmit integer sets the number of retries allowed for connection to the
RADIUS servers.
• timeout integer sets the timeout value. It should be of the format nnh nnm nns,
where nn is the number, h is the hour, m is the minute, and s is second, such as
radius-server timeout 05h 30m 10s.

3. Enter the following commands to configure a RADIUS server and override
the global defaults. If you do not need to override the defaults, you do not
need to set them.
director (config)# radius-server host hostname_or_device_id
director (config)# radius-server host hostname_or_device_id acct-port port-number
director (config)# radius-server host hostname_or_device_id auth-port port-number
director (config)# radius-server host hostname_or_device_id key password
director (config)# radius-server host hostname_or_device_id request-stype integer_between_1_and_11
director (config)# radius-server host hostname_or_device_id response-stype integer_between_1_and_11 privilege 1 | 7 | 15
director (config)# radius-server host hostname_or_device_id retransmit integer
director (config)# radius-server host hostname_or_device_id timeout integer
where
• acct-port port-number: The default is 1813.
• auth-port port-number: The default is 1812.
• key overrides the global setting for RADIUS servers for this system only. If
you need to change the key, you must also set the auth-port number.
• request-stype overrides the global setting for RADIUS servers for this system
only.
• response-stype overrides the global setting for RADIUS servers for this system
only.
• retransmit overrides the global setting for RADIUS servers for this system only.
• timeout overrides the global setting for RADIUS servers for this system only.

4. View the configuration of the RADIUS servers.


director (config) # show radius
Radius server configuration:
Global timeout: 19800 seconds
Global number of retransmission attempts: 5
Global key: test1
Global request-stype: 3
Global privilege-response mapping:
Privilege 1 :
Privilege 7 :
Privilege 15 : 3
Server 10.25.36.47:
Accounting port: 1813
Authorization port: 1812
Timeout:
Number of retransmission attempts:
Key:
request-stype:
privilege-response mapping:
Privilege 1 :
Privilege 7 :
Privilege 15 :
director (config) #

Configuring TACACS+
This section discusses how to configure TACACS+ authentication.


1. At the (config) command prompt, specify the types of authentication you
will use.
The aaa authentication login default command enables you to use any
combination of local, RADIUS, and TACACS to authenticate and authorize
users. Use the aaa authentication login default command to determine the
order in which the repositories are searched. Local authentication must
always be searched.
Command syntax follows:
director (config)# aaa authentication login default local [radius | tacacs]

While local must be specified, you can specify one, neither, or both of the
other two authentication methods. The search is done in the order specified in
the aaa authentication command. Note that if you are using TACACS+ only,
you do not need to configure RADIUS.
To use TACACS+ authentication, enter the following command:
director (config)# aaa authentication login default local tacacs

2. Enter the following commands to configure global TACACS+ server settings:
director (config)# tacacs-server key password
director (config)# tacacs-server timeout integer

where
• key password sets the authentication and encryption key for TACACS+ servers.
Note that this is not a key, such as an SSHv2 key, but a password.
• timeout integer sets the timeout value. It should be of the format nnh nnm nns,
where nn is the number, h is the hour, m is the minute, and s is second, such as
tacacs-server timeout 05h 30m 10s.

3. Enter the following commands to configure the TACACS+ server:
director (config) # tacacs-server host hostname_or_device_id key password
director (config) # tacacs-server host hostname_or_device_id port port-number
director (config) # tacacs-server host hostname_or_device_id single-connection
director (config) # tacacs-server host hostname_or_device_id timeout integer

where
• key password sets the authentication and encryption key for TACACS+ servers.
Note that this is not a key, such as an SSHv2 key, but a password.
• port port-number: The default is 49. You do not need to use the port option
unless you want to use a different port number.
• single-connection sets single-connection mode for this server. The default is
yes.
• timeout integer sets the timeout value. It should be of the format nnh nnm nns,
where nn is the number, h is the hour, m is the minute, and s is second, such as
tacacs-server timeout 05h 30m 10s.

4. View the TACACS+ server configuration:


director (config)# show tacacs
TACACS+ server configuration:
Global key: test2
Global timeout: 16200 seconds
Server 10.9.17.159:
Port: 49
Timeout: 9000 seconds
Key: test3
Single connection: yes

5. Confirm that all the methods of authentication were set up.


director (config)# show aaa authentication login
Authentication methods:
1. local
2. radius
3. tacacs+

Note: TACACS+ users are allowed full authentication privileges, but
authorization is not supported with TACACS+. Authorization is supported
for local and RADIUS only.

6. Save the configuration.


director (config)# write memory
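Two pieces of the RADIUS and TACACS+ configuration above are easy to get wrong: the response service-type to privilege-level mapping under "Configuring RADIUS", which decides whether a valid login is accepted at all, and the nnh nnm nns timeout format shared by radius-server timeout and tacacs-server timeout. The following Python model is an added example, not Blue Coat code and not Director's implementation: it keys the mapping by privilege level the way show radius prints it, applies the 16-byte remote user-name limit and the unmapped or absent service-type rejection stated in the notes, and converts the timeout format both ways so the seconds values printed by show radius and show tacacs can be checked. Refusing to map one service type to two privilege levels is an assumption of the example.

```python
import re

# RADIUS Service-Type values, numbered as in the radius-server request-stype table.
SERVICE_TYPES = {
    1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS Prompt", 8: "Authenticate Only",
    9: "Callback NAS Prompt", 10: "Call Check", 11: "Callback Administrative",
}
PRIVILEGE_LEVELS = (1, 7, 15)   # Standard (Login), Enable, Configuration
REMOTE_NAME_LIMIT = 16          # bytes; a longer remote user name fails to log in

# Default mapping from the guide, keyed by privilege level the way 'show radius'
# prints it: Login -> Login (1), NAS-Prompt -> Enable (7), Administrative -> Configuration (15).
DEFAULT_RESPONSE_MAPPING = {1: 1, 7: 7, 15: 6}


def set_response_stype(mapping, stype, privilege):
    """Model 'radius-server response-stype <1-11> privilege <1|7|15>'.
    Returns a new mapping; one service type per privilege level."""
    if stype not in SERVICE_TYPES:
        raise ValueError("service type must be 1..11")
    if privilege not in PRIVILEGE_LEVELS:
        raise ValueError("privilege must be 1, 7 or 15")
    # ASSUMPTION: a service type already mapped to a different level is refused,
    # because a reply carrying it could not be resolved to a single privilege.
    if any(st == stype and lvl != privilege for lvl, st in mapping.items()):
        raise ValueError(f"service type {stype} is already mapped to another level")
    new = dict(mapping)
    new[privilege] = stype
    return new


def privilege_from_reply(mapping, username, reply_stype):
    """Return the Director privilege level granted for an accepted RADIUS login,
    or None to reject it: the guide's 'Login incorrect' even with valid credentials."""
    if len(username.encode("utf-8")) > REMOTE_NAME_LIMIT:
        return None                     # user name longer than 16 bytes
    if reply_stype is None:
        return None                     # Service-Type not set at all
    for level, stype in mapping.items():
        if stype == reply_stype:
            return level
    return None                         # Framed, Outbound, Authenticate Only, ... unmapped


_TIMEOUT_RE = re.compile(r"^\s*(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s)?\s*$")


def timeout_seconds(text):
    """Parse the 'nnh nnm nns' form (each part optional, at least one present)
    used by radius-server timeout and tacacs-server timeout into seconds."""
    m = _TIMEOUT_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"expected nnh nnm nns, e.g. 05h 30m 10s, got {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def timeout_text(seconds):
    """Inverse of timeout_seconds: the seconds value that 'show radius' and
    'show tacacs' print, back in CLI form (19800 -> '05h 30m 00s')."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}h {minutes:02d}m {secs:02d}s"
```

Run against the sample outputs on this page, the global RADIUS timeout of 19800 seconds is 05h 30m 00s, the global TACACS+ timeout of 16200 seconds is 04h 30m 00s, and the per-server 9000 seconds is 02h 30m 00s; a reply with Service-Type Framed (2) under the default mapping yields None, which is the rejection the note above the RADIUS procedure describes.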


Determining the Connection Protocol


Director allows you to connect ProxySG appliances, the Management Console,
and Director appliance using the SSH Simple or SSH-RSA protocols. Director uses
SSH Simple by default.

Note: If you use SSH Simple to connect to the ProxySG appliance or to the
Director Management Console, no additional configuration is needed because
both Director and the ProxySG appliance use SSH Simple as the default
connection protocol.

For additional assistance, see one of the following sections:


❐ To use SSH-RSA to connect to the Director appliance using either the
command line or the Director Management Console, see "Generating RSA
Keys for Director Communication" on page 43.
❐ To use SSH-RSA to connect from Director to the appliances it manages, see
"Changing the Authentication Protocol" on page 124.

Managing Security Using Access Lists


Access lists and access groups enable you to manage security on your network
more efficiently. For example, you can prevent traffic coming from a particular IP
address or address range from reaching Director or you can disable certain
services (protocol/port combinations) for a particular interface. Access groups are
configured per interface, and, if they are present, Director checks all incoming and
outgoing packets.
Because Director assumes there is some overlap among rules in the same access
list, these lists are not checked for contradictions so use caution when setting up
access lists and access groups.
This section discusses the following topics:
❐ "Creating Access Lists To Control Access"
❐ "Creating Access Groups for an Interface" on page 518


Creating Access Lists To Control Access


An access list is consumed by an access group; in other words, an access list sets up
the list of access rules for an interface (for example, to deny TCP requests from a
particular network). The access list is associated with a particular interface using
an access group.
This section discusses the following topics:
❐ "About access-list Syntax"
❐ "Creating an Access List" on page 517

About access-list Syntax


This section discusses general information about the syntax of the access-list
command:
❐ "access-list Actions"
❐ "Protocol" on page 515
❐ "Source and Destination" on page 516
❐ "Port Number Matching" on page 516

access-list Actions
Possible actions are as follows:
❐ deny—The specified packets are dropped.
❐ permit—The specified packets are allowed.
❐ reject—The specified packets are dropped and Director returns an error code
to the sender of the packet or responds with an ICMP unreachable message,
depending on whether matching is done on outbound or inbound traffic,
respectively.

Protocol
Enables you to selectively permit, deny, or reject traffic from the following IP
protocols (transport layer and below only):
❐ All protocols (use the ip subcommand to specify all protocols)
❐ tcp
❐ udp
❐ icmp (including ICMP types)
You have the option of including the ICMP message type as part of the filter.
Omitting the ICMP type means you match all ICMP message types.
To do this, enter icmp icmp_type for the protocol, where icmp_type is defined as
follows:
❐ 0 (echo-reply)
❐ 3 (unreachable)
❐ 4 (source-quench)
❐ 5 (redirect)
❐ 8 (echo)


Source and Destination


Source and destination addresses can be used to selectively permit, reject, or deny
protocol traffic to and from source and destination addresses and address
wildcards.
Specify the source address first in the following format: source_ip_address
wildcard_mask. Together, they specify a network address range used to match
packets.
source_ip_address is the IP address of the source.
wildcard_mask is the opposite of a subnet mask for source_ip_address. For
example, if source_ip_address is 10.1.1.0, its subnet mask would be a Class C
mask (24-bit) mask of 255.255.255.0. wildcard_mask for this source_ip_address is
0.0.0.255.

Port Number Matching


This information applies to the UDP and TCP protocols only.
UDP and TCP access lists enable you to use port numbers as part of the access list
filter. Omitting the port number means the filter applies to all ports.
You can also use one of the following operators:
❐ gt (greater than)
❐ lt (less than)
❐ == (equal to)
❐ != (not equal to)
❐ range—destination port range, specified as the lower port number, space, and
the higher port number
For example, range 5000 6000


Creating an Access List


Follow these steps to create an access list and apply rules to it.
1. Use PuTTY or another SSH application to log in to Director as the admin user.
2. At the director > prompt, enter enable.
3. If prompted, enter the enable mode password.
4. At the director # prompt, enter configure terminal.
5. At the director (config) # command prompt, create an access list name
using the following command:
director (config)# access-list access-list_id

Note: This also puts you into the access-list submode, which allows you
to use access-list commands without having to type access-list
access-list_id before each command. To edit a different access-list, just
enter the new access-list name.

6. Create access lists.


Syntax follows:
director (config acl access-list-name) # {permit | deny | reject} ip_protocol any {any | destination_ip_address wildcard_mask | host ip_address} [log]

For details about these options, see "About access-list Syntax" on page 515.
For example, to deny incoming TCP traffic from IP address 192.168.0.2:
director (config) # access-list deny_rule
director (config acl deny_rule) # deny tcp any host 192.168.0.2

For more information on setting up access lists, refer to the Blue Coat Director
Command Line Interface Reference.
7. Save the changes.
director (config acl access_list_name)# exit
director (config)# write memory

8. View the access list to make sure the rules you defined are correct.
Each rule is numbered.
director (config) # show access-list deny_rule
Access-list deny_rule, type "filter"
0: deny 0.0.0.0 255.255.255.255 192.168.0.2 0.0.0.0 tcp

Note: To remove an access list, precede the command with no.
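To see how any, host and the address/wildcard pairs from "Source and Destination" and the operators from "Port Number Matching" come together in a rule, here is an added Python model, not Blue Coat code and not Director's implementation. It parses rule lines of the form typed in step 6, renders them the way show access-list printed the deny_rule example (any becomes 0.0.0.0 255.255.255.255 and host X becomes X 0.0.0.0), and evaluates constructed packets against a numbered list. It goes beyond the page's own rule by also accepting an address/wildcard source, an ICMP type and the gt, lt, ==, != and range port operators. First-match-wins ordering, the rendering of ICMP-type and port rules, and the packet dictionary fields are assumptions of the example; when no rule matches it returns None because the page does not state the implicit default.

```python
import ipaddress
import operator
from dataclasses import dataclass

ACTIONS = {"permit", "deny", "reject"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}          # ip = all protocols
PORT_OPS = {"gt": operator.gt, "lt": operator.lt, "==": operator.eq, "!=": operator.ne}


def wildcard_from_netmask(netmask):
    """255.255.255.0 -> 0.0.0.255: the wildcard mask is the inverted subnet mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))


def address_matches(addr, base, wildcard):
    """Wildcard bit 1 = don't care; bit 0 = must equal the corresponding bit of base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: int = None      # only for protocol icmp; None = all ICMP types
    port_op: str = None        # gt, lt, ==, !=, range (destination port, tcp/udp)
    port_args: tuple = ()
    log: bool = False

    def normalized(self):
        """Render the rule the way 'show access-list' prints it."""
        text = f"{self.action} {self.src} {self.src_wc} {self.dst} {self.dst_wc} {self.protocol}"
        # ASSUMPTION: the page shows no ICMP-type or port rule in show output; appended as typed.
        if self.icmp_type is not None:
            text += f" {self.icmp_type}"
        if self.port_op:
            text += f" {self.port_op} " + " ".join(map(str, self.port_args))
        return text


def _endpoint(tokens):
    """Consume 'any' | 'host ip' | 'ip wildcard' from the front of the token list."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_rule(text):
    """Parse one access-list submode line, e.g. 'deny tcp any host 192.168.0.2'."""
    tokens = text.split()
    action, protocol, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ACTIONS or protocol not in PROTOCOLS:
        raise ValueError(f"bad rule: {text!r}")
    icmp_type = None
    if protocol == "icmp" and rest and rest[0].isdigit():
        icmp_type, rest = int(rest[0]), rest[1:]
    src, src_wc, rest = _endpoint(rest)
    dst, dst_wc, rest = _endpoint(rest)
    port_op, port_args = None, ()
    if rest and rest[0] in PORT_OPS:
        port_op, port_args, rest = rest[0], (int(rest[1]),), rest[2:]
    elif rest and rest[0] == "range":
        port_op, port_args, rest = "range", (int(rest[1]), int(rest[2])), rest[3:]
    log = bool(rest) and rest[0] == "log"
    return Rule(action, protocol, src, src_wc, dst, dst_wc, icmp_type, port_op, port_args, log)


def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, dst, and optionally dport or icmp_type."""
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    if not (address_matches(pkt["src"], rule.src, rule.src_wc)
            and address_matches(pkt["dst"], rule.dst, rule.dst_wc)):
        return False
    if rule.icmp_type is not None and pkt.get("icmp_type") != rule.icmp_type:
        return False
    if rule.port_op:
        dport = pkt.get("dport")
        if dport is None:
            return False
        if rule.port_op == "range":
            return rule.port_args[0] <= dport <= rule.port_args[1]
        return PORT_OPS[rule.port_op](dport, rule.port_args[0])
    return True


def evaluate(rules, pkt):
    """Walk the numbered rules in order; the first match decides (ASSUMPTION: the guide
    only says contradictory rules are not detected). Returns (number, action) or None."""
    for number, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return number, rule.action
    return None
```

Parsing deny tcp any host 192.168.0.2 and calling normalized() reproduces the numbered line from step 8, deny 0.0.0.0 255.255.255.255 192.168.0.2 0.0.0.0 tcp, and a TCP packet to 192.168.0.2 from any source is denied by rule 0 while UDP to the same host or TCP to 192.168.0.3 falls through; this is also a convenient place to check that a wildcard mask was derived correctly from the subnet mask before the list is applied to an interface.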


Creating Access Groups for an Interface


After creating one or more access lists, you must apply the rules defined by the
lists to Director interfaces using an access group.

To associate an access list with an interface using an access group:


1. If you have not already done so, create an access list as discussed in "Creating
Access Lists To Control Access" on page 515.
2. Enter interface mode using the following command:
director (config) # interface interface_number

For example,
director (config) # interface ether-0

3. The syntax of the command to set up access groups follows:
director (config interface interface_number) # ip access-group access_list_name {in | out}

where access_list_name is the name of the access list to associate with
interface_number, in applies the rule to inbound traffic, and out applies the rule
to outbound traffic.

Note: To remove an access group, precede the command with no.

4. Save the changes.


director (config interface interface_number) # exit
director (config)# write memory

5. View information about the interface to make sure the access group is
associated; the Inbound access-list line shows the access list applied to the interface:
director (config) # show interfaces ether-0
Interface ether-0:
Enabled: yes
IP address: 172.16.35.16/16
Speed: auto <100>
Duplex: auto <full>
Type: Ethernet
Ethernet address: 00:e0:81:76:2f:18
Inbound access-list: deny_rule
MTU size: 1500 bytes
Statistics:
Packets received: 611731
Bytes received: 45823512
Multicast packets received: 0
Input errors: 0
Packets received with bad protocol: 0
Packets received not matching filters: 0
Packets received with short frames: 0
Packets sent: 236746
Bytes sent: 25085176
Output errors: 0
Packets dropped on output: 0
Collisions: 0
Underruns: 0


Using the SNMP Server


Director allows you to enable and disable Director SNMP server connections. You
can also set the:
❐ Read-only community name
If a community name is specified, this community name overrides the setting
of the snmp-server traps default-community, which is public. To clear this
override without removing the host from the list, reissue the snmp-server
host command without a community name. Community names should not
have any spaces.
❐ Contact string
❐ Specific hosts to receive SNMP notifications
❐ Location string
❐ Certain SNMP trap options
❐ Certain SNMP inform options
Director supports MIB-II RFC1213.
To enable the SNMP server:
1. At the (config) command prompt, enable SNMP connections.
director (config)# snmp-server enable [traps]

The optional traps parameter enables SNMP traps to be sent. SNMP traps are
limited to Director startup and shutdown.
2. Specify the SNMP management station to which SNMP notifications will be
sent:
director (config)# snmp-server host hostname_or_ip traps version 2c public

3. Save the configuration.


director (config)# write memory

Note: If you do not save the configuration by entering the write memory
command, the changes you made are not permanent and are lost at the next
reboot.

To disable the SNMP server:


1. At the (config) command prompt, disable SNMP server connections.
director (config)# no snmp-server enable [traps]

2. Disable all authtraps, inform and SNMP traps.


director (config)# no snmp-server enable inform
director (config)# no snmp-server enable traps

3. Save the configuration.


director (config)# write memory


For more information on Director CLI commands to manage the SNMP server
connections, refer to the Blue Coat Director Command Line Interface Reference.

Managing Sessions
To avoid overlapping or contradictory configuration changes, you can log off
other administrators who are using the Director Management Console. Each
Management Console instance starts as a session and sessions can be terminated
whether or not you are using explicit configuration mode.
Terminating a session affects administrators logged in to the Management
Console or in configuration mode on the command line. Terminating a session
does not affect a user directly connected to Director using the serial console.
Director shows a user directly connected to the Director appliance’s serial port as
user name console.

Note: Director supports a maximum of 14 simultaneous active sessions.

To manage sessions:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click File > Manage Sessions.
The Manage Sessions dialog box displays similarly to the following:


The following table shows the meanings of the columns in the Manage
Sessions dialog box:
❐ User Name: The administrator’s user name.
❐ IP Address: The IP address from which the Director Management Console is
being run.
❐ Session Count: The number of sessions for the IP address. Director can create
several sessions per Management Console connection.
❐ Lock State: (locked) means the user has acquired the configuration lock in
any of the following ways:
• By starting configuration mode in the CLI.
• By acquiring the lock in explicit lock mode.
For more information, see "About the Configuration Lock" on page 494.
(unlocked) means the user has not acquired the configuration lock.

3. Click the user whose session you want to cancel.


4. Click Logout.
A confirmation dialog box displays the result of the action.


Rebooting Director
Enter the following command to reboot Director:
director (config) # reload [force]

The optional force subcommand reboots this machine even if there are
outstanding configuration changes. These changes will then be lost.
A message similar to the following displays when Director is rebooting:
Connection closed by foreign host.

Shutting Down Director


To shut down Director, use the reload halt command. Do not disconnect the
power cable to shut down Director because that can lead to unexpected failures
and database corruption.

To shut down Director:


1. Connect to the Director serial console using a null modem cable.

Note: You can also use an SSH application to connect to Director, but you will
not get a system message indicating that it is safe to power down.

2. Save Director’s configuration:
director # write memory

3. Enter the following command to shut down Director:
director # reload halt [force]

Use the reload halt force command if you do not want to save any
configuration changes.
4. Unplug Director when the LCD panel goes blank and powers down. The
serial console displays Power down.

Appendix B: Replacing Director 800 With Director 510

SGME version 5.4 and later do not support the Director 800. This appendix
discusses how to replace a Director 800 with a Director 510. See the following
topics:
❐ "Procedure to Replace a Director 800"
❐ "Access List Differences" on page 525

Procedure to Replace a Director 800


The procedure that follows assumes the new Director 510 appliance uses the
same network settings as the Director 800 (that is, IP address, subnet mask,
default gateway, and DNS servers, if any).

After obtaining a Director 510 appliance:


1. If necessary, upgrade your Director 800 to a release from which your
Director 510 can be upgraded to SGME 5.4.
For example, you can upgrade the Director 800 to SGME 5.3.1.3 or 5.3.1.4.
For more information, see the Blue Coat Director Configuration and
Management Guide that corresponds to the SGME version your Director 800
currently runs.
2. Using an SSH application, log in to the Director 800 as an administrator.
For more information, see "Connecting to Director using SSH" on page 50.
3. Archive the Director 800 and store the image on an external server.
For more information, see the Blue Coat Director Configuration and
Management Guide that corresponds to the SGME version your Director 800
currently runs.
4. Power on the Director 510 and connect it to the network.

Note: To avoid the possibility of IP address conflicts, make sure only one
Director is connected to the network at a time.

5. Physically disconnect the Director 800 from the network.


6. Using its front panel or serial console, configure the Director 510’s IP
address, default gateway, and DNS server (if any).
Refer to the Quick Start Guide provided with the Director 510 appliance for
more information.
7. Using an SSH application, log in to the Director 510 as an administrator.
For more information, see "Connecting to Director using SSH" on page 50.


8. Fetch the archive from the external server and restore it on the Director 510.
For more information, see "Retrieving and Restoring the Archive" on page
475.

Important: SGME 5.3 and later do not archive Director’s network settings;
however, SGME versions earlier than 5.3 do archive Director’s network settings.
If you are restoring an archive with SGME 5.3 or later, reconfigure Director’s
network settings using its front panel or serial console using the interface
interface_number and ip default gateway commands as discussed in the Blue
Coat Director Command Line Interface Reference Guide.

9. Upgrade your Director 510 to SGME 5.4.
For more information, see Chapter 16: "Upgrading Director".
10. Your Director 510 is now ready to manage ProxySG appliances.

Note: Depending on the number of ProxySG devices Director manages, it
might take several minutes for Director to establish connections to all of them.


Access List Differences


This section discusses differences in the access-list command between the
Director 800 and the Director 510.
This section assumes you are already familiar with access lists because you have
previously set them up on your Director 800. If you need more information about
access lists, see "Managing Security Using Access Lists" on page 514.

About the access-list Command


Access lists and access groups enable you to manage security on your network
more efficiently. For example, you can prevent traffic coming from a particular IP
address or address range from reaching Director or you can disable certain
services (protocol/port combinations) for a particular interface. Access groups are
configured per interface, and, if they are present, Director checks all incoming and
outgoing packets.
To set up an access list, use the access-list command to create the access rules
and apply the access list to a Director interface using the interface interface
access-group command.

Summarizing the Differences


By default, the Director 800 denies all traffic unless you specifically permit it
whereas the Director 510 permits all traffic unless you specifically deny it.
Therefore, after you switch from a Director 800 to a Director 510, you should
delete any permit rules and replace them with deny rules.

Example Access Lists


This section discusses some example rules and how you should change them after
you replace a Director 800 with a Director 510.

Restricting Traffic to One Source and One Destination Only


This example assumes you want to restrict traffic through Director’s ether-0
interface to one source IP (192.168.0.2) and one destination IP (172.16.45.141). For
example, the source IP address might be your workstation and the destination IP
address might be a RADIUS server Director uses to authenticate users.
To enforce this rule, enter the following commands in the order shown:
director (config)# access-list permitOne permit tcp host 192.168.0.2 host 172.16.45.141
director (config)# access-list permitOne deny ip any any
director (config)# interface ether-0 ip access-group permitOne in


Replacing a Permit Rule With an Equivalent Deny Rule


This example discusses how to replace a permit rule on the Director 800 with an
equivalent deny rule on a Director 510. This is necessary because by default,
Director 800 denies all traffic that is not specifically permitted while the Director
510 permits all traffic that is not specifically denied.
In this example, assume you want to permit users in the 10.107.0.0/24 network to
connect to Director (at IP address 192.168.0.5) using an SSH application or the
Management Console. All other access to Director will be denied.
You set up an access list on Director 800 and named it allow10 and will replace it
with an access list on the Director 510 named allow10New.
Enter the following commands to dissociate the old access list from the interface
and to remove it from Director entirely:
director (config) # no interface ether-0 ip access-group in
director (config)# no access-list allow10
Enter the following command to create the new access list:
director (config) # access-list allow10New
Enter the following commands to configure the access list and associate it with
interface ether-0:
director (config acl allow10New) # permit tcp 10.107.0.0 0.0.0.255 192.168.0.5
director (config acl allow10New) # deny ip any any
director (config)# exit
director (config)# interface ether-0 ip access-group allow10New in
0.0.0.255 is a source wildcard mask, which is the opposite of a subnet mask for
source_ip_address. The preceding example allows only users in the IP address
range 10.107.0.0 to 10.107.0.255 to access Director at IP 192.168.0.5 using the TCP
protocol. All other access is denied.
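The following Python model, added here as an illustration and not part of the Blue Coat guide or the Director software, evaluates access-list rules written in the syntax of the two examples above (permitOne and allow10New) against sample packets. It exists to make two points from this appendix concrete: a wildcard mask such as 0.0.0.255 is the inverse of a subnet mask, and a rule set without a trailing deny behaves differently on a Director 800 (default deny) than on a Director 510 (default permit). First-match evaluation, the rule grammar accepted by parse_rule, and the two platform defaults are assumptions based on the examples in this appendix, not a specification of the appliance's parser.

```python
# Added example (not Blue Coat code): a model of Director-style access-list
# evaluation, written to show why the same rule set behaves differently on a
# Director 800 (default deny) and a Director 510 (default permit), and what a
# wildcard mask such as 0.0.0.255 matches. Rule syntax, platform defaults and
# first-match evaluation are assumptions taken from the examples in this appendix.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit integers

DIRECTOR_800_DEFAULT = "deny"    # Director 800: deny unless explicitly permitted
DIRECTOR_510_DEFAULT = "permit"  # Director 510: permit unless explicitly denied


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: AddrSpec
    dst: AddrSpec


def _to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D WILDCARD'. A bare address followed by a second address is read as
    address + wildcard mask, as in the allow10New example; use 'host' for a
    single address that is followed by a destination."""
    if i >= len(tokens):            # missing destination: treat as "any"
        return (0, 0xFFFFFFFF), i
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (_to_int(tokens[i + 1]), 0), i + 2
    addr = _to_int(tok)
    if i + 1 < len(tokens):
        try:
            return (addr, _to_int(tokens[i + 1])), i + 2
        except ipaddress.AddressValueError:
            pass                    # next token is a keyword ("host", "any"), not a mask
    return (addr, 0), i + 1


def parse_rule(line: str) -> Rule:
    """Parse 'permit tcp host A host B' or 'access-list NAME deny ip any any'."""
    tokens = line.split()
    if tokens[0] == "access-list":  # global-mode form: drop "access-list NAME"
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return Rule(action, proto, src, dst)


def _matches(spec: AddrSpec, addr: int) -> bool:
    """Wildcard semantics: bits set in the wildcard are ignored, all others must match."""
    base, wildcard = spec
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             default: str) -> str:
    """First matching rule wins; with no match the platform default applies."""
    s, d = _to_int(src_ip), _to_int(dst_ip)
    for r in rules:
        if r.proto in ("ip", proto) and _matches(r.src, s) and _matches(r.dst, d):
            return r.action
    return default


def wildcard_from_prefix(prefix: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


# Constructed rule sets taken from the allow10New example above.
ALLOW10_NO_DENY = [parse_rule("permit tcp 10.107.0.0 0.0.0.255 192.168.0.5")]
ALLOW10_NEW = ALLOW10_NO_DENY + [parse_rule("deny ip any any")]
```

Running evaluate with ALLOW10_NO_DENY and a source outside 10.107.0.0/24 returns "deny" under DIRECTOR_800_DEFAULT but "permit" under DIRECTOR_510_DEFAULT, which is exactly why the trailing deny ip any any must be present after the migration; with ALLOW10_NEW both platforms deny that source.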

Appendix C: Management Console Browser Details

This appendix discusses how to set up supported Web browsers to connect to
the Director Management Console and discusses in detail the tasks required to
connect to it. For information about system requirements, including operating
systems and Web browsers, see the Director Release Notes.
This appendix discusses the following topics:
❐ "Introduction to the Director Management Console"
❐ "Internet Explorer 6, 7, and 8" on page 528
❐ "Firefox 3 and 3.5" on page 534
❐ "Safari 3" on page 546

Introduction to the Director Management Console


Starting with SGME version 5.4.2, the Director is a Java Web Start application.
Web Start applications use the Java Network Launch Protocol (JNLP) to deploy
multi-platform Java-based client applications. As a result, the Director
Management Console can be accessed using any of the supported Web
browsers listed in the Director Release Notes.
Assuming you already installed JRE 1.6, Update 1 or later from Sun, the
following steps summarize the process of starting the Director Management
Console:
1. A certificate error displays.

Note: Because the Blue Coat certificate is not recognized by client browsers,
during the process of connecting to the Management Console, certificate errors
display. These errors are normal and do not indicate a problem with Director.

2. The login page displays.


3. First time only: the Management Console application downloads to the
computer.
4. The Director Management Console Java application starts.
5. You are prompted to accept Director’s certificate.
6. The Management Console displays.

Note: Depending on your Web browser’s security settings, other prompts
might display.


More detailed information about each supported browser follows:
❐ "Internet Explorer 6, 7, and 8"
❐ "Firefox 3 and 3.5" on page 534
❐ "Safari 3" on page 546

Note: The information discussed in this appendix is provided for your
information only and might not be accurate for your environment. For
example, if you have a newer JRE version, the pages that display information
about downloading the Director Management Console .jnlp file might look
different.

Internet Explorer 6, 7, and 8


This section discusses how to set up Internet Explorer 6, 7, or 8 to work with the
Director Management Console and discusses in detail the prompts you receive
while connecting to the Management Console.
For more information, see:
❐ "Setting Up Internet Explorer 6, 7, or 8"
❐ "Internet Explorer 7 and 8 Connection Details" on page 529
❐ "Internet Explorer 6 Connection Details" on page 532

Setting Up Internet Explorer 6, 7, or 8


This section discusses how to set up Internet Explorer 6, 7, or 8 for use with the
Director Management Console. These settings work on Windows XP and
Windows Vista computers.

To set up Internet Explorer 6, 7, or 8 for the Director Management Console:


1. Start Internet Explorer.
2. Click Tools > Internet Options.
3. Click the Security tab.
4. In the Security level for this zone section, click one of the following:

Security setting        Comment

Medium-high or lower    Works without further modifications.

Custom                  Works only if you continue with the following steps.

High                    Incompatible with the Director Management Console. You
                        can try to change the security setting to Medium-high or
                        Custom and continue with the following steps.

5. To use the Director Management Console with custom internet security
settings, click Custom level.


The Security Settings—Internet Zone dialog box displays.

6. Make the following selections:

Node        Setting

Downloads   For File download, click Enable.
Scripting   For Active scripting, click Enable.

Internet Explorer 7 and 8 Connection Details


When you start the Director Management Console using Internet Explorer 7 or 8:
1. Enter the following URL in your browser’s address or location field:
https://director_host_or_ip:8082

The certificate error page displays.

2. You must click Continue to this website (not recommended) to continue.
Depending on your Internet zone security settings, the following dialog box
might display.

3. If the preceding dialog box displays, you must click No to continue.


4. When prompted, log in to Director.


5. One of the following messages displays as the JNLP application starts to
download:
• Windows XP:

• Windows Vista:

6. A certificate error displays:

7. You must click Yes to continue.


If you select the Always trust content from this publisher check box, you will not be
prompted again.


8. If you are accessing the Management Console for the first time, a message
displays as the application is downloaded to your computer:

The Progress Dialog displays as the Management Console establishes a
connection to Director.

9. The Director Management Console displays.


If a dialog box displays with the following text, see "Director RSA Fingerprint
Warning" on page 549:
WARNING - POTENTIAL SECURITY BREACH!
The Director's host key does not match the one on your local
machine.This means that either the Director's admin has changed the
host key, or you have actually connected to another computer pretending
to be the Director.

10. You can now close the original Web browser window.


Internet Explorer 6 Connection Details


When you start the Director Management Console using Internet Explorer 6, the
following occurs:
1. Enter the following URL in your browser’s address or location field:
https://director_host_or_ip:8082

The certificate error page displays.

2. You must click Yes to continue.


Depending on your Internet zone security settings, the following security
dialog box might display.

3. If the preceding dialog box displays, you must click Yes to continue.
4. When prompted, log in to Director.
5. The following message displays as the JNLP application starts to download:


6. If you are accessing the Management Console for the first time, a message
displays as the application is downloaded to your computer:

7. A certificate error displays:

8. You must click Yes to continue.


If you select the Always trust content from this publisher check box, you will not be
prompted again.
The Progress Dialog displays as the Management Console establishes a
connection to Director.

9. The Director Management Console displays.


If a dialog box displays with the following text, see "Director RSA Fingerprint
Warning" on page 549:
WARNING - POTENTIAL SECURITY BREACH!
The Director's host key does not match the one on your local
machine.This means that either the Director's admin has changed the
host key, or you have actually connected to another computer pretending
to be the Director.

10. You can now close the original Web browser window.

Firefox 3 and 3.5


This section discusses how to set up Firefox 3.x (including version 3.5) to work
with the Director Management Console and discusses in detail the prompts you
receive while connecting to the Management Console.
For more information, see:
❐ "Setting Up Firefox 3.x (Including 3.5)"
❐ "Firefox 3.5 Connection Details" on page 535
❐ "Firefox 3.x Connection Details" on page 540

Setting Up Firefox 3.x (Including 3.5)


This section discusses how to set up Firefox 3.x (including version 3.5) for use
with the Director Management Console. These settings work on Windows XP and
Windows Vista computers.

To set up Firefox 3.x for the Director Management Console:


1. Start Firefox.
2. Click Tools > Options.
3. Click the Content tab.
4. Select the Enable Java check box.
5. Click OK.


Firefox 3.5 Connection Details


When you start the Director Management Console using Firefox 3.5, the following
occurs:
1. Enter the following URL in your browser’s address or location field:
https://director_host_or_ip:8082

A certificate error displays:

2. You have the following options:

Option                   Description

Get me out of here!      Click to quit without attempting to connect to Director.

Technical Details        Click to display information similar to the following:
                         192.168.0.141:8082 uses an invalid security certificate.
                         The certificate is not trusted because it is self-signed.
                         The certificate is only valid for Director
                         (Error code: sec_error_ca_cert_invalid)
                         This message does not indicate an error or security risk.

I Understand the Risks   Click to continue connecting to Director.


3. If you clicked I Understand the Risks, the dialog box displays similar to the
following.

4. Click Add Exception.


The following dialog box displays.

5. You have the following options:

Option                            Description

Get Certificate button            Click to display Director’s certificate.

View button                       Click to display the certificate to make sure it
                                  is correct. The certificate should have the
                                  following characteristics at minimum:
                                  • Issued To
                                    • CN is Director
                                    • Serial Number is Director’s serial number
                                      in hexadecimal format
                                  • Issued By
                                    • CN is Director
                                    • O is Blue Coat
                                    • OU is Blue Coat

Permanently store this exception  Select this check box to accept Director’s
                                  certificate and not be prompted again.

Confirm Security Exception        Click to continue connecting to Director.

6. Do any of the following:
• If Director’s certificate does not display and if the other options on the
dialog box are unavailable, click Get Certificate.
• If the button is available, click Confirm Security Exception.
7. If the following dialog box displays, click Resend.

8. When prompted, log in to Director.


9. You are then prompted to download and run the Director Management
Console application.

10. Click Open with, choose the default selection Java(TM) Web Start Launcher (default),
and click OK.
A certificate error displays.


11. You must click Yes to continue.
If you optionally select the Always trust content from this publisher check box, you
will not be prompted in the future.
If this is the first time you have run the Management Console on this
computer, a dialog box displays as the Management Console application is
downloaded to your computer.

12. One of the following messages displays as the Management Console is
starting:
• Windows XP:

• Windows Vista:


The Progress Dialog displays as the Management Console establishes a
connection to Director.

13. The Director Management Console displays.


If a dialog box displays with the following text, see "Director RSA Fingerprint
Warning" on page 549:
WARNING - POTENTIAL SECURITY BREACH!
The Director's host key does not match the one on your local
machine.This means that either the Director's admin has changed the
host key, or you have actually connected to another computer pretending
to be the Director.

14. You can now close the original Web browser window.

Firefox 3.x Connection Details


When you start the Director Management Console using Firefox 3.x (where x is
less than 5), the following occurs:
1. Enter the following URL in your browser’s address or location field:
https://director_host_or_ip:8082

The Secure Connection Failed dialog box displays.

2. You must click Or you can add an exception to continue.


The next page enables you to add an exception for Director’s certificate.

3. Click Add Exception.


The next page enables you to get Director’s certificate.

4. Click Get Certificate.


The last page enables you to import the certificate.

5. You have the following options:

Option                            Description

Get Certificate button            Click to display information about Director’s
                                  certificate.

View button                       Click to display the certificate to make sure it
                                  is correct. The certificate should have the
                                  following characteristics at minimum:
                                  • Issued To
                                    • CN is Director
                                    • Serial Number is Director’s serial number
                                      in hexadecimal format
                                  • Issued By
                                    • CN is Director
                                    • O is Blue Coat
                                    • OU is Blue Coat

Permanently store this exception  Select this check box to accept Director’s
                                  certificate and not be prompted again.

Confirm Security Exception        Click to continue connecting to Director.

6. Click Confirm Security Exception.


To store the exception so you are not prompted again, select the Permanently
store this exception check box.

7. When prompted, log in to Director.


8. One of the following messages displays as the JNLP application starts to
download:
• Windows XP:

• Windows Vista:

9. You are then prompted to download and run the Director Management
Console application.

10. Click Open with, choose the default selection Java(TM) Web Start Launcher (default),
and click OK.


A certificate error displays.

11. You must click Yes to continue.


If you optionally select the Always trust content from this publisher check box, you
will not be prompted in the future.
If this is the first time you have run the Management Console on this
computer, a dialog box displays as the Management Console application is
downloaded to your computer.

The Progress Dialog displays as the Management Console establishes a
connection to Director.

12. The Director Management Console displays.


If a dialog box displays with the following text, see "Director RSA Fingerprint
Warning" on page 549:
WARNING - POTENTIAL SECURITY BREACH!
The Director's host key does not match the one on your local
machine.This means that either the Director's admin has changed the
host key, or you have actually connected to another computer pretending
to be the Director.

13. You can now close the original Web browser window.


Safari 3
This section discusses how to set up Safari 3 to work with the Director
Management Console and discusses in detail the prompts you receive while
connecting to the Management Console.
For more information, see:
❐ "Setting Up Safari 3"
❐ "Safari 3 Connection Details" on page 546

Setting Up Safari 3
This section discusses how to set up Safari 3 for use with the Director
Management Console. These settings work on Windows XP and Windows Vista
computers.

To set up Safari 3 for the Director Management Console:


1. Start Safari.
2. Click Edit > Preferences.
3. In the horizontal navigation bar, click Security.
4. On the Security page, select the Enable Java check box.
5. Close the dialog box.

Safari 3 Connection Details


When you start the Director Management Console using Safari 3, the following
occurs:
1. Enter the following URL in your browser’s address or location field:
https://director_host_or_ip:8082

A certificate warning displays.

2. Click Continue to log in to Director or click Show Certificate to see more
information about Director’s certificate.
3. When prompted, log in to Director.


You are prompted to download and run the Director Management Console
application.

4. Click Open.
The File Download dialog box displays.

5. Click Open.
A certificate warning displays.

6. You must click Yes to continue.


If this is the first time you have run the Management Console on this
computer, a dialog box displays as the Management Console application is
downloaded to your computer.


7. One of the following messages displays as the Management Console is
starting:
• Windows XP:

• Windows Vista:

The Progress Dialog displays as the Management Console establishes a
connection to Director.

8. The Director Management Console displays.


If a dialog box displays with the following text, see "Director RSA Fingerprint
Warning" on page 549:
WARNING - POTENTIAL SECURITY BREACH!
The Director's host key does not match the one on your local
machine.This means that either the Director's admin has changed the
host key, or you have actually connected to another computer pretending
to be the Director.

9. You can now close the original Web browser window.


Director RSA Fingerprint Warning


The following warning might display after you log in to the Director
Management Console:

For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
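The check behind this dialog is a known-host comparison: the Management Console keeps the fingerprint of Director's host key on the local machine and warns when the key presented at login differs. The following Python model, added here as an illustration and not code from the Blue Coat guide or the Director software, reproduces that logic as a per-Director fingerprint cache and maps the dialog's Cancel, No and Yes choices onto it. The SHA-256 fingerprint format, the exact effect of each choice on the cache, and the key bytes are assumptions: real host keys are encoded RSA public keys, not the constructed byte strings used here.

```python
# Added example (not Blue Coat code): the known-host check behind the
# "POTENTIAL SECURITY BREACH" dialog, modelled as a per-Director fingerprint
# cache with the three choices the dialog offers. Fingerprint format (SHA-256,
# OpenSSH style), the cache behaviour of each choice, and the key bytes below are
# assumptions; real host keys are encoded RSA public keys, not these placeholders.
import base64
import hashlib
from typing import Dict, List, Optional


def fingerprint(host_key: bytes) -> str:
    """OpenSSH-style SHA-256 fingerprint: 'SHA256:' + unpadded base64 digest."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyCache:
    """Fingerprints this machine has accepted, keyed by Director address."""

    def __init__(self) -> None:
        self._known: Dict[str, str] = {}

    def cached(self, director: str) -> Optional[str]:
        return self._known.get(director)

    def classify(self, director: str, presented_key: bytes) -> str:
        """'first-contact' (nothing cached yet), 'match', or 'mismatch' (warn)."""
        cached = self.cached(director)
        if cached is None:
            return "first-contact"
        return "match" if cached == fingerprint(presented_key) else "mismatch"

    def answer_warning(self, director: str, presented_key: bytes, choice: str) -> str:
        """Apply the dialog's Cancel / No / Yes to a presented host key.

        Cancel: quit; the cache is left untouched.
        No:     keep the cached fingerprint; the connection succeeds only if the
                presented key is the cached one, so a changed key fails here.
        Yes:    accept the presented key, replacing whatever was cached.
        """
        if choice == "Cancel":
            return "aborted"
        if choice == "No":
            cached = self.cached(director)
            if cached is not None and cached == fingerprint(presented_key):
                return "connected"
            return "connection-failed"
        if choice == "Yes":
            self._known[director] = fingerprint(presented_key)
            return "connected"
        raise ValueError(f"unknown choice {choice!r}")


# Constructed sample keys (placeholders, not real RSA material).
DIRECTOR_KEY = b"ssh-rsa constructed-director-host-key-v1"
OTHER_KEY = b"ssh-rsa constructed-different-host-key"


def demo() -> List[str]:
    """Walk through first login, a normal re-login, and a changed host key."""
    cache = HostKeyCache()
    director = "192.168.0.141:8082"   # address reused from the Firefox example above
    out = []
    out.append(cache.classify(director, DIRECTOR_KEY))                 # first-contact
    out.append(cache.answer_warning(director, DIRECTOR_KEY, "Yes"))    # connected
    out.append(cache.classify(director, DIRECTOR_KEY))                 # match
    out.append(cache.classify(director, OTHER_KEY))                    # mismatch
    out.append(cache.answer_warning(director, OTHER_KEY, "No"))        # connection-failed
    out.append(cache.answer_warning(director, OTHER_KEY, "Cancel"))    # aborted
    out.append(cache.classify(director, DIRECTOR_KEY))                 # match, cache unchanged
    return out
```

The demo shows why "No" is the safe probe after an unexpected warning: it never stores the new fingerprint, so a key that differs from the cached one fails to connect instead of being trusted, and the original fingerprint still matches afterwards.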


Index

A
adding policy to an overlay 171
admin user, explained 502
administrator activity logging
    enabling TACACS+ 362
    job logging format 447
    setting the logging level 364
    TACACS+ 357
alerts
    about 332
    managing 338
appliance certificates
    and device registration 68
    getting 75
archive Director 463
archiving and uploading Director 470
ARP, troubleshooting 442
audit logging
    and event logging 358, 418
    configuring 364
    examples 359, 419
    logging level 364
    overflow policy 365
    overview 357
    related commands 366
    SCP server 364
    TACACS+ authentication 362
    verifying settings 366
    what is logged 357, 417
authentication commands
    error messages 445

B
back up Director 463
backup
    device, comparing 459
    device, creating 453
    device, deleting 459
    pinning device configurations 457
    restoring device 458

C
CLI
    error messages 438
    authentication 445
    devices 442
    help 440
    host names 442
    listed 438
    logging 443
    RADIUS 445
    user directory 439
    usernames and passwords 438
    FTP
        server connections, configuring 42
        server connections, disabling 42
    overview 38
    privilege level, setting 502
    troubleshooting 441
    user account
        managing 502
configuration
    files, destroying 489
    files, renaming 465
    files, viewing 464
    saving 463
    switching files 465
configuration files
    about 464
    deleting 465
    saving 464
configuration lock
    about 494
    breaking lock 496
    configuration changes, making 495
    explicit lock mode 494
    implicit lock mode 495
    lock mode, switching 497
    switching lock modes 495
content
    distributing URLs 215, 221
    distribution, about 207
    querying 226
Content Sync Module (CSM) 38
    overview 33

D
delete overlay 176
device
    edition or model 332
device error messages 442
device registration
    about 65
    about the process 84
    and appliance certificates 68
    appliance certificates, determining support for 71
    configuring registration password 77
    Director appliance certificate, determining support for 73
    getting device an appliance certificate 75
    getting Director appliance certificate 78
    methods 85
    pre-staged records, using 97
    pre-staged records, without 86
    process overview 69
    resetting passwords after 92
    SSH-RSA and SSH Simple 66
device statistics, viewing 348
device status 330
devices, adding 114
diff utility, using in Management Console 177
Director
    adding devices 114
    alerts
        managing 338
        overview 332
    appliance certificate, determining if supported 73
    appliance certificate, getting 78
    authentication protocols 124
    capabilities 34
    CLI overview 38
    configuration lock 494
    Manage Device page 348
    Management Console overview 38
    monitoring 329
    monitoring group and device status 330
    overlays
        naming 163
        Refreshables 164
    profiles
        applying 154
        settings 149
    viewing device edition 332
    viewing device statistics 348
    viewing group status 330

E
error messages
    ARP 442
    CLI 438
    CLI help 440
    clock 439
    host names 442
    LCD 439
    LCD front panel 439
    SNMP 440
    time, NTP 439
    troubleshooting CLI 441
    user directory 439
    usernames and passwords 438

F
FTP
    server connections configuring 42
    server connections, disabling 42

G
group search 185
group status 330

H
health monitoring
    Connected state 373
    Critical state 373
    Director 369
    general metrics 373
    license expiration 372
    licensing metrics 374
    modifying properties 378
    notification 376
    OK state 373
    requirements 370
    state descriptions 373
    status metrics 375
    Warning state 373
health report 354

J
jobs
    about 231
    actions 239
    GUI actions 232
    verifying backup jobs 286

L
LCD error messages 439
local user accounts, creating 502
lock holder, determining 496
logging
    error messages 443
    levels, setting 364
logging, audit. See audit logging

M
Manage Device page 348
Management Console
    connecting to 52
    overview 38
monitoring
    configuring Director to send SGOS state traps 383

N
NTP, error messages 439

O
overflow policy, audit logging 365
overlay
    adding VPM policy 171
    delete 176
overlays
    CLI, managing through 176
    deleting through Management Console 176
    executing through the Management Console 168
    managing through Management Console 163
    naming 163
    overview 159
    Refreshables 164

P
partial device record 99
Performance Analysis Report 350
ports
    authentication 40
    registration 66
privilege level, setting 502
profiles
    applying 154
    comparing 177
    deleting 158
    settings 149

R
RADIUS
    defined 508
    error messages 445
    servers, configuring 509
rebooting 231
registering devices. See device registration
registration password, configuring 77

S
schedule error messages 444
search
    advanced 188
    basic 187
    devices 185
    groups 185
    jobs 185
    overlays 185
    profiles 185
security, managing through access lists 514
SGMEOS
    CLI overview 38
    Management Console overview 38
sinks, log types 422
SNMP commands
    connections, configuring 519
    connections, disabling 519
    error messages 440
SNMP device-state traps 383
SSH, authentication error messages 445
SSH-RSA
    keypairs 127
standby
    Active backoff 394
    Active state 390
    administrator actions 392
    clock synchronization 388
    concepts 392
    configuration change recommendations 400
    configuring the pair 397
    connectivity monitoring 393
    data mirroring 393
    failover 394
    failover assumptions 392
    failure
        jobs in process 408
        unsynchronized changes 407
    identity 398
    implementation details 396
    moving Directors 403
    network outages 405
    partner
        state 398
        status 399
    Primary Director 389
    remote management stations 388
    requirements 388
    Secondary Director 389
    SNMP 394
    SNMP notifications 397, 412
    software upgrades 409
    standby pair defined 389
    states 391, 392
    supported platforms 388
    sync
        definition 390
        state 398
        status 399
    terminology 388
    use scenario 401
    viewing state 398
substitution variables
    examples 296
    file format, devices 306
    file format, groups 306
    importing substitution variable files 304
    resolving conflicts 297
    validating 320

T
TACACS
    authentication, enabling 362
    servers, configuring 509
Telnet
    connections, configuring 42
    connections, disabling 42
time management commands, error messages, clock 439
troubleshooting
    ARP 442
    authentication 445
    CLI help 440
    destroying old configuration files 489
    devices, error messages 442
    host names 442
    LCD error messages 439
    LCD front panel 439
    logging 443
    RADIUS 445
    schedule 444
    SNMP 440
    SSH 445
    time, clock 439
    time, NTP 439
    user directory 439
    user management 438
    usernames and passwords 438

U
user account management
    discussed 502
    error messages 438
    local accounts, creating 502
    restricting privileges 502

V
VPM 171

W
workgroups
    creating 504
    default 504
    priority level, setting 505
    rules, setting 505
    saving 507
    users, adding 506