Director™
Contact Information
Americas:
Blue Coat Systems Inc.
410 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
Copyright© 1999-2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat
Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®,
PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®,
Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY “BLUE COAT”) DISCLAIM ALL
WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND
DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT,
ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER
LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
Director Configuration and Management Guide
following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the
Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the
NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You
distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as
modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use,
reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the
Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall
supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as
required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its
Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation,
any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely
responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under
this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable
law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect,
special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not
limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such
Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for,
acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations,
You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and
hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or
additional liability.
Java JRE
SUN MICROSYSTEMS, INC. ("SUN") IS WILLING TO LICENSE THIS SPECIFICATION TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT
ALL OF THE TERMS CONTAINED IN THIS AGREEMENT. PLEASE READ THE TERMS AND CONDITIONS OF THIS AGREEMENT CAREFULLY. BY
DOWNLOADING THIS SPECIFICATION, YOU ACCEPT THE TERMS AND CONDITIONS OF THE AGREEMENT.
Specification: JAVA PLATFORM, STANDARD EDITION ("Specification")
Version: 6
Status: Final Release
Release: December 7, 2006
Copyright 2006 SUN MICROSYSTEMS, INC.
4150 Network Circle, Santa Clara, California 95054, U.S.A
All rights reserved.
LIMITED LICENSE GRANTS
1. License for Evaluation Purposes.
Sun hereby grants you a fully-paid, non-exclusive, non-transferable, worldwide, limited license (without the right to sublicense), under Sun's applicable
intellectual property rights to view, download, use and reproduce the Specification only for the purpose of internal evaluation. This includes (i) developing
applications intended to run on an implementation of the Specification, provided that such applications do not themselves implement any portion(s) of the
Specification, and (ii) discussing the Specification with any third party; and (iii) excerpting brief portions of the Specification in oral or written
communications which discuss the Specification provided that such excerpts do not in the aggregate constitute a significant portion of the Specification.
2. License for the Distribution of Compliant Implementations.
Sun also grants you a perpetual, non-exclusive, non-transferable, worldwide, fully paid-up, royalty free, limited license (without the right to sublicense)
under any applicable copyrights or, subject to the provisions of subsection 4 below, patent rights it may have covering the Specification to create and/or
distribute an Independent Implementation of the Specification that: (a) fully implements the Specification including all its required interfaces and
functionality; (b) does not modify, subset, superset or otherwise extend the Licensor Name Space, or include any public or protected packages, classes, Java
interfaces, fields or methods within the Licensor Name Space other than those required/authorized by the Specification or Specifications being implemented;
and (c) passes the Technology Compatibility Kit (including satisfying the requirements of the applicable TCK Users Guide) for such Specification ("Compliant
Implementation"). In addition, the foregoing license is expressly conditioned on your not acting outside its scope. No license is granted hereunder for any
other purpose (including, for example, modifying the Specification, other than to the extent of your fair use rights, or distributing the Specification to third
parties). Also, no right, title, or interest in or to any trademarks, service marks, or trade names of Sun or Sun's licensors is granted hereunder. Java, and
Java-related logos, marks and names are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
3. Pass-through Conditions.
You need not include limitations (a)-(c) from the previous paragraph or any other particular "pass through" requirements in any license You grant concerning
the use of your Independent Implementation or products derived from it. However, except with respect to Independent Implementations (and products
derived from them) that satisfy limitations (a)-(c) from the previous paragraph, You may neither: (a) grant or otherwise pass through to your licensees any
licenses under Sun's applicable intellectual property rights; nor (b) authorize your licensees to make any claims concerning their implementation's compliance
with the Specification in question.
4. Reciprocity Concerning Patent Licenses.
a. With respect to any patent claims covered by the license granted under subparagraph 2 above that would be infringed by all technically feasible
implementations of the Specification, such license is conditioned upon your offering on fair, reasonable and non-discriminatory terms, to any party seeking it
from You, a perpetual, non-exclusive, non-transferable, worldwide license under Your patent rights which are or would be infringed by all technically feasible
implementations of the Specification to develop, distribute and use a Compliant Implementation.
b. With respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2, whether or not their infringement can be
avoided in a technically feasible manner when implementing the Specification, such license shall terminate with respect to such claims if You initiate a claim
against Sun that it has, in the course of performing its responsibilities as the Specification Lead, induced any other entity to infringe Your patent rights.
c. Also with respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2 above, where the infringement of such
claims can be avoided in a technically feasible manner when implementing the Specification such license, with respect to such claims, shall terminate if You
initiate a claim against Sun that its making, having made, using, offering to sell, selling or importing a Compliant Implementation infringes Your patent rights.
5. Definitions.
For the purposes of this Agreement: "Independent Implementation" shall mean an implementation of the Specification that neither derives from any of Sun's
source code or binary code materials nor, except with an appropriate and separate license from Sun, includes any of Sun's source code or binary code
materials; "Licensor Name Space" shall mean the public class or interface declarations whose names begin with "java", "javax", "com.sun" or their equivalents
in any subsequent naming convention adopted by Sun through the Java Community Process, or any recognized successors or replacements thereof; and
"Technology Compatibility Kit" or "TCK" shall mean the test suite and accompanying TCK User's Guide provided by Sun which corresponds to the
Specification and that was available either (i) from Sun's 120 days before the first release of Your Independent Implementation that allows its use for
commercial purposes, or (ii) more recently than 120 days from such release but against which You elect to test Your implementation of the Specification.
This Agreement will terminate immediately without notice from Sun if you breach the Agreement or act outside the scope of the licenses granted above.
DISCLAIMER OF WARRANTIES
THE SPECIFICATION IS PROVIDED "AS IS". SUN MAKES NO REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT (INCLUDING AS A
CONSEQUENCE OF ANY PRACTICE OR IMPLEMENTATION OF THE SPECIFICATION), OR THAT THE CONTENTS OF THE SPECIFICATION ARE
SUITABLE FOR ANY PURPOSE. This document does not represent any commitment to release or implement any portion of the Specification in any product.
In addition, the Specification could include technical inaccuracies or typographical errors.
LIMITATION OF LIABILITY
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT
LIMITATION, LOST REVENUE, PROFITS OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES,
HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED IN ANY WAY TO YOUR HAVING,
IMPLEMENTING OR OTHERWISE USING THE SPECIFICATION, EVEN IF SUN AND/OR ITS LICENSORS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. You will indemnify, hold harmless, and defend Sun and its licensors from any claims arising or resulting from: (i) your
use of the Specification; (ii) the use or distribution of your Java application, applet and/or implementation; and/or (iii) any claims that later versions or
releases of any Specification furnished to you are incompatible with the Specification provided to you under this license.
RESTRICTED RIGHTS LEGEND
U.S. Government: If this Specification is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at
any tier), then the Government's rights in the Software and accompanying documentation shall be only as set forth in this license; this is in accordance with 48
C.F.R. 227.7201 through 227.7202-4 (for Department of Defense (DoD) acquisitions) and with 48 C.F.R. 2.101 and 12.212 (for non-DoD acquisitions).
REPORT
If you provide Sun with any comments or suggestions concerning the Specification ("Feedback"), you hereby: (i) agree that such Feedback is provided on a
non-proprietary and non-confidential basis, and (ii) grant Sun a perpetual, non-exclusive, worldwide, fully paid-up, irrevocable license, with the right to
sublicense through multiple levels of sublicensees, to incorporate, disclose, and use without limitation the Feedback for any purpose.
GENERAL TERMS
Any action related to this Agreement will be governed by California law and controlling U.S. federal law. The U.N. Convention for the International Sale of
Goods and the choice of law rules of any jurisdiction will not apply.
The Specification is subject to U.S. export control laws and may be subject to export or import regulations in other countries. Licensee agrees to comply strictly
with all such laws and regulations and acknowledges that it has the responsibility to obtain such licenses to export, re-export or import as may be required
after delivery to Licensee.
This Agreement is the parties' entire agreement relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications,
proposals, conditions, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other
communication between the parties relating to its subject matter during the term of this Agreement. No modification to this Agreement will be binding, unless
in writing and signed by an authorized representative of each party.
Rev. April, 2006
PostgreSQL is released under the BSD license.
PostgreSQL Database Management System (formerly known as Postgres, then as Postgres95)
Portions Copyright (c) 1996-2008, The PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California
Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby
granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.
IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF
THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS"
BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
MODIFICATIONS.
JDOM.jar Copyright (C) 2000-2004 Jason Hunter & Brett McLaughlin. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the disclaimer that follows these conditions in the
documentation and/or other materials provided with the distribution.
3. The name "JDOM" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,
please contact request@jdom.org.
4. Products derived from this software may not be called "JDOM", nor may "JDOM" appear in their name, without prior written permission from the JDOM
Project Management request@jdom.org.
In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an
acknowledgement equivalent to the following:
"This product includes software developed by the JDOM Project (http://www.jdom.org/)."
Alternatively, the acknowledgment may be graphical using the logos available at http://www.jdom.org/images/logos.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE JDOM
AUTHORS OR THE PROJECT CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the JDOM Project and was originally created by Jason Hunter
<jhunter@jdom.org> and Brett McLaughlin <brett@jdom.org>. For more information on the JDOM Project, please see http://www.jdom.org.
JFreeChart
JFreeChart is a free (LGPL) chart library for the Java(tm) platform.
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above
copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety
in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display
the following acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific
prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim Gillogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the
Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
ISODE
ISODE 8.0 NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the Preface in the User's
Manual for the full terms of this agreement.
4BSD/ISODE SMP NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-READ-ME.
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5
Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular
purpose. It is provided "as is" without express or implied warranty of any kind.
"THE BEER-WARE LICENSE" (Revision 42):
<phk@FreeBSD.org> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet
some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
Microsoft Windows Media Streaming
Copyright (c) 2003 Microsoft Corporation. All rights reserved.
OpenLDAP
Copyright (c) 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim
copies of this document is granted.
http://www.openldap.org/software/release/license.html
The OpenLDAP Public License Version 2.7, 7 September 2001
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the
documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under
terms of this license revision or under the terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF
THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software
without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
OpenSSH
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a
licence more free than that.
OpenSSH contains no GPL code.
1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly
marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure
Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my
direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose
(the GNU license being the most restrictive); see below for details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed
from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific
library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible
for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any
responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE
PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without
modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com>
3) ssh-keygen was contributed by David Mazieres under a BSD-style license.
Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted provided that due
credit is given to the author and the OpenBSD project by leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original
Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
http://www.openssl.org/about/
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young <mailto:eay@cryptsoft.com> and Tim J. Hudson <mailto:tjh@cryptsoft.com>.
The OpenSSL toolkit is licensed under an Apache-style license which basically means that you are free to get and use it for commercial and non-commercial
purposes.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code
found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered
by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should
be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online
or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic
software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic
related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This
product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and
put under another distribution license [including the GNU Public License.]
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written
permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the
OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel <ph10@cam.ac.uk>
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following
restrictions:
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the
University of Cambridge, England.
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PHAOS SSLava and SSLavaThin
Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved.
The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the design and development of
which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. The software
and any portions or copies thereof shall at all times remain the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION ALONE OR IN
COMBINATION WITH ANY OTHER SOFTWARE.
PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR
SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
RealSystem
The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All rights reserved.
SNMP
Copyright (C) 1992-2001 by SNMP Research, Incorporated.
This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the inclusion of the above
copyright notice. This software or any other copies thereof may not be provided or otherwise made available to any other person. No title to and ownership of
the software is hereby transferred. The information in this software is subject to change without notice and should not be construed as a commitment by
SNMP Research, Incorporated.
Restricted Rights Legend:
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted Rights Clause, FAR 52.227-19; and in
similar clauses in the NASA FAR Supplement and other corresponding governmental regulations.
PROPRIETARY NOTICE
This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law. Unauthorized copying,
redistribution or other use of this work is prohibited. The above notice of copyright on this source code product does not indicate any actual or intended
publication of such source code.
STLport
Copyright (c) 1999, 2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to
modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with
the above copyright notice.
The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.
Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon
Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow
Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
Trend Micro
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved.
zlib
Copyright (c) 2003 by the Open Source Initiative
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of
this software.
ICU License - ICU 1.8.1 and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1995-2003 International Business Machines Corporation and others
All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission
notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE
SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO
EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT
OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to
promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder
The PHP License, version 3.01 Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,
please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net.
You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may
also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP
Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP software, freely available from
<http://www.php.net/software/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.
The PHP Group can be contacted via Email at group@php.net.
For more information on the PHP Group and the PHP project, please see <http://www.php.net>.
The Zend Engine License, version 2.00 Copyright (c) 1999-2002 Zend Technologies Ltd. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The names "Zend" and "Zend Engine" must not be used to endorse or promote products derived from this software without prior permission from Zend
Technologies Ltd. For written permission, please contact license@zend.com.
4. Zend Technologies Ltd. may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version
number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version.
You may also choose to use such covered code under the terms of any subsequent version of the license published by Zend Technologies Ltd. No one other
than Zend Technologies Ltd. has the right to modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes the Zend Engine, freely available at
http://www.zend.com"
6. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"The Zend Engine is freely available at http://www.zend.com"
THIS SOFTWARE IS PROVIDED BY ZEND TECHNOLOGIES LTD. ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL ZEND TECHNOLOGIES LTD. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
TSRM (Thread Safe Resource Manager) license. Copyright (c) 1999, 2000, Andi Gutmans, Sascha Schumann, Zeev Suraski.
All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are
met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither name of the copyright holders nor the names of their contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Regex. Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.
Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following
restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the
documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits
must appear in the documentation.
4. This notice may not be removed or altered.
libgd
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National
Institutes of Health.
Portions copyright 1996, 1997, 1998, 1999, 2000, 2001 by Boutell.Com, Inc.
Portions relating to GD2 format copyright 1999, 2000 Philip Warner.
Portions relating to PNG copyright 1999, 2000 Greg Roelofs.
Portions relating to libttf copyright 1999, 2000 John Ellson (ellson@lucent.com).
Portions relating to JPEG and to color quantization copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane. This software is based in part
on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.
Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is
present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible
documentation.
This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of
merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.
Although their code does not appear in gd 2.0.1, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for
their prior contributions.
mail.jar
Sun Microsystems, Inc. ("Sun") ENTITLEMENT for SOFTWARE
Permitted Uses:
1. You may reproduce and use the Software for Individual, Commercial, or Research and Instructional Use for the purposes of designing, developing, testing,
and running Your applets and application ("Programs").
2. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software's documentation, You may reproduce and
distribute portions of Software identified as a redistributable in the documentation ("Redistributable"), provided that:
(a) you distribute Redistributable complete and unmodified and only bundled as part of Your Programs,
(b) your Programs add significant and primary functionality to the Redistributable,
(c) you distribute Redistributable for the sole purpose of running your Programs,
(d) you do not distribute additional software intended to replace any component(s) of the Redistributable,
(e) you do not remove or alter any proprietary legends or notices contained in or on the Redistributable.
(f) you only distribute the Redistributable subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement,
and
(g) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including
attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all
Programs and/or Redistributable.
3. Java Technology Restrictions. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of,
classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention
designation.
B. Sun Microsystems, Inc. ("Sun")
SOFTWARE LICENSE AGREEMENT
READ THE TERMS OF THIS AGREEMENT ("AGREEMENT") CAREFULLY BEFORE OPENING SOFTWARE MEDIA PACKAGE. BY OPENING
SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCESSING SOFTWARE ELECTRONICALLY,
INDICATE YOUR ACCEPTANCE OF THESE TERMS BY SELECTING THE "ACCEPT" BUTTON AT THE END OF THIS AGREEMENT. IF YOU DO NOT
AGREE TO ALL OF THE TERMS, PROMPTLY RETURN THE UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE FOR A REFUND OR, IF SOFTWARE
IS ACCESSED ELECTRONICALLY, SELECT THE "DECLINE" (OR "EXIT") BUTTON AT THE END OF THIS AGREEMENT. IF YOU HAVE SEPARATELY
AGREED TO LICENSE TERMS ("MASTER TERMS") FOR YOUR LICENSE TO THIS SOFTWARE, THEN SECTIONS 1-5 OF THIS AGREEMENT
("SUPPLEMENTAL LICENSE TERMS") SHALL SUPPLEMENT AND SUPERSEDE THE MASTER TERMS IN RELATION TO THIS SOFTWARE.
1. Definitions.
(a) "Entitlement" means the collective set of applicable documents authorized by Sun evidencing your obligation to pay associated fees (if any) for the license,
associated Services, and the authorized scope of use of Software under this Agreement.
(b) "Licensed Unit" means the unit of measure by which your use of Software and/or Service is licensed, as described in your Entitlement.
(c) "Permitted Use" means the licensed Software use(s) authorized in this Agreement as specified in your Entitlement. The Permitted Use for any bundled Sun
software not specified in your Entitlement will be evaluation use as provided in Section 3.
(d) "Service" means the service(s) that Sun or its delegate will provide, if any, as selected in your Entitlement and as further described in the applicable service
listings at www.sun.com/service/servicelist.
(e) "Software" means the Sun software described in your Entitlement. Also, certain software may be included for evaluation use under Section 3.
(f) "You" and "Your" means the individual or legal entity specified in the Entitlement, or for evaluation purposes, the entity performing the evaluation.
2. License Grant and Entitlement.
Subject to the terms of your Entitlement, Sun grants you a nonexclusive, nontransferable limited license to use Software for its Permitted Use for the license
term. Your Entitlement will specify (a) Software licensed, (b) the Permitted Use, (c) the license term, and (d) the Licensed Units.
Additionally, if your Entitlement includes Services, then it will also specify the (e) Service and (f) service term.
If your rights to Software or Services are limited in duration and the date such rights begin is other than the purchase date, your Entitlement will provide that
beginning date(s).
The Entitlement may be delivered to you in various ways depending on the manner in which you obtain Software and Services, for example, the Entitlement
may be provided in your receipt, invoice or your contract with Sun or authorized Sun reseller. It may also be in electronic format if you download Software.
3. Permitted Use.
As selected in your Entitlement, one or more of the following Permitted Uses will apply to your use of Software. Unless you have an Entitlement that
expressly permits it, you may not use Software for any of the other Permitted Uses. If you don't have an Entitlement, or if your Entitlement doesn't cover
additional software delivered to you, then such software is for your Evaluation Use.
(a) Evaluation Use. You may evaluate Software internally for a period of 90 days from your first use.
(b) Research and Instructional Use. You may use Software internally to design, develop and test, and also to provide instruction on such uses.
(c) Individual Use. You may use Software internally for personal, individual use.
(d) Commercial Use. You may use Software internally for your own commercial purposes.
(e) Service Provider Use. You may make Software functionality accessible (but not by providing Software itself or through outsourcing services) to
your end users in an extranet deployment, but not to your affiliated companies or to government agencies.
4. Licensed Units.
Your Permitted Use is limited to the number of Licensed Units stated in your Entitlement. If you require additional Licensed Units, you will need additional
Entitlement(s).
5. Restrictions.
(a) The copies of Software provided to you under this Agreement are licensed, not sold, to you by Sun. Sun reserves all rights not expressly granted. (b) You
may make a single archival copy of Software, but otherwise may not copy, modify, or distribute Software. However if the Sun documentation accompanying
Software lists specific portions of Software, such as header files, class libraries, reference source code, and/or redistributable files, that may be handled
differently, you may do so only as provided in the Sun documentation. (c) You may not rent, lease, lend or encumber Software. (d) Unless enforcement is
prohibited by applicable law, you may not decompile, or reverse engineer Software. (e) The terms and conditions of this Agreement will apply to any
Software updates, provided to you at Sun's discretion, that replace and/or supplement the original Software, unless such update contains a separate license.
(f) You may not publish or provide the results of any benchmark or comparison tests run on Software to any third party without the prior written consent of
Sun. (g) Software is confidential and copyrighted. (h) Unless otherwise specified, if Software is delivered with embedded or bundled software that enables
functionality of Software, you may not use such software on a stand-alone basis or use any portion of such software to interoperate with any program(s) other
than Software. (i) Software may contain programs that perform automated collection of system data and/or automated software updating services. System
data collected through such programs may be used by Sun, its subcontractors, and its service delivery partners for the purpose of providing you with remote
system services and/or improving Sun's software and systems. (j) Software is not designed, licensed or intended for use in the design, construction, operation
or maintenance of any nuclear facility and Sun and its licensors disclaim any express or implied warranty of fitness for such uses. (k) No right, title or interest
in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement.
6. Term and Termination.
The license and service term are set forth in your Entitlement(s). Your rights under this Agreement will terminate immediately without notice from Sun if you
materially breach it or take any action in derogation of Sun's and/or its licensors' rights to Software. Sun may terminate this Agreement should any Software
become, or in Sun's reasonable opinion likely to become, the subject of a claim of intellectual property infringement or trade secret misappropriation. Upon
termination, you will cease use of, and destroy, Software and confirm compliance in writing to Sun. Sections 1, 5, 6, 7, and 9-15 will survive termination of the
Agreement.
7. Java Compatibility and Open Source.
Software may contain Java technology. You may not create additional classes to, or modifications of, the Java technology, except under compatibility
requirements available under a separate agreement available at www.java.net.
Sun supports and benefits from the global community of open source developers, and thanks the community for its important contributions and open
standards-based technology, which Sun has adopted into many of its products.
Please note that portions of Software may be provided with notices and open source licenses from such communities and third parties that govern the use of
those portions, and any licenses granted hereunder do not alter any rights and obligations you may have under such open source licenses, however, the
disclaimer of warranty and limitation of liability provisions in this Agreement will apply to all Software in this distribution.
8. Limited Warranty.
Sun warrants to you that for a period of 90 days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if
any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy
and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software. Some states do not
allow limitations on certain implied warranties, so the above may not apply to you. This limited warranty gives you specific legal rights. You may have
others, which vary from state to state.
9. Disclaimer of Warranty.
UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO
THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
10. Limitation of Liability.
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA,
OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF
LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount
paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose. Some
states do not allow the exclusion of incidental or consequential damages, so some of the terms above may not be applicable to you.
11. Export Regulations.
All Software, documents, technical data, and any other materials delivered under this Agreement are subject to U.S. export control laws and may be subject to
export or import regulations in other countries. You agree to comply strictly with these laws and regulations and acknowledge that you have the responsibility
to obtain any licenses to export, re-export, or import as may be required after delivery to you.
12. U.S. Government Restricted Rights.
If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the
Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201
through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
13. Governing Law.
Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply.
14. Severability.
If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would
frustrate the intent of the parties, in which case this Agreement will immediately terminate.
15. Integration.
This Agreement, including any terms contained in your Entitlement, is the entire agreement between you and Sun relating to its subject matter. It supersedes
all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms
of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No
modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party.
iText
MOZILLA PUBLIC LICENSE Version 1.1
1. Definitions.
1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.
1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications.
1.2. "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that
particular Contributor.
1.3. "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions
thereof.
1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
1.5. "Executable" means Covered Code in any form other than Source Code.
1.6. "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A.
1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License.
1.8. "License" means this document.
1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and
all of the rights conveyed herein.
1.9. "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When
Covered Code is released as a series of files, a Modification is:
A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications.
B. Any new file that contains any part of the Original Code or previous Modifications.
1.10. "Original Code" means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and
which, at the time of its release under this License is not already Covered Code governed by this License.
1.10.1. "Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in
any patent Licensable by grantor.
1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated
interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the
Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided
the appropriate decompression or de-archiving software is widely available for no charge.
1.12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of
this License issued under Section 6.1.
For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control"
means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than
fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
2. Source Code License.
2.1. The Initial Developer Grant. The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual
property claims:
(a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense
and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and
(b) under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or
otherwise dispose of the Original Code (or portions thereof).
(c) the licenses granted in this Section 2.1(a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License.
(d) Notwithstanding Section 2.1(b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code;
or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices.
2.2. Contributor Grant.
Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license
(a) under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and
distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code
and/or as part of a Larger Work; and
(b) under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its
Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by
that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such
combination).
(c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code.
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2)
separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of
Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed
by Covered Code in the absence of Modifications made by that Contributor.
3. Distribution Obligations.
3.1. Application of License.
The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source
Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You
must include a copy of this License with every copy of the Source Code You distribute. You may not offer or impose any terms on any Source Code version
that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the
additional rights described in Section 3.5.
3.2. Availability of Source Code.
Any Modification which You create or to which You contribute must be made available in Source Code form under the terms of this License either on the
same media as an Executable version or via an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version available;
and if made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available,
or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for
ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party.
3.3. Description of Modifications.
You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of
any change. You must include a prominent statement that the Modification is derived, directly or indirectly, from Original Code provided by the Initial
Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in
which You describe the origin or ownership of the Covered Code.
3.4. Intellectual Property Matters
(a) Third Party Claims.
If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor
under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party
making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made
available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take
other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new
knowledge has been obtained.
(b) Contributor APIs.
If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably
necessary to implement that API, Contributor must also include this information in the LEGAL file.
(c) Representations.
Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes that Contributor's Modifications are Contributor's
original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License.
3.5. Required Notices.
You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its
structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created
one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. You must also duplicate this License in any
documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. You may choose to offer, and to
charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own
behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear that any such warranty, support, indemnity or liability
obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial
Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer.
3.6. Distribution of Executable Versions.
You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a
notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You
have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or
collateral in which You describe recipients' rights relating to the Covered Code. You may distribute the Executable version of Covered Code or ownership
rights under a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License
and that the license for the Executable version does not attempt to limit or alter the recipient's rights in the Source Code version from the rights set forth in this
License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are
offered by You alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any
liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.
3.7. Larger Works.
You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a
single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Code.
4. Inability to Comply Due to Statute or Regulation.
If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Code due to statute, judicial order, or
regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect.
Such description must be included in the LEGAL file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the
extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.
5. Application of this License.
This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to related Covered Code.
6. Versions of the License.
6.1. New Versions.
Netscape Communications Corporation ("Netscape") may publish revised and/or new versions of the License from time to time. Each version will be given a
distinguishing version number.
6.2. Effect of New Versions.
Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may
also choose to use such Covered Code under the terms of any subsequent version of the License published by Netscape. No one other than Netscape has the
right to modify the terms applicable to Covered Code created under this License.
6.3. Derivative Works.
If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this
License), You must (a) rename Your license so that the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar
phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license
contains terms which differ from the Mozilla Public License and Netscape Public License. (Filling in the name of the Initial Developer, Original Code or
Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.)
7. DISCLAIMER OF WARRANTY.
COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A
PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH
YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR)
ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL
PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
8. TERMINATION.
8.1. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30
days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License.
Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.
8.2. If You initiate litigation by asserting a patent infringement claim (excluding declaratory judgment actions) against Initial Developer or a Contributor (the
Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that:
(a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections
2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i)
agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii)
withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment
arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under
Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above.
(b) any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to
You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications
made by that Participant.
8.3. If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent
where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses
granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license.
8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly
granted by You or any distributor hereunder prior to termination shall survive termination.
9. LIMITATION OF LIABILITY.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF
SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR
ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF
SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM
SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO
YOU.
10. U.S. GOVERNMENT END USERS.
The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial
computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through
227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein.
11. MISCELLANEOUS.
This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision
shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent
applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an
entity chartered or registered to do business in the United States of America, any litigation relating to this License shall be subject to the jurisdiction of the
Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including
without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the
International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter
shall not apply to this License.
12. RESPONSIBILITY FOR CLAIMS.
As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of
rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing
herein is intended or shall be deemed to constitute any admission of liability.
13. MULTIPLE-LICENSED CODE.
Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". "Multiple-Licensed" means that the Initial Developer permits you to
utilize portions of the Covered Code under Your choice of the NPL or the alternative licenses, if any, specified by the Initial Developer in the file described in
Exhibit A.
Contents
Document Objectives
Audience
Document Conventions
Forbidden Characters
Related Documentation
Getting Blue Coat Documentation
Preface
This preface describes who should read the Director Configuration and
Management Guide, how it is organized, and its document conventions.
This preface contains the following sections:
❐ "Document Objectives" on page 29
❐ "Audience" on page 29
❐ "Document Conventions" on page 29
❐ "Forbidden Characters" on page 30
❐ "Related Documentation" on page 30
Document Objectives
This configuration and management guide describes how to use the Blue Coat®
Director software for setting up, monitoring, and managing all aspects of
networks that use Blue Coat ProxySG™ appliances.
Audience
This guide is intended for network administrators and managers.
Document Conventions
The documentation uses the following conventions:
Convention | Description
bold sans serif type | Field and option labels in the Management Console.
Forbidden Characters
The colon (:) and question mark (?) characters cannot be used in entry fields or
parameter values unless you perform the following tasks:
❐ If you use a colon character in a field or parameter (for example, in a URL),
either enclose the entire URL in double quotation marks or escape it by
preceding it with a / character.
Examples of using a colon character in a URL:
http/://www.example.com
"http://www.example.com"
Related Documentation
The following table shows other Director documentation available from Blue
Coat:
Table 1–1 Documentation available from Blue Coat
Quick Start Guide | Shipped with your Blue Coat Director appliance; discusses how to install the Director appliance and perform basic configuration.
Blue Coat Systems Director Command Line Interface Reference | Describes all of the available Director command line commands.
Blue Coat Director Content Sync Module Guide | Discusses the Content Sync Module, which crawls a Web server or file system, tracks the time that the content was last modified, and then changes the content in the ProxySG appliances accordingly.
Note: The Content Sync Module does not ship with Director. It is available separately. The Content Sync Module is used in Content Distribution Network (CDN) deployments.
Getting Blue Coat Documentation
To get the Director Release Notes and documentation:
1. Go to http://support.bluecoat.com, enter your BlueTouch Online user name
and password in the fields at the top of the page, and click Login.
If you do not have a user name and password, fill in the form at
http://www.bluecoat.com/support/supportservices/btorequest.
2. Click the Documentation tab.
3. On the Documentation tab page, click Director.
4. Follow the prompts on your screen to download the documentation and
Release Notes.
5. After reading the Release Notes, save them on your local computer.
Chapter 1: Director Overview
About Director
Blue Coat® Director centrally manages and monitors multiple Blue Coat
ProxySG appliances simultaneously. Administrators can use Director to set
user and content policy, manage ProxySG appliance configurations, distribute
and control Web content, upgrade and validate SGOS software, and back up
ProxySG appliances.
Note: SGME 5.4.2.x can be used to manage appliances running SGOS version
5.4.1 and later. For up-to-date information, see the Director Release Notes.
Scheduling health reports and Performance Analysis reports | Health Reports and Performance Analysis reports can now be scheduled as jobs and e-mailed to recipients you select.
XML APIs | For the first time starting in this release, you can perform the following actions using XML-based APIs:
• Content API:
  • Push content to devices
  • Delete content from devices
  • Revalidate content on devices
  • Query content on devices
• Forwarding hosts API, which creates forwarding host objects.
• Policy API, which enables you to create Web Content, Web Access, and Forwarding layers.
For more information about these tasks, see the Director API Reference.
Director Terminology
The following special Director terminology is used in this manual:
❐ Security Gateway Management Edition (SGME)
❐ Device: A ProxySG appliance.
❐ Director (or Blue Coat Director): The product as a whole, encompassing the
hardware and software and all the features.
❐ Command Line Interface (CLI): A term sometimes used for the SGOS and
Director command lines.
❐ Director image file: The file containing the Director SGME software.
❐ Director Management Console: The Director user interface.
❐ Profile: A configuration operation on Director that creates a snapshot of all
configuration and policy from a source device.
❐ Overlay: A configuration operation on Director that is used to replace selected
configurations or policy on one or more ProxySG appliances.
❐ Job: A set of actions Director performs on appliances, either immediately or
scheduled in advance.
Table 1–1 Availability of Features in the Director CLI and Management Console
Archive (that is, back up) the Director configuration Yes Yes
SNMP No Yes
Workgroups No Yes
Authentication No Yes
Configuration Management
Content Management
Note: The Content Sync Module does not ship with Director. It is available
separately. The Content Sync Module is used in Content Distribution
Network (CDN) deployments.
Chapter 2: Connecting to Director
This chapter discusses how to connect to your Director appliance using the
Director Management Console. This chapter includes the following topics:
❐ "Prerequisites For Connecting to Director"
❐ "Director Configuration Defaults" on page 40
❐ "Command Line Configuration Tasks" on page 40
❐ "Options for Connecting to Director" on page 41
❐ "Generating RSA Keys for Director Communication" on page 43
❐ "Connecting to Director with the Management Console" on page 52
❐ "Configuring Browser and Mail Settings" on page 61
See also Appendix C: "Management Console Browser Details".
Secure access to Director using access lists | "Managing Security Using Access Lists" on page 514
Note: Telnet disconnects after three invalid attempts to connect. There also might
be a time lag before Telnet reports on device status.
SSH-RSA Overview
SSH-RSA has the following benefits:
❐ Securing the network. Devices that are authenticated have exchanged keys,
verified each other’s identity, and know which devices are trusted. Passwords
are not sent over the network.
❐ Preventing man-in-the-middle attacks. RSA public/private key
authentication prevents man-in-the-middle attacks by using the server's host
key to verify the other host’s identity. Because the man-in-the-middle cannot
access the private key, the attacker cannot decrypt the traffic between the
server and the client.
❐ Secure profiles. When you create a device profile using a source device that
communicates with Director using SSH-RSA, Director includes in the profile
the keyrings, certificates, and other settings that would otherwise be encrypted.
If the source device uses SSH Simple, however, these encrypted settings are
omitted from the profile.
❐ Securing protocols. Many protocols require authentication at each end of the
connection before they are considered secure. SSH-RSA authentication means
that the hosts verify each other’s identity at each end of the connection.
The following table summarizes the differences between SSH Simple and SSH-
RSA:
Feature SSH Simple SSH-RSA
d. Click Generate.
e. Follow the prompts on your screen to generate the key pair.
f. Recommended. Enter a passphrase for your private key and confirm it in
the provided fields.
An example Puttygen window follows:
Notes:
• The entire public key must be on a single line. It is shown here on
multiple lines because of space limitations.
• The public key begins with ssh-rsa followed by one space and ends
with one or more equal signs (=). Remove additional characters from
the end of the public key, after the equal sign.
h. Paste the public key into Notepad and save it as a text file.
Later, you import this public key into Director.
i. Click Conversions > Export OpenSSH key.
This step is required to connect to the Director Management Console using
SSH-RSA. The Management Console cannot use a Puttygen-formatted
private key; it uses only OpenSSH-formatted private keys.
j. Follow the prompts on your screen to save the exported private key to
a folder.
You will need the private key later to connect to the Director Management
Console.
3. This step applies to you only if you used a tool such as Cygwin to create your
key pair. You do not need to perform this task if you used Puttygen.
Before the public key can be imported into Director, you must remove
information like the following:
• Carriage returns
• ---- BEGIN SSH2 PUBLIC KEY ---- and ---- END SSH2 PUBLIC KEY ----
• Comments
• Commands preceded by, including, or followed by spaces (the only
exception being ssh-rsa and the space following it)
• Text following the final equal signs (==)
where
username is Director’s administrator user name, which is admin by default
public_key is your public key; you copied it to the text editor in "Importing
Your Public Key Into Director" on page 47.
A message displays only if an error occurs.
7. Disconnect from Director so you can add Director to your list of known hosts
as discussed in the next section.
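The cleanup rules above (one line, ssh-rsa followed by one space, nothing after the key) can be applied mechanically. The following Python sketch is an added example, not Blue Coat code: it decodes the key blob to find where the key ends instead of relying on a trailing equal sign, because a Base64 key whose blob length is a multiple of three carries no padding. The function names and the sample key are constructed for illustration.

```python
import base64
import re
import struct

B64_RUN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_rsa_blob(blob):
    """Return (exponent, modulus bits) of a well-formed ssh-rsa key blob.

    The blob is three length-prefixed fields: b"ssh-rsa", e and n. Missing or
    left-over bytes mean the pasted text was truncated or has extra characters.
    """
    fields, off = [], 0
    for _ in range(3):
        if off + 4 > len(blob):
            raise ValueError("truncated key")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key")
        fields.append(blob[off:off + length])
        off += length
    if off != len(blob):
        raise ValueError("extra bytes after key")
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])
    return e, n.bit_length()


def normalize_public_key(text):
    """Reduce pasted key text to the single line 'ssh-rsa <base64>'."""
    lines = [ln.strip() for ln in text.replace("\r", "").split("\n")]
    lines = [ln for ln in lines if ln]
    if any(ln.startswith("---- BEGIN SSH2 PUBLIC KEY") for ln in lines):
        tokens, inside, continued = [], False, False
        for ln in lines:
            if ln.startswith("---- BEGIN SSH2 PUBLIC KEY"):
                inside = True
            elif ln.startswith("---- END SSH2 PUBLIC KEY"):
                break
            elif inside and (continued or ":" in ln):
                continued = ln.endswith("\\")  # header line, e.g. Comment:
            elif inside:
                tokens.append(ln)
    else:
        joined = " ".join(lines)
        start = joined.find("ssh-rsa ")
        if start < 0:
            raise ValueError("no ssh-rsa key found")
        tokens = joined[start + len("ssh-rsa "):].split()

    candidate = ""
    for tok in tokens:
        run = B64_RUN.match(tok)
        if not run:
            break
        candidate += run.group(0)
        try:
            # The length-prefixed structure, not a trailing "=", marks the end.
            parse_rsa_blob(base64.b64decode(candidate, validate=True))
            return "ssh-rsa " + candidate
        except ValueError:  # includes binascii.Error: key not complete yet
            if run.end() != len(tok):
                break  # other characters glued to an incomplete key
    raise ValueError("no complete ssh-rsa key found")


def inspect_key_line(line):
    """Return (exponent, modulus bits) for a normalized 'ssh-rsa <base64>' line."""
    return parse_rsa_blob(base64.b64decode(line.split(" ", 1)[1], validate=True))


def constructed_key_b64(bits, e=65537):
    """Constructed sample: a structurally valid blob, NOT a usable RSA key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    def mpint(x):
        return field(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    n = (1 << (bits - 1)) | 1
    return base64.b64encode(field(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


def sample_ssh2_export(bits):
    """Constructed sample of the multi-line SSH2 export that must be cleaned."""
    b64 = constructed_key_b64(bits)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                        'Comment: "constructed-sample"', *body,
                        "---- END SSH2 PUBLIC KEY ----", ""])


if __name__ == "__main__":
    line = normalize_public_key(sample_ssh2_export(1024))
    print(line)
    print("exponent, modulus bits:", inspect_key_line(line))
```

A ValueError from normalize_public_key means the pasted text was truncated or is not an ssh-rsa key, which is worth catching before the key is imported.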
Putty Example
An example of adding Director to Putty’s list of known hosts follows; consult the
documentation provided with Putty for additional information.
Host Name (or IP address) field | Enter Director’s fully qualified host name or IP address.
An example follows:
e. Click Save.
f. Click Open.
5. After you log in to the Director command line, the command prompt displays
as follows:
director >
Prompt | Mode
# | Enable, which enables you to set more advanced settings. By default, enable mode does not require a password but Blue Coat recommends you create a password. From standard mode, enter enable to start enable mode.
(config) # | Configuration, which enables you to configure the Director appliance. From enable mode, enter configure to start configuration mode.
Note:
• For information about using the Director command line to set up Director,
see Appendix A: "Administering Director" on page 493. For full
command arguments and syntax, refer to the Blue Coat Director Command
Line Interface Reference Guide.
• Commands listed in standard mode are also available in enable and
configuration modes. Most commands provided in enable mode are also
available in configuration mode.
2. At the Login page, click SSH-Simple and enter the following information:
Field | Description
User Name | Enter the Director administrator user name.
Password | Enter the user’s password.
Enable Password | Enter the enable mode password, if any.
3. Click Proceed.
The following warning might display after you log in to the Director
Management Console:
For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
After you log in to Director, the Management Console displays in a new
window. For more detailed information, see Appendix C: "Management
Console Browser Details".
You have the following options:
• "About the Director Management Console" on page 58
• "Setting Director Browser and Output Settings" on page 61
3. At the Login page, click SSH-RSA and enter the following information:
Item | Description
RSA User Name | Enter the Director administrator user name.
Identity file location | Enter the absolute file system path to the identity file—including the file name—or click Browse to locate it. The identity file is the OpenSSH private key you created for logging in to Director as discussed in "Generating RSA Public and Private Keys" on page 45.
The identity file is password protected | Select this check box if you created a passphrase to protect your private key (that is, identity file).
Identity password | If you selected the check box, enter the identity file’s passphrase.
Enable password | Enter the enable mode password, if any.
4. Click Proceed.
The following warning might display after you log in to the Director
Management Console:
For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
After you log in to Director, the Management Console displays in a new
window. For more detailed information, see Appendix C: "Management
Console Browser Details".
You have the following options:
• "About the Director Management Console" on page 58
• "Setting Director Browser and Output Settings" on page 61
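The fingerprint warning described for both the SSH-Simple and SSH-RSA logins is only useful if the displayed value can be checked against a key you trust. The following Python example is added here and is not part of the Blue Coat documentation; it assumes you hold Director's host public key in OpenSSH one-line form obtained over a trusted path, and that the warning shows either an MD5 colon-hex or a SHA256 fingerprint (the page does not say which). The key material and function names are constructed.

```python
import base64
import hashlib

# Constructed stand-ins for host public keys (not real RSA keys).
KEY_A = "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-A").decode()
KEY_B = "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-B").decode()


def fingerprints(key_line):
    """Return the MD5 (colon-hex) and SHA-256 (base64) fingerprints of an
    OpenSSH-format public key line: 'ssh-rsa <base64> [comment]'."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # MD5 only reproduces the legacy display format; it is not a security control.
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "sha256": "SHA256:" + sha,
    }


def matches_displayed(displayed, trusted_key_line):
    """True if the fingerprint shown in a host-key warning belongs to the
    trusted key. Accepts 'aa:bb:...', 'MD5:aa:bb:...' or 'SHA256:...'."""
    fp = fingerprints(trusted_key_line)
    shown = displayed.strip()
    if shown.upper().startswith("SHA256:"):
        # Base64 is case-sensitive: normalize only the prefix and padding.
        return "SHA256:" + shown[7:].rstrip("=") == fp["sha256"]
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    return shown.lower() == fp["md5"]


def review_warning(displayed, trusted_key_line):
    """Map the comparison onto the choices offered by the warning."""
    if matches_displayed(displayed, trusted_key_line):
        return "accept"  # the fingerprint is Director's own
    return "cancel"      # another device may be impersonating Director


if __name__ == "__main__":
    shown = fingerprints(KEY_B)["md5"]  # what a warning might display
    print(shown, "->", review_warning(shown, KEY_A))
```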
Configuration options are categorized according to task and presented in four tab
pages.
Under Director Status, clicking More next to Auditing Policy displays the current
status of audit logging.
In SGME 5.3 and later, Director enables you to track the contents of the following
using audit logging:
❐ Profiles
❐ Overlays
❐ Configuration and content jobs
❐ Backups
To display audit policy from the command line, enter the following command:
director (config) # show logging
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: NULL
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 5.119403 MB
Free space: 1018.880597 MB
To view the current status of a device, click the name of a device in the Devices
pane.
In the Reports pane, click Performance Analysis to generate reports available for the
first time in the SGME 5.4 release; for more information, see "Generating
Performance Analysis Reports" on page 350.
For more information about the Monitor tab page, see Chapter 10: "Monitoring
Devices".
4. In the Select Your Browser section, enter the path to your browser’s executable
in the Path To Browser field, or click Browse to locate it.
5. In the Update Your Output Settings section, enter the following information:
Item | Description
Enable verbose output check box |
• If Enable verbose output is selected and the output limit is set to a small value, such as 10 KB, then:
  • Profile and overlay output is shown in its entirety.
  • Archive and device backup output is truncated at the value in the Limit output to field.
• If Enable verbose output is not selected (the default), and the output limit is set to a small value, such as 10 KB, then:
  • Profile and overlay output displays errors only.
  • Archive configuration output is truncated at the value in the Limit output to field.
• If Enable verbose output is not selected and the output limit is set to a large value, all output is limited to errors only.
Limit output to | Enter a limit, in KB, for output from profiles, overlays, and backups.
Use Defaults button | Return the values in this dialog box to defaults.
The list of supported browsers for the Management Console can be found in
the Director Release Notes.
6. Click OK.
Note the following:
• The default output limit is 5120 KB; the maximum is 1 GB. The limit is
reset to its default if you click Use Defaults.
• Backup and restore output is always errors only, regardless of the setting
of the verbose mode.
Server IP field | Enter your Simple Mail Transfer Protocol (SMTP) outgoing e-mail server’s IP address or fully qualified host name. Note: The SMTP server you specify cannot use either SSL or TLS encryption, must be reachable by Director, and must be able to send e-mail to all addresses to which you wish to send reports.
Authentication check box | Select this check box if your SMTP server requires authentication.
Username field | If you selected the Authentication check box, enter the SMTP server’s user name.
Chapter 3: Registering Devices
This chapter discusses how to register devices with Director. Topics include:
❐ "About Device Registration"
❐ "Registration Quick Start" on page 67
❐ "About Appliance Certificates" on page 68
❐ Section A: "Prerequisite Tasks" on page 71
❐ Section B: "Getting a Director Appliance Certificate" on page 78
❐ Section C: "Setting Up Registration" on page 84
❐ Section D: "Registering Devices without Pre-Staged Device Records" on
page 86
❐ Section E: "Registering Devices with Pre-Staged Device Records" on page 97
❐ Section F: "Marking a Device As Configured" on page 110
When you add a device, it initially uses the SSH Simple protocol (that is, a
user name and password are sent from the device to Director). Blue Coat
strongly recommends using the SSH-RSA protocol, which is an additional
task you must perform after you add the device.
After adding a device, you can change the communication method to SSH-
RSA using the Management Console or command line. (Changing to SSH-
RSA using the command line requires several commands.) More information
about SSH Simple and SSH-RSA can be found in "Comparing SSH Simple and
SSH-RSA" on page 66.
Notes:
❐ The registration process uses a secure HTTPS connection where Director acts
as the server and the device acts as the client.
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall.
❐ The process by which Director and devices authenticate with each other is not
to be confused with the process by which users authenticate with Director. For
more information about user authentication, see the following:
• To connect to the Director Management Console using SSH-RSA, see
Chapter 2: "Connecting to Director".
• The discussion of the aaa authentication and username commands in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director
Command Line Interface Reference Guide.
The following table summarizes the differences between SSH Simple and SSH-
RSA:
Feature SSH Simple SSH-RSA
Task Description
[Figure 3–1 Process overview for getting appliance certificates for devices and Director. Flowchart with yes/no branches on the decisions "Does the appliance support certificates?" and "Can the appliance access the Internet?", and the step: Get an appliance certificate as discussed in "Getting a Device Appliance Certificate" on page 75 (device) or "Getting a Director Appliance Certificate—Internet Access" on page 78 (Director).]
Note the following:
❐ You go through the same process with Director and with ProxySG appliances.
❐ If your Director appliance does not support appliance certificates, you cannot
register any devices with it, even if the devices support appliance
certificates.
If that is the case, skip the remainder of this chapter and continue with
Chapter 4: "Adding and Connecting to Devices".
Important:
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall between Director and the devices you want Director to manage.
❐ Appliances manufactured before July 2006 do not support appliance
certificates and cannot be registered with Director. If your Director
appliance does not support appliance certificates, you cannot register any
devices with it, even if the devices support appliance certificates; instead,
you must add devices to Director as discussed in Chapter 4: "Adding and
Connecting to Devices".
❐ If you attempt to register a device that runs an incompatible SGOS
version, the error Incompatible SG version displays. In that case, you
cannot register the device with Director; instead, you must add the device
to Director as discussed in Chapter 4: "Adding and Connecting to
Devices". Be aware that configuring an older device using Director profiles
and overlays can result in errors. If possible, upgrade these devices to more
recent versions.
❐ Make sure Director supports appliance certificates and has an appliance
certificate before registering devices with Director.
Output Meaning
Result | Meaning
% Certificate "appliance-key" not found | The device has no appliance certificate. Continue with "Getting Appliance Certificates or Setting Up a Registration Password" on page 75.
Note:
• Appliances manufactured before July 2006 do not support appliance
certificates. If you attempt to get an appliance certificate for such a
device, an error message displays; for details, see Table 3–1 on page 76.
If the appliance does not support appliance certificates, you cannot
register it with Director; instead, you must add the device as discussed
in Chapter 4: "Adding and Connecting to Devices".
• To register a device with Director, the device must have a certificate
from Blue Coat’s http://abrca.bluecoat.com/sign-manual Web site.
You cannot use another CA to generate an appliance certificate.
To get an appliance certificate for a device, perform any of the following tasks:
❐ If the device can connect to the Internet, from its Management Console,
perform the following tasks:
• Click Configuration > SSL > Appliance Certificates > Request Certificate.
• Click Request appliance certificate. You are required to confirm the action.
The Blue Coat CA server validates and signs the certificate. The
certificate is automatically placed in the appliance-key keyring. Note that
the appliance-key keyring cannot be backed up. The keyring is re-created
if it is missing at boot time.
The following table discusses error messages and their meanings:
Table 3–1 Appliance certificate error messages
❐ If the device cannot connect to the Internet, the procedure is similar to getting
a Director appliance certificate: Create a CSR on the device, go to the
abrca.bluecoat.com/sign-manual Web site to create a certificate, and import
the certificate into the device.
The details are discussed in the chapter on authenticating ProxySGs in
Advanced Networking in the ProxySG Appliance Configuration and Management
Guide.
After getting appliance certificates for all devices, continue with Section C:
"Setting Up Registration" on page 84.
This command creates a new private key, creates the Certificate Signing
Request signature (CSR) for the private key, and sends the CSR to Blue Coat
to get the corresponding appliance certificate.
This command creates a CSR (if it does not already exist) and displays it. It
also creates the digital signature for the CSR, using the appliance’s private
key.
An example follows:
7. Copy the CSR and the signature to your clipboard. Include the BEGIN
CERTIFICATE and END CERTIFICATE statements, as well as the BEGIN CSR
SIGNATURE and END CSR SIGNATURE statements.
An example follows:
The signed certificate displays and can be pasted into Director. A sample
certificate follows:
Notes:
❐ The process by which Director and devices authenticate with each other is
not to be confused with the process by which users authenticate with
Director. For more information about user authentication, see the following:
• To authenticate with the Director Management Console using SSH-RSA,
see Chapter 2: "Connecting to Director".
• The discussion of the aaa authentication and username commands in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director
Command Line Interface Reference Guide.
❐ If you attempt to register a device with an incompatible SGOS version, the
error Incompatible SG version displays. In that case, you must add the
device to Director as discussed in Chapter 4: "Adding and Connecting to
Devices".
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall.
Registration Methods
You can set up registration in either of the following ways:
❐ "Registering Devices without Pre-Staged Device Records" on page 86
Use this method to add devices to Director on demand, which is appropriate
for smaller deployments.
❐ "Registering Devices with Pre-Staged Device Records" on page 97
Use this method to pre-stage (that is, pre-create) a basic device configuration,
which includes passwords, for all your devices on Director. This method is
appropriate if you are planning a large deployment.
2. Register devices with Director. | • Verify the device has been installed and connected to the network. | ProxySG Technician
 | • Register the device with Director. This process is discussed in "Registering the Device with Director" on page 87. | ProxySG Administrator
3. Optionally change randomly set passwords for the newly registered Director device. | • View the newly registered device on Director. • Optionally change randomly set passwords (admin user, enable mode, and front panel PIN) as discussed in "Setting Passwords for Newly Registered Devices on Director" on page 92. | Director Administrator
How do you want to set up the SG appliance? | Select the option to register with Director.
After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:
Error | Meaning
Could not contact Director | Director likely has no appliance certificate, or Director is not accessible by this device.
Request rejected by Director: Device didn't uniquely match a device record | Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.
Skip the next section and continue with "Setting Passwords for Newly Registered
Devices on Director" on page 92.
Note: You are not prompted to enter a registration password if the device has an
appliance certificate.
Error | Meaning
Could not contact Director | Director likely has no appliance certificate, or Director is not accessible by this device.
Request rejected by Director: Device didn't uniquely match a device record | Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.
Field | Description
Director IP address | Enter Director’s fully qualified host name or IP address.
Director serial number | If you know Director’s hardware serial number, enter it in this field. If you do not know Director’s serial number, click Retrieve S/N from Director. (The button is available only after you enter Director’s host name or IP address in the preceding field.)
Appliance name | Enter a unique identifier for the device. The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.
Note: Note the following about registering a device using its Management
Console:
• If the Register button is inactive after you enter Director's serial number
or retrieve it from Director, you must enter a registration password. The
most likely cause is that the ProxySG appliance has no appliance
certificate.
Either enter a registration password in the provided field or get an
appliance certificate for the device.
• If after you click Retrieve S/N from Director an error displays that the
device cannot connect to Director, check the following:
• Make sure Director has an appliance certificate.
• Log in to the device’s command line and ping Director’s IP address
to make sure the device can contact Director.
6. Click Register.
You are required to confirm the action.
7. Follow the prompts on your screen to complete the registration process.
• If registration is successful, the following confirmation dialog box
displays:
Make sure the device record is correct—in particular, make sure the
device’s IP address and serial number match—and try again.
After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:
Console Password | In the provided fields, enter and confirm the admin user’s password. Character minimum length is 1; maximum length is 64.
Section Description
Note: To save your changes, you must enter a valid password in all
fields.
6. Click OK.
Related Commands
The pushpassword and front-panel-pin commands set these passwords on
both the device and the device record.
First, enter device_id submode using the following command:
director (config) # device device_id
Field | Description
Serial No | Enter the device’s serial number. Caution: Because the device serial number is tied to its appliance certificate, use caution before changing it.
Serial Console Password | Enter a new serial console password for the device.
Frontpanel Pin | Enter a new front panel PIN for the device. The front panel PIN is a four-digit number. Enter 0000 to clear the front panel PIN.
2. Create a partial device record on Director. (Director Administrator)
• Create a partial device record that contains configuration information for the device that will be deployed. See "Creating a Partial Device Record on Director" on page 99.
• Configure the passwords in the device record.
• Optionally add devices to groups as discussed in Section A: "Setting Up and Managing Device Groups" on page 132.
• Optionally, configure profiles and overlays for the device. See Section C: "Managing Profiles" on page 144 and Section D: "Managing Overlays" on page 159.
• To optionally execute jobs to apply profiles and overlays to devices, see Chapter 7: "Managing Content Collections".
3. Register devices with Director.
• Verify the device has been installed and connected to the network. (ProxySG Technician)
• Register the device with Director. This process is discussed in "Registering Pre-Staged Devices With Director" on page 103. (ProxySG Administrator)
4. Optionally change randomly set passwords for the newly registered Director device. (Director Administrator)
• View the newly registered device on Director.
• If required, change randomly set passwords (admin user, enable mode, and front panel PIN) as discussed in "Setting Passwords for Newly Registered Devices on Director" on page 92.
  This is necessary only for devices whose partial device records did not match the devices being registered. (For example, you did not enter a device serial number or you entered the wrong serial number.)
Important: If the partial device record does not contain enough information
for a match, Director creates a new device record. In that case, Director names
the device according to its host name or IP address and also replaces the
device’s admin user password, enable mode password, and front panel PIN
password with random strings known only to Director. To make sure you enter
enough information in the partial device record, see the next section.
If more than one of the preceding parameters exist in the device record, all of the
parameters are matched. If any parameter fails, Director rejects the registration
request, an error message displays on the device console, and the following SNMP
trap is generated:
Node name | OID
blueCoatDirectorSgChgSgAutoregistrationFailed | 1.3.6.1.4.1.3417.3.1.2.9
Device name | A friendly name for the device that identifies the device in Director.
Front Panel PIN | Four-digit PIN to configure the device using its front LCD panel.
  Important: If you do not specify a PIN, during the registration process Director assigns a random string known only to Director. This is appropriate if you want only Director to manage the device.
  For you to manage the device using its front panel, enter a four-digit PIN. The PIN is preserved after registration.
Details about these settings are discussed in "Getting Optional Information for
the Partial Device Record" on page 101.
8. To create another partial device record, click Add Row and repeat steps 5
through 7.
9. Click Add Device(s) to save changes.
10. Optionally add the partial device records to groups as discussed in Section A:
"Setting Up and Managing Device Groups" on page 132.
11. Optionally create profiles and overlays for the devices:
• Section C: "Managing Profiles" on page 144
• Section D: "Managing Overlays" on page 159
12. Optionally create jobs to apply profiles and overlays to the device as
discussed in Chapter 7: "Managing Content Collections".
13. Register the devices as discussed in the next section.
How do you want to set up the SG appliance? | Select the option to register with Director.
After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:
Error | Meaning
Could not contact Director | Director likely has no appliance certificate, or Director is not accessible by this device.
Request rejected by Director: Device didn't uniquely match a device record | Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.
Skip the next section and continue with "Setting Passwords for Newly Registered
Devices on Director" on page 92.
Note: You are not prompted to enter a registration password if the device has an
appliance certificate.
Error | Meaning
Could not contact Director | Director likely has no appliance certificate, or Director is not accessible by this device.
Request rejected by Director: Device didn't uniquely match a device record | Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.
The following tasks are performed automatically after registration if you had set
them up before you registered the devices:
❐ Device records are added to groups.
❐ Jobs that apply profiles and overlays are run at their scheduled times.
Field | Description
Director IP address | Enter Director’s fully qualified host name or IP address.
Director serial number | If you know Director’s hardware serial number, enter it in this field. If you do not know Director’s serial number, click Retrieve S/N from Director. (The button is available only after you enter Director’s host name or IP address in the preceding field.)
Appliance name | Enter a unique identifier for the device. The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.
Note: Keep the following in mind when registering a device using its Management Console:
• If the Register button is inactive after you enter Director’s serial number or retrieve it from Director, you must enter a registration password. This is most likely because the ProxySG appliance has no appliance certificate.
  Either enter a registration password in the provided field or get an appliance certificate for the device.
• If an error displays that the device cannot connect to Director after you click Retrieve S/N from Director, check the following:
  • Make sure Director has an appliance certificate.
  • Log in to the device’s command line and ping Director’s IP address to make sure the device can contact Director.
6. Click Register.
You are required to confirm the action.
7. Follow the prompts on your screen to complete the registration process.
• If registration is successful, the following confirmation dialog box
displays:
Make sure the device record is correct—in particular, make sure the
device’s IP address and serial number match—and try again.
After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:
Field | Description
Serial No | Enter the device’s serial number. Caution: Because the device serial number is tied to its appliance certificate, use caution before changing it.
Serial Console Password | Enter a new serial console password for the device.
Frontpanel Pin | Enter a new front panel PIN for the device. The front panel PIN is a four-digit number. Enter 0000 to clear the front panel PIN.
The device moves from the Registered group to the Unassigned group.
6.
Chapter 4: Adding and Connecting to Devices
This chapter discusses how to add devices and how to connect to them from
Director. Topics include:
❐ "About Adding Devices"
❐ "Adding Devices" on page 114
❐ "Connecting to a Device" on page 123
❐ "Changing the Authentication Protocol" on page 124
❐ "Marking a Device as Configured" on page 129
Adding Devices
Use the Director Management Console’s New Device Wizard to add devices
using either of the following methods:
❐ Importing a device identification file
A device identification file is a text file that contains a comma-separated value
list of the data required to identify new devices. The New Device Wizard
includes a sample device identification file you can use as a template.
❐ Manually entering the required data
Note: If you add devices using a device identification file, you must enter data for
all fields in the correct order. Otherwise, the add device operation will fail and
errors will display.
To add a device, you must input the following data into the New Device Wizard.
Unless otherwise noted, all information is required for Director to add the device
and to communicate with the device.
Table 4–1 Required device information
Device name | A friendly name for the device that identifies the device in Director.
Front panel PIN | Enter the front panel PIN, if one is configured for this device. The front panel PIN is an optional configuration setting discussed in the Installation Guide for your ProxySG appliance, and also in Command Line Interface Reference.
Important:
• Before running the New Device Wizard, make sure your device
identification file has a value for every field and that every value is
separated by a comma character. Otherwise, the add device operation
will fail and errors will display. For assistance, view the sample file in
the New Device Wizard.
• The comma character is reserved for delimiting fields. Do not use
comma characters in other fields, such as the comment field. Doing so
causes device creation to fail.
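The file rules above (a value for every field, no commas inside a field) and the limits this guide states for device IDs, front panel PINs, and passwords can be checked before the file is imported. The following validator is an added example, not Blue Coat code; the column order in COLUMNS and the sample records are assumptions, so take the real order from the sample file in the New Device Wizard.

```python
"""Pre-flight check for a Director device identification file (added example)."""
import ipaddress

# ASSUMPTION: the page does not show the file layout. These hypothetical column
# names follow the fields the guide lists for adding a device, plus the comment
# field it mentions; replace them with the order used in the wizard's sample file.
COLUMNS = ["device_name", "device_id", "ip_address", "web_port", "auth_port",
           "username", "password", "enable_password",
           "serial_console_password", "front_panel_pin", "serial_number",
           "comment"]
ID_COL = COLUMNS.index("device_id")

FORBIDDEN_ID_CHARS = set("{}<>()#$")  # characters the guide forbids in a device ID
MAX_ID_LEN = 250                      # maximum device ID length per the guide
MAX_PASSWORD_LEN = 64                 # limit the guide gives for the admin password


def _is_port(value):
    return value.isascii() and value.isdigit() and 1 <= int(value) <= 65535


def check_record(line):
    """Return a list of problems found in one comma-separated record."""
    # Plain split: the comma is reserved as the delimiter, so no quoting is assumed.
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != len(COLUMNS):
        # Too few fields: a value is missing. Too many: a comma inside a field.
        return [f"expected {len(COLUMNS)} fields, found {len(fields)}"]
    rec = dict(zip(COLUMNS, fields))
    problems = [f"{name} is empty" for name, value in rec.items() if not value]

    dev_id = rec["device_id"]
    if len(dev_id) > MAX_ID_LEN:
        problems.append("device_id longer than 250 characters")
    bad = sorted(set(dev_id) & FORBIDDEN_ID_CHARS)
    if bad:
        problems.append("device_id contains forbidden characters: " + " ".join(bad))

    if rec["ip_address"]:
        try:
            ipaddress.ip_address(rec["ip_address"])
        except ValueError:
            problems.append("ip_address is not a valid IP address")

    for name in ("web_port", "auth_port"):
        if rec[name] and not _is_port(rec[name]):
            problems.append(f"{name} is not a port number (1-65535)")

    if len(rec["password"]) > MAX_PASSWORD_LEN:
        problems.append("password longer than 64 characters")

    pin = rec["front_panel_pin"]
    if pin and not (len(pin) == 4 and pin.isascii() and pin.isdigit()):
        problems.append("front_panel_pin is not a four-digit number")
    return problems


def check_file(text):
    """Validate every non-blank line; return {line_number: [problems]}."""
    report, seen_ids = {}, {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = check_record(line)
        fields = line.split(",")
        if len(fields) == len(COLUMNS):
            dev_id = fields[ID_COL].strip()
            if dev_id and dev_id in seen_ids:
                # Device IDs must be unique and cannot be changed later.
                problems.append(f"device_id duplicates line {seen_ids[dev_id]}")
            elif dev_id:
                seen_ids[dev_id] = lineno
        if problems:
            report[lineno] = problems
    return report


# Constructed sample input (not from the guide): line 1 is clean, line 2 has a
# comma in the comment, line 3 has a bad ID, address and PIN, line 4 has an
# empty field and reuses the device ID from line 1.
SAMPLE = """\
Branch proxy 1,sg-branch-01,192.0.2.10,8082,22,admin,Example-Pw-1,Example-En-1,Example-Sc-1,4821,0000000001,lab unit
Branch proxy 2,sg-branch-02,192.0.2.11,8082,22,admin,Example-Pw-2,Example-En-2,Example-Sc-2,12345,0000000002,rack 4, row B
Branch proxy 3,sg(branch)#3,192.0.2.300,8082,22,admin,Example-Pw-3,Example-En-3,Example-Sc-3,77,0000000003,spare
Branch proxy 4,sg-branch-01,192.0.2.13,8082,22,admin,Example-Pw-4,Example-En-4,,0000,0000000004,dup id
"""

if __name__ == "__main__":
    for lineno, problems in check_file(SAMPLE).items():
        for problem in problems:
            print(f"line {lineno}: {problem}")
```

A record with a wrong field count is reported once and not checked further, because its values can no longer be assigned to columns reliably.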
6. Click Next.
6. Place the cursor in the field in which to enter the following information and
use either the mouse or the Tab key to move between fields. Unless otherwise
noted, all information is required.
Note: Your input cannot include any of the characters listed in "Forbidden
Characters" on page 30.
Table 4–2 Adding a device manually
Field | Description
Device Name | A friendly name for the device that identifies the device in Director.
Device ID | A unique alphanumeric identifier for this device. Important: The device ID cannot be changed later.
IP Address | The device’s IP address. Important: The IP address cannot be changed later.
Web Port | The device’s HTTPS Console port. To find this value, log in to the ProxySG Management Console for the device and click Services > Management Services. The port value displays in the right pane in the Port column for HTTPS-Console.
Auth Port | SSH port; by default, port 22.
Username | Administrator user name of the device to manage.
Password | Administrator’s password.
Enable Mode Password | Enable mode password, if any, of the device to manage.
Serial Console Password | Serial console password, if any, of the device to manage.
Front Panel PIN | Enter the front panel PIN, if one is configured for this device. The front panel PIN is an optional configuration setting discussed in Command Line Interface Reference.
Serial Number | The ProxySG device’s hardware serial number, which is printed on a label affixed to the back panel of the device.
  You can find the hardware serial number in any of the following ways:
  • Displayed on the SGOS Management Console:
    • On the Home page when you first log in to the Management Console.
    • In the SGOS Management Console, click the Maintenance tab. In the right pane, click the Summary tab and in the left navigation pane, click System and Disks.
  • Using the show version command.
Registered | Choose whether or not to mark the device as registered with Director.
  Note: Marking a device as Registered is not the same as registering the device as discussed in Chapter 3: "Registering Devices".
Note: A red border around a cell in the New Devices table indicates the data is
invalid.
8. When you are finished configuring devices, click one of the following:
• Previous to return to a previous page to change configuration information.
• Next or Last to display the Summary page.
The Summary page displays configuration about the devices you are adding
as follows:
The added devices display in the All or Unassigned to Group categories in the
Group pane. To assign devices to groups, see Section A: "Setting Up and
Managing Device Groups" on page 132.
This command is required only if you use a port other than the default, 22.
(config device device_id) # front-panel-pin pin
This command is required only if a front panel PIN is set on the device.
❐ Commands for SSH Simple Authentication
SSH Simple authentication means Director uses an unencrypted user name
and password to authenticate itself with the device. Because the user name
and password are not encrypted, Blue Coat strongly recommends you use
SSH-RSA authentication as discussed in the next section.
For Director to authenticate itself with a device non-securely using SSH
Simple authentication, you must enter the following commands in addition to
the commands discussed in the preceding bullet point.
(config device device_id) # auth simple password password
(config device device_id) # auth simple username username
The auth simple username and auth simple password commands are
required for Director to use the device’s CLI to set up SSH-RSA
authentication.
(config device device_id) # auth rsa username director
This command gives you the choice of copying a keyring from another
device or generating a new keyring for the device.
(config device device_id) # pushkey sshv2
(config device device_id) # authtype rsa
Connecting to a Device
This section discusses how to connect to a device using the Management Console.
After you add a device, Director attempts to connect to it. If the connection is
unsuccessful, see the troubleshooting suggestions in Table 4–3.
To connect to a device:
1. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
2. Click the Configure tab.
Reason | Suggestion
Director cannot reach the device | If Director and the device it manages are across firewalls that prevent communication, Director cannot reach the device.
  To determine if this is the problem, log in to Director and ping the device. Use an SSH application to connect to Director, log in with its administrator user name and password, and enter ping device-ip-address at the director > prompt.
  If Director cannot ping the device, verify the device is powered on and functioning properly, and check firewall configurations to make sure the networks on which the device and Director are located can communicate with each other.
Note: The process by which Director and devices authenticate with each other is
not to be confused with the process by which users authenticate with Director. For
more information about user authentication, see the following:
❐ To log in to the Director Management Console using SSH-RSA, see
Chapter 2: "Connecting to Director".
❐ The discussion of the aaa authentication and username commands in Chapter
3, Configuration Mode Commands, in the Blue Coat Director Command Line
Interface Reference Guide.
6. Click SSH-RSA.
In the RSA Username field, the name director automatically displays. director
is the only user name allowed for SSH-RSA communication.
7. To generate an RSA key, click Change Key at the bottom of the dialog box.
Director can create a new SSH-RSA keypair, or you can use a keypair from
another device that is currently connected to Director.
8. Do any of the following:
a. To generate a new keypair, click Generate a new keypair.
b. To re-use a keypair, click Use a keypair from another device and enter the
device ID.
9. Click OK.
An example follows:
[Figure: screenshot with the callout "Confirms device uses SSH-RSA"]
After successfully adding the device and changing the protocol, continue
configuring the device as discussed in Chapter 5: "Managing Device Groups,
Profiles, and Overlays".
The device moves from the Registered group to the Unassigned group.
Chapter 5: Managing Device Groups, Profiles, and Overlays
Note:
❐ Only 500 devices can be viewed in the Director Management Console at one
time, even if the devices are managed by different Director appliances.
❐ A summary of tasks you can perform using system groups and custom
groups can be found in "Tasks Supported by Device Groups" on page 135.
For more information about each type of group, see the following sections:
❐ "About System Groups"
❐ "About Custom Groups" on page 135
Management Console | All system group | Model system group (a) | OS Version system group (b) | Other system groups (c) | Custom groups | Command line
a. Specifically, you can perform these tasks on individual groups such as SG 200, 510-C, 8100-20, and so on.
b. Specifically, you can perform these tasks on individual groups like SGOS 5.3, 4.2.7.1, and so on.
c. Other system groups mean the following: Registered, Not Registered, and Unassigned.
Where To Go Next
Continue with one of the following sections:
❐ "Adding Custom Groups"
❐ "Removing a Custom Group" on page 138
❐ "Adding Devices to a Custom Group" on page 138
6. Click OK.
7. To create an additional group, do any of the following:
• Top-level group. Repeat the steps 1 through 4 to create a new top-level
group.
• Nested group. Click the group you just created, and right-click to add a
group that will be subordinate to the top-level group.
8. After the groups are created, drag and drop the devices into the desired
groups.
You can add a device to multiple groups.
You can move a nested group to a different top-level group by dragging and
dropping, and you can change a nested group to a top-level group by
dragging it under Custom Groups.
Task | Steps
To add a device from a system group to a custom group:
1. In the Groups pane, click the system group that contains the device (for example, Unassigned).
2. Drag the device from the system group to the desired custom group.
   You are required to confirm the action.
To add a device from a custom group to another custom group:
1. In the Groups pane, click the custom group that contains the device.
2. Drag the device to the desired group.
   You are required to confirm the action.
   This copies the device to the custom group.
To move a device from one group to another group:
1. In the Groups pane, click the group that contains the device to move.
2. Drag the device to the desired group.
   You are required to confirm the action.
   This copies the device to the custom group.
3. Click the original group.
4. Right-click the name of the device from step 1.
5. From the pop-up menu, click Remove.
   You are required to confirm the action.
   This removes the device from the group, but does not delete the device from Director.
Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Table 5–2 Adding or editing a folder
Field Description
Folder Name Enter a name to identify the folder.
Folder ID Enter a unique identifier for the folder. You use the
folder ID, for example, to configure the folder using
the command line.
Note: The folder ID cannot be changed later.
Description Enter an optional description of the folder.
6. Click OK.
7. To create an additional folder, do any of the following:
• Top-level folder. Repeat the steps 1 through 6 to create a new top-level
folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop jobs into the desired folders as
follows:
a. From the Show list in the Configuration Library section on the
Configure tab page, click the object to put in a folder.
For example, to put a profile in a folder, from the Show list on the
Configure tab page, click Profiles or All.
b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a profile or overlay to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.
Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders
contained in the folder. Any profiles or overlays contained in those folders and
subfolders are moved to the Unassigned folder; they are not deleted.
To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Optional. To display profiles or overlays before you delete their containing
folders, on the Configure tab page, in the Configuration Library section, from
the Show list, click Profiles, Overlays, or All.
4. Right-click the name of the folder to delete.
5. From the pop-up menu, click Delete.
You are required to confirm the action. After deleting the folder, any profiles
or overlays contained in the folder or subfolders move to the Unassigned
system folder; they are not deleted.
Related Commands
First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # overlay overlay_id
director (config folder folder_id) # parent folder_id
director (config folder folder_id) # profile profile_id
director (config folder folder_id) # regex-list list_id
director (config folder folder_id) # url-list list_id
About Profiles
This section discusses the following topics about profiles:
❐ "About Profiles and Overlays"
❐ "About Profiles and Device Settings" on page 147
The keep-console option also retains the settings for all consoles (Telnet, SSH,
HTTP, and HTTPS), whether they are enabled, disabled, or deleted.
Administrative access settings retained using the restore-defaults command
with the keep-console option include:
❐ Management Console user name and password.
❐ Front panel PIN.
❐ Command line enable mode password.
❐ SSH (v1 and v2) host keys.
❐ Keyrings used by secure management services.
❐ RIP configurations.
The following figure shows how these types of profiles display on the Configure
tab page of the Director Management Console:
[Figure: a non-secure profile and a secure profile as displayed on the Configure tab page]
Icon Meaning
Non-secure profile
Secure profile
Creating a Profile
Because a profile consists of settings from one device to apply to multiple devices,
first select the device that serves as the profile source. A profile source must meet
all of the following requirements:
❐ Be the same hardware type and software version as the devices to which you
plan to apply the profile.
In other words, if the source is an SG210 running SGOS version 5.3.0.2, the
targets must also be SG210s running SGOS version 5.3.0.2.
Executing a profile on a device with a different hardware type or version
results in errors that might result in unpredictable behavior. (For example,
some commands might not be available in earlier SGOS versions.)
❐ Include all the settings you want to apply to other devices.
❐ Blue Coat recommends all devices authenticate with Director using SSH-RSA.
If the profile source device uses SSH-RSA authentication, Director issues the
create keyring show-director command to the device, which outputs all
device keyrings. The command also outputs other commands that would
otherwise be encrypted (such as passwords and certificates).
On the other hand, if the device uses SSH Simple authentication, the profile
excludes keyrings and encrypted settings.
See "Changing the Authentication Protocol" on page 124 for more information
about changing from SSH Simple to SSH-RSA.
Item | Description
Profile ID field | Enter a unique identifier for the profile. You use this ID when configuring the profile from the command line.
URL option | Click this option and enter the fully-qualified URL where the information is located.
7. Click OK.
The profile displays in the Configuration Library section similarly to the
following:
Editing a Profile
Blue Coat strongly recommends you edit every profile immediately after creating
it to remove or edit any commands that might cause problems on the target
device.
Examples follow:
❐ Remove commands that are not compatible with target devices
For example, remove SGOS version-specific commands. If, for example, you
created a profile using a source device running SGOS 5.4.1.1 and one or more
target devices run SGOS 5.2.x, remove commands that are specific to 5.4.1.1.
❐ Remove or edit commands that will fail on target devices
For example, if the source device has a bridge card but target devices do not,
remove bridging settings from the profile.
Important: Failure to edit the profile might result in the profile failing on the
device or device misconfiguration that might result in unpredictable
performance.
To edit a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library pane, from the Show list, click Profiles.
4. If required, expand the folders containing the profile.
5. Right-click the profile.
6. From the pop-up menu, click Edit.
7. Optional. To save a backup copy of the profile, place the cursor in the right
pane and click Control+A (select all), then paste the profile into a text editor
application and save it.
8. In the right pane, edit the commands in the profile to remove incompatible or
problematic commands.
For details about device commands, refer to Command Line Interface Reference
in the ProxySG Appliance Configuration and Management Guide.
9. Apply the profile to target devices as discussed in the next section.
Executing a Profile
You can execute a profile either immediately or as part of a scheduled job. When
you execute a profile, the following tasks are performed:
1. All target devices are backed up.
If the profile causes problems, you can recover the backup of the previous
configuration as discussed in Section A: "Backing Up Devices" on page 452.
2. Director sends all selected devices the restore-defaults keep-console
command.
This command restores device defaults except settings required for console
access. The keep-console option retains the settings for all consoles (Telnet-,
SSH-, HTTP-, and HTTPS-consoles), whether they are enabled, disabled, or
deleted.
3. The profile is executed on the targets.
To execute a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
profile.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. On the Configure tab page, in the Configuration Library section on the right,
expand the folders containing the profile to execute.
5. Click the name of a profile to execute.
6. Select the devices to which to apply the profile as follows:
• To apply the profile to a single device, click the name of the device in the
Devices pane.
• To apply the profile to a group, click the name of the group in the Groups
pane.
You can apply a profile to either system groups or custom groups.
Note: To execute a profile on more than one device or group, hold down the
Control key while clicking.
For a review of secure and non-secure profiles, see "About Secure Profiles" on
page 148.
8. Click Yes to apply the profile.
A dialog box displays the results of applying the profile. Carefully examine
the results for errors, which display in red text.
Use the following steps to determine if the profile executed properly:
a. Log in to the target device’s Management Console to see whether the
configuration item that caused the error succeeded.
Typical reasons configuration will not succeed include the following:
• The target device is not the same SGOS version as the source, so a
feature is not available on the target.
• The feature requires a license that does not exist on the target device.
b. Consult the following table, which shows a partial list of error
messages:
Table 5–6 Partial list of errors after executing a profile
Copying a Profile
Copying a profile is a convenient way to create a similar profile without having to
create it from scratch.
To copy a profile:
1. Create a profile as discussed in "Creating a Profile" on page 149.
2. In the Management Console, click the Configure tab.
3. In the Configure tab page, right-click a profile in the Configuration Library
section.
4. From the pop-up menu, click Copy.
5. Enter or edit the following information:
Field          Description
Profile Name   Enter a unique name to identify this profile.
Profile ID     Enter a unique identifier for the profile.
Description    Enter an optional description of the profile.
6. Click OK.
The profile displays in the Configuration Library section.
7. Right-click the profile you just copied.
8. From the pop-up menu, click Edit.
9. Change the profile as required. When you are finished editing the profile, click
OK.
For information about the options available for a profile, see "Editing a
Profile" on page 152.
10. Optionally drag the profile into a profile folder or create a new profile folder
for it as discussed in "Creating or Editing Folders" on page 140.
Important: Due to the number of CLI changes between SGOS versions, Blue
Coat strongly recommends you apply overlays only to devices running the
same major SGOS revision. In other words, do not apply an overlay created on
a device running SGOS 5.3.x to a device running SGOS 5.2.x. Doing so can
result in errors that might affect how the device functions in the network.
In particular, avoid executing overlays that contain policies on devices running
different SGOS versions because those policy commands can be incompatible.
General Tips
Following are tips you can use when executing overlays:
❐ If you choose to use CLI commands in overlays, be aware that by default,
commands execute in privileged configure mode on the device. (Privileged
mode is also referred to as configuration mode.)
To execute commands that run in privileged mode, you must first exit
privileged configure mode on the device using the exit command. For
example, to update licensing immediately, enter the following commands:
exit
licensing update-key
❐ You can apply an overlay immediately or you can schedule it to run later as
part of a job.
❐ Director does not check overlays for syntax, validity, or version compatibility,
so make sure overlay commands are from the same version as the targeted
device.
❐ Create a backup of the device configuration before pushing the new overlay in
case the overlay needs to be reverted.
Because a profile saves a device backup and an overlay does not, consider
executing a simple profile on a target device before executing an overlay. In the
event of errors, you can recover the device backup and apply the overlay
again. (You can schedule a profile and an overlay in the same job.)
1. Create a profile that performs basic configuration.
Create a profile that has minimal configuration; that way, you know the
device’s starting configuration but introduce a minimum number of
variables to troubleshoot in the event of problems.
Because executing a profile first backs up the device, you can restore from
backup later in the event of problems.
See "Creating a Profile" on page 149.
2. Create an overlay that downloads the database.
You can do this either using the device’s Management Console or using its
command line.
If you use the command line, see the description of the content-filter
command and subcommands in Chapter 3, Privileged Mode Configure
Commands, in Command Line Interface Reference in the ProxySG Appliance
Configuration and Management Guide.
For example, to download the Blue Coat Web Filtering database, use the
following commands in the overlay:
content-filter
bluecoat
download get-now
See "Creating an Overlay" on page 163.
3. Create a job that executes the database-loading overlay.
Creating the job is straightforward; however, when you view the job results
later, ignore timeouts. Timeout errors when loading a large database are
usually harmless. Schedule the job during a time when there is minimal
network activity.
See Chapter 8: "Creating, Scheduling, and Managing Jobs".
4. Create overlays that perform other database-related configuration (for
example, policies).
The tasks you perform in this step depend on how your policies are set up.
You must create one or more overlays that configure your local policy,
forward policy, central policy, and VPM policies that depend on the database
you loaded in the preceding overlay.
To add policies to the overlay, use refreshables fetched from the source
device (that is, the device on which the policies were originally created).
You can edit refreshables to add additional commands as well.
Tip: To make the process easier, create a profile from a source device that is
already configured with the desired policy settings. Add selected policy
commands from that profile to the overlay with the Using CLI option
discussed in step 8 in "Creating an Overlay" on page 163.
(Policy commands are grouped inside !- BEGIN policy and !- END policy tags;
commands themselves start with inline policy.)
See the following:
• "Creating an Overlay" on page 163
• For information about policies, refer to Volume 6: The Visual Policy
Manager and Advanced Policy in the ProxySG Appliance Configuration and
Management Guide.
• For information about commands related to policies, refer to the
description of the inline command in Chapter 2, Standard CLI and
Privileged Mode Commands, in Command Line Interface Reference in the
ProxySG Appliance Configuration and Management Guide.
5. Execute the profile.
Executing a profile first backs up the device so you can start over if
necessary. As discussed earlier, Blue Coat strongly recommends executing
very simple profiles to make troubleshooting easier in the event of problems.
See "Executing a Profile" on page 154.
6. Execute the database-loading job.
Execute the job that loads the database; you configured this job as discussed
in step 3.
Note: When you view the job results, ignore timeouts. Timeouts when loading
a large database are usually harmless. To speed up the job, schedule it
during a time when there is minimal network activity.
You can execute the job in any of the following ways:
• "Executing a Job Immediately" on page 274
• Section C: "Scheduling Jobs" on page 274
7. Verify the database is available and populated with data.
This task can be performed manually or using an overlay that is optionally
executed in a job.
Because the time required to load the database varies with the size of the
database, network latency, and other factors, use your past experience or run
a job periodically to check its status.
Use the following command to show the status of the database:
show content-filter {bluecoat | i-filter | intersafe | iwf | local | optenet | proventia | smartfilter | surfcontrol | status | websense | webwasher}
See Chapter 2, Standard and Privileged Mode Commands, in Command Line
Interface Reference in the ProxySG Appliance Configuration and Management
Guide.
8. Execute the other overlays.
Execute the overlays you created as discussed in step 4.
See "Creating an Overlay" on page 163.
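Because Director does not check overlays for syntax, validity, or version compatibility, a check can be run on the overlay text before it is pushed. The Python below is an added example, not Director's or Blue Coat's own code: it verifies that the !- BEGIN policy and !- END policy tags pair up and compares each target's SGOS revision with the source's. It assumes the caller supplies the overlay text and a device-to-version inventory, and it reads "same major SGOS revision" as the first two version components, following the 5.3.x versus 5.2.x example; the device names and sample overlay are constructed.

```python
import re

BEGIN_TAG = "!- BEGIN policy"   # tag text as quoted in this guide
END_TAG = "!- END policy"

# Constructed sample: the database download commands from the guide plus a
# policy block whose body is a placeholder, not real policy.
SAMPLE_OVERLAY = """content-filter
bluecoat
download get-now
!- BEGIN policy
inline policy (constructed placeholder body)
!- END policy
"""

# Constructed inventory: device name -> SGOS version string.
SAMPLE_TARGETS = {"branch-01": "SGOS 5.3.1.2", "branch-02": "5.2.4.1"}


def sgos_revision(version):
    """Return (major, minor) from strings such as 'SGOS 5.3.1.2' or '5.2.x'."""
    match = re.search(r"(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"cannot parse SGOS version: {version!r}")
    return int(match.group(1)), int(match.group(2))


def policy_tag_findings(overlay_text):
    """Check that BEGIN/END policy tags pair up.

    Returns (findings, has_policy); each finding is (severity, message).
    """
    findings = []
    open_line = None      # line number of the BEGIN tag that is still open
    has_policy = False
    for number, raw in enumerate(overlay_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(BEGIN_TAG):
            has_policy = True
            if open_line is not None:
                findings.append(("error", f"line {number}: BEGIN policy inside "
                                          f"the block opened at line {open_line}"))
            open_line = number
        elif line.startswith(END_TAG):
            if open_line is None:
                findings.append(("error", f"line {number}: END policy without BEGIN"))
            open_line = None
        elif line.startswith("inline policy"):
            has_policy = True
    if open_line is not None:
        findings.append(("error", f"line {open_line}: BEGIN policy never closed"))
    return findings, has_policy


def lint_overlay(overlay_text, source_version, target_versions):
    """Return findings for an overlay created on source_version.

    A revision mismatch is a warning for plain configuration and an error when
    the overlay carries policy, which the guide singles out as incompatible
    across SGOS versions.
    """
    findings, has_policy = policy_tag_findings(overlay_text)
    source = sgos_revision(source_version)
    for device, version in sorted(target_versions.items()):
        try:
            target = sgos_revision(version)
        except ValueError:
            findings.append(("error", f"{device}: unparseable version {version!r}"))
            continue
        if target != source:
            severity = "error" if has_policy else "warning"
            findings.append((severity,
                             f"{device}: SGOS {target[0]}.{target[1]}.x differs from "
                             f"overlay source {source[0]}.{source[1]}.x"))
    return findings


def safe_to_push(findings):
    """True when no finding has severity 'error'."""
    return not any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    for severity, message in lint_overlay(SAMPLE_OVERLAY, "5.3.x", SAMPLE_TARGETS):
        print(f"{severity}: {message}")
```
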
Creating an Overlay
This section discusses how to create an overlay. Before continuing, review the
information discussed in "Important Information About Using Overlays" on page
159.
To create an overlay:
1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section on the right side of the page, from the
Show list, click Overlays.
If you changed existing WCCP settings (Configuration > Network > WCCP), after
you click Add to Overlay, the following dialog box displays:
For more information about privileged mode and privileged mode configure
commands, refer to Command Line Interface Reference in the ProxySG Appliance
Configuration and Management Guide.
Note: The commands are not checked for validity or syntax.
3. When you are finished, click OK to add the commands to the overlay or click
Cancel to quit without adding the commands.
4. Continue with one of the following sections:
• "Adding to the Overlay Using the Management Console" on page 164
• "Adding to the Overlay Using Refreshables"
The selected refreshables display in the Overlay Settings section in the right
pane.
6. Click one of the following:
• In the add or edit dialog box, click OK to save changes to the Director
overlay.
• In the Overlay Settings pane, click the name of a refreshable and click Edit
to edit the commands that add that refreshable to the overlay.
• In the Overlay Settings pane, click the name of a refreshable and click
Delete to delete that refreshable from the overlay.
• In the Overlay Settings pane, click the name of a refreshable and click View
to view the commands associated with that refreshable.
Important: Due to the number of CLI changes between SGOS versions, Blue
Coat strongly recommends you apply overlays only to devices running the
same major SGOS revision. In other words, do not apply an overlay created on
a device running SGOS 5.3.x to a device running SGOS 5.2.x. Doing so can
result in errors that might affect how the device functions in the network.
In particular, avoid executing overlays that contain policies (including VPM) on
devices running different SGOS versions because policy commands can be
incompatible in different SGOS versions.
For more information about using the VPM graphical interface, refer to
Volume 6: The Visual Policy Manager and Advanced Policy. To learn about writing
policy, refer to Content Policy Language Guide in the Blue Coat ProxySG
Configuration and Management Guide.
b. Click Yes to fetch the refreshables and save them on the device.
The Select Reference Device dialog box displays a list of available devices.
8. In the Select Reference Device dialog box, click the reference device to be the
source for the VPM settings and click OK.
9. Click Launch.
The Management Console viewer displays.
10. Click Policy > Visual Policy Manager, then click Launch.
The Blue Coat Visual Policy Manager dialog box displays settings that were
saved in the Director overlay. If there were no previous settings that were
saved in the Director overlay, the VPM dialog box is initially populated with
policy settings from the reference device.
11. Use the VPM dialog box to make any policy changes.
Copying Overlays
Copying an overlay is a convenient way to create similar overlays without having
to create them from scratch.
To copy an overlay:
1. Create an overlay as discussed in "Creating an Overlay" on page 163.
2. In the Management Console, click the Configure tab.
3. On the Configure tab page, from the Show list, click Overlays.
4. In the Configuration Library section, expand the folder containing the overlay
to copy.
5. Right-click the overlay.
6. From the pop-up menu, click Copy.
7. Enter or edit the following information:
Field          Description
Overlay Name   Enter a unique name to identify this overlay.
Overlay ID     Enter a unique identifier for the overlay.
Description    Enter an optional description of the overlay.
8. Click OK.
The overlay displays in the Configuration Library section.
Deleting Overlays
This section discusses how to refresh or delete individual overlays.
To delete an overlay:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, from the Show list, click Overlays.
4. In the Configuration Library section, expand the folder containing the overlay
to delete.
5. Right-click the overlay to delete.
6. From the pop-up menu, click Delete.
You are required to confirm the action.
8. Use the legend at the bottom of the dialog box to interpret the results.
9. Use the function buttons as follows:
Table 5–8 Diff Profiles dialog box function buttons
Button      Meaning
Search      Displays a search field so you can search for text. Diff
            searching supports text searching only and not logic like
            Boolean or regular expressions.
Find next   Used in conjunction with the Search button to perform the same
            search again.
Prev diff   The cursor in the right pane moves to the previous difference.
Next diff   The cursor in the right pane moves to the next difference.
Save as     Saves the difference file in unified format, which uses plus and
            minus signs to indicate differences: each line that occurs only
            in the left file is preceded by a minus sign, each line that
            occurs only in the right file is preceded by a plus sign, and
            common lines are preceded by a space.
where:
• context format uses an identification line for each file, containing the
filename and modification date.
• unified uses plus and minus signs to indicate differences: each line that
occurs only in the left file is preceded by a minus sign, each line that
occurs only in the right file is preceded by a plus sign, and common lines
are preceded by a space.
❐ profile_id specifies the profile’s unique identifier. You can display the list of
profile IDs available for comparison by entering the following command:
director (config) # remote-config diff unified profiles ?
first_profile_id second_profile_id
2003Nov05160651PST
2003Nov05160921PST
2003Nov05161008PST
2003Nov06113244PST
Chapter 6: Device Administration
This chapter discusses administration tasks you can perform using Director.
Topics include:
❐ Section A: "Administration Tasks" on page 182
❐ Section B: "Search" on page 185
❐ Section C: "Upgrading Device Licenses" on page 203
❐ Section D: "Configuring a Device from Director" on page 204
Before you begin, make sure you perform all of the following:
❐ Add the devices to Director or register devices with Director
• Chapter 3: "Registering Devices"
• Chapter 4: "Adding and Connecting to Devices"
❐ Add devices to custom groups
Section A: "Setting Up and Managing Device Groups" on page 132
❐ Select the devices to administer
"Selecting Devices to Administer" on page 182
Now see one of the following sections:
❐ "Reconnecting to Devices"
❐ "Rebooting Devices" on page 184
❐ "Clearing Devices’ DNS, Object, or Byte Cache" on page 184
Reconnecting to Devices
Use the following steps to reconnect to devices after a temporary network outage:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices to reconnect as discussed in
"Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click Reconnect
Device(s).
Rebooting Devices
Use the following steps to reboot devices:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices to reboot as discussed in
"Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click Reboot
Device(s).
You are required to confirm the action. A progress indicator displays while the
device is rebooted.
Section B: Search
The Director Management Console enables you to search for the names of
devices, custom groups, custom folders, profiles, overlays, jobs, URL lists, and
regular expression lists using either exact names or wildcards. Each
object found by the search is selected in the appropriate pane in the Management
Console window. If multiple results are found, you can choose which object to
select.
This section discusses the following topics:
❐ "About Searching"
❐ "Using Search" on page 189
❐ "Using Search Results" on page 199
About Searching
This section discusses the following topics:
❐ "Ways to Perform a Search"
❐ "Basic and Advanced Searches" on page 187
Note: Pressing Control+F or clicking Actions > Find toggles the search tool on
and off. To close the search tool, press Control+F again, click Actions > Find
again, or click (close).
❐ On the Jobs tab page, you can search for the following objects:
• custom folders
• config jobs
• content jobs
• other jobs (that is, jobs that are not classified as config or content; for
example, jobs you create from the command line without using the
commands-type parameter, or where commands-type is other)
❐ On the Content tab page, you can search for the following objects:
• custom groups
• custom folders
• devices
• URL lists
• regular expression lists
Furthermore, the objects are limited by what you select from the Show list in each
tab page (with the exception of the Monitor tab page, which has no Show list). The
following figure shows an example:
In the example, Profiles is selected from the Show list in the Configuration Library
section on the Configure tab page. This limits the search to devices, groups, or
profiles. In this example, you cannot search for overlays. To search for overlays
and profiles, select All from the Show list.
Basic Search
The preceding figure shows a basic search. The following rules apply to basic
searches:
❐ Always case-sensitive
❐ One object at a time
❐ One search term at a time
❐ With no wildcard, use substring matching
❐ Wildcards:
• The asterisk character (*) can be used as a multiple-character wildcard.
• The question mark character (?) can be used as a single-character
wildcard.
More information about basic searches, including examples, can be found in
"Using Search" on page 189.
Advanced Search
To perform an advanced search, press Control+F or click Actions > Find on any
tab page in the Director Management Console to display search options, then
click More. The following figure shows an example Find dialog box:
Using Search
This section discusses how to search for groups, devices, profiles, overlays, jobs,
URL lists, and regular expression lists in the Director Management Console. For
background information, see "About Searching" on page 185.
This section discusses the following topics:
❐ "Searching for Devices and Groups"
❐ "Searching for Profiles and Overlays" on page 191
❐ "Searching for Config and Content Jobs" on page 194
❐ "Searching for URL Lists and Regular Expression Lists" on page 197
4. To search for devices, in the Groups pane, click System Groups > All.
Your search for devices will produce no results unless you click the All group.
5. Do any of the following:
• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
Item         Description
Find field   Enter the name or the ID of a group or device in the field, using
             the asterisk (*) character as a wildcard. This search is
             case-sensitive.
             Examples:
             • To search for a group that begins with Dev, enter either Dev
               or Dev*.
             • To search for a group that contains Dev, enter *Dev*.
b. Click (Go).
c. To use search results, see "Using Search Results" on page 199.
Note: The Find dialog box displays different object types, depending on which
tab page you select and which objects are visible. For example, if you click the
Configure tab page and click All from the Show list in the Configuration Library
section, the Find dialog box has check boxes for the Folders, Profiles, and
Overlays object types as well.
Case Sensitive check box   To perform a case-sensitive search, select the
                           check box.
                           To perform a case-insensitive search, clear the
                           check box.
                           Note: Model group names are case-sensitive.
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.
4. If the search tool does not display at the top of the Management Console
window, press Control+F (Find).
The search tool displays as follows:
b. Click (Go).
Case Sensitive check box   To perform a case-sensitive search, select the
                           check box.
                           To perform a case-insensitive search, clear the
                           check box.
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.
b. Click (Go).
a. In the search tool at the top of the Management Console window, click
More.
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.
b. Click (Go).
c. Click Go.
d. To use search results, see "Using Search Results" on page 199.
In the preceding example, a search for all groups that begin with Dev returned
three results.
If a search returns one or more results, the first matching object is selected in the
Management Console. In the example, the first group that begins with Dev is
selected in the Groups pane on the Configure tab page.
In the search tool, click the following buttons to select the next or previous object
returned by the search:
Previous search result    Next search result
The example shows a search for groups, devices, and profiles that begin with Dev.
Search results consist of four groups and one profile.
You have the following options:
❐ Select a search result in the Management Console: Click OK and the object is
selected in the Management Console.
This is useful if you want to perform an action on that object; for example, to
rename a group, click the name of a group and click OK. The group is selected
in the Management Console. Right-click the name of the group, click Edit, and
rename the group.
❐ Organize the objects in a new custom folder:
a. Click two or more search results of the same object type (for example,
two or more devices, two or more groups, and so on). Hold down the
Shift or Control key while clicking to select multiple objects.
b. Click Organize.
The Add New Folder dialog box displays.
c. Enter a folder name and a unique ID for the folder and click OK.
The selected objects are copied to the folder you created.
Chapter 7: Managing Content Collections
This chapter discusses general information about content distribution and how
to perform the following tasks:
❐ Create URL lists and regular expression lists
❐ Schedule content actions using URL lists and regular expression lists
immediately, or at a future day of the week and time of day
❐ Query a ProxySG’s object cache to determine if URLs are pre-populated
This chapter discusses the following topics:
❐ "About Content Distribution"
❐ "Managing Folders for Content Collections" on page 211
❐ "Creating and Distributing URL Lists" on page 215
❐ "Creating and Distributing Regular Expression Lists" on page 221
❐ "Querying URLs" on page 226
Note:
• ProxySGs do not spider a Web site to pre-populate all its contents. To
do that, you can use the Content Sync Module, which is discussed in
the Blue Coat Director Content Sync Module Guide.
• For a variety of reasons, certain content is not object-cacheable. For
example, Web pages that include the meta tag
<META HTTP-EQUIV="Pragma" CONTENT="no-cache"> are not cacheable. Also,
dynamically generated content might not be cacheable.
Before populating or revalidating content, verify the content is
cacheable because the content operations take time to complete and
consume CPU resources while they are executing.
However, content that is not object-cacheable is byte cached if any of the
following is true:
• There is an explicit ADN route for the origin server subnet
advertised by some other ProxySG appliance in the network.
• There is a ProxySG in the network in the path between the branch
ProxySG and the origin server, and that ProxySG is set for
transparent tunnels.
See one of the following sections for more information about content distribution:
❐ "Managing Folders for Content Collections"
❐ "Creating and Distributing URL Lists" on page 215
❐ "Creating and Distributing Regular Expression Lists" on page 221
❐ "Querying URLs" on page 226
Legend
1: The IT admin creates a list of URLs to content objects and stores it on an internal Web
server that is accessible by Director.
2: The IT admin uses Director to create a new content job that calls the list stored on the
Web server. The IT admin also creates a job schedule that populates ProxySGs’ object
caches at 12:01 am.
3: At 12:01 am, the ProxySG appliances at headquarters and the branch office receive the
content URLs and request the content from the Web server.
4: The Web server sends the content to the ProxySG appliances, which cache the objects.
5: The next morning, the company’s users access the content locally from their respective
Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Table 7–1 Adding or editing a folder
Field         Description
Folder Name   Enter a name to identify the folder.
Folder ID     Enter a unique identifier for the folder. You use the folder ID,
              for example, to configure the folder using the command line.
Description   Enter an optional description of the folder.
6. Click OK.
7. To create an additional folder, do any of the following:
• Top-level folder. Repeat the steps 1 through 6 to create a new top-level
folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop regular expression lists or URL
lists into the desired folders as follows:
a. From the Show list in the Content collections section on the Content tab
page, click the object to put in a folder.
For example, to put a URL list in a folder, from the Show list on the Content
tab page, click Url Lists or All.
b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a URL list or regular expression list to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.
Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders of
the folder. Any content collections contained in those folders and subfolders are
moved to the Unassigned folder; the content collections themselves are not
deleted.
To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. Optional. To display content collections before you delete their containing
folders, on the Content tab page, in the Content collections section, from the
Show list, click Regex Lists, Url Lists, or All.
Related Commands
First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # overlay overlay_id
director (config folder folder_id) # parent folder_id
director (config folder folder_id) # profile profile_id
director (config folder folder_id) # regex-list list_id
director (config folder folder_id) # url-list list_id
Note: Every URL must start with the protocol (also referred to as the schema);
for example, http://. URLs that start with www. or a similar prefix are not valid
and will result in job execution failure.
Item                  Description
URL List Name field   Enter a name to identify the URL list object.
URL List ID field     Enter a unique identifier. The URL List ID can be a
                      maximum of 250 characters and cannot include the
                      following characters: {, }, <, >, (, ), #, or $.
Import from URL       Click this option to import the URL list from a text
                      file stored on a Web server that Director can access.
• Revalidate URL(s)
• Delete URL(s)
• Prioritize URL(s)
Related Command
director # content url-list url_list_id input
Note: Every regular expression must start with the protocol (also referred to as
the schema); for example, http://. URLs that start with www. or a similar prefix
are not valid and will result in job execution failure.
Regex List Name field Enter a name to identify the regular expression
list object.
Regex List ID field Enter a unique identifier. The Regex List ID can
be a maximum of 250 characters and cannot
include the following characters: {, }, <, >, (, ),
#, or $.
Item Description
Import from local file Click this option to import the regular
expression list from a text file accessible from
this computer. Click Browse to locate the file.
Import from URL Click this option to import the regular
expression list from a text file stored on a Web
server that Director can access.
Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower
priority content is deleted before higher priority content.
These actions can be configured to run as follows:
❐ Immediately but not as a job
❐ As a job (which enables you to track execution) that executes:
• Immediately
• One time in the future
To schedule the job to run more than one time in the future or at scheduled
intervals, see "Content Job Action Details" on page 262 instead.
• Delete Regex(es)
• Prioritize Regex(es)
By default, the job name and job ID are both set to a time and date
stamp in the format: YYYYMMDDHHMMSS. You can change any value you
wish. The job ID can be a maximum of 250 characters in length and
cannot include the following characters: {, }, <, >, (, ), #, or $.
• Select Execute now for an immediate push or use the month, day, year,
hour, minute, and am/pm lists to schedule a time to push the lists.
6. Click OK.
Tip: Because content collections can have a large number of URLs or regular
expression lists, verifying that content was pushed successfully can be difficult. If
you distribute content using a content job, Director reports only that the job
executed successfully. The device might report that the content request was
received but not that the content was cached on the device successfully.
Blue Coat recommends that, after verifying that the job completed successfully,
you do any of the following to confirm that the content was distributed:
❐ Query the entire content collection to make sure all content was distributed
correctly.
❐ If you distribute a large amount of content, query a subset of the content
collection, which saves time but is also effective in determining whether or not
the content was distributed correctly.
For more information, see one of the following sections:
❐ Section D: "Verifying Jobs" on page 280 in Chapter 8: "Creating, Scheduling,
and Managing Jobs"
❐ "Querying URLs" on page 226
Related Command
director # content url-list url_list_id input
Querying URLs
Querying URLs allows you to verify the status of content from objects created on
Director: whether it is cached, not cached, or currently in the process of being
cached. You can use this command only for URL List and Regex List objects, not
for individual URLs or for remote URLs or regular expression lists.
6. In the lower left corner of the Management Console, click Query Selection.
When you click Query Selection, the Cancel Query button is available during
the time the query takes place. Clicking Cancel Query does not halt Director
from processing the query, but it does allow you to submit a new query.
After the query completes, the Show Results button becomes active.
7. Click Show Results.
Query results display similarly to the following:
Note: Percent values are rounded up; decimal values are not used. For
example, if you used a list of 30,000 URLs and 10 URLs are not in the
cache, the percent shown for in cache is displayed as 100%.
8. For each category that Director registers results, the View/Export button
displays. In this example, the two URLs in the content job were not detected in
the ProxySG appliance cache.
The options at the bottom of the dialog allow you to perform different actions
using this result set.
Note: If you view URLs that are not in the device’s cache, the Delete button is
replaced by a Distribute button.
• Delete:
This button displays if the URLs you selected are currently in the
device’s cache. Clicking this button removes the URLs in the list from the
device’s cache.
10. Click Close.
Related Commands
director (config)# content query command command_id {concise | (detail
[status {all | failed | issued | pending | remaining | successful}
{addr-device ip_address_or_hostname | all | device device_id | group
group_id} | summary [status {all | failed | issued | pending |
remaining | successful} {addr-device ip_address_or_hostname | all |
device device_id | group group_id} | model model | os-version
sgos_version]]
# content query in-progress {detail | summary} {addr-device
ip_address_or_hostname | all | device device_id | group group_id}
# content query info {concise | detail | summary} {url url | urls-from
url} {addr-device ip_address_or_hostname | all | device device_id |
group group_id | model model | os-version sgos_version}
# content query liveness device device_id
# content query outstanding {all {addr-device ip_address_or_hostname
device device_id | group group_id} | {regex url_regex {addr-device
ip_address_or_hostname | all | device device_id | group group_id} |
{regex-list regex-list_id {addr-device ip_address_or_hostname | all |
device device_id | group group_id} | {regexes-from url {addr-device
ip_address_or_hostname | all | device device_id | group group_id} |
{url url {addr-device ip_address_or_hostname | all | device device_id
| group group_id} | {urls-from url {addr-device ip_address_or_hostname
| all | device device_id | group group_id | model model | os-version
sgos_version}}
# content query status {addr-device ip_address_or_hostname | all |
device device_id | group group_id | model model | os-version
sgos_version}
Chapter 8: Creating, Scheduling, and Managing Jobs
Note:
• For information about content jobs, see Chapter 7: "Managing Content
Collections". Content jobs enable you to perform the following tasks:
• Distribute, revalidate, delete, or prioritize URLs and URL lists
• Revalidate, delete, or prioritize regular expression lists
• See Section C: "Managing Profiles" on page 144 for information about
profiles and overlays. See "" on page 290 for information about
upgrading and validating ProxySG appliance software.
Note: The Jobs tab page provides several different methods of selecting items.
For example, to edit a job, click the name of the job and perform one of the
following tasks:
❐ Click Edit in the Jobs pane.
❐ Right-click the job and, from the pop-up menu, click Edit.
❐ Click Edit > Edit Job.
Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Field Description
Folder Name Enter a name to identify the folder.
Folder ID Enter a unique identifier for the folder. You use the
folder ID, for example, to configure the folder using
the command line.
Description Enter an optional description of the folder.
6. Click OK.
b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a job to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.
Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders of
the folder. Any profiles, overlays, jobs, or content collections contained in those
folders and subfolders are moved to the Unassigned folder; they are not deleted.
To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. Optional. To display jobs before you delete their containing folders, on the Jobs
tab page, in the Job Library section, from the Show list, click Config Jobs, Content
Jobs, or All.
Job ID field Enter a unique identifier for the job. Initially, the
value of the Job ID field is identical to the Job
Name field (unless the job ID is not unique).
You can change the Job Name field at any time
before you click OK; after you click OK, the Job ID
cannot be changed.
Note: The job ID can be a maximum of 250
characters in length and cannot include the
following characters: {, }, <, >, (, ), #, or $.
Enable check box This check box is selected by default. Clear the
Enable check box if you want the scheduler to
ignore this job.
Note: A job runs only if it is enabled and it is
scheduled to run at a valid time (either
immediately or by setting the job schedule as
discussed in Section C: "Scheduling Jobs" on
page 274).
10. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.
Note: You can click the other tab pages to add actions and a schedule without
clicking OK in the Profile tab page first.
This also adds an additional action to a job that already has one or more
actions configured for it.
Action Description
Create and Upload Archive Archive (that is, back up) this Director appliance.
For more information, see "Archiving Director Using
the Management Console" on page 470.
Reboot Device Reboot the target device.
Clear Device’s Byte Cache Clear the byte cache on the target device.
Clear Device’s DNS Cache Clear the DNS cache on the target device.
Clear Device’s Object Cache Clear the object cache on the target device.
System Download Download a software version to the target device.
System Validate Validate the software version on the target device.
Issue Director CLI command Available only for jobs that were created using the Director
command line.
Enables you to edit CLI commands in a job.
Overlay list (or Profile list) From the list, click the name of the overlay or
profile to push.
Item Description
Select Target Device(s)
Click (browse), which displays the Choose
Target dialog box, then click the device that
contains the source overlay or profile.
Note: A job fails to execute if the job contains substitution variable conflicts.
The action displays in the left pane, as shown in the following example:
Overlay list (or Profile list) From the list, click the name of the overlay or
profile to refresh on the device.
Item Description
Archive Prerequisites
Before beginning, complete the following tasks:
❐ Learn about archive types: "About Archives" on page 466
❐ Create an archive keypair: "Creating an Encryption Keypair" on page 467
❐ If this Director is part of a standby pair: "Standby Prerequisite: Make Both
Directors Standalone" on page 467
❐ Create the job: Section A: "Getting Started With Jobs" on page 232
❐ Create a job action: "Getting Started With Job Actions" on page 238
Archive Type list From the list, click the type of archive to create. For
an explanation of the options, see "About
Archives" on page 466.
With Key list Select the key to use to encrypt the archive.
For more information about archive keys, see
"Creating an Encryption Keypair" on page 467
Upload URL field Enter the URL of the external server to which to
upload the archive. The URL can optionally
include the file name. If you omit the file name, the
archive is uploaded to the external server with a
name like the following:
sgmearchive-director-all-2008.12.03-004256.tgz
Valid URL formats follow:
scp://host//path
ftp://host/path
http://host/path
For example, to upload the archive to a directory
using the SCP protocol, enter
scp://192.168.0.50//director
For example, to upload the archive using a
different name using the FTP protocol, enter
ftp://192.168.0.50//director/director_5.4.1.1_04-01-09.tgz
Directory and File options Select the option corresponding to the URL you
entered in the Upload URL field.
• To upload the archive to the external server
using the default name, enter a URL without a
file name and click Directory.
• To upload the archive to the external server
using a name other than the default name,
enter a URL that includes a file name and click
File.
Note: Archive file names cannot contain spaces.
Period list From the list, click the period of time over which to
average the data for the report:
• Last Hour
• Last Day
• Last Week
• Last Month
• Last Year
Item Description
Server Port field Displays the SMTP server’s listen port. To change
this setting, click Change Mail Settings.
Username field Displays the SMTP server’s login user name (if
any). To change this setting, click Change Mail
Settings.
The right pane of the Job dialog box displays as follows if you select Clear
Device’s Byte Cache as the job action. (The other clear cache actions are similar.)
Remote URL field The SGOS image must be placed on a Web server
to which the devices have access.
When you download system software, you have
the option of installing it from a URL similar to the
following (URLs expire after 24 hours):
https://bto.bluecoat.com/download/direct/3577157784791669817118692320
Version field Enter the version number to match. See the note
following this table.
Target Device(s) Select the device or devices on which to validate
the SGOS version. (Use Control+click to select
multiple devices.)
Do not precede the software version number with SGOS. Doing so results in an
error.
You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280
Edit an existing CLI command 1. In the left pane, click the command to edit.
2. In the right pane, in the CLI Command field,
enter the new or changed command.
3. Click Apply.
The action displays in the left pane, as shown in the following example:
Item Description
Item Description
The action displays in the left pane, as shown in the following example:
Note: Jobs run according to the time set on the Director appliance, which is not
necessarily the same as the time on the computer on which the Management
Console runs. Before scheduling a job, use the standard mode show clock
command on Director to determine its time and time zone settings.
7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.
8. Click Execute.
7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.
8. Click the name of the job.
9. Click Edit.
10. Click the Schedule tab.
11. On the Schedule tab page, click This is a job to be executed on.
12. From the provided lists, click the month, day, year, hour, minute, and am or
pm.
7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.
8. Click the name of the job.
9. Click Edit.
10. Click the Schedule tab.
11. On the Schedule tab page, click This is a recurring job to be executed on.
12. Perform the tasks discussed in the following table in the order shown:
Task Description
2. Select one or more day of the week check boxes.
Specifies which days of the week to execute the job.
3. Select the time of day.
Specifies the time of day to execute the job on the days of the week you
previously specified.
Related Commands
First, enter job mode using the following command:
director (config) # job jobname
This command changes the prompt to:
director (config job jobname) #
Commands available from this submode include:
director (config job jobname) # cancel
director (config job jobname) # comment
director (config job jobname) # create
director (config job jobname) # date-time-pairs date_yyyy/mm/dd time_hh:mm[:ss]
director (config job jobname) # disable
director (config job jobname) # execute
director (config job jobname) # input
director (config job jobname) # name friendly_name
director (config job jobname) # no
Icon Meaning
The job has been scheduled but has not run yet.
Icon Meaning
Table 8–2 shows the meanings of the options at the bottom of the Job Queue pane.
Option Meaning
Display jobs’ next run time • Select the check box to display the next run time
for jobs scheduled in the future
• Clear the check box to display only job execution
results
Display jobs that ran in the last From the list, click the length of time for which
to display jobs that ran in the past:
• 1 day
• 7 days
• 15 days
• 30 days
• 1 year
Note: Jobs that were disabled after being executed also display in the Job
Queue.
The Description pane provides additional information, including a link to the Job
Report, which lists the commands executed on the target object or device. You can
customize the job report output. The default is to show only errors. To see all
command output, you must set the output to verbose as discussed in
"Configuring Browser and Mail Settings" on page 61.
This job report shows an example of verbose output. For information about
setting the output level, see "Configuring Browser and Mail Settings" on page
61.
Note: If the job report is empty, see "Alternate Way to View Job Results" on
page 284.
2. In the Job Library pane, if necessary, expand the folder containing the job that
has executions you want to view.
3. Click the name of the job.
4. Click Edit.
This job report shows an example of verbose output. For information about
setting the output level, see "Configuring Browser and Mail Settings" on page
61.
To view the cause of the error, click View Job Report in the Description pane. If the
job failed because of conflicting substitution variables, the job report displays
similarly to the following:
The example shows there are conflicts in substitution variables in this job that
Director could not resolve. For more information about substitution variable
conflicts, see "Rules for Resolving Conflicts" on page 297.
To manually resolve the conflict, see the next section.
The Resolve Conflict dialog box displays the conflicting variables and their
values.
13. In the Resolve Conflict dialog box, click the substitution variable value you
want to change and click Resolve Conflict.
The following figure shows an example.
After you click Resolve Conflict, the Group Substitution Variables dialog box
displays for that group as shown in the following figure.
Chapter 9: Managing Substitution Variables
The following figure shows how these variables are inherited by a group named
AustinDevGroup1, which is a child of AustinDev:
[Figure callout: Inherited from groups higher in the hierarchy]
In the preceding figure, the variable named DNS was inherited from Austin and
the variable DNSAlt was inherited from Austin > AustinDev.
Notes:
❐ The token format must be as follows: @(string).
The maximum length of string is 64 characters, alphanumeric only. If there are
any spaces, reserved characters, or special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is
a special character and cannot be used in a substitution variable.
❐ The token @ must be followed by a matching set of parentheses.
❐ If you do not want the @() token to be a substitution variable, escape it with
another @ symbol.
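The token rules in the notes above can be checked before an overlay or profile is pushed. The following scanner is an added example, not Blue Coat code: the function name, the `Finding` type and the sample lines are assumptions, and the sample lines are constructed placeholders rather than real SGOS commands.

```python
import re
from typing import List, NamedTuple, Tuple

# Rule from the notes: the string inside @( ) is alphanumeric only, at most 64 characters.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")


class Finding(NamedTuple):
    line: int      # 1-based line number
    col: int       # 1-based column of the offending '@'
    message: str


def scan_tokens(text: str) -> Tuple[List[str], List[Finding]]:
    """Return (variable names in order of first use, rule violations)."""
    names: List[str] = []
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        i = 0
        while i < len(line):
            if line[i] != "@":
                i += 1
                continue
            nxt = line[i + 1] if i + 1 < len(line) else ""
            if nxt == "@":
                # '@@' is the escape: what follows is literal text, not a token.
                i += 2
                continue
            if nxt != "(":
                findings.append(Finding(lineno, i + 1, "'@' is not followed by parentheses"))
                i += 1
                continue
            close = line.find(")", i + 2)
            if close == -1:
                findings.append(Finding(lineno, i + 1, "missing closing parenthesis"))
                break
            name = line[i + 2:close]
            if NAME_RE.fullmatch(name):
                if name not in names:
                    names.append(name)
            else:
                findings.append(Finding(lineno, i + 1, f"invalid variable name {name!r}"))
            i = close + 1
    return names, findings


# Constructed sample text; the command words are placeholders, not SGOS syntax.
SAMPLE_OVERLAY = """\
example-setting primary @(DNS)
example-setting alternate @(DNSAlt)
example-banner mail admin@@(noc) for access
example-setting ntp @(NTP Server)
example-setting site @(Site
"""

if __name__ == "__main__":
    found, problems = scan_tokens(SAMPLE_OVERLAY)
    print("variables:", found)
    for p in problems:
        print(f"line {p.line}, col {p.col}: {p.message}")
```

The list of names it returns is also the list of variables that every target device or group must have a value for.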
Note:
❐ To avoid the possibility of substitution variable conflicts, assign a device to
only one group and define all substitution variables either for the device or
for the group, but not both.
❐ If a substitution variable with the same name is defined with the same
value in more than one place, there is no conflict.
In the preceding figure, all groups under Austin are in the same hierarchy and all
groups under Sunnyvale are in the same hierarchy with the following exceptions:
❐ AustinDev and AustinQA inherit variables from Austin but not from each
other.
❐ Groups nested under AustinDev inherit variables from Austin but not
from AustinQA.
❐ SunnyvaleDev and SunnyvaleQA inherit variables from Sunnyvale but not
from each other.
The top pane shows variables inherited from the device’s parent groups and the
bottom pane shows variables for the device. The substitution variable conflict is
circled.
In this example, the substitution variable defined for the device takes precedence
(that is, the variable named DNS with the value 172.16.36.60). That means that
when a profile, overlay, or job is executed, the value of the substitution variable
defined for the device is used and the other values are ignored.
In the preceding example, the same variable (DNS) is defined in three places
with three different values: in the group Austin, in the group Sunnyvale and for
the device itself.
In this example, the substitution variable defined for the device takes
precedence. That means that when a profile, overlay, or job is executed, the
value of the substitution variable defined for the device is used and the other
values are ignored.
[Figure callout: Groups in which variables are defined]
In the preceding figure, the device (named QA142) belongs to the group
AustinDevGroup1. The substitution variables are defined in the groups Austin
and AustinDev. The variables are circled in blue.
Because the group AustinDev is closer in the hierarchy than the group Austin, the
value of the variable used in the group AustinDev takes precedence. That means
that when a profile, overlay, or job is executed, the value of the substitution
variable defined for the group Sunnyvale is used and the other value is ignored.
For information about viewing and resolving substitution variable conflicts when
you execute profiles, overlays, and jobs, see one of the following sections:
❐ "Resolving Substitution Variable Conflicts" on page 297
❐ "Validating the Values of Substitution Variables" on page 320
❐ Section E: "Resolving Substitution Variable Conflicts in Jobs" on page 287
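The precedence rules in this section (a device value wins, the closest group in a hierarchy wins, identical values never conflict, different values from separate hierarchies cannot be resolved) can be modeled as follows. This is an added example, not Director's implementation: the classes and `resolve` are assumptions, the group and device names come from the guide's figures, and all values except 172.16.36.60 are constructed. It also assumes that "same hierarchy" means one defining group is an ancestor of the other.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    variables: Dict[str, str] = field(default_factory=dict)

    def ancestors(self) -> List["Group"]:
        """Parent, grandparent, ... up to the top-level group."""
        out, node = [], self.parent
        while node is not None:
            out.append(node)
            node = node.parent
        return out


@dataclass
class Device:
    name: str
    groups: List[Group] = field(default_factory=list)
    variables: Dict[str, str] = field(default_factory=dict)


def nearest_definition(group: Group, var: str) -> Optional[Group]:
    """Closest group, walking toward the root, that defines var."""
    for node in [group] + group.ancestors():
        if var in node.variables:
            return node
    return None


def resolve(device: Device, var: str) -> Tuple[str, Optional[str], List[str]]:
    """Return (status, value, sources); status is 'ok', 'conflict' or 'missing'."""
    # Rule 1: a value defined for the device takes precedence over every group.
    if var in device.variables:
        return "ok", device.variables[var], [f"device:{device.name}"]

    # Rule 2: within one hierarchy, the closest defining group wins.
    definers: List[Group] = []
    for g in device.groups:
        d = nearest_definition(g, var)
        if d is not None and not any(d is seen for seen in definers):
            definers.append(d)
    # A definer that is an ancestor of another definer is in the same
    # hierarchy and is shadowed by the closer group (modeling assumption).
    shadowed = [a for d in definers for a in d.ancestors()]
    definers = [d for d in definers if not any(d is a for a in shadowed)]

    if not definers:
        return "missing", None, []
    sources = [f"group:{d.name}" for d in definers]
    values = {d.variables[var] for d in definers}
    # Rule 3: the same value defined in several places is not a conflict.
    if len(values) == 1:
        return "ok", values.pop(), sources
    # Rule 4: different values from separate hierarchies cannot be resolved.
    return "conflict", None, sources


# Constructed data using the group names from the guide's figures.
AUSTIN = Group("Austin", variables={"DNS": "10.0.0.1"})
AUSTIN_DEV = Group("AustinDev", parent=AUSTIN, variables={"DNS": "10.0.0.2"})
AUSTIN_DEV_GROUP1 = Group("AustinDevGroup1", parent=AUSTIN_DEV)
SUNNYVALE = Group("Sunnyvale", variables={"DNS": "10.0.1.1"})

if __name__ == "__main__":
    cases = [
        Device("QA142", [AUSTIN_DEV_GROUP1]),
        Device("QA142", [AUSTIN_DEV_GROUP1, SUNNYVALE]),
        Device("QA142", [AUSTIN_DEV_GROUP1, SUNNYVALE], {"DNS": "172.16.36.60"}),
    ]
    for dev in cases:
        print([g.name for g in dev.groups], dev.variables, "->", resolve(dev, "DNS"))
```

Running this kind of check over every device a job targets shows, before execution, which devices would fail on an unresolved conflict or a missing value.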
Note: Usually, a profile or overlay displays results for all devices in a group
when the profile or overlay is executed on a group of devices under a banner
similar to:
+-------------------------------------------
| Output for device "name"
+-------------------------------------------
However, if the group has no substitution variables defined for it but some of
the devices in the group have substitution variables defined for them, profile
or overlay execution displays errors for the devices without substitution
variables and it displays the result of the command execution for devices with
substitution variables.
The error displays as follows:
Error: The device <name> does not have a value for the required
substitution variable variable-name.
In the example, the first line defines the names of the substitution variables.
The second line defines the values of those variables.
Note: The Device ID field and its value are required. You cannot import the
substitution variable file unless the field is present and its value is valid. The
value of Device ID is the device’s unique identifier, and not the “friendly”
device name.
To view a device ID, on the Configure tab page of the Director Management
Console, right-click a device in the Devices pane. From the pop-up menu, click
Edit. The value of the Device ID field on the Edit Device dialog box is the ID you
must use.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is a
special character and cannot be used in a substitution variable.
An example follows:
Group ID,VarName1,VarName2,VarName3
AustinDevGroup,192.168.0.2,example.com,192.168.0.3
In the example, the first line defines the names of the substitution variables.
The second line defines the values of those variables.
Note: The Group ID field and its value are required. You cannot import the
substitution variable file unless the field is present and its value is valid. The
value of Group ID is the group’s unique identifier, and not the “friendly” group
name.
To view a group ID, on the Configure tab page of the Director Management
Console, right-click a custom group in the Groups pane. From the pop-up
menu, click Edit. The value of the Group ID field on the Edit Group dialog box is
the ID you must use.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is a
special character and cannot be used in a substitution variable.
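A substitution variable file can be checked against the rules above before it is imported. The following checker is an added example, not part of Director: `check_import_file` is a hypothetical name, and it assumes plain comma-separated fields without quoting and one or more value lines after the header.

```python
import re
from typing import Dict, List, Tuple

# Variable names: alphanumeric only, at most 64 characters (rule stated above).
NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")
# The first field of the header must name the ID column.
ID_COLUMNS = ("Device ID", "Group ID")


def check_import_file(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({id: {variable: value}}, errors) for a substitution variable file."""
    errors: List[str] = []
    rows = [(n, ln) for n, ln in enumerate(text.splitlines(), 1) if ln.strip()]
    if len(rows) < 2:
        return {}, ["file needs a header line and at least one value line"]

    header_no, header_line = rows[0]
    header = [c.strip() for c in header_line.split(",")]
    if header[0] not in ID_COLUMNS:
        errors.append(
            f"line {header_no}: first field must be 'Device ID' or 'Group ID', "
            f"found {header[0]!r}"
        )
    names = header[1:]
    for name in names:
        if not NAME_RE.fullmatch(name):
            errors.append(f"line {header_no}: invalid variable name {name!r}")
    for name in sorted({n for n in names if names.count(n) > 1}):
        errors.append(f"line {header_no}: variable name {name!r} appears more than once")

    parsed: Dict[str, Dict[str, str]] = {}
    for lineno, line in rows[1:]:
        fields = [c.strip() for c in line.split(",")]
        if len(fields) != len(header):
            errors.append(
                f"line {lineno}: expected {len(header)} fields, found {len(fields)}"
            )
            continue
        if not fields[0]:
            errors.append(f"line {lineno}: the ID value is empty")
            continue
        parsed[fields[0]] = dict(zip(names, fields[1:]))
    return parsed, errors


# The group example from the guide.
GUIDE_EXAMPLE = (
    "Group ID,VarName1,VarName2,VarName3\n"
    "AustinDevGroup,192.168.0.2,example.com,192.168.0.3\n"
)
# Constructed file that breaks the header, naming and field-count rules.
BAD_EXAMPLE = "Group Name,DNS Server,DNS*\nAustinDevGroup,10.0.0.1\n"

if __name__ == "__main__":
    for sample in (GUIDE_EXAMPLE, BAD_EXAMPLE):
        values, problems = check_import_file(sample)
        print(values)
        for problem in problems:
            print("  ", problem)
```

The checker cannot tell whether an ID is the unique identifier or the "friendly" name; confirm that in the Edit Group or Edit Device dialog box as described above.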
5. Click Next.
6. In the provided field, enter the absolute file system path to your substitution
variable file, or click Browse to locate it.
7. Click Next.
The Summary page displays information about the import.
A sample success message follows:
Successfully parsed substitution variables for 1 device(s).
For additional information about substitution variables defined for groups, see
"Inheriting Substitution Variables From a Custom Group" on page 292.
This section discusses how to give a substitution variable a value in any of the
following ways:
❐ "Defining a Substitution Variable Value for a Group"
❐ "Defining a Substitution Variable Value for a Device" on page 312
An example follows.
7. Click OK.
8. At the confirmation dialog box, click Yes.
9. At the Edit Group dialog box, click OK.
10. Repeat these tasks for other substitution variables to define for this group.
11. Validate the overlay as discussed in "Validating the Values of Substitution
Variables" on page 320.
Note: Any character other than a space before the initial @ symbol or the
ending parenthesis causes the substitution value to not be inserted. Also
review the information discussed in "Allowed Substitution Variable Formats"
on page 296.
12. In the Edit CLI dialog box, click OK to save your changes to the substitution
variable.
13. In the Edit existing Overlay dialog box, click OK to save your changes to the
overlay.
To edit a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section, from the Show list, click Profiles.
4. Expand the name of the folder containing the profile.
5. Right-click the name of the profile.
6. From the pop-up menu, click Edit.
The Edit existing Profile dialog box displays, similarly to the following:
7. In the right pane, locate the command or set of commands you want to change
to a substitution variable.
In the preceding example, a variable named DNS has been defined with
different values in two groups. The variables display in red text to indicate
that Director cannot resolve the conflicting values. The reason Director
cannot resolve the conflict is that the device inherited the variables from
groups that are not in the same hierarchy.
Before you can execute the profile or overlay, you must remove the
substitution variable or edit its value in one of the locations displayed in
the dialog box to remove the conflict, then execute the profile or overlay.
• Example of no conflict:
The value of the variable displayed in the preceding dialog box will be used
when executing the profile or overlay.
The Group Substitution Variables dialog box for the device or group displays.
The following figure shows an example Advanced Settings dialog box for a
group.
Task Description
8. Click OK.
9. You are required to confirm the action.
10. In the Edit dialog box, click OK.
Chapter 10: Monitoring Devices
This chapter describes the options on the Monitor tab page and how to use
them to view device status.
This chapter discusses the following topics:
❐ "About the Monitor Tab Page" on page 329
❐ "Viewing Group and Device Status" on page 330
❐ "Managing Alerts" on page 332
❐ "Viewing Statistics" on page 348
❐ "Generating Performance Analysis Reports" on page 350
❐ "Generating Health Reports" on page 354
The Monitor tab page enables you to quickly determine the status of groups or
of individual devices. The Monitor tab page provides a quick, global view of
the health of your devices by listing the total number of alerts for all devices
and providing a summary of device health for those systems. It also enables
you to access alert and statistics information.
Managing Alerts
This section discusses the following topics:
❐ "About Alerts"
❐ "Managing Alerts" on page 338
About Alerts
Alerts inform you of specific device events, such as fan failures or CPU utilization
warnings. Director records a maximum of 50,000 alerts. If the 50,000 alert limit is
reached, the oldest acknowledged alerts are deleted first.
This section discusses the following topics:
❐ "Alerts Terminology"
❐ "Alert Metric Details" on page 335
Alerts Terminology
The following table discusses the meanings of commonly used terms in this
chapter.
Table 10–1 Alerts terminology
Term | Meaning
Inactive alert | Event that has since returned to normal and no longer requires attention.
CPU Utilization | 95% / 120 seconds | 80% / 120 seconds | Measures the value of the primary CPU on multiprocessor systems, not the average of all CPU activity.
Memory Utilization | 95% / 120 seconds | 90% / 120 seconds | Measures memory use and tracks when memory resources become limited, causing new connections to be delayed.
Interface Utilization | 90% / 120 seconds | 60% / 120 seconds | Measures the traffic (in and out) on the interface to determine if it is approaching the maximum capacity (bandwidth maximum).
License Utilization | 90% / 120 seconds | 80% / 120 seconds | Monitors the number of users using the ProxySG.
Table 10–3 discusses metrics with thresholds that are not user configurable.
Table 10–3 Status health monitoring metrics
Voltage (Bus Voltage, CPU Voltage, Power Supply Voltage) | Threshold states and values vary by ProxySG models
The Current Device Status row displays how many devices are in each alert
severity state currently.
The Accumulated Alerts row displays the total number of alerts stored on
Director since the last time the alerts were cleared.
Managing Alerts
The Alerts dialog box enables you to view all of the alerts for the selected device
or group and allows you to filter, comment on, acknowledge, or unacknowledge
those alerts.
To manage alerts:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts in any of
the following ways:
• Select one or more devices: In the Groups pane, click the name of the
group to which the devices belong (if in doubt, click All).
In the Devices pane, click the names of the devices (to select more than one
device, hold down the Control key while clicking).
Continue with step 4.
• Select a group of devices: In the Groups pane, under Custom groups, click
the name of a group.
Continue with step 4.
4. In the Description pane, under Reports, click Alerts.
Filtering options
Option | Description
Filter alerts | Filtering means to limit the alerts that display to only those you choose. Make a selection from each list; the selections are combined to filter the results. Examples are shown in "Examples of Managing Alerts" on page 341.
To limit the alerts that display in the dialog box (that
is, to filter alerts), select the following options:
1. From the Metric list, click All to display alerts with
all metrics or click the name of a metric to limit the
alerts displayed to show that metric only.
For more information about alert metrics, see Table
10–2 on page 335.
2. From the Severity list, click All to display alerts
with all severities or click one of the following:
• Warning to display only alerts with a severity
of Warning.
• Critical to display only alerts with a severity of
Critical.
• Disconnected to display only alerts with a
severity of Disconnected.
3. From the State list, click All to display alerts with
all states or click one of the following:
• Active to display only alerts that are currently
in a critical or warning severity.
• Inactive to display only alerts that have since
returned to a normal severity.
4. From the Status list, click All to display alerts with
all states or click one of the following:
• Acknowledge to display only alerts that have
been previously acknowledged. You can do
this, for example, to delete acknowledged
alerts.
• Unacknowledge to display only alerts that
have not been acknowledged.
5. From the Days list, click All to display alerts from
all dates, or click a time interval to display alerts
that occurred in that time interval.
6. Click Show.
Clicking Reset returns the filters to their default
values.
7. See "Examples of Managing Alerts" on page 341.
Sort alerts | Click the name of a column to sort alerts by the value of that column, in either ascending or descending order. Clicking a column name once displays results in ascending order; clicking the same column name again displays results in descending order.
View details about one alert | Click an alert in the lower section of the dialog box. Alert details display in the Details section.
Add comments to selected alerts | Comments display only in the Alerts dialog box; comments are not propagated to the device. Click one or more alerts, enter text in the Comments field, and click Update. (To click more than one alert, hold down the Control key while clicking.)
Unacknowledge selected alerts | Click one or more alerts and click Unacknowledge. (To click more than one alert, hold down the Control key while clicking.) (unacknowledged) displays in the Acknowledged column in the Alerts dialog box for an unacknowledged alert.
Delete selected alerts | Click one or more alerts and click Delete. (To click more than one alert, hold down the Control key while clicking.) You are required to confirm the deletion.
5. To display only acknowledged alerts, make the following selections from the
Filters section of the Alerts dialog box:
• Metric list: click All.
• Severity list: click All.
• State list: click All.
• Status list: click Acknowledge.
• Days list: click any value, such as last 30 days.
The following figure shows an example:
6. Click Show.
5. Click Show.
The Alerts dialog box shows only acknowledged alerts.
6. Optional. Sort the alerts in order of oldest first by clicking twice on the Start
Time column.
Viewing Statistics
The Manage Device page enables you to view the alerts and statistics for
individual devices. When you click the Statistics button, an instance of that
device’s ProxySG appliance Management Console Statistics tab page displays.
The Alerts tab page enables you to switch back and forth between alert and
statistics information to obtain additional details.
Note: Unlike alerts, statistics can be viewed only for individual devices.
The Manage Device window displays, with the Management Console of the
selected device in view.
Note: You can make configuration changes only to devices from the Configure
tab.
Related Commands
director (config) # monitoring {alerts {acknowledge {alert alert_id |
all | device device_id | group group_id} | add-comment alert alert_id
comment comment | delete {alert alert_id | all | device device_id |
group group_id} | unacknowledge {alert alert_id | all | device
device_id | group group_id}} | diagnose {device-state subcommands |
standby-state subcommands} | refresh health-state {all | device
device_id | group group_id}}
4. On the Monitor tab page, click the device or group for which you want to
generate the report.
• To generate a report for one or more devices: In the Groups pane, click the
group to which the devices belong (for example, System > All group). In the
Devices pane, click one or more devices. (To select multiple devices, hold
down the Control key while clicking.)
If you click one device, the report displays data for that device.
If you click more than one device, the report displays aggregated data for
the devices you click.
• To generate a report for a group of devices: In the Groups pane, click the
name of the group.
The report displays aggregated data for all devices in the group (except for
disconnected devices). You can click the name of any group, including
custom groups or system groups (system groups include Model and OS
Version groups).
If you click the name of a group that has no devices, the Performance
Analysis Report button is unavailable.
Note: Performance analysis reports can take a long time to generate if you
select a group with a large number of devices.
The following error indicates the selected devices have not collected enough
data to display in the selected time interval and scale. To work around the
problem, choose a different device or group.
The title bar of the window displays the name of the device or group for
which the report was created (in the preceding example, the report was
created for a group named SG200).
Mouse-over data | Place the mouse cursor on any peak of a line or area graph (for example, Effective Throughput) to display data for that peak.
Text field | Every chart or graph in the report has a text field you can use to make notes about the chart or graph. Note: Line breaks you enter in the field are removed from the report when it is generated.
Click here to preview the report | Click the link to preview the report in your default Web browser. The report displays with all comments and charts or graphs you selected.
Chapter 11: Audit Logging
Director audit logging enables you to log the actions of all administrators who
perform tasks on Director. This can be useful if you need to document Director
administrator behavior for change management auditing or troubleshooting.
Auditing enables you to do the following:
❐ Authenticate using TACACS+
❐ Log all actions performed by an administrative user
❐ Log the contents of backups, profiles, overlays, configure jobs, and content
jobs
❐ Export the generated log entries to an external server using the Secure Copy
Protocol (SCP)
Important: In Director 5.3 and later, you can no longer transfer files to a server
using an insecure protocol. The external server to which files are transferred
must support the SCP protocol.
Note: Throughout the rest of this chapter, the term content jobs is intended to
include the content jobs themselves as well as any URL list or regular
expression lists they might contain. When you create, edit, or run a job with a
URL list or regular expression list, those activities are logged in the audit log.
❐ Backups
Audit logging enables administrators to track what tasks were performed by
commands that configured components in the preceding list. Administrators and
auditors can use event logging and audit logging together to determine what was
changed, who changed it, and when it was changed.
Audit logging
• The contents of a profile, the name of the user who executed it, and the IP address from which the command was executed
• The contents of an overlay, the name of the user who executed it, and the IP address from which the command was executed
• The contents of a device backup, the name of the user who executed it, and the IP address from which the command was executed
Event logging
• The name of a profile, the name of the user who executed it, and the IP address from which the command was executed
• The name of an overlay, the name of the user who executed it, and the IP address from which the command was executed
• The name of a device backup, the name of the user who executed it, and the IP address from which the command was executed
The following table summarizes the main functional differences between event
logging and audit logging:
Logging type Function
If you click More, a dialog box similar to the following displays more information
about audit policy:
The following figure shows an example of a Director with an audit logging policy
set to delete when the log directory is full:
The icon indicates the audit log directory is full. Clicking the icon displays a
status message similar to the following:
Set Director’s log level to notice_minor | "Setting the Logging Level" on page 364
where url is the fully qualified URL in which to store event and audit logs. url
must be in the following format:
scp://host_or_ip//path/ username username [password password]
An example follows:
director (config) # show logging
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: 192.168.1.0
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 22.473633 KB
Free space: 1023.978053 MB
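The following check is an added example, not part of the guide or of Director: it parses show logging output like the sample above and reports conditions that put audit records at risk. The 10% free-space threshold, the 1024-based unit conversion, and the function names are assumptions made for the example.

```python
import re

# Output copied from the example above.
SAMPLE = """\
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: 192.168.1.0
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 22.473633 KB
Free space: 1023.978053 MB
"""

# Assumption: sizes are reported in 1024-based units.
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def to_bytes(text):
    """Convert a size such as '22.473633 KB' to a number of bytes."""
    match = re.fullmatch(r"([\d.]+)\s*(B|KB|MB|GB)", text.strip())
    if not match:
        raise ValueError(f"unrecognised size: {text!r}")
    return float(match.group(1)) * UNITS[match.group(2)]


def parse_show_logging(text):
    """Return the 'key: value' lines of the output as a dict with lower-case keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def audit_log_findings(text, min_free_fraction=0.10):
    """List the conditions in `text` that could lead to loss of audit records."""
    fields = parse_show_logging(text)
    findings = []
    if "scp server" not in fields:
        findings.append("no SCP server configured: audit logs cannot be exported")
    if fields.get("auditing overflow policy") == "delete":
        findings.append(
            "overflow policy is delete: logs are deleted when the audit log "
            "directory is full, so export them before that happens"
        )
    used = to_bytes(fields["used space"])
    free = to_bytes(fields["free space"])
    free_fraction = free / (used + free)
    if free_fraction < min_free_fraction:
        findings.append(
            f"audit log directory is {100 * (1 - free_fraction):.1f}% full"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_log_findings(SAMPLE):
        print("FINDING:", finding)
```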
Note: Use this command only after you transfer audit logs to the external
server.
Chapter 12: Monitoring the Health of Devices
This chapter describes the Director health monitoring feature. The health
monitoring feature enables you to use Director to remotely monitor your
ProxySG appliances. By monitoring key hardware and software metrics,
Director provides administrators with a remote view of the health of the
ProxySG appliance.
This chapter also describes how to configure Director to send traps to a remote
management station when it fails or comes online.
This chapter discusses the following topics:
❐ "About Health Monitoring" on page 369
❐ "Device Health Monitoring Requirements" on page 370
❐ "About the Health Monitoring Metrics" on page 370
❐ "About Device Polling" on page 371
❐ "Health Monitoring Example" on page 371
❐ "About the Health Monitoring Device States" on page 373
❐ "About Health Monitoring Notification" on page 376
❐ "Changing Threshold and Notification Properties" on page 378
❐ "Getting A Quick View of ProxySG Appliance Health" on page 381
❐ "Viewing Health Monitoring Statistics" on page 381
❐ "Remotely Notifying Management Stations of Device Changes" on page 383
❐ "Troubleshooting" on page 385
Note: SGME 5.1.4.x and later ignores SNMP traps sent to it by ProxySG
appliances.
If you want to configure e-mail notification for individual alert types, the
notification settings for the alert must be set on each ProxySG appliance. To set
notification properties for specific alerts on multiple devices, create a profile or
overlay that contains the settings you want and then apply the settings to your
devices. See for more information.
Note: You can initiate an immediate device poll by clicking Refresh in the Health
field of the Monitoring tab Description pane. For more information, see
"About the Health Monitoring Device States" on page 373.
Polling can be slower for ProxySG appliances running SGOS releases earlier than
SGOS 5.1.4 or SGOS 4.2.4 because the entire system-resource-metrics XML is
fetched every minute, not just when a change has occurred. To make polling as
quick as possible, Blue Coat recommends that you upgrade your devices to SGOS
5.1.4.x or later or SGOS 4.2.4 or later.
Figure 12–1 Relationship between the threshold value and threshold interval (graph of Value against Time, 0 to 60, with an OK region labeled)
Note: You can configure Director to send end device status updates to a third-
party management station. See "Remotely Notifying Management Stations of
Device Changes" on page 383 for more information.
Warning | The ProxySG appliance has one or more events that are causing it to be in a Warning state. If additional warning-level events occur, they do not cause additional traps (however, a new critical-level event would generate a Critical trap).
Critical | The ProxySG appliance has one or more events that are causing it to be in a Critical state. If additional events occur, they do not cause additional traps (unless such events cause the appliance to move from state Warning to state Critical).
License Utilization | Percentage | Critical: 100%/0; Warning: 90%/0 | For licenses that have user limits, monitors the number of users.
Temperature (Bus temperature, CPU temperature) | Critical: High-critical | Warning: High-warning
Fan (The fan metric differs by hardware model, for example, CPU fan, chassis fan) | Critical: Low-critical | Warning: Low-warning
Voltage (Bus Voltage, CPU voltage, Power Supply voltage) | Critical: Critical, High-critical, Low-critical | Warning: High-warning, Low-warning
Note: To avoid losing one hour’s worth of alerts when the ProxySG clock is set
back during daylight saving time, manually refresh the health statistics after the
ProxySG clock is reset.
Note: You cannot change the threshold values for metrics from the Status
tab page.
The Edit Metric dialog box displays. (Sensor thresholds cannot be modified.)
Note: Blue Coat provides a MIB defining the ProxySG appliance state-change
notifications. The MIB is written in SMI v2 and matches all of the SNMP v2c
notifications sent by Director. Director also supports the sending of SNMP v1
traps, but no SMI v1 MIB is provided (many converters are available on the
Internet). Blue Coat recommends using SNMP v2 notifications rather than SNMP
v1 traps.
Note: The snmp-server enable traps command does not need to be executed to
enable the ProxySG appliance state notification feature. However, you must
enable the notifications as described in the following procedure.
3. Enter the following command to enable all device state SNMP notifications:
director (config) # snmp-server traps device-state all enable
The device-state notifications can also be enabled individually:
❐ device-state added
❐ device-state deleted
❐ device-state connected
❐ device-state disconnected
❐ device-state ok
❐ device-state warning
❐ device-state critical
❐ device-state auto-registered
❐ device-state auto-registered-failed
For example:
director (config) # snmp-server traps device-state connected enable
auto-registered device-state-auto-registered
auto-registered-failed device-state-auto-registered-failed
connected device-state-connected
critical device-state-critical
deleted device-state-deleted
ok device-state-ok
warning device-state-warning
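The health state traps are sent on state changes only, as the Warning and Critical state descriptions earlier in this chapter explain. The following added example (not Director code) models that behavior and the view a management station can rebuild from the traps it receives. The metric and device names are constructed, and sending a trap when the state improves from Critical to Warning is an assumption.

```python
SEVERITY = {"ok": 0, "warning": 1, "critical": 2}

# Trap names as listed in the table above.
HEALTH_TRAPS = {
    "ok": "device-state-ok",
    "warning": "device-state-warning",
    "critical": "device-state-critical",
}


def traps_for(metric_updates):
    """metric_updates: [(metric, severity)] in arrival order for one appliance.

    The appliance state is the worst severity among its metrics, and a trap
    is emitted only when that overall state changes.
    """
    active = {}      # metric -> severity, for metrics that are not OK
    state = "ok"
    traps = []
    for metric, severity in metric_updates:
        if severity == "ok":
            active.pop(metric, None)
        else:
            active[metric] = severity
        new_state = max(active.values(), key=SEVERITY.get, default="ok")
        if new_state != state:
            traps.append(HEALTH_TRAPS[new_state])
            state = new_state
    return traps


def last_known_states(trap_log):
    """Management-station view: fold [(device, trap)] into {device: state}.

    Because traps are sent on transitions only, this table is all the station
    knows; a lost trap leaves a stale entry until the next state change.
    """
    by_trap = {name: state for state, name in HEALTH_TRAPS.items()}
    states = {}
    for device, trap in trap_log:
        if trap == "device-state-deleted":
            states.pop(device, None)
        elif trap in by_trap:
            states[device] = by_trap[trap]
    return states


if __name__ == "__main__":
    # Constructed sequence: a second warning-level event produces no new trap.
    updates = [("cpu", "warning"), ("memory", "warning"), ("cpu", "critical"),
               ("cpu", "ok"), ("memory", "ok")]
    print(traps_for(updates))
```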
Troubleshooting
If you continue to receive alerts, contact Blue Coat Support. For licensing
questions, contact Blue Coat Support Services. It is helpful to obtain a packet
capture for CPU, memory pressure (referred to as memory utilization in SGOS
5.3.x), and network interface issues, before calling Support.
Chapter 13: Configuring Director Redundancy
Requirements
To implement Director standby, you must have the following:
❐ Two Director 510 appliances
Important: The Director 510 appliances must be running the same version of
SGME.
Terminology
Before reading further, you should familiarize yourself with the following terms.
Standby Pair
Two Director 510 appliances, one configured as a primary Director and one
configured as a secondary Director. The pair works together to achieve
redundancy.
Partner
The corresponding Director in the standby pair. The primary Director’s partner is
the secondary Director and the secondary Director’s partner is the primary
Director.
Primary Director
A Director identity. The primary Director is the device in the standby pair that
normally performs all day-to-day Director operations. All changes on the primary
Director are propagated to the secondary Director by means of the rsync utility
using a remote SSH shell.
The primary Director remotely executes shell commands on the secondary
Director to verify connectivity. The default state of the primary Director is active,
which means that it is able to perform monitoring and configuration operations.
The primary Director is the only device that can do any of the following:
❐ Initiate syncs. The secondary Director is only a passive rsync client.
❐ Connect to the secondary Director to obtain connectivity status. The
secondary Director does not initiate such checks but it does report if it has not
been queried by the primary Director.
Secondary Director
A Director identity. The secondary Director is the device in the standby pair
whose only purpose is to take over for the primary Director when a failure occurs.
The normal state of the secondary Director is reserve, which means that it cannot
perform any monitoring or configuration operations and will not accept
Management Console connections.
Only if the administrator manually configures the secondary Director to be active
does the secondary Director perform all functions previously performed by the
primary Director.
When you execute the make-secondary command, the Director reboots. To access
the secondary Director, you must log in with the standbyuser username.
Sync
The process of copying all changes from one Director to its partner. This includes
changes made by administrators as well as changes to the event database and job
status. The possible status for sync is: in-sync, syncing, or retrying sync. For
more information about sync status, see "Viewing the State of the Primary or
Secondary Director" on page 398.
Standalone Director
A Director appliance that is not participating in a standby pair and therefore has
no standby identity. A standalone Director cannot participate in a standby pair
until an administrator changes its identity to primary or secondary. In other
words, unless you configure a Director appliance to be either a primary or
secondary, that Director is standalone.
Executing the make-standalone command on a primary or secondary Director
takes it out of the standby pair. Note that in this chapter, a primary or secondary
Director that has been made standalone is still referred to by its previous identity;
that is, “primary” or “secondary.”
When you execute the make-standalone command, Director reboots.
Active
The name of a Director appliance state that allows it to configure and monitor
devices. You use the active Director for all Director tasks, including remote
administration using overlays and profiles; job creation and execution; health
monitoring; and backup and restore.
The normal state of the primary Director is active.
Reserve
The name of a secondary Director appliance state that indicates it is standing by in
the event the primary Director fails.
In the reserve state, the Director is essentially an rsync client. If the primary
Director fails, the administrator must change the secondary Director’s state to
active so it can resume service.
Absent any failures, the normal state of the secondary Director is reserve.
Inactive
The name of a primary Director appliance state that indicates the secondary
Director has become active. For example, if, while the primary Director was
powered off, the secondary was made active, the primary Director changes to the
inactive state after it reboots. Transitioning to inactive prevents simultaneous
changes to both Directors’ configurations.
If the primary and secondary Directors have different configurations, those
changes cannot be merged and you must discard the changes from one of those
configurations.
Failover Assumptions
These assumptions will help you understand the operation of the standby pair:
❐ Only administrators can alter the state of the standby pair. Consider the
following examples:
• If an administrator executes the make-standalone command on a
Director, the administrator must perform a make-primary or make-
secondary to get that Director back into the pair.
Figure 13–1 Data Mirroring between the primary Director and secondary Director
Monitoring Connectivity
To verify that its partner is reachable and functioning normally, the primary
Director executes, every five seconds, a specific command on the secondary
Director. If the command fails 12 times in a row (that is, for one minute), the
primary Director sends an SNMP notification to any configured management
stations.
If the secondary Director is functioning normally and has not received the expected
CLI command within one minute, it sends an SNMP notification to the
management station.
Note:
• You must configure the primary Director to send the standby SNMP
notifications. For more information, see "Configuring the Standby Pair" on
page 397.
• If there are firewalls between the primary and secondary Directors, TCP
and UDP port 873 must be open for communication to succeed.
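The following added example (not Director code) replays the connectivity checks described above in five-second slots, to show when each Director would send its notification and what a management station can infer from which side reported. It assumes each side notifies once per outage and that the management station can still reach both Directors; the diagnose function is an interpretation, not something the guide states.

```python
PROBE_INTERVAL_S = 5       # guide: the primary runs its check every five seconds
FAILURES_TO_NOTIFY = 12    # guide: 12 failures in a row (one minute)
SECONDARY_TIMEOUT_S = 60   # guide: secondary expects the command within one minute


def simulate(steps, link_down=(), primary_down=(), secondary_down=()):
    """Replay `steps` probe slots (slot i is at t = i * 5 s).

    Each *_down argument holds the slot numbers during which that component
    is unavailable. Returns [(time_s, sender)] for every SNMP notification.
    Assumption: each side notifies once per outage, when its limit is reached.
    """
    events = []
    fail_streak = 0   # primary: consecutive failed probes
    silent_s = 0      # secondary: seconds since the last probe arrived
    for i in range(steps):
        t = i * PROBE_INTERVAL_S
        primary_up = i not in primary_down
        secondary_up = i not in secondary_down
        probe_ok = primary_up and secondary_up and i not in link_down

        if primary_up:
            fail_streak = 0 if probe_ok else fail_streak + 1
            if fail_streak == FAILURES_TO_NOTIFY:
                events.append((t, "primary"))
        else:
            fail_streak = 0

        if secondary_up:
            silent_s = 0 if probe_ok else silent_s + PROBE_INTERVAL_S
            if silent_s == SECONDARY_TIMEOUT_S:
                events.append((t, "secondary"))
        else:
            silent_s = 0
    return events


def diagnose(events):
    """Interpret which side(s) notified (an inference, not from the guide)."""
    senders = {sender for _, sender in events}
    if senders == {"primary", "secondary"}:
        return "link between the Directors is down; both appliances are running"
    if senders == {"primary"}:
        return "secondary is down or not answering"
    if senders == {"secondary"}:
        return "primary has stopped probing"
    return "no notification"


if __name__ == "__main__":
    outage = range(20, 40)  # constructed scenario: slots 20-39 (t = 100 s to 195 s)
    scenarios = [
        ("link outage", {"link_down": outage}),
        ("secondary off", {"secondary_down": outage}),
        ("primary off", {"primary_down": outage}),
        ("55 s link blip", {"link_down": range(20, 31)}),
    ]
    for label, kwargs in scenarios:
        events = simulate(60, **kwargs)
        print(f"{label}: {events} -> {diagnose(events)}")
```

An outage shorter than one minute, such as the 55-second case, produces no notification from either side.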
Figure 13–3 Making the secondary Director active after failure of the primary
Failure of the network link between the primary Director and secondary Director
does not trigger any automatic state transitions. During a network outage, any
changes on the primary Director are not immediately synchronized with the
secondary Director. After connectivity is restored, the primary Director then
automatically synchronizes all changes (since the last successful sync) with the
secondary Director.
No state change occurs as a result of network link failure. All state transitions
are the result of administrator intervention.
Important:
• You must make both Directors in the standby pair standalone before
restoring an archive on either the primary or secondary Director. For
more information about archiving, see Chapter 15: "Backing Up
Director and Devices".
• If the secondary Director in a standby pair is reachable but is configured
to be standalone (and not secondary), the primary Director responds
slowly to login requests and, in some cases, prevents users from logging
in.
Important: If there are firewalls between the primary and secondary Directors,
TCP and UDP port 873 must be open for communication to succeed.
You can enable the notifications individually if you desire. To get a listing of
the available standby states, enter the following command:
director (config) # snmp traps standby-state ?
The secondary Director reboots and comes up in the reserve state. When
accessing the Director after the reboot, you must use the standbyuser
username.
11. Reboot the primary Director again.
Figure 13–6 Management Console standby pair identity and status Indicator
The possible standby pair identities, states, and synchronization status for the
standby pair status (as shown in the preceding figure) are described in the
following table.
Table 13–1 Possible standby pair identities, states, and synchronization status
Sunnyvale 10.1.1.2 SV
Sunnyvale Director:
director-sv (config) # snmp-server traps standby-state all enable
director-sv (config) # snmp-server traps device-state all enable
director-sv (config) # snmp-server host 0.0.0.0 traps version 2c
4. Configure the Los Angeles branch office Director 510 as secondary and
specify the IP address of the primary Director and the password of the SSH
connection:
director-la (config) # standby make-secondary 10.1.1.2 thunder
Configuration Notes
❐ Only two commands are allowed on the secondary: make-active and make-
standalone. This ensures that the two Director configurations are never
unsynchronized.
❐ Reserve and inactive Directors allow connections only from the standbyuser
user, regardless of any previously configured usernames. If you subsequently
break the standby pair, the username reverts to its previous setting.
❐ After the standby pair is configured, the identity of the secondary Director
cannot be changed unless the standby pair is broken by making it standalone.
❐ If both Directors are accidentally configured as primary, each primary
Director reports the other as misconfigured because its partner is not
secondary.
Note: When the secondary Director is in the reserve state or the primary
Director in the inactive state, you must log in to that Director as
standbyuser.
Note: The username of the secondary reverts from standbyuser to its original
setting when the Director is made active.
When the primary Director notices that the secondary Director has been made
active, it will transition to inactive.
4. Properly shut down the primary Director. See "Shutting Down Director" on
page 522 for more information.
Note: The username of the primary reverts from standbyuser to its original
setting when the Director is made active.
Example analyzes and corrects this type of network outage in the following ways:
❐ "Determining the Root Cause"
❐ "Troubleshooting Network Failures" on page 406
Note: The following procedure assumes that the secondary Director is acting
in reserve.
Note: After you make the primary or secondary Director standalone, you
must connect to it using the user name that was configured before you
created the standby pair. In other words, the standbyuser user name will not
work.
Important: To make sure the Directors do not get out of sync during the
upgrade process, verify all of the following:
• No configuration changes are made on Director during the software
upgrade.
• No jobs are scheduled on the secondary Director during the software
upgrade.
15. After completing the software upgrade, make sure the primary and secondary
Directors are functioning, synchronized, and running the upgraded software
version.
A synchronization from the primary Director to the secondary Director has failed.
(The primary Director will continuously retry the synchronization, but this
notification will not be sent after every successive failure).
Remediation: Because this notification is often caused by loss of reachability from
the primary Director to the secondary Director, look for a corresponding
_PartnerReachabilityLost notification.
Sync-reestablished
OID Node
1.3.6.1.4.1.3417.3.2.2.3.1.2 blueCoatDirectorStandbyChgSyncReestablished
Primary-backing-off-to-Inactive
OID Node
1.3.6.1.4.1.3417.3.2.2.3.2.1 blueCoatDirectorStandbyChgPrimaryBackingOffToInactive
While running in the active state, the primary Director discovered the secondary
Director in the active state. In this case, the primary Director automatically
assumes the inactive state.
Remediation: There are two common ways of getting into this condition:
1. With the primary Director in the active state and the secondary Director in the
reserve state, there was a network failure. After an administrator changes the
secondary to the active state, on the first heartbeat after the network comes
back up, the double-active condition is detected.
2. With the primary Director in the active state and the secondary Director in the
reserve state, the primary Director powers off. After an administrator changes
the secondary to active, the primary Director powers up, resulting in the
double-active condition.
In both cases, an administrator must determine which Director’s configuration
changed (if any), and decide on the set of changes to keep when the original
primary Director is made active.
Partner-config-invalid
OID Node
1.3.6.1.4.1.3417.3.2.2.3.3.1 blueCoatDirectorStandbyChgPartnerConfigInvalid
Partner-config-validated
OID Node
1.3.6.1.4.1.3417.3.2.2.3.3.2 blueCoatDirectorStandbyChgPartnerConfigValidated
Partner-reachability-regained
OID Node
1.3.6.1.4.1.3417.3.2.2.1.1.2 blueCoatDirectorStandbyChgPartnerReachabilityRegained
Forced-to-Primary
OID Node
1.3.6.1.4.1.3417.3.2.2.2.1.1 blueCoatDirectorStandbyChgForcedToPrimary
Forced-to-Secondary
OID Node
1.3.6.1.4.1.3417.3.2.2.2.1.2 blueCoatDirectorStandbyChgForcedToSecondary
Forced-to-StandAlone
OID Node
1.3.6.1.4.1.3417.3.2.2.2.1.3 blueCoatDirectorStandbyChgForcedToStandalone
Forced-to-Active-State
OID Node
1.3.6.1.4.1.3417.3.2.2.2.1.4 blueCoatDirectorStandbyChgForcedToActiveState
Chapter 14: Director Logging
Blue Coat Director logs help you to determine the nature of a problem when
you troubleshoot Director by providing information about connection issues,
configuration issues, and operating conditions.
To monitor your system, you can:
❐ Use the daily syslog to view results of commands generated by the Director
command line.
❐ Click the All Jobs for Director icon or select Content > Query Content in the
Director Management Console.
❐ Use the show commands from the Director command line.
The following table summarizes the main functional differences between event
logging and audit logging:
Logging type Function
Audit logging
• The contents of a profile, the name of the user who executed it, and the IP address from which the command was executed
• The contents of an overlay, the name of the user who executed it, and the IP address from which the command was executed
• The contents of a device backup, the name of the user who executed it, and the IP address from which the command was executed
Event logging
• The name of a profile, the name of the user who executed it, and the IP address from which the command was executed
• The name of an overlay, the name of the user who executed it, and the IP address from which the command was executed
• The name of a device backup, the name of the user who executed it, and the IP address from which the command was executed
Terms Definitions
Addr-device
    A command option for the IP address or hostname of a ProxySG appliance.
PIN
    Personal Identification Number for the front panel LCD, made up of four numeric values.
Process ID (PID)
    A unique identifier assigned to each process when it is started. Each system has a maximum value for the PID number. When this value is reached, PID numbering starts again.
Components of Director
Syslog messages are generated by the components of Director. They are explained
below:
Component Description
LCD Panel Manager
    Communicates with the front panel LCD and Configuration Manager to handle the input and output via LCD. When it is not engaged in configuring the system, LCD Panel Manager displays information, such as the hostname and CPU utilization.
❐ Trap sink (remote host): Set the level at which remote messages are sent to
syslogd servers.
The following table lists log levels in order from most verbose to least verbose:
Table 14–2 Director log levels
Note:
• Log levels not listed in Table 14–2 are reserved for internal use.
• Avoid setting log levels to a high verbosity level except temporarily for
troubleshooting purposes. Using a high verbosity level like notice or
notice_minor can degrade performance due to the number of log
messages being created.
Syslog Messages
The following sections discuss selected syslog messages and their meanings:
❐ "Content Management Syslog Messages"
❐ "LCD Panel Manager Syslog Messages" on page 426
❐ "Communication Manager Syslog Messages" on page 427
❐ "Command Line Interface Syslog Messages" on page 429
❐ "Job Manager Syslog Messages" on page 430
❐ "Configuration Syslog Messages" on page 432
❐ "Configuration Management Syslog Messages" on page 433
❐ "Health Monitoring Syslog Messages" on page 437
Job: <job ID> execution issued <cmd ID> commands, now exiting
    Level: notice
    This message is logged every time the Job Manager receives a signal while issuing commands.
Job <job ID> execution <execution instance> <cmd ID> command. Output <output>
    Level: notice
    The output of all the commands that make up the job are displayed.
File <filename> is not in a supported config file format.
    Level: Warning
    The specified configuration file does not have the right format.
'admin' login and 'enable' passwords reset
    Level: Warning
    This message appears when you reset Admin and Enable passwords.
Workgroup \default\ can not be deleted.
    Level: Warning
    You tried to delete the workgroup called “default.” Director is shipped with “default” as its default workgroup. You can modify the settings of the default workgroup but you cannot delete the default workgroup itself.
<value> is an invalid workgroup priority, the valid range is <0..4>
    Level: Warning
    Workgroup priorities are set between 0 and 4. The highest priority level is 0. The default priority level assigned to content is 4.
Profile
Profile execution backup step complete for device <device ID> <success | failure>
    Level: Notice_minor
    This message indicates if the backup during profile execution was a success. Backups for profiles are either created automatically prior to each profile application or explicitly by request. They are stored in Director.
Importing profile <profile ID> from <device ID>
    Level: Notice_minor
    This message notifies that Director is importing the profile with the given ID from the specified ProxySG appliance.
Profile execution restore-defaults complete for device <device ID>
    Level: Notice_minor
    This message is generated when Director executes the restore-defaults keep-console command, prior to applying the profile. This command resets the specified ProxySG appliance’s configuration, except IP connectivity.
Overlay
Applying overlay <overlay ID> to <keyword> <device spec>
    Level: Notice_minor
    This message is logged when you issue the remote-config overlay execute command. Director has sent the overlay with the given ID to the ProxySG appliances, specified by the device spec.
Overlay push complete for device <device ID>
    Level: Notice
    Director has sent the overlay to the specified ProxySG appliance.
Backup
Beginning restoration of backup <backup ID> to <device ID>
    Level: Notice_minor
    This message is generated when you enter the remote-config backup restore command to the specified ProxySG appliance. The backup restoration process has begun.
The username <username> is reserved for internal use.
    A few usernames are reserved for Blue Coat internal use. Each username on the system must be unique. Choose another username.
Wrong password.
    If you forget your admin or enable password, you can clear the old passwords by using the password reset script.
Your user account does not have the required privilege to enter <Standard | Enable | Configuration> mode.
    Standard privileges are level 1. Enable privileges are level 7. Configuration privileges are level 15. You are limited to the privilege level the administrator assigned you.
Your privilege level has been lowered to <privilege level>.
    You are limited to the privilege level the administrator assigned you.
User <username> does not exist.
    This message is displayed when you try to log on to a machine using a username that does not exist. Either you mistyped the username or the name has been deleted from the system.
Clock
Not a valid timezone: <timezone>
    The time zone is not a valid entry. Select another value. For more information on the format, refer to the Blue Coat Director Command Line Interface Reference.
Not a valid date string
    Enter the date in yyyy/mm/dd format.
Not a valid time string
    Enter the time in hh:mm[:ss] military format.
NTP
Extraneous parameter <parameters> would be ignored.
    The words that the command is rejecting are not recognized. Type the command to that point again and enter ?.
Operation timed out.
    When a network connection does not respond within a reasonable time frame, due to network problems, this message is displayed. It also happens when Director is waiting for response to a command and none is forthcoming.
Type ‘device?’ for help
Unrecognized command ‘abcdef’
Type ‘?’ for help
    This help message (or a variation) appears when you enter invalid commands.
Extraneous parameter <parameter> would be ignored.
    You have typed the command correctly, but you also entered an invalid command along with it. You can redo the command, correcting the extraneous parameters.
Ambiguous command 's'. Type 'show s?' for a list of possibilities.
    When you enter a valid command with invalid arguments, you are asked to type the ? after the valid part of it for a set of valid options.
CLI Modes
Invalid date <date>. Please enter it in yyyy/mm/dd format.
    Director only recognizes dates and times entered in the correct format. The valid format for date is shown in the message.
Lost contact with configuration subsystem, attempting reconnect...
    This message is displayed when Director is busy.
ARP
arp command failed to remove <IP address>
    The no arp IP_address command failed.
Host Names
No valid hostname supplied.
    The command you entered requires a hostname to execute.
Hostname: Could not set hostname to <hostname>
    The hostname is not valid. A possible reason is that the hostname had illegal characters in it. Alphanumeric characters, dash ('-') and dot ('.') are allowed in a hostname.
Group <group ID> does not exist.
    You entered an invalid group ID when attempting to do content management commands. You must create the group/record on Director before you can use it.
<group ID> has not been defined as a group.
    You are attempting to manage content on a group you have not defined as a group to Director.
There are no groups configured.
    Director cannot list any groups assigned to it because you have not created any.
Group IDs can only be 250 characters long.
    When creating a new group, the maximum length of any group ID is 250 characters.
Group <group name1> cannot be a parent of group <group name2> because <group name2> is already an ancestor of <group name1>.
    Groups cannot be parents of each other.
A group cannot be a parent of itself.
    You must add the child or nested group to the parent group. You cannot add a parent to a child.
Table 14–20 System Logging Error Messages
Invalid remote file spec: <remote spec> Must be http://server[port]/[dir/]file or ftp://user:password@server/[dir/]file
    The filename or the syntax is incorrect. The error message provides examples of correct usage.
Failed to download file <remote spec>
    The file was not downloaded. Possible reasons: the server was down, you mistyped the URL you wanted to download.
Failed to extract manifest from downloaded file <file spec>
    The image is corrupted or does not contain all the expected information.
Failed to move/delete file
    You can get this message for a variety of reasons: the disk is full, permissions are not correct, the file was attempting to overwrite a file that is read only.
Table 14–22 Job Management Error Messages
Usage Description
Invalid day “<day>”. Valid days are Sun, Mon, Tue, Wed, Thu, Fri, or Sat.
    You must enter the days of the week in a format Director understands: for example, mon, not Monday.
For the date and time, please enter a date in yyyy/mm/dd format between 1970/1/1 and 2038/1/18 followed by a time (hh:mm[:ss]).
    yyyy/mm/dd and hh:mm[:ss] are the valid formats for job types.
Schedule IDs can only be 250 characters long.
    The maximum length of any job ID is 250 characters.
Report generation was cancelled since the job was deleted
    You made a request for a job report and while the request was being processed, the job was deleted.
Usage Description
Minimum key size is 512
    You tried to generate an SSH host key with a key size less than 512, the minimum key size. The default is 1024.
Maximum key size is 32768
    You attempted to generate an SSH host key with key size greater than 2048, the maximum key size. The default is 1024.
The SSH server cannot be started until a host key is generated. Please use the 'ssh server hostkey rsakey generate' command.
    You have not set up SSH on your Director management node.
No RSA key found for device ID <device ID>
    You have not set up SSH-RSA for the ProxySG appliance. Generate an RSA key for the device before connecting through SSH-RSA.
Invalid public key
    Make sure that you copied the entire public key when you used the ssh client user username authorized-key rsakey command.
authtype values can only be (rsa, simple)
    When authenticating a password, you have two valid options: RSA, which includes a public and private key; and simple password authentication, which is less secure than RSA.
Table 14–24 RADIUS Server Error Messages
Usage Description
Not a valid hostname: <hostname>
    The hostname is not valid. The hostname should be one word with no illegal characters in it. Alphanumeric characters, dash ('-') and dot ('.') are allowed in a hostname.
Too many radius hosts. Have <number>, max is <number>
    There can be no more than 10 RADIUS hosts.
Usage Description
protocol values can only be (telnet, ssh)
    Connections from Director to any of the ProxySG appliances must be via the Telnet or SSH protocols. Other connection protocols are not supported.
For the Web configuration port, please enter an integer between 0 and 65535
    The default Web configuration port is 8082. This value normally does not have to be changed.
Usage Description
A name server (or default gateway) must be an IP address in dotted-quad format (e.g. 10.25.36.47)
    The only format that Director understands is the dotted-quad format. That is, all IP addresses should be of the format 10.25.36.47.
Job Logging
Jobs are logged with the following user names and IP addresses:
❐ If a job is executed immediately from the Director Management Console or
command line, Director logs the user name of the logged-in user and the IP
address of the computer from which the Director Management Console or
command line was started.
❐ Job executions (except for immediate executions) always log the user name
director and the IP address of the computer from which the Director
Management Console or command line was started.
❐ Job creation and edit commands are logged with the user name of the
logged-in user and the IP address of the computer from which the Director
Management Console or command line was started.
The event log messages for all job commands are printed as they are executed.
These event log messages include the following:
❐ Job ID
❐ Instance ID
The instance ID is used to distinguish one execution of a recurring job from
another.
❐ User name of the person executing the command
❐ The IP address of the user's computer
The following example shows the logged results of an immediate job execution:
Jun 23 22:35:00 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: job ab execute (Note: This message will only be there for an immediate Job)
Jun 23 22:35:00 <schedulerd.notice_minor> hostname schedulerd: sched@director Executing Job "ab" execution 1151102100
Jun 23 22:35:00 <runner.notice_minor> hostname runner[1288]: sched@director:ab-1151102100: Processing command: remote-config profile ab execute device 10.9.44.38
Jun 23 22:35:00 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying profile <pab> to cache 10.9.44.38
Jun 23 22:35:00 <runner.warn> hostname runner[1288]: sched@director: ab-1151102100: command 1: "remote-config profile ab execute device 10.9.44.38". Output 1/1:\#% No commands to execute.\# (Note: Only the error messages will be shown)
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying overlay <new_overlay> to group g
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.9.44.38"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.9.44.38"
Jun 23 23:15:07 <runner.notice> hostname runner[1517]: sched@director: ab-1151102100: Job "ab" execution 1151104506 finished running.
The job execution in the preceding example has the following properties:
Job ID ab
Username admin
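The attribution described in this section can be automated. The following parser is an added example, not part of the Director documentation: it reads event log lines in the format of the sample above, ties each job instance back to the user and IP address that started it, and collects the devices touched and any warn-level output. The function names and the warn-only level filter are assumptions; the sample lines are the page's own, with wrapped lines re-joined.

```python
import re

# The job log example from this page, with wrapped lines re-joined and the
# manual's parenthetical "(Note: ...)" annotations removed.
SAMPLE_LOG = r'''
Jun 23 22:35:00 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: job ab execute
Jun 23 22:35:00 <schedulerd.notice_minor> hostname schedulerd: sched@director Executing Job "ab" execution 1151102100
Jun 23 22:35:00 <runner.notice_minor> hostname runner[1288]: sched@director:ab-1151102100: Processing command: remote-config profile ab execute device 10.9.44.38
Jun 23 22:35:00 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying profile <pab> to cache 10.9.44.38
Jun 23 22:35:00 <runner.warn> hostname runner[1288]: sched@director: ab-1151102100: command 1: "remote-config profile ab execute device 10.9.44.38". Output 1/1:\#% No commands to execute.\#
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying overlay <new_overlay> to group g
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.9.44.38"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.9.44.38"
Jun 23 23:15:07 <runner.notice> hostname runner[1517]: sched@director: ab-1151102100: Job "ab" execution 1151104506 finished running.
'''

# timestamp <component.level> host process[pid]: user@origin[:] [job-instance: ]message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'<(?P<component>[\w-]+)\.(?P<level>\w+)> '
    r'(?P<host>\S+) (?P<proc>[\w-]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<user>[^@\s]+)@(?P<origin>[^:\s]+):? ?'
    r'(?:(?P<job>[^\s:]+)-(?P<instance>\d+): )?'
    r'(?P<msg>.*)$'
)
EXEC_RE = re.compile(r'^Processing command: job (\S+) execute$')
START_RE = re.compile(r'^Executing Job "([^"]+)" execution (\d+)$')
DEVICE_RE = re.compile(r'(?:device|cache) "?(\d{1,3}(?:\.\d{1,3}){3})')
WARN_LEVELS = {"warn"}  # assumption: the only problem level shown in the sample


def parse_line(line):
    """Split one event log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def new_record(initiator):
    return {"initiator": initiator, "devices": set(), "commands": [],
            "warnings": [], "finished": False}


def summarize_jobs(lines):
    """Return {(job ID, instance ID): record}, in order of first appearance."""
    pending = {}  # job ID -> "user@ip" of the CLI user who ran "job <id> execute"
    jobs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        who = f'{rec["user"]}@{rec["origin"]}'
        if rec["job"] is None:
            m = EXEC_RE.match(rec["msg"])
            if m:  # immediate execution: remember the human initiator
                pending[m.group(1)] = who
                continue
            m = START_RE.match(rec["msg"])
            if m:  # scheduler starts an instance; scheduled runs keep sched@director
                job, instance = m.groups()
                jobs[(job, instance)] = new_record(pending.pop(job, who))
            continue
        entry = jobs.setdefault((rec["job"], rec["instance"]), new_record(who))
        entry["devices"].update(DEVICE_RE.findall(rec["msg"]))
        if rec["msg"].startswith("Processing command: "):
            entry["commands"].append(rec["msg"][len("Processing command: "):])
        if rec["level"] in WARN_LEVELS:
            entry["warnings"].append(rec["msg"])
        if rec["msg"].endswith("finished running."):
            entry["finished"] = True
    for entry in jobs.values():
        entry["devices"] = sorted(entry["devices"])
    return jobs


if __name__ == "__main__":
    for (job, instance), entry in summarize_jobs(SAMPLE_LOG.splitlines()).items():
        print(job, instance, entry["initiator"], entry["devices"],
              len(entry["warnings"]), "warning(s)", "finished" if entry["finished"] else "running")
```

Records are keyed on the job-instance prefix of each line rather than on the number inside the final "finished running" message, because the two differ in the sample.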
Chapter 15: Backing Up Director and Devices
Note: You cannot set the maximum number of backups per ProxySG appliance to
a lower number than the number of backups that already exist on Director. To set
three backups as the default, for example, you must not have more than three
backups on Director. You can manually delete the extra backups. You set the
maximum number of backups using the Director command line.
The absolute maximum number of backups is 2000, but at that number Director
Management Console performance is significantly degraded and backup functions,
such as sorting, cannot be performed.
Creating a Backup
Backups are created in two ways: automatically, immediately before a profile is
executed, or manually, whenever you need a backup. The manual backup procedure is
discussed below. To schedule a backup job, see Section C: "Scheduling Jobs" on
page 274.
The Backup Manager dialog box contains a summary table and buttons to create,
view, edit, pin, unpin, delete, restore, and refresh the list of backups.
Director automatically creates a backup when you execute a profile on a specified
device. If you want to create a backup without sending a new configuration to a
ProxySG appliance, click Create below the summary table and follow the
procedure on the next page.
View Contents button Displays the backup contents in the right pane.
4. Click Close.
Restoring a Backup
If you encounter problems with the current configuration of a ProxySG appliance,
you can restore a known good configuration from a saved backup. There are
several ways to restore configurations to ProxySG appliances:
❐ With a manual, stored, time-specific backup
❐ Using a profile or an overlay
Note: You can also back up and restore the Director configuration, including
the ProxySG backups stored on Director. For more information on backing up
Director, see "Backing Up Director and Devices" on page 451.
To restore a backup:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Devices pane, click the name of the device to restore from backup.
4. In the Description section for the device, click Launch Backup Manager.
The Backup Manager dialog box displays.
5. Click the name of the backup to restore.
6. Click Restore.
7. At the confirmation dialog box, click Yes.
8. When the restore is complete, click Close.
Deleting a Backup
Director deletes backups automatically as the number of backups reaches the
maximum number you select. You can also manually delete backups.
Related Commands
First, start remote configuration backup submode by entering the following
command:
director (config) # remote-config backup
This command changes the prompt to:
director (config remote-config backup) #
Then enter the following commands:
(config remote-config backup) # no device device_id [backup_id {comment backup_comment | name backup_name | pin}]
(config remote-config backup) # no un-pinned
director (config remote-config backup) # restore device device_id backup_id
3. On the Configure tab page, in the Groups section, expand the group
containing the device whose backups you wish to compare.
4. In the Devices section, click the name of the device whose backups you wish
to compare.
5. Click Launch Backup Manager.
6. In the Backup Manager dialog box, in the Backups for Device section, hold
down the Control key and click two backups to compare.
A sample follows:
7. Click Diff.
8. Use the legend at the bottom of the dialog box to interpret the results.
9. Use the function buttons as follows:
Table 15–1 Diff backups dialog box function buttons
Button Meaning
Search Displays a search field so you can search for text. Diff
searching supports text searching only and not logic
like Boolean or regular expressions.
Find next Used in conjunction with the Search button to perform
the same search again.
Prev diff The cursor in the right pane moves to the previous
difference.
Next diff The cursor in the right pane moves to the next
difference.
Save as Saves the difference file in unified format, which uses
plus and minus signs to indicate differences: each line
that occurs only in the left file is preceded by a minus
sign, each line that occurs only in the right file is
preceded by a plus sign, and common lines are
preceded by a space
• context format uses an identification line for each file, containing the
filename and modification date.
• unified (default) uses plus and minus signs to indicate differences. Each
line that occurs only in the left file is preceded by a minus sign, each line
that occurs only in the right file is preceded by a plus sign, and common
lines are preceded by a space.
• first_device_id indicates the hostname or IP address of the device whose
backup you want to compare; first_backup_id is the backup on the device
you want to use; second_device_id indicates the hostname or IP of the
second device (it can be the same one) you want to compare; and
second_backup_id indicates the backup you want to compare to the first
backup.
Note: Director does not archive its IP addresses so an archive taken on one
Director appliance can be restored on another Director appliance without
changing the target Director’s IP addresses.
What is a Configuration?
A configuration includes the following:
❐ Director’s network configuration (IP address, DNS servers, and so on)
❐ Profiles, overlays, jobs, groups, and devices
❐ Objects associated with profiles, overlays, jobs, and groups (for example,
substitution variables, URL lists, regular expression lists, and so on)
The following are not included in a configuration:
❐ Alerts
❐ SNMP (after restoring the archive, SNMP will be disabled and SNMP
contact information reverts to its default values)
❐ NTP
Saving a Configuration
This section discusses how to save a configuration.
To save a configuration:
From the (config) prompt, enter either of the following commands:
director (config) # configuration write
Note: You can also save an empty configuration file that contains the shipping
defaults and, optionally, the IP addresses, using the configuration new filename
[keep-console] command. The optional keep-console parameter preserves
Director’s IP addresses.
Note: Changing configurations affects all users connected to Director using the
command line, the Management Console, and the serial console.
Note: If you do not know the name of the configuration filename to delete, enter
configuration delete ? to see the list of files that can be deleted.
About Archives
You can create the following archive types:
❐ archive all—Includes configuration, event log, device backup, and job report
backup data.
Note: The following configuration settings are not preserved when you create
an archive:
• Director’s IP addresses
• SNMP (after restoring the archive, SNMP will be disabled and SNMP
contact information reverts to its default values)
• NTP
❐ archive job-report—Includes job report data only. Job reports list the job
commands as well as errors that are encountered.
Generally, archive all is recommended because it is the most comprehensive.
However, you can archive individual components separately, for example, to save
space (if some components change more often than others).
Note: The configuration archive commands are memory and disk intensive. A
temporary copy of the configuration is created before archival. Blue Coat
recommends that you purge unwanted backup and configuration files from
Director before creating an archive.
The show subcommand creates the named key pair. For example,
Note: The following error indicates you do not have the appropriate privilege
to use this command:
% Error while generating key "mykey"
Only the Director admin user can enter this command.
When prompted, enter a passphrase. Write down the passphrase. If you lose
the passphrase, you will not be able to restore the archive. After entering the
passphrase, press Enter.
The key pair displays similarly to the following:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaf+Zezts/oj3eNAxGlXnHucvr
aOSIb2htVnZb36xLZd/YpPs65678Amt1gSSo7jDjwid9cMhDT5PX/Edm3mOMBNKF
3TLZTmn1dIQpP+H3az/rP4f/yr6LOBNFFWXRCM2j8xnfGirQ65FkKmL0Xzg1ySEJ
SblQ0sMoFPUmhgrXoQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2DEC3F8EEE386BC9
-----END RSA PRIVATE KEY-----
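A saved copy of a key pair like the one displayed above can be checked for completeness and for a passphrase-encrypted private half, which the Proc-Type and DEK-Info headers indicate. The following check is an added example, not part of the Director documentation; the function name is an assumption, and the sample bodies are constructed placeholders rather than real key material.

```python
import re

# A PEM block: BEGIN line, body, matching END line.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples: the header values are the ones shown on this page, the
# base64 bodies are placeholders, not real key material.
ENCRYPTED_PAIR = """-----BEGIN PUBLIC KEY-----
UExBQ0VIT0xERVItUFVCTElDLUtFWS1CT0RZ
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2DEC3F8EEE386BC9

UExBQ0VIT0xERVItUFJJVkFURS1LRVktQk9EWQ==
-----END RSA PRIVATE KEY-----
"""
PLAINTEXT_PAIR = ENCRYPTED_PAIR.replace(
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,2DEC3F8EEE386BC9\n\n", "")


def inspect_key_pair(text):
    """Report missing blocks and whether the private key is passphrase-encrypted."""
    blocks = {label: body for label, body in BLOCK_RE.findall(text)}
    result = {"cipher": None, "iv": None, "problems": []}

    # Both halves must be present with their BEGIN and END lines intact.
    for label in ("PUBLIC KEY", "RSA PRIVATE KEY"):
        if label not in blocks:
            result["problems"].append(f"missing {label} block")

    private = blocks.get("RSA PRIVATE KEY")
    if private is None:
        return result

    # Encapsulated headers ("Name: value") precede the base64 body; the first
    # line without a colon (the blank separator or base64 data) ends them.
    headers = {}
    for line in private.splitlines():
        if ":" not in line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()

    if headers.get("Proc-Type") != "4,ENCRYPTED":
        result["problems"].append("private key is not passphrase-encrypted")
        return result

    cipher, _, iv = headers.get("DEK-Info", "").partition(",")
    if not cipher or not re.fullmatch(r"[0-9A-Fa-f]+", iv):
        result["problems"].append("encrypted key has no usable DEK-Info header")
    else:
        result["cipher"], result["iv"] = cipher, iv
    return result


if __name__ == "__main__":
    for name, sample in (("encrypted", ENCRYPTED_PAIR), ("plaintext", PLAINTEXT_PAIR)):
        print(name, inspect_key_pair(sample))
```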
6. Copy the entire key pair (including all beginning and ending tags like
-----BEGIN PUBLIC KEY----- and -----END RSA PRIVATE KEY-----) and paste it into
a text editor as shown in the following example:
Archive Type list
    From the list, click the type of archive to create. For an explanation of the options, see "About Archives" on page 466.
With Key list
    Select the key to use to encrypt the archive.
Upload URL field
    Enter the URL of the external server to which to upload the archive. The URL can optionally include the file name. If you omit the file name, the archive is uploaded to the external server with a name like the following:
    sgmearchive-director-all-2008.12.03-004256.tgz
    Valid URL formats follow:
    scp://host//path
    ftp://host/path
    http://host/path
    For example, to upload the archive to a directory using the SCP protocol, enter
    scp://192.168.0.50//director
    For example, to upload the archive using a different name using the FTP protocol, enter
    ftp://192.168.0.50//director/director_5.4.1.1_04-01-09.tgz
Directory and File options
    Select the option corresponding to the URL you entered in the Upload URL field.
    • To upload the archive to the external server using the default name, enter a URL without a file name and click Directory.
    • To upload the archive to the external server using a name other than the default name, enter a URL that includes a file name and click File.
    Note: Archive file names cannot contain spaces.
12. Examine the options you entered and the field in the Actions tab page to make
sure everything is correct.
An example follows.
13. When the options are set the way you want, click Apply.
14. Optionally set up a schedule for the job: Click the Schedule tab and see Section
C: "Scheduling Jobs" on page 274.
15. In the Create a new Job dialog box, click OK.
Note: To avoid problems, do not put consecutive archive actions in the same
job. Doing so might cause some actions to fail because the first archive might
not finish uploading before subsequent archive commands complete.
Workarounds include putting archive actions in different jobs and separating
archive actions in the same job with other actions.
16. To execute the job immediately, select the name of the job in the Job Library
section of the Jobs tab page and click Execute.
17. To verify the job succeeded, either check the external server to make sure the
archive was created or click the name of the job and view its status in the
Description pane.
For detailed information, view the Job Report as discussed in Section D:
"Verifying Jobs" on page 280.
To create an archive, encrypt it with an archive key, and upload the archive to
an external server:
1. Use a Secure Shell (SSH) application to connect to Director as discussed in
"Using the Director Command Line" on page 38.
2. Enter enable mode.
director > enable
For the meaning of the all, config, device-backup, event-log, and job-report
parameters, see "About Archives" on page 466.
The upload current parameters are required to upload the archive file to an
external server after creating the archive. current is a reserved archive name
that can be used only for this purpose. The current archive is temporary; after
the archive is uploaded, it is deleted from Director.
path can be the name of a directory or it can include the name of the archive
file as you want it to be stored on the external server. If path is the name of a
directory, it must end with a / character.
If you omit the file name from path, the archive is uploaded to the external
server with a name like the following:
sgmearchive-director-all-2008.12.03-004256.tgz
An example follows:
director (config)# archive all upload current scp://192.168.0.50//director/ username director password bluecoat
The command creates an archive file and uploads it to an external server using the
SCP protocol, storing the archive in a directory named director.
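The upload rules above (archive type, reserved name current, URL formats, trailing / for a directory, no spaces in file names) can be checked before a command goes into a job or runbook. The following is an added example, not code from the guide or from Blue Coat; the function name review_archive_upload and its finding strings are hypothetical, and the sample commands are built from the guide's own examples.

```python
from urllib.parse import urlsplit

# Archive types and URL schemes as listed in the guide.
ARCHIVE_TYPES = {"all", "config", "device-backup", "event-log", "job-report"}
URL_SCHEMES = {"scp", "ftp", "http"}
CLEARTEXT_SCHEMES = {"ftp", "http"}  # neither encrypts traffic in transit


def review_archive_upload(command):
    """Review 'archive <type> upload <name> <url> [username U password P]'.

    Hypothetical helper for reviewing job actions and runbooks; it is not a
    Director API. Returns (details, findings); each finding is a string that
    starts with 'error:', 'warning:' or 'note:'.
    """
    tokens = command.split()
    if "archive" not in tokens:
        return {}, ["error: not an archive command"]
    tokens = tokens[tokens.index("archive"):]  # drop a pasted CLI prompt
    if len(tokens) < 5 or tokens[2] != "upload":
        return {}, ["error: expected 'archive <type> upload <name> <url>'"]

    archive_type, name, url = tokens[1], tokens[3], tokens[4]
    extra = tokens[5:]
    findings = []

    if archive_type not in ARCHIVE_TYPES:
        findings.append(f"error: unknown archive type {archive_type!r}")

    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return {}, [f"error: cannot parse URL {url!r}"]
    if parts.scheme not in URL_SCHEMES:
        findings.append("error: URL scheme must be scp, ftp or http")
    if not host:
        findings.append("error: URL has no host")

    # A path ending in '/' names a directory, so Director chooses the file
    # name (like sgmearchive-director-all-2008.12.03-004256.tgz). Otherwise
    # the last path segment is the file name on the external server.
    if parts.path.endswith("/"):
        stored_as = "default name"
    else:
        stored_as = parts.path.rsplit("/", 1)[-1]
        if not stored_as:
            findings.append("error: URL has no path")

    # Credentials are optional, but nothing else may follow the URL. A file
    # name that contains a space shows up here as stray tokens.
    username = None
    if len(extra) == 4 and extra[0] == "username" and extra[2] == "password":
        username = extra[1]
        findings.append("note: password is typed inline in cleartext")
    elif extra:
        findings.append("error: unexpected text after the URL "
                        "(archive file names cannot contain spaces)")

    if parts.scheme in CLEARTEXT_SCHEMES:
        findings.append(f"warning: {parts.scheme} has no transport encryption")

    details = {
        "type": archive_type,
        # 'current' is the reserved temporary archive, deleted after upload.
        "temporary": name == "current",
        "scheme": parts.scheme,
        "host": host,
        "stored_as": stored_as,
        "username": username,
    }
    return details, findings


if __name__ == "__main__":
    # Commands built from the guide's own examples.
    for line in (
        "director (config)# archive all upload current "
        "scp://192.168.0.50//director/ username director password bluecoat",
        "archive all upload current ftp://192.168.0.50//director/"
        "director_5.4.1.1_04-01-09.tgz username director password bluecoat",
    ):
        print(review_archive_upload(line))
```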
For the meaning of the all, config, device-backup, event-log, and job-report
parameters, see "About Archives" on page 466.
The archive_name parameter is required and it specifies the name of the archive
file to store on this Director appliance. url must also contain the archive file
name if there is more than one archive in the directory specified by url. If
archive_name and the file name in url are different, archive_name specifies the
name of the archive that is stored on this Director.
Note: archive_name cannot contain space characters.
The username and password parameters must be used only if the external
server requires authentication.
For example,
director # archive all fetch sgme_5.4.1.1_510.tgz ftp://192.168.0.50//director-5.4.1.1-36821-3192.tgz username director password bluecoat
2. If the archive was encrypted using a key that is not stored on this Director
appliance, import the archive key using the following command:
director # archive input key keyname show
Copy the archive key from the text file and enter it at the prompt. Press
Control+D when you have entered the key. You will then be prompted for the
pass phrase you created earlier.
3. Restore the configuration.
director # archive {all | config | device-backup | event-log | job-report} restore archive_name key keyname
Related Commands
# archive {all | config | device-backup | event-log | job-report} delete archive_name
# archive {all | config | device-backup | event-log | job-report} fetch archive_name url
# archive {all | config | device-backup | event-log | job-report} move archive_name_old archive_name_new
# archive {all | config | device-backup | event-log | job-report} upload archive_name url
# archive generate key keyname
Chapter 16: Upgrading Director
This chapter discusses how to upgrade or roll back (that is, downgrade) the
software on your Director 510.
Upgrading the image is a three-step process: creating an archive of the current
configuration, downloading the image file to Director, and installing the image
on Director.
This chapter discusses the following topics:
❐ Section A: "Before You Begin Your Upgrade" on page 480
❐ Section B: "Getting the SGME Software and Documentation" on page 483
❐ Section C: "Upgrading the SGME Software" on page 485
❐ Section D: "Working with Configuration Files after an Upgrade" on page
489
❐ Section E: "Rolling Back the SGME Software" on page 490
Note: The upgrade procedure must be performed using the command line.
You cannot use the Management Console to upgrade Director.
SGME 5.4.1.x SGOS 5.4.x and all SGOS versions supported by SGME
5.3.x
Note:
• The Direct Download Link displayed on this page cannot be used to
upgrade Director. You must download the .tgz file to your computer.
• Depending on the Web browser you used to download the software, the
file you downloaded might have square brackets in the name; for
example, Director_5[1].4.2.4_56789_510.tgz.
The presence of square brackets in the file name does not affect your
ability to upgrade the SGME software.
6. Copy the SGME image (the .tgz file) to a Web server that Director can access.
7. Copy the .tgz file to a Web server that Director can access.
8. Copy install.exe to the computer on which you will run the Director
Management Console.
When you have finished upgrading Director, start the Management Console
as discussed in "Connecting to Director with the Management Console" on
page 52.
Important: SGME 5.4.2.x supports upgrades from SGME 5.4.1.1 or later only;
in other words, before upgrading to SGME 5.4.2.x, make sure your Director
appliance runs SGME 5.4.1.1 or later.
For example,
director # archive config upload ftp://192.168.0.2//uploads/sgme/sgme_5.4.2.1_09-15-09.tgz username director password bluecoat
For additional information, see the Blue Coat Director Command Line Interface
Reference Guide.
4. Continue with the next section.
If you placed the upgrade image on an external server, enter the upgrade
package URL in one of the following formats:
http://host_or_ip/path_to_tgz
ftp://host_or_ip//path_to_tgz
scp://host_or_ip//path_to_tgz
For example,
http://wwww.example.com/SGME/Director_6.1.1.1_345678_510.tgz
Message: Image verifies OK.
Meaning: The upgrade image verified successfully so it is safe to proceed.
Message: Image verification failed for image-name
Meaning: There are errors in the upgrade image. Download the upgrade image
again before continuing with your upgrade. Make sure the image verifies
successfully before proceeding.
Note: The name of the configuration file for your system will be different. The
preceding sample name is for your information only.
9. Write down the name of this configuration file. In the event of issues after you
upgrade, you can restore this configuration to return Director to its
pre-upgrade state. This includes restoring devices, alerts, jobs, and so on that
would otherwise be deleted.
10. Verify Director booted from the correct image file by re-connecting to Director
and using the show version command as follows.
director > show version
System version: 5.4.2.4
Build date: 2009/08/31 04:28:34
Build number: 345678
Platform type: 510
Build version: #35927 2009.09.15-042834
Serial number: 0000000000
Verifies the validity of the specified upgrade package. Because the
upgrade-package fetch command verifies the upgrade package, this command is
useful only if you did not use the upgrade-package fetch command to
download the upgrade package.
Important: This command should only be used if you do not plan to ever
downgrade your system.
Note: This is a global command that deletes all files in /sys/config/,
sys/encrypted-config, /local/backups/, and /local/encrypted-backups for SGME 3.x
and 4.x. SGME 5.x files are not affected.
2. Do not save these changes. That is, do not use the write memory command.
3. Reboot Director.
Director (config) # reload
Note:
• Devices and jobs are lost during rollback.
• Alerts are deleted during the rollback process so rolling back a Director
that manages a large number of devices can take a long time. It can take
several hours for a rollback to finish if there are 40,000 or more alerts.
Appendix A: Administering Director
❐ Implicit Lock Mode — Users do not have to acquire the lock because the
system automatically acquires the lock, when the user commits a
configuration change, and releases the lock as soon as the configuration is
saved. If more than one user makes changes to the configuration settings for
the same object/domain/policy, the last person submitting changes overrides
all previous modifications. The implicit lock mode is the default configuration
lock mode in SGME 5.x.
Note: Whether you are using implicit or explicit lock mode, you also acquire
the configuration lock by entering configure mode in the CLI.
To make new changes, expand Director Status to acquire the lock again.
❐ If the serial console holds the lock and a hostname was defined for the
Director at boot up, the following message displays:
The configuration lock is currently held by username from
Corporate.
If the hostname is changed after the Director is booted, you must reboot the
Director to display the new hostname.
❐ If an SSH client holds the lock, the hostname of the client displays if one is
specified, for example:
The configuration lock is currently held by username from
abc.sv.bluecoat.com
What is a Configuration?
Configuration files are saved on Director and include the following:
❐ Director’s network configuration (IP address, DNS servers, and so on)
❐ Profiles, overlays, jobs, groups, and device records
❐ Objects associated with profiles, overlays, jobs, and groups (for example,
substitution variables, URL lists, regular expression lists, and so on)
❐ SNMP server settings
❐ NTP settings
Alerts are not included in a configuration.
Unlike archives, configurations cannot be uploaded to an external server; they are
stored on Director.
Creating a Configuration
This section discusses how to create a configuration using a previously saved
configuration. You can do this, for example, to test changes you might want to
make to devices, jobs, profiles, overlays, and so on before implementing them.
Other examples follow:
❐ Test new access lists. (Access lists are discussed in "Managing Security Using
Access Lists" on page 514.)
❐ If you have more than one privilege 15 user account, you can change another
user’s password if that password was lost.
Use caution when creating a configuration because your syntax is not validated.
To create a configuration:
1. If necessary, switch to the configuration on which you want to base the new
configuration.
For more information, see "Switching To a Saved Configuration" on page 499.
2. Enter the following command to display the configuration:
director (config)# show configuration [running]
WARNING! Use caution when editing commands that control your ability to
connect to Director (for example, Director’s IP address and default gateway).
Your values and syntax are not validated; improper network settings can
disable Director and permanently prevent you from accessing it.
Following is a partial list of these commands:
interface ether-0 ip address address / mask
ip default-gateway address
7. Enter each command from step 4 at the command line, one at a time.
Setting Up Users
The username commands allow you to create local Director user accounts. After
the usernames are created, you can change the workgroup to further control the
users on the system.
Note: If you create a password on Director for local user accounts, that password
is kept in a local password file. However, if you have users logging in remotely or
through unsecured terminals, you can require an additional level of
authentication. For more information, see "Authenticating Users" on page 508.
For more information on creating usernames, refer to the Blue Coat Director
Command Line Interface Reference.
where 1 means that the user cannot enter the Enable mode, 7 indicates that the
user cannot enter Configuration mode, and 15 indicates that the user has full
administrative privileges.
3. View the users on the system.
director (config) # show usernames
Username admin
maximum permitted privilege level 15
in Workgroup "default"
Username monitor
maximum permitted privilege level 7
in Workgroup "default"
Username test1
maximum permitted privilege level 15
in Workgroup "default"
Note:
❐ You can move users from the default workgroup to other workgroups. You
cannot add new user accounts to Director using the workgroup commands.
❐ Workgroups are authenticated locally. You cannot authenticate users in
workgroups using RADIUS or TACACS+, nor can you add users
authenticated by these methods to workgroups.
For more information about RADIUS and TACACS+, see "Authenticating
Users" on page 508.
Follow these steps to create a workgroup and add rules and users:
1. At the (config) command prompt, create a workgroup and give it a
meaningful name.
director (config) # workgroup workgroup_id create
4. Set a minimum priority level for content managed by the users in the
workgroup.
Users are unable to make content more important (have a higher priority)
than the minimum level you have set. The range is between 0 and 4, with 0
meaning that users have no restrictions on setting the importance of content in
the ProxySG appliances. Negating this command returns priorities to the
default, 0, which is the highest priority.
director (config workgroup "sales") # min-priority priority integer
5. Set up time limit rules for the workgroup to enable or disable the time-limits
range.
a. Time-limits type: The default is disallow, meaning that if no time
limits are set, all users can manage content at any time. Before you set
a time range, change the time limit type to allow to restrict users to
predefined times.
director (config workgroup "sales") # time-limits type allow | disallow
b. Time limits. The default is that no time limits are set, allowing all users
to manage content at any time. If the time-limits type is allow, setting a
time limit prevents users from sending content management
commands outside of the time limits established. If time limits are
established and the time-limits type is disallow, users cannot manage
content during the specified time, but can manage content at other
times.
director (config workgroup "sales") # time-limits range hh:mm:ss-hh:mm:ss
b. Limit ProxySG appliances that workgroup users can access. If the list
exists, only ProxySG appliances and groups on the list can be accessed
by members of the workgroup.
If the group ID or device ID record does not exist, it is not created. An
error message is generated instead.
director (config workgroup "sales") # device-limits keyword device spec
10. Use the write memory command to permanently save your changes.
director (config) # write mem
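The allow and disallow semantics of the workgroup time limits in step 5 are easy to invert by mistake, so the following added example (not code from the guide) evaluates them for a given time of day. The function names are hypothetical; inclusive range endpoints, a range whose start is later than its end wrapping past midnight, and support for several ranges are assumptions the guide does not state.

```python
from datetime import time


def parse_range(text):
    """Parse 'hh:mm:ss-hh:mm:ss' into (start, end) datetime.time values."""
    start_text, end_text = text.split("-")
    return time.fromisoformat(start_text), time.fromisoformat(end_text)


def in_range(now, start, end):
    """True when 'now' falls inside the range (endpoints inclusive: assumption)."""
    if start <= end:
        return start <= now <= end
    # Assumption: a start later than the end means the range wraps midnight.
    return now >= start or now <= end


def may_manage_content(now, limit_type, ranges):
    """Decide whether a workgroup user may send content management commands.

    limit_type is 'allow' or 'disallow' (the guide's time-limits type);
    ranges is a list of 'hh:mm:ss-hh:mm:ss' strings (the time-limits range).
    """
    if limit_type not in ("allow", "disallow"):
        raise ValueError("time-limits type must be 'allow' or 'disallow'")
    if not ranges:
        # No time limits set: users can manage content at any time.
        return True
    inside = any(in_range(now, *parse_range(r)) for r in ranges)
    # allow:    permitted only inside the configured range
    # disallow: permitted only outside the configured range
    return inside if limit_type == "allow" else not inside


def permitted_hours(limit_type, ranges):
    """Hours of the day (checked at hh:00:00) when management is permitted."""
    return [h for h in range(24)
            if may_manage_content(time(h), limit_type, ranges)]


if __name__ == "__main__":
    office = ["08:00:00-18:00:00"]  # constructed sample range
    print("allow   :", permitted_hours("allow", office))
    print("disallow:", permitted_hours("disallow", office))
```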
Authenticating Users
Possible authentication methods are local, Remote Authentication Dial-In User
Service (RADIUS), and Terminal Access Controller Access Control System Plus
(TACACS+). Local authentication is required. RADIUS and TACACS+ are
optional.
To configure RADIUS authentication, continue with the next section; to configure
TACACS+ servers, skip to "Configuring TACACS+" on page 511.
Configuring RADIUS
If the authentication request consists of the service-type as framed, RADIUS sends
back the attributes for the user in the authentication response. These attributes
can be used for authorization.
Director assigns a privilege level to match the service-type value on RADIUS.
Only the service types that are configured here are supported; access to Director is
denied if the service types do not match the mapped service types in the
configuration.
Director has the following privilege levels:
❐ Login (level 1)
❐ Enable (level 7)
❐ Configuration (level 15)
Each service type you want supported must be mapped to one of the above
privilege levels. Only three service types can be supported, one for each Director
privilege level. All other service types are ignored. If the service type found in the
mapping does not match one of the configured service types, the privilege of the
user cannot be decided and the login is rejected.
By default or on a new system, the following service types are mapped:
RADIUS Service Type    Director Mapping
Login                  Login
NAS-Prompt             Enable
Administrative         Configuration
You do not need to configure service types on Director unless you want to change
the default mappings.
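The mapping rules above (one service type per Director privilege level, login rejected when the returned service type is not mapped) can be modelled to review who would receive Configuration privilege before a mapping is changed. This is an added example, not code from the guide; the function names and the account list are constructed, and the service-type numbers are the ones the guide lists for request-stype.

```python
# RADIUS Service-Type values, numbered as in the guide's request-stype list.
SERVICE_TYPES = {
    1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
    8: "Authenticate Only", 9: "Callback NAS Prompt", 10: "Call Check",
    11: "Callback Administrative",
}
# Director privilege levels.
PRIVILEGE_LEVELS = {1: "Login", 7: "Enable", 15: "Configuration"}
# Default mapping from the guide (service-type number -> privilege level):
# Login -> Login, NAS-Prompt -> Enable, Administrative -> Configuration.
DEFAULT_MAPPING = {1: 1, 7: 7, 6: 15}


def validate_mapping(mapping):
    """Return a list of problems with a service-type -> level mapping."""
    problems = []
    level_owner = {}
    for stype, level in sorted(mapping.items()):
        if stype not in SERVICE_TYPES:
            problems.append(f"service type {stype} is not in the range 1-11")
        if level not in PRIVILEGE_LEVELS:
            problems.append(f"level {level} is not a Director privilege level")
        elif level in level_owner:
            # Only one service type can be mapped to each privilege level.
            problems.append(
                f"level {level} is already mapped to service type "
                f"{level_owner[level]}, cannot also map {stype}")
        else:
            level_owner[level] = stype
    return problems


def privilege_for(service_type, mapping=DEFAULT_MAPPING):
    """Privilege level for a response service type, or None to reject."""
    return mapping.get(service_type)


def review_accounts(accounts, mapping=DEFAULT_MAPPING):
    """Map {username: service_type} to the outcome each login would get."""
    outcome = {}
    for user, stype in accounts.items():
        level = privilege_for(stype, mapping)
        if level is None:
            outcome[user] = "rejected"  # unmapped service type fails closed
        else:
            outcome[user] = f"level {level} ({PRIVILEGE_LEVELS.get(level)})"
    return outcome


if __name__ == "__main__":
    # Constructed accounts with the Service-Type their RADIUS profile returns.
    sample = {"alice": 6, "bob": 7, "carol": 1, "dave": 2}
    for user, result in review_accounts(sample).items():
        print(user, "->", result)
```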
While local must be specified, you can specify one, neither, or both of the
other two authentication methods. The search is done in the order specified in
the aaa authentication command. Note that if you are using RADIUS only,
you do not need to configure TACACS+.
To use RADIUS authentication, enter the following command:
director (config)# aaa authentication login default local radius
where
key password
    Sets the authentication and encryption key for RADIUS servers. Note
    that this is not a key, such as an SSHv2 key, but a password.
    The key cannot have a question mark in it (such as xyz?) unless you
    first disable Director CLI help.
request-stype 1 - 11
    Sets the RADIUS request service type. The integer stands for the
    service type, which can be one of the following:
    1. Login
    2. Framed
    3. Callback Login
    4. Callback Framed
    5. Outbound
    6. Administrative
    7. NAS Prompt
    8. Authenticate Only
    9. Callback NAS Prompt
    10. Call Check
    11. Callback Administrative
response-stype 1 - 11
    Links the RADIUS response service type and privilege level. Director
    privilege levels are 1 (Standard mode), 7 (Enable mode), and 15
    (Configuration mode). The service types must be linked to one of the
    Director levels.
retransmit integer
    Sets the number of retries allowed for connection to the RADIUS
    servers.
timeout integer
    Sets the timeout value. It should be of the format nnh nnm nns, where
    nn is the number, h is the hour, m is the minute, and s is second,
    such as radius-server timeout 05h 30m 10s.
Configuring TACACS+
This section discusses how to configure TACACS.
While local must be specified, you can specify one, neither, or both of the
other two authentication methods. The search is done in the order specified in
the aaa authentication command. Note that if you are using TACACS+ only,
you do not need to configure RADIUS.
To use TACACS+ authentication, enter the following command:
director (config)# aaa authentication login default local tacacs
where
• password sets the authentication and encryption key for TACACS+ servers. Note that this
is not a key, such as an SSHv2 key, but a password.
• timeout integer sets the timeout value. It should be of the format nnh nnm nns,
where nn is the number, h is the hour, m is the minute, and s is second, such as
radius-tacacs timeout 05h 30m 10s.
where
timeout integer
    Sets the timeout value. It should be of the format nnh nnm nns, where
    nn is the number, h is the hour, m is the minute, and s is second,
    such as radius-server timeout 05h 30m 10s.
Note: If you use SSH Simple to connect to the ProxySG appliance or to the
Director Management Console, no additional configuration is needed because
both Director and the ProxySG appliance use SSH Simple as the default
connection protocol.
access-list Actions
Possible actions are as follows:
❐ deny—The specified packets are dropped.
❐ permit—The specified packets are allowed.
❐ reject—The specified packets are dropped and Director returns an error code
to the sender of the packet, or responds with an ICMP unreachable message,
depending on whether matching is done on outbound or inbound traffic,
respectively.
Protocol
Enables you to selectively permit, deny, or reject traffic from the following IP
protocols (transport layer and below only):
❐ All protocols (use the ip subcommand to specify all protocols)
❐ tcp
❐ udp
Note: This also puts you into the access-list submode, which allows you
to use access-list commands without having to type access-list
access-list_id before each command. To edit a different access-list, just
enter the new access-list name.
For details about these options, see "About access-list Syntax" on page 515.
For example, to deny incoming TCP traffic from IP address 192.168.0.2:
director (config) # access-list deny_rule
director (config acl deny_rule) # deny tcp any host 192.168.0.2
For more information on setting up access lists, refer to the Blue Coat Director
Command Line Interface Reference.
7. Save the changes.
director (config acl access_list_name)# exit
director (config)# write memory
8. View the access list to make sure the rules you defined are correct.
Each rule is numbered.
director (config) # show access-list deny_rule
Access-list deny_rule, type "filter"
0: deny 0.0.0.0 255.255.255.255 192.168.0.2 0.0.0.0 tcp
For example,
director (config) # interface ether-0
5. View information about the interface to make sure the access group is
associated (emphasis added):
director (config) # show interfaces ether-0
Interface ether-0:
Enabled: yes
IP address: 172.16.35.16/16
Speed: auto <100>
Duplex: auto <full>
Type: Ethernet
Ethernet address: 00:e0:81:76:2f:18
Inbound access-list: deny_rule
MTU size: 1500 bytes
Statistics:
Packets received: 611731
Bytes received: 45823512
Multicast packets received: 0
Input errors: 0
Packets received with bad protocol: 0
Packets received not matching filters: 0
Packets received with short frames: 0
Packets sent: 236746
Bytes sent: 25085176
Output errors: 0
Packets dropped on output: 0
Collisions: 0
Underruns: 0
The optional traps parameter enables SNMP traps to be sent. SNMP traps are
limited to Director startup and shutdown.
2. Specify the SNMP management station to which SNMP notifications will be
sent:
director (config)# snmp-server host hostname_or_ip traps version 2c public
Note: If you do not save the configuration by entering the write memory
command, the changes you made are not permanent and are lost at the next
reboot.
For more information on Director CLI commands to manage the SNMP server
connections, refer to the Blue Coat Director Command Line Interface Reference.
Managing Sessions
To avoid overlapping or contradictory configuration changes, you can log off
other administrators who are using the Director Management Console. Each
Management Console instance starts as a session and sessions can be terminated
whether or not you are using explicit configuration mode.
Terminating a session affects administrators logged in to the Management
Console or in configuration mode on the command line. Terminating a session
does not affect a user directly connected to Director using the serial console.
Director shows a user directly connected to the Director appliance’s serial port as
user name console.
To manage sessions:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click File > Manage Sessions.
The Manage Sessions dialog box displays similarly to the following:
The following table shows the meanings of the columns in the Manage
Sessions dialog box:
Column Description
Lock State
(locked) means the user has acquired the
configuration lock in any of the following ways:
• By starting configuration mode in the CLI.
• By acquiring the lock in explicit lock mode.
For more information, see "About the
Configuration Lock" on page 494.
Rebooting Director
Enter the following command to reboot Director:
director (config) # reload [force]
The optional force subcommand reboots this machine even if there are
outstanding configuration changes. These changes will then be lost.
A message similar to the following displays when Director is rebooting:
Connection closed by foreign host.
Note: You can also use an SSH application to connect to Director but you will
not get a system message indicating that it is safe to power down.
Use the reload halt force command if you do not want to save any
configuration changes.
4. Unplug Director when the LCD panel goes blank and powers down. The
serial console displays Power down.
Appendix B: Replacing Director 800 With Director 510
SGME version 5.4 and later do not support the Director 800. This appendix
discusses how to replace a Director 800 with a Director 510. See the following
topics:
❐ "Procedure to Replace a Director 800"
❐ "Access List Differences" on page 525
Note: To avoid the possibility of IP address conflicts, make sure only one
Director is connected to the network at a time.
8. Fetch the archive from the external server and restore it on the Director 510.
For more information, see "Retrieving and Restoring the Archive" on page
475.
Important: SGME 5.3 and later do not archive Director’s network settings;
however, SGME versions earlier than 5.3 do archive Director’s network settings.
If you are restoring an archive with SGME 5.3 or later, reconfigure Director’s
network settings using its front panel or serial console using the interface
interface_number and ip default gateway commands as discussed in the Blue
Coat Director Command Line Interface Reference Guide.
Appendix C: Management Console Browser Details
Note: Because the Blue Coat certificate is not recognized by client browsers,
during the process of connecting to the Management Console, certificate errors
display. These errors are normal and do not indicate a problem with Director.
• Windows Vista:
8. If you are accessing the Management Console for the first time, a message
displays as the application is downloaded to your computer:
10. You can now close the original Web browser window.
3. If the preceding dialog box displays, you must click Yes to continue.
4. When prompted, log in to Director.
5. The following message displays as the JNLP application starts to download:
6. If you are accessing the Management Console for the first time, a message
displays as the application is downloaded to your computer:
If a dialog box displays with the following text, see "Director RSA Fingerprint
Warning" on page 549:
WARNING - POTENTIAL SECURITY BREACH!
The Director's host key does not match the one on your local
machine.This means that either the Director's admin has changed the
host key, or you have actually connected to another computer pretending
to be the Director.
10. You can now close the original Web browser window.
3. If you clicked I Understand the Risks, the dialog box displays similar to the
following.
• If Director’s certificate does not display and if the other options on the
dialog box are unavailable, click Get Certificate.
• If the button is available, click Confirm Security Exception.
7. If the following dialog box displays, click Resend.
10. Click Open with, choose the default selection Java(TM) Web Start Launcher (default),
and click OK.
A certificate error displays.
• Windows Vista:
14. You can now close the original Web browser window.
The next page enables you to add an exception for Director’s certificate.
Option Description
Confirm Security Exception Click to continue connecting to Director.
• Windows Vista:
9. You are then prompted to download and run the Director Management
Console application.
10. Click Open with, choose the default selection Java(TM) Web Start Launcher (default),
and click OK.
If a dialog box displays with the following text, see "Director RSA Fingerprint
Warning" on page 549:
WARNING - POTENTIAL SECURITY BREACH!
The Director's host key does not match the one on your local
machine.This means that either the Director's admin has changed the
host key, or you have actually connected to another computer pretending
to be the Director.
13. You can now close the original Web browser window.
Safari 3
This section discusses how to set up Safari 3 to work with the Director
Management Console and discusses in detail the prompts you receive while
connecting to the Management Console.
For more information, see:
❐ "Setting Up Safari 3"
❐ "Safari 3 Connection Details" on page 546
Setting Up Safari 3
This section discusses how to set up Safari 3 for use with the Director
Management Console. These settings work on Windows XP and Windows Vista
computers.
You are prompted to download and run the Director Management Console
application.
4. Click Open.
The File Download dialog box displays.
5. Click Open.
A certificate warning displays.
• Windows Vista:
For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
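The three choices above amount to a trust-on-first-use check against a locally cached fingerprint. The following sketch is an added example, not Blue Coat's code: the function names, the SHA-256 fingerprint format, the sample key blobs and the out-of-band trusted_fp argument are all assumptions made for illustration. It shows the first-use, match and mismatch cases, and honours Yes only when the presented fingerprint equals one obtained out of band.

```python
import base64
import hashlib
import hmac

# Constructed sample data: placeholder blobs, not real RSA host keys.
HOST = "director.example.test"
KEY_A = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-host-key-A"
KEY_B = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-host-key-B"


def fingerprint(key_blob: bytes) -> str:
    """SHA-256 fingerprint of a public host key blob (OpenSSH-style text)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_host_key(cache: dict, host: str, key_blob: bytes) -> str:
    """Compare the presented key with the fingerprint cached for this host."""
    cached = cache.get(host)
    if cached is None:
        return "first_use"  # nothing cached yet, e.g. first login
    if hmac.compare_digest(cached, fingerprint(key_blob)):
        return "match"
    return "mismatch"  # key changed, or another device is answering


def resolve(cache, host, key_blob, choice, trusted_fp=None):
    """Apply the Yes / No / Cancel choice from the warning dialog.

    trusted_fp is a fingerprint obtained out of band; requiring it before
    Yes is honoured is an added safeguard assumed for this example.
    """
    if check_host_key(cache, host, key_blob) == "match":
        return "connect"
    if choice == "cancel":
        return "abort"
    if choice == "no":
        # Keep whatever is cached; the presented key does not match it.
        return "connection_failed"
    if choice == "yes" and trusted_fp is not None and hmac.compare_digest(
            trusted_fp, fingerprint(key_blob)):
        cache[host] = fingerprint(key_blob)  # pin the verified key
        return "connect"
    return "abort"  # Yes without a verified fingerprint is refused
```

A mismatch after a Director upgrade and a mismatch caused by an impersonating device look identical to this check; only the out-of-band comparison distinguishes them.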
Index
A
adding policy to an overlay 171
admin user, explained 502
administrator activity logging
enabling TACACS+ 362
job logging format 447
setting the logging level 364
TACACS+ 357
alerts
about 332
managing 338
appliance certificates
and device registration 68
getting 75
archive Director 463
archiving and uploading Director 470
ARP, troubleshooting 442
audit logging
and event logging 358, 418
configuring 364
examples 359, 419
logging level 364
overflow policy 365
overview 357
related commands 366
SCP server 364
TACACS+ authentication 362
verifying settings 366
what is logged 357, 417
authentication commands
error messages 445

B
back up Director 463
backup
device, comparing 459
device, creating 453
device, deleting 459
pinning device configurations 457
restoring device 458

C
CLI
error messages 438
authentication 445
devices 442
help 440
host names 442
listed 438
logging 443
RADIUS 445
user directory 439
usernames and passwords 438
FTP
server connections, configuring 42
server connections, disabling 42
overview 38
privilege level, setting 502
troubleshooting 441
user account
managing 502
configuration
files, destroying 489
files, renaming 465
files, viewing 464
saving 463
switching files 465
configuration files
about 464
deleting 465
saving 464
configuration lock
about 494
breaking lock 496
configuration changes, making 495
explicit lock mode 494
implicit lock mode 495
lock mode, switching 497
switching lock modes 495
content
distributing URLs 215, 221
distribution, about 207