LevelBlue Knowledge Base » Knowledgebase » Legacy Products » Secure Web Gateway » Proxy

Usage of external CA certificates

Charles Creegan — Wed, 01 Apr 2020 00:00:00 GMT

This article applies to:

WebMarshal

Question:

How can I use external CA certificate with WebMarshal?

Information:

Use of publicly trusted CA certificates in proxying end-user communications with internet systems is prohibited by some browser manufacturer rules and regulations. LevelBlue recommends the use of a self signed or enterprise CA for proxying use. If you intend to use a publicly trusted or cross signed CA certificate with this product, consult with the issuing CA to ensure your use is compliant with all current and anticipated regulations.

To import a CA certificate, you can use the Certificate Converter Tool available from the WebMarshal Download page.

Why the Status Page is not displayed in Chrome browser when using FTP over HTTP?

Mariusz Cieślak — Wed, 16 Sep 2015 09:06:27 GMT

This article applies to:

All SWG versions

Question:

Why the Status Page is not displayed in Chrome browser when using FTP over HTTP protocol? (when setting port 8080 in the proxy settings for FTP transactions on the browser side)

Reply:

The header in the GET request coming from the browser which is mandatory for activating the Status Page is the User-Agent header.

This is visible in the "Administration > System Settings > Scanning > Scanning Options" section of the SWG GUI (part of the configuration) - see the screenshot below:

Chrome browser doesn't include User-Agent header in the GET request when FTP over HTTP protocol is being used.
Please see below the comparison of the GET requests that are sent by the browsers for retrieving the same file when using Chrome and Firefox:

1) Chrome browser - no User-Agent header is included in the GET request:

2) Firefox browser - User-Agent header is included in the GET request:

Notes:

This article is applicable only when FTP over HTTP protocol is used (port 8080 for FTP transactions is set on the browser side in the proxy settings). For other protocols (e.g. HTTP etc.), the behavior is different.

How to bypass Authentication by header

Charles — Mon, 27 Apr 2015 15:17:40 GMT

This article applies to:

SWG 9.x
SWG 10.x

Question:

Some sites or programs require you to bypass Authentication in order for it to be accessed through the SWG appliance. For Example, Google Earth’s update mechanism will not allow the program to run if it cannot contact its host site, and the host site cannot be reached when using Authentication through the SWG.

Procedure:

To bypass authentication for our Google Earth example, we will bypass using the User-Agent header that Google Earth uses to access its host site.

-Navigate to Polices -> Condition Settings -> Header Fields

-Under Exclude by Headers click edit and enter the following information.

Header Name:

Condition:

Header Value:

- Save and Commit changes.

*note: in VSOS 9.0.0 you cannot add more than one user agent header name to the same Headers Field list. If you need to add more than one user agent you will need to create a separate list for each user agent entry.

-Other programs and hardware have been known to need to have authentication bypassed in order to be used. Here is the program and the Header name used to allow access.

Application	Header	Value	Expression
Google Earth	User-Agent	Regular Expression	^GoogleEarth.*
iPhone	User-Agent	Regular Expression	Apple iPhone.*
iPad	User-Agent	Regular Expression	Apple iPad.*
iTunes	User-Agent	Regular Expression	iTunes/.*
-	-	-	AppleCoreMedia/.*
Microsoft Updates	User-Agent	Equals	Windows-Update-Agent
-	-	Regular Expression	^MicrosoftBITS/.*
Adobe Flash	User-Agent	Regular Expression	^Adobe Flash Update.*

Why do some pages with cache kit enabled load slowly

ofer Kalef — Wed, 05 Feb 2014 01:17:01 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

Why do some some pages load slowly with SWG caching kit installed and enabled?

Information:

Some pages/HTTP servers are poorly designed and send confirmations for every page, script, or resource request in a non-parallel manner (one after another). In this example, note the many HTTP messages "HTTP/1.0 304 Not Modified".

As you can see, the server is sending messages one after another; in this case it takes 16 seconds to load a small page with many js scripts:

HOW to fix the issue:

Because it is not an SWG related problem, you must exclude this type of site from caching; add an exception as shown below:

Does Dropbox work with SWG SSL scanning?

ofer Kalef — Sun, 24 Nov 2013 03:53:55 GMT

This article applies to:

SWG 10.x

Question:

Does Dropbox work with SWG SSL scanning?

Reply:

Yes, but the only way that drop box will work with the SWG is if SSL scanning is bypassed for Dropbox. In the dropbox help it is suggested that you create an HTTPS bypass list that you can add Dropbox to so that it will not be scanned by the SWG.

Dropbox was not designed to work with an SLL proxy. When drop box makes a connection to the client it refuses to use the OS root SSL certificates that’s provided to the drop box client (which is what the SWG uses in the event of a HTTPS connect). It then sends an encrypted alert stating that the certificate that is being served is “bad” and ends the connection.

Notes:

Drop box help:

“You have a proxy orfirewall blocking the Dropbox service Dropboxuses standard internet ports (80 and 443) to transfer data. However, manyfirewalls and security software will proactively block unauthorized or unknowninternet services. Add Dropbox to your proxy orfirewall settings as anexception to connect to the Dropbox service. “

Check or Change Trustwave Filter List Categorization

ofer Kalef — Thu, 14 Nov 2013 04:36:11 GMT

This article applies to:

SWG 10.1
SWG 10.2
SWG 11.x

Question:

How can you check the classification of a URL in the Trustwave Filter List database?

Information:

It may happen that a given link is wrongly categorized. In addition, a URL can sometimes change owner and website content.

You can check a site category in the Trustwave Filter List database, or submit a site to Trustwave if it needs to be added to the database or reviewed for a possible mistake in categorization.

Go to:

https://support.levelblue.com/m86filtercheck.asp

You can also view a list of categories and their definitions.

SWG support for HTTP HEAD requests

ofer Kalef — Tue, 24 Sep 2013 08:33:51 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

Will an SWG proxy honor HTTP HEAD requests ?

Information:

An HTTP HEAD request is very similar to an HTTP GET request, the difference being that it asks the Server to return the response headers only, and not the actual resource itself.

This method is useful when the resource needs to be evaluated without actually downloading it, saving bandwidth for example.

SWG supports the HTTP HEAD method without any specific configuration changes, and by default the transactions shown below are allowed:

If needed, a custom rule may be added to the policy to block HTTP HEAD requests, using the HTTP Method condition:

This is how an SWG proxy works when an HTTP HEAD request is blocked by the policy:

How to backup SWG

ofer Kalef — Tue, 24 Sep 2013 08:31:31 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:
How do I create a backup of my SWG settings and configuration?

Procedure:
There is a feature in SWG called "Backup" (or "Rollback" in SWG version 10.x.) This feature allows you to create a backup file of your SWG where it can be saved in an alternate location (backups are not saved locally on the SWG). A backup consists of all data that an administrator can customize in the Management Console (including Policies, Settings etc.).

To create a rollback:

In SWG 10.x, navigate to Administration > Rollback > Rollback Settings

In SWG 11.x, navigate to Administration > Policy Server DB Backup > Backup Settings

From here you can configure a connection method location and scheduling for the backup. If you have any trouble in configuring the backup, click the "?" or F1 Help button to see additional information about backup settings.

Why is backup helpful? In the event of a critical system failure where the SWG is not recoverable, the SWG system can be re-imaged to its default factory settings. After it has been reset to its factory settings, the last saved backup can be applied to the system restoring the custom configuration and settings.

Note:
System backups do not include information in the LogServer database, Reports Server database (see Administration > Reports DB Backup > Backup Settings), Custom Block Messages, and Updates.

Allow (bypass) Audio Streaming through SWG

ofer Kalef — Tue, 24 Sep 2013 08:21:13 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

Audio streams (e.g. Web Radio) do not work through the SWG, and there are no log entries.
I have an "Allow Streaming" rule, but audio streaming does not work and the logs don't show anything being Blocked.

Procedure:

Audio streaming formats are not included in "Allow streaming" rule by default.

In order to allow (actually, to bypass) these formats, modify the rule conditions by selecting 'Audio File' as shown below:

Incorrect Policy enforcement for Windows 7 / Windows Vista users due to the NCSI feature

ofer Kalef — Mon, 19 Aug 2013 06:35:52 GMT

This article applies to:

SWG 10.x
SWG 11.x
Users running Microsoft Windows Vista or Microsoft Windows 7

Symptoms:

Symptoms may vary depending on SWG identification implementation.

In some cases, when the user first boots into the Windows OS they get a message from Microsoft Networking with a yellow exclamation icon in the system tray.

The error message that opens is "No Internet Access".

The yellow exclamation icon goes away as soon as the user opens Internet Explorer.

Another variation is that the users are identified as Unknown Users, and as a result the incorrect security policy is enforced for such users.

This can be verified in the Web Logs view showing Authenticated User Names containing '$' signs:

Causes:

This behavior is unique to Window Vista and Windows 7 OS versions after the Network Connectivity Status Indicator (NCSI) feature was introduced in Windows Vista.
NCSI is designed to be responsive to network conditions, so it examines the connectivity of a network in a variety of ways. Once a test fails, NCSI may report an error, even if the network can actually be fully accessed.
For example, NCSI tests connectivity by trying to connect to http://www.msftncsi.com, a simple website that exists only to support the functionality of NCSI.

Try to manually visit the website http://www.msftncsi.com/ncsi.txt. You should see “Microsoft NCSI”:

A proxy server requiring user authentication won't allow it to access the Internet.

Resolution:

There are two ways to resolve this issue:

1. By bypassing *.msftncsi.com/* for Authentication purposes.

2. By modifying registry settings to disable the NCSI functionality:

- Run regedit (administrative permission is required)

- Navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\

- Locate EnableActiveProbing parameter

- Allowed values: 1 - Enable NCSI, 0 - Disable NCSI

These registry settings can be distributed globally as part of the Group Policy push from the Domain Controller.

When we tunnel HTTPS, why can we block a page but not show the block page?

ofer Kalef — Sun, 28 Jul 2013 04:11:01 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

When we tunnel HTTPS traffic over HTTP (user browser has 8080 on all protocols), we can still block the HTTPS site request via URL cat and URL list, but the Block page does not display. Instead of a regular Block page, in Firefox we get "The proxy server is refusing connections". But we still see the Web log with the correct block reason.

Why can we block but not show the Block page when we tunnel HTTPS?

Reply:

This is a normal browser behavior. That is, if you look at the capture you will see that SWG is sending the 403 error page correctly.

However, the browser is rendering it differently and showing its own error message. Browsers do not apply 403 error messages over HTTPS, only over HTTP.

This is not an SWG issue, but a security feature in all browsers.

You can see this in the Firefox bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=493699#c1

and in the Chrome bug system: https://code.google.com/p/chromium/issues/detail?id=62993#c1

Web Logs show IP addresses for requested URL(s)

ofer Kalef — Sun, 28 Jul 2013 04:08:20 GMT

This article applies to:

SWG transparent implementation - WCCP, Bridge, transparent gateway
SWG 10.x
SWG 11.x

Question:

When looking in the Web Logs, why are almost all HTTPS transactions being logged for IP addresses instead of URL(s)?

Information:

With SWG implemented in Transparent Mode, URL resolution is performed by the client issuing a request, and not by the scanner.
As a result, when such a request comes in, SWG has to rely on the information sent by the client.
For HTTP traffic, SWG extracts URL information from the host header present in the HTTP GET request.
This however, is not available for SSL traffic, and as a result SWG presents IP addresses instead of URL addresses.

There is a way to obtain URL/hostname information for a request using the certificate data associated with it.
Navigate to Administration > System Settings > SWG Devices. Then under Scanning Server, go to General > Transparent Proxy Mode tab. Enable the Extract hostname from certificate option, as shown below.
This setting is present on Scanning Server only.

With this setting enabled, the logs show both IP and URL addresses per a request:

Use custom rules to bypass scanning for large files

ofer Kalef — Mon, 08 Jul 2013 02:23:38 GMT

This article applies to:

SWG 10.x
SWG 11.x

Symptoms:

Download is blocked and the following message is presented to the user:

Error Occurred
HTTP Error Status: 403 Forbidden
Error Reason: Response body too large Please contact your system administrator

Cause:

SWG proxy is limited to downloading/uploading files up to 2GB in size. This limit is configured in the Downloads tab under Administration > System Settings > SWG Devices > Scanning Server > General node:

Resolution:

If SWG proxy is expected to deal with many large files, it may help to bypass scanning for those files. This can be done by creating two additional rules in the Security Policy, as detailed below.

Both the rules make sure that the files are not scanned. The first rule allows the file to download through SWG immediately, while the second rule needs to download the file first to evaluate the content size.

It is important to position these rules properly in the policy. For better performance, place the rules below the Allow Trusted Sites and Block Blacklisted Sites rules.

First Rule

The first rule should bypass scanning for large files based on the value in the content-length header field associated with the file in the transaction.

1. Create a custom HTTP header as shown below. Set the value relevant to your SWG implementation:

Note that the content-length header value should be set in bytes.

2. Create a new rule in the policy and add the new custom header as a condition for the rule.

3. Make sure the rule Action is set to Allow and Advanced Action is set to Bypass scanning:

Second Rule

It is possible that a file in a Web transaction will not have a content-length header specified for it. As a result, the rule we just created will not bypass scanning for such file.

For this reason we need a second rule to bypass scanning for large files based on the content size value.

1. Use one of the default Content Size conditions available in the SWG OS, or create a new one to make it consistent with the rule above.

Content Size conditions are under:
Version 10.x: Policies > Condition Settings > Content Size
Version 11.x: Policies > Condition Elements > Content Size

2. Create a new rule in the policy and use Content Size as a condition for the rule.

Notes:

Important: Content-length header value is set in bytes, content-size condition value is set in kilobytes.

How to bypass Authentication by header

ofer Kalef — Mon, 17 Jun 2013 01:26:10 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

Some sites or programs require you to bypass Authentication in order for it to be accessed through the SWG appliance. For example, Google Earth’s update mechanism will not allow the program to run if it cannot contact its host site, and the host site cannot be reached when using Authentication through the SWG.

Procedure:

To bypass authentication in our Google Earth example, we will use the User-Agent header that Google Earth uses to access its host site.

Navigate to Polices > Condition Settings > Header Fields.
Under Exclude by Headers, click Edit and enter the following information:

Header Name:
Condition:
Header Value:

3. Save and Commit changes.

Other programs and hardware are known to need to have authentication bypassed in order to be used. Here are the programs and the Header names used to allow access.

Application	Header	Value	Expression
Google Earth	User-Agent	Regular Expression	^GoogleEarth.*
iPhone	User-Agent	Regular Expression	Apple iPhone.*
iPad	User-Agent	Regular Expression	Apple iPad.*
iTunes	User-Agent	Regular Expression	iTunes/.*
-	-	-	AppleCoreMedia/.*
Microsoft Updates	User-Agent	Equals	Windows-Update-Agent
-	-	Regular Expression	^MicrosoftBITS/.*
Adobe Flash	User-Agent	Regular Expression	^Adobe Flash Update.*

Signing CSR request and importing certificate for the scanner

ofer Kalef — Tue, 29 Jan 2013 23:59:01 GMT

This article applies to:

SWG v10.0
SWG v10.1

Question:

This article describes detailed instructions on how to:

Generate CSR request for Scanning Server using Trustwave SWG Web interface
Submit CSR request data using MS PKI Web interface
Import certificate information into Trustwave SWG Scanning Server

Procedure:

1. Navigate to the Devices section in Trustwave SWG GUI, right-click the HTTPS module on the scanner and choose Generate Certificate option:

2. Choose CSR Certificate Type in the right pane and fill in all relevant details:

3. System responds with "Operation Succeeded" message, with the CSR request data in the background. Click OK and copy CSR data as simple text data.

4. Commit the changes. Do not create new CSR requests for other devices managed under same Policy Server.

5. Navigate to the MS-PKI Web GUI and select "Request a certificate" task:

6. Submit advanced certificate request:

7. Choose the option to submit CSR by using a base-64-encoded CMC or PKCS#10 file:

8. Paste CSR data that was copied in step 3 above.

Before submitting a request make sure Certificate Template is set to use Subordinate Certification Authority and "CA:TRUE" is set as Additional Attribute.

9. Select Base 64 encoded option and download certificate:

10. Save the certificate on your system:

11. Open this certificate using text editor and copy the data as simple text data:

12. Navigate to the Devices section in Trustwave SWG GUI, right-click the HTTPS module on the scanner and choose Import Certificate option:

13. Choose CSR Certificate Type in the right pane and paste in certificate data that was copied in step 10 above:

14. Commit changes. Certificate can now be exported from the device.

If required to sign CSR certificate for more than one scanning server, it is important to perform above steps as separate procedure for every device.

How To Exclude Web Applications From the Authentication Mechanism

Rudolf Kessler — Fri, 31 Aug 2012 07:06:10 GMT

Description
Some web applications (such as Citrix Webmeeting) get stuck due to authentication requests which can not be handled by such applications.
This article describes how to exclude them from authentication mechanism.

Symptoms
Example:
Citrix Webmeeting gets stuck, or the connection setup wizard does not succeed.

Cause
An authentication request is sent to the client in a later session stage, but the application cannot handle it correctly.

Solution
The solution is to exclude this application / site from authentication mechanism.

Drawback: The client is not authenticated or identified anymore and the policy for unknown users is applied.

1. Step: Create a list of URLs you want to exclude (It might be necessary to do a packet trace and analyze the destination URLs)

2. Step: add a condition to your authentication policy (it might be different from this example):

Note: This condition is based on URLs, basically other conditions such as header fields are also possible - it depends on the needs.

Step 3: Commit your changes

Note: This option applies also to other identification policies (IP, Basic)

Software Version
9.x

This article applies to:: NG 1000; NG 5000; NG 6000; NG 8000

This article was previously published as:

Finjan KB 1810

Allow MSC to find nearest on-premise proxy

Rudolf Kessler — Fri, 31 Aug 2012 06:50:55 GMT

This article applies to:

Mobile Security Client (MSC)
Secure Web Gateway
MS Windows

Problem Description:

When there is more than one internal (on-premise) SWG proxy, the MSC is unable to work out which one is closest. This can lead to inefficient routing of web traffic and consequently poor browsing performance.
For example, a company has two ‘main’ offices – one in NY and the other one in London. They have SWG scanners installed in both locations. They would like roaming users to use the local scanners when they are on premise. A few more ‘facts’:
- NY scanners load balancer IP – 10.0.0.2
- London scanners load balancer IP – 192.168.120.5
- Each site has its own DNS server

Prerequisits:

Separate DNS servers covering each site are needed. If only one DNS server is used this solution will not work.

Procedure:

How to make this work:

Define the following mapping in the DNS servers on both sites, so that the MSC software can detect that it is on premise:
- Hostname ON-PREMISE-HOST > 1.1.1.1
Define in NY DNS server the following mapping:
- Hostname SWG-SCANNING > 10.0.0.2
Define in London DNS server the following mapping:
- Hostname SWG-SCANNING > 192.168.120.5
In the SWG Policy Server GUI, on the Proxies (On-premise) do the following:
- Add the following line in the On-premise Proxy Details:
  - SWG-SCANNING 8080 8443
- In the Corporate Hostname enter ON-PREMISE-HOST
- In the Internal Hostname IP enter 1.1.1.1 (or click the ‘Resolve IP’ button)
Commit the SWG policy update.
Boot up the PC and allow the MSC run for a few minutes to identify and pull down its new configuration information.

Notes:

V0_1 2012-Aug-23

SFG data mechanism and the use of 'Bypassed Context Scanning List' in SWG 10.x

Rudolf Kessler — Wed, 29 Aug 2012 01:47:01 GMT

This article applies to:

SWG 10.x

Question:

SWG 10.1 comes with a new Scan Engine (Entrapper). Is the SFG Data Mechanism and the "Bypassed Context Scanning List" still in use?

Reply:

Inserting SFG Data tags to the page code was necessary in order to track and analyze a site in full context. If any problems occured with this, the solution was to add a site to the "Bypassed Context Scanning List".

SFG data is still being used in the product but in less scenarios than before. For example java scripts are no longer marked with SFG since Entrapper (the new scan engine) now does pre-fetching, however, will still add SFG tags to java applets.

Due to the above, the need for this list has dramatically decreased but we still want to keep this functionality for other scenarios in case it creates a problem in the page.

Notes:

When downloading files, status page keeps reappearing or giving a 555 internal server error at the end

Rudolf Kessler — Thu, 09 Aug 2012 04:50:05 GMT

This article applies to:

SWG 9.x , 10.x , 11.x

Symptoms:

When downloading files the download page keeps reappearing or giving a 555 internal server error at the end

Causes:

With the limited shell command config_network, check if the scanners have an interface with the IP they have in the GUI->Devices.
The problem may lie with the fact that the scanners don't have an interfacewith the IP that you see in the GUI and a load balancer is used. The scanners assume they canconnect to each other with the IP seen in the GUI.

The download with status page flow goes like this:

Client requests file, via LB, from scanner A ->scanner A starts the download and sends the status page to the client -> When download/scan is complete the scanner sends a redirect response to the client with a url pointing to the file location on the scanner and parameter with the scanner ip. -> client follows the redirect url and the LB directs it this time to scanner B -> scanner B checks if the scanner IP address in the request parameter is his IP address.
- If it is his IP address (A==B) , it returns the scanned file to the client
- If its not his IP address, it connects to that IP address (scanner A which holds the downloaded file) and streams the file back to the client.

In our test B was not A so it tried to connect to A and failed. Thiscaused the 555 - internal server error response, that was sent to theclient.

Resolution:

Two options:

Use a free network interface on each scanner to assign it the IP that we see in the GUI, in a way they can connect to each other. e.g. As a VLAN that only the scanners can see.
Disable the status page feature.

How to allow iTunes radio stations streaming contents

Rudolf Kessler — Thu, 24 May 2012 01:42:48 GMT

This article applies to:

SWG 10.x

Question:

iTunes radio stations do not function properly with default security policy. With few changes listed below you could allow these contents through SWG proxy.

Procedure:

First, it is possible that current security policy blocks initial requests for iTunes radio stations. All iTunes radio stations are being launched as PLS file, with further connection to a remote server.

This file extension is listed among M86 Recommended Forbidden File Extensions.

Review SWG web logs to validate if there are any blocks of Block Forbidden Extensions rule.

If there are no blocks of this kind, continue with below article to modify the settings to allow iTunes radio station contents.
If there are blocks of PLS file extension, make sure your security policy is set to allow PLS files.

iTunes radio stations are streaming audio contents over the web, and it have to be allowed to stream contents in the same fashion that SWG allows video streaming.

Refer to the Allow Streaming rule in your security policy and make sure that Audio File True Content Type is checked as shown below:

It is also possible that some audio streaming would be using a custom Content-Type that would have to be allowed in a different way.

1. First, find out what these Content-Types are. This could be found in a network capture collected when a proxy was requested to deliver these streams.

Refer to Notes section below to find a KB on how to collect tcpdump network captures on a SWG device:

Below example shows typical responses from the web server:

Note that SWG identifies above Content-Types as Audio File True Content Types, here it is only being used for demonstration purposes.

2. Navigate to the GUI section: Policy -> Condition Settings -> Header Fields, and create new Header Fields list, Audio Streaming, as shown below:

3. Edit this Header Fields list to include the following two entries for above Content-Types:

4. Navigate to the GUI section: Policy -> Security -> Advanced and review current security policy.

Create new rule to Allow Streaming Contents based on Content-Types, and refer to the Header Fields list created in step 3:

Just as with default Allow Streaming rule in M86 Security policies, make sure that this new rule is set with Advanced Action to Bypass Scanning and is located on top of the policy:

Save and commit the changes.

Notes:

KB - How to run tcpdump trace on SWG device - https://support.levelblue.com/kb/KnowledgebaseArticle14333.aspx

Cannot POST a file bigger than 100MB

Rudolf Kessler — Mon, 14 May 2012 02:01:49 GMT

This article applies to:

SWG 9.x
SWG 10.x

Symptoms:

Cannot POST a file bigger than 100MB
The error given is "Container Violation: Expanded file size limit exceeded"

Causes:

There is a hard-coded limit to uploads of files that match specific MIME types, or are larger than 100MB

Resolution:

The workaround is to bypass scanning on uploads to one or more specified sites:

Under Policies > Condition Settings > URL Lists, add a new List (such as "Bypassed Upload Scanning List")
In this list, add the domains that you want to allow for large uploads (such as "*.example.com/").
Save the List.
Under Policies > Security > Advanced Security policy, add a new Rule (such as "Bypass large uploads to example.com")
- Set Action to Allow
- Set Advanced Action to Bypass Scanning
- Add a new Condition with Condition Name "URL Lists", "Any of..." selected, and select your new "Bypassed Upload Scanning List".
- Add a new Condition with Condition Name "Direction", "Any of..." selected, and select "Outgoing".
Save the Rule.
For ease of reading, move the Rule near any other Allow Rules you may have.
Commit the changes, and test.

Notes:

This limitation is currently planned for review in SWG version 11.

Silverlight Streaming through SWG

Rudolf Kessler — Mon, 14 May 2012 01:58:54 GMT

This article applies to:

SWG 10.x

Symptoms:

SWG fails to pass Silverlight streams
Silverlight does not work through SWG
The SWG Status Page (displayed while downloads are being scanned) might be delivered to the Silverlight Player, but the Player may be unable to handle this page

Testing:

To determine if the status page is the issue, temporarily disable display of the status page:

In the SWG GUI, navigate to Administration > Scanning > Scanning Options
Deactivate "Enable Status Page"
Commit

Test the Silverlight player again. If the stream plays, then the player cannot handle the status page (which is sent to the client in the background).

Resolution:

To disable the status page only for this specific content:

In the SWG GUI, navigate to Administration > Scanning > Scanning Options
Activate "Enable Status Page" again
Select tab "Activate"
Under "Unless" add the following (do not delete any existing items):

Extension Is / xaml
Extension Is / xap
Extension Is / xbap

Mime Type Contains / xaml+xml
Mime Type Contains / x-silverlight-app
Mime Type Contains / x-ms-xbap
Commit

How to configure FileZilla 3.x for use with FTP Proxy

Rudolf Kessler — Fri, 02 Mar 2012 03:31:01 GMT

Question
How do I configure FileZilla Client for use with the FTP Proxy (uploaded/downloaded files scanning, Native FTP)?

Answer
In order to set FileZilla to work with FTP Proxy, the following actions need to be taken:

1) Edit -> Settings -> FTP Proxy.

2) Set Type of FTP Proxy to Custom and type:

3) Set Proxy Host to the IP Address of your Scanner/Proxy IP and Port, seperated by colon - the default port is 2121.

4) Use the FTP client normally, all FTP session will be created via the proxy (scanner).

Software Version
not related to any SWG version

This article applies to:

This article was previously published as:: Finjan KB 1684

EICAR virus file is not blocked

Rudolf Kessler — Wed, 15 Feb 2012 06:02:36 GMT

This article applies to:

SWG 10.1

Question:

I am downloading eicar virus file via SWG and it is not blocked. Why is it not blocked?

Reply:

If cache is in use then this could be the reason.

The cache used by SWG is Squid. Squid sees that the virus file size is different than what it issupposed to be (1 byte difference) and therefore strips and does notpass the file content and you get a 0 size file which isnot a virus anymore and SWG does not have to block it.
This is the correct behavior by Squid (according to RFC) even if a bit confusing.
If you stop the cache, SWG will block it because size will not be zero.

The behaviour described in this article only applies to the EICAR test virus. Actual viruses (not "0 size") are blocked correctly.

ICAP Timeout Error When Browsing Through BlueCoat Proxy

Rudolf Kessler — Fri, 10 Dec 2010 09:07:11 GMT

Description
When browsing through a BlueCoat proxy with a Finjan scanner configured as an ICAP, client timeouts occurs.

Symptoms

The following error is shown when trying to browse to a site:

ICAP Error (icap_error)

An error occurred while performing an ICAP operation: Request timed out: Timed out while waiting for a response from the ICAP server.
There could be a network problem, the ICAP service may be misconfigured, or the ICAP server may have reported an error.

For assistance, contact your network support team.

Cause
This is a result of a misconfigured default connection timeout value in the BlueCoat (That was changed in SGOS ver 5).

Solution

To resolve this please increase the connection timeout for the RESP_MOD service as follows:

Software Version
all SWG versions, but not related to

This article applies to:

SWG 3000

SWG 5000

SWG 7000

This article was previously published as:

Finjan KB 1817