Bluecoat – Information Gathering / Preinstall Questionaire
July 3, 2022The first thing that needs to be accomplished is to gather all pertinent information regarding the install.
Here are some items that need to be looked at:
- POC information at the location level that can perform the physical tasks of rack mounting the devices, cabling and initial configuration. Make sure to get their full Rank / Name and if you can, two phone numbers. Technician does not necessarily need to have any experience with working with BlueCoats or web proxies, but they need to ensure they have working straight through CAT5 cables and a basic knowledge of their network to know where to plug the devices in.
- Ask yourself and the respective location and/or Detachment for the following and ensure to get solid POC information:
a. Who controls internal DNS for the location?
b. Who controls external DNS for the location?
c. Who controls GPO pushes for that location? - What is the current state of the IT MPS (Multipurpose Server)? This server is utilized for logging and BCAAA functionality. It is vital that we have access to this, or another server that can perform these functions solely. The location and/or Detachment may be able to assist in finding this information.
Note: Do not have the site install BCAAA on a server you do not have remote access to unless absolutely necessary.
This hinders our ability to troubleshoot/diagnose issues and gives the owner of that machine the ability to isolate internet access to the location.
- Ask the location (Active Directory/IPO) for a solid list of devices that will bypass NTLM (IWA in the newer proxies) authentication. A general rule of thumb is that if the device is not on the domain or uses a local user account not authenticated to the domain, it will need to be in this list. Remind them of all their mail relays, domain controllers, kiosks, dining facility terminals and possibly special situations like the location education offices where they have computers set up for training.
- Have the location create a security group that contains all the USER accounts of personnel with .adm, .csa and other elevated privilege accounts. Implore them to not add administrative accounts, only their respective user accounts. Typical naming standard is XXXX Proxy Exempt (with spaces) where XXXX is the locations’ geo reference code. If this cannot be found, abbreviate the location name i.e., Proxy Exempt. If the location already has this created, just use that security group. This will be used to allow those users to bypass the download extension block.
- Ask the location for any concerns or special situations that you should be aware of. They too have to create a security group to bypass blocked extensions and they also need to install BCAAA on at least one computer in their domain that you can reference in policy.
- Conduct a survey of their boundary IP space and configuration and make sure to have an understanding of the current traffic flow.
a. How do location computers point to their proxies?
Typically the location will have a GPO pushed to them to enforce the use of an explicit proxy by means of an IP or DNS name. If they push an IP, you will need to get their Active Directory admins to change that to a DNS name that points to both new proxies (DNS round robin).
b. Ensure that the external and internal switches have free ports to plug in the new proxies. Document which ports will be used so that you can pass on that information to the techs during install.
c. Look at network maps and actually check on the switches / routers which IPs are in use on the external and internal subnets. Determine free IPs on external and internal subnets that can be used for the new proxies and document those and pass that information on to the tech at the location. It’s advised to only give them the internal IP, because that is the IP that will be used for the initial configuration.
Installation of New Proxies
This is a typical step by step guide on how the install process should be performed.
As always, you will have to adapt and overcome when met with unforeseen circumstances.
- Base technician will physically rack mount and hook proxies up to power and also to internal and external switches using standard CAT5 straight through cables. Ensure that the ports labeled WAN and LAN are NOT used; this is a bridge card and can only be assigned one IP address. The ports labeled 0 and 1 are internal and external respectively.
- Login to both the external and internal switches and configure the appropriate ports in which the BlueCoats will be hooked up to. Typical configuration includes:
a. description ProxySG XXX #x
b. speed 100 (or 1000 if the switch and proxy both support it)
c. duplex full
d. no cdp neighbor
e. spanning tree portfast
f. no shut - **** REMEMBER TO SAVE RUNNING CONFIG TO STARTUP CONFIG ****
- Document where the proxies are plugged in on the Master BlueCoat List excel file in the standardization folder
- The devices will be powered on and go through their POST. Once finished, the location technician can begin initial setup. This consists of assigning the following values:
a. IP Address – this is the IP for Port 0 (Internal)
b. Subnet Mask – typically a Class C, but check on the switch/router to ensure you don’t overlap into a different network
c. Default Gateway – initially this will be assigned to the internal router (whatever the routing device is for the internal subnet), this will be changed later during configuration by INW
d. DNS – this can be set to the internal Virtual IP (VIP) of the firewall, but isn’t important for initial setup (something has to be assigned)
e. Console and Enable Password – tech can just read off the values (or send an encrypted email) of these passwords OR change them to something simple. The default passwords are randomly generated and are in this format: xxx-xxx-xxx-xxx
f. Trial Edition – ALWAYS set this to Proxy, NOT MACH5. You can only set this one time on the front panel. After initial configuration, if it must be changed to Proxy, you have to console in with a laptop, or have the location tech connect a console cable to a server we can remote desktop to.
Note that the default username is all lowercase admin.
- Upon initial configuration completion, ensure that there are rules in the Network Operations Center FW and the target locations’ FW in place to allow you to connect to the new proxies. You should only need to create new network objects and add them to the existing rule. If you are having issues connecting to the new proxies, try connecting from their location FW (via SSH). Here’s an example of how to connect via SSH from the firewall:
ssh –l admin x.x.x.x - Once connected either from your computer or from their location firewall, perform the following commands:
a. enable (just like a Cisco IOS)
b. config t
c. security username local-admin
d. security password (sets the password that allows you to login via the GUI and SSH)
e. security enable password (sets the password needed to go to enable mode in SSH) - You should now be able to connect via the management console (Web GUI) by using this URL:
https://x.x.x.x:8082 - You should be prompted to accept the certificate since it is self-signed and not from a trusted CA. You will then get a login prompt and can now login with local-admin and the password you set in the above commands.
- Ensure you are able to connect to the device via both the Web Console and SSH (to include enable mode). Verify this for all proxies that were installed; once this is done, the location technician has fulfilled their duty.
Standard Configuration
This is an abbreviated version of the BlueCoat standardization document found in the standardization folder. It is meant to assist with the configuration performed immediately after a new proxy has been installed, specifically the newer ProxySG 810 devices. Please remember to document your progress either within the Master BlueCoat List excel document or another centrally located location so everyone can see current progress. Let’s start where we left off, after the location technician has assigned the vital information such as internal IP, subnet mask, gateway and turned over the ‘keys’ (passwords). You should have changed the username to local-admin and set a password and enable password and documented that in the secure-password.
- Upon verifying connectivity and login credentials, login to the proxy using the Web GUI. Depending on the SGOS (Operating System) version loaded, you will either be greeted with a plain home page (SGOS 5.3.x the former picture) or a statistical summary (SGOS 5.4.x the latter picture):
- SGOS Upgrade: From the first SGOS type, click Management Console and it will take you to a similar screen as the second. From there:
a. Click the Maintenance tab
b. Click the Upgrade link on the left side
c. In the Upgrade actions box, click the Upload button. A new window/tab will open, click Browse… Navigate to DOB\Continuity Book\Bluecoat\Standardization\SGOS – DO NOT DELETE\ folder and select the image named proxysg_5.3.3.11_42458_810.CHK and click Open
d. Click Install and wait for it to return a message stating there were 0 errors and that the image is set to the primary OS and needs to be rebooted, this process can take up to 15 minutes depending on the connection to that location
e. Once finished uploading, go back to the first tab/window and refresh the page (either hit the refresh button in Firefox or click in the topmost whitespace in the page and hit F5). Navigate back to the Maintenance tab, then Upgrade.
f. Click the Systems tab and verify the new SGOS 5.3.3.11 is in the first slot and is the default (radio button to the far right is selected). It doesn’t have to be in slot 1, but that’s typically where it ends up
g. Click the Systems and Disks link on the far left and then click the Tasks tab.
h. Choose the radio button option for “Hardware and Software” restart and make sure that the “System to Run” drop down box is the same slot # as the new SGOS you just loaded.
i. Click Apply and wait for it to save changes and then hit OK to popup
j. Click the large Restart Now button, then click OK to the prompt and OK again
k. Wait a few minutes and eventually you will get a message saying that “Connection to the SG has been lost. The Management Console is logging out.”, it will then redirect you to the screen that says you must login again. Click that link and you should get a login prompt (if not, wait a minute or so).
l. Login to the system after it’s finished restarting and verify you are running SGSOS 5.3.11 – you’ve completed the SGOS upgrade - General Configuration: Login to the proxy and click the link for the Management Console. From there, perform the following steps:
a. Under General, click the Identification link. Give the proxy a name such as DC1-PROXY-01 (if you can, coordinate this with the ext DNS record names)
b. Click the Clock link and check “Enable NTP” if not already done and click the “Set to default” button for the Update time zone datalocation section and click Apply
c. Click the NTP tab and remove the default bluecoat time servers and replace with NTP IP used on previous proxy, or have the location provide you with an internal NTP source; click Apply - Network Configuration: Click the Network link and then:
a. Click Adapters and make sure you are selecting Adapter 0, Interface 0. Click Interface settings and manually configure Link Settings to Duplex Full and Speed to the highest the switch it’s connected to supports and then click OK
b. Perform step a.) for Adapter 1, Interface 0. VERIFY that this interface is the EXTERNAL interface (if you have to, physically check the external switch and verify MAC addresses). In addition to above steps, select “Firewall incoming traffic” radio button. This stops any connections that aren’t established inbound to that interface
c. Click OK, and then in the VLANs section, select the Physical Interface (which shouldn’t have an IP address) and click Edit
d. Click Add IP and give it the external IP address / subnet mask and click OK all the way back to the management console and click Apply if needed
e. Ensure both interfaces are up/up and have proper speed/duplex settings and then click the Routing link on the left
f. Select the Routing tab and from the drop down menu, select Text Editor and click Install
g. Copy routing table from old proxy to this window. If you don’t have a previous routing table, make these minimum entries:- x.x.x.x = Internal Router IP address
b.b.b.z = Any DMZ network the location may have (check the firewall)
y.y.y.y = External Router IP address
b.b.0.0 = Datacenter Class B address Space
- x.x.x.x = Internal Router IP address