Bluecoat License Limit Exceeded
Recently I was digging into a BlueCoat ProxySG / ProxyAV setup for ICAP and noticed some things that had room for improvement. Not a major overhaul, but some things that were missed from the that just so happened to be causing a bit of an issue. Below is part of the small case study I completed to explain the options and differences between them, as well as my recommendations to management on how to proceed.
Scope: At least once a month, if not more, I would hear from the HelpDesk or network team that the proxy load balancers were alerting that the “Real Server Is Down” (can’t resolve www.google.com). This alert is often triggered when a ProxySG can no longer process HTTP requests. In many cases, a ProxySG can no longer process HTTP requests because ICAP connections are being held open to a ProxyAV, which may be waiting for the end of an infinite stream that will never arrive. This will inevitably hold one, or many, of the ICAP connections on a ProxySG, and once they are filled up, the box must be rebooted (a BlueCoat support recommendation).
This document is to provide information from and my research, as well as my recommendation as to which available option should be deployed to mitigate these issues.

Conserving Scanning Resources

HTTP Web objects range from very small to very large in size, and for each scanned object, a scanning resource (connection) is used on the ProxyAV. Some objects, referred to as infinite streams or slow downloads, do not have finite object ends. For example, a stock ticker is an infinite data stream that is transmitted over HTTP using a Web browser. Since the ProxyAV has a finite number of ICAP connections available at any given time, attempting to scan this type of data can potentially consume significant time and ProxyAV resources (potentially slowing other scans)—until an error is returned.
If allowed to continue, these transfers fail with one of the following ICAP error codes:

• Maximum file size exceeded
• Scan timeout

The default configuration of the ProxyAV triggers such errors after the file size exceeds 100MB or after 800 seconds of scanning. While these settings are appropriate for other types of Web objects, they don’t work for infinite streams such as Web cams and stock tickers. To conserve system resources and prevent scanning of infinite streams, select either solution A or solution B listed below. Each solution offers a different approach, and the two should not be used concurrently.

Solution A: No-Scan Policy

To enhance user satisfaction and achieve maximum performance from the ProxyAV, some customers choose not to scan data streams that are known to cause issues. One benefit of this policy is reduced load on the ProxyAV. The risk is that the exemption could allow malicious content, such as viruses, to slip through unscanned.
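To see why infinite streams starve the ProxyAV under the default limits described above, the following sketch (an added example, not code from the original post or from Blue Coat) models a fixed pool of ICAP connections in which every object holds a connection until it is scanned or trips the 100MB / 800-second limit. The pool sizes, transfer rates and traffic mix are constructed assumptions, and 100MB is taken as 100 × 1024² bytes.

```python
import heapq

MAX_FILE_BYTES = 100 * 1024 * 1024  # 100MB default (taken as MiB: assumption)
SCAN_TIMEOUT_S = 800                # 800-second default scan timeout

def scan_outcome(bytes_per_s, size_bytes=None):
    """Return (seconds the ICAP connection is held, result).
    size_bytes=None models an infinite stream with no object end."""
    if size_bytes is not None and size_bytes <= MAX_FILE_BYTES:
        t_done = size_bytes / bytes_per_s
        if t_done <= SCAN_TIMEOUT_S:
            return t_done, "scanned"
    t_cap = MAX_FILE_BYTES / bytes_per_s  # time until the size limit trips
    if t_cap < SCAN_TIMEOUT_S:
        return t_cap, "Maximum file size exceeded"
    return float(SCAN_TIMEOUT_S), "Scan timeout"

def simulate(pool_size, requests):
    """requests: (arrival_s, bytes_per_s, size_bytes or None), sorted by arrival.
    Returns (peak connections in use, refused requests, time of first refusal)."""
    busy = []                           # min-heap of connection release times
    peak = refused = 0
    first_refusal = None
    for arrival, rate, size in requests:
        while busy and busy[0] <= arrival:
            heapq.heappop(busy)         # scan finished or errored out
        if len(busy) >= pool_size:      # no free ICAP connection
            refused += 1
            if first_refusal is None:
                first_refusal = arrival
            continue
        held, _ = scan_outcome(rate, size)
        heapq.heappush(busy, arrival + held)
        peak = max(peak, len(busy))
    return peak, refused, first_refusal

def constructed_workload(duration_s=600, ticker_every_s=30):
    """Constructed traffic: one 50 KB page per second at 500 KB/s, plus a new
    2 KB/s ticker-style infinite stream every ticker_every_s seconds."""
    reqs = []
    for t in range(duration_s):
        if t % ticker_every_s == 0:
            reqs.append((t, 2_048, None))
        reqs.append((t + 0.5, 512_000, 51_200))
    return reqs

if __name__ == "__main__":
    for pool in (10, 40):               # hypothetical pool sizes
        print(pool, simulate(pool, constructed_workload()))
```

In this constructed workload, each slow ticker holds its connection for the full 800 seconds, so a pool of 10 is saturated by the tenth stream and ordinary page scans start being refused shortly afterwards.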