Documente Academic
Documente Profesional
Documente Cultură
x Release Notes
Version: SGOS 6.2.2.1 BCAAA Version 130 Release Date: 6/15/2011 Document Revision: 2.0 on 6/15/2011
Section A: "SGOS 6.2.x Reference Information" on page 3If you are a new user to SGOS 6.x, Blue Coat strongly recommends that you read this section in its entirety. The section identifies topics such as supported platforms, important upgrade information, BCAAA details, and additional requirements specific to SGOS 6.x version information. Section B: "SGOS 6.2.2.1, build 71419" on page 11 Section C: "SGOS 6.2.1.4, build 71203" on page 17 Section D: "SGOS 6.2.1.3, build 66659" on page 18 Section E: "SGOS 6.2.1.1, build 64600" on page 20 Section F: "Limitations in SGOS 6.2.x" on page 38 Section G: "SGOS 6.x Support Files and Support for Other Products" on page 39
If you are using the Blue Coat Authentication and Authorization Agent (BCAAA), SGOS 6.2.x requires BCAAA version 130 (located on the 6.2.x BlueTouch Online download page). Even if you are already running version 130, be sure to upgrade to the BCAAA version associated with SGOS 6.2.x because it contains a security vulnerability fix. You must upgrade to BCAAA version 130 before upgrading to SGOS 6.2.x. Do not upgrade SGOS unless you have first installed the compatible BCAAA version.
The Blue Coat SGOS 6.2.x Upgrade/Downgrade Guide provides the specific instructions to upgrade or downgrade BCAAA. For more information, see "About the BCAAA Upgrade/Downgrade Process" on page 8. Direct upgrade from SGOS 4.x to SGOS 6.2.x is not supported. If you are upgrading to SGOS 6.2.x from SGOS 4.x and the appliance has previously run SGOS 5.x, the 5.x configuration is applied during upgrade. You must restore the SGOS 4.x configuration settings. The Blue Coat SGOS 6.2.x Upgrade Guide contains this procedure, but continue reading these Release Notes for further upgrade information.
For SGOS 6.2.x, the oldest supported JRE is 1.5.0_15. See "Java Runtime Environment (JRE) Information" on page 9.
Product Documentation
Access the SGOS 6.2.x product documentation on BlueTouch Online: https://bto.bluecoat.com/documentation/pubs/view/SGOS 6.2.x
You will then receive email messages to let you know when new software releases are available for download. Click the link in the email to view the KB article. The article will provide you with the following types of information for the new release: the release number, the date the software was posted, highlights of the release, and links to related documentation and training materials.
Support
Frequently asked questions and more information about this release can be found in the Knowledge Base: https://kb.bluecoat.com Direct support questions regarding this release to:
http://www.bluecoat.com/support/contact.html
For questions or comments related directly to these Release Notes, send an e-mail to: documentation.inbox@bluecoat.com
Schedule your upgrade during off-peak hours. If you have ADN configured, upgrade the ADN ManagersPrimary manager and Backup Managerbefore upgrading the ADN nodes.
Upgrade Prerequisites
To upgrade to this release, you must first determine if your hardware platform is supported, and whether you can upgrade directly or must upgrade through an interim release. You must also familiarize yourself with potential upgrade/ downgrade issues.
Important: Before upgrading to SGOS 6.2.x, you must resolve all deprecated policy notices. This is part of the process is described in the SGOS 6.2.x Upgrade/ Downgrade Guide.
Before installing or upgrading to SGOS 6.2.x, perform the following: 1. Determine if SGOS 6.2.x is supported on your hardware platform. See "Supported ProxySG Appliance Platforms" on page 5. 2. Determine your upgrade path. See "Supported Upgrade/Downgrade Paths" on page 5. 3. Understand the BCAAA process. "Upgrading or Downgrading the BCAAA Authentication Service" on page 6.
4. Understand how licensing works. See "About SGOS 6.x Licenses" on page 9 5. Ensure that your browser has the correct JRE installed. See "Java Runtime Environment (JRE) Information" on page 9. 6. RecommendedLearn about the changes and fixes in the SGOS version you are upgrading to. See "SGOS 6.2.1.1, build 64600" on page 20. 7. RecommendedLearn about third-party product support. See Section G: "SGOS 6.x Support Files and Support for Other Products" on page 39. 8. When you are ready to upgrade a ProxySG appliance, follow the steps in the Blue Coat SGOS 6.2.x Upgrade Guide.
32-bit platforms: SG210 (except for 210-5) and SG510 64-bit platforms: SG300, SG600, SG810, SG900, SG8100, and SG9000 Virtual appliances: VA-5, VA-10, VA-15, VA-20
Note: The SG210-10 and SG210-25 can run SGOS 6.2 and later, but the SG210-5 is not supported on these SGOS releases. SGOS 6.2 provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.
Existing ProxySG VA customers can directly upgrade from SGOS 5.5 to SGOS 6.2. New ProxySG VA customers must first download and install the SGOS 5.5 Virtual Appliance Package (VAP) and then upgrade to SGOS 6.2.x. For details, refer to the ProxySG V Initial Configuration Guide: A https://bto.bluecoat.com/doc/13286
Figure 11
Upgrade Path
Windows Server 2008 R2 (64-bit) Windows Server 2003 (32-bit and 64-bit) Windows 2000 Server Windows Server 2008 (32-bit and 64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit) Windows Server 2008 (32-bit and 64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit) Solaris 5.8 or 5.9 Windows Server 2008 (32-bit and 64-bit) Windows Server 2008 R2 (64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit) Windows Server 2008 (32-bit and 64-bit) Windows Server 2008 R2 (64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit)
Windows SSO:
Novell SSO:
BCAAA can run on any hardware as long as the BCAAA sizing requirements are met. When running on a virtual machine, BCAAA has been tested and certified on VMware ESX Server v3.5. The only supported directory service operating systems for the preceding authentication methods are:
Windows Server 2000 Windows Server 2003 Windows Server 2003 R2 Windows Server 2008 Windows Server 2008 R2 Solaris 5.8 and 5.9 (SiteMinder and COREid only)
Note:
Vista.
120
130 SGOS 5.4.2 and later included a release of BCAAA 130 that added support for Windows Server 2008. The initial version of BCAAA 130 (which shipped with SGOS 5.4.1.x) did not support Windows Server 2008.
Install the lowest version of the BCAAA service first and the highest version of BCAAA last, allowing each version to uninstall the previous version. This process leaves behind the bcaaa.ini and bcaaa-nn.exe files for the lower version.
Notes
Only one listening port is used, no matter how many versions you have installed. The BCAAA service hands off the connection to the appropriate BCAAA version.
Installation instructions for BCAAA are located in Blue Coat SGOS 6.2 Administration Guide, BCAAA chapter. This document is accessible through your BlueTouch Online account at https://support.bluecoat.com/ documentation/pubs/view/SGOS 6.2.x
For information on support for other products, see "Support for Other Products" on page 39.
Upgrading to a SGOS 6.x license from a previous SGOS version is an important step (that also has prerequisite steps) in the software upgrade process. Refer to the Blue Coat SGOS 6.x Upgrade Guide for the Blue Coat-verified procedure.
For additional details about downloading JRE, see "Supported JRE Versions" on page 40.
10
Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419
"Whats New in SGOS 6.2.2.1" on page 11 "Resolved Issues in SGOS 6.2.2.1" on page 12 "Known Issues in SGOS 6.2.2.1" on page 15
The following table explains the transparent tunnel modes for various combinations of SGOS at the branch and the core.
Branch SGOS 5.4.x 5.5.x 6.1.1 6.1.2 6.1.3 6.2.1 5.4 Concentrator Regular transparent tunnel Traffic cannot be accelerated 5.5 Concentrator Regular transparent tunnel Fast transparent tunnel 6.x Concentrator Regular transparent tunnel Fast transparent tunnel
11
Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419 Branch SGOS 6.1.4 6.2.2 5.4 Concentrator Regular transparent tunnel when connect-transparent enable regular is used on branch appliance 5.5 Concentrator Fast transparent tunnel 6.x Concentrator Fast transparent tunnel
connect-transparent enable
- allows transparent tunnel initiation, and - enables fast transparent tunnel initiation. - enables regular transparent tunnel
OCSP response validation error was fixed in SGOs 6.2.2.1. The ProxySG incorrectly returned an error when validating the certificate chain for the OCSP responder; the error was that the OCSP responders certificate could not be validated. The workaround was to explicitly import and trust the certificate of the CA that signed the OCSP responders certificate. The explicit trust is no longer needed if the CA that signed the OCSP responders certificate is a CA in the certificate chain for the server certificate being validated. (B# 158111). Sensitive information in ProxySG core files was fixed in SGOS 6.2.2.1. See Security Advisory SA56. (https://kb.bluecoat.com/ index?page=content&id=SA56) (B#159036).
ADN
The incorrect setting of send and receive buffers for ADN sockets led to TCP window advertisements, though there was no window update. This issue, now fixed in SGOS 6.2.2.1, manifested in the form of duplicate acknowledgements. (B#158229) Fixed software restart at 0x810002 in Process: "bdc.rtg.ma.BE5B7A10" in Process group: "PG_BDC_ROUTING" due to a heap corruption issue. (SR 2-376638652; B#160638)
12
Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419
Advanced URL
The Advanced URL statistics page for Core Images is fixed to correctly display Customer release instead of Internal customer release. (B#159739)
Authentication
Users can now be logged out by only providing the IP address without the user name. (B#158211) When a user group contained more than 1500 users, the group policy did not match for the users in the group due to an LDAP compare failure. (B#158246) The ProxySG no longer restarts when BCAAA doesnt respond to requests in time. (B#158684) The BCAAA Siteminder Agent no longer inserts the ? character instead of the & symbol when appending variables at the end of URLs. (B#159026) Fixed intermittent login issue with SiteMinder v6.0 SP5 where the user was sent back to the login page after entering the username and password. This issue only affected those who had disabled the Session max timeout setting on the SiteMinder server. Both SGOS and BCAAA have to be updated in order for the ProxySG to correctly handle this setting. (B#159530)
Cache Engine
Fixed the issue with high object store CPU utilization when deleting an object that was currently in use. (SR 2-375692482; B#160479)
CLI Console
The ProxySG no longer restarts due to a missing SSH configuration file that is created upon system initialization. This sometimes happened when two Directors were used to make configuration changes to the ProxySG at the same time. (B#158682)
Content Filtering
Websense URL filter database downloads now complete even when system memory is fragmented. (B#159114)
The keep-alive session is terminated after a time interval for service ticket expiration time. (B#158350)
13
Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419
Flash Proxy
The Blue Coat Director now properly represents the live traffic statistics for the Flash protocol. The Statistics > Protocol details > Streaming history > Current Streaming Data for the Flash protocol does not display as zero. (B#161174; SR 2377797322)
HTTP Proxy
Fixed the issue with IE8 on Windows 7, where cached objects were incorrectly flagged as requiring authentication when using Keberos connection-based authentication. (B#159128)
Management Console
The Management Console now shows the correct total streaming statistics for Windows Media. (B#158903)
SSL Proxy
ProxySG is configured to use OCSP to verify revocation status of certificates and has a CRL imported. If ProxySG received an OCSP response from a server that did not include a signing certificate, it could cause the ProxySG to reboot. This issue has been fixed in SGOS 6.2.2.1. (SR 2-369460521, B#158889)
Fixed high interface and CPU utilization that was due to a forwarding loop in a TCP connection-forwarding configuration where there was either active FTP proxy or Endpoint-Mapper configuration and the same configuration installed on two or more ProxySG appliances that are active members of the same cluster group. With the fix, wildcard listeners within the cluster are no longer announced, hence, TCP connection forwarding will not work for the Active FTP data listener or Endpoint-Mapper. (B#160563)
VPM
Installing large VPM-XML no longer causes the VPM Java applet to consume excessive memory and stall the policy installation. (B#159237)
Fixed an issue in which the ProxySG stopped processing traffic due to improper memory handling which required a restart of the device. (B#158293) Fixed ProxySG restarts in Process "RTSP_Server" when the RTSP Server worker tried to read packets from OCS while Client worker simultaneously received a PAUSE. This applied to RTSP over HTTP. (B#159154)
14
Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419
CLI Console
When you enter the show config command, a system restart is triggered if the accelerated PAC files contain invalid UTF8 characters. (B#161169)
DNS Proxy
When you configure a DNS server using IPv6 link-local address, the ProxySG does not respond to DNS requests. (B#158905)
Flash Proxy
Some video files, when streamed from Flash Media Server 4, may not finish correctly and the player may remain in a continuous buffering state after the video ends. For example, the player displays a spinning wheel on top of the video instead of a play button. If the application has a play list, the next video will not start playing automatically; the user will have to start the next video manually. (B#158720) There may be problems caching certain video files delivered via Flash Media Server 3.0. The workaround is to use bypass_cache(yes) policy to prevent caching these videos. (B#158954)
MAPI Proxy
Restart at 0x810002 in Process: "rpc.658/192.168.0.165:2475" in Keep-Alive logic when the proxy is downgraded to the batching only mode where KeepAlive is not supported. Outlook 2003 and 2000 do not have this behavior because they do not send multiple outstanding RPC Requests simultaneously. (B#161116; SR 2-374193623)
Policy
The ProxySG fails to match the policy request.header.cookie="sslallow" at CI checkpoint when apparent data type policy is present. (B#160176)
action.red(yes)
The workaround is to add a force_exception(policy_redirect, , ) action after the action.red(yes) action. This is only required when a policy condition depends on a server response, for example when high performance malware scanning is enabled. For example:
<proxy> condition=sslallow request.header.cookie="sslallow" action.rewtohttps(yes)
15
Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419
request.header.cookie="sslallow" action.red(yes) force_exception(policy_redirect,"","")
Having both trust-destination-mac and return-to-sender outbound enabled creates a routing issue that causes HTTP traffic to fail. The current workaround is to disable RTS outbound or to disable trust-destination-mac on the bridge. (B#158573)
VPM
The VPM IPv6 subnet evaluation for the url.address= policy does not permit certain valid IPv6 network addresses. The workaround is to create via local policy. (B#159993, SR 2-371139652)
16
Blue Coat SGOS 6.2.x Release Notes Section C: SGOS 6.2.1.4, build 71203
17
Blue Coat SGOS 6.2.x Release Notes Section D: SGOS 6.2.1.3, build 66659
"Whats New in 6.2.1.3" on page 18 "Resolved Issues in 6.2.1.3" on page 19 "Known Issues in SGOS 6.2.1.3" on page 19
Licensing Enhancements
For SG 300, SG 600, SG 900, and SG 9000 systems, license limits for concurrent users when ADN is enabled have been raised to equal the limits when ADN is not enabled. The one exception is the 300-5 model, which still maintains limits of 30 (without ADN) and 10 (with ADN). For WAN optimization deployments, Blue Coat recommends purchasing a ProxySG model based on the maximum number of client connections it needs to support, not the maximum number of users, since the connection limit is likely to be reached first; your channel partner SE or local Blue Coat SE can assist you with WAN optimization connection counts and sizing for your specific needs.
18
Blue Coat SGOS 6.2.x Release Notes Section D: SGOS 6.2.1.3, build 66659
Beginning May 21, Blue Coat is granting software SSL licenses for all SG 300, SG 600, SG 900, and SG 9000 systems, including systems previously sold. These licenses will be available to customers the next time their appliances connect with the Blue Coat licensing server. Rollout is scheduled to begin May 21, 2011 and will automatically take effect over the course of the following 30 days for most installed appliances. Customers wishing to enable this capability sooner can receive the updated licenses by directing their appliance to contact the licensing server any time after May 21.
SG 900/9000 no longer restarts when trying to re-allocate a host route for an IPv6 gateway route. (B#158846)
CLI Console
On multi-processor systems, the output of a CLI command sent through an SSH connection to the ProxySG no longer causes the SSH connection to hang. (B#158738, SR 2-370506110)
Content Filtering
Fixed the issue in which the ProxySG entered a state where it stopped the incremental updating of its local BCWF database. While the ProxySG was in this state, the application filtering information was unavailable. (B#159010)
CIFS Proxy
Fixed the software restart at 0x30000 in Process: "CIFS::Worker: Connection 9 (running)" when the OCS doesn't support the "NT LM 0.12" dialect. (B#159259, SR 2-371491907)
Active Session
Fixed the software restart at 0x11 in Process in "kernel.exe" at .text+0x24a89. Watchdog occurring while services admin is calling the active session module. (B#159313, SR 2-371805601, 2-371854318)
19
Blue Coat SGOS 6.2.x Release Notes Section E: SGOS 6.2.1.1, build 64600
"New WebGuide Available" "New Features in SGOS 6.2.1.1" "Resolved Issues in SGOS 6.2.1.1" on page 26 "Security Advisories" on page 30 "Known Issues in SGOS 6.2.1.x" on page 31 "Deprecations" on page 36
20
An SSL license is required for secure ADN on the Branch and the Concentrator peers. The following table illustrates which versions of Microsoft Outlook and Exchange are supported by a particular version of MAPI.
Exchange 2003 Outlook 2003 Outlook 2007* Outlook 2010* MAPI 2003 MAPI 2003 MAPI 2003 Exchange 2007 MAPI 2003 MAPI 2007 MAPI 2007 Exchange 2010* MAPI 2003 MAPI 2007 MAPI 2010
Application Filtering
With the new application filtering policy, you can filter content by Web application and/or specific operations or actions done within those applications. For example, you can create policy to allow users to post comments and chat in Facebook, but block uploading of pictures and videos. The two CPL conditions that allow you to create application filtering policy are:
url.application.name=NAME url.application.operation=OPERATION
21
where NAME is the exact spelling, spacing, and punctuation listed in the view applications CLI output, and OPERATION is the exact specification listed in the view operations output. Note that the application names and operations are NOT case sensitive. These conditions are not currently available in the VPM, so you will need to use CPL to update your existing policy file with the application filtering conditions you want to implement. This feature requires that you have a valid Blue Coat Web Filter (BCWF) license, which is available for no additional charge to current BCWF customers.
22
You can also click the help icon any of the reports or panels.
23
Report Changes
SGOS 6.2 adds granularity to the Traffic Mix report. On the ADN concentrator, the Traffic Mix report previously combined all the inbound ADN traffic into the InboundADN service or the InboundADN proxy bucket. For traffic generated in 6.2, the inbound ADN is now categorized into the various granular service or proxy buckets, but for traffic generated on prior releases, the inbound ADN is not categorized. Thus, the Traffic Mix report now shows inbound ADN traffic broken down into specific categories of traffic. In addition, the ProxySG is able to store certain report data in five-second increments over the last five minutes and 15-minute increments over the last 24 hours; this data provides increased granularity in reports. (Note that the Advanced Management Console does not currently offer reports that graph the last five minutesthese reports are available in the Blue Coat Sky UI.) As a consequence of this change, the above fine granular trend data is not available before the upgrade to SGOS 6.2 for Traffic History reports. If you view the Traffic History report for the last day, there will be no data points for the time before the upgrade.
24
With the introduction of the smtp subcommands, the following event-log CLI commands are deprecated:
#(config event-log) mail smtp-gateway {domain_name | ip_address} #(config event-log) mail from from_address #(config event-log) mail no smtp-gateway
25
Access Logging
Fixed internal issue where created FTP file name is not unique. (B#152506)
Authentication
LDAP authentication no longer fails with the error Could not determine full user name. (B#154899, SR 2-352888122)
Caching
Fixed the issue with stale client connections that sometimes occurred when multiple concurrent connections requested an object larger than 500KB whose response header did not contain content-length information, and was not chunked-encoded. (B#145695, SR 2-317195422) A single cache object can now be deleted via advanced URL. (B#151629, SR 2341552592)
CLI Console
Fixed the Exception: 0x40006 (CEA_OUT_OF_FREE_CACHE_BLOCKS) in Process "CEA Cache Administrator" in "" at .text+0x0. (B#149084, SR 2-330536732) The ProxySG appliance no longer closes the SSH session towards Director during the course of a session. (B#148892, SRs 2-329586429, 2-330623511, 2330669152, 2-330816212) Fixed the issue in which Web management console requests that required very large responses caused the appliance to run out of memory and restart. (B#149084, SR 2-330536732)
DNS Proxy
The links to view and delete DNS entries in the MC now work properly. (B#145809)
Event Logging
Taking a disk offline that has the main copy of the event log no longer results in an empty log. (B#141593)
26
Flash Proxy
When available bandwidth between the ProxySG appliance and OCS was insufficient, the playback experience for live streams was suboptimal. This issue has been fixed. (B#153929, SR 2-345163102) Video no longer stutters when viewing live news and other channels on www.rtve.es. (B#153921, SR 2-346602532) Fixed the issue in which a worker client connection might leak if the connection closed abruptly without finishing the initial handshake. (B#143303) The Configuration > Access Logging > General > Default Logging tab no longer displays none for Flash streaming. (B#143817) When playing audio-only live streams using version 10.1 of the Adobe Flash plugin, users no longer experience missing audio after a certain sequence of play/pause operations. (B#144180) When Flash Media Server is configured to use the AutoCloseIdleClients option, it no longer times out client connections accessing a live stream that is being split at the ProxySG. (B#141802) In a proxy chaining scenario, pausing a live stream no longer hangs the Flash application on the client end. When communicating with the Flash Media Server, if using HTTP/1.0 or nonpersistent connections, the Flash player no longer hangs. (B#152042)
HTTP Proxy
Fixed the issue in which denied requests appeared in the access log as TCP_ERR_MISS if a policy was defined to check response headers. (B#152503) YouTube videos can now be downloaded on an iPhone routed through a proxy. (B#150742, SR 2-337673439) Fixed the HTTP performance issue on the SG 9000-20. (B#151062, SR 2-339570243) The client worker no longer enters tunnel-on-error mode when both the client worker and server worker access the server socket. (B#150226, SRs 2-336369312, 2-338831809) Internet Explore 6 clients are now able to use Siebel 8 while proxied through the ProxySG appliance. (B#145241) When the ProxySG appliance has URL rewrite policy to rewrite request.header.Referer and request.header.Location, it no longer sends a Zero-chunk block twice when the response is chunk encoded data. (B#144623, SR 2-291847282) The ProxySG appliance now serves the cached copy when the client sends a request for a non-standard accept-encoding, such as x-gzip, and the object is already cached. (B#144684, SR 2-318001457)
27
IPv6
Fixed the issue that occurred when the local category database contained an IPv4 address, and the DNS lookup from the ProxySG appliance was always IPv4-only, regardless of the policy setting. (B#145286, SR 2-307821662)
Kernel
Fixed the issue with 64-bit platforms hanging while running Windows Media Streaming for video on-demand traffic. (B#152141)
When the server sends a compressed object and the ICAP server decides that the object needs to be replaced, the ProxySG appliance now sends a complete response to the client. (B#145318, SR 2-317171186)
Management Console
The advanced URL links in the Management Console now display in Firefox. (B#152185) The Proxied/Errored Sessions on the Active Sessions tab now sort correctly. (B#143988) The Configuration > Network > Adapters > Configure page now properly displays the link speed when a 10GB is installed in the ProxySG appliance. (B#145212)
Networking
The show attack-detection view connection now shows the connection count. (B#152374) For all intercepted inbound connections in a serial in-line failover configuration, the ProxySG now always replies to the client's MAC address and not the router's. (B#152461) The ProxySG appliance no longer restarts while handling fragmented and bad TCP checksum packets. (B#155873, SR 2-356001812, 2-357640952) A memory leak on the concentrator with HTTP over ADN traffic no longer causes the ProxySG appliance to restart. (B#151619, SR 2-355195770) Installing a static route or RIP route that overlaps with the interface route on the ProxySG appliance no longer cause pings to hosts on the same subnet or hosts through gateway route to fail. (B#144441) The ProxySG no longer restarts if bandwidth management was disabled while the system was under heavy load. (B#144958, SR 2-302190883) Fixed issues with bypass configuration. Setting to trigger on connect-error now works properly, and SGOS adds addresses to the dynamic bypass list. (B#145125)
28
The show configuration command now lists the mode for a failover group. (B#145609) TCP connections for misbehaving servers that do not properly close the connection no longer leave the connection open for an extended period of time. (B#145817, SR 2-320946712) Advertisements addressed to one SGRP group are not processed by other groups. With this fix, the backup ProxySG appliance no longer becomes the master when it isnt actually needed. (B#144800, SR 2-301696882)
Platform-Specific
SG9000
There is no longer a delay with the SG9000 front panel display during initial configuration. (B#137016) Fixed the configuration issue with 10GB interfaces; the CLI, Management Console, and Sky UI do not allow the speed of these interfaces to be adjusted. (B#145218)
Policy
Authentication policy checking user or realm now work reliability when ICAP is set to trickle mode. (B#148991, SR 2-327392552)
Security
BCAAA stack overflow vulnerability fixed. See Security Advisory SA55. (https://kb.bluecoat.com/index?page=content&id=SA55) Note: Because BCAAA for SGOS 6.2.x contains a security vulnerability fix, be sure to upgrade BCAAA even if you are already running version 130.
If the ProxySG appliance is not connected to the network, the restoredefaults factory-defaults operation no longer deletes the appliance factory certificate. (B#144621)
SNMP
Values for the ipNetToNetAddress entries of the ipNetTo table are now reported in the correct order, when snmpwalk or snmpget commands are run. (B#152232)
29
SSL Proxy
Using Windows 7 and IE 8 with TLS1.2, the FIN is sent back to the client; previously, the ProxySG appliance reset user connections and the OCS connection after getting the FIN from the OCS with TLS 1.2, resulting in a page cannot display error message on users screens. (B#148147, SR 2-334052225)
Streaming
In a proxy chaining deployment, there are no dangling connections after playing a VOD stream until the end of the stream through RTSP. (B#145118)
Updated Timezons.tar with the latest changes in DST for Sao Paulo, Brazil. (B#155961, SR 2-355283652)
Fixed the issue in which invalid ciphers displayed in the "Add Client Negotiated Cipher Object" window. (B#150306, SR 2-336439452) When rules are moved up and down, text in the Comments column is no longer deleted. (B#139384)
WCCP
Applying server side bandwidth management policy now functions correctly in WCCP deployments. (B#142616)
Security Advisories
To see if there are any Security Advisories that apply to the version of SGOS you are running, go to: https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS New advisories are published as security vulnerabilities are discovered and fixed.
30
ADN
A Branch peer running a release prior to SGOS 5.5.4 will not be able to form transparent tunnels with a Concentrator peer running 6.2 (or above). The Branch peer must be running SGOS 5.5.4 or higher.
Advanced URL
The Advanced URL statistics page for Core Images shows Internal customer release instead of Customer release. (B#159739; fixed in 6.2.2.1)
Authentication
The ProxySG resets when BCAAA does not respond to requests in time. (SR 2-360160382; B#156674; fixed as B#158684 in 6.2.2.1) BCAAA installs an expired CA Cert PEM. (B#148682) Users cannot be logged out by using the user-logins logout URL without providing the user name. (SR 2-355213592; B#155631; fixed in 6.2.2.1)
CIFS
The show cifs CLI command does not work if the URL contains spaces, even when the URL is enclosed in quotation marks. The workaround is to replace any spaces with %20. (B#155626)
Content Filtering
If the view applications CLI command does not display a list of the supported application names, its possible that your ProxySG has entered a state where it has stopped the incremental updating of its local BCWF database. While the ProxySG is in this state, the application filtering information is unavailable. The regular content categorization is still functional but is using a database that is not up-to-the-minute current. (B#159010fixed in SGOS 6.2.1.3) To restore the regular update cycle and the application filtering functionality, enter the following commands in the CLI:
#(config content-filter)provider bluecoat disable #(config bluecoat)purge #(config content-filter)provider bluecoat enable #(config bluecoat)download get-now
31
Since application name and operation were introduced into the bcreportermain_v1 log format with the Prowl release, use of that format by an access log may now cause CPU usage to increase by up to 5%. If this is undesirable, create a custom access log format that excludes these new fields. (B#157661)
Encrypted MAPI
Encrypted MAPI acceleration on the ProxySG has the following limitations:
Encrypted and plain MAPI traffic may be bypassed if 64-bit Exchange enterprise and Outlook clients are used. (B#156424) Outlook users must belong to the same domain as the Exchange server and the ProxySG. Multi-domain support is not available in this release. (B#158870) Outlook establishes NTLM connections with Exchange Server over Load Balanced Client Access Array solutions. NTLM connections are tunneled by the ProxySG appliance. Workaround: enable Kerberos support for Load Balanced solutions. (B#155098)
Flash Proxy
Dynamic streaming (play2) may cause video playback to stop in heavily bandwidth-constrained environments when a hierarchy of ProxySG appliances are caching the video. (B#156892, #156896) For Flash video clients that use pauses while seeking, such as Yahoo video, a ProxySG may not be able to cache content or play content from cache after a seek. (B#156268) For some Flash client/server application combinations, playback may freeze after doing a seek. To solve this problem, simply perform another seek and playback should resume. (B#157785) Some video files, when streamed from Flash Media Server 4, may not finish correctly and the player may remain in a continuous buffering state after the video ends. If the video is part of a playlist, the next video might not start playing; if this happens, you can manually play the next video. (B#158720) Advanced functionality, such as stream publishing, may not work optimally through the ProxySG. The ProxySG may have problems caching certain video files delivered via FMS version 3.0.x. The workaround is to use bypass_cache(yes) policy to prevent caching these videos. (B#158954)
HTTP Proxy
There is an issue downloading some YouTube objects via the ProxySG onto an iPhone. The workaround for this issue is to disable client side persistence. (B#155291)
32
When writing a policy to block a host found in an HTTP request and using the setting Trust Destination IP, some requests may not be blocked. A workaround is to use the resolved IP address for the host you want to block. (B#154935) Software restart in Process "HTTP Waiting Room" in "http.dll" at .text+0x93df7. (SR 2-358661832, 2-360499632; B#156140) When using WebFTP through the ProxySG appliance using a transparent setup with reflect client IP, FTP communications in active mode will not complete. Workaround: Use passive mode or disable reflect client IP. (B#145300) When accessing the advanced URL for the HTTP debug log and trying to delete an ICAP service, sometimes the service is not deleted. Please retry after the debug log has been downloaded fully from the browser. (B#147373) When the Clientless Limits feature is enabled and many clientless requests are in a deferred status, disabling the limit configuration might cause the ProxySG appliance to restart. To prevent, do not disable the limits when more than one thousand request are deferred. (B#143016)
ICAP
With ICAP and Patience pages both configured and downloading a file, the Save As dialog is not prompted with IE-8.0.6001.18702 and IE 7.0.5730.13. Blue Coat recommends using trickling. (B#151088)
IPv6
In an IPv6-only network (no IPv4 connections to the ProxySG appliance) with RCIP disabled, the ProxySG appliance requires the server_url.dns_lookup prefer-ipv6 policy to successfully resolve IPv6 DNS requests. (B#143668) DSCP over IPv6 is not yet supported. (B#143787)
Management Console
The Management Console (Statistics > Protocol Details > Streaming History) is not showing the correct values for Windows Media total streaming statistics. To get the accurate statistics, use the following advanced URL:
https://<ProxySG-IP>:8082/MMS/statistics
The default URL for the malware scanning policy update is not shown in the Management Console (Configuration > Threat Protection > Malware Scanning > Update malware scanning policy). You will need to type in the URL manually (https://bto.bluecoat.com/download/modules/security/SGv6/ threatprotection.tar.gz) and perform the update by clicking the Install button. Alternatively, you can update policy with the threat-protection CLI command. See the SGOS 6.2 Command Line Interface Reference for details on using this command. (B#158970)
33
MAPI Proxy
Endpoint Mapper does not restrict source IP for secondary MAPI connection interception. Workaround: add the IP address to the static bypass list. (B#154100) Encrypted MAPI connections are bypassed when Outlook generates the user name in User Principal Name format (username@domain). This issue does not occur when the user name is specified in "Down-Level Logon Name" format (domainname\username). (B#157163) Domain controllers have group policies that define the Kerberos service ticket lifetime. To decrypt/encrypt MAPI traffic, the MAPI proxy negotiates the Kerberos security context that expires after the service ticket lifetime is reached; the core ProxySG resets encrypted MAPI connections once this ticket lifetime is reached. (B#158350; fixed in SGOS 6.2.2.1)
Platform-Specific
SG210-5
The SG210-5 is not supported on SGOS 6.2 or higher because this release provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.
When installing a new license on a ProxySG 300 in trial mode to increase the limits for HTTP connections, the ProxySG appliance must be restarted before the new limits take effect. (B#153815)
SG9000
If an onboard nVidia network interface on the SG9000 platform is configured to auto-negotiate and the device it is connected to is set to 100/full, there is a possibility that the interface will lock up. Once the NIC gets into this state, a power cycle is required to get the NIC back to a functional state. This is a hardware issue nVidia has documented. To resolve this issue, reconfigure the ProxySGs NIC and the external devices NIC to auto-negotiate or to matching speed/duplex settings. Note that this is the recommended configuration for Gigabit interfaces. (B#144158, SR 2-313781541)
ProxySG VA
Under rare circumstances, the ProxySG VA can issue spurious Watchdogs exceptions. There is no unique signature to this failure the appliance will fail with HWE 0x11 and SWE 0x02. This failure usually occurs after the product has experienced a period of load, followed by a sustained idle period. (B#157534)
34
Services
During high load, a watchdog timeout may be encountered in services admin due to internal locking issues. (B#158567)
In a software bridge with two interfaces attached and Propagate Failure enabled, when one of the interfaces goes down, the other interface also goes downas seen on the device LEDs. (They do not glow for either interface.) However, the Management Console and the show bridge config CLI output show that the link is connected, even though it is not. In addition, when the CLI is reporting this misinformation, event logs will also be generated in the following format:
2011-04-22 20:55:14-00:00UTC "Interface Health Check: Interface 1:2 is up." 0 30209:1 event_logger.cpp:31
This issue is seen only on the Broadcom NICs (integrated or option). (B#154604)
An extraordinarily large connection forwarding table might cause the ProxySG appliance to stop responding to management console requests. (B#144396). For very high bandwidth-delay links using the SCPS feature, it may be necessary to manually set the ADN window size to maximize throughput. Consider manually increasing the ADN window size with satellite links that have more than 14 Mbps of available bandwidth. Note that the ProxySG needs to be restarted for the window size setting to take effect. (B#153174) On the ProxySG 9000-20, CPU3 runs at 100% due to IP fragmentation. (B#151889) Workaround: See Knowledge Base solution 3790 (https://kb.bluecoat.com/ index?page=content&id=KB3790). Link propagation on the optional Intel fiber card: One of the interface remains down while the other interface fluctuates between up and down states; this is triggered when link propagation is enabled on the fiber card and one interface that is part of the bridge losses link and the other does not. (B#150676) After executing a "restore-defaults keep-console," the bridge settings are not preserved on the ProxySG 300, 600, and 9000 platforms. (B#158649) When Bypass Keep-Alive is enabled, only the bypassed connections that are received after it is enabled apply; pre-existing connections continue to exist without sending keep-alive. (B#144923)
SOCKS Proxy
SOCKS services are unavailable on MACH5 licensed ProxySG appliance deployments. (B#152664)
35
SSL Proxy
The certificate revocation list (CRL) from Comodo (http://crl.comodo.net/ UTN-USERFirst-Hardware.crl) can cause the ProxySG to reset when doing certificate verification; Blue Coat recommends that this CRL not be loaded into the ProxySG. (B#158889)
Virtual Appliance
When the ProxySG VA is under a heavy load and has high RAM usage, the memory alarm might trigger in vCenter Server. Since the ProxySG VA has its own health monitoring system for memory state, you might want to disable the memory alarm in vCenter. (B#147090)
Installing large VPM-XML causes the VPM Java applet to consume excessive memory and stalls the policy installation. (B#157623; fixed in SGOS 6.2.2.1)
The ProxySG appliance fails to play video files with more than 200 KB SDP header. (B#152909)
Explicit/SOCKS connection through the ProxySG appliance with Yahoo 8.1 clients: file transfer are successful but no statistics representing as such. (B#141470)
Deprecations
The following CPL properties and CLI commands have been deprecated.
CPL Properties
In the ftp.server_data( ) CPL property, the port and pasv arguments have been deprecated. If you install existing policy with these arguments, they will automatically get converted to active and passive.
CLI Commands
event-log
The following event-log CLI commands are deprecated:
#(config event-log) mail smtp-gateway {domain_name | ip_address} #(config event-log) mail from from_address #(config event-log) mail no smtp-gateway
36
proxy-processing
The proxy processing feature was deprecated starting with SGOS v5.5. In SGOS v6.1.2, the Proxy Processing tab was removed from the Management Console, but the feature can still be configured via the CLI. Since proxy processing will be completely removed from an SGOS release in the future, Blue Coat recommends that you discontinue using this feature and deploy a separate secure web gateway to handle proxy processing. The following CLI command is deprecated:
# (config adn tunnel) proxy-processing http {enable | disable}
37
Director
Director might become unresponsive when executing a profile or restoring a backup on a ProxySG appliance. Director must be rebooted when this issue occurs.
Management Console
After you apply changes and see the message Changes were committed to the SG actually takes the ProxySG about 30 seconds to process the changes. Do not restart the ProxySG during this processing time or you may lose the changes you made.
Licensing
The product description in the licensing component may show as SGOS 5.x even after upgrading to 6.x; SGOS 5.x reflects the version that the system was manufactured with. (B#145068)
SSL/TLS
Due to security reasons, MD2 support for certificate verification has been removed from openssl by default (starting with version 0.9.8m). As a workaround, disable protocol detection from a specific website <web_addr>:
if url=<web_addr> detect_protocol(no) ((B#159333)
When multiple network IP addresses are configured on the same interface, the ProxySG uses the wrong IP address when connecting to an external device. To avoid this issue, Blue Coat recommends that customers requiring multiple IP support should use a unique interface for each subnet. (B#158585)
38
Section G: SGOS 6.x Support Files and Support for Other Products
This section lists third-party products that interact with the ProxySG appliance.
Support Files
This section provides links to files and documents referenced in the ProxySG appliance documentation set.
https://bto.bluecoat.com/doc/13282
http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-0.xsd http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-1.xsd
Microsoft Windows 2000 Pro (SP4 or later) Windows XP (SP2 or later) Windows Vista
Supported browsers means the browsers on which Blue Coat tested SGOS 6.2. Other browsers might work, but are not guaranteed by Blue Coat.
39
Notes
On the Java download page, Java naming conventions refer to JRE 5.0 and JRE 1.5 interchangeably. JRE 5.0 is the new name for JRE 1.5. Blue Coat recommends that you use Internet Explorer to download JRE because it downloads the correct version of JRE. Firefox attempts to install the latest JRE, which might not be compatible with the Management Console. When you start the ProxySG appliance Management Console for the first time after upgrading to SGOS 5.4 or later and your currently installed JRE is earlier than 1.5.0_15, your Web browser attempts to download a more current JRE. You might experience a problem downloading the latest supported JRE through the Management Console if: The browser does not support automatic download. The automatic download hangs. The Java Installer displays an error: HTTP Status Code=302 followed by a popup that Java 1.5.x cannot be downloaded.
If you experience any of these issues, enter the following URL to get to the Java download page (if the automatic download hangs, first terminate the download):
http://www.oracle.com/technetwork/java/index-jsp-141438.html
Network delays and/or slow processor speeds might affect JRE performance, slowing the display of Management Console menu selections and options. Enable the auto-detect encoding feature on your browser so that it uses the encoding specified in the console URLs. The browser does not use the autodetect encoding feature by default. If auto-detect encoding is not enabled, the browser ignores the charset header and uses the native OS language encoding for its display. If your system is running JRE 1.6_05, the VPM Help system does not display or function correctly. If you upgrade JRE from a lower version, clear the browser private data.
40
41
Reporter
This release is compatible with the following Blue Coat Reporter releases:
ProxyClient
ProxyClient versions 3.1.x, 3.2.x, and 3.3.x are compatible with SGOS 6.2. To download the latest version, refer to the Blue Coat ProxyClient Release Notes.
Anti-Malware
The Blue Coat ProxySG appliance with ProxyAV integration is a highperformance Web anti-malware solution. For more information, refer to the Blue Coat Web site. This release is compatible with Blue Coat AVOS 3.x. SGOS 6.2.x works with the following third-party implementations of ICAP:
Symantec AntiVirus Scan Engine (SAVSE) 4.3, version 4.3.0.15; ICAP 1.0 WebWasher 5.3, build 1953; ICAP 1.0
Instant Messaging
This section details the Instant Messaging proxy support for English language versions. While some versions of AIM and Windows Live Messenger (WLM) are not officially supported, they work in most situations. Video and audio are not supported with any of the Instant Message protocols: MSN, Yahoo, AIM, and WLM.
AIM 6.5
Limited
This version was not officially tested, but full proxy support should work. See "Partially Supported IM Protocol Versions" below. AIM 6.8 is supported in explicit SOCKSv5
AIM 6.8
Yes
and HTTP/HTTPS proxy configurations only. For AIM 6.8 support, you must purchase and import a CA signed SSL certificate on the ProxySG appliance.
AIM 6.9 Windows Messenger 4.x Limited Yes This version was not officially tested, but full proxy support should work. (4.0-XP, 4.7-XP+SP2)
42
Table 1-1. IM Client Compatibility Matrix Client Version SGOS 6.x Support Comments
Windows Messenger 5.x MSN Messenger 7.0 MSN Messenger 7.5 WLM 8.0
Yes Yes Yes Yes Name changed from MSN to Windows Live Messenger (WLM); Microsoft deprecated this version in favor of WLM 8.1. In 2007, Microsoft rendered as obsolete all versions previous to 8.1 because of a security issue. Beginning November 9th, 2009, clients are required to upgrade. In 6.x, WLM 2009 is tunneled. This version is also known as version 14.0. Beginning November 9th, 2009, Messenger 2009 (version 14) users must upgrade their clients. Users who have already installed the latest version, which was released Aug 18th 2009 (Build: 14.0.8089.726), are not required to upgrade. In April 2008, Yahoo! retired these client releases. This is the last version that supports Windows 98 and Windows ME.
WLM 8.1
Yes
Yes Yes
AIM 6.x If a SOCKS proxy is configured in the client's Internet Explorer (IE) settings: SOCKS proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally. SOCKS proxy with detect protocol enabled on the ProxySG appliance: The client can log in and chat with a thirty-second delay.
43
HTTP proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally HTTP proxy with detect protocol enabled on the ProxySG appliance: The client login fails after about 30 seconds with the message Connection lost.
Transparent deployment: AIM 6.1 cannot log in if an SSL service is configured on port 443. AIM can log in, with a 30-second delay, if a TCP tunnel service is configured on port 443 with protocol detection enabled. AIM can log in if the SSL forward proxy is also enabled and the ProxySG appliance appliance's certificate is installed as the root certificate on the client's IE browser. The client can log in and chat unless the SSL connection is intercepted by the SSL forward proxy. Supported deployments, if the SSL connection is not intercepted by the SSL forward proxy include transparent/TCP tunnel on port 443, transparent/SSL proxy on port 443, and HTTP proxy or SOCKS proxy.
AIM 6.5
To deny login for AIM 6.0, 6.1 clients, and for transparent proxy deployments of AIM 6.5 and 6.8 clients, the following policy can be used:
<Proxy> DENY url.host=kdc.uas.aol.com
Policy
Ask.com has changed its SafeSearch mechanism from a cookie-based one to a query-string based mechanism. If you are using the SafeSearch policy in your network, to ensure that undesirable mature content is blocked, please update the SafeSearch policy as shown below (B#141182): Replace
; === SafeSearch for Ask === ; ; === BC_SafeSearch_Ask Domains/Hostnames === define condition BC_SafeSearch_Ask_Domains url.domain=ask.com url.host=!wzus.ask.com url.host=!mystuff.ask.com url.domain=ask.co.uk url.host=!wzus.ask.com url.host=!mystuff.ask.com end
44
; ; === BC_SafeSearch_Ask Rules === <proxy BC_SafeSearch_Ask_cookies> condition=BC_SafeSearch_Ask_Domains request.header.cookie="adt=|adlt=" action.BC_SafeSearch_Ask_Cookie_Rewrite(yes) action.BC_SafeSearch_Ask_Cookie_Addition(yes) ; ; === BC_SafeSearch_Ask Defines === define action BC_SafeSearch_Ask_Cookie_Addition append(request.header.cookie, "gset:adlt=0") end define action BC_SafeSearch_Ask_Cookie_Rewrite #if release.version=5.4.. rewrite(request.header.cookie, "(.*)adt=(.*)", "$(1)adt=0$(2)") #endif rewrite(request.header.cookie, "(.*)adlt=(.*)", "$(1)adlt=0$(2)") end ; With ; === SafeSearch for Ask === ; ; === BC_SafeSearch_Ask Domains/Hostnames === define condition BC_SafeSearch_Ask_Domains url.domain=ask.com url.host=!wzus.ask.com url.host=!mystuff.ask.com url.domain=ask.co.uk url.host=!wzus.ask.com url.host=!mystuff.ask.com end ; ; === BC_SafeSearch_Ask Rules === Blue Coat SGOS 5.4.x Release Notes 94 <proxy BC_SafeSearch_Ask_cookies> condition=BC_SafeSearch_Ask_Domains url.query.regex="adt=" action.BC_SafeSearch_Ask_Query_Rewrite(yes) ; ; === BC_SafeSearch_Ask Defines === define action BC_SafeSearch_Ask_Query_Rewrite rewrite(url, "(.*)adt=(.*)", "$(1)adt=0$(2)") end ; ;
45
RSA SecurID
SGOS 6.2.x supports RSA 6.0 with SecurID.
SOCKS
SGOS 6.2.x supports SOCKS v5, authentication protocol v1.
Streaming
Streaming support is limited to the following players and servers:
The ProxySG appliance supports the following versions and formats: Windows Media Player 7-12 Windows Media Server 9 Microsoft Silverlight
Important:
SGOS 6.x does not support older Windows Servers that do not support WM-HTTP when NTLM authentication is enabled. Newer Windows Clients, such as 11.x, do not support the MMS protocol. Silverlight is supported in SGOS 6.x; however, it must use WM-HTTP streaming protocol for streaming Windows content. WM-HTTP is also known as MS-WMSP.
The ProxySG appliance supports the following Real Players and Servers: RealOne Player, version 2 RealPlayer 8 and 10 RealServer 8 through 10 Helix Universal Server Helix Player 11
The ProxySG appliance supports the following versions and servers, but in pass-through mode only: QuickTime Players v7.x, 6.x, and 5.x Darwin Streaming Server 4.1.x and 3.x
Version 10.x
46
FF 3.x
WCCP
SGOS 6.2.x was tested with several releases of Cisco IOS: 12.0.7, 12.1.6E, 12.2.18. For a list of Cisco platforms that support L2 packet return, go to www.cisco.com.
47
Copyright 1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, ProxyOne, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY BLUE COAT) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Americas: Blue Coat Systems, Inc. 410 N. Mary Ave. Sunnyvale, CA 94085
Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland
48