BlueCoat Advanced Secure Gateway

The BlueCoat ASG is a series of proxy appliances, sold by Symantec, that are commonly deployed for a combination of proxy roles, such as:

  • Forward Proxy
    • HTTP/S Web Proxy to Internet
    • SOCKS Proxy to Internet
  • Reverse Proxy
    • ActiveSync Proxy to Microsoft Exchange
    • Oracle OAM Proxy to Oracle Authentication

Once you get past the fact that the Admin Panel runs Java (eww), they aren't bad boxes to configure and use; but if you're coming at these from a Networking background, be warned: everything is split out into a different section of the UI, and not much is where you'd expect it to be.

The Scenario

My scenario used the Virtual IP (VIP) functionality to offload some Reverse Proxy work to a downstream appliance, which sits behind the BlueCoat so that it can (in future) perform some DPI and other bits and pieces. I needed to create one VIP address, but have it forward three TCP ports/services:

  • SOCKS (Running on TCP/80)
  • SSH (TCP/22)
  • RDP (TCP/3389)

The Proxy VIP (BlueCoat VIP) is 10.99.99.99.

The Downstream Proxy Real IP (the address the BlueCoat forwards/NATs to) is 10.98.1.2.

Coming from a Networking background, my mind went to NAT, VIPs and Load Balancer Groups; but BlueCoat doesn't play ball that way.

Elements to Configure

The following sections of the Admin Panel/BlueCoat Configuration need to be modified to achieve this:

  • Proxy Services
  • Forwarding Hosts
  • Forwarding Host Groups
  • Visual Policy Manager (Forwarding Layer)

So let's crack on.

Proxy Services

  1. From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Services -> Proxy Services
  2. Add your "Custom Service Groups" (mine is called "CustomGroup")
  3. Add your SOCKS/SSH/RDP Service Group elements, under the "Custom Service Groups" section
  4. Set these to "Intercept", and Source to "All" (or the specific downstream user subnets that should be able to reach the VIP)
  5. Click "Apply" (bottom-right) when done

Forwarding Hosts

  1. From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Forwarding -> Forwarding Hosts
  2. Add your "Forwarding Hosts", one per TCP port/service you want to forward (I have three)
  3. Within each Forwarding Host, set the "Type" to "Server", point it at the Downstream Proxy Real IP (10.98.1.2), and specify the relevant "TCP:" port you want to use
  4. Click "Apply" (bottom-right) when done

Forwarding Host Groups

  1. From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Forwarding -> Forwarding Hosts -> Forwarding Groups
  2. Define a custom Group Alias (mine is "Custom-Group") to use as the Group container for the three Forwarding Hosts you entered
  3. Add your three Forwarding Hosts to the Custom Group
  4. Click "Apply" (bottom-right) when done

Visual Policy Manager (Forwarding Layer)

  1. From BlueCoat Admin Panel, navigate to Proxy -> Configuration -> Policy -> Visual Policy Manager -> Launch
  2. Within the "Forwarding Layer", add a rule whose destination is your VIP address (10.99.99.99) followed by a trailing colon (:) and no port, with the Service set to "Any"
  3. Tie this rule to a new Action called "Action-CustomGroup"
  4. Edit "Action-CustomGroup" so that it uses the Forwarding Host Group you defined earlier (Custom-Group), and set it to "Deny the request" if the Forwarding Host Group (i.e. all the TCP ports within that Group) is unavailable
  5. Within VPM, apply the policy to the BlueCoat ASG: navigate to File -> Install Policy on SG Appliance
  6. Party on down, we're done!
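Once the policy is installed, the useful check is not "does the VIP accept a TCP connection" but "does each port answer as the protocol it is supposed to forward". The script below is an added example, not part of the original post or a Symantec/BlueCoat tool: it opens each VIP port, sends the smallest possible protocol hello (a SOCKS5 greeting, nothing for SSH since the server speaks first, an X.224 Connection Request for RDP) and classifies the answer as ok, unexpected (connected, but the wrong thing replied, which is what a forward landing on the wrong host or port looks like) or unreachable. The VIP address and port/service mapping are taken from the post; the loopback stub servers and the `demo()` function are constructed stand-ins for the downstream proxy so the example runs offline.

```python
import socket
import threading

# Values from the post: the BlueCoat VIP and the three TCP services it forwards
# to the downstream proxy (SOCKS on 80, SSH on 22, RDP on 3389).
VIP = "10.99.99.99"
VIP_SERVICES = {80: "socks", 22: "ssh", 3389: "rdp"}

# Minimal protocol "hello" per service and what a genuine server answers with:
#   SOCKS5: client greeting (version 5, one method: no-auth) -> reply starts 0x05
#   SSH:    server speaks first, with an "SSH-" identification string
#   RDP:    TPKT + X.224 Connection Request -> TPKT (0x03) carrying an X.224
#           Connection Confirm (0xd0 at offset 5)
SOCKS5_GREETING = b"\x05\x01\x00"
RDP_X224_CR = b"\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00"


def probe_service(host, port, service, timeout=3.0):
    """Connect to host:port and check that the peer behaves like `service`.

    Returns "unreachable" (no TCP connection), "ok" (connected and the reply
    matches the protocol) or "unexpected" (connected, but the reply is wrong,
    missing, or the connection was reset).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        sock.settimeout(timeout)
        try:
            if service == "socks":
                sock.sendall(SOCKS5_GREETING)
                return "ok" if sock.recv(2)[:1] == b"\x05" else "unexpected"
            if service == "ssh":
                return "ok" if sock.recv(64).startswith(b"SSH-") else "unexpected"
            if service == "rdp":
                sock.sendall(RDP_X224_CR)
                reply = sock.recv(16)
                good = len(reply) >= 6 and reply[0] == 0x03 and reply[5] == 0xD0
                return "ok" if good else "unexpected"
        except OSError:  # timeout or reset after connecting
            return "unexpected"
    raise ValueError(f"unknown service: {service}")


def check_vip(host, services, timeout=3.0):
    """Probe every port the VIP is meant to forward; returns {service: status}."""
    return {svc: probe_service(host, port, svc, timeout) for port, svc in services.items()}


# --- Constructed stand-ins for the downstream proxy, used only by demo() -----

STUB_REPLIES = {
    "socks": b"\x05\x00",                         # SOCKS5: no-auth method accepted
    "ssh": b"SSH-2.0-stub\r\n",                   # SSH identification string
    "http": b"HTTP/1.0 400 Bad Request\r\n\r\n",  # a forward that hit the wrong service
}


def _serve_once(listener, reply, wait_for_client):
    conn, _ = listener.accept()
    with conn:
        if wait_for_client:  # SOCKS waits for the client's greeting before replying
            conn.recv(64)
        conn.sendall(reply)
    listener.close()


def start_stub(kind):
    """Listen on a random loopback port, answer one connection, return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_once,
                     args=(listener, STUB_REPLIES[kind], kind == "socks"),
                     daemon=True).start()
    return listener.getsockname()[1]


def closed_port():
    """Pick a loopback port with nothing listening (bind, read it back, close)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """All three outcomes against loopback stubs instead of the real VIP: SOCKS
    answers correctly, the "SSH" forward lands on something speaking HTTP, and
    the RDP port is closed (the forward is missing altogether)."""
    services = {start_stub("socks"): "socks", start_stub("http"): "ssh", closed_port(): "rdp"}
    return check_vip("127.0.0.1", services, timeout=2.0)


if __name__ == "__main__":
    print(demo())  # {'socks': 'ok', 'ssh': 'unexpected', 'rdp': 'unreachable'}
    # Against the real appliance, from a client subnet allowed in the Proxy Service:
    # print(check_vip(VIP, VIP_SERVICES))
```

Run it from a host in one of the Source subnets you allowed in the Proxy Service, since the VIP will not answer from anywhere else. An "unexpected" on a port usually means the Forwarding Host for that port points at the wrong port on 10.98.1.2; "unreachable" on all three means the VPM rule or the Forwarding Host Group is not being matched at all.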

Wrapping it up

BlueCoat ASG will quite happily let you define a collection of individual Forwarding Hosts, each with its own TCP port, and the VPM will then let you reference those individual Forwarding Hosts directly in the Forwarding Layer; but configured that way it won't actually forward the VIP traffic, and will fail miserably. The hosts have to be wrapped in a Forwarding Host Group, with the VPM action pointed at the Group.

The above seems to be the "BlueCoat Way" of doing this, and definitely works.