ProxySG Performance: Thank you for joining today’s Blue Coat Customer Support Tech


ProxySG Performance

Thank you for joining today’s Blue Coat Customer Support Technical Webcast!
- The Webcast will begin just a minute or so after the top of the hour to allow today’s very large audience sufficient time to join
- You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
- Audio broadcast will only go live when the Webcast begins – there will be silence until then
- The Presentation will run approximately 60 minutes
- There will be a 30-minute Q/A session thereafter
- Please submit questions using the Webex Q/A feature!

ProxySG Performance Webcast
Paul Kao, Director Product Management
paul.kao@bluecoat.com
December 16, 2014

Agenda
- ProxySG Overview
  - Architecture (SGOS, CW, SW, Policy checkpoints)
  - System resources/metrics
- Performance Model
  - Factors Impacting Performance
  - Authentication, ICAP, Policy, SSL, misc.
- Critical Resource Monitoring
  - CPU, Memory, CW, network
- Troubleshooting Performance Problems
  - Baseline, CPU monitor, Policy trace, Sysinfo


ProxySG Overview

SGOS Overview
- SGOS is a secure, hardened and proprietary OS developed by Blue Coat to be robust and scalable at the highest levels of performance
- It is unlike other operating systems
  - Microkernel, message pass architecture using “admin” and “worker” model for processes
  - Run to completion semantics
  - Uses an object store (cache engine/cache admin), no file system, no directory structure
- Policy is deeply integrated into SGOS
  - Checkpoints at entry/exit of proxy traffic flow to evaluate policy transaction

SGOS Architecture
- Client Worker (CW) – Processes HTTP session between SG and client
- Server Worker (SW) – Processes HTTP session between SG and OCS
- Retrieval Worker (RW) – Pipeline and keeps the content of the cache fresh
- Specialized Worker – Handles a specific protocol, like streaming, CIFS, etc.

Policy Checkpoints
- Workers provide available information to policy
- Policy transaction re-evaluated at each check point
- Policy decisions are stored in a policy ticket
  server-url.domain=
  http.response.apparent-data-type=
  client.address=
  set(response.header.Set-Cookie, “x”)

ProxySG Appliance Physical Resources
- Core appliance resources are: CPU, Memory, Disk, Network Interface
- CPU
  - No CPU throttling – continue to handle more load until appliance is at CPU limit (assuming other resources are available). At this point, requests take longer to process, with longer transaction times.
- Memory
  - Threshold Monitor (TM) engages at 80% memory pressure, goes into regulation, which limits HTTP acceptance to reduce rate of processing new incoming connections.
- Disk
  - At high disk utilization, back off mechanisms will engage to maintain throughput at the expense of cache efficiency (disk read/writes)
- Network Interface
  - Will trigger event log if network interface is saturated (TCP livelock)

ProxySG Appliance Metric: User count & Client Worker
- Appliance has fixed CPU/Memory/Disk/Network resources
- One additional metric – “Licensed Client IP”
- From a sizing perspective, “Licensed Client IP” is the maximum unique IPs that a given SG appliance should handle
- Usually, Client IP is synonymous with user/employee
- Licensed Client IP
  - A “soft” limit on HW appliances
  - A “hard” limit on Virtual appliances
- Performance of appliances constrained by available number of HTTP/TCP-Tunnel “Client Workers” (CW) for processing
- Each appliance model has its own CW limit
- CW limit does not limit any other TCP session on SG
- CW limit is only a count of active client side sessions

Performance Model

Factors impacting Performance
- Client
- Network deployment
- Authentication mode
- DNS, Content Filtering
- ICAP REQMOD (DLP)
- ICAP RESPMOD (CAS)
- System services, logging
- Policy
- SSL

Performance Factors 1. Client

1. Client Side
- Client to SG connection (client side)
- Limited by HTTP/TCP-Tunnel CW
- User (client IP) is not an enforced metric. User is a model for sizing
- CW limit does not include other TCP sessions (auth, ICAP, bypass, )
- Don’t confuse TCP-Tunnel proxy CW as the TCP connection limit!!!
- S-Series hardware
  - S-series models – 5 connections/per user (user = unique client IP)
- Examples:
  - Financial trader, 50 conns per user
  - Kiosk, 1 connection per user

Performance Factors 2. Network Deployment

2. Network Deployment
- Network 101
  - Link/duplex settings
- WCCP
  - GRE vs L2
  - Set MTU appropriately to avoid fragmentation with GRE
- Physically Inline (bridging)
  - Good for smaller sites
  - Larger sites with significant non web (bypass) traffic that can consume network resources

Performance Factors 3. Authentication Mode

3. Authentication
- Evaluated at CI
- Choice of Authentication mode can impact performance
  - Explicit proxy with NTLM: SG issues a 407 challenge for each connection
  - IP Surrogate: After initial authentication, will use authentication cache
  - Kerberos: credentials validated without need to contact DC
- NTLM does not scale well
  - NTLM credential cannot be cached, and must be validated by DC
  - Default Windows configuration processes only one request at a time via Schannel
  - Exacerbated by latency and load on DC (SG-DC or SG-BCAA-DC)
- Kerberos preferred for scalability

Performance Factors 4. DNS, Content Filtering

4. DNS, Content filter
- DNS
  - Not a high consumer of CPU, but can be cause of latency
  - If external DNS servers are slow/overloaded, Proxy will amplify the problem
  - Use caution for policies/logging that trigger RDNS lookups
- Content Filtering (evaluated at Client In)
  - BCWF
    - Efficient categorization for high performance
    - Settings for lower memory footprint appliances
  - Web Pulse DRTR
    - Minimal overhead

Performance Factors 5. ICAP REQMOD (DLP)

5. ICAP General & ICAP REQMOD
- ICAP – Internet Content Adaptation Protocol
  - Used to vector both REQuest and RESPonse traffic for scanning
- ICAP – General Performance considerations
  - Persistent connection with re-use
  - Sufficient ICAP connections to handle throughput or queuing will occur
  - Relatively “expensive” – content must be sent over ICAP
  - Policy dictates how much content is sent (ICAP best practices)
  - Worst case is all content sent to ICAP
- ICAP REQMOD evaluated at CI (before Server Out)
  - Scan data on outbound request
  - Scanning POST body data
  - Incremental cost due to low volume of data (POST body data)

Performance Factors 6. ICAP RESPMOD (CAS/AV)

6. ICAP RESPMOD (Content Analysis)
- Evaluated at Server In (SI)
- Higher cost due to volume of incoming request data
- For ICAP RESPMOD, cache to disk for performance (no need to return payload when response is 204 No Modification)
- Infinite Streams
- ICAP deferred connections
- ICAP mirroring (SG6.5)
- Secure ICAP
  - SSL cost in initial connection setup
  - SSL overhead of bulk encryption low


Performance Factors 7. System Services

7. System Services
- Access logging
  - Log entry written when connection is complete
  - A few percent overhead when enabled
  - Obviously more overhead if multiple log facilities in use
- Health Checks
- SNMP
- Attack Detection
- Failover, SGRP (VRRP)
- Connection Forwarding
- Scripts, polling of local policy
- Snapshots, Debug logs

Performance Factors 8. Policy

8. Policy and CPU
- Policy impact can range from minimal to majority of CPU cost on SG
- Look for policy best practices
  - Avoid regexes, order rules most likely to match first, group rules, etc.
- A point of reference
  - Policy used for SWG/ICAP/SSL consumes about 15% of total CPU
  - Scale appropriately for higher/lower policy usage
  - Variation across platforms
- Only use as a rule of thumb
  - Not guaranteed to be exact
  - May change in the future

Performance Factors 9. SSL

9. SSL Intercept

ProxySG Performance Webcast Questions

Q21: Is it common to see a small amount of traffic bound for blocked URLs on our outside sensors? Is this part of the handshake process before the block is implemented?

Q22: Good morning. Regarding the licensed client IP. Is there a way for us to identify the “soft” limit on the ProxySG’s GUI or CLI?

Q23: Is there a way to monitor the number of CWs in use?

Q24: What is the cost of running Trace layers (80 and 443) in the VPM?

Q25: What might it indicate if the memory utilization is significantly higher than the CPU utilization on average?

Q26: For bandwidth performance issues. Is there a way to see who is downloading what in real-time?

Q27: If the network throughput is above the recommended threshold by Blue Coat but CPU is still normal, will this cause any issue on performance?

Q28: From a performance standpoint. What are the recommendations around attack detection and delete on abandonment?
