This article outlines the Best Practices to configure BlueCoat Proxy SG for use with Symantec Protection Engine (SPE) version 7.x
Please refer to the following areas to ensure that Best Practices are applied to the BlueCoat/Protection Engine environment.
*** Deployment ***
In proxy-enabled environments, it is recommended to deploy a minimum of two (2) Symantec Protection Engine dedicated physical servers.
Additionally, if a local filesystem AntiVirus software (such as Symantec Endpoint Protection) is installed on the same server, then all of the temporary folders used by Symantec Protection Engine must be excluded from realtime antivirus scanning.
*** New ICAP Services ***
The ICAP client configuration on the BlueCoat proxy should reflect the new services introduced in Symantec Protection Engine 7.0.x, as follows.
- New RESPMOD service: SYMCScanRespEx-AV
- New REQMOD services: SYMCScanReqEx-AV, SYMCScanReqEx-AV-URL
Below is an example of how the BlueCoat ICAP Service should be configured for SPE:
*** Reduce TIME_WAIT timeout ***
When too many socket connections are used in small amount of time, most of the connections go into TIME_WAIT state.
This behaviour may result into the unavailability of the further connections and eventually leads to an unresponsive system.
In order resolve this issue, please follow the steps below.
OS related settings for client machine only:
On RHEL systems the parameter TCP_TIME_WAIT_INTERVAL can be changed using the file /proc/sys/net/ipv4/tcp_tw_recycle . Its value is zero(disabled) by default.
- cat /proc/sys/net/ipv4/tcp_tw_recycle
- echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
Use the "ndd -get" command to see the current value and set command to specify a new value.
- ndd -get /dev/tcp tcp_time_wait_interval
- ndd -set /dev/tcp tcp_time_wait_interval 30000
*** Malformed Containers ***
Symantec Protection Engine (SPE) may consider some of the files accessed by end users as "malformed containers".
By default, SPE is configured to "block" malformed containers, therefore in certain situations, the end users may be denied the access to some web pages.
To change the behaviour, SPE can be configured to just "log only" such verdicts.
*** Minimum scanning threads ***
It is recommended to increase the number of minimum scanning threads initialised by SPE at startup. To do so, please follow the steps below:
- Stop the Symantec Scan Engine service.
- Open a command line prompt.
- Navigate to the Scan Engine install directory.
- You should see in this directory the files "xmlmodifier.jar" and "configuration.xml"
At the command line type in: java -jar xmlmodifier.jar -s //resources/system/MinThreads/@value 64 configuration.xml
- Restart the Scan Engine service to make the change effective.
*** Troubleshooting ***
Should any problem occur during the above steps, or under other circumstances where an unexpected behaviour is observed, the following steps may help understand and solve the problem:
- Collect a Process Monitor log while the problem occurs.
- Collect a TCP packet capture between the Protection Engine server and the proxy while the problem occurs.