SGOS 188.8.131.52 was released on April 15, 2015. To download this release and the Release Notes, log in to the BlueTouch Online (BTO) Downloads page with your BTO credentials.
Changes in Handling Upstream HTTP Status Code 407 Challenges
SGOS 184.108.40.206 introduces a default behavior change on the ProxySG appliance. Upstream 407 challenges are now blocked by default; to support the change, a new CLI command has also been added to allow you to enable upstream 407 challenges. If you choose to enable 407 challenges, you should use policy to allow them only from trusted servers.
This behavior change was implemented to address a security vulnerability with how the appliance handles 407 authentication challenges; please refer to Security Advisory SA93 for further details. This vulnerability affects authentication in explicit proxy deployments, where enterprise credentials are at risk of being forwarded to a malicious upstream origin content server (OCS) that sends a 407 authentication challenge.
Prior to upgrading to SGOS 220.127.116.11, Blue Coat recommends that you review the following Blue Coat Technical Alert (TA) 000024584 for important information on this vulnerability, the behavior change, and instructions for configuring the ProxySG appliance to maintain current functionality.
Important: After an upgrade to SGOS 18.104.22.168, you might have to perform additional steps to restore the required behavior. The solution you require depends on your deployment and topology; refer to the TA for steps when the ProxySG appliance is:
an explicit proxy without proxy chaining or a downstream transparent proxy with no upstream explicit proxies
a downstream explicit proxy in a proxy chain
a transparent proxy with upstream explicit proxies
If you cannot upgrade to a version with the fix, you may have to configure the proxy to address the security issue. The TA includes solutions for these scenarios as well.
SGOS Upgrade/Downgrade documentation (both webguide and PDF) also includes information on this behavior change.
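As an added illustration of the "allow 407 challenges only from trusted servers" guidance (this is not Blue Coat code and is not taken from the Release Notes or the TA), the following Python script reviews proxy logs for 407 responses that came from upstream hosts outside an allowlist and reports which clients received them. The log layout, hostnames, and the TRUSTED_UPSTREAMS set are constructed assumptions; map the fields to whatever your own access-log format records.

```python
from collections import defaultdict

# Assumption: hostnames of upstream proxies you trust to issue 407 challenges.
TRUSTED_UPSTREAMS = {"parent-proxy.corp.example"}

# Constructed sample log (hypothetical format, not the appliance's own):
# timestamp client_ip method upstream_host upstream_status
SAMPLE_LOG = """\
2015-04-15T10:00:01Z 10.0.0.5 GET parent-proxy.corp.example 407
2015-04-15T10:00:02Z 10.0.0.5 GET www.example.org 200
2015-04-15T10:00:03Z 10.0.0.7 GET files.example.net 407
2015-04-15T10:00:04Z 10.0.0.7 CONNECT FILES.example.net 407
this line is malformed and is skipped
2015-04-15T10:00:05Z 10.0.0.9 GET www.example.org 401
"""

def parse(line):
    """Return (client, upstream, status), or None for a malformed line."""
    fields = line.split()
    if len(fields) != 5 or not fields[4].isdigit():
        return None
    _ts, client, _method, upstream, status = fields
    # Normalise case and a trailing dot so allowlist matching is consistent.
    return client, upstream.lower().rstrip("."), int(status)

def untrusted_407s(log_text, trusted=TRUSTED_UPSTREAMS):
    """Map each untrusted upstream that sent a 407 to the clients that received it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, upstream, status = rec
        # 407 is a proxy challenge; a 401 from an origin server is not flagged.
        if status == 407 and upstream not in trusted:
            hits[upstream].add(client)
    return {host: sorted(clients) for host, clients in hits.items()}

if __name__ == "__main__":
    for host, clients in untrusted_407s(SAMPLE_LOG).items():
        print(f"407 from untrusted upstream {host}: clients {', '.join(clients)}")
```

Clients listed against an untrusted host are the ones whose proxy credentials may warrant review.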
Support for ECDHE-ECDSA Ciphers
SGOS now includes the following additional ECDHE-ECDSA ciphers between the ProxySG appliance and the origin content server (OCS):
Integration with SafeNet Luna SP 3.x HSM
The ProxySG appliance now supports integration with SafeNet Luna SP 3.x Hardware Security Module (HSM). An HSM provides additional security for storing cryptographic keys and certificates, which is required in some highly regulated industries. Blue Coat’s ProxySG appliance is able to use a network-attached HSM appliance to store private CA keys, and to perform digital signature operations.
Create Policy Based on Client User-Agent for HTTPS Requests
The ProxySG appliance can now inspect the User-Agent header in explicit proxy HTTP CONNECT requests to determine which user agent was used to initiate the request. You can then make policy decisions based on the user agent used in a transaction.
SNMP Traps for IWA Direct
If the ProxySG appliance is joined to one or more Windows domains, you can now enable SNMP traps to be notified when errors or issues occur with the domain. After enabling SNMP traps for a domain, you can specify thresholds for any latency issues, authentication failures, and Schannel issues that occur within a given period of time.
Refer to the SGOS 6.5.x release notes for information on the changes, fixes, and known issues in this release.
In addition, the following documentation was updated for this release:
SGOS Administration Guide
Content Policy Language Reference
Visual Policy Manager Reference
Command Line Interface Reference
SSL Deployment WebGuide
Refer to the Release Notes for information on known issues in this release.
Imported Document ID: 000024493