The URL categorization feature has the following deployment requirements:
The PacketShaper must have Internet access to connect to the WebPulse service.
A DNS server must be configured on the PacketShaper.
The PacketShaper hardware must have a valid support contract, although there is a 30-day grace period.
If you want to secure access to the outside interface, do not use the secure option because the URL category feature requires access to a number of outside servers. Instead, use the list security option and add the IP addresses of the following servers to the exception list:
• WebPulse service points (Use the setup urlcategory show service CLI command to see the IP addresses of the servers; add the one or two fastest servers.)
• category map update server (sitereview.bluecoat.com)
• support update server (updates.bluecoat.com)
• heartbeat server (hb.bluecoat.com)
Note: To find the IP address associated with each of these servers, use a name-lookup command (such as nslookup or the dns lookup CLI command).
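The exception list holds IP addresses while the servers are identified by hostname, so the list should be rechecked whenever the names resolve differently. The following is an added example, not part of the original article or of any Blue Coat tooling: it resolves the three hostnames above from a management workstation, merges in the WebPulse service point addresses taken from the CLI output, and reports which addresses are missing from or stale in the configured list. The function names and the 192.0.2.10 address are assumptions made for illustration.

```python
import socket

# Hostnames named in the article. WebPulse service point addresses are not
# resolved here; they come from the CLI output and are passed in by the caller.
UPDATE_HOSTS = ("sitereview.bluecoat.com", "updates.bluecoat.com", "hb.bluecoat.com")


def system_resolver(host):
    """Return the sorted IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def build_exception_list(hosts, webpulse_ips=(), resolver=system_resolver):
    """Map each exception-list IP to the reason it belongs on the list."""
    entries = {ip: "WebPulse service point" for ip in webpulse_ips}
    unresolved = []
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            addrs = []
        if not addrs:
            unresolved.append(host)  # report it; never guess an address
        for ip in addrs:
            entries.setdefault(ip, host)
    return entries, unresolved


def diff_exception_list(configured, entries):
    """Compare the IPs configured on the unit with the freshly resolved set."""
    configured = set(configured)
    missing = sorted(set(entries) - configured)  # resolved but not yet allowed
    stale = sorted(configured - set(entries))    # allowed but no longer needed
    return missing, stale


if __name__ == "__main__":
    # 192.0.2.10 is a constructed placeholder for a WebPulse service point.
    entries, unresolved = build_exception_list(UPDATE_HOSTS, ["192.0.2.10"])
    for ip, why in sorted(entries.items()):
        print(f"{ip}\t{why}")
    for host in unresolved:
        print(f"UNRESOLVED\t{host}")
```

Stale entries are worth removing as well as adding missing ones, since every address left on the exception list keeps the outside interface reachable from that address.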
The URL categorization feature has the following limitations:
Because the PacketShaper gives higher priority to flow delivery than to classification, it will never hold up flows to wait for a response from WebPulse. Therefore, the first few packets of a flow may get classified into a web or default class until WebPulse sends the URL category to the PacketShaper.
Packet processing takes precedence over URL categorization. If the PacketShaper is under load, category requests may get queued, and some requests may be dropped.
Behavior for asymmetrically applied redirect policies is non-deterministic for URL category-based classes since URL categorization is done out of path. Therefore, when applying never-admit policies with the redirect option, be sure to apply the policy to the category classes in both directions (Inbound and Outbound).
Imported Document ID: 000014767