Please note that ProxyClient is End of Life and is not currently supported.
ProxyClient versions 220.127.116.11 and 18.104.22.168 and Unified Agent version 22.214.171.124952 include a feature that requires certificate validation when connecting to the Client Manager. This feature was introduced to address SA89/CVE-2015-1454 (SA89: ProxyClient and Unified Agent Certificate Validation Flaw).
With the introduction of this new security feature, if the Client Manager certificate is not trusted by the workstation where the ProxyClient is installed, the system displays a warning that the certificate is untrusted:
"Blue Coat Proxy Client attempted to download new configuration but could not verify the configuration server."
If the user clicks "Yes" to ignore the validation failure, they should not be prompted again. However, to deploy a silent installation, import the Client Manager's certificate into the computer's certificate store before deploying ProxyClient software to workstations.
1) Download the certificate from the Client Manager.
First, make note of the certificate used for Client Manager. If you created a keyring specifically for the Client Manager, you need to export the certificate from that keyring for use in the ProxyClient deployment.
To view or set this keyring in the Client Manager, navigate (in the Management Console) to Configuration > ProxyClient > General > Client Manager:
Note: The Common Name of the certificate in the selected keyring must match the "Use host" field or the hostname from the initial client request. Otherwise, users may still get a pop-up warning regarding a hostname mismatch.
After you've set or verified the keyring selected in the Client Manager, you can download the certificate by going to the following URL of the ProxySG acting as Client Manager:
In the preceding example, x.x.x.x is the IP address of the ProxySG which acts as the Client Manager.
Note: If a specific keyring was not created for the Client Manager function and the setting is default, you only need to download the "default" certificate (shown in the screenshot), provided the common name of the certificate matches the hostname or IP address of the Client Manager.
2) Import the Client Manager certificate into the Windows workstation certificate store.
The following procedure describes the steps that are required to install the Client Manager's certificate into the computer system's security store using the Microsoft Management Console snap-in. The configuration below is mainly intended for pre-deployment testing. Importing the Client Manager certificate to multiple systems can be automated using the Group Policy Object (GPO) method for silent installations.
To view the Certificates store on the local computer, perform the following steps:
Click Start, and then click Run.
Type "MMC.EXE" (without the quotation marks) and click OK or press enter.
Click Console in the new MMC you created, and then click Add/Remove Snap-in.
In the new window, click Add.
Highlight the Certificates snap-in, and then click Add.
Choose the Computer option and click Next.
Select Local Computer on the next screen, and then click OK.
Click Close, and then click OK.
Navigate to Trusted Root Certification Authorities/Certificates, select the Certificates folder, and then click Action, select All Tasks, and then Import.
Proceed through the prompts to navigate and import the certificate downloaded from the Client Manager.
Note: Installing the certificate through Internet Explorer does not accomplish the same goal. Doing so would place the certificate in the user certificate store, whereas the above steps import the certificate into the computer system certificate store, where it is needed for ProxyClient access.
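The same import, scripted for pre-deployment testing, as an added example that is not vendor-supplied code. It checks the Common Name and validity period before trusting the file, then imports it into the computer store rather than the user store. The file path C:\Temp\client-manager.cer and the host name proxysg.example.internal are hypothetical values; run it from an elevated PowerShell prompt.

```powershell
# Added example, not vendor-supplied. Requires an elevated prompt.
# Hypothetical defaults: replace the path and host name with your own values.
param(
    [string]$CertPath     = 'C:\Temp\client-manager.cer',
    [string]$ExpectedHost = 'proxysg.example.internal'
)

$ErrorActionPreference = 'Stop'

# Load the downloaded file for inspection without touching any store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The Common Name must match the host (or IP address) that ProxyClient uses to
# reach the Client Manager, otherwise a hostname-mismatch warning still appears.
$cn = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $ExpectedHost) {
    throw "Certificate CN '$cn' does not match expected host '$ExpectedHost'."
}

# Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Print the identity being trusted so it can be compared with the
# certificate in the Client Manager keyring before rollout.
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# A copy that exists only in the per-user store is not sufficient.
if (Test-Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)") {
    Write-Warning 'Certificate is present in the current user store; the computer store is what ProxyClient needs.'
}

# Import into the computer's Trusted Root Certification Authorities store.
if (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
    Write-Host 'Already present in LocalMachine\Root; nothing to do.'
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Write-Host 'Imported into LocalMachine\Root.'
}
```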
Please refer to Microsoft documentation for any additional deployment instructions.
See steps 1 and 2 of the following KB article as an example for creating a keyring specifically for the Client Manager: KB article 000021765
There is a known issue where, even if a user clicks "Yes" when prompted with the untrusted certificate warning, the user continues to be prompted at Windows startup. That issue was identified as bug# 213054 and was fixed in the following versions:
ProxyClient 126.96.36.199.152943 and later
ProxyClient 188.8.131.52.152409 and later
Unified Agent 184.108.40.206952 and later
Imported Document ID: 000024040