BlueCoat Web Proxy Appliances from a NetCache User's Perspective
by Rodney Campbell on Sep.04, 2006, under Security, Technology
This is a 60 second helicopter view of these appliances…
I have just completed a four-day training course and hands-on with the BlueCoat Web Proxy Appliances and I thought I'd give my quick impressions of the technology, based on what I've seen and played with, with particular emphasis on comparing to the Network Appliance NetCaches (which I'm already very familiar with). I'll put those items I think are probably the most important near the top of the lists.
Note: this doesn't of course factor in any real world things like how these features perform under load, actual capacity with relevant features turned on, dealing with our specific bizarre configuration requirements, finding any particular flaw or bugs our real world users/traffic might toss up or how the support stacks up.
BlueCoat Pros (stuff which NetCache doesn't have?):
- Supports more built-in "features"
- Content Policy Language and Visual Policy Manager – modeled on Checkpoint GUI – multiple rules in multiple layers – seems pretty extensive and powerful and VPM is obviously way easier to manage rules than text NetCache ACL rule sets
- BlueCoat Director (Centralised Management Console – central policy and config, automate device management (backups, etc))
- IM protocol support (MSN, Yahoo & AOL) (it does even seem to "recognise" this when it is tunnelled over the HTTP or SOCKS5 proxies) allowing you to specify policies on what is and isn't allowed, etc – doesn't fully support new MSN and Yahoo yet
- SSL Proxy (man-in-the-middle SSL intercept – requires SSL hardware card) – this is destination, etc configurable via policy, categorisation, etc – requires CA cert be installed on all client browsers for warning free use
- P2P protocol support (BitTorrent, eDonkey, Gnutella & FastTrack) (I expect it should also "recognise" this when it is tunnelled over the HTTP or SOCKS5 proxies) allowing you to specify policies on what is and isn't allowed, etc
- Onbox Web/Content Filtering/Categorisation (BlueCoat, Smartfilter, others) + Local database (with hashed lookups – could be significant performance boost for ACLs here)
- ProxyAV – BlueCoat have their own ICAP based AV appliance (Kaspersky, Sophos, McAfee, Panda)
- Spyware Prevention (some portions require ProxyAV)
- Cisco IOS like CLI
- Role based security
- User Notifications – Exception Pages, Splash pages (show once – e.g. a daily AUP), Coaching Pages (option to continue)
- Bandwidth Management – could be especially useful for our inbound streaming events (reserving streaming bandwidth and/or limiting users)
- HTTP Compression (server side and/or client side including storing multiple variants (gzip, deflate & text) in cache)
- Able to eject/flush "sites/trees" from the cache – unlike NetCache which can only do individual objects
- Native FTP Proxy and a generic TCP tunnel proxy
- File type matching based on (File Extensions, MIME Types and Apparent Data Type (magic headers))
- Supports more Authentication Realms including multiples of the same type (Win NT, AD, LDAP, Radius, Cert, Siteminder, COREid, Local, etc)
- Reporter – centralised reporting software (probably not capable enough to cope with our log load)
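
The file type matching item in the list above names three signals: file extension, MIME type and apparent data type (magic headers). The following Python is an added example, not BlueCoat code or policy language, showing why a proxy policy wants all three: a response whose URL and Content-Type claim an image is still denied when its first bytes are an executable header. The signature tables, function names and the deny/flag policy are assumptions made for this example.

```python
import os
from urllib.parse import urlsplit

# Constructed, minimal lookup tables for the example; real products ship far larger ones.
MAGIC = [
    (b"MZ", "executable"),            # DOS/PE header
    (b"\x7fELF", "executable"),       # ELF header
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),       # JPEG
    (b"GIF87a", "image"),
    (b"GIF89a", "image"),
    (b"PK\x03\x04", "archive"),       # ZIP local file header
]
EXTENSIONS = {".exe": "executable", ".dll": "executable", ".pdf": "pdf",
              ".png": "image", ".jpg": "image", ".jpeg": "image",
              ".gif": "image", ".zip": "archive"}
MIME_TYPES = {"application/x-msdownload": "executable", "application/pdf": "pdf",
              "image/png": "image", "image/jpeg": "image", "image/gif": "image",
              "application/zip": "archive"}


def classify(url, content_type, body_prefix):
    """Return the file class claimed by each of the three signals (None if unknown)."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()   # query string is ignored
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    apparent = next((cls for sig, cls in MAGIC if body_prefix.startswith(sig)), None)
    return {"extension": EXTENSIONS.get(ext),
            "mime": MIME_TYPES.get(mime),
            "apparent": apparent}


def decide(url, content_type, body_prefix, blocked=("executable",)):
    """Hypothetical policy: deny if any signal reports a blocked class,
    flag the transfer if the known signals disagree, otherwise allow."""
    signals = classify(url, content_type, body_prefix)
    known = {cls for cls in signals.values() if cls}
    if known & set(blocked):
        return "deny", signals
    if len(known) > 1:
        return "flag-mismatch", signals
    return "allow", signals
```
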
BlueCoat Cons:
- The Java applet filled Web based GUI is a big turnoff. I absolutely hate the single Java applet in the NetCache web GUI, which loads as part of the default web page and invariably doesn't work in most browsers, but the BlueCoat takes this to the extreme with a separate applet which has to download and run for EVERY freakin' page in the web GUI – they cannot get rid of this fast enough for me
- Still not sure if all of our existing NetCache ACL functions will translate
- Win NT/AD authentication integration seems a bit messier than with NetCache (requires installation of agent software on windows boxes in the domain)
- Doesn't have an equivalent of ACLstat (for optimising rule ordering)
April 11th, 2007 on 9:17 pm
Dear BlueCoat team
I understand that your PROXY server can split an RTSP stream, but I would like to know, on a normal server, e.g. P4 3GHz with 2G RAM and each stream around 40 K kbps, how many stream players can the server handle? And how much is the license per server at the beginning? Just a rough figure is OK because I am just doing feasibility. Oh, I’m in Thailand… any support over here?
Thanks for your kindness.
Saroj Suvanthararuang
Solution Specialist
January 5th, 2010 on 6:29 pm
check