PolicyCenter Release Notes
Version 9.2.11
May, 2015
P/N 20-0230-9211 Revision A

© 2015 Blue Coat Systems, Inc. All rights reserved.

Blue Coat Systems, Inc. 420 N.
Mary Avenue Sunnyvale, CA 94085
http://www.bluecoat.com

Revision History

November, 2012     PolicyCenter 9.2.1
July, 2013         PolicyCenter 9.2.2
August, 2013       PolicyCenter 9.2.3
February, 2014     PolicyCenter 9.2.4
April, 2014        PolicyCenter 9.2.5
June, 2014         PolicyCenter 9.2.6
July, 2014         PolicyCenter 9.2.7
September, 2014    PolicyCenter 9.2.8
December, 2014     PolicyCenter 9.2.9
February, 2015     PolicyCenter 9.2.10
May, 2015          PolicyCenter 9.2.11

Introduction

These release notes document the changes to PolicyCenter version 9.2.11 only. If you are upgrading from an earlier version of PolicyCenter, you can learn about other new features and software changes by consulting the release notes for the versions between your current software and v9.2.11. Acrobat PDF files of all versions of release notes are available for download at https://bto.bluecoat.com/documentation.

See the following sections for specific information:

Resolved Issues in PolicyCenter 9.2.11
Migrate the PolicyCenter Configuration from Windows 2000/2003 to Windows 2008
Upgrading to PolicyCenter Version 9.2.11
Upgrade Shared Mode Units to PacketWise 9.2.11
Known Issues in Version 9.2.11
Additional Information

Automatic Notification of New Software Releases

To be automatically notified when new PolicyCenter software releases are available, you can subscribe to the PolicyCenter RSS feed.
Note: The following instructions send the RSS feed to Outlook. However, you can send the feed to Yahoo or standalone readers as well.

1. Go to: https://bto.bluecoat.com/support/blue-coat-support-rss-feeds
2. Select PolicyCenter from the Products list.
3. Copy the URL.
4. Go to Outlook and right-click the RSS Feeds folder.
5. Select Add a New RSS Feed.
6. Paste in the URL and click Add.
7. Click Yes.

A new folder is created in RSS Feeds called knowledgebase - datacategory - PolicyCenter. When new PolicyCenter knowledge base articles are published, Blue Coat will send an email notification to the PolicyCenter RSS Feeds folder. The email will contain a link to the article.

Release announcements will provide you with the following types of information for the new release: the release number, a link to the Downloads page on BTO, highlights of the release, and links to related documentation and training materials.

Resolved Issues in PolicyCenter 9.2.11

PolicyCenter 9.2.11 contains the following resolved issues. For details on PacketWise resolved issues, see PacketShaper Release Notes for PacketWise 9.2.11.

• Further enhancements were added to prevent PolicyCenter from resetting after deleting a class matching rule.

Security Vulnerabilities

Disabling TLS 1.0

PolicyCenter 9.2.11 addresses the vulnerability CVE-2011-3389. TLS 1.1 and 1.2 protocols are supported, and TLS 1.0 can be disabled.

• PolicyCenter includes support for the new security-related system variables that disable TLS 1.0 protocol for client and server connections. The TLS 1.0 Client and TLS 1.0 Server variables can be enabled/disabled for a configuration on the Configurations > Setup > System Variables page. Note that these variables enable/disable TLS 1.0 for PacketShaper connections, not PolicyCenter; to disable TLS 1.0 for PolicyCenter connections, you must use the CLI (see next bullet).
• To disable TLS 1.0 for PolicyCenter’s client and server connections, use the following CLI commands in the PolicyCenter Client:

    pc setup variable TLS1Client 0
    pc setup variable TLS1Server 0

Note: TLS 1.0 connections are allowed by default, and must be explicitly disabled with these system variables if you don’t want to allow them.

OpenSSL Upgrade

OpenSSL was upgraded from 1.0.1j to 1.0.1l in PolicyCenter 9.2.11. The upgrade addresses a number of vulnerabilities. PolicyCenter is not vulnerable to all these CVEs, but they were all included in the upgrade.

• ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
  All versions prior to 9.2.10 are not vulnerable because EC is not used. Version 9.2.10 is vulnerable.
• RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
  All versions prior to 9.2.11 are vulnerable.
• Bignum squaring may produce incorrect results (CVE-2014-3570)
  All versions prior to 9.2.11 are vulnerable.
• DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
  Not vulnerable. PolicyCenter does not use DTLS.
• DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
  Not vulnerable. PolicyCenter does not use DTLS.
• no-ssl3 configuration sets method to NULL (CVE-2014-3569)
  Not vulnerable. OpenSSL for PolicyCenter is not built with no-ssl3.
• DH client certificates accepted without verification [Server] (CVE-2015-0205)
  Not vulnerable. PolicyCenter does not use client certificates.
• Certificate fingerprints can be modified (CVE-2014-8275)
  Not vulnerable. PolicyCenter does not rely on certificate fingerprints.

Migrate the PolicyCenter Configuration from Windows 2000/2003 to Windows 2008

When replacing your Windows 2000/2003 PolicyCenter server with a Windows 2008 server, you will want to ensure that your PolicyCenter configuration gets migrated over to the new PolicyCenter deployment.
This section describes the tasks that you need to perform on both servers: the Windows 2000/2003 server that is currently running PolicyCenter and the new Windows 2008 server to which you want to migrate.

Tasks to Perform on the Windows 2000/2003 Server

You need to upgrade the Windows 2000/2003 server to PolicyCenter 9.2.11 and then back up your configuration.

1. On the core Windows 2000/2003 server, upgrade to the PolicyCenter 9.2.11 image. See “Upgrade PolicyCenter”.
2. In a command window, navigate to the C:\Blue Coat Systems\pcbackup folder.
3. To back up your PolicyCenter configuration, type pcbackup <core_host> where <core_host> is the IP address of the core directory server. This will store a time-stamped backup folder and its contents at the location \Blue Coat Systems\PcBackupData. In a multiple directory server deployment, the backup script automatically retrieves the edge DS addresses from the core server and backs up all core/edge configuration data.
4. Copy the folder of the newly backed up data to a location that the new Windows 2008 server can access.

Tasks to Perform on the Windows 2008 Server

On the new Windows 2008 server, you need to install Sun Directory Server 7.0, install PolicyCenter 9.2.11, and restore the configuration.

1. Install Sun Directory Server 7.0 and PolicyCenter 9.2.11 on the core Windows 2008 server.
   Note: Refer to the PolicyCenter 9.2 Getting Started Guide for detailed instructions.
2. Copy the backup folder (from step 4 in the previous section) to the following location: \Blue Coat Systems\PcBackupData
   Create the PcBackupData folder if it does not yet exist.
3. Make sure the Windows 2008 server has the same IP address, primary DNS suffix, and gateway as the Windows 2000/2003 server it is replacing. This will ensure that the PacketShapers will be attached to the new server.
4. Before you restore backup files, you must discard PolicyCenter’s connection to the directory server and stop the PolicyCenter service on the Windows server, as described in the following steps.
   a. Access the PolicyCenter command-line interface and issue the command config reset to discard PolicyCenter’s connection to the directory server.
   b. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
   c. Select the PolicyCenter service from the list of services.
   d. Click the stop icon to stop the PolicyCenter service.
5. Open a command window, and navigate to the \Blue Coat Systems\pcbackup folder.
6. To restore your PolicyCenter configuration, type pcrestore. The pcrestore script searches for and restores the most recent backup in the PcBackupData folder.
7. In the Windows services panel, select the PolicyCenter service from the list of services.
8. Click the restart icon to restart the PolicyCenter service.
9. Access the PolicyCenter command-line interface and issue the command config set localhost <password> to reset the connection between PolicyCenter and the directory server.
10. Log in to the PolicyCenter browser interface to verify that the desired PolicyCenter configuration has been restored.

Upgrading to PolicyCenter Version 9.2.11

Note: After upgrading to PolicyCenter 9.2.11, Blue Coat strongly recommends upgrading all of your PacketShaper units to PacketWise 9.2.11. Units that are not upgraded will not be able to take advantage of all the new features of PolicyCenter 9.2.11, and may report errors.

Back Up Configurations Before Upgrading

Always back up your configuration file(s) to the server before upgrading.
After you install the new PolicyCenter and directory server software, you can load the backup configuration files to restore the configuration if necessary.

PolicyCenter provides an easy way to perform backup and restore of PolicyCenter configurations using the pcbackup.bat and pcrestore.bat tools that are installed with PolicyCenter. This utility is located in the \pcbackup folder in the root directory of the PolicyCenter installation. These batch files run a Java utility that in turn runs Sun LDAP commands and uses the Java ldapsdk to read and write configuration data from the directory servers.

Important: If your upgrade to PolicyCenter 9.2.11 requires that you also upgrade your directory server software, do not use the default location to save your backup file, as the file may be lost. Copy the backup file to the root of your install directory or to your desktop instead.

Because pcbackup.bat depends on the Sun DS Java files and LDAP utilities, you must run pcbackup.bat on a Windows server where you have already installed PolicyCenter (the core directory server).

To create a backup of all PolicyCenter configurations:

1. Open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically C:\Blue Coat Systems\pcbackup).
3. To back up your PolicyCenter DS servers, type pcbackup <core_host> where <core_host> is the IP address of the core directory server. The pcbackup utility retrieves the edge DS addresses from the core server and backs up all core/edge configuration data to LDIF files stored at C:\Blue Coat Systems\PcBackupData, in a sub-folder named with the current date and time.

Upgrade PolicyCenter

After you have backed up your PolicyCenter configurations, use the following process to upgrade to PolicyCenter 9.2.11.

Note: See “Issues When Upgrading from PC 8.x to Version 9.2” for known issues after upgrading to PolicyCenter 9.2.
To upgrade to PolicyCenter 9.2.11:

1. Log in to the Blue Coat download site (https://bto.bluecoat.com/downloads) and download the PolicyCenter 9.2.11 .zip file (for example, PolicyCenter_9.2.11_Windows.zip).
2. Unzip the file contents to your Windows server.
3. On the Windows server, navigate to the PolicyCenter\Windows folder, and launch the installation wizard by running the setup.exe file.
4. Select the Update option. The Installation Wizard will stop the existing PolicyCenter service, upgrade the PolicyCenter software, then restart the PolicyCenter service again. You will not need to go through Guided Setup again to specify settings for your PolicyCenter server.
5. If your PolicyCenter server stores cookies or temporary Internet files, remove these cookies and temporary files after installing the upgrade.
6. (Optional) If your PolicyCenter deployment replicates data between edge and core directory servers, you will need to regenerate SSL certificates for both the edge and core servers, and load the new certificate on the edge server.
   a. From the core PolicyCenter directory server, navigate to the folder PolicyCenter\dsssl.
   b. Double-click the program file certificates.exe to launch that utility.
   c. The utility opens in a new window and displays the following options:
      ■ d - display certificate information
      ■ g - generate a new certificate
      ■ i - initialize the certificate database
      ■ l - load a certificate
      ■ r - remove a certificate
      ■ q - quit
   d. To generate a new SSL certificate, type g then press Enter.
   e. You will be prompted to enter the hostname of the edge directory server that needs a certificate. Note that this command requires the hostname, and not the IP address of the server, for example, myserver-gx680.
   f. A new folder named after the hostname of your edge server will appear in the PolicyCenter\dsssl directory. Open this folder.
   g. If the SSL certificate was generated correctly, there should be three files in the PolicyCenter\dsssl\<edge_hostname> folder: ca.crt, ssl.crt, and key3.db.
   h. Copy these three individual files (but not the folder itself), and place the files directly in the PolicyCenter\dsssl folder on the edge directory server.
   i. Navigate to the PolicyCenter\dsssl folder on the edge directory server, and double-click the program file certificates.exe to launch that utility.
   j. The utility opens in a new window and displays the following options:
      ■ d - display certificate information
      ■ g - generate a new certificate
      ■ i - initialize the certificate database
      ■ l - load a certificate
      ■ r - remove a certificate
      ■ q - quit
   k. To load a new SSL certificate, type L then press Enter. The certificates.exe utility will load the new certificates. If the edge server already had an SSL certificate in this location, the old certificate will be replaced with the new one.
   l. If necessary, repeat this process to generate, copy, and load SSL certificates for any additional edge servers that require secure replication.

Clear Browser Cache

After upgrading to PolicyCenter 9.2, you must clear the browser cache to see the new functionality.

To clear the cache:

Firefox: Tools > Clear Recent History > Cache
Internet Explorer: Tools > Internet Options > General > Browsing History > Delete > Temporary Internet files
Chrome: History > Clear browsing data > Empty the cache

The steps for clearing the cache may vary, depending on which browser version you are using.

Note: You should also clear the cache after downgrading.

Tested Browsers

Blue Coat has tested the PolicyCenter 9.2.11 browser user interface with the English version of Microsoft Internet Explorer 11 on Windows 7. Other browsers and versions may be compatible, but have not been tested with PolicyCenter 9.2.11.
Note: Chrome may fail to complete HTTPS requests to the PolicyCenter UI; in such cases, an alternate browser should be used.

Restore a Configuration Backup

Use the following procedure if you need to restore a PolicyCenter configuration to a server after upgrading. Note that these steps must be performed in the order described.

Step 1: Reset PolicyCenter

Access the PolicyCenter command-line interface and issue the command config reset to discard PolicyCenter’s connection to the directory server. Close the command-line interface (and the PolicyCenter browser interface, if open also).

Step 2: Stop the PolicyCenter Service

Stop the PolicyCenter service before you restore a backup file.

1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
2. Select the Blue Coat PolicyCenter service from the list of services.
3. Click the Stop Service icon to stop the PolicyCenter service.

Step 3: Run Cleantree.bat to Clean Up Old Directory Server Entries (Optional)

Before restoring the configurations, you need to remove old directory server entries from each directory server; Blue Coat provides a utility to automate this process.

Note: This step is necessary only if the directory server has old DS entries. In most situations, this step can be skipped.

Sun ONE Directory Server 5.2:

For DS 5.2, the cleantree.bat file is located on the Blue Coat download site.

1. Log in to the Blue Coat download site at https://bto.bluecoat.com/downloads
2. In the PolicyCenter section, locate the Tools and download the .zip file.
3. Open the zip file, and extract the file cleantree.bat to the following folder: \Program Files\Sun\mps\shared\bin
4. Open a command window, and navigate to the folder: \Program Files\Sun\mps\shared\bin
5. Issue the command cleantree.bat to launch the utility and delete unnecessary entries.
6. Repeat for each directory server (core and edge).

Sun Directory Server 7.0:

Sun Directory Server 7.0 uses different commands to remove directory server entries than DS 5.2 does. The cleantree.bat script for DS 7.0 is packaged with the PolicyCenter zip file.

1. Change to the directory where the cleantree.bat file is located: \Program Files\Sun\DSEE.7.0.Windows-X86-zip\DSEE_ZIP_Distribution\sun-dsee7\dsee7\dsrk\bin
2. Issue the command cleantree.bat to launch the utility and delete unnecessary entries.
3. Repeat for each directory server (core and edge).

Step 4: Restore the Directory Server Backup Files

The pcrestore utility finds the most recent backup and restores it to the same core IP address and edge server addresses that the pcbackup utility discovered. For a clean restore, uninstall then reinstall the DS on the core server and each edge server, using the PolicyCenter install option Directory Server Only. You must use the same IP addresses as you did when creating the backup.

To restore the directory server backup (.LDIF) files:

1. Open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically C:\Blue Coat Systems\pcbackup).
3. To restore your PolicyCenter configuration, type pcrestore.

Step 5: Reconnect the Directory Server to the Network

If you disconnected your PolicyCenter directory server from the network prior to uninstalling and reinstalling the directory server software, reconnect the server to the network.

Step 6: Restart the PolicyCenter Service

Restart the PolicyCenter service after you restore a backup file.

1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
2. Select the Blue Coat PolicyCenter service from the list of services.
3. Click the Start Service icon to restart the PolicyCenter service.
Step 7: Restore the Connection Between PolicyCenter and the Directory Server

Access the PolicyCenter command-line interface and issue the command config setup to reset the connection between PolicyCenter and the directory server. Alternatively, you may access PolicyCenter through the browser interface and complete the Guided Setup to reset the connection between PolicyCenter and the directory server.

Finally, log in to the PolicyCenter browser interface to verify that the desired PolicyCenter configuration has been restored.

Upgrade Shared Mode Units to PacketWise 9.2.11

In order to best manage your PacketShapers with PolicyCenter 9.2.11, we strongly recommend you upgrade all your units to PacketWise 9.2.11. Units that are not upgraded will not be able to take advantage of all the new features of PolicyCenter 9.2.11, and may report errors.

Important: If you upgrade a PolicyCenter deployment with multiple directory servers to PolicyCenter 9.2.11, you must also upgrade all of your PacketShapers to PacketWise 9.2.11. PolicyCenter 9.2.11 deployments with multiple directory servers do not support PacketShapers running earlier versions of PacketWise.

Verify Bootloader Version

Before prescribing the PacketWise v9.2 image, you need to make sure your PacketShapers are using bootloader version 7 or higher.

Warning: Do NOT load the image on a unit with an earlier bootloader because the PacketShaper will not be able to boot.

To verify the bootloader version:

1. Log in to each PacketShaper.
2. Select Setup > image.
3. Use PolicyCenter’s file distribution feature to load the Bootloader Update plug-in (bootupdt.plg) on all units in a configuration.

After you have verified that all PacketShapers are using bootloader v7 or higher, you can safely distribute the image.
Upgrade Units via File Distribution

Once you have upgraded to PolicyCenter 9.2.11, you can use PolicyCenter’s file distribution feature to obtain the latest software image from the Blue Coat download website, then install the new image on PacketShapers subscribed to PolicyCenter. For additional details, see PacketGuide. Note that this feature requires a valid support service contract.

Configure the File Distribution Server

Before you start distributing files to individual PacketShapers, you must first configure the PolicyCenter file distribution server to retrieve the required image files.

1. Click the Setup tab.
2. From the Setup Page list, select File Distribution Server.
3. On the File Distribution Server setup page, click fetch executables, images and plug-ins from Blue Coat. PolicyCenter will contact the Blue Coat website and download any available new image files.

Update Units with New PacketWise Image

Once the new PacketWise images have been downloaded to your PolicyCenter server, you must prescribe them to PolicyCenter configurations.

1. Choose the PolicyCenter configuration for the units you want to upgrade by clicking the desired configuration in the configuration tree.
2. Click the Configurations tab. The Configurations window opens.
3. Click the Setup tab on the right side of the Configurations window.
4. From the Setup Page list, select Image.
5. Click the Prescribed Image drop-down list, and select the PacketWise 9.2.11 image. If you are upgrading standard PacketShapers, be sure to select a standard (STD) image. Select an ISP image to upgrade PacketShaper ISP.
6. Click apply changes. A warning message about the required bootloader version will appear.
7. Read the warning message screen, and follow the instructions. See “Verify Bootloader Version”.
If the image subscribe policy for the configuration is set to asap (the default setting), the units assigned to that configuration will download the new image right away. If the image subscription policy is set to scheduled, the units will download the image at the scheduled time.

Note: On rare occasions, an upgraded PacketShaper may not immediately reconnect to the directory server. If a recently upgraded unit displays an error stating that it cannot connect to the directory server, reboot the PacketShaper to reset the connection.

Known Issues in Version 9.2.11

Browser SSL Certificate Key Size Modified After Upgrading

After upgrading to PolicyCenter 9.2.11, the browser’s SSL certificate RSA key changes to 2048 bit.

Workaround

The following steps will preserve and restore the current SSL certificate in a PolicyCenter install.

1. On the PolicyCenter server, locate the file https.pem, typically under C:\BlueCoat Systems\PolicyCenter\cfg.
2. Copy the https.pem file to a safe location (such as the Desktop).
3. Upgrade PolicyCenter to desired version.
4. Copy the https.pem file saved in step #2, overwriting the https.pem file in the cfg directory.
5. Select Start > Administrative Tools > Services.
6. Right-click Blue Coat PolicyCenter and select Restart.

Issues When Upgrading from PC 8.x to Version 9.2

The following upgrade issues are applicable only if upgrading from PC 8.x directly to PC 9.2. If you are upgrading from PC 9.1 to PC 9.2, they are not an issue.

[B#173567] After upgrading PolicyCenter from v 8.x to v9.2:

• When specified in a non-unit parent configuration, the Inbound and Outbound link size values get clamped to 1.5 Mbps, and PolicyCenter displays a configuration error.
  Workaround:
  1. Edit the parent configuration.
  2. Click the Setup tab and click Apply Changes. (You don’t actually have to make any changes, but you do need to apply.)
  3. Commit the configuration.
• Child unit configurations lose the Inbound and Outbound link size inheritance.
  Workaround:
  1. Create a fresh parent configuration after upgrading PolicyCenter to 9.2. This configuration can be created by using a copy of any of the child unit configurations under the original parent.
     NOTE: Do NOT create the parent configuration by using a copy of the original parent configuration.
     a. Choose the unit configuration that best matches the parent configuration to be created.
     b. Using the Operations tab, create a copy of this configuration at the same level as the original parent, and rename it as desired. Make any necessary changes to the configuration.
  2. Move the unit configurations under this new parent configuration.
  3. For each child unit configuration, select the Inbound and Outbound Link Size Inheritance checkboxes in the Setup tab and click Apply Changes.
  4. Delete the original parent configuration.

BCAAA Connection Issue

PolicyCenter is connected to BCAAA only while users have an active PolicyCenter session. When a user logs out of a PolicyCenter session, the PolicyCenter connection to BCAAA is also terminated. When a user logs back in to PolicyCenter, the connection to BCAAA automatically gets re-established after a short delay. Until PolicyCenter reconnects to BCAAA, you may briefly see a message that user awareness is not configured.

User Awareness Issue

User lists that are inherited from another PolicyCenter configuration do not show the (I) designation. However, this is just a cosmetic display issue; the list is inherited and can’t be edited or deleted. [B#181933]

GUI Allows Classes with Duplicate Names

The PolicyCenter GUI allows the creation of classes with the same name as long as the matching rules are different. This is not an issue in the PolicyCenter CLI.
Large Configurations are Slow to Subscribe

The larger and more complex the traffic tree, the longer it takes to subscribe the PacketShaper to PolicyCenter using the convert option. With configurations that contain lots of partitions and matching rules, the telnet session may appear to hang until the subscription process is complete.

Locked File during Uninstall

When using the PolicyCenter uninstall utility, you may encounter a Locked File Detected message. If you see this message, use the Ignore option and then manually delete the BlueCoatSystems folder and its contents after the uninstall utility completes.

Error Displayed when Creating Reports

When saving a report in PolicyCenter’s Reports tab, the following message appears:

    Error occurred. Failed to load graphs.

Despite this message, the report is actually created and can be viewed on the PacketShaper.

Matching Rule Issue

After you have edited a matching rule and applied the change, you may see Error 0001. This typically happens after you have attempted to edit the rule with an invalid specification (such as duplicate matching rule). If this happens, switch to another configuration and then back to the one you were editing; this action forces PolicyCenter to read the configuration again, loading the matching rule back in memory.

SSL Cipher Strength Inheritance

• Cipher strength re-inheritance does not always work properly. Although the Minimum SSL Cipher Strength setting indicates that the PacketShaper is inheriting the strength setting from the parent configuration, the unit is still using the override setting.
• The output of the setup ssl cipherstrength show CLI command does not indicate whether the setting is inherited or overridden from the parent configuration.

Duplicate IDs after Copying Classes

After copying classes in a parent configuration and applying it to a child configuration, you may see an error that a class ID is already in use.
If this happens, you can manually assign a different ID to the class using the class id CLI command. Make sure to select an ID that is not already being used; the class services id command lists the IDs that are used for built-in services.

Inability to Delete Backup Configuration

Backup configurations can be deleted only if the original unit configuration has not been changed. If the original unit config is changed, the backup configuration becomes unresponsive; you will need to log out and log back into PolicyCenter to delete the backup configuration. This situation can be avoided if the unit configurations are placed as child configurations under a non-unit parent configuration. [SR 2-396611342]

Configuration Issues

• Occasionally PolicyCenter displays the configuration before an operation is completed. For example, this might happen when modifying service group or URL categorization settings. If the configuration doesn’t look correct, try refreshing the browser.
• If you remove an override from a draft configuration, you will not see the setting reinherited from the parent configuration until you commit the draft.

Service Group Configuration Errors

After editing a child configuration, you may see configuration errors that indicate a service appears in more than one group. (This can happen when a group is inherited from a parent configuration, and services have been moved into other local groups.) If you mouse over the error icon, the message indicates the name of the group(s) containing the conflicting services. (Unassigned in this example.) If you open up the Unassigned group, each conflicting service is marked with a configuration error. Moving the conflicting service back to the indicated group and applying the change may fix the errors.
However, if you have multiple configuration errors in the child configuration and are unable to fix all of them, you can use the re-inherit all button to re-inherit all service groups from the parent configuration. This operation will delete all existing groups from the current configuration, including local custom groups, before inheriting the parent's service groups.

Service Group Issues

• After you reset groups to their default settings, in certain situations a custom group may not be marked as overridden when it should be.
• Services may not move to the Unassigned group after you delete an overridden group or check the Inherit checkbox for an overridden group. Blue Coat recommends that you use the re-inherit all command when you want to re-inherit service groups.

Inherited Passwords

When a PacketShaper is subscribed to PolicyCenter, you cannot change the PacketShaper’s passwords from inherited to local on the Security setup page. The workaround is to change the look and touch passwords and then apply the change. Although you may see an error message, the status of the touch and look passwords does change from inherited to local.

Browser Issues

• Chrome may fail to complete HTTPS requests to the PolicyCenter UI; in such cases, an alternate browser should be used.
• When using Internet Explorer, you may need to turn on Compatibility View if any of the UI screens don’t render properly.
• When you open PolicyCenter with a secure connection (https), the browser indicates that there is an issue with the security certificate; this is because PolicyCenter uses a self-signed certificate. If you get this message, you should choose the option to continue (such as Continue to this website in Internet Explorer or I understand the risks in Firefox).
• When you upgrade to PolicyCenter 9.2.11, the screen to configure PolicyCenter may not automatically appear if you are using Firefox as your default browser.
If the configuration screen does not appear after installing PolicyCenter 9.2.11, open the configuration screen by opening a Firefox browser window on the PolicyCenter server, and entering localhost in the address bar.
• At times, when you access PolicyCenter through a secure connection, the Internet Explorer browser may unnecessarily display a dialog box with the following message: This page contains both secure and nonsecure items. Do you want to display the nonsecure items? Clicking either Yes or No on this dialog box will reload the page, but will not disable or compromise your PolicyCenter security settings. All traffic will continue to be encrypted.

Auto-Deployed Units May Not Display Full Config Path

If you successfully auto-deploy a unit running PacketWise 9.2.11 and then issue the command unit show, the Configuration Name column in the output of this command may incorrectly display only the unit’s parent configuration, rather than displaying the unit's full configuration path. The Units table in the PolicyCenter browser interface may also display just the unit’s parent configuration in the Configuration table column. Reassign the unit to another sharable configuration to correctly display the full configuration path for the unit, including the parent configuration and the unit’s individual serial-number configuration.

Units May Display Errors After Migrating Between Directory Servers

When you migrate a unit from the core directory server to an edge directory server, the unit may display a “timed out” error message until it updates its status entry, even though the unit has successfully changed directory servers.

Avoid Duplicate Class IDs by Autodiscovering Classes in Unique Locations

PacketShapers generate class IDs based on the full path of the class name.
When multiple units assigned to a single PolicyCenter configuration each autodiscover or create the same Inbound or Outbound traffic class (i.e. /Inbound/<discoveredclass>, Inbound/<createdclass>, or Inbound/<pathname>/<class>), these units will each create the same class ID for that traffic class. Although neither PolicyCenter nor the PacketShapers involved will report errors, if IntelligenceCenter finds the same class ID more than once on the same PacketShaper, these multiple class IDs could cause IntelligenceCenter to report incorrect data. Either delete and recreate this traffic class, or assign it a different class ID with the CLI command class id.

To avoid this problem, you need to configure each individual PacketShaper so that the unit’s autodiscovered traffic classes all have unique class names. This can be done by creating a traffic class based on the IP address or physical location of the unit at the configuration root, configuring the class service to match service:any, and then turning on autodiscovery within the traffic class.

For example, if you had two PacketShapers named Los_Angeles and New_York that you wanted to manage via PolicyCenter, you could create the class Inbound/Los_Angeles on one unit and Inbound/New_York on the other, then turn on traffic class autodiscovery. When both units autodiscover Inbound FTP, HTTP, DNS and WINS classes, these classes would have unique class names, and therefore unique class IDs.

PacketShaper 1          PacketShaper 2
/Inbound                /Inbound
  Los_Angeles             New_York
    FTP                     FTP
    HTTP                    HTTP
    DNS                     DNS
    WINS                    WINS

Once these traffic classes have been uniquely discovered, they can be copied or moved to another location within their PolicyCenter configuration without causing duplicate class IDs.
For example, the classes /Inbound/Los_Angeles/FTP and /Inbound/Los_Angeles/HTTP could be copied to the configuration root, and the autodiscovered FTP and HTTP classes deleted, resulting in the following traffic tree on both units:

/Inbound
  FTP
  HTTP
  Los_Angeles
    DNS
    WINS
  New_York
    DNS
    WINS

The /Inbound/FTP and Inbound/HTTP classes for both PacketShapers can now be managed together, and those classes will each have a unique class ID.

Additional Information

PolicyCenter Should Not be Installed on Server with Team Interface

If you have configured your server with team interfaces, you must un-team them and use a “single interface” setup before installing PolicyCenter on this server.

Prepare PacketShapers for Data Replication

When migrating PacketShapers attached to a core directory server to be under an edge directory server, use the pc replication prepare command to prepare PacketShaper units for data replication before you configure the edge directory server. If your units are not correctly prepared for a multiple directory server deployment using this command, any units that remain attached to the core directory server may generate excessive replication traffic, leading to large log files, excessive network utilization, and possible directory server failure.

Downgraded Units May Not Support Secure Connections to the Directory Server

If you connect a PacketShaper to the directory server via a secure connection and later downgrade that unit to a version of PacketWise that does not support secure LDAP, the unit may temporarily lose its connection to the directory server. To avoid this problem, first revert the unit to local mode, add the unit back to PolicyCenter without the secure connection option, and then downgrade the unit.

Reinherit Settings from Parent Configurations by Deleting Overrides or Setting Local Values to “Default”

If a configuration setting is defined on both a parent configuration and a child configuration, the setting on the child configuration will override the value inherited from the parent. However, if you clear a configuration setting on a child draft configuration, that blank setting will still override the values configured on its parent configuration. To completely remove an overriding value so the child configuration can reinherit that setting from its parent configuration, you must create a draft version of the child configuration and use the PolicyCenter command-line interface to either return the setting to its default value or delete the configuration object altogether.

For example, if you configure flow detail records (FDR) collectors on a child configuration then later clear those settings via the PolicyCenter browser interface, the child configuration will not inherit any FDR collectors defined on its parent configuration. To remove the overriding blank settings from the child configuration, create a draft of the child configuration, issue the CLI command setup flowrecords id <ID> default, then commit the draft. Once the child configuration’s FDR collector settings are reset to their default values, that child can again inherit FDR collector settings from its parent configuration.

If a child configuration has different configuration settings than its parent and you want the child to reinherit a value from its parent configuration, simply delete the overriding object. As an example, suppose a PolicyCenter parent configuration has the TACACS+ accounting host 172.21.7.7 and one of its child configurations has the accounting host 172.21.7.8.
If you no longer wanted a different accounting host on that child configuration, and would like the child configuration to reinherit the host from its parent, you would have to create a draft of the child configuration and then issue the command setup tacacs auth primary|secondary delete from the PolicyCenter CLI.

Xpress Tunnels are not Propagated from Parent to Child Configurations

Xpress tunnels defined on a PolicyCenter sharable configuration will not be propagated to any individual unit configurations assigned to the sharable configuration. Therefore, you must create Xpress tunnels directly on your unit configurations. Use PolicyCenter to configure Xpress tunnels by accessing the unit’s individual serial-number configuration and creating the tunnel there. You can also configure Xpress tunnels via the unit’s own command-line or browser interfaces.

PacketShaper Login Page Does Not Display When Unit Configuration Is Missing

When a PacketShaper is missing its configuration (possibly because the unit’s configuration was inadvertently deleted from PolicyCenter) the PacketShaper login page will not display correctly. To resolve this problem, log in to the PolicyCenter CLI, and issue the command config show to display the name of the configuration to which the unit is assigned. Next, recreate a new PolicyCenter configuration with the same name as the missing configuration.
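
The override behaviour described under Reinherit Settings from Parent Configurations above, as an added Python model that is not PolicyCenter code: it shows why a cleared (blank) child setting keeps masking the parent's value until the override object is removed, and how to list such masking blanks. The Config class, its method names, the setting keys and the collector name are hypothetical; only the two TACACS+ host addresses come from these notes.

```python
# Illustrative model, not PolicyCenter code; every name here is hypothetical.
_UNSET = object()  # marks "no local object": the setting is inherited

class Config:
    def __init__(self, name, parent=None, **local):
        self.name, self.parent = name, parent
        self.local = dict(local)  # setting -> local value; "" is a cleared value

    def clear_in_ui(self, key):
        # Clearing a field leaves a blank local value, which is still an override.
        self.local[key] = ""

    def delete_override(self, key):
        # Models resetting to default or deleting the object in a draft, then committing.
        self.local.pop(key, None)

    def effective(self, key):
        """Return (value, name of the configuration that supplied it)."""
        cfg = self
        while cfg is not None:
            value = cfg.local.get(key, _UNSET)
            if value is not _UNSET:
                return value, cfg.name
            cfg = cfg.parent
        return None, None

    def masking_blanks(self):
        """Blank local values that hide a non-blank value from an ancestor."""
        hidden = {}
        for key, value in self.local.items():
            if value == "" and self.parent is not None:
                inherited, source = self.parent.effective(key)
                if inherited:
                    hidden[key] = (inherited, source)
        return hidden

def demo():
    # Host addresses are the ones used in these notes; the collector name is constructed.
    parent = Config("parent", tacacs_accounting_host="172.21.7.7",
                    fdr_collector="collector-a.example")
    child = Config("child", parent, tacacs_accounting_host="172.21.7.8")
    child.clear_in_ui("fdr_collector")           # blank override, parent value hidden
    masked = child.masking_blanks()
    child.delete_override("fdr_collector")       # child reinherits the collector
    child.delete_override("tacacs_accounting_host")
    return masked, child.effective("fdr_collector"), child.effective("tacacs_accounting_host")
```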