Chapter 2: Managing Content Policy Language
37
But policy cannot determine the value of the Content-type response header until the response is
returned. The ProxySG cannot contact the server to get the response until policy determines what
hosts or gateways to route through to get there. In other words, policy must set the forward()
property. But policy cannot commit the forwarding action until the Content-type response header has
been determined. Again, since the condition is not testable until later in the request (after the time at
which the property must be set), an error is received.
Understanding Layers
Five types of layers are allowed in any policy file. The layer type determines the kinds of transaction
its rules will act upon. The token used in the header identifies the layer type.
<Admin>—Used to define policy that controls access to the management console and the
command line. Policy is not evaluated for serial console access or SNMP traffic, however.
<Cache>—Used to list policy rules that are evaluated during both cache and proxy transactions.
<Exception>—Exception layers are evaluated when a proxy transaction is terminated by an
exception.
<Forward>—Forward layers are only evaluated when the current transaction requires an
upstream connection. Forwarding policy is generally distinct and independent of other policies,
and is often used as part of maintaining network topologies.
<Proxy>—Used to list policy rules that are evaluated during a proxy transaction.
Important: Only a subset of the conditions, properties, and actions available in the policy language is
permitted within each layer type; the remainder generate compile-time errors. The CPL
Reference for the conditions, properties, and actions describes where they can be used.

<Admin> Layers

<Admin> layers hold policy that is executed by Administrator transactions. This policy is used to
specify an authentication realm; to allow or deny administrative access based on the client’s IP
address, credentials, and type of administrator access requested (read or write); and to perform
any additional logging for administrative access.
Important: When traffic is explicitly proxied, it arrives at the <Admin> layer with the client IP
address set to the ProxySG’s IP address; therefore, the client.address= condition is not
useful for explicitly proxied traffic.
The syntax is:
<Admin [label]> [admin_condition][admin_properties] ...
admin_content
where:
The <Admin> layer defines the transactions evaluated against this policy, and restricts the triggers
and properties allowed in the rules used in the layer.
The optional label, separated from the layer type by space, is a CPL User-defined Identifier.
The optional admin_condition is a list of triggers, all of which must evaluate to true before the
layer content is evaluated. For more information on using conditions, see Chapter 3: "Condition
Reference". See also the following Layer Guards section.