Chapter 2: Managing Content Policy Language

But policy cannot determine the value of the Content-type response header until the response is returned, and the ProxySG cannot contact the server to get that response until policy has determined which hosts or gateways to route through to reach it. In other words, policy must set the forward() property first. A rule that makes forward() depend on the Content-type response header therefore cannot be committed until after the point at which the forwarding decision must already have been made. Again, because the condition is not testable until later in the transaction than the time at which the property must be set, the policy compiler reports an error.
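To make the timing constraint concrete, here is a constructed illustration added for this edition (it is not the manual's own example, which appears on the preceding page). The forwarding-host alias upstream_proxy and the domain example.com are assumptions; forwarding hosts are defined in the appliance configuration and referenced in policy only by alias.

```cpl
; Rejected: forward() has to be committed before the upstream
; connection is made, but response.header.Content-Type= cannot be
; tested until the response has come back over that connection.
; The policy compiler reports an error for this rule.
<Forward>
    response.header.Content-Type="text/html" forward(upstream_proxy)

; Accepted: key the forwarding decision on information that is
; available at request time (here the request URL's domain), and act
; on the response header in a <Proxy> layer, whose rules can be
; evaluated after the response arrives. Both values are assumed.
<Forward>
    url.domain=example.com forward(upstream_proxy)

<Proxy>
    response.header.Content-Type="text/html" deny
```

The general rule the example shows: every condition in a rule must be testable no later than the point at which the rule's properties have to be set, so response-time conditions belong only in rules whose properties can still take effect after the response has been received.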

Understanding Layers

Five types of layers are allowed in any policy file. The layer type determines the kinds of transaction its rules will act upon. The token used in the header identifies the layer type.

<Admin>—Used to define policy that controls access to the management console and the command line. Policy is not evaluated for serial console access or SNMP traffic, however.

<Cache>—Used to list policy rules that are evaluated during both cache and proxy transactions.

<Exception>—Exception layers are evaluated when a proxy transaction is terminated by an exception.

<Forward>—Forward layers are only evaluated when the current transaction requires an upstream connection. Forwarding policy is generally distinct and independent of other policies, and is often used as part of maintaining network topologies.

<Proxy>—Used to list policy rules that are evaluated during a proxy transaction.

Important: Only a subset of the conditions, properties, and actions available in the policy language is permitted within each layer type; the remainder generate compile-time errors. The CPL Reference for the conditions, properties, and actions describes where they can be used.

<Admin> Layers

<Admin> layers hold policy that is executed by administrator transactions. This policy is used to specify an authentication realm; to allow or deny administrative access based on the client's IP address, credentials, and the type of administrator access requested (read or write); and to perform any additional logging for administrative access.

Important: When administrative traffic is explicitly proxied, it arrives at the <Admin> layer with the client IP address set to the ProxySG's own IP address; therefore, the client.address= condition is not useful for explicitly proxied traffic.

The syntax is:

<Admin [label]> [admin_condition][admin_properties] ...
    admin_content

where:

The <Admin> layer defines the transactions evaluated against this policy, and restricts the triggers and properties allowed in the rules used in the layer.

The optional label, separated from the layer type by a space, is a CPL User-defined Identifier.

The optional admin_condition is a list of triggers, all of which must evaluate to true before the layer content is evaluated. For more information on using conditions, see Chapter 3: "Condition Reference". See also the Layer Guards section that follows.
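The following constructed policy file, added here as an illustration rather than taken from the manual, shows each of the five layer types described above and a complete set of <Admin> layers of the kind this section describes (authentication, allow/deny by client address, group and access type, and additional logging). The realm name admin_ldap, the addresses, the group names, the domain names and the forwarding-host alias upstream_gateway are all assumptions; the forwarding host itself is configured separately on the appliance. Two properties are marked as assumed to be permitted in their layer; check them against the CPL Reference for the SGOS version in use.

```cpl
; Constructed example policy (not the manual's own). All names,
; addresses and aliases below are assumptions.

; --- <Admin>: administrator transactions (Management Console, CLI) ---
; Layer 1: require authentication against the assumed realm admin_ldap.
<Admin>
    authenticate(admin_ldap)

; Layer 2: authorize by source network, group and the access level the
; administrator is requesting (admin.access=READ or WRITE). Rules are
; evaluated top to bottom; the bare deny at the end catches everything
; not explicitly allowed. client.address= is only meaningful for
; connections made directly to the appliance (see the note above on
; explicitly proxied traffic).
<Admin>
    client.address=10.9.1.0/24 group="proxy-admins" admin.access=WRITE allow
    client.address=10.9.0.0/16 group="proxy-auditors" admin.access=READ allow
    deny

; Layer 3: additional logging for administrative access, written to the
; event log. log_message() is assumed to be permitted in <Admin> layers.
<Admin>
    log_message("admin access from $(client.address) user=$(user)")

; --- <Proxy>: evaluated during proxy transactions ---
<Proxy>
    url.domain=blocked.example.com deny

; --- <Cache>: evaluated during both cache and proxy transactions ---
<Cache>
    url.extension=exe cache(no)

; --- <Forward>: evaluated only when an upstream connection is needed ---
; Hosts on the assumed internal domain are reached directly; everything
; else goes through the assumed forwarding host upstream_gateway.
<Forward>
    url.domain=internal.example.com forward(no)
    forward(upstream_gateway)

; --- <Exception>: evaluated when a transaction ends in an exception ---
; access_log(no) is assumed to be permitted in <Exception> layers.
<Exception>
    exception.id=policy_denied access_log(no)
```

Each layer is evaluated only against the kind of transaction named in its header, so the three <Admin> layers never see proxied client traffic and the <Proxy>, <Cache> and <Forward> layers never see a Management Console or CLI login. Keeping authentication, authorization and logging in separate <Admin> layers makes the last-matching-rule behaviour within a layer easier to reason about: the authorization layer ends in an unconditional deny, which is the least-privilege default for administrative access.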

Blue Coat Systems Proxy SG manual Understanding Layers, Admin Layers