PolicyCenter Release Notes Version 9.2.3 August, 2013 P/N 20-0230-923 Revision A

© 2013 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, technical services, and any other technical data referenced in this document are subject to U.S. export control AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Sun, Sun Microsystems, the Sun Logo and any other Sun trademarks included in this product are trademarks or registered trademarks of Oracle, Inc. in the United States and other countries

ActionScript Library 3.0 (as3corelib v0.9) BSD 2.0 Copyright © 2008, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of the University of California, Berkeley nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

U.S. Government Restricted Rights

Blue Coat software comprises “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and is provided to the United States Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227-7202-1 (JUN 1995) and 227.7202-3 (JUN 1995). Blue Coat software is provided with “RESTRICTED RIGHTS.” Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in FAR 52.227-14 and DFAR 252.227-7013 et seq. or their successors. Use of Blue Coat products or software by the U.S. Government constitutes acknowledgment of Blue Coat’s proprietary rights in them and to the maximum extent possible under federal law, the U.S. Government shall be bound by the terms and conditions set forth in Blue Coat’s end user agreement.

Blue Coat Systems, Inc.
420 N. Mary Avenue
Sunnyvale, CA 94085
http://www.bluecoat.com

Revision History

November, 2012 PolicyCenter 9.2.1

July, 2013 PolicyCenter 9.2.2

August, 2013 PolicyCenter 9.2.3

Introduction

These release notes document the changes to PolicyCenter version 9.2.3 only. If you are upgrading from an earlier version of PolicyCenter, you can learn about other new features and software changes by consulting the release notes for the versions between your current software and v9.2.3.

Acrobat PDF files of all versions of release notes are available for download at http://bto.bluecoat.com/documentation.

See the following sections for specific information:

• Resolved Issues in 9.2.3
• Migrate the PolicyCenter Configuration from Windows 2000/2003 to Windows 2008
• Upgrading to PolicyCenter Version 9.2.3
• Upgrade Shared Mode Units to PacketWise 9.2.3
• Known Issues in Version 9.2.3
• Additional Information


Automatic Notification of New Software Releases

To be automatically notified when new PolicyCenter software releases are available, you can subscribe to the PolicyCenter product channel in the Knowledge Base:

1. Log in to the BTO Knowledge Base (https://kb.bluecoat.com).
2. In the Knowledge Base, go to: Product Information > Products > PolicyCenter
   https://kb.bluecoat.com/index?page=content&cat=POLICYCENTER&channel=PRODUCT_INFORMATION
3. Click Subscribe.

You will then receive email messages to let you know when new software releases are available for download. Click the link in the email to view the KB article. The article will provide you with the following types of information for the new release: the release number, the date the software was posted, highlights of the release, and links to release notes and other related documentation and training materials.

Resolved Issues in 9.2.3

PolicyCenter 9.2.3 does not contain any new resolved issues. For details on PacketWise resolved issues, see PacketShaper Release Notes for PacketWise 9.2.3.

Migrate the PolicyCenter Configuration from Windows 2000/2003 to Windows 2008

When replacing your Windows 2000/2003 PolicyCenter server with a Windows 2008 server, you will want to ensure that your PolicyCenter configuration gets migrated over to the new PolicyCenter deployment. This section describes the tasks that you need to perform on both servers: the Windows 2000/2003 server that is currently running PolicyCenter and the new Windows 2008 server to which you want to migrate.

Tasks to Perform on the Windows 2000/2003 Server

You need to upgrade the Windows 2000/2003 server to PolicyCenter 9.2.3 and then back up your configuration.

1. On the core Windows 2000/2003 server, upgrade to the PolicyCenter 9.2.3 image. See “Upgrade PolicyCenter”.
2. In a command window, navigate to the C:\Blue Coat Systems\pcbackup folder.
3. To back up your PolicyCenter configuration, type pcbackup <core_host> where <core_host> is the IP address of the core directory server. This will store a time-stamped backup folder and its contents at the location \Blue Coat Systems\PcBackupData. In a multiple directory server deployment, the backup script automatically retrieves the edge DS addresses from the core server and backs up all core/edge configuration data.
4. Copy the folder of the newly backed up data to a location that the new Windows 2008 server can access.

Tasks to Perform on the Windows 2008 Server

On the new Windows 2008 server, you need to install Sun Directory Server 7.0, install PolicyCenter 9.2.3, and restore the configuration.

1. Install Sun Directory Server 7.0 and PolicyCenter 9.2.3 on the core Windows 2008 server.

Note: Refer to the PolicyCenter 9.2 Getting Started Guide for detailed instructions.

2. Copy the backup folder (from step 4 in the previous section) to the following location: \Blue Coat Systems\PcBackupData
   Create the PcBackupData folder if it does not yet exist.
3. Make sure the Windows 2008 server has the same IP address, primary DNS suffix, and gateway as the Windows 2000/2003 server it is replacing. This will ensure that the PacketShapers will be attached to the new server.
4. Before you restore backup files, you must discard PolicyCenter’s connection to the directory server and stop the PolicyCenter service on the Windows server, as described in the following steps.
   a. Access the PolicyCenter command-line interface and issue the command config reset to discard PolicyCenter’s connection to the directory server.
   b. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
   c. Select the PolicyCenter service from the list of services.
   d. Click the stop icon to stop the PolicyCenter service.
5. Open a command window, and navigate to the \Blue Coat Systems\pcbackup folder.
6. To restore your PolicyCenter configuration, type pcrestore. The pcrestore script searches for and restores the most recent backup in the PcBackupData folder.
7. In the Windows services panel, select the PolicyCenter service from the list of services.
8. Click the restart icon to restart the PolicyCenter service.
9. Access the PolicyCenter command-line interface and issue the command config set localhost <password> to reset the connection between PolicyCenter and the directory server.
10. Log in to the PolicyCenter browser interface to verify that the desired PolicyCenter configuration has been restored.
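The migration above copies the backup folder between servers and then lets pcrestore pick the most recent backup, so it is worth confirming the copy is intact before restoring. The following is an added example, not part of the Blue Coat release notes or tooling: a Python check that records a SHA-256 manifest of the newest PcBackupData sub-folder on the old server and verifies the copied folder on the new one. The script name, the manifest file, and the use of folder modification time to decide which backup is "most recent" are assumptions.

```python
"""Pre-restore integrity check for a copied PcBackupData folder (added example)."""
import hashlib
import json
import os
import sys


def latest_backup(backup_root):
    """Return the newest sub-folder of PcBackupData.

    Assumption: "most recent" is judged by folder modification time; the
    release notes do not say how pcrestore itself makes that choice.
    """
    folders = [entry.path for entry in os.scandir(backup_root) if entry.is_dir()]
    if not folders:
        raise FileNotFoundError("no backup sub-folder under " + backup_root)
    return max(folders, key=os.path.getmtime)


def build_manifest(folder):
    """Map each file's relative path to its size and SHA-256 digest."""
    manifest = {}
    for base, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(base, name)
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, folder).replace(os.sep, "/")
            manifest[rel] = {
                "size": os.path.getsize(path),
                "sha256": digest.hexdigest(),
            }
    return manifest


def compare(expected, folder):
    """Return a list of problems; an empty list means the copy is intact."""
    actual = build_manifest(folder)
    problems = []
    for rel, meta in sorted(expected.items()):
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel]["sha256"] != meta["sha256"]:
            problems.append("changed: " + rel)
    for rel in sorted(set(actual) - set(expected)):
        problems.append("unexpected: " + rel)
    # The backup is described as LDIF files; a folder without any, or with
    # zero-length ones, should not be handed to pcrestore.
    ldif = sorted(rel for rel in actual if rel.lower().endswith(".ldif"))
    if not ldif:
        problems.append("no LDIF files found")
    for rel in ldif:
        if actual[rel]["size"] == 0:
            problems.append("empty LDIF: " + rel)
    return problems


def main(argv):
    if len(argv) != 4 or argv[1] not in ("record", "verify"):
        print("usage: check_backup.py record|verify <PcBackupData> <manifest.json>")
        return 2
    mode, root, manifest_path = argv[1:]
    folder = latest_backup(root)
    if mode == "record":
        # Run on the old server; keep the manifest outside the backup folder.
        with open(manifest_path, "w") as out:
            json.dump(build_manifest(folder), out, indent=2)
        print("recorded", folder)
        return 0
    # Run on the new server after copying, before typing pcrestore.
    with open(manifest_path) as src:
        problems = compare(json.load(src), folder)
    for line in problems:
        print(line)
    print("OK" if not problems else "DO NOT RESTORE", folder)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the backup holds the full directory-server configuration, transfer the manifest by a separate path from the backup folder so that a tampered copy cannot carry a matching manifest with it.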

Upgrading to PolicyCenter Version 9.2.3

Note: After upgrading to PolicyCenter 9.2.3, Blue Coat strongly recommends upgrading all of your PacketShaper units to PacketWise 9.2.3. Units that are not upgraded will not be able to take advantage of all the new features of PolicyCenter 9.2.3, and may report errors.

Back Up Configurations Before Upgrading

Always back up your configuration file(s) to the server before upgrading. After you install the new PolicyCenter and directory server software, you can load the backup configuration files to restore the configuration if necessary.

PolicyCenter provides an easy way to perform backup and restore of PolicyCenter configurations using the pcbackup.bat and pcrestore.bat tools that are installed with PolicyCenter. This utility is located in the \pcbackup folder in the root directory of the PolicyCenter installation. These batch files run a Java utility that in turn runs Sun LDAP commands and uses the Java ldapsdk to read and write configuration data from the directory servers.

! Important: If your upgrade to PolicyCenter 9.2.3 requires that you also upgrade your directory server software, do not use the default location to save your backup file, as the file may be lost. Copy the backup file to the root of your install directory or to your desktop instead.

Because pcbackup.bat depends on the Sun DS Java files and LDAP utilities, you must run pcbackup.bat on a Windows server where you have already installed PolicyCenter (the core directory server).

To create a backup of all PolicyCenter configurations:

1. Open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically C:\Blue Coat Systems\pcbackup).
3. To back up your PolicyCenter DS servers, type pcbackup <core_host> where <core_host> is the IP address of the core directory server. The pcbackup utility retrieves the edge DS addresses from the core server and backs up all core/edge configuration data to LDIF files stored at C:\Blue Coat Systems\PcBackupData, in a sub-folder named with the current date and time.

Upgrade PolicyCenter

After you have backed up your PolicyCenter configurations, use the following process to upgrade to PolicyCenter 9.2.3.

Note: See “Issues When Upgrading from PC 8.x to Version 9.2” for known issues after upgrading to PolicyCenter 9.2.

To upgrade to PolicyCenter 9.2.3:

1. Log in to the Blue Coat download site (https://bto.bluecoat.com/download) and download the PolicyCenter 9.2.3 .zip file (for example, PolicyCenter_9.2.3_Windows.zip).
2. Unzip the file contents to your Windows server.
3. On the Windows server, navigate to the PolicyCenter\Windows folder, and launch the installation wizard by running the setup.exe file.
4. Select the Update option. The Installation Wizard will stop the existing PolicyCenter service, upgrade the PolicyCenter software, then restart the PolicyCenter service again. You will not need to go through Guided Setup again to specify settings for your PolicyCenter server.
5. If your PolicyCenter server stores cookies or temporary Internet files, remove these cookies and temporary files after installing the upgrade.
6. (Optional) If your PolicyCenter deployment replicates data between edge and core directory servers, you will need to regenerate SSL certificates for both the edge and core servers, and load the new certificate on the edge server.
   a. From the core PolicyCenter directory server, navigate to the folder PolicyCenter\dsssl.
   b. Double-click the program file certificates.exe to launch that utility.
   c. The utility opens in a new window and displays the following options:
      ■ d - display certificate information
      ■ g - generate a new certificate
      ■ i - initialize the certificate database
      ■ l - load a certificate
      ■ r - remove a certificate
      ■ q - quit
   d. To generate a new SSL certificate, type g then press Enter.
   e. You will be prompted to enter the hostname of the edge directory server that needs a certificate. Note that this command requires the hostname, and not the IP address of the server, for example, myserver-gx680.
   f. A new folder named after the hostname of your edge server will appear in the PolicyCenter\dsssl directory. Open this folder.
   g. If the SSL certificate was generated correctly, there should be three files in the PolicyCenter\dsssl\<edge_hostname> folder: ca.crt, ssl.crt, and key3.db.
   h. Copy these three individual files (but not the folder itself), and place the files directly in the PolicyCenter\dsssl folder on the edge directory server.
   i. Navigate to the PolicyCenter\dsssl folder on the edge directory server, and double-click the program file certificates.exe to launch that utility.
   j. The utility opens in a new window and displays the following options:
      ■ d - display certificate information
      ■ g - generate a new certificate
      ■ i - initialize the certificate database
      ■ l - load a certificate
      ■ r - remove a certificate
      ■ q - quit
   k. To load a new SSL certificate, type L then press Enter. The certificates.exe utility will load the new certificates. If the edge server already had an SSL certificate in this location, the old certificate will be replaced with the new one.
   l. If necessary, repeat this process to generate, copy, and load SSL certificates for any additional edge servers that require secure replication.

Clear Browser Cache

After upgrading to PolicyCenter 9.2, you must clear the browser cache to see the new functionality. To clear the cache:

Firefox: Tools > Clear Recent History > Cache
Internet Explorer: Tools > Internet Options > General > Browsing History > Delete > Temporary Internet files
Chrome: History > Clear browsing data > Empty the cache

The steps for clearing the cache may vary, depending on which browser version you are using.

Note: You should also clear the cache after downgrading.

Restore a Configuration Backup

Use the following procedure if you need to restore a PolicyCenter configuration to a server after upgrading. Note that these steps must be performed in the order described.

Step 1: Reset PolicyCenter

Access the PolicyCenter command-line interface and issue the command config reset to discard PolicyCenter’s connection to the directory server. Close the command-line interface (and the PolicyCenter browser interface, if open also).

Step 2: Stop the PolicyCenter Service

Stop the PolicyCenter service before you restore a backup file.

1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
2. Select the Blue Coat PolicyCenter service from the list of services.
3. Click the Stop Service icon to stop the PolicyCenter service.

Step 3: Run Cleantree.bat to Clean Up Old Directory Server Entries (Optional)

Before restoring the configurations, you need to remove old directory server entries from each directory server; Blue Coat provides a utility to automate this process.

Note: This step is necessary only if the directory server has old DS entries. In most situations, this step can be skipped.

Sun ONE Directory Server 5.2: For DS 5.2, the cleantree.bat file is located on the Blue Coat download site.

1. Log in to the Blue Coat download site at https://bto.bluecoat.com/download
2. In the PolicyCenter section, locate the Tools and download the .zip file.
3. Open the zip file, and extract the file cleantree.bat to the following folder:
   \Program Files\Sun\mps\shared\bin
4. Open a command window, and navigate to the folder:
   \Program Files\Sun\mps\shared\bin
5. Issue the command cleantree.bat to launch the utility and delete unnecessary entries.
6. Repeat for each directory server (core and edge).

Sun Directory Server 7.0: Sun Directory Server 7.0 uses different commands to remove directory server entries than DS 5.2 does. The cleantree.bat script for DS 7.0 is packaged with the PolicyCenter zip file.

1. Change to the directory where the cleantree.bat file is located:
   \Program Files\Sun\DSEE.7.0.Windows-X86-zip\DSEE_ZIP_Distribution\sun-dsee7\dsee7\dsrk\bin
2. Issue the command cleantree.bat to launch the utility and delete unnecessary entries.
3. Repeat for each directory server (core and edge).

Step 4: Restore the Directory Server Backup Files

The pcrestore utility finds the most recent backup and restores it to the same core IP address and edge server addresses that the pcbackup utility discovered.

For a clean restore, uninstall then reinstall the DS on the core server and each edge server, using the PolicyCenter install option Directory Server Only. You must use the same IP addresses as you did when creating the backup.

To restore the directory server backup (.LDIF) files:

1. Open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically C:\Blue Coat Systems\pcbackup).
3. To restore your PolicyCenter configuration, type pcrestore.

Step 5: Reconnect the Directory Server to the Network

If you disconnected your PolicyCenter directory server from the network prior to uninstalling and reinstalling the directory server software, reconnect the server to the network.

Step 6: Restart the PolicyCenter Service

Restart the PolicyCenter service after you restore a backup file.

1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
2. Select the Blue Coat PolicyCenter service from the list of services.
3. Click the Start Service icon to restart the PolicyCenter service.

Step 7: Restore the Connection Between PolicyCenter and the Directory Server

Access the PolicyCenter command-line interface and issue the command config setup to reset the connection between PolicyCenter and the directory server. Alternatively, you may access PolicyCenter through the browser interface and complete the Guided Setup to reset the connection between PolicyCenter and the directory server. Finally, log in to the PolicyCenter browser interface to verify that the desired PolicyCenter configuration has been restored.

Upgrade Shared Mode Units to PacketWise 9.2.3

In order to best manage your PacketShapers with PolicyCenter 9.2.3, we strongly recommend you upgrade all your units to PacketWise 9.2.3. Units that are not upgraded will not be able to take advantage of all the new features of PolicyCenter 9.2.3, and may report errors.

! Important: If you upgrade a PolicyCenter deployment with multiple directory servers to PolicyCenter 9.2.3, you must also upgrade all of your PacketShapers to PacketWise 9.2.3. PolicyCenter 9.2.3 deployments with multiple directory servers do not support PacketShapers running earlier versions of PacketWise.

Verify Bootloader Version

Before prescribing the PacketWise v9.2 image, you need to make sure your PacketShapers are using bootloader version 7 or higher.

! Warning: Do NOT load the image on a unit with an earlier bootloader because the PacketShaper will not be able to boot.

To verify the bootloader version:

1. Log in to each PacketShaper.
2. Select Setup > image.

3. Use PolicyCenter’s file distribution feature to load the Bootloader Update plug-in (bootupdt.plg) on all units in a configuration.

After you have verified that all PacketShapers are using bootloader v7 or higher, you can safely distribute the image.

Upgrade Units via File Distribution

Once you have upgraded to PolicyCenter 9.2.3, you can use PolicyCenter’s file distribution feature to obtain the latest software image from the Blue Coat download website, then install the new image on PacketShapers subscribed to PolicyCenter. For additional details, see PacketGuide. Note that this feature requires a valid support service contract.

Configure the File Distribution Server

Before you start distributing files to individual PacketShapers, you must first configure the PolicyCenter file distribution server to retrieve the required image files.

1. Click the Setup tab.
2. From the Setup Page list, select File Distribution Server.
3. On the File Distribution Server setup page, click fetch executables, images and plug-ins from Blue Coat. PolicyCenter will contact the Blue Coat website and download any available new image files.

Update Units with New PacketWise Image

Once the new PacketWise images have been downloaded to your PolicyCenter server, you must prescribe them to PolicyCenter configurations.

1. Choose the PolicyCenter configuration for the units you want to upgrade by clicking the desired configuration in the configuration tree.
2. Click the Configurations tab. The Configurations window opens.
3. Click the Setup tab on the right side of the Configurations window.
4. From the Setup Page list, select Image.
5. Click the Prescribed Image drop-down list, and select the PacketWise 9.2.3 image. If you are upgrading standard PacketShapers, be sure to select a standard (STD) image. Select an ISP image to upgrade PacketShaper ISP.
6. Click apply changes. A warning message about the required bootloader version will appear.
7. Read the warning message screen, and follow the instructions. See “Verify Bootloader Version”.

If the image subscribe policy for the configuration is set to asap, (the default setting), the units assigned to that configuration will download the new image right away. If the image subscription policy is set to scheduled, the units will download the image at the scheduled time.

Note: On rare occasions, an upgraded PacketShaper may not immediately reconnect to the directory server. If a recently upgraded unit displays an error stating that it cannot connect to the directory server, reboot the PacketShaper to reset the connection.

Known Issues in Version 9.2.3

Issues When Upgrading from PC 8.x to Version 9.2

The following upgrade issues are applicable only if upgrading from PC 8.x directly to PC 9.2. If you are upgrading from PC 9.1 to PC 9.2, they are not an issue. [B#173567]

After upgrading PolicyCenter from v 8.x to v9.2:

• When specified in a non-unit parent configuration, the Inbound and Outbound link size values get clamped to 1.5 Mbps, and PolicyCenter displays a configuration error. Workaround:
  1. Edit the parent configuration.
  2. Click the Setup tab and click Apply Changes. (You don’t actually have to make any changes, but you do need to apply.)
  3. Commit the configuration.

• Child unit configurations lose the Inbound and Outbound link size inheritance. Workaround:
  1. Create a fresh parent configuration after upgrading PolicyCenter to 9.2. This configuration can be created by using a copy of any of the child unit configurations under the original parent.
     NOTE: Do NOT create the parent configuration by using a copy of the original parent configuration.
     a. Choose the unit configuration that best matches the parent configuration to be created.
     b. Using the Operations tab, create a copy of this configuration at the same level as the original parent, and rename it as desired. Make any necessary changes to the configuration.
  2. Move the unit configurations under this new parent configuration.
  3. For each child unit configuration, select the Inbound and Outbound Link Size Inheritance checkboxes in the Setup tab and click Apply Changes.
  4. Delete the original parent configuration.

BCAAA Connection Issue

PolicyCenter is connected to BCAAA only while users have an active PolicyCenter session. When a user logs out of a PolicyCenter session, the PolicyCenter connection to BCAAA is also terminated. When a user logs back in to PolicyCenter, the connection to BCAAA automatically gets re-established after a short delay. Until PolicyCenter reconnects to BCAAA, you may briefly see a message that user awareness is not configured. [B#188166]

User Awareness Issue

User lists that are inherited from another PolicyCenter configuration do not show the (I) designation. However, this is just a cosmetic display issue; the list is inherited and can’t be edited or deleted. [B#181933]

GUI Allows Classes with Duplicate Names

The PolicyCenter GUI allows the creation of classes with the same name as long as the matching rules are different. This is not an issue in the PolicyCenter CLI. [B#188180]

Large Configurations are Slow to Subscribe

The larger and more complex the traffic tree, the longer it takes to subscribe the PacketShaper to PolicyCenter using the convert option. With configurations that contain lots of partitions and matching rules, the telnet session may appear to hang until the subscription process is complete. [B#170670]

Locked File during Uninstall

When using the PolicyCenter uninstall utility, you may encounter a Locked File Detected message. If you see this message, use the Ignore option and then manually delete the BlueCoatSystems folder and its contents after the uninstall utility completes. [B#168925]

Error Displayed when Creating Reports

When saving a report in PolicyCenter’s Reports tab, the following message appears: Error occurred. Failed to load graphs. Despite this message, the report is actually created and can be viewed on the PacketShaper. [B#168930]

Matching Rule Issue

After you have edited a matching rule and applied the change, you may see Error 0001. This typically happens after you have attempted to edit the rule with an invalid specification (such as duplicate matching rule). If this happens, switch to another configuration and then back to the one you were editing; this action forces PolicyCenter to read the configuration again, loading the matching rule back in memory. [B#161448]

SSL Cipher Strength Inheritance

• Cipher strength re-inheritance does not always work properly. Although the Minimum SSL Cipher Strength setting indicates that the PacketShaper is inheriting the strength setting from the parent configuration, the unit is still using the override setting. [B#145874]

• The output of the setup ssl cipherstrength show CLI command does not indicate whether the setting is inherited or overridden from the parent configuration. [B#148873]

Duplicate IDs after Copying Classes

After copying classes in a parent configuration and applying it to a child configuration, you may see an error that a class ID is already in use. If this happens, you can manually assign a different ID to the class using the class ID CLI command. Make sure to select an ID that is not already being used; the class services id lists the IDs that are used for built-in services. [B#144803]

Inability to Delete Backup Configuration

Backup configurations can be deleted only if the original unit configuration has not been changed. If the original unit config is changed, the backup configuration becomes unresponsive; you will need to log out and log back into PolicyCenter to delete the backup configuration. This situation can be avoided if the unit configurations are placed as child configurations under a non-unit parent configuration. [SR 2-396611342; B#168990]

Configuration Issues

• Occasionally PolicyCenter displays the configuration before an operation is completed. For example, this might happen when modifying service group or URL categorization settings. If the configuration doesn’t look correct, try refreshing the browser. [B#144892]

• If you remove an override from a draft configuration, you will not see the setting reinherited from the parent configuration until you commit the draft. [B#113547]

Service Group Configuration Errors

After editing a child configuration, you may see configuration errors that indicate a service appears in more than one group. (This can happen when a group is inherited from a parent configuration, and services have been moved into other local groups.)

If you mouse over the error icon, the message indicates the name of the group(s) containing the conflicting services. (Unassigned in this example.) If you open up the Unassigned group, each conflicting service is marked with a configuration error.

Moving the conflicting service back to the indicated group and applying the change may fix the errors. However, if you have multiple configuration errors in the child configuration and are unable to fix all of them, you can use the re-inherit all button to re-inherit all service groups from the parent configuration. This operation will delete all existing groups from the current configuration, including local custom groups, before inheriting the parent's service groups.

Service Group Issues

• After you reset groups to their default settings, in certain situations a custom group may not be marked as overridden when it should be. [B#127481]

• Services may not move to the Unassigned group after you delete an overridden group or check the Inherit checkbox for an overridden group. Blue Coat recommends that you use the re-inherit all command when you want to re-inherit service groups. [B#127609]

Inherited Passwords

When a PacketShaper is subscribed to PolicyCenter, you cannot change the PacketShaper’s passwords from inherited to local on the Security setup page. The workaround is to change the look and touch passwords and then apply the change. Although you may see an error message, the status of the touch and look passwords does change from inherited to local. [B#113257]


Browser Issues

• When using Internet Explorer, you may need to turn on Compatibility View if any of the UI screens don’t render properly.

• When you open PolicyCenter with a secure connection (https), the browser indicates that there is an issue with the security certificate; this is because PolicyCenter uses a self-signed certificate. If you get this message, you should choose the option to continue (such as Continue to this website in Internet Explorer or I understand the risks in Firefox).

• When you upgrade to PolicyCenter 9.2.3, the screen to configure PolicyCenter may not automatically appear if you are using Firefox as your default browser. If the configuration screen does not appear after installing PolicyCenter 9.2.3, open the configuration screen by opening a Firefox browser window on the PolicyCenter server, and entering localhost in the address bar. [B#113504]

• At times, when you access PolicyCenter through a secure connection, the Internet Explorer browser may unnecessarily display a dialog box with the following message: This page contains both secure and nonsecure items. Do you want to display the nonsecure items? Clicking either Yes or No on this dialog box will reload the page, but will not disable or compromise your PolicyCenter security settings. All traffic will continue to be encrypted. [B#113457]
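Because the self-signed certificate cannot be validated against a trusted authority, the warning looks the same whether the browser reached the PolicyCenter server or something else; comparing the certificate's fingerprint with one recorded on the server itself settles which. The following is an added example, not Blue Coat code: the function names are hypothetical, the sample bytes are constructed, and it assumes the SHA-256 fingerprint was obtained out of band.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed-sample-der-bytes-for-demo"


def normalize_fingerprint(text):
    """Accept 'AA:BB:...' or 'aabb...' and return 64 lowercase hex digits."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def der_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, as browsers show in certificate details."""
    return hashlib.sha256(der_bytes).hexdigest()


def matches_pin(der_bytes, pinned):
    """True only if the presented certificate is exactly the recorded one."""
    return hmac.compare_digest(der_fingerprint(der_bytes),
                               normalize_fingerprint(pinned))


def fetch_server_cert_der(host, port=443, timeout=5.0):
    """Return the certificate the server presents, without trusting it.

    Chain validation is switched off only to read the self-signed
    certificate; trust comes from matches_pin(), not from this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    pin = der_fingerprint(SAMPLE_DER)   # in practice: recorded on the server
    print(matches_pin(SAMPLE_DER, pin))            # same certificate
    print(matches_pin(SAMPLE_DER + b"\x00", pin))  # different certificate
```

In use, pass the bytes returned by fetch_server_cert_der() to matches_pin() and continue past the browser warning only when the result is True.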

Auto-Deployed Units May Not Display Full Config Path

If you successfully auto-deploy a unit running PacketWise 9.2.3 and then issue the command unit show, the Configuration Name column in the output of this command may incorrectly display only the unit’s parent configuration, rather than displaying the unit's full configuration path. The Units table in the PolicyCenter browser interface may also display just the unit’s parent configuration in the Configuration table column. Reassign the unit to another sharable configuration to correctly display the full configuration path for the unit, including the parent configuration and the unit’s individual serial-number configuration. [B#113493]

Units May Display Errors After Migrating Between Directory Servers

When you migrate a unit from the core directory server to an edge directory server, the unit may display a “timed out” error message until it updates its status entry, even though the unit has successfully changed directory servers. [B#113471]

Avoid Duplicate Class IDs by Autodiscovering Classes in Unique Locations

PacketShapers generate class IDs based on the full path of the class name. When multiple units assigned to a single PolicyCenter configuration each autodiscover or create the same Inbound or Outbound traffic class (i.e. /Inbound/<discoveredclass>, Inbound/<createdclass>, or Inbound/<pathname>/<class>), these units will each create the same class ID for that traffic class. Although neither PolicyCenter nor the PacketShapers involved will report errors, if IntelligenceCenter finds the same class ID more than once on the same PacketShaper, these multiple class IDs could cause IntelligenceCenter to report incorrect data. Either delete and recreate this traffic class, or assign it a different class ID with the CLI command class id. [B#20025]

To avoid this problem, you need to configure each individual PacketShaper so that the unit’s autodiscovered traffic classes all have unique class names. This can be done by creating a traffic class based on the IP address or physical location of the unit at the configuration root, configuring the class service to match service:any, and then turning on autodiscovery within the traffic class. For example, if you had two PacketShapers named Los_Angeles and New_York that you wanted to manage via PolicyCenter, you could create the class Inbound/Los_Angeles on one unit and Inbound/New_York on the other, then turn on traffic class autodiscovery.


When both units autodiscover Inbound FTP, HTTP, DNS and WINS classes, these classes would have unique class names, and therefore unique class IDs.

PacketShaper 1
/Inbound
    Los_Angeles
        FTP
        HTTP
        DNS
        WINS

PacketShaper 2
/Inbound
    New_York
        FTP
        HTTP
        DNS
        WINS

Once these traffic classes have been uniquely discovered, they can be copied or moved to another location within their PolicyCenter configuration without causing duplicate class IDs. For example, the classes /Inbound/Los_Angeles/FTP and /Inbound/Los_Angeles/HTTP could be copied to the configuration root, and the autodiscovered FTP and HTTP classes deleted, resulting in the following traffic tree on both units:

/Inbound
    FTP
    HTTP
    Los_Angeles
        DNS
        WINS
    New_York
        DNS
        WINS

The /Inbound/FTP and Inbound/HTTP classes for both PacketShapers can now be managed together, and those classes will each have a unique class ID.


Additional Information

PolicyCenter Should Not be Installed on Server with Team Interface

If you have configured your server with team interfaces, you must un-team them and use a “single interface” setup before installing PolicyCenter on this server.

Prepare PacketShapers for Data Replication

When migrating PacketShapers attached to a core directory server to be under an edge directory server, use the pc replication prepare command to prepare PacketShaper units for data replication before you configure the edge directory server. If your units are not correctly prepared for a multiple directory server deployment using this command, any units that remain attached to the core directory server may generate excessive replication traffic, leading to large log files, excessive network utilization, and possible directory server failure.

Downgraded Units May Not Support Secure Connections to the Directory Server

If you connect a PacketShaper to the directory server via a secure connection and later downgrade that unit to a version of PacketWise that does not support secure LDAP, the unit may temporarily lose its connection to the directory server. To avoid this problem, first revert the unit to local mode, add the unit back to PolicyCenter without the secure connection option, and then downgrade the unit.

Reinherit Settings from Parent Configurations by Deleting Overrides or Setting Local Values to “Default”

If a configuration setting is defined on both a parent configuration and a child configuration, the setting on the child configuration will override the value inherited from the parent. However, if you clear a configuration setting on a child draft configuration, that blank setting will still override the values configured on its parent configuration. To completely remove an overriding value so the child configuration can reinherit that setting from its parent configuration, you must create a draft version of the child configuration and use the PolicyCenter command-line interface to either return the setting to its default value or delete the configuration object altogether. [B#29142]

For example, if you configure flow detail records (FDR) collectors on a child configuration then later clear those settings via the PolicyCenter browser interface, the child configuration will not inherit any FDR collectors defined on its parent configuration. To remove the overriding blank settings from the child configuration, create a draft of the child configuration, issue the CLI command setup flowrecords id <ID> default, then commit the draft. Once the child configuration’s FDR collector settings are reset to their default values, that child can again inherit FDR collector settings from its parent configuration.

If a child configuration has different configuration settings than its parent and you want the child to reinherit a value from its parent configuration, simply delete the overriding object. As an example, suppose a PolicyCenter parent configuration has the TACACS+ accounting host 172.21.7.7 and one of its child configurations has the accounting host 172.21.7.8. If you no longer wanted a different accounting host on that child configuration, and would like the child configuration to reinherit the host from its parent, you would have to create a draft of the child configuration and then issue the command setup tacacs auth primary|secondary delete from the PolicyCenter CLI.


Xpress Tunnels are not Propagated from Parent to Child Configurations

Xpress tunnels defined on a PolicyCenter sharable configuration will not be propagated to any individual unit configurations assigned to the sharable configuration. Therefore, you must create Xpress tunnels directly on your unit configurations. [B#27400]

Use PolicyCenter to configure Xpress tunnels by accessing the unit’s individual serial-number configuration and creating the tunnel there. You can also configure Xpress tunnels via the unit’s own command-line or browser interfaces.

PacketShaper Login Page Does Not Display When Unit Configuration Is Missing

When a PacketShaper is missing its configuration (possibly because the unit’s configuration was inadvertently deleted from PolicyCenter) the PacketShaper login page will not display correctly. To resolve this problem, log in to the PolicyCenter CLI, and issue the command config show to display the name of the configuration to which the unit is assigned. Next, recreate a new PolicyCenter configuration with the same name as the missing configuration. [B#21733]
