I want to stop automatic Java updates on end users' machines going through the ProxySG appliance in a transparent deployment.

I want to stop the Java application from fetching automatic updates through the ProxySG, when the user machine has checked "automatic update option enabled."

Follow these steps to stop / block automatic Java updates in a transparent ProxySG deployment. See the notes following.

1. Go to Visual policy Manager (VPM), and select Launch > add Web Access Layer (if there is no existing web access layer)
2. Under the Web access layer, click Add rule
3. Right click on Source column, and select Set > New > Request Header, configure that object as below, then click OK, and OK again

4. Right  click on the Destination column, and select Set > New > Destination Host, configure the Destination Host object as below, then click OK, and OK again

5. Right click on the Action column, and select Deny as the Action
6. Finally, click Install Policy on the visual policy manager (VPM)

Note 1: This will only work in Transparent proxySG deployment. As under explicit settings java update request will follow client machine default gateway (even though if there is proxy setting under Java network settings) . Under explicit deployment it has to be blocked form firewall / default gateway

Note 2: After following steps above, only the Java application update (automatic / manual / forced) will be blocked. The Java user agent will be allowed to go to the Internet for other regular purpose (such as to load content while the Java applet is loaded on the browser) 

Note 3: Above steps will work as long as the following behaviors remain the same for a Java application update: which uses following user agent name and destination URLs to pull the update content? if these behaviors change, the steps above need to be adjusted accordingly
 
HEAD http://javadl-esd.sun.com/update/1.7.0/sp-1.7.0_51-b13/java_sp.dll
User-Agent: JAVACLIENT