When and why do I configure the secondary interface on the ProxyAV?
The secondary interface on the ProxyAV is used as a management port, as a redundant ICAP connection, or as both.
The optional secondary interface on the ProxyAV can be used as a backup ICAP connection to a ProxySG, as a management interface, or as both. To do this, you must configure the primary interface first. After you configure access to the ProxyAV management console, you can enable the secondary interface from the Network tab in the UI.
Blue Coat recommends that you configure the primary IP address of the ProxyAV on the same subnet as the ProxySG (and ideally as physically close to each other as possible). With this in mind, the following rules apply to the secondary interface IP:
The IP address specified for the secondary interface must be different from that of the primary interface.
The secondary interface must be configured on a different subnet than the primary interface.
Forwarding between interfaces is not supported.
The secondary interface must connect to a different subnet than the primary. Once this connection is online, the ProxyAV continues to access all resources using the primary interface (via the default gateway). Traffic may arrive on the secondary interface, but will leave via the primary. If traffic has been addressed to the secondary IP, the reply carries the secondary IP as its source address but is sent out of the primary interface.
To return traffic via the secondary interface, you must configure a static route. To configure a static route, go to the Advanced > Route Table option in the Management Console and specify which subnets will return via the secondary interface (to the default gateway of your secondary subnet). This is useful to ensure that management traffic is returned via the management interface, or to allow backup/specialized ICAP traffic to reach another ProxySG or IP address as needed.
An example of configuring the ProxyAV with a secondary management interface is shown below:
In this example, the static route is added as follows:
The blue line represents management traffic via a separate LAN (or VLAN) into interface 2. Because the ProxyAV appliance can only have one default gateway (172.16.10.1, in this example), all traffic originating from the ProxyAV will leave interface 1.
All traffic destined for the management network will exit via interface 2. Should the primary interface be unavailable, the ProxyAV is still accessible via this network.
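The interface rules and the return-path behaviour described above can be checked with a small routing model. This is an added Python example, not Blue Coat code or ProxyAV output; only the default gateway 172.16.10.1 comes from this page, and every other address, prefix length and function name is a constructed assumption.

```python
import ipaddress

# Constructed sample addressing; only the default gateway is taken from the page.
PRIMARY = "172.16.10.5/24"      # interface 1 (prefix length assumed)
SECONDARY = "10.0.50.5/24"      # interface 2, separate management LAN/VLAN
DEFAULT_GW = "172.16.10.1"
MGMT_ROUTE = ("10.0.99.0/24", "10.0.50.1")  # admin subnet via secondary gateway

def validate_interfaces(primary, secondary):
    """Return the secondary-interface rules from the page that are violated."""
    p, s = ipaddress.ip_interface(primary), ipaddress.ip_interface(secondary)
    problems = []
    if p.ip == s.ip:
        problems.append("secondary IP must differ from primary IP")
    if p.network.overlaps(s.network):
        problems.append("secondary must be on a different subnet than primary")
    return problems

def egress(dest, primary, secondary, default_gw, static_routes=()):
    """Return (interface number, next hop) for a packet sent to dest."""
    d = ipaddress.ip_address(dest)
    ifaces = {1: ipaddress.ip_interface(primary),
              2: ipaddress.ip_interface(secondary)}
    # Connected subnets are delivered directly on the owning interface.
    routes = [(i.network, n, None) for n, i in ifaces.items()]
    for subnet, gw in static_routes:
        out = next((n for n, i in ifaces.items()
                    if ipaddress.ip_address(gw) in i.network), None)
        if out is None:
            raise ValueError(f"gateway {gw} is not on a connected subnet")
        routes.append((ipaddress.ip_network(subnet), out, gw))
    # The appliance has a single default gateway, reached via interface 1.
    routes.append((ipaddress.ip_network("0.0.0.0/0"), 1, default_gw))
    # Longest-prefix match decides the outgoing interface.
    _, out, gw = max((r for r in routes if d in r[0]),
                     key=lambda r: r[0].prefixlen)
    return out, gw or dest

if __name__ == "__main__":
    admin = "10.0.99.20"  # constructed admin workstation that reached interface 2
    print("rule violations:", validate_interfaces(PRIMARY, SECONDARY))
    print("no static route:", egress(admin, PRIMARY, SECONDARY, DEFAULT_GW))
    print("with static route:",
          egress(admin, PRIMARY, SECONDARY, DEFAULT_GW, [MGMT_ROUTE]))
```

Without the static route the reply to the admin workstation leaves interface 1 even though the request arrived on interface 2, which is the asymmetric path that stateful firewalls and reverse-path filters between the two networks commonly drop.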