The www.notify.bluecoat.com page times out or is inaccessible from the network.

book

Article ID: 167005

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Although www.notify.bluecoat.com is a virtual URL that the ProxySG appliance uses internally, there are scenarios where the ProxySG might contact the OCS to complete the policy evaluation.

For example: When there is a local policy rule with a condition based on an HTTP header (www.notify.bluecoat.com), the ProxySG contacts the OCS to receive a response. When the OCS is unavailable, the ProxySG returns an error message to the client because the rule failed.

 

Resolution

Check if the ICAP best practice is activated, as it is known to cause this issue. It is caused by the following CPL inside your Local Policy File:

<cache>
;    condition=__is_notify_internal response.icap_service(no)
    url.scheme=http condition=NOICAP response.icap_service(no)

Refer to 000012429 to fix this issue.

If this does not apply or if the suggested fix does not resolve the issue, try one of the two solutions proposed below:

1. Set a layer guard to skip these rules. A layer guard is automatically added to all virtual policy manager (VPM) layers. This needs to be manually changed in local policy layers. For example, to negate www.notify.bluecoat.com, set a layer guard in order to bypass policy evaluations. Otherwise, the request processes the rules in the Web Access Layer.

 

If using Local Policy, add layer guard:

<Proxy> condition=!__is_notify_internal url.domain=!"http://notify.bluecoat.com" ;  Layer Guard Rule

    condition=adobe Allow    ; Rule 1
    Deny    ; Rule 2
    policy.NotifyUser1    ; Rule 3
 

 

2. Change Notify User virtual URL to a different URL which can guarantee the user it is always available for normal browsing. Use an internal company domain as a place holder (for example: http://notify.unique.com). However, the domain needs to be valid and obtainable within the network, or at least from the ProxySG appliance. The virtual URL you choose will no longer be accessible through the ProxySG appliance. Therefore, it should be a unique domain which returns a HTTP response, but is not required for any other purpose.

Be aware that the virtual notify URL will no longer be accessible from a browser using the ProxySG appliance.