The URL categorization feature has the following deployment requirements:

• The PacketShaper must have Internet access to connect to the WebPulse service.
• A DNS server must be configured on the PacketShaper.
• The PacketShaper hardware must have a valid support contract, although there is a 30-day grace period.
• If you want to secure access to the outside interface, do not use the secure option because the URL category feature requires access to a number of outside servers. Instead, use the list security option and add the IP addresses of the following servers to the exception list:

¦ WebPulse service points (Use the setup urlcategory show service CLI command to see the IP addresses of the servers; add the one or two fastest servers.)

¦ category map update server (sitereview.bluecoat.com)

¦ support update server (updates.bluecoat.com)

¦ heartbeat server (hb.bluecoat.com)

Note: To find the IP address associated with each of these servers, use the nslookup command (such as the dns lookup CLI command).

The URL categorization feature has the following limitations:

• Because the PacketShaper gives higher priority to flow delivery than to classification, it will never hold up flows to wait for a response from WebPulse. Therefore, the first few packets of a flow may get classified into a web or default class until WebPulse sends the URL category to the PacketShaper.
• Packet processing takes precedence over URL categorization. If the PacketShaper is under load, category requests may get queued, and some requests may be dropped.
• Behavior for asymmetrically applied redirect policies is non-deterministic for URL category-based classes since URL categorization is done out of path. Therefore, when applying never-admit policies with the redirect option, be sure to apply the policy to the category classes in both directions (Inbound and Outbound).