The URL categorization feature has the following deployment requirements:
- The PacketShaper must have Internet access to connect to the WebPulse service.
- A DNS server must be configured on the PacketShaper.
- The PacketShaper hardware must have a valid support contract, although there is a 30-day grace period.
- If you want to secure access to the outside interface, do not use the secure option because the URL category feature requires access to a number of outside servers. Instead, use the list security option and add the IP addresses of the following servers to the exception list:
  - WebPulse service points (Use the setup urlcategory show service CLI command to see the IP addresses of the servers; add the one or two fastest servers.)
  - category map update server (sitereview.bluecoat.com)
  - support update server (updates.bluecoat.com)
  - heartbeat server (hb.bluecoat.com)
Note: To find the IP address associated with each of these servers, use a DNS lookup tool such as nslookup or the dns lookup CLI command.
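Because the exception list holds IP addresses while the servers are named by hostname, the list can drift when DNS answers change. The following added example (not Blue Coat code) audits an exception list against current lookups; it assumes the list is available as plain strings, that entries may be single IPs or CIDR blocks, and that the WebPulse service point IPs are supplied by hand. All sample addresses are constructed.

```python
import ipaddress
import socket

# Hostnames from the requirements list above.
REQUIRED_HOSTS = {
    "category map update server": "sitereview.bluecoat.com",
    "support update server": "updates.bluecoat.com",
    "heartbeat server": "hb.bluecoat.com",
}

# Constructed sample DNS answers (documentation address ranges, not real data).
SAMPLE_DNS = {
    "sitereview.bluecoat.com": {"192.0.2.10"},
    "updates.bluecoat.com": {"198.51.100.20", "198.51.100.21"},
    "hb.bluecoat.com": {"203.0.113.30"},
}


def system_resolver(hostname):
    """IPv4 addresses the local DNS resolver currently returns for hostname."""
    return set(socket.gethostbyname_ex(hostname)[2])


def audit_exception_list(entries, service_point_ips, resolver=system_resolver):
    """Return (missing, unexplained) for an exception list of IPs or CIDR blocks.

    missing: role -> addresses that resolve now but no entry covers.
    unexplained: entries matching no required server or service point.
    """
    networks = [ipaddress.ip_network(e, strict=False) for e in entries]
    # Service point IPs are copied by hand from 'setup urlcategory show service'.
    expected = {ipaddress.ip_address(ip) for ip in service_point_ips}
    missing = {}
    for role, host in REQUIRED_HOSTS.items():
        resolved = {ipaddress.ip_address(a) for a in resolver(host)}
        expected |= resolved
        gaps = sorted(str(a) for a in resolved if not any(a in n for n in networks))
        if gaps:
            missing[role] = gaps
    unexplained = [e for e, n in zip(entries, networks)
                   if not any(a in n for a in expected)]
    return missing, unexplained


if __name__ == "__main__":
    # Constructed exception list; 192.0.2.200 stands in for a service point.
    current = ["192.0.2.10", "198.51.100.20", "192.0.2.200", "203.0.113.99"]
    print(audit_exception_list(current, ["192.0.2.200"], SAMPLE_DNS.__getitem__))
```

Entries reported as unexplained are candidates for removal from the exception list, since each one is an outside address that can reach the interface without a documented reason.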
The URL categorization feature has the following limitations:
- Because the PacketShaper gives higher priority to flow delivery than to classification, it will never hold up flows to wait for a response from WebPulse. Therefore, the first few packets of a flow may get classified into a web or default class until WebPulse sends the URL category to the PacketShaper.
- Packet processing takes precedence over URL categorization. If the PacketShaper is under load, category requests may get queued, and some requests may be dropped.
- Behavior for asymmetrically applied redirect policies is non-deterministic for URL category-based classes since URL categorization is done out of path. Therefore, when applying never-admit policies with the redirect option, be sure to apply the policy to the category classes in both directions (Inbound and Outbound).