Solution Options for the issue with ssl trust-package download-now ignoring proxy setting, with Content Analysis - Specific to CAS-S400 - For ABRCA_root Certificate Update
CAS Release: 2.4.2.1 and on the CAS-S400 appliance only.
The reported issue has been confirmed as a bug in which the trust package update does not use the proxy settings. If the system has no other way to reach the internet, the request will fail. The bug ID is NPPCAS-68847.
Specific to CAS-S400, there are multiple ways to approach this instance.
Approaching from option 1, the customer will be responsible for the external server.
If the server is the Management Center, HTTP must be enabled on it. See guidance in the snippet below.
Example of settings with Management Center:
Upload the bctp package to Management Center
Note: In the URL, replace "https" with "http" and the port "8082" with "8080". See sample URL
Still on the Management Center, make sure the "Device Type" for the trust package is set to Content Analysis, as shown in the snippet below. This references the specific Content Analysis appliance already added on the MC as a network device.
On Content Analysis
Putty > Login > enable > config > ssl > trust-package url <paste link from previous step>, then press the "Enter" key. As a reminder, the link must be modified to http://<managementcenterip>:8080/<rest of the link from MC> in order for it to work.
Then run trust-package download-now at the CAS(config-ssl)# prompt. See a sample CAS-side implementation in the snippet below.
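The URL rewrite and command sequence above, as an added example that is not part of the original article or Broadcom tooling. It refuses links that are not in the https/8082 form or that embed credentials; the host name and path in the sample are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

MC_HTTPS_PORT = 8082  # port in the link copied from Management Center (per the article)
MC_HTTP_PORT = 8080   # port the article says to use once HTTP is enabled


def to_http_trust_package_url(mc_link: str) -> str:
    """Rewrite https://<mc>:8082/<rest> to http://<mc>:8080/<rest>."""
    parts = urlsplit(mc_link.strip())
    if parts.username or parts.password:
        raise ValueError("link embeds credentials; they would cross the wire in cleartext")
    if parts.scheme == "http" and parts.port == MC_HTTP_PORT:
        return urlunsplit(parts)  # already in the form the appliance needs
    if parts.scheme != "https":
        raise ValueError(f"expected an https link, got scheme {parts.scheme!r}")
    if parts.port != MC_HTTPS_PORT:
        raise ValueError(f"expected port {MC_HTTPS_PORT}, got {parts.port!r}")
    host = parts.hostname or ""
    if not host:
        raise ValueError("link has no host")
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    # Path and query are copied unchanged so the link still points at the same file.
    return urlunsplit(("http", f"{host}:{MC_HTTP_PORT}", parts.path, parts.query, ""))


def cas_commands(mc_link: str) -> list[str]:
    """CLI lines in the order the article gives them, with the rewritten URL."""
    url = to_http_trust_package_url(mc_link)
    return ["enable", "config", "ssl",
            f"trust-package url {url}",
            "trust-package download-now"]


if __name__ == "__main__":
    # Constructed sample link: host and path are placeholders, not a real MC path.
    sample = "https://mc.example.test:8082/constructed/path/trust_package.bctp"
    print("\n".join(cas_commands(sample)))
```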
To clear up the confusion that appears to be present with 3.1: if the version is pre-3.1.2.2, there is no trust package update included. If it is 3.1.2.2 or later, the trust package is packaged with the system. This doesn't guarantee the system won't experience a situation in which a download will be needed. However, it greatly reduces the number of systems that require it. This is the purpose of both the wording and the instruction within the KB article (link provided if you need it for review).
https://knowledge.broadcom.com/external/article/207138
Furthermore, 3.1.2.2 and later do not have the issue with explicit proxy settings that you are experiencing in 2.4.x.x.
Option 3 would require alternative pathing from the explicit proxy outbound to the appliance.bluecoat.com location.