
Solution Options for the issue with ssl trust-package download-now ignoring proxy setting, with Content Analysis - Specific to CAS-S400 - For ABRCA_root Certificate Update


Article ID: 227028


Updated On:

Products

CAS-S400

Issue/Introduction

Solution Options for the issue with ssl trust-package download-now ignoring proxy setting, with Content Analysis - Specific to CAS-S400 - For ABRCA_root Certificate Update

Environment

CAS Release : 2.4.2.1 and on CAS-S400 appliance only.

Resolution

The reported issue has been confirmed as a bug in which the trust package update does not use the configured proxy settings. If the system has no other way to reach the internet, the request will fail. The bug ID is NPPCAS-68847.

Specific to CAS-S400, there are multiple ways to approach this issue.

  1. Update the trust package by downloading it from http://appliance.bluecoat.com/sgos/trust_package.bctp and hosting it locally (on an external server) to update.
  2. Upgrade to 3.1.2.2 or later (we recommend 3.1.3.0).
  3. Allow outbound communication outside of the explicit proxy settings.

With option 1, the customer is responsible for the external server.

If the server is the Management Center, HTTP must be enabled on it. See guidance in the snippet below.

Example of settings with Management Center:

Upload the bctp package to Management Center

  • Configuration > Files; Add File; Select the bctp package;
  • When the upload is complete, highlight and click Copy Link. Copy the link.

Note: In the URL, replace "https" with "http" and the port "8082" with "8080". See sample URL 

Still on the Management Center, make sure the "Device Type" for the trust package is set to Content Analysis, as shown in the snippet below. This references the specific Content Analysis appliance already added to the MC as a network device.

On Content Analysis

Putty > Login > enable > config > ssl > trust-package url <paste link from previous step>, then press the "Enter" key. As a reminder, you will need to modify the link to http://<managementcenterip>:8080/<rest of the link from MC> in order for it to work.

Then run trust-package download-now at the CAS(config-ssl)# prompt. See a sample CAS-side implementation in the snippet below.
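The link rewrite and CLI sequence from the steps above, as an added example (not part of the original article or any Broadcom tooling). The helper names `mc_link_to_http` and `cas_commands` are hypothetical, and the sample link, including its host and path, is constructed; use the real link copied from Management Center.

```bash
#!/usr/bin/env bash
# Added example: turn a Management Center "Copy Link" URL into the
# http/8080 form the article requires, then print the CAS CLI steps.

# Rewrite https://<host>:8082/<path> to http://<host>:8080/<path>.
# Only the scheme and port are changed; "8082" or "https" appearing
# inside the path is left untouched. Fails on any other link form.
mc_link_to_http() {
    local link="$1" rest host path
    case "$link" in
        https://*) rest="${link#https://}" ;;
        *) echo "error: expected an https:// link" >&2; return 1 ;;
    esac
    host="${rest%%/*}"          # host:port part
    path="${rest#"$host"}"      # /rest/of/link (empty if none)
    case "$host" in
        *:8082) host="${host%:8082}:8080" ;;
        *) echo "error: expected port 8082" >&2; return 1 ;;
    esac
    [ -n "$path" ] || { echo "error: link has no file path" >&2; return 1; }
    printf 'http://%s%s\n' "$host" "$path"
}

# Print the command sequence to type into the Content Analysis CLI,
# in the order given in the article.
cas_commands() {
    local url
    url="$(mc_link_to_http "$1")" || return 1
    printf '%s\n' "enable" "config" "ssl" \
        "trust-package url $url" "trust-package download-now"
}

# Constructed sample link (documentation address, made-up path).
SAMPLE_LINK='https://192.0.2.10:8082/constructed/path/trust_package.bctp'
cas_commands "$SAMPLE_LINK"
```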

To clear up the confusion that appears to be present with 3.1: if the version is pre-3.1.2.2, there is no trust package update included. If it is 3.1.2.2 or later, the trust package is packaged with the system. This doesn't guarantee the system won't experience a situation in which a download will be needed. However, it greatly reduces the number of systems that require it. This is the purpose of both the wording and the instructions in the KB article (link provided if you need it for review).

https://knowledge.broadcom.com/external/article/207138

Furthermore, 3.1.2.2 and later do not have the issue with explicit proxy settings that you are experiencing in 2.4.x.x.

Option 3 would require an alternative outbound path, outside the explicit proxy, to the appliance.bluecoat.com location.