BCWF Downloads on ProxySG Disabled for Insecure Transport Layer Security (TLS) Versions

Article ID: 266604

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

WebPulse automatically disables older, insecure versions of Transport Layer Security (TLS) as of 2023-06-30.

In most cases, no action is required, as support for the latest TLS versions is automatically enabled when upgrading ProxySG.

However, if you are using the legacy Blue Coat Web Filter (BCWF) database or the Internet Watch Foundation (IWF) database, and TLS 1.2 and TLS 1.3 have been disabled on your appliance, you must update the set of TLS versions that the ProxySG allows.

Environment

This issue only affects:

  • BCWF downloads of WebPulse data or IWF downloads.
  • Appliances that have explicitly disabled newer TLS versions (for example, if an archived configuration from an earlier SG release was pushed after upgrading).


This issue does NOT affect:

  • BCIS downloads of WebPulse data
  • Access to WebPulse (rating server or DRTR lookups) 

Resolution

Use one of the following procedures to allow the latest TLS versions to be used when communicating with WebPulse.

Verify and Enable TLS in the CLI

  1. Verify whether BCWF or BCIS is enabled in the CLI:
    • In the CLI, enter the following command:
      sg# show content-filter bluecoat
    • Verify that the output includes one of the following lines (below Status):
      Data Source: Intelligence Services
      or
      Data Source: WebFilter
    • If the Data Source is Intelligence Services, there is nothing more to do.
    • If the Data Source is WebFilter, continue with the following step.
  2. Verify whether the required TLS versions for BCWF and IWF are installed:
    • In the CLI, enter the following command:
      sg# show ssl ssl-device-profile default
    • Verify that the output includes something similar to the following Protocol line:
      Protocol: tlsv1.2 tlsv1.3
    • If the output includes tlsv1.2 or tlsv1.3, there is nothing more to do.
    • If both protocols are missing, continue with the following step.
  3. Enable the newer TLS versions for BCWF and IWF downloads:
    • In the CLI, edit the default SSL device profile by entering the following commands:
      sg# config terminal
      sg# (config) ssl
      sg# (config ssl) edit ssl-device-profile default
    • For SGOS 7.2 and later, enable TLS 1.2 and TLS 1.3 by entering the following command:
      sg# (config device-profile default) protocol tlsv1.2 tlsv1.3
    • For SGOS 6.5 through 7.1, enable TLS 1.2 by entering the following command:
      sg# (config device-profile default) protocol tlsv1.2
    • For SGOS 6.4 and earlier, upgrade to a supported SG release.
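
The decision in steps 1 through 3 can be applied to CLI output saved from several appliances. The following is an added example, not part of the original article or any vendor tooling; the function names and the sample captures are constructed, and the captures contain only the lines the article quotes.

```python
import re

MODERN = {"tlsv1.2", "tlsv1.3"}

def _field(label, text):
    """Return the value of the first 'Label: value' line, or None if absent."""
    m = re.search(rf"^[ \t]*{re.escape(label)}:(.*)$", text, re.M | re.I)
    return m.group(1).strip() if m else None  # strip() also drops a trailing CR

def fix_command(sgos_version):
    """Map an SGOS version to the step 3 command; None means upgrade first."""
    major, minor = (int(p) for p in sgos_version.split(".")[:2])
    if (major, minor) >= (7, 2):
        return "protocol tlsv1.2 tlsv1.3"
    if (major, minor) >= (6, 5):
        return "protocol tlsv1.2"
    return None

def assess(content_filter_out, device_profile_out, sgos_version):
    """Walk steps 1-3 over saved CLI output and return (verdict, detail)."""
    source = _field("Data Source", content_filter_out)
    if source is None:
        return ("unknown", "no Data Source line in captured output")
    if source.lower() != "webfilter":
        return ("ok", "Data Source is not WebFilter")
    protocols = _field("Protocol", device_profile_out)
    if protocols is None:
        return ("unknown", "no Protocol line in captured output")
    if MODERN & set(protocols.lower().split()):
        return ("ok", "default device profile allows TLS 1.2 or TLS 1.3")
    cmd = fix_command(sgos_version)
    if cmd is None:
        return ("upgrade", "upgrade to a supported SG release")
    return ("fix", cmd)

# Constructed, abbreviated captures (real output has more lines).
CF_WEBFILTER = "Data Source: WebFilter\r\n"
CF_BCIS = "Data Source: Intelligence Services\n"
PROFILE_OLD = "Protocol: tlsv1 tlsv1.1\n"
PROFILE_NEW = "Protocol: tlsv1.2 tlsv1.3\n"

if __name__ == "__main__":
    for name, cf, prof, ver in [
        ("sg-a", CF_WEBFILTER, PROFILE_OLD, "7.3.14.1"),
        ("sg-b", CF_WEBFILTER, PROFILE_OLD, "6.7.5.3"),
        ("sg-c", CF_BCIS, PROFILE_OLD, "7.3.14.1"),
    ]:
        print(name, *assess(cf, prof, ver))
```

A "fix" verdict carries the command to enter at the `(config device-profile default)` prompt shown in step 3.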

Verify and Enable TLS in the Java Management Console (Java MC)

  1. Verify whether BCWF or BCIS is enabled in the Java MC:
    • In the Java MC, select Configuration > Content Filtering > Blue Coat, and verify the Data Source setting.
    • If the Data Source is set to Intelligence Services, there is nothing more to do.
    • If the Data Source is set to WebFilter, continue with the following step.
  2. Verify whether the required TLS versions for BCWF and IWF are installed:
    • Select Configuration > SSL > Device Profiles, select the default profile, and click Edit.
    • In the Edit Device Profile dialog, if the SSL Protocols list includes TLSv1.2 or TLSv1.3, there is nothing more to do.
    • If both protocols are missing, continue with the following step.
  3. Enable the newer TLS versions for BCWF downloads:
    • In the Edit Device Profile dialog, opened in the preceding step, select TLSv1.2 for SSL Protocols.
    • In SGOS 7.2 and later, you can optionally select TLSv1.3.
    • Click OK to close the dialog, and click Apply to save the changes.

Verify and Enable TLS in the SG Admin Console (SGAC)

  1. Verify whether BCWF or BCIS is enabled in the SGAC:
    • In the SGAC, select Administration > Data and Cloud Services > Content Filtering, and click BlueCoat in the Providers Table.
    • If the Data Source is set to Intelligence Services, there is nothing more to do.
    • If the Data Source is set to WebFilter, continue with the following step.
  2. Verify whether the required TLS versions for BCWF and IWF are installed:
    • Select Configuration > SSL > Device Profiles, and click the default profile to edit it.
    • In the Edit Device Profile dialog, if the SSL Versions list includes TLSv1.2 or TLSv1.3, there is nothing more to do.
    • If both protocols are missing, continue with the following step.
  3. Enable the newer TLS versions for BCWF downloads:
    • In the Edit Device Profile dialog, opened in the preceding step, select TLSv1.2 in SSL Versions.
    • In SGOS 7.2 and later, you can optionally select TLSv1.3.
    • Click OK to close the edit dialog, and click Apply to save the changes.