PDF of PolicyCenter Release Notes version 9.2.11

PolicyCenter Release Notes
Version 9.2.11
May, 2015
P/N 20-0230-9211 Revision A
© 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER,
PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW
EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other
Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other
countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue
Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties
are the property of their respective owners. This document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT. BLUE COAT PRODUCTS, technical services, and any other technical data referenced in this document are subject to
U.S. export control AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR
IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS
AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES,
PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY
OR IMPORT AFTER DELIVERY TO YOU.
Sun, Sun Microsystems, the Sun Logo and any other Sun trademarks included in this product are trademarks or registered trademarks of Oracle, Inc. in the United States and
other countries
ActionScript Library 3.0 (as3corelib v0.9) BSD 2.0 Copyright © 2008, Regents of the University of California. All rights reserved. Redistribution and use in source and binary
forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• Neither the name of the University of California, Berkeley nor the names of its contributors may be used to endorse or promote products derived from this software
without specific prior written permission.
U.S. Government Restricted Rights
Blue Coat software comprises “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. 12.212 (SEPT 1995)
and is provided to the United States Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227-7202-1 (JUN 1995) and 227.7202-3 (JUN 1995). Blue
Coat software is provided with “RESTRICTED RIGHTS.” Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in FAR 52.227-14 and DFAR
252.227-7013 et seq. or their successors. Use of Blue Coat products or software by the U.S. Government constitutes acknowledgment of Blue Coat’s proprietary rights in them
and to the maximum extent possible under federal law, the U.S. Government shall be bound by the terms and conditions set forth in Blue Coat’s end user agreement.
Blue Coat Systems, Inc.
420 N. Mary Avenue
Sunnyvale, CA 94085
http://www.bluecoat.com
Revision History
November, 2012     PolicyCenter 9.2.1
July, 2013         PolicyCenter 9.2.2
August, 2013       PolicyCenter 9.2.3
February, 2014     PolicyCenter 9.2.4
April, 2014        PolicyCenter 9.2.5
June, 2014         PolicyCenter 9.2.6
July, 2014         PolicyCenter 9.2.7
September, 2014    PolicyCenter 9.2.8
December, 2014     PolicyCenter 9.2.9
February, 2015     PolicyCenter 9.2.10
May, 2015          PolicyCenter 9.2.11
Introduction
These release notes document the changes to PolicyCenter version 9.2.11 only. If you are upgrading from
an earlier version of PolicyCenter, you can learn about other new features and software changes by
consulting the release notes for the versions between your current software and v9.2.11.
Acrobat PDF files of all versions of release notes are available for download at
https://bto.bluecoat.com/documentation.
See the following sections for specific information:
Resolved Issues in PolicyCenter 9.2.11
Migrate the PolicyCenter Configuration from Windows 2000/2003 to Windows 2008
Upgrading to PolicyCenter Version 9.2.11
Upgrade Shared Mode Units to PacketWise 9.2.11
Known Issues in Version 9.2.11
Additional Information
Automatic Notification of New Software Releases
To be automatically notified when new PolicyCenter software releases are available, you can subscribe to
the PolicyCenter RSS feed.
Note: The following instructions send the RSS feed to Outlook. However, you can send the feed to Yahoo or
standalone readers as well.
1. Go to: https://bto.bluecoat.com/support/blue-coat-support-rss-feeds
2. Select PolicyCenter from the Products list.
3. Copy the URL.
4. Go to Outlook and right-click the RSS Feeds folder.
5. Select Add a New RSS Feed.
6. Paste in the URL and click Add.
7. Click Yes. A new folder is created in RSS Feeds called knowledgebase - datacategory - PolicyCenter.
When new PolicyCenter knowledge base articles are published, Blue Coat will send an email notification
to the PolicyCenter RSS Feeds folder. The email will contain a link to the article.
Release announcements will provide you with the following types of information for the new release: the
release number, a link to the Downloads page on BTO, highlights of the release, and links to related
documentation and training materials.
Resolved Issues in PolicyCenter 9.2.11
PolicyCenter 9.2.11 contains the following resolved issues. For details on PacketWise resolved issues, see
PacketShaper Release Notes for PacketWise 9.2.11.
• Further enhancements were added to prevent PolicyCenter from resetting after deleting a class
matching rule.
Security Vulnerabilities
Disabling TLS 1.0
PolicyCenter 9.2.11 addresses the vulnerability CVE-2011-3389. TLS 1.1 and 1.2 protocols are supported,
and TLS 1.0 can be disabled.
• PolicyCenter includes support for the new security-related system variables that disable the TLS 1.0
protocol for client and server connections. The TLS 1.0 Client and TLS 1.0 Server variables can be
enabled/disabled for a configuration on the Configurations > Setup > System Variables page. Note
that these variables enable/disable TLS 1.0 for PacketShaper connections, not PolicyCenter; to disable
TLS 1.0 for PolicyCenter connections, you must use the CLI (see next bullet).
• To disable TLS 1.0 for PolicyCenter’s client and server connections, use the following CLI commands
in the PolicyCenter Client:
pc setup variable TLS1Client 0
pc setup variable TLS1Server 0
Note: TLS 1.0 connections are allowed by default, and must be explicitly disabled with these system variables
if you don’t want to allow them.
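To confirm that the server side no longer negotiates TLS 1.0 after setting these variables, the following added example (not Blue Coat code) sends a ClientHello capped at TLS 1.0 and classifies the server's first reply. It builds the record by hand because current OpenSSL-based clients often refuse to offer TLS 1.0 themselves. The function names, the default port 443 and the host name in the comment are assumptions, and the sample replies are constructed.

```python
import os
import socket
import struct

TLS_1_0 = b"\x03\x01"
# RSA and DHE CBC suites defined for TLS 1.0, plus the renegotiation SCSV (0x00FF).
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x00FF)


def _record(rec_type, payload):
    """Wrap a payload in a TLS record header carrying version 3.1."""
    return bytes([rec_type]) + TLS_1_0 + struct.pack("!H", len(payload)) + payload


def build_client_hello(random_bytes=None):
    """Return one TLS record holding a ClientHello that offers TLS 1.0 at most."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        TLS_1_0                                    # client_version: highest offered
        + random_bytes
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return _record(0x16, handshake)


def classify_response(data):
    """Classify the server's first record as (verdict, detail)."""
    if len(data) < 5:
        return ("rejected", "connection closed without a TLS record")
    rec_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rec_type == 0x15 and len(payload) >= 2:
        # Alert 70 is protocol_version. Alert 40 (handshake_failure) can also
        # mean no shared cipher suite, so read the detail before concluding.
        return ("rejected", "alert %d" % payload[1])
    if rec_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        version = payload[4:6]                     # ServerHello.server_version
        if version == TLS_1_0:
            return ("accepted", "server selected TLS 1.0")
        return ("other", "server selected version %d.%d" % (version[0], version[1]))
    return ("other", "unexpected record type %d" % rec_type)


def _recv_exact(sock, count):
    """Read up to count bytes, stopping early if the peer closes."""
    buf = b""
    while len(buf) < count:
        chunk = sock.recv(count - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_tls10(host, port=443, timeout=5.0):
    """Send the TLS 1.0 ClientHello to host:port and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            header = _recv_exact(sock, 5)
            if len(header) < 5:
                return classify_response(header)
            length = struct.unpack("!H", header[3:5])[0]
            return classify_response(header + _recv_exact(sock, length))
    except ConnectionResetError:
        return classify_response(b"")
    except socket.timeout:
        return ("other", "timed out waiting for a reply")


# Constructed sample replies (not captured from a real server).
_HELLO_BODY = TLS_1_0 + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
SAMPLE_SERVER_HELLO_TLS10 = _record(
    0x16, b"\x02" + struct.pack("!I", len(_HELLO_BODY))[1:] + _HELLO_BODY)
SAMPLE_ALERT_PROTOCOL_VERSION = _record(0x15, b"\x02\x46")  # fatal, alert 70

if __name__ == "__main__":
    print(classify_response(SAMPLE_SERVER_HELLO_TLS10))
    print(classify_response(SAMPLE_ALERT_PROTOCOL_VERSION))
    # Live check against your own server (hypothetical host name):
    # print(probe_tls10("policycenter.example.internal", 443))
```

An "accepted" verdict after TLS1Server has been set to 0 means the server still negotiates TLS 1.0 on that port.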
OpenSSL Upgrade
OpenSSL was upgraded from 1.0.1j to 1.0.1l in PolicyCenter 9.2.11. The upgrade addresses a number of
vulnerabilities. PolicyCenter is not vulnerable to all these CVEs, but they were all included in the upgrade.
• ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
All versions prior to 9.2.10 are not vulnerable because EC is not used. Version 9.2.10 is vulnerable.
• RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
All versions prior to 9.2.11 are vulnerable.
• Bignum squaring may produce incorrect results (CVE-2014-3570)
All versions prior to 9.2.11 are vulnerable.
• DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
Not vulnerable. PolicyCenter does not use DTLS.
• DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
Not vulnerable. PolicyCenter does not use DTLS.
• no-ssl3 configuration sets method to NULL (CVE-2014-3569)
Not vulnerable. OpenSSL for PolicyCenter is not built with no-ssl3.
• DH client certificates accepted without verification [Server] (CVE-2015-0205)
Not vulnerable. PolicyCenter does not use client certificates.
• Certificate fingerprints can be modified (CVE-2014-8275)
Not vulnerable. PolicyCenter does not rely on certificate fingerprints.
Migrate the PolicyCenter Configuration from Windows 2000/2003 to Windows 2008
When replacing your Windows 2000/2003 PolicyCenter server with a Windows 2008 server, you will want
to ensure that your PolicyCenter configuration gets migrated over to the new PolicyCenter deployment.
This section describes the tasks that you need to perform on both servers: the Windows 2000/2003 server
that is currently running PolicyCenter and the new Windows 2008 server to which you want to migrate.
Tasks to Perform on the Windows 2000/2003 Server
You need to upgrade the Windows 2000/2003 server to PolicyCenter 9.2.11 and then back up your
configuration.
1. On the core Windows 2000/2003 server, upgrade to the PolicyCenter 9.2.11 image. See “Upgrade
PolicyCenter” on page 7.
2. In a command window, navigate to the C:\Blue Coat Systems\pcbackup folder.
3. To back up your PolicyCenter configuration, type pcbackup <core_host> where <core_host> is the IP
address of the core directory server. This will store a time-stamped backup folder and its contents at the
location \Blue Coat Systems\PcBackupData. In a multiple directory server deployment, the backup script
automatically retrieves the edge DS addresses from the core server and backs up all core/edge
configuration data.
4. Copy the folder of the newly backed up data to a location that the new Windows 2008 server can access.
Tasks to Perform on the Windows 2008 Server
On the new Windows 2008 server, you need to install Sun Directory Server 7.0, install PolicyCenter 9.2.11,
and restore the configuration.
1. Install Sun Directory Server 7.0 and PolicyCenter 9.2.11 on the core Windows 2008 server.
Note: Refer to the PolicyCenter 9.2 Getting Started Guide for detailed instructions.
2. Copy the backup folder (from step 4 in the previous section) to the following location:
\Blue Coat Systems\PcBackupData
Create the PcBackupData folder if it does not yet exist.
3. Make sure the Windows 2008 server has the same IP address, primary DNS suffix, and gateway as the
Windows 2000/2003 server it is replacing. This will ensure that the PacketShapers will be attached to
the new server.
4. Before you restore backup files, you must discard PolicyCenter’s connection to the directory server and
stop the PolicyCenter service on the Windows server, as described in the following steps.
a. Access the PolicyCenter command-line interface and issue the command config reset to discard
PolicyCenter’s connection to the directory server.
b. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel >
Administrative Services > Services)
c. Select the PolicyCenter service from the list of services.
d. Click the stop icon to stop the PolicyCenter service.
5. Open a command window, and navigate to the \Blue Coat Systems\pcbackup folder.
6. To restore your PolicyCenter configuration, type pcrestore.
The pcrestore script searches for and restores the most recent backup in the PcBackupData folder.
7. In the Windows services panel, select the PolicyCenter service from the list of services.
8. Click the restart icon to restart the PolicyCenter service.
9. Access the PolicyCenter command-line interface and issue the command config set localhost
<password> to reset the connection between PolicyCenter and the directory server.
10. Log in to the PolicyCenter browser interface to verify that the desired PolicyCenter configuration has
been restored.
Upgrading to PolicyCenter Version 9.2.11
Note: After upgrading to PolicyCenter 9.2.11, Blue Coat strongly recommends upgrading all of your
PacketShaper units to PacketWise 9.2.11. Units that are not upgraded will not be able to take advantage of all
the new features of PolicyCenter 9.2.11, and may report errors.
Back Up Configurations Before Upgrading
Always back up your configuration file(s) to the server before upgrading. After you install the new
PolicyCenter and directory server software, you can load the backup configuration files to restore the
configuration if necessary.
PolicyCenter provides an easy way to perform backup and restore of PolicyCenter configurations using the
pcbackup.bat and pcrestore.bat tools that are installed with PolicyCenter. This utility is located in the
\pcbackup folder in the root directory of the PolicyCenter installation. These batch files run a Java utility
that in turn runs Sun LDAP commands and uses the Java ldapsdk to read and write configuration data from
the directory servers.
Important: If your upgrade to PolicyCenter 9.2.11 requires that you also upgrade your directory server
software, do not use the default location to save your backup file, as the file may be lost. Copy the backup file
to the root of your install directory or to your desktop instead.
Because pcbackup.bat depends on the Sun DS Java files and LDAP utilities, you must run pcbackup.bat on
a Windows server where you have already installed PolicyCenter (the core directory server).
To create a backup of all PolicyCenter configurations:
1. Open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically C:\Blue Coat Systems\pcbackup).
3. To back up your PolicyCenter DS servers, type pcbackup <core_host> where <core_host> is the IP
address of the core directory server.
The pcbackup utility retrieves the edge DS addresses from the core server and backs up all core/edge
configuration data to LDIF files stored at C:\Blue Coat Systems\PcBackupData, in a sub-folder named with
the current date and time.
Upgrade PolicyCenter
After you have backed up your PolicyCenter configurations, use the following process to upgrade to
PolicyCenter 9.2.11.
Note: See “Issues When Upgrading from PC 8.x to Version 9.2” on page 13 for known issues after upgrading to
PolicyCenter 9.2.
To upgrade to PolicyCenter 9.2.11:
1. Log in to the Blue Coat download site (https://bto.bluecoat.com/downloads) and download the
PolicyCenter 9.2.11 .zip file (for example, PolicyCenter_9.2.11_Windows.zip).
2. Unzip the file contents to your Windows server.
3. On the Windows server, navigate to the PolicyCenter\Windows folder, and launch the installation
wizard by running the setup.exe file.
4. Select the Update option. The Installation Wizard will stop the existing PolicyCenter service, upgrade
the PolicyCenter software, then restart the PolicyCenter service again. You will not need to go through
Guided Setup again to specify settings for your PolicyCenter server.
5. If your PolicyCenter server stores cookies or temporary Internet files, remove these cookies and
temporary files after installing the upgrade.
6. (Optional) If your PolicyCenter deployment replicates data between edge and core directory
servers, you will need to regenerate SSL certificates for both the edge and core servers, and load
the new certificate on the edge server.
a. From the core PolicyCenter directory server, navigate to the folder PolicyCenter\dsssl.
b. Double-click the program file certificates.exe to launch that utility.
c. The utility opens in a new window and displays the following options:
■ d - display certificate information
■ g - generate a new certificate
■ i - initialize the certificate database
■ l - load a certificate
■ r - remove a certificate
■ q - quit
d. To generate a new SSL certificate, type g then press Enter.
e. You will be prompted to enter the hostname of the edge directory server that needs a certificate.
Note that this command requires the hostname, and not the IP address of the server, for example,
myserver-gx680.
f. A new folder named after the hostname of your edge server will appear in the PolicyCenter\dsssl
directory. Open this folder.
g. If the SSL certificate was generated correctly, there should be three files in the
PolicyCenter\dsssl\<edge_hostname> folder: ca.crt, ssl.crt, and key3.db.
h. Copy these three individual files (but not the folder itself), and place the files directly in the
PolicyCenter\dsssl folder on the edge directory server.
i. Navigate to the PolicyCenter\dsssl folder on the edge directory server, and double-click the
program file certificates.exe to launch that utility.
j. The utility opens in a new window and displays the following options:
■ d - display certificate information
■ g - generate a new certificate
■ i - initialize the certificate database
■ l - load a certificate
■ r - remove a certificate
■ q - quit
k. To load a new SSL certificate, type L then press Enter. The certificates.exe utility will load the new
certificates. If the edge server already had an SSL certificate in this location, the old certificate will
be replaced with the new one.
l. If necessary, repeat this process to generate, copy, and load SSL certificates for any additional edge
servers that require secure replication.
Clear Browser Cache
After upgrading to PolicyCenter 9.2, you must clear the browser cache to see the new functionality. To clear
the cache:
Firefox: Tools > Clear Recent History > Cache
Internet Explorer: Tools > Internet Options > General > Browsing History > Delete > Temporary Internet
files
Chrome: History > Clear browsing data > Empty the cache
The steps for clearing the cache may vary, depending on which browser version you are using.
Note: You should also clear the cache after downgrading.
Tested Browsers
Blue Coat has tested the PolicyCenter 9.2.11 browser user interface with the English version of Microsoft
Internet Explorer 11 on Windows 7.
Other browsers and versions may be compatible, but have not been tested with PolicyCenter 9.2.11.
Note: Chrome may fail to complete HTTPS requests to the PolicyCenter UI; in such cases, an alternate browser
should be used.
Restore a Configuration Backup
Use the following procedure if you need to restore a PolicyCenter configuration to a server after upgrading.
Note that these steps must be performed in the order described.
Step 1: Reset PolicyCenter
Access the PolicyCenter command-line interface and issue the command config reset to discard
PolicyCenter’s connection to the directory server. Close the command-line interface (and the PolicyCenter
browser interface, if open also).
Step 2: Stop the PolicyCenter Service
Stop the PolicyCenter service before you restore a backup file.
1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel >
Administrative Services > Services)
2. Select the Blue Coat PolicyCenter service from the list of services.
3. Click the Stop Service icon to stop the PolicyCenter service.
Step 3: Run Cleantree.bat to Clean Up Old Directory Server Entries (Optional)
Before restoring the configurations, you need to remove old directory server entries from each directory
server; Blue Coat provides a utility to automate this process.
Note: This step is necessary only if the directory server has old DS entries. In most situations, this step can be
skipped.
Sun ONE Directory Server 5.2: For DS 5.2, the cleantree.bat file is located on the Blue Coat download site.
1. Log in to the Blue Coat download site at
https://bto.bluecoat.com/downloads
2. In the PolicyCenter section, locate the Tools and download the .zip file.
3. Open the zip file, and extract the file cleantree.bat to the following folder:
\Program Files\Sun\mps\shared\bin
4. Open a command window, and navigate to the folder:
\Program Files\Sun\mps\shared\bin
5. Issue the command cleantree.bat to launch the utility and delete unnecessary entries.
6. Repeat for each directory server (core and edge).
Sun Directory Server 7.0: Sun Directory Server 7.0 uses different commands to remove directory server
entries than DS 5.2 does. The cleantree.bat script for DS 7.0 is packaged with the PolicyCenter zip file.
1. Change to the directory where the cleantree.bat file is located:
\Program Files\Sun\DSEE.7.0.Windows-X86-zip\DSEE_ZIP_Distribution\sun-dsee7\dsee7\dsrk\bin
2. Issue the command cleantree.bat to launch the utility and delete unnecessary entries.
3. Repeat for each directory server (core and edge).
Step 4: Restore the Directory Server Backup Files
The pcrestore utility finds the most recent backup and restores it to the same core IP address and edge
server addresses that the pcbackup utility discovered.
For a clean restore, uninstall then reinstall the DS on the core server and each edge server, using the
PolicyCenter install option Directory Server Only. You must use the same IP addresses as you did when
creating the backup.
To restore the directory server backup (.LDIF) files:
1. Open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically
C:\Blue Coat Systems\pcbackup).
3. To restore your PolicyCenter configuration, type pcrestore.
Step 5: Reconnect the Directory Server to the Network
If you disconnected your PolicyCenter directory server from the network prior to uninstalling and
reinstalling the directory server software, reconnect the server to the network.
Step 6: Restart the PolicyCenter Service
Restart the PolicyCenter service after you restore a backup file.
1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel >
Administrative Services > Services)
2. Select the Blue Coat PolicyCenter service from the list of services.
3. Click the Start Service icon to restart the PolicyCenter service.
Step 7: Restore the Connection Between PolicyCenter and the Directory Server
Access the PolicyCenter command-line interface and issue the command config setup to reset the
connection between PolicyCenter and the directory server. Alternatively, you may access PolicyCenter
through the browser interface and complete the Guided Setup to reset the connection between PolicyCenter
and the directory server. Finally, log in to the PolicyCenter browser interface to verify that the desired
PolicyCenter configuration has been restored.
Upgrade Shared Mode Units to PacketWise 9.2.11
In order to best manage your PacketShapers with PolicyCenter 9.2.11, we strongly recommend you
upgrade all your units to PacketWise 9.2.11. Units that are not upgraded will not be able to take advantage
of all the new features of PolicyCenter 9.2.11, and may report errors.
Important: If you upgrade a PolicyCenter deployment with multiple directory servers to PolicyCenter 9.2.11,
you must also upgrade all of your PacketShapers to PacketWise 9.2.11. PolicyCenter 9.2.11 deployments with
multiple directory servers do not support PacketShapers running earlier versions of PacketWise.
Verify Bootloader Version
Before prescribing the PacketWise v9.2 image, you need to make sure your PacketShapers are using
bootloader version 7 or higher.
Warning: Do NOT load the image on a unit with an earlier bootloader because the PacketShaper will not be
able to boot.
To verify the bootloader version:
1. Log in to each PacketShaper.
2. Select Setup > image.
3. Use PolicyCenter’s file distribution feature to load the Bootloader Update plug-in (bootupdt.plg) on all
units in a configuration.
After you have verified that all PacketShapers are using bootloader v7 or higher, you can safely distribute
the image.
Upgrade Units via File Distribution
Once you have upgraded to PolicyCenter 9.2.11, you can use PolicyCenter’s file distribution feature to
obtain the latest software image from the Blue Coat download website, then install the new image on
PacketShapers subscribed to PolicyCenter. For additional details, see PacketGuide. Note that this feature
requires a valid support service contract.
Configure the File Distribution Server
Before you start distributing files to individual PacketShapers, you must first configure the PolicyCenter
file distribution server to retrieve the required image files.
1. Click the Setup tab.
2. From the Setup Page list, select File Distribution Server.
3. On the File Distribution Server setup page, click fetch executables, images and plug-ins from Blue Coat.
PolicyCenter will contact the Blue Coat website and download any available new image files.
Update Units with New PacketWise Image
Once the new PacketWise images have been downloaded to your PolicyCenter server, you must prescribe
them to PolicyCenter configurations.
1. Choose the PolicyCenter configuration for the units you want to upgrade by clicking the desired
configuration in the configuration tree.
2. Click the Configurations tab. The Configurations window opens.
3. Click the Setup tab on the right side of the Configurations window.
4. From the Setup Page list, select Image.
5. Click the Prescribed Image drop-down list, and select the PacketWise 9.2.11 image. If you are
upgrading standard PacketShapers, be sure to select a standard (STD) image. Select an ISP image to
upgrade PacketShaper ISP.
6. Click apply changes. A warning message about the required bootloader version will appear.
7. Read the warning message screen, and follow the instructions. See “Verify Bootloader Version” on page
11.
If the image subscribe policy for the configuration is set to asap (the default setting), the units assigned
to that configuration will download the new image right away. If the image subscription policy is set
to scheduled, the units will download the image at the scheduled time.
Note: On rare occasions, an upgraded PacketShaper may not immediately reconnect to the directory server.
If a recently upgraded unit displays an error stating that it cannot connect to the directory server, reboot the
PacketShaper to reset the connection.
Known Issues in Version 9.2.11
Browser SSL Certificate Key Size Modified After Upgrading
After upgrading to PolicyCenter 9.2.11, the browser’s SSL certificate RSA key changes to 2048 bit.
Workaround
The following steps will preserve and restore the current SSL certificate in a PolicyCenter install.
1. On the PolicyCenter server, locate the file https.pem, typically under C:\BlueCoat
Systems\PolicyCenter\cfg.
2. Copy the https.pem file to a safe location (such as the Desktop).
3. Upgrade PolicyCenter to the desired version.
4. Copy the https.pem file saved in step #2, overwriting the https.pem file in the cfg directory.
5. Select Start > Administrative Tools > Services.
6. Right-click Blue Coat PolicyCenter and select Restart.
Issues When Upgrading from PC 8.x to Version 9.2
The following upgrade issues are applicable only if upgrading from PC 8.x directly to PC 9.2. If you are
upgrading from PC 9.1 to PC 9.2, they are not an issue. [B#173567]
After upgrading PolicyCenter from v 8.x to v9.2:
• When specified in a non-unit parent configuration, the Inbound and Outbound link size values get
clamped to 1.5 Mbps, and PolicyCenter displays a configuration error. Workaround:
1. Edit the parent configuration.
2. Click the Setup tab and click Apply Changes. (You don’t actually have to make any changes, but
you do need to apply.)
3. Commit the configuration.
• Child unit configurations lose the Inbound and Outbound link size inheritance. Workaround:
1. Create a fresh parent configuration after upgrading PolicyCenter to 9.2. This configuration can be
created by using a copy of any of the child unit configurations under the original parent.
NOTE: Do NOT create the parent configuration by using a copy of the original parent
configuration.
a. Choose the unit configuration that best matches the parent configuration to be created.
b. Using the Operations tab, create a copy of this configuration at the same level as the original
parent, and rename it as desired. Make any necessary changes to the configuration.
2. Move the unit configurations under this new parent configuration.
3. For each child unit configuration, select the Inbound and Outbound Link Size Inheritance
checkboxes in the Setup tab and click Apply Changes.
4. Delete the original parent configuration.
BCAAA Connection Issue
PolicyCenter is connected to BCAAA only while users have an active PolicyCenter session. When a user
logs out of a PolicyCenter session, the PolicyCenter connection to BCAAA is also terminated. When a user
logs back in to PolicyCenter, the connection to BCAAA automatically gets re-established after a short delay.
Until PolicyCenter reconnects to BCAAA, you may briefly see a message that user awareness is not
configured.
User Awareness Issue
User lists that are inherited from another PolicyCenter configuration do not show the (I) designation.
However, this is just a cosmetic display issue; the list is inherited and can’t be edited or deleted. [B#181933]
GUI Allows Classes with Duplicate Names
The PolicyCenter GUI allows the creation of classes with the same name as long as the matching rules are
different. This is not an issue in the PolicyCenter CLI.
Large Configurations are Slow to Subscribe
The larger and more complex the traffic tree, the longer it takes to subscribe the PacketShaper to
PolicyCenter using the convert option. With configurations that contain lots of partitions and matching
rules, the telnet session may appear to hang until the subscription process is complete.
Locked File during Uninstall
When using the PolicyCenter uninstall utility, you may encounter a Locked File Detected message. If you see
this message, use the Ignore option and then manually delete the BlueCoatSystems folder and its contents
after the uninstall utility completes.
Error Displayed when Creating Reports
When saving a report in PolicyCenter’s Reports tab, the following message appears: Error occurred. Failed to
load graphs. Despite this message, the report is actually created and can be viewed on the PacketShaper.
Matching Rule Issue
After you have edited a matching rule and applied the change, you may see Error 0001. This typically
happens after you have attempted to edit the rule with an invalid specification (such as duplicate matching
rule). If this happens, switch to another configuration and then back to the one you were editing; this action
forces PolicyCenter to read the configuration again, loading the matching rule back in memory.
SSL Cipher Strength Inheritance
• Cipher strength re-inheritance does not always work properly. Although the Minimum SSL Cipher
Strength setting indicates that the PacketShaper is inheriting the strength setting from the parent
configuration, the unit is still using the override setting.
• The output of the setup ssl cipherstrength show CLI command does not indicate whether the setting
is inherited or overridden from the parent configuration.
Duplicate IDs after Copying Classes
After copying classes in a parent configuration and applying it to a child configuration, you may see an
error that a class ID is already in use. If this happens, you can manually assign a different ID to the class
using the class ID CLI command. Make sure to select an ID that is not already being used; the class services
id command lists the IDs that are used for built-in services.
Inability to Delete Backup Configuration
Backup configurations can be deleted only if the original unit configuration has not been changed. If the
original unit config is changed, the backup configuration becomes unresponsive; you will need to log out
and log back into PolicyCenter to delete the backup configuration. This situation can be avoided if the unit
configurations are placed as child configurations under a non-unit parent configuration.
[SR 2-396611342]
Configuration Issues
• Occasionally PolicyCenter displays the configuration before an operation is completed. For example,
this might happen when modifying service group or URL categorization settings. If the
configuration doesn’t look correct, try refreshing the browser.
• If you remove an override from a draft configuration, you will not see the setting reinherited from
the parent configuration until you commit the draft.
Service Group Configuration Errors
After editing a child configuration, you may see configuration errors that indicate a service appears in more
than one group. (This can happen when a group is inherited from a parent configuration, and services have
been moved into other local groups.)
If you mouse over the error icon, the message indicates the name of the group(s) containing the conflicting
services. (Unassigned in this example.) If you open up the Unassigned group, each conflicting service is
marked with a configuration error.
Moving the conflicting service back to the indicated group and applying the change may fix the errors.
However, if you have multiple configuration errors in the child configuration and are unable to fix all of
them, you can use the re-inherit all button to re-inherit all service groups from the parent configuration.
This operation will delete all existing groups from the current configuration, including local custom
groups, before inheriting the parent's service groups.
Service Group Issues
• After you reset groups to their default settings, in certain situations a custom group may not be
marked as overridden when it should be.
• Services may not move to the Unassigned group after you delete an overridden group or check the
Inherit checkbox for an overridden group. Blue Coat recommends that you use the re-inherit all
command when you want to re-inherit service groups.
Inherited Passwords
When a PacketShaper is subscribed to PolicyCenter, you cannot change the PacketShaper’s passwords from
inherited to local on the Security setup page. The workaround is to change the look and touch passwords
and then apply the change. Although you may see an error message, the status of the touch and look
passwords does change from inherited to local.
Browser Issues
• Chrome may fail to complete HTTPS requests to the PolicyCenter UI; in such cases, an alternate
browser should be used.
• When using Internet Explorer, you may need to turn on Compatibility View if any of the UI screens
don’t render properly.
• When you open PolicyCenter with a secure connection (https), the browser indicates that there is an
issue with the security certificate; this is because PolicyCenter uses a self-signed certificate. If you
get this message, you should choose the option to continue (such as Continue to this website in Internet
Explorer or I understand the risks in Firefox).
• When you upgrade to PolicyCenter 9.2.11, the screen to configure PolicyCenter may not
automatically appear if you are using Firefox as your default browser. If the configuration screen
does not appear after installing PolicyCenter 9.2.11, open the configuration screen by opening a
Firefox browser window on the PolicyCenter server, and entering localhost in the address bar.
• At times, when you access PolicyCenter through a secure connection, the Internet Explorer browser
may unnecessarily display a dialog box with the following message: This page contains both secure and
nonsecure items. Do you want to display the nonsecure items? Clicking either Yes or No on this dialog box
will reload the page, but will not disable or compromise your PolicyCenter security settings. All
traffic will continue to be encrypted.
Auto-Deployed Units May Not Display Full Config Path
If you successfully auto-deploy a unit running PacketWise 9.2.11 and then issue the command unit show,
the Configuration Name column in the output of this command may incorrectly display only the unit’s parent
configuration, rather than displaying the unit's full configuration path. The Units table in the PolicyCenter
browser interface may also display just the unit’s parent configuration in the Configuration table column.
Reassign the unit to another sharable configuration to correctly display the full configuration path for the
unit, including the parent configuration and the unit’s individual serial-number configuration.
Units May Display Errors After Migrating Between Directory Servers
When you migrate a unit from the core directory server to an edge directory server, the unit may display a
“timed out” error message until it updates its status entry, even though the unit has successfully changed
directory servers.
Avoid Duplicate Class IDs by Autodiscovering Classes in Unique Locations
PacketShapers generate class IDs based on the full path of the class name. When multiple units assigned to
a single PolicyCenter configuration each autodiscover or create the same Inbound or Outbound traffic class
(i.e. /Inbound/<discoveredclass>, Inbound/<createdclass>, or Inbound/<pathname>/<class>), these units will each
create the same class ID for that traffic class. Although neither PolicyCenter nor the PacketShapers involved
will report errors, if IntelligenceCenter finds the same class ID more than once on the same PacketShaper,
these multiple class IDs could cause IntelligenceCenter to report incorrect data. Either delete and recreate
this traffic class, or assign it a different class ID with the CLI command class id.
To avoid this problem, you need to configure each individual PacketShaper so that the unit’s
autodiscovered traffic classes all have unique class names. This can be done by creating a traffic class based
on the IP address or physical location of the unit at the configuration root, configuring the class service to
match service:any, and then turning on autodiscovery within the traffic class. For example, if you had two
PacketShapers named Los_Angeles and New_York that you wanted to manage via PolicyCenter, you could
create the class Inbound/Los_Angeles on one unit and Inbound/New_York on the other, then turn on traffic
class autodiscovery.
When both units autodiscover Inbound FTP, HTTP, DNS and WINS classes, these classes would have
unique class names, and therefore unique class IDs.
PacketShaper 1
/Inbound
    Los_Angeles
        FTP
        HTTP
        DNS
        WINS

PacketShaper 2
/Inbound
    New_York
        FTP
        HTTP
        DNS
        WINS
Once these traffic classes have been uniquely discovered, they can be copied or moved to another location
within their PolicyCenter configuration without causing duplicate class IDs. For example, the classes
/Inbound/Los_Angeles/FTP and /Inbound/Los_Angeles/HTTP could be copied to the configuration root, and
the autodiscovered FTP and HTTP classes deleted, resulting in the following traffic tree on both units:
/Inbound
    FTP
    HTTP
    Los_Angeles
        DNS
        WINS
    New_York
        DNS
        WINS
The /Inbound/FTP and Inbound/HTTP classes for both PacketShapers can now be managed together, and
those classes will each have a unique class ID.
Additional Information
PolicyCenter Should Not be Installed on Server with Team Interface
If you have configured your server with team interfaces, you must un-team them and use a “single
interface” setup before installing PolicyCenter on this server.
Prepare PacketShapers for Data Replication
When migrating PacketShapers attached to a core directory server to be under an edge directory server, use
the pc replication prepare command to prepare PacketShaper units for data replication before you configure
the edge directory server. If your units are not correctly prepared for a multiple directory server
deployment using this command, any units that remain attached to the core directory server may generate
excessive replication traffic, leading to large log files, excessive network utilization, and possible directory
server failure.
Downgraded Units May Not Support Secure Connections to the Directory Server
If you connect a PacketShaper to the directory server via a secure connection and later downgrade that unit
to a version of PacketWise that does not support secure LDAP, the unit may temporarily lose its connection
to the directory server. To avoid this problem, first revert the unit to local mode, add the unit back to
PolicyCenter without the secure connection option, and then downgrade the unit.
Reinherit Settings from Parent Configurations by Deleting Overrides or Setting Local Values to “Default”
If a configuration setting is defined on both a parent configuration and a child configuration, the setting on
the child configuration will override the value inherited from the parent. However, if you clear a
configuration setting on a child draft configuration, that blank setting will still override the values
configured on its parent configuration. To completely remove an overriding value so the child
configuration can reinherit that setting from its parent configuration, you must create a draft version of the
child configuration and use the PolicyCenter command-line interface to either return the setting to its
default value or delete the configuration object altogether.
For example, if you configure flow detail records (FDR) collectors on a child configuration then later clear
those settings via the PolicyCenter browser interface, the child configuration will not inherit any FDR
collectors defined on its parent configuration. To remove the overriding blank settings from the child
configuration, create a draft of the child configuration, issue the CLI command setup flowrecords id
<ID> default, then commit the draft. Once the child configuration’s FDR collector settings are reset to their
default values, that child can again inherit FDR collector settings from its parent configuration.
If a child configuration has different configuration settings than its parent and you want the child to
reinherit a value from its parent configuration, simply delete the overriding object.
As an example, suppose a PolicyCenter parent configuration has the TACACS+ accounting host 172.21.7.7
and one of its child configurations has the accounting host 172.21.7.8. If you no longer wanted a different
accounting host on that child configuration, and would like the child configuration to reinherit the host
from its parent, you would have to create a draft of the child configuration and then issue the command
setup tacacs auth primary|secondary delete from the PolicyCenter CLI.
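The following added example (a toy model written for these notes' readers, not PolicyCenter code) shows why a cleared setting on a child keeps overriding its parent until the local object is removed, and how to list the blank overrides that hide an inherited value. The Config class, its method names and the setting name fdr_collector are hypothetical, and the 192.0.2.x addresses are constructed sample values.

```python
# Toy model of the inheritance rules described above (not PolicyCenter code).
_ABSENT = object()  # marks "this configuration stores no object for the setting"

class Config:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.local = {}  # setting name -> locally stored value ("" means blank)

    def set(self, key, value):
        self.local[key] = value

    def clear(self, key):
        """Blank the field, as clearing it in the browser interface does."""
        self.local[key] = ""

    def delete(self, key):
        """Assumed model of the CLI default/delete step: drop the local object."""
        self.local.pop(key, None)

    def resolve(self, key):
        """Return (effective value, name of the configuration supplying it)."""
        node = self
        while node is not None:
            value = node.local.get(key, _ABSENT)
            if value is not _ABSENT:  # a blank string still counts as set
                return value, node.name
            node = node.parent
        return None, None

    def blank_overrides(self):
        """List settings whose blank local value hides an inherited value."""
        hidden = []
        for key, value in self.local.items():
            if value == "" and self.parent is not None:
                inherited, source = self.parent.resolve(key)
                if inherited:
                    hidden.append((key, inherited, source))
        return sorted(hidden)

if __name__ == "__main__":
    parent = Config("parent")
    child = Config("child", parent)
    parent.set("fdr_collector", "192.0.2.10")  # constructed sample address
    child.set("fdr_collector", "192.0.2.20")   # constructed sample address
    child.clear("fdr_collector")
    print(child.resolve("fdr_collector"), child.blank_overrides())
    child.delete("fdr_collector")
    print(child.resolve("fdr_collector"))
```

In this model, a non-empty blank_overrides() result on a child marks the settings that need the draft, CLI default or delete, and commit sequence described above.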
Xpress Tunnels are not Propagated from Parent to Child Configurations
Xpress tunnels defined on a PolicyCenter sharable configuration will not be propagated to any individual
unit configurations assigned to the sharable configuration. Therefore, you must create Xpress tunnels
directly on your unit configurations.
Use PolicyCenter to configure Xpress tunnels by accessing the unit’s individual serial-number
configuration and creating the tunnel there. You can also configure Xpress tunnels via the unit’s own
command-line or browser interfaces.
PacketShaper Login Page Does Not Display When Unit Configuration Is Missing
When a PacketShaper is missing its configuration (possibly because the unit’s configuration was
inadvertently deleted from PolicyCenter) the PacketShaper login page will not display correctly. To resolve
this problem, log in to the PolicyCenter CLI, and issue the command config show to display the name of
the configuration to which the unit is assigned. Next, recreate a new PolicyCenter configuration with the
same name as the missing configuration.