Version 8.
PolicyCenter Getting Started Guide
P/N 20-0231-851 Revision A
Copyright 1996-2008 Packeteer, Inc. All rights reserved. Copyright 2008-2009 Blue Coat Systems, Inc. All rights reserved.
Table of Contents

About This Guide
  Transitioning to PolicyCenter
  Other Resources

Chapter 1: Understanding PolicyCenter
  What are the Benefits of PolicyCenter?
  PacketShaper Units Operate in Shared Mode
  Non-Sharable and Sharable Attributes
  Units Can Retain Their Original Configurations in PolicyCenter
  Hierarchical Configurations
  Not All Configurations Inherit Values From Other Configurations
  Child Configurations Allow Individual Changes
  Units with Different Versions of PacketWise Operate Differently in PolicyCenter
  Modifying PacketShapers in PolicyCenter

Chapter 2: PolicyCenter Configuration Strategies
  Identify Groups of Existing Units
  Select a Configuration Strategy
  Comprehensive PolicyCenter Configuration Strategies
  Selective Configuration Strategies
  Functional Configuration Strategies

Chapter 3: Installing PolicyCenter
  Installation Requirements
  Configure the Windows Server
  Configure a Solaris Server
  Install PolicyCenter and the Directory Server Software
  Standard Deployments on a Single Windows Server
  Large Deployments on Multiple Windows Servers
  Large Deployments on a Windows and a Solaris Server
  Install an Edge Directory Server
  Change the Default Administrator Password

Chapter 4: Add PacketShapers to PolicyCenter
  Adding Unconfigured Units
  Create a Comprehensive PolicyCenter Configuration
  Convert a Unit Configuration
  Create the Comprehensive Configuration
  Assign the PacketShaper to its PolicyCenter Configuration
  Add and Assign Other PacketShapers to this Configuration
  Manage your Configurations
  Create a Selective PolicyCenter Configuration
  Create a New PolicyCenter Configuration
  Add Classes to the New Configuration
  Add PacketShapers to PolicyCenter
  Assign the PacketShaper to its PolicyCenter Configuration
  Assign a PacketShaper Running PacketWise 7.5.x, 8.3.x or Higher
  Assign a PacketShaper Running Earlier Versions of PacketWise
  Remove Local Overriding Classes
  Manage your Configurations
  Create a Functional PolicyCenter Configuration
  Create a New PolicyCenter Configuration
  Add Units to PolicyCenter
  Reassign the Unit Configurations
  Assign a Unit Running Earlier Versions of PacketWise

Chapter 5: Manage Users and Organizations
  Create a New PolicyCenter Organization
  Create New User Accounts
  Assign Configurations to an Organization

Chapter 6: Best Practices
  Move/Copy/Delete/Rename Operations
  Configuring Units for PolicyCenter Access
  Unsubscribing Units
  Bulk Changes
  File Distribution Strategies
  Compatible Software
  DNS Name vs. IP Address
  Initial Deployment Strategy
  Saving Configurations

Chapter 7: Saving and Recovering Configurations
  Back Up and Restore a Single Configuration from PolicyCenter
  Back Up and Restore All PolicyCenter Configurations
  Create Backup Files
  Restore Backup Files
  Back Up and Restore the Entire Directory Server Tree
  Create a Backup of the Entire Directory Tree Configuration
  Creating a Scheduled Backup on a Windows Server
  Modify the Sun ONE Backup Script
  Restore a Directory Server Backup Configuration
  Uninstalling the Sun ONE Directory Server

Chapter 8: Using the PolicyCenter Command-Line Interface
  Start the Command Line Interface
  Get an Explanation for a Command
  Get Help With Syntax
  PolicyCenter CLI Commands

Chapter 9: Troubleshooting
  DNS Errors
  TCP/IP Errors
  Solaris Directory Server Installation Errors
  Command-Line or Browser Errors
  IIS Server Errors
  Disable Hardware Acceleration
  Operational Error Messages
  Troubleshooting Commands
  ds sessions
  ds requests
  banner show
  Additional Troubleshooting Solutions

Appendix A: PolicyCenter Capacity Planning for Earlier Versions of PacketWise
  Capacity Planning Depends Upon the Units' PacketWise Versions
  Large Versus Small Configuration Hierarchies
  Recommended Platforms

Index
About This Guide
The PolicyCenter Getting Started Guide provides the information you need to install PolicyCenter on a Windows server, create configurations, add units to PolicyCenter, and assign individual PacketShapers to different configurations. This document assumes that you have a basic understanding of PacketShaper functions, including such concepts as traffic classes, policies, and partitions.

PolicyCenter supports large deployments with hundreds of PacketShapers. This document includes additional information to help you plan your PolicyCenter configuration and deployment, and describes specific installation workflows designed to optimize your PolicyCenter centralized management system.

The following topics are covered in this document:

Chapter 1: Understanding PolicyCenter covers information you need to know before you install PolicyCenter, such as which attributes and settings are sharable within PolicyCenter hierarchical configurations.

Chapter 2: Planning PolicyCenter Configurations identifies the three main strategies for managing a PolicyCenter configuration tree. It is important to consider your configuration strategy before you install PolicyCenter, as the size and complexity of your PolicyCenter configuration tree will help determine which hardware platform will work best for your individual deployment.

Chapter 3: PolicyCenter Capacity Planning explains additional factors that can affect the size and complexity of your PolicyCenter deployment, and describes the required hardware platforms for small and standard PolicyCenter installations.

Chapter 4: Installing PolicyCenter describes the steps required to install PolicyCenter and the directory server software on Windows or Solaris servers.

Chapter 5: Creating Configurations walks you through the steps required to add PacketShapers and create your initial configuration tree.

Chapter 6: Best Practices lists valuable tips and hints that will make it faster and easier to manage your PolicyCenter configurations.

Chapter 7: Saving and Recovering Configurations describes how to back up and restore your PolicyCenter configurations.

Chapter 8: Using the PolicyCenter Command Line Interface gives a brief overview of the PolicyCenter command-line interface. For complete detailed information, see PacketGuide (more information follows).

Chapter 9: Troubleshooting identifies common errors and explains how to fix them.
Transitioning to PolicyCenter
The following figure describes the recommended workflows for deploying a new PolicyCenter centralized configuration management system. Each step is described in detail within this document.
Other Resources
Online Help: The PolicyCenter web browser interface contains context-sensitive help with sufficient detail to assist you in setting up and maintaining PolicyCenter configurations. To access context-sensitive help, click the HELP link. The command-line interface also has online help, which provides command syntax details.

PacketGuide: Included with PolicyCenter is a browser-based reference resource called PacketGuide. In addition to complete reference material pertaining to the use of PacketWise and PolicyCenter software, PacketGuide contains recommendations for solving common network and application problems. There are three ways to access PacketGuide:

  Click the DOCUMENTATION link in the PolicyCenter browser interface.
  Enter the following URL in your Internet Explorer or Firefox browser window:

http://support.bluecoat.com/packetguide/8.5/index-pc.htm

Customer Support: If you have a technical question about PolicyCenter, sign in to the Blue Coat customer support website using your BlueTouch Online credentials:

http://support.bluecoat.com

BlueTouch Online allows you to manage service issues, download software, access documentation, and participate in user forums.
Chapter 1: Understanding PolicyCenter
Suppose a network manager installs a single PacketShaper on his company's network. He may spend one percent of his time updating the configuration of that single PacketShaper. This is not a large percentage of his work week, and so the addition of another four PacketShapers on the network (requiring an additional four percent of his time to configure and update) is not much more difficult for him to manage.

Now suppose that same network manager installs 95 more PacketShapers on the network. The effort that previously took just five percent of his time will now demand one hundred percent of his work day, leaving him time for little else except making every required change to a PacketShaper configuration 100 different times on 100 individual units.

What is needed is an economy of scale: a way to multiply the number of PacketShapers on a network without multiplying the amount of effort required to configure and maintain them. PolicyCenter is the solution, enabling network managers to manage many PacketShapers with the same amount of effort and time it takes to manage just a few.
What are the Benefits of PolicyCenter?
PolicyCenter is a software management system that can maintain multiple PacketShaper configurations on a single server. Because the configurations of all the units on the network are stored in a single place, they can be managed very efficiently.

Multiple PacketShapers can be assigned to a single PolicyCenter sharable configuration, allowing those units to operate with nearly identical configurations. When you commit changes to a sharable configuration, the changes immediately affect all units assigned to that configuration. It is this capability of PolicyCenter that truly provides the economy of scale: one single change to a PolicyCenter configuration can result in an instant configuration update on hundreds of different PacketShapers.

PolicyCenter also allows you to:

  Deploy policies and partitions across multiple PacketShapers.
  Distribute PacketWise software upgrades, plug-ins, customer portal files, and action files.
  View a status summary of all managed PacketShapers.
  Monitor and manage the status of your PacketShapers and network with the adaptive response feature.
PacketShaper Units Operate in Shared Mode
Individual PacketShapers can be configured in either local mode or shared mode.

A unit running in local mode functions independently, and has its entire configuration stored directly on its flash disk. Once PolicyCenter is installed on a network, PacketShapers in local mode can be configured for shared mode and added to PolicyCenter simply by accessing the unit's browser interface, selecting the PolicyCenter access setup page, then entering the DNS name of the directory server and the directory server password.

A unit configured in shared mode is assigned to an individual unit configuration in PolicyCenter, which then applies settings from any parent sharable configurations. When a unit is in shared mode, PolicyCenter continually and efficiently synchronizes the unit's configuration on the directory server with the configuration files on that unit's flash disk; therefore, if you switch from shared mode back to local (or the network connection to the PolicyCenter server is lost), the unit's configuration in local mode will be the same as its last configuration in shared mode. PacketShapers in shared mode may be returned to local mode at any time.
When a PacketShaper is in standalone (local) mode, it operates with its own individual configuration unique to that PacketShaper. When a PacketShaper is set to shared mode, the unit can operate using a combination of both a sharable configuration and an individual configuration unique to that unit.
Non-Sharable and Sharable Attributes
All PacketShapers, regardless of whether they are configured in local or shared mode, operate with an effective configuration that comprises two kinds of attributes: non-sharable and sharable.

Non-sharable attributes are those parts of a unit's effective configuration that are specific to that one PacketShaper. These are called non-sharable because no other PacketShaper will function correctly if configured with all the same non-sharable values as another unit. Every PacketShaper will have a unique set of non-sharable attributes, though more than one unit can be individually configured with some of the same non-sharable attributes, such as DNS name or time and date. A PacketShaper's non-sharable attributes are always stored locally on that unit. Although these attributes can be changed through the unit's browser or command-line interfaces, non-sharable attributes cannot be configured or managed through PolicyCenter.

A unit's sharable attributes are those parts of the unit's configuration that can have values in common with other PacketShapers. Traffic classes, policies, partitions, and adaptive response agents are all examples of sharable configuration attributes, because many different units can have the same traffic classes, or share the same agents. When a unit is in shared mode, it inherits sharable attributes from its PolicyCenter parent configurations.

The following PacketShaper configuration attributes can be part of a PolicyCenter sharable configuration:

  adaptive response agents
  command scheduling
  customer portal settings and files
  email settings
  event definitions
  failover configuration
  flow detail record settings
  global Xpress tunnel settings*, including:
    Compression on/off
    Acceleration on/off
    Fast Start on/off
    Prefetch on/off
    Packing on/off
    Tunnel options (firewall, DiffServ, automatic tunnel discovery, MTU)
    Tunnel security
    Tunnel mode
    Tunnel class overrides
    Tunnel service overrides
  host lists
  HTTPS port definitions
  image version
  inside/outside interface settings
  link speed
  logging
  login message
  modem on console
  organization ownership
  passwords
  plug-in files
  RADIUS authentication and accounting
  service groups
  site router
  SNMP strings and destinations and SNMPv3 configuration tables
  SNTP settings
  SSH settings
  TACACS+ authentication, authorization, and accounting
  traffic classes
  traffic discovery on/off
  traffic shaping on/off
  unit access service protocols
  WCCP settings

*Global Xpress settings, tunnel mode settings, tunnel class overrides, and service overrides are all sharable from a parent to a child configuration. PolicyCenter allows you to create and configure new tunnels and add and remove local and remote hosts on individual unit configurations only.

The following attributes are non-sharable:

  default domain
  DNS server
  gateway address
  high availability**
  hostside settings***
  IP address/mask
  management port settings
  NIC mode settings
  standby partner
  time/date/time zone
  watch mode
  Xpress tunnel hosts

**High availability settings are not sharable from a parent configuration to its child configurations, and should only be configured on an individual unit configuration via PolicyCenter.

***Only the hostside manual or hostside auto setting is sharable from a parent configuration to its child configurations. All other hostside settings should only be configured on an individual unit configuration via PolicyCenter.
Units Can Retain Their Original Configurations in PolicyCenter
Any time you add a PacketShaper to PolicyCenter, it appears as a new individual unit configuration in PolicyCenter. This does not mean that the unit's previous configuration is lost, however.

If you have PacketShapers already configured on your network, you may want those units to retain their existing working configurations even after they have been added to PolicyCenter. You can do this by selecting the convert option as you change the PacketShaper from local mode to shared mode. Enabling or disabling the convert option determines what attributes and settings will appear in the unit's new PolicyCenter configuration.
If you select the convert option while adding the PacketShaper to PolicyCenter, the unit's existing sharable attributes will be converted into a new PolicyCenter unit configuration with the same sharable attributes and values. Because the unit's PolicyCenter configuration will be based upon its previous local configuration, the unit will continue to operate the same in PolicyCenter as it did in local mode. If you do not select the convert option, the unit's sharable configuration is cleared, and its new PolicyCenter configuration will have default settings only.

The convert option is not available when you initially configure a brand new unit for network access, because a new unit has default settings only, and no configuration attributes or values that need to be retained.

See also "Select a Configuration Strategy" on page 11 and "Convert a Unit Configuration" on page 33 for more information on using the convert option.
Hierarchical Configurations
PolicyCenter organizes its sharable configurations into hierarchies with parent and child configurations. The key to understanding PolicyCenter hierarchical configurations is to remember the two basic rules of PolicyCenter:

1. Parent configurations pass their attributes and settings along to their child configurations unless the same attributes are also specified within the child configuration.
2. If an attribute is specified in both a parent and child configuration, the child configuration will not inherit the setting from its parent, but will function with its own setting.

Note: There is a single exception to the second rule, which can occur if you add a unit with auto-discovered classes to PolicyCenter using the convert option. If you later move this configuration under a sharable parent configuration, the child configuration's auto-discovered traffic classes will be overridden by those same traffic classes in the parent configuration. More simply put, a traffic class manually created and defined in a parent configuration will take precedence over the same traffic class that was merely auto-discovered in the child configuration.

With hierarchical configuration groups, a parent configuration can have more than one child configuration, and a child configuration can have children of its own, creating a PolicyCenter configuration tree with several levels of depth. PacketShapers can be assigned to configurations at any level of the configuration tree. The Configurations tab in the browser interface lists all of the configurations, and can also show which units are assigned to each configuration.
Not All Configurations Inherit Values From Other Configurations
A configuration at the very top level of the configuration tree will not inherit settings from any other configuration. Therefore, if you create a new configuration at the top of the configuration tree, it will have default settings only. When you add a unit running PacketWise version 7.x or later to PolicyCenter, its new PolicyCenter unit configuration is also placed at the top level of the configuration tree. Because the new configuration will not inherit any new settings or attributes, the unit will continue to function just as it did before it was added to PolicyCenter.

Parent configurations are also useful for quickly propagating changes to many child configurations at once. If you have a configuration tree with many levels of child configurations but only one parent, you can disseminate new traffic classes, plug-ins, and software images to all your units just by making the changes to the one top-level parent.

A configuration may also be both a parent and a child. In this case, that configuration will inherit settings from its parent, and also pass settings on to its child configurations.
Child Configurations Allow Individual Changes
Child configurations are helpful if you have multiple PacketShapers assigned to a sharable configuration, and want to make changes to some, but not all, of the assigned units. PolicyCenter's hierarchical configuration tree allows you to create a separate child sharable configuration for those PacketShapers, and make the changes to the new child configuration.

Suppose, for example, you had 20 PacketShapers running PacketWise 8.5 all of which are assigned to a single sharable configuration, and the security requirements for just eight of those units changed. You could make each required change eight times on each of the individual unit configurations of the eight units, or you could make the change just once by creating a new child sharable configuration under the units' existing sharable configuration, specifying new HTTPS or SSH settings in the child configuration, and then reassigning the eight PacketShapers to the new child configuration.

Because the new child configuration will inherit all of its other attributes from its parent, all 20 units would continue to operate with the same traffic classes, policies, and partitions as before. The only difference between the eight PacketShapers assigned to the new child configuration and the 12 assigned to the original parent configuration would be the different security settings.
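The two inheritance rules and their auto-discovered exception, applied to the 20-unit example above, can be modelled directly. The following Python model is an added illustration, not PolicyCenter code: the setting names (https_access, ssh_access, shaping), their values and the class policies are hypothetical, and shadowed_settings is an assumed audit helper for listing where a child masks a value set in its parent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TrafficClass:
    name: str
    policy: str
    auto_discovered: bool = False  # found by traffic discovery, not created by hand


@dataclass
class Config:
    name: str
    parent: Optional["Config"] = None
    settings: Dict[str, str] = field(default_factory=dict)   # values set in this config
    classes: Dict[str, TrafficClass] = field(default_factory=dict)

    def chain(self) -> List["Config"]:
        """Path from the top of the configuration tree down to this config."""
        path, node = [], self
        while node is not None:
            path.append(node)
            node = node.parent
        return path[::-1]

    def effective_settings(self) -> Dict[str, str]:
        """Rule 1: inherit from ancestors. Rule 2: a value set locally wins."""
        merged: Dict[str, str] = {}
        for cfg in self.chain():
            merged.update(cfg.settings)
        return merged

    def effective_classes(self) -> Dict[str, TrafficClass]:
        """Rules 1 and 2, plus the exception for auto-discovered classes."""
        merged: Dict[str, TrafficClass] = {}
        for cfg in self.chain():
            for name, tc in cfg.classes.items():
                above = merged.get(name)
                if above is not None and tc.auto_discovered and not above.auto_discovered:
                    continue  # manually created class higher in the tree takes precedence
                merged[name] = tc
        return merged

    def shadowed_settings(self) -> Dict[str, Tuple[str, str]]:
        """Settings defined here that mask a different inherited value.

        Returns {key: (inherited_value, local_value)}. Under rule 2, a later
        change to these keys in an ancestor does not reach this config.
        """
        inherited = self.parent.effective_settings() if self.parent else {}
        return {k: (inherited[k], v) for k, v in self.settings.items()
                if k in inherited and inherited[k] != v}


def build_scenario():
    """Constructed data for the 20-unit example; all keys and values are hypothetical."""
    branch = Config(
        "branch",
        settings={"https_access": "enabled", "ssh_access": "enabled", "shaping": "on"},
        classes={"Citrix": TrafficClass("Citrix", "priority 6")},
    )
    hardened = Config(
        "branch-hardened", parent=branch,
        settings={"https_access": "restricted", "ssh_access": "disabled"},
    )
    # Eight units move to the child; the other twelve stay on the parent.
    units = {f"unit-{i:02d}": (hardened if i <= 8 else branch) for i in range(1, 21)}
    # A converted unit configuration later moved under the sharable parent.
    converted = Config(
        "converted-unit", parent=branch,
        classes={
            "Citrix": TrafficClass("Citrix", "priority 3", auto_discovered=True),
            "FTP": TrafficClass("FTP", "priority 2", auto_discovered=True),
        },
    )
    return branch, hardened, converted, units


if __name__ == "__main__":
    branch, hardened, converted, units = build_scenario()
    print("unit-01:", units["unit-01"].effective_settings())
    print("unit-20:", units["unit-20"].effective_settings())
    print("overrides to review:", hardened.shadowed_settings())
    print("converted Citrix policy:", converted.effective_classes()["Citrix"].policy)
```

Every key that shadowed_settings returns is one where a security change made later at the parent will not propagate to that child, so those overrides are the ones to review after any parent-level hardening.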
Units with Different Versions of PacketWise Operate Differently in PolicyCenter
PacketWise 7.5.x, 8.3.x or higher

PacketShapers running these versions are not assigned directly to a sharable PolicyCenter configuration. When you assign a unit running one of these versions to a sharable configuration, the unit remains attached to its individual unique unit configuration, so the individual unit configuration for that PacketShaper (highlighted in blue in the figure below) will appear in the configuration tree below the sharable parent configuration to which it is assigned.
That PacketShaper inherits settings from its sharable configuration, but also retains all the settings from its individual unit configuration. Even if multiple PacketShapers are assigned to the same sharable configuration, if their individual unit configurations have different classes or settings, the units will not operate in an identical manner. Because the unit is not directly assigned to a sharable configuration, changes made to the individual unit configuration will not affect its sharable parent configuration. The unit will, however, continue to inherit new settings from its sharable parent.

PacketWise 8.0.x-8.2.x or 7.0.x-7.4.x

PacketShapers running these versions can be assigned directly to a PolicyCenter sharable configuration, leaving behind its unique unit configuration. If you assign the unit to another sharable configuration, the unit's previous serial number configuration will remain in its current location. This makes a unit running an earlier version of PacketWise behave very differently than a unit running a later version of PacketWise, because any change to that individual unit via its command-line or browser interfaces will alter both the sharable configuration to which it is assigned, and all child configurations of that sharable parent.
Modifying PacketShapers in PolicyCenter
When you assign multiple PacketShapers to a sharable configuration, you can modify these units by changing either their sharable configuration or their individual unit configurations.

- To change all PacketShapers assigned to a sharable configuration, modify that sharable configuration via the PolicyCenter command-line or browser interfaces. When you modify a sharable configuration with multiple assigned units, each unit assigned to that configuration (or any of its child configurations) will inherit the changes. In order to modify a sharable configuration, you must first create a draft copy of that configuration and then edit the draft before committing the changes.
- To make a configuration change on a single PacketShaper running PacketWise 7.5.x, 8.3.x or higher, Blue Coat recommends that you do not directly modify the individual unit configuration. Instead, create a unique configuration for that PacketShaper and assign the unit to that configuration. This technique will make it easy to assign the unit to a different configuration group, and if you ever need to replace the unit, you can just assign the new unit to the configuration.
- To make a configuration change on a single PacketShaper running PacketWise 8.0.x-8.2.x or 7.0.x-7.4.x, create a new child configuration under the PacketShaper's sharable configuration, make the required changes on the new child, then assign that one PacketShaper to the new child configuration. You can edit the sharable configuration directly without first creating a child configuration, but then all the PacketShapers assigned to the sharable configuration will update with your changes once they are committed. Similarly, if you modify an individual unit running PacketWise 8.0.x-8.2.x or 7.4.x or earlier while the unit is still assigned to a sharable configuration with other assigned units, the sharable configuration (and all its other assigned units) would also update with the change.
Chapter 2: PolicyCenter Configuration Strategies
PolicyCenter can efficiently manage hundreds of individual PacketShapers because many of these units can be managed together with a single sharable configuration.

This chapter will help you plan your PolicyCenter configuration tree, and determine the best hardware platform for your PolicyCenter deployment. Blue Coat recommends you consider your configuration strategy before you install PolicyCenter, as the size and complexity of your configuration trees may affect your PolicyCenter hardware and software platform.
Identify Groups of Existing Units
When identifying groups of units to manage together, you should first consider the following:

- A unit's model type. Different models of the same product (PacketShaper 1400, 3500, and 10000, for example) have very different supported link sizes and system limits (such as maximum number of classes). We strongly recommend that you assign units of only one model type to each sharable configuration. If you do mix models, be sure the smallest unit can support its assigned configuration.
- PacketWise software (image) version. Units running PacketWise version 8.3 or higher have more complex and fully featured configurations than units running earlier PacketWise versions. Do not assign units running PacketWise 8.3 or higher and units running earlier versions of PacketWise to the same sharable configuration, as this may trigger configuration errors in the older unit.
Select a Configuration Strategy
Once you have identified PacketShapers with compatible model types and software images, you are ready to consider your configuration strategy. Before you start adding groups of units to PolicyCenter, you should ask yourself: Are the configurations and traffic classes on the individual units mostly the same, or mostly different? Do I want to use PolicyCenter to actively manage my PacketShaper configurations, or just to monitor them?

- If the PacketShapers' configurations are mostly the same, you can use a comprehensive PolicyCenter configuration strategy and manage your PacketShapers all together with a single sharable configuration. If one or more units should vary slightly from the settings they inherit from their sharable comprehensive configuration, you can create individual differences by modifying the individual unit configurations of PacketShapers running PacketWise 7.5.x or 8.3.x or higher. For units running other versions of PacketWise (8.0.x-8.2.x or 7.0.x-7.4.x), create a new child configuration and modify that child configuration before assigning the unit to it.
- If the PacketShapers you want to group together will have more differences than similarities, or if you do not yet have any units installed on your network, you may want to use a selective PolicyCenter configuration strategy. With this strategy, you will create a parent configuration that controls just the most important traffic classes or other key parts of the configuration, and manage your units' other settings via the units' individual configurations.
- If you wish to use PolicyCenter only as a central location for viewing all your PacketShaper configurations, you could use a functional configuration strategy, and create a shallow configuration tree with a single level of sharable configurations that act as folders for the individual unit configurations. With this strategy, the individual units' configurations could be grouped by location or function for easy reference, but wouldn't inherit any settings from their parent sharable configuration. This strategy allows you to view information for all your unit configurations from PolicyCenter (and avoids the complexities of configuring inheritable attributes and settings), yet requires you to separately manage each individual unit.
Keep in mind that the three configuration strategies suggested here are just that: suggestions. You can use just one type of configuration to manage all your units, or create both comprehensive and selective configurations for different groups of units. The rest of this chapter describes the benefits of each configuration strategy. It may be helpful to take notes to help you remember how you want to configure each group of PacketShapers and plan your PolicyCenter configuration tree.
Comprehensive PolicyCenter Configuration Strategies
This is the preferred strategy when you want to manage a group of units whose traffic trees are mostly the same. Organizations using this strategy often have branch offices with very similar types of network traffic, each with the same model of PacketShaper.

As an example, imagine you are the IT manager for a company with 20 nearly identical branch offices. Although there is a heavy traffic load running over each network, the types and volumes of network traffic do not vary widely between each branch. Additionally, each branch has configured its PacketShaper with the same traffic classes, and set many policies and partitions to protect the network traffic that is considered mission-critical to all branch offices. Because the networks are so similar, every significant change in the networks requires that all 20 PacketShapers be individually reconfigured. You find this to be too time-consuming, and would like to be able to propagate all the changes at once.

Because the individual units in this example have such similar configurations, you would use a comprehensive PolicyCenter configuration strategy to control the majority of the traffic tree and other sharable attributes for each unit. In this case, you must first identify a primary unit, one unit whose configuration will be used to create the comprehensive parent configuration. If all the units have a truly identical configuration, it does not matter which unit you select to be the primary unit. If there are slight variances, select the unit that is the most representative of all others.

Note: You can still use this configuration option even if you do not yet have any PacketShapers on your network. To create your primary unit, install a single PacketShaper at a branch site, then turn on traffic discovery. After several hours, the unit should have a complete traffic tree.

For complete information on creating a comprehensive configuration, see "Create a Comprehensive PolicyCenter Configuration" on page 33.
Selective Configuration Strategies
If you want to use PolicyCenter to manage just a few key traffic classes or attributes on each PacketShaper, you can create a new PolicyCenter configuration and define values for just those most important traffic classes before you assign child configurations and units to it. This strategy also works well if traffic trees vary widely between each PacketShaper, or you want to create a PolicyCenter sharable configuration that manages only your most critical traffic classes and settings, and not an entire traffic tree.

As an example, consider an organization with four branch sites. Each branch site serves a different purpose in the organization, and as a result, the types of traffic considered to be mission-critical at each site vary widely:

- Site 1 (sales): WebEx, ShoutCast, Citrix, Pop3, HTTP
- Site 2 (product development): FTP, ActiveX, Citrix, Pop3, HTTP
- Site 3 (corporate headquarters): Oracle, SAP, Citrix, Pop3, HTTP
- Site 4 (manufacturing): IPX, GRE, Citrix, Pop3, HTTP

Let us also suppose that all four sites are experiencing network slowdowns as employees download KaZaA music files off the network.

Because the network traffic requirements for each branch office are so different, it would be most efficient to create a selective PolicyCenter configuration that controls just the network traffic considered mission-critical to all branch sites (Citrix, Pop3, and HTTPS) and which also blocks the unwanted KaZaA traffic.

With a selective configuration, all four PacketShapers would be added with the convert option, preserving their individual settings. The individual unit configurations would then be moved under the selective configuration, creating four new child configurations under the selective configuration parent. As a result, each PacketShaper configuration would inherit those classes and settings they should all have in common, yet individual differences between the units wouldn't have to be manually recreated.

Why wouldn't a comprehensive configuration strategy work for this organization? Because a comprehensive configuration strategy would require too many individual changes to the child configurations to be an efficient use of PolicyCenter, or of your time. This selective configuration strategy suggests adding multiple units with the convert option, so the traffic trees of each of the units are retained, and don't have to be recreated from scratch. If this organization chose instead to create a comprehensive PolicyCenter configuration based on the local configuration of only one of the units, they would have to manually add all the additional required classes on each child configuration. This would require much more effort.

For complete information on creating a configuration tree of this type, see "Create a Selective PolicyCenter Configuration" on page 36.
Functional Configuration Strategies
Though one of the greatest benefits of PolicyCenter is the ability to simultaneously update multiple PacketShapers, some network administrators use PolicyCenter only to monitor individual units, not to manage them together.

If you want to use PolicyCenter just as a central location for viewing each unit's configuration, you can create a simple configuration tree with parent configurations that serve only as folders to identify groups of units by function or location, and then move each unit's assigned configuration under the appropriate parent. This type of configuration strategy allows you to monitor and manage all your units from PolicyCenter, yet requires that each change to a unit configuration be done individually.

Suppose you have 40 PacketShapers in five different areas of the country. Using this strategy, you would create a default parent configuration for each location, then add the PacketShapers to PolicyCenter with the convert option so each unit maintains its current configuration settings. The units' PolicyCenter configurations would then be moved under the appropriate parent.

Because the unit configurations wouldn't inherit any settings from their parent configurations, the parent configurations would be used only to help locate and identify individual units within the configuration tree.

For complete information on creating a configuration tree of this type, see "Create a Functional PolicyCenter Configuration" on page 41.
Chapter 3: Installing PolicyCenter
The Sun ONE Directory Server software is installed with PolicyCenter, and uses LDAP (Lightweight Directory Access Protocol) to communicate with each PacketShaper. Changes made in the directory server via PolicyCenter or PacketShaper are updated in other PacketShapers using the persistent search mechanism. A directory server has a set capacity for persistent searches that allows it to communicate with a finite number of PacketShapers. PacketShaper units running PacketWise 7.5.x, 8.3.x, or higher can communicate with the directory server more efficiently than units running earlier versions of PacketWise. As a result, the relative size of your deployment does not depend exclusively on the number of units you wish to manage, but must also take into consideration the version of software running on these units and (possibly) the design of your PolicyCenter configuration tree.

Capacity Planning for PacketShapers Running PacketWise 7.5.x, 8.3.x or Higher

If all of your PacketShaper units are running PacketWise 7.5.x, 8.3.x or higher, capacity planning is very simple.

- For fewer than 600 units running PacketWise 7.5.x, or 8.3.x or higher, use a standard or large PolicyCenter hardware platform (the large platforms are more scalable and can more easily expand to support additional units on edge directory servers).
- For extended deployments with over 600 units running PacketWise 8.3.x or higher only, use a large PolicyCenter hardware platform with at least two edge directory servers. (Add one additional edge directory server for every additional 600 units.)

For additional information on capacity planning for PolicyCenter deployments with PacketShapers running earlier versions of PacketWise, see Appendix A: PolicyCenter Capacity Planning for Earlier Versions of PacketWise.
Installation Requirements
Once you have identified your configuration strategies and deployment size, you will be ready to begin configuring your server and installing PolicyCenter. Blue Coat highly recommends that you use a dedicated system for PolicyCenter. Also note that PolicyCenter does not support virtual servers.

Before installing PolicyCenter 8.5 and Sun ONE Directory Server 5.2, verify that you have the following:

For a Standard PolicyCenter Deployment:

- A single server running Windows 2003 Server or Windows 2000 Server, Standard or Enterprise editions, SP1 or R2, 32-bit
- 1 (or 2) CPUs with 3 GHz Opteron or 3 GHz Core 2 Duo processors, 4 GB of RAM, and 60 GB free disk space

For a Large PolicyCenter Deployment with Two Windows Servers:

- For PolicyCenter and the core directory server, a server running Windows 2003 Server or Windows 2000 Server, Standard or Enterprise editions, SP1 or R2, 32-bit
- For the edge directory server, a server running Windows 2003 Server or Windows 2000 Server, Standard or Enterprise editions, SP1 or R2, 32-bit
- For both Windows machines, 1 (or 2) CPUs with 3 GHz Opteron or 3 GHz Core 2 Duo processors, 4 GB of RAM, and 60 GB free disk space

For a Large PolicyCenter Deployment with one Windows Server and a Solaris Server:

- For PolicyCenter and the core directory server, a server running Windows 2003 Server or Windows 2000 Server, Standard or Enterprise editions, SP1 or R2, 32-bit
- For an edge directory server, a server running Solaris 9 or Solaris 10
- For the Windows Server, 1 (or 2) CPUs with 3 GHz Opteron or 3 GHz Core 2 Duo processors, 4 GB of RAM, and 60 GB free disk space
- For the Solaris server, 2 CPUs with 1.38 GHz or faster UltraSPARC IIIi processors, 8 GB of RAM, and 2 x 73 GB free disk space
Important: Large PolicyCenter deployments with both core and edge directory servers only support PacketShapers running PacketWise versions 8.3.1 or later. If your PacketShapers are running any earlier versions of PacketWise, you must upgrade them to 8.3.1 or later before you add an edge directory server to PolicyCenter.
Additional Windows Server Requirements

The Windows server(s) for your PolicyCenter deployment also require(s) the following:

- An NTFS file system (a FAT file system will not work)
- A 1024x768 pixel monitor that supports 16-bit color or better
- Microsoft Internet Explorer 6.0 or later or Firefox 2.0 or later
- Administrator access to the Windows server
- A DNS name which correctly resolves to its fixed IP address. A static IP address is required; the installation will fail if TCP/IP is configured for DHCP.
- The Windows server for your PolicyCenter software must have a valid netmask and gateway for each network interface.
- Firewall permissions as needed. The PacketShaper units and PolicyCenter run as LDAP clients and connect to port 389 on the directory server. If PolicyCenter is configured to run as a secure LDAP client, it must be able to connect to port 636 on the directory server. The units use the HTTP and HTTPS protocols for PolicyCenter's image distribution feature.
- You must be able to install PolicyCenter and Sun ONE software directly onto the Windows 2000/2003 servers. The Sun ONE Directory Server software must be installed directly onto the machine on which the software will run. PolicyCenter can detect an attempt to install the Sun ONE Directory Server over a terminal server, and it will automatically stop an installation over a terminal server.

Additional Solaris Server Requirements

Large deployments using both a Windows and a Solaris server must use Solaris servers that meet the following requirements:

- Network access to the Windows server used in the deployment
- A DNS name which correctly resolves to its fixed IP address. A static IP address is required; the installation will fail if TCP/IP is configured for DHCP.
- Firewall permissions as needed. The PacketShaper units and PolicyCenter run as LDAP clients and connect to port 389 on the directory server. If PolicyCenter is configured to run as a secure LDAP client, it must be able to connect to port 636 on the directory server. The units use the HTTP and HTTPS protocols for PolicyCenter's image distribution feature.
Configure the Windows Server
Follow the procedures in this section to configure the Windows server(s) for PolicyCenter before you install PolicyCenter or the directory server software. Note that these configuration steps are only required for an initial PolicyCenter installation. If you are upgrading from a previous version of PolicyCenter, you will not need to reconfigure your Windows server.

Before you install PolicyCenter:

1. Remove from your server all monitoring services such as SNMP service, the Microsoft Internet Information Service (IIS), or any other preinstalled monitoring services or web servers.

   PolicyCenter checks for the presence of IIS, and if it detects the presence of IIS during installation, it will halt the installation procedure. Any preinstalled monitoring services (such as those on HP servers) or HP Systems manager may also conflict with the Sun ONE Directory Server, causing the installation to fail. Refer to Chapter 9: Troubleshooting for additional information on removing an IIS server.

2. Configure and verify the DNS name for your server.

   a. Right-click the My Computer icon on the Windows 2000/2003 Server desktop, and then click Properties. This will open the System Properties window.
   b. Click the Network Identification tab, then click the Properties button. On the Identification Changes window, enter the name and domain for the computer.
   c. Click the more button, and enter the DNS suffix for the server.
   d. Click OK to save the DNS suffix, then click OK on the Identification Changes window to save your network identification changes.

   Note: If the server already has a DNS name, use nslookup to verify the server's DNS configuration and IP address. For example, if the system's DNS name is pcserver.example.com, type this from the DOS command prompt:

       nslookup pcserver.example.com

3. Configure a time server. PolicyCenter reports unit status more accurately if all edge and core servers are configured with the correct time. You can ensure that your PolicyCenter server(s) all have the same time by configuring them to use an SNTP time server.

   To check to see if a PolicyCenter server is already configured for SNTP:

   a. From the desktop of your PolicyCenter server, select Start > Run to open a Run Window.
   b. Enter cmd into the Open entry blank on this window, then click OK to open a command prompt window.
   c. If the current directory in the command prompt window is not already a local drive on your PolicyCenter server, change to a local drive (for example, C:).
   d. Issue the command net time /querysntp. The output of the command should tell you if the computer is or is not currently configured to use a specific SNTP server.

   If the PolicyCenter server is not configured to use an SNTP server, use the following procedure to configure an SNTP time server for that computer.

   a. From the command prompt window, issue the command

          net time /setsntp:<ip-address>

      where <ip-address> is the IP address or DNS name of an SNTP server. If your network does not have its own SNTP time server, specify the IP address of a public time server. A list of public time servers is available at http://support.ntp.org/bin/view/Servers/WebHome.
   b. Press Enter.
   c. To synchronize the PolicyCenter server with the new time server, you must stop and then restart time service on the PolicyCenter server. Issue the following commands:

          net stop w32time
          net start w32time

   d. Stop and then restart the PolicyCenter service.

If your PolicyCenter deployment has multiple servers, repeat this procedure for each Windows server.
Configure a Solaris Server
You must uninstall any Sun ONE 5.2 Directory Server already on the server, including the version bundled with Solaris. You will later install PolicyCenter's own version of the directory server from the PolicyCenter installation wizard.

To uninstall an existing Sun ONE Directory Server:

1. Log in to the Solaris server as a root user.
2. Navigate to /var/Sun/mps
3. Enter the command ./uninstall_dirserver.
4. The uninstall wizard will prompt you to enter your Sun ONE Directory Server configuration user ID and password. (The default settings for both of these are admin. If these default settings have been changed, contact the system administrator for the User ID and password.)
5. Issue the command rm -rf /var/Sun to remove the Sun directory.
Configure a Solaris Server for SNTP

PolicyCenter reports unit status more accurately if all edge and core servers are configured with the correct time. You can ensure that your PolicyCenter servers all have the same time by configuring them to use an SNTP time server. Refer to the documentation on the Sun web site for information on configuring a Solaris server for SNTP. (http://docs.sun.com/app/docs)
Install PolicyCenter and the Directory Server Software
After your servers are configured, you are ready to install the PolicyCenter 8.5 and Sun ONE Directory Server 5.2 software. The installation procedure varies according to your selected hardware platform.

- For standard deployments on a single Windows server, see page 21.
- For large deployments on three Windows servers, see page 22.
- For large deployments on Windows and Solaris servers, see page 24.
- To extend an existing PolicyCenter deployment by adding an additional edge directory server, see page 27.
Standard Deployments on a Single Windows Server
The following procedure installs both PolicyCenter and the directory server software onto a single Windows server. If you are not sure whether you should install PolicyCenter and the directory server software on the same server or on different servers, refer to the previous chapter for details on capacity planning and deployment sizes.

1. Log in to the Blue Coat download site (https://support.bluecoat.com/download) and download the PolicyCenter 8.5 .zip file (for example, PolicyCenter_8.5.1_Windows.zip).
2. Unzip the file contents to your Windows server.
3. On the Windows server, navigate to the PolicyCenter\Windows folder, and launch the installation wizard by running the setup.exe file.
4. The Select Components window will ask you to select the PolicyCenter components you want to install. Select the PolicyCenter and Core Directory Server option.
5. The installation program chooses a hard disk with at least 4 GB of free space (by checking disks in the order listed in the NTFS), then unpacks PolicyCenter, stores the files in a directory, and steps you through setup. You are prompted to enter the following values:

   Prompt                               Description
   Number of PacketShapers to Manage    The maximum number of PacketShapers supported by your PolicyCenter license.
   Key Code & Serial Number             You will receive these numbers in an email from Blue Coat.
   Install Directory                    The default directory is \Blue Coat Systems\PolicyCenter. To install the files in a different directory, type the complete path.

6. After the PolicyCenter and directory server software has been installed, you will be prompted to log in to PolicyCenter and provide the following:

   - DNS name (recommended) or IP address of the server you are using for PolicyCenter. The default is localhost (the computer you are using).
   - Directory server password up to 64 alphanumeric characters long, including 0-9, A-Z, a-z, spaces, periods, underscores, and dashes. This password gives you access to all configurations and units in PolicyCenter. If you lose your password, refer to PacketGuide for details on resetting a directory server password.
   - (optional) Click the Secure Connection checkbox to establish a secure LDAPS connection between PolicyCenter and the directory server.
   - Click the Time Zone drop-down list and select the time zone of your PolicyCenter server.

7. Click the Commit All Settings button.

   The PolicyCenter user interface appears in your browser. From now on, you may access the PolicyCenter browser interface by entering the DNS name or IP address of the PolicyCenter server in your browser's address window.

Important: When you install PolicyCenter, the software will already have defined a single touch user with the user name of admin and a password of admin. Blue Coat strongly suggests you change the pre-configured password for the admin user as soon as possible, as a person with malicious intent could easily guess those credentials. See "Change the Default Administrator Password" on page 29.
Large Deployments on Multiple Windows Servers
The following procedure installs PolicyCenter and the core directory server on one server, then installs one or more edge directory servers on additional Windows servers.

If you are not sure whether you should install PolicyCenter and the directory server software on the same server or on different servers, refer to the previous chapter for details on capacity planning and deployment sizes.

1. Log in to the Blue Coat download site (https://support.bluecoat.com/download) and download the PolicyCenter 8.5 .zip file (for example, PolicyCenter_8.5.1_Windows.zip).
2. Unzip the file contents to your Windows server.
3. On the Windows server, navigate to the PolicyCenter\Windows folder, and launch the installation wizard by running the setup.exe file.
4. The Select Components window will ask you to select the PolicyCenter components you want to install. Select the PolicyCenter and Core Directory Server option.
5. The installation program chooses a hard disk with at least 4 GB of free space (by checking disks in the order listed in the NTFS), then unpacks PolicyCenter, stores the files in a directory, and steps you through setup. You are prompted to enter the following values:

   Prompt                               Description
   Number of PacketShapers to Manage    The maximum number of PacketShapers supported by your PolicyCenter license.
   Key Code & Serial Number             You will receive these numbers in an email from Blue Coat.
   Install Directory                    The default directory is \Blue Coat Systems\PolicyCenter. To install the files in a different directory, type the complete path.

Next, install Sun ONE Directory Server 5.2 on the additional Windows servers to create two (or more) edge servers.

1. Copy the PolicyCenter .zip file to the Windows server and unzip the file contents.
2. On the Windows server, navigate to the PolicyCenter\Windows folder, and launch the installation wizard by running the setup.exe file.
3. The Select Components window prompts you to select the PolicyCenter components you want to install. Select the Directory Server only option. Follow the installation wizard prompts to complete the installation.
4. Once installation is complete, repeat the above steps to install each additional edge server.
5. After the software is installed, log in to PolicyCenter by entering the DNS name or IP address of your PolicyCenter server in a web browser.
6. Provide the following information in the Guided Setup window:

   - Specify a DNS name (recommended) or IP address of the server running PolicyCenter and the core directory server.
   - Define a directory server password up to 64 alphanumeric characters long, including 0-9, A-Z, a-z, spaces, periods, underscores, and dashes. This password gives you access to all configurations and units in PolicyCenter. If you lose your password, refer to PacketGuide for details on resetting a directory server password.
   - (optional) Enable the Secure Connection checkbox to establish a secure LDAPS connection between PolicyCenter and the directory server.
   - Select the Time Zone of your PolicyCenter server.

7. Click the Commit All Settings button.

   PolicyCenter appears in your browser. From now on, you may access the PolicyCenter browser interface by entering the DNS name or IP address of the PolicyCenter server in your browser's address window.

Important: When you install PolicyCenter, the software will already have defined a single touch user with the user name of admin and a password of admin. Blue Coat strongly suggests you change the pre-configured password for the admin user as soon as possible, as a person with malicious intent could easily guess those credentials. See "Change the Default Administrator Password" on page 29.
Large Deployments on a Windows and a Solaris Server
PolicyCenter 8.5 supports large deployments with PolicyCenter and the core directory server on a Windows Server and one or more edge directory servers on a Solaris server.
Before you install the PolicyCenter software, you must first install the Sun ONE Directory Server software on the Solaris server.
If you use FTP to transfer the PolicyCenter files to a Solaris server, certain characters such as ^M may be placed in the files during a DOS-to-UNIX conversion. If any of the following files have the ^M characters at the end of every line, you may need to run the dos2unix command on the following files before starting the installation:
- certificates
- enablessl.ldi
- passwordfile
- slapdxxxpin.txt
- template.ins
- noisefile
- installds.pl
To install the Sun ONE Directory Server on a Solaris server:
1. Log in to the Blue Coat download site (https://support.bluecoat.com/download) and download the PolicyCenter 8.5 .zip file (for example, PolicyCenter_8.5.1_Windows.zip).
2. Unzip the file contents to your Solaris server.
3. On the Solaris server, log in as a root user and navigate to the PolicyCenter/solaris directory.
4. Enter the command perl ./installds.pl and follow the Guided Setup script to install the Sun ONE Directory Server.
Note: If the installation wizard detects another directory server on the Solaris server, the installation will not continue until you have removed the existing directory server software.
After you have installed the Sun ONE Directory Server on the Solaris Server, return to the Windows server to install the PolicyCenter software.
1. Copy the PolicyCenter .zip file to your Windows server and unzip the file contents.
2. Navigate to the PolicyCenter\Windows folder, and launch the installation wizard by running the setup.exe file.
3. The Select Components window prompts you to select the PolicyCenter components you want to install. Select the PolicyCenter and Core Directory Server option.
The installation program chooses a hard disk with at least 4 GB of free space (by checking disks in the order listed in the NTFS), then unpacks PolicyCenter, stores the files in a directory, and steps you through setup. You are prompted to enter the following values:
Prompt: Description
Number of PacketShapers to Manage: The maximum number of PacketShapers supported by your PolicyCenter license.
Key Code & Serial Number: You will receive these numbers in an email from Blue Coat.
Install Directory: The default directory is \Blue Coat Systems\PolicyCenter. To install the files in a different directory, type the complete path.
4. After the software is installed, log in to PolicyCenter by entering the DNS name or IP address of your PolicyCenter server in a web browser.
5. Enter the following information in the Guided Setup window:
- Specify a host name (recommended) or IP address of the server running PolicyCenter and the core directory server.
- Define a directory server password up to 64 alphanumeric characters long, including 0-9, A-Z, a-z, spaces, periods, underscores, and dashes. This password gives you access to all configurations and units in PolicyCenter. If you lose your password, refer to PacketGuide for details on resetting a directory server password.
- (Optional) Enable the Secure Connection checkbox to establish a secure LDAPS connection between PolicyCenter and the directory server.
- Select the Time Zone of your PolicyCenter server.
6. Click the Commit All Settings button. PolicyCenter appears in your browser. From now on, you may access the PolicyCenter browser interface by entering the DNS name or IP address of the PolicyCenter server in your browser's address window.
Important: When you install PolicyCenter, the software will already have defined a single touch user with the user name of admin and a password of admin. Blue Coat strongly suggests you change the pre-configured password for the admin user as soon as possible, as a person with malicious intent could easily guess those credentials. See Change the Default Administrator Password on page 29.
Install an Edge Directory Server
Important: Large PolicyCenter deployments with both core and edge directory servers only support PacketShapers running PacketWise versions 8.3.1 or later. If your PacketShapers are running any earlier versions of PacketWise, you must upgrade them before you add an edge directory server to PolicyCenter.
Install an Edge Directory Server on a Windows Server
Extend your deployment beyond the capacity of the core directory server by defining additional edge directory servers that can each support up to 600 PacketShapers.
To install a PolicyCenter core or edge directory server on a Windows server:
1. Log in to the Blue Coat download site (https://support.bluecoat.com/download) and download the PolicyCenter 8.5 .zip file (for example, PolicyCenter_8.5.1_Windows.zip).
2. Unzip the file contents to your Windows server.
3. Navigate to the PolicyCenter\Windows folder, and launch the installation wizard by running the setup.exe file.
4. The Select Components window opens. Select Directory Server only.
Note: If the installation wizard detects another directory server on the Windows server, the installation will not continue until you have removed the existing directory server software.
5. Once the Sun ONE Directory Server software has been installed on the server, log in to PolicyCenter with a PolicyCenter organization administrator's user name and password and click the Setup tab.
6. Select the Directory Servers setup category to open the Directory Servers window.
7. Click New, then enter the DNS name or IP address of the server you just configured.
8. (Optional) Check the Use Secure LDAP Communications checkbox for secure data replication between the edge and core server. This option requires you to generate the appropriate SSL certificates for both the edge and core servers, and load the certificate on the edge server before you add the directory server. (For additional information on configuring an edge directory server, see PacketGuide.)
9. Click Add to add the new server.
Install an Edge Directory Server on a Solaris Server
The following instructions describe how to install the Sun ONE Directory Server on a Solaris server. If you use FTP to transfer files to a Solaris server, certain characters such as ^M may be placed in the files during a DOS-to-UNIX conversion. If any of the following files have the ^M characters at the end of every line, you may need to run the dos2unix command on the following files before starting the installation.
- certificates
- enablessl.ldi
- template.ins
- passwordfile
- slapdxxxpin.txt
- installds.pl
- noisefile
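The ^M check described above and in the earlier Windows-and-Solaris section, as an added example (not part of the Blue Coat guide or installer): a POSIX shell helper that reports which of the listed files contain carriage-return line endings and strips them with sed, which does for trailing carriage returns what the guide's dos2unix step does. The function names and the directory argument are assumptions; the file names are the ones the guide lists.

```shell
#!/bin/sh
# Added example, not Blue Coat code. File names are taken from the guide;
# the directory passed in (where you unzipped the installer files) is an
# assumption about your layout.

PC_FILES="certificates enablessl.ldi passwordfile slapdxxxpin.txt template.ins noisefile installds.pl"

# A literal carriage return (displayed as ^M by vi and cat -v).
CR=$(printf '\r')

# list_crlf_files DIR
# Print the name of every listed file in DIR that has at least one line
# ending in a carriage return. Files that do not exist are skipped.
list_crlf_files() {
    dir=$1
    for name in $PC_FILES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        if grep -q "${CR}\$" "$f"; then
            echo "$name"
        fi
    done
}

# fix_crlf_files DIR
# Strip the trailing carriage return from each line of every affected file.
# sed with a literal CR is used so the result does not depend on which
# dos2unix variant is installed. The cleaned text is written back with cat,
# so the original file keeps its owner and permissions; that matters for
# passwordfile and the pin file, which should stay readable by root only.
fix_crlf_files() {
    dir=$1
    for name in $(list_crlf_files "$dir"); do
        f="$dir/$name"
        tmp=$(mktemp) || return 1      # mktemp creates the file with mode 0600
        sed "s/${CR}\$//" "$f" > "$tmp" && cat "$tmp" > "$f"
        rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return 1
    done
}

# Typical use before running perl ./installds.pl:
#   list_crlf_files /path/to/unzipped/files
#   fix_crlf_files  /path/to/unzipped/files
```

Run list_crlf_files first and review its output; an empty result means none of the listed files need conversion.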
To install the Sun ONE Directory Server on a Solaris server:
1. Log in to the Blue Coat download site (https://support.bluecoat.com/download) and download the PolicyCenter 8.5 .zip file (for example, PolicyCenter_8.5.1_Windows.zip).
2. Unzip the file contents to your Solaris server.
3. On the Solaris server, log in as a root user and navigate to the PolicyCenter/solaris directory.
4. Enter the command perl ./installds.pl and follow the guided setup script to install the Sun ONE Directory Server.
Note: If the installation wizard detects another directory server on the Solaris server, the installation will not continue until you have removed the existing directory server software.
5. After the Sun ONE Directory Server software has been installed on the server, log in to PolicyCenter with a PolicyCenter administrator's user name and password, and click the Setup tab.
6. Select the Directory Servers setup category to open the Directory Servers window.
7. Click New, then enter the DNS name or IP address of the server you just configured.
8. (Optional) Select the Use Secure LDAP Communications checkbox for secure data replication between the edge and core server. This option requires you to generate the appropriate SSL certificates for both the edge and core servers, and load the certificate on the edge server before you add the directory server. (For additional information on configuring an edge directory server, see PacketGuide.)
9. Click Add to add the new server.
Change the Default Administrator Password
Start a PolicyCenter Session
After you have installed PolicyCenter and the directory server software, Blue Coat recommends you secure your PolicyCenter deployment immediately by logging in to PolicyCenter and resetting the administrator's password.
To start a PolicyCenter session from a browser:
1. Open a browser window.
2. In the browser address field, type localhost (only from the PolicyCenter server itself), or the DNS name or IP address of the server where PolicyCenter is installed (from any machine on the network).
3. Enter the default user name and password. The default PolicyCenter user name and password are both admin.
4. (Recommended) Click the Secure Login checkbox to access PolicyCenter via a secure HTTPS port.
Note: Secure logins via HTTPS may take longer to complete than non-secure (HTTP) logins. For more details on PolicyCenter security, refer to the PacketGuide section Tasks > PolicyCenter Admin > Security.
5. The PolicyCenter browser interface opens.
6. Select Users > Operations. The password settings for the admin user account appear in the right pane.
7. Delete the placeholder dots and enter the new password in the New Password and Retype New Password fields.
8. Click Set.
You must log in to PolicyCenter with the user name admin and this new password until you define new user accounts. The default admin user account cannot be deleted.
Chapter 4: Add PacketShapers to PolicyCenter
Now that you've installed PolicyCenter, you can start adding PacketShaper units and creating additional configurations. You can add PacketShapers already functioning on your network, or unconfigured PacketShapers which have been cabled to the network and powered on, but not yet configured with a network identity.
Adding Unconfigured Units
There are two ways to add unconfigured PacketShapers to PolicyCenter:
- Run the Guided Setup utility via a web browser or console connection to the PacketShaper and select the shared mode configuration option. (For complete details on Guided Setup, refer to the Quick Start Guide included with your PacketShaper, or see PacketGuide.)
- Configure the PacketShaper via the PolicyCenter auto-deployment feature.
The auto-deployment feature lets you configure a remote PacketShaper by entering into PolicyCenter a unit name, IP address, subnet mask, and gateway for the unconfigured unit. The PolicyCenter auto-deployment server will send the unconfigured unit its IP address and other basic network settings, and the unit will automatically subscribe to PolicyCenter.
To configure a unit and subscribe it to PolicyCenter via the PolicyCenter auto-deployment feature:
1. Connect the unconfigured unit to the network.
2. Access the PolicyCenter browser interface, and click the Setup tab.
3. From the Setup Category list, select AutoDeploy.
4. Click the add button to open the AutoDeploy Unit Entry window.
5. Create a new auto-deploy unit entry by filling in the information for that unit. If you specify the path of an existing PolicyCenter configuration, the unit will assign itself to that configuration when it subscribes to PolicyCenter. Otherwise, the unit will assign itself to a blank configuration at the root of the configuration tree.
6. Click OK to save your entry. The AutoDeploy Unit Entry window will close.
7. Enable the auto-deployment server by clicking the Server State drop-down list and selecting on.
8. Click apply changes.
The auto-deployment server will then send an auto-deploy message to configure the unit at the next auto-deployment interval. For complete information on using the auto-deployment feature to add unconfigured units to PolicyCenter, see PacketGuide.
Adding Configured PacketShapers
A PacketShaper that already has configured network settings can be subscribed to PolicyCenter via that individual unit's browser or command-line interfaces. Blue Coat recommends manually adding your first few units and verifying that they work as expected before you auto-deploy a large number of unconfigured units.
When you first selected a strategy for implementing PolicyCenter you should have decided whether you wished to convert one unit's current configuration into a sharable PolicyCenter configuration for several other units, or if you wanted to create a new sharable configuration that controls just a few key classes and settings, while maintaining separate configurations for each unit's traffic tree.
- If you chose to create a comprehensive PolicyCenter configuration, refer to Create a Comprehensive PolicyCenter Configuration on page 33.
- If you decided to create a selective PolicyCenter configuration that controls only a small portion of the units' configurations, refer to Create a Selective PolicyCenter Configuration on page 36.
- If you decided to create a functional PolicyCenter configuration that allows you to monitor your unit configurations yet still manage each one individually, refer to Create a Functional PolicyCenter Configuration on page 41.
Create a Comprehensive PolicyCenter Configuration
Important: Follow the steps described in this section to create a comprehensive sharable configuration that manages all (or nearly all) of each unit's classes and settings. For a detailed description of comprehensive PolicyCenter configurations, see Comprehensive PolicyCenter Configuration Strategies on page 12. For alternate strategies, see Chapter 2 or refer to Create a Selective PolicyCenter Configuration on page 36 or Create a Functional PolicyCenter Configuration on page 41.
This section describes how to:
- Use the convert configuration option to add a primary unit to PolicyCenter, then create a new PolicyCenter sharable configuration based on that PacketShaper's original traffic tree and configuration settings.
- Add additional units to PolicyCenter.
- Assign the units to their proper sharable configurations.
Convert a Unit Configuration
To add a PacketShaper to PolicyCenter using the convert option:
1. Access the PacketShaper you wish to add to PolicyCenter via the unit's browser interface.
2. Click the Setup tab, and select PolicyCenter access from the Choose Setup Page list. The PolicyCenter Access page appears, as shown below.
3. Enter the DNS name (recommended) or IP address of the PolicyCenter directory server and the PolicyCenter Directory Server password.
Note: Blue Coat strongly recommends identifying the server by DNS name, rather than by IP address. With this option, if you migrate PolicyCenter to a different server, you only need to assign the previous server's DNS name to the new server, and all units will be able to immediately contact the new PolicyCenter server. If a unit is subscribed to PolicyCenter via the server's IP address, migrating PolicyCenter to a different server may require you to access each unit, unsubscribe it, then resubscribe the unit to the new IP address.
4. (Optional for units running PacketWise 7.5.x or 8.3.x and later) Check the Secure Connection checkbox to establish a secure LDAP connection between the PacketShaper and the PolicyCenter directory server. Note that secure connections are slower than clear connections.
5. In the Unit Name field, enter a unique name for the unit that will help you to identify the unit within the PolicyCenter Units list. The suggested names are the DNS name of the unit (if present) or the unit serial number.
6. Click the Convert configuration checkbox, so the unit retains its current class tree and settings when it subscribes to PolicyCenter.
Note: If a PacketShaper unit is configured with Frame Relay support, you cannot use PolicyCenter to manage its Frame Relay configuration. If a unit with configured static frame routing entries is subscribed to PolicyCenter using the convert configuration option, the frame routing entries may be lost.
7. Click apply changes to save your settings.
Note: If the web browser uses any HTTPS port setting other than port 443 to perform the convert operation, it may display a Page Not Found error immediately after you perform this operation. The unit's port settings will be converted into a PolicyCenter configuration, but it may be a few seconds before you can refresh the web page.
Create the Comprehensive Configuration
Change the unique configuration for your primary unit into a sharable comprehensive configuration by making a sharable copy of that configuration and giving that new configuration a different name.
To copy and rename a PolicyCenter configuration:
1. Log in to PolicyCenter, and click the Configurations tab.
2. From the configuration list in the left pane of this window, select the new PolicyCenter configuration for your primary unit.
3. In the right pane of this window click the Operations tab. The Operations window appears.
4. In the Copy Configuration field, click the drop-down list and select the slash (/) to make a new sharable copy of the unit configuration at the top of the configuration tree.
5. In the "and (optionally) rename the Configuration to the following" field, type a name for the new sharable configuration. The name can be up to 20 characters long, including a-z, A-Z, -, _, and . (period). Spaces are not allowed in the configuration name.
6. Click Copy and Rename.
Assign the PacketShaper to its PolicyCenter Configuration
The procedure to assign the primary unit to the new comprehensive configuration varies, depending upon the version of software that PacketShaper is running.
- If the unit is running PacketWise 7.5.x, or 8.3.x or higher, simply assign that unit to the new comprehensive configuration.
- If the unit is running an earlier version of PacketWise, first create a new child configuration under the comprehensive configuration, and then assign the unit to that child configuration.
Assign a PacketShaper Running PacketWise 7.5.x, 8.3.x, or Higher
To assign a primary unit running PacketWise 7.5.x, 8.3.x, or higher:
1. Click the Units tab to open the Units window.
2. From the Units list in the left pane of this window, select the primary unit you just added to PolicyCenter.
3. Click the Operations tab in the right pane of this window. The Unit Operations window opens.
4. Click the Change this Unit's Configuration to drop-down list, and select the comprehensive configuration.
5. Click Change.
The PacketShaper is now assigned to the sharable comprehensive configuration, and that PacketShaper's individual unit configuration will appear below the comprehensive configuration in the configuration tree. However, since the unit configuration has all the same settings as its comprehensive parent configuration, those local unit settings will override any changes made in the parent. In order to manage this unit via its comprehensive sharable configuration, you must clear the PacketShaper's local settings, so it can inherit its traffic tree and settings from its parent.
To clear a PacketShaper's unique configuration:
1. From the configuration list in the left pane of the Configurations tab, select the PolicyCenter configuration for your primary unit (its original configuration, and not the new sharable copy).
2. Click the Operations tab to display the Operations window.
3. Click the Clear button.
The unit will now inherit from its parent configuration all of its sharable settings.
Assign a PacketShaper Running Earlier Versions of PacketWise
Remember, PacketShapers running PacketWise 8.0.x-8.2.x or 7.0.x-7.4.x can be assigned directly to a sharable configuration, leaving their individual unit configurations behind. Therefore, in order to create a configuration tree where you can make individual changes to a unit if necessary, you must create a new child configuration under the comprehensive configuration, and assign the unit to that new child configuration.
Note: Although you can assign a unit directly to the comprehensive configuration using the procedure described earlier, you will not be able to make changes to just that unit without modifying the comprehensive configurations and all other units assigned to it.
First, create a new child configuration under the comprehensive configuration:
1. Click the Configurations tab.
2. From the configuration list in the left pane of this window, select your comprehensive configuration.
3. Click the New button below the configuration list.
4. Enter a name for the new child configuration.
5. Click Add.
Next, assign the unit to the new child configuration:
1. Click the Units tab to open the Units window.
2. From the Units list in the left pane of this window, select the unit you just added to PolicyCenter.
3. Click the Operations tab in the right pane of this window. The Unit Operations window opens.
4. Click the Change this Unit's Configuration to drop-down list, and select the new child configuration.
5. Click Change.
Add and Assign Other PacketShapers to this Configuration
To add other PacketShapers already operating on your network, follow steps 1-5 and 7 of the procedure described in Convert a Unit Configuration on page 33, omitting the convert configuration option described in step 6. The units will lose any existing traffic classes and settings and will be assigned to a new PolicyCenter configuration with default settings only.
Assign units running the comprehensive configuration using the steps described in Assign the PacketShaper to its PolicyCenter Configuration on page 34. Note that you will not need to clear the unique unit configurations for any other units, because they were not created with the convert configuration option, and therefore have default settings only.
Manage your Configurations
Once you have followed the steps in this section to create your initial configuration tree, start creating PolicyCenter organizations and user accounts, as described in Chapter 6. Blue Coat also recommends you continue on to Chapter 7, and review some of the best practices for managing PolicyCenter configurations and units.
Create a Selective PolicyCenter Configuration
Important: Follow the steps described in this section to create a selective sharable configuration that manages only a few key classes and settings for each PacketShaper assigned to that configuration. For a detailed description of selective PolicyCenter configurations, see Selective Configuration Strategies on page 12. For alternate strategies, see Chapter 2 or refer to Create a Comprehensive PolicyCenter Configuration on page 33 or Create a Functional PolicyCenter Configuration on page 41.
This section describes how to:
- Create a new selective configuration.
- Use the convert configuration option to add PacketShapers to PolicyCenter while retaining the units' individual traffic trees.
- Reassign (or move) the units' configurations under the new selective configuration.
- Force the child configurations to inherit the selective configuration by removing any local overrides of inherited classes.
Create a New PolicyCenter Configuration
When you first install PolicyCenter, it will have only one sharable configuration, the default configuration. The first step in creating a selective PolicyCenter configuration is to add an entirely new configuration to the PolicyCenter configuration tree.
To add a new configuration to PolicyCenter:
1. Click the Configurations tab. The PolicyCenter configuration tree appears in the left pane of the window.
2. Make sure the Root (/) is selected.
3. Click the New button below the configuration tree. The Add a New Configuration window appears.
4. Enter a name for the new configuration. PolicyCenter configuration names can have up to 20 characters, and can include a-z, A-Z, 0-9, -, _, and . (period). Spaces are not allowed.
5. Click add.
Add Classes to the New Configuration
Once you have followed the above steps to create and name your new selective configuration, you must create a draft copy of that configuration so you can start defining settings such as traffic classes, policies, and partitions. After you commit the changes you make to the draft, traffic classes in this selective configuration can be inherited by any unit or child configurations assigned to it.
1. Click the PolicyCenter Configurations tab. The Configurations window opens.
2. From the configuration tree in the left window pane, click the name of your new selective configuration.
3. Click the Edit button below the configuration tree to create a draft copy of that configuration.
4. Click class > add, then specify a class name and other settings to define a specific traffic class for your selective configuration.
5. Click add class when you have finished.
6. (Optional) If you want to add a policy and/or partition to the class, click the class name in the traffic tree, then click policy or partition. Specify settings for the new policy or partition, then click apply changes.
Note: For more detailed information on adding classes, policies, and partitions, click the DOCUMENTATION link at the top of the browser window and refer to the information in the PacketGuide section Tasks > Classification > Create Class.
7. Continue to add classes until you have completed the class tree for this configuration.
8. Commit the changes to the draft configuration by clicking the Commit button below the configuration tree.
9. A pop-up window will ask you to confirm your changes. Click Commit Configuration.
Note: The configuration can also contain any of the settings on the Setup tab.
Add PacketShapers to PolicyCenter
Once you have defined the key classes for your new selective parent configuration, you will need to add PacketShapers to PolicyCenter and move those units' configurations under the selective configuration. You are not assigning PacketShapers to the selective configuration directly, but are creating child configurations under the selective parent configuration. Each unit remains assigned to its own child configuration.
As you add the units to PolicyCenter, make sure you select the convert configuration option so each unit's new PolicyCenter configuration will reflect the unit's previous local mode configuration. Without this option selected, the unit will be assigned to a PolicyCenter configuration with default settings only.
To add units to PolicyCenter:
1. Access the PacketShaper you wish to add to PolicyCenter via the unit's browser interface.
2. Click the Setup tab and select PolicyCenter access from the Choose Setup Page list. The PolicyCenter Access page appears, as shown below.
3. Enter the DNS name (recommended) or IP address of the PolicyCenter directory server and the PolicyCenter Directory Server password.
Note: Blue Coat strongly recommends identifying the server by DNS name, rather than by IP address. With this option, if you migrate PolicyCenter to a different server, you only need to assign the previous server's DNS name to the new server, and all units will be able to immediately contact the new PolicyCenter server. If a unit is subscribed to PolicyCenter via the server's IP address, migrating PolicyCenter to a different server may require you to access each unit, unsubscribe it, then resubscribe the unit to the new IP address.
4. (Optional for units running PacketWise 7.5 or 8.3 and above) Check the Secure Connection checkbox to establish a secure LDAP connection between the PacketShaper and the PolicyCenter directory server. Note that secure connections are slower than clear connections.
5. In the Unit Name field, enter a unique name for the unit that will help you to identify the unit and its configuration within the PolicyCenter Units list. The suggested name is the DNS name of the PacketShaper (if present) or the unit's serial number.
6. Click the convert configuration checkbox. When you select this option, the unit's existing sharable attributes will be converted into a new PolicyCenter configuration with the same attributes and values. Because the PacketShaper's new PolicyCenter configuration will be based upon its previous configuration, the unit will continue to operate the same in PolicyCenter as it did in local mode. If you do not select the convert option, the PacketShaper's new PolicyCenter configuration is cleared, and will have default settings only.
7. Click apply changes to save your settings. The unit will be set to shared mode and will be subscribed to PolicyCenter.
8. Repeat these steps to add additional PacketShapers to PolicyCenter.
Note: If the web browser uses any HTTPS port setting other than port 443 to perform the convert operation, it may display a Page Not Found error immediately after you perform this operation. The unit's port settings will be converted into a PolicyCenter configuration, but it may be a few seconds before you can refresh the web page.
Assign the PacketShaper to its PolicyCenter Configuration
The procedure to assign the primary unit to the new selective configuration varies, depending upon the version of software that PacketShaper is running.
- If the unit is running PacketWise 7.5.x, 8.3, or higher, simply assign the unit's individual configuration to the new selective configuration.
- If the unit is running an earlier version of PacketWise, move the unit's individual PolicyCenter configuration under the new selective configuration.
Assign a PacketShaper Running PacketWise 7.5.x, 8.3.x or Higher
To assign a PacketShaper to a selective PolicyCenter configuration:
1. Click the Units tab.
2. From the Units list on the left window pane, click the unit to be reassigned.
3. Click the Operations tab on the right window pane.
4. In the Change this Unit's Configuration to field, select the new selective sharable configuration.
5. Click Change to assign the unit configuration to the specified sharable configuration.
If the individual unit configuration has defined classes or settings that override the settings inherited from its selective parent configuration, these overrides must be cleared before the unit can properly inherit settings from the selective configuration. See Remove Local Overriding Classes on page 39.
Assign a PacketShaper Running Earlier Versions of PacketWise
PacketShapers running PacketWise 8.0.x-8.2.x or 7.0.x-7.4.x should have their unique unit configurations moved under the new selective configuration. Units running earlier versions of PacketWise will leave behind their individual unit configurations when they are assigned directly to a sharable configuration, so you must move the unit configuration under the selective parent configuration in order for that unit to retain its current local settings.
To move a unit configuration under a selective PolicyCenter configuration:
1. Click the Configurations tab.
2. From the Configurations list on the left window pane, click the unit configuration to be moved.
3. Click the Operations tab on the right window pane.
4. In the Move Configuration field, select the new selective configuration.
5. (Optional) In the "and (optionally) rename the Configuration to the following" field, you may enter a new name for the unit configuration. The name can be up to 20 characters long, including a-z, A-Z, -, _, and . (period). Spaces are not allowed in the configuration name.
6. Click Move & Rename.
If the individual unit configuration has defined classes or settings that override the settings inherited from its selective parent configuration, these overrides must be cleared before the unit can properly inherit settings from the selective configuration. See Remove Local Overriding Classes on page 39.
Remove Local Overriding Classes
The unique unit configuration for each PacketShaper now appears as a child configuration under the sharable parent configuration. Each of these child configurations will inherit from their parent configuration any classes and settings not already present on the child configuration. If a child configuration already has these classes defined, however, you will have to remove these local classes before the child configuration can inherit the classes from its parent.
To remove an override class:
1. If it is not already selected, click the Configurations tab.
2. From the Configurations list in the left window pane, select the unique unit configuration of a unit assigned to your selective configuration.
3. From the right window pane, click the Class Tree tab. Most of the traffic class names in the traffic tree below appear in black, indicating that those classes were created on the child configuration. Inherited classes appear in blue. Classes manually created on a child configuration override those same classes inherited from its selective parent configuration. Therefore, these overriding classes must be removed from the child configuration before the child can inherit the classes defined in the selective parent configuration.
To remove overriding local classes from a child configuration:
1. Click the Quick Commands link at the bottom of the PolicyCenter window.
2. Select the classes you wish to remove from the Available Classes list by clicking on the class names. You can ctrl+click to select multiple classes at once.
3. Click the > button to move those classes to the list of target classes.
4. From the Class Commands drop-down list, select class delete.
5. Click the Run button.
The specified local classes are removed from the child configuration, which can then inherit those classes from its parent.
The figure below shows what the traffic tree of one of these units will look like once its overrides are removed. Note the policy and partition icons that now appear by the inherited classes.
Manage your Configurations
Once you have followed the steps in the section to create the initial configuration tree, you can start creating PolicyCenter organizations and user accounts, as described in Chapter 5. Blue Coat also recommends you continue on to Chapter 6, and review some of the best practices for managing PolicyCenter configurations and units.
Create a Functional PolicyCenter Configuration
Important: Follow the steps described in this section to create a functional configuration tree that allows you to group and monitor your PacketShapers via PolicyCenter, yet still requires you to manage each PacketShaper individually through its own browser or command-line interfaces. For a detailed description of functional PolicyCenter configurations, see Functional Configuration Strategies on page 13. For alternate strategies, see Chapter 2 or refer to Create a Comprehensive PolicyCenter Configuration on page 33 or Create a Selective PolicyCenter Configuration on page 36.
This section describes how to:
- Create a new functional parent configuration with default settings only.
- Use the convert configuration option to add PacketShapers to PolicyCenter while retaining the units' individual traffic trees.
- Assign the units' configurations under the functional configuration.
Create a New PolicyCenter Configuration
When you first install PolicyCenter, it will have only the default configuration, which cannot be removed or renamed. When you add PacketShapers running PacketWise version 5.x-6.x to PolicyCenter, PolicyCenter adds the units' new PolicyCenter configurations under the default configuration. Units running later versions of PacketWise have their individual unit configurations appear at the top of the configuration tree when the unit is added to PolicyCenter.
The first step in creating a functional PolicyCenter configuration is to add an entirely new configuration to the PolicyCenter configuration tree.
To add a new configuration to PolicyCenter:
1. Click the Configurations tab. The PolicyCenter configuration tree appears in the left pane of the window.
2. Make sure the Root (/) is selected.
3. Click the New button below the configuration tree. The Add a New Configuration window appears.
4. Enter a name for the new configuration. PolicyCenter configuration names can have up to 20 characters, and can include a-z, A-Z, 0-9, -, _, and . (period). Spaces are not allowed.
5. Click Add.
Add Units to PolicyCenter
Once you have created a functional configuration with default settings only, you will need to add units to PolicyCenter and move those units' configurations under the parent configuration. You are not assigning units to the parent configuration directly, but are creating child configurations under the parent. Each unit remains assigned its own child configuration.
Important: As you add the units to PolicyCenter, make sure you select the convert configuration option so each unit's new PolicyCenter configuration will reflect the unit's previous local mode configuration. Without this option selected, the unit will be assigned to a PolicyCenter configuration with default settings only.
To add units to PolicyCenter:
1. Access the PacketShaper you wish to add to PolicyCenter via the unit's browser interface.
2. Click the Setup tab and select PolicyCenter access from the Choose Setup Page list. The PolicyCenter Access page appears.
3. Enter the DNS name (recommended) or IP address of the PolicyCenter directory server and the PolicyCenter directory server password.
   Note: Blue Coat strongly recommends identifying the server by DNS name, rather than by IP address. With this option, if you migrate PolicyCenter to a different server, you only need to assign the previous server's DNS name to the new server, and all units will be able to immediately contact the new PolicyCenter server. If a unit is subscribed to PolicyCenter via the server's IP address, migrating PolicyCenter to a different server may require you to access each unit, unsubscribe it, then resubscribe the unit to the new IP address.
4. (Optional for units running PacketWise 7.5 or 8.3 and above) Check the Secure Connection checkbox to establish a secure LDAP connection between the PacketShaper and the PolicyCenter directory server. Note that secure connections are slower than clear connections.
5. In the Unit Name field, enter a unique name for the unit that will help you to identify the unit and its configuration within the PolicyCenter Units list. The suggested names are the DNS name of the unit (if present) or the unit serial number.
6. Select the Convert configuration checkbox. When you select this option, the unit's existing sharable attributes will be converted into a new PolicyCenter configuration with the same attributes and values. Because the unit's new PolicyCenter configuration will be based upon its previous configuration, the unit will continue to operate the same in PolicyCenter as it did in local mode. If you do not select the convert option, the unit's new PolicyCenter configuration is cleared, and will have default settings only.
7. Click apply changes to save your settings. The unit will switch to shared mode and be subscribed to PolicyCenter.
   Note: If the web browser uses an HTTPS port setting other than port 443 to perform the convert operation, it may display a Page Not Found error immediately after you perform this operation. The unit's port settings will be converted into a PolicyCenter configuration, but it may be a few seconds before you can refresh the web page.
8. Repeat steps 1-7 to add any additional units whose configurations should appear under the same functional parent.
Now, you must move the individual unit configurations under the new sharable configuration folder. This procedure varies, depending upon the version of software that unit is running.
- For units running PacketWise 7.5.x, 8.3.x, or higher, see Reassign the Unit Configurations on page 43.
- For units running PacketWise 6.x-7.4.x or 8.0.x-8.2.x, see Assign a Unit Running Earlier Versions of PacketWise on page 43.
Reassign the Unit Configurations
Now that the other PacketShapers have been added to PolicyCenter, their configurations can be reassigned to a sharable configuration folder.
To assign a PacketShaper to a different sharable configuration:
1. Access the PolicyCenter browser interface and select the Units tab.
2. In the Units table in the left window pane, click the unit you wish to reassign and move to a different sharable configuration.
3. Click the Operations tab in the right window pane.
4. In the Change this Unit's Configuration To field, select the new sharable configuration for your unit.
5. Click Change.
Assign a Unit Running Earlier Versions of PacketWise
PacketShapers running PacketWise 8.0.x-8.2.x or 7.0.x-7.4.x should have their unique unit configurations moved under the new functional configuration. PacketShapers running earlier versions of PacketWise will leave behind their individual unit configurations when they are assigned directly to a sharable configuration, so you must move the unit configuration under the selective parent configuration in order for that unit to retain its current local settings.
To move a unit configuration under a sharable PolicyCenter configuration:
1. Click the Configurations tab.
2. From the Configurations list on the left window pane, click the unit configuration to be moved.
3. Click the Operations tab on the right window pane.
4. In the Move Configuration field, select the new selective configuration.
5. (Optional) In the "and (optionally) rename the Configuration to the following" field, you may enter a new name for the unit configuration. The name can be up to 20 characters long, including a-z, A-Z, -, _, and . (period). Spaces are not allowed in the configuration name.
6. Click Move & Rename.
Chapter 5: Manage Users and Organizations
PolicyCenter lets network administrators define up to 256 different organizations (groups of configurations) and a list of users who can access those configurations.
A PolicyCenter organization defines the users who can access configurations assigned to the organization. Although this feature is optional, it gives the PolicyCenter administrator the ability to limit which users access which configurations. This feature also allows PolicyCenter administrators to track the configuration changes made by each user.
Every PolicyCenter user is assigned either a touch role that allows the user to both view and modify settings for their PolicyCenter configurations, or a look role that lets a user monitor but not modify settings. When users log in to the PolicyCenter console with their unique user name and password, they can access only those units and configurations associated with their organization, and can perform only those operations allowed by their look or touch role.
Only PolicyCenter administrators with touch role access to the default PC organization can view and manage all units and configurations in the PolicyCenter configuration tree. If you want every PolicyCenter user to have complete access to all PolicyCenter configurations and units, you can make every user a PolicyCenter administrator. However, you may find that not all users need such a complete level of access. You can restrict a user's access to a specific set of PolicyCenter configurations and units by creating a new organization, specifying the configurations and units the users in that organization are allowed to view or manage, then adding users to the organization.
Create a New PolicyCenter Organization
Only PolicyCenter administrators can create or modify other PolicyCenter organizations. To create a new PolicyCenter organization:
1. Log in to PolicyCenter with a PolicyCenter administrator password.
2. Click the Orgs tab. (Note: If you are not logged in to PolicyCenter with touch access to the default PC organization, the PolicyCenter Orgs tab will not appear in the browser interface, and the PolicyCenter command line interface will not enable commands to configure organizations.)
3. Click the New Org button below the list of organizations, at the bottom of the left window pane. The Add a New Organization window appears.
4. Enter the name of the new organization. An organization name can be comprised of up to 32 alphanumeric characters, periods, underscores, and dashes. The first character of the name must be a letter. Spaces and other special characters are not allowed, and organization names are not case sensitive.
5. Click Add.
You can now create new user accounts for this organization, and assign configurations to it.
Create New User Accounts
PolicyCenter administrators with touch role access to the default PC organization can add user accounts to any organization, yet any user with touch role access to their organization can add and modify user accounts in their own organization.
To add a PolicyCenter user account:
1. Log in to PolicyCenter as a PolicyCenter administrator. (Organization managers can log in with a touch password for their organization.)
2. Click the Users tab.
3. Click the New User button. The Add a New User to PolicyCenter window appears.
4. Enter a unique login name for the new user in the User Name field. A login name can be comprised of up to 32 alphanumeric characters, periods, underscores, and dashes. The first character of the user name must be a letter. Spaces and other special characters are not allowed, and user names are not case sensitive.
5. Enter a login Password for the user, then retype the password to verify it. A password can be up to nine characters long and can include all printable characters, including spaces, periods, underscores, and dashes.
6. Enter the user's name in the First Name and Last Name fields. Names cannot have spaces; compound names will require a dash or underscore character (for example, Ann-Marie or Van_Patten).
7. (For PolicyCenter Administrators only) In the Organization drop-down list, select the organization to which this new user will belong. If you have not yet defined an organization for this user, first create the new organization, and then add the user to the new organization. You cannot switch an existing user to another organization without deleting and then recreating that user account.
8. For the Role, select either Look or Touch.
9. Click Add.
Repeat these steps as necessary to add additional users to your organizations, then assign configurations to these organizations using the following procedure.
Assign Configurations to an Organization
Every PolicyCenter configuration is owned by an organization. Organization managers (users with touch access to their organization) can modify the configurations assigned to their own organization, while PolicyCenter administrators can access and modify all configurations. Only PolicyCenter administrators can assign a configuration to a different organization.
To assign a configuration to a different organization:
1. Log in to PolicyCenter with a PolicyCenter administrator password.
2. Click the Configurations tab.
3. The left window pane displays the configuration tree. Click the configuration you wish to assign to a different organization.
4. Click the Operations tab in the right window pane to display the Operations pane.
5. Click the Change Configuration Ownership drop-down list and select a new organization for the configuration. By default, the Include Child Configurations checkbox is checked. Uncheck this box only to assign a parent configuration to the PC organization, while allowing that parent's child configurations to remain assigned to another organization.
6. Click Change.
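The naming rules stated in this chapter and in Chapter 4 (configuration names, organization and login names, passwords, first and last names, the Look and Touch roles) can be checked against a planned set of accounts before anything is entered in the console. The following is an added example, not part of PolicyCenter; the function names, the plan layout and the sample data are constructed, and treating login names as unique across the whole plan is an assumption.

```python
"""Pre-flight check of planned PolicyCenter organizations and users against
the naming rules stated in this guide. Added example, not Blue Coat code."""
import re
import string

# Configuration names: up to 20 characters from a-z, A-Z, 0-9, -, _ and period.
CONFIG_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")
# Organization and login names: up to 32 alphanumerics, periods, underscores
# and dashes, starting with a letter.
ORG_USER_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,31}")
MAX_PASSWORD_LEN = 9      # "up to nine characters long"
MAX_ORGS = 256            # "up to 256 different organizations"
ROLES = {"look", "touch"}
# Assumption: "printable" means printable ASCII including the space.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def config_name_problems(name):
    """Problems with one configuration name (empty list when it is valid)."""
    if CONFIG_NAME_RE.fullmatch(name):
        return []
    return [f"configuration {name!r}: use 1-20 of a-z A-Z 0-9 - _ . (no spaces)"]


def case_collisions(names):
    """Pairs of names that differ only by case; names are not case sensitive."""
    first_seen, clashes = {}, []
    for name in names:
        key = name.lower()
        if key in first_seen:
            clashes.append((first_seen[key], name))
        else:
            first_seen[key] = name
    return clashes


def password_problems(login, password):
    """Check one password against the length and character rules."""
    problems = []
    if not password:
        problems.append(f"user {login!r}: empty password")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"user {login!r}: password has {len(password)} characters, "
                        f"limit is {MAX_PASSWORD_LEN}")
    if any(ch not in PRINTABLE for ch in password):
        problems.append(f"user {login!r}: password has non-printable characters")
    return problems


def validate_plan(orgs, users):
    """orgs: every organization name that will exist, including existing ones.
    users: dicts with keys login, password, first, last, org, role.
    Returns a list of problems; an empty list means the plan fits the rules."""
    problems = []
    if len(orgs) > MAX_ORGS:
        problems.append(f"{len(orgs)} organizations planned, limit is {MAX_ORGS}")
    for org in orgs:
        if not ORG_USER_NAME_RE.fullmatch(org):
            problems.append(f"organization {org!r}: invalid name")
    for a, b in case_collisions(orgs):
        problems.append(f"organizations {a!r} and {b!r} are the same name")
    known_orgs = {org.lower() for org in orgs}
    for user in users:
        login = user["login"]
        if not ORG_USER_NAME_RE.fullmatch(login):
            problems.append(f"user {login!r}: invalid login name")
        problems += password_problems(login, user["password"])
        for field in ("first", "last"):
            if any(ch.isspace() for ch in user[field]):
                problems.append(f"user {login!r}: {field} name contains a space")
        if user["org"].lower() not in known_orgs:
            problems.append(f"user {login!r}: organization {user['org']!r} is not defined")
        if user["role"].lower() not in ROLES:
            problems.append(f"user {login!r}: role must be Look or Touch")
    for a, b in case_collisions(user["login"] for user in users):
        problems.append(f"logins {a!r} and {b!r} are the same name")
    return problems


# Constructed sample plan (not taken from the guide).
SAMPLE_ORGS = ["PC", "Branch_West", "branch_west", "Retail.EU"]
SAMPLE_USERS = [
    {"login": "amarie", "password": "s3cret pw", "first": "Ann-Marie",
     "last": "Van_Patten", "org": "Retail.EU", "role": "Touch"},
    {"login": "9ops", "password": "correct horse", "first": "Ann Marie",
     "last": "Lee", "org": "Finance", "role": "Admin"},
]

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_ORGS, SAMPLE_USERS):
        print(problem)
```

The nine-character password limit is the tightest of these rules, so a generated or policy-length password is the value most likely to be flagged here.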
Chapter 6: Best Practices
Now that you have created your PolicyCenter configuration tree, take the time to review the following Best Practices tips and hints that will make managing your PolicyCenter configurations faster and easier.
Move/Copy/Delete/Rename Operations
The move, copy, delete, and rename operations involve writing and deleting data from the directory server, so the amount of time it takes to complete each operation can vary greatly.
If an operation is performed upon a large branch of the configuration tree or on more complex configurations, it will require more time and directory server resources. You can improve the efficiency of your directory server by avoiding these operations unless required.
Configuring Units for PolicyCenter Access
When configuring a PacketShaper for PolicyCenter access, you have the option to convert the unit's existing configuration into a new PolicyCenter configuration, or to delete the unit's current configuration and assign the unit to a blank configuration with default settings only. If you choose to delete the unit's existing configuration when you add the unit to PolicyCenter, the existing configuration will be lost.
A recommended best practice is to always save the unit configuration before it is configured for PolicyCenter access. Use the CLI command config save <filename> to save the unit configuration. Saving the unit configuration will allow you to restore the configuration in the future, if necessary, using the command config load <filename>.
Unsubscribing Units
Always unsubscribe a unit from PolicyCenter before deleting the configuration to which the unit is assigned. If you do delete the configuration before the unit is unsubscribed, the configuration will be deleted from the unit as well, resulting in errors on the unit.
A recommended best practice is to save the unit configuration before it is unsubscribed from PolicyCenter. Use the CLI command config save <filename> to save the unit configuration. Saving the unit configuration will allow you to restore the configuration in the future, using the command config load <filename>.
Bulk Changes
Bulk configuration changes in parent configurations with a large number of units assigned can take a while to complete, and often require significant system resources.
The following bulk operations may require advanced planning, and should not be performed at random times without careful consideration:
- Loading a configuration or class tree with 50 or more classes
- Copying, moving, and publishing configurations with 50 or more classes
- Renaming configurations
File Distribution Strategies
The PolicyCenter file distribution feature can distribute PacketWise images, plugins, action files, and customer portal files to individual PacketShapers. The following best practices are recommended for this feature:
- Always schedule the image/plugin/action file/portal file updates for times when the network is less busy.
- If you plan on upgrading a unit's image and plugin files, schedule the two events to occur at the same time. This will require the unit to reboot only once, as compared to the two reboots that will be required if the plugin and image files are updated separately.
- When you distribute files, make sure your file names do not have spaces or more than eight characters (with a three-character file extension), as this can cause errors.
Compatible Software
PolicyCenter can manage units running earlier versions of PacketWise; however, we recommend that you always use the version of PacketWise released with the PolicyCenter software. This ensures that your PacketShapers will be able to take advantage of any new features, and avoids the risk of schema errors in either PolicyCenter or the units.
DNS Name vs. IP Address
Always use the directory server DNS name (and not the server's IP address) when configuring the PolicyCenter software and subscribing units for shared mode access. This will allow you to migrate the directory server to a different computer without affecting any of the units.
Note: If a unit is subscribed to PolicyCenter via the server's IP address, migrating PolicyCenter to a different server may require you to access the unit, unsubscribe it, then resubscribe the unit to the new IP address.
Initial Deployment Strategy
Blue Coat recommends the following initial deployment procedure, which will help improve the performance of the PolicyCenter application and the directory server:
1. Create your configurations and configuration hierarchies.
2. Subscribe your units to PolicyCenter, either through the units' individual browser interfaces, or via the PolicyCenter auto-deployment feature.
3. If you did not specify a PolicyCenter configuration for each auto-deployed unit, or if you manually subscribed individual units, assign your units to the desired configuration in the configuration tree.
When you assign a unit to a completed configuration, the unit reads its entire configuration all at once. It is less efficient to assign a unit to a configuration and then make multiple changes to that configuration, as that would require the units to send status updates to the directory server for every change.
Saving Configurations
Blue Coat recommends making regular backups of all your configurations. See Chapter 7 for details.
Chapter 7: Saving and Recovering Configurations
The best way to protect your PolicyCenter configurations against accidentally deleted or corrupted files is to create backups of your configurations. Configuration backups can be performed once, or scheduled for regular, automated backups. Blue Coat strongly recommends you make periodic backups of the configurations in PolicyCenter. You should also back up your configuration file(s) to the server before upgrading your PolicyCenter software.
This chapter describes how to create and restore the following types of backup files:
- Backups of a single PolicyCenter configuration
- Backups of all PolicyCenter configurations
- Backup files for an entire directory server
Back Up and Restore a Single Configuration from PolicyCenter
PolicyCenter allows you to save just a single configuration on your PolicyCenter server. This configuration can be restored onto any PolicyCenter server, even a PolicyCenter server with a different DNS name or IP address.
To create a backup of a configuration:
1. Access the PolicyCenter command line interface.
2. Select the configuration you want to save, using the command:
   config view <cfg_path>
3. Save the configuration using the command:
   config save [<cfg_path>]
   The backup file can be specified with a directory, for example,
   config save D:\tmp\ps.ldi
   If you do not specify a directory, the backup file will be created in the directory <install_directory>/BlueCoatSystems/PolicyCenter.
To restore a backup of a single PolicyCenter configuration, use the following procedure:
1. Access the PolicyCenter command line interface.
2. Select the PolicyCenter configuration you want to restore, using the command:
   config view <cfg_path>
3. Load the backup configuration file using the command
   config load <file>
   If the backup file is not in the directory <install_directory>/BlueCoatSystems/PolicyCenter, specify the complete path of the backup file, for example,
   config load D:\tmp\ps.ldi
The selected configuration's current attributes and settings will be replaced by the settings in the backup file.
Back Up and Restore All PolicyCenter Configurations
Create Backup Files
PolicyCenter 8.5 provides an easy way to perform backup and restore of PolicyCenter configurations using the pcbackup.bat and pcrestore.bat tools that are installed with PolicyCenter. These batch files run a Java utility that in turn runs Sun LDAP commands and uses the Java ldapsdk to read and write configuration data from the directory servers.
Backup files can be restored onto any PolicyCenter server.
Because pcbackup depends on the Sun DS Java files and LDAP utilities, you must run pcbackup on a Windows server where you have already installed PolicyCenter (the core directory server).
To create a backup of all PolicyCenter configurations:
1. On the core directory server, open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically under C:\BlueCoatSystems).
3. To back up your PolicyCenter DS servers, type pcbackup <core_host> where <core_host> is the IP address of the core directory server.
The pcbackup utility backs up configuration data to LDIF files stored at C:\BlueCoatSystems\PcBackupData, in a subfolder named with the current date and time. In a multiple directory server deployment, pcbackup automatically retrieves the edge DS addresses from the core server and backs up all core/edge configuration data.
Restore Backup Files
There are multiple steps to restoring backup files of PolicyCenter configurations:
1. Uninstall PolicyCenter and the Sun ONE Directory Server from core and edge servers. (optional for multiple directory server deployments only)
2. Reinstall PolicyCenter and the Sun ONE Directory Server software on those servers. (optional for multiple directory server deployments only)
3. Reset PolicyCenter and stop the PolicyCenter service.
4. Run the cleantree.bat utility. (optional)
5. Restore backup files.
6. Restart the PolicyCenter service.
Multiple Directory Server Deployments: Uninstall PolicyCenter and the Sun ONE Directory Server (optional)
Note: This procedure is not applicable to a single directory server deployment.
To ensure a clean DS setup prior to restore operation, you may want to uninstall and reinstall PolicyCenter and the Sun ONE Directory Server software on all core and edge directory servers.
The steps required to uninstall the Sun ONE Directory Server vary depending upon the type of server on which it is installed (Windows or Solaris). In the event that you need to uninstall and reinstall the Sun ONE Directory Server, use the following procedure appropriate for your server type.
To uninstall PolicyCenter and the Sun ONE Directory Server from a Windows server:
1. Remove the directory server from your network. This is an important step; if the units are able to contact the directory server during the upgrade process, the units will report errors until their configurations have been restored.
2. Use the Windows Add/Remove Programs utility (Start > Settings > Control Panel > Add/Remove Programs) to uninstall your existing PolicyCenter software. You must uninstall PolicyCenter before you uninstall the directory server software.
3. After uninstalling PolicyCenter, use the Windows Add/Remove Programs utility to uninstall the Sun ONE Directory Server. The uninstall wizard will prompt you to enter your Sun ONE Directory Server configuration user ID and password. The default settings for both of these are admin.
4. If the Sun ONE uninstall utility does not remove the Sun folder from its install directory, manually delete it.
5. After the Sun ONE Directory Server software and folders have been removed, follow the procedures described in Install PolicyCenter and the Directory Server Software on page 21 to reinstall the Sun ONE Directory Server and PolicyCenter 8.5 software.
To uninstall Sun ONE Directory Server from a Solaris server:
1. Back up the directory server configuration using the procedure described in Back Up and Restore the Entire Directory Server Tree on page 57. Do not save the backup file to the /var/Sun directory or subdirectories, as the file may be lost. Save the file to another directory instead.
2. Remove the directory server from your network. This is an important step; if the units are able to contact the directory server during the upgrade process, the units will report errors until their configurations have been restored.
3. Log in to the Solaris server as a root user.
4. Navigate to /var/Sun/mps.
5. Enter the command ./uninstall_dirserver.
6. The uninstall wizard will prompt you to enter your Sun ONE Directory Server configuration user ID and password. The default settings for both of these are admin.
7. Issue the command rm -rf /var/Sun to remove the Sun directory.
8. After the Sun ONE Directory Server software and folders have been removed, follow the procedures described in Install PolicyCenter and the Directory Server Software on page 21 to reinstall the Sun ONE Directory Server and PolicyCenter 8.5 software.
Note: Further detailed information on installing and uninstalling the Sun ONE Directory Server can be found on the Sun website: http://docs.sun.com/source/816-6697-10/install.html#23713
Multiple Directory Server Deployments: Reinstall PolicyCenter and the Directory Server Software
Note: This procedure is not applicable to a single directory server deployment.
Follow the steps described in Install PolicyCenter and the Directory Server Software on page 21 to reinstall PolicyCenter and the directory server software on your core server. After installation, you will be prompted to run Guided Setup. If you are reinstalling PolicyCenter on a different machine, be sure to enter the same host name, DNS, and IP settings as your previous PolicyCenter server. Next, follow the steps described in Install an Edge Directory Server on page 27 to reinstall directory server software on your edge servers.
Important: Do not set up data replication between the core and edge servers before you restore your backup file.
Reset PolicyCenter and Stop the PolicyCenter Service
Before you restore backup files, you must discard PolicyCenter's connection to the directory server and stop the PolicyCenter service on the Windows server.
1. Access the PolicyCenter command line interface and issue the command config reset to discard PolicyCenter's connection to the directory server.
2. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
3. Select the PolicyCenter service from the list of services.
4. Click the stop icon to stop the PolicyCenter service.
Run Cleantree.bat to Clean Up Old Directory Server Entries (optional)
Before restoring the configurations, you need to remove old directory server entries from each directory server; Blue Coat provides a utility to automate this process.
Note: This step is necessary only if the directory server has old DS entries. In most situations, this step can be skipped.
1. Log in to the Blue Coat download site at https://support.bluecoat.com/download
2. In the PolicyCenter section, locate the Tools and download the .zip file.
3. Open the zip file, and extract the file cleantree.bat to the folder <install_directory>\Program Files\Sun\mps\shared\bin, where <install_directory> is the directory where you installed the Sun One Directory Server software.
4. Open a command window, and navigate to the folder: <install_directory>\Program Files\Sun\mps\shared\bin
5. Issue the command cleantree.bat to launch the utility and delete unnecessary entries.
Restore Backup Files
The pcrestore utility finds the most recent backup files and restores them to the same core IP address and edge server addresses that the pcbackup utility discovered.
To restore the directory server backup (.LDIF) files:
1. Open a command window.
2. Navigate to the \pcbackup folder located on the target system (typically under C:\BlueCoatSystems).
3. To restore your PolicyCenter configuration, type pcrestore.
Restart the PolicyCenter Service
To restart the PolicyCenter service:
1. If you disconnected your PolicyCenter directory server from the network prior to uninstalling and reinstalling the directory server software, reconnect the server to the network.
2. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
3. Select the PolicyCenter service from the list of services.
4. Click the restart icon to restart the PolicyCenter service.
Restore the Connection Between PolicyCenter and the Directory Server
Access the PolicyCenter command line interface and issue the command config set localhost <password> to reset the connection between PolicyCenter and the directory server. Finally, log in to the PolicyCenter browser interface to verify that the desired PolicyCenter configuration has been restored.
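Because pcrestore restores whatever the most recent backup files are, it helps to inspect that folder before the restore procedure above is started. The following is an added example, not part of PolicyCenter or its tools: it picks the newest subfolder of the backup root, counts the entries in each LDIF file and records a SHA-256 so a stored copy can be compared with the original. The .ldif extension, the use of folder modification time to find the newest backup, and all function names are assumptions.

```python
"""Sanity-check the newest pcbackup output folder before running pcrestore.
Added example, not part of PolicyCenter."""
import hashlib
import sys
from pathlib import Path


def latest_backup_dir(root):
    """Newest subfolder by modification time. The guide says only that the
    folder is named with the date and time, so the name is not parsed."""
    root = Path(root)
    if not root.is_dir():
        return None
    subdirs = [p for p in root.iterdir() if p.is_dir()]
    return max(subdirs, key=lambda p: p.stat().st_mtime, default=None)


def summarize_ldif(data):
    """Return (entry_count, problems) for the bytes of one LDIF file."""
    problems = []
    logical = []             # unfolded lines; "" separates records
    in_comment = False
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    for raw in text.split("\n"):
        if raw.startswith(" "):          # LDIF folding: continues the previous line
            if in_comment:
                continue                 # folded comment
            if logical and logical[-1]:
                logical[-1] += raw[1:]
            else:
                problems.append("continuation line with nothing to continue")
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            logical.append(raw)

    entries, record, first = 0, [], True
    for line in logical + [""]:          # trailing "" flushes the last record
        if line:
            record.append(line)
            continue
        if not record:
            continue
        if first and record[0].lower().startswith("version:"):
            record = record[1:]          # optional "version: 1" header
        first = False
        if record:
            if record[0].lower().startswith("dn:"):
                entries += 1
            else:
                problems.append(f"record does not start with dn: ({record[0][:40]!r})")
        record = []
    if entries == 0:
        problems.append("no directory entries found")
    return entries, problems


def check_backup(root):
    """Return (folder, report); report maps each LDIF file in the newest
    folder to its entry count, SHA-256 and problems."""
    folder = latest_backup_dir(root)
    if folder is None:
        return None, {}
    report = {}
    for path in sorted(folder.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".ldif":
            data = path.read_bytes()
            entries, problems = summarize_ldif(data)
            report[str(path.relative_to(folder))] = {
                "entries": entries,
                "sha256": hashlib.sha256(data).hexdigest(),
                "problems": problems,
            }
    return folder, report


def backup_is_restorable(report):
    """True only when at least one LDIF file exists and none has problems."""
    return bool(report) and all(not info["problems"] for info in report.values())


if __name__ == "__main__":
    # Default is the location named in this guide; pass another root as argv[1].
    backup_root = sys.argv[1] if len(sys.argv) > 1 else r"C:\BlueCoatSystems\PcBackupData"
    folder, report = check_backup(backup_root)
    print("newest backup folder:", folder)
    for name, info in report.items():
        print(name, info["entries"], "entries", info["sha256"], info["problems"])
    print("restorable:", backup_is_restorable(report))
```

Keeping the printed SHA-256 values with the change record lets a later restore confirm that the files on disk are the ones that were backed up.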
Back Up and Restore the Entire Directory Server Tree
Create a Backup of the Entire Directory Tree Configuration
The following process describes how to create a single backup copy of the directory server tree. If you create backup copies often, you should consider scheduling automated backups. Backup files created via the Sun ONE console must be restored onto a server with the same DNS name and IP address as the server on which they were created.
1. Access the Sun ONE Console:
   - From a Windows server: Click Start > Programs > Sun ONE Server Products > Sun ONE Console 5.2.
   - From a Solaris server: Enter the command /var/Sun/mps/startconsole
2. Enter the user name and password. (The default user name and password are both admin.)
3. In the main console file window, expand the Windows server and Server Group directories. Select Directory Server, then click the Open button in the upper right corner of the window.
4. The directory server tasks window will open. Double-click Back Up Directory Server and designate a backup location.
   Note: Do not use the default location if you plan to uninstall the Sun ONE Directory Server, as the backup configuration may be lost.
5. Click OK to back up the Sun ONE Directory Server configuration.
Creating a Scheduled Backup on a Windows Server
The following procedure creates a schedule for automatically creating backups of your Windows directory server, including all PolicyCenter configurations:
1. Before you set up automation, you must select a location for Sun ONE backup data. By default, the Sun ONE backup script, db2bak.bat, stores backup data in the Sun ONE folder:
   <install directory>\Sun\MPS\slapd<server_name>\db2bak.bat
   For example, if you installed the Sun ONE Directory Server onto the Program Files folder in the C: drive of a Windows server named California, the location of the Sun ONE backup script would be:
   C:\Program Files\Sun\MPS\slapdCalifornia\db2bak.bat
   If your server's default location is acceptable to you, proceed directly to step 2, below. Otherwise, you will need to modify the Sun ONE script to specify a new location. See Modify the Sun ONE Backup Script on page 58 for details.
   Note: Do not use the default location if you plan to uninstall the Sun ONE Directory Server, as the backup configuration may be lost.
2. Next, you must schedule the backups with the Windows Task Scheduler: Start > Settings > Control Panel > Scheduled Tasks.
3. Double-click the Add Scheduled Task icon to open the Scheduled Task Wizard.
4. When the Scheduled Task Wizard asks you to select a program to run, click the Browse button, and navigate to your backup script file located in the folder <install directory>\Sun ONE\Servers\slapd<server_name>. Select the backup script file, then click Open.
5. In the next Scheduled Task Wizard window, enter a name for the scheduled task, click a radio button beside one of the listed run schedules, then click Next.
6. If you selected the Daily, Weekly, Monthly, or One time only schedule in step 5, enter the time you want the backup to start, and select the days (or months) you want the backup script to run. Click Next when you are finished.
   Note: If you selected the When my computer starts or When I log on schedule options, the Task Wizard does not require you to specify a specific time or date.
7. Enter a user name and password. (The backup script will automatically run as if it were started by that user.) Click Next.
8. The final window of the Scheduled Task Wizard shows the configured schedule for the backup script. Review the information to ensure its accuracy, then click Finish.
After you have defined this task, the Windows Task Scheduler will automatically create a backup copy of your configurations according to the schedule you just created. Remember, the backup will be in the folder <install directory>\Sun\MPS\slapd<server_name>\db2bak.bat, unless you modified the backup script to select another location.
Modify the Sun ONE Backup Script
To specify a custom location to store your backups, you will need to modify one line of the Sun ONE db2bak script. It is a good practice to avoid modifying the original installed Sun ONE scripts. Instead, modify a copy and then run your customized script in lieu of the original Sun ONE script. The following is the recommended procedure for making this modification.
1. Open a text browser and view the db2bak.bat script in this browser. The Sun ONE backup script is located in the Sun ONE folder
   <install directory>\Sun\MPS\slapd<Windows_server_name>\db2bak.bat
2. Use a save as command on the browser immediately to make a copy of the script, such as db2bak.custom.bat. Save your new copy in the same directory that you found the original db2bak script.
3. Find the following line in the script:
   set bakdir="<install directory>\Sun\MPS\slapd<Windows_server_name>\bak\%DATESTR%"
   This line specifies the name and location of the backup files. Modify this line to read:
   set bakdir="<new custom location>\%DATESTR%"
   For example, if you wanted to store your backup files in the drive T:\ds_backups, you would modify this line of the script to:
   set bakdir="T:\ds_backups\%DATESTR%"
4. Save your modified script.
Important: If the server does not have access rights to the backup files in their new location, you may not be able to restore the backup configuration directly from that location. If the procedure described in Restore a Directory Server Backup Configuration on page 58 does not restore your directory server backup file, copy the backup files to the default backup folder on your PolicyCenter server, (<install directory>\Sun ONE\Servers\slapd-<Windows_server_name>bak) and then repeat the procedure. The backup file should now appear in the drop-down list of available backups.
Restore a Directory Server Backup Configuration
To restore a Sun ONE Directory Server backup configuration:
1. Access the Sun ONE Console.
   - From a Windows server: Click Start > Programs > Sun ONE Server Products > Sun ONE Console 5.2.
   - From a Solaris server: Enter the command /var/Sun/mps/startconsole
2. Enter the user name and password. (The default user name and password are both admin.)
3. In the main console file window, expand the Windows server and Server Group directories. Select Directory Server, then click the Open button. The directory server tasks window will open.
4. Double-click Restore Directory Server and designate the existing backup location.
5. Click OK to restore that backup configuration.
Uninstalling the Sun ONE Directory Server
The steps required to uninstall the Sun ONE Directory Server vary depending on whether it's installed on a Windows or Solaris server. In the event that you need to uninstall and reinstall the Sun ONE Directory Server, use the following procedure appropriate for your server type.
To uninstall Sun ONE Directory Server from a Windows server:
1. Back up the directory server configuration using the procedure described in Back Up and Restore the Entire Directory Server Tree on page 57. Do not save the backup file to the <install_directory>\Sun folder or subfolders, as the file may be lost. Save the file to the root of your installation directory, or to the Desktop instead.
2. Remove the directory server from your network. This is an important step; if the units are able to contact the directory server during the upgrade process, the units will report errors until their configurations have been restored.
3. Use the Windows Add/Remove Programs utility (Start > Settings > Control Panel > Add/Remove Programs) to uninstall your existing PolicyCenter software. You must uninstall PolicyCenter before you uninstall the directory server software.
4. After uninstalling PolicyCenter, use the Windows Add/Remove Programs utility to uninstall the Sun ONE Directory Server. The uninstall wizard will prompt you to enter your Sun ONE Directory Server configuration user ID and password. The default settings for both of these are admin.
5. If the Sun ONE uninstall utility does not remove the Sun folder from its install directory, you should manually delete it.
After the Sun ONE Directory Server software and folders have been removed, follow the procedures described in Install PolicyCenter and the Directory Server Software on page 21 to reinstall the Sun ONE Directory Server and PolicyCenter 8.5 software and restore your previous directory server configuration.
To uninstall Sun ONE Directory Server from a Solaris server:
1. Back up the directory server configuration using the procedure described in Back Up and Restore the Entire Directory Server Tree on page 57. Do not save the backup file to the /var/Sun directory or subdirectories, as the file may be lost. Save the file to another directory instead.
2. Remove the directory server from your network. This is an important step; if the units are able to contact the directory server during the upgrade process, the units will report errors until their configurations have been restored.
3. Log in to the Solaris server as a root user.
4. Navigate to /var/Sun/mps
5. Enter the command ./uninstall_dirserver.
6. The uninstall wizard will prompt you to enter your Sun ONE Directory Server configuration user ID and password. The default settings for both of these are admin.
7. Issue the command rm -rf /var/Sun to remove the Sun directory.
After the Sun ONE Directory Server software and folders have been removed, follow the procedures described in Install PolicyCenter and the Directory Server Software on page 21 to reinstall the Sun ONE Directory Server and PolicyCenter 8.5 software and restore your previous directory server configuration.
Note: Further detailed information on installing and uninstalling the Sun ONE Directory Server can be found on the Sun website: http://docs.sun.com/source/816-6697-10/install.html#23713
Chapter 8: Using the PolicyCenter Command-Line Interface
Start the Command Line Interface
The PolicyCenter Client (command line interface) allows you to issue commands for PolicyCenter sharable configurations or units in shared mode. Unlike the PolicyCenter browser interface, which can be accessed from any computer on your network, the PolicyCenter Client can only be accessed from the PolicyCenter server.

Note: The PolicyCenter browser interface also offers a Multi-Class Quick CLI Commands utility that can issue commands to multiple traffic classes in one operation. This Quick Commands utility can add a policy or partition to multiple traffic classes at once, or turn traffic discovery on or off for one or many traffic classes with a single command. For more details on the Quick Commands utility, see PacketGuide.

Access the PolicyCenter command line interface by clicking Start > Programs > Blue Coat PolicyCenter > PolicyCenter Client. The PolicyCenter Client window will open, as shown.
Get an Explanation for a Command
For an explanation of any of the commands, type:
help <command name>
For example:
Get Help With Syntax
For help with command syntax, type:
<command name> ?
For example:
If you enter the question mark after an incomplete command, the CLI help will list the possible options for the first part of the command.
PolicyCenter CLI Commands
Because the PolicyCenter command line interface is an extension of the command line interface for individual PacketShapers, many of the PolicyCenter and PacketShaper commands have the same syntax and functionality. For a complete list of CLI commands specific to PolicyCenter, refer to PacketGuide, under the section Reference > Command Line Interface and locate the PolicyCenter commands drop-down list.

CLI commands that prompt you for confirmation or additional information require a response to those prompts before you end your command line session. If you end the CLI session without responding to the prompt, you must stop and then restart the PolicyCenter service before starting another session.
Chapter 9: Troubleshooting
DNS Errors
One of the most common problems in installing PolicyCenter results from incorrect DNS settings. If PolicyCenter is reporting DNS errors during installation, use the following procedure to check your DNS settings.

For Windows 2000 Server:
1. From the Windows 2000 Server desktop, right-click My Computer, and then click Properties. This will open the System Properties window.
2. Click the Network Identification tab, then click Properties. The Identification Changes window will open.
3. Click More. The DNS Suffix and NetBIOS Computer Name window opens.
4. Enter the Primary DNS suffix of your Windows server, then click OK.

For Windows 2003 Server:
1. From the Windows 2003 Server desktop, right-click My Computer, and then click Properties. This will open the System Properties window.
2. Click the Computer Name tab, then click Change. The Computer Name Changes window will open.
3. Click More. The DNS Suffix and NetBIOS Computer Name window opens.
4. Enter the Primary DNS suffix of your Windows server, then click OK.
TCP/IP Errors
PolicyCenter requires a static IP address on its Windows server. PolicyCenter does not support DHCP installations; the PolicyCenter server must have a static IP address in order for the installation to complete.
1. From the Windows 2000/2003 Control Panel, select and open the Network and Dial-up Connections folder. Right-click the network connection you want to configure, and then click Properties. This will open the Properties window for that connection.
2. On the General tab (for a local area connection) or the Networking tab (all other connections), select Internet Protocol (TCP/IP), and then click the Properties button. The Internet Protocol (TCP/IP) Properties window will open.
3. Verify that the Use the following IP address radio buttons are selected, and that the information for the IP address, subnet mask, and default gateway are accurate for your PolicyCenter server.
4. Click OK to save your changes.
Solaris Directory Server Installation Errors
Your Solaris server will not let you install the directory server if the server already has a Sun ONE 5.2 Directory installed, including the version bundled with Solaris. You must remove any existing Sun ONE Directory Server before PolicyCenter can install its own version. For details, see Uninstalling the Sun ONE Directory Server on page 60.
Command-Line or Browser Errors
If the PolicyCenter command line interface does not start after installation, or the browser interface reports that the page cannot be displayed, check that the PolicyCenter service is running. If the service has stopped, restart it. If you are unable to restart the PolicyCenter service, contact Blue Coat customer support.
IIS Server Errors
PolicyCenter cannot install on a server running IIS. Use the following procedure to remove IIS from your server prior to installing PolicyCenter.
1. From the Windows Control Panel, click Add/Remove Programs. The Add/Remove Programs window will open. Click the Add/Remove Windows Components button. The Windows Components Wizard opens.
2. Click the Internet Information Services (IIS) checkbox to remove the check mark, then click Next. The wizard will remove the IIS server.
Disable Hardware Acceleration
In some cases, accessing the Sun ONE Directory Server console when the server's video card has Hardware Acceleration enabled will cause the server to stop responding. If you experience this problem, reboot the server, then turn off Hardware Acceleration for the video card.
Operational Error Messages
The following error messages may appear in the browser interface:

Message: Install warns about terminal services
Explanation: The Sun ONE Directory Server cannot be installed over terminal services. Install the PolicyCenter software directly onto the server on which it will run.

Message: Install warns about IIS server
Explanation: PolicyCenter installs its own web server, which will not work when another web server is already installed. Uninstall IIS or any other web server and then install PolicyCenter.

Message: Configuration error in /config_name
Explanation: These errors occur when a unit detects a problem with its assigned PolicyCenter configuration. For example, the specified link size of a class could be bigger than the maximum link on the unit.

Message: Your password is invalid. Please retry.
Explanation: If the unit is no longer in shared mode, the directory server password will no longer work. Return the unit to shared mode. This error may also occur when a unit running PacketWise version 5.x-6.x has subscribed to PolicyCenter. These units will be assigned to a child configuration under the /default parent configuration, and may inherit a new password if one has been set in the /default parent configuration. In this case, use the touch password for the /default configuration.

Message: The configuration has been selected but not completely applied yet. It may thus have incomplete traffic tree.
Explanation: You may have selected a configuration with a large class tree. Refresh the browser to ensure that the configuration is up-to-date.

Message: Error applying this configuration
Explanation: If you select the class tree of a configuration that is in error, this warning tells you that there is an error in this configuration and it should be addressed. This error can result if a configuration from a large-capacity unit with many traffic classes is applied onto a smaller-capacity unit that cannot support so many classes. Either reduce the number of classes you are moving to the smaller unit, or move the configuration onto a larger-capacity unit.

Message: Error 1158: Incorrect old password
Explanation: When changing passwords, you entered the existing password incorrectly. Try again.

Message: ERROR 3302: DS error binding, Can't connect to the LDAP server, Error 0x0 connecting to 127.0.0.1: Connection refused.
Explanation: Either the directory server wasn't installed properly or it has stopped. Open the Services window in the Windows 2000/2003 Control Panel. Check the status of the directory server service. Start it if it is not already running. Otherwise, reinstall it.

Message: Browser cannot establish a connection to the server, or warns that the login page cannot be found.
Explanation: The PolicyCenter service has not automatically started (or restarted after rebooting the server). Open the Services window in the Control Panel of Windows 2000/2003. Check the status of the PolicyCenter service. Start it if it is not already running.

Message: (No message.) A configuration in the browser interface doesn't match the configuration in the CLI interface.
Explanation: Connection to the directory server may not be working. First, reset the connection from PolicyCenter to the directory server:
1. Select the PolicyCenter Setup tab.
2. From the list of setup pages in the right pane of this window, click Core Directory Server.
3. Click refresh directory cache.
Next, reset the connection from the unit to the directory server:
1. Log in to the unit browser interface.
2. Select the unit Setup tab.
3. Select PolicyCenter Access from the Choose Setup Page list.
4. Click refresh directory cache.

Message: PolicyCenter uninstall warns of locked files
Explanation: PolicyCenter has locked the files and InstallShield is unable to delete them. Stop the PolicyCenter service and repeat the uninstallation. If the condition persists, reboot the server and repeat the procedure.
Troubleshooting Commands
Occasionally, a unit may report errors in the Configuration Errors section of the PolicyCenter Configurations tab. Described below are some of the commonly used commands that can help you troubleshoot the errors.
ds sessions
The ds sessions command can help you troubleshoot the following error types:
- Memory allocation errors
- Refused connections
- Unknown errors

The command displays the status of the read and write connections between the PacketShaper or PolicyCenter configuration and the Sun ONE Directory Server. For each connection, there is an Errors field that will describe the LDAP errors (if any).
ds requests
The ds requests command displays the lists of pending requests between the unit or configuration, and the Sun ONE Directory Server. If ten or more requests remain for a long time, there could be some problems with the communication between the unit or PolicyCenter and the directory server.
banner show
The banner show command displays all the configuration and operational errors in the unit or PolicyCenter configuration. The Info tab in the browser interface displays the same set of messages. This command can be used to check unit hardware status, including disk, power supply, and NIC status, as well as to troubleshoot the following error types:
- File distribution errors
- Configuration errors
- Directory server schema errors
Additional Troubleshooting Solutions
The Sun ONE Directory Server installation writes an install log, and you can check this log for errors. If the installation is not successful, the log files can be found in the following locations:
- On a Windows server: TEMP\setup.log
- On a Solaris server: /var/sadm/install/logs or /var/tmp

If PolicyCenter crashes, it writes an event log and a stack trace to a file in its home directory with a name such as log/0801075450.txt, the file name that corresponds to the month-day-hour-minute-second of the crash. You should provide any such files to your support contact.

You may also observe PolicyCenter service events in the Windows event log.

You can use the Windows Control Panel Services manager to observe the state of the PolicyCenter and Directory Services daemons, and stop or restart them.
Appendix A: PolicyCenter Capacity Planning for Earlier Versions of PacketWise
Capacity Planning Depends Upon the Units' PacketWise Versions
If all (or most) of your PacketShapers are running PacketWise 8.2.x or earlier, capacity planning is a bit more complex. Refer to this section only for units running these earlier versions of PacketWise.

Chapter 1 describes how a PolicyCenter configuration tree can have several levels of parent and child configurations, with PacketShapers assigned to configurations at any level. The Sun ONE Directory Server uses more persistent searches to communicate with a unit at a lower configuration level than it does to communicate with a unit assigned to a high-level configuration.

When a unit is assigned to a root-level configuration at the top of the PolicyCenter configuration tree, the directory server uses only two persistent searches: one for the unit's configuration, and one for the unit entry. If the unit is assigned to a second-level configuration, the directory server then must use three persistent searches: one for the parent configuration, one for the child configuration, and the third for the unit entry. If the unit is assigned to a configuration at an additional level of depth, the directory server must use an additional persistent search to contact that unit. Therefore, a fourth-level unit (requiring five persistent searches) uses more directory server resources than two units assigned to a root-level configuration (requiring two searches each, or four total).

In the following example, there are three PacketWise 7.4.0 units directly assigned to a root-level sharable configuration, and two 7.4.0 units assigned to a second-level sharable configuration.
[Figure: configuration tree]
/California (two assigned units: 025-1000102 and 025-1000302)
    /San_Diego (one assigned unit: 025-1000303)
    /San_Francisco (one assigned unit: 025-1000404)
The two units assigned to the California configuration require two persistent searches each, while San_Diego and San_Francisco units each require three persistent searches, for a total of 10 persistent searches for the entire configuration tree.
Large Versus Small Configuration Hierarchies
There are benefits to both large and small configuration tree hierarchies. Small (shallow) configuration hierarchies with only two levels of parent and child configurations can support more units, but you also may have to maintain more individual configurations. Larger configuration hierarchies support fewer units but can be easier to maintain, because you can modify a configuration anywhere within the traffic tree, updating all or just a few of your units at once.
Large Configuration Hierarchy Example
The following configuration tree is an example of a larger configuration hierarchy. This configuration tree has four levels of configurations with 60 assigned units each, and therefore requires a directory server that can support 1,080 persistent searches.

[Figure: large configuration hierarchy]
Config 1: Basic Traffic Tree (+ 60 units)
Config 2: Basic Traffic Tree, Policy to control P2P (+ 60 units)
Config 3: Basic Traffic Tree, Policy to control P2P, Policy to protect Citrix (+ 60 units)
Config 4: Basic Traffic Tree, Policy to control P2P, Policy to Protect VoIP (+ 60 units)
Config 5: Basic Traffic Tree, Policy to control P2P, Policy to protect Citrix, Secure logins (+ 60 units)
This traffic tree would be relatively simple to maintain, as any changes to the traffic tree can be made just once, at the root-level configuration, and the changes will automatically propagate to the child configurations. Similarly, any changes to the P2P or Citrix policies could be made on a single parent configuration and would immediately appear on the child configurations.

If, however, the network administrator needed to add an additional 15 units to each configuration, the Sun ONE Directory Server could no longer support the number of persistent searches required for a configuration tree this complex.

Small Configuration Hierarchy Example
A better option for a 375-unit deployment would be a configuration tree like the one shown below, with just two levels of parent and child configurations.

[Figure: small configuration hierarchy]
Config 1: Basic Traffic Tree (+ 75 units)
Config 2: Basic Traffic Tree, Policy to control P2P (+ 75 units)
Config 3: Basic Traffic Tree, Policy to control P2P, Policy to protect Citrix (+ 75 units)
Config 4: Basic Traffic Tree, Policy to control P2P, Policy to Protect VoIP (+ 75 units)
Config 5: Basic Traffic Tree, Policy to control P2P, Policy to protect Citrix, Secure logins (+ 75 units)
Unlike the previous configuration, which required 1080 persistent searches for 300 units, this smaller hierarchical configuration requires only 975 searches yet supports 375 units.
Even though this hierarchy supports more units, it may be slightly more difficult to maintain. With configurations 3 and 5 at a higher level in the configuration tree, changes to the traffic tree must now be made in both root-level configurations, and changes to P2P policies must be made in all three child configurations. In the previous, larger configuration, these changes only had to be made in a parent configuration.

So how big is your deployment? If you have reviewed the two basic configuration strategies in Chapter 2 and have a general idea of how you will design your PolicyCenter configuration tree, you can use the following worksheet to find out. Don't worry if you don't yet know exactly how many units you are going to deploy or what your final PolicyCenter configuration tree will look like; if you need to add additional PacketShapers or create a deeper configuration hierarchy, you can upgrade a small or standard directory server platform at any time.

Note: If you do not yet know how many PacketShapers your enterprise will require or where you will be deploying them, a good resource is Deployment Topologies in PacketGuide. This guide provides PacketShaper installation, configuration and scalability advice for a variety of network topologies.

Enter the values on each line, then add the total number of persistent searches.
# of PacketWise 7.0-7.4 or 8.0-8.2 units assigned to a level 1 (root) config. ___ x 2 = ____ persistent searches
# of PacketWise 7.0-7.4 or 8.0-8.2 units assigned to a level 2 config. _____ x 3 = _____ persistent searches
# of PacketWise 7.0-7.4 or 8.0-8.2 units assigned to a level 3 config. _____ x 4 = _____ persistent searches
# of PacketWise 7.0-7.4 or 8.0-8.2 units assigned to a level 4 config. _____ x 5 = _____ persistent searches
The total number of persistent searches required = _______ searches
Recommended Platforms
Blue Coat has identified three different hardware platforms recommended for small, standard, or large PolicyCenter deployments. These platforms support a directory server configuration that can support the following numbers of persistent searches:
- Up to 1200 searches (for example, 400 units assigned to a level two configuration, or 240 units assigned to a level four configuration): For deployments of this size, Blue Coat recommends using a standard PolicyCenter hardware platform.
- 1201-3000 searches (for example, 600 units assigned to a level four configuration): For deployments of this size, Blue Coat recommends using a large PolicyCenter hardware platform.

For additional requirements and detailed information on configuring your server platform, see Installation Requirements on page 16.
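
The worksheet and platform limits above can be applied to a whole configuration tree at once. The following Python script is an added example, not Blue Coat code: it walks a tree, charges each unit (level + 1) persistent searches, and maps the total onto the two search ranges listed above. The dictionary layout, the function names, the parent/child links of the large hierarchy (inferred from each configuration's policy list) and the small-hierarchy configuration names are assumptions of the example.

```python
"""Persistent-search estimate for a PolicyCenter configuration tree.

Added example, not Blue Coat code. Rule from this appendix (units running
PacketWise 8.2.x or earlier): a unit assigned to a level-N configuration
costs N + 1 persistent searches on the directory server.
"""

# Limits quoted under "Recommended Platforms" (persistent searches).
STANDARD_MAX = 1200
LARGE_MAX = 3000


def walk(tree, level=1, path=""):
    """Yield (config_path, level, units) for every configuration.

    `tree` maps a configuration name to {"units": int, "children": {...}}.
    This layout is an assumption of the example, not a PolicyCenter format.
    """
    for name, node in tree.items():
        units = node.get("units", 0)
        if isinstance(units, bool) or not isinstance(units, int) or units < 0:
            raise ValueError(f"{path}/{name}: units must be an integer >= 0")
        yield f"{path}/{name}", level, units
        yield from walk(node.get("children", {}), level + 1, f"{path}/{name}")


def persistent_searches(tree):
    """Return (total, {config_path: searches}) for the whole tree."""
    per_config = {p: units * (level + 1) for p, level, units in walk(tree)}
    return sum(per_config.values()), per_config


def add_units(tree, extra):
    """Return a copy of the tree with `extra` more units on every config."""
    return {
        name: {
            "units": node.get("units", 0) + extra,
            "children": add_units(node.get("children", {}), extra),
        }
        for name, node in tree.items()
    }


def recommend_platform(total):
    """Map a search total onto the platform ranges listed on this page."""
    if total <= STANDARD_MAX:
        return "standard"
    if total <= LARGE_MAX:
        return "large"
    return "above the documented 3000-search limit"


# The /California tree from the appendix figure.
CALIFORNIA = {"California": {"units": 2, "children": {
    "San_Diego": {"units": 1}, "San_Francisco": {"units": 1}}}}

# Large hierarchy: parent/child links inferred from each config's policy list.
LARGE = {"Config 1": {"units": 60, "children": {
    "Config 2": {"units": 60, "children": {
        "Config 3": {"units": 60, "children": {"Config 5": {"units": 60}}},
        "Config 4": {"units": 60}}}}}}

# Small hierarchy: two root and three child configs (names constructed).
SMALL = {
    "Root A": {"units": 75, "children": {
        "Child 1": {"units": 75}, "Child 2": {"units": 75}}},
    "Root B": {"units": 75, "children": {"Child 3": {"units": 75}}},
}

if __name__ == "__main__":
    for label, tree in [("California", CALIFORNIA), ("large", LARGE),
                        ("large + 15 units each", add_units(LARGE, 15)),
                        ("small", SMALL)]:
        total, _ = persistent_searches(tree)
        print(f"{label}: {total} searches -> {recommend_platform(total)}")
```

Adding 15 units to every configuration of the large hierarchy raises its total past the 1200-search range, while the two-level tree holds 375 units within it.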