Why is URL categorization not working on my PacketShaper?


<< Back to Knowledge Search

Solution

Overview

Please go through the following checklist:

1. URL categorization is OFF by default—you have to turn it ON for it to work.

2. You also have to create a new class for ‘URL category: All Categories’ and enable traffic discovery on that class. Alternatively, you can enable traffic discovery on the HTTP and/or SSL classes. (Check PacketGuide for details on configuration.)

3. Make sure that your PS has proper DNS settings, and can access the Internet without any problems. Check the security settings on the PS and allow the needed IP addresses for the following sites or set outside to unsecure for testing. If you have any other security device, you have to allow the IP addresses for these servers (use nslookup to resolve the IP).

         updates.bluecoat.com
    sp.cwfservice.net
    sitereview.bluecoat.com

4. Make sure that the PS has a valid support contract. In the banner message or on the Info page, you may see something like the following:

PacketShaper support contract has expired.
WebPulse queries will stop after 12 days


or

No response from Support Server.
WebPulse queries will not work

5. If your support contract has expired, you need to renew the support contract. If you are not getting a response from the support server, then you need to check your network connectivity.

a. Make sure that you do not have a firewall or something blocking the HTTP/HTTPS/SSL queries going out from the PS.

b. If the PS has to go through an Explicit Proxy Server to go to the Internet, you will have to add the WebProxy settings on the PS and also edit the Proxy rules to allow connections to/from the PS.

In the example below, 10.9.66.12 is the proxy server and 8000 is the port it is listening on.

    LAN Switch-->PacketShaper-->Proxy--->Router-->Internet

    setup web-proxy server 10.9.66.12:8000
    setup web-proxy on|off
    setup web-proxy show
(to check the setting)

PS will do a HTTPS/SSL query to check the support contract status to updates.bluecoat.com. Make sure that you can ping updates.bluecoat.com.

Manual way of viewing or updating the support contract status:

PacketShaper# setup support update

Updating support status for this PacketShaper...DONE!

PacketShaper Support Contract Status: *** expired ***
<====== means your HTTPS query worked—it was able to get the status from the update server as expired. If there is a network connectivity issue, the status will be unknown.

Last status update was on Tue Nov 23 13:52:06 2010
Expired on Mon Oct  4 12:48:06 2010
WebPulse queries will stop after 12 days


PacketShaper# setup support update

Updating support status for this PacketShaper...DONE!
PacketShaper Support Contract Status: *** unknown ***
<====== means there is network connectivity issue; you will also notice a few seconds delay when you run the above command.

Last status update was on Tue Nov 23 14:09:03 2010
Status check failed since Mon Oct  4 12:48:06 2010
WebPulse queries will stop after 12 days


If the contract status is unknown, you need to resolve the network connectivity issue. The most common issues are due to firewall or proxy/security devices blocking the contract validation query. (Also see PS security settings.) If the PS has to go through the explicit proxy server to get to the Internet, you need to enable ‘webproxy’ on the PS and also edit the rules in the proxy to accept connections from PS.

You will have to get the packet capture on the Localhost class while you run the setup support update command and look for SSL/HTTPS packets from the PS IP address.

Note: If you are analyzing the packet trace from a Web proxied network, keep in mind that the DNS queries will go to the DNS servers, but HTTP/HTTPS packets will not go to the end server addresses; they will go to the proxy server. Therefore, you will not see the flows going to the server’s IP address that DNS resolved to. Instead, you will see it going to the proxy’s IP address. Also the request may no longer be using an SSL destination port number; it will be using the port number for the Web proxy. Applications like Wireshark may not show the connection as SSL.

6. If you have a valid support contract and still have problems, run the following command and look for any obvious errors.

    setup urlcat map-download
    setup urlcat show service
    setup urlcat update <URL>
    setup show


If you still have problems, please open a case with Blue Coat Support.
 

Cause
Resolution
Workaround
Additional Information
Bug Number
InQuira Doc IdFAQ1193
Attachment

Article Feedback

Hide Properties
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      PacketShaper
Topic      Content Filtering, Installation / Configuration, Licensing, Networking
Article Number      000016619
Summary     
Was this helpful?
Comments:
 
Previous MonthNext Month
SunMonTueWedThuFriSat