These guidelines show the relative power of SG appliances.

Appropriate configurations
can vary significantly from these guidelines and will depend on technical requirements.
Forward Proxy
Assumes 70% peak CPU load with complex policies, 15% SSL, ICAP, content filtering, access
logging and limited streaming content. SGOS Proxy Edition is required for forward proxy
deployments. Special rules apply for mixed use configurations, which run both forward proxy
and WAN optimization in a single appliance. For suggestions on how to handle this situation,
please refer to the Sizing Guide for WAN Optimization Deployments.
Max Internet Bandwidth
Maximum client-side throughput for ProxySG. If you do not have a proxy deployed, use your
available internet connectivity as a guide. If a proxy is in place, this number represents the client
(internal) bandwidth number. Server (Internet) utilization will typically be lower.
Employee Count
The total number of employees that use the system. Employees might have multiple desktops.
This number assumes that 100% of desktops have web connections open at any moment,
though up to 80% are used for background tasks. Adjust this number if per user Internet use is
known to differ. For limits on the number of desktops that can use the appliance concurrently,
refer to Licensed Client IPs..

Recommended Max ProxyClients Managed

Maximum number of ProxyClient instances connecting to and serviced by a Client Manager,
regardless of the features enabled on the ProxyClient (filtering, acceleration or both), at 50%
CPU utilization. Updates can be posted to all clients in a two-hour window.
Licensing
ProxySGs are licensed based on concurrent client IP addresses only. Other parameters such as
Max Internet Bandwidth and Employee Count are suggested values based on the physical
capacity of the system.
Licensed Client IPs
Licensed users are measured by the number of unique client IP addresses with open inbound TCP
connections to the ProxySG. The measurement is instantaneous and concurrent. It is not based on
the average over any time interval. The administrator can configure the ProxySG to either bypass
connections from new users when the license limit is exceeded, to delay them until another client
drops all of its connections or to attempt to accept them. The default is to accept them.
Hardware Spec
Hardware-based SSL acceleration is included on all models, except S500, which includes AESNI support in the CPU. A separate license is not required to activate SSL termination. Ports on
bypass-capable network interfaces can be configured to be bridged pairwise or to act
independently.

Copyright 2013 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are
subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and BlueSource
are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Page 1 of 2

installation of a second power supply will provide continuous operation should one of the
power supplies fail.

EXAMPLE 1: Secure Web Gateway Project

NOTE: Include the appropriate additional options for all models:

Include the web filtering licenses for appliances that require web filtering

Include the Flash streaming licenses where appropriate

Include the Web Application Protections subscription where appropriate

Include the Cache Pulse subscription where appropriate

There is no need to purchase software SSL licenses; they are now available at no charge
on all 300, 600, 900, 9000 and S500 models, no matter when they were purchased.

Organization has 1700 employees,

all with Internet access

One Internet gateway with 30Mbps

connectivity

Requires N+1 redundancy and room

for growth (+30%)

EXAMPLE 2: Forward Proxy

Cluster
Example Forward Proxy Deployment

A customer has reached the

capacity limit of a redundant pair
of SG9000-20 appliances with
redundant AV2400-A units.
The customer will redeploy the
existing configuration to a
different site. The replacement
configuration must allow for 40%
growth over the existing
configuration.
The customer values rack space
at $2500 per rack unit per year.

The most obvious solution is to install

a pair of SG9000-30 appliances each
with two AV2400-A appliances. This
solution allows 40% growth both in
throughput and user capacity.
However, in this case, a less obvious
solution might be better: a cluster of
three SG900-45-PR appliances, each
with one AV2400-A appliance. This cluster provides several benefits:

Although the organization has 1700 employees, the fact that the customer requires room
for growth means that the SG600-35-PR is not appropriate; the customer should purchase
an SG900-10B.

Headroom: In the unlikely event of failure of an SG900-45, the two remaining SG90045 units can together handle 26,000 users at 400Mbps, the same as the SG9000-30.
Cost: the list price of the hardware for the SG900-45-PR cluster is about 15% less
than the comparable SG9000-30-PR cluster. One fewer AV appliance is required.
Less rack space: a total of six rack units are required for the SG900-based cluster
versus twelve for the SG9000-based cluster, after including ProxyAV units.
Operational cost savings: at $2500 per rack unit per year, six fewer rack units would
translate to a $75,000 reduction in operating costs over five years.
Factor the load balancing mechanism into this analysis, if appropriate.

To meet the redundancy requirement, the quote should include two of each appliance:
2 x SG900-10B-PR and 2 x AV1200-A. The appropriate AV license and service options
should be included in the quote. For further protection from failure, purchase and
Copyright 2013 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc.
Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG,
PacketShaper, ProxyClient and BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Page 2 of 2