Policy Center Getting Started Guide v8.5

Version 8.
BE
TA
PolicyCenter Getting Started Guide
P/N 20-0231-851 Revision A
Disclaimer THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND, INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT OF INTELLECTUAL PROPERTY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT SHALL BLUE COAT SYSTEMS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS DOCUMENT, OR THE PRODUCTS DESCRIBED HEREIN, EVEN IF BLUE COAT SYSTEMS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS PROHIBIT THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. Blue Coat Systems and its suppliers further do not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within this document, or assume liability for any incidental, indirect, special or consequential damages in connection with the furnishing, performance, or use of this document. Blue Coat Systems may make changes to this document, or to the products described herein, at any time without notice. Blue Coat Systems makes no commitment to update this document. Copyright/Trademarks/Patents Copyright 1996-2008 Packeteer, Inc. All rights reserved. Copyright 2008-2009 Blue Coat Systems, Inc. All rights reserved. PacketShaper, PacketShaper Xpress; PacketSeeker, iShaper, and iShared appliances, and PolicyCenter, PacketWise, ReportCenter, iShared, iShaper, and IntelligenceCenter software protected by, or for use under, one or more of the following U.S. Patents: 5,802,106; 6,018,516; 6,038,216; 6,046,980; 6,115,357; 6,205,120; 6,285,658; 6,298,041; 6,412,000; 6,456,630; 6,457,051; 6,460,085; 6,529,477; 6,584,083; 6,591,299; 6,654,344; 6,741,563; 6,847,983; 6,850,650; 6,854,009; 6,928,052; 6,934,255; 6,934,745; 6,970,432; 6,985,915; 7,003,572; 7,012,900; 7,013,342; 7,032,072; 7,035,474; 7,051,053; 7,054,902; 7,103,617; 7,154,416; 7,155,502; 7,203,169; 7,236,459; 7,283,468; 7,292,531; 7,324,447; 7,324,553; and 7,343,398. Other U.S. and international patents pending. Blue Coat Systems, the Blue Coat Systems logo, PacketWise, PacketSeeker, PacketShaper, PacketShaper Xpress, PolicyCenter, ReportCenter, SkyX, iShared, Mobiliti, iShaper, IntelligenceCenter, and Falcon are trademarks or registered trademarks of Blue Coat Systems, Inc. in the United States and other countries. All trademarks and registered trademarks mentioned herein are the property of their respective owners. Other product and company names used in this document are used for identification purposes only, may be trademarks of other companies, and are the property of their respective owners. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into another language without the express written consent of Blue Coat Systems, Inc. Sun, Sun Microsystems, the Sun Logo and any other Sun trademarks included in this product are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries ActionScript Library 3.0 (as3corelib v0.9) BSD 2.0 Copyright 2008 , Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the University of California, Berkeley nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
Table of Contents
Table of Contents
Table of Contents About This Guide

Transitioning to PolicyCenter ........................................................................................................................................................2 Other Resources..................................................................................................................................................................................2
Chapter 1: Understanding PolicyCenter

What are the Benefits of PolicyCenter? ......................................................................................................................................3 PacketShaper Units Operate in Shared Mode..........................................................................................................................3 Non-Sharable and Sharable Attributes.......................................................................................................................................4 Units Can Retain Their Original Configurations in PolicyCenter .......................................................................................5 Hierarchical Configurations ...................................................................................................................................................................7 Not All Configurations Inherit Values From Other Configurations ..................................................................................7 Child Configurations Allow Individual Changes .....................................................................................................................7 Units with Different Versions of PacketWise Operate Differently in PolicyCenter .....................................................8 Modifying PacketShapers in PolicyCenter ................................................................................................................................8
Chapter 2: PolicyCenter Configuration Strategies

Identify Groups of Existing Units ............................................................................................................................................... 11 Select a Configuration Strategy ................................................................................................................................................. 11 Comprehensive PolicyCenter Configuration Strategies ................................................................................................... 12 Selective Configuration Strategies............................................................................................................................................ 12 Functional Configuration Strategies ........................................................................................................................................ 13
Chapter 3: Installing PolicyCenter

Installation Requirements ................................................................................................................................................................... 16 Configure the Windows Server ......................................................................................................................................................... 18 Configure a Solaris Server ................................................................................................................................................................... 20 Install PolicyCenter and the Directory Server Software............................................................................................................ 21 Standard Deployments on a Single Windows Server......................................................................................................... 21 Large Deployments on Multiple Windows Servers............................................................................................................. 22 Large Deployments on a Windows and a Solaris Server................................................................................................... 24 Install an Edge Directory Server ........................................................................................................................................................ 27 Change the Default Administrator Password .............................................................................................................................. 29
Chapter 4: Add PacketShapers to PolicyCenter

Adding Unconfigured Units ........................................................................................................................................................ 31 Create a Comprehensive PolicyCenter Configuration.............................................................................................................. 33
Getting Started Guide 1
Table of Contents
Convert a Unit Configuration...................................................................................................................................................... 33 Create the Comprehensive Configuration ............................................................................................................................. 34 Assign the PacketShaper to its PolicyCenter Configuration............................................................................................ 34 Add and Assign Other PacketShapers to this Configuration........................................................................................... 35 Manage your Configurations ...................................................................................................................................................... 35 Create a Selective PolicyCenter Configuration............................................................................................................................ 36 Create a New PolicyCenter Configuration.............................................................................................................................. 36 Add Classes to the New Configuration.................................................................................................................................... 36 Add PacketShapers to PolicyCenter ......................................................................................................................................... 37 Assign the PacketShaper to its PolicyCenter Configuration............................................................................................ 38 Assign a PacketShaper Running PacketWise 7.5.x, 8.3.x or Higher ............................................................................... 38 Assign a PacketShaper Running Earlier Versions of PacketWise.................................................................................... 38 Remove Local Overriding Classes.............................................................................................................................................. 39 Manage your Configurations ...................................................................................................................................................... 40 Create a Functional PolicyCenter Configuration ........................................................................................................................ 41 Create a New PolicyCenter Configuration.............................................................................................................................. 41 Add Units to PolicyCenter ............................................................................................................................................................ 41 Reassign the Unit Configurations.............................................................................................................................................. 43 Assign a Unit Running Earlier Versions of PacketWise....................................................................................................... 43
Chapter 5: Manage Users and Organizations

Create a New PolicyCenter Organization ............................................................................................................................... 45 Create New User Accounts........................................................................................................................................................... 46 Assign Configurations to an Organization............................................................................................................................. 47
Chapter 6: Best Practices

Move/Copy/Delete/Rename Operations................................................................................................................................ 49 Configuring Units for PolicyCenter Access ............................................................................................................................ 49 Unsubscribing Units ....................................................................................................................................................................... 49 Bulk Changes..................................................................................................................................................................................... 49 File Distribution Strategies........................................................................................................................................................... 49 Compatible Software ..................................................................................................................................................................... 50 DNS Name vs. IP Address.............................................................................................................................................................. 50 Initial Deployment Strategy ........................................................................................................................................................ 50 Saving Configurations ................................................................................................................................................................... 50
Chapter 7: Saving and Recovering Configurations

Back Up and Restore a Single Configuration from PolicyCenter .......................................................................................... 52 Back Up and Restore All PolicyCenter Configurations.............................................................................................................. 53 Create Backup Files......................................................................................................................................................................... 53 Restore Backup Files....................................................................................................................................................................... 53 Back Up and Restore the Entire Directory Server Tree.............................................................................................................. 57 Create a Backup of the Entire Directory Tree Configuration ........................................................................................... 57 Creating a Scheduled Backup on a Windows Server.......................................................................................................... 57 Modify the Sun ONE Backup Script........................................................................................................................................... 58 Restore a Directory Server Backup Configuration ............................................................................................................... 58
Getting Started Guide
Table of Contents
Uninstalling the Sun ONE Directory Server................................................................................................................................... 60
Chapter 8: Using the PolicyCenter Command-Line Interface

Start the Command Line Interface ............................................................................................................................................ 61 Get an Explanation for a Command ......................................................................................................................................... 61 Get Help With Syntax ..................................................................................................................................................................... 61 PolicyCenter CLI Commands....................................................................................................................................................... 62
Chapter 9: Troubleshooting
DNS Errors .......................................................................................................................................................................................... 63 TCP/IP Errors...................................................................................................................................................................................... 64 Solaris Directory Server Installation Errors ............................................................................................................................. 64 Command-Line or Browser Errors ............................................................................................................................................. 64 IIS Server Errors................................................................................................................................................................................. 65 Disable Hardware Acceleration.................................................................................................................................................. 65 Operational Error Messages......................................................................................................................................................... 65 Troubleshooting Commands............................................................................................................................................................. 67 ds sessions.......................................................................................................................................................................................... 67 ds requests......................................................................................................................................................................................... 67 banner show...................................................................................................................................................................................... 67 Additional Troubleshooting Solutions .................................................................................................................................... 67
Appendix A: PolicyCenter Capacity Planning for Earlier Versions of PacketWise

Capacity Planning Depends Upon the Units PacketWise Versions.............................................................................. 69 Large Versus Small Configuration Hierarchies...................................................................................................................... 69 Recommended Platforms............................................................................................................................................................. 71
Index
Table of Contents
About This Guide
About This Guide
ThePolicyCenterGettingStartedGuideprovidestheinformationyouneedtoinstallPolicyCenterona Windowsserver,createconfigurations,addunitstoPolicyCenter,andassignindividualPacketShapersto differentconfigurations.ThisdocumentassumesthatyouhaveabasicunderstandingofPacketShaper functions,includingsuchconceptsastrafficclasses,policies,andpartitions. PolicyCentersupportslargedeploymentswithhundredsofPacketShapers.Thisdocumentincludes additionalinformationtohelpyouplanyourPolicyCenterconfigurationanddeployment,anddescribes specificinstallationworkflowsdesignedtooptimizeyourPolicyCentercentralizedmanagementsystem. Thefollowingtopicsarecoveredinthisdocument: Chapter1:UnderstandingPolicyCentercoversinformationyouneedtoknowbeforeyouinstall PolicyCenter,suchaswhichattributesandsettingsaresharablewithinPolicyCenterhierarchical configurations. Chapter2:PlanningPolicyCenterConfigurationsidentifiesthethreemainstrategiesformanaginga PolicyCenterconfigurationtree.Itisimportanttoconsideryourconfigurationstrategybeforeyouinstall PolicyCenter,asthesizeandcomplexityofyourPolicyCenterconfigurationtreewillhelpdeterminewhich hardwareplatformwillworkbestforyourindividualdeployment. Chapter3:PolicyCenterCapacityPlanningexplainsadditionalfactorsthatcanaffectthesizeand complexityofyourPolicyCenterdeployment,anddescribestherequiredhardwareplatformsforsmalland standardPolicyCenterinstallations. Chapter4:InstallingPolicyCenterdescribesthestepsrequiredtoinstallPolicyCenterandthedirectory serversoftwareonWindowsorSolarisservers. Chapter5:CreatingConfigurationswalksyouthroughthestepsrequiredtoaddPacketShapersandcreate yourinitialconfigurationtree. Chapter6:BestPracticeslistsvaluabletipsandhintsthatwillmakeitfasterandeasiertomanageyour PolicyCenterconfigurations. Chapter7:SavingandRecoveringConfigurationsdescribeshowtobackupandrestoreyourPolicyCenter configurations. Chapter8:UsingthePolicyCenterCommandLineInterfacegivesabriefoverviewofthePolicyCenter commandlineinterface.Forcompletedetailedinformation,seePacketGuide(moreinformationfollows). Chapter9:Troubleshootingidentifiescommonerrorsandexplainshowtofixthem.
About This Guide
Transitioning to PolicyCenter
ThefollowingfiguredescribestherecommendedworkflowsfordeployinganewPolicyCentercentralized configurationmanagementsystem.Eachstepisdescribedindetailwithinthisdocument.
Other Resources
OnlineHelp ThePolicyCenterwebbrowserinterfacecontainscontextsensitivehelpwithsufficient detailtoassistyouinsettingupandmaintainingPolicyCenterconfigurations.Toaccesscontextsensitive help,clicktheHELPlink.Thecommandlineinterfacealsohasonlinehelp,whichprovidescommand syntaxdetails. PacketGuide IncludedwithPolicyCenterisabrowserbasedreferenceresourcecalledPacketGuide.In additiontocompletereferencematerialpertainingtotheuseofPacketWiseandPolicyCentersoftware, PacketGuidecontainsrecommendationsforsolvingcommonnetworkandapplicationproblems.Thereare threewaystoaccessPacketGuide: ClicktheDOCUMENTATIONlinkinthePolicyCenterbrowserinterface. EnterthefollowingURLinyourInternetExplorerorFirefoxbrowserwindow:
http://support.bluecoat.com/packetguide/8.5/index-pc.htm
CustomerSupport IfyouhaveatechnicalquestionaboutPolicyCenter,signintotheBlueCoatcustomer supportwebsiteusingyourBlueTouchOnlinecredentials:

http://support.bluecoat.com
BlueTouchOnlineallowsyoutomanageserviceissues,downloadsoftware,accessdocumentation,and participateinuserforums.
2 Getting Started Guide
SupposeanetworkmanagerinstallsasinglePacketShaperonhiscompanysnetwork.Hemayspendone percentofhistimeupdatingtheconfigurationofthatsinglePacketShaper.Thisisnotalargepercentageof hisworkweek,andsotheadditionofanotherfourPacketShapersonthenetwork(requiringanadditional fourpercentofhistimetoconfigureandupdate)isnotmuchmoredifficultforhimtomanage. Nowsupposethatsamenetworkmanagerinstalls95morePacketShapersonthenetwork.Theeffortthat previouslytookjustfivepercentofhistimewillnowdemandonehundredpercentofhisworkday,leaving himtimeforlittleelseexceptmakingeveryrequiredchangetoaPacketShaperconfiguration100different timeson100individualunits. Whatisneededisaneconomyofscale:awaytomultiplythenumberofPacketShapersonanetworkwithout multiplyingtheamountofeffortrequiredtoconfigureandmaintainthem.PolicyCenteristhesolution,enabling networkmanagerstomanagemanyPacketShaperswiththesameamountofeffortandtimeittakesto managejustafew.
What are the Benefits of PolicyCenter?

PolicyCenterisasoftwaremanagementsystemthatcanmaintainmultiplePacketShaperconfigurationson asingleserver.Becausetheconfigurationsofalltheunitsonthenetworkarestoredinasingleplace,they canbemanagedveryefficiently. MultiplePacketShaperscanbeassignedtoasinglePolicyCentersharableconfiguration,allowingthose unitstooperatewithnearlyidenticalconfigurations.Whenyoucommitchangestoasharable configuration,thechangesimmediatelyaffectallunitsassignedtothatconfiguration.Itisthiscapabilityof PolicyCenterthattrulyprovidestheeconomyofscale:onesinglechangetoaPolicyCenterconfiguration canresultinaninstantconfigurationupdateonhundredsofdifferentPacketShapers. PolicyCenteralsoallowsyouto: DeploypoliciesandpartitionsacrossmultiplePacketShapers. DistributePacketWisesoftwareupgrades,plugins,customerportalfiles,andactionfiles. ViewastatussummaryofallmanagedPacketShapers. MonitorandmanagethestatusofyourPacketShapersandnetworkwiththeadaptiveresponse feature.
PacketShaper Units Operate in Shared Mode

IndividualPacketShaperscanbeconfiguredineitherlocalmodeorsharedmode. Aunitrunninginlocalmodefunctionsindependently,andhasitsentireconfigurationstoreddirectlyonits flashdisk.OncePolicyCenterisinstalledonanetwork,PacketShapersinlocalmodecanbeconfiguredfor sharedmodeandaddedtoPolicyCentersimplybyaccessingtheunitsbrowserinterface,selectingthe PolicyCenteraccesssetuppage,thenenteringtheDNSnameofthedirectoryserverandthedirectory serverpassword. AunitconfiguredinsharedmodeisassignedtoanindividualunitconfigurationinPolicyCenterwhichthen appliessettingsfromanyparentsharableconfigurations.Whenaunitisinsharedmode,PolicyCenter continuallyandefficientlysynchronizestheunitsconfigurationonthedirectoryserverwiththe configurationfilesonthatunitsflashdisk;therefore,ifyouswitchfromsharedmodebacktolocal,(orthe networkconnectiontothePolicyCenterserverislost)theunitsconfigurationinlocalmodewillbethesame asitslastconfigurationinsharedmode.PacketShapersinsharedmodemaybereturnedtolocalmodeat anytime.
WhenaPacketShaperisinstandalone(local)mode,itoperateswithitsownindividualconfiguration uniquetothatPacketShaper.WhenaPacketShaperissettosharedmode,theunitcanoperateusinga combinationofbothasharableconfigurationandanindividualconfigurationuniquetothatunit.
Non-Sharable and Sharable Attributes

AllPacketShapers,regardlessofwhethertheyareconfiguredinlocalorsharedmode,operatewithan effectiveconfigurationthatcomprisestwokindsofattributes:nonsharableandsharable. Nonsharableattributesarethosepartsofaunitseffectiveconfigurationthatarespecifictothatone PacketShaper.ThesearecallednonsharablebecausenootherPacketShaperwillfunctioncorrectlyif configuredwithallthesamenonsharablevaluesasanotherunit.EveryPacketShaperwillhaveaunique setofnonsharableattributes,thoughmorethanoneunitcanbeindividuallyconfiguredwithsomeofthe samenonsharableattributes,suchasDNSnameortimeanddate.APacketShapersnonsharable attributesarealwaysstoredlocallyonthatunit.Althoughtheseattributescanbechangedthroughtheunits browserorcommandlineinterfaces,nonsharableattributescannotbeconfiguredormanagedthrough PolicyCenter. Aunitssharableattributesarethosepartsoftheunitsconfigurationthatcanhavevaluesincommonwith otherPacketShapers.Trafficclasses,policies,partitions,andadaptiveresponseagentsareallexamplesof sharableconfigurationattributes,becausemanydifferentunitscanhavethesametrafficclasses,orshare thesameagents.Whenaunitisinsharedmode,itinheritssharableattributesfromitsPolicyCenterparent configurations. ThefollowingPacketShaperconfigurationattributescanbepartofaPolicyCentersharableconfiguration: adaptiveresponseagents commandscheduling customerportalsettingsandfiles emailsettings eventdefinitions failoverconfiguration flowdetailrecordsettings globalXpresstunnelsettings*,including:

Compressionon/off Accelerationon/off FastStarton/off Prefetchon/off Packingon/off Tunneloptions(firewall,DiffServ,automatictunneldiscovery,MTU) Tunnelsecurity Tunnelmode Tunnelclassoverrides Tunnelserviceoverrides
*GlobalXpresssettings,tunnelmodesettings,tunnelclassoverrides,andserviceoverridesareallsharable fromaparenttoachildconfiguration.PolicyCenterallowsyoutocreateandconfigurenewtunnelsand addandremovelocalandremotehostsonindividualunitconfigurationsonly. hostlists HTTPSportdefinitions imageversion inside/outsideinterfacesettings linkspeed

logging loginmessage modemonconsole organizationownership passwords pluginfiles RADIUSauthenticationandaccounting servicegroups siterouter SNMPstringsanddestinationsandSNMPv3configurationtables SNTPsettings SSHsettings TACACS+authentication,authorization,andaccounting trafficclasses trafficdiscoveryon/off trafficshapingon/off unitaccessserviceprotocols WCCPsettings Thefollowingattributesarenonsharable: defaultdomain DNSserver gatewayaddress highavailability** hostsidesettings*** IPaddress/mask managementportsettings NICmodesettings standbypartner time/date/timezone watchmode Xpresstunnelhosts **Highavailabilitysettingsarenotsharablefromaparentconfigurationtoitschildconfigurations,and shouldonlybeconfiguredonanindividualunitconfigurationviaPolicyCenter. ***Onlythehostsidemanualorhostsideautosettingissharablefromaparentconfigurationtoitschild configurations.Allotherhostsidesettingsshouldonlybeconfiguredonanindividualunitconfiguration viaPolicyCenter.
Units Can Retain Their Original Configurations in PolicyCenter

AnytimeyouaddaPacketShapertoPolicyCenter,itappearsasanewindividualunitconfigurationin PolicyCenter.Thisdoesnotmeanthattheunitspreviousconfigurationislost,however. IfyouhavePacketShapersalreadyconfiguredonyournetwork,youmaywantthoseunitstoretaintheir existingworkingconfigurationsevenaftertheyhavebeenaddedtoPolicyCenter.Youcandothisby selectingtheconvertoptionasyouchangethePacketShaperfromlocalmodetosharedmode.Enablingor disablingtheconvertoptiondetermineswhatattributesandsettingswillappearintheunitsnew PolicyCenterconfiguration.
IfyouselecttheconvertoptionwhileaddingthePacketShapertoPolicyCenter,theunitsexistingsharable attributeswillbeconvertedintoanewPolicyCenterunitconfigurationwiththesamesharableattributes andvalues.BecausetheunitsPolicyCenterconfigurationwillbebaseduponitspreviouslocal configuration,theunitwillcontinuetooperatethesameinPolicyCenterasitdidinlocalmode.Ifyoudo notselecttheconvertoption,theunitssharableconfigurationiscleared,anditsnewPolicyCenter configurationwillhavedefaultsettingsonly. Theconvertoptionisnotavailablewhenyouinitiallyconfigureabrandnewunitfornetworkaccess, becauseanewunithasdefaultsettingsonly,andnoconfigurationattributesorvaluesthatneedtobe retained. SeealsoSelectaConfigurationStrategyonpage11andConvertaUnitConfigurationonpage33for moreinformationonusingtheconvertoption.
Hierarchical Configurations
PolicyCenterorganizesitssharableconfigurationsintohierarchieswithparentandchildconfigurations. ThekeytounderstandingPolicyCenterhierarchicalconfigurationsistorememberthetwobasicrulesof PolicyCenter: 1. 2. Parentconfigurationspasstheirattributesandsettingsalongtotheirchildconfigurationsunlessthe sameattributesarealsospecifiedwithinthechildconfiguration. Ifanattributeisspecifiedinbothaparentandchildconfiguration,thechildconfigurationwillnot inheritthesettingfromitsparent,butwillfunctionwithitsownsetting. Note:Thereisasingleexceptiontothesecondrule,whichcanoccurifyouaddaunitwithauto discoveredclassestoPolicyCenterusingtheconvertoption.Ifyoulatermovethisconfiguration underasharableparentconfiguration,thechildconfigurationsautodiscoveredtrafficclasseswillbe overriddenbythosesametrafficclassesintheparentconfiguration.Moresimplyput,atrafficclass manuallycreatedanddefinedinaparentconfigurationwilltakeprecedenceoverthesametraffic classthatwasmerelyautodiscoveredinthechildconfiguration. Withhierarchicalconfigurationgroups,aparentconfigurationcanhavemorethanonechildconfiguration, andachildconfigurationcanhavechildrenofitsown,creatingaPolicyCenterconfigurationtreewith severallevelsofdepth.PacketShaperscanbeassignedtoconfigurationsatanyleveloftheconfiguration tree.TheConfigurationstabinthebrowserinterfacelistsalloftheconfigurations,andcanalsoshowwhich unitsareassignedtoeachconfiguration.
Not All Configurations Inherit Values From Other Configurations

Aconfigurationattheverytopleveloftheconfigurationtreewillnotinheritsettingsfromanyother configuration.Therefore,ifyoucreateanewconfigurationatthetopoftheconfigurationtree,itwillhave defaultsettingsonly.WhenyouaddaunitrunningPacketWiseversion7.xorlatertoPolicyCenter,itsnew PolicyCenterunitconfigurationisalsoplacedatthetopleveloftheconfigurationtree.Becausethenew configurationwillnotinheritanynewsettingsorattributes,theunitwillcontinuetofunctionjustasitdid beforeitwasaddedtoPolicyCenter. Parentconfigurationsarealsousefulforquicklypropagatingchangestomanychildconfigurationsatonce. Ifyouhaveaconfigurationtreewithmanylevelsofchildconfigurationsbutonlyoneparent,youcan disseminatenewtrafficclasses,plugins,andsoftwareimagestoallyourunitsjustbymakingthechanges totheonetoplevelparent. Aconfigurationmayalsobebothaparentandachild.Inthiscase,thatconfigurationwillinheritsettings fromitsparent,andalsopasssettingsontoitschildconfigurations.
Child Configurations Allow Individual Changes

ChildconfigurationsarehelpfulifyouhavemultiplePacketShapersassignedtoasharableconfiguration, andwanttomakechangestosome,butnotall,oftheassignedunits.PolicyCentershierarchical configurationtreeallowsyoutocreateaseparatechildsharableconfigurationforthosePacketShapers,and makethechangestothenewchildconfiguration. Suppose,forexample,youhad20PacketShapersrunningPacketWise8.5allofwhichareassignedtoa singlesharableconfiguration,andthesecurityrequirementsforjusteightofthoseunitschanged.Youcould makeeachrequiredchangeeighttimesoneachoftheindividualunitconfigurationsoftheeightunits,or youcouldmakethechangejustoncebycreatinganewchildsharableconfigurationundertheunits existingsharableconfiguration,specifyingnewHTTPSorSSHsettingsinthechildconfiguration,andthen reassigningtheeightPacketShaperstothenewchildconfiguration.
Becausethenewchildconfigurationwillinheritallofitsotherattributesfromitsparent,all20unitswould continuetooperatewiththesametrafficclasses,policies,andpartitionsasbefore.Theonlydifference betweentheeightPacketShapersassignedtothenewchildconfigurationandthe12assignedtotheoriginal parentconfigurationwouldbethedifferentsecuritysettings.
Units with Different Versions of PacketWise Operate Differently in PolicyCenter

PacketWise 7.5.x, 8.3.x or higher PacketShapersrunningtheseversionsarenotassigneddirectlytoa sharablePolicyCenterconfiguration.Whenyouassignaunitrunningoneoftheseversionstoasharable configuration,theunitremainsattachedtoitsindividualuniqueunitconfiguration,sotheindividualunit configurationforthatPacketShaper(highlightedinblueinthefigurebelow)willappearinthe configurationtreebelowthesharableparentconfigurationtowhichitisassigned.
ThatPacketShaperinheritssettingsfromitssharableconfiguration,butalsoretainsallthesettingsfromits individualunitconfiguration.EvenifmultiplePacketShapersareassignedtothesamesharable configuration,iftheirindividualunitconfigurationshavedifferentclassesorsettings,theunitswillnot operateinanidenticalmanner.Becausetheunitisnotdirectlyassignedtoasharableconfiguration,changes madetotheindividualunitconfigurationwillnotaffectitssharableparentconfiguration.Theunitwill, however,continuetoinheritnewsettingsfromitssharableparent. PacketWise 8.0.x-8.2.x or 7.0.x-7.4.x PacketShapersrunningtheseversionscanbeassigneddirectlytoa PolicyCentersharableconfiguration,leavingbehinditsuniqueunitconfiguration.Ifyouassigntheunitto anothersharableconfiguration,theunitspreviousserialnumberconfigurationwillremaininitscurrent location.ThismakesaunitrunninganearlierversionofPacketWisebehaveverydifferentlythanaunit runningalaterversionofPacketWise,becauseanychangetothatindividualunitviaitscommandlineor browserinterfaceswillalterboththesharableconfigurationtowhichitisassigned,andallchild configurationsofthatsharableparent.
Modifying PacketShapers in PolicyCenter

WhenyouassignmultiplePacketShaperstoasharableconfiguration,youcanmodifytheseunitsby changingeithertheirsharableconfigurationortheirindividualunitconfigurations. TochangeallPacketShapersassignedtoasharableconfiguration,modifythatsharable configurationviathePolicyCentercommandlineorbrowserinterfaces.Whenyoumodifya sharableconfigurationwithmultipleassignedunits,eachunitassignedtothatconfiguration(orany ofitschildconfigurations)willinheritthechanges.Inordertomodifyasharableconfiguration,you mustfirstcreateadraftcopyofthatconfigurationandtheneditthedraftbeforecommittingthe changes. TomakeaconfigurationchangeonasinglePacketShaperrunningPacketWise7.5.x,8.3.xor higher,BlueCoatrecommendsthatyoudonotdirectlymodifytheindividualunitconfiguration. Instead,createauniqueconfigurationforthatPacketShaperandassigntheunittothatconfiguration. Thistechniquewillmakeiteasytoassigntheunittoadifferentconfigurationgroup,andifyouever needtoreplacetheunit,youcanjustassignthenewunittotheconfiguration. TomakeaconfigurationchangeonasinglePacketShaperrunningPacketWise8.0.x8.2.xor7.0.x 7.4.x,createanewchildconfigurationunderthePacketShaperssharableconfiguration,makethe requiredchangesonthenewchild,thenassignthatonePacketShapertothenewchildconfiguration. Youcaneditthesharableconfigurationdirectlywithoutfirstcreatingachildconfiguration,butthen
allthePacketShapersassignedtothesharableconfigurationwillupdatewithyourchangesoncethey arecommitted.Similarly,ifyoumodifyanindividualunitrunningPacketWise8.0.x8.2.xor7.4.xor earlierwhiletheunitisstillassignedtoasharableconfigurationwithotherassignedunits,the sharableconfiguration(andallitsotherassignedunits)wouldalsoupdatewiththechange.
10
PolicyCentercanefficientlymanagehundredsofindividualPacketShapersbecausemanyoftheseunitscan bemanagedtogetherwithasinglesharableconfiguration. ThischapterwillhelpyouplanyourPolicyCenterconfigurationtree,anddeterminethebesthardware platformforyourPolicyCenterdeployment.BlueCoatrecommendsyouconsideryourconfiguration strategybeforeyouinstallPolicyCenter,asthesizeandcomplexityofyourconfigurationtreesmayaffect yourPolicyCenterhardwareandsoftwareplatform.
Identify Groups of Existing Units

Whenidentifyinggroupsofunitstomanagetogether,youshouldfirstconsiderthefollowing: Aunitsmodeltype.Differentmodelsofthesameproduct(PacketShaper1400,3500,and10000,for example)haveverydifferentsupportedlinksizesandsystemlimits(suchasmaximumnumberof classes).Westronglyrecommendthatyouassignunitsofonlyonemodeltypetoeachsharable configuration.Ifyoudomixmodels,besurethesmallestunitcansupportitsassignedconfiguration. PacketWisesoftware(image)version.UnitsrunningPacketWiseversion8.3orhigherhavemore complexandfullyfeaturedconfigurationsthanunitsrunningearlierPacketWiseversions.Donot assignunitsrunningPacketWise8.3orhigherandunitsrunningearlierversionsofPacketWisetothe samesharableconfiguration,asthismaytriggerconfigurationerrorsintheolderunit.
Select a Configuration Strategy

OnceyouhaveidentifiedPacketShaperswithcompatiblemodeltypesandsoftwareimages,youareready toconsideryourconfigurationstrategy.BeforeyoustartaddinggroupsofunitstoPolicyCenter,youshould askyourself:Aretheconfigurationsandtrafficclassesontheindividualunitsmostlythesame,ormostlydifferent? DoIwanttousePolicyCentertoactivelymanagemyPacketShaperconfigurations,orjusttomonitorthem? IfthePacketShapersconfigurationsaremostlythesame,youcanuseacomprehensivePolicyCenter configurationstrategyandmanageyourPacketShapersalltogetherwithasinglesharable configuration.Ifoneormoreunitsshouldvaryslightlyfromthesettingstheyinheritfromtheir sharablecomprehensiveconfiguration,youcancreateindividualdifferencesbymodifyingthe individualunitconfigurationsofPacketShapersrunningPacketWise7.5.xor8.3.xorhigher.Forunits runningotherversionsofPacketWise(8.0.x8.2.xor7.0.x7.4.x),createanewchildconfigurationand modifythatchildconfigurationbeforeassigningtheunittoit. IfthePacketShapersyouwanttogrouptogetherwillhavemoredifferencesthansimilarities,or ifyoudonotyethaveanyunitsinstalledonyournetwork,youmaywanttouseaselective PolicyCenterconfigurationstrategy.Withthisstrategy,youwillcreateaparentconfigurationthat controlsjustthemostimportanttrafficclassesorotherkeypartsoftheconfiguration,andmanage yourunitsothersettingsviatheunitsindividualconfigurations. IfyouwishtousePolicyCenteronlyasacentrallocationforviewingallyourPacketShaper configurations,youcoulduseafunctionalconfigurationstrategy,andcreateashallowconfiguration treewithasinglelevelofsharableconfigurationsthatactasfoldersfortheindividualunit configurations.Withthisstrategy,theindividualunitsconfigurationscouldbegroupedbylocation orfunctionforeasyreference,butwouldntinheritanysettingsfromtheirparentsharable configuration.Thisstrategyallowsyoutoviewinformationforallyourunitconfigurationsfrom PolicyCenter(andavoidsthecomplexitiesofconfiguringinheritableattributesandsettings),yet requiresyoutoseparatelymanageeachindividualunit.
11
Keepinmindthatthethreeconfigurationstrategiessuggestedherearejustthatsuggestions.Youcanuse justonetypeofconfigurationtomanageallyourunits,orcreatebothcomprehensiveandselective configurationsfordifferentgroupsofunits.Therestofthischapterdescribesthebenefitsofeach configurationstrategy.Itmaybehelpfultotakenotestohelpyourememberhowyouwanttoconfigure eachgroupofPacketShapersandplanyourPolicyCenterconfigurationtree.
Comprehensive PolicyCenter Configuration Strategies

Thisisthepreferredstrategywhenyouwanttomanageagroupofunitswhosetraffictreesaremostlythe same.Organizationsusingthisstrategyoftenhavebranchofficeswithverysimilartypesofnetworktraffic, eachwiththesamemodelofPacketShaper. Asanexample,imagineyouaretheITmanagerforacompanywith20nearlyidenticalbranchoffices. Althoughthereisaheavytrafficloadrunningovereachnetwork,thetypesandvolumesofnetworktraffic donotvarywidelybetweeneachbranch.Additionally,eachbranchhasconfigureditsPacketShaperwith thesametrafficclasses,andsetmanypoliciesandpartitionstoprotectthenetworktrafficthatisconsidered missioncriticaltoallbranchoffices.Becausethenetworksaresosimilar,everysignificantchangeinthe networksrequirethatall20PacketShapersbeindividuallyreconfigured.Youfindthistobetootime consuming,andwouldliketobeabletopropagateallthechangesatonce. Becausetheindividualunitsinthisexamplehavesuchsimilarconfigurations,youwouldusea comprehensivePolicyCenterconfigurationstrategytocontrolthemajorityofthetraffictreeandother sharableattributesforeachunit.Inthiscase,youmustfirstidentifyaprimaryunit,oneunitwhose configurationwillbetheusedtocreatethecomprehensiveparentconfiguration.Ifalltheunitshaveatruly identicalconfiguration,itdoesnotmatterwhichunityouselecttobetheprimaryunit.Ifthereareslight variances,selecttheunitthatisthemostrepresentativeofallothers. Note: You can still use this configuration option even if you do not yet have any PacketShapers on your network. To create your primary unit, install a single PacketShaper at a branch site, then turn on traffic discovery. After several hours, the unit should have a complete traffic tree. Forcompleteinformationoncreatingacomprehensiveconfiguration,seeCreateaComprehensive PolicyCenterConfigurationonpage33.
Selective Configuration Strategies

IfyouwanttousePolicyCentertomanagejustafewkeytrafficclassesorattributesoneachPacketShaper, youcancreateanewPolicyCenterconfigurationanddefinevaluesforjustthosemostimportanttraffic classesbeforeyouassignchildconfigurationsandunitstoit.Thisstrategyalsoworkswelliftraffictrees varywidelybetweeneachPacketShaper,oryouwanttocreateaPolicyCentersharableconfigurationthat managesonlyyourmostcriticaltrafficclassesandsettings,andnotanentiretraffictree. Asanexample,consideranorganizationwithfourbranchsites.Eachbranchsiteservesadifferentpurpose intheorganization,andasaresult,thetypesoftrafficconsideredtobemissioncriticalateachsitevaries widely: Site1(sales):WebEx,ShoutCast,Citrix,Pop3,HTTP Site2(productdevelopment):FTP,ActiveX,Citrix,Pop3,HTTP Site3(corporateheadquarters):Oracle,SAP,Citrix,Pop3,HTTP Site4(manufacturing):IPX,GRE,Citrix,Pop3,HTTP LetusalsosupposethatallfoursitesareexperiencingnetworkslowdownsasemployeesdownloadKaZaA musicfilesoffthenetwork. Becausethenetworktrafficrequirementsforeachbranchofficearesodifferent,itwouldbemostefficient tocreateaselectivePolicyCenterconfigurationthatcontrolsjustthenetworktrafficconsideredmission criticaltoallbranchsites(Citrix,Pop3,andHTTPS)andwhichalsoblockstheunwantedKaZaAtraffic. Withaselectiveconfiguration,allfourPacketShaperswouldbeaddedwiththeconvertoption,preserving theirindividualsettings.Theindividualunitconfigurationswouldthenbemovedundertheselective
configuration,creatingfournewchildconfigurationsundertheselectiveconfigurationparent.Asaresult, eachPacketShaperconfigurationwouldinheritthoseclassesandsettingstheyshouldallhaveincommon, yetindividualdifferencesbetweentheunitswouldnthavetobemanuallyrecreated. Whywouldntacomprehensiveconfigurationstrategyworkforthisorganization?Becauseacomprehensive configurationstrategywouldrequiretoomanyindividualchangestothechildconfigurationstobean efficientuseofPolicyCenter,orofyourtime.Thisselectiveconfigurationstrategysuggestsaddingmultiple unitswiththeconvertoption,sothetraffictreesofeachoftheunitsareretained,anddonthavetobe recreatedfromscratch.IfthisorganizationchoseinsteadtocreateacomprehensivePolicyCenter configurationbasedonthelocalconfigurationofonlyoneoftheunits,theywouldhavetomanuallyadd alltheadditionalrequiredclassesoneachchildconfiguration.Thiswouldrequiremuchmoreeffort. Forcompleteinformationoncreatingaconfigurationtreeofthistype,seeCreateaSelectivePolicyCenter Configurationonpage36.
Functional Configuration Strategies

ThoughoneofthegreatestbenefitsofPolicyCenteristheabilitytosimultaneouslyupdatemultiple PacketShapers,somenetworkadministratorsusePolicyCenteronlytomonitorindividualunits,notto managethemtogether. IfyouwanttousePolicyCenterjustasacentrallocationforviewingeachunitsconfiguration,youcan createasimpleconfigurationtreewithparentconfigurationsthatserveonlyasfolderstoidentifygroups ofunitsbyfunctionorlocation,andthenmoveeachunitsassignedconfigurationundertheappropriate parent.Thistypeofconfigurationstrategyallowsyoutomonitorandmanageallyourunitsfrom PolicyCenter,yetrequiresthateachchangetoaunitconfigurationbedoneindividually. Supposeyouhave40PacketShapersinfivedifferentareasofthecountry.Usingthisstrategy,youwould createadefaultparentconfigurationforeachlocation,thenaddthePacketShaperstoPolicyCenterwiththe convertoptionsoeachunitmaintainsitscurrentconfigurationsettings.TheunitsPolicyCenter configurationswouldthenbemovedundertheappropriateparent. Becausetheunitconfigurationswouldntinheritanysettingsfromtheirparentconfigurations,theparent configurationswouldbeusedonlytohelplocateandidentifyindividualunitswithintheconfiguration tree. Forcompleteinformationoncreatingaconfigurationtreeofthistype,seeCreateaFunctional PolicyCenterConfigurationonpage41.
13
14
TheSunONEDirectoryServersoftwareisinstalledwithPolicyCenter,andusesLDAP(Lightweight DirectoryAccessProtocol)tocommunicatewitheachPacketShaper.Changesmadeinthedirectoryserver viaPolicyCenterorPacketShaperareupdatedinotherPacketShapersusingthepersistentsearchmechanism. Adirectoryserverhasasetcapacityforpersistentsearchesthatallowsittocommunicatewithafinite numberofPacketShapers.PacketShaperunitsrunningPacketWise7.5.x,8.3.x,orhighercancommunicate withthedirectoryservermoreefficientlythanunitsrunningearlierversionsofPacketWise.Asaresult,the relativesizeofyourdeploymentdoesnotdependexclusivelyonthenumberofunitsyouwishtomanage, butmustalsotakeintoconsiderationtheversionofsoftwarerunningontheseunitsand(possibly)the designofyourPolicyCenterconfigurationtree. Capacity Planning for PacketShapers Running PacketWise 7.5.x, 8.3.x or Higher IfallofyourPacketShaperunitsarerunningPacketWise7.5.x,8.3.xorhigher,capacityplanningisvery simple. Forfewerthan600unitsrunningPacketWise7.5.x,or8.3.xorhigher,useastandardorlarge PolicyCenterhardwareplatform(thelargeplatformsaremorescalableandcanmoreeasilyexpand tosupportadditionalunitsonedgedirectoryservers) Forextendeddeploymentswithover600unitsrunningPacketWise8.3.xorhigheronly,usealarge PolicyCenterhardwareplatformwithatleasttwoedgedirectoryservers.(Addoneadditionaledge directoryserverforeveryadditional600units.) ForadditionalinformationoncapacityplanningforPolicyCenterdeploymentswithPacketShapers runningearlierversionsofPacketWise,seeAppendixA:PolicyCenterCapacityPlanningfor Earlier Versions of PacketWise.
15
Installation Requirements
Onceyouhaveidentifiedyourconfigurationstrategiesanddeploymentsize,youwillbereadytobegin configuringyourserverandinstallingPolicyCenter.BlueCoathighlyrecommendsthatyouuseadedicated systemforPolicyCenter.AlsonotethatPolicyCenterdoesnotsupportvirtualservers. BeforeinstallingPolicyCenter8.5andSunONEDirectoryServer5.2,verifythatyouhavethefollowing: ForaStandardPolicyCenterDeployment: AsingleserverrunningWindows2003ServerorWindows2000Server,StandardorEnterpriseeditions, SP1orR2,32bit 1(or2)CPUswith3GHzOpteronor3GHzCore2Duoprocessors,4GBofRAM,and60GBfreedisk space ForaLargePolicyCenterDeploymentwithTwoWindowsServers: ForPolicyCenterandthecoredirectoryserver,aserverrunningWindows2003ServerorWindows 2000Server,StandardorEnterpriseeditions,SP1orR2,32bit Fortheedgedirectoryserver,aserverrunningWindows2003ServerorWindows2000Server,Standard orEnterpriseeditions,SP1orR2,32bit ForbothWindowsmachines,1(or2)CPUswith3GHzOpteronor3GHzCore2Duoprocessors,4GB ofRAM,and60GBfreediskspace ForaLargePolicyCenterDeploymentwithoneWindowsServerandaSolarisServer: ForPolicyCenterandthecoredirectoryserver,aserverrunningWindows2003ServerorWindows 2000Server,StandardorEnterpriseeditions,SP1orR2,32bit Foranedgedirectoryserver,aserverrunningSolaris9orSolaris10 FortheWindowsServer,1(or2)CPUswith3GHzOpteronor3GHzCore2Duoprocessors,4GBof RAM,and60GBfreediskspace FortheSolarisserver,2CPUswith1.38GHzorfasterUltraSPARCIIIiprocessors,8GBofRAM,and 2x73GBfreediskspace
Important: Large PolicyCenter deployments with both core and edge directory servers only support PacketShapers running PacketWise versions 8.3.1 or later. If your PacketShapers are running any earlier versions of PacketWise, you must upgrade them to 8.3.1 or later before you add an edge directory server to PolicyCenter.
Additional Windows Server Requirements TheWindowsserver(s)foryourPolicyCenterdeploymentalsorequire(s)thefollowing: AnNTFSfilesystem(aFATfilesystemwillnotwork) A1024x768pixelmonitorthatsupports16bitcolororbetter MicrosoftInternetExplorer6.0orlaterorFirefox2.0orlater AdministratoraccesstotheWindowsserver ADNSnamewhichcorrectlyresolvestoitsfixedIPaddress.AstaticIPaddressisrequired;the installationwillfailifTCP/IPisconfiguredforDHCP. TheWindowsserverforyourPolicyCentersoftwaremusthaveavalidnetmaskandgatewayfor eachnetworkinterface. Firewallpermissionsasneeded.ThePacketShaperunitsandPolicyCenterrunasLDAPclientsand connecttoport389onthedirectoryserver.IfPolicyCenterisconfiguredtorunasasecureLDAP client,itmustbeabletoconnecttoport636onthedirectoryserver.TheunitsusetheHTTPand HTTPSprotocolsforPolicyCentersimagedistributionfeature. YoumustbeabletoinstallPolicyCenterandSunONEsoftwaredirectlyontotheWindows2000/2003 servers.TheSunONEDirectoryServersoftwaremustbeinstalleddirectlyontothemachineon
whichthesoftwarewillrun.PolicyCentercandetectanattempttoinstalltheSunONEDirectory Serveroveraterminalserver,anditwillautomaticallystopaninstallationoveraterminalserver. Additional Solaris Server Requirements LargedeploymentsusingbothaWindowsandaSolarisservermustuseSolarisserversthatmeetthe followingrequirements: NetworkaccesstotheWindowsserverusedinthedeployment ADNSnamewhichcorrectlyresolvestoitsfixedIPaddress.AstaticIPaddressisrequired;the installationwillfailifTCP/IPisconfiguredforDHCP. Firewallpermissionsasneeded.ThePacketShaperunitsandPolicyCenterrunasLDAPclientsand connecttoport389onthedirectoryserver.IfPolicyCenterisconfiguredtorunasasecureLDAP client,itmustbeabletoconnecttoport636onthedirectoryserver.TheunitsusetheHTTPand HTTPSprotocolsforPolicyCentersimagedistributionfeature.
17
Configure the Windows Server

FollowtheproceduresinthissectiontoconfiguretheWindowsserver(s)forPolicyCenterbeforeyouinstall PolicyCenterorthedirectoryserversoftware.Notethattheseconfigurationstepsareonlyrequiredforan initialPolicyCenterinstallation.IfyouareupgradingfromapreviousversionofPolicyCenter,youwillnot needtoreconfigureyourWindowsserver. BeforeyouinstallPolicyCenter: 1. RemovefromyourserverallmonitoringservicessuchasSNMPservice,theMicrosoftInternet InformationService(IIS),oranyotherpreinstalledmonitoringservicesorwebservers. PolicyCenterchecksforthepresenceofIIS,andifitdetectsthepresenceofIISduringinstallation,itwill halttheinstallationprocedure.Anypreinstalledmonitoringservices(suchasthoseonHPservers)or HPSystemsmanagermayalsoconflictwiththeSunONEDirectoryServer,causingtheinstallationto fail.RefertoChapter9:TroubleshootingforadditionalinformationonremovinganIISserver. 2. ConfigureandverifytheDNSnameforyourserver. a. b. c. RightclicktheMyComputericonontheWindows2000/2003Serverdesktop,andthenclick Properties.ThiswillopentheSystemPropertieswindow. ClicktheNetworkIdentificationtab,thenclickthePropertiesbutton.OntheIdentificationChanges window,enterthenameanddomainforthecomputer. Clickthemorebutton,andentertheDNSsuffixfortheserver.
d. ClickOKtosavetheDNSsuffix,thenclickOKontheIdentificationChangeswindowtosaveyour networkidentificationchanges. Note: If the server already has a DNS name, use nslookup to verify the servers DNS configuration and IP address. For example, if the systems DNS name is pcserver.example.com, type this from the DOS command prompt:
nslookup pcserver.example.com
3.
Configureatimeserver.PolicyCenterreportsunitstatusmoreaccuratelyifalledgeandcoreservers areconfiguredwiththecorrecttime.YoucanensurethatyourPolicyCenterserver(s)allhavethesame timebyconfiguringthemtouseanSNTPtimeserver. TochecktoseeifaPolicyCenterserverisalreadyconfiguredforSNTP: a. b. FromthedesktopofyourPolicyCenterserver,selectStart>RuntoopenaRunWindow. EntercmdintotheOpenentryblankonthiswindow,thenclickOKtoopenacommandprompt window.
c.
Ifthecurrentdirectoryinthecommandpromptwindowisnotalreadyalocaldriveonyour PolicyCenterserver,changetoalocaldrive(forexample,C:).
d. Issuethecommandnet time /querysntp.Theoutputofthecommandshouldtellyouifthe computerisorisnotcurrentlyconfiguredtouseaspecificSNTPserver. IfthePolicyCenterserverisnotconfiguredtouseanSNTPserver,usethefollowingprocedureto configureanSNTPtimeserverforthatcomputer.

a.
Fromthecommandpromptwindow,issuethecommand
net time /setsntp:<ip-address>where<ipaddress>istheIPaddressorDNSnameofanSNTP
server.IfyournetworkdoesnothaveitsownSNTPtimeserver,specifytheIPaddressofapublic timeserver.Alistofpublictimeserversisavailableathttp://support.ntp.org/bin/view/Servers/ WebHome. b. c. PressEnter. TosynchronizethePolicyCenterserverwiththenewtimeserver,youmuststopandthenrestart timeserviceonthePolicyCenterserver.Issuethefollowingcommands:

net stop w32time net start w32time
d. StopandthenrestartthePolicyCenterservice. IfyourPolicyCenterdeploymenthasmultipleservers,repeatthisprocedureforeachWindowsserver.
19
Configure a Solaris Server

YoumustuninstallanySunONE5.2DirectoryServeralreadyontheserver,includingtheversionbundled withSolaris.YouwilllaterinstallPolicyCentersownversionofthedirectoryserverfromthePolicyCenter installationwizard. TouninstallanexistingSunONEDirectoryServer: 1. 2. 3. 4. LogintotheSolarisserverasarootuser. Navigateto/var/Sun/mps Enterthecommand./uninstall_dirserver. TheuninstallwizardwillpromptyoutoenteryourSunONEDirectoryServerconfigurationuserID andpassword.(Thedefaultsettingsforbothoftheseareadmin.Ifthesedefaultsettingshavebeen changed,contactthesystemadministratorfortheUserIDandpassword.) Issuethecommandrm -rf /var/Sun toremovetheSundirectory.
5.
Configure a Solaris Server for SNTP PolicyCenterreportsunitstatusmoreaccuratelyifalledgeandcoreserversareconfiguredwiththecorrect time.YoucanensurethatyourPolicyCenterserversallhavethesametimebyconfiguringthemtousean SNTPtimeserver.RefertothedocumentationontheSunwebsiteforinformationonconfiguringaSolaris serverforSNTP.(http://docs.sun.com/app/docs)
20
Install PolicyCenter and the Directory Server Software

Afteryourserversareconfigured,youarereadytoinstallthePolicyCenter8.5andSunONEDirectory Server5.2software.Theinstallationprocedurevariesaccordingtoyourselectedhardwareplatform. ForstandarddeploymentsonasingleWindowsserver,seepage21. ForlargedeploymentsonthreeWindowsservers,seepage22. ForlargedeploymentsonWindowsandSolarisservers,seepage24. ToextendanexistingPolicyCenterdeploymentbyaddinganadditionaledgedirectoryserver,see page27.
Standard Deployments on a Single Windows Server

ThefollowingprocedureinstallsbothPolicyCenterandthedirectoryserversoftwareontoasingle Windowsserver.IfyouarenotsurewhetheryoushouldinstallPolicyCenterandthedirectoryserver softwareonthesameserverorondifferentservers,refertothepreviouschapterfordetailsoncapacity planninganddeploymentsizes. 1. 2. 3. 4. LogintotheBlueCoatdownloadsite(https://support.bluecoat.com/download)anddownload thePolicyCenter8.5.zipfile(forexample,PolicyCenter_8.5.1_Windows.zip). UnzipthefilecontentstoyourWindowsserver. OntheWindowsserver,navigatetothePolicyCenter\Windowsfolder,andlaunchtheinstallation wizardbyrunningthesetup.exefile. TheSelectComponentswindowwillaskyoutoselectthePolicyCentercomponentsyouwanttoinstall. SelectthePolicyCenterandCoreDirectoryServeroption.
5.
Theinstallationprogramchoosesaharddiskwithatleast4GBoffreespace(bycheckingdisksinthe orderlistedintheNTFS),thenunpacksPolicyCenter,storesthefilesinadirectory,andstepsyou throughsetup.Youarepromptedtoenterthefollowingvalues:
Prompt Number of PacketShapers to Manage Key Code & Serial Number
Description The maximum number of PacketShapers supported by your PolicyCenter license. You will receive these numbers in an email from Blue Coat.
21
Prompt Install Directory
Description The default directory is \Blue Coat Systems\PolicyCenter. To install the files in a different directory, type the complete path.
6.
AfterthePolicyCenteranddirectoryserversoftwarehasbeeninstalled,youwillbepromptedtologin toPolicyCenterandprovidethefollowing: DNSname(recommended)orIPaddressoftheserveryouareusingforPolicyCenter.Thedefaultis localhost(thecomputeryouareusing). Directoryserverpasswordupto64alphanumericcharacterslong,including09,AZ,az,spaces, periods,underscores,anddashes.Thispasswordgivesyouaccesstoallconfigurationsandunitsin PolicyCenter.Ifyouloseyourpassword,refertoPacketGuidefordetailsonresettingadirectory serverpassword. (optional)ClicktheSecureConnectioncheckboxtoestablishasecureLDAPSconnectionbetween PolicyCenterandthedirectoryserver. ClicktheTimeZonedropdownlistandselectthetimezoneofyourPolicyCenterserver.
7.
ClicktheCommitAllSettingsbutton. ThePolicyCenteruserinterfaceappearsinyourbrowser.Fromnowon,youmayaccessthe PolicyCenterbrowserinterfacebyenteringtheDNSnameorIPaddressofthePolicyCenterserverin yourbrowsersaddresswindow. Important: When you install PolicyCenter, the software will already have defined a single touch user with the user name of admin and a password of admin. Blue Coat strongly suggests you change the pre-configured password for the admin user as soon as possible, as a person with malicious intent could easily guess those credentials. See Change the Default Administrator Password on page 29.
Large Deployments on Multiple Windows Servers

ThefollowingprocedureinstallsPolicyCenterandthecoredirectoryserverononeserver,theninstallsone ormoreedgedirectoryserversonadditionalWindowsservers. IfyouarenotsurewhetheryoushouldinstallPolicyCenterandthedirectoryserversoftwareonthesame serverorondifferentservers,refertothepreviouschapterfordetailsoncapacityplanninganddeployment sizes. 1. 2. 3. LogintotheBlueCoatdownloadsite(https://support.bluecoat.com/download)anddownload thePolicyCenter8.5.zipfile(forexample,PolicyCenter_8.5.1_Windows.zip). UnzipthefilecontentstoyourWindowsserver. OntheWindowsserver,navigatetothePolicyCenter\Windowsfolder,andlaunchtheinstallation wizardbyrunningthesetup.exefile.
22
4.
TheSelectComponentswindowwillaskyoutoselectthePolicyCentercomponentsyouwanttoinstall. SelectthePolicyCenterandCoreDirectoryServeroption.
5.
Prompt Number of PacketShapers to Manage Key Code & Serial Number Install Directory
Description The maximum number of PacketShapers supported by your PolicyCenter license. You will receive these numbers in an email from Blue Coat. The default directory is \Blue Coat Systems\PolicyCenter. To install the files in a different directory, type the complete path.
Next,installSunONEDirectoryServer5.2ontheadditionalWindowsserverstocreatetwo(ormore)edge servers. 1. 2. CopythePolicyCenter.zipfiletotheWindowsserverandunzipthefilecontents. OntheWindowsserver,navigatetothePolicyCenter\Windowsfolder,andlaunchtheinstallation wizardbyrunningthesetup.exefile.
23
3.
TheSelectComponentswindowpromptsyoutoselectthePolicyCentercomponentsyouwanttoinstall. SelecttheDirectoryServeronlyoption.Followtheinstallationwizardpromptstocompletethe installation.
4. 5. 6.
Onceinstallationiscomplete,repeattheabovestepstoinstalleachadditionaledgeserver. Afterthesoftwareisinstalled,logintoPolicyCenterbyenteringtheDNSnameorIPaddressofyour PolicyCenterserverinawebbrowser. ProvidethefollowinginformationintheGuidedSetupwindow: SpecifyaDNSname(recommended)orIPaddressoftheserverrunningPolicyCenterandthecore directoryserver. Defineadirectoryserverpasswordupto64alphanumericcharacterslong,including09,AZ,az, spaces,periods,underscores,anddashes.Thispasswordgivesyouaccesstoallconfigurationsand unitsinPolicyCenter.Ifyouloseyourpassword,refertoPacketGuidefordetailsonresettinga directoryserverpassword. (optional)EnabletheSecureConnectioncheckboxtoestablishasecureLDAPSconnectionbetween PolicyCenterandthedirectoryserver. SelecttheTimeZoneofyourPolicyCenterserver.
7.
ClicktheCommitAllSettingsbutton. PolicyCenterappearsinyourbrowser.Fromnowon,youmayaccessthePolicyCenterbrowser interfacebyenteringtheDNSnameorIPaddressofthePolicyCenterserverinyourbrowsersaddress window. Important: When you install PolicyCenter, the software will already have defined a single touch user with the user name of admin and a password of admin. Blue Coat strongly suggests you change the pre-configured password for the admin user as soon as possible, as a person with malicious intent could easily guess those credentials. See Change the Default Administrator Password on page 29.
Large Deployments on a Windows and a Solaris Server

PolicyCenter8.5supportslargedeploymentswithPolicyCenterandthecoredirectoryserveronaWindows ServerandoneormoreedgedirectoryserversonaSolarisserver. BeforeyouinstallthePolicyCentersoftware,youmustfirstinstalltheSunONEDirectoryServersoftware ontheSolarisserver. IfyouuseFTPtotransferthePolicyCenterfilestoaSolarisserver,certaincharacterssuchas^Mmaybe placedinthefilesduringaDOStoUNIXconversion.Ifanyofthefollowingfileshavethe^Mcharactersat theendofeveryline,youmayneedtorunthedos2unixcommandonthefollowingfilesbeforestartingthe installation: certificates enablessl.ldi
24
passwordfile slapdxxxpin.txt
template.ins noisefile 1. 2. 3. 4.
installds.pl
ToinstalltheSunONEDirectoryServeronaSolarisserver: LogintotheBlueCoatdownloadsite(https://support.bluecoat.com/download)anddownload thePolicyCenter8.5.zipfile(forexample,PolicyCenter_8.5.1_Windows.zip). UnzipthefilecontentstoyourSolarisserver. OntheSolarisserver,loginasarootuserandnavigatetothePolicyCenter/solarisdirectory. Enterthecommandperl ./installds.plandfollowtheGuidedSetupscripttoinstalltheSunONE DirectoryServer. Note: If the installation wizard detects another directory server on the Solaris server, the installation will not continue until you have removed the existing directory server software. AfteryouhaveinstalledtheSunONEDirectoryServerontheSolarisServer,returntotheWindowsserver toinstallthePolicyCentersoftware. 1. 2. 3. CopythePolicyCenter.zipfiletoyourWindowsserverandunzipthefilecontents. NavigatetothePolicyCenter\Windowsfolder,andlaunchtheinstallationwizardbyrunningthe setup.exefile. TheSelectComponentswindowpromptsyoutoselectthePolicyCentercomponentsyouwanttoinstall. SelectthePolicyCenterandCoreDirectoryServeroption.
Prompt Number of PacketShapers to Manage Key Code & Serial Number Install Directory
Description The maximum number of PacketShapers supported by your PolicyCenter license. You will receive these numbers in an email from Blue Coat. The default directory is \Blue Coat Systems\PolicyCenter. To install the files in a different directory, type the complete path.
4.
Afterthesoftwareisinstalled,logintoPolicyCenterbyenteringtheDNSnameorIPaddressofyour PolicyCenterserverinawebbrowser.
25
5.
EnterthefollowinginformationintheGuidedSetupwindow: Specifyahostname(recommended)orIPaddressoftheserverrunningPolicyCenterandthecore directoryserver. Defineadirectoryserverpasswordupto64alphanumericcharacterslong,including09,AZ,az, spaces,periods,underscores,anddashes.Thispasswordgivesyouaccesstoallconfigurationsand unitsinPolicyCenter.Ifyouloseyourpassword,refertoPacketGuidefordetailsonresettinga directoryserverpassword. (optional)EnabletheSecureConnectioncheckboxtoestablishasecureLDAPSconnectionbetween PolicyCenterandthedirectoryserver. SelecttheTimeZoneofyourPolicyCenterserver.
6.
ClicktheCommitAllSettingsbutton.PolicyCenterappearsinyourbrowser.Fromnowon,youmay accessthePolicyCenterbrowserinterfacebyenteringtheDNSnameorIPaddressofthePolicyCenter serverinyourbrowsersaddresswindow. Important: When you install PolicyCenter, the software will already have defined a single touch user with the user name of admin and a password of admin. Blue Coat strongly suggests you change the pre-configured password for the admin user as soon as possible, as a person with malicious intent could easily guess those credentials. See Change the Default Administrator Password on page 29.
26
Install an Edge Directory Server !

Important: Large PolicyCenter deployments with both core and edge directory servers only support PacketShapers running PacketWise versions 8.3.1 or later. If your PacketShapers are running any earlier versions of PacketWise, you must upgrade them before you add an edge directory server to PolicyCenter.
Install an Edge Directory Server on a Windows Server Extendyourdeploymentbeyondthecapacityofthecoredirectoryserverbydefiningadditionaledge directoryserversthatcaneachsupportupto600PacketShapers. ToinstallaPolicyCentercoreoredgedirectoryserveronaWindowsserver: 1. 2. 3. 4. LogintotheBlueCoatdownloadsite(https://support.bluecoat.com/download)anddownload thePolicyCenter8.5.zipfile(forexample,PolicyCenter_8.5.1_Windows.zip). UnzipthefilecontentstoyourWindowsserver. NavigatetothePolicyCenter\Windowsfolder,andlaunchtheinstallationwizardbyrunningthe setup.exefile. TheSelectComponentswindowopens.SelectDirectoryServeronly.
Note: If the installation wizard detects another directory server on the Windows server, the installation will not continue until you have removed the existing directory server software. 5. 6. 7. 8. OncetheSunONEDirectoryServersoftwarehasbeeninstalledontheserver,logintoPolicyCenter withaPolicyCenterorganizationadministratorsusernameandpasswordandclicktheSetuptab. SelecttheDirectoryServerssetupcategorytoopentheDirectoryServerswindow. ClickNew,thenentertheDNSnameorIPaddressoftheserveryoujustconfigured. (Optional)ChecktheUseSecureLDAPCommunicationscheckboxforsecuredatareplication betweentheedgeandcoreserver.ThisoptionrequiresyoutogeneratetheappropriateSSL certificatesforboththeedgeandcoreservers,andloadthecertificateontheedgeserverbeforeyou addthedirectoryserver.(Foradditionalinformationonconfiguringanedgedirectoryserver,see PacketGuide.) ClickAddtoaddthenewserver.
9.
Install an Edge Directory Server on a Solaris Server ThefollowinginstructionsdescribehowtoinstalltheSunONEDirectoryServeronaSolarisserver.Ifyou useFTPtotransferfilestoaSolarisserver,certaincharacterssuchas^Mmaybeplacedinthefilesduring aDOStoUNIXconversion.Ifanyofthefollowingfileshavethe^Mcharactersattheendofeveryline,you mayneedtorunthedos2unixcommandonthefollowingfilesbeforestartingtheinstallation. certificates enablessl.ldi template.ins
passwordfile slapdxxxpin.txt installds.pl
noisefile
27
ToinstalltheSunONEDirectoryServeronaSolarisserver: 1. 2. 3. 4. LogintotheBlueCoatdownloadsite(https://support.bluecoat.com/download)anddownload thePolicyCenter8.5.zipfile(forexample,PolicyCenter_8.5.1_Windows.zip). UnzipthefilecontentstoyourSolarisserver. OntheSolarisserver,loginasarootuserandnavigatetothePolicyCenter/solarisdirectory. Enterthecommandperl ./installds.plandfollowtheguidedsetupscripttoinstalltheSunONE DirectoryServer. Note: If the installation wizard detects another directory server on the Solaris server, the installation will not continue until you have removed the existing directory server software. 5. 6. 7. 8. AftertheSunONEDirectoryServersoftwarehasbeeninstalledontheserver,logintoPolicyCenter withaPolicyCenteradministratorsusernameandpassword,andclicktheSetuptab. SelecttheDirectoryServerssetupcategorytoopentheDirectoryServerswindow. ClickNew,thenentertheDNSnameorIPaddressoftheserveryoujustconfigured. (Optional)SelecttheUseSecureLDAPCommunicationscheckboxforsecuredatareplication betweentheedgeandcoreserver.ThisoptionrequiresyoutogeneratetheappropriateSSL certificatesforboththeedgeandcoreservers,andloadthecertificateontheedgeserverbeforeyou addthedirectoryserver.(Foradditionalinformationonconfiguringanedgedirectoryserver,see PacketGuide.) ClickAddtoaddthenewserver.
9.
28
Change the Default Administrator Password

Start a PolicyCenter Session AfteryouhaveinstalledPolicyCenterandthedirectoryserversoftware,BlueCoatrecommendsyousecure yourPolicyCenterdeploymentimmediatelybyloggingintoPolicyCenterandresettingtheadministrators password. TostartaPolicyCentersessionfromabrowser: 1. 2. 3. Openabrowserwindow. Inthebrowseraddressfield,typelocalhost(onlyfromthePolicyCenterserveritself),ortheDNSname orIPaddressoftheserverwherePolicyCenterisinstalled(fromanymachineonthenetwork.) Enterthedefaultusernameandpassword.ThedefaultPolicyCenterusernameandpasswordareboth admin.
4.
(Recommended)ClicktheSecureLogincheckboxtoaccessPolicyCenterviaasecureHTTPSport. Note: Secure logins via HTTPS may take longer to complete than non-secure (HTTP) logins. For more details on PolicyCenter security, refer to the PacketGuide section Tasks > PolicyCenter Admin > Security.
5. 6.
ThePolicyCenterbrowserinterfaceopens. SelectUsers>Operations.Thepasswordsettingsfortheadminuseraccountappearintherightpane.
7. 8.
DeletetheplaceholderdotsandenterthenewpasswordintheNewPasswordandRetypeNew Passwordfields. ClickSet.
29
YoumustlogintoPolicyCenterwiththeusernameadminandthisnewpassworduntilyoudefinenewuser accounts.Thedefaultadminuseraccountcannotbedeleted.
30
NowthatyouveinstalledPolicyCenter,youcanstartaddingPacketShaperunitsandcreatingadditional configurations.YoucanaddPacketShapersalreadyfunctioningonyournetwork,orunconfigured PacketShaperswhichhavebeencabledtothenetworkandpoweredon,butnotyetconfiguredwitha networkidentity.
Adding Unconfigured Units

TherearetwowaystoaddunconfiguredPacketShaperstoPolicyCenter: RuntheGuidedSetuputilityviaawebbrowserorconsoleconnectiontothePacketShaperandselect thesharedmodeconfigurationoption.(ForcompletedetailsonGuidedSetup,refertotheQuick StartGuideincludedwithyourPacketShaper,orseePacketGuide.) ConfigurethePacketShaperviathePolicyCenterautodeploymentfeature. TheautodeploymentfeatureletsyouconfigurearemotePacketShaperbyenteringintoPolicyCenteraunit name,IPaddress,subnetmask,andgatewayfortheunconfiguredunit.ThePolicyCenterautodeployment serverwillsendtheunconfiguredunititsIPaddressandotherbasicnetworksettings,andtheunitwill automaticallysubscribetoPolicyCenter. ToconfigureaunitandsubscribeittoPolicyCenterviathePolicyCenterautodeploymentfeature: 1. 2. 3. 4. 5. Connecttheunconfiguredunittothenetwork. AccessthePolicyCenterbrowserinterface,andclicktheSetuptab. FromtheSetupCategorylist,selectAutoDeploy. ClicktheaddbuttontoopentheAutoDeployUnitEntrywindow. Createanewautodeployunitentrybyfillingintheinformationforthatunit.Ifyouspecifythepath ofanexistingPolicyCenterconfiguration,theunitwillassignitselftothatconfigurationwhenit subscribestoPolicyCenter.Otherwise,theunitwillassignitselftoablankconfigurationattherootof theconfigurationtree. ClickOKtosaveyourentry.TheAutoDeployUnitEntrywindowwillclose. EnabletheautodeploymentserverbyclickingtheServerStatedropdownlistandselectingon. Clickapplychanges.
6. 7. 8.
Theautodeploymentserverwillthensendanautodeploymessagetoconfiguretheunitatthenextauto deploymentinterval.Forcompleteinformationonusingtheautodeploymentfeaturetoaddunconfigured unitstoPolicyCenter,seePacketGuide. Adding Configured PacketShapers APacketShaperthatalreadyhasconfigurednetworksettingscanbesubscribedtoPolicyCenterviathat individualunitsbrowserorcommandlineinterfaces.BlueCoatrecommendsmanuallyaddingyourfirst fewunitsandverifyingthattheyworkasexpectedbeforeyouautodeployalargenumberofunconfigured units. WhenyoufirstselectedastrategyforimplementingPolicyCenteryoushouldhavedecidedwhetheryou wishedtoconvertoneunitscurrentconfigurationintoasharablePolicyCenterconfigurationforseveral otherunits,orifyouwantedtocreateanewsharableconfigurationthatcontrolsjustafewkeyclassesand settings,whilemaintainingseparateconfigurationsforeachunitstraffictree. IfyouchosetocreateacomprehensivePolicyCenterconfiguration,refertoCreatea ComprehensivePolicyCenterConfigurationonpage33.
31
IfyoudecidedtocreateaselectivePolicyCenterconfigurationthatcontrolsonlyasmallportionof theunitsconfigurations,refertoCreateaSelectivePolicyCenterConfigurationonpage36. IfyoudecidedtocreateafunctionalPolicyCenterconfigurationthatallowsyoutomonitoryour unitconfigurationsyetstillmanageeachoneindividually,refertoCreateaFunctionalPolicyCenter Configurationonpage41.
32
Create a Comprehensive PolicyCenter Configuration !

Important: Follow the steps described in this section to create a comprehensive sharable configuration that manages all (or nearly all) of each units classes and settings. For a detailed description of comprehensive PolicyCenter configurations, see Comprehensive PolicyCenter Configuration Strategies on page 12. For alternate strategies, see Chapter 2 or refer to Create a Selective PolicyCenter Configuration on page 36 or Create a Functional PolicyCenter Configuration on page 41.
Thissectiondescribeshowto: UsetheconvertconfigurationoptiontoaddaprimaryunittoPolicyCenter,thencreateanew PolicyCentersharableconfigurationbasedonthatPacketShapersoriginaltraffictreeand configurationsettings. AddadditionalunitstoPolicyCenter. Assigntheunitstotheirpropersharableconfigurations.
Convert a Unit Configuration

ToaddaPacketShapertoPolicyCenterusingtheconvertoption: 1. 2. AccessthePacketShaperyouwishtoaddtoPolicyCenterviatheunitsbrowserinterface. ClicktheSetuptab,andselectPolicyCenteraccessfromtheChooseSetupPagelist. ThePolicyCenterAccesspageappears,asshownbelow.
3.
EntertheDNSname(recommended)orIPaddressofthePolicyCenterdirectoryserverandthe PolicyCenterDirectoryServerpassword. Note: Blue Coat strongly recommends identifying the server by DNS name, rather than by IP address. With this option, if you migrate PolicyCenter to a different server, you only need to assign the previous servers DNS name to the new server, and all units will be able to immediately contact the new PolicyCenter server. If a unit is subscribed to PolicyCenter via the servers IP address, migrating PolicyCenter to a different server may require you to access each unit, unsubscribe it, then resubscribe the unit to the new IP address.
4.
(OptionalforunitsrunningPacketWise7.5.xor8.3.xandlater)ChecktheSecureConnectioncheckboxto establishasecureLDAPconnectionbetweenthePacketShaperandthePolicyCenterdirectoryserver. Notethatsecureconnectionsareslowerthanclearconnections. IntheUnitNamefield,enterauniquenamefortheunitthatwillhelpyoutoidentifytheunitwithin thePolicyCenterUnitslist.ThesuggestednamesaretheDNSnameoftheunit(ifpresent)ortheunit serialnumber.

33
5.
6.
ClicktheConvertconfigurationcheckbox,sotheunitretainsitscurrentclasstreeandsettingswhenit subscribestoPolicyCenter. Note: If a PacketShaper unit is configured with Frame Relay support, you cannot use PolicyCenter to manage its Frame Relay configuration. If a unit with configured static frame routing entries is subscribed to PolicyCenter using the convert configuration option, the frame routing entries may be lost.
7.
Clickapplychangestosaveyoursettings. Note: If the web browser uses any HTTPS port setting other than port 443 to perform the convert operation, it may display a Page Not Found error immediately after you perform this operation. The units port settings will be converted into a PolicyCenter configuration, but it may be a few seconds before you can refresh the web page.
Create the Comprehensive Configuration

Changetheuniqueconfigurationforyourprimaryunitintoasharablecomprehensiveconfigurationby makingasharablecopyofthatconfigurationandgivingthatnewconfigurationadifferentname. TocopyandrenameaPolicyCenterconfiguration: 1. 2. 3. 4. 5. LogintoPolicyCenter,andclicktheConfigurationstab. Fromtheconfigurationlistintheleftpaneofthiswindow,selectthenewPolicyCenterconfiguration foryourprimaryunit. IntherightpaneofthiswindowclicktheOperationstab.TheOperationswindowappears. IntheCopyConfigurationfield,clickthedropdownlistandselecttheslash(/)tomakeanewsharable copyoftheunitconfigurationatthetopoftheconfigurationtree. Intheand(optionally)renametheConfigurationtothefollowingfield,typeanameforthenew sharableconfiguration.Thenamecanbeupto20characterslong,includingaz,AZ,,_,and.(period). Spacesarenotallowedintheconfigurationname. ClickCopyandRename.
6.
Assign the PacketShaper to its PolicyCenter Configuration

Theproceduretoassigntheprimaryunittothenewcomprehensiveconfigurationvaries,dependingupon theversionofsoftwarethatPacketShaperisrunning. IftheunitisrunningPacketWise7.5.x,or8.3.xorhigher,simplyassignthatunittothenew comprehensiveconfiguration. IftheunitisrunninganearlierversionofPacketWise,firstcreateanewchildconfigurationunder thecomprehensiveconfiguration,andthenassigntheunittothatchildconfiguration. Assign a PacketShaper Running PacketWise 7.5.x, 8.3.x, or Higher ToassignaprimaryunitrunningPacketWise7.5.x,8.3.x,orhigher: 1. 2. 3. 4. 5. ClicktheUnitstabtoopentheUnitswindow. FromtheUnitslistintheleftpaneofthiswindow,selecttheprimaryunityoujustaddedto PolicyCenter. ClicktheOperationstabintherightpaneofthiswindow.TheUnitOperationswindowopens. ClicktheChangethisUnitsConfigurationtodropdownlist,andselectthecomprehensive configuration. ClickChange.
ThePacketShaperisnowassignedtothesharablecomprehensiveconfiguration,andthatPacketShapers individualunitconfigurationwillappearbelowthecomprehensiveconfigurationintheconfigurationtree. However,sincetheunitconfigurationhasallthesamesettingsasitscomprehensiveparentconfiguration,

thoselocalunitsettingswilloverrideanychangesmadeintheparent.Inordertomanagethisunitviaits comprehensivesharableconfiguration,youmustclearthePacketShaperslocalsettings,soitcaninheritits traffictreeandsettingsfromitsparent. ToclearaPacketShapersuniqueconfiguration: 1. 2. 3. FromtheconfigurationlistintheleftpanetheConfigurationstab,selectthePolicyCenter configurationforyourprimaryunit(itsoriginalconfiguration,andnotthenewsharablecopy.) ClicktheOperationstabtodisplaytheOperationswindow. ClicktheClearbutton.
Theunitwillnowinheritfromitsparentconfigurationallofitssharablesettings. Assign a PacketShaper Running Earlier Versions of PacketWise Remember,PacketShapersrunningPacketWise8.0.x8.2.xor7.0.x7.4.xcanbeassigneddirectlytoa sharableconfiguration,leavingtheirindividualunitconfigurationsbehind.Therefore,inordertocreatea configurationtreewhereyoucanmakeindividualchangestoaunitifnecessary,youmustcreateanew childconfigurationunderthecomprehensiveconfiguration,andassigntheunittothatnewchild configuration. Note: Although you can assign a unit directly to the comprehensive configuration using the procedure described earlier, you will not be able to make changes to just that unit without modifying the comprehensive configurations and all other units assigned to it. First,createanewchildconfigurationunderthecomprehensiveconfiguration: 1. 2. 3. 4. 5. 1. 2. 3. 4. 5. ClicktheConfigurationstab. Fromtheconfigurationlistintheleftpaneofthiswindow,selectyourcomprehensiveconfiguration. ClicktheNewbuttonbelowtheconfigurationlist. Enteranameforthenewchildconfiguration. ClickAdd. ClicktheUnitstabtoopentheUnitswindow. FromtheUnitslistintheleftpaneofthiswindow,selecttheunityoujustaddedtoPolicyCenter. ClicktheOperationstabintherightpaneofthiswindow.TheUnitOperationswindowopens. ClicktheChangethisUnitsConfigurationtodropdownlist,andselectthenewchildconfiguration. ClickChange.
Next,assigntheunittothenewchildconfiguration:
Add and Assign Other PacketShapers to this Configuration

ToaddotherPacketShapersalreadyoperatingonyournetwork,followsteps15and7oftheprocedure describedinConvertaUnitConfigurationonpage33,omittingtheconvertconfigurationoptiondescribed instep6.Theunitswillloseanyexistingtrafficclassesandsettingsandwillbeassignedtoanew PolicyCenterconfigurationwithdefaultsettingsonly. AssignunitsrunningthecomprehensiveconfigurationusingthestepsdescribedinAssignthe PacketShapertoitsPolicyCenterConfigurationonpage34.Notethatyouwillnotneedtocleartheunique unitconfigurationsforanyotherunits,becausetheywerenotcreatedwiththeconvertconfigurationoption, andthereforehavedefaultsettingsonly.
Manage your Configurations

Onceyouhavefollowedthestepsinthissectiontocreateyourinitialconfigurationtree,startcreating PolicyCenterorganizationsanduseraccounts,asdescribedinChapter6.BlueCoatalsorecommendsyou continueontoChapter7,andreviewsomeofthebestpracticesformanagingPolicyCenterconfigurations andunits.
Create a Selective PolicyCenter Configuration !

Important: Follow the steps described in this section to create a selective sharable configuration that manages only a few key classes and settings for each PacketShaper assigned to that configuration. For a detailed description of selective PolicyCenter configurations, see Selective Configuration Strategies on page 12. For alternate strategies, see Chapter 2 or refer to Create a Comprehensive PolicyCenter Configuration on page 33 or Create a Functional PolicyCenter Configuration on page 41.
Thissectiondescribeshowto: Createanewselectiveconfiguration. UsetheconvertconfigurationoptiontoaddPacketShaperstoPolicyCenterwhileretainingtheunits individualtraffictrees. Reassign(ormove)theunitsconfigurationsunderthenewselectiveconfiguration. Forcethechildconfigurationstoinherittheselectiveconfigurationbyremovinganylocaloverrides ofinheritedclasses.
Create a New PolicyCenter Configuration

WhenyoufirstinstallPolicyCenter,itwillhaveonlyonesharableconfiguration,thedefaultconfiguration. ThefirststepincreatingaselectivePolicyCenterconfigurationistoaddanentirelynewconfigurationto thePolicyCenterconfigurationtree. ToaddanewconfigurationtoPolicyCenter: 1. 2. 3. ClicktheConfigurationstab.ThePolicyCenterconfigurationtreeappearsintheleftpaneofthe window. MakesuretheRoot(/)isselected. ClicktheNewbuttonbelowtheconfigurationtree.TheAddaNewConfigurationwindowappears.
4. 5.
Enteranameforthenewconfiguration.PolicyCenterconfigurationnamescanhaveupto20characters, andcanincludeaz,AZ,09,,_,and.(period.)Spacesarenotallowed. Clickadd.
Add Classes to the New Configuration

Onceyouhavefollowedtheabovestepstocreateandnameyournewselectiveconfiguration,youmust createadraftcopyofthatconfigurationsoyoucanstartdefiningsettingssuchastrafficclasses,policies, andpartitions.Afteryoucommitthechangesyoumaketothedraft,trafficclassesinthisselective configurationcanbeinheritedbyanyunitorchildconfigurationsassignedtoit. 1. 2. 3. 4. ClickthePolicyCenterConfigurationstab.TheConfigurationswindowopens. Fromtheconfigurationtreeintheleftwindowpane,clickthenameofyournewselectiveconfiguration. ClicktheEditbuttonbelowtheconfigurationtreetocreateadraftcopyofthatconfiguration. Clickclass>add,thenspecifyaclassnameandothersettingstodefineaspecifictrafficclassforyour selectiveconfiguration.
36
5. 6.
Clickaddclasswhenyouhavefinished. (Optional)Ifyouwanttoaddapolicyand/orpartitiontotheclass,clicktheclassnameinthetraffictree, thenclickpolicyorpartition.Specifysettingsforthenewpolicyorpartition,thenclickapplychanges. Note: For more detailed information on adding classes, policies, and partitions, click the DOCUMENTATION link at the top of the browser window and refer to the information in the PacketGuide section Tasks > Classification > Create Class.
7. 8. 9.
Continuetoaddclassesuntilyouhavecompletedtheclasstreeforthisconfiguration. CommitthechangestothedraftconfigurationbyclickingtheCommitbuttonbelowtheconfiguration tree. Apopupwindowwillaskyoutoconfirmyourchanges.ClickCommitConfiguration. Note: The configuration can also contain any of the settings on the Setup tab.
Add PacketShapers to PolicyCenter

Onceyouhavedefinedthekeyclassesforyournewselectiveparentconfiguration,youwillneedtoadd PacketShaperstoPolicyCenterandmovethoseunitsconfigurationsundertheselectiveconfiguration.You arenotassigningPacketShaperstotheselectiveconfigurationdirectly,butarecreatingchildconfigurations undertheselectiveparentconfiguration.Eachunitremainsassignedtoitsownchildconfiguration. AsyouaddtheunitstoPolicyCenter,makesureyouselecttheconvertconfigurationoptionsoeachunits newPolicyCenterconfigurationwillreflecttheunitspreviouslocalmodeconfiguration.Withoutthis optionselected,theunitwillbeassignedtoaPolicyCenterconfigurationwithdefaultsettingsonly. ToaddunitstoPolicyCenter: 1. 2. AccessthePacketShaperyouwishtoaddtoPolicyCenterviatheunitsbrowserinterface. ClicktheSetuptabandselectPolicyCenteraccessfromtheChooseSetupPagelist.ThePolicyCenter Accesspageappears,asshownbelow.
3.
EntertheDNSname(recommended)orIPaddressofthePolicyCenterdirectoryserverandthe PolicyCenterDirectoryServerpassword. Note: Blue Coat strongly recommends identifying the server by DNS name, rather than by IP address. With this option, if you migrate PolicyCenter to a different server, you only need to assign the previous servers DNS name to the new server, and all units will be able to immediately contact the new PolicyCenter server. If a unit is subscribed to PolicyCenter via the servers IP address, migrating PolicyCenter to a different server may require you to access each unit, unsubscribe it, then resubscribe the unit to the new IP address.
37
4.
(OptionalforunitsrunningPacketWise7.5or8.3andabove)ChecktheSecureConnectioncheckboxto establishasecureLDAPconnectionbetweenthePacketShaperandthePolicyCenterdirectoryserver. Notethatsecureconnectionsareslowerthanclearconnections. IntheUnitNamefield,enterauniquenamefortheunitthatwillhelpyoutoidentifytheunitandits configurationwithinthePolicyCenterUnitslist.ThesuggestednameistheDNSnameofthe PacketShaper(ifpresent)ortheunitsserialnumber. Clicktheconvertconfigurationcheckbox.Whenyouselectthisoption,theunitsexistingsharable attributeswillbeconvertedintoanewPolicyCenterconfigurationwiththesameattributesandvalues. BecausethePacketShapersnewPolicyCenterconfigurationwillbebaseduponitsprevious configuration,theunitwillcontinuetooperatethesameinPolicyCenterasitdidinlocalmode.Ifyou donotselecttheconvertoption,thePacketShapersnewPolicyCenterconfigurationiscleared,andwill havedefaultsettingsonly. Clickapplychangestosaveyoursettings TheunitwillbesettosharedmodeandwillbesubscribedtoPolicyCenter. RepeatthesestepstoaddadditionalPacketShaperstoPolicyCenter. Note: If the web browser uses any HTTPS port setting other than port 443 to perform the convert operation, it may display a Page Not Found error immediately after you perform this operation. The units port settings will be converted into a PolicyCenter configuration, but it may be a few seconds before you can refresh the web page.
5.
6.
7. 8.
Assign the PacketShaper to its PolicyCenter Configuration

Theproceduretoassigntheprimaryunittothenewselectiveconfigurationvaries,dependinguponthe versionofsoftwarethatPacketShaperisrunning. IftheunitisrunningPacketWise7.5.x,8.3,orhigher,simplyassigntheunitsindividual configurationtothenewselectiveconfiguration. IftheunitisrunningearlierversionofPacketWise,movetheunitsindividualPolicyCenter configurationunderthenewselectiveconfiguration.
Assign a PacketShaper Running PacketWise 7.5.x, 8.3.x or Higher

ToassignaPacketShapertoaselectivePolicyCenterconfiguration: 1. 2. 3. 4. 5. ClicktheUnitstab. FromtheUnitslistontheleftwindowpane,clicktheunittobereassigned. ClicktheOperationstabontherightwindowpane. IntheChangethisUnitsConfigurationtofield,selectthenewselectivesharableconfiguration. ClickChangetoassigntheunitconfigurationtothespecifiedsharableconfiguration.
Iftheindividualunitconfigurationhasdefinedclassesorsettingsthatoverridethesettingsinheritedfrom itsselectiveparentconfiguration,theseoverridesmustbeclearedbeforetheunitcanproperlyinherit settingsfromtheselectiveconfiguration.SeeRemoveLocalOverridingClassesonpage39.
Assign a PacketShaper Running Earlier Versions of PacketWise

PacketShapersrunningPacketWise8.0.x8.2.xor7.0.x7.4.xshouldhavetheiruniqueunitconfigurations movedunderthenewselectiveconfiguration.UnitsrunningearlierversionsofPacketWisewillleave behindtheirindividualunitconfigurationswhentheyareassigneddirectlytoasharableconfiguration,so youmustmovetheunitconfigurationundertheselectiveparentconfigurationinorderforthatunitto retainitscurrentlocalsettings. TomoveaunitconfigurationunderaselectivePolicyCenterconfiguration: 1. 2.
38
ClicktheConfigurationstab. FromtheConfigurationslistontheleftwindowpane,clicktheunitconfigurationtobemoved.
3. 4. 5.
ClicktheOperationstabontherightwindowpane. IntheMoveConfigurationfield,selectthenewselectiveconfiguration. (Optional)Intheand(optionally)renametheConfigurationtothefollowingfield,youmayentera newnamefortheunitconfiguration.Thenamecanbeupto20characterslong,includingaz,AZ,,_, and.(period).Spacesarenotallowedintheconfigurationname. ClickMove&Rename.
6.
Iftheindividualunitconfigurationhasdefinedclassesorsettingsthatoverridethesettingsinheritedfrom itsselectiveparentconfiguration,theseoverridesmustbeclearedbeforetheunitcanproperlyinherit settingsfromtheselectiveconfiguration.SeeRemoveLocalOverridingClassesonpage39.
Remove Local Overriding Classes

TheuniqueunitconfigurationforeachPacketShapernowappearsasachildconfigurationunderthe sharableparentconfiguration.Eachofthesechildconfigurationswillinheritfromtheirparent configurationanyclassesandsettingsnotalreadypresentonthechildconfiguration.Ifachild configurationalreadyhastheseclassesdefined,however,youwillhavetoremovetheselocalclassesbefore thechildconfigurationcaninherittheclassesfromitsparent. Toremoveanoverrideclass: 1. 2. 3. Ifitisnotalreadyselected,clicktheConfigurationstab. FromtheConfigurationslistintheleftwindowpane,selecttheuniqueunitconfigurationofaunit assignedtoyourselectiveconfiguration. Fromtherightwindowpane,clicktheClassTreetab.Mostofthetrafficclassnamesinthetraffictree belowappearinblack,indicatingthatthoseclasseswerecreatedonthechildconfiguration.Inherited classesappearinblue.Classesmanuallycreatedonachildconfigurationoverridethosesameclasses inheritedfromitsselectiveparentconfiguration.Therefore,theseoverridingclassesmustberemoved fromthechildconfigurationbeforethechildcaninherittheclassesdefinedintheselectiveparent configuration. ClicktheQuickCommandslinkatthebottomofthePolicyCenterwindow. SelecttheclassesyouwishtoremovefromtheAvailableClasseslistbyclickingontheclassnames. Youcanctrl+clicktoselectmultipleclassesatonce. Clickthe>buttontomovethoseclassestothelistoftargetclasses. FromtheClassCommandsdropdownlist,selectclassdelete. ClicktheRunbutton.
Toremoveoverridinglocalclassesfromachildconfiguration: 1. 2. 3. 4. 5.
Thespecifiedlocalclassesareremovedfromthechildconfiguration,whichcantheninheritthoseclasses fromitsparent.
39
Thefigurebelowshowswhatthetraffictreeofoneoftheseunitswilllooklikeonceitsoverridesare removed.Notethepolicyandpartitioniconsthatnowappearbytheinheritedclasses.
Manage your Configurations

Onceyouhavefollowedthestepsinthesectiontocreatetheinitialconfigurationtree,youcanstartcreating PolicyCenterorganizationsanduseraccounts,asdescribedinChapter5.BlueCoatalsorecommendsyou continueontoChapter6,andreviewsomeofthebestpracticesformanagingPolicyCenterconfigurations andunits.
40
Create a Functional PolicyCenter Configuration !

Important: Follow the steps described in this section to create a functional configuration tree that allows you to group and monitor your PacketShapers via PolicyCenter, yet still requires you to manage each PacketShaper individually through its own browser or command-line interfaces. For a detailed description of functional PolicyCenter configurations, see Functional Configuration Strategies on page 13. For alternate strategies, see Chapter 2 or refer to Create a Comprehensive PolicyCenter Configuration on page 33 or Create a Selective PolicyCenter Configuration on page 36.
Thissectiondescribeshowto: Createanewfunctionalparentconfigurationwithdefaultsettingsonly. UsetheconvertconfigurationoptiontoaddPacketShaperstoPolicyCenterwhileretainingtheunits individualtraffictrees. Assigntheunitsconfigurationsunderthefunctionalconfiguration.
Create a New PolicyCenter Configuration

WhenyoufirstinstallPolicyCenter,itwillhaveonlythedefaultconfiguration,whichcannotberemoved orrenamed.WhenyouaddPacketShapersrunningPacketWiseversion5.x6.xtoPolicyCenter, PolicyCenteraddstheunitsnewPolicyCenterconfigurationsunderthedefaultconfiguration.Units runninglaterversionsofPacketWisehavetheirindividualunitconfigurationsappearatthetopofthe configurationtreewhentheunitisaddedtoPolicyCenter. ThefirststepincreatingafunctionalPolicyCenterconfigurationistoaddanentirelynewconfigurationto thePolicyCenterconfigurationtree. ToaddanewconfigurationtoPolicyCenter: 1. 2. 3. ClicktheConfigurationstab.ThePolicyCenterconfigurationtreeappearsintheleftpaneofthe window. MakesuretheRoot(/)isselected. ClicktheNewbuttonbelowtheconfigurationtree.TheAddaNewConfigurationwindowappears.
4. 5.
Enteranameforthenewconfiguration.PolicyCenterconfigurationnamescanhaveupto20characters, andcanincludeaz,AZ,09,,_,and.(period.)Spacesarenotallowed. ClickAdd.
Add Units to PolicyCenter

Onceyouhavecreatedafunctionalconfigurationwithdefaultsettingsonly,youwillneedtoaddunitsto PolicyCenterandmovethoseunitsconfigurationsundertheparentconfiguration.Youarenotassigning unitstotheparentconfigurationdirectly,butarecreatingchildconfigurationsundertheparent.Eachunit remainsassigneditsownchildconfiguration.
41
Important:AsyouaddtheunitstoPolicyCenter,makesureyouselecttheconvertconfigurationoptionso eachunitsnewPolicyCenterconfigurationwillreflecttheunitspreviouslocalmodeconfiguration. Withoutthisoptionselected,theunitwillbeassignedtoaPolicyCenterconfigurationwithdefaultsettings only. ToaddunitstoPolicyCenter: 1. 2. AccessthePacketShaperyouwishtoaddtoPolicyCenterviatheunitsbrowserinterface. ClicktheSetuptabandselectPolicyCenteraccessfromtheChooseSetupPagelist.ThePolicyCenter Accesspageappears,asshownbelow.
3.
EntertheDNSname(recommended)orIPaddressofthePolicyCenterdirectoryserverandthe PolicyCenterdirectoryserverpassword. Note: Blue Coat strongly recommends identifying the server by DNS name, rather than by IP address. With this option, if you migrate PolicyCenter to a different server, you only need to assign the previous servers DNS name to the new server, and all units will be able to immediately contact the new PolicyCenter server. If a unit is subscribed to PolicyCenter via the servers IP address, migrating PolicyCenter to a different server may require you to access each unit, unsubscribe it, then resubscribe the unit to the new IP address.
4.
(OptionalforunitsrunningPacketWise7.5or8.3andabove)ChecktheSecureConnectioncheckboxto establishasecureLDAPconnectionbetweenthePacketShaperandthePolicyCenterdirectoryserver. Notethatsecureconnectionsareslowerthanclearconnections. IntheUnitNamefield,enterauniquenamefortheunitthatwillhelpyoutoidentifytheunitandits configurationwithinthePolicyCenterUnitslist.ThesuggestednamesaretheDNSnameoftheunit(if present)ortheunitserialnumber. SelecttheConvertconfigurationcheckbox.Whenyouselectthisoption,theunitsexistingsharable attributeswillbeconvertedintoanewPolicyCenterconfigurationwiththesameattributesandvalues. BecausetheunitsnewPolicyCenterconfigurationwillbebaseduponitspreviousconfiguration,the unitwillcontinuetooperatethesameinPolicyCenterasitdidinlocalmode.Ifyoudonotselectthe convertoption,theunitsnewPolicyCenterconfigurationiscleared,andwillhavedefaultsettingsonly. Clickapplychangestosaveyoursettings. TheunitwillswitchtosharedmodeandbesubscribedtoPolicyCenter. Note: If the web browser uses an HTTPS port setting other than port 443 to perform the convert operation, it may display a Page Not Found error immediately after you perform this operation. The units port settings will be converted into a PolicyCenter configuration, but it may be a few seconds before you can refresh the web page.
5.
6.
7.
42
8.
Repeatsteps17toaddanyadditionalunitswhoseconfigurationsshouldappearunderthesame functionalparent.
Now,youmustmovetheindividualunitconfigurationsunderthenewsharableconfigurationfolder. Thisprocedurevaries,dependingupontheversionofsoftwarethatunitisrunning. ForunitsrunningPacketWise7.5.x,8.3.x,orhigher,seeReassigntheUnitConfigurationsonpage 43. ForunitsrunningPacketWise6.x7.4.xor8.0.x8.2.x,seeAssignaUnitRunningEarlierVersionsof PacketWiseonpage43.
Reassign the Unit Configurations

NowthattheotherPacketShapershavebeenaddedtoPolicyCenter,theirconfigurationscanbereassigned toasharableconfigurationfolder. ToassignaPacketShapertoadifferentsharableconfiguration: 1. 2. 3. 4. 5. AccessthePolicyCenterbrowserinterfaceandselecttheUnitstab. IntheUnitstableintheleftwindowpane,clicktheunityouwishtoreassignandmovetoadifferent sharableconfiguration. ClicktheOperationstabintherightwindowpane. IntheChangethisUnitsConfigurationTofield,selectthenewsharableconfigurationforyourunit. ClickChange.
Assign a Unit Running Earlier Versions of PacketWise

PacketShapersrunningPacketWise8.0.x8.2.xor7.0.x7.4.xshouldhavetheiruniqueunitconfigurations movedunderthenewfunctionalconfiguration.PacketShapersrunningearlierversionsofPacketWisewill leavebehindtheirindividualunitconfigurationswhentheyareassigneddirectlytoasharable configuration,soyoumustmovetheunitconfigurationundertheselectiveparentconfigurationinorder forthatunittoretainitscurrentlocalsettings. TomoveaunitconfigurationunderasharablePolicyCenterconfiguration: 1. 2. 3. 4. 5. ClicktheConfigurationstab. FromtheConfigurationslistontheleftwindowpane,clicktheunitconfigurationtobemoved. ClicktheOperationstabontherightwindowpane. IntheMoveConfigurationfield,selectthenewselectiveconfiguration. (Optional)Intheand(optionally)renametheConfigurationtothefollowingfield,youmayentera newnamefortheunitconfiguration.Thenamecanbeupto20characterslong,includingaz,AZ,,_, and.(period).Spacesarenotallowedintheconfigurationname. ClickMove&Rename.
6.
43
44
PolicyCenterletsnetworkadministratorsdefineupto256differentorganizations(groupsofconfigurations) andalistofuserswhocanaccessthoseconfigurations. APolicyCenterorganizationdefinestheuserswhocanaccessconfigurationsassignedtotheorganization. Althoughthisfeatureisoptional,itgivesthePolicyCenteradministratortheabilitytolimitwhichusers accesswhichconfigurations.ThisfeaturealsoallowsPolicyCenteradministratorstotracktheconfiguration changesmadebyeachuser. EveryPolicyCenteruserisassignedeitheratouchrolethatallowstheusertobothviewandmodifysettings fortheirPolicyCenterconfigurations,oralookrolethatletsausermonitorbutnotmodifysettings.When userslogintothePolicyCenterconsolewiththeiruniqueusernameandpassword,theycanaccessonly thoseunitsandconfigurationsassociatedwiththeirorganization,andcanperformonlythoseoperations allowedbytheirlookortouchrole. OnlyPolicyCenteradministratorswithtouchroleaccesstothedefaultPCorganizationcanviewand manageallunitsandconfigurationsinthePolicyCenterconfigurationtree.IfyouwanteveryPolicyCenter usertohavecompleteaccesstoallPolicyCenterconfigurationsandunits,youcanmakeeveryusera PolicyCenteradministrator.However,youmayfindthatnotallusersneedsuchacompletelevelofaccess. YoucanrestrictausersaccesstoaspecificsetofPolicyCenterconfigurationsandunitsbycreatinganew organization,specifyingtheconfigurationsandunitstheusersinthatorganizationareallowedtoviewor manage,thenaddinguserstotheorganization.
Create a New PolicyCenter Organization

OnlyPolicyCenteradministratorscancreateormodifyotherPolicyCenterorganizations.Tocreatea newPolicyCenterorganization: 1. 2. LogintoPolicyCenterwithaPolicyCenteradministratorpassword. ClicktheOrgstab.(Note:IfyouarenotloggedintoPolicyCenterwithtouchaccesstothedefaultPC organization,thePolicyCenterOrgstabwillnotappearinthebrowserinterface,andthePolicyCenter commandlineinterfacewillnotenablecommandstoconfigureorganizations.) ClicktheNewOrgbuttonbelowthelistoforganizations,atthebottomoftheleftwindowpane. TheAddaNewOrganizationwindowappears.
3.
4.
Enterthenameoftheneworganization.Anorganizationnamecanbecomprisedofupto32 alphanumericcharacters,periods,underscores,anddashes.Thefirstcharacterofthenamemustbea letter.Spacesandotherspecialcharactersarenotallowed,andorganizationnamesarenotcase sensitive.
5.ClickAdd. Youcannowcreatenewuseraccountsforthisorganization,andassignconfigurationstoit.
45
Create New User Accounts

PolicyCenteradministratorswithtouchroleaccesstothedefaultPCorganizationcanadduseraccountsto anyorganization,yetanyuserwithtouchroleaccesstotheirorganizationcanaddandmodifyuser accountsintheirownorganization. ToaddaPolicyCenteruseraccount: 1. 2. LogintoPolicyCenterasaPolicyCenteradministrator.(Organizationmanagerscanloginwithatouch passwordfortheirorganization). ClicktheUserstab.
3.
ClicktheNewUserbutton.TheAddaNewUsertoPolicyCenterwindowappears.
4.
EnterauniqueloginnameforthenewuserintheUserNamefield.Aloginnamecanbecomprisedof upto32alphanumericcharacters,periods,underscores,anddashes.Thefirstcharacteroftheuser namemustbealetter.Spacesandotherspecialcharactersarenotallowed,andusernamesarenotcase sensitive. EnteraloginPasswordfortheuser,thenretypethepasswordtoverifyit.Apasswordcanbeuptonine characterslongandcanincludeallprintablecharacters,includingspaces,periods,underscores,and dashes.
5.
46
6. 7.
EntertheusersnameintheFirstNameandLastNamefields.Namescannothavespaces;compound nameswillrequireadashorunderscorecharacter(forexample,AnnMarieorVan_Patten). (ForPolicyCenterAdministratorsonly)IntheOrganizationdropdownlist,selecttheorganizationto whichthisnewuserwillbelong.Ifyouhavenotyetdefinedanorganizationforthisuser,firstcreate theneworganization,andthenaddtheusertotheneworganization.Youcannotswitchanexisting usertoanotherorganizationwithoutdeletingandthenrecreatingthatuseraccount. FortheRole,selecteitherLookorTouch. ClickAdd.
8. 9.
Repeatthesestepsasnecessarytoaddadditionaluserstoyourorganizations,thenassignconfigurationsto theseorganizationsusingthefollowingprocedure.
Assign Configurations to an Organization

EveryPolicyCenterconfigurationisownedbyanorganization.Organizationmanagers(userswithtouch accesstotheirorganization)canmodifytheconfigurationsassignedtotheirownorganization,while PolicyCenteradministratorscanaccessandmodifyallconfigurations.OnlyPolicyCenteradministrators canassignaconfigurationtoadifferentorganization. Toassignaconfigurationtoadifferentorganization: 1. 2. 3. LogintoPolicyCenterwithaPolicyCenteradministratorpassword. ClicktheConfigurationstab. Theleftwindowpanedisplaystheconfigurationtree.Clicktheconfigurationyouwishtoassigntoa differentorganization.
4.
ClicktheOperationstabintherightwindowpanetodisplaytheOperationspane.
5.
ClicktheChangeConfigurationOwnershipdropdownlistandselectaneworganizationforthe configuration.Bydefault,theIncludeChildConfigurationscheckboxischecked.Uncheckthisbox onlytoassignaparentconfigurationtothePCorganization,whileallowingthatparentschild configurationstoremainassignedtoanotherorganization. ClickChange.

47
6.
48
NowthatyouhavecreatedyourPolicyCenterconfigurationtree,takethetimetoreviewthefollowingBest PracticestipsandhintsthatwillmakemanagingyourPolicyCenterconfigurationsfasterandeasier.
Move/Copy/Delete/Rename Operations
Themove,copy,delete,andrenameoperationsinvolvewritinganddeletingdatafromthedirectory server,sotheamountoftimeittakestocompleteeachoperationcanvarygreatly. Ifanoperationisperformeduponalargebranchoftheconfigurationtreeoronmorecomplex configurations,itwillrequiremoretimeanddirectoryserverresources.Youcanimprovetheefficiencyof yourdirectoryserverbyavoidingtheseoperationsunlessrequired.
Configuring Units for PolicyCenter Access

WhenconfiguringaPacketShaperforPolicyCenteraccess,youhavetheoptiontoconverttheunitsexisting configurationintoanewPolicyCenterconfiguration,ortodeletetheunitscurrentconfigurationandassign theunittoablankconfigurationwithdefaultsettingsonly.Ifyouchoosetodeletetheunitsexisting configurationwhenyouaddtheunittoPolicyCenter,theexistingconfigurationwillbelost. Arecommendedbestpracticeistoalwayssavetheunitconfigurationbeforeitisconfiguredfor PolicyCenteraccess.UsetheCLIcommandconfigsave<filename>tosavetheunitconfiguration.Saving theunitconfigurationwillallowyoutorestoretheconfigurationinthefuture,ifnecessary,usingthe commandconfigload<filename>.
Unsubscribing Units
AlwaysunsubscribeaunitfromPolicyCenterbeforedeletingtheconfigurationtowhichtheunitis assigned.Ifyoudodeletetheconfigurationbeforetheunitisunsubscribed,theconfigurationwillbe deletedfromtheunitaswell,resultinginerrorsontheunit. ArecommendedbestpracticeistosavetheunitconfigurationbeforeitisunsubscribedfromPolicyCenter. UsetheCLIcommandconfigsave<filename>tosavetheunitconfiguration.Savingtheunitconfiguration willallowyoutorestoretheconfigurationinthefuture,usingthecommandconfigload<filename>.
Bulk Changes
Bulkconfigurationchangesinparentconfigurationswithalargenumberofunitsassignedcantakeawhile tocomplete,andoftenrequiresignificantsystemresources. Thefollowingbulkoperationsmayrequireadvancedplanning,andshouldnotbeperformedatrandom timeswithoutcarefulconsideration: Loadingaconfigurationorclasstreewith50ormoreclasses Copying,moving,andpublishingconfigurationswith50ormoreclasses Renamingconfigurations
File Distribution Strategies

ThePolicyCenterfiledistributionfeaturecandistributePacketWiseimages,plugins,actionfiles,and customerportalfilestoindividualPacketShapers.Thefollowingbestpracticesarerecommendedforthis feature: Alwaysscheduletheimage/plugin/actionfile/portalfileupdatesfortimeswhenthenetworkisless busy
Ifyouplanonupgradingaunitsimageandpluginfiles,schedulethetwoeventstooccuratthe sametime.Thiswillrequiretheunittorebootonlyonce,ascomparedtothetworebootsthatwillbe requiredifthepluginandimagefilesareupdatedseparately. Whenyoudistributefiles,makesureyourfilenamesdonothavespacesormorethaneight characters(withathreecharacterfileextension),asthiscancauseerrors.
Compatible Software
PolicyCentercanmanageunitsrunningearlierversionsofPacketWise,however,werecommendthatyou alwaysusetheversionofPacketWisereleasedwiththePolicyCentersoftware.Thisensuresthatyour PacketShaperswillbeabletotakeadvantageofanynewfeatures,andavoidstheriskofschemaerrorsin eitherPolicyCenterortheunits.
DNS Name vs. IP Address

AlwaysusethedirectoryserverDNSname(andnottheserversIPaddress)whenconfiguringthe PolicyCentersoftwareandsubscribingunitsforsharedmodeaccess.Thiswillallowyoutomigratethe directoryservertoadifferentcomputerwithoutaffectinganyoftheunits. Note: If a unit is subscribed to PolicyCenter via the servers IP address, migrating PolicyCenter to a different server may require you to access the unit, unsubscribe it, then resubscribe the unit to the new IP address.
Initial Deployment Strategy

BlueCoatrecommendsthefollowinginitialdeploymentprocedure,whichwillhelpimprovethe performanceofthePolicyCenterapplicationandthedirectoryserver: 1. 2. 3. Createyourconfigurationsandconfigurationhierarchies. SubscribeyourunitstoPolicyCenter,eitherthroughtheunitsindividualbrowserinterfaces,orviathe PolicyCenterautodeploymentfeature. IfyoudidnotspecifyaPolicyCenterconfigurationforeachautodeployedunit,orifyoumanually subscribedindividualunits,assignyourunitstothedesiredconfigurationintheconfigurationtree.
Whenyouassignaunittoacompletedconfiguration,theunitreadsitsentireconfigurationallatonce.Itis lessefficienttoassignaunittoaconfigurationandthenmakemultiplechangestothatconfiguration,as thatwouldrequiretheunitstosendstatusupdatestothedirectoryserverforeverychange.
Saving Configurations
BlueCoatrecommendsmakingregularbackupsofallyourconfigurations.SeeChapter7fordetails.
50
ThebestwaytoprotectyourPolicyCenterconfigurationsagainstaccidentallydeletedorcorruptedfilesis tocreatebackupsofyourconfigurations.Configurationbackupscanbeperformedonce,orscheduledfor regular,automatedbackups.BlueCoatstronglyrecommendsyoumakeperiodicbackupsofthe configurationsinPolicyCenter.Youshouldalsobackupyourconfigurationfile(s)totheserverbefore upgradingyourPolicyCentersoftware. Thischapterdescribeshowtocreateandrestorethefollowingtypesofbackupfiles: BackupsofasinglePolicyCenterconfiguration BackupsofallPolicyCenterconfigurations Backupfilesforanentiredirectoryserver
51
Back Up and Restore a Single Configuration from PolicyCenter

PolicyCenterallowsyoutosavejustasingleconfigurationonyourPolicyCenterserver.Thisconfiguration canberestoredontoanyPolicyCenterserver,evenaPolicyCenterserverwithadifferentDNSnameorIP address. Tocreateabackupofaconfiguration: 1. 2. 3. AccessthePolicyCentercommandlineinterface. Selecttheconfigurationyouwanttosave,usingthecommand:
config view <cfg_path>
Savetheconfigurationusingthecommand:
config save [<cfg_path>]
Thebackupfilecanbespecifiedwithadirectory,forexample,
config save D:\tmp\ps.ldi
Ifyoudonotspecifyadirectory,thebackupfilewillbecreatedinthedirectory <install_directory>/BlueCoatSystems/PolicyCenter. TorestoreabackupofasinglePolicyCenterconfiguration,usethefollowingprocedure: 1. 2. 3. AccessthePolicyCentercommandlineinterface. SelectthePolicyCenterconfigurationyouwanttorestore,usingthecommand:

config view <cfg_path>
Loadthebackupconfigurationfileusingthecommand
config load <file>
Ifthebackupfileisnotinthedirectory<install_directory>/BlueCoatSystems/PolicyCenter,specifythe completepathofthebackupfile,forexample,
config load D:\tmp\ps.ldi
Theselectedconfigurationscurrentattributesandsettingswillbereplacedbythesettingsinthebackup file.
52
Back Up and Restore All PolicyCenter Configurations

Create Backup Files
PolicyCenter8.5providesaneasywaytoperformbackupandrestoreofPolicyCenterconfigurationsusing thepcbackup.batandpcrestore.battoolsthatareinstalledwithPolicyCenter.ThesebatchfilesrunaJava utilitythatinturnrunsSunLDAPcommandsandusestheJavaldapsdktoreadandwriteconfiguration datafromthedirectoryservers. BackupfilescanberestoredontoanyPolicyCenterserver. BecausepcbackupdependsontheSunDSJavafilesandLDAPutilities,youmustrunpcbackupona WindowsserverwhereyouhavealreadyinstalledPolicyCenter(thecoredirectoryserver). TocreateabackupofallPolicyCenterconfigurations: 1. 2. 3. Onthecoredirectoryserver,openacommandwindow. Navigatetothe\pcbackupfolderlocatedonthetargetsystem(typicallyunderC:\BlueCoatSystems). TobackupyourPolicyCenterDSservers,typepcbackup<core_host>where<core_host>istheIP addressofthecoredirectoryserver.
ThepcbackuputilitybacksupconfigurationdatatoLDIFfilesstoredatC:\BlueCoatSystems\ PcBackupData,inasubfoldernamedwiththecurrentdateandtime.Inamultipledirectoryserver deployment,pcbackupautomaticallyretrievestheedgeDSaddressesfromthecoreserverandbacksupall core/edgeconfigurationdata.
Restore Backup Files

TherearemultiplestepstorestoringbackupfilesofPolicyCenterconfigurations: 1. 2. 3. 4. 5. 6. UninstallPolicyCenterandtheSunONEDirectoryServerfromcoreandedgeservers.(optionalfor multipledirectoryserverdeploymentsonly) ReinstallPolicyCenterandtheSunONEDirectoryServersoftwareonthoseservers.(optionalfor multipledirectoryserverdeploymentsonly) ResetPolicyCenterandstopthePolicyCenterservice. Runthecleantree.batutility.(optional) Restorebackupfiles. RestartthePolicyCenterservice.
Multiple Directory Server Deployments: Uninstall PolicyCenter and the Sun ONE Directory Server (optional) Note: This procedure is not applicable to a single directory server deployment. ToensureacleanDSsetuppriortorestoreoperation,youmaywanttouninstallandreinstallPolicyCenter andtheSunONEDirectoryServersoftwareonallcoreandedgedirectoryservers. ThestepsrequiredtouninstalltheSunONEDirectoryServervarydependinguponthetypeofserveron whichitisinstalled(WindowsorSolaris).IntheeventthatyouneedtouninstallandreinstalltheSunONE DirectoryServer,usethefollowingprocedureappropriateforyourservertype. TouninstallPolicyCenterandtheSunONEDirectoryServerfromaWindowsserver: 1. Removethedirectoryserverfromyournetwork.Thisisanimportantstepiftheunitsareableto contactthedirectoryserverduringtheupgradeprocess,theunitswillreporterrorsuntiltheir configurationshavebeenrestored. UsetheWindowsAdd/RemoveProgramsutility(Start>Settings>ControlPanel>Add/Remove Programs)touninstallyourexistingPolicyCentersoftware.YoumustuninstallPolicyCenterbeforeyou uninstallthedirectoryserversoftware.
53
2.
3.
AfteruninstallingPolicyCenter,usetheWindowsAdd/RemoveProgramsutilitytouninstalltheSun ONEDirectoryServer.TheuninstallwizardwillpromptyoutoenteryourSunONEDirectoryServer configurationuserIDandpassword.Thedefaultsettingsforbothoftheseareadmin. IftheSunONEuninstallutilitydoesnotremovetheSunfolderfromitsinstalldirectory,manually deleteit. AftertheSunONEDirectoryServersoftwareandfoldershavebeenremoved,followtheprocedures describedinInstallPolicyCenterandtheDirectoryServerSoftwareonpage21toreinstalltheSun ONEDirectoryServerandPolicyCenter8.5software. BackupthedirectoryserverconfigurationusingtheproceduredescribedinBackUpandRestorethe EntireDirectoryServerTreeonpage57.Donotsavethebackupfiletothe/var/Sundirectoryorsub directories,asthefilemaybelost.Savethefiletoanotherdirectoryinstead. Removethedirectoryserverfromyournetwork.Thisisanimportantstepiftheunitsareableto contactthedirectoryserverduringtheupgradeprocess,theunitswillreporterrorsuntiltheir configurationshavebeenrestored. LogintotheSolarisserverasarootuser. Navigateto/var/Sun/mps. Enterthecommand./uninstall_dirserver. TheuninstallwizardwillpromptyoutoenteryourSunONEDirectoryServerconfigurationuserID andpassword.Thedefaultsettingsforbothoftheseareadmin. Issuethecommandrm -rf /var/SuntoremovetheSundirectory. AftertheSunONEDirectoryServersoftwareandfoldershavebeenremoved,followtheprocedures describedinInstallPolicyCenterandtheDirectoryServerSoftwareonpage21toreinstalltheSun ONEDirectoryServerandPolicyCenter8.5software. Note: Further detailed information on installing and uninstalling the Sun ONE Directory Server can be found on the Sun website: http://docs.sun.com/source/816-6697-10/install.html#23713
4. 5.
TouninstallSunONEDirectoryServerfromaSolarisserver: 1.
2.
3. 4. 5. 6. 7. 8.
Multiple Directory Server Deployments: Reinstall PolicyCenter and the Directory Server Software Note: This procedure is not applicable to a single directory server deployment. FollowthestepsdescribedinInstallPolicyCenterandtheDirectoryServerSoftwareonpage21to reinstallPolicyCenterandthedirectoryserversoftwareonyourcoreserver.Afterinstallation,youwillbe promptedtorunGuidedSetup.IfyouarereinstallingPolicyCenteronadifferentmachine,besuretoenter thesamehostname,DNS,andIPsettingsasyourpreviousPolicyCenterserver.Next,followthesteps describedinInstallanEdgeDirectoryServeronpage27toreinstalldirectoryserversoftwareonyour edgeservers.
Important: Do not set up data replication between the core and edge servers before you restore your backup file.
Reset PolicyCenter and Stop the PolicyCenter Service Beforeyourestorebackupfiles,youmustdiscardPolicyCentersconnectiontothedirectoryserverandstop thePolicyCenterserviceontheWindowsserver. 1. 2. 3. AccessthePolicyCentercommandlineinterfaceandissuethecommandconfig resettodiscard PolicyCentersconnectiontothedirectoryserver. AccesstheWindowsservicespanelonyourPolicyCenterserver.(Settings>ControlPanel> AdministrativeServices>Services) SelectthePolicyCenterservicefromthelistofservices.
54
4.
ClickthestopicontostopthePolicyCenterservice.
Run Cleantree.bat to Clean Up Old Directory Server Entries (optional) Beforerestoringtheconfigurations,youneedtoremoveolddirectoryserverentriesfromeachdirectory server;BlueCoatprovidesautilitytoautomatethisprocess. Note: This step is necessary only if the directory server has old DS entries. In most situations, this step can be skipped. 1. 2. 3. LogintotheBlueCoatdownloadsiteat
https://support.bluecoat.com/download
InthePolicyCentersection,locatetheToolsanddownloadthe.zipfile. Openthezipfile,andextractthefilecleantree.battothefolder<install_directory>\Program Files\Sun\mps\shared\bin,where<install_directory>isthedirectorywhereyouinstalledtheSunOne DirectoryServersoftware. Openacommandwindow,andnavigatetothefolder: <install_directory>\ProgramFiles\Sun\mps\shared\bin Issuethecommandcleantree.battolaunchtheutilityanddeleteunnecessaryentries.
4. 5.
Restore Backup Files ThepcrestoreutilityfindsthemostrecentbackupfilesandrestoresthemtothesamecoreIPaddressand edgeserveraddressesthatthepcbackuputilitydiscovered. Torestorethedirectoryserverbackup(.LDIF)files: 1. 2. 3. Openacommandwindow. Navigatetothe\pcbackupfolderlocatedonthetargetsystem(typicallyunderC:\BlueCoatSystems). TorestoreyourPolicyCenterconfiguration,typepcrestore.
55
Restart the PolicyCenter Service TorestartthePolicyCenterservice: 1. 2. 3. 4. IfyoudisconnectedyourPolicyCenterdirectoryserverfromthenetworkpriortouninstallingand reinstallingthedirectoryserversoftware,reconnecttheservertothenetwork. AccesstheWindowsservicespanelonyourPolicyCenterserver.(Settings>ControlPanel> AdministrativeServices>Services) SelectthePolicyCenterservicefromthelistofservices. ClicktherestarticontorestartthePolicyCenterservice.
Restore the Connection Between PolicyCenter and the Directory Server AccessthePolicyCentercommandlineinterfaceandissuethecommandconfigsetlocalhost<password> toresettheconnectionbetweenPolicyCenterandthedirectoryserver.Finally,logintothePolicyCenter browserinterfacetoverifythatthedesiredPolicyCenterconfigurationhasbeenrestored.
56
Back Up and Restore the Entire Directory Server Tree

Create a Backup of the Entire Directory Tree Configuration
Thefollowingprocessdescribeshowtocreateasinglebackupcopyofthedirectoryservertree.Ifyoucreate backupcopiesoften,youshouldconsiderschedulingautomatedbackups.BackupfilescreatedviatheSun ONEconsolemustberestoredontoaserverwiththesameDNSnameandIPaddressastheserveronwhich theywerecreated. 1. AccesstheSunONEConsole:
FromaWindowsserver:ClickStart>Programs>SunONEServerProducts>SunONEConsole 5.2. FromaSolarisserver:Enterthecommand/var/Sun/mps/startconsole
2. 3. 4.
Entertheusernameandpassword.(Thedefaultusernameandpasswordarebothadmin.) Inthemainconsolefilewindow,expandtheWindowsserverandServerGroupdirectories.Select DirectoryServer,thenclicktheOpenbuttonintheupperrightcornerofthewindow. Thedirectoryservertaskswindowwillopen.DoubleclickBackUpDirectoryServeranddesignatea backuplocation. Note: Do not use the default location if you plan to uninstall the Sun ONE Directory Server, as the backup configuration may be lost.
5.
ClickOKtobackuptheSunONEDirectoryServerconfiguration.
Creating a Scheduled Backup on a Windows Server

ThefollowingprocedurecreatesascheduleforautomaticallycreatingbackupsofyourWindowsdirectory server,includingallPolicyCenterconfigurations: 1. Beforeyousetupautomation,youmustselectalocationforSunONEbackupdata.Bydefault,theSun ONEbackupscript,db2bak.bat,storesbackupdataintheSunONEfolder: <installdirectory>\Sun\MPS\slapd<server_name>\db2bak.bat Forexample,ifyouinstalledtheSunONEDirectoryServerontotheProgramFilesfolderintheC:drive ofaWindowsservernamedCalifornia,thelocationoftheSunONEbackupscriptwouldbe: C:\ProgramFiles\Sun\MPS\slapdCalifornia\db2bak.bat Ifyourserversdefaultlocationisacceptabletoyou,proceeddirectlytostep2,below.Otherwise,you willneedtomodifytheSunONEscripttospecifyanewlocation.SeeModifytheSunONEBackup Scriptonpage58fordetails. Note: Do not use the default location if you plan to uninstall the Sun ONE Directory Server, as the backup configuration may be lost. 2. 3. 4. Next,youmustschedulethebackupswiththeWindowsTaskScheduler:Start>Settings>Control Panel>ScheduledTasks. DoubleclicktheAddScheduledTaskicontoopentheScheduledTaskWizard. WhentheScheduledTaskWizardasksyoutoselectaprogramtorun,clicktheBrowsebutton,and navigatetoyourbackupscriptfilelocatedinthefolder<installdirectory>\SunONE\Servers\slapd <server_name>.Selectthebackupscriptfile,thenclickOpen. InthenextScheduledTaskWizardwindow,enteranameforthescheduledtask,clickaradiobutton besideoneofthelistedrunschedules,thenclickNext. IfyouselectedtheDaily,Weekly,Monthly,orOnetimeonlyscheduleinstep5,enterthetimeyouwant thebackuptostart,andselectthedays(ormonths)youwantthebackupscripttorun.ClickNextwhen youarefinished.
5. 6.
57
Note: If you selected the When my computer starts or When I log on schedule options, the Task Wizard does not require you to specify a specific time or date. 7. 8. Enterausernameandpassword.(Thebackupscriptwillautomaticallyrunasifitwerestartedbythat user.)ClickNext. ThefinalwindowoftheScheduledTaskWizardshowstheconfiguredscheduleforthebackupscript. Reviewtheinformationtoensureitsaccuracy,thenclickFinish.
Afteryouhavedefinedthistask,theWindowsTaskSchedulerwillautomaticallycreateabackupcopyof yourconfigurationsaccordingtothescheduleyoujustcreated.Remember,thebackupwillbeinthefolder <installdirectory>\Sun\MPS\slapd<server_name>\db2bak.bat,unlessyoumodifiedthebackupscriptto selectanotherlocation.
Modify the Sun ONE Backup Script

Tospecifyacustomlocationtostoreyourbackups,youwillneedtomodifyonelineoftheSunONEdb2bak script.ItisagoodpracticetoavoidmodifyingtheoriginalinstalledSunONEscripts.Instead,modifya copyandthenrunyourcustomizedscriptinlieuoftheoriginalSunONEscript.Thefollowingisthe recommendedprocedureformakingthismodification. 1. Openatextbrowserandviewthedb2bak.batscriptinthisbrowser.TheSunONEbackupscriptis locatedintheSunONEfolder <installdirectory>\Sun\MPS\slapd<Windows_server_name>\db2bak.bat Useasaveascommandonthebrowserimmediatelytomakeacopyofthescript,suchas db2bak.custom.bat.Saveyournewcopyinthesamedirectorythatyoufoundtheoriginaldb2bak script. Findthefollowinglineinthescript:
set bakdir="<install directory>\Sun\MPS\slapd<Windows_server_name>\bak\%DATESTR%"
2.
3.
Thislinespecifiesthenameandlocationofthebackupfiles.Modifythislinetoread:
set bakdir="<new custom location>\%DATESTR%"
4.
For example, if you wanted to store your backup files in the drive T:\ds_backups, you would modify this line of the script to: set bakdir="T:\ds_backups\%DATESTR%" Saveyourmodifiedscript. Important: If the server does not have access rights to the backup files in their new location, you may not be able to restore the backup configuration directly from that location. If the procedure described in Restore a Directory Server Backup Configuration on page 58 does not restore your directory server backup file, copy the backup files to the default backup folder on your PolicyCenter server, (<install directory>\Sun ONE\Servers\slapd-<Windows_server_name>bak) and then repeat the procedure. The backup file should now appear in the drop-down list of available backups.
Restore a Directory Server Backup Configuration

TorestoreaSunONEDirectoryServerbackupconfiguration: 1. AccesstheSunONEConsole.
FromaWindowsserver:ClickStart>Programs>SunONEServerProducts>SunONEConsole 5.2. FromaSolarisserver:Enterthecommand/var/Sun/mps/startconsole
2. 3.
Entertheusernameandpassword.(Thedefaultusernameandpasswordarebothadmin.) Inthemainconsolefilewindow,expandtheWindowsserverandServerGroupdirectories.Select DirectoryServer,thenclicktheOpenbutton.Thedirectoryservertaskswindowwillopen.

58
4. 5.
DoubleclickRestoreDirectoryServeranddesignatetheexistingbackuplocation. ClickOKtorestorethatbackupconfiguration.
59
Uninstalling the Sun ONE Directory Server

ThestepsrequiredtouninstalltheSunONEDirectoryServervarydependingonwhetheritsinstalledon aWindowsorSolarisserver.IntheeventthatyouneedtouninstallandreinstalltheSunONEDirectory Server,usethefollowingprocedureappropriateforyourservertype. TouninstallSunONEDirectoryServerfromaWindowsserver: 1. BackupthedirectoryserverconfigurationusingtheproceduredescribedinBackUpandRestorethe EntireDirectoryServerTreeonpage57.Donotsavethebackupfiletothe<install_directory>\Sun folderorsubfolders,asthefilemaybelost.Savethefiletotherootofyourinstallationdirectory,orto theDesktopinstead. Removethedirectoryserverfromyournetwork.Thisisanimportantstepiftheunitsareableto contactthedirectoryserverduringtheupgradeprocess,theunitswillreporterrorsuntiltheir configurationshavebeenrestored. UsetheWindowsAdd/RemoveProgramsutility(Start>Settings>ControlPanel>Add/Remove Programs)touninstallyourexistingPolicyCentersoftware.YoumustuninstallPolicyCenterbeforeyou uninstallthedirectoryserversoftware. AfteruninstallingPolicyCenter,usetheWindowsAdd/RemoveProgramsutilitytouninstalltheSun ONEDirectoryServer.TheuninstallwizardwillpromptyoutoenteryourSunONEDirectoryServer configurationuserIDandpassword.Thedefaultsettingsforbothoftheseareadmin. IftheSunONEuninstallutilitydoesnotremovetheSunfolderfromitsinstalldirectory,youshould manuallydeleteit.
2.
3.
4.
5.
AftertheSunONEDirectoryServersoftwareandfoldershavebeenremoved,followtheprocedures describedinInstallPolicyCenterandtheDirectoryServerSoftwareonpage21toreinstalltheSunONE DirectoryServerandPolicyCenter8.5softwareandrestoreyourpreviousdirectoryserverconfiguration. TouninstallSunONEDirectoryServerfromaSolarisserver: 1. BackupthedirectoryserverconfigurationusingtheproceduredescribedinBackUpandRestorethe EntireDirectoryServerTreeonpage57.Donotsavethebackupfiletothe/var/Sundirectoryorsub directories,asthefilemaybelost.Savethefiletoanotherdirectoryinstead. Removethedirectoryserverfromyournetwork.Thisisanimportantstepiftheunitsareableto contactthedirectoryserverduringtheupgradeprocess,theunitswillreporterrorsuntiltheir configurationshavebeenrestored. LogintotheSolarisserverasarootuser. Navigateto/var/Sun/mps Enterthecommand./uninstall_dirserver. TheuninstallwizardwillpromptyoutoenteryourSunONEDirectoryServerconfigurationuserID andpassword.Thedefaultsettingsforbothoftheseareadmin. Issuethecommandrm -rf /var/SuntoremovetheSundirectory.
2.
3. 4. 5. 6. 7.
AftertheSunONEDirectoryServersoftwareandfoldershavebeenremoved,followtheprocedures describedinInstallPolicyCenterandtheDirectoryServerSoftwareonpage21toreinstalltheSunONE DirectoryServerandPolicyCenter8.5softwareandrestoreyourpreviousdirectoryserverconfiguration. Note: Further detailed information on installing and uninstalling the Sun ONE Directory Server can be found on the Sun website: http://docs.sun.com/source/816-6697-10/install.html#23713
60
Start the Command Line Interface

ThePolicyCenterClient(commandlineinterface)allowsyoutoissuecommandsforPolicyCentersharable configurationsorunitsinsharedmode.UnlikethePolicyCenterbrowserinterface,whichcanbeaccessed fromanycomputeronyournetwork,thePolicyCenterClientcanonlybeaccessedfromthePolicyCenter server. Note: The PolicyCenter browser interface also offers a Multi-Class Quick CLI Commands utility that can issue commands to multiple traffic classes in one operation. This Quick Commands utility can add a policy or partition to multiple traffic classes at once, or turn traffic discovery on or off for one or many traffic classes with a single command. For more details on the Quick Commands utility, see PacketGuide.
AccessthePolicyCentercommandlineinterfacebyclickingStart>Programs>BlueCoatPolicyCenter> PolicyCenterClient.ThePolicyCenterClientwindowwillopen,asshown.
Get an Explanation for a Command

Foranexplanationofanyofthecommands,type
help <command name>
Forexample:
Get Help With Syntax

Forhelpwithcommandsyntax,type:
<command name> ?
61
Forexample:
Ifyouenterthequestionmarkafteranincompletecommand,theCLIhelpwilllistthepossibleoptionsfor thefirstpartofthecommand.
PolicyCenter CLI Commands

BecausethePolicyCentercommandlineinterfaceisanextensionofthecommandlineinterfacefor individualPacketShapers,manyofthePolicyCenterandPacketShapercommandshavethesamesyntax andfunctionality.ForacompletelistofCLIcommandsspecifictoPolicyCenter,refertoPacketGuide,under thesectionReference>CommandLineInterfaceandlocatethePolicyCentercommandsdropdownlist. CLIcommandsthatpromptyouforconfirmationoradditionalinformationrequirearesponsetothose promptsbeforeyouendyourcommandlinesession.IfyouendtheCLIsessionwithoutrespondingtothe prompt,youmuststopandthenrestartthePolicyCenterservicebeforestartinganothersession.
62
DNS Errors
OneofthemostcommonproblemsininstallingPolicyCenterresultsfromincorrectDNSsettings.If PolicyCenterisreportingDNSerrorsduringinstallation,usethefollowingproceduretocheckyourDNS settings. ForWindows2000Server: 1. 2. 3. FromtheWindows2000Serverdesktop,rightclickMyComputer,andthenclickProperties.Thiswill opentheSystemPropertieswindow. ClicktheNetworkIdentificationtab,thenclickProperties.TheIdentificationChangeswindowwill open. ClickMore.TheDNSSuffixandNetBIOSComputerNamewindowopens.
4.
EnterthePrimaryDNSsuffixofyourWindowsserver,thenclickOK.
ForWindows2003Server: 1. 2. 3. FromtheWindows2003Serverdesktop,rightclickMyComputer,andthenclickProperties.Thiswill opentheSystemPropertieswindow. ClicktheComputerNametab,thenclickChange.TheComputerNameChangeswindowwillopen. ClickMore.TheDNSSuffixandNetBIOSComputerNamewindowopens.
4.
EnterthePrimaryDNSsuffixofyourWindowsserver,thenclickOK.
63
TCP/IP Errors
PolicyCenterrequiresastaticIPaddressonitsWindowsserver.PolicyCenterdoesnotsupportDHCP installationsthePolicyCenterservermusthaveastaticIPaddressinorderfortheinstallationtocomplete. 1. FromtheWindows2000/2003ControlPanel,selectandopentheNetworkandDialupConnections folder.Rightclickthenetworkconnectionyouwanttoconfigure,andthenclickProperties.Thiswill openthePropertieswindowforthatconnection. OntheGeneraltab(foralocalareaconnection)ortheNetworkingtab(allotherconnections),select InternetProtocol(TCP/IP),andthenclickthePropertiesbutton.TheInternetProtocol(TCP/IP)Properties windowwillopen. VerifythattheUsethefollowingIPaddressradiobuttonsareselected,andthattheinformationfor theIPaddress,subnetmask,anddefaultgatewayareaccurateforyourPolicyCenterserver.
2.
3.
4.
ClickOKtosaveyourchanges.
Solaris Directory Server Installation Errors

YourSolarisserverwillnotletyouinstallthedirectoryserveriftheserveralreadyhasaSunONE5.2 Directoryinstalled,includingtheversionbundledwithSolaris.YoumustremoveanyexistingSunONE DirectoryServerbeforePolicyCentercaninstallitsownversion.Fordetails,seeUninstallingtheSunONE DirectoryServeronpage60.
Command-Line or Browser Errors

IfthePolicyCentercommandlineinterfacedoesnotstartafterinstallation,orthebrowserinterfacereports thatthepagecannotbedisplayed,checkthatthePolicyCenterserviceisrunning.Iftheservicehasstopped, restartit.IfyouareunabletorestartthePolicyCenterservice,contactBlueCoatcustomersupport.
64
IIS Server Errors

PolicyCentercannotinstallonaserverrunningIIS.UsethefollowingproceduretoremoveIISfromyour serverpriortoinstallingPolicyCenter. 1. FromtheWindowsControlPanel,clickAdd/RemovePrograms.TheAdd/RemoveProgramswindow willopen.ClicktheAdd/RemoveWindowsComponentsbutton.TheWindowsComponentsWizard opens. ClicktheInternetInformationServices(IIS)checkboxtoremovethecheckmark,thenclickNext.The wizardwillremovetheIISserver.
2.
Disable Hardware Acceleration

Insomecases,accessingtheSunONEDirectoryServerconsolewhentheserversvideocardhasHardware Accelerationenabledwillcausetheservertostopresponding.Ifyouexperiencethisproblem,rebootthe server,thenturnoffHardwareAccelerationforthevideocard.
Operational Error Messages

Thefollowingerrormessagesmayappearinthebrowserinterface: Message Install warns about terminal services Explanation The SunOne Directory Server cannot be installed over terminal services. Install the PolicyCenter software directly onto the server on which it will run. PolicyCenter installs its own web server, which will not work when another web server is already installed. Uninstall IIS or any other web server and then install PolicyCenter. These errors occur when a unit detects a problem with its assigned PolicyCenter configuration. For example, the specified link size of a class could be bigger than the maximum link on the unit.
Install warns about IIS server
Configuration error in /config_name
65
Message Your password is invalid. Please retry.
Explanation If the unit is no longer in shared mode, the directory server password will no longer work. Return the unit to shared mode. This error may also occur when a unit running PacketWise version 5.x-6.x has subscribed to PolicyCenter. These units will be assigned to a child configuration under the /default parent configuration, and may inherit a new password if one has been set in the /default parent configuration. In this case, use the touch password for the /default configuration.
The configuration has been selected but not completely applied yet. It may thus have incomplete traffic tree. Error applying this configuration
You may have selected a configuration with a large class tree. Refresh the browser to ensure that the configuration is up-to-date.
If you select the class tree of a configuration that is in error, this warning tells you that there is an error in this configuration and it should be addressed. This error can result if a configuration from a large-capacity unit with many traffic classes is applied onto a smallercapacity unit that cannot support so many classes. Either reduce the number of classes you are moving to the smaller unit, or move the configuration onto a larger-capacity unit. When changing passwords, you entered the existing password incorrectly. Try again. Either the directory server wasnt installed properly or it has stopped. Open the Services window in the Windows 2000/2003 Control Panel. Check the status of the directory server service. Start it if it is not already running. Otherwise, reinstall it. The PolicyCenter service has not automatically started (or restarted after rebooting the server). Open the Services window in the Control Panel of Windows 2000/2003. Check the status of the PolicyCenter service. Start it if it is not already running. Connection to the directory server may not be working. First, reset the connection from PolicyCenter to the directory server: 1. Select the PolicyCenter Setup tab. 2. From the list of setup pages in the right pane of this window, click Core Directory Server. 3. Click refresh directory cache. Next, reset the connection from the unit to the directory server: 1. 2. 3. 4. Log in to the unit browser interface. Select the unit Setup tab. Select PolicyCenter Access from the Choose Setup Page list. Click refresh directory cache.
Error 1158: Incorrect old password ERROR 3302: DS error binding, Can't connect to the LDAP server, Error 0x0 connecting to 127.0.0.1: Connection refused. Browser cannot establish a connection to the server, or warns that the login page cannot be found.
(No message.) A configuration in the browser interface doesnt match the configuration in the CLI interface.
PolicyCenter uninstall warns of locked files
PolicyCenter has locked the files and InstallShield is unable to delete them. Stop the PolicyCenter service and repeat the uninstallation. If the condition persists, reboot the server and repeat the procedure.
66
Troubleshooting Commands
Occasionally,aunitmayreporterrorsintheConfigurationErrorssectionofthePolicyCenter Configurationstab.Describedbelowaresomeofthecommonlyusedcommandsthatcanhelpyou troubleshoottheerrors.
ds sessions
Thedssessionscommandcanhelpyoutroubleshootthefollowingerrortypes: Memoryallocationerrors Refusedconnections Unknownerrors ThecommanddisplaysthestatusofthereadandwriteconnectionsbetweenthePacketShaperor PolicyCenterconfigurationandtheSunONEDirectoryServer.Foreachconnection,thereisanErrorsfield thatwilldescribetheLDAPerrors(ifany).
ds requests
Thedsrequestscommanddisplaysthelistsofpendingrequestsbetweentheunitorconfiguration,andthe SunONEDirectoryServer.Iftenormorerequestsremainforalongtime,therecouldbesomeproblems withthecommunicationbetweentheunitorPolicyCenterandthedirectoryserver.
banner show
ThebannershowcommanddisplaysalltheconfigurationandoperationalerrorsintheunitorPolicyCenter configuration.TheInfotabinthebrowserinterfacedisplaysthesamesetofmessages.Thiscommandcan beusedtocheckunithardwarestatus,includingdisk,powersupply,andNICstatus,aswellasto troubleshootthefollowingerrortypes: Filedistributionerrors Configurationerrors Directoryserverschemaerrors
Additional Troubleshooting Solutions

TheSunONEDirectoryServerinstallationwritesaninstalllog,andyoucancheckthislogforerrors.Ifthe installationisnotsuccessful,thelogfilescanbefoundinthefollowinglocations: OnaWindowsserver:TEMP\setup.log OnaSolarisserver:/var/sadm/install/logsor/var/tmp IfPolicyCentercrashes,itwritesaneventlogandastacktracetoafileinitshomedirectorywithaname suchaslog/0801075450.txt,thefilenamethatcorrespondstothemonthdayhourminutesecondofthecrash. Youshouldprovideanysuchfilestoyoursupportcontact. YoumayalsoobservePolicyCenterserviceeventsintheWindowseventlog. YoucanusetheWindowsControlPanelServicesmanagertoobservethestateofthePolicyCenterand DirectoryServicesdaemons,andstoporrestartthem.
67
68
Capacity Planning Depends Upon the Units PacketWise Versions

Ifall(ormost)ofyourPacketShapersarerunningPacketWise8.2.xorearlier,capacityplanningisabitmore complex.RefertothissectiononlyforunitsrunningtheseearlierversionPacketWise. Chapter1describeshowaPolicyCenterconfigurationtreecanhaveseverallevelsofparentandchild configurations,withPacketShapersassignedtoconfigurationsatanylevel.TheSunONEDirectoryServer usesmorepersistentsearchestocommunicatewithaunitatalowerconfigurationlevelthanitdoesto communicatewithaunitassignedtoahighlevelconfiguration. WhenaunitisassignedtoarootlevelconfigurationatthetopofthePolicyCenterconfigurationtree,the directoryserverusesonlytwopersistentsearches:onefortheunitsconfiguration,andonefortheunit entry.Iftheunitisassignedtoasecondlevelconfiguration,thedirectoryserverthenmustusethree persistentsearches:onefortheparentconfiguration,oneforthechildconfiguration,andthethirdforthe unitentry.Iftheunitisassignedtoaconfigurationatanadditionallevelofdepth,thedirectoryservermust useanadditionalpersistentsearchtocontactthatunit.Therefore,afourthlevelunit(requiringfive persistentsearches)usesmoredirectoryserverresourcesthantwounitsassignedtoarootlevel configuration(requiringtwosearcheseach,orfourtotal). Inthefollowingexample,therearethreePacketWise7.4.0unitsdirectlyassignedtoarootlevelsharable configuration,andtwo7.4.0unitsassignedtoasecondlevelsharableconfiguration.
/California
PacketShape r 8500
www.packetee r.com STA TUS FAULT POWER CON SOLE
L INK Tx/Rx SPEED INSIDE OUTSIDE L INK Tx/Rx SPEED
PacketShape r 8500
two assigned units: 025-1000102 and 025-1000302

PacketShape r 8500
/San_Diego
one assigned unit: 025-1000303

PacketShape r 8500
/San_Francisco
one assigned unit: 025-1000404
ThetwounitsassignedtotheCaliforniaconfigurationrequiretwopersistentsearcheseach,whileSan_Diego andSan_Franciscounitseachrequirethreepersistentsearches,foratotalof10persistentsearchesforthe entireconfigurationtree.
Large Versus Small Configuration Hierarchies

Therearebenefitstobothlargeandsmallconfigurationtreehierarchies.Small(shallow)configuration hierarchieswithonlytwolevelsofparentandchildconfigurationscansupportmoreunits,butyoualso mayhavetomaintainmoreindividualconfigurations.Largerconfigurationhierarchiessupportfewerunits butcanbeeasiertomaintain,becauseyoucanmodifyaconfigurationanywherewithinthetraffictree, updatingallorjustafewofyourunitsatonce.
69
Large Configuration Hierarchy Example Thefollowingconfigurationtreeisanexampleofalargerconfigurationhierarchy.Thisconfigurationtree hasfourlevelsofconfigurationswith60assignedunitseach,andthereforerequiresadirectoryserverthat cansupport1,080persistentsearches.

Config 1 Basic Traffic Tree
+ 60 units
Config 2 Basic Traffic Tree Policy to control P2P
+ 60 units
Config 3 Basic Traffic Tree Policy to control P2P Policy to protect Citrix
+ 60 units
Config 5
+ 60 units Basic Traffic Tree Policy to control P2P Policy to protect Citrix Secure logins
Config 4 Basic Traffic Tree Policy to control P2P Policy to Protect VoIP
+ 60 units
Thistraffictreewouldberelativelysimpletomaintain,asanychangestothetraffictreecanbemadejust once,attherootlevelconfiguration,andthechangeswillautomaticallypropagatetothechild configurations.Similarly,anychangestotheP2PorCitrixpoliciescouldbemadeonasingleparent configurationandwouldimmediatelyappearonthechildconfigurations. If,however,thenetworkadministratorneededtoaddanadditional15unitstoeachconfiguration,theSun ONEDirectoryServercouldnolongersupportthenumberofpersistentsearchesrequiredfora configurationtreethiscomplex. Small Configuration Hierarchy Example Abetteroptionfora375unitdeploymentwouldbeaconfigurationtreeliketheoneshownbelow,withjust twolevelsofparentandchildconfigurations.
Config 1 Basic Traffic Tree Config 2 Basic Traffic Tree Policy to control P2P
+ 75 units
+ 75 units
Config 4 Basic Traffic Tree Policy to control P2P Policy to Protect VoIP Config 3 Basic Traffic Tree Policy to control P2P Policy to protect Citrix Config 5 Basic Traffic Tree Policy to control P2P Policy to protect Citrix Secure logins
+ 75 units
+ 75 units
+ 75 units
Unlikethepreviousconfiguration,whichrequired1080persistentsearchesfor300units,thissmaller hierarchicalconfigurationrequiresonly975searchesyetsupports375units.
70
Eventhoughthishierarchysupportsmoreunits,itmaybeslightlymoredifficulttomaintain.With configurations3and5atahigherlevelintheconfigurationtree,changestothetraffictreemustnowbe madeinbothrootlevelconfigurations,andchangestoP2Ppoliciesmustbemadeinallthreechild configurations.Intheprevious,largerconfiguration,thesechangesonlyhadtobemadeinaparent configuration. Sohowbigisyourdeployment?IfyouhavereviewedthetwobasicconfigurationstrategiesinChapter2 andhaveageneralideaofhowyouwilldesignyourPolicyCenterconfigurationtree,youcanusethe followingworksheettofindout.Dontworryifyoudontyetknowexactlyhowmanyunitsyouaregoing todeployorwhatyourfinalPolicyCenterconfigurationtreewilllooklikeifyouneedtoaddadditional PacketShapersorcreateadeeperconfigurationhierarchy,youcanupgradeasmallorstandarddirectory serverplatformatanytime. Note: If you do not yet know how many PacketShapers your enterprise will require or where you will be deploying them, a good resource is Deployment Topologies in PacketGuide. This guide provides PacketShaper installation, configuration and scalability advice for a variety of network topologies. Enterthevaluesoneachline,thenaddthetotalnumberofpersistentsearches
#ofPacketWise7.07.4or8.08.2unitsassignedtoalevel1(root)config.___x2= #ofPacketWise7.07.4or8.08.2unitsassignedtoalevel2config._____x3= #ofPacketWise7.07.4or8.08.2unitsassignedtoalevel3config._____x4= #ofPacketWise7.07.4or8.08.2unitsassignedtoalevel4config._____x5= Thetotalnumberofpersistentsearchesrequired= ____persistentsearches _____persistentsearches _____persistentsearches _____persistentsearches _______searches
Recommended Platforms
BlueCoathasidentifiedthreedifferenthardwareplatformsrecommendedforsmall,standard,orlarge PolicyCenterdeployments.Theseplatformssupportadirectoryserverconfigurationthatcansupportthe followingnumbersofpersistentsearches: Upto1200searches(forexample,400unitsassignedtoaleveltwoconfiguration,or240unitsas signedtoalevelfourconfiguration):Fordeploymentsofthissize,BlueCoatrecommendsusinga standardPolicyCenterhardwareplatform. 12013000searches(forexample,600unitsassignedtoalevelfourconfiguration):Fordeployments ofthissize,BlueCoatrecommendsusingalargePolicyCenterhardwareplatform. Foradditionalrequirementsanddetailedinformationonconfiguringyourserverplatform,see InstallationRequirementsonpage16.
71
72
Index
Index
A
add unconfigured units 31 attributes non-sharable 4 sharable 4 auto-deploy PacketShapers 31 auto-discovered classes 7
D
delete 49 directory location of PolicyCenter 22, 25 directory server LDAP 15 persistent search 15 uninstall 53, 60 distribute files 3 DNS name 50 DOS to UNIX conversion 24
B
backup all PolicyCenter configuration 53 all PolicyCenter configurations 53, 57 directory server 57 directory servers 57 single PolicyCenter configuration 52 single PolicyCenter configurations 52 backup configurations 49 browser interface online help 2 bulk changes 49
E
errors command-line or browser 64 DNS 63 IIS 65 installation 64 operational error messages 65 TCP/IP 64 troubleshooting commands 67 event log 67
C
command line interface commands 61 help 61 configuration assign unit to a sharable configuration 34 backup 49, 51 create new 34 move 49 save 49, 51 configuration strategy comprehensive configurations 12 functional configurations 13 selective configurations 12 configuration tree 7 configurations assign to an organization 47 inheriting settings 7 modifying an individual PacketShaper 8 parent 7 strategies 11 Control Panel 67 copy 49
I-1
F
file distribution 49 firewall 16, 17
G
Guided Setup 31
H
hardware extended deployment platforms 15 large deployment platforms 16 standard deployment platforms 15, 16 help system 2 hierarchical configurations 7 child configurations 7 HTTPS 29
I
Install PolicyCenter 21
Index
installation additional Windows requirements 16 configure the Solaris server 20 configure the Windows server 18 edge directory server (Solaris) 27 edge directory server (Windows) 27 large deployments on two Windows servers 22 large deployments on Windows and Solaris servers 24 requirements 16, 17 standard deployments on a single Windows server 21
PolicyCenter, starting 29 port 16, 17
R
remove override classes 39 rename 49
S
save configurations 49 secure logins 29 sharable attributes 4 compression 4 shared mode 3 software upgrades, PacketWise 3 stack trace 67 Standard Deployments on a Single Windows Server 21 starting PolicyCenter 29
L
local mode 3 log event 67
N
non-sharable attributes 4 NTFS 16, 21, 23, 25
T
TCP/IP 64 traffic classes autodiscovered 7 overridden 7 troubleshooting 67
O
organizations 45 assign configurations 47 new 45 override traffic classes 39
U
unit configurations adding with the convert option 5, 33 assign a unit to a sharable configuration 34 individual unit configurations 8 retaining in PolicyCenter 5 users 45 create new user accounts 46
P
PacketGuide 2 PacketShaper add to PolicyCenter 31, 35 assign to a sharable configuration 34 model type 11 remove from PolicyCenter 49 software (image) version 11 password 29 policies 3 PolicyCenter capacity planning 15 deployment capacity 15 start a session 29
I-2
W
Windows Control Panel Services manager 67 Windows event log 67 Windows server requirements 16

Policy Center Getting Started Guide v8.5

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Policy Center Getting Started Guide v8.5

Uploaded by

Copyright:

Available Formats

Version 8.

PolicyCenter Getting Started Guide

P/N 20-0231-851 Revision A

Table of Contents About This Guide

Chapter 1: Understanding PolicyCenter

Chapter 2: PolicyCenter Configuration Strategies

Chapter 3: Installing PolicyCenter

Chapter 4: Add PacketShapers to PolicyCenter

Chapter 5: Manage Users and Organizations

Chapter 6: Best Practices

Chapter 7: Saving and Recovering Configurations

Getting Started Guide

Uninstalling the Sun ONE Directory Server................................................................................................................................... 60

Chapter 8: Using the PolicyCenter Command-Line Interface

Appendix A: PolicyCenter Capacity Planning for Earlier Versions of PacketWise

Getting Started Guide

Getting Started Guide

About This Guide

About This Guide

Getting Started Guide

About This Guide

CustomerSupport IfyouhaveatechnicalquestionaboutPolicyCenter,signintotheBlueCoatcustomer supportwebsiteusingyourBlueTouchOnlinecredentials:

Chapter 1: Understanding PolicyCenter

Chapter 1: Understanding PolicyCenter

What are the Benefits of PolicyCenter?

PacketShaper Units Operate in Shared Mode

Getting Started Guide

Chapter 1: Understanding PolicyCenter

WhenaPacketShaperisinstandalone(local)mode,itoperateswithitsownindividualconfiguration uniquetothatPacketShaper.WhenaPacketShaperissettosharedmode,theunitcanoperateusinga combinationofbothasharableconfigurationandanindividualconfigurationuniquetothatunit.

Non-Sharable and Sharable Attributes

Chapter 1: Understanding PolicyCenter

Units Can Retain Their Original Configurations in PolicyCenter

Chapter 1: Understanding PolicyCenter

Getting Started Guide

Chapter 1: Understanding PolicyCenter

Not All Configurations Inherit Values From Other Configurations

Child Configurations Allow Individual Changes

Getting Started Guide

Chapter 1: Understanding PolicyCenter

Units with Different Versions of PacketWise Operate Differently in PolicyCenter

Modifying PacketShapers in PolicyCenter

Chapter 1: Understanding PolicyCenter

Getting Started Guide

Chapter 1: Understanding PolicyCenter

Getting Started Guide

Chapter 2: PolicyCenter Configuration Strategies

Chapter 2: PolicyCenter Configuration Strategies

Identify Groups of Existing Units

Select a Configuration Strategy

Getting Started Guide

Chapter 2: PolicyCenter Configuration Strategies

Comprehensive PolicyCenter Configuration Strategies

Selective Configuration Strategies

Chapter 2: PolicyCenter Configuration Strategies

Functional Configuration Strategies

Getting Started Guide

Chapter 2: PolicyCenter Configuration Strategies

Getting Started Guide

Chapter 3: Installing PolicyCenter

Chapter 3: Installing PolicyCenter

Getting Started Guide

Chapter 3: Installing PolicyCenter

Chapter 3: Installing PolicyCenter