Troubleshooting Guide - AT&T Web Security (cloudwebsecurity.att.com/docs/att_wss_tsgd.pdf)
TRANSCRIPT
© 2017 AT&T. Internal use only. All rights reserved.
AT&T Cloud Web Security Service
Troubleshooting Guide
Table of Contents
1 Summary 3
2 Explicit Proxy – Access Method 4
2.1 Explicit Proxy – Flow Diagram 4
3 Proxy Forwarding – Access Method 6
3.1 Proxy Forwarding – Flow Diagram 7
4 IPsec VPN – Access Method 8
4.1 IPsec VPN – Flow Diagram 9
5 Client Connector – Access Method 10
5.1 Client Connector – Flow Diagram 11
6 Auth Connector / SAML – Authentication 12
6.1 Auth Connector / SAML – Flow Diagram 13
1 Summary

This document describes the troubleshooting steps that Cloud WSS customers should take when they experience service issues. The steps help customers determine the root cause and escalate the issue to the proper supporting organization (internal or AT&T).

There is a section for each access method and for the core authentication functionality. Within each section, troubleshooting steps are grouped by testing category, and each section includes a technical data flow diagram to assist troubleshooting. Work through the checks in order: a failure at the firewall stage (TCP 8080/443 to the cloud proxy blocked) explains every later symptom, so do not change portal or client settings until the network path has been confirmed.

If the problem persists after using this troubleshooting guide, please contact the AT&T MSS Help Desk:
1-800-727-2222, Prompt 82
Managedsecurity@ems.att.com
2 Explicit Proxy – Access Method

Explicit Proxy – Minimum Requirements

Firewall configuration
  o TCP 8080 must be open on the firewall (outbound to the cloud proxy)
  o TCP 443 must be open (for SSL connections)
Client proxy configuration
  o Explicit proxy destination: proxy.threatpulse.com:8080
  o Destination if using PAC configuration: https://portal.threatpulse.com/pac
Portal configuration
  o Define Location
If using Auth Connector or SAML, refer to the Auth Connector / SAML – Minimum Requirements section. Refer to the diagram below for the total data flow.

Troubleshooting the Explicit Proxy Connection Method

1 Firewall
  1.1 Is there an active Internet connection?
  1.2 telnet proxy.threatpulse.com 8080
  1.3 telnet proxy.threatpulse.com 443
      (A blank screen means the TCP port is open; "Could not open connection" means it is blocked. The Telnet client is not installed by default on current Windows versions; Test-NetConnection in PowerShell gives the same answer.)
  1.4 ping proxy.threatpulse.com (if ping is enabled; a failed ping alone is not conclusive because ICMP is often filtered)
2 Node – Explicit Proxy
  2.1 In Windows:
    2.1.1 Open Internet Explorer
    2.1.2 Click Tools
    2.1.3 Click Internet Options
    2.1.4 Click Connections
    2.1.5 Click LAN Settings
    2.1.6 Check the "Proxy server" box
    2.1.7 Enter proxy.threatpulse.com and port 8080
    2.1.8 Click OK
    2.1.9 Open the browser to demo.threatpulse.com to see if the computer is protected
3 PAC Configuration
  3.1 In Windows:
    3.1.1 Open Internet Explorer
    3.1.2 Click Tools
    3.1.3 Click Internet Options
    3.1.4 Click Connections
    3.1.5 Click LAN Settings
    3.1.6 Under "Automatic configuration", check "Use automatic configuration script" and enter the PAC address ("proxy.threatpulse.com/pac" and port 8080). The minimum requirements above give the PAC URL as https://portal.threatpulse.com/pac; confirm which address your portal account uses.
    3.1.7 Click OK
    3.1.8 Open the browser to demo.threatpulse.com to see if the computer is protected
4 Portal Configuration
  4.1 In the browser, go to portal.threatpulse.com
    4.1.1 Log in with the correct username and password
    4.1.2 Click "Service"
    4.1.3 Click "Add Location"
    4.1.4 Add the location name
    4.1.5 Choose the access method "Explicit Proxy" from the drop-down
    4.1.6 Verify the IP/Subnet (the public egress address of the site; the service recognizes the location by this address)
    4.1.7 If using SAML or Auth Connector, make sure "Enable Captive Portal" is checked
    4.1.8 Verify Country and Time zone
    4.1.9 If the information is correct, a green check mark will appear on the right of the screen under "Status"
    4.1.10 Check the "Bypassed Sites" tab to make sure the correct IP addresses are permitted or denied. Anything listed as bypassed goes around the cloud proxy unfiltered, so keep this list minimal and review it first when a site appears "unprotected".
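The checks in sections 1 through 3 above can be scripted. The following PowerShell script is an added example; it is not part of the AT&T guide and not Blue Coat software. It runs the TCP and ICMP reachability tests of section 1, reads the WinINET settings that the Internet Explorer LAN Settings dialog writes (sections 2 and 3), fetches the PAC file if one is configured, and requests demo.threatpulse.com through the proxy. The hostnames, ports and PAC URL are the ones listed in the minimum requirements; the script name Test-WssExplicitProxy.ps1, the registry-based check and the FindProxyForURL sanity test are assumptions of this example. The same port test covers the firewall checks of the Proxy Forwarding section (add 8443 to -Ports) and of the Client Connector and Auth Connector sections (-Ports 443). Test-NetConnection needs Windows 8 / Server 2012 or later.

```powershell
# Test-WssExplicitProxy.ps1 (hypothetical name) - added example, not AT&T or Blue Coat code.
# Hostnames, ports and PAC URL come from the guide's minimum requirements;
# the registry check and the PAC sanity test are assumptions of this example.
param(
    [string]$ProxyHost = 'proxy.threatpulse.com',
    [int[]]$Ports      = @(8080, 443),      # Proxy Forwarding: add 8443; Client Connector: @(443)
    [string]$PacUrl    = 'https://portal.threatpulse.com/pac',
    [string]$TestUrl   = 'http://demo.threatpulse.com/'
)

# 1. Firewall: TCP connect tests replace the guide's manual telnet checks.
foreach ($port in $Ports) {
    $r = Test-NetConnection -ComputerName $ProxyHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1} TCP -> {2}' -f $ProxyHost, $port, $(if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' })
}
# ICMP is frequently filtered on the path, so "no reply" on its own is not a fault.
$icmp = Test-Connection -ComputerName $ProxyHost -Count 1 -Quiet -ErrorAction SilentlyContinue
'{0} ICMP -> {1}' -f $ProxyHost, $(if ($icmp) { 'reply' } else { 'no reply (may be filtered)' })

# 2/3. Node: read the per-user WinINET values that IE > LAN Settings writes.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) {
    'Explicit proxy: {0}' -f $ie.ProxyServer
    if ($ie.ProxyServer -notmatch "$([regex]::Escape($ProxyHost)):8080") {
        'WARNING: proxy setting does not point at {0}:8080' -f $ProxyHost
    }
} elseif ($ie.AutoConfigURL) {
    'PAC configured: {0}' -f $ie.AutoConfigURL
    if ($ie.AutoConfigURL -ne $PacUrl) { 'NOTE: PAC address differs from {0}' -f $PacUrl }
    # Fetch the PAC directly so a blocked or missing PAC is visible before the browser hides it.
    try {
        $pac = Invoke-WebRequest -Uri $ie.AutoConfigURL -UseBasicParsing -TimeoutSec 15
        if ($pac.Content -match 'FindProxyForURL') { 'PAC downloaded and contains FindProxyForURL()' }
        else { 'WARNING: PAC downloaded but contains no FindProxyForURL()' }
    } catch { 'WARNING: PAC download failed: {0}' -f $_.Exception.Message }
} else {
    'WARNING: neither an explicit proxy nor a PAC is configured for this user'
}

# 2.1.9 / 3.1.8: same as opening demo.threatpulse.com, but forced through the cloud proxy.
try {
    $resp = Invoke-WebRequest -Uri $TestUrl -Proxy "http://${ProxyHost}:8080" -UseBasicParsing -TimeoutSec 15
    'demo page via proxy -> HTTP {0}' -f $resp.StatusCode
} catch { 'demo page via proxy FAILED: {0}' -f $_.Exception.Message }
```

Run it as the user whose browser is affected, because the proxy and PAC settings live under HKCU and differ per account; a machine that "works for the administrator but not the user" usually comes down to that.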
2.1 Explicit Proxy – Flow Diagram
3 Proxy Forwarding – Access Method

Proxy Forwarding – Minimum Requirements

Firewall configuration (NBFW, the network-based firewall)
  o TCP 8080 must be open on the firewall
  o TCP 443 must be open (for SSL connections)
  o TCP 8443 (for trans NAT)
ProxySG forwarding configuration
  o Forwards to proxy.threatpulse.com:8080
Portal configuration
  o Define Location (use the egress address of the NBFW)

Troubleshooting

1 Firewall
  1.1 Is there an active Internet connection?
  1.2 telnet proxy.threatpulse.com 8080
  1.3 telnet proxy.threatpulse.com 443
  1.4 ping proxy.threatpulse.com (if ping is enabled)
  1.5 Verify that port 8443 is enabled
2 ProxySG
  2.1 Open the ProxySG browser interface, https://1.1.1.1:8082 (use the correct management IP), and log in
    2.1.1 Click Configuration
    2.1.2 Click Forwarding
    2.1.3 Click "Forwarding Hosts"
    2.1.4 Is proxy.threatpulse.com there?
    2.1.5 Click "Default Sequence"
    2.1.6 Is proxy.threatpulse.com on the right side under Alias name? (If the alias is not in the default sequence, the ProxySG serves requests directly and the cloud service never sees them.)
    2.1.7 Click the "Statistics" tab
    2.1.8 Click Health Monitoring to verify the health check: does it have a green OK?
3 Portal Configuration
  3.1 In the browser, go to portal.threatpulse.com
    3.1.1 Log in with the correct username and password
    3.1.2 Click "Service"
    3.1.3 Click "Add Location"
    3.1.4 Add the "Location Name"
    3.1.5 Choose the access method "Proxy Forwarding" from the drop-down
    3.1.6 Verify the "IP/Subnet" (it must be the NBFW egress address, not the ProxySG's internal address)
    3.1.7 Verify Country and Time zone
    3.1.8 If the information is correct, a green check mark will appear on the right of the screen under "Status"
3.1 Proxy Forwarding – Flow Diagram
4 IPsec VPN – Access Method

IPsec – Minimum Requirements

Firewall configuration (NBFW)
  o Must use IPsec
  o Must originate from the firewall
  o Must enable port UDP 500
  o Must use Main Mode negotiation
  o Must use an IP address as gateway
  o Must use a Pre-Shared Key
  o Must define a Proxy ID
Portal
  o Must have a Location Name
  o Must define the Gateway IP of the firewall (inside Location)
  o Must define the Pre-Shared Key (inside Location)
  o Can enable Captive Portal (inside Location)
  o Can use Auth Connector or SAML (inside Enable Captive Portal)
If using Auth Connector or SAML, refer to the Auth Connector / SAML – Minimum Requirements section.

Troubleshooting

1 Firewall
  1.1 Is there an active Internet connection?
  1.2 Is the firewall behind another firewall (NAT)? Blue Coat will not accept NAT-Traversal, so the tunnel must originate from the device that holds the public gateway IP defined in the portal.
  1.3 Can the Blue Coat cloud load balancer be pinged (if ICMP is enabled)?
  1.4 How far does a traceroute go (if the load balancer cannot be pinged)?
  1.5 Phase 1
    1.5.1 Is the Blue Coat cloud load balancer defined as the gateway?
    1.5.2 Do the Phase 1 proposals match?
    1.5.3 Does the Pre-Shared Key match the one in the portal?
    1.5.4 Is Dead Peer Detection enabled (optional)?
  1.6 Phase 2
    1.6.1 Is the correct tunnel defined?
    1.6.2 Do the Phase 2 proposals match?
    1.6.3 Is the Proxy ID defined?
    1.6.4 Are SSL and HTTP defined in an active SA?
    1.6.5 Are SSL and HTTP forwarded to the active tunnel? (Only the traffic selected into the tunnel is filtered; web traffic that is routed directly to the Internet instead bypasses the service.)
4.1 IPsec VPN – Flow Diagram
5 Client Connector – Access Method

Client Connector – Minimum Requirements

Firewall configuration (NBFW)
  o Allow TCP port 443
Client configuration
  o Must have an active Internet connection
  o Download and install Client Connector on the local machine

Troubleshooting

1 Firewall (NBFW)
  1.1 Is there an active Internet connection?
  1.2 telnet proxy.threatpulse.com 443
  1.3 ping proxy.threatpulse.com (if ping is enabled)
2 Client Connector
  2.1 Behind a Blue Coat cloud connection (another access method) under the same account in the portal:
    2.1.1 Mouse over the Blue Coat icon on the bottom right of the screen
    2.1.2 It should be failed open (icon is white), because the location's network-level access method is already protecting the traffic
  2.2 Not behind a Blue Coat cloud connection method in the same account:
    2.2.1 Mouse over the Blue Coat icon on the bottom right of the screen
    2.2.2 It should not be failed open (icon is blue). A white icon on a machine that is not behind a protected location means its web traffic is leaving unfiltered and should be treated as a fault.
  2.3 Verify that the Client Connector is connected
  2.4 Right-click the Blue Coat icon
  2.5 Click "Status"
    2.5.1 Is the Customer ID correct?
    2.5.2 Are Local Services "UP"?
    2.5.3 Is Network "available"?
    2.5.4 Is the Connector status "Connected to Threatpulse"?
    2.5.5 Is "HTTPS-OK" shown?
5.1 Client Connector – Flow Diagram
6 Auth Connector / SAML – Authentication

Auth Connector / SAML – Minimum Requirements

Firewall configuration (NBFW)
  o Allow TCP port 443 through egress
Portal configuration
  o Define Auth Connector / SAML
  o Certificate must match the server (if using SAML)
  o Under Location > "Captive Portal", the subnet must be defined (if using SAML)
Server configuration
  o Must use Active Directory
  o Internal IP must be reachable by the client machine, as defined in the portal (if using SAML)
  o Certificate must match the portal certificate (if using SAML)
  o IdP listens on 8443 (if using SAML); traffic must be allowed to this host locally on this port
Auth Connector / SAML can be used with the Explicit Proxy and IPsec access methods.

Troubleshooting

1 Firewall
  1.1 Is there an active Internet connection?
  1.2 telnet proxy.threatpulse.com 443
  1.3 ping proxy.threatpulse.com (if ping is enabled)
2 Portal-side configuration for Auth Connector or SAML
  2.1 Log into the portal, portal.threatpulse.com
    2.1.1 Click Service
    2.1.2 Click "Authentication"
    2.1.3 Click Auth Connector
    2.1.4 Is "Auth Connector Status" green?
3 If using SAML
  3.1 Follow steps 2.1 through 2.1.2 above
  3.2 Click SAML
    3.2.1 Under Endpoint URL, the address should look like http://192.168.1.1/bcca/saml/idp (the internal, non-routed IP of the server running Active Directory)
    3.2.2 Does the certificate defined under Signing Certificate Chains match the certificate on the Active Directory server? (A mismatch means the service cannot validate the signature on the SAML assertions, so every login fails even though the connector shows as up.)
    3.2.3 Is "Auth Connector Status" green?
4 Server-side configuration
  4.1 Services
    4.1.1 Click Start > All Programs > Administrative Tools > Services
    4.1.2 Click Blue Coat Auth Connector
    4.1.3 Are the Blue Coat Auth services running (Status: Started)?
    4.1.4 If not, click Start or Restart
  4.2 Event Logs
    4.2.1 Click Start > All Programs > Administrative Tools > Event Viewer
    4.2.2 Click "Windows Logs" > "Application"
    4.2.3 Click Refresh and view the most recent BCCA log entry
      4.2.3.1 Does it show connected to the user ID?
      4.2.3.2 If it does not show connected, why does it fail (what is the error)?
  4.3 Is Active Directory working correctly?
  4.4 Is the internal IP address of the server directly reachable by the client machine (if using SAML)? The captive portal redirects the browser to this address, so a client that cannot reach it, or that is outside the defined captive-portal subnet, cannot complete SAML authentication.
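The server-side checks in section 4, together with the firewall and port 8443 requirements above, can be scripted on the Auth Connector host. The following PowerShell script is an added example; it is not part of the AT&T guide and not Blue Coat software. Port 8443, the proxy hostname, the Application log and the "BCCA" event source come from the guide; the service display-name pattern '*Auth Connector*', the provider-name wildcard '*BCCA*', the script name Test-WssAuthConnector.ps1 and the sample IdP address 192.168.1.1 are assumptions of this example, so adjust them to the installed service and to the Endpoint URL shown in the portal. Run the 8443 reachability part from a client machine in the captive-portal subnet as well, since that is the path the SAML redirect uses.

```powershell
# Test-WssAuthConnector.ps1 (hypothetical name) - added example, not AT&T or Blue Coat code.
# Run on the Auth Connector host as an administrator (needed to start the service
# and to read firewall rules). Service/provider name patterns are assumptions.
param(
    [string]$IdpHost         = '192.168.1.1',       # internal IP from the portal's SAML Endpoint URL (assumed)
    [int]$IdpPort            = 8443,                # the guide: IdP listens on 8443
    [string]$WssHost         = 'proxy.threatpulse.com',
    [string]$ServicePattern  = '*Auth Connector*',  # assumed display-name pattern
    [string]$ProviderPattern = '*BCCA*',            # assumed event-source pattern
    [int]$LogEntries         = 10
)

# 1. Firewall: the connector needs TCP 443 outbound to the cloud service.
$r = Test-NetConnection -ComputerName $WssHost -Port 443 -WarningAction SilentlyContinue
'{0}:443 -> {1}' -f $WssHost, $(if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' })

# 4.1 Services: find the Blue Coat Auth Connector service(s); start any that are stopped.
$svc = Get-Service -DisplayName $ServicePattern -ErrorAction SilentlyContinue
if (-not $svc) {
    'WARNING: no service matching {0} is installed on this host' -f $ServicePattern
} else {
    foreach ($s in $svc) {
        '{0} ({1}) -> {2}' -f $s.DisplayName, $s.Name, $s.Status
        if ($s.Status -ne 'Running') {
            'Starting {0} ...' -f $s.Name
            Start-Service -Name $s.Name -ErrorAction Continue
        }
    }
}

# 4.2 Event Logs: newest Application-log entries from the connector, first line of each message.
# Same data the guide reaches through Event Viewer > Windows Logs > Application.
try {
    $events = Get-WinEvent -LogName Application -MaxEvents 500 -ErrorAction Stop |
              Where-Object { $_.ProviderName -like $ProviderPattern } |
              Select-Object -First $LogEntries
    if (-not $events) {
        'No recent Application events from a provider matching {0}' -f $ProviderPattern
    }
    foreach ($e in $events) {
        '{0:u} [{1}] {2}' -f $e.TimeCreated, $e.LevelDisplayName, ($e.Message -split "`n")[0]
    }
} catch { 'Could not read the Application log: {0}' -f $_.Exception.Message }

# 4.3 Active Directory: confirm this host can still locate and talk to a domain controller.
try {
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    'AD domain {0}, domain controller {1}' -f $dom.Name, $dom.FindDomainController().Name
} catch { 'WARNING: Active Directory not reachable: {0}' -f $_.Exception.Message }

# 4.4 SAML only: the IdP endpoint must accept TCP connections on 8443 ...
$i = Test-NetConnection -ComputerName $IdpHost -Port $IdpPort -WarningAction SilentlyContinue
'{0}:{1} (IdP) -> {2}' -f $IdpHost, $IdpPort, $(if ($i.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' })
# ... and the local Windows firewall must allow it inbound (the guide: traffic must be allowed locally).
'Inbound firewall rules for TCP {0}:' -f $IdpPort
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $IdpPort -and $_.Protocol -eq 'TCP' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Action
```

If the service is running and the event log shows the connector connected but users still are not authenticated, the remaining suspects are the ones the script cannot see from the server: the captive-portal subnet in the portal, and the client's route to the internal IdP address.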
6.1 Auth Connector / SAML – Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
2
Table of Contents
1 Summary 3
2 Explicit Proxy ndash Access Method 4
21 Explicit Proxy ndash Flow Diagram 4
3 Proxy Forwarding ndash Access Method 6
31 Explicit Proxy ndash Flow Diagram 7
4 IPSecVPN ndash Access Method 8
41 IPSecVPN ndash Flow Diagram 9
5 Client Connector ndash Access Method 10
51 Client Connector ndash Flow Diagram 11
6 Auth Connector SAML ndash Authentication 12
61 Authentication ndash Flow Diagram 13
copy 2017 ATampT Internal use only All rights reserved
3
1 Summary
The purpose of this document is to describe the troubleshooting steps Cloud WSS customers need to take when experiencing service issues These steps will assist customers in determining the root cause as well as escalating the issue to the proper supporting organization (internal or ATampT)
There is a section for each access method and core functionality Within each section troubleshooting steps are grouped by testing category In addition each section includes a technical data flow diagram to assist troubleshooting
If the problem persists after using this troubleshooting guide please contact ATampT MSS Help Desk
1-800-727-2222 Prompt 82
Managedsecurityemsattcom
copy 2017 ATampT Internal use only All rights reserved
4
2 Explicit Proxy ndash Access Method
Explicit Proxy ndash Minimum Requirements Trouble Shooting the Explicit Proxy Connection Method
Firewall Configuration
TCP 8080 must be open on the firewall
TCP 443 must be open (for SSL connections)
Client proxy configuration o Explicit Proxy Destination
proxythreatpulsecom8080 o Destination if using Pac Configuration
httpsportalthreatpulsecompac o Portal Configuration
Define Location
If using Auth Connector or SAML refer to the Auth ConnectorSAML- Minimum Requirements section Refer to the Diagram below for the total Data Flow
1 Firewall 11 Is there an active Internet connection 12 telnet to proxythreatpulsecom 8080 13 telnet to proxythreatpulsecom 443 14 ping proxythreatpulsecom (if ping is enabled)
2 Node Explicit Proxy
21 In Windows 2111 open Internet Explorer 2112 click on tools
212 click on Internet Options 213 click on Connections 214 click on LAN Settings 215 Click on the check box for Proxy Server 216 proxythreatpulsecom and port 8080 217 click ok 218 Open the browser to demothreatpulsecom to see if the
computer is protected
3 PAC Configuration 31 In Windows
3111 open Internet Explorer 3112 click on tools 3113 click on Internet Options 3114 click on Connections 3115 click on LAN Settings 3116 Click on the check box for Proxy Server 3117 Automatic Configuration put
ldquoproxythreatpulsecompac and port 8080rdquo 3118 click ok 3119 Open the browser to demothreatpulsecom to see if
the computer is protected 4 Portal Configuration
41 In browser go to portalthreatpulsecom 4111 Log in with correct username and password 4112 Click on ldquoServicerdquo 4113 ldquoClick on Add Locationrdquo 4114 Add the location name 4115 Choose the access method ldquoExplicit Proxyrdquo from the
down arrow 4116 Verify the IPSubnet 4117 If using SAML or Auth Connector make sure that
ldquoEnable Captive Portalrdquo is checked 4118 Verify Country and Time zone 4119 If the information is correct a green check mark will
appear to the right of the screen under ldquoStatusrdquo
41110 Verify ldquoBypassed Sitesrdquo tab to make sure that the correct IP addresses are permitted or denied
copy 2017 ATampT Internal use only All rights reserved
5
21 Explicit Proxy ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
6
3 Proxy Forwarding ndash Access Method
Proxy Forwarding ndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o TCP 8080 must be open on the firewall o TCP 443 must be open (for SSL connections) o TCP 8443 (for trans NAT)
Proxy SG forwarding configuration o Forwards to proxythreatpulsecom8080
Portal Configuration o Define Location (use Egress Address of NBFW)
1 Firewall 11 Is there an active Internet connection 12 telnet to proxythreatpulsecom 8080 13 telnet to proxythreatpulsecom 443 14 ping proxythreatpulsecom (if ping is enabled) 15 Verify that Port 8443 is enabled
2 Proxy SG
21 Open the Proxy SG browser interface https11118082 (use correct IP) and log in
211 Click on configuration 212 Click on Forwarding 213 Click on ldquoForwarding Hostsrdquo 214 Is proxythreatpulsecom there 215 Click on ldquoDefault Sequencerdquo 216 Is proxythreatpulsecom on the right side under Alias
name 217 Click on ldquoStatisticsrdquo tab 218 Click on Health Monitoring to verify the health check
ldquoDoes it have a green OKrdquo
3 Portal Configuration 31 In browser go to portalthreatpulsecom
311 Log in with correct username and password 312 Click on ldquoServicerdquo 313 Click on ldquoAdd Locationrdquo 314 Add the ldquoLocation Namerdquo 315 Choose the access method ldquoProxy Forwardingrdquo from
the drop down arrow 316 Verify the ldquoIPSubnetrdquo 317 Verify Country and Time zone 318 If the information is correct a green check mark will
appear to the right of the screen under ldquoStatusrdquo
copy 2017 ATampT Internal use only All rights reserved
7
31 Proxy Forwarding ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
8
4 IPSecVPN ndash Access Method
IPsec ndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Must use IPsec o Must originate from firewall o Must enable Port UDP 500 o Must use Main Mode Negotiations o Must use an Ip address as gateway o Must use Pre-Shared Key o Must define a Proxy Id
Portal o Must have a Location Name o Must define Gateway Ip of Firewall (inside Location) o Must define Pre-Shared key (inside Location) o Can enable Captive Portal (inside Location) o Can Use Auth Connector or SAML (inside enable Captive Portal)
If using Auth Connector or SAML refer to the Auth
ConnectorSAML- Minimum Requirements section
1 Firewall 11 Is there an active Internet connection 12 Is the firewall behind another firewall (Bluecoat will not
accept NAT-Traversal) 13 Can a Bluecoat Load Balancer be pinged (if ICMP is enabled) 14 How far does trace-route go ( if the load balancer is not able to
be pinged)
15 Phase 1 151 Is Bluecoat Cloud Load Balancer defined as Gateway 152 Do the Phase 1 proposals match 153 Does the Pre-Shared key match the Portal 154 Is Dead Peer Detection enabled (optional)
16 Phase 2
161 Is the correct tunnel defined 162 Do the Phase 2 proposals match 163 Is the Proxy Id defined 164 Are SSL and HTTP defined in an active SA 165 Is SSL and HTTP forwarded to the active tunnel
copy 2017 ATampT Internal use only All rights reserved
9
41 IPSecVPN ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
10
5 Client Connector ndash Access Method
Client Connector ndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP ports 443
Client Configuration o Must have an active Internet connection o DownloadInstall Client Connector to local machine
1 Firewall (NBFW) 11 Is there an active Internet connection 12 telnet to proxythreatpulsecom 443 13 ping proxythreatpulsecom (if ping is enabled)
2 Client Connector
21 Behind a Bluecoat Cloud Connection under the same account in the portal 211 Mouse over Bluecoat Icon on bottom right of the screen 212 Should be failed open (color white)
22 Not Behind a Bluecoat Cloud Connection method in the same account 221 Mouse over Bluecoat Icon on bottom right of the screen 222 Should not be failed open (color is blue)
23 Verify that the Client Connector is connected 24 Right mouse on Bluecoat Icon 25 ldquoClick Statusrdquo
251 Is the Customer ID correct 252 Are Local Services ldquoUPrdquo 253 Is Network ldquoavailablerdquo 254 Is the Connector status ldquoConnected to Threatpulse 255 Is ldquoHTTPS-OKrdquo
copy 2017 ATampT Internal use only All rights reserved
11
51 Client Connector ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
12
6 Auth Connector SAML ndash Authentication
Auth Connector SAMLndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP port 443 through Egress
Portal Configuration o Define Auth ConnectorSAML o Cert must match server (if using SAML) o Under Location rdquoCaptive Portalrdquo the subnet must be
defined (if using SAML)
Server Configuration
Must use Active Directory
Internal Ip Must be reachable by Client machine as defined in Portal (if using SAML)
Cert must match Portal Cert (if using SAML)
IDP listens on 8443 (if using SAML) o Traffic must be allowed to this host locally on this port
Auth ConnectorSAML can be used with Explicit and Ipsec Access Methods
1 Firewall 11 Is there an active Internet connection
11 telnet to proxythreatpulsecom 443 12 ping proxythreatpulsecom (if ping is enabled)
2 Portal Side Configuration for Auth Connector or SAML 21 Log into Portal threatpulsecom
211 Click on Service 212 Click on ldquoAuthenticationrdquo 213 Click Auth Connector 214 Is ldquoAuth Connector Statusrdquo Green
3 If using SAML 31 Follow the previous Steps 21 through 212 32 Click SAML
321 Under Endpoint URL the address should look as follows http19216811bccasamlidp (The internal non routed IP of the server with Active directory) 322 Does the Cert defined in Signing Certificate Chains match the cert
on the Active Directory Server 323 Is ldquoAuth Connector Statusrdquo Green
4 Server Side Configuration
41 Services 411 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquordquo Servicesrdquo
4111 Click on Blue Coat Auth Connector 4112 Are Blue Coat Auth services running (under
status started) 4113 If not click Start or Restart (to start or restart
services)
42 Event Logs
421 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquo rdquoEvent Viewerrdquo
422 Click on ldquoWindows Logsrdquo ldquoApplicationrdquo 423 Click refresh and view the top BCCA log
4231 Does it show connected to the user Id 4232 If it does not show connected Why does it show
that it fails (what is the error) 4233
43 Is Active Directory working correctly 44 Is the internal Ip address of the server directly reachable by the client
machine (if using SAML)
copy 2017 ATampT Internal use only All rights reserved
13
61 Auth Connector SAML ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
3
1 Summary
The purpose of this document is to describe the troubleshooting steps Cloud WSS customers need to take when experiencing service issues These steps will assist customers in determining the root cause as well as escalating the issue to the proper supporting organization (internal or ATampT)
There is a section for each access method and core functionality Within each section troubleshooting steps are grouped by testing category In addition each section includes a technical data flow diagram to assist troubleshooting
If the problem persists after using this troubleshooting guide please contact ATampT MSS Help Desk
1-800-727-2222 Prompt 82
Managedsecurityemsattcom
copy 2017 ATampT Internal use only All rights reserved
4
2 Explicit Proxy ndash Access Method
Explicit Proxy ndash Minimum Requirements Trouble Shooting the Explicit Proxy Connection Method
Firewall Configuration
TCP 8080 must be open on the firewall
TCP 443 must be open (for SSL connections)
Client proxy configuration o Explicit Proxy Destination
proxythreatpulsecom8080 o Destination if using Pac Configuration
httpsportalthreatpulsecompac o Portal Configuration
Define Location
If using Auth Connector or SAML refer to the Auth ConnectorSAML- Minimum Requirements section Refer to the Diagram below for the total Data Flow
1 Firewall 11 Is there an active Internet connection 12 telnet to proxythreatpulsecom 8080 13 telnet to proxythreatpulsecom 443 14 ping proxythreatpulsecom (if ping is enabled)
2 Node Explicit Proxy
21 In Windows 2111 open Internet Explorer 2112 click on tools
212 click on Internet Options 213 click on Connections 214 click on LAN Settings 215 Click on the check box for Proxy Server 216 proxythreatpulsecom and port 8080 217 click ok 218 Open the browser to demothreatpulsecom to see if the
computer is protected
3 PAC Configuration 31 In Windows
3111 open Internet Explorer 3112 click on tools 3113 click on Internet Options 3114 click on Connections 3115 click on LAN Settings 3116 Click on the check box for Proxy Server 3117 Automatic Configuration put
ldquoproxythreatpulsecompac and port 8080rdquo 3118 click ok 3119 Open the browser to demothreatpulsecom to see if
the computer is protected 4 Portal Configuration
41 In browser go to portalthreatpulsecom 4111 Log in with correct username and password 4112 Click on ldquoServicerdquo 4113 ldquoClick on Add Locationrdquo 4114 Add the location name 4115 Choose the access method ldquoExplicit Proxyrdquo from the
down arrow 4116 Verify the IPSubnet 4117 If using SAML or Auth Connector make sure that
ldquoEnable Captive Portalrdquo is checked 4118 Verify Country and Time zone 4119 If the information is correct a green check mark will
appear to the right of the screen under ldquoStatusrdquo
41110 Verify ldquoBypassed Sitesrdquo tab to make sure that the correct IP addresses are permitted or denied
copy 2017 ATampT Internal use only All rights reserved
5
21 Explicit Proxy ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
6
3 Proxy Forwarding ndash Access Method
Proxy Forwarding ndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o TCP 8080 must be open on the firewall o TCP 443 must be open (for SSL connections) o TCP 8443 (for trans NAT)
Proxy SG forwarding configuration o Forwards to proxythreatpulsecom8080
Portal Configuration o Define Location (use Egress Address of NBFW)
1 Firewall 11 Is there an active Internet connection 12 telnet to proxythreatpulsecom 8080 13 telnet to proxythreatpulsecom 443 14 ping proxythreatpulsecom (if ping is enabled) 15 Verify that Port 8443 is enabled
2 Proxy SG
21 Open the Proxy SG browser interface https11118082 (use correct IP) and log in
211 Click on configuration 212 Click on Forwarding 213 Click on ldquoForwarding Hostsrdquo 214 Is proxythreatpulsecom there 215 Click on ldquoDefault Sequencerdquo 216 Is proxythreatpulsecom on the right side under Alias
name 217 Click on ldquoStatisticsrdquo tab 218 Click on Health Monitoring to verify the health check
ldquoDoes it have a green OKrdquo
3 Portal Configuration 31 In browser go to portalthreatpulsecom
311 Log in with correct username and password 312 Click on ldquoServicerdquo 313 Click on ldquoAdd Locationrdquo 314 Add the ldquoLocation Namerdquo 315 Choose the access method ldquoProxy Forwardingrdquo from
the drop down arrow 316 Verify the ldquoIPSubnetrdquo 317 Verify Country and Time zone 318 If the information is correct a green check mark will
appear to the right of the screen under ldquoStatusrdquo
copy 2017 ATampT Internal use only All rights reserved
7
31 Proxy Forwarding ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
8
4 IPSecVPN ndash Access Method
IPsec ndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Must use IPsec o Must originate from firewall o Must enable Port UDP 500 o Must use Main Mode Negotiations o Must use an Ip address as gateway o Must use Pre-Shared Key o Must define a Proxy Id
Portal o Must have a Location Name o Must define Gateway Ip of Firewall (inside Location) o Must define Pre-Shared key (inside Location) o Can enable Captive Portal (inside Location) o Can Use Auth Connector or SAML (inside enable Captive Portal)
If using Auth Connector or SAML refer to the Auth
ConnectorSAML- Minimum Requirements section
1 Firewall 11 Is there an active Internet connection 12 Is the firewall behind another firewall (Bluecoat will not
accept NAT-Traversal) 13 Can a Bluecoat Load Balancer be pinged (if ICMP is enabled) 14 How far does trace-route go ( if the load balancer is not able to
be pinged)
15 Phase 1 151 Is Bluecoat Cloud Load Balancer defined as Gateway 152 Do the Phase 1 proposals match 153 Does the Pre-Shared key match the Portal 154 Is Dead Peer Detection enabled (optional)
16 Phase 2
161 Is the correct tunnel defined 162 Do the Phase 2 proposals match 163 Is the Proxy Id defined 164 Are SSL and HTTP defined in an active SA 165 Is SSL and HTTP forwarded to the active tunnel
copy 2017 ATampT Internal use only All rights reserved
9
41 IPSecVPN ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
10
5 Client Connector ndash Access Method
Client Connector ndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP ports 443
Client Configuration o Must have an active Internet connection o DownloadInstall Client Connector to local machine
1 Firewall (NBFW) 11 Is there an active Internet connection 12 telnet to proxythreatpulsecom 443 13 ping proxythreatpulsecom (if ping is enabled)
2 Client Connector
21 Behind a Bluecoat Cloud Connection under the same account in the portal 211 Mouse over Bluecoat Icon on bottom right of the screen 212 Should be failed open (color white)
22 Not Behind a Bluecoat Cloud Connection method in the same account 221 Mouse over Bluecoat Icon on bottom right of the screen 222 Should not be failed open (color is blue)
23 Verify that the Client Connector is connected 24 Right mouse on Bluecoat Icon 25 ldquoClick Statusrdquo
251 Is the Customer ID correct 252 Are Local Services ldquoUPrdquo 253 Is Network ldquoavailablerdquo 254 Is the Connector status ldquoConnected to Threatpulse 255 Is ldquoHTTPS-OKrdquo
copy 2017 ATampT Internal use only All rights reserved
11
51 Client Connector ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
12
6 Auth Connector SAML ndash Authentication
Auth Connector SAMLndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP port 443 through Egress
Portal Configuration o Define Auth ConnectorSAML o Cert must match server (if using SAML) o Under Location rdquoCaptive Portalrdquo the subnet must be
defined (if using SAML)
Server Configuration
Must use Active Directory
Internal Ip Must be reachable by Client machine as defined in Portal (if using SAML)
Cert must match Portal Cert (if using SAML)
IDP listens on 8443 (if using SAML) o Traffic must be allowed to this host locally on this port
Auth ConnectorSAML can be used with Explicit and Ipsec Access Methods
1 Firewall 11 Is there an active Internet connection
11 telnet to proxythreatpulsecom 443 12 ping proxythreatpulsecom (if ping is enabled)
2 Portal Side Configuration for Auth Connector or SAML 21 Log into Portal threatpulsecom
211 Click on Service 212 Click on ldquoAuthenticationrdquo 213 Click Auth Connector 214 Is ldquoAuth Connector Statusrdquo Green
3 If using SAML 31 Follow the previous Steps 21 through 212 32 Click SAML
321 Under Endpoint URL the address should look as follows http19216811bccasamlidp (The internal non routed IP of the server with Active directory) 322 Does the Cert defined in Signing Certificate Chains match the cert
on the Active Directory Server 323 Is ldquoAuth Connector Statusrdquo Green
4 Server Side Configuration
41 Services 411 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquordquo Servicesrdquo
4111 Click on Blue Coat Auth Connector 4112 Are Blue Coat Auth services running (under
status started) 4113 If not click Start or Restart (to start or restart
services)
42 Event Logs
421 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquo rdquoEvent Viewerrdquo
422 Click on ldquoWindows Logsrdquo ldquoApplicationrdquo 423 Click refresh and view the top BCCA log
4231 Does it show connected to the user Id 4232 If it does not show connected Why does it show
that it fails (what is the error) 4233
43 Is Active Directory working correctly 44 Is the internal Ip address of the server directly reachable by the client
machine (if using SAML)
copy 2017 ATampT Internal use only All rights reserved
13
61 Auth Connector SAML ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
4
2 Explicit Proxy – Access Method

Explicit Proxy – Minimum Requirements
Firewall Configuration
- TCP 8080 must be open on the firewall
- TCP 443 must be open (for SSL connections)
Client proxy configuration
- Explicit Proxy Destination: proxy.threatpulse.com:8080
- Destination if using PAC configuration: https://portal.threatpulse.com/pac
Portal Configuration
- Define Location
If using Auth Connector or SAML, refer to the Auth Connector/SAML – Minimum Requirements section. Refer to the diagram below for the total data flow.

Troubleshooting the Explicit Proxy Connection Method
1 Firewall
1.1 Is there an active Internet connection?
1.2 telnet to proxy.threatpulse.com 8080
1.3 telnet to proxy.threatpulse.com 443
1.4 ping proxy.threatpulse.com (if ping is enabled)
2 Node Explicit Proxy
2.1 In Windows:
2.1.1 Open Internet Explorer
2.1.2 Click on Tools
2.1.3 Click on Internet Options
2.1.4 Click on Connections
2.1.5 Click on LAN Settings
2.1.6 Click on the check box for Proxy Server
2.1.7 Enter proxy.threatpulse.com and port 8080
2.1.8 Click OK
2.1.9 Open the browser to demo.threatpulse.com to see if the computer is protected
3 PAC Configuration
3.1 In Windows:
3.1.1 Open Internet Explorer
3.1.2 Click on Tools
3.1.3 Click on Internet Options
3.1.4 Click on Connections
3.1.5 Click on LAN Settings
3.1.6 Click on the check box for Proxy Server
3.1.7 Under Automatic Configuration, enter "proxy.threatpulse.com/pac" and port 8080
3.1.8 Click OK
3.1.9 Open the browser to demo.threatpulse.com to see if the computer is protected
4 Portal Configuration
4.1 In a browser, go to portal.threatpulse.com
4.1.1 Log in with the correct username and password
4.1.2 Click on "Service"
4.1.3 Click on "Add Location"
4.1.4 Add the location name
4.1.5 Choose the access method "Explicit Proxy" from the drop-down arrow
4.1.6 Verify the IP/Subnet
4.1.7 If using SAML or Auth Connector, make sure that "Enable Captive Portal" is checked
4.1.8 Verify Country and Time zone
4.1.9 If the information is correct, a green check mark will appear to the right of the screen under "Status"
4.1.10 Verify the "Bypassed Sites" tab to make sure that the correct IP addresses are permitted or denied
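The firewall and client-side checks above (TCP connects to the proxy, the optional ping, the LAN proxy or PAC setting, and the demo page) can be run in one pass from the affected Windows client. The script below is an added example and is not part of the AT&T guide; the hostnames, ports and PAC URL are the ones the guide states, the registry key is the standard per-user WinINET "Internet Settings" key that Internet Options writes to, and the port list is generalised so that adding 8443 covers the Proxy Forwarding firewall check in section 3 as well.

```powershell
# Added example, not part of the AT&T guide: scripts the Explicit Proxy checks
# from section 2 (firewall reachability, LAN proxy / PAC settings, PAC download,
# demo page). Run on the Windows client as the user whose browser is affected.
# Assumption: the client stores its proxy settings in the standard WinINET key.

$ProxyHost = 'proxy.threatpulse.com'
$ProxyPort = 8080
$PacUrl    = 'https://portal.threatpulse.com/pac'
# Ports from the section 2 firewall checks. Add 8443 when troubleshooting the
# Proxy Forwarding method (section 3), which also requires that port.
$Ports     = @(8080, 443)

function Test-WssReachability {
    param([string]$Hostname, [int[]]$PortList)
    # Same as "telnet <host> <port>": a bare TCP connect, nothing is sent.
    $rows = @(foreach ($p in $PortList) {
        $r = Test-NetConnection -ComputerName $Hostname -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP ${Hostname}:${p}"; Ok = $r.TcpTestSucceeded; Detail = "$($r.RemoteAddress)" }
    })
    # Ping is optional in the guide (ICMP may be blocked), so it is reported, not fatal.
    $ping = Test-Connection -ComputerName $Hostname -Count 2 -Quiet -ErrorAction SilentlyContinue
    $rows += [pscustomobject]@{ Check = "ICMP ${Hostname}"; Ok = [bool]$ping; Detail = 'optional' }
    $rows
}

function Get-WinInetProxySetting {
    # Internet Options > Connections > LAN Settings stores its values here (per user).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [bool]$v.ProxyEnable      # "Use a proxy server" check box
        ProxyServer   = [string]$v.ProxyServer    # e.g. proxy.threatpulse.com:8080
        AutoConfigURL = [string]$v.AutoConfigURL  # e.g. https://portal.threatpulse.com/pac
    }
}

function Test-WssProxyConfig {
    param($Setting)
    $expected = "${ProxyHost}:${ProxyPort}"
    # ProxyServer is either "host:port" or per-protocol "http=host:port;https=host:port".
    $targets = @($Setting.ProxyServer -split ';' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    $explicitOk = $Setting.ProxyEnable -and ($targets -contains $expected)
    $pacOk = ($Setting.AutoConfigURL -eq $PacUrl)
    # One of the two is expected to pass, depending on whether the client uses the
    # explicit proxy entry (step 2) or the PAC file (step 3).
    @(
        [pscustomobject]@{ Check = "Explicit proxy = $expected"; Ok = $explicitOk; Detail = "ProxyEnable=$($Setting.ProxyEnable) ProxyServer='$($Setting.ProxyServer)'" }
        [pscustomobject]@{ Check = "PAC URL = $PacUrl";          Ok = $pacOk;      Detail = "AutoConfigURL='$($Setting.AutoConfigURL)'" }
    )
}

function Test-WssPacFile {
    param([string]$Url)
    # The PAC must be downloadable and must steer traffic to the cloud proxy:
    # every PAC file defines FindProxyForURL, and this one should name the proxy host.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
        $body = [string]$resp.Content
        $ok = ($body -match 'FindProxyForURL') -and ($body -match [regex]::Escape($ProxyHost))
        [pscustomobject]@{ Check = 'PAC download'; Ok = $ok; Detail = "HTTP $($resp.StatusCode), $($body.Length) bytes" }
    } catch {
        [pscustomobject]@{ Check = 'PAC download'; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-WssDemoPage {
    # Steps 2.1.9 / 3.1.9: fetch the demo page through the cloud proxy. This only
    # confirms the proxy answers the request; a person still reads the page to see
    # whether it reports the machine as protected.
    try {
        $resp = Invoke-WebRequest -Uri 'http://demo.threatpulse.com/' -Proxy "http://${ProxyHost}:${ProxyPort}" -UseBasicParsing
        [pscustomobject]@{ Check = 'demo.threatpulse.com via proxy'; Ok = ($resp.StatusCode -eq 200); Detail = "HTTP $($resp.StatusCode)" }
    } catch {
        [pscustomobject]@{ Check = 'demo.threatpulse.com via proxy'; Ok = $false; Detail = $_.Exception.Message }
    }
}

$report = @()
$report += Test-WssReachability -Hostname $ProxyHost -PortList $Ports
$report += Test-WssProxyConfig -Setting (Get-WinInetProxySetting)
$report += Test-WssPacFile -Url $PacUrl
$report += Test-WssDemoPage
$report | Format-Table Check, Ok, Detail -AutoSize
```

A failed "TCP 8080" or "TCP 443" row with a working "ICMP" row points at the firewall rules in the Minimum Requirements; both TCP rows passing with the proxy or PAC row failing points at the client's LAN Settings. Test-NetConnection requires Windows 8 / Server 2012 or later.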
2.1 Explicit Proxy – Flow Diagram
3 Proxy Forwarding – Access Method

Proxy Forwarding – Minimum Requirements
Firewall Configuration (NBFW)
- TCP 8080 must be open on the firewall
- TCP 443 must be open (for SSL connections)
- TCP 8443 (for trans NAT)
ProxySG forwarding configuration
- Forwards to proxy.threatpulse.com:8080
Portal Configuration
- Define Location (use the egress address of the NBFW)

Troubleshooting
1 Firewall
1.1 Is there an active Internet connection?
1.2 telnet to proxy.threatpulse.com 8080
1.3 telnet to proxy.threatpulse.com 443
1.4 ping proxy.threatpulse.com (if ping is enabled)
1.5 Verify that port 8443 is enabled
2 ProxySG
2.1 Open the ProxySG browser interface, https://1.1.1.1:8082 (use the correct IP), and log in
2.1.1 Click on Configuration
2.1.2 Click on Forwarding
2.1.3 Click on "Forwarding Hosts"
2.1.4 Is proxy.threatpulse.com there?
2.1.5 Click on "Default Sequence"
2.1.6 Is proxy.threatpulse.com on the right side under Alias name?
2.1.7 Click on the "Statistics" tab
2.1.8 Click on Health Monitoring to verify the health check: does it have a green OK?
3 Portal Configuration
3.1 In a browser, go to portal.threatpulse.com
3.1.1 Log in with the correct username and password
3.1.2 Click on "Service"
3.1.3 Click on "Add Location"
3.1.4 Add the "Location Name"
3.1.5 Choose the access method "Proxy Forwarding" from the drop-down arrow
3.1.6 Verify the "IP/Subnet"
3.1.7 Verify Country and Time zone
3.1.8 If the information is correct, a green check mark will appear to the right of the screen under "Status"
3.1 Proxy Forwarding – Flow Diagram
4 IPSec VPN – Access Method

IPsec – Minimum Requirements
Firewall Configuration (NBFW)
- Must use IPsec
- Must originate from the firewall
- Must enable port UDP 500
- Must use Main Mode negotiations
- Must use an IP address as gateway
- Must use a Pre-Shared Key
- Must define a Proxy ID
Portal
- Must have a Location Name
- Must define the Gateway IP of the firewall (inside Location)
- Must define the Pre-Shared Key (inside Location)
- Can enable Captive Portal (inside Location)
- Can use Auth Connector or SAML (inside Enable Captive Portal)
If using Auth Connector or SAML, refer to the Auth Connector/SAML – Minimum Requirements section.

Troubleshooting
1 Firewall
1.1 Is there an active Internet connection?
1.2 Is the firewall behind another firewall? (Bluecoat will not accept NAT-Traversal)
1.3 Can a Bluecoat Load Balancer be pinged (if ICMP is enabled)?
1.4 How far does trace-route go (if the load balancer cannot be pinged)?
1.5 Phase 1
1.5.1 Is the Bluecoat Cloud Load Balancer defined as Gateway?
1.5.2 Do the Phase 1 proposals match?
1.5.3 Does the Pre-Shared Key match the Portal?
1.5.4 Is Dead Peer Detection enabled (optional)?
1.6 Phase 2
1.6.1 Is the correct tunnel defined?
1.6.2 Do the Phase 2 proposals match?
1.6.3 Is the Proxy ID defined?
1.6.4 Are SSL and HTTP defined in an active SA?
1.6.5 Are SSL and HTTP forwarded to the active tunnel?
4.1 IPSec VPN – Flow Diagram
5 Client Connector – Access Method

Client Connector – Minimum Requirements
Firewall Configuration (NBFW)
- Allow TCP port 443
Client Configuration
- Must have an active Internet connection
- Download/install Client Connector on the local machine

Troubleshooting
1 Firewall (NBFW)
1.1 Is there an active Internet connection?
1.2 telnet to proxy.threatpulse.com 443
1.3 ping proxy.threatpulse.com (if ping is enabled)
2 Client Connector
2.1 Behind a Bluecoat Cloud connection under the same account in the portal:
2.1.1 Mouse over the Bluecoat icon on the bottom right of the screen
2.1.2 Should be failed open (color white)
2.2 Not behind a Bluecoat Cloud connection method in the same account:
2.2.1 Mouse over the Bluecoat icon on the bottom right of the screen
2.2.2 Should not be failed open (color is blue)
2.3 Verify that the Client Connector is connected
2.4 Right-click on the Bluecoat icon
2.5 Click "Status"
2.5.1 Is the Customer ID correct?
2.5.2 Are Local Services "UP"?
2.5.3 Is Network "available"?
2.5.4 Is the Connector status "Connected to Threatpulse"?
2.5.5 Is "HTTPS-OK" shown?
5.1 Client Connector – Flow Diagram
6 Auth Connector/SAML – Authentication

Auth Connector/SAML – Minimum Requirements
Firewall Configuration (NBFW)
- Allow TCP port 443 through egress
Portal Configuration
- Define Auth Connector/SAML
- Cert must match the server (if using SAML)
- Under Location > "Captive Portal", the subnet must be defined (if using SAML)
Server Configuration
- Must use Active Directory
- Internal IP must be reachable by the client machine as defined in the Portal (if using SAML)
- Cert must match the Portal cert (if using SAML)
- IdP listens on 8443 (if using SAML); traffic must be allowed to this host locally on this port
Auth Connector/SAML can be used with the Explicit Proxy and IPsec access methods.

Troubleshooting
1 Firewall
1.1 Is there an active Internet connection?
1.2 telnet to proxy.threatpulse.com 443
1.3 ping proxy.threatpulse.com (if ping is enabled)
2 Portal-side configuration for Auth Connector or SAML
2.1 Log into the Portal at portal.threatpulse.com
2.1.1 Click on Service
2.1.2 Click on "Authentication"
2.1.3 Click Auth Connector
2.1.4 Is "Auth Connector Status" green?
3 If using SAML
3.1 Follow the previous steps 2.1 through 2.1.2
3.2 Click SAML
3.2.1 Under Endpoint URL, the address should look like http://192.168.1.1/bcca/saml/idp (the internal, non-routed IP of the server with Active Directory)
3.2.2 Does the cert defined in Signing Certificate Chains match the cert on the Active Directory server?
3.2.3 Is "Auth Connector Status" green?
4 Server-side configuration
4.1 Services
4.1.1 Click on Start > "All Programs" > "Administrative Tools" > "Services"
4.1.1.1 Click on Blue Coat Auth Connector
4.1.1.2 Are the Blue Coat Auth services running (status Started)?
4.1.1.3 If not, click Start or Restart (to start or restart the services)
4.2 Event Logs
4.2.1 Click on Start > "All Programs" > "Administrative Tools" > "Event Viewer"
4.2.2 Click on "Windows Logs" > "Application"
4.2.3 Click Refresh and view the top BCCA log
4.2.3.1 Does it show connected to the user ID?
4.2.3.2 If it does not show connected, why does it show that it fails (what is the error)?
4.3 Is Active Directory working correctly?
4.4 Is the internal IP address of the server directly reachable by the client machine (if using SAML)?
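The server-side and SAML checks above (service state, the newest BCCA events in the Application log, Active Directory health, and client reachability of the IdP on 8443 with a certificate that matches what the portal holds) can also be scripted. The script below is an added example, not part of the AT&T guide or the Auth Connector product; it assumes the Windows service is found by the "Blue Coat Auth Connector" display name the guide shows in Services, that BCCA entries in the Application log carry "BCCA" in their provider name or message, and that $IdpHost and $ExpectedThumbprint are placeholders to be replaced with the values configured in the portal.

```powershell
# Added example, not part of the AT&T guide: scripts the section 6 checks.
# The service, event-log and AD checks run on the Auth Connector (Windows/AD) server;
# Test-IdpEndpoint runs on a client inside the subnet defined under the location's
# Captive Portal, because the guide requires the client to reach the IdP directly.
# Assumptions not stated in the guide: service display name, how BCCA log entries
# are recognised, and the placeholder IdP address / certificate thumbprint below.

$IdpHost            = '192.168.1.1'   # placeholder: internal, non-routed IP of the Auth Connector server
$IdpPort            = 8443            # from the guide: the SAML IdP listens on 8443
$ExpectedThumbprint = 'PASTE-PORTAL-CERT-THUMBPRINT-HERE'  # placeholder: thumbprint of the cert in Signing Certificate Chains

function Get-BccaServiceState {
    # 4.1: is the Blue Coat Auth Connector service running?
    $svc = Get-Service -DisplayName 'Blue Coat Auth Connector*' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $svc) { return [pscustomobject]@{ Check = 'BCCA service'; Ok = $false; Detail = 'no service with that display name' } }
    [pscustomobject]@{ Check = 'BCCA service'; Ok = ($svc.Status -eq 'Running'); Detail = "$($svc.Name) is $($svc.Status)" }
}

function Get-LatestBccaEvents {
    param([int]$Count = 5)
    # 4.2: newest BCCA entries in Windows Logs > Application (Get-WinEvent returns newest first).
    # Read them the way the guide does: does the top entry say connected, and if not, what error does it carry?
    Get-WinEvent -FilterHashtable @{ LogName = 'Application' } -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*BCCA*' -or $_.Message -like '*BCCA*' } |
        Select-Object -First $Count TimeCreated, LevelDisplayName, ProviderName, Message
}

function Test-ActiveDirectory {
    # 4.3: can this server still locate a domain controller for its own domain?
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc = $domain.FindDomainController()
        [pscustomobject]@{ Check = 'Active Directory'; Ok = $true; Detail = "$($domain.Name) via $($dc.Name)" }
    } catch {
        [pscustomobject]@{ Check = 'Active Directory'; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-IdpEndpoint {
    param([string]$Hostname, [int]$Port, [string]$Thumbprint)
    # 4.4 and 3.2.2: the client must reach the IdP on 8443 directly, and the certificate
    # it presents must be the one defined in the portal.
    $tcp = Test-NetConnection -ComputerName $Hostname -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Check = "IdP TCP ${Hostname}:${Port}"; Ok = $false; Detail = 'not reachable from this client' }
    }
    $client = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        # Accept whatever certificate the IdP presents during the handshake: it is being
        # inspected, not trusted. The real validation is the thumbprint comparison below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Hostname)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $want = ($Thumbprint -replace '[\s:]', '').ToUpper()
        [pscustomobject]@{
            Check  = 'IdP certificate matches portal'
            Ok     = ($cert.Thumbprint -eq $want)
            Detail = "presented $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter.ToShortDateString())"
        }
    } catch {
        [pscustomobject]@{ Check = 'IdP certificate matches portal'; Ok = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# On the Auth Connector server:
@(Get-BccaServiceState; Test-ActiveDirectory) | Format-Table Check, Ok, Detail -AutoSize
Get-LatestBccaEvents | Format-List
# On a client in the captive-portal subnet:
Test-IdpEndpoint -Hostname $IdpHost -Port $IdpPort -Thumbprint $ExpectedThumbprint | Format-Table Check, Ok, Detail -AutoSize
```

A reachable port with a thumbprint mismatch is the "cert must match Portal cert" requirement failing (typically a renewed server certificate that was never re-uploaded to the portal); an unreachable port from a client that is inside the configured subnet points at local filtering of 8443 on the server or on the path to it.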
6.1 Auth Connector/SAML – Flow Diagram
services)
42 Event Logs
421 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquo rdquoEvent Viewerrdquo
422 Click on ldquoWindows Logsrdquo ldquoApplicationrdquo 423 Click refresh and view the top BCCA log
4231 Does it show connected to the user Id 4232 If it does not show connected Why does it show
that it fails (what is the error) 4233
43 Is Active Directory working correctly 44 Is the internal Ip address of the server directly reachable by the client
machine (if using SAML)
copy 2017 ATampT Internal use only All rights reserved
13
61 Auth Connector SAML ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
10
5 Client Connector ndash Access Method
Client Connector ndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP ports 443
Client Configuration o Must have an active Internet connection o DownloadInstall Client Connector to local machine
1 Firewall (NBFW) 11 Is there an active Internet connection 12 telnet to proxythreatpulsecom 443 13 ping proxythreatpulsecom (if ping is enabled)
2 Client Connector
21 Behind a Bluecoat Cloud Connection under the same account in the portal 211 Mouse over Bluecoat Icon on bottom right of the screen 212 Should be failed open (color white)
22 Not Behind a Bluecoat Cloud Connection method in the same account 221 Mouse over Bluecoat Icon on bottom right of the screen 222 Should not be failed open (color is blue)
23 Verify that the Client Connector is connected 24 Right mouse on Bluecoat Icon 25 ldquoClick Statusrdquo
251 Is the Customer ID correct 252 Are Local Services ldquoUPrdquo 253 Is Network ldquoavailablerdquo 254 Is the Connector status ldquoConnected to Threatpulse 255 Is ldquoHTTPS-OKrdquo
copy 2017 ATampT Internal use only All rights reserved
11
51 Client Connector ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
12
6 Auth Connector SAML ndash Authentication
Auth Connector SAMLndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP port 443 through Egress
Portal Configuration o Define Auth ConnectorSAML o Cert must match server (if using SAML) o Under Location rdquoCaptive Portalrdquo the subnet must be
defined (if using SAML)
Server Configuration
Must use Active Directory
Internal Ip Must be reachable by Client machine as defined in Portal (if using SAML)
Cert must match Portal Cert (if using SAML)
IDP listens on 8443 (if using SAML) o Traffic must be allowed to this host locally on this port
Auth ConnectorSAML can be used with Explicit and Ipsec Access Methods
1 Firewall 11 Is there an active Internet connection
11 telnet to proxythreatpulsecom 443 12 ping proxythreatpulsecom (if ping is enabled)
2 Portal Side Configuration for Auth Connector or SAML 21 Log into Portal threatpulsecom
211 Click on Service 212 Click on ldquoAuthenticationrdquo 213 Click Auth Connector 214 Is ldquoAuth Connector Statusrdquo Green
3 If using SAML 31 Follow the previous Steps 21 through 212 32 Click SAML
321 Under Endpoint URL the address should look as follows http19216811bccasamlidp (The internal non routed IP of the server with Active directory) 322 Does the Cert defined in Signing Certificate Chains match the cert
on the Active Directory Server 323 Is ldquoAuth Connector Statusrdquo Green
4 Server Side Configuration
41 Services 411 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquordquo Servicesrdquo
4111 Click on Blue Coat Auth Connector 4112 Are Blue Coat Auth services running (under
status started) 4113 If not click Start or Restart (to start or restart
services)
42 Event Logs
421 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquo rdquoEvent Viewerrdquo
422 Click on ldquoWindows Logsrdquo ldquoApplicationrdquo 423 Click refresh and view the top BCCA log
4231 Does it show connected to the user Id 4232 If it does not show connected Why does it show
that it fails (what is the error) 4233
43 Is Active Directory working correctly 44 Is the internal Ip address of the server directly reachable by the client
machine (if using SAML)
copy 2017 ATampT Internal use only All rights reserved
13
61 Auth Connector SAML ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
11
51 Client Connector ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
12
6 Auth Connector SAML ndash Authentication
Auth Connector SAMLndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP port 443 through Egress
Portal Configuration o Define Auth ConnectorSAML o Cert must match server (if using SAML) o Under Location rdquoCaptive Portalrdquo the subnet must be
defined (if using SAML)
Server Configuration
Must use Active Directory
Internal Ip Must be reachable by Client machine as defined in Portal (if using SAML)
Cert must match Portal Cert (if using SAML)
IDP listens on 8443 (if using SAML) o Traffic must be allowed to this host locally on this port
Auth ConnectorSAML can be used with Explicit and Ipsec Access Methods
1 Firewall 11 Is there an active Internet connection
11 telnet to proxythreatpulsecom 443 12 ping proxythreatpulsecom (if ping is enabled)
2 Portal Side Configuration for Auth Connector or SAML 21 Log into Portal threatpulsecom
211 Click on Service 212 Click on ldquoAuthenticationrdquo 213 Click Auth Connector 214 Is ldquoAuth Connector Statusrdquo Green
3 If using SAML 31 Follow the previous Steps 21 through 212 32 Click SAML
321 Under Endpoint URL the address should look as follows http19216811bccasamlidp (The internal non routed IP of the server with Active directory) 322 Does the Cert defined in Signing Certificate Chains match the cert
on the Active Directory Server 323 Is ldquoAuth Connector Statusrdquo Green
4 Server Side Configuration
41 Services 411 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquordquo Servicesrdquo
4111 Click on Blue Coat Auth Connector 4112 Are Blue Coat Auth services running (under
status started) 4113 If not click Start or Restart (to start or restart
services)
42 Event Logs
421 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquo rdquoEvent Viewerrdquo
422 Click on ldquoWindows Logsrdquo ldquoApplicationrdquo 423 Click refresh and view the top BCCA log
4231 Does it show connected to the user Id 4232 If it does not show connected Why does it show
that it fails (what is the error) 4233
43 Is Active Directory working correctly 44 Is the internal Ip address of the server directly reachable by the client
machine (if using SAML)
copy 2017 ATampT Internal use only All rights reserved
13
61 Auth Connector SAML ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
12
6 Auth Connector SAML ndash Authentication
Auth Connector SAMLndash Minimum Requirements Troubleshooting
Firewall Configuration (NBFW) o Allow TCP port 443 through Egress
Portal Configuration o Define Auth ConnectorSAML o Cert must match server (if using SAML) o Under Location rdquoCaptive Portalrdquo the subnet must be
defined (if using SAML)
Server Configuration
Must use Active Directory
Internal Ip Must be reachable by Client machine as defined in Portal (if using SAML)
Cert must match Portal Cert (if using SAML)
IDP listens on 8443 (if using SAML) o Traffic must be allowed to this host locally on this port
Auth ConnectorSAML can be used with Explicit and Ipsec Access Methods
1 Firewall 11 Is there an active Internet connection
11 telnet to proxythreatpulsecom 443 12 ping proxythreatpulsecom (if ping is enabled)
2 Portal Side Configuration for Auth Connector or SAML 21 Log into Portal threatpulsecom
211 Click on Service 212 Click on ldquoAuthenticationrdquo 213 Click Auth Connector 214 Is ldquoAuth Connector Statusrdquo Green
3 If using SAML 31 Follow the previous Steps 21 through 212 32 Click SAML
321 Under Endpoint URL the address should look as follows http19216811bccasamlidp (The internal non routed IP of the server with Active directory) 322 Does the Cert defined in Signing Certificate Chains match the cert
on the Active Directory Server 323 Is ldquoAuth Connector Statusrdquo Green
4 Server Side Configuration
41 Services 411 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquordquo Servicesrdquo
4111 Click on Blue Coat Auth Connector 4112 Are Blue Coat Auth services running (under
status started) 4113 If not click Start or Restart (to start or restart
services)
42 Event Logs
421 Click on Start ldquo All Programsrdquo ldquoAdministrative Toolsrdquo rdquoEvent Viewerrdquo
422 Click on ldquoWindows Logsrdquo ldquoApplicationrdquo 423 Click refresh and view the top BCCA log
4231 Does it show connected to the user Id 4232 If it does not show connected Why does it show
that it fails (what is the error) 4233
43 Is Active Directory working correctly 44 Is the internal Ip address of the server directly reachable by the client
machine (if using SAML)
copy 2017 ATampT Internal use only All rights reserved
13
61 Auth Connector SAML ndash Flow Diagram
copy 2017 ATampT Internal use only All rights reserved
13
61 Auth Connector SAML ndash Flow Diagram