BCCPA Review Questions
Module 1: Introduction to the ProxySG
Review Questions and Answers
- Describe the role of a proxy server.
Answer: A proxy server is an intermediary that acts as both a server and a client for the purpose of
making requests on behalf of other clients. - Can proxy servers modify traffic between a client and server?
Answer: Yes - Where can you find information about the currently available models and capacities of the ProxySG
family?
Answer: bluecoat.com - Where can you go online to find the Blue Coat knowledge base?
Answer: support.bluecoat.com or bto.bluecoat.com
Module 2: ProxySG Security Deployments
Review Questions and Answers
- What are the three principal physical deployment methods for the ProxySG?
Answer: Inline, virtually inline, out of path - What are the two main client connection methods for the ProxySG?
Answer: Explicit proxy, transparent proxy - In which type of physical deployment is a ProxySG out of path but still has potential visibility to all
traffic through the use of a device such as a WCCP-capable router or a Layer 4 switch?
Answer: Virtually inline. - Name three methods by which client configuration can be performed in an explicit ProxySG
deployment.
Possible answers: Configure the user agent to point to the IP address or hostname of the ProxySG;
configure the user agent to use WPAD; configure the user agent to point to the location of a PAC file. - In which client connection type are user agents aware that a proxy has been deployed?
Answer: Explicit proxy. - In an explicit ProxySG deployment, the TCP packet sent from the client to the ProxySG contains what
value as the destination IP address?
Answer: The IP address of the ProxySG or a load balancer - In a transparent ProxySG deployment, the TCP packet sent from the client to the ProxySG contains
what value as the destination IP address?
Answer: The IP address of the origin content server - In a transparent ProxySG deployment, the TCP packet sent from the ProxySG to the origin content
server contains what value as the source IP address?
Answer: It depends on whether client IP address reflection is enabled. If so, the client IP address; if
not, the ProxySG IP address.
===================================================================================================
Module 3: ProxySG Initial Security Configuration
Review Questions and Answers
- True or false: Blue Coat Director cannot be used to configure a ProxySG until an IP address has been
assigned to the ProxySG by either the front panel or the serial console.
Answer: True. - Which SGOS edition is designed for Secure Web Gateway deployments?
Answer: Proxy Edition - Can a ProxySG automatically get its own IPv4 address during initial configuration?
Answer: No - If you lose the password to the setup console, what methods can be used to regain access to the setup
console?
Possible answers: Use the front panel buttons and screen, if available on this model, to reset the
password; open a serial connection, and use the CLI command restore-defaults
factory-defaults; use the appliance reset button, if available on this model. - When you issue the CLI command restore-defaults factory-defaults, does the ProxySG
keep its configured IP address so it can continue to be accessed?
Answer: No - When configured as part of an IPv6 network, how does the ProxySG gets its IP address?
Answer: The administrator must supply an IPv4 address manually. The ProxySG obtains an IPv6
address for each interface automatically, and the administrator can change these after completing
initial configuration.
Module 4: ProxySG Management Console
Review Questions and Answers
- What client-side technology does the Management Console use?
Answer: Java applets - What are the three main tabs of the Management Console?
Answer: Statistics, Configuration, Management - In the Management Console, how can you determine the serial number of the ProxySG?
Answer: The serial number is contained in the header, or you can go to Maintenance > System and
Disks. - How does the Management Console perform commands on the ProxySG?
Answer: By generating the appropriate CLI commands and executing them. - Can an access control list for built-in ProxySG administration contain IP addresses, subnet masks,
domain names, or some combination of these?
Answer: IP addresses and subnet masks. - What happens if two administrators on separate web browsers both change the time zone of the
ProxySG?
Answer: Last one wins. - If you click Revert three times in the Management Console, what happens?
Answer: Only the most recent uncommitted changes are undone; changes that already have been
applied cannot be undone. - When you click the Help button in the Management Console, what type of help can you expect to
receive?
Answer: Context-sensitive help related to the page from which you clicked Help. - How many SGOS images can reside on one ProxySG at the same time?
Answer: Up to five.
===================================================================================================
Module 5: ProxySG Security Licensing
Review Questions and Answers
- In the Proxy Edition of SGOS, are client connections allowed or denied by default?
Answer: Denied. - Can you change from the Proxy Edition to the MACH5 Edition?
Answer: Yes, but the previous configuration is lost. - A newly-shipped physical ProxySG contains what type of license?
Answer: Trial. - True or false: Use of the Flash streaming proxy requires the installation of an optional license.
Answer: True. - Some models of the ProxySG have a user limit. This limit is based on what factor?
Answer: The number of unique client IP addresses with open inbound TCP connections to the ProxySG.
Module 6: Proxy Services
Review Questions and Answers
- Listeners, services, or proxies: Which of these are responsible for detecting incoming traffic that
matches specific IP addresses or subnets?
Answer: Listeners. - What are the four components of a proxy service?
Answer: Listener parameters to match against, whether to intercept or bypass, which proxy to use, and
attributes to control proxy processing. - When a proxy service listener matches incoming client traffic and is set to Bypass, what happens to the
traffic?
Answer: The answer depends on whether the client is using an explicit or transparent proxy
connection. - What are the four components of a proxy service listener?
Answer: Source addresses, destination addresses, TCP port, action. - Can more than one listener be associated with a proxy service?
Answer: Yes. - What service group does Blue Coat recommend for the Telnet service, and why?
Answer: Bypass recommended, because it is an interactive service that cannot benefit significantly
from caching or optimization. - Which proxy service matches incoming traffic if it does not match any other listener?
Answer: Default. - Why does the Internal HTTP proxy service use the TCP Tunnel proxy by default?
Answer: Many internal applications are not fully HTTP-compliant, which might cause the ProxySG to
reject connections. - If you enable client IP address reflection for all proxy services, what could cause client traffic to be handled incorrectly?
Answer: Asymmetric routing could cause TCP connections to be dropped and client requests to fail.
Module 8: Introduction to the Visual Policy Manager
Review Questions and Answers
- If you use the VPM to create policy, can you also write your own CPL outside the VPM to create
additional policy?
Answer: Yes. - What policy tasks require using the VPM and cannot be performed in CPL?
Answer: None. (But the opposite is not true.) - When policy created in the VPM is installed, what two files does the VPM update on the ProxySG?
Answer: VPM-CPL and VPM-XML. - What is the purpose of the VPM-XML file?
Answer: It stores the visual state of the VPM user interface (not the generated CPL). - Are VPM rules grouped into layers, or are layers grouped into rules?
Answer: Rules are grouped into layers. - Can you have more than one Web Access layer active in the VPM at any given time?
Answer: Yes. - What are the four types of VPM trigger objects?
Answer: Source, destination, service, and time. - In the VPM, a URL category such as “Travel” or “Hacking” is an example of what type of trigger?
Answer: Destination. - When rules in a VPM layer are being evaluated, what causes evaluation to stop and proceed to the next
layer?
Answer: A match against the trigger in that rule. - If the VPM has two Web Access layers, which one is evaluated first?
Answer: The one that is visually to the left. - If the VPM displays a Web Access layer on the left edge and a Web Authentication layer to the right of
the Web Access layer, which one is evaluated first?
Answer: Web Authentication layer.
Module 9: Content Filtering and WebPulse
Review Questions and Answers
- WebPulse uses URL information from which Blue Coat products?
Answer: ProxySG, ProxyClient, K9. - In WebPulse, does background analysis of URLs use human raters?
Answer: Yes, but only if machine analysis is inconclusive. - Where is the WebFilter database stored?
Answer: On both the ProxySG and at several data centers around the world. - If the ProxySG is configured to use the Internet Watch Foundation content filtering database, can
WebFilter be enabled at the same time?
Answer: Yes. - When WebFilter is enabled, how often does the ProxySG check for updates to the WebFilter database?
Answer: Every five minutes, during the hours of the day that are specified in the Management Console. - When dynamic categorization is disabled, what information is sent to WebPulse for each transaction?
Answer: The ProxySG does not contact WebPulse when dynamic categorization is disabled. - If both WebFilter and a local content filtering database are enabled on the ProxySG, which set of
categories takes priority in policy processing?
Answer: Neither has automatic priority. The order of rules and layers in policy determines how
categories affect the decision to allow or deny a transaction. - If a URL is categorized by WebFilter as “None,” what does this mean?
Answer: The URL is for a site that has not been categorized by WebFilter. This is common for intranet
sites. - A URL that is categorized by WebFilter can have how many applications associated with it?
Answer: Zero or one. - What list on the ProxySG can be configured to prevent requests to specific URLs from being shared
with WebPulse?
Answer: The private networks list.
Module 11: Authenticating Users on the ProxySG
Review Questions and Answers
- If you do not enable authentication on the ProxySG, can you still write policy to control client access to web content?
Answer: Yes, but only on external criteria such as IP address and time of day, not by username, group,
or attributes. - Explicit proxy authentication uses which HTTP response code to request credentials?
Answer: 407. - On the ProxySG, can more than one authentication realm be active at any given time?
Answer: Yes. - Which type of authentication realm does not require communication with an external authentication
server?
Answer: Local realm. - How does a local authentication realm know what credentials to authenticate against?
Answer: The administrator creates a user list on the ProxySG and associates it with one or more local
realms. - From the viewpoint of the ProxySG, a user login consists of which three components?
Answer: Username, IP address, authentication realm. - In the VPM, what does an Action object of Force Authenticate do?
Answer: It forces a user to authenticate even if the ProxySG is going to deny the request for some other
reason.
Module 12: IWA and LDAP Authentication Realms
Review Questions and Answers
- What types of authentication credentials are supported in an IWA realm?
Answer: Basic, NTLM, and Kerberos. - When does the ProxySG require the use of BCAAA with an IWA realm?
Answer: When your organization does not permit the ProxySG to join the Windows domain of the
authentication server. - In NTLM authentication, are passwords transmitted in plaintext, base 64-encoded, or encrypted?
Answer: None of the above. The challenge-response architecture of NTLM allows the client to be
authenticated without ever transmitting the password in any form. - In which type of IWA realm, BCAAA or direct, does the administrator specify the IP address of an
authentication server?
Answer: BCAAA. - How can you prevent passwords from being sent in plaintext between the ProxySG and an LDAP
server?
Answer: By enabling SSL communication between the ProxySG and the authentication server. - When specifying a search user for an LDAP authentication realm, what administrative permissions are
required on the search user account?
Answer: No special permissions are required. - A ProxySG has its Explicit HTTP proxy service set to Intercept with all of the default settings. An LDAP authentication realm is in use, and the authentication mode is set to “auto.” When
a client connects via HTTP and an explicit proxy connection to the Internet for the first time through this ProxySG, what is
the first response code that the client receives?
Answer: 407.
- When the ProxySG performs LDAP authentication with an explicit proxy connection, how often does the
ProxySG send a bind request with the search user DN to the authentication server?
Answer: The first time that an authentication request is made using this realm since the ProxySG was
last rebooted, or when the credential cache expires for the user in question. - For how long are LDAP user credentials cached on the ProxySG?
Answer: The default is 15 minutes, but the administrator can change this.
Module 14: Exceptions and Notifications
Review Questions and Answers
- What are the two types of ProxySG exceptions?
Answer: Pre-defined and user-defined. - When the ProxySG sends an exception page to a client, where does it get the text of the exception
page?
Answer: From the exception definition stored on the ProxySG. - How do you create a new built-in exception on the ProxySG?
Answer: You cannot do this. - In a user-defined exception created on the ProxySG, what is the default HTTP response code?
Answer: 403. - When you delete a user-defined exception that is in use by the VPM, what happens when that exception
is subsequently triggered?
Answer: This cannot happen; the ProxySG prevents you from deleting the exception unless you first
remove all objects that reference that exception. - From where does the exception exception.user-defined.all inherit its properties?
Answer: The exception.all definition. - How do you create exception pages in the VPM?
Answer: You cannot do this in the VPM. - In the VPM, what type of object is a Notify User object?
Answer: Action. - After receiving a splash page from the ProxySG, how often will a user receive a subsequent splash
page?
Answer: The interval is configurable by the administrator.
Module 15: Access Logging
Review Questions and Answers
- By default, how often are ProxySG access logs uploaded to an external database or server?
Answer: Once per day, at 2 a.m. local time. - What are the five components of a log facility?
Answer: Log file, upload schedule, rotation schedule, log format, password. - By default, HTTP traffic that is logged is recorded to which log facility?
Answer: main. - By default, what log format is associated with the main log facility?
Answer: bcreportermain_v1 - What does the ELFF string cs-bytes represent?
Answer: The number of bytes transmitted from the client to the ProxySG. - If an access log file has no header, how does Blue Coat Reporter process the file?
Answer: It cannot, unless the administrator manually re-creates the header. - When uploading access logs, which type of upload uses the least disk space on the ProxySG: periodic
or continuous?
Answer: Continuous. - If you have configured continuous uploading of access logs and the ProxySG is unable to reach the
upload destination, what happens to the log entries?
Answer: They are stored locally until the connection is re-established, and then they are uploaded. - In the VPM, access logging is controlled by which type of objects?
Answer: Action objects. - True or false: Access logging is disabled by default, and you must configure the ProxySG to intercept
the protocols that you wish to log.
Answer: True.
Module 16: Managing SSL Traffic
Review Questions and Answers
- Which versions of SSL and TLS does the ProxySG support?
Answer: SSL versions 2 and 3, and TLS version 1.x. - For the ProxySG to decrypt SSL traffic, does the traffic need to be intercepted by a proxy service?
Answer: Yes. Tunneled traffic cannot be decrypted. - By default, when the ProxySG decrypt SSL traffic?
Answer: Only when there is an exception such as a certificate error or policy denial. In all other cases,
SSL traffic is tunneled unless policy is specifically written to intercept and decrypt it. - True or false: The SSL proxy uses location awareness to implement privacy policy consistent with local
laws at the client location.
Answer: False. - When a ProxySG processes an SSL transaction between a client and a content server, does the
ProxySG function as an SSL client or as an SSL server?
Answer: Both. - When a browser is configured to use an explicit proxy connection to the ProxySG, incoming HTTPS
traffic from that browser is intercepted by which proxy service?
Answer: Explicit HTTP. - When a browser is configured to use an explicit proxy connection to the ProxySG, which service setting
determines whether the traffic is passed to the SSL proxy or the HTTP proxy?
Answer: Detect protocol. - Which VPM layer can be most commonly used to control decryption of SSL traffic by authenticated
username?
Answer: SSL Intercept layer
Module 19: IPv6 in ProxySG Security Deployments
Review Questions and Answers
- IPv6 addresses are formed from an address space that is how long?
Answer: 128 bits. - What optional features or licenses must you purchase to enable IPv6 support on the ProxySG?
Answer: None. - Can you use the same ProxySG default gateway for both IPv4 and IPv6 addressing?
Answer: No. - Can you use IPv6 addressing on a ProxySG that communicates via WCCP with its router?
Answer: No. WCCP does not support IPv6 addressing. - If the ProxySG IPv6 force bypass setting is enabled, what happens to incoming IPv6 traffic?
Answer: It is bridged or routed and is not processed by the ProxySG. - When a ProxySG is being used as an IPv4-to-IPv6 gateway, how does the ProxySG determine the IPv6
address of the content server to which a client request should be directed?
Answer: By querying the IPv6 DNS server(s) that have been specified in the ProxySG configuration.
Meaningful information.
i need training on blue coat proxy