Blue Coat Systems Proxy SG Time Clock User Manual


 
Chapter 2: Managing Content Policy Language
37
But policy cannot determine the value of the Content-type response header until the response is
returned. The ProxySG cannot contact the server to get the response until policy determines what
hosts or gateways to route through to get there. In other words, policy must set the
forward()
property. But policy cannot commit the forwarding action until the Content-type response header has
been determined. Again, since the condition is not testable until later in the request (after the time at
which the property must be set), an error is received.
Understanding Layers
Five types of layers are allowed in any policy file. The layer type determines the kinds of transaction
its rules will act upon. The token used in the header identifies the layer type.
<Admin>—Used to define policy that controls access to the management console and the
command line. Policy is not evaluated for serial console access or SNMP traffic, however.
<Cache>—Used to list policy rules that are evaluated during both cache and proxy transactions.
<Exception>—Exception layers are evaluated when a proxy transaction is terminated by an
exception.
<Forward>—Forward layers are only evaluated when the current transaction requires an
upstream connection. Forwarding policy is generally distinct and independent of other policies,
and is often used as part of maintaining network topologies.
<Proxy>—Used to list policy rules that are evaluated during a proxy transaction.
Important: Only a subset of the conditions, properties, and actions available in the policy language is
permitted within each layer type; the remainder generate compile-time errors. The CPL
Reference for the conditions, properties, and actions describes where they can be used.
<Admin> Layers
<Admin> layers hold policy that is executed by Administrator transactions. This policy is used to
specify an authentication realm; to allow or deny administrative access based on the client’s IP
address, credentials, and type of administrator access requesuested (read or write); and to perform
any additional logging for administrative access.
Important: When traffic is explicitly proxied, it arrives at the <Admin> layer with the client IP
address set to the ProxySG’s IP address; therefore, the
client.address= condition is not
useful for explicitly proxied traffic.
The syntax is:
<Admin [label]> [admin_condition][admin_properties] ...
admin_content
where:
The
<Admin> layer defines the transactions evaluated against this policy, and restricts the triggers
and properties allowed in the rules used in the layer.
The optional
label, separated from the layer type by space, is a CPL User-defined Identifier.
The optional
admin_condition is a list of triggers, all of which must evaluate to true before the
layer content is evaluated. For more information on using conditions, see Chapter 3: "Condition
Reference". See also the following Layer Guards section.