Alternative to Bluecoat ProxySG

Can you recommend an alternative to Bluecoat ProxySG? We are looking at a product with content filtering, malware protection and proxy service. Is Cisco WSA a good alternative?
Brian Garcia, Technology Support Specialist, Asked:

Ramakrishna Prabhu, Network Engineer, Commented:
Squid can be a good alternative.
Brian Garcia, Technology Support Specialist, Author Commented:
We have used Squid but we don't like the filtering (DansGuardian, SquidGuard). We have problems passing other protocols (Citrix, SSL VPN, etc.). So we used Bluecoat, but it's costly so we are looking for an alternative.

We are looking at Cisco Web Security Appliance since we can get it for a much lower price, but I don't know if it can replace the functionality of Bluecoat.
Rich Rumble, Security Samurai, Commented:
We use Sophos proxies with good results, but we don't inspect HTTPS as all the vendors we tried had issues, so maybe someone is doing it better these days. SafeSquid I've used in the past with good results, but the category lists from Sophos and others are typically better and more complete than what SafeSquid was using. The proxy should not be processing VPN traffic, well at least encrypted VPN traffic; you typically need a bypass/direct connection for them to work. Sophos is easy to use, has good support, and using WCCP instead of a PAC file was the best thing we did in our rollouts.
Brian Garcia, Technology Support Specialist, Author Commented:
We need to inspect all internet traffic because this is part of our network policy. We may have a hard time implementing WCCP because of complex network routing and multiple network connections.

Bluecoat can do all our requirements, even HTTPS inspection, SSL VPN and Citrix access, but it's costly so we need to provide an alternative.
Rich Rumble, Security Samurai, Commented:
The VPN portion seems like it would give you very little protection over what is already in place for most networks. When you are connected via VPN it's like you're in the office. I don't see the VPN as critical from a security perspective. Are your users not doing split-tunnel? I don't see the VPN inspection as a practical move, even if someone can do it.
Citrix too seems like a waste of resources; Citrix is a remote control portal when your users are accessing it. 99% of the traffic is video, mouse and keyboard input, which isn't how a virus or unwanted exe gets into a network. The clipboard is the only part that would be remotely practical to inspect, and even then you should have AV on the server side that would catch it. I'm again not seeing why you'd inspect Citrix.
As for the HTTPS, our clients have lots of trouble with every vendor we've used. We've POC'd BlueCoat and it was no better or worse; they (proxies) all suffer from not being able to do some sites and applications. The main benefit that comes from the proxies is always the site classifications; being able to curtail the users from visiting certain sites or types of sites is the best part overall. The second layer of AV is good too, especially when the AV vendor is different than what you are using already. BC allows you to choose from 5 different vendors, so if your PCs are using McAfee already, don't use McAfee as the scanning engine in the proxy.
WCCP is perfect then; it allows you to FWD connections bound for HTTP/HTTPS based on certain criteria. You can base the rules that WCCP uses to fwd on the physical interfaces, VLANs, IP/subnet and MAC addresses. A user moving around from port to port can still be fwd'd to the proxy if the rule is dynamic, like using the subnet as a match.
Brian Garcia, Technology Support Specialist, Author Commented:
Thanks Rich for your explanation. I agree with you that VPN and Citrix should not be under proxy because of certain limitations and redundancy. And the facilities which they run are already secured.

For HTTPS, we don't have any issues forwarding this to Bluecoat Proxy.

But our dilemma is we are supporting multiple clients with multiple SSL VPNs. Some SSL VPNs are through the internet while some are through the corporate WAN (e.g. US, Europe, India and Asia). We may have problems implementing WCCP so we are using PAC.

Are you suggesting we move to WCCP instead of PAC? How can we do that given the above dilemma, and how can I redirect other HTTP traffic which is in the corporate WAN?
Brian Garcia, Technology Support Specialist, Author Commented:
We are also accessing multiple Citrix through Internet and Corporate WAN so how can we implement redirection through WCCP?
Rich Rumble, Security Samurai, Commented:
WCCP can be used, but PAC files offer more flexibility. The only way to use WCCP effectively is to block egress 443 and port 80, wherever possible. If your networks are too messy to sort out who is a user and should be proxied, then you may have no choice and have to use PAC. If you have clearly defined subnets, WCCP is awesome. We have about 100 proxy by-passes or "directs" we use because (mostly) Java applications don't work well with proxies. Web-ex, Fed-ex, citibank, lots of websites too don't work because of their Java applets. But using WCCP we are able to use those sites and Java applets. If you don't have any "return direct" statements in your PAC file it'd be the first I've ever seen :)
WCCP is hard if you have mixed use cases, if you can however properly isolate and segment functions using subnets then it's much easier.
Users = 10.10.10-30
Server = 10.10.100-120
Network = 10.10.200-220 (vpn, switches etc...)
Misc = 10.10.221-255
If you can't like that easily, then WCCP won't be easy, if you want to create a bunch of rules it could be done, but like you said it becomes an issue.
I've used the Sophos products with good success, WCCP and/or PAC, but there are caveats, whitelists and bypasses for both.
Websense is traditionally Blue Coat's primary competition. If you are looking for cloud services, that muddies the waters. Do you want to host at multiple sites? What sort of traffic are you looking to proxy? What control do you want to exert over it? If you start looking for threat protection you can look at new players like Zscaler. If you have workers that are in the field and not physically behind a proxy, you are going to start needing to install a client. The dreaded client.
Regarding Citrix, this is not compatible with many proxies last I checked. Palo Alto Networks NGX FWs can do all of the proxy, content filtering, SSL decryption etc. that most proxies can, and they have moved toward the cloud hosting bandwagon as well.
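
The PAC approach discussed in the thread, with per-site "return DIRECT" bypasses and a client-subnet check, can be sketched as follows. This is an added example, not code posted by any participant: the proxy address and bypass domains are constructed placeholders, "Users = 10.10.10-30" is read as third octets 10 through 30, and the shims at the top exist only so the file runs outside a browser.

```javascript
// Shims for the PAC built-ins so this also runs under Node; a browser supplies
// its own. Constructed: dotted-quad literals only, no DNS resolution.
const ipToInt = ip => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
globalThis.isInNet ??= (host, net, mask) =>
  /^\d+(\.\d+){3}$/.test(host) &&
  ((ipToInt(host) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
globalThis.dnsDomainIs ??= (host, domain) => host.endsWith(domain);
globalThis.isPlainHostName ??= host => !host.includes(".");
let clientIp = "10.10.15.20";            // constructed client address used by the shim
globalThis.myIpAddress ??= () => clientIp;

// ---- PAC logic proper (ES5 style so older PAC engines accept it) ----
// No "; DIRECT" fallback after the proxy: if the proxy is unreachable, user
// traffic fails closed instead of silently skipping content filtering.
var PROXY = "PROXY proxy.example.internal:8080";   // hypothetical proxy
var DIRECT_DOMAINS = [                              // constructed bypass list
  ".java-app.example.com",
  ".partner-vpn.example.net"
];

function FindProxyForURL(url, host) {
  // Internal destinations (short names, 10.0.0.0/8) never use the proxy.
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Per-site "directs" for applications that break behind a proxy.
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) return "DIRECT";
  }
  // Only clients in the user range 10.10.10-30.x are proxied; servers and
  // network gear in the other ranges go direct.
  var o = myIpAddress().split(".").map(Number);
  var isUser = o[0] === 10 && o[1] === 10 && o[2] >= 10 && o[2] <= 30;
  return isUser ? PROXY : "DIRECT";
}
```

Every "DIRECT" branch is traffic the proxy never sees, so it only holds up as policy when the firewall restricts egress on ports 80 and 443 to the proxy and the listed exceptions.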