Blue Coat Home Page Choose a PacketGuide version  Search Index


What's New?




 Blue Coat Sky Tasks

 PolicyCenter Tasks


 Product Information


Install BCAAA

PacketShaper uses the Blue Coat Authentication and Authorization Agent (BCAAA) to resolve IP addresses to user names so that it can classify and report on network users and groups. You must install BCAAA version 6.1 on a Windows Domain Controller (DC) or other member server (running version Windows 2008 or 2012). When deciding where to install BCAAA, keep in mind that it must be able to contact every DC that contains user login sessions for the users you are authenticating. Therefore, you should try to keep BCAAA on the same subnet as the DC whenever possible to avoid excess WAN bandwidth usage.


  • You must have a BTO account with a valid support contract in order to download BCAAA. If you do not yet have an account, you can request one at the following URL:
  • BCAAA version 6.1 is required when using the user awareness feature in PacketWise 9.2.2. If you were using an earlier version of BCAAA with PacketWise 9.2.1, you must uninstall it before installing the new version.
  • The BCAAA-PacketShaper communication port on your Windows server firewall needs to be opened up for BCAAA to work. The BCAAA Setup wizard has an option for configuring this setting.

Planning for your BCAAA Installation

It’s important to size your BCAAA installation appropriately when preparing to use the user awareness feature. To ensure that BCAAA can service all the queries from PacketShaper, Blue Coat recommends the following BCAAA-to-PacketShaper ratios:

  • One instance of BCAAA per PacketShaper for any number of supported hosts.


  • For redundancy, a PacketShaper can connect to two BCAAA servers. If PacketShaper detects that the primary BCAAA server is down, it automatically connects to the secondary BCAAA server. One server is active, and the other is standby.


  • Multiple PacketShapers can share a single BCAAA server if the number of active hosts on each PacketShaper is less than or equal to the IP-user cache size for that model (equivalent to three times the supported number of users).

Disregarding these recommendations could overload the BCAAA server, resulting in BCAAA being unable to respond to PacketShaper IP-user queries. See Configuration Limits for per-model specifications.

Caution: To prevent any impact on ProxySG authentication functionality, PacketShaper should not share a BCAAA server with a ProxySG.

Download and Install BCAAA

The user who installs BCAAA needs admin rights on the BCAAA server. Installation can be performed by a local admin – that is, an account that exists only on the BCAAA server, and not in Active Directory. The install could also be performed by an Active Directory admin.

1. Log in to the Windows server where you plan to install BCAAA.

2. In a web browser, log in to BTO (

3. Go to the PacketShaper download page ( and locate the version of PacketWise you are using.

4. Click the WindowsBCAAA link. Follow the screen prompts to download the package.

5. Unzip the BCAAA setup package and double-click the .exe file to launch the BCAAA Setup wizard.

6. To begin the setup, click Next.

7. Destination Folder: Specify the location for the BCAAA software. You can accept the default location (C:\Program Files\Blue Coat Systems\BCAAA) or browse to a different location. Make sure that your anti-virus software is not configured to scan the directory in which you install BCAAA. Click Next to continue.

Note: If you are installing on a system that is running a previous BCAAA version, make sure you install to the same location as the previous version to ensure that your configuration settings are retained.

8. Port Number: Specify the port number that BCAAA and the PacketShaper will use to communicate. By default, both BCAAA and the PacketShaper use port 16101. If you choose a port other than the default, you must set the same value on the PacketShaper. In addition, make sure that this port is not blocked by a firewall between the BCAAA server and the PacketShaper or by the Windows firewall on the server where you are installing BCAAA. Click Next to continue.

9. Firewall Configuration: Enable the Open port option to have the BCAAA Setup wizard open the BCAAA-PacketShaper communication port (16101 by default) on the Windows server firewall. If you don't enable this option, you will need to manually configure this setting yourself.

10. SSL Requirements: When prompted whether you want to use SSL between the PacketShaper and BCAAA, select Forbidden, and then click Next.


11. Windows SSO Configuration: When asked whether this installation will be supporting a ProxySG with a Windows SSO realm or a PacketShaper, select Yes. Click Next to continue.

12. Service Account Configuration: Enter the user name and password that the BCAAA service will log on as. The account must be a member of the domain. Click Next to continue.

13. Click Install. When installation completes, the final BCAAA screen displays.


  • To uninstall the BCAAA agent, double-click the BCAAA .exe file to launch the BCAAA Setup wizard, then select Remove. Note that if you need to modify a setting after installing BCAAA, you must remove it and then re-install.

See also:

BCAAA Overview

BCAAA Troubleshooting

Configure PacketShaper as a BCAAA Client

User Awareness Overview

PacketGuide™ for PacketWise® 9.2