ICAP Configuration Field Definitions
From the Advanced menu, you can configure the ICAP servers that you want to use with a Secure Proxy engine. This enables communication with external servers hosting third-party anti-virus software, which scan files/requests in inbound data in transit through Secure Proxy before the data is sent to the backend destination server.
ICAP Configuration - Basic
Use this screen to configure the ICAP server connection information. Refer to the field definitions in the following table.

| Field Name | Description |
|---|---|
| ICAP Server Name | Name to assign to the ICAP server you create. Valid values are 1-150 alphanumeric characters with no spaces. Special characters allowed are period (.), dash (-), and underscore (_). |
| ICAP Server Host | DNS name or TCP/IP address where the ICAP server is installed. Valid values are 1-255 alphanumeric characters with no spaces. Special characters allowed are period (.), dash (-), colon (:), and underscore (_). |
| ICAP Server Port | Port number on which the ICAP server listens for connections. This is the port number you specified when installing your ICAP server. Valid values are 1-65535. |
ICAP Configuration - Security
Use this screen to define the secure connection requirements for the ICAP server definition. Refer to the field definitions in the following table.

| Field Name | Description |
|---|---|
| Use Secure Connection | Checked by default; enables SSL/TLS to secure communications with the ICAP Server. |
| Security Setting | Security protocol allowed for connections to the ICAP Server. Select the version from the drop-down list. |
| Trust Store | Location where the system and CA certificates are stored. System and CA certificates are used during a secure connection to verify that a certificate received from a server is signed by a trusted source. |
| CA/Trusted Certificates | The trusted certificate used to authenticate the certificate presented by the ICAP Server. Select one or more CA or trusted root certificates from the list of certificates stored in the trust store you selected in the Trust Store field. When the ICAP Server presents a certificate to establish a secure connection, the trusted root certificate located at the Secure Proxy server must match, or be the entity that signed, the certificate presented by the ICAP Server during the SSL handshake. |
| Key Store | Location where the SSL/TLS keys and system certificates you want to use are stored. |
| Key/System Certificate | Certificate presented by Secure Proxy to the ICAP Server if the server requires client authentication during the SSL/TLS handshake. Select the certificate to use for client authentication from the list of certificates stored in the key store you selected in the Key Store field. |
| Cipher Suites | List of ciphers that can be enabled to encrypt data transmitted during a secure SSL or TLS connection between Secure Proxy and an ICAP Server. Enable at least one cipher. |
ICAP Configuration - Advanced
Use this screen to configure advanced feature fields such as the maximum allowed file size, the connection retry limit, and the file extension types to consider for scanning. Refer to the field definitions in the following table.

| Field Name | Description |
|---|---|
| Maximum allowed file/request size | The maximum file/request size that is sent to an ICAP server hosting third-party anti-virus software for scanning. When the file/request size exceeds the maximum specified here, the file is sent to the backend server with the default extension (.unscanned) specified in the ICAP definition. The .unscanned extension is added to the file only for SFTP; HTTP does not rename the file when the size exceeds the limit. Default: 1024 KB, Range: 1-1000000 KB. In case of HTTP request, |
| Maximum allowed ICAP sessions | The maximum number of file sessions allowed in a Secure Proxy Engine instance across multiple SFTP/Connect:Direct adapters with an ICAP server hosting third-party anti-virus software. Default: 20 |
| Connection retry limit | Maximum number of connection retry attempts, after which the connection with the ICAP server is abandoned. Default: 3, Range: 1-10 |
| ICAP response timeout (in sec) | Number of seconds to wait for a response to begin arriving back from the ICAP server after sending a request. Default: 180 sec, Range: 1-600 sec |
| In case of ICAP server connection failures | Set one of the following system responses to apply when an ICAP server connection fails. Default: Session fail |
| ICAP Server Provider | ICAP server provider name. Default: McAfee |
| ICAP Server Service Name | ICAP Server service name. Default: wwreqmod |
| Preview Scanning | Preview scanning is enabled by default. Enabling this feature sends a small amount of data from the beginning of the file/request to the ICAP server. If no malware is detected, the ICAP Server requests Secure Proxy to send the rest of the data for virus and malware scanning. Default: Selected |
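The preview exchange that the Preview Scanning field (and num.preview.bytes under Properties) describes, shown as an ICAP REQMOD conversation. This is an added Python illustration, not Secure Proxy's own code: the host icap.example.test, port 1344, the stub server, the marker string and the sample HTTP request header are all constructed.

```python
import re

def build_reqmod_preview(host, port, service, body, http_req_hdr,
                         preview_bytes=1024, profile=None):
    """First ICAP message of a REQMOD exchange with a Preview (RFC 3507).
    service is the ICAP Server Service Name; profile, if given, becomes the
    profile= query parameter described under icap.service.profile.name."""
    uri = f"icap://{host}:{port}/{service}" + (f"?profile={profile}" if profile else "")
    preview = min(preview_bytes, len(body))
    icap_hdr = (f"REQMOD {uri} ICAP/1.0\r\nHost: {host}\r\n"
                f"Encapsulated: req-hdr=0, req-body={len(http_req_hdr)}\r\n"
                f"Preview: {preview}\r\n\r\n").encode()
    chunk = f"{preview:x}\r\n".encode() + body[:preview] + b"\r\n" if preview else b""
    # "0; ieof" tells the server the preview held the whole body: no 100 Continue needed
    end = b"0; ieof\r\n\r\n" if preview == len(body) else b"0\r\n\r\n"
    return icap_hdr + http_req_hdr + chunk + end

def remaining_body(body, preview_bytes=1024):
    """Chunked remainder of the body, sent only after a 100 Continue."""
    rest = body[preview_bytes:]
    chunk = f"{len(rest):x}\r\n".encode() + rest + b"\r\n" if rest else b""
    return chunk + b"0\r\n\r\n"

def parse_icap_status(response):
    """Status code from an ICAP status line such as b'ICAP/1.0 204 No Content'."""
    m = re.match(rb"ICAP/1\.0 (\d{3}) ", response)
    if not m:
        raise ValueError("not an ICAP status line")
    return int(m.group(1))

def scan_request(body, http_req_hdr, icap_server, preview_bytes=1024, **kw):
    """Drive one REQMOD exchange; icap_server maps a raw message to a raw reply.
    204 = unmodified (clean), 200 = server replaced the request (a block), 100 = send the rest."""
    msg = build_reqmod_preview("icap.example.test", 1344, "wwreqmod", body,
                               http_req_hdr, preview_bytes, **kw)
    status = parse_icap_status(icap_server(msg))
    if status == 100:
        status = parse_icap_status(icap_server(remaining_body(body, preview_bytes)))
    return status

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature hit

def stub_icap_server(message):
    """Constructed stand-in for the anti-virus ICAP server so this runs offline."""
    if MARKER in message:
        return b"ICAP/1.0 200 OK\r\n"
    if b"Preview:" in message and message.endswith(b"0\r\n\r\n"):
        return b"ICAP/1.0 100 Continue\r\n"  # preview clean but not ieof
    return b"ICAP/1.0 204 No Content\r\n"
```

A body no larger than the preview size is closed with `0; ieof` and needs only one round trip; a larger body costs a second message, which is the latency the ICAP response timeout must cover.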
ICAP Configuration - Scan by Extension

| Field Name | Description |
|---|---|
| File extension type scanning | Define the file extension types to be considered for anti-virus scanning. '*' indicates scanning all files. Default value: '*'. Valid values are 1-150 alphanumeric characters with no spaces. Special characters allowed are (+-_#$?~@&!µ?.*) |
ICAP Configuration - Rename Unscanned files

| Field Name | Description |
|---|---|
| Apply Extension to unscanned files | Select the check box to apply an extension to files that are not anti-virus scanned and are sent directly to the backend server. |
| Extension to be appended to unscanned files | Define the extension string to be appended to unscanned files. This extension is appended only if the Apply Extension to unscanned files check box is enabled. Default: unscanned |
ICAP Configuration - Properties
Use this screen to define properties in addition to the default properties associated with an ICAP server. Refer to the field definitions of the available properties in the following table.

| Field Name | Description |
|---|---|
| num.preview.bytes | Number of bytes first sent by Secure Proxy to the ICAP Server if preview scanning is enabled. If no malware is detected, the ICAP Server signals Secure Proxy to send the rest of the file for malware scanning. Default: 1024 bytes |
| icap.scan.buffer.size | Buffer size used to send the file data to the ICAP Server for scanning. Default: 131072 (128k) |
| icap.service.profile.name | Optional parameter. The value is added as a query parameter in the ICAP URL as profile=<value specified here>. |
| icap.handshake.timeout.secs | Timeout value in seconds for a TLS connection with the ICAP Server. Default: 60 seconds |
| icap.connection.timeout.secs | Timeout value for a TCP connection with the ICAP Server. Default: 180 seconds |
| response.msg.for.scan.error | Response message sent to the SFTP client if an error occurs during the scan and the file is uploaded to the backend without being scanned. |
| response.msg.for.scan.malware | Response message sent to the SFTP/HTTP client if malware is detected and the scan fails. |
| response.msg.for.scan.skipped | Response message sent to the SFTP client if the scan is skipped and the file is uploaded to the backend without being scanned. |
| sftp.client.temp.ext.names | If you are using the WinSCP SFTP client to upload files, it has a setting, enabled by default, that transfers large files of a certain size to a temporary file name (with the .filepart extension) and then renames the file. Set this property to the special extensions, separated by commas, that the SFTP client adds as a temporary extension when uploading large files. For example, WinSCP adds the extension 'filepart' for large file parts. |
| icap.http.unscanned.header.key | Header name to be added to the HTTP request if the scan is skipped and the request goes to the backend without scanning. Default: SCAN_SKIPPED |
| icap.http.unscanned.header.value | Header value to be used in the HTTP request if the scan is skipped and the request goes to the backend without scanning. Default: true |
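Putting the size limit, the extension filter, the unscanned-file rename, the SFTP temporary-extension property and the HTTP skip header together: an added Python model of the forwarding decision, not Secure Proxy's own implementation. The policy class, the comma separator for the extension list, and the choice to send the SCAN_SKIPPED header for oversize HTTP requests as well as extension-excluded ones are assumptions.

```python
from dataclasses import dataclass

@dataclass
class IcapPolicy:
    """Constructed model of the ICAP definition fields described on this page."""
    scan_extensions: str = "*"          # File extension type scanning ('*' = all)
    max_size_kb: int = 1024             # Maximum allowed file/request size
    apply_unscanned_ext: bool = True    # Apply Extension to unscanned files
    unscanned_ext: str = "unscanned"    # Extension to be appended to unscanned files
    temp_ext_names: str = "filepart"    # sftp.client.temp.ext.names (comma separated)
    http_header_key: str = "SCAN_SKIPPED"   # icap.http.unscanned.header.key
    http_header_value: str = "true"         # icap.http.unscanned.header.value

def effective_extension(filename, temp_ext_names):
    """Real extension of an upload, ignoring an SFTP client's temporary suffix
    (WinSCP's .filepart) so 'tool.exe.filepart' is still judged as 'exe'."""
    temps = {t.strip().lower() for t in temp_ext_names.split(",") if t.strip()}
    parts = filename.lower().split(".")
    if len(parts) > 1 and parts[-1] in temps:
        parts.pop()
    return parts[-1] if len(parts) > 1 else ""

def should_scan(filename, policy):
    """Scan-by-extension decision. The page does not state the list separator,
    so a comma-separated list is assumed here."""
    if policy.scan_extensions.strip() == "*":
        return True
    allowed = {e.strip().lower().lstrip(".") for e in policy.scan_extensions.split(",")}
    return effective_extension(filename, policy.temp_ext_names) in allowed

def plan_transfer(filename, size_bytes, protocol, policy):
    """Returns (scanned, name forwarded to the backend, extra HTTP headers).
    Oversize or excluded data bypasses the scanner: SFTP gets the unscanned
    extension appended (if enabled), HTTP keeps its name and gets the
    SCAN_SKIPPED header instead (assumed to apply to both skip reasons)."""
    oversize = size_bytes > policy.max_size_kb * 1024
    if should_scan(filename, policy) and not oversize:
        return True, filename, {}
    if protocol == "sftp":
        name = f"{filename}.{policy.unscanned_ext}" if policy.apply_unscanned_ext else filename
        return False, name, {}
    return False, filename, {policy.http_header_key: policy.http_header_value}
```

The unscanned extension and the SCAN_SKIPPED header are the only signals the backend gets that a file bypassed the scanner, so backend-side controls should key off them rather than assume every forwarded file was scanned.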