HomeHome ArticlesArticles Most Popular ArticlesMost Popular Articles Most Helpful ArticlesMost Helpful Articles Request New ArticleRequest New Article
RSS Feeds
DrillDown Icon Table of Contents
DrillDown Icon Knowledge Base Information
DrillDown Icon Cyberoam Security Appliances (UTM and NGFW)
DrillDown Icon FAQs on Cyberoam and Sophos Firewall
DrillDown Icon Vulnerability Security Advisories
DrillDown Icon Best Practices & Policies
DrillDown Icon Protect Your Cyberoam Appliances from Power Fluctuations
DrillDown Icon Technical Library
DrillDown Icon Deployment
DrillDown Icon Registration & Licensing
DrillDown Icon System
DrillDown Icon Objects
DrillDown Icon Network
DrillDown Icon Identity
DrillDown Icon Firewall
DrillDown Icon VPN
DrillDown Icon IPS
DrillDown Icon Web Filter
DrillDown Icon Allow Read-Only Access of Facebook
DrillDown Icon Block Gmail Application in Desktop, iOS and Android Devices
DrillDown Icon Configure Cyberoam for Integration with ICAP Server
DrillDown Icon Determine Web Category of specific URL
DrillDown Icon Create Web Category with External URL Database
DrillDown Icon Block Facebook Games
DrillDown Icon Configure YouTube Education Filter
DrillDown Icon Allow Only Specific YouTube Videos
DrillDown Icon Import Domain Names and Keywords into Custom Web Filter Category
DrillDown Icon Configure Web Filter Policy
DrillDown Icon Update Web Category Database
DrillDown Icon Allow download of specific file types from selected website(s) only
DrillDown Icon Apply Schedule on a Specific Web Category
DrillDown Icon How to block the Facebook add-in in Skype?
DrillDown Icon Block Video Files in Cyberoam
DrillDown Icon Block a Specific File Type in Web Category in Cyberoam
DrillDown Icon Allow only specific member-URL(s) of default Web Category and block others
DrillDown Icon Block URL for Specific User
DrillDown Icon Block HTTP/HTTPS Upload
DrillDown Icon Can we add a website from default category to custom category?
DrillDown Icon Enforce Safe Search through Cyberoam
DrillDown Icon From where can I disable the reporting for a Web Filter Policy?
DrillDown Icon Which among Domain and Keyword is given precedence when a Custom Web Category is created?
DrillDown Icon Block a Specific Website
DrillDown Icon How to submit uncategorized website to Cyberoam Team?
DrillDown Icon Does Cyberoam’s Web Filter block HTTPS-based websites when HTTPS scanning is disabled?
DrillDown Icon Customize a Denied Message
DrillDown Icon Application Filter
DrillDown Icon Web Application Firewall (WAF)
DrillDown Icon IM
DrillDown Icon Quality of Service (QoS)
DrillDown Icon Anti Virus
DrillDown Icon Anti Spam
DrillDown Icon Logs & Reports
DrillDown Icon Clients
DrillDown Icon Cyberoam Maintenance
DrillDown Icon Compatibility
DrillDown Icon Archives
DrillDown Icon Cyberoam Virtual Security
DrillDown Icon Cyberoam iView
DrillDown Icon Cyberoam Central Console
DrillDown Icon Cyberoam's On-Cloud Management Service
  Subscribe Print PreviewPrint Current Article and All Sub-Articles
 
Configure Cyberoam for Integration with ICAP Server

Applicable Version: 10.6.1 onwards

Overview

ICAP (Internet Content Adaptation Protocol) is an application protocol for adaptation orprocessingof HTTP messages. The ICAP client relays HTTP message (after ICAP-encapsulation) to the ICAP server which returns a modified message based on the adaptation parameters defined on the server. ICAP server essentially functions as a proxy server which modifies HTTP messages (requests and responses) and is capable of providing services such as Web-Content filtering,Antivirus orDLP (Data Loss Prevention). Such integration of ICAP-complaint clients (gateway or firewall) with the ICAP-enabled server is useful for efficient request handling or delivering compounded security to enterprise end-clients.

ICAP server’s major function is modification of ICAP-encapsulated HTTP Request or Response. In Request Modification, the ICAP server receives the request and returns possibly modified request or error message. In Response Modification, the ICAP server receives the response and returns possibly modified response or error message. In both the modes, the modification is based on the Services configured on the ICAP-enabled server product.

Cyberoam is ICAP complaint and supports integration with ICAP-enabled servers. The ICAP profile configuration can be done through Cyberoam Command Line Interface (CLI) console. The ICAP profile configuration includes Request Modification, Response Modification and Options.

Prerequisite

ICAP integration works only when a default or custom Web Filter Policy is applied on the Firewall Rule for the source and destination zones.

Scenario

Configure Cyberoam for ICAP Integration.
 


Configuration

Using Web Admin Console

Note
:

ICAP configuration using Web Admin Console is available from CyberoamOS 10.6.2 and above versions.

 

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Configure ICAP Sever

Go to Web Filter > ICAP > Server and click Add to add a new ICAP Server. Specify the parameters as shown in the table below.

 

Parameter

Value

Description

Server Name

ICAP

Specify name for ICAP Server.

Server IP

10.0.0.2

Specify IPv4 Address of ICAP Server.

Port

1344

Specify the port number on which ICAP Server is running.

Service

AV-SRVC

Specify the name of ICAP Service.

 


Click OK to save the settings.

Step 2: Configure ICAP Policy

Go to Web Filter > ICAP > Profile and click Add to add a new ICAP Policy. Specify the parameters as shown in the table below.

 

Parameter

Value

Description

Policy Name

ICAPpolicy

Specify name for the Policy.

Request Modifications

Enabled

Enable to configure ICAP Server in Request mode.

Request Server

ICAP

Select configured Request Server (created in step 1).

Response Modifications

Enabled

Enable to configure ICAP Server in Response mode.

Response Server

Max connections

16

Specify maximum concurrent connections to be allowed with the ICAP Server.

Default – 16

Note: Maximum connection limit and acceptable range differs as per appliance model as below:

 

For Appliance models: CR50iNG, CR100iNG, CR200iNG, CR200iNG-XP, CR300iNG, CR300iNG-XP

Max connections – 32

Acceptable Range – 1 to 32

 

For Appliance models: CR500iNG-XP, CR750iNG-XP

Max connections – 64

Acceptable Range – 1 to 64

 

For Appliance models: CR1000iNG-XP, CR1500iNG-XP, CR2500iNG, CR2500iNG-XP

Max connections – 128

Acceptable Range – 1 to 128

Content Limit

0

Specify the content limit for ICAP Server to process.

Default – 0 KB

Acceptable Range (KB) – 0 to 51200

Note: When content limit is set to 0, the default limit set is 25000KB.

DLP Mode

Disabled

Enable to process only DLP methods. If enabled, ICAP Server will only process POST/PUT methods.

Bypass Error

Disabled

Enable to bypass error messages.

 
 
 


Click
OK to save the settings.

 
Using CLI Console

Step 1: Access CLI console

Logon to the CLI console using Telnet or SSH. Select option 4. Cyberoam Console from the Main Menu list.

Step 2: Configure ICAP Profile settings

ICAP profile configuration includes the Request Modification, Response Modification and Options settings. Specify the following parameters for Request Modification and Response Modification:

IP Address: IP Address of the ICAP Server.

Port: Port number over which the ICAP Server listens. Default Port number is 1344.

Service Name: Service Name or ID, as specified by the ICAP-vendor.

Request Modification Settings

Execute the following command/s at the console prompt to specify the IP Address, Port and Service Name respectively for Request Modification settings:

set icap edit reqmod IP-address <IP address>

set icap edit reqmod port <port number>

set icap edit reqmod service-name <service name>
 

 Here,10.0.0.2 is IP-Address, 1344 is the Port and AVSRV is the Service ID of the ICAP Server.

Response Modification Settings

Execute the following command/s at the console prompt to specify the IP Address, Port and Service Name respectively for Response Modification settings:

set icap edit respmod IP-address <IP address>

set icap edit respmod port <port number>

set icap edit respmod service-name <service name>
 

Here, 10.0.0.2 is IP-Address, 1344 is the Port and AVSRV is the Service ID of the ICAP Server.

Note:

IP Address, Port and Service ID can be different for the Request and Respond Modification settings. Administrators may configure the settings as per the requirement or ICAP server/s configuration.

Step 3: Apply ICAP settings

Execute the following command at the console prompt to apply the ICAP-settings.

set icap apply-change
 

Step 4: Verify ICAP Settings

Execute the following command at the console prompt to verify the ICAP-settings.

show icap
 

                                                                                                                      

Resetting ICAP Settings

The administrator can reset the ICAP settings in the following way:

Request Mode:

Execute the following command at the console prompt to reset ICAP Request mode settings.

set icap edit reqmode reset
 

Request Mode:

Execute the following command at the console prompt to reset ICAP Response mode settings.

set icap edit respmode reset

 



Note:

No specific configuration is to be done on the ICAP Server for integration with Cyberoam. Cyberoam integration has been successfully tested 
with the following ICAP Server products:

• Symantec DLP

• Symantec Protection Engine 7.0

• Trend Micro Interscan Web Security Virtual Appliance

• Sophos Anti Virus

• Commtouch Anti Virus

                                                                                                                          Document Version: 1.3 – 13 April, 2015

Attachments
Article ID: 2968