ICAP integration for R77.30 and R80.10
Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:
You can use more than one ICAP server in the "Web Content Layer" on the Bluecoat SG, for example a CAS appliance and a TEX appliance.
Enable ICAP Server
Start ICAP server on TEX appliance or gateway:
# icap_server start
Enable ICAP Logs
# tecli advanced remote emulator logs enable <<< Hotfix 286 or higher automatically activates logging.
Enable firewall rule to connect ICAP Server (TEX Appliance)
Source: Symantec SG
Destination: "ip-address of sandblast appliance"
Configure Threat Rules
Configure Threat rules in SmartDashboard
Configuring ICAP on Symantec SWG:
I am currently writing documentation for Trustwave SWG and F5 LTM. The F5 ICAP configuration is a bit more complex. Therefore, this will be a longer article. But it works without any problems. Further information can be found at F5 under the following link: Configuring Content Adaptation for HTTP Requests.
I think you need two layers - the web access layer will allow your connections and the content layer is responsible for the ICAP req/resp modifications. I'm not sure if you can combine actions from access and content layers (It's been a while since I've used a Proxy SG).
This is really great info. We also look for the same kind of solution for our McAfee customers, where for example the TIE server sends files for emulation to TEX, based on the ThreatPrevention API for example.
Did you, or anyone else, try to build something like this?
Without deeper knowledge of the McAfee TIE Server, it looks like the TIE2ATD integration is proprietary, so there is no way to leverage our API here:
But you can attach our Sandbox to McAfee Web Gateway and also within your mail flow via MTA. Here is the MWG ICAP config:
Afterwards you can share our Threat Intelligence via our McAfee DXL integration:
Works without any problems.
But I still have one question: can I limit the maximum number of ICAP connections on the Sandblast Appliance?
You can change the number of processes and threads in the ICAP config file:
1. Open for editing: $FWDIR/c-icap/etc/c-icap.conf
2. Change the number of processes and threads: MaxServers, ThreadsPerChild, MinSpareThreads, MaxSpareThreads
It can be found in the ICAP Server documentation:
I did not find a maximum connection setting for the underlying c-icap server.
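The tuning step discussed above, as an added example that is not part of any post in this thread or of Check Point's tooling: a shell helper that reads MaxServers and ThreadsPerChild from a c-icap.conf and compares their product with the proxy's ICAP connection limit. It assumes each c-icap thread serves one request at a time; the function names and the sample values are constructed for illustration.

```bash
#!/bin/bash
# Assumption: one c-icap worker thread serves one ICAP request at a time,
# so the concurrency ceiling is MaxServers * ThreadsPerChild.

# Print the last uncommented value of a directive (nothing if absent).
icap_directive() {  # usage: icap_directive <conf-file> <directive>
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Print MaxServers * ThreadsPerChild; fail if either is missing or non-numeric.
icap_thread_ceiling() {  # usage: icap_thread_ceiling <conf-file>
    local servers threads
    servers=$(icap_directive "$1" MaxServers)
    threads=$(icap_directive "$1" ThreadsPerChild)
    [ -n "$servers" ] && [ -n "$threads" ] || return 1
    case "$servers$threads" in *[!0-9]*) return 1 ;; esac
    echo $(( servers * threads ))
}

# Print "ok" if the ceiling covers the proxy's connection limit,
# "undersized" if not, "unreadable" if the directives cannot be parsed.
icap_check_sizing() {  # usage: icap_check_sizing <conf-file> <proxy-max-conn>
    local ceiling
    ceiling=$(icap_thread_ceiling "$1") || { echo "unreadable"; return 2; }
    if [ "$ceiling" -ge "$2" ]; then echo "ok"; else echo "undersized"; fi
}

# Constructed sample configuration (illustrative values, not appliance defaults).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# MaxServers 25
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
EOF
echo "thread ceiling: $(icap_thread_ceiling "$sample")"
echo "proxy limit 250: $(icap_check_sizing "$sample" 250)"
```

On the appliance, pass $FWDIR/c-icap/etc/c-icap.conf as the file and the proxy's configured ICAP connection limit as the second argument.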
In the default configuration, the sizing for this parameter is 10. But I have experienced the ICAP server being busy when running it. For a proxy with around 1000 users, could you advise what number I should configure for this parameter?
Actually, I am a bit confused about configuring it, because I don't know exactly what the number represents.
You can find a description of the parameters here:
The least recommendation I can give is to adapt these numbers to the proxy's ICAP settings, like "Max number of connections" etc.
Something I found on the web regarding c-icap performance statistics - did not have time to verify it by now but maybe someone can do and give feedback: