ICAP settings

The Internet Content Adaptation Protocol (ICAP) settings allow the administrator to configure ICAP engines for use in the SecureTransport file transfer processes, so that data loss prevention (DLP) checks and anti-virus (AV) scans are applied. Using the ICAP connector, the administrator can set up a SecureTransport server to scan files with an external DLP engine when delivering them to the recipient folder. The ICAP server scan is executed before the file is delivered.

Prior to configuring ICAP scanning, verify that ICAPScan is enabled. For information on enabling ICAPScan, refer to Enable a rules package.

Note: The SecureTransport administrator can edit the entire DLP/AV ICAP URL in the following format: icap://dlpav-address:port/servicename. Both the Symantec anti-virus AVSCAN and AVSCANREQ are supported, though AVSCANREQ is preferred.
Note: The McAfee Web Gateway is supported by SecureTransport ICAP scanning.

Up to two ICAP servers can be configured. To enable ICAP scanning, first enable the ICAPScan package in Transaction Manager and then restart Transaction Manager. If two ICAP servers are enabled, transfers will be scanned by both servers.

To enable and configure the ICAP servers:

  1. Navigate to Setup > ICAP Settings.
  2. The ICAP Scan Settings page is displayed.
  3. Select Enable first ICAP server.
  4. On the first ICAP Server Settings pane:
    1. Enter the ICAP URL. Enter the DLP/AV ICAP URL in the following format:
       icap://dlpav-address:port/servicename
       The servicename could be the same as the mode of operation - REQMOD or RESPMOD, or it could be something custom and vendor specific. Please refer to the documentation of the DLP/AV you have for the exact service name.
       If the default ICAP port (1344) is used you can leave port blank - it will be filled automatically.
       Examples:
       icap://dlpav-address:1344/AVSCAN
       icap://dlpav-address:1344/REQMOD
       icap://dlpav-address:11344/RESPMOD
    2. (Optional) Select Use Secure ICAP connection to use a secure connection to the ICAP server.
      1. (Optional) Select Verify certificate to use certificate verification to secure the connection to the ICAP server.
      2. (Optional) Select Enable FIPS Transfer Mode to enable transfers to the ICAP server to be in accordance with the Federal Information Processing Standard (FIPS).
      Note: Verify certificate and Enable FIPS Transfer Mode can be selected together or individually depending on the level of security needed for the ICAP server connection.
    3. Enter Max file size (MB).
       The default maximum file size is 10 MB. If the actual file size is larger than the maximum file size, SecureTransport will send up to the maximum configured file size to the ICAP server.
    4. Enter Preview Size (KB).
       The default preview size is 10 KB. If the ICAP server requires more data, SecureTransport will send it up to the maximum configured file size.
    5. (Optional) Select Deny file transfer on connection error.
       If Deny file transfer on connection error is selected, file transfers will be denied on a connection error to the ICAP server.
    6. (Optional) Select Enable e-mail notifications on connection error.
       If Enable e-mail notifications on connection error is selected, notification emails will be sent when there is a connection error to the ICAP server.
  5. If a second ICAP server is configured, select Enable second ICAP server and complete the following.
  6. On the second ICAP Server Settings pane:
    1. Enter the ICAP URL. Enter the DLP/AV ICAP URL in the following format:
       icap://dlpav-address:port/servicename
       The servicename could be the same as the mode of operation - REQMOD or RESPMOD, or it could be something custom and vendor specific. Please refer to the documentation of the DLP/AV you have for the exact service name.
       If the default ICAP port (1344) is used you can leave port blank - it will be filled automatically.
       Examples:
       icap://dlpav-address:1344/AVSCAN
       icap://dlpav-address:1344/REQMOD
       icap://dlpav-address:11344/RESPMOD
    2. (Optional) Select Use Secure ICAP connection to use a secure connection to the ICAP server.
      1. (Optional) Select Verify certificate to use certificate verification to secure the connection to the ICAP server.
      2. (Optional) Select Enable FIPS Transfer Mode to enable transfers to the ICAP server to be in accordance with the Federal Information Processing Standard (FIPS).
      Note: Verify certificate and Enable FIPS Transfer Mode can be selected together or individually depending on the level of security needed for the ICAP server connection.
    3. Enter Max file size (MB).
       The default maximum file size is 10 MB. If the actual file size is larger than the maximum file size, SecureTransport will send up to the maximum configured file size to the ICAP server.
    4. Enter Preview Size (KB).
       The default preview size is 10 KB. If the ICAP server requires more data, SecureTransport will send it up to the maximum configured file size.
    5. (Optional) Select Deny file transfer on connection error.
       If Deny file transfer on connection error is selected, file transfers will be denied on a connection error to the ICAP server.
    6. (Optional) Select Enable e-mail notifications on connection error.
       If Enable e-mail notifications on connection error is selected, notification emails will be sent when there is a connection error to the ICAP server.
  7. Click Save.
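
A pre-check an administrator can run before entering the ICAP URL in the procedure above (an added example, not SecureTransport code): it parses the icap://dlpav-address:port/servicename format, fills in the default port 1344, and builds and parses an RFC 3507 OPTIONS exchange to confirm that the service name answers. The function names and the sample reply are constructed for illustration, and probe() covers plain TCP only, not the secure ICAP option.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_ICAP_PORT = 1344  # default ICAP port stated on this page

def parse_icap_url(url):
    """Split icap://dlpav-address:port/servicename; a blank port becomes 1344."""
    parts = urlsplit(url)
    if parts.scheme != "icap" or not parts.hostname:
        raise ValueError("expected icap://dlpav-address:port/servicename")
    service = parts.path.lstrip("/")
    if not service:
        raise ValueError("missing servicename")
    return parts.hostname, parts.port or DEFAULT_ICAP_PORT, service

def build_options_request(url):
    """Build the RFC 3507 OPTIONS request for the service named in the URL."""
    host, port, service = parse_icap_url(url)
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_options_response(raw):
    """Return (status_code, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status_line, *lines = head.split("\r\n")
    version, code, *_ = status_line.split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def probe(url, timeout=60):
    """Send OPTIONS to a live server; 60 s mirrors the page's default timeouts."""
    host, port, _ = parse_icap_url(url)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(url))
        buf = b""
        while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
            buf += chunk
        return parse_options_response(buf)

# Constructed sample reply, so the parser can be exercised offline.
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nPreview: 4096\r\n"
                b"Allow: 204\r\nOptions-TTL: 3600\r\nEncapsulated: null-body=0\r\n\r\n")
```

In the reply, the Methods header shows whether the service handles REQMOD or RESPMOD, and Preview is the preview size in bytes that the ICAP server advertises.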

Connection settings

You can configure ICAP server connection settings using the following configuration options:

Configuration option | Description
icap.FirstServer.ConnectTimeout, icap.SecondServer.ConnectTimeout | Specifies the timeout period for establishing a TCP connection to the respective ICAP server. If the TCP connection is not established during this period, the connection attempt fails. The default value is 60 seconds.
icap.FirstServer.ReadTimeout, icap.SecondServer.ReadTimeout | Specifies the timeout applied from the moment a connection to the respective ICAP server is established. If there is no response from the ICAP server during this period, the connection is terminated. The default value is 60 seconds.

Note: Make sure that the connection timeout value specified in SecureTransport is less than or equal to the TCP timeout value defined on the underlying operating system; otherwise, SecureTransport cannot enforce the connection timeout specified in the configuration option.
