ICAP settings

The Internet Content Adaptation Protocol (ICAP) settings let the administrator configure ICAP engines that take part in SecureTransport file transfer processes, so that data loss prevention (DLP) and anti-virus (AV) scanning are applied. Using the ICAP connector, the administrator can set up a SecureTransport server to scan files and AdHoc messages with an external DLP engine when delivering them to the recipient folder or mailbox. The ICAP server scan runs before a file is delivered.

Prior to configuring ICAP scanning, verify that ICAPScan is enabled. For information on enabling ICAPScan, refer to Enable a rules package.

Note The SecureTransport administrator can edit the entire DLP/AV ICAP URL, in the format icap://dlpav-address:port/servicename. Both the Symantec anti-virus services AVSCAN and AVSCANREQ are supported, though AVSCANREQ is preferred.
Note SecureTransport will scan received AdHoc messages and attachments when recipients open a message or download an attachment.
- An AdHoc message identified as blocked by the DLP policy is still displayed, but its content is replaced with a notification stating that you are not allowed to view the message because it was blocked by the DLP policy. Message subjects remain unchanged.
- Message attachments identified as blocked by the DLP policy are still downloaded successfully, but their content is replaced with a notification stating that you are not allowed to view the file because it is blocked by the DLP policy. This applies to all file types, whether or not they are text files. File extensions are not changed.

The ICAP server settings provide:

  • Multiple ICAP servers
  • Incoming and outgoing ICAP scanning for all file and message transfers
  • Scanning policy support
  • ICAP headers reporting: X-Authenticated-User, X-Client-IP, X-Server-IP
Note X-Server-Icap header reports the SecureTransport local IP address with each scanning request. If multiple network interfaces are available on the machine, the reported IP may not match the actual one.
  • Custom HTTP headers reporting
  • Certain variables are now exposed to Advanced Routing

Setup of ICAP servers

Multiple ICAP servers can be configured; there is no limit on their number. Scanning is performed only by ICAP servers that are enabled. There is no prioritization: all enabled servers are used to scan files and messages. If a server along the chain returns a negative scan result, the remaining servers are not consulted and the transfer is denied.

Navigate to Setup > ICAP Settings. The ICAP Servers List page presents a list of ICAP servers with basic management controls plus the option to create (add) a new server.

Click Add new ICAP server to open the ICAP Server Settings page with multiple sets of options.

Basic ICAP settings

  • Enter the ICAP server name. It must be unique; two ICAP servers cannot share the same name.
  • Enter the ICAP server type. It can be INCOMING, OUTGOING or BOTH.
    • INCOMING means that scanning will be performed by this ICAP server for all Incoming transfers: File upload, AdHoc message creation, Server-initiated pull (for example from a Transfer Site)
    • OUTGOING means that scanning will be performed by this ICAP server for all Outgoing transfers: File download, Reading of an AdHoc message, Server-initiated push (for example in the Advanced Router step: Send to Partner or Publish to Account)
    • BOTH means that scanning will be performed by this ICAP server for all types of transfers
  • Enter the ICAP URL. Enter the DLP/AV ICAP URL in the following format:
    icap://dlpav-address:port/servicename
    The servicename can be the same as the mode of operation - REQMOD or RESPMOD, or something custom and vendor-specific.
    For the exact servicename, refer to the Data Loss Prevention (DLP) or Anti-virus (AV) documentation.
    If the default ICAP port (1344) is used, leave the port blank - it will be auto-populated.
    Examples:
    icap://dlpav-address:1344/AVSCAN
    icap://dlpav-address:1344/REQMOD
    icap://dlpav-address:1344/RESPMOD
  • Select Use Secure ICAP connection for a secure connection to the ICAP server.
  • Select Verify certificate to use certificate verification to secure the connection to the ICAP server.
  • Select Enable FIPS Transfer Mode to make transfers to the ICAP server comply with the Federal Information Processing Standard (FIPS).
    Note: Verify certificate and Enable FIPS Transfer Mode can be selected together or individually, depending on the level of security needed for the ICAP server connection.
  • Enter Max file size (MB).
    The default maximum file size is 10 MB. If the actual file size is larger than the maximum file size, SecureTransport will send up to the maximum configured file size to the ICAP server.
  • Enter Preview Size (KB).
    The default preview size is 10 KB. If the ICAP server requires more data, SecureTransport will send it up to the maximum configured file size.
  • Select Deny file transfer on connection error.
    If this option is selected, file transfers are denied when the connection to the ICAP server fails.
  • Select Enable e-mail notifications on ICAP error.
    If this option is selected, notification e-mails are sent when there is a connection failure to the ICAP server.
  • Select Enable e-mail notifications on ICAP denied.
    If this option is selected, notification e-mails are sent when a transfer is denied by the ICAP server.

ICAP scan filtering settings

Select Scan Policy Expression if you want to perform scanning only under specific circumstances.
When you select the Scan Policy Expression checkbox, the text box accepts SecureTransport Expression Language. If neither filtering setting on this page is enabled, scanning is always performed. Sample usage, to skip scanning when the transfer takes place over the SSH protocol: ${session.protocol ne 'ssh'}
Refer to the ICAP scan policy expression language subtopic for the complete list of available expressions.

Select Perform scanning only if there is a partner recipient.
This field enables or disables ICAP scanning for AdHoc messages depending on whether at least one recipient is external. The user type (internal or external) is controlled by the account setting Account Type, whose possible values are Internal (internal accounts) and Partner (external accounts).
If the type of a recipient cannot be identified or is set to Unspecified, the account is considered External. If both filtering settings are enabled, this setting is the one applied to AdHoc messages.

Select Scan Without BU to choose whether or not to enable ICAP scanning for accounts with no Business Unit assigned.

In Ignored File Types, enter a comma-separated list of file extensions. Files with these extensions are not scanned.

Custom ICAP header settings

This section lets you specify any additional custom headers, with their values, that must be passed to the ICAP server when making requests. A Header value field can hold either a static value or an ST expression. Expressions let you set a value dynamically, based on the current context, by using the SecureTransport session or environment variables.
By default no custom headers are configured, but you can add any number of headers by selecting Add custom headers mapping.
If a header value is not present or cannot be resolved, the header is added with an empty or null value when the request is sent.
Example:

  • Header Name: X-Account-Name
  • Header Value: ${account.name}
  • If a user named user1 has logged in and an ICAP scan is performed, the Header:Value pair evaluates to X-Account-Name = user1 and is reported to the ICAP server(s).
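As an added example (not SecureTransport's own code), the Python below builds the ICAP REQMOD request that the Basic ICAP settings and Custom ICAP header settings above describe: the URL is parsed with the 1344 default port, the body is capped at Max file size, the first Preview Size KB go out as an ICAP preview chunk, the reported X-Authenticated-User, X-Client-IP and X-Server-IP headers are added, and a custom header is resolved from a session variable. The file content, the server address and the session variables other than account.name (session.clientIp, server.ip) are constructed, and a local account is assumed for the X-Authenticated-User format.

```python
# Added example, not SecureTransport's code: a REQMOD request shaped by the settings
# on this page (URL, Max file size, Preview Size, reported and custom headers).
# The session dict, file content and server address are all constructed.
import re
from urllib.parse import urlparse

SESSION = {"account.name": "user1", "session.clientIp": "192.0.2.10",
           "server.ip": "192.0.2.1"}    # constructed; only account.name is from the page

def parse_icap_url(url):
    """Split icap://dlpav-address[:port]/servicename; port defaults to 1344."""
    u = urlparse(url)
    if u.scheme != "icap" or not u.hostname or not u.path.strip("/"):
        raise ValueError("expected icap://dlpav-address:port/servicename")
    return u.hostname, u.port or 1344, u.path.strip("/")

def resolve_header(value, session):
    """Expand ${var} from the session; an unresolvable variable yields an empty value."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: session.get(m.group(1), ""), value)

def build_reqmod(url, content, session, max_size_mb=10, preview_kb=10, custom=None):
    """Return (initial request bytes, remainder to send only after '100 Continue')."""
    host, port, service = parse_icap_url(url)
    body = content[: max_size_mb * 1024 * 1024]           # never more than Max file size
    preview = min(preview_kb * 1024, len(body))
    req_hdr = (f"PUT /upload HTTP/1.1\r\nHost: {host}\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    headers = [("Host", host),
               ("X-Authenticated-User", f"Local://{session.get('account.name', '')}"),
               ("X-Client-IP", session.get("session.clientIp", "")),
               ("X-Server-IP", session.get("server.ip", "")),
               ("Preview", str(preview)),
               ("Encapsulated", f"req-hdr=0, req-body={len(req_hdr)}")]
    headers += [(n, resolve_header(v, session)) for n, v in (custom or {}).items()]
    head = f"REQMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
    head += "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
    # Preview chunk: "0; ieof" means the whole body is already there; a plain "0" means
    # the rest follows once the ICAP server answers 100 Continue (or 204 to skip it).
    chunk = f"{preview:x}\r\n".encode() + body[:preview] + b"\r\n"
    chunk += b"0; ieof\r\n\r\n" if preview == len(body) else b"0\r\n\r\n"
    return head.encode() + req_hdr + chunk, body[preview:]

if __name__ == "__main__":
    first, rest = build_reqmod("icap://dlpav-address/AVSCANREQ", b"constructed file " * 1024,
                               SESSION, custom={"X-Account-Name": "${account.name}"})
    print(first[:300].decode(), "... remaining bytes after 100 Continue:", len(rest))
```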

Advanced connection settings

  • By selecting Show advanced connection settings you can see the additional server configuration options for connection.
  • Connection timeout. The maximum time, in seconds, that the server waits for a connection before it stops trying to reconnect.
  • Read timeout. The maximum time, in seconds, that the server waits for a read to complete.
  • Enabled Ciphers. This is a list of ciphers to be used for an SSL connection. The ciphers must be comma-separated. The default ciphers are:
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • Enabled Protocols. This is a list of SSL protocols to be enabled. The protocols must be comma separated. The default value is: TLSv1.2.

Advanced ICAP settings

  • By selecting Show advanced ICAP settings you can see the additional server configuration options.
    • Select Enable WindowsNt format. With this setting you can choose whether or not to report X-Authenticated-User in WinNT format in case of LDAP authentication.
    • X-Authenticated-User
      X-Authenticated-User is reported with each LDAP request. The header is reported differently depending on user type. Below are the supported X-Authenticated-User formats:
      • User with a local account and a locally stored password: Local://<account name>
      • Real OS user: Local://<login name>
      • Non LDAP user mapped to a template (SiteMinder or SSO): Local://<login name>
      • LDAP user options:
        • If WinNT format is not enabled for the server: LDAP://<LDAP domain name>/<user DN>*
        • If WinNT format is enabled for the server: WinNT://<LDAP domain name>/<login name>
        Note For more information about user DN format, see User DN format.
    • Select Stop transfers modify or not handled to choose whether or not to stop the transfer if the ICAP server returns a MODIFY result or an unhandled status.
    • Select Treat modify as Block to choose whether or not to treat the ICAP MODIFIED action as block.
  • To enable or disable an ICAP server, mark the preferred ICAP server and select the Enable or Disable button.
  • To delete an ICAP server, mark the preferred ICAP server and select the Delete button.
  • To edit an ICAP server, click on the record in the list of ICAP servers displayed on the page.
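As an added example (not product code), the Python below turns the Deny file transfer on connection error, Stop transfers modify or not handled and Treat modify as Block switches, together with the rule from Setup of ICAP servers that the first negative result along the chain denies the transfer, into a transfer decision, and formats X-Authenticated-User according to the table above. The result labels, the user records and the dataclass defaults are assumptions, not the product's values.

```python
# Added example, not SecureTransport's code: the Advanced ICAP switches and the
# "first negative result denies" chain rule as a transfer decision, plus the
# documented X-Authenticated-User formats. Labels, defaults and users are constructed.
from dataclasses import dataclass

@dataclass
class IcapServer:                      # field defaults are assumptions, not product defaults
    name: str
    enabled: bool = True
    deny_on_connection_error: bool = True
    stop_modify_or_not_handled: bool = True
    treat_modify_as_block: bool = False
    enable_winnt_format: bool = False

def authenticated_user(server, user):
    """user: constructed dict with 'kind' in local/os/template/ldap plus the names needed."""
    kind = user["kind"]
    if kind == "local":                               # local account, locally stored password
        return f"Local://{user['account']}"
    if kind in ("os", "template"):                    # real OS user, SiteMinder/SSO template
        return f"Local://{user['login']}"
    if server.enable_winnt_format:                    # LDAP user, WinNT format enabled
        return f"WinNT://{user['domain']}/{user['login']}"
    return f"LDAP://{user['domain']}/{user['dn']}"    # LDAP user, default format

def decide(server, result):
    """result is one of ALLOW, BLOCK, MODIFY, NOT_HANDLED, CONNECTION_ERROR (constructed
    labels for the outcomes the page describes). Returns (verdict, reason)."""
    if result == "CONNECTION_ERROR":
        return ("DENY" if server.deny_on_connection_error else "ALLOW",
                f"{server.name}: connection error")
    if result == "BLOCK":
        return "DENY", f"{server.name}: blocked by ICAP policy"
    if result == "MODIFY" and server.treat_modify_as_block:
        return "DENY", f"{server.name}: MODIFY treated as block"
    if result in ("MODIFY", "NOT_HANDLED") and server.stop_modify_or_not_handled:
        return "DENY", f"{server.name}: {result} stops the transfer"
    return "ALLOW", f"{server.name}: {result}"

def chain(scans):
    """scans: [(server, result)]; disabled servers are skipped, the first DENY wins."""
    for server, result in scans:
        if not server.enabled:
            continue
        verdict, reason = decide(server, result)
        if verdict == "DENY":
            return verdict, reason
    return "ALLOW", "all enabled ICAP servers passed"
```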

ICAP legacy system import and upgrade

Mapping between old ICAP options and new ICAP server during legacy system import and upgrade from 5.3.6 GA to 5.4:

ICAP Server                             Old Configuration option
icapServer.connectionTimeout            icap.First/SecondServer.ConnectTimeout
icapServer.enabledCiphers               icap.First/SecondServer.EnabledCipherSuites
icapServer.enabledProtocols             icap.First/SecondServer.EnabledProtocols
icapServer.fipsEnabled                  icap.First/SecondServer.enableFipsMode
icapServer.scanWithoutBu                icap.First/SecondServer.enableScanForAccountsWithoutBusinessUnit
icapServer.useSecure                    icap.First/SecondServer.enableSecureConnection
icapServer.ignoredFileTypes             icap.First/SecondServer.IgnoredFileTypes
icapServer.mailAddressesOnIcapError     icap.First/SecondServer.mailtoAddressesForMailsIfIcapErrors
icapServer.mailAddressesOnIcapDenied    icap.First/SecondServer.mailtoAddressesForMailsIfTransferDeniedByIcap
icapServer.maxSize                      icap.First/SecondServer.MsgMaxSize
icapServer.previewSize                  icap.First/SecondServer.PreviewSize
icapServer.readTimeout                  icap.First/SecondServer.ReadTimeout
icapServer.enabled                      icap.First/SecondServer.ScanEnabled
icapServer.sendEmptyPreview             icap.First/SecondServer.sendEmptyPreview
icapServer.notifyOnIcapErrors           icap.First/SecondServer.sendMailsIfIcapErrors
icapServer.notifyOnIcapDenied           icap.First/SecondServer.sendMailsIfTransferDeniedByIcap
icapServer.denyOnConnectionError        icap.First/SecondServer.stopTransfersIfIcapErrors
icapServer.stopModifyOrNotHandled       icap.First/SecondServer.stopTransfersIfIcapResultModifyOrNotHandled
icapServer.treatModifyAsBlock           icap.First/SecondServer.treatModifyAsBlock
icapServer.url                          icap.First/SecondServer.Url
icapServer.certVerify                   icap.First/SecondServer.verifyCertificate
icapServer.id                           runtime generated value
icapServer.enableWinNtFormat            false (0)
icapServer.headersMapping               NULL
icapServer.name                         Name mapping (ex. i_cap.FirstServer.Url_ FirstServer)
icapServer.scanOnlyIfPartnerRecipient   false (0)
icapServer.scanPolicyExpression         NULL
icapServer.type                         INCOMING
icapServer.customAttributesId           NULL

On legacy system import:

  • If the value of configuration option FirstServer.Url_ is not empty, a new ICAP server entity named FirstServer _ is created; if an ICAP server with the same name already exists, the legacy system import fails.
  • If the value of configuration option SecondServer.Url_ is not empty, a new ICAP server entity named SecondServer_ is created; if an ICAP server with the same name already exists, the legacy system import fails.

On upgrade from 5.3.6 GA:

  • If the value of configuration option icap.FirstServer.Url is not empty, the new ICAP server entity with name FirstServer will be created.
  • If the value of configuration option icap.SecondServer.Url is not empty, the new ICAP server entity with name SecondServer will be created.

User DN format

User DN is reported when authenticating over LDAP. There are two supported formats for User DN.

If no additional configuration is performed, the user DN contains only the attribute that holds the user login name, for example: LDAP://elf/CN=test

User DN can be configured to contain the full DN of the logged in user or the value of any existing LDAP attribute. Below are the configuration steps:

  1. Navigate to the desired LDAP domain.
  2. Go to the Attributes List section.
  3. Add a new attribute with an ST Attribute Name that equals DN.
  4. The value of the LDAP Attribute Name can be any LDAP attribute. To display the complete DN of the logged-in user, enter the attribute that contains it (for example distinguishedName).
  5. Click Map to Schema and save.
    Example: LDAP://userDirectory/CN=exampleuser,CN=Users,DC=example,DC=com
