Solutions

Integrating ProxySG & ProxyAV (SGOS 5.4)

Solutions ID:    KB3802
Version:    1.0
Status:    Published
Published date:    05/20/2010
 

Problem Description

This solution provides high-level basic steps for integrating the ProxyAV with the ProxySG, using SGOS 5.4 and AVOS 3.2.

For detailed instructions, see the following PDF guide: Integrating the ProxySG and ProxyAV Appliances.

 

Note: If you are using SGOS 5.5, see a similar solution for this version.

Resolution

Configure ProxyAV Settings

  1. Name the ICAP service: ICAP Settings > Antivirus Service Name. The default name is avscan but you can change it if you like.
  2. You may change other settings if desired.

Configure ProxySG Settings

  1. Create an ICAP response service: Configuration > External Services > ICAP > ICAP Services
  2. Edit the service and enter the Service URL of the ProxyAV: icap://x.x.x.x/avscan
  3. Enable Defer scanning at threshold.
  4. Use the Sense settings button to get the correct value that your platform supports for Maximum number of connections. (Do not change the suggested value.)
  5. Set trickle object data at end for interactive and non-interactive traffic: ICAP Feedback tab

Create Scanning Policy

  1. Go to the Visual Policy Manager (VPM).
  2. Create a Web Content layer (Policy > Add Web Content Layer ) for the ICAP response service you created.
    • Action = ICAP Response Service (Note: The Error Handling option refers to the behavior of the ProxySG if there's an error in the TCP connection between the ProxySG and the ICAP service.)
  3. Install policy.
  4. In the Web Content layer, add rules to specify what to bypass from scanning (internal sites, AV update files).
    • Destination: Destination IP Address/Subnet or Destination Host/Port
    • Action: None (right-click Action cell and choose Delete)
  5. The ICAP response service must be the last rule: use the Move Down button.
  6. Install policy.

Note: Since the ProxySG and ProxyAV fail-close by default, you need to decide if there are some ICAP error codes that, if they occur, it would be okay if the content wasn't scanned. This policy is defined in the Web Access layer. You can skip this step if you want to use the default (deny the connection for all ICAP errors).

  1. Create a Web Access layer.
  2. Create a rule for all ICAP error codes you want to allow:
    • Service = ICAP Error Code (select error codes to allow)
    • Action = Allow
  3. Add a rule for all all ICAP error codes you want to deny:
    • Service = ICAP Error Code (select error codes to deny)
    • Action = Deny
  4. Install policy.

 

Install Best Practice Policy

To enhance user satisfaction and achieve maximum performance from the ProxyAV, some customers choose not to scan data streams that are known to cause issues. One benefit of this policy is reduced load on the ProxyAV. The risk is that the exemption could potentially allow malicious content to slip viruses through unscanned. Blue Coat has written the Content Policy Language (CPL) for this policy and you can download the file, customize it for your own needs, and install it on your ProxySG.

  1. Go to: http://techlabs.bluecoat.com/policy/icap_noscan.txt
  2. Save the file to your desktop or other convenient location.
  3. Modify the policy to meet your requirements. For example, if there are URL domains that you know contain infinite streams, you can add them to the condition named “Bad_response_for_ICAP.”
  4. Add and this policy to existing CPL policy: Configuration > Policy > Policy Files > Install Local File from > Text Editor > Install.

 

 

 


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question