Restrict ICAP scanning based on source IP address or group


Article ID: 166872
ProxySG Software - SGOS


Visual Policy Manager allows you to restrict ICAP scanning by destination URL or IP address only, but you want to restrict it by source parameters, e.g. client IP address or Active Directory group.


Note: It is NOT possible to restrict ICAP scanning based on authentication criteria (e.g. Active Directory user or group), only by client IP address.

There are occasions where certain rules that cannot be created within Visual Policy Manager can be created using native CPL. This is one such occasion. The following CPL can be added either to your Local Policy or to a CPL Layer in Visual Policy Manager.

;; Modify NoScanList accordingly (the addresses below are examples only;
;; replace them with the devices or subnets that must not be scanned)
define condition NoScanList
  client.address=10.0.0.5
  client.address=192.168.100.0/24
end condition

;; Only devices NOT in NoScanList will be ICAP scanned
condition=!NoScanList response.icap_service(icap_response, fail_closed) response.icap_service.secure_connection(auto)

Note that excluding devices from ICAP scanning is not recommended. If an excluded device requests an object, that object is not scanned and could contain a virus. The infected object is then placed into the proxy cache, where other users requesting the same object could retrieve it. Therefore, you should ensure that unscanned objects are not cached by adding the following CPL code in addition to the code above.

;; Do not cache objects requested by devices in NoScanList
condition=NoScanList cache(no)
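As an added example that is not part of the original article, the fragments above assembled into one block suitable for the Local Policy file, where rules must sit inside layer headers. The `<Proxy>` and `<Cache>` layer placement, the example addresses in NoScanList, and the ICAP service name `icap_response` (carried over from the article) are assumptions to adapt to your environment:

```cpl
;; Example only: the article's fragments assembled for the Local Policy file.
;; Condition definitions live outside any layer.
define condition NoScanList
  client.address=10.0.0.5           ; example: a single device that will not be scanned
  client.address=192.168.100.0/24   ; example: a subnet that will not be scanned
end condition

;; Every client NOT in NoScanList has its responses sent to the ICAP service.
;; fail_closed: if the ICAP service is unavailable the response is denied, not passed through.
<Proxy>
  condition=!NoScanList response.icap_service(icap_response, fail_closed) response.icap_service.secure_connection(auto)

;; Objects fetched for unscanned clients must never enter the cache; otherwise
;; other clients could later be served an unscanned (possibly infected) copy.
<Cache>
  condition=NoScanList cache(no)
```

After installing the policy, confirm from the policy trace or the ICAP service statistics that requests from a NoScanList address produce no ICAP transaction and that the fetched object is not stored, while requests from any other address still show scanning.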