Restrict ICAP scanning based on source IP address or group

Article ID: 166872

Products

ProxySG Software - SGOS

Issue/Introduction

Visual Policy Manager (VPM) allows you to restrict ICAP scanning based on the destination URL or IP address only, but you want to restrict it based on source parameters, e.g. the client IP address or an Active Directory group.

Resolution

Note: It is NOT possible to restrict ICAP scanning based on authentication criteria (e.g. Active Directory user or group), only by client IP address or subnet. The policy below is written in a <Cache> layer, and user= and group= conditions are not available in that layer.

There are occasions where rules that cannot be created in Visual Policy Manager can be created using native CPL; this is one of them. The following CPL can be added either to your Local Policy file or to a CPL Layer in Visual Policy Manager.


;; Modify NoScanList accordingly: single hosts and CIDR subnets are both accepted
define condition NoScanList
    client.address=192.168.1.2
    client.address=10.0.0.0/8
end condition NoScanList

;; Only devices NOT in NoScanList will be ICAP scanned.
;; fail_closed: if the ICAP service is unavailable, the response is blocked
;; rather than delivered unscanned.
<Cache>
    condition=!NoScanList response.icap_service(icap_response, fail_closed) response.icap_service.secure_connection(auto)


Note that it is not recommended to exclude devices from ICAP scanning. If an excluded device requests an object, that object is not scanned and could contain a virus. The infected object is then placed into the proxy cache, from where it can be served to other clients requesting the same object, bypassing the scan they would otherwise receive. Therefore, you should ensure that unscanned objects are not cached by adding the following CPL in addition to the code above.

;; Do not cache objects fetched by devices in NoScanList, since they were never scanned
<Cache>
    condition=NoScanList cache(no)
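To make the cache-poisoning chain above concrete, here is an added Python model of the two policy rules; it is illustrative code written for this article, not SGOS code or anything from the product documentation. It reuses the NoScanList entries from the CPL, and assumes (as the text states) that an object served from cache is not rescanned. The object URL, the origin content and the MALWARE-TEST-SAMPLE marker that stands in for an antivirus detection are all constructed for the example. Running it shows that without the cache(no) rule a client that is supposed to be scanned receives the infected object straight from cache, and that with the rule in place the same client's request goes to the origin, is scanned, and is blocked.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the article's NoScanList condition: the same
# host and subnet the CPL above uses (192.168.1.2 is a single host, so it
# becomes a /32 network).
NO_SCAN_LIST = [ip_network("192.168.1.2/32"), ip_network("10.0.0.0/8")]

# Constructed marker standing in for an ICAP/antivirus detection. Any object
# body containing it is treated as malicious by the modelled scanner.
MALWARE_MARKER = "MALWARE-TEST-SAMPLE"

URL = "http://example.test/tool.exe"  # assumed object URL, not from the article

# Constructed origin content: the object at URL is "infected".
ORIGIN = {URL: "MZ... " + MALWARE_MARKER + " ..."}


def in_no_scan_list(client_ip: str) -> bool:
    """Mirror the CPL condition: true if the client matches any entry."""
    addr = ip_address(client_ip)
    return any(addr in net for net in NO_SCAN_LIST)


class ProxyModel:
    """Simplified proxy model: one object cache, one ICAP response service.

    Assumption (as the article states): an object served from cache is not
    rescanned, so whatever was stored is what later clients receive.
    """

    def __init__(self, no_cache_unscanned: bool, icap_available: bool = True):
        # no_cache_unscanned=True corresponds to adding the second <Cache>
        # layer ("condition=NoScanList cache(no)") from the article.
        self.no_cache_unscanned = no_cache_unscanned
        self.icap_available = icap_available
        self.cache: dict[str, str] = {}
        self.icap_scans = 0

    def fetch(self, client_ip: str, url: str) -> dict:
        """Serve one request; returns where the object came from and what happened."""
        if url in self.cache:
            return {"source": "cache", "scanned": False, "verdict": "delivered"}

        body = ORIGIN[url]
        excluded = in_no_scan_list(client_ip)

        if not excluded:
            # response.icap_service(icap_response, fail_closed): if the ICAP
            # service cannot be reached, fail_closed means the client gets an
            # error rather than an unscanned object, and nothing is cached.
            if not self.icap_available:
                return {"source": "origin", "scanned": False, "verdict": "blocked"}
            self.icap_scans += 1
            if MALWARE_MARKER in body:
                return {"source": "origin", "scanned": True, "verdict": "blocked"}

        # Cache decision: a scanned-clean object is always cacheable. An
        # unscanned object is cached unless the cache(no) rule is in place.
        if not (excluded and self.no_cache_unscanned):
            self.cache[url] = body

        return {"source": "origin", "scanned": not excluded, "verdict": "delivered"}


def scenario(no_cache_unscanned: bool) -> tuple[dict, dict]:
    """An excluded client fetches the object first, then a normal client."""
    proxy = ProxyModel(no_cache_unscanned)
    first = proxy.fetch("10.1.2.3", URL)      # in NoScanList: never scanned
    second = proxy.fetch("192.168.5.5", URL)  # not in the list: should be scanned
    return first, second


if __name__ == "__main__":
    for flag in (False, True):
        first, second = scenario(flag)
        print(f"cache(no) rule present: {flag}")
        print("  excluded client :", first)
        print("  normal client   :", second)
```

The model deliberately keeps the two decisions separate, as the two CPL layers do: the first layer decides whether the response is scanned, the second decides whether it may be stored. Dropping the second layer is what turns a per-device exception into a cache-wide one.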