CAS with ProxySG integration guidelines


Article ID: 168311


Products

Content Analysis Software - CA, Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

The purpose of this article is to provide initial guidelines for configuring the connection between the ProxySG and the Content Analysis System. For more information on this subject, refer to the latest integration guide for each CAS version located here (version 2.3.X as of this article):

https://support.symantec.com/en_US/article.DOC10909.html

This article assumes you are performing SSL Interception (decryption) for client machines that are going through the proxy. This is a requirement in order for the proxy to send HTTPS traffic for analysis (regardless of the deployment in use), so make sure you have an SSL Interception rule in place before you attempt configuring and testing this integration.

Also, after the initial configuration, make sure you install our best practices CPL code in order to avoid overloading the CAS with queued ICAP connections. Refer to this article for more information on this:

https://support.symantec.com/en_US/article.DOC10920.html

Resolution

Once the CAS is on your network and has the relevant licenses installed, connect to your ProxySG, add the CAS unit as an ICAP service, and configure it via policy as described below:

  1. Create the ICAP service
     • Go to Configuration > Content Analysis > ICAP > New
     • Enter an alias for this ICAP service, then click OK and Apply
     • Select the new ICAP service and go to Edit
     • Enter the URL of the CAS with the following syntax: icap://x.x.x.x/ (where x.x.x.x is the IP of the CAS device)
     • Click on Sense Settings to test access to the device as well as set some initial configurations automatically.
     • Click OK and Apply once again to finish creating the ICAP service.
  2. Create policy to send decrypted traffic to the CAS
     • Open the VPM (Configuration > Policy > Visual Policy Manager > Launch)
     • Create a Web Content Layer (Policy > Add Web Content Layer)
     • Under Action, right-click the option that says “Use Default Caching” > Set > New > Perform Response Analysis
     • Name the object as you prefer and add the CAS from "Available services" to "Selected failover sequence". Refer to the full integration guide for more information on the other settings.
     • Click OK, then Install Policy
  3. Validate that traffic is being sent to the CAS for analysis
     • Go to Statistics > Sessions > Active Sessions > Show
     • In the current sessions, there is a column named "I" which displays ICAP information. In this column, there is an icon that represents a baseball cap with the letter "I" on it. If the icon has a green checkmark on it, this means that the traffic has been sent to the CAS (or any other ICAP service in use) for analysis. If you hover over the icon, you will see the ICAP service that analyzed the payload.