Unable to get Secure ICAP working between ProxySG and Symantec DLP or ProxyAV

Article ID: 168844

Products

  - Data Loss Prevention
  - ProxyAV Software - AVOS
  - ProxySG Software - SGOS

Issue/Introduction

In some configurations, the ICAP health check fails as soon as a Secure ICAP service is enabled. The health check output shows the following error:

proxySG#(config)external-services
proxySG#(config external-services)edit ProxyAV1
proxySG#(config icap ProxyAV1)health-check perform
    Enabled      Check failed      DOWN
    Last status: Certificate validation failed.
    Successes (total): 121100      (last): Fri, 06 Nov 2015 16:07:47 GMT      (consecutive): 0
    Failures  (total): 7833      (last): Fri, 06 Nov 2015 17:38:39 GMT      (consecutive): 545      (external): 0
    Last response time: 14 ms      Average response time: 15 ms
    Minimum response time: 13 ms      Maximum response time: 24 ms

% Health check has failed.
proxySG#(config icap ProxyAV1)exit
proxySG#(config external-services)exit

Cause

Either of the following can cause the certificate validation failure:

  1. The CN of the DLP or ProxyAV certificate does not match the host name or IP address used in the ICAP service URL configured on the ProxySG.
  2. The certificate has expired.
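The two causes above can be checked before touching the ProxySG configuration. The following script is an added example, not part of this article or of any Symantec tool: it applies the same two tests (name match against the ICAP URL host, validity period) to a certificate record in the dictionary format Python's ssl.SSLSocket.getpeercert() returns, first offline on a constructed sample and then, optionally, live against the DLP or ProxyAV Secure ICAP listener. The host names, IP addresses, dates and the default port number 11344 are assumptions for illustration; replace them with your own values.

```python
import socket
import ssl
import sys
import time
from ipaddress import ip_address

# Assumption: port the Secure ICAP listener on the DLP/ProxyAV side uses.
SECURE_ICAP_PORT = 11344

# Constructed samples in getpeercert() format, not real appliance certificates.
SAMPLE_CERT = {
    "subject": ((("commonName", "proxyav1.example.internal"),),),
    "subjectAltName": (("DNS", "proxyav1.example.internal"),
                       ("IP Address", "10.0.0.25")),
    "notBefore": "Nov  6 00:00:00 2015 GMT",
    "notAfter": "Nov  6 00:00:00 2016 GMT",
}
SAMPLE_CN_ONLY_CERT = {  # no SAN at all, typical of older appliance certs
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "dlp.example.internal"),)),
    "notBefore": "Nov  6 00:00:00 2015 GMT",
    "notAfter": "Nov  6 00:00:00 2016 GMT",
}


def common_name(cert):
    """Return the subject CN, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, host):
    """Case-insensitive exact match, or a single leftmost '*' label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    labels = host.split(".")
    # '*.example.internal' covers 'av2.example.internal', not 'a.b.example.internal'
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def _same_ip(text, ip):
    try:
        return ip_address(text) == ip
    except ValueError:
        return False


def hostname_matches(cert, host):
    """True if the ICAP URL host (DNS name or IP literal) is covered by the cert.
    SAN entries of the matching type take precedence; the CN is consulted only
    when no such SAN exists, which is where cause 1 above usually bites."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        ip_sans = [v for k, v in sans if k == "IP Address"]
        if ip_sans:
            return any(_same_ip(v, ip) for v in ip_sans)
    else:
        dns_sans = [v for k, v in sans if k == "DNS"]
        if dns_sans:
            return any(_dns_match(p, host) for p in dns_sans)
    cn = common_name(cert)
    if cn is None:
        return False
    return _same_ip(cn, ip) if ip is not None else _dns_match(cn, host)


def expiry_status(cert, now=None):
    """'ok', 'expired' or 'not_yet_valid' relative to `now` (epoch seconds, UTC)."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "ok"


def diagnose(cert, host, now=None):
    """List the problems the ProxySG health check would trip over (empty = fine)."""
    problems = []
    if not hostname_matches(cert, host):
        problems.append("name mismatch: CN=%r SAN=%r, ICAP URL host=%r"
                        % (common_name(cert), cert.get("subjectAltName", ()), host))
    status = expiry_status(cert, now)
    if status != "ok":
        problems.append("certificate %s (notBefore=%s, notAfter=%s)"
                        % (status, cert["notBefore"], cert["notAfter"]))
    return problems


def check_live(host, port=SECURE_ICAP_PORT, cafile=None, timeout=5.0):
    """Connect to the Secure ICAP listener and diagnose its certificate.
    `cafile` is the PEM exported from the DLP/ProxyAV (the one imported into the
    ProxySG); chain validation stays on, name matching is left to diagnose()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # diagnose() reports the mismatch with more detail
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return diagnose(tls.getpeercert(), host)
        except ssl.SSLCertVerificationError as exc:
            return ["chain validation failed: %s (code %s)"
                    % (exc.verify_message, exc.verify_code)]


if __name__ == "__main__":
    if len(sys.argv) >= 2:  # usage: script.py <icap-host> [port] [ca.pem]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else SECURE_ICAP_PORT
        print(check_live(sys.argv[1], port, sys.argv[3] if len(sys.argv) > 3 else None)
              or ["certificate OK"])
    else:  # offline demo on the constructed sample
        print(diagnose(SAMPLE_CERT, "proxyav1.example.internal", now=1451606400))
        print(diagnose(SAMPLE_CERT, "proxyav1", now=1478390401))
```

Run it with the exact host string from the ICAP service URL on the ProxySG: if you configured the service by IP address, pass the IP address, because a certificate whose only name is a DNS CN will not cover it. An empty list from check_live() means the certificate would pass both checks; a "chain validation failed" entry means the exported certificate or its issuer was not the one loaded as cafile, which is a different problem from the two causes listed here.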

Resolution

Workaround

This workaround assumes that the certificate was generated correctly on the DLP or ProxyAV appliance and then imported into the ProxySG following the steps in the Integrating the ProxySG and ProxyAV Appliances Guide (https://bto.bluecoat.com/sites/default/files/tech_pubs/SG_AV_Integration.pdf).

To work around the issue, disable "Verify Peer" in the ProxySG Web UI: go to Configuration->SSL->Device Profile, select the Secure ICAP device profile you created earlier, click Edit, clear "Verify Peer", and click Apply.

With Verify Peer disabled the ProxySG no longer validates the DLP or ProxyAV certificate at all, so the health check passes regardless of the CN or expiry. Correcting the certificate itself (a CN that matches the ICAP URL host, and a valid validity period) is what allows Verify Peer to be turned back on.
