Traffic flow when ProxySG is integrated with ICAP devices


Article ID: 169837


Products

Data Loss Prevention, ProxyAV Software - AVOS, Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

Trace the path taken by a web request made to the ProxySG when ICAP devices like DLP (Data Loss Prevention) or AV Scanner (Content Analysis or ProxyAV) are integrated with it.

Environment

ProxySG integrated with DLP and network-based AV Scanning devices

Resolution

Setup

 

Two types of scan happen here: a "Request Scan" (REQMOD) and a "Response Scan" (RESPMOD). As the names suggest, REQMOD applies to a request sent by a client, before the proxy sends it to the origin content server (OCS). RESPMOD applies when the OCS returns an object, before the proxy sends it to the client. Based on this setup, the steps are as follows:

  1. The client sends a request to the proxy for an object.
  2. The proxy sends the request to the DLP server using the ICAP protocol (over TCP 1344 for clear text).
  3. If DLP finds no issues with the request, the proxy forwards it to the OCS.
  4. The OCS returns its response.
  5. The proxy sends this file to the ProxyAV for scanning over the ICAP protocol (port 1344 for clear text). This normally includes the request from the client as well as the response from the server.

One of the following then happens:

  1. ProxyAV finds malicious content and informs the proxy via an exception. The proxy passes an exception to the client and drops the object.

OR

  1. ProxyAV finds the file to be safe and informs ProxySG that it is clean. The proxy serves the file to the client.
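
To make step 5 concrete, the following added example (not taken from the original article or from the product) builds the kind of RESPMOD message described there, with the client request and the OCS response encapsulated together, then splits it back apart the way a scanner would. It follows the generic RFC 3507 framing; the host `av.example.net`, the service path `/avscan`, the sample data, and the mapping of ICAP status 204/200 to the two outcomes are assumptions, not documented ProxyAV behaviour.

```python
# Added illustration of RFC 3507 framing. Host, service path and sample data are constructed.

def chunk(data: bytes) -> bytes:
    """Chunked transfer encoding, which ICAP requires for encapsulated bodies."""
    return (b"%x\r\n%s\r\n" % (len(data), data) if data else b"") + b"0\r\n\r\n"

def build_respmod(service: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Wrap the client's request headers and the OCS response in one RESPMOD message."""
    host = service.split("/")[2]
    offsets = "req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = (f"RESPMOD {service} ICAP/1.0\r\nHost: {host}\r\n"
                f"Allow: 204\r\nEncapsulated: {offsets}\r\n\r\n")
    return icap_hdr.encode() + req_hdr + res_hdr + chunk(body)

def split_encapsulated(message: bytes) -> dict:
    """Use the Encapsulated offsets to recover each section of an ICAP message."""
    head, _, payload = message.partition(b"\r\n\r\n")
    line = next(l for l in head.split(b"\r\n") if l.lower().startswith(b"encapsulated:"))
    pairs = [p.strip().split(b"=") for p in line.split(b":", 1)[1].split(b",")]
    offsets = [(name.decode(), int(off)) for name, off in pairs]
    ends = [off for _, off in offsets[1:]] + [len(payload)]
    return {name: payload[off:end] for (name, off), end in zip(offsets, ends)}

def scan_verdict(reply: bytes) -> str:
    """Map the ICAP status code to the two outcomes above (assumed generic mapping)."""
    status = int(reply.split(b" ", 2)[1])
    if status == 204:
        return "clean"      # no modification needed: proxy serves the original object
    if status == 200:
        return "replaced"   # scanner sent its own response in place of the object
    return "error"          # anything else: scan did not complete normally

# Constructed sample traffic.
REQ = b"GET /file.zip HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES = b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n"
BODY = b"constructed-sample-bytes"
MSG = build_respmod("icap://av.example.net:1344/avscan", REQ, RES, BODY)

if __name__ == "__main__":
    for name, section in split_encapsulated(MSG).items():
        print(name, section)
    print(scan_verdict(b"ICAP/1.0 204 No modifications needed\r\n\r\n"))
```
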
