• What is the maximum number of connections to ICAP servers?
  
• How to use multiple ICAP servers?
• How the ICAP service is load-balanced among several ICAP servers?

SGOS: 7.3.13.1

N/A

• There is no limit in configuring max number of ICAP servers on Proxy
• The configuration of one ICAP instance set on the Proxy needs to match the ICAP server max concurrent connections supported by the server.

As an example:

If you have one ICAP server (ICAP max connections max 4000), then if you use one client (Proxy) for sending the traffic then the max supported should be 4000. If you share the ICAP server among many devices you need to divide it by the number of devices as ex. ICAP server (4000) / 2x Proxies = 2000 ICAP connections per device.

ICAP MAXIMUM CONNECTIONS FOR CONTENT ANALYSIS (CAS) INSTANCE

If you’re using our Content Analysis as an ICAP server, there is a table that describes the number of ICAP concurrent connections supported and recommended setting for proxy (table shows settings 1CAS per 1Proxy) - Recommended ICAP connections on ProxySG and Maximum ICAP connections supported on Content Analysis models.

AUTOMATIC CONFIGURATION FOR ICAP SERVER  (SENSE SETTINGS)

When setting a new ICAP server on the Proxy (Proxy>Configuration>Content Analysis>ICAP) you have an option at the bottom of the configuration screen called “Sense settings” that negotiates the preferred settings with the ICAP server automatically.

ICAP SCAN LOAD-BALANCING BETWEEN SEVERAL ICAP SERVERS

To load-balance multiple ICAP servers configured within same product (CAS, Fireeye, Symantec DLP) it is recommended to create ICAP service group for same type of ICAP servers. Service group will help to load-balance the ICAP requests among same type of the ICAP servers:

example:

• 10x same Content Analysis instances set on the Proxy (ex. ICAP GROUP CAS)
• 10x same DLP instances set on the Proxy (ex. ICAP GROUP DLP)

When Proxy group service is used in the Web Content Layer rule, Proxy chooses one of the ICAP servers from the group based on the weight set or by using an intelligent load balancing algorithm which chooses the best server from the list by checking the loads and availability on ICAP servers from the list.

When deciding which service in the service group to send a scanning request, the intelligent load balancing algorithm takes into consideration the following factors:

• Number of requests that are in a “waiting” state on each service (a request is in this state when it has been sent to the service but the response hasn’t been received)
• Number of unused connections available on each service (calculated by subtracting the number of active transactions from the connection maximum on the server)

If you’d like to combine two different ICAP services (Fireeye, CAS or DLP scanner) you should create two separate rules specifying which service group of devices should be used for scanning. See more https://knowledge.broadcom.com/external/article/263508 

KB:

• How Does the ProxySG Load Balance ICAP Devices When Using Malware Scanning? https://knowledge.broadcom.com/external/article/169421 
• Attach additional ICAP service to EdgeSWG/ProxySG (Fireeye, Symantec DLP) and use them parallely to scan the traffic https://knowledge.broadcom.com/external/article/263508 
• High availability (failover) configuration for ICAP of ProxyAV units. https://knowledge.broadcom.com/external/article/166905 
• The maximum number of supported ICAP servers and service groups https://knowledge.broadcom.com/external/article/166975 
• The user-assigned weight given to each server (see Weighting) https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/introduction/load-balance-multiple-content-analysis-appliances/about-icap-service-groups.html