ICAP isn't sending HTTPS/SSL traffic

Article ID: 368615


Products

ISG Proxy

Issue/Introduction

ICAP (Internet Content Adaptation Protocol) and Secure ICAP (ICAPS) are protocols used by proxy servers, such as ProxySG, to offload content filtering and scanning tasks to dedicated servers. Here's a comparison of the two:

ICAP (Internet Content Adaptation Protocol)

Purpose: ICAP is designed to facilitate HTTP-based content filtering and adaptation by offloading these tasks to a dedicated ICAP server.

Communication: Uses standard HTTP for communication between the ProxySG and the ICAP server.

Data Security: Data exchanged between the ProxySG and the ICAP server is not encrypted, which can be a security risk if sensitive information is being transmitted.

Use Cases: Suitable for environments where data security between the proxy and the content adaptation server is not a primary concern or where internal network security is considered sufficient.

 

Secure ICAP (ICAPS)

Purpose: Secure ICAP is an extension of ICAP that provides encrypted communication between the ProxySG and the ICAP server.

Communication: Uses HTTPS (HTTP over SSL/TLS) to secure the data transmitted between the ProxySG and the ICAP server.

Data Security: Ensures that all data exchanged is encrypted, protecting it from interception and unauthorized access, which is critical when handling sensitive or confidential information.

Use Cases: Ideal for environments where data security is paramount, such as financial institutions, healthcare organizations, or any setting where sensitive data is processed.

 

Key Differences

Encryption:

  • ICAP: Does not support encryption.
  • ICAPS: Uses SSL/TLS to encrypt the data, ensuring secure communication.

Environment

SG/ASG/ISG-Proxy

Cause

Secure ICAP not implemented.

Resolution

So, when it's said that ICAP isn't sending HTTPS/SSL traffic, it typically means the following:

  • Plain Text Transmission: The data exchanged between the ProxySG and the ICAP server is transmitted in plain text without encryption. This includes any HTTP requests and responses being modified or analyzed by the ICAP server.
  • Lack of Encryption: The absence of encryption means that the data is not protected from potential interception or eavesdropping. Any data transmitted over the network can be viewed by anyone with access to the network traffic.
  • Security Implications: This lack of encryption poses a security risk, especially if the data being transmitted includes sensitive information such as personal data, authentication credentials, or any other confidential content.

Detailed Explanation:

ICAP Traffic:

  • ICAP Protocol: ICAP is designed to offload content adaptation tasks from the proxy server to a dedicated ICAP server. The protocol itself is not inherently designed to handle encrypted (HTTPS/SSL) traffic.
  • HTTP Only: ICAP operates at the application layer and deals with HTTP traffic. When an HTTP request or response needs to be modified, the proxy server sends it to the ICAP server using ICAP.

 

Handling of HTTPS/SSL Traffic:

  • Decryption at Proxy: To process HTTPS traffic using ICAP, the ProxySG must first decrypt the HTTPS traffic. This is typically done using SSL interception (also known as SSL bumping or SSL bridging), where the proxy acts as a man-in-the-middle.
  • Encrypted Payloads: When HTTPS traffic is intercepted and decrypted by the ProxySG, the decrypted HTTP content can then be sent to the ICAP server for inspection or modification.
  • Re-encryption: After the ICAP server processes the decrypted HTTP content, the ProxySG can re-encrypt the content before forwarding it to the client or the server.


Summary Points:

  • Non-Encrypted Communication: Saying ICAP isn’t sending HTTPS/SSL traffic means ICAP itself does not transmit data over an encrypted channel. Any data sent between the ProxySG and the ICAP server via ICAP is not encrypted by default.
  • Security Measures: To handle HTTPS traffic securely, the ProxySG must decrypt the HTTPS traffic before sending it to the ICAP server and ensure secure handling of sensitive information.
  • ICAPS (Secure ICAP): If encryption is required between the ProxySG and the ICAP server, Secure ICAP (ICAPS) should be used. ICAPS uses SSL/TLS to encrypt the communication channel, ensuring that all data transmitted is secure.

 

So, you will need to implement Secure ICAP.

For the steps to implement Secure ICAP on the Proxy so that HTTPS/SSL traffic is handled, refer to the Tech. Doc. at the URL below.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/sg-introduction/communication/secure_icap.html 

Notes: 

By default, Content Analysis receives data from the ProxySG appliance through an Internet Content Adaptation Protocol (ICAP) connection. The default TCP port for plain ICAP communications is 1344. For heightened security, enable a secure connection between Content Analysis and the ProxySG appliance on port 11344.

Secure ICAP impacts performance. When security is of concern, an alternative is to deploy the Content Analysis and ProxySG appliance on a segmented network to which no outside access is permitted.
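The points above (ICAP is an HTTP-like text protocol, so on the plain ICAP port 1344 the encapsulated HTTP message is readable by anyone on the path, whereas Secure ICAP on port 11344 starts with a TLS handshake) can be checked against captured bytes. The Python below is an added example written for this article; it is not ProxySG or Content Analysis code. The host names, service names, the sample REQMOD request, the sample response and the TLS record prefix are constructed, and the list of sensitive HTTP headers is an assumed watch list.

```python
"""Added example, not code from the article or from ProxySG/Content Analysis.

Shows why a plain ICAP connection (TCP/1344) exposes the encapsulated HTTP
headers, how a Secure ICAP connection (TCP/11344) differs on the wire, and
how to classify a captured proxy-to-ICAP stream by its first bytes.
All hosts, services and sample messages below are constructed."""

ICAP_PLAIN_PORT = 1344     # default plain ICAP port (stated in the article)
ICAP_SECURE_PORT = 11344   # default Secure ICAP port (stated in the article)
ICAP_METHODS = {b"OPTIONS", b"REQMOD", b"RESPMOD"}
# Hypothetical watch list: HTTP headers that carry credentials or session state.
SENSITIVE_HTTP_HEADERS = {"authorization", "cookie", "proxy-authorization", "set-cookie"}


def build_options_request(host: str, service: str, port: int = ICAP_PLAIN_PORT) -> bytes:
    """Build an RFC 3507 OPTIONS request: a text request line plus CRLF headers."""
    lines = [
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0",
        f"Host: {host}",
        "Encapsulated: null-body=0",   # OPTIONS carries no encapsulated HTTP message
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def _split_head(raw: bytes):
    """Split an ICAP (or HTTP) message head into (first line, {header: value}, rest)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    first, *header_lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers, rest


def parse_icap_response(raw: bytes) -> dict:
    """Parse the ICAP status line and headers of a server response."""
    status_line, headers, body = _split_head(raw)
    version, code, reason = status_line.split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


def classify_stream(first_bytes: bytes) -> str:
    """Classify the first bytes of a captured proxy-to-ICAP-server connection.

    TLS begins with a Handshake record: content type 0x16, major version 0x03.
    Plain ICAP begins with an ASCII method and a request line ending ' ICAP/1.0'.
    """
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    first_line = first_bytes.split(b"\r\n", 1)[0]
    method = first_line.split(b" ", 1)[0]
    if method in ICAP_METHODS and first_line.endswith(b" ICAP/1.0"):
        return "plaintext-icap"
    return "unknown"


def exposed_sensitive_headers(reqmod: bytes) -> list:
    """Return the sensitive HTTP header names a passive observer can read from a
    plain ICAP REQMOD request. The ICAP 'Encapsulated' header gives the byte
    offset of the encapsulated HTTP request head (req-hdr=N)."""
    if classify_stream(reqmod) != "plaintext-icap":
        return []   # encrypted or unrecognised: nothing is readable in the clear
    _, icap_headers, encapsulated = _split_head(reqmod)
    offsets = dict(part.strip().split("=") for part in icap_headers["encapsulated"].split(","))
    start = int(offsets.get("req-hdr", 0))
    _, http_headers, _ = _split_head(encapsulated[start:])
    return sorted(name for name in http_headers if name in SENSITIVE_HTTP_HEADERS)


# Constructed sample: a plain ICAP REQMOD request as it appears on TCP/1344.
HTTP_REQ = (b"GET /account HTTP/1.1\r\n"
            b"Host: intranet.example\r\n"
            b"Cookie: session=abc123\r\n"
            b"Authorization: Basic dXNlcjpwYXNz\r\n"
            b"\r\n")
SAMPLE_REQMOD = (b"REQMOD icap://icap.example:1344/reqmod ICAP/1.0\r\n"
                 b"Host: icap.example\r\n"
                 b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(HTTP_REQ)) + HTTP_REQ
# Constructed sample: an ICAP OPTIONS response from the server.
SAMPLE_RESPONSE = (b"ICAP/1.0 200 OK\r\n"
                   b"ISTag: \"example-tag-1\"\r\n"
                   b"Methods: REQMOD, RESPMOD\r\n"
                   b"Encapsulated: null-body=0\r\n\r\n")
# Constructed sample: first bytes of a TLS ClientHello, as seen on TCP/11344.
SAMPLE_TLS_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

if __name__ == "__main__":
    print(classify_stream(SAMPLE_REQMOD), exposed_sensitive_headers(SAMPLE_REQMOD))
    print(classify_stream(SAMPLE_TLS_PREFIX), exposed_sensitive_headers(SAMPLE_TLS_PREFIX))
    print(parse_icap_response(SAMPLE_RESPONSE)["headers"]["methods"])
```

Feed `classify_stream` the first bytes of a capture taken on the proxy-to-ICAP connection: a result of `plaintext-icap` on a service that is supposed to be Secure ICAP means the secure service on port 11344 is not the one in use, and `exposed_sensitive_headers` lists what an observer on that segment could already read.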

If you are employing secure ICAP connections from the ProxySG appliance to the Content Analysis appliance, you must add the Content Analysis certificate to the ProxySG appliance so that it is selectable when creating the Secure ICAP Service. For the implementation steps, refer to the Tech. Doc. at the URL below.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/sg-introduction/communication/secure_icap_sgcert.html

Implement as guided to have ICAP handle HTTPS/SSL traffic as desired. Should you have related queries, share the details on this ticket, with evidence, and we will respond accordingly.