Secure ICAP between DLP detection server and ProxySG.

Article ID: 383826

Products

Data Loss Prevention

Issue/Introduction

You are setting up secure ICAP (SICAP) communication between a DLP detection server and a ProxySG appliance.

The general steps can also be used to configure communication with other proxy vendors, but it is the customer's responsibility to make sure the proxy supports ICAP per the RFC and offers a secure ICAP feature.
For SICAP configuration steps on third-party proxies, the customer should consult the corresponding proxy vendor and follow that vendor's proxy documentation.

Environment

The DLP detection server runs as Network Prevent for Web (NPW) and cooperates with a proxy device, inspecting web traffic and blocking or allowing it according to the applied DLP policies.

Resolution

1. Follow the steps in the DLP documentation:

Configuring a Secure ICAP keystore for Network Prevent for Web

The certificate must be obtained or generated by the customer; it can be signed either by the company CA or by a public CA.
All the usual TLS requirements apply here: the certificate must carry the correct CN/SN (Subject), matching the NPW's FQDN or hostname.

2. If the certificate is not signed by a public CA, the CA certificate must be added as a trusted certificate on the ProxySG side.
Otherwise the proxy will refuse to connect to DLP Network Prevent for Web via secure ICAP.

Import certificate to the CA certificates:

Create a certificate list:

Give it a name and select the certificate that you imported in the previous step:

NOTE: If you have a public-CA-signed certificate, these steps can probably be skipped, as the proxy already ships with a built-in certificate list containing most currently active CAs:

Check that list to confirm that the root CA certificate which signed your certificate is present.

3. Create a device profile and assign a certificate list to it:

Use the previously defined certificate list; the proxy uses it to verify the DLP server's certificate:

NOTE: You can uncheck the "Verify Peer" option; the proxy then skips validation of the DLP server's certificate, so the connection should be established even if there is a problem with the certificate.

4. Next, in the ICAP configuration section, check the Secure ICAP option, configure the expected port, and select the device profile you created earlier.
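The two certificate requirements behind steps 1 and 2 (Subject matches the NPW name; signing CA present in the proxy's trusted list) can be checked with openssl before touching the proxy. The script below is an added example, not from this article or from the DLP/ProxySG documentation; it builds a throwaway company CA and NPW certificate, and the hostname and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article: create a throwaway company CA and an NPW
# server certificate, then run the checks behind steps 1 and 2: Subject/SAN must
# match the NPW FQDN, and the CA must be trusted or the peer is rejected.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NPW_FQDN="npw.example.internal"   # hypothetical Network Prevent for Web FQDN

make_certs() {
  # Private company CA (stands in for "the company CA" in step 1)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Corp Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # CSR for the NPW host; CN set to its FQDN as step 1 requires
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$NPW_FQDN" \
    -keyout "$WORK/npw.key" -out "$WORK/npw.csr" 2>/dev/null
  # Also carry the FQDN in a SAN, which TLS clients check before the CN
  printf 'subjectAltName=DNS:%s\n' "$NPW_FQDN" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/npw.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/san.cnf" \
    -out "$WORK/npw.pem" 2>/dev/null
}

# Step 2 check: the CA in the proxy's certificate list validates the NPW cert
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/npw.pem" >/dev/null 2>&1
}

# Step 1 check: the certificate's Subject/SAN matches the name the proxy dials
host_ok() {
  openssl x509 -in "$WORK/npw.pem" -noout -checkhost "$1" 2>/dev/null \
    | grep -q 'does match'
}

# A proxy whose certificate list lacks the signing CA must refuse the peer
wrong_ca_rejects() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  ! openssl verify -CAfile "$WORK/other.pem" "$WORK/npw.pem" >/dev/null 2>&1
}

make_certs
chain_ok && echo "chain: trusted by the company CA"
host_ok "$NPW_FQDN" && echo "subject: matches $NPW_FQDN"
host_ok "other.example.internal" || echo "subject: does not match a different name"
wrong_ca_rejects && echo "chain: rejected by a proxy that does not trust the CA"
```

Against a real NPW certificate, replace the generated files with the certificate exported from the keystore and the CA certificate you imported into the ProxySG certificate list.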