How to Bypass ICAP Reqmod (request modification) Services on ProxySG / Edge SWG

Article ID: 441943


Products

ISG Proxy

Issue/Introduction

This article provides instructions on how to bypass ICAP reqmod service filtering on a ProxySG appliance. This can be accomplished either by using Content Policy Language (CPL) or via the Visual Policy Manager (VPM) in the WebUI.

Important Note: The steps provided below are general guidelines. The specific implementation may vary depending on your network environment's requirements and local security review criteria.

Resolution

Method 1: Content Policy Language (CPL)

You can bypass the ICAP service at the proxy or cache layer by adding the following syntax to your CPL configuration.

  • To bypass for a specific URL or domain:

    url.domain=example.com request.icap_service(no)
    
  • To bypass globally (all traffic):

    request.icap_service(no)
    

For further details on these properties, please refer to the official documentation on Request ICAP Service Properties.
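A check for the difference between the two rules above, as an added example that is not Broadcom's code: it reads policy text and reports each `request.icap_service(no)` rule as scoped or global, so an unconditioned bypass stands out during policy review. The sample policy is constructed, and the parser assumes one rule per line with `;` comments; continuation lines and `define` blocks are not handled.

```python
import re

BYPASS = re.compile(r"request\.icap_service\(\s*no\s*\)")   # action from this article
CONDITION = re.compile(r"[A-Za-z_][\w.]*=\S+")              # name=value trigger
LAYER = re.compile(r"^<\s*(\w+)[^>]*>(.*)$")                # <Proxy> plus optional guard

# Constructed sample policy, not taken from a real appliance.
SAMPLE_POLICY = """\
; constructed sample for the audit below
<Proxy>
  url.domain=example.com request.icap_service(no)
<Cache>
  request.icap_service(no)   ; no condition: applies to all traffic
<Proxy> url.domain=example.org
  request.icap_service(no)
"""


def audit_icap_bypass(cpl_text):
    """Return (line, layer, scope, conditions) for each reqmod bypass rule.

    scope is "global" when neither the rule nor its layer guard carries a
    condition, otherwise "scoped". Assumes one rule per line and ';' comments.
    """
    findings = []
    layer, guard = None, []
    for number, raw in enumerate(cpl_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()      # drop comment text
        if not line:
            continue
        header = LAYER.match(line)
        if header:                               # new layer: remember its guard
            layer = header.group(1)
            guard = CONDITION.findall(header.group(2))
            continue
        hit = BYPASS.search(line)
        if not hit:
            continue
        # Conditions are the name=value tokens written before the action.
        conditions = guard + CONDITION.findall(line[:hit.start()])
        findings.append((number, layer, "scoped" if conditions else "global", conditions))
    return findings


if __name__ == "__main__":
    for number, layer, scope, conditions in audit_icap_bypass(SAMPLE_POLICY):
        print(f"line {number} <{layer}> {scope}: {conditions or 'all traffic'}")
```

A rule reported as global deserves the same review as the "bypass globally" option above, since it removes reqmod scanning for every request the layer handles.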

 

Method 2: WebUI / Visual Policy Manager (VPM)

If you prefer a graphical interface, you can configure the bypass within a Web Access Layer using the VPM.

Step-by-Step Instructions:

Step 1: Open the Visual Policy Manager

  1. Log in to the ProxySG Management Console.

  2. Select Configuration > Policy > Visual Policy Manager.

  3. Click Launch. The Visual Policy Manager opens in a new window.

Step 2: Create a Web Access Layer

  1. In the VPM top menu, select Policy > Add New Web Access Layer.

  2. Accept the proposed name or assign a descriptive name to the layer (e.g., ICAP Bypass Layer).

  3. Click OK.

Step 3: Configure the Destination and Service Objects

To ensure the bypass targets the correct upload requests (like HTTP POST/PUT or FTP STOR), configure the fields as follows:

  1. Set the Destination: Right-click the Destination field in your new rule, select Set, and choose the target URLs, domains, or categories you want to exempt from ICAP scanning. (Leave as "Any" if you intend to bypass globally.)

  2. Create an HTTP/HTTPS service object:

    • Right-click the Service field of the rule and select Set > New.

    • Select Protocol Methods to open the Add Methods Object dialog.

    • Name the protocol method HTTP_Uploads and select HTTP/HTTPS from the Protocol list.

    • In the Common methods section, check the POST and PUT boxes, then click OK.

  3. Create an FTP service object:

    • Inside the Set Service Object dialog, click New > Protocol Methods.

    • Name the protocol method FTP_Uploads and select FTP from the Protocol list.

    • In the Commands that modify data section, check the STOR box, then click OK.

  4. Combine the service objects:

    • Click New > Combined Service Object.

    • Select your newly created HTTP object and click Add.

    • Select your newly created FTP object and click Add.

    • Click OK, then click OK again to apply this Combined Service object to the Web Access Layer rule.

Step 4: Configure the Bypass Action (Specific UI Deviation)

  1. Right-click the Action field of the rule and select Set > New.

  2. Depending on your appliance's SGOS version, choose the appropriate object type:

    • SGOS 6.5.x: Select Set ICAP Request Service. The Add ICAP Request Service Object dialog opens.

    • SGOS 6.7.x and later (including 7.x): Select Perform Request Analysis. The Add Request Analysis Service Object dialog opens.

  3. The deviation (Step 6b of the Broadcom guide referenced at the end of this article): Instead of selecting or adding an active scanning service in this dialog box, locate the policy action setting and set it to "Do not use any ICAP service".

  4. Click OK, then click OK again to bind the action to the rule.

Step 5: Install the Policy

  1. Click Install Policy in the top control panel of the VPM window.

  2. Once the confirmation message appears, click OK.

  3. Close the VPM window.

For the complete context on constructing ICAP request rules, you can cross-reference the official Broadcom guide: Creating an ICAP Request Policy. Note that you will follow those standard instructions but deviate specifically at Step 6b to choose "Do not use any ICAP service".