Configure ICAP for Blue Coat AV

Airlock can use an ICAP server to validate and scan data for attacks and viruses. This article describes how to integrate a Blue Coat anti-virus server with Airlock.

This setup has been tested connecting Airlock 4.2.4 with Blue Coat AV510 version and the Kaspersky Scan Engine. Please note that a Blue Coat SG is not needed to use a Blue Coat AV for checking requests and responses with Airlock. Airlock itself will serve as a reverse proxy and directly use ICAP to communicate with Blue Coat AV.

The Scanner Version of Blue Coat seems to have a bug. The ICAP server answers requests with wrong HTTP bodies. Because of this, Airlock blocks such requests: the allow rule detects "Parameter name is too long", and the deny rule "Parameter name sanity" will block them too.
This is NOT an issue of Airlock. Blue Coat is working on a solution.

Add the ICAP service to the Airlock configuration

You can add several ICAP services, either in request or in response mode, to Airlock. Do this in the Airlock Configuration Center under "System Setup" - "Network Services" as follows:

The path part of the ICAP Service URL has to match the path configured in the Blue Coat AV configuration GUI. By default this is /avscan.

For using ICAP, Airlock needs a license with the ICAP capability. Make sure your license has this feature enabled.

Select the ICAP service for a certain mapping

For every Mapping you can enable one ICAP service for requests and one ICAP service for responses.

The Request path pattern below specifies which requests should be validated through the ICAP service.
In the example, all HTTP or HTTPS requests sent to the back-end server starting with the path /upload/ will be passed to the ICAP server first.

Behavior for the client browser

If the virus scanner detects a virus and Airlock therefore blocks the request, the user will see the following popup window in their browser, delivered by Blue Coat AV:

followed by an HTML page also delivered by Blue Coat AV:

For information on how to customize these error messages and status pages, refer to the Blue Coat documentation.

In the Airlock Log Viewer, the message will be logged under Blocked request. The easiest way to filter for this selection is to use the Quick Search Button Today's Blocked Requests.

