proxysg tb ICAP Integration v1a - Trend Micro Internet...



Page 1: proxysg tb ICAP Integration v1a - Trend Micro Internet ...solutionfile.trendmicro.com/.../26674/en/BCS_tb_ICAP_Integration.pdf · 1 Technical Brief ProxySG TechBrief – ICAP Integration

1 Technical Brief

ProxySG TechBrief – ICAP Integration

What is ICAP Integration?

When integrated with a supported Internet Content Adaptation Protocol (ICAP) virus-scanning server, the Blue Coat ProxySG Appliance can automatically scan and repair files infected with an Internet-based virus. The virus-checking capability is implemented as an “off-box” solution, with ICAP as the communication mechanism between the Blue Coat secure proxy and the virus-scanning server. The policy definition for content scanning is fully integrated into the new Blue Coat policy enforcement framework and is defined either in the Blue Coat Content Policy Language (CPL) or through the Management Interface. The Blue Coat ICAP implementation is fully compatible with Finjan SurfinGate, Symantec SAVSE Server, Trend Micro IWSS and Webwasher.

Why Implement ICAP?

In addition to scanning through ICAP, the Blue Coat secure proxy caches content that the virus-scanning server has successfully scanned. This is an important performance feature: objects that have already been vectored to the virus-scanning server do not need to be rescanned. The Blue Coat ICAP implementation also lets you select which virus-scanning servers the appliance uses. While ICAP encapsulation is fast, sending a Web object over ICAP can add a delay to any given request. To eliminate threats to your network while maintaining acceptable performance, the Blue Coat ProxySG sends objects to the integrated virus-scanning server for checking and then saves the scanned object in its own object store. On subsequent requests for the same content, the Security Appliance immediately serves the scanned object rather than rescanning it.

How to Implement ICAP Integration

There are three easy steps to implementing, configuring, and testing the Blue Coat ICAP solution:

1. Configure the ICAP-supporting virus-scanning server
2. Configure and construct a Blue Coat policy with the desired virus-scanning scope
3. Test the new policy

Step 1 – Configure the ICAP-Supporting Virus Scanning Server

Launch the ICAP Services screen in the Blue Coat Management System:

Management section | External Services | ICAP tab


Enter the new ICAP service name.

Step 2 – Configure and Construct a Blue Coat Virus Policy

The next step is to specify the location of the scanning server: select the ICAP service, click Edit, enter its URL (beginning with “icap://”; the URL for each supported server type is listed below) and press <Enter>.


Optionally, enable the patience page by clicking the Enable button; it returns a “patience message” to users when they are downloading large files. The URLs for the ICAP servers are the following:

Server Type                      URL
Symantec SAVSE v4                icap://<IP address of the server>:1344/avscan
Trend WebProtect v1.0 and 1.5    icap://<IP address of the server>:1344
Finjan SurfinGate 6.05           icap://<IP address of the server>:1344
Webwasher                        icap://<IP address of the server>:1344/wwrespmod


Click Sense Settings; the service settings, including the ISTag (the scanner's signature-state identifier), should be retrieved from the server automatically.

You can also register this ICAP Service for Health Check in order to ensure continuity of service.
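The Sense Settings step is an ICAP OPTIONS exchange. The following Python is an added example, not code from the brief or from Blue Coat: it builds the OPTIONS request for one of the service URLs listed above and parses a constructed reply to pull out the ISTag, supported methods and preview size. The User-Agent value and the sample reply are assumptions, not output from any real scanner.

```python
from urllib.parse import urlsplit

def build_options_request(icap_url: str) -> bytes:
    """Build the OPTIONS request the proxy sends to a service URL such as
    icap://10.0.0.5:1344/avscan (RFC 3507)."""
    u = urlsplit(icap_url)
    if u.scheme != "icap" or not u.hostname:
        raise ValueError(f"not an icap:// service URL: {icap_url!r}")
    port = u.port or 1344          # 1344 is the IANA-registered ICAP port
    path = u.path or "/"
    return (
        f"OPTIONS icap://{u.hostname}:{port}{path} ICAP/1.0\r\n"
        f"Host: {u.hostname}\r\n"
        "User-Agent: sense-settings-example\r\n"   # hypothetical agent string
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")

def parse_options_response(raw: bytes) -> dict:
    """Extract what Sense Settings needs from a 200 OPTIONS reply."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or parts[1] != "200":
        raise ValueError(f"unexpected ICAP status line: {lines[0]!r}")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return {
        # ISTag names the scanner's current signature/configuration state; when
        # it changes, objects scanned under the old tag must be rescanned.
        "istag": hdrs.get("istag", "").strip('"'),
        "methods": [m.strip() for m in hdrs.get("methods", "").split(",") if m.strip()],
        "preview": int(hdrs["preview"]) if "preview" in hdrs else None,
    }

# Constructed sample reply, modelled on RFC 3507; not output from a real scanner.
SAMPLE_OPTIONS_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b'ISTag: "AVSIG-20020109"\r\n'
    b"Preview: 1024\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)
```

Per RFC 3507 a changed ISTag invalidates earlier scan results, so cached objects scanned under an old tag can no longer be trusted as current; that is why the tag retrieved here matters for the scan-once cache described earlier.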

Open the Blue Coat VPM (Visual Policy Manager):

Management GUI | Policy | Visual Policy Manager | Launch

From the VPM: Edit | Add Web Content Policy


Set the rule action to scan for viruses:

Action field | left click Set | New | Set ICAP Response Service

Click OK on the pop-up Add ICAP Service Action window without making any changes. This window also holds the Fail Open / Fail Closed choice, which governs what happens to a response when the ICAP server is unreachable or returns an error: Fail Open delivers the object unscanned, Fail Closed denies it. Fail Closed is the safer setting for a virus-scanning service.


Click OK twice; the policy now consists of the Web Content rule with the ICAP Response Service action.

Install the policy:

VPM tool bar | Install Policies button

Enable access logging:

Blue Coat Management GUI | Access Logging category | General tab | Select Default Logging Policy for HTTP/HTTPS to main


Step 3 – Test the New Policy

Clear the application logs on the ICAP server:

Windows | Event Viewer

Look at the Security Appliance’s current logs:

Blue Coat Statistics GUI | Access Logging category | Log Tail tab | Select the main facility | Start Tail button

Download an “infected” test file:

Open a Netscape browser (which is proxied through the Security Appliance) | visit http://www.rexswain.com/eicar.html | download eicar.com

This file is not actually infected; it carries the EICAR test signature, so the virus software should act on it as if it were infected. That makes it an ideal test file.


Ensure the Security Appliance served the eicar.com object from the source. The access log entry shows TCP_MISS: the object was fetched from the origin server and therefore passed to the ICAP service:

1010632027.586 436 10.253.97.51 TCP_MISS/200 356 GET http://www.rexswain.com/eicar.com - DIRECT/www.rexswain.com application/octet-stream

Ensure the ICAP service has scanned and repaired the file. The scanner’s application log should contain entries such as:

[Wed Jan 09 19:09:32 2002],WARNING,A virus or other malicious code has been detected. --> /eicar.com:EICAR Test String.70

[Wed Jan 09 19:09:32 2002],WARNING,File /eicar.com was infected with virus EICAR Test String.70. The infection has been found and repaired.

Download the eicar.com file again and check the Blue Coat logs. This time the access log shows TCP_HIT: the scanned object was served from the cache:

1010632362.953 3 10.253.97.51 TCP_HIT/200 358 GET http://www.rexswain.com/eicar.com - DIRECT/- application/octet-stream

Check the Event Log to ensure that no new infected-file entry has appeared: the second download was served from the cache and was not sent to the scanner again.

Conclusion

Using the Blue Coat ProxySG you can implement a virus-scanning solution that supports your network environment. The scan-once, view-many feature allows scanned content to be cached for future viewing without the need to rescan the same Web objects. This increases virus-scanning performance dramatically and helps conserve network bandwidth.
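To make the log checks in the test procedure above repeatable, here is an added Python script (not from the brief or Blue Coat) that parses the two log formats shown and verifies the scan-once outcome: TCP_MISS followed by TCP_HIT for eicar.com, with exactly one infection entry on the scanner. The log excerpts are the brief’s own; the pass/fail logic is an assumption about what a correct run looks like.

```python
import re

# ProxySG "main" access log (squid-style fields) and the scanner's application log.
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$")
ICAP_RE = re.compile(r"^\[(?P<when>[^\]]+)\],(?P<level>[A-Z]+),(?P<msg>.*)$")

def parse_access(text):
    """One dict per well-formed access-log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]

def infection_count(text, path):
    """Number of scanner WARNING entries saying the given path was infected."""
    n = 0
    for m in map(ICAP_RE.match, text.splitlines()):
        if m and m["level"] == "WARNING" and f"File {path} was infected" in m["msg"]:
            n += 1
    return n

def scan_once_report(access_text, icap_text, url):
    """Check the outcome the brief expects: the first fetch is a TCP_MISS (sent to
    the scanner exactly once), every later fetch of the same URL is a TCP_HIT from
    the cached, scanned copy, and the scanner logs no further infection for it."""
    entries = [e for e in parse_access(access_text) if e["url"] == url]
    path = "/" + url.rsplit("/", 1)[-1]          # /eicar.com, as the scanner logs it
    codes = [e["code"] for e in entries]
    report = {
        "codes": codes,
        "detections": infection_count(icap_text, path),
    }
    report["scan_once_ok"] = (
        len(codes) >= 2
        and codes[0] == "TCP_MISS"
        and all(c == "TCP_HIT" for c in codes[1:])
        and report["detections"] == 1
    )
    return report

# Log excerpts as printed in the brief (the wrapped scanner line is joined here).
ACCESS_LOG = """\
1010632027.586 436 10.253.97.51 TCP_MISS/200 356 GET http://www.rexswain.com/eicar.com - DIRECT/www.rexswain.com application/octet-stream
1010632362.953 3 10.253.97.51 TCP_HIT/200 358 GET http://www.rexswain.com/eicar.com - DIRECT/- application/octet-stream
"""
ICAP_LOG = """\
[Wed Jan 09 19:09:32 2002],WARNING,A virus or other malicious code has been detected. --> /eicar.com:EICAR Test String.70
[Wed Jan 09 19:09:32 2002],WARNING,File /eicar.com was infected with virus EICAR Test String.70. The infection has been found and repaired.
"""
```

Zero detections with a TCP_MISS means the object reached the client without ever being scanned, which is what a Fail Open action looks like in the logs when the scanner is down.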

Copyright ©2003 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.

Contact Blue Coat Systems • 1.866.30BCOAT • 408.220.2200 Direct • 408.220.2250 Fax • www.bluecoat.com