ICAP Connector
Introduction
Some organizations use a reverse proxy server like F5 for security purposes.
It is situated outside the organizational network in a Demilitarized Zone (DMZ). Public requests are directed to this server, which forwards them to their final destination based on its configurations and organizational policies.
ICAP (Internet Content Adaptation Protocol) is a protocol used for content analysis and content filtering.
It can also be employed for inserting advertisements, virus scanning, content translation, or language translation. ICAP reads the HTTP headers of incoming HTTP requests and processes these requests according to established rules.
As a result, integrating Proxy and ICAP offers a powerful combination that provides significant business value and a comprehensive solution.
Votiro now supports the integration of ICAP by receiving ICAP requests, forwarding them for sanitization, and routing them back to the Votiro ICAP-F5 server so they can reach the final destination.
Limitations
The following limitations apply to ICAP connector-supported products:
- F5 - Only uploads are supported.
- Squid - Both uploads and downloads are supported.
Workflow inside the F5 server
1. The Client uploads files to a specific URL via a web browser or IP address.
2. Traffic arrives at the F5® BIG-IP® Local Traffic Manager™ (LTM) Public IP.
3. The F5® Local Traffic Manager™ forwards HTTP requests to the F5 LTM Standard-Virtual-server (F5 Private IP).
4. The F5 Standard-Virtual-server transfers the HTTP request to the Internal-virtual-server (Pre-Configured By Template).
5. The F5 Internal-Virtual-server transfers the HTTP request to the ICAP Pool, which contains Votiro’s ICAP endpoint address (Pre-Configured).
6. The Votiro-ICAP server sends the original file for sanitization and responds with the sanitized file to the F5 LTM Internal-Virtual-server.
7. The Internal-Virtual-server forwards the request to the F5 LTM Standard-Virtual server.
8. The F5 LTM Standard-Virtual server transfers the HTTP request to the Web server.
9. The sanitized file is uploaded.
To simplify, a user uploads a document to a company's web server for approval. The document is then sent from F5 to Votiro SaaS for sanitization and forwarded to the web server, awaiting customer service review.
The following topology provides a more explicit visual representation of the process:

The image below is a snapshot of a BIG-IP F5 Load Balancer configuration used to manage server traffic flow:

The following is an explanation of the above screenshot:

Architectural Flow:
The flow of this configuration can be summarized as follows:
1. The Client traffic arrives at the Virtual Server (Votiro_ICAP_VS).
2. The Virtual Server routes the traffic to a Pool (Votiro_ICAP_Pool).
3. The Pool Members (3.124.13.188:1344 and others) handle the request if marked Available.
4. Monitors (e.g., tcp_half_open) check the health of the pool members.
5. If a pool member is unavailable, traffic will not be routed to it.
6. Profiles (Votiro_ICAP_Profile) are applied to ensure specific protocol-level behavior.
How to Configure ICAP on the F5 BIG IP Proxy Server and Set Up Your Web Server for File Uploads
Considerations
- This guide will cover BIG-IP version 16.1.5.1 build 0.13.7.
- The Amazon Machine Image (AMI) used is “F5 BIG-IP 16.1.5.1-0.13.7 BYOL - All Modules 2Boot”; its AMI ID is ami-0cedc3bcc72cda188.
- This basic setup does not cover file uploads with secure HTTP/TLS Certificates.
- This guide does not cover ICAP handling or filtering, which is done on the customer side, generally through the iRule feature handled by the “Votiro_ICAP_Request adapt” profile.
Configuring F5 BIG-IP
1. You can launch an EC2 instance using your image or get one from the Marketplace. Then you need to obtain the appropriate license.
2. You can log in using the Public IPv4 DNS address or the IP address via the management port 8443.
3. Download the Votiro_icap.tmpl file. This template simplifies the creation of ICAP-related elements (such as nodes, pools, internal virtual servers, and profiles) in one centralized location. The newly created request and response adaptation profiles can be assigned to standard virtual servers, enabling them to utilize the Votiro ICAP Server.
4. Connect to your F5® BIG-IP® server.
Create the Local Traffic Manager™ (LTM) Internal-virtual-server
1. In the left pane menu, navigate to iApps > Templates.
2. Click on Import, then select the downloaded template file “Votiro_icap.tmpl” and click on upload.
3. To create a new application from the template, go to iApps, click on Application Services, and select Create.
4. Choose an appropriate name for the application, such as “Votiro_ICAP_Prod_SG”.
5. In the Template section, open the drop-down menu and select the template name.
6. In the section labeled ICAP Pool, ensure that the option create a new pool is selected.
7. Under Node/IP, enter the IP address of Votiro's ICAP server that corresponds to your region.
8. Verify that Port 1344 is in use.
9. Under the Create request and response adapt profiles section, select the service down actions that you would like to receive when the service is unavailable, according to your preferences. It is advisable to choose the reset option.
10. Maintain all other configurations as they are and click on Finish. The Components map will be displayed.
11. On the same screen, navigate to Properties. Open the drop-down menu and change the setting from Basic to Advanced.
12. Uncheck the box labeled Strict Updates (recommended) and click on Update. This will allow us to modify specific configurations that were previously unchangeable in the next step.
13. Navigate to Local Traffic > Profiles : Services : ICAP and select Votiro_ICAP_Profile.
14. Contact Votiro support to obtain the Votiro ICAP endpoint. Then, in the Settings section under URL, paste the fully qualified domain name (FQDN) of Votiro’s ICAP server in the following format: <icap://fqdn/vicap> and then click on update.
15. Navigate to the Pools section under Pool List. You will find the Votiro_ICAP_Pool, which should be highlighted in green to indicate that it is available. Click on it.
16. Go to Configurations followed by Health Monitors. Scroll down through the available health check profiles and select tcp_half_open. Click the left arrow to add it and make it Active, then click on Update.
17. You should now have an application named Votiro_ICAP_VS running as an LTM internal virtual server. To verify this, navigate to Local Traffic and select Virtual Servers.
18. Because this server type is classified as “internal,” it does not have an IP address and will appear grayed out. However, if you hover your mouse over it, a status message will display: Available (Disabled Parent) - The virtual server is available. Its main purpose is to hold the ‘Votiro_ICAP_Profile’.
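The tcp_half_open monitor from step 16 only confirms that port 1344 accepts TCP connections; an ICAP OPTIONS request (RFC 3507) also confirms that the service at icap://fqdn/vicap answers and advertises REQMOD, the method used for request adaptation. The following is an added example, not part of the Votiro or F5 material. It assumes the endpoint speaks plain ICAP on port 1344 and answers OPTIONS; the function names and the sample reply are constructed for illustration.

```python
import socket

ICAP_PORT = 1344        # port verified in step 8 of the guide
SERVICE_PATH = "vicap"  # path from the icap://fqdn/vicap URL in step 14

def build_options(fqdn, path=SERVICE_PATH):
    """Return the bytes of an ICAP OPTIONS request for icap://fqdn/path."""
    lines = [f"OPTIONS icap://{fqdn}/{path} ICAP/1.0", f"Host: {fqdn}",
             "Encapsulated: null-body=0", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw):
    """Parse the head of an ICAP response into (status_code, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    version, code, *_ = status_line.split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def check_service(raw):
    """Return a list of problems; an empty list means the service looks usable."""
    code, headers = parse_response(raw)
    problems = []
    if code != 200:
        problems.append(f"OPTIONS returned {code}")
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    if "REQMOD" not in methods:
        problems.append("REQMOD not advertised; uploads cannot be adapted")
    return problems

def probe(fqdn, port=ICAP_PORT, timeout=5.0):
    """Send OPTIONS to a live server and run check_service() on the reply."""
    with socket.create_connection((fqdn, port), timeout=timeout) as s:
        s.sendall(build_options(fqdn))
        data = b""
        while b"\r\n\r\n" not in data and (chunk := s.recv(4096)):
            data += chunk
    return check_service(data)

# Constructed sample reply for offline use, not captured from a Votiro server.
SAMPLE = (b'ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nISTag: "constructed-1"\r\n'
          b"Encapsulated: null-body=0\r\n\r\n")
```

Call `probe()` with the FQDN obtained from Votiro support, from a host that is allowed to reach the ICAP endpoint.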
Setting up the Web Upload Server on F5® BIG-IP®
Assuming your organization already has a web server, you must configure a virtual server to utilize it.
Create the Local Traffic Manager™ (LTM) Standard-virtual-server
Local Traffic Section
1. Go to the Virtual Servers section and click on Create.
2. Under General Properties, set a name, preferably the name of your upload server.
3. Under Source Address, set the subnet to 0.0.0.0/0 to accept traffic from any location.
4. In the Destination Address/Mask field, enter your internal private IP address, which is located in the upper left corner of the management console.
5. Set the desired Service Port according to your setup; for example, choose 80 for HTTP.
6. In the Configuration section, change the setting from Basic to Advanced. Ensure that it includes the following options:
   - HTTP Profile (Client): HTTP
   - Request Adaptation Profile - Votiro_ICAP_Request
   - Source Address Translation: Auto Map
Pools Section
1. Go to Pools and click on Create.
2. Give your pool a name that relates to your web server.
3. Select tcp_half_open to be used as the health monitor.
4. In the Resources section, set the Node Name to match your web server name, along with your web server's public IP address and the upload port (e.g., 5000).
5. Click on Add. If your web server is online, it should display a “Green” status.
6. Navigate to Virtual Servers and select your newly created virtual server.
7. Navigate to the Resources tab and select the pool name you previously created under the Default pool section.
Configuring the Votiro Management Console
For further instructions to complete the ICAP setup, contact Votiro support.
ICAP Server Configuration in the Votiro Management Console
To get to the ICAP Server page from the navigation pane on the left, click Cloud Connectors and Integrations > ICAP Server.

The ICAP Server page contains the following fields:
- Policy name - Select a policy to work with the connector. Select the Default Policy if you have not created an alternative policy to use.
- Channel name - Specify the name of your channel. The channel name appears in the Incidents page as the name of a connector. This is the name of the service you configured in the ProxySG Management Console.
ICAP traffic is displayed in the Management dashboard under Data source > File connector > ICAP Server.
The user can view and filter ICAP incidents by using the ICAP channel name in the filter channels.