UserGate can transfer the HTTP/HTTPS and email traffic (SMTP, POP3) to external ICAP servers, e.g. in order to check the traffic for viruses or to check the outgoing data from users by means of DLP systems. In this case, UserGate will serve as an ICAP client.
UserGate offers flexible settings for ICAP servers, e.g. administrators can set up rules for sending only part of the traffic to ICAP servers or for integration with ICAP server farms.
To set up UserGate for integration with external ICAP servers, perform the following steps:
|
Name |
Description |
|---|---|
|
Step 1. Create an ICAP server. |
Go to Security policies-->ICAP servers, click Add and create one or more ICAP servers. |
|
Step 2. Create a balancing rule for ICAP servers (optional). |
When a balancing for ICAP server farms is required, go to Network policies-->Load balancing and create a new ICAP server balancer. Use the ICAP servers that you have created in the previous step. |
|
Step 3. Create a new ICAP rule. |
Go to Security policies-->ICAP rules and create a rule that defines conditions for resending the traffic to ICAP servers or ICAP server farms. Important! ICAP rules are applied from top to bottom in the list of rules. Only the first publication rule for which all its specific conditions are met will be applied. |
To create an ICAP server, go to Security policies-->ICAP servers, click Add and fill out the following fields:
|
Name |
Description |
|---|---|
|
Name |
Name of the ICAP server |
|
Description |
Description of the ICAP server |
|
Address |
IP address of the ICAP server |
|
Port |
TCP port of the ICAP server (1344 by default) |
|
Max message size |
The maximum size of a message sent to the ICAP server (in megabytes). The default value is 0 (disabled). |
|
Check ICAP server every |
A time period in seconds after which UserGate will send an OPTIONS request to the ICAP server to check its availability. |
|
Bypass if errors |
When this option is enabled, UserGate will not send any data to the ICAP server if the ICAP server is not available (does not respond to OPTIONS request). |
|
Reqmod path |
|
|
Respmod path |
|
|
Send username |
|
|
Send IP |
|
|
Send MAC |
|
To create a balancing rule for the reverse proxy servers, go to Network policies-->Load balancing, select Add-->ICAP balancer and fill out the following fields:
|
Name |
Description |
|---|---|
|
Enabled |
Enable or disable the rule |
|
Name |
Name of the rule |
|
Description |
Description of the rule |
|
ICAP servers |
The list of ICAP servers among which the workload will be distributed, created in the previous step. |
To create an ICAP rule, click Add in Security policies-->ICAP rules and fill out the following fields.
Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
|
Name |
Description |
|---|---|
|
Enabled |
Enable or disable the rule |
|
Name |
Name of the rule |
|
Description |
Description of the rule |
|
Action |
The following options are supported:
|
|
ICAP servers |
An ICAP server or an ICAP server balancer to which UserGate will be resending user requests. |
|
Source |
A source zone and/or a list of source IP addresses for the traffic. |
|
Users |
The list of users and/or groups to which a given rule is applied. Users of the Any, Unknown or Known types can be added. To apply the rules to given users or users of the Known type, you need to set up user identification. |
|
Destination address |
A destination IP addresses for the traffic. |
|
MIME types |
Lists of MIME types. The system provides the management functionality for video, audio, images, executable files, and other content types. Administrators can also create custom groups of MIME types. For more details on MIME types, please refer to the Content types |
|
Categories |
Lists of UserGate URL filtering categories |
|
URLs |
Lists of URLs |
|
HTTP method |
For HTTP requests, the system usually applies POST or GET methods |
|
Service |
Possible options:
|