UserGate can send HTTP/HTTPS and email traffic (SMTP, POP3) to external ICAP servers, for example to check it for malware or to have DLP systems examine the data sent by users. In that case, UserGate works as an ICAP client.
UserGate can be configured flexibly for working with ICAP servers: for example, the administrator can specify rules for the selective forwarding of traffic to the ICAP servers or configure the use of ICAP server farms.
To configure UserGate for using external ICAP servers, follow these steps:

Task | Description |
---|---|
Step 1. Create an ICAP server. | In the Security policies --> ICAP servers section, click Add and create one or more ICAP servers. |
Step 2. (Optional) Create a balancing rule for ICAP servers. | If you need load balancing within an ICAP server farm, go to the Network policies --> Load balancing section and create an ICAP load balancer. Use the ICAP servers created at the previous step. |
Step 3. Create an ICAP rule. | In the Security policies --> ICAP rules, create a rule that will set the conditions for forwarding traffic to ICAP servers or server farms. Important! ICAP rules are applied top to bottom in the rule list. Only the first rule for which all conditions are matched is triggered. |

To add an ICAP server, go to the Security policies --> ICAP servers section, click Add, and fill in these fields:

Name | Description |
---|---|
Name | The name of the ICAP server. |
Description | A description of the ICAP server. |
Server address | The IP address of the ICAP server. |
Port | The TCP port used by the ICAP server; the default is 1344. |
Max message size | The maximum message size in kilobytes (kB) that can be transmitted to the ICAP server. The default is 0 (the request body will not be passed to the ICAP server). |
Check ICAP server every | Sets the time interval in seconds with which UserGate sends OPTIONS requests to the ICAP server to verify that the server is available. |
Bypass if errors | If this is enabled, UserGate will not send data to the ICAP server when the server is unavailable (does not respond to OPTIONS requests). |
Reqmod path | |
Respmod path | |
Send username | |
Send IP | |
Send MAC | |

To create a balancing rule for ICAP servers, go to the Network policies --> Load balancing section, select Add --> Add ICAP load balancer, and fill in these fields:

Name | Description |
---|---|
Enabled | Enables or disables the rule. |
Name | The name of the rule. |
Description | A description of the rule. |
ICAP servers | The list of ICAP servers created at the previous step between which the load will be distributed. |

To create an ICAP rule, go to the Security policies --> ICAP rules section, click Add, and fill in the relevant fields.
Note
The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.
Note
The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

Name | Description |
---|---|
Enabled | Enables or disables the rule. |
Name | The name of the rule. |
Description | A description of the rule. |
Action | The options are as follows: |
ICAP servers | The ICAP server or load balancer where UserGate will send the requests. |
Source | The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source. The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing performed with the following statements: |
Users | The list of users and user groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. |
Destination address | The IP addresses, GeoIP, or URL (host) lists of the traffic destination. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing performed with the following statements: |
Content types | The content type lists. Video, audio, images, executables, and other types of content can be controlled. Administrators can also create custom content type groups. For more details on working with content types, see the chapter Content Types. |
Categories | UserGate URL Filtering category lists. |
URL | URL lists. |
HTTP method | The method used in HTTP requests, usually POST or GET. |
Service | The available options are: Important! Before using SMTP and POP3 in ICAP rules, a mail security rule should be created for these services. For more details on protecting email traffic, see the section Mail Security. |
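
The first-match ordering and the Negate checkbox described in the notes above can be checked offline before a rule list goes live. The following is an added example, not UserGate's rule engine: a simplified model that finds rules which match some traffic but never fire because a more general rule sits above them. Rule names, condition fields, action labels and the sample requests are hypothetical.

```python
# Added example: simplified model of first-match rule evaluation with Negate.
# Rule names, fields and action labels are hypothetical, not UserGate's own.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cond:
    values: frozenset      # values listed in the condition
    negate: bool = False   # Negate checkbox: Boolean NOT of the membership test

    def matches(self, value) -> bool:
        return (value in self.values) != self.negate

@dataclass
class Rule:
    name: str
    action: str
    conds: dict = field(default_factory=dict)   # field -> Cond; absent field = Any
    enabled: bool = True

    def matches(self, req: dict) -> bool:
        return all(c.matches(req.get(k)) for k, c in self.conds.items())

def first_match(rules, req):
    """Top-to-bottom scan: only the first enabled rule matching all conditions fires."""
    return next((r for r in rules if r.enabled and r.matches(req)), None)

def shadowed(rules, samples):
    """Enabled rules that match at least one sample but never win any of them."""
    winners = {r.name for r in (first_match(rules, s) for s in samples) if r}
    return [r.name for r in rules if r.enabled and r.name not in winners
            and any(r.matches(s) for s in samples)]

# Constructed sample traffic and rules.
SAMPLES = [
    {"zone": "Trusted", "method": "POST"},
    {"zone": "Guest", "method": "POST"},
    {"zone": "Trusted", "method": "GET"},
]
general = Rule("scan-all-post", "forward", {"method": Cond(frozenset({"POST"}))})
specific = Rule("skip-non-trusted-post", "skip", {
    "method": Cond(frozenset({"POST"})),
    "zone": Cond(frozenset({"Trusted"}), negate=True),   # NOT Trusted
})
BAD_ORDER = [general, specific]    # general rule first: the specific one never fires
GOOD_ORDER = [specific, general]   # more specific rule placed higher
```
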