Forum Discussion

seilemor_131269
Mar 10, 2014

ICAP integration will not work

Hello community,

I want to check uploaded files with the ASM module against an ICAP server (Bluecoat Proxy AV). I've configured the ICAP settings and the settings in the ASM policy. If I now upload a file in an upload form I see in the tcpdump that the F5 communicates with the ICAP server. If I upload an EICAR test file I see in the ICAP log that the file has been recognized. The problem is that the F5 did not block the file. In the ASM log I see that the "request" is okay and not a dangerous attack. What can I do? The ICAP server works fine. We are using it with more than one system.

  • What is your ASM policy set to? What does the message exactly say?

  • Here are some screenshots from the settings of my ASM policy regarding the AntiVirus settings.

    At the moment the policy is transparent, but if there is a violation I should see it in the ASM log.

    And here is the log of the ICAP scanner...

    TIME;TIME-INT;PROTOCOL;CLIENT;SERVER;VIRUS;URL;HWSERIALNUMBER;MACHINENAME;MACHINEIP;AVVENDOR;AVENGINEVERS;AVPATTERNVERS;AVPATTERNDATE;APPVERSION
    2014/03/10 14:15:49;1394460949;ICAP;10.2.160.101;;EICAR-AV-Test;;3609081087;pxghza-av5;10.160.72.18;Sophos, Plc.;3.50.1;4.98G.6465406.2540362744;2014/03/10 08:06:00;ProxyAV (Version 3.5.1.3(122676))
    2014/03/10 14:16:28;1394460988;ICAP;10.2.160.101;;EICAR-AV-Test;;3609081087;pxghza-av5;10.160.72.18;Sophos, Plc.;3.50.1;4.98G.6465406.2540362744;2014/03/10 08:06:00;ProxyAV (Version 3.5.1.3(122676))
    2014/03/10 14:17:10;1394461030;ICAP;10.2.160.101;;EICAR-AV-Test;;3609081087;pxghza-av5;10.160.72.18;Sophos, Plc.;3.50.1;4.98G.6465406.2540362744;2014/03/10 08:06:00;ProxyAV (Version 3.5.1.3(122676))

    Do you need more information?

    • boneyard
      All seems fine, I don't directly see a reason why this would fail. Is your ICAP scanner supported by the F5? There is some config needed, I believe, for some other than the default.
  • Do you know which ICAP scanners are supported, or should I open a case with F5 support?

  • All right... I have found the problem. The configuration of the virus_header_name in the system variables was wrong. The configuration is OK for the McAfee ICAP scanner (this is the default). For Bluecoat Proxy AV the configuration must be "X-Error-details,X-Virus-Details".

    Thank you for the help.
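    As an added example (not code from this thread or from F5/Blue Coat), here is a small Python check that mirrors what the virus_header_name setting does: it parses the ICAP response header block and only reports an infection when one of the configured header names is present, which is why a list written for a different scanner silently passes the EICAR file. The sample responses and the placeholder header list are constructed for illustration; only the header names X-Error-details and X-Virus-Details come from the thread.

```python
"""Added example (not from this thread or from F5/Blue Coat): parse an ICAP
response header block and apply a comma-separated virus_header_name list the
way the thread describes, to show why the wrong list fails open."""
from typing import Dict, Optional, Tuple

# Constructed sample responses. Only the header names X-Error-details and
# X-Virus-Details come from the thread; all other values are made up.
BLUECOAT_STYLE_INFECTED = (
    "ICAP/1.0 200 OK\r\n"
    'ISTag: "constructed-istag"\r\n'
    "X-Virus-Details: EICAR-AV-Test\r\n"
    "X-Error-details: Virus found\r\n"
    "Encapsulated: res-hdr=0, res-body=120\r\n"
    "\r\n"
)
CLEAN_NO_CONTENT = 'ICAP/1.0 204 No Content\r\nISTag: "constructed-istag"\r\n\r\n'
OK_WITHOUT_VERDICT = "ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, null-body=80\r\n\r\n"
# Placeholder for a header list that does not match this scanner (an assumption,
# not the real McAfee default value, which the thread does not quote).
WRONG_HEADER_LIST = "X-Placeholder-Virus-Header"
BLUECOAT_HEADER_LIST = "X-Error-details,X-Virus-Details"


def parse_icap_headers(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from the ICAP header block.
    Header names are lower-cased because ICAP headers are case-insensitive."""
    head, _, _encapsulated = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def matched_virus_header(raw: str, virus_header_name: str) -> Optional[str]:
    """First configured header (in list order) present in the response, or None."""
    _status, headers = parse_icap_headers(raw)
    for name in virus_header_name.split(","):
        key = name.strip().lower()
        if key in headers:
            return f"{name.strip()}: {headers[key]}"
    return None


def is_infected(raw: str, virus_header_name: str) -> bool:
    """A file is only treated as infected when a configured header is present;
    a mismatching list therefore lets a detected EICAR file through."""
    return matched_virus_header(raw, virus_header_name) is not None
```

    Running the infected sample against WRONG_HEADER_LIST returns False even though the scanner flagged the file, which is the exact symptom from the first post.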

  • Hi,

    I've similar problems with the file scanning - I configured the settings as you described (virus_header_name and other AV settings in ASM).

    When I do a tcpdump I can see:

    1. REQMOD icap://1.2.3.4:1344/reqmod ICAP/1.0\r\n
    2. no ICAP answer from server
    3. multiple "Continuation" from F5
    4. nothing else

    I've also tested the request adaptation method, but I don't want to send every request to the ICAP server (only file uploads). With request adaptation I got:

    1. REQMOD icap://1.2.3.4:1344/avscan ICAP/1.0\r\n
       (avscan is the service name on Bluecoat AV)
    2. ICAP/1.0 200 OK\r\n
    3. multiple "Continuation" from F5 with TCP-ACKs from Bluecoat
    4. nothing else

    This seems better to me, because Bluecoat answers with ICAP OK.

    So I have some questions:

    Is there any log or anything else for better troubleshooting this issue?

    Can I adjust the "servicename" in the ASM config method?

    Does anyone have an idea what may be the problem?

    Thanks for your response, Philipp

  • Hey Philipp,

    Do you have a firewall between the F5 and the ICAP servers, and do you know the value which your ICAP server uses for "tacking" a mail? My problem in the past was that I've used the wrong value to identify if the ICAP has found a virus or not. One other problem in my structure was that I've configured the first time only the internal floating IP in the firewall for accessing the ICAP server. For a successful connection it is necessary to permit also the internal self IPs from the appliances.

    The problem which you've described sounds similar to my second problem.

    Best regards

    • Philipp_Stadler
      Hi, I can eliminate a firewall issue on the way between the F5 and the ICAP server, because I already did a dump on both firewall interfaces, which match exactly. What do you mean by "do you know the value which your ICAP server use for "tacking" a mail!?" Thanks
  • Each ICAP server may use a different value to identify if a virus exists or not (X-headers), and if you do not configure the right value to search for, the F5 will not see that the file which was inspected is bad.

    Additionally, see the post above which is tagged as answer.

    • Philipp_Stadler
      Yes - I already referred to the tagged answer and already configured "X-Error-details,X-Virus-Details" at the virus_header_name variable. But how can I be sure that I configured the right values?
  • You must know it :)

    But it is already strange that if you do a tcpdump at the F5 you'll see no answer packet.

    • robert_83958
      I have a similar problem. I've set the ICAP URI to /avscan in the settings (and restarted the ASM module), but according to the tcpdump the F5 still tries with /reqmod. Anyone solved this?