AP_129594
Oct 09, 2013

LTM load balance antivirus scanner

I noticed F5 recommends using the ASM module as a solution for integrating antivirus scanning via ICAP. We only have an LTM license and want to load balance the antivirus scanning on port 9053. Has anybody done this before? Please provide your feedback. Thank you.

 

5 Replies

  • ICAP support was integrated into LTM 11.3:

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/12.html?sr=32405617

     

    Here are the steps to recreate:

     

    1. Create an ICAP profile that defines the ICAP URI and other request parameters.

       

    2. Create an "internal" virtual server that uses the ICAP profile and pools to the ICAP server(s).

       

    3. Create a Request Adapt profile (and optionally a Response Adapt profile) that uses the internal VIP.

       

    4. Apply the Request/Response Adapt profile(s) to the application VIP.

       

    The internal VIP load balances the ICAP servers. The application VIP sends the client request to the internal VIP and then forwards the request to the application server based on the (potentially adapted) response from the internal VIP.
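
The four steps in the reply above, written out as a configuration sketch. This is an added example, not part of the original reply or of F5's manual; the object names, the member addresses and the `/avscan` service path are assumed placeholders, and only port 9053 comes from the question.

```tmsh
# Added example: bigip.conf-style stanzas for BIG-IP LTM 11.3 or later.
# All names, the 192.0.2.x addresses and the /avscan path are placeholders.

# Pool of antivirus/ICAP scanners on port 9053 (the port from the question).
ltm pool pool_icap_av {
    load-balancing-mode least-connections-member
    members {
        192.0.2.11:9053 { address 192.0.2.11 }
        192.0.2.12:9053 { address 192.0.2.12 }
    }
    monitor tcp
}

# Step 1: ICAP profile. The macros expand to the pool member that was
# selected; the path after the port is whatever the scanner product expects.
ltm profile icap icap_av {
    uri icap://${SERVER_IP}:${SERVER_PORT}/avscan
}

# Step 2: internal virtual server. It has no client-facing listener and
# only load balances adaptation requests across the scanner pool.
ltm virtual vs_icap_internal {
    internal
    ip-protocol tcp
    pool pool_icap_av
    profiles {
        icap_av { }
        tcp { }
    }
}

# Step 3: Request Adapt profile that hands HTTP requests to the internal VIP.
# service-down-action decides what happens when no scanner is available:
# "ignore" passes the request through unscanned, "reset" or "drop" refuses it.
ltm profile request-adapt reqadapt_av {
    enabled yes
    internal-virtual /Common/vs_icap_internal
    service-down-action reset
}

# Step 4: attach the profile to the existing application virtual server,
# which must already carry an HTTP profile (vs_app is a hypothetical name):
#   modify ltm virtual vs_app profiles add { reqadapt_av }
```

A Response Adapt profile for scanning server responses follows the same pattern with `ltm profile response-adapt` pointing at an internal virtual server.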

     

  • Our internal F5 is a virtual license on 11.2 HF2, and does not have the ICAP service. Is there a way to work around this?

     

  • Technically yes if you consider that the ICAP process is similar to a GUI-configurable sideband call.

     

  • Yes, an AV proxy would certainly be an option, but then so would upgrading to 11.3 and using the built-in ICAP capability. A sideband-based custom iRule would also technically work, but it's definitely the more complicated option.