SharePoint 2016 large file upload and LTM ICAP configuration

Hi Joe,

I don't have a solution for your issue. However, I have an opinion I'd like to share. From my experience, I would recommend to limit the file size sent to the ICAP server. You could do that with an iRule for example. Or not to use ICAP at all and check for alternative places to scan the uploaded files for viruses.

Last time I tcpdumped a LTM ICAP setup (June 2020, BIG-IP v15.1), the file was uploaded to F5, sent to the ICAP server, scanned, sent back to the F5, and finally sent to the destination (SharePoint). For 100 MB file this means it was sent around around 3 times before it arrived on SharePoint. That's a lot of traffic on the wire and subjective wait time for the user.

An alternative could be to use ICAP with ASM / AWAF. In that combination the file won't be sent around between F5 and ICAP server, because the ICAP server will answer to the AWAF with either a 204 Unmodified (no virus) or a 403 Forbidden (virus found, x-header).

In my opinion it would be a better solution to use AV on the SharePoint server. I think if you enable RBS you can scan the files on the disk, because they are no longer stored in the DB. Or maybe there are AV products for SharePoint.

KR

Daniel