Operational Modes > ICAP Mode:

Administrator Console Settings
The ICAP mode should be used if this Web Filter is designated to function with an Internet Content Adaptation Protocol (ICAP) server to off-load specific content normally processed by the Web Filter, such as Internet filtering.

With an ICAP server, the Web Filter will not capture any network packets but will solely work with ICAP requests from an ICAP client (proxy server). When an end user makes a request for Internet content, this request is routed to the proxy server, which then submits the request to the ICAP server. The ICAP server sends back a response to the proxy server—which may send the request to the original Web Filter in some network setups, and then return a response to the proxy server. Based on the end user's filtering profile, the proxy server either fulfills the request or returns a block page.

Hardware Settings
A Web Filter set up in the ICAP mode can work in conjunction with another Web Filter set up in invisible, router, or firewall mode.

NOTE: When using the ICAP mode, the following items must be taken into consideration:

  • In order for Tier 3 authentication to work correctly with the ICAP mode, the virtual IP used for authentication has to be a real and available IP address.
  • The proxy server must be configured to not forward any traffic to the Web Filter's virtual IP (used for authentication) via ICAP, or else the Tier 3 applet will be blocked if the Web Filter is configured to block uncategorized sites.
  • Looping occurs in environments in which a Web Filter is filtering traffic from end users to an internal proxy.
    • To display block pages correctly and to prevent “looping,” the proxy server must be configured to not forward any traffic to the Web Filter via the ICAP server.
    • Also to prevent "looping," if a custom URL is being used for the X Strikes block page, the proxy must be configured to not forward any traffic to that custom URL.
  • In order for the authentication form to display correctly, the proxy server must be configured to accept the certificate coming from port 8081 of the Web Filter as being valid.
  • Since the authentication form is only accessible via HTTPS, the proxy server must be configured to give workstations access to HTTPS sites from the Web Filter.

Back



© Trustwave. All rights reserved.