About This Guide
This guide is intended to provide the information you need to:
Learn about new features, updated features, and bug fixes on each MetaDefender ICAP Server release (i.e. each product version's release notes).
Learn about frequently asked questions and additional concepts through our library of knowledge base articles.
While we offer the option to download this guide to a PDF file, it is optimized for online browser viewing. OPSWAT updates the online version of the guide regularly on an "as needed" basis. By viewing the document online, you are assured that you are always seeing the most recent and most comprehensive version of the guide.
About MetaDefender ICAP Server
The MetaDefender ICAP Server product is designed to enable scanning the contents of HTTP traffic –that enter or leave an internal network– for advanced threats.
MetaDefender ICAP Server provides ICAP interface between MetaDefender Core and ICAP clients (mainly Proxies: Web or Reverse Proxy Servers). Any content routed through the ICAP interface will be scanned with the same anti-malware engines and policies as files scanned through any other MetaDefender Core interface. Scan results can be cached by MetaDefender Core and/or by the Proxy, which can significantly improve scanning throughput and lower traffic load.
Scanning with a MetaDefender ICAP Server also allows logging files entering the network. This log information may be used later as evidence during the investigation of security incidents.
The Internet Content Adaption Protocol (ICAP) is, in essence, a lightweight protocol for executing a "remote procedure call" on HTTP messages. It allows ICAP clients to pass HTTP messages to ICAP servers for some sort of transformation or other processing ("adaptation"). The server executes its transformation service on messages and sends back responses to the client, usually with modified messages. Typically, the adapted messages are either HTTP requests or HTTP responses. [IETF]
ICAP is a lightweight HTTP-like protocol specified in RFC 3507 which is used to extend transparent proxy servers, thereby freeing up resources and standardizing the way in which new features are implemented. ICAP is generally used to implement virus scanning and content filters in transparent HTTP proxy caches. Content adaptation refers to performing the particular value added service (content manipulation) for the associated client request/response. [WIKI]
ICAP concentrates on leveraging edge-based devices (caching proxies) to help deliver value-added services. At the core of this process is a cache that will proxy all client transactions and will process them through ICAP web servers. These ICAP servers are focused on a specific function, for example malware scanning. Off-loading value-added services from web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks. [WIKI]
MetaDefender ICAP Server
MetaDefender ICAP Server provides ICAP interface on top of MetaDefender Core.
When a user uploads data over HTTP (for example with a PUT or POST request), the contents of the request are forwarded to MetaDefender Core by MetaDefender ICAP Server for scanning. When a user downloads data from an external server (for example wit a GET request), the contents of the reply are also forwarded for scanning, before being sent to the user’s computer. HTTP requests and responses are always redirected to the MetaDefender ICAP server, independently from the HTTP method.
Based on the scan results MetaDefender ICAP Server may either accept or reject the request:
If attached data is clean, then MetaDefender ICAP Server accepts the traffic and returns HTTP contents that can be forwarded normally by the Proxy. Based on the configuration of MetaDefender Core, clean files can be sanitized, so the contents of a clean file may still be modified.
If attached data is identified as a threat, then MetaDefender ICAP Server rejects the traffic and modifies the HTTP request or reply accordingly (e.g., a custom HTML message): the original, malicious content won't reach its intended destination.
Web Gateway or NGFW Integration
MetaDefender ICAP Server allows system administrators to easily integrate MetaDefender Core's multi-scanning technology into an existing web gateway or new-generation firewall to enable anti-malware scanning of all HTTP downloads and uploads. Any web gateway or new-generation firewall that implements ICAP –such as Fortinet FortiGate – can be set up to automatically forward HTTP requests to MetaDefender ICAP Server.
Web Proxy Integration
MetaDefender ICAP Server allows system administrators to easily integrate MetaDefender Core's multi-scanning technology into an existing web proxy to enable anti-malware scanning of all HTTP downloads and uploads.
Any proxy that implements ICAP –such as
Blue Coat® ProxySG
or Squid– can be set up to automatically forward HTTP requests to MetaDefender ICAP Server.
Reverse Proxy Integration
MetaDefender ICAP Server allows system administrators to easily integrate MetaDefender Core's multi-scanning technology into an existing reverse proxy to enable anti-malware scanning of all HTTP file uploads. Any reverse proxy that implements ICAP –such as F5® BIG-IP® Load Traffic Manager™ (LTM®)– can be set up to automatically forward any uploaded files to MetaDefender ICAP Server.
For comments and questions regarding this document, please contact OPSWAT on the Support tab at https://portal.opswat.com/.