Product Documentation
ADC
Current Release 13.1 13.0 12.1
View PDF

ICAP for remote content inspection

March 16, 2021
反对tributed by:
S

The Internet Content Adaptation Protocol (ICAP) is a simple lightweight protocol for executing value-added transformation service on HTTP messages. In a typical scenario, an ICAP client forwards HTTP requests and responses to one or more ICAP servers for processing. The ICAP servers performs content transformation on the requests and sends back responses with appropriate action to take on the request or response.

ICAP on a Citrix ADC appliance

In a Citrix ADC setup, the appliance acts as an ICAP client interoperating with third-party ICAP servers such as antimalware and Data Leak Prevention (DLP). When the appliance receives an incoming web traffic, the appliance intercepts the traffic and uses a Content Inspection policy to evaluate if the HTTP request needs an ICAP processing. If yes, the appliance decrypts and sends the message as a plain text to the ICAP servers. The ICAP servers execute the content transformation service on the request message and sends back a response to the appliance. The adapted messages can either be an HTTP request or an HTTP response. If the appliance interoperates with multiple ICAP servers, the appliance performs load balancing of ICAP servers. This happens in scenarios where one ICAP server is not sufficient to handle all the traffic load. Once the ICAP servers return a modified message, the appliance forwards the modified message to the back-end origin server.

The Citrix ADC appliance also provides a secured ICAP service if the incoming traffic is an HTTPS type. The appliance uses a SSL based TCP service to establish a secured connection between the appliance and ICAP servers.

How ICAP request modification (REQMOD) works

In the request modification (REQMOD) mode, the Citrix ADC appliance forwards the HTTP request received from client to the ICAP server. The ICAP server then performs one of the following:

  1. Sends back a modified version of the request and the appliance in turn sends the modified request to the back-end origin server or it pipelines the modified request to another ICAP server.
  2. Responds with a message indicating no adaptation is required.
  3. Returns an error and the appliance in turn sends the error message back to the user.

How ICAP response modification (RESPMOD) works

In the response modification (RESPMOD) mode, the Citrix ADC appliance sends an HTTP response to the ICAP server (the response sent by the appliance is typically the response sent by the origin server). The ICAP server then performs one of the following:

  1. Sends back a modified version of the response and the appliance in turn sends the modified response to the user or pipeline the modified response to another ICAP server.
  2. Responds with a message indicating no adaptation is required.
  3. Returns an error and the appliance in turn sends the error message to the user.

ICAP license

The ICAP feature works on a Citrix ADC standalone or high availability setup with Citrix ADC Premium or Advanced license edition.

反对figure ICAP for content transformation service

To use ICAP for content transformation service, you must begin by enabling the Content inspection and load balancing features. Once you enable the features, you can complete the following tasks

To enable content inspection

If you want the Citrix ADC appliance to act as an ICAP client and send requests or responses to third-party ICAP server, you must first enable the Content Inspection and load balancing features.

At the command prompt, type:

enable ns feature contentInspection LoadBalancing

Add ICAP profile

ICAP configurations for a Citrix ADC appliance can be specified in an entity called ICAP profile. The profile has a collection of ICAP settings. The ICAP profile is then associated to content Inspection action that want to use the ICAP configurations.

At the command prompt, type:

add nsicapProfile  -uri  -Mode ( REQMOD | RESPMOD )

Example:

添加nsicapProfile icap_reqmod uri“名”mode REQMOD add nsicapProfile icap_respmod –uri “servicename” –mode RESPMOD add nsicapProfile icap_reqmod_query –uri “servicename?query=data” –mode REQMOD

Add ICAP service as a TCP or SSL_TCP service

After you enable the Content Inspection feature, you must add an ICAP service for the ICAP servers that will be part of the load balancing setup. The service that you add provides the ICAP connection between the Citrix ADC appliance and load balancing virtual servers.

Note: As an administrator, you can add an ICAP service and directly configure the ICAP server IP address in the Content Inspection action.

At the command prompt, type the following:

add service

Example:

add service icapsv1 10.102.29.200 TCP 80 –gslb NONE –maxclient 0 –maxReq 0 –cip DISABLED –usip NO –useproxport YES –sp ON –cltTimeout 9000 –svrTimeout 9000 –CKA NO –TCPB NO –CMP NO add service icapsv2 10.102.29.200 SSL_TCP 11344 –gslb NONE –maxclient 0 –maxReq 0 –cip DISABLED –usip NO –useproxport YES –sp ON –cltTimeout 9000 –svrTimeout 9000 –CKA NO –TCPB NO –CMP NO

Add a TCP or SSL_TCP based load balancing virtual server

After creating an ICAP service, you must create a virtual server to accept ICAP traffic and load balance the ICAP servers.

Note: You can also use a SSL based TCP service over a secured channel. To do this, you must use a SSL_TCP service and bind to the Content Inspection action.

At the command prompt, type the following:

add lb vserver

Example:

add lb vserver vicap TCP 0.0.0.0.0 –persistenceType NONE -cltTimeout 9000 add lb vserver vicap SSL_TCP 0.0.0.0 0 –persistenceType NONE -cltTimeout 9000

Bind ICAP service to the load balancing virtual server

After you create an ICAP service and virtual server, you must bind the ICAP service to the virtual server.

At the command prompt, type the following:

bind lb vserver

Example:

bind lb vserver vicap icapsv1

Add content inspection action

After you enable the Content Inspection feature, you must add an ICAP action for handling the ICAP request information. The ICAP profile and services, or load balancing virtual server that are created are bound to the ICAP action.

At the command prompt, type the following:

add contentInspection action  -type ICAP -serverName  -icapProfileName  **add ContentInspection action  -type ICAP -serverip  - serverport  -icapProfileName **

Note:

If you can configuring ICAP service instead of a load balancing virtual server, you can mention the service name in the <-serverip> option. When adding the Content Inspection action, the TCP service is automatically created for the given IP address with port 1344 and it is used for ICAP communication.

Example:

add ContentInspection action ci_act_lb -type ICAP -serverName vicap -icapProfileName icap_reqmod add ContentInspection action ci_act_svc -type ICAP -serverName icapsv1 -icapProfileName icap_reqmod add ContentInspection action ci_act_svc -type ICAP -serverip  - serverport  -icapProfileName icap_reqmod

Add content inspection policies

After you create a Content Inspection action, you must create content inspection policies to evaluate requests for ICAP processing and audit logging. The policy is based on a rule which consists of one or more expressions. The rule is associated to the content inspection action that is associated if a request matches the rule.

At the command prompt, type the following:

add contentInspection policy  -rule  -action

Example:

添加ContentInspection策略ci_pol_basic规则true –action ci_act_svc add ContentInspection policy ci_pol_HTTP –rule HTTP.REQ.URL.CONTAINS(“html”) –action ci_act_svc

Bind content inspection policies to the content switching or load balancing virtual server

To put an ICAP policy into effect, you must bind it globally or bind it to a Content Switching or load balancing virtual server, which frontend the application. When you bind the policy, you must assign a priority to it. The priority determines the order in which the policies you define are evaluated.

For information about configuring a load balancing setup for forwarding the traffic to back-end origin server after content transformation, seeLoad Balancing.

反对figure secured ICAP service

To establish a secured connection between the Citrix ADC appliance and the ICAP web servers, the appliance uses an SSL-based TCP service or load balancing virtual server bound to an ICAP action.

To establish a secured ICAP connection, complete the following tasks:

  1. Add SSL-based TCP service.
  2. Bind SSL-based TCP service to load balancing virtual server of type TCP or SSL_TCP.
  3. 结合基于ssl的TCP服务或负载平衡古董al server to Content Inspection action.

Add SSL-based TCP service to load balancing virtual server

To establish a secured connection between the Citrix ADC appliance and the ICAP web servers, the appliance uses an SSL-based TCP service or load balancing virtual server bound to an ICAP action.

To establish a secured ICAP connection, complete the following tasks:

  1. Add SSL-based TCP service.
  2. Bind SSL-based TCP service to load balancing virtual server of type TCP or SSL_TCP.

结合基于ssl的TCP服务或负载平衡古董al server to Content Inspection action

Add SSL-based TCP service to load balancing virtual server

After you enable the Content Inspection feature, you must add a secured ICAP service that will be part of the load balancing setup. The service that you add provides a secured ICAP connection between the Citrix ADC appliance and load balancing virtual servers.

At the command prompt, type the following:

add service

Example:

add service icapsv2 10.102.29.200 SSL_TCP 11344 –gslb NONE –maxclient 0 –maxReq 0 –cip DISABLED –usip NO –useproxport YES –sp ON –cltTimeout 9000 –svrTimeout 9000 –CKA NO –TCPB NO –CMP NO

Bind SSL-based TCP service to SSL_TCP or TCP load balancing virtual server

After you create a secured ICAP service, you must bind the service to the load balancing virtual server (if you are using a load balancing virtual server to load balance the ICAP servers).

At the command prompt, type the following:

bind lb vserver

Example:

bind lb vserver vicap icapsv2

结合基于ssl的TCP服务或负载平衡古董al server to the Content Inspection action

You must add an ICAP action for handling the ICAP request information and also bind the SSL-based TCP service to the action.

At the command prompt, type the following:

add contentInspection action  -type ICAP -serverName  -icapProfileName

Example:

add ContentInspection action ci_act_svc -type ICAP -serverName icapsv2 -icapProfileName icap_reqmod add ContentInspection action ci_act_svc -type ICAP -serverName vicap -icapProfileName icap_reqmod

反对figure ICAP protocol by using the GUI

  1. Navigate toLoad Balancing>Servicesand clickAdd.
  2. In theServicespage, enter the service details.
  3. Navigate toLoad Balancing>Servers. Add a virtual server of type TCP. Or, you can select a virtual server and clickEdit.
  4. After entering the server details, clickOKand againOK.
  5. In theAdvanced Settingssection, clickPolicies.
  6. Go thePoliciessection and click thePencilicon to configure Content Inspection policy.
  7. On theChoose Policypage, select反对tent Inspection. Click反对tinue.
  8. In thePolicy Bindingsection, click “+”to add a Content Inspection policy.
  9. In theCreate ICAP Policypage, enter a name for the policy.
  10. In theActionfield, click the “+” sign to add an ICAP action.
  11. In theCreate ICAP Actionpage, enter a name for the action.
  12. Enter a name for the action.
  13. In theServer Namefield, enter the name of the TCP service already created.
  14. InICAP Profilefield, click the “+” sign to add an ICAP profile.
  15. In theCreate ICAP Profilepage, enter a profile name, URI, and MODE.
  16. ClickCreate.
  17. In theCreate ICAP Actionpage, clickCreate.
  18. In theCreate ICAP Policypage, enter “true” in theExpression Editorand then clickCreate.
  19. ClickBind.
  20. When prompted to enable the Content Inspection feature, clickYes.
  21. ClickDone.

For information about the Citrix ADC GUI configuration for load balancing and forwarding the traffic to back-end origin server after content transformation, seeLoad Balancing.

反对figure secured ICAP protocol by using the GUI

  1. Navigate toLoad Balancing>Servicesand clickAdd.
  2. In theServicespage, enter the service details.
  3. Navigate toLoad Balancing>Servers. Add a virtual server of type TCP_SSL. Or, you can select a virtual server of type TCP_SSL and clickEdit.
  4. After entering the server details, clickOKand againOK.
  5. In theAdvanced Settingssection, clickPolicies.
  6. Go thePoliciessection and click thePencilicon to configure Content Inspection policy.
  7. On theChoose Policypage, select反对tent Inspection. Click反对tinue.
  8. In thePolicy Bindingsection, click “+”to add a Content Inspection policy.
  9. In theCreate ICAP Policypage, enter a name for the policy.
  10. In theActionfield, click the “+” sign to add an ICAP action.
  11. In theCreate ICAP Actionpage, enter a name for the action.
  12. Enter a name for the action.
  13. In theServer Namefield, enter the name of the TCP_SSL service already created.
  14. InICAP Profilefield, click the “+” sign to add an ICAP profile.
  15. In theCreate ICAP Profilepage, enter a profile name, URI, and MODE.
  16. ClickCreate.
  17. In theCreate ICAP Actionpage, clickCreate.
  18. In theCreate ICAP Policypage, enter “true” in theExpression Editorand then clickCreate.
  19. ClickBind.
  20. When prompted to enable the Content Inspection feature, clickYes.
  21. ClickDone.

Auditlog support for remote content inspection

If an incoming request or outgoing response is content inspected, the Citrix ADC appliance logs the ICAP details. The appliance stores the details as a log message in the ns.log file.

Each log message typically contains the following details:

<源IP > <目的地IP > <域> < ICAP服务器IP>

Example for content inspected request log message:

Apr 18 14:45:41  10.106.97.104 04/18/2018:14:45:41 GMT 0-PPE-0 : default CI ICAP_LOG 788 0 : Source 10.102.1.98:39048 - Destination 10.106.97.89:8011 - Domain 10.106.97.89 - Content-Type application/x-www-form-urlencoded - ICAP Server 10.106.97.99:1344 - Mode REQMOD - Service /example - Response 204 - Action FORWARD

Example for content inspected response log message:

Apr 18 12:34:08  10.106.97.104 04/18/2018:12:34:08 GMT 0-PPE-0 : default CI ICAP_LOG 71 0 : Source 10.106.97.105:18552 - Destination 10.106.97.99:80 - Domain NA - Content-Type NA - ICAP Server 10.106.97.99:1344 - Mode RESPMOD - Service /example - Response 400 - Action Internal Error
ICAP for remote content inspection
March 16, 2021
反对tributed by:
S
March 16, 2021
反对tributed by:
S

In this article

Site feedback | Privacy and legal terms | Cookie preferences | 反对sent settings | docs.cloud.com
© 1999-Cloud Software Group, Inc. All rights reserved.