See what features are supported in the different deployment modes of InterScan Web Security Virtual Appliance (IWSVA). Use this as a guide when deploying IWSVA to your gateway infrastructure.
Select your IWSVA version:
Refer to this table for the deployment modes, daemons involved, and supported features:
| Daemon | Mode | Support for HTTP | Support for FTP | Support for LDAP | Support for Intelli Tunnel | Protocol-based1 | # of Connections made |
|---|---|---|---|---|---|---|---|
| HTTP | Forward Proxy | Yes | Yes2 | Yes3 | Yes | Yes | +1 |
| ICAP | Yes | Yes4 | Yes5 | Yes6 | Yes | +2/4 | |
| FTP | FTP Proxy | No | Yes | No | No | Yes | +1 |
| HTTP + FTP | Bridge mode | Yes | Yes | No | Yes7 | No | +1 |
1 - Protocol-based; relies on the protocol (FTP/HTTP) and not on the packet type / port (TCP,Dst: 80).
2 - Supports FTP-over-HTTP.
3 - No support for Active Directory and NTLM authentication in Downstream Squid proxy mode.
4 - Supports native FTP and FTP-over-HTTP.
5 - No LDAP support if Request Modification Mode is not used.
6 - Only the Instant Messaging Protocols can be identified and blocked.
7 - Only the Authentication Connections requests can be identified and blocked.
- FTP-over-HTTP is not supported in ICAP mode when using Cisco CE.
- IWSVA does not support anti-pharming in Dependent mode (Forward Proxy).
Refer to this table for the deployment modes, daemons involved, and supported features:
| Daemon | Mode | Support for HTTP | Support for HTTPS Decryption | Support for FTP | Support for LDAP | Support for Intelli Tunnel | Protocol-based1 | # of Connections made |
|---|---|---|---|---|---|---|---|---|
| HTTP | Forward Proxy | Yes | Yes8 | Yes2 | Yes3 | Yes | Yes | +1 |
| ICAP | Yes | No | Yes4 | Yes5 | Yes6 | Yes | +2/4 | |
| FTP | FTP Proxy | No | No | Yes | No | No | Yes | +1 |
| HTTP + FTP | Bridge mode | Yes | Yes | Yes | No | Yes7 | No | +1 |
1 - Protocol-based; relies on the protocol (FTP/HTTP) and not on the packet type / port (TCP,Dst: 80).
2 - Supports FTP-over-HTTP.
3 - No support for Active Directory and NTLM authentication in Downstream Squid proxy mode.
4 - Supports native FTP and FTP-over-HTTP.
5 - No LDAP support if the Request Modification Mode is not used.
6 - Only the Instant Messaging Protocols can be identified and blocked.
7 - Only the Authentication Connections requests can be identified and blocked.
8 - Not supported on Simple Transparency Mode.
- FTP-over-HTTP is not supported in ICAP mode when using Cisco CE.
- IWSVA does not support anti-pharming in Dependent mode (Forward Proxy).
Refer to this table for the deployment modes, daemons involved, and supported features:
| Daemon | Mode | Support for HTTP | Support for HTTPS Decryption | Support for FTP | Support for LDAP | Support for Intelli Tunnel | Protocol-based10 | # of Connections made |
|---|---|---|---|---|---|---|---|---|
| HTTP | Forward Proxy | Yes1 | Yes2 | Yes3 | Yes5 | Yes | Yes | +1 |
| ICAP | Yes | No | Yes4 | Yes6 | Yes8 | Yes | +2/4 | |
| FTP | FTP Proxy | No | No | Yes | No | No | Yes | +1 |
| HTTP + FTP | Bridge mode | Yes | Yes | Yes | Yes7 | Yes9 | No | +1 |
| WCCP | Yes | Yes | Yes | Yes7 | Yes | No | +1 |
1 - IWSVA does not support anti-pharming in Dependent mode (Forward Proxy).
2 - Not supported on Simple Transparency Mode.
3 - Supports FTP-over-HTTP.
4 - Supports native FTP and FTP-over-HTTP. However, FTP-over-HTTP is not supported in ICAP mode when using Cisco CE.
5 - No support for Active Directory and NTLM authentication in Downstream Squid proxy mode.
6 - No LDAP support unless the Request Modification Mode is used.
7 - Only when WMI Windows Client or DC Agent Query is enabled (for HTTP only).
8 - Only the Instant Messaging Protocols can be identified and blocked.
9 - Only the Authentication Connections requests can be identified and blocked.
10 - Protocol-based; relies on the protocol (FTP/HTTP) and not on the packet type / port (TCP,Dst: 80).
Refer to this table for the deployment modes, daemons involved, and supported features:
| Daemon | HTTP | FTP | HTTP + FTP | |||
|---|---|---|---|---|---|---|
| Mode | Forward Proxy | Reverse Proxy | ICAP | FTP Proxy | Bridge Mode | WCCP |
| Support for HTTP | Yes2 | Yes | Yes | No | Yes | Yes |
| Support for HTTPS Decryption | Yes3 | No | No | No | Yes | Yes |
| Support for FTP | Yes4 | No | Yes7 | Yes | Yes | Yes |
| Support for LDAP | Yes5 | No | Yes8 | No | Yes9 | Yes9 |
| Support for HTTP Inspection | Yes | Yes6 | Yes9 | No | Yes10 | Yes |
| Support for Application Control | No | No | No | No | Yes | No |
| Protocol-Based1 | Yes | Yes | Yes | Yes | No | No |
| # of Connections Made | +1 | +1 | +2/4 | +1 | +1 | +1 |
1 - Protocol-based; relies on the protocol (FTP/HTTP) and not on the packet type /port (TCP, Dst: 80).
2 - In Dependent mode (Forward Proxy), IWSVA does not support anti-pharming.
3 - Not supported on Simple Transparency Mode.
4 - Supports FTP-over-HTTP.
5 - No support for Active Directory and NTLM authentication in Downstream Squid proxy mode.
6 - Disabling HTTP Inspection is recommended because it is not necessary for this type of deployment.
7 - Supports native FTP and FTP-over-HTTP. However, FTP-over-HTTP is not supported in ICAP mode when using Cisco CE.
8 - No LDAP support unless the Request Modification Mode is used.
9 - Only when WMI Windows Client or DC Agent Query is enabled (for HTTP only).
10 - Only the Authentication Connections requests can be identified and blocked.
Refer to this table for the deployment modes, daemons involved, and supported features:
| Daemon | HTTP | FTP | HTTP + FTP | |||
|---|---|---|---|---|---|---|
| Mode | Forward Proxy | Reverse Proxy | ICAP | FTP Proxy | Bridge Mode | WCCP |
| Support for HTTP | Yes2 | Yes | Yes | No | Yes | Yes |
| Support for HTTPS Decryption | Yes3 | No | No | No | Yes | Yes |
| Support for FTP | Yes4 | No | Yes7 | Yes | Yes | Yes |
| Support for LDAP | Yes5 | No | Yes8 | No | Yes | Yes |
| Support for HTTP Inspection | Yes | Yes6 | Yes | No | Yes9 | Yes |
| Support for Application Control | Yes | No | No | No | Yes | No |
| Protocol-Based1 | Yes | Yes | Yes | Yes | No | No |
| # of Connections Made | +1 | +1 | +2/4 | +1 | +1 | +1 |
| DLP | Yes | No | Yes | No | Yes | Yes |
| Botnet | Yes | No | No | No | Yes | Yes |
1 - Protocol-based; relies on the protocol (FTP/HTTP) and not on the packet type / port (TCP, Dst: 80).
2 - In Dependent mode (Forward Proxy), IWSVA does not support anti-pharming.
3 - Not supported on Simple Transparency Mode.
4 - Supports FTP-over-HTTP.
5 - No support for Active Directory and NTLM authentication in Downstream Squid proxy mode.
6 - Disabling HTTP Inspection is recommended because it is not necessary for this type of deployment.
7 - Supports native FTP and FTP-over-HTTP. However, FTP-over-HTTP is not supported in ICAP mode when using Cisco CE.
8 - No LDAP support unless the Request Modification Mode is used.
9 - Only the Authentication Connections requests can be identified and blocked.
