The following are well-known precautions and workarounds when using InterScan Web Security Virtual Appliance (IWSVA) in ICAP mode.
Web Reputation Service (WRS) is also implemented in ICAP mode to classify the destination URL.
You can set the HTTP proxy server used for the ICAP client as WRS's HTTP proxy. However, that would cause a slowdown when accessing web sites.
In ICAP mode, IWSVA does the WRS check and contacts the WRS server provided by Trend Micro every time the ICAP request is received. IWSVA enables the HTTP access for the WRS server to go through the HTTP proxy server you set in Update > Connection Settings.
When you set the HTTP proxy server used for the ICAP client as WRS's HTTP proxy and IWSVA receives an ICAP request, the ICAP request for the WRS query might also be received by the HTTP proxy.
Though the WRS check for the WRS server is skipped by the internal whitelist, the number of the ICAP request doubles and this might cause a slowdown in accessing web sites.
Workaround
-
Configure the HTTP proxy in order for the WRS server to bypass the ICAP filtering.
The FQDN of the WRS server is "iwsva65-en.url.trendmicro.com".
For more details, contact the support of the HTTP proxy.
-
Do not use the HTTP proxy for the WRS check.
You can change the setting in Update > Connection Settings.
Note: this is also used for pattern, engine and license updates.
- IWSVA provides "Scan before delivering" / "Deferred scanning" to address large-file scan lag.
- The settings are located on HTTP > Advanced Threat Protection > Policies > Virus/Malware Scan Rule > Large File Handling.
- In the case of ICAP mode, however, the HTTP proxy used for ICAP client must add a "X-TE: Trailers" ICAP header for those features to work as expected.
If the ICAP request does not have a "X-TE: Trailers" header, IWSVA will assume that the ICAP client does not support data trickling and does not use the features. Therefore, IWSVA will start to send the reply to the ICAP client after it completes the scan, which might cause a delay in downloading.
Workaround
To skip the "X-TE: Trailers" ICAP header check:
- Log on to IWSVA as root via SSH (for example with a SSH shell such as PuTTy).
-
Create a backup copy of /etc/iscan/IWSSPIProtocolIcap.pni:
# cp /etc/iscan/IWSSPIProtocolIcap.pni /etc/iscan/IWSSPIProtocolIcap.pni.bak
-
Use vi to edit the file /etc/iscan/IWSSPIProtocolIcap.pni.
# vi /etc/iscan/IWSSPIProtocolIcap.pni
-
Change the following value to "no".
-------------------------------- require_xte_for_early_response=no (default:yes) --------------------------------
- Save the file and quit.
-
Run the following commands to restart the HTTP scan service.
# /etc/iscan/S99ISproxy stop
# /etc/iscan/S99ISproxy start
In the case of ICAP mode, the maximum number of the concurrent ICAP request is distributed to REQMOD/RESPMOD according to the following ratio:
- Maximum number of REQMOD requests: 35% of the maximum concurrent requests.
- Maximum number of RESPMOD requests: 65% of the maximum concurrent requests.
Note: after the installation, IWSVA adjusts its own configuration to handle these ICAP client requests without any modification, so no action is needed.
