Internet Content Adaptation Protocol (ICAP) is an open standard used to link devices with enterprise-grade virus scan engines, and filter content flowing through business dataflows. ICAP also facilitates content filtering applications.
Request Adapt profiles direct the BIG-IP system to send HTTP requests that require modification to a pool of ICAP servers and to load balance across those servers.
What is ICAP?
Internet Content Adaptation Protocol (ICAP) is an HTTP-like protocol used for transmitting messages or content from third-party services for transformation and return. ICAP extends security capabilities in file-based integration scenarios by connecting dataflows to antivirus scanning and quarantine apps or business content filtering and loss prevention use cases.
ICAP allows web servers and cache proxies to offload the processing of specific Internet-based content to dedicated ICAP servers, freeing up resources on their own web servers while standardizing how new features are implemented – for instance an ICAP server that specializes solely in language translation can often be more efficient than typical web servers that must also perform additional tasks such as security.
Traffic from a website visitor passes through the ICAP server, which either returns a customized response or rejects it with an error code. ICAP servers also offer mechanisms for monitoring and logging their activity.
To create an ICAP pool, navigate to Application > Pool Groups and create one specifically dedicated for ICAP. When finished, toggle Enabled off, type in a pool name, and create or retain its default value of 1344 in the URI field.
Enter or retain the default value of zero for Preview Length in the BIG-IP system configuration. This field specifies the length of the ICAP preview that the BIG-IP system sends when it passes a request or response to an ICAP server for adaptation.
ICAP servers use message serial numbers from request messages to generate response messages, writing the identical serial number back into the response if possible; otherwise they write their response number back into the respective request message instead. This eliminates disorder on TCP links caused by out-of-order transmission of request and response messages.
ICAP servers are required to implement the OPTIONS method, which typically returns service-specific options, although some servers may also return global options.
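As an added example (not from the original page or from any vendor's code), a health check can send OPTIONS and compare the reply with the client-side settings, including the Preview Length described above. The Python below parses a constructed OPTIONS response that uses RFC 3507 header names; the function names, service name and sample values are assumptions.

```python
# Constructed sample of an ICAP OPTIONS response (RFC 3507 header names);
# the service name and values are illustrative, not from a real server.
SAMPLE_OPTIONS = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD\r\n"
    b"Service: Example AV Scanner 1.0\r\n"
    b'ISTag: "sig-2024-01"\r\n'
    b"Encapsulated: null-body=0\r\n"
    b"Options-TTL: 3600\r\n"
    b"Allow: 204\r\n"
    b"Preview: 1024\r\n"
    b"\r\n"
)


def parse_options(raw: bytes) -> dict:
    """Split an ICAP response head into status code and lower-cased headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    version, code, _reason = lines[0].split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(code), "headers": headers}


def check_service(raw: bytes, method: str, client_preview: int) -> list:
    """Compare what the server advertises with the client-side configuration."""
    resp = parse_options(raw)
    hdrs = resp["headers"]
    findings = []
    if resp["status"] != 200:
        findings.append(f"OPTIONS returned {resp['status']}")
    offered = [m.strip() for m in hdrs.get("methods", "").split(",")]
    if method not in offered:
        findings.append(f"service does not offer {method}")
    if "istag" not in hdrs:
        findings.append("missing ISTag header")
    # A client must not send a larger preview than the server advertised.
    if client_preview > int(hdrs.get("preview", 0)):
        findings.append("client preview exceeds server Preview")
    return findings
```

An empty findings list means the advertised method and preview size match what the client is configured to use.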
How does ICAP work?
ICAP allows you to off-load Internet-based services from Web servers onto ICAP servers, freeing up resources and standardizing the implementation of new features. For instance, virus scanning could be offloaded to ICAP servers specifically tailored for this function, increasing throughput while decreasing server count requirements for that service.
NSX Advanced Load Balancer supports both ICAP client and server modes. In ICAP client mode, the TMWS on-premises gateway acts as an ICAP client: Web requests or responses are modified by an ICAP server and received back by the gateway before being sent out to clients. This approach helps reduce bandwidth and latency requirements on the TMWS on-premises gateway.
In ICAP server mode, the TMWS on-premises gateway acts as an ICAP server. It receives connections from ICAP v1.0-compliant cache servers or from third-party content filtering, human language translation or virus scanning appliances that implement ICAP (known as clients), makes the necessary modifications, and sends the results back out as final responses to clients.
This approach can reduce bandwidth and latency requirements on an on-premises gateway for serving Web requests and responses, as well as ensure valid responses are being served to clients by an application.
Utilizing ICAP can assist your organization with increasing security and compliance by blocking specific types of content. For instance, it could prevent employees from accessing websites containing malicious code or violating company policies as well as enforce content filters to prevent employees from visiting inappropriate websites or downloading files with harmful contents.
To configure an ICAP client or server, navigate to the Settings page and select the ICAP tab. Here you can configure how SSL Orchestrator interacts with ICAP servers and their clients, specify a maximum preview length for a Web session, and override this preview length using ICAP documentation as necessary. You can also set a service down action per device, which determines what happens if one fails: ignore (skip this device in the chain), reset, or drop the connection. All of these settings are on one page.
What is an ICAP server?
An ICAP server is a network device that offers added services such as virus scanning, content filtering, ad insertion, language translation or authentication for HTTP traffic from client devices. ICAP servers also perform data loss prevention by scanning outgoing web content for sensitive information such as credit card or social security numbers that might otherwise escape detection.
BIG-IP systems provide ICAP functionality by configuring an internal virtual server to route HTTP requests from load balancing servers through to ICAP servers for content adaptation and then directly back to web servers. This virtual server must refer to an ICAP profile, which specifies which content adaptation servers receive requests as well as their load balancing method and routing strategy.
In the ICAP Configuration area of SSL Orchestrator’s user interface, navigate to the Service Catalog, select an ICAP service, and press Add. Enter a name for this ICAP service in the Name field, then set an External IP Address and Listening Port or leave the default TCP monitors in the ICAP Device Settings area. Next, select one ICAP device and configure its entry point port, device name and the types of monitors it has, choosing which ones to use by clicking their respective check boxes if applicable.
Under Preview Size, choose either an optimal preview length of zero (default setting) or adjust its value using the slider bar. ICAP will use this information to decide whether or not encasing packet headers with bodies is required and then streaming those headers directly to the server for adaptation.
ICAP servers may use this preview data to decide what actions, if any, should be taken based on it. For instance, an ICAP server could choose to stream back a response or perform keyword searches in the body text of an email message.
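The preview exchange described above, as an added example that is not from the original page or any product's code: it builds a REQMOD message whose body is cut to the preview length, then the continuation sent after the server's reply, following RFC 3507 framing. The host name, service name, function names and the HTTP request are constructed assumptions.

```python
# Constructed sample: an HTTP upload the ICAP client wants checked.
HTTP_HEAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
)
HTTP_BODY = b"hello world"


def build_reqmod(host: str, service: str, http_head: bytes,
                 body: bytes, preview: int) -> bytes:
    """Build the first REQMOD message, carrying at most `preview` body bytes."""
    headers = [f"REQMOD icap://{host}/{service} ICAP/1.0", f"Host: {host}",
               "Allow: 204"]
    if body:
        shown = body[:preview]
        chunks = b"%x\r\n%s\r\n" % (len(shown), shown) if shown else b""
        # "ieof" marks a body that fit entirely inside the preview.
        chunks += b"0; ieof\r\n\r\n" if len(body) <= preview else b"0\r\n\r\n"
        headers += [f"Preview: {preview}",
                    f"Encapsulated: req-hdr=0, req-body={len(http_head)}"]
    else:  # no body, so there is nothing to preview
        chunks = b""
        headers.append(f"Encapsulated: req-hdr=0, null-body={len(http_head)}")
    icap_head = ("\r\n".join(headers) + "\r\n\r\n").encode("ascii")
    return icap_head + http_head + chunks


def after_preview(status: int, body: bytes, preview: int) -> bytes:
    """Bytes the client sends next, given the server's reply to the preview."""
    if status == 100:  # 100 Continue: server wants the rest of the body
        rest = body[preview:]
        if not rest:
            raise ValueError("100 Continue but the preview held the whole body")
        return b"%x\r\n%s\r\n0\r\n\r\n" % (len(rest), rest)
    if status in (200, 204):  # 200 = adapted message follows, 204 = unmodified
        return b""
    raise ValueError(f"unexpected ICAP status {status}")
```

With a preview length of zero the first message carries only the HTTP headers and a terminating zero-length chunk, so the server decides from headers alone whether it needs the body.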
As soon as an ICAP server becomes inaccessible, its monitor(s) should take appropriate action. Depending on its type and monitoring methods, this could involve using another monitor or simply bypassing it altogether. You can assign all ICAP servers within a pool with the same action or create one individually for each of them in a pool.
What is an ICAP pool?
An ICAP pool refers to a collection of ICAP servers which perform content adaptation or filtering before web servers can deliver their resultant content to clients. ICAP servers may perform virus scanning or ad blocking prior to delivering resources such as websites to clients.
ICAP was developed to offload these value-added services from Web servers and free up their resources for more critical tasks. Because ICAP servers focus on specific functions such as virus scanning or translation services, rather than performing all functions at once as traditional Web servers do, they can carry out those functions more efficiently than regular servers can.
BIG-IP systems feature an ICAP pool that you can configure for adapting HTTP requests and responses. To create one, on the Local Traffic tab select Virtual Servers > New to open the Virtual Server List screen, select the Type, type a name for the virtual server, and select either Request Adapt or RESPMOD from the ICAP Profile menu.
To choose your default pool, select it from the Default Pool list and then select a load balancing method from Load Balancing Method; Round Robin is usually selected. To configure health or performance monitors for ICAP server pools in BIG-IP systems, go to the Monitors menu and choose which type of monitor should be used when traffic is balanced across these ICAP server pools.
On the ICAP Servers menu, choose the name of a pool you previously created for ICAP content adaptation and, under Pool Members setting, select Less than. Under Available Members field, input minimum member availability in priority group(s), so as to guarantee this pool can handle any traffic it receives.
To configure how long virtual servers should wait for an ICAP server’s response, in the Preview Size menu select an integer value and make a selection from this menu’s Preview Size drop-down list – this represents how much time a virtual server may delay sending ICAP requests if an adaptation request does not need to be sent at this moment in time.