Configuring NSX Advanced Load Balancer for ICAP

NSX Advanced Load Balancer as an ICAP client supports the following:

• Preview functionality

• Streaming of payload

• Content rewrite

The following are the main configuration components for enabling ICAP for virtual service on an NSX Advanced Load Balancer:

• Configuring an ICAP pool group

• Configuring an ICAP profile (attached to the virtual service)

• Configuring an HTTP Policy for the virtual service with the action set as Enable ICAP

• Associating the ICAP profile to the virtual service

• Configuring HTTP security policy for ICAP

1. Configuring ICAP Pool Group

   Navigate to Application > Pool Group and create a pool group. Leave the field Fail Action under Pool Group Failure Settings blank.

   
   
   

2. Configuring ICAP Pool

   Navigate to create an ICAP pool. Configure the default port as 1344. Multiple Servers can be added as Pool members.

   
   
   

   1. Configuring ICAP Profile

      Refer to the following table for the various attributes used in the ICAP profile configuration:

      Configuration Item	Description	Example
      Name	Name of this profile	ICAP-APPX
      Cloud	Specifies which cloud object this is associated with	Default-Cloud
      Pool Group	Pool group of all ICAP server pools	ICAP-Pool-Group
      Vendor	Vendor specific configuration if a vendor is supported	OPSWAT Generic-ICAP
      Service URL	ICAP Server service URL	When using OPSWAT: /OMSScanReq-AV
      Request Buffer Size	Maximum buffer size for request body	Default: 51200 (50 MB)
      Enable ICAP Preview	Enable ICAP Preview functionality, where the ICAP server can make decisions by examining the preview size payload	Default: Enabled (Boolean)
      Preview Size	Payload size for ICAP preview	Default: 5000 (5 MB)
      Response Timeout	When this threshold is reached, the request will be handled as an error and the failure action will be executed	Default: 60000 (60 seconds)
      Slow Response warning Threshold	When this threshold is reached, the request will cause a significant log entry, but will still be served	Default: 10000 (10 seconds)

      Actions	Description	Example
      Failure Action	Handling of error with ICAP server. If failed closed, a 503 will be sent if an error is occurring.	Fail Closed/ Fail Open
      Large Upload Failure Action	Handling of size exceeded error. If fail closed, error 413 will be sent.	Fail Closed/ Fail Open

      Navigate to Virtual Service > Edit > ICAP Profile or Templates > Profiles > ICAP Profile to create an ICAP profile.

      
      
      

3. Navigate to the Application > Virtual Service, select the required virtual service, and select the ICAP profile (created in the previous step).

   
   
   

4. Creating HTTP Security Policy

   Create a security policy to define the rules based on which the ICAP scanning must be performed. Navigate to Application > Virtual Service, select the desired virtual service, and click Edit. Select Policies > HTTP Security, and create a new rule with the following options:

   • Select match criteria for the ICAP requests

   • Select Enable ICAP as the action

     
     
     
   Note:

   The rule name configured in this step will appear in the logs. Make it self-explanatory for ease of troubleshooting.

5. Save the virtual service configuration.

   With these steps, the ICAP configuration for the virtual service is complete. Incoming requests on the virtual service that match the rule or the match criteria of the HTTP security policy will use ICAP.

   NSX Advanced Load Balancer supports the following ICAP servers (Third-party AV-Malware/CDR vendors):

   • OPSWAT

   • MetaDefender ICAP Server (with MetaDefender Core)

   To set up an OPSWAT server for ICAP scanning, see OPSWAT documentation.

Limitations

The following are the limitations for ICAP support on NSX Advanced Load Balancer:

• ICAP is not supported for HTTP/2 virtual services.

• ICAP client does not work in the response context.