SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  icap-redirect - nothing gets inspected

    Posted 11-25-2022 10:00
    Anyone successfully using icap-redirect?

    I want to set up a transparent proxy for virus scanning http and https traffic. I have a virus scanner speaking ICAP. Juniper SRX345 (OS20.x) shall break up the ssl connections and send the traffic via ICAP to the virus scanner using Juniper's icap-redirect feature (see ICAP Service Redirect).

    Breaking up https traffic is working. I also see a connection between Juniper and ICAP Server (echo messages are exchanged).

    However, no content is ever sent to the ICAP server. In my security policy I have an icap-redirect rule that fires (as I see with "show security flow session").

    policy icap-pol {
        match {
            source-address cgw81;
            destination-address any;
            application [ junos-http junos-https ];
        }
        then {
            permit {
                application-services {
                    ssl-proxy {
                        profile-name ssl-inspect-profile;
                    }
                    icap-redirect icap-pf1;
                }
            }
        }
    }

    and

    profile icap-pf1 {
        server tmws-icap {
            host 10.194.0.52;
            reqmod-uri echo;
            respmod-uri echo;
            sockets 64;
            inactive: tls-profile icaps;
        }
        http {
            redirect-request;
            redirect-response;
        }
    }
    traceoptions {
        file icap.log;
        flag all;
    }

    ssl-proxy is working (I see the page certificate getting exchanged) but nothing is sent to the ICAP server besides the echo messages. So surfing to a site with eicar.com I can download the file and my local virus scanner fires instead of having it blocked beforehand. I'm monitoring with tcpdump and also logging on the ICAP server. Has anyone any idea?

    Thx,
    Carsten



    ------------------------------
    CARSTEN GRAMMES
    ------------------------------



  • 2.  RE: icap-redirect - nothing gets inspected

    Posted 11-28-2022 10:43
    Problem is solved. Turned out that the ICAP Server did not accept redirect-request.

    ------------------------------
    CARSTEN GRAMMES
    ------------------------------
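
Added example, not part of the thread: a way to check up front which modification methods an ICAP service advertises, by parsing the `Methods` header of its OPTIONS reply (RFC 3507). The sample reply is constructed, and the mapping of `redirect-request`/`redirect-response` to REQMOD/RESPMOD is an assumption drawn from the option names in the profile above.

```python
import socket

ICAP_PORT = 1344  # default ICAP port (RFC 3507)
# Assumed mapping: Junos "http" statement -> ICAP method it depends on.
JUNOS_TO_ICAP = {"redirect-request": "REQMOD", "redirect-response": "RESPMOD"}
# Constructed sample reply from a service that only offers RESPMOD.
SAMPLE = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\n"
          b'ISTag: "constructed-1"\r\nEncapsulated: null-body=0\r\n\r\n')

def build_options(host, service, port=ICAP_PORT):
    """Build an OPTIONS request for icap://host:port/service."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")

def parse_options(raw):
    """Return (status code, set of advertised methods) from an OPTIONS reply."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    methods = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "methods":
            methods |= {m.strip().upper() for m in value.split(",") if m.strip()}
    return int(parts[1]), methods

def unsupported_statements(raw, configured):
    """List configured Junos statements whose ICAP method the service lacks."""
    status, methods = parse_options(raw)
    if status != 200:  # service URI unknown or refused: nothing is usable
        return sorted(configured)
    return sorted(s for s in configured if JUNOS_TO_ICAP[s] not in methods)

def probe(host, service, port=ICAP_PORT, timeout=5):
    """Send OPTIONS to a live ICAP server and return the raw reply header."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options(host, service, port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf

if __name__ == "__main__":
    # Offline run on the sample; use probe("<icap-server>", "<service>") live.
    print(unsupported_statements(SAMPLE, ["redirect-request", "redirect-response"]))
```

Feeding the output of `probe()` for each configured URI into `unsupported_statements()` shows which `http` statements in the profile the service will not serve.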



  • 3.  RE: icap-redirect - nothing gets inspected

    This message was posted by a user wishing to remain anonymous
    Posted 11-29-2022 10:56

    Would you mind posting the ICAP server software you are using?