Anyone successfully using icap-redirect?
I want to set up a transparent proxy for virus scanning http and https traffic. I have a virus scanner speaking ICAP. Juniper SRX345 (OS20.x) shall break up the ssl connections and send the traffic via ICAP to the virus scanner using Juniper's icap-redirect feature (see the Juniper documentation topic "ICAP Service Redirect").
Breaking up https traffic is working. I also see a connection between Juniper and ICAP Server (echo messages are exchanged).
However, no content is ever sent to the ICAP server. In my security policy I have a rule icap-redirect that fires (as I see with "show security flow session").
policy icap-pol {
    match {
        source-address cgw81;
        destination-address any;
        application [ junos-http junos-https ];
    }
    then {
        permit {
            application-services {
                ssl-proxy {
                    profile-name ssl-inspect-profile;
                }
                icap-redirect icap-pf1;
            }
        }
    }
}
and
profile icap-pf1 {
    server tmws-icap {
        host 10.194.0.52;
        reqmod-uri echo;
        respmod-uri echo;
        sockets 64;
        inactive: tls-profile icaps;
    }
    http {
        redirect-request;
        redirect-response;
    }
}
traceoptions {
    file icap.log;
    flag all;
}
ssl-proxy is working (I see the page certificate getting exchanged) but nothing is sent to the ICAP server besides the echo messages. So surfing to a site with eicar.com I can download the file and my local virus scanner fires instead of having it blocked beforehand. I'm monitoring with tcpdump and also logging on the ICAP server. Has anyone any idea?
Thx,
Carsten
------------------------------
CARSTEN GRAMMES
------------------------------
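Added example, not part of the original post and not Juniper's or the scanner vendor's code: a small Python parser for ICAP request heads (RFC 3507) that separates OPTIONS exchanges from REQMOD/RESPMOD requests carrying HTTP content, which is the check the symptom above calls for on the ICAP server side. It assumes the raw request heads have already been extracted from the server log or a capture; the sample messages and port 1344 are constructed, and only the host and the `echo` service name come from the posted profile.

```python
import re
from collections import Counter

# RFC 3507 request line: METHOD icap://host[:port]/service ICAP/1.0
REQ_LINE = re.compile(r"^(OPTIONS|REQMOD|RESPMOD) (icap://\S+) ICAP/1\.0$")

def parse_icap_head(raw: bytes) -> dict:
    """Parse one ICAP request head (request line plus headers, up to the blank line)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        raise ValueError(f"not an ICAP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Encapsulated lists the embedded HTTP sections with byte offsets,
    # e.g. "req-hdr=0, res-hdr=137, res-body=296" or "null-body=0".
    sections = {}
    for part in headers.get("encapsulated", "").split(","):
        key, sep, off = part.strip().partition("=")
        if sep:
            sections[key] = int(off)
    return {"method": m.group(1), "uri": m.group(2), "sections": sections}

def summarize(requests: list) -> dict:
    """Count methods and how many requests actually carry an HTTP body to scan."""
    parsed = [parse_icap_head(r) for r in requests]
    methods = Counter(p["method"] for p in parsed)
    with_body = sum(1 for p in parsed
                    if p["sections"].keys() & {"req-body", "res-body"})
    return {"methods": dict(methods), "with_body": with_body,
            "content_redirected": methods["REQMOD"] + methods["RESPMOD"] > 0}

# Constructed sample heads (not captured from the poster's network).
SAMPLE_OPTIONS_ONLY = [
    b"OPTIONS icap://10.194.0.52:1344/echo ICAP/1.0\r\nHost: 10.194.0.52\r\n\r\n",
] * 3
SAMPLE_WITH_CONTENT = SAMPLE_OPTIONS_ONLY + [
    b"REQMOD icap://10.194.0.52:1344/echo ICAP/1.0\r\nHost: 10.194.0.52\r\n"
    b"Encapsulated: req-hdr=0, null-body=75\r\n\r\n",
    b"RESPMOD icap://10.194.0.52:1344/echo ICAP/1.0\r\nHost: 10.194.0.52\r\n"
    b"Encapsulated: req-hdr=0, res-hdr=75, res-body=210\r\n\r\n",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_OPTIONS_ONLY))
    print(summarize(SAMPLE_WITH_CONTENT))
```

A summary with `content_redirected` false while the firewall policy is matching means the redirect is not being triggered on the firewall side, rather than the scanner dropping or ignoring content it received.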