Configuring the proxy to communicate with ICAP Service

Before you begin

Applies to:
  • Forcepoint URL Filtering, v8.5.x

The precise steps required to configure the third-party proxy to communicate with ICAP Service vary from product to product.

For Blue Coat SG Series appliances running SGOS 6.2 or later:

Steps

  1. Log on to the Management Console and go to Configuration > External Services > ICAP.
  2. Create an ICAP Service with a name like “ForcepointICAP.”
  3. Enter the Service URL in the following format:

    icap://<ICAP_server_address>/<service_name>

    For example:

    icap://10.100.57.120/icap

    See Configuring ICAP Service for more information about setting or determining the service name.

  4. Under ICAP Service Ports, verify that This service supports plain ICAP connections is selected, and that the Plain ICAP port value is set to 1344 (default).
    See Configuring ICAP Service for information about changing the ICAP port.
  5. Under ICAP v1.0 Options, click Sense settings to request settings from ICAP Service.
    • When the settings are retrieved, the Client address, Server address, and Authenticated user boxes should be marked, and “WEBSENSE” should appear as the ICAP server tag.
    • If you do not want the proxy to authenticate users and pass user name information to your web protection software as part of the ICAP request, deselect the Authenticated user check box.
  6. Click OK to close the Edit window.
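To confirm from an administration host that the service answers on the plain ICAP port and returns the server tag named in step 5, the following sends a standard ICAP OPTIONS request (RFC 3507) and checks the reply. It is an added example, not Forcepoint or Blue Coat code. The function names are hypothetical, and `SAMPLE_RESPONSE` is a constructed reply, not captured output from the product.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_ICAP_PORT = 1344  # plain ICAP default from step 4
# Constructed sample reply (assumption), used to exercise the parser offline.
SAMPLE_RESPONSE = (b'ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n'
                   b'ISTag: "WEBSENSE"\r\nEncapsulated: null-body=0\r\n\r\n')

def build_options_request(service_url):
    """Return (host, port, request_bytes) for an ICAP OPTIONS query."""
    parts = urlsplit(service_url)
    if parts.scheme != "icap" or not parts.hostname:
        raise ValueError("expected icap://<ICAP_server_address>/<service_name>")
    request = (f"OPTIONS {service_url} ICAP/1.0\r\n"
               f"Host: {parts.hostname}\r\n"
               "Encapsulated: null-body=0\r\n\r\n")
    return parts.hostname, parts.port or DEFAULT_ICAP_PORT, request.encode("ascii")

def parse_options_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in header_lines) if sep}
    return int(fields[1]), headers

def check_service(code, headers, expected_tag="WEBSENSE"):
    """Return a list of problems; an empty list means the reply looks right."""
    problems = [] if code == 200 else [f"unexpected ICAP status {code}"]
    tag = headers.get("istag", "").strip('"')  # ISTag is a quoted string
    if tag != expected_tag:
        problems.append(f"ISTag is {tag!r}, expected {expected_tag!r}")
    return problems

def probe(service_url, timeout=5.0):
    """Query a live service and return check_service() findings."""
    host, port, request = build_options_request(service_url)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:  # read until the header block ends
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return check_service(*parse_options_response(raw))
```

Calling `probe("icap://10.100.57.120/icap")` with the Service URL entered in step 3 returns an empty list when the service is reachable and reports the expected tag.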

Next steps

Additional configuration steps include:
  • Configure a Web Access Layer rule to pass all traffic from any source to any destination to the ICAP server configured above, and specify whether the proxy should fail open (permit all traffic) or fail closed (block all traffic) when the ICAP server is not available.
  • Configure a Web Access Layer rule to allow all traffic to the IP address of the Filtering Service machine. This allows client browsers to receive block pages.
  • If you want the proxy to authenticate users and pass user name information to your web protection software, configure an authentication rule to authenticate users against a supported directory service.

    Note that if you are using Active Directory for user authentication, and use a hostname to identify the Active Directory server, make sure that the hostname resolves to the same IP address for both the third-party proxy and the Forcepoint Security Manager.

    Also, if Active Directory is identified by hostname in the proxy, the hostname is what appears in log records, even if Active Directory is identified by IP address in the Forcepoint Security Manager.

  • Optionally configure HealthCheck for the external ICAP server. This causes the Blue Coat appliance to periodically send a URL filter request to the ICAP Service to ensure that it is still running and responding correctly.