Cisco ACNS Software Caching and Streaming Configuration Guide, Release 5.1
Chapter 11: Configuring Content Service Protocols

Table Of Contents

Configuring Content Services Protocols

Overview of ICAP

About ICAP Services

About ICAP Services and Vector Points

ICAP Vendors Supported

Maximum File Size Supported

Sample Workflow of Configuring ICAP Services on a Content Engine

Configuring ICAP for a Locally Deployed Content Engine

Usage Guidelines

Configuring ICAP Settings for a Locally Deployed Content Engine

Configuring ICAP Services on a Locally Deployed Content Engine

Configuring an ICAP Server for a Locally Deployed Content Engine


Configuring Content Services Protocols


This chapter describes how to configure the Internet Content Adaptation Protocol (ICAP) on a locally deployed Content Engine. This chapter includes the following topics:

Overview of ICAP

Sample Workflow of Configuring ICAP Services on a Content Engine

Configuring ICAP for a Locally Deployed Content Engine


Note: For complete syntax and usage information for the CLI commands used in this chapter, refer to the Cisco ACNS Software Command Reference, Release 5.1.


Overview of ICAP

The Internet Content Adaptation Protocol (ICAP) is an open standards protocol for content adaptation, typically at the network edge. Content adaptation includes virus scanning, content translation, content filtering, content insertion, and other ways of improving the value of content to end users. ICAP specifies how a Content Engine, acting as an HTTP proxy server, can communicate with an external device that is acting as an ICAP server, which filters and adapts the requested content.

ICAP provides two content-processing modes for HTTP services. These modes define the transactions that can occur between a Content Engine acting as an ICAP client and an ICAP server. The two modes are:

Request modification (reqmod)—Allows modification of requests as they are sent from the Content Engine to the ICAP server on their way to the origin server. The ICAP server can modify these requests depending on the services requested.

Response modification (respmod)—Allows modification of requests after they return from the origin server. The ICAP server only acts on requested objects, after they return from the origin server.

About ICAP Services

An ICAP service is a collection of attributes that define the service and one or more ICAP servers that provide the ICAP services. You can configure a maximum of ten ICAP services per Content Engine, with an upper limit of five ICAP servers per ICAP service. Also, you can choose to apply ICAP services on all HTTP requests processed by the Content Engine or apply ICAP processing only to requests that match the Rules Template.


Tip: To select the type of load balancing to use among a cluster of ICAP servers, use the icap service load-balancing command.


About ICAP Services and Vector Points

The point at which ICAP services are applied to content is called the vector point, specified using the vector-point command. The following three vector points are supported:

Client request vector point (reqmod-postcache)—The ICAP server performs one of the following actions in response to the client request:

Terminates the connection

Sends a modified error response

Searches the cache using the URL in the request

Searches the cache using a modified URL

Modifies the request header or request body in the case of a cache miss

Cache miss vector point (reqmod-precache)—The ICAP server performs one of the following actions before forwarding the request to the origin server:

Terminates the connection

Sends a modified error response

Sends the request to the origin server using the original URL

Sends the request to the origin server using an alternative URL

Modifies the request header or request body

Server response vector point (respmod-precache)—The ICAP server performs one of the following actions after receiving the response from the origin server:

Returns the response to the client

Modifies the request header or request body

Caches the response using the original URL

Caches the response using an alternative URL


Note: Different ICAP services assigned to the same vector point can use different load-balancing options.


The following commands show a typical configuration for a virus-scanning service that requires processing on two vector points: reqmod-precache and respmod-precache:

ContentEngine(config)# icap apply all
ContentEngine(config)# icap service trend-reqmod
ContentEngine(config-icap-service)# enable
ContentEngine(config-icap-service)# vector-point reqmod-precache
ContentEngine(config-icap-service)# server icap://172.19.227.150/REQ-Service
ContentEngine(config-icap-service)# exit
ContentEngine(config)# icap service trend-respmod
ContentEngine(config-icap-service)# enable
ContentEngine(config-icap-service)# vector-point respmod-precache
ContentEngine(config-icap-service)# server icap://172.19.227.150/interscan
ContentEngine(config-icap-service)# exit

If an ICAP vendor supports the same service name for more than one vectoring point, you can configure a single service and add the supported vectoring points, as in the following example:

ContentEngine(config)# icap service myicap-service
ContentEngine(config-icap-service)# enable
ContentEngine(config-icap-service)# vector-point reqmod-precache
ContentEngine(config-icap-service)# vector-point respmod-precache
ContentEngine(config-icap-service)# server icap://172.19.227.150/icap-service-name
ContentEngine(config-icap-service)# exit 
ContentEngine(config)# 

ICAP Vendors Supported

The following is a complete list of the ICAP vendors that have been certified to interoperate with the Content Engine:

TrendMicro for reqmod and respmod

Symantec for respmod

Maximum File Size Supported

The maximum file size that is supported in the ACNS software in pass-through mode is 2 GB. Files that exceed this size limit are not supported for ICAP processing.

Sample Workflow of Configuring ICAP Services on a Content Engine

The following is a sample workflow of how to define and enable ICAP services on a locally deployed Content Engine:

1. Use the icap apply {all | rules-template} command to specify which ICAP services should be performed on which requests that are received by the Content Engine. For example:

Use the icap apply rules-template command to instruct the Content Engine to only run the ICAP services that match the rules action use-icap-service.

ContentEngine(config)# icap apply rules-template

Alternatively, you could use the icap apply all command to instruct the Content Engine to run all of the ICAP services on all of the HTTP requests that it receives.

2. Use the icap logging enable command to turn on the ICAP-related transaction logging, which is available in the local1/logs/icap/ directory.

ContentEngine(config)# icap logging enable

3. Use the icap service service-id command to configure and enable various ICAP services on this Content Engine.

ContentEngine(config)# icap service trend-reqmod
ContentEngine(config-icap-service)# enable
ContentEngine(config-icap-service)# vector-point reqmod-precache
ContentEngine(config-icap-service)# server icap://172.19.227.150/REQ-Service
ContentEngine(config-icap-service)# exit
ContentEngine(config)# icap service trend-respmod
ContentEngine(config-icap-service)# enable
ContentEngine(config-icap-service)# vector-point respmod-precache
ContentEngine(config-icap-service)# server icap://172.19.227.150/interscan
ContentEngine(config-icap-service)# exit

4. Use the rule commands to define the ICAP service rules for this Content Engine.

For instance, in the following example certain traffic (such as intranet domain traffic or other trusted traffic) is intentionally prevented from going through ICAP processing:

ContentEngine(config)# rule enable
ContentEngine(config)# rule action use-icap-service trend-reqmod pattern-list 1 protocol all
ContentEngine(config)# rule action use-icap-service trend-respmod pattern-list 1 protocol all
ContentEngine(config)# rule pattern-list 1 domain !(.*cisco\.com|.*datek\.com)
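
The pattern list above decides which traffic skips the ICAP services, so it is worth checking exactly which hostnames it matches. The following Python check is an added example, not part of the Cisco guide; it assumes the domain expression must match the whole hostname and that the leading ! negates it, and STRICT_EXPR and the hostnames are constructed for illustration.

```python
import re

# Expression copied from the rule pattern-list command above, without the leading "!".
BYPASS_EXPR = r".*cisco\.com|.*datek\.com"

# Hypothetical tightened form (Python regex syntax, not verified on a Content Engine):
# only the named domain and its subdomains are exempted.
STRICT_EXPR = r"(.*\.)?cisco\.com|(.*\.)?datek\.com"

def uses_icap(host, expr=BYPASS_EXPR):
    """Return True when requests for this host are sent to the ICAP services.

    Assumption: the expression is matched against the whole hostname and the
    "!" in the rule negates it, so hosts that match the expression are exempt.
    """
    return re.fullmatch(expr, host.lower()) is None

def audit(hosts, expr=BYPASS_EXPR):
    """Split hostnames into (scanned, bypassed) lists for review."""
    scanned = [h for h in hosts if uses_icap(h, expr)]
    bypassed = [h for h in hosts if not uses_icap(h, expr)]
    return scanned, bypassed

# Constructed hostnames for the check.
SAMPLE_HOSTS = [
    "www.cisco.com",
    "cisco.com",
    "intranet.datek.com",
    "www.example.org",
    "partnercisco.com",   # a different registered domain that ends in "cisco.com"
]

if __name__ == "__main__":
    for label, expr in (("as configured", BYPASS_EXPR), ("tightened", STRICT_EXPR)):
        scanned, bypassed = audit(SAMPLE_HOSTS, expr)
        print(f"{label}: scanned={scanned} bypassed={bypassed}")
```

Under these assumptions the configured expression also exempts any hostname that merely ends in cisco.com or datek.com, which is wider than the intranet domains the example intends to exclude from ICAP processing.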


Tip: By default, requests from streaming-media clients are bypassed for ICAP processing. You can, however, use the icap bypass streaming-media command to turn on the bypass feature for streaming media if necessary.



Note: For more information about defining the Rules Template, see "Configuring the Rules Template." For more information about ICAP services, see the "About ICAP Services and Vector Points" section.


Configuring ICAP for a Locally Deployed Content Engine

This section describes how to configure ICAP for a locally deployed Content Engine.

Usage Guidelines

To configure ICAP on a locally deployed Content Engine, you must use the CLI to complete the following tasks:

1. Configure ICAP settings on the Content Engine.

For more information on this topic, see the "Configuring ICAP Settings for a Locally Deployed Content Engine" section.

2. Configure ICAP services on the Content Engine.

To configure ICAP services, use the icap service global configuration command, as described in the "Configuring ICAP Services on a Locally Deployed Content Engine" section.

3. Configure an ICAP server for the Content Engine.

For more information on this topic, see the "Configuring an ICAP Server for a Locally Deployed Content Engine" section.

Configuring ICAP Settings for a Locally Deployed Content Engine

The CLI must be used to configure ICAP settings on a locally deployed Content Engine. (The Content Engine GUI does not currently support the configuration of ICAP settings.)

Use the following guidelines when using the icap command to set ICAP parameters on a locally deployed Content Engine.

Use the icap service service-id command to enter ICAP configuration mode and to configure a specific ICAP service.

Replace service-id with a name of your choice for the current ICAP service. When you enter the icap service command and provide a name for the ICAP service, the system displays the ICAP service configuration prompt:

ContentEngine(config-icap-service)#

Within ICAP service configuration mode, all commands that you enter apply to the current ICAP service.

Use the icap append-x-headers command to specify the ICAP extension headers that are passed to the ICAP server during the session negotiation between the Content Engine and the ICAP server.

Requests from streaming-media clients are by default bypassed for ICAP processing.

Use the icap bypass streaming-media command to force strict rechecking of the cached content every time the ISTAG changes. The ISTAG is a field in the HTTP response header that allows ICAP servers to send a service-specific cookie to an ICAP client, representing the current state of the service. The ISTAG may change as a result of an update to the server version, to a virus-pattern-file, or to the policy.

Use the icap logging {enable | format [custom word | standard]} command to configure and enable transaction logging for ICAP exchanges between ICAP servers and the locally deployed Content Engine. Specify the format in which the transaction log must be created.

If you wish to create transaction logs in ICAP's standard logging format, choose standard.

Choose custom if you wish to log additional fields not included in the standard format.


Note: Customized format for transaction logging is not supported in ACNS software 5.1. Only standard transaction log format is available for ICAP services configured on a Content Engine.


Table 11-1 describes the icap command parameters for configuring ICAP settings on a locally deployed Content Engine.

Table 11-1 Parameters for icap Command

Parameter           Description
append-x-headers    Appends x-headers during ICAP protocol handshake.
x-client-ip         Appends x-client-IP headers.
x-server-ip         Appends x-server-IP headers.
apply               Enables ICAP processing for HTTP requests.
all                 Enables ICAP processing for all HTTP requests.
rules-template      Enables ICAP processing for HTTP requests that match the Rules Template using the rule action use-icap-service global configuration command.
bypass              Enables bypassing of certain requested content.
streaming-media     Enables bypassing of streaming media.
logging             Specifies logging-related options when ICAP services are used.
enable              Enables logging when ICAP services are used.
format              Specifies format of the logging option chosen.
custom              Specifies a customized format for logging.
word                Specifies the word used to identify the customized logging.
standard            Specifies the standard format for logging.


Configuring ICAP Services on a Locally Deployed Content Engine

In ACNS 5.1 software, three vector points are supported to enable content adaptation, as described earlier in the "About ICAP Services and Vector Points" section.

ICAP servers configured at various vector points may become overloaded with HTTP requests, especially the request modification precache vector points because all requests pass through this point. Therefore, a cluster of ICAP servers (a load-balanced collection of ICAP servers) is made available for configuration. At a particular vectoring point, you can choose to load balance requests among the ICAP cluster of servers based on various parameters such as weighted load, client IP and server IP address-based hash, or round-robin format.

More than one ICAP service can be associated with a vectoring point. An ICAP service configured at a vector point can have only one load-balancing scheme, irrespective of the number of servers. However, multiple ICAP services configured at one or all of the vector points can have different load-balancing schemes.


Tip: If the Aggregate Settings radio button is selected in the ICAP Services for Content Engine window, the ICAP services that have been previously configured for device groups to which the Content Engine belongs cannot be modified or deleted. In other words, you can only view the ICAP services created for the device groups.


Use the icap service global configuration command to configure ICAP services for a locally deployed Content Engine, as follows:

icap service service-id {enable | error-handling [bypass | return-error] | load-balancing [client-ip-hash | round-robin | server-ip-hash | weighted-load] | server url [max-connections connection-number [weight percentage] | weight percentage [max-connections connection-number]] | vector-point [reqmod-postcache | reqmod-precache | respmod-precache] order order-number}

Table 11-2 describes the icap service command parameters for configuring an ICAP service on a locally deployed Content Engine.

Table 11-2 Parameters for the icap service Command

Parameter           Description
service-id          Specifies a name of your choice for the current ICAP service.
enable              Enables ICAP services.
error-handling      Specifies error-handling options when an ICAP service is used.
bypass              Bypasses this service when an error occurs with this service.
return-error        Returns an error message to the client and ends the request.
load-balancing      Specifies a load-balancing option for this service. See Table 11-3 for a list of these load-balancing options.
client-ip-hash      Allows for load-balancing among ICAP servers using the client IP address.
round-robin         Allows for round-robin load balancing among ICAP servers.
server-ip-hash      Allows for load balancing using the ICAP server IP address.
weighted-load       Allows for load balancing using a weight scheme that specifies weight on a server basis.


Table 11-3 describes the icap service load-balancing options.

Table 11-3 icap service Load-Balancing Options

Load-Balancing Type   Description
Client IP hash        Uses a hash-based algorithm based on the client IP address for load balancing the ICAP servers in the cluster.
Round-robin           Uses the round-robin method in which ICAP servers take turns processing HTTP requests.
Server IP hash        Uses a hash-based algorithm based on the server IP address for load balancing among the ICAP servers in the cluster.
Weighted              Uses a farm of ICAP servers with different load capacities.


Configuring an ICAP Server for a Locally Deployed Content Engine

ICAP servers process HTTP requests from clients based on the ICAP services configured at various vector points. ICAP servers perform content adaptation such as request or response modification and filtering of requests or responses at the configured vector points while processing HTTP requests.

You can configure the maximum number of connections and the weight that can be handled by an ICAP server in a cluster of servers. The weight parameter represents the percentage of load that can be redirected to the ICAP server. An ICAP server with a weight of 40 denotes that this server handles 40 percent of the load. If the total weight of all ICAP servers in a load-balanced cluster exceeds 100, the percentage of load for each ICAP server is recalculated as a percentage measure represented by the weight parameters.

To configure an ICAP server for a configured ICAP service on a locally deployed Content Engine, use the icap service server global configuration command, as follows:

icap service service-id {server url [max-connections connection-number [weight percentage] | weight percentage [max-connections connection-number]] | vector-point [reqmod-postcache | reqmod-precache | respmod-precache] order order-number}

Table 11-4 describes the icap service server command parameters for configuring an ICAP server for a locally deployed Content Engine.

Table 11-4 Parameters for the icap service server Command

Parameter           Description
server              Enables the ICAP server to be used for ICAP services using a URL format.
url                 Specifies the URL based on the format icap://ICAPserverIPaddress/servicename.
max-connections     Specifies the maximum number of connections to a particular ICAP server.
connection-number   Maximum number of connections. (The maximum is 5000.)
weight              (Optional) Sets weight percentage for load balancing if the weighted-load load-balancing scheme is used.
percentage          Percentage of the load that can be redirected to this ICAP server (0-100). This parameter must not be defined if you chose the weighted-load load-balancing scheme.
vector-point        Specifies vectoring point or content-processing mode to be used for the specified ICAP service.
reqmod-postcache    Allows modification of requests sent by the ICAP server and cached by the Content Engine.
reqmod-precache     Allows modification of requests as they are sent from the Content Engine to the ICAP server on their way to the origin server.
respmod-precache    Allows modification of requests after they return from the origin server.
order               Specifies the order for the content-processing mode used.
order-number        Order in which the content-processing mode handles requests to the Content Engine.
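
The limits stated in this chapter (ten services per Content Engine, five servers per service, 5000 connections, weights of 0-100, the icap:// URL format, three vector points) can be checked before a configuration is pasted into the CLI. The following Python check is an added example, not Cisco code; the function names and the sample configuration are constructed, and load_shares assumes that weights totalling more than 100 are rescaled proportionally.

```python
import re

VECTOR_POINTS = {"reqmod-postcache", "reqmod-precache", "respmod-precache"}
PROMPT = re.compile(r"^\S+#\s*")  # strips "ContentEngine(config-icap-service)# "
SERVER_URL = re.compile(r"^icap://[^/\s]+/\S+$")  # icap://ICAPserverIPaddress/servicename

def audit_icap_config(text):
    """Check pasted 'icap service' commands against the limits stated in this chapter."""
    services, findings, name = {}, [], None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:2] == ["icap", "service"] and len(words) > 2:
            name = words[2]
            services.setdefault(name, {})
        elif not words or name is None:
            continue
        elif words[0] == "exit":
            name = None
        elif words[0] == "server" and len(words) > 1:
            opts = dict(zip(words[2::2], words[3::2]))
            if not SERVER_URL.match(words[1]):
                findings.append(f"{name}: malformed server URL {words[1]}")
            if int(opts.get("max-connections", 0)) > 5000:
                findings.append(f"{name}: max-connections above 5000")
            weight = int(opts.get("weight", 0))
            if not 0 <= weight <= 100:
                findings.append(f"{name}: weight {weight} outside 0-100")
            services[name][words[1]] = weight
        elif words[0] == "vector-point" and words[1:] and words[1] not in VECTOR_POINTS:
            findings.append(f"{name}: unknown vector point {words[1]}")
        elif words[:2] == ["error-handling", "bypass"]:
            findings.append(f"{name}: skipped on error, content passes unprocessed")
    if len(services) > 10:
        findings.append("more than ten ICAP services configured")
    findings += [f"{s}: more than five ICAP servers" for s, v in services.items() if len(v) > 5]
    return findings, services

def load_shares(weights):
    """Percent of load per server, rescaled when the weights total more than 100
    (assumed to be proportional rescaling)."""
    total = sum(weights.values())
    scale = 100 / total if total > 100 else 1
    return {url: round(w * scale, 1) for url, w in weights.items()}

# Constructed sample: prompts follow the chapter's examples, addresses are documentation ranges.
SAMPLE = """\
ContentEngine(config)# icap service trend-respmod
ContentEngine(config-icap-service)# vector-point respmod-precache
ContentEngine(config-icap-service)# error-handling bypass
ContentEngine(config-icap-service)# server icap://192.0.2.10/interscan max-connections 6000 weight 90
ContentEngine(config-icap-service)# server icap://192.0.2.11/interscan weight 60
ContentEngine(config-icap-service)# server icap//192.0.2.12/interscan
ContentEngine(config-icap-service)# exit
"""
```

The error-handling bypass finding is listed for review rather than as an error: for a virus-scanning service it means content is delivered without adaptation while the ICAP service is failing, whereas return-error ends the request instead.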

