ICAP Redirects for Logical Systems

ICAP is a lightweight protocol used to extend transparent proxy servers, thereby freeing up resources. For more information, see the following topics:

ICAP Redirect Support for Logical Systems

Starting in Junos OS Release 18.3R1, SRX Series Firewalls support the Internet Content Adaptation Protocol (ICAP) service redirect when the device is configured for logical systems.

An ICAP redirect profile can be attached only to a security policy that belongs to the same logical system. The profile is applied to the policy as an application service for the permitted traffic. The ICAP profile defines the settings under which the ICAP server processes request messages and response messages, and the fallback action to take on a timeout, a connectivity failure, too many requests, or any other error condition.

Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity, and relies on certificates and public-private key pairs for this level of security. SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server; neither the server nor the client can detect its presence.

The ICAP redirect service depends on SSL proxy to build secure connections to the ICAP server. Because SSL proxy is not supported on user logical systems in Junos OS Release 18.3R1, ICAP redirect in that release works with clear-text connections or with shared certificates.

The following sequences are involved in a typical ICAP redirect scenario:

  1. The user opens a connection to a website on the internet.

  2. The request goes through the SRX Series Firewall, which is acting as a proxy server.

  3. The SRX Series Firewall receives the message from the end host, encapsulates it, and forwards the encapsulated ICAP message to the third-party on-premises ICAP server.

  4. The ICAP server receives the ICAP request and analyzes it.

  5. If the request does not contain any confidential information, the ICAP server sends it back to the proxy server and directs the proxy server to send the HTTP request to the internet.

  6. If the request contains confidential information, you can choose the action to take (block, or permit and log) according to your requirements.

Limitations of SSL Proxy with Logical Systems

Following are the limitations for using ICAP redirect service for user logical systems:

  • SSL proxy is supported only on the primary logical system in Junos OS Release 18.3R1.

  • An SSL profile configured to provide a secure connection to the ICAP server is not supported on user logical systems in Junos OS Release 18.3R1.

Example: Configuring ICAP Redirect Service on SRX Series Firewalls

This example shows how to define an ICAP redirect profile for an SRX Series Firewall.

Requirements

This example uses the following hardware and software components:

  • SRX Series Firewall with Junos OS Release 18.3R1 or later. This configuration example was tested on Junos OS Release 18.3R1.

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you configure an ICAP redirect profile in a logical system and apply the profile as an application service in the security policy for the permitted traffic.

Table 1 lists the details of the parameters used in this example.

Table 1: ICAP Redirect Configuration Parameters

Parameter | Name | Description
Profile | icap-pf1 | The ICAP server profile that lets the ICAP server process request messages, response messages, fallback options, and so on, for the permitted traffic. This profile is applied as an application service in the security policy.
Server name | icap-svr1, icap-svr2 | The machine name of the remote ICAP host. The client's request is redirected to this ICAP server.
Server IP address | 192.0.2.2/24, 192.0.2.179/24 | The IP address of the remote ICAP host. The client's request is redirected to this ICAP server.
Logical system name | LSYS1 | The logical system to which the profile and the policy that references it belong.
Security policy | sp1 | The security policy that applies the SSL proxy profile and the ICAP redirect profile to the permitted traffic.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the ICAP redirect service:

  1. Configure the ICAP redirect profile for the first server (icap-svr1).

  2. Configure the ICAP redirect profile for the second server (icap-svr2).

  3. Configure the redirect request and the redirect response for the HTTP traffic.

  4. Configure a security policy to apply application services for the ICAP redirect to the permitted traffic.

  5. Configure zones.

  6. Configure interfaces.
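The following set commands are an added example that walks through the six steps above for logical system LSYS1; they are not the page's own quick configuration. The profile, server, policy and logical-system names and the server addresses come from Table 1; the ICAP port (1344, the IANA default), the REQMOD/RESPMOD URIs, the zone names, the interface names and their addresses are assumptions, and the statement names reflect my understanding of the Junos icap-redirect hierarchy and should be checked against the CLI reference for your release. Lines starting with # are annotations for the reader.

```junos
# Step 1: ICAP redirect profile icap-pf1, first server (clear-text ICAP; SSL
# proxy is not available in a user logical system on Junos OS 18.3R1).
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 host 192.0.2.2
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 port 1344
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 reqmod-uri /reqmod
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 respmod-uri /respmod
# Step 2: second server in the same profile.
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 host 192.0.2.179
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 port 1344
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 reqmod-uri /reqmod
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 respmod-uri /respmod
# Step 3: redirect both HTTP requests (REQMOD) and responses (RESPMOD).
set logical-systems LSYS1 services icap-redirect profile icap-pf1 http redirect-request
set logical-systems LSYS1 services icap-redirect profile icap-pf1 http redirect-response
# Fallback actions: fail closed when the ICAP server is unreachable or times out,
# so unscanned traffic is not silently forwarded; log-and-permit is the
# fail-open alternative (assumed values, chosen for this example).
set logical-systems LSYS1 services icap-redirect profile icap-pf1 fallback-options connectivity block
set logical-systems LSYS1 services icap-redirect profile icap-pf1 fallback-options timeout block
set logical-systems LSYS1 services icap-redirect profile icap-pf1 fallback-options too-many-requests log-and-permit
set logical-systems LSYS1 services icap-redirect profile icap-pf1 fallback-options default block
# Step 4: security policy sp1 in the same logical system attaches the profile
# to permitted HTTP traffic as an application service.
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sp1 match source-address any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sp1 match destination-address any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sp1 match application junos-http
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sp1 then permit application-services icap-redirect icap-pf1
# Step 5: zones (assumed names).
set logical-systems LSYS1 security zones security-zone trust interfaces ge-0/0/1.0
set logical-systems LSYS1 security zones security-zone untrust interfaces ge-0/0/2.0
# Step 6: interfaces (assumed names and addresses; ge-0/0/1.0 shares the ICAP
# servers' 192.0.2.0/24 network so the firewall can reach them).
set logical-systems LSYS1 interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set logical-systems LSYS1 interfaces ge-0/0/2 unit 0 family inet address 198.51.100.1/24
```

After committing, show logical-systems LSYS1 services icap-redirect should list both servers under icap-pf1, and show services icap-redirect status logical-system LSYS1 should report the service as Up once the servers are reachable.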

Results

From configuration mode, confirm your configuration by entering the show logical-systems LSYS1 services icap-redirect, show logical-systems LSYS1 security policies, show logical-systems LSYS1 security zones, and show logical-systems LSYS1 interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying ICAP Redirect Configuration

Purpose

Verify that the ICAP redirect service is configured on the device.

Action

From operational mode, enter the show services icap-redirect status logical-system and show services icap-redirect statistic logical-system commands.

Meaning

The status Up indicates that the ICAP redirect service is enabled. The Message Redirected and the Message Received fields show the number of HTTP requests that have passed through the ICAP channel.