Kaspersky Anti Targeted Attack Platform

Configuring integration with a proxy server via ICAP

Integration with a proxy server over ICAP with feedback allows you to prevent malicious objects from entering the corporate LAN and prevent users of the host from visiting malicious or phishing websites. Kaspersky Anti Targeted Attack Platform acts as an ICAP server, and your proxy server acts as an ICAP client. The proxy server sends ICAP requests to the ICAP server. The ICAP server runs a scan and returns the result to the proxy server. If any threats are detected, a notification HTML page is displayed to the user on the host.

In this section:

Enabling and disabling integration with a proxy server via ICAP

Enabling or disabling real-time scanning of ICAP traffic

Configuring real-time scanning of ICAP traffic

Configuring the display of notification pages

[Topic 255471]

Enabling and disabling integration with a proxy server via ICAP

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

When a standalone proxy server is used, Kaspersky Anti Targeted Attack Platform does not provide encryption of ICAP traffic or authentication of ICAP clients by default. The application administrator must take steps to ensure a secure network connection between your proxy server and Kaspersky Anti Targeted Attack Platform by using traffic tunneling or iptables.

To enable or disable integration with a proxy server via ICAP on a server with the Central Node and Sensor components installed:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  3. Click Edit.
  4. Go to the ICAP integration with proxy server tab.
  5. Do the following:
    • If you want to enable integration with a proxy server via ICAP, move the Enable ICAP integration toggle switch to Enabled.
    • If you want to disable integration with a proxy server via ICAP, move the Enable ICAP integration toggle switch to Disabled.

Integration with a proxy server via ICAP is enabled.

To enable or disable integration with a proxy server via ICAP on an individual server with the Sensor component:

  1. Enter the management console of the Sensor server via the SSH protocol or through a terminal.
  2. When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.

    This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.

  3. Go to the Program settings → Configure ICAP integration section.

    To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.

  4. This opens a window; in that window, select the Enabled line and press the ENTER key.

    [x] is displayed to the right of the Enabled setting.

  5. In the settings of your proxy server, enter the URL from the RESPMOD field.

Integration via ICAP between the proxy server and the individual server with the Sensor component is configured.

If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with a proxy server.

To configure the high availability integration with the proxy server:

  1. Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
  2. Specify this domain name in the proxy server settings.

Integration with the proxy server will be configured based on the domain name. The proxy server will communicate with a random server in the cluster. If this server fails, the proxy server will communicate with another healthy server in the cluster.

[Topic 247536]

Enabling or disabling real-time scanning of ICAP traffic

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

You can enable or disable real-time scanning of ICAP traffic if integration with a proxy server via ICAP is enabled.

If real-time scanning of ICAP traffic is enabled, Kaspersky Anti Targeted Attack Platform sends information about scanned objects to the ICAP client in real time. This helps prevent downloading malicious objects and clicking untrusted links.

To enable or disable real-time scanning of ICAP traffic on a server with the Central Node and Sensor components installed:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  3. Click Edit.
  4. Go to the ICAP integration with proxy server tab.
  5. Under Real-time scanning, select one of the following options:
    • Disabled

      If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.

    • Enabled, standard ICAP traffic scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and by the Anti-Malware Engine and YARA modules. The files remain available while they are being scanned by the Sandbox component.

    • Enabled, advanced ICAP traffic scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and by the Anti-Malware Engine and YARA modules. The files are unavailable while they are being scanned by the Sandbox component.

  6. Under Extract user name:

    If you want to get the user name from the ICAP server, set the Extract user name toggle switch to Enabled. If you need to use Base64 decoding, select the Use Base64 decoding check box.

  7. Click Save.

Real-time scanning of ICAP traffic is enabled or disabled.

To enable or disable real-time scanning of ICAP traffic on an individual server with the Sensor component installed:

  1. Enter the management console of the Sensor server via the SSH protocol or through a terminal.
  2. When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.

    This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.

  3. Go to the Program settings → Configure ICAP integration section.

    To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.

  4. This opens a window; in that window, make sure that [x] is displayed to the right of the Enabled setting.
  5. Select one of the following options:
    • Disable real-time scanning.

      If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.

    • Standard ICAP scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Anti-Malware Engine and YARA modules.

    • Advanced ICAP scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and by the Anti-Malware Engine and YARA modules.

  6. Select an option and press ENTER. (O) is displayed to the right of the selected option.

    To select a row, you can use the ↑ and ↓ keys. The selected row is highlighted in red.

  7. If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, specify the URL from the REQMOD field in the settings of your proxy server.

Real-time scanning of ICAP traffic on an individual server with the Sensor component is enabled or disabled.

If you enabled real-time scanning of ICAP traffic, scanning does not work if integration with the proxy server is disabled. All ICAP traffic scanning settings are saved. When you re-enable integration with the proxy server, ICAP traffic scanning is also enabled.
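The exchange described in this section and the previous one (the proxy acting as ICAP client, the platform acting as ICAP server, REQMOD for requested URLs and RESPMOD for downloaded objects), as an added example that is not Kaspersky's code. It models one RFC 3507 round trip in-process so it runs offline: the proxy wraps an HTTP message in an ICAP request, the scanning side answers 204 (pass the original through) or 200 with an encapsulated HTTP 403 carrying a notification page, and the proxy acts on that verdict. The service URL (with the registered ICAP port 1344 from RFC 3507; the real URL comes from the product's REQMOD/RESPMOD field), the client address, the verdict rules and the block page are all constructed stand-ins, and the source-address allowlist check illustrates the kind of control an administrator adds because the product does not authenticate ICAP clients by default; it is not a product feature.

```python
CRLF = b"\r\n"

# Constructed stand-ins for the scanning server's knowledge and its notification page.
BLOCKED_HOSTS = {"malicious.example"}            # constructed URL verdict source
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"   # constructed file verdict trigger
BLOCK_PAGE = b"<html><body><p>Access blocked by ICAP scan.</p></body></html>"


def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk plus the terminating zero-length chunk."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Decode chunked transfer encoding (sufficient for the messages built here)."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def build_icap_request(method: str, service_url: str, http_headers: bytes, body: bytes = b"") -> bytes:
    """Proxy side: wrap one HTTP request (REQMOD) or response (RESPMOD) in an ICAP request.

    service_url is the URL the product shows in its REQMOD or RESPMOD field; the
    Encapsulated header records the offset at which each encapsulated part starts."""
    kind = "req" if method == "REQMOD" else "res"
    enc = f"{kind}-hdr=0, " + (f"{kind}-body={len(http_headers)}" if body else f"null-body={len(http_headers)}")
    icap_head = (
        f"{method} {service_url} ICAP/1.0\r\n"
        f"Host: {service_url.split('/')[2]}\r\n"
        f"Encapsulated: {enc}\r\n\r\n"
    ).encode()
    return icap_head + http_headers + (chunked(body) if body else b"")


def parse_icap_message(raw: bytes):
    """Split an ICAP request or response into (start line, ICAP headers, HTTP headers, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    enc = dict(part.strip().split("=") for part in headers["Encapsulated"].split(","))
    hdr_len = int(enc.get("req-body") or enc.get("res-body") or enc["null-body"])
    body = b"" if "null-body" in enc else dechunk(rest[hdr_len:])
    return lines[0], headers, rest[:hdr_len], body


def icap_server_handle(raw: bytes, client_ip: str, allowed_clients: frozenset) -> bytes:
    """Scanning side: 403 for an unknown ICAP client, 204 when the object is clean,
    200 with an encapsulated HTTP 403 carrying the notification page when it is blocked."""
    if client_ip not in allowed_clients:  # assumed compensating control; the product has no client auth by default
        return b"ICAP/1.0 403 Forbidden\r\nEncapsulated: null-body=0\r\n\r\n"
    start_line, _, http_headers, body = parse_icap_message(raw)
    if start_line.startswith("REQMOD"):
        url = http_headers.split(b" ")[1].decode()          # request-line target URL
        blocked = url.split("/")[2] in BLOCKED_HOSTS
    else:
        blocked = MALWARE_MARKER in body                     # constructed file verdict
    if not blocked:
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    http_resp = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(BLOCK_PAGE))
    return (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http_resp)
            + http_resp + chunked(BLOCK_PAGE))


def proxy_decision(icap_response: bytes):
    """Proxy side: 204 means pass the original through; 200 means deliver the
    encapsulated replacement (the notification page) to the user instead."""
    start_line, _, _, body = parse_icap_message(icap_response)
    status = int(start_line.split()[1])
    if status == 204:
        return "deliver_original", None
    if status == 200:
        return "deliver_replacement", body
    return "icap_error", None


def exchange(method, service_url, http_headers, body=b"", client_ip="10.0.0.5",
             allowed_clients=frozenset({"10.0.0.5"})):
    """One full round trip between the proxy and the scanning server, in-process."""
    request = build_icap_request(method, service_url, http_headers, body)
    response = icap_server_handle(request, client_ip, allowed_clients)
    return proxy_decision(response)


if __name__ == "__main__":
    service = "icap://kata-sensor.example:1344/av/reqmod"   # assumed URL shape
    clean = b"GET http://www.example/index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
    print(exchange("REQMOD", service, clean))
```

The 204 reply is what makes the integration cheap for clean traffic: the proxy delivers what it already holds without the scanner re-sending it, whereas a 200 reply replaces the whole response, which is why the notification page reaches the user instead of the file or site they requested.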

[Topic 255472]

Configuring real-time scanning of ICAP traffic

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

Real-time ICAP traffic scanning on standalone servers with the Sensor component can only be configured in Technical Support Mode. To perform actions in Technical Support Mode, we recommend contacting Technical Support.

You can configure real-time ICAP traffic scanning on a server with the Central Node and Sensor components for anti-virus scanning of data. Scan results are displayed to the user of the host on a notification HTML page.

To configure real-time ICAP traffic scanning:

  1. In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.

    The ICAP traffic scanning settings page is displayed.

    By default, under Notifications, pages corresponding to the following events are loaded:

    • The page uploaded in the Link blocked field is displayed if a threat is detected at the address requested by the user.
    • The page uploaded in the File blocked field is displayed if a threat is detected in a scanned file.
    • The page uploaded in the Scan file field is displayed if a file scan is started. If the file is safe, the user can click a link to download the file.
    • The page uploaded in the File expired field is displayed if the file was scanned, but the storage duration for that file has expired.

    By default, HTML pages from the distribution kit are loaded in Kaspersky Anti Targeted Attack Platform. You can upload your own notification pages and configure how they must be displayed. The size of a notification page must not exceed 1.5 MB. If the uploaded notification page is larger than 1.5 MB, an error is displayed.

  2. Under File block threshold, in the Sandbox alert importance field, select a value from the drop-down list. These values correspond to the possible impact of the alert on the security of a computer or your corporate network based on the expert opinion of Kaspersky.

    This setting can take one of the following values:

    • High for a high-importance alert. This option is selected by default.
    • Medium for a medium-importance alert.
    • Low for a low-importance alert.
  3. Under Scan timeout, in the Timeout field, specify the time after which the link to the scanned file is unblocked and downloading the scanned file becomes possible.

    The default value is 10 minutes. You can set any value greater than 1 minute.

  4. Click Apply.

The scan is performed with the specified settings.

[Topic 255486]

Configuring the display of notification pages

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

While scanning ICAP traffic in real time, Kaspersky Anti Targeted Attack Platform can perform various operations with the scanned objects: block access to a URL, block a file download, prevent the file from being downloaded while it is being scanned, and offer to re-download the file if its storage duration has expired after scanning. While these operations are in progress, an HTML notification page is displayed to the user on the host on which a URL access attempt or a file download request was made. If you want to display your own pages instead of the default pages, you can upload your own customized HTML pages.

To upload a notification page:

  1. In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.
  2. In the Notifications section, click Browse next to one of the fields you need.
  3. This opens a window; in that window, select your HTML page.
  4. Click Open.

    Your page is uploaded.

The notification page of the Scan file event is different from other notification pages because it includes a link to download the file. If you want to upload a Scan file notification page, you must add a scanned file download link to the source code of the notification page.

Example:

  <html>
    <body>
      <p>The file is being scanned. When the scan is completed, you will be able to download it or you will receive a report about any detected threats.</p>
      <!-- {{ download_url }} is replaced with the scanned file download link -->
      <a href="{{ download_url }}">Download link...</a>
    </body>
  </html>
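A pre-upload check for custom notification pages, as an added example that is not Kaspersky's code. It enforces the two constraints this page states: the 1.5 MB size limit (assumed here to mean 1.5 × 1024 × 1024 bytes) for every notification page, and the scanned file download link, written as the `{{ download_url }}` placeholder in a link's `href`, for the Scan file page only. The four page kinds are the ones listed under Notifications; the rendering function assumes the server performs an equivalent placeholder substitution, which the page does not describe, and the sample pages are constructed.

```python
import html
import re

MAX_PAGE_BYTES = int(1.5 * 1024 * 1024)   # documented 1.5 MB limit, assumed to be 1.5 MiB
PLACEHOLDER_RE = re.compile(r"\{\{\s*download_url\s*\}\}")
# The placeholder must sit in an href so the user can actually click through to the file.
HREF_RE = re.compile(r"""href\s*=\s*["']\s*\{\{\s*download_url\s*\}\}\s*["']""", re.IGNORECASE)
PAGE_KINDS = ("Link blocked", "File blocked", "Scan file", "File expired")


def check_notification_page(kind: str, page: bytes) -> list:
    """Return the problems that would make the upload fail or the page useless; [] means OK."""
    if kind not in PAGE_KINDS:
        raise ValueError(f"unknown notification page kind: {kind}")
    problems = []
    if len(page) > MAX_PAGE_BYTES:
        problems.append(f"page is {len(page)} bytes, limit is {MAX_PAGE_BYTES} bytes")
    text = page.decode("utf-8", errors="replace")
    if kind == "Scan file":  # only this page needs the download link
        if not PLACEHOLDER_RE.search(text):
            problems.append("Scan file page lacks the {{ download_url }} placeholder")
        elif not HREF_RE.search(text):
            problems.append("{{ download_url }} must be the href of a link the user can click")
    return problems


def render_scan_file_page(page: bytes, download_url: str) -> str:
    """Substitute the download link, HTML-escaping it so the URL cannot break out of the attribute.

    Assumption: the server performs an equivalent substitution; this is a local preview."""
    safe = html.escape(download_url, quote=True)
    return PLACEHOLDER_RE.sub(lambda m: safe, page.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample page in the shape of the example above.
    sample = b'<html><body><p>Scanning...</p><a href="{{ download_url }}">Download</a></body></html>'
    print(check_notification_page("Scan file", sample))
    print(render_scan_file_page(sample, "https://sensor.example/download?id=1&t=2"))
```

Running the check before uploading catches the two silent failure modes: a Scan file page that renders fine but leaves the user with no way to fetch the cleared file, and a page that exceeds the size limit and is rejected with an error.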


[Topic 257177]