Description
This article explains ICAP protocol support and its implementation within FortiOS.
Scope
FortiOS.
Solution
ICAP Definition:
The Internet Content Adaptation Protocol (ICAP) is a lightweight HTTP-like protocol specified in RFC 3507. ICAP is used to extend transparent proxy servers, so as to free up resources and standardize the way in which new features are implemented.
ICAP is generally used to implement virus scanning and content filters in transparent HTTP proxy caches. Content Adaptation refers to performing the particular value-added service (content manipulation) for the associated client request/response.
ICAP concentrates on using edge-based devices (proxies and caches) to help deliver value-added services. At the core of this process is a cache that will proxy all client transactions and will process them through ICAP Web servers.
These ICAP servers are focused on a specific function, for example, ad insertion, virus scanning, content translation, language translation, or content filtering. Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks.
In its most basic form, ICAP is a 'lightweight' HTTP-based remote procedure call protocol. In other words, ICAP allows its clients to pass HTTP-based (HTML) messages (content) to ICAP servers for adaptation.
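The exchange described above, as an added example that is not part of the original article and is not Fortinet code: it builds the RESPMOD message an ICAP client sends for one proxied HTTP response, with the RFC 3507 Encapsulated offsets, and slices it back into sections as a server would. The ICAP host name, service path and HTTP messages are constructed sample values.

```python
# Added example (not Fortinet code): frame one proxied HTTP response as an
# ICAP RESPMOD request per RFC 3507. Host names and messages are constructed.
CRLF = b"\r\n"

def chunk(body: bytes) -> bytes:
    """Encapsulated bodies are always sent with chunked transfer-coding."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF

def build_respmod(icap_host: str, service: str, req_hdr: bytes,
                  res_hdr: bytes, res_body: bytes) -> bytes:
    """req_hdr/res_hdr are full HTTP header blocks ending in a blank line."""
    # Offsets are byte positions inside the ICAP body, listed in order.
    last = "res-body" if res_body else "null-body"
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, {last}={len(req_hdr) + len(res_hdr)}"
    head = (f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
            f"Host: {icap_host}\r\n"
            f"Encapsulated: {enc}\r\n\r\n").encode("ascii")
    return head + req_hdr + res_hdr + (chunk(res_body) if res_body else b"")

def split_encapsulated(message: bytes) -> dict:
    """Slice the ICAP body into sections, rejecting inconsistent offsets."""
    head, _, body = message.partition(CRLF + CRLF)
    line = next((l for l in head.split(CRLF)
                 if l.lower().startswith(b"encapsulated:")), None)
    if line is None:
        raise ValueError("missing Encapsulated header")
    parts = []
    for item in line.split(b":", 1)[1].split(b","):
        name, _, off = item.strip().partition(b"=")
        parts.append((name.decode("ascii"), int(off)))
    offsets = [off for _, off in parts]
    if offsets != sorted(offsets) or offsets[-1] > len(body):
        raise ValueError("Encapsulated offsets out of order or past end of body")
    sections = {}
    for i, (name, off) in enumerate(parts):
        end = offsets[i + 1] if i + 1 < len(parts) else len(body)
        sections[name] = body[off:end]
    return sections

# Constructed sample transaction
REQ = b"GET /file.bin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
       b"Content-Length: 11\r\n\r\n")
BODY = b"hello world"

if __name__ == "__main__":
    msg = build_respmod("icap.example.net", "respmod", REQ, RES, BODY)
    print(msg.decode("ascii"))
    print({k: len(v) for k, v in split_encapsulated(msg).items()})
```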
FortiOS Implementation:
ICAP works with FortiOS by interacting with the standard transparent proxy as shown below:
config firewall policy
    edit 0
        set srcaddr "all"
        set dstaddr "all"
        set service "ANY"
        set icap-profile "ICAP-Profile"
        (...)
end
However, using the ICAP protocol together with the FortiOS explicit proxy is not a supported configuration.
Related document:
ICAP support