Use case: Making an enterprise network secure by using ICAP for remote malware inspection

The Citrix ADC appliance acts as a proxy and intercepts all the client traffic. The appliance uses policies to evaluate the traffic and forwards client requests to the origin server on which the resource resides. The appliance decrypts the response from the origin server and forwards the plain text content to the ICAP server for an antimalware check. The ICAP server responds with a message indicating “No adaptation required,” an error, or a modified request. Depending on the response from the ICAP server, the requested content is either forwarded to the client, or an appropriate message is sent.

For this use case, you must perform some general configuration, proxy and SSL interception related configuration, and ICAP configuration on the Citrix ADC appliance.

General configuration

Configure the following entities:

  • NSIP address
  • Subnet IP (SNIP) address
  • DNS name server
  • CA certificate-key pair to sign the server certificate for SSL interception

Proxy server and SSL interception configuration

Configure the following entities:

  • Proxy server in explicit mode to intercept all outbound HTTP and HTTPS traffic.
  • SSL profile to define SSL settings, such as ciphers and parameters, for connections.
  • SSL policy to define rules for intercepting traffic. Set the rule to true to intercept all client requests.

In the following sample configuration, the antimalware detection service resides at

Sample general configuration:

add dns nameServer

add ssl certKey ns-swg-ca-certkey -cert ns_swg_ca.crt -key ns_swg_ca.key

Sample proxy server and SSL interception configuration:

add cs vserver explicitswg PROXY 80 -Authn401 ENABLED -authnVsName explicit-auth-vs

set ssl parameter -defaultProfile ENABLED

add ssl profile swg_profile -sslInterception ENABLED

bind ssl profile swg_profile -ssliCACertkey ns-swg-ca-certkey

set ssl vserver explicitswg -sslProfile swg_profile

add ssl policy ssli-pol_ssli -rule true -action INTERCEPT

bind ssl vserver explicitswg -policyName ssli-pol_ssli -priority 100 -type INTERCEPT_REQ

Sample ICAP Configuration:

add service icap_svc TCP 1344

enable ns feature contentinspection

add icapprofile icapprofile1 -uri / -Mode RESPMOD

add contentInspection action CiRemoteAction -type ICAP -serverName icap_svc -icapProfileName icapprofile1

add contentInspection policy CiPolicy -rule "HTTP.REQ.METHOD.NE(\"CONNECT\")" -action CiRemoteAction

bind cs vserver explicitswg -policyName CiPolicy -priority 200 -type response

Configure the proxy settings

  1. Navigate to Security > SSL Forward Proxy > SSL Forward Proxy Wizard.

  2. Click Get Started and then click Continue.

  3. In the Proxy Settings dialog box, enter a name for the explicit proxy server.

  4. For Capture Mode, select Explicit.

  5. Enter an IP address and port number.

  6. Click Continue.

Configure the SSL interception settings

  1. Select Enable SSL Interception.

  2. In SSL Profile, select an existing profile or click “+” to add a new front-end SSL profile. Enable SSL Sessions Interception in this profile. If you select an existing profile, skip the next step.

  3. Click OK and then click Done.

  4. In Select SSL interception CA Certificate-Key Pair, select an existing certificate or click “+” to install a CA certificate-key pair for SSL interception. If you select an existing certificate, skip the next step.

  5. Click Install and then click Close.

  6. Add a policy to intercept all the traffic. Click Bind. Click Add to add a new policy or select an existing policy. If you select an existing policy, click Insert, and skip the next three steps.

  7. Enter a name for the policy and select Advanced. In the Expression editor, enter true.

  8. For Action, select INTERCEPT.

  9. Click Create.

  10. Click Continue four times, and then click Done.

Configure the ICAP settings

  1. Navigate to Load Balancing > Services and click Add.

  2. Type a name and IP address. In Protocol, select TCP. In Port, type 1344. Click OK.


  3. Navigate to SSL Forward Proxy > Proxy Virtual Servers. Add a proxy virtual server or select a virtual server and click Edit. After entering details, click OK.

    Click OK again.

  4. In Advanced Settings, click Policies.

  5. In Choose Policy, select Content Inspection. Click Continue.

  6. In Select Policy, click the “+” sign to add a policy.

  7. Enter a name for the policy. In Action, click the “+” sign to add an action.

  8. Type a name for the action. In Server Name, type the name of the TCP service created earlier. In ICAP Profile, click the “+” sign to add an ICAP profile.

  9. Type a profile name and URI. In Mode, select REQMOD.

  10. Click Create.

  11. In the Create ICAP Action page, click Create.

  12. In the Create ICAP Policy page, enter true in the Expression Editor. Then, click Create.

  13. Click Bind.

  14. When prompted to enable the content inspection feature, select Yes.

  15. Click Done.


Sample ICAP transactions between the Citrix ADC appliance and the ICAP server in RESPMOD

Request from the Citrix ADC appliance to the ICAP server:

RESPMOD icap:// ICAP/1.0


Connection: Keep-Alive

Encapsulated: res-hdr=0, res-body=282

HTTP/1.1 200 OK

Date: Fri, 01 Dec 2017 11:55:18 GMT

Server: Apache/2.2.21 (Fedora)

Last-Modified: Fri, 01 Dec 2017 11:16:16 GMT

ETag: "20169-45-55f457f42aee4"

Accept-Ranges: bytes

Content-Length: 69

Keep-Alive: timeout=15, max=100

Content-Type: text/plain; charset=UTF-8


Response from the ICAP server to the Citrix ADC appliance:

ICAP/1.0 200 OK

Connection: keep-alive

Date: Fri, 01 Dec, 2017 11:40:42 GMT

Encapsulated: res-hdr=0, res-body=224

Server: IWSVA 6.5-SP1_Build_Linux_1080 $Date: 04/09/2015 01:19:26 AM$

ISTag: "9.8-13.815.00-3.100.1027-1.0"

X-Virus-ID: Eicar_test_file

X-Infection-Found: Type=0; Resolution=2; Threat=Eicar_test_file;

HTTP/1.1 403 Forbidden

Date: Fri, 01 Dec, 2017 11:40:42 GMT

Cache-Control: no-cache

Content-Type: text/html; charset=UTF-8

Server: IWSVA 6.5-SP1_Build_Linux_1080 $Date: 04/09/2015 01:19:26 AM$

Content-Length: 5688

<html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"/>
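
The outcomes described at the top of this page (no adaptation required, modified content, or error) can be told apart by parsing the ICAP reply, as the sample response above shows. The following Python parser is an added example, not Citrix code or part of the original page; the function names, verdict labels and the constructed sample message are assumptions, with the sample modelled on the RESPMOD response above.

```python
CRLF = b"\r\n"

def parse_headers(block: str) -> dict:
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    pairs = (line.partition(":") for line in block.split("\r\n"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def split_fields(text: str, delim: str) -> dict:
    """Parse 'k=v<delim> k=v' lists (Encapsulated, X-Infection-Found)."""
    pairs = (item.partition("=") for item in text.split(delim))
    return {k.strip(): v.strip() for k, _, v in pairs if v}

def parse_icap_response(raw: bytes) -> dict:
    head, sep, payload = raw.partition(CRLF * 2)
    if not sep:
        raise ValueError("truncated ICAP header section")
    status_line, _, header_block = head.decode("latin-1").partition("\r\n")
    proto, code, *_ = status_line.split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = parse_headers(header_block)
    # Encapsulated values are byte offsets into the payload after the ICAP headers.
    offsets = {k: int(v) for k, v in split_fields(headers.get("encapsulated", ""), ",").items()}
    http_status = None
    if "res-hdr" in offsets:
        end = offsets.get("res-body", offsets.get("null-body", len(payload)))
        http_head = payload[offsets["res-hdr"]:end]
        # A wrong offset would make the proxy forward a mis-framed response.
        if not (http_head.startswith(b"HTTP/") and http_head.endswith(CRLF * 2)):
            raise ValueError("Encapsulated offsets do not match the payload")
        http_status = int(http_head.split(b" ", 2)[1])
    infection = split_fields(headers.get("x-infection-found", ""), ";")
    if code == "204":
        verdict = "forward-original"   # ICAP "No adaptation required"
    elif code == "200":
        verdict = "blocked" if infection or "x-virus-id" in headers else "modified"
    else:
        verdict = "error"
    return {"icap_status": int(code), "http_status": http_status, "verdict": verdict,
            "threat": infection.get("Threat") or headers.get("x-virus-id")}

def build_sample() -> bytes:
    """Constructed reply modelled on the page's sample; offset is computed here."""
    http_head = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n"
    icap_head = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n"
                 b"X-Virus-ID: Eicar_test_file\r\n"
                 b"X-Infection-Found: Type=0; Resolution=2; Threat=Eicar_test_file;\r\n\r\n")
    return icap_head % len(http_head) + http_head + b"d\r\n<html>blocked\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(parse_icap_response(build_sample()))
```
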


