Integrate ICAP server with EMC Isilon
Overview
You can scan the files you store on an Isilon cluster for computer viruses, malware, and other security threats by integrating with ESET Server Security for Linux (ESSL) through the Internet Content Adaptation Protocol (ICAP).
Prerequisite
1.ESSL is installed and its Web interface is enabled.
2.Isilon OneFS is installed.
Enable ICAP server in ESSL
In this example ICAP server will listen on IP address 10.1.169.28 and on port 1344.
1.Click Setup > Detection Engine > Remote scanning, turn on both Enable remote scanning using ICAP service and Dell EMC Isilon compatibility.
2.Click Edit next to Listen addresses and ports.
3.Click Add.
4.Type the applicable IP address and port. In our example, the IP address is 10.1.168.28, and port is 1344.
5.Click Save.
Enabling ICAP server in OneFS
1.Log in to OneFS administration panel, click Data Protection > Antivirus > ICAP Servers > Add an ICAP Server.
2.Select Enable ICAP Server, and type the URL address of ICAP server to the ICAP Server URL field using the following pattern: icap://<IP_ADDRESS>:<PORT>/scan
In our example: icap://10.1.168.28:1344/scan
3.Click Add Server.
4.Click Settings, select Enable Antivirus Service.
5.Type into Path prefixes the path to scan. To scan all paths, type "/ifs" (without quotation marks).
6.Click Save changes.
Scan-related settings on EMC Isilon
•File size, file name or file extension restrictions
•On-access scanning or on-demand scanning via policy
How does it work?
When a file is written to (or accessed on) the EMC Isilon cluster, OneFS queues the file to be scanned, and sends the file to the ICAP server configured in both OneFs and ESSL. ESSL scans the file and provides feedback on the scanned file to EMC Isilon. OneFS decides how to deal with the scanned files based on threat response settings.
Test your setup
To test your setup, you need to have access from your computer to OneFS cluster through one of the supported protocols. In our example, we will use the NFS protocol.
1.Configure NFS:
a.Log in to OneFS administration panel, click Protocols > UNIX Sharing (NFS) > Create Export.
b.Leave the default settings, verify the path is /ifs, click Save.
2.Mount NFS share on your Linux machine:
mkdir isilon sudo mount -t nfs <IP address of OneFS cluster>:/ifs isilon |
3.Complete a test scan:
a.Get eicar antivirus test file from www.eicar.org, copy it to Isilon's NFS share and try to read its content.
wget www.eicar.org/download/eicar.com cp eicar.com isilon cat isilon/eicar.com |
b.Based on your OneFS antivirus settings, the result will be either permission denied on that file (default), or the file will be truncated or deleted. For example:
cat: isilon/eicar.com: Permission denied |
c.To check the detected threat, log in to OneFS administration panel, click Data Protection > Antivirus.
Common ICAP response codes
Exit code |
Meaning |
---|---|
100 |
Continue after ICAP preview. |
101 |
Ready to switch protocol to one requested by client. |
200 |
The request has succeeded. The information returned depends on the method. |
201 |
Created. The new resource is created. The URI is specified in the body. |
202 |
Accepted. The request was accepted but the processing has not being completed. |
204 |
No modifications needed. |
400 |
Bad request. |
404 |
ICAP Service not found. |
405 |
Method not allowed for service (for example, RESPMOD requested for service that supports only REQMOD). |
408 |
Request timeout. ICAP server gave up waiting for a request from an ICAP client. |
500 |
Server error. Error on the ICAP server, such as "out of disk space". |
501 |
Method not implemented. This response is illegal for an OPTIONS request since implementation of OPTIONS is mandatory. |
502 |
Bad gateway. This is an ICAP proxy and proxying produced an error. |
503 |
Service overloaded. The ICAP server has exceeded a maximum connection limit associated with this service; the ICAP client should not exceed this limit in the future. |
505 |
ICAP version not supported by server. |