ESET Online Help

Search English
Select the topic

Integrate ICAP server with EMC Isilon

Overview

You can scan the files you store on an Isilon cluster for computer viruses, malware, and other security threats by integrating with ESET Server Security for Linux (ESSL) through the Internet Content Adaptation Protocol (ICAP).

Prerequisite

1.ESSL is installed and its Web interface is enabled.

2.Isilon OneFS is installed.

Enable ICAP server in ESSL

In this example ICAP server will listen on IP address 10.1.169.28 and on port 1344.

1.Click Setup > Detection Engine > Remote scanning, click the toggle next to Enable ICAP scanning.

2.Click Edit next to Listen addresses and ports, then click Add.

3.Type the applicable IP address and port. In our example, the Listen address is 10.1.168.28, and Listen port is 1344. Click Save.

4.Click Additional parameters, click the toggle next to Dell EMC Isilon compatibility.

5.Click Save.

Enabling ICAP server in OneFS

1.Log in to OneFS administration panel, click Data Protection > Antivirus > ICAP Servers > Add an ICAP Server.

2.Select Enable ICAP Server, and type the URL address of ICAP server to the ICAP Server URL field using the following pattern: icap://<IP_ADDRESS>:<PORT>/scan
In our example: icap://10.1.168.28:1344/scan

3.Click Add Server.

4.Click Settings, select Enable Antivirus Service.

5.Type into Path prefixes the path to scan. To scan all paths, type "/ifs" (without quotation marks).

6.Click Save changes.

Scan-related settings on EMC Isilon

File size, file name or file extension restrictions

On-access scanning or on-demand scanning via policy

Threat response settings

How does it work?

When a file is written to (or accessed on) the EMC Isilon cluster, OneFS queues the file to be scanned, and sends the file to the ICAP server configured in both OneFs and ESSL. ESSL scans the file and provides feedback on the scanned file to EMC Isilon. OneFS decides how to deal with the scanned files based on threat response settings.

Test your setup

To test your setup, you need to have access from your computer to OneFS cluster through one of the supported protocols. In our example, we will use the NFS protocol.

1.Configure NFS:

a.Log in to OneFS administration panel, click Protocols > UNIX Sharing (NFS) > Create Export.

b.Leave the default settings, verify the path is /ifs, click Save.

2.Mount NFS share on your Linux machine:

mkdir isilon

sudo mount -t nfs <IP address of OneFS cluster>:/ifs isilon

 

3.Complete a test scan:

a.Get eicar antivirus test file from www.eicar.org, copy it to Isilon's NFS share and try to read its content.

wget www.eicar.org/download/eicar.com

cp eicar.com isilon

cat isilon/eicar.com

 

b.Based on your OneFS antivirus settings, the result will be either permission denied on that file (default), or the file will be truncated or deleted. For example:

cat: isilon/eicar.com: Permission denied

 

c.To check the detected threat, log in to OneFS administration panel, click Data Protection > Antivirus.

Common ICAP response codes

Exit code

Meaning

100

Continue after ICAP preview.

101

Ready to switch protocol to one requested by client.

200

The request has succeeded. The information returned depends on the method.

201

Created. The new resource is created. The URI is specified in the body.

202

Accepted. The request was accepted but the processing has not being completed.

204

No modifications needed.

400

Bad request.

404

ICAP Service not found.

405

Method not allowed for service (for example, RESPMOD requested for service that supports only REQMOD).

408

Request timeout. ICAP server gave up waiting for a request from an ICAP client.

500

Server error. Error on the ICAP server, such as "out of disk space".

501

Method not implemented. This response is illegal for an OPTIONS request since implementation of OPTIONS is mandatory.

502

Bad gateway. This is an ICAP proxy and proxying produced an error.

503

Service overloaded. The ICAP server has exceeded a maximum connection limit associated with this service; the ICAP client should not exceed this limit in the future.

505

ICAP version not supported by server.