Secured ICAP with stunnel TLS proxy

You can use the stunnel service to manage encrypted connection for ICAP scanning to increase security.

1.Install and activate ESET Server Security for Linux.

2.To enable ICAP scanning click Setup > Detection engine > Remote scanning > click the toggle next to Enable remote scanning using ICAP service.

3.Install stunnel by package manager. On Ubuntu 20.04, execute the following command from a Terminal window as a privileged user:

4.Store private and public keys to encrypt communication by stunnel in a file with restricted access. This certificate needs to be trusted by an ICAP client, which will connect to ESSL via this secured connection. Example of how to store keys and set permissions:

5.Create a configuration file /etc/stunnel/stunnel.conf readable only by root (chmod 0600) containing the following lines:

•efs_icap—Service name, which we configure in the following lines. Stunnel supports forwarding of multiple connections.

•accept—IP address and port that will accept ICAPS connections. In this example is localhost and port 11344

•connect—IP address and port where ESSL listen for ICAP requests. In this example is the same machine and the default port 1344

6.Start stunnel by systemd and enable it to run automatically after system boot:

7.Open port for ICAPS port in a firewall. On Ubuntu 20.04, execute the following commands from a Terminal window as a privileged user:

8.Configure ICAP client (for example, storage) according to its guide and connect it to port 11344, where ESSL runs with stunnel and trusts the used certificate. Then test if the antivirus connection works, for example, on the eicar sample.