ESET Online Help

Search English
Select the topic

Secured ICAP with stunnel TLS proxy

You can use the stunnel service to manage encrypted connection for ICAP scanning to increase security.

1.Install and activate ESET Server Security for Linux.

2.To enable ICAP scanning click Setup > Detection engine > Remote scanning > click the toggle next to Enable remote scanning using ICAP service.

3.Install stunnel by package manager. On Ubuntu 20.04, execute the following command from a Terminal window as a privileged user:

sudo apt install stunnel

4.Store private and public keys to encrypt communication by stunnel in a file with restricted access. This certificate needs to be trusted by an ICAP client, which will connect to ESSL via this secured connection. Example of how to store keys and set permissions:

sudo cat private_key.pem ca_key.pem >> /etc/pki/tls/private/stunnel.pem

sudo chmod 400 /etc/pki/tls/private/stunnel.pem

5.Create a configuration file /etc/stunnel/stunnel.conf readable only by root (chmod 0600) containing the following lines:


accept =

connect =

cert = /etc/pki/tls/private/stunnel.pem

efs_icap—Service name, which we configure in the following lines. Stunnel supports forwarding of multiple connections.

accept—IP address and port that will accept ICAPS connections. In this example is localhost and port 11344

connect—IP address and port where ESSL listen for ICAP requests. In this example is the same machine and the default port 1344


Stunnel can even run on a dedicated server and connect to multiple machines with ESSL or be sandboxed in chroot. For all stunnel options see the manual.

6.Start stunnel by systemd and enable it to run automatically after system boot:

sudo systemctl start stunnel

sudo systemctl enable stunnel

7.Open port for ICAPS port in a firewall. On Ubuntu 20.04, execute the following commands from a Terminal window as a privileged user:

sudo ufw allow 11344/tcp
sudo ufw reload

8.Configure ICAP client (for example, storage) according to its guide and connect it to port 11344, where ESSL runs with stunnel and trusts the used certificate. Then test if the antivirus connection works, for example, on the eicar sample.