Application Note
Setting up an ICAP Server for ISG-1000/2000 AV Support
Version 1.1
Ronald Ng, AJTAC Engineer, AV/DI/UF Specialist
Juniper Networks, Inc.
1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA
408 745 2000 or 888 JUNIPER
www.juniper.net
Part Number: 350075-001
August 2006
Contents
Introduction
Prerequisites
Installation of the External AV Scanner
Administering Scan Engine 5.0
Installing the License
How External Scanning Works
Configuring the ISG-1000/2000 for External AV Scanning
WebUI Configuration
Copyright 2006, Juniper Networks, Inc.
Introduction

Beginning with ScreenOS 5.4.0, the ISG-1000 and ISG-2000 support anti-virus scanning through the Symantec ICAP server solution. This document describes the requirements for running AV on an ISG-1000 and/or ISG-2000.

Prerequisites

Requirements on the firewall are as follows:
- ISG-1000 or ISG-2000
- ScreenOS 5.4.0r1 or higher

The external scanner must be installed on a server running one of the following operating systems:
- Windows 2000 Server (with Service Pack 3)
- Windows 2003 Server
- Solaris 8/9
- Red Hat Linux 9.0
- Red Hat Enterprise Linux 3.0
- Red Hat Linux Advanced Server 2.1
- SuSE Linux Enterprise Server 8

All servers require a direct connection to the Internet, with the Sun Java 2 Runtime Environment (version 1.4.2_06 or later within the 1.4.2 platform) installed. IE 6.0 SP1 or later is additionally required to run the administration tool in a web browser.

Installation of the External AV Scanner

External AV scanning is supported with Symantec Scan Engine 5.0. This engine uses ICAP v1.0 and is fully compliant with RFC 3507. Customers need to purchase the Symantec Scan Engine 5.0 server software from their VAR or reseller.

Once the Scan Engine software is purchased, make sure a supported OS is installed on the server platform to be used (see the Prerequisites section above). Sun Java 2 must be installed before the server software: the installation will not complete unless the correct version of Java 2 is present. You can obtain the latest version at http://java.sun.com/j2se/1.4.2/download.html (download the Java Runtime Environment). Once Java is installed on the server, proceed with the installation of Symantec Scan Engine 5.0.
Administering Scan Engine 5.0

You can administer the Scan Engine server from your desktop using IE 6.0 SP1 or higher; make sure Java 2 is enabled on your PC. The administration tool is reached over HTTP on port 8004. For example, if your Scan Engine 5.0 server is at 172.19.50.138, the admin tool is at http://172.19.50.138:8004. Because the tool is served over plain HTTP, reach it only from a trusted management network and do not expose port 8004 beyond the hosts that need it.

Installing the License

1. Before you can begin, you need to install your license on the Scan Engine 5.0 server. From the administration screen, click the System icon.
2. Click Install License. Browse to the location of your license key file and click Install.

At this point the server is set up for antivirus updates. For more information on the operation of Symantec Scan Engine, refer to the Symantec documentation that came with the application.
How External Scanning Works
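The ISG hands each scanned HTTP transfer to the scan engine inside an ICAP/1.0 (RFC 3507) RESPMOD request on TCP port 1344 and acts on the engine's reply. The following Python script is an added example written for this note, not Juniper's or Symantec's code, that reproduces that exchange from a management host so you can confirm the engine answers and returns the verdicts the firewall relies on. The service path /avscan, the X-Infection-Found header (from the ICAP extensions draft, not RFC 3507) and every sample message are assumptions or constructed samples, not captures from a real engine; check the configured ICAP service name in the Scan Engine administration tool before pointing the script at a live server.

```python
"""Minimal ICAP/1.0 RESPMOD client mirroring what an ISG sends to a scan engine.

Added example for this application note; not Juniper or Symantec code.
Assumptions: service path "/avscan" (hypothetical; differs per engine
configuration) and the constructed sample traffic at the bottom.
"""
from __future__ import annotations

import socket

ICAP_PORT = 1344      # port the note says the ISG must reach on the scan engine
SERVICE = "/avscan"   # assumption: the engine's configured ICAP service name


def build_respmod(host: str, http_response: bytes) -> bytes:
    """Wrap a complete HTTP response (headers + body) in an ICAP RESPMOD request.

    RFC 3507 encapsulates the HTTP header block verbatim and the body as an
    HTTP chunked stream; the byte offset of each part is announced in the
    Encapsulated header. "Allow: 204" permits the engine to answer 204
    (clean, unmodified) instead of echoing the whole response back.
    """
    head, sep, body = http_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("HTTP response must contain a header/body separator")
    res_hdr = head + b"\r\n\r\n"
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"
    icap_headers = (
        f"RESPMOD icap://{host}:{ICAP_PORT}{SERVICE} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"
        f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n"
        "\r\n"
    ).encode("ascii")
    return icap_headers + res_hdr + chunked


def parse_icap_status(reply: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased headers) from an ICAP reply header block."""
    head, _, _ = reply.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 reply: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def verdict(reply: bytes) -> str:
    """Map an ICAP reply to a scan verdict.

    204 means the engine found nothing and the response passes unchanged;
    200 means the engine rewrote the response (typically a block page), with
    the threat name in X-Infection-Found when the engine supplies it; anything
    else is a scan failure, and whether that fails open or closed is a policy
    decision left to the caller.
    """
    code, hdrs = parse_icap_status(reply)
    if code == 204:
        return "clean"
    if code == 200:
        return "infected: " + hdrs.get("x-infection-found", "modified")
    return f"error: ICAP {code}"


def scan_over_network(host: str, http_response: bytes, timeout: float = 10.0) -> str:
    """Send the RESPMOD to a live engine and return its verdict (not run offline)."""
    with socket.create_connection((host, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(build_respmod(host, http_response))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return verdict(reply)


# Constructed sample traffic for offline use; not captured from a real engine.
SAMPLE_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
SAMPLE_CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "sample"\r\n\r\n'
SAMPLE_INFECTED_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "sample"\r\n'
    b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
    b"Encapsulated: res-hdr=0, res-body=64\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_respmod("172.19.50.138", SAMPLE_HTTP).decode("iso-8859-1"))
    print(verdict(SAMPLE_CLEAN_REPLY))
    print(verdict(SAMPLE_INFECTED_REPLY))
```

Run without arguments, the script prints the request it would send to 172.19.50.138 and the verdicts for the two constructed replies; scan_over_network() sends the same request to a live engine. The error branch is the part worth settling before relying on external scanning: the ISG, like this script, receives no verdict when the engine is down or overloaded, so decide in the firewall policy whether such traffic is permitted or dropped.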
Configuring the ISG-1000/2000 for External AV Scanning

When setting up the ISG-1000/2000 for external AV scanning, the scan server must be able to access the Internet directly (without going through any proxied connections), and the firewall must be able to reach the server on TCP port 1344. Direct Internet access is needed for the server's outbound updates only; keep its own listening ports (1344 and the admin port 8004) reachable only from the firewall and management hosts.

The steps for configuration are as follows:
1. Create a server object.
2. Create an AV profile, and bind the server object to the AV profile.
3. Create your policies, and bind the AV profile to any policy where AV scanning is required.

To walk through this procedure, we will assume the Symantec Scan Engine 5.0 server is reachable at IP address 172.19.50.138. We will create an ICAP AV server named JTAC_ICAP and an AV profile named ICAP_AV. (Note: use object names without spaces for compatibility.)

WebUI Configuration

1. To create the server object, go to Objects > Antivirus > ICAP Server, and click New.
We will create the AV server named JTAC_ICAP at 172.19.50.138, as shown in the illustration below.
2. Click OK.
3. Next, create the AV profile. Go to Screening > Antivirus > Profile and click New.
4. Enter the profile name ICAP_AV.
5. Click OK. You will see a list of the profiles created.
6. Next to ICAP_AV, click Edit.
7. In the field labelled "ICAP Server Binded", open the pulldown menu and select JTAC_ICAP.
8. Click OK.

You can now create your policy and bind this AV profile to it.
CLI Configuration

1. First, create the server object:

       set icap server JTAC_ICAP host 172.19.50.138

2. Create the AV profile and bind JTAC_ICAP to it:

       nsisg2000-> set av profile ICAP_AV
       nsisg2000(av:icap_av)-> set icap JTAC_ICAP
       nsisg2000(av:icap_av)-> exit
       nsisg2000->

3. Create the policy and bind the AV profile to it (the firewall prints the new policy ID after the first command):

       nsisg2000-> set policy from trust to untrust any any http permit
       policy id = 1
       nsisg2000-> set policy id 1
       nsisg2000(policy:1)-> set av ICAP_AV
       nsisg2000(policy:1)-> exit
       nsisg2000->

Only traffic matching a policy that carries the AV profile is sent to the scan engine; this example covers HTTP from trust to untrust, so bind the profile to every policy whose traffic you expect to be scanned.

Copyright 2006, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.