This article describes how to integrate Cequence with NetScaler ADC using the built-in ICAP (Internet Content Adaptation Protocol) capability of the NetScaler ADC. To understand how ICAP works in the NetScaler ADC, read the official documentation.
The NetScaler ADC usually serves as a gateway to applications deployed in the network with visibility into all traffic flowing from the clients to the application services and servers. Capturing data at the NetScaler ADC allows the Cequence UAP platform to gather all client-server traffic (requests and responses) necessary to discover and detect APIs for compliance and sensitive data exposure, as well as to detect malicious requests.
ICAP is a lightweight protocol aimed at providing simple object-based content vectoring for HTTP services. It allows ICAP clients to pass HTTP messages to ICAP servers for transformation or other processing ("adaptation"). The ICAP server executes its transformation service on the messages and sends back responses to the client. The HTTP messages can be HTTP requests or HTTP responses.
The NetScaler ADC, acting as an ICAP client, intercepts incoming HTTP/HTTPS traffic (requests and responses), decrypts the traffic if it is HTTPS, encapsulates it in ICAP protocol format, and sends the encapsulated data to the ICAP server.
The Cequence Bridge, acting as the ICAP server, reads the ICAP data, abstracts the traffic from the ICAP encapsulation, transforms the data for consumption by the Cequence UAP platform for analysis, and transfers the required metadata to the Cequence UAP platform.
Since the integration's purpose is to only capture the application and API data being received by the NetScaler ADC, the Cequence Bridge (ICAP server) sends a response back to the NetScaler ADC (ICAP client) indicating that there are no modifications to the data sent by it. The NetScaler ADC then forwards the traffic to the intended recipient - requests are sent to the back-end origin server and responses from the back-end origin server are sent to the original requestor.
Cequence supports ICAP over TLS connections for secure data transfer. A high-level flow diagram of the integration is shown below.
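To make the ICAP exchange concrete, here is an added Python sketch of a capture-only ICAP server playing the role the Bridge has in this flow (example code written for this article, not Cequence's Bridge or any NetScaler code). It parses a REQMOD/RESPMOD message as the ADC sends it with the Preview and Allow 204 settings from Step 3, extracts the encapsulated HTTP headers and chunked body, and answers 204 No Content; the host names, the /icap-req and /icap-resp URIs and the sample POST are constructed.

```python
CRLF = b"\r\n"

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body; the preview terminator '0; ieof' ends it like '0' does."""
    out, pos = b"", 0
    while (eol := data.find(CRLF, pos)) >= 0:
        size = int(data[pos:eol].split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the chunk data and its trailing CRLF
    return out

def parse_icap(raw: bytes) -> dict:
    """Split an ICAP request into request line, headers and encapsulated HTTP sections."""
    head, _, payload = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, uri, _ = lines[0].decode().split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.decode().partition(":") for line in lines[1:])}
    enc = [(e.split("=")[0].strip(), int(e.split("=")[1]))  # byte offsets into payload
           for e in headers.get("encapsulated", "").split(",") if "=" in e]
    sections = {name: payload[start:(enc[i + 1][1] if i + 1 < len(enc) else len(payload))]
                for i, (name, start) in enumerate(enc)}
    body = sections.get("req-body") or sections.get("res-body") or b""
    return {"method": method, "uri": uri, "headers": headers,
            "sections": sections, "body": dechunk(body)}

def icap_response(raw: bytes) -> bytes:
    """OPTIONS advertises Preview and 204; REQMOD/RESPMOD get 204 (no modification)."""
    msg = parse_icap(raw)
    if msg["method"] == "OPTIONS":
        mode = b"REQMOD" if msg["uri"].endswith("/icap-req") else b"RESPMOD"
        return (b"ICAP/1.0 200 OK" + CRLF + b"Methods: " + mode + CRLF + b"Preview: 1024"
                + CRLF + b"Allow: 204" + CRLF + b"Encapsulated: null-body=0" + CRLF + CRLF)
    # 204 is only legal when the client sent Allow: 204 or this is a preview (RFC 3507 4.6)
    if "204" in msg["headers"].get("allow", "") or "preview" in msg["headers"]:
        return b"ICAP/1.0 204 No Content" + CRLF + b"Encapsulated: null-body=0" + CRLF + CRLF
    keep = [(n, d) for n, d in msg["sections"].items()  # otherwise echo the message back
            if msg["method"] == "REQMOD" or not n.startswith("req-")]  # RESPMOD omits req-*
    enc, body, off = [], b"", 0
    for name, data in keep:
        enc.append(f"{name}={off}"); body += data; off += len(data)
    return (b"ICAP/1.0 200 OK" + CRLF + b"Encapsulated: " + ", ".join(enc).encode()
            + CRLF + CRLF + body)

REQ_HDR = b"POST /api/v1/orders HTTP/1.1\r\nHost: shop.example\r\n\r\n"  # constructed sample
SAMPLE_REQMOD = (b"REQMOD icap://bridge.example/icap-req ICAP/1.0\r\nAllow: 204\r\nPreview: 1024\r\n"
                 b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(REQ_HDR) + REQ_HDR
                 + b'14\r\n{"sku":"A1","qty":2}\r\n0; ieof\r\n\r\n')
```

Because the ADC profiles enable Preview (1024 bytes) and Allow 204, the Bridge can acknowledge with 204 after the preview alone and the ADC forwards the original request untouched.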
Prerequisites
The following prerequisites must be confirmed before proceeding with setting up the integration between Cequence and the NetScaler ADC.
Cequence UAP Platform
Confirm that the Cequence UAP platform is installed and working properly before proceeding with the integration with the NetScaler ADC. On a new install, a member of the Cequence Customer Success team can confirm that the Cequence UAP platform is working properly.
Confirm that you have access to the credentials for a user account on the Cequence UAP platform that has the privileges to create a client token for traffic ingestion using the User Management menu.
Cequence Bridge
Confirm that you have a Cequence Bridge installed in your network and that it is reachable from the NetScaler ADC. It is recommended that the latency between the Cequence Bridge and the NetScaler ADC be as low as possible to take advantage of the near real-time detection capabilities of the Cequence platform.
You can install the Cequence Bridge in Kubernetes using Helm, or as a Docker container directly on the host machine.
Sensitive Data Masking
You can configure the Bridge to mask sensitive data before sending it to Cequence UAP. This prevents sensitive data values in API requests or responses from being sent as raw values to the UAP platform, while Cequence UAP can still identify sensitive data in requests and responses. Configuration of traffic filtering and sensitive data masking for the Cequence Bridge is discussed in a separate article.
Known Limitation: Load balancing of multiple Cequence Bridge instances for ICAP is currently not supported. Configure the NetScaler ADC to send traffic to a single Cequence Bridge.
Network Communication
The Cequence UAP platform and the Cequence Bridge communicate over HTTPS. Confirm that this communication has been enabled.
The NetScaler ADC and the Cequence Bridge communicate over TCP port 1345 using TLS. Confirm that this communication has been enabled.
NetScaler ADC
Confirm that you have access to the credentials for an account on the NetScaler ADC with the privileges required to create and modify Servers, Services, ICAP Profiles, Content Inspection Policies and Actions, and Virtual Servers.
Confirm that the NetScaler ADC is licensed for the Content Inspection feature and that the feature is enabled. The ICAP feature works on a NetScaler ADC standalone or high availability setup with NetScaler Premium or Advanced license edition.
KNOWN LIMITATION: HTTP/2 is not compatible with the NetScaler ADC Content Inspection feature. Applications using HTTP/2 might not function properly if their traffic is sent through content inspection.
Configuring NetScaler ADC
To integrate with the Cequence UAP platform, Cequence requires the use of ICAP profiles on the NetScaler ADC attached to an existing Virtual Server for sending a copy of the traffic received by the Virtual Server to the Cequence Bridge.
The procedures in this section cover the creation of a Server and a Service on the NetScaler ADC to send ICAP traffic to the Cequence Bridge over SSL/TLS, the creation of ICAP profiles for the two ICAP modes (REQMOD and RESPMOD), the creation of Content Inspection Policies for the two ICAP profiles, and the binding of those policies to the Virtual Server so that requests and responses are captured and sent to the Cequence Bridge via ICAP.
Step 1: Create a Server on the NetScaler ADC
- Navigate to Traffic Management > Load Balancing > Servers. The Servers page appears.
- Click Add.
- On the Create Server page:
- Provide a name for the server (example: CQ-Bridge-Server) in the Name field.
- Provide the IP address of the Cequence Bridge in the IP Address field.
- Click Create.
Step 2: Create a Service on the NetScaler ADC
- Navigate to Traffic Management > Load Balancing > Services. The Services page appears.
- Click Add.
- On the Load Balancing Service page:
- Provide a name for the service (example: CQ-Bridge-Service) in the Service Name field.
- Select the Existing Server radio button.
- Select the server created in Step 1 from the Server drop-down list.
- Select the SSL_TCP protocol from the Protocol drop-down list.
- Provide the Cequence Bridge ICAP port (1345) in the Port field.
- Click OK.
- You will be taken back to a detailed Load Balancing Service page:
- Ensure that DEFAULT_BACKEND is configured for the SSL Ciphers.
- Click on the Pencil icon next to the SSL Parameters field.
- The SSL Parameters field expands for editing.
- Ensure that TLSv12 has been selected in the Protocol field.
- Click OK.
- Click Done.
Step 3: Create ICAP Profiles for two ICAP modes (REQMOD and RESPMOD) on the NetScaler ADC
- Navigate to Security > Content Inspection > ICAP Profiles. The ICAP Profiles page appears.
- Click Add to create a new ICAP profile for the REQMOD mode.
- On the Create ICAP Profile page:
- Provide a name for the ICAP profile (example: CQ-ICAP-REQ-Profile) in the Name field.
- Check the Preview box.
- Enter 1024 in the Preview Length field.
- Enter /icap-req in the URI field.
- Select REQMOD in the Mode field.
- Select BYPASS in the Request Timeout Action field.
- Ensure that the Connection Keep-Alive box is unchecked.
- Check the box for Allow 204.
- Click Create.
- You will be taken back to the ICAP Profiles page. On the ICAP Profiles page, click Add to create a new ICAP profile for the RESPMOD mode. On the Create ICAP Profile page:
- Provide a name for the ICAP profile (example: CQ-ICAP-RESP-Profile) in the Name field.
- Check the Preview box.
- Enter 1024 in the Preview Length field.
- Enter /icap-resp in the URI field.
- Select RESPMOD in the Mode field.
- Select BYPASS in the Request Timeout Action field.
- Ensure that the Connection Keep-Alive box is unchecked.
- Check the box for Allow 204.
- Click Create.
Step 4: Create Content Inspection Policies for the two ICAP Profiles on the NetScaler ADC
- Navigate to Security > Content Inspection > Policies. The Content Inspection Policies and Actions page appears.
- Click Add to create a new Content Inspection Policy for the REQMOD mode.
- On the Create Content Inspection Policy page:
- Provide a name for the policy (example: CQ-ICAP-REQ-Policy) in the Name field.
- Click Add for the Action field.
- On the Create Content Inspection Action page:
- Provide a name for the action (example: CQ-ICAP-REQ-Action) in the Name field.
- Select ICAP in the Type field.
- Select the Server Name radio button.
- Select the Service created in Step 2 from the Server Name drop-down list.
- Select the ICAP profile created for the REQMOD mode from Step 3 in the ICAP Profile field.
- Select CONTINUE in the If Server Down field.
- Click Create.
- You will be taken back to the Create Content Inspection Policy page. On the Create Content Inspection Policy page:
- Enter "true" in the Expression field.
- Click Create.
- You will be taken back to the Content Inspection Policies and Actions page. Click Add to create a new Content Inspection Policy for the RESPMOD mode.
- On the Create Content Inspection Policy page:
- Provide a name for the policy (example: CQ-ICAP-RESP-Policy) in the Name field.
- Click Add for the Action field.
- On the Create Content Inspection Action page:
- Provide a name for the action (example: CQ-ICAP-RESP-Action) in the Name field.
- Select ICAP in the Type field.
- Select the Server Name radio button.
- Select the Service created in Step 2 from the Server Name drop-down list.
- Select the ICAP profile created for the RESPMOD mode from Step 3 in the ICAP Profile field.
- Select CONTINUE in the If Server Down field.
- Click Create.
- You will be taken back to the Create Content Inspection Policy page.
- On the Create Content Inspection Policy page:
- Enter "true" in the Expression field.
- Click Create.
Step 5: Attach the ICAP Policies to the Virtual Server on the NetScaler ADC
- Navigate to Traffic Management > Load Balancing > Virtual Servers. The Virtual Servers page appears.
- Click the Virtual Server that you want to attach the ICAP Policies to. The Virtual Server page appears.
- Scroll to the Policies section. If no Policies section is shown, add it by clicking Policies under Advanced Settings on the right.
- Click the + icon to add a new policy for the REQMOD mode.
- On the Choose Type page, in the Policies section:
- Select Content Inspection in the Choose Policy field.
- Select Request in the Choose Type field.
- Click Continue.
- On the Choose Type page, in the Policy Binding section:
- Select the Content Inspection Policy created for the REQMOD mode in Step 4.
- Click Bind.
- You will be taken back to the Virtual Server page. On the Virtual Server page, scroll to the Policies section.
- Click the + icon to add a new policy for the RESPMOD mode.
- On the Choose Type page, in the Policies section:
- Select Content Inspection in the Choose Policy field.
- Select Response in the Choose Type field.
- Click Continue.
- On the Choose Type page, in the Policy Binding section:
- Select the Content Inspection Policy created for the RESPMOD mode in Step 4.
- Click Bind.
- You will be taken back to the Virtual Server page. On the Virtual Server page, click Done.