Proxy tab

The Configuration: Proxy tab is only available for the Sensor and is used for detecting traffic going through web proxies. It includes the following configuration options:

ICAP server

If Enabled, the Sensor will run an ICAP service. This allows ICAP-aware HTTP proxies to connect to this service and receive blocking decisions based on the system's protection capabilities.

Inline analysis

This option is only available if ICAP server is enabled.

If Enabled, the ICAP capability can act upon the transfer of malicious files. This option should be enabled in the vast majority of cases.

Secure ICAP

This option is only available if ICAP server is enabled.

If Enabled, the option allows ICAP-aware HTTP proxies to connect to the appliance by means of a secure connection. The default port is 11344.

Blocking settings

Blocking threshold

Set a threshold value between 0 and 100. Any content that gets a score above that value will be sanitized. The default is 70. Type a value in the textbox. You can also use the +/- icon to scroll to the desired value.

To understand the threshold values, see the Impact score.

Check the Disabled checkbox to allow all content.

Blocking pages

Blocked page message

When a URL is blocked, the server notifies the client. You can customize the message sent to the user by editing the content in the textbox.

At any time, you can revert to the original text by clicking the Default button.

Pending page message

If Full with feedback blocking is enabled, the server provides feedback to the client. This page informs the user that the requested content is being held pending a VMware NSX Network Detection and Response analysis. You can customize the message sent to the user by editing the content in the textbox.

At any time, you can revert to the original text by clicking the Default button.

Blocked page details

If Enabled, system details are displayed on the blocking pages.

X-Lastline-* headers

If Enabled, additional X-Lastline-* headers are included in the HTTP responses. These can be useful to understand the blocking decisions.

Lastline logo

If Enabled, the VMware logo is displayed on the blocking pages.

Blocking behavior

Use the list to configure the blocking policy to be applied by the ICAP daemon for each type of file. Refer to the VMware NSX Network Detection and Response ICAP Integration Guide (PDF) for more information.

File types

Click the radio buttons in the list to set the blocking behavior for each type of file:

  • Executable: Binary program formats such as Windows Portable Executable

  • Archive: Archive formats such as ZIP or RAR

  • Media: Macromedia (Adobe) Flash file

  • Document: Includes other types of Office documents

  • PDF: Portable Document Format files

  • Other: Other recognized file format

  • File upload: HTTP POST requests that are detected to contain malicious content

Passive

No blocking is attempted on this type of file, but any relevant content will be analyzed.

Sensor-known

Block all artifacts known to be malicious by the Sensor (listed in its local cache). This method offers the lowest levels of protection but ensures minimal lag.

Manager-known

Block all artifacts known to be malicious by the Manager. These data are listed in the Manager cache and shared across all managed appliances.

Full

Artifacts are not served to the client until they have been fully analyzed. This method offers the maximum level of protection against new, unknown files. However, it can result in significant delays (in the order of minutes) when serving certain types of content.

Full with feedback

Same as Full: artifacts are not served to the client until they have been fully analyzed. While waiting for analysis results, a feedback page is served to the client. This page is refreshed regularly until the analysis completes. The results are then served to the client.

HTTP POST

Determines what the Sensor does with malicious content. If Block, the Blocked page message is sent to the destination. If Sanitize, the Sensor removes the malicious content before it forwards the request to its destination.

Timeout

Set the maximum time in seconds that the proxy server is allowed to delay the request.

When you are done, click the Save and deploy button to enable your changes. Otherwise, click Cancel to discard any changes.

If you have not made any changes, click the Retrigger configuration button to reload the appliance configuration.

Click Back to appliance list to return to the Overview tab.