Virus Scanning with McAfee Web Gateway
The purpose of this technical note is to announce that AirWatch tested support for in-line, third-party virus scanning via the ICAP protocol. The intended audience for this tech note is admins who want to protect their network from content that contains malware.
This document was last published on November 17, 2015 and corresponds to the AirWatch v8.2 release. Since then, the functionality may have changed such that this document is no longer accurate or applicable. Technical notes do not receive regular updates, so if the information here is not valid for your needs, please contact AirWatch Support.
Protect content from malware by scanning it for viruses using the McAfee Web Gateway. To delegate virus scanning to the McAfee Web Gateway, you need to configure an F5 load balancer to use HTTP Adaption. This conditionally forwards HTTP requests and responses to an Internet Content Adaptation Protocol (ICAP) server for modification before sending the request or response to its original destination. The section below outlines the communication flow for requests (REQMOD) and responses (RESPMOD).
Uploading Content (REQMOD)
Ensure that malicious content never enters the corporate network.
- Client sends out a content upload bound for the MAG/RFS, to F5.
- F5 sends a REQMOD request over the ICAP protocol to the McAfee Web Gateway.
- McAfee views the request:
  - Malware Detected – McAfee uses the ICAP protocol to instruct the F5 not to forward the request to the origin server (e.g., RFS). Instead, it tells the F5 to return a canned HTTP 403 status response from McAfee.
  - No Malware Detected – McAfee uses the ICAP protocol to instruct the F5 to forward the request as-is to the origin server.
Downloading Content (RESPMOD)
Ensure that malicious content never downloads to a user’s machine.
- Client sends out a Content Download request bound for the MAG/RFS, to F5.
- F5 sends a RESPMOD request over the ICAP protocol to the McAfee Web Gateway.
- McAfee Web Gateway scans the content for malware and returns a response:
  - Malware Detected – Returns a 403 – Forbidden error message.
  - No Malware Detected – McAfee uses the ICAP protocol to instruct the F5 to forward the response as-is to the client.
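The following added example, which is not AirWatch, F5 or McAfee code, shows how an ICAP client in the F5's position can turn the scanner's reply into the actions listed in both flows above. The sample messages, the action names and the fail-closed default are assumptions of the example; the message framing follows RFC 3507.

```python
# Added example. Messages below are constructed, not captured from a real gateway.
BLOCKED = (b"ICAP/1.0 200 OK\r\n"
           b'ISTag: "constructed-1"\r\n'
           b"Encapsulated: res-hdr=0, null-body=45\r\n\r\n"
           b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
CLEAN = (b"ICAP/1.0 204 No Content\r\n"
         b'ISTag: "constructed-1"\r\n'
         b"Encapsulated: null-body=0\r\n\r\n")
SCANNER_DOWN = b"ICAP/1.0 500 Server Error\r\n\r\n"

def parse_icap_response(raw):
    """Return (icap_status, headers, encapsulated_bytes) for one ICAP reply."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated ICAP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    proto, code = lines[0].split(" ", 2)[:2]
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP reply")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, payload

def encapsulated_offsets(value):
    """'res-hdr=0, null-body=45' -> {'res-hdr': 0, 'null-body': 45}"""
    pairs = (part.strip().partition("=") for part in value.split(","))
    return {name: int(offset) for name, _, offset in pairs}

def verdict(raw, mode):
    """Map a REQMOD or RESPMOD reply to (action, http_status)."""
    try:
        code, headers, payload = parse_icap_response(raw)
        enc = encapsulated_offsets(headers.get("encapsulated", "null-body=0"))
        if code == 204:                       # no modification: forward as-is
            return ("forward-as-is", None)
        if code == 200 and "res-hdr" in enc:  # scanner supplied an HTTP response
            status_line = payload[enc["res-hdr"]:].split(b"\r\n", 1)[0]
            return ("reply-with-encapsulated", int(status_line.split(b" ")[1]))
        if code == 200 and mode == "REQMOD" and "req-hdr" in enc:
            return ("forward-adapted-request", None)
    except (ValueError, IndexError):
        pass
    # Assumption of this example: anything unparsable or unexpected fails closed.
    return ("fail-closed", None)
```

Whether the load balancer fails open or closed when the scanner is unreachable is a deployment decision; the example fails closed so that unscanned content is never forwarded.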
Take advantage of these updates by meeting the minimum requirements and downloading Virus Scanning with McAfee Web Gateway.
- AirWatch 8.2+
- F5 load balancer (11.6.0+)
How to Get Virus Scanning with McAfee Web Gateway
AirWatch cannot communicate with the ICAP protocol used for McAfee virus scanning. You must place the F5 load balancer, or an appropriate alternative, in front of the MAG/RFS Server to communicate with the ICAP protocol. An alternative to an F5 is using open source software (Squid) as an ICAP proxy. All configurations for this functionality occur on third-party clients. Please reach out to F5, Squid and McAfee resources, respectively, for more in-depth information on implementation.