Why is there no ICAP network traffic between an EMC CAVA client and a SAV For NAS (Scan Engine) 5.x?
|Article:TECH89174|||||Created: 2008-01-14|||||Updated: 2010-08-05|||||Article URL http://www.symantec.com/docs/TECH89174|
Network captures of a SAV For NAS (Scan Engine) 5.x server being used with an EMC CAVA connector do not show any ICAP traffic present and/or a live capture doesn't show any ICAP traffic.
When a network capture is done on the SAV For NAS (Scan Engine) server that is being used with an EMC CAVA connector the captures do not produce any ICAP traffic; however, the Scan Engine logs show that requests are being received and processed.
EMC CAVA uses a client/server model where the server resides on the NAS and clients reside on each machine that SAV For NAS (Scan Engine) 5.x is installed on. The communication between the CAVA server and client does not use ICAP. Once the CAVA client receives the request from the CAVA server it then makes an ICAP FILEMOD request to Scan Engine and passes the absolute file path of the file to be scanned. SAV For NAS (Scan Engine) then reads/scans the file directly from the NAS using CIFS (SMB). Because both the CAVA client and Scan Engine reside on the same machine this traffic travels via loopback and cannot be captured by most capture packet utilities such as WireShark.
A possible solution is the use of a network capture utility that has the ability to capture localhost/loopback traffic; however, it should be noted that the captured traffic will contain very little useful information since the contents of the ICAP request will be a single FILEMOD request along with the absolute path to the file that needs to be scanned. The contents of the file are not passed from the CAVA server to the CAVA client or from the CAVA client to SAV For NAS (Scan Engine), only the path is passed. Once Scan Engine receives the path it reads from the file directly.
About other integrations with similar restrictions
Similar restrictions occur in any situation where Scan Engine is installed on the same machine with a server application which connects to it. These deployments are known to be possible with the following implementations:
Protocol / Connector
- ICAP / Symantec Protection for Microsoft SharePoint Servers 5.1.x
- Native / ClearSwift MIMESweeper
- Native / MailMarshal
Article URL http://www.symantec.com/docs/TECH89174