We're planning the implmentation of Secure ICAP to secure the ICAP traffic between our BlueCoat proxies and Web Prevent v12.5 server, and I would like to pick the community brain before I start installing software.
Environment
- DLP Web Prevent v12.5 running on Windows 2012 R2.
- BlueCoat Proxies
Has anyone implemented a similar secure ICAP config before?
What were the challenges? Any issues?
Was (is) there any performance impacts switching from ICAP to Secure ICAP?
Thoughts on effectiveness? Did you find any sites or services that failed to function after implementing the BC SSL inspection and Secure ICAP config?
Any problems using OpenSSL or Stunnel?
Any insights would be appreciated.
Sincerely,
BionicSecurityEngineer
Addendum:
I dislike self-signed certificates, so the big technical question is, "could we modify step 6 to - generate a CSR and obtain a signed cert from an internal CA vs a self signed cert?" Would you still need OpenSSL if you're using an internal CA? Could you simply point stunnel to the local keychain to use the new certificate?
This is the simplified install overview:
Steps for configuring Secure ICAP for Network Prevent for Web with Windows servers
- Install OpenSSL for Windows.
- Install stunnel for Windows.
- Generate a private key and public certificate using OpenSSL.
- Configure the stunnel service on Windows.
- Start the stunnel service on the Network Prevent for Web Server on Windows.
- Create and import the self-signed certificate.
- Create a new device profile.
- Create a new ICAP service or modify an existing ICAP service to use Secure ICAP.