Configure the ICAP Agent

The ICAP agent is configured to work automatically with Blue Coat ProxySG ICAP clients. But if you are using a different proxy server or if you use an alternate configuration, you need to configure the ICAP agent. To do this, you must edit values in this registry key:

HKEY_LOCAL_MACHINE\Software\ComputerAssociates\CA DLP\CurrentVersion\ICAP

This registry key contains the following registry values:

AgentPort

Type: REG_DWORD

Data: Defaults to 1344. This specifies the port used by the ICAP client and server (that is, the ICAP agent) to communicate ICAP requests and responses.

Note: If you change the port value, you must restart the PE hub.

AuthenticatedUserEncoding

Type: REG_SZ

Data: Defaults to ‘base64’ for base64 encoding. This specifies the encoding scheme for the user name in the ICAP message.

Do not specify a value if you are not using base64 encoding on the proxy server.

AuthenticatedUserHeader

Type: REG_SZ

Data: Defaults to X-Authenticated-User. This is the default for Blue Coat ProxySG servers.

This specifies the ICAP x-header that contains the user credentials. Policy engines use these credentials to map the user to a CA DLP user account. If you use a different proxy server, you must set this value to identify the ‘user credentials’ header used by that proxy server.

AuthenticatedUserType

Type: REG_SZ

Data: Defaults to DN. This is the default for Blue Coat ProxySG servers that use LDAP authentication.

This specifies what type of user information is included in the AuthenticatedUserHeader header. Policy engines can then use this ‘user type’ information to retrieve an email address for the specified user, which in turn allows them to map the user to a CA DLP user account.

For Blue Coat ProxySG servers, this registry value indicates that AuthenticatedUserHeader is populated with the user’s DN entry in the LDAP directory. Policy engines use this information to perform LDAP lookups based on the user’s DN entry in order to retrieve that user’s email address.

If using a different proxy server, you may need to modify this value to indicate the type of user information included in the ICAP message.

Note: Only LDAP authentication is supported in the current release.

CreateICAPMsg

Type: REG_DWORD

Data: Defaults to 2. This specifies how ICAP messages passed to the ICAP agent are stored in the specified DiagnosticFolder (see below). Supported values are:

0 Do not write any messages to the diagnostic folder.

1 Dump every message to the diagnostic folder. Only use this value if directed to do so by CA Technical Support.

2 Only write messages to the diagnostic folder if a processing error occurs.

If no diagnostic folder is specified (that is, if DiagnosticFolder is blank), no ICAP messages are written, regardless of what value CreateICAPMsg is set to.

ClientIPHeader

Type: REG_SZ

Data: Defaults to X-Client-IP, the default value for Blue Coat ProxySG servers. This registry value specifies the HTTP header that contains the IP address of the user's system. If using a different proxy server, you may need to modify this value.

DiagnosticFolder

Type: REG_SZ

Data: No default value. This specifies the folder into which ICAP messages passed to the ICAP agent are saved for diagnostic purposes. The level of saved messages is set by CreateICAPMsg (see above).

You may be asked to modify this value by CA Technical Support.

HostInHub

Type: REG_DWORD

Data: Defaults to 1. This determines whether the ICAP agent connects to a local policy engine hub. Do not change this value.

LogLevel

Type: REG_DWORD

Data: Defaults to 2. This determines the level of logging for the ICAP server. For example, you can configure the ICAP server to only log errors or important system messages.

Log entries are written to the WgnICAP_<date>.log file, where <date> is the date and time when the log file was created; the file is located in CA DLP's \data\log subfolder of the Windows All Users profile; see Viewing log files. The supported logging levels are:

1 Errors only

2 Errors and warnings

3 Errors and warnings, plus informational and status messages

Note: Setting LogLevel=3 will cause the log file to grow extremely rapidly. This level of logging is provided for testing and diagnostic purposes only. For example, it shows storage and retrieval on every resource item.

MaxMessageSizeMB

Type: REG_DWORD

Data: Defaults to 50. This specifies the maximum size (in MB) of message to be processed by the ICAP agent. Messages larger than this are allowed, but not processed; an entry is written to the log file indicating that a message exceeded the maximum size and was allowed.

To avoid unnecessary delays, ensure that this maximum file size threshold matches or is less than the Maximum Size of Files (KB) setting in the user policy (which also defaults to 50 MB). This prevents very large files being sent for policy processing by the ICAP agent, only to be rejected if they exceed the user policy-defined threshold.

ResponseTemplateFile

Type: REG_SZ

Data: Specifies the name and path to the HTML template file that contains the notification message shown to users for HTTP responses from Web sites as a result of policy processing. This registry value defaults to:

C:\Program Files\CA\CA DLP\client\ResponseTemplate.html

This default template is very generic. It contains variables for the message text issued by the policy engine. If required, you can modify the template content and the file name and location to meet your organization’s needs.

RequestTemplateFile

Type: REG_SZ

Data: Specifies the HTML template file that contains the notification message shown to users for HTTP requests as a result of policy processing. This registry value defaults to:

C:\Program Files\CA\CA DLP\client\RequestTemplate.html

This default template is very generic. It contains variables for the message text issued by the policy engine. If required, you can modify the template content and the file name and location to meet your organization’s needs.

UpdateConfig

Type: REG_DWORD

Data: Defaults to 0. Enables administrators to update the ICAP agent configuration. Set to 1 to force the ICAP agent to re-read the registry. When the ICAP agent has accepted the changes, it automatically resets this value to 0.
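As an added example (not part of the CA DLP documentation), the following PowerShell audits the registry values described above against their documented defaults and the consistency rules this page states, then uses UpdateConfig to have the agent re-read the key. The user-policy file-size limit ($PolicyMaxSizeMB) and the $ApplyChanges switch are assumptions supplied by the operator, not values read from CA DLP.

```powershell
# Added example, not CA DLP's own code. Run in an elevated PowerShell on the policy engine host.
$Key = 'HKLM:\Software\ComputerAssociates\CA DLP\CurrentVersion\ICAP'

function Get-IcapSetting([string]$Name, $Default) {
    # A missing value means the agent falls back to its documented default.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

# Defaults as documented on this page.
$port       = Get-IcapSetting 'AgentPort'              1344
$createMsg  = Get-IcapSetting 'CreateICAPMsg'          2
$diagFolder = Get-IcapSetting 'DiagnosticFolder'       ''
$logLevel   = Get-IcapSetting 'LogLevel'               2
$maxSizeMB  = Get-IcapSetting 'MaxMessageSizeMB'       50
$userHeader = Get-IcapSetting 'AuthenticatedUserHeader' 'X-Authenticated-User'
$userType   = Get-IcapSetting 'AuthenticatedUserType'   'DN'

# Assumed inputs: the user policy's Maximum Size of Files, already converted to MB,
# and whether this run should trigger a configuration reload.
$PolicyMaxSizeMB = 50
$ApplyChanges    = $false

$findings = @()
if ($createMsg -eq 1) {
    # Value 1 writes every ICAP message to disk; the page reserves it for CA Technical Support.
    $findings += "CreateICAPMsg=1 dumps every message to '$diagFolder'; restrict that folder's ACL and revert to 2 when diagnostics are done."
}
if ($createMsg -ne 0 -and [string]::IsNullOrWhiteSpace($diagFolder)) {
    $findings += "CreateICAPMsg=$createMsg but DiagnosticFolder is blank, so no diagnostic messages will be written."
}
if ($logLevel -eq 3) {
    $findings += "LogLevel=3 is for testing only; WgnICAP_<date>.log will grow extremely rapidly."
}
if ($maxSizeMB -gt $PolicyMaxSizeMB) {
    $findings += "MaxMessageSizeMB=$maxSizeMB exceeds the user policy limit ($PolicyMaxSizeMB MB); large files would be sent for processing only to be rejected."
}
if ($userType -ne 'DN') {
    $findings += "AuthenticatedUserType=$userType: only LDAP (DN) authentication is supported in the current release."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "ICAP agent on port $port looks consistent (user header: $userHeader)." }

if ($ApplyChanges) {
    # Ask the agent to re-read the key; it resets UpdateConfig to 0 once the changes are accepted.
    # A changed AgentPort still requires a PE hub restart, as the page notes.
    Set-ItemProperty -Path $Key -Name 'UpdateConfig' -Value 1 -Type DWord
}
```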