How do I add an ICAP server?

Adding an ICAP server is one of the tasks you must complete when configuring secure or unencrypted ICAP. See How do I configure secure ICAP? and How do I configure unencrypted ICAP? for the full list of tasks. 

Adding an ICAP server depends on whether you're using secure ICAP or unencrypted ICAP.

Click to:

Watch a video about ICAP Settings, including how to add an ICAP server.

Read about adding an ICAP server for secure ICAP

Read about adding an ICAP server for unencrypted ICAP

You must define your DLP servers in the Zscaler service admin portal by providing the public IP address of your DLP server with the port number on which your network firewall initially accepts the secure ICAP traffic sent by the Zscaler service.

To add an ICAP server for secure ICAP, follow the instructions below. 

  1. Go to Administration > Settings > ICAP Settings.
  2. Click Add ICAP Server.
  3. Complete the following:
    • Enter a name for the DLP server.
    • Select Enable to allow the service to send communications to the DLP server. If you Disable a server, the ZEN cannot send information to that server.
    • Enter the Server URI. The URI must follow the format: icaps://[FQDN or IP address]:[port number]/[servicepath]
      • By default, the Server URI field is prepopulated with icaps:// because Zscaler recommends sending transaction information via secure ICAP.
      • FQDNs and IP addresses of DLP servers and load balancers are accepted.
      • A port number must be included and must match the port on which you’ve configured your network firewall to accept secure ICAP traffic from the Zscaler service. Zscaler recommends using port number 11344 for secure ICAP, per standard practice.
      • The servicepath specifies whether the DLP server monitors outgoing traffic or incoming traffic. For example, if you are using Vontu, you would use the servicepath "reqmod" (for Request Mode) to indicate that the server monitors outgoing traffic.
      • Example of a correctly formatted server URI: icaps://10.10.130.87:11344/reqmod
  4. Click Save and activate the change.

You must define your DLP servers in the Zscaler service admin portal by providing the public IP address of your DLP server with the port number on which your network firewall initially accepts the secure ICAP traffic sent by the Zscaler service. You can configure as many DLP servers as you need (though you specify just one server for each DLP policy). If your DLP server is behind a load balancer, you may also configure load balancers.

To add an ICAP server for unencrypted ICAP, follow the instructions below. 

  1. Go to Administration > Settings > ICAP Settings.
  2. Click Add ICAP Server.
  3. Complete the following:
    • Enter a name for the DLP server.
    • Select Enable to allow the service to send communications to the DLP server. If you Disable a server, the ZEN cannot send information to that server.
    • Enter the Server URI. The URI must follow the format: icap://[FQDN or IP address]:[port number]/[servicepath]
      • By default, the Server URI field is prepopulated with icaps:// because Zscaler recommends sending transaction information via secure ICAP. For scenarios where it is preferable to send ICAP unencrypted, in plain text (for example, for debugging purposes), you can use the scheme icap://.
      • FQDNs and IP addresses of DLP servers and load balancers are accepted.
      • A port number must be included and must match the port on which you’ve configured your network firewall to accept ICAP traffic from the service. Zscaler recommends using port number 1344 for secure ICAP, per standard practice.
      • The servicepath specifies whether the DLP server monitors outgoing traffic or incoming traffic. For example, if you are using Vontu, you would use the servicepath "reqmod" (for Request Mode) to indicate that the server monitors outgoing traffic.
      • Example of a correctly formatted server URI for unencrypted ICAP: icap://metascan.corp.safemarch.com:1344/reqmod
  4. Click Save and activate the change.
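
Before saving a Server URI from either procedure above, it can be checked offline against the required format. The script below is an added example, not Zscaler code: the function name check_icap_uri and the dlp.example.com URIs are assumptions made for illustration. It flags a missing port or servicepath, the unencrypted icap:// scheme, and a scheme paired with the port this page recommends for the other scheme.

```python
from urllib.parse import urlsplit

# Ports this page recommends for each scheme.
RECOMMENDED_PORT = {"icaps": 11344, "icap": 1344}


def check_icap_uri(uri):
    """Check a Server URI against scheme://[FQDN or IP]:[port]/[servicepath].

    Returns (ok, findings); ok is False if any finding starts with "error".
    """
    findings = []
    try:
        parts = urlsplit(uri.strip())
        port = parts.port  # raises ValueError for a non-numeric or >65535 port
    except ValueError:
        return False, ["error: host or port could not be parsed"]
    scheme = parts.scheme.lower()
    if scheme not in RECOMMENDED_PORT:
        return False, ["error: scheme must be icaps:// or icap://"]
    if not parts.hostname:
        findings.append("error: missing FQDN or IP address")
    if port is None:
        findings.append("error: a port number must be included")
    if not parts.path.strip("/"):
        findings.append("error: missing servicepath (for example, reqmod)")
    if scheme == "icap":
        findings.append("warning: icap:// sends transaction data unencrypted")
    other = "icap" if scheme == "icaps" else "icaps"
    if port == RECOMMENDED_PORT[other]:
        findings.append(
            f"warning: port {port} is the recommended {other}:// port, "
            f"but the scheme is {scheme}://"
        )
    ok = not any(f.startswith("error") for f in findings)
    return ok, findings


if __name__ == "__main__":
    samples = [
        "icaps://10.10.130.87:11344/reqmod",               # from this page
        "icap://metascan.corp.safemarch.com:1344/reqmod",  # from this page
        "icaps://dlp.example.com/reqmod",                  # constructed: no port
        "icap://dlp.example.com:11344/reqmod",             # constructed: mismatch
    ]
    for s in samples:
        print(s, check_icap_uri(s))
```

A warning does not block the URI; it marks a configuration worth confirming against the firewall rule and the DLP server's listener before activating the change.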