Installation guide

Deployment Primer
Each configuration has implications for configuring IWSVA, configuring the network,
and for network security.
HTTPS Decryption
IWSVA closes the HTTPS security loophole by decrypting and inspecting encrypted
content for malware and URL access policy violations. You can define policies to
decrypt HTTPS traffic from selected Web categories. Once decrypted, the data is treated
the same way as HTTP traffic, so URL filtering and scanning rules can be applied to it.
IWSVA supports HTTPS decryption and scanning in the following modes:
• Transparent bridge
• WCCP
• Forward proxy
Planning FTP Flows
There are two possible FTP flows: standalone and dependent. They are similar to the
standalone and dependent-mode flows for HTTP service. Each requires a different
configuration and has its own implications including:
• Standalone: the IWSVA server acts as an FTP proxy server between the requesting client and the remote site, brokering all transactions
• Dependent: IWSVA works in conjunction with another FTP proxy server within a LAN
FTP Proxy in Standalone Mode
To scan all FTP traffic in and out of the LAN, set up the FTP scanning module so that it
“brokers” all such connections. In this case, clients connect by FTP to the IWSVA server,
supply the logon credentials for the target site, and then allow the IWSVA FTP server to
make the connection. The remote site transfers the files to the IWSVA FTP server. Before
delivering the files to the requesting clients, the IWSVA FTP server scans them for
viruses and other security risks.
The implications for the FTP standalone flow are:
• IWSVA must have access to the target FTP servers
• There is one fewer step in the flow, compared to the FTP proxy mode