Installation guide

Deployment Primer

2-19

6. The HTTP service scans the content for unwanted data and returns an appropriate

response to the HTTP client.

HTTP Proxy in Dependent Mode (Proxy Behind)

The proxy behind flow consists of a caching proxy placed between the HTTP client and

the IWSVA server without using ICAP. Organizations typically use this flow to increase

performance, as with ICAP.

WARNING! Two security trade-offs exist for this potential performance enhancement:



1. If the cache contains data with a virus, for which there was no pattern

when the data hit the cache, the IWSVA HTTP service cannot prevent the

spread of the virus. 



2. Similarly, if a policy regarding valid content changes, or unauthorized

users request data that exists in the cache (for authorized users), the

HTTP service cannot prevent subsequent unauthorized access to this

data.

Instead of using the proxy-behind flow, Trend Micro recommends that administrators

use an ICAP caching device. This solution provides the performance enhancements of

caching without the security issues of proxy-behind topology.

ABLE

2-4.

HTTP Proxy in Dependent Mode (Proxy Ahead)

DVANTAGES

IMITATIONS

Proxy server controls timing and content

availability behavior.

IWSVA has to scan every

response-even when cached.

It is more secure—configuration changes

will affect cached objects.

IWSVA does not wait for the downloading

of already cached objects.