This article describes how to configure load balancing, assign weights to each member of a load-balancing (LB) group, or configure failover across multiple ICAP servers. It applies only to configuration changes made through the Content Analysis settings within the SG Management Console (SG UI > Configuration Tab > Content Analysis). It does not apply to the ICAP services located under the Malware Scanning settings.
The EdgeSWG (ProxySG) appliance supports weighted ICAP load balancing when forwarding ICAP requests through the use of service groups. By default, the appliance performs typical round-robin load balancing and forwards requests evenly and sequentially to the servers defined within the service group. Manually assigning weights lets round-robin load balancing work in service groups that are not homogeneous, or where the servers have different capacities.
Weighting determines what proportion of the load one server bears relative to the others. If all servers have either the default weight (1) or the same weight, each bears an equal proportion of the load. If one server has weight 25 and all other servers have weight 50, the 25-weight server processes half as much as any other server. If a server has a weight of 0, no traffic is sent to that server; if all servers have a weight of 0, ICAP will fail. In the event of a 'Fail_Closed' ICAP rule in the VPM, users will be unable to browse and will receive an ICAP error.
EdgeSWG (ProxySG) or ASG that uses multiple request or response ICAP services, such as Content Analysis System (CAS) or Data Loss Prevention (DLP)
To assign weights to ICAP services in a Content Analysis service group using the Proxy's Management Console:
To configure ICAP services for active-passive failover instead of load balancing, use the ICAP services directly, instead of service groups, when configuring the ICAP Request/Response object through policy in a Web Content Layer. This way, the EdgeSWG (ProxySG) sends ICAP traffic to the first ICAP service on the list and, if that fails, attempts the next one.
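The weighting rules and the active-passive failover order described above can be modelled in a few lines. This is an added example, not code from the appliance or its vendor: the smooth weighted round-robin scheduler is an assumed algorithm (the article does not document the appliance's internal one), and the server names are constructed.

```python
# Added illustration: models the weighting and failover behaviour described
# in the article. Smooth weighted round-robin is an assumed algorithm here;
# the appliance's internal scheduler is not documented on this page.
from collections import Counter


class NoIcapServerAvailable(Exception):
    """No eligible ICAP server; a fail-closed rule would block the request."""


def weighted_distribution(weights, requests):
    """Spread `requests` across a service group in proportion to weight."""
    eligible = {name: w for name, w in weights.items() if w > 0}
    if not eligible:
        # Every member has weight 0: ICAP fails for the whole group.
        raise NoIcapServerAvailable("all service group members have weight 0")
    total = sum(eligible.values())
    current = dict.fromkeys(eligible, 0)
    served = Counter()
    for _ in range(requests):
        for name, w in eligible.items():
            current[name] += w
        pick = max(current, key=current.get)  # highest running score wins
        current[pick] -= total
        served[pick] += 1
    return dict(served)


def failover_pick(services, healthy):
    """Active-passive: first service in policy order that is reachable."""
    for name in services:
        if name in healthy:
            return name
    raise NoIcapServerAvailable("no ICAP service in the list is reachable")


if __name__ == "__main__":
    # Constructed sample group: one 25-weight server, two 50-weight servers,
    # and one drained server (weight 0).
    group = {"icap-a": 25, "icap-b": 50, "icap-c": 50, "icap-d": 0}
    print(weighted_distribution(group, 1000))
    print(failover_pick(["icap-a", "icap-b"], healthy={"icap-b"}))
```

Running the model before changing weights on a production group shows whether a planned drain (weight 0) leaves any member able to take traffic, which matters when the policy rule is fail-closed.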