OWA or O365 URLs seem to be stuck in reading state on the Content Analysis. This may result in an experience of an outage due to the number of connections that enter into the reading state when you have an group of individuals using OWA or O365. These connections will remain in a reading state for upward of six digit times (600000ms as example), tying up ICAP connections.
OWA and O365 stream data to the ProxySG continuously where the end of the transaction is never seen. Essentially, it's a permanent stream of data being sent to the ProxySG without the end of file being delivered. In turn, the ProxySG delivers OWA/O365 data to the Content Analysis system the same way, in which the end of file is not delivered. Thus, the Content Analysis continues to wait for more data in the reading state, as the ProxySG continues to deliver data from the URL. Each of these transactions consume CAS resources and when all of the resources are exhausted, the ProxySG will slow down processing of new transactions and eventually stop all processing of transactions causing an outage.
The only solution is to prevent the OWA/O365 traffic from being scanned so that the ProxySG and CAS resources are free to process all other web traffic.
Policy to prevent ICAP Scanning for OWA/O365 Traffic that causes reading state to occur:
Install policy on the ProxySG to bypass ICAP for OWA and O365 URL/IPs. A list of IP/URLs for O365 can be found in article TECH246276