Slow performance or Edge SWG outages occurring when intercepting Outlook Web Access (OWA) and Office Online (O365) with ICAP scanning



Article ID: 169426


Products

ProxySG Software - SGOS

Issue/Introduction

OWA or O365 URLs appear to be stuck in the reading state on the Content Analysis. When a group of individuals is using OWA or O365, the number of connections that enter the reading state can be experienced as an outage. These connections remain in the reading state for upward of six-digit times (600000 ms, for example), consuming ICAP connections.

Cause

OWA and O365 stream data to the Edge SWG continuously, so the end of the transaction is never seen. Essentially, it is a permanent stream of data being sent to the Edge SWG without the end of file ever being delivered. In turn, the Edge SWG delivers the OWA/O365 data to the Content Analysis system the same way, without the end of file. Thus, the Content Analysis continues to wait for more data in the reading state while the Edge SWG continues to deliver data from the URL. Each of these transactions consumes CAS resources, and when all of the resources are exhausted, the Edge SWG slows down processing of new transactions and eventually stops processing transactions altogether, causing an outage.

Resolution

The only solution is to prevent the OWA/O365 traffic from being scanned so that the Edge SWG and CAS resources are free to process all other web traffic.

Policy to prevent ICAP scanning for the OWA/O365 traffic that causes the reading state to occur:

  1. Install policy on the ProxySG to bypass ICAP for OWA and O365 URLs/IPs. A list of IPs/URLs for O365 can be found in the Microsoft documentation: Office 365 URLs and IP address ranges
  2. Install the following policy for OWA traffic:

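<cache>
; Skip response ICAP scanning for the OWA pending-notification request that stays in the reading state
server_url.path=/owa/ev.owa2 server_url.query.regex="(.*)ns=PendingRequest(.*)ev=PendingNotificationRequest(.*)" response.icap_service(no)
; All other responses are still sent to the proxyav ICAP service and fail closed
response.icap_service(proxyav, fail_closed)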
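
The following is an added example, not part of the original article or the vendor's own code: a Python check that approximates the first rule of the OWA policy above (path prefix plus query regex), so URLs taken from access logs can be tested to confirm that the ICAP bypass stays narrow. The host name and sample URLs are constructed, and matching with Python's `re` (case-sensitive, path treated as a prefix test) is an assumption standing in for the proxy's own matcher.

```python
import re
from urllib.parse import urlsplit

# Values copied from the OWA rule on this page.
BYPASS_PATH_PREFIX = "/owa/ev.owa2"
BYPASS_QUERY_REGEX = re.compile(
    r"(.*)ns=PendingRequest(.*)ev=PendingNotificationRequest(.*)"
)

# Constructed sample URLs (hypothetical host and parameter values).
SAMPLES = [
    # Long-poll notification request: the one the rule is meant to exempt.
    "https://mail.example.com/owa/ev.owa2?ns=PendingRequest&ev=PendingNotificationRequest&UA=0",
    # Same parameters in the opposite order: the regex is order-dependent.
    "https://mail.example.com/owa/ev.owa2?ev=PendingNotificationRequest&ns=PendingRequest",
    # Same path, different event: must still be scanned.
    "https://mail.example.com/owa/ev.owa2?ns=PendingRequest&ev=SomethingElse",
    # Unrelated OWA path (for example a file download): must still be scanned.
    "https://mail.example.com/owa/download?id=123",
]


def icap_decision(url: str) -> str:
    """Return 'bypass' if the URL would match the exemption rule, else 'scan'.

    Assumption: the path condition is a prefix test and the regex is searched
    against the query string; both conditions must hold for the bypass.
    """
    parts = urlsplit(url)
    if not parts.path.startswith(BYPASS_PATH_PREFIX):
        return "scan"
    if BYPASS_QUERY_REGEX.search(parts.query):
        return "bypass"
    return "scan"


def audit(urls):
    """Map each URL to its decision so unexpected bypasses stand out."""
    return {url: icap_decision(url) for url in urls}


if __name__ == "__main__":
    for url, decision in audit(SAMPLES).items():
        print(f"{decision:6} {url}")
```

Only the first sample is exempted; a request that carries the two parameters in the opposite order does not match the regex and remains subject to scanning.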