Athena SWG (Secure Web Gateway)

Athena SWG (formerly Internet Access Gateway) ensures visibility and control across the network, detecting risks like unauthorized access, non-compliant activities, and data leaks to manage endpoints.

13.0.120

{{item.code}}

User Manual

IAG Installation

IAG Console

Web Login

Configuration

Functions

Value-Added Services

Sangfor Business Intelligence

Internet Access Analytics

Bandwidth Analytics

Electricity Waste Analytics

Real-Time Status

Real-Time Status

Proxy

Access Management

Working Principle

802.1X Authentication

Authentication

Endpoint Check

Ingress Client Settings

Online Activities

Access Control

Advanced

Bandwidth Management

Quota Control

Link Load Balancing

Activity Audit

Internet Access Audit

Ingress Client Audit

Endpoint Management

Endpoint Connection Control

Security Capabilities Configuration

Connect IAG to Endpoint Secure

Endpoint Connection Control Case Study

Internet Security

System

Object

Network

Sangfor VPN

Firewall

General

Diagnostics

Use Cases

SSO Configuration

SSO Configuration for the AD Domain

Proxy SSO Configuration

SMS Authentication

Send SMS Through an SMS Modem

Endpoint Device Management Configuration

Comprehensive Configuration

SNMP Trap Configuration

Basic Configuration

Enable Email Alert

Testing Procedure

Test with the MIB Browser Tool

Testing Results

International Bandwidth Configuration

Athena SWG (Secure Web Gateway)

User Manual

Functions

Proxy

ICAP Server Groups

{{sendMatomoQuery("Athena SWG (Secure Web Gateway)","ICAP Server Groups")}}

ICAP Server Groups

{{ $t('productDocDetail.updateTime') }}: 2025-12-29

Proxy data can be sent to an ICAP server from this unit, performing virus scanning and data loss prevention (DLP) against the proxy data. It also supports checking the internet's data download to perform virus scanning.

You can configure at most 64 ICAP server groups, and each server group can contain one or more ICAP servers. In an ICAP server group, servers are selected in a round-robin, which means the requests are sent to each ICAP server in the server group by round-robin. An ICAP server is given a unique IP address and port and must not exist in two different ICAP server groups.

To add a new ICAP server group, click Add and configure the following fields:

Name: Specify a different name for this ICAP server group.

Description: Description of the ICAP server group.

Inspection Mode: Can choose between Request and Response.

Request Type: You can choose between POST, GET, and Put.

Forward Threshold: Data will be forwarded to an ICAP server only if its size reaches the threshold. Recommend using the default value.

Max Connections: Number of maximum concurrent request and response sessions. If it reaches the maximum connection, sessions will be backlogged. Recommend using the default value or the optimal configuration.

Backlog: Maximum number of waiting connections. If a connection is not complete, subsequent connections will have to wait. For example, if you set the backlog to 10 and the number of waiting connections has reached 10, subsequent connections will be allowed directly. Recommend using the default value.

Modification: Enabling this will add the selected field to the end of the URL forwarded to the ICAP server, which will modify the original URL. The selected fields will be added in the following order: alias > username > department > custom content.

Response type:

Forward Threshold: Data will be forwarded to an ICAP server only if its size reaches the threshold. Recommend using the default value.

Whitelist: Put the file extension that doesn’t require forwarding to the ICAP server into the whitelist.

Max Connections: Number of maximum concurrent request and response sessions. If it reaches the maximum connections, sessions will be backlogged. Recommend using the default value or the optimal configuration.

Backlog: Maximum number of waiting connections. If a connection is not complete, subsequent connections will wait. If you set the backlog to 10, and the number of waiting connections has reached 10, subsequent connections will be allowed directly. Recommend keeping the default value.

You can configure 32 ICAP servers for each ICAP server group and perform operations against an individual server, such as enable, disable, and delete. The Status column displays the status of individual ICAP servers, enabled or disabled.

To add an ICAP server, click Add Server and configure the following fields.

Name: Specifies a different name for this ICAP server.

Description: Description of this ICAP server.

Server IP: Specifies the address of this ICAP server. It cannot exceed 96 characters. The IPv6 address is supported as well.

Port: Specifies the port of this ICAP server. It should be an integer between 1 and 65535.

Connection Timeout: Specifies the timeout of the connection. It should be an integer between 1 and 120 seconds.

Max Connections: Specifies the maximum number of connections. It should be an integer between 4 and 100.

Send: You can select the specific information to be sent to the ICAP server, such as the source IP address, server address, authenticated user, or authenticated groups.

Negotiate: Click Negotiate to test the validity of the ICAP server and negotiate parameters with that server.

Interval: Specify the interval to perform a health check. By default, health checks are performed every 10 seconds. Set the interval to an integer between 5 and 60. Unit: seconds.

Health Check Method: Select L4 health check and L7 health check as needed. The former is to check the port, while the latter is to check the application. For example, an HTTP GET or HTTP HEAD request for a specific URL can be sent.

Action: Specify the action to be performed if an error occurs on the ICAP server. Valid values: Rejects client request and Allow client request.

{{ $t('index.defaultHeader.logo') }}

Athena SWG (Secure Web Gateway)

ICAP Server Groups