HTTP Proxy and Securepoint Antivirus

Configuration of a UTM when using a HTTP proxy and Securepoint Antivirus Pro

Last adaption: 02.2026

New:

Layout adjustments

notempty

This article refers to a Beta version

Proxy-0623

Introduction

Securepoint Antivirus Pro regularly checks for new updates and downloads them.
Please note the following:

With a direct Internet connection of a Windows client, this is not a problem because there are normally no rules for regulating website calls
In a network environment, on the other hand, workstations usually have ‘'no’' direct Internet access.
The data traffic is filtered via packet filters and proxies.
This offers malware as little attack surface as possible.

notempty

With a good firewall configuration, each client only gets the permissions it really needs.

This article presents three scenarios that allow the Antivirus Pro update via the HTTP proxy of a Securepoint NextGen UTM firewall and the web filter.

Scenario 1: Standard proxy without authentication

Webfilter

Webfilter UTMuser@firewall.name.fqdnApplications The UTM Web Filter

Call in menu Applications Webfilter

In this case, the HTTP proxy is used in Transparent mode.
In the Webfilter, only the websites required for communication are enabled.

Each Securepoint Antivirus Pro user must be included in a rule set that enables the Securepoint Antivirus Pro update servers.

You can either

adapt an existing rule set or
add a new rule set via + Add Rule Set as described in the Web Filter article and then supplement it with the necessary rules

The security rule set already contains these rules.

Add rules for Securepoint Antivirus Pro
Caption	Value	Description	Edit rule set
	Edit	Click the corresponding button to edit the rule set

General
No matching rule found	block	Select "Block"	Edit rule set UTMuser@firewall.name.fqdnApplicationsWebfilter Edit rule set for Securepoint Antivirus
	+ Add rule	Click the button to add a rule. 2 A new window opens with the message

Type:	URL	Select URL as the rule type	Add rule UTMuser@firewall.name.fqdnApplicationsWebfilterEdit rule set Add URL
URL	.ikarus.at/	Add the following URL: .ikarus.at/
Action		Allow action
	Save	Save URL
URL	.mailsecurity.at/	Add the following URL: .mailsecurity.at/
Action		Allow action
	Save and close	Save URL and close the dialog
notempty For the rule set to be applied, the rule set must be assigned to a profile that contains the corresponding computer!

Virus scanner of the UTM Call in menu Applications HTTP Proxy
The virus scanner of the HTTP proxy already includes exceptions for ikarus.at and mailsecurity.at in the default profile. If these have been deleted, you can assign the rules either to the default profile or to another configuration profile. ^[^:]://[^\.]\.ikarus\.at/ ^[^:]://[^\.]\.mailsecurity\.at/
	Edit	Edit configuration profile / global configuration profile	HTTP-Proxy UTMuser@firewall.name.fqdnApplications HTTP-Proxy Log 42 Edit a profile
If the exceptions are restored in the standard profile, they will also apply to any additional configuration profiles you have created yourself. If the exceptions are only to apply to one additional configuration profile (or several profiles), then insert the exceptions there.

Virus scanner Allowlist
Website-Allowlist:	^[^:]://[^\.]\.ikarus\.at/	Add exceptions for ikarus and mailsecurity	Edit configuration profile / global configuration profile UTMuser@firewall.name.fqdnApplicationsHTTP-Proxy HTTP-Proxy Log 42 Add rules for the virus scanner
Website-Allowlist:	^[^:]://[^\.]\.mailsecurity\.at/	Add exceptions for ikarus and mailsecurity

Scenario 2: Standard proxy with authentication Call in menu Applications HTTP Proxy Area General
To increase security, you can select an authentication method in the Securepoint NextGen UTM firewall.
Authentication method:	Basic	With basic authentication, the users are queried against the stored users under Authentication User Area User on the firewall	Select an authentication method
	NTLM/Kerberos	Here the firewall must be made known to the server. This can be set up in the web interface under Authentication AD / LDAP Authentication
	Radius	Here the firewall must be made known to the server. This can be set up in the web interface under Authentication Radius-Authentication

Authentication exception
Since the Securepoint Antivirus client cannot authenticate itself against the proxy with NTLM, additional 'authentication exceptions are required. The exceptions for ikarus and mailsecurity are already present by default. They are accessed after activating the authentication exceptions On If they have been deleted, they must be added again.
Enabled:	On	Authentication exceptions must be enabled	Authentication exceptions for ikarus and mailsecurity
Exceptions (URL):	\.ikarus\.at \.mailsecurity\.at	Add exceptions for ikarus and mailsecurity

Scenario 3: Standard proxy with authentication via NTLM and with SSL interception
SSL-Interception
Both for SSL interception and Transparent Mode, the exceptions for SSL interception are already configured system-wide. They take effect when SSL interception and Transparent Mode are activated. If they are no longer present, add them manually
Enabled:	Always	SSL interception has been activated

Exceptions for SSL interception

Exceptions:	.*\.ikarus\.at	Add exceptions for ikarus and mailsecurity
	.*\.mailsecurity\.at	Add exceptions for ikarus and mailsecurity
	.91\.212\.136\..	Release of server IP addresses for Transparent Mode

Transparent Mode

	On	Transparent Mode is active.

Introduction

Scenario 1: Standard proxy without authentication

Webfilter

Add rules for Securepoint Antivirus Pro

Virus scanner of the UTM

Scenario 2: Standard proxy with authentication

Authentication exception

Scenario 3: Standard proxy with authentication via NTLM and with SSL interception

SSL-Interception

Exceptions for SSL interception

Transparent Mode