Configure Traffic Forwarding from SWG On-Prem to Skyhigh SSE DLP as ICAP
You can forward requests for content inspection from Skyhigh Secure Web Gateway On-prem to Skyhigh SSE for DLP inspection using ICAP.
Prerequisites
Before you begin, ensure that the following are enabled in SSE:
- API Key for ICAP inspection
- DLP Functionality
Configure Traffic Forwarding from SWG On-prem to SSE DLP
Follow these steps to configure and synchronize SWG On-prem policies to forward traffic to SSE for DLP inspection:
- Log in to the on-premises UI.
- Import the Data Loss Prevention (DLP) with ICAP ruleset from the ruleset library.
- Under ICAP Server List, create a server URL using one of the following formats:
icaps://icap.wgcs.skyhigh.cloud:11344/v1/web/
or
icaps://icap.wgcs.skyhigh.cloud:11344/v1/web/?api_key=<APIKEY>
For details, see Enable ICAP-based DLP for Unified Data Protection.
NOTE: SWG On-prem supports only server certificate verification and does not support CA certificate verification.
- For correct rendering of our block pages, the ICAP Client should forward all HTTP GET requests starting with the URL path */mwg-internal/* to the ICAP Server. This allows fetching the subresources of the block page.
Troubleshooting
- Certificate configuration issue. SWG On‑prem supports only server certificate configuration, so if the certificate is rotated or changed without notice, trust validation errors may occur.
Solution: Verify that the current server certificate matches the one configured on SWG On‑prem and update it promptly if changed.
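One way to run the verification described in the solution above on a schedule, so that a rotated certificate is noticed before inspection starts failing. This is an added example, not Skyhigh code: the function names are hypothetical, the two sample certificates are constructed placeholder bytes, and it assumes icaps:// is ICAP over TLS on the port given in the server URL.

```python
import hashlib
import ssl
from urllib.parse import urlsplit


def icap_endpoint(server_url):
    """Return (host, port) from an icaps:// URL as entered in the ICAP Server List."""
    parts = urlsplit(server_url)
    if parts.scheme != "icaps":
        raise ValueError("expected an icaps:// URL")
    if not parts.hostname or parts.port is None:
        raise ValueError("URL must carry host:port before the path")
    return parts.hostname, parts.port


def fingerprint(pem_cert):
    """SHA-256 hex digest over the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def check_rotation(configured_pem, presented_pem):
    """Compare the certificate configured on the gateway with the one the server presents."""
    want, got = fingerprint(configured_pem), fingerprint(presented_pem)
    return {"match": want == got, "configured": want, "presented": got}


def fetch_presented_cert(server_url, timeout=10):
    """Fetch the server's leaf certificate over TLS, unvalidated (needs network access)."""
    return ssl.get_server_certificate(icap_endpoint(server_url), timeout=timeout)


# Constructed stand-ins for two certificates: arbitrary bytes in PEM armor, not real X.509.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-certificate-before-rotation")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-certificate-after-rotation")

if __name__ == "__main__":
    url = "icaps://icap.wgcs.skyhigh.cloud:11344/v1/web/?api_key=<APIKEY>"
    print(icap_endpoint(url))
    print(check_rotation(OLD_PEM, OLD_PEM))  # same certificate on both sides
    print(check_rotation(OLD_PEM, NEW_PEM))  # server rotated its certificate
```

In live use, pass the PEM exported from the SWG On-prem configuration as configured_pem and the result of fetch_presented_cert() as presented_pem, and alert when match is False.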
