Use an On-premises DLP Server from the Cloud
You can perform DLP filtering using an on-prem DLP server with an ICAP client that runs in the cloud.
You can, however, only implement this method of DLP filtering if you are using the hybrid solution for Web Protection, which includes both Web Gateway and Skyhigh Security Web Security Gateway Service.
The ICAP client is made available by importing a rule set on Web Gateway that is already configured for cloud use. The settings for this solution are imported together with the rule set.
By modifying the rules in the rule set or the settings that are imported with it, you can adapt this solution to your requirements.
ICAP configuration
The DLP server takes the role of the ICAP server in this configuration. The server must be placed in a DMZ where it can have a public IP address, as the ICAP client connects to it using this type of address.
Internal and other protected addresses, for example, internal IP addresses of Skyhigh Security Web Security Gateway Service, must not be used in the cloud and are therefore excluded by a check that the ICAP client performs.
The ICAP client and server also send health check messages to each other at regular intervals.
NOTE: We recommend using ICAPS (Secure ICAP), because data is transferred in plain text when normal ICAP is used. The ICAPS client does not, however, validate the certificate that the DLP server presents in its role as ICAPS server, so the connection is encrypted but the server's identity is not verified.
ICAP-related properties for cloud use
The following properties can be used in rules for the filtering process on Skyhigh Security Web Security Gateway Service.
For example, the ICAP.ReqMod.Satisfaction property is used in a rule of the library rule set for Data Loss Prevention filtering using a cloud ICAP client.
- Properties for the ReqMod mode:
  - ICAP.ReqMod.Satisfaction
  - ICAP.ReqMod.ResponseHeader.Exists
  - ICAP.ReqMod.ResponseHeader.ExistsMatching
  - ICAP.ReqMod.ResponseHeader.Get
  - ICAP.ReqMod.ResponseHeader.GetMatching
  - ICAP.ReqMod.ResponseHeader.GetMultiple
  - ICAP.ReqMod.ResponseHeader.GetMultipleMatching
- Properties for the RespMod mode:
  - ICAP.RespMod.ResponseHeader.Exists
  - ICAP.RespMod.ResponseHeader.ExistsMatching
  - ICAP.RespMod.ResponseHeader.Get
  - ICAP.RespMod.ResponseHeader.GetMatching
  - ICAP.RespMod.ResponseHeader.GetMultiple
  - ICAP.RespMod.ResponseHeader.GetMultipleMatching
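As an added illustration (not Web Gateway's own code), the following Python models the address check described under ICAP configuration and the lookup semantics of the ICAP.*.ResponseHeader.* properties listed above. The excluded ranges, the service path, and the X-DLP-* header names in the sample response are assumptions made for this example.

```python
"""Added example (not Skyhigh/Web Gateway code) modelling two points on this page:
the address exclusion the cloud ICAP client applies to the DLP server's address, and
header lookups with the semantics of the ICAP.*.ResponseHeader.* properties."""
import ipaddress
import re

ICAP_PORTS = {"icap": 1344, "icaps": 11344}  # ports given on the page
# Ranges this model treats as internal/protected; the product's own list is not documented.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",  # RFC 1918, CGNAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",       # loopback, link-local, ...
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def dlp_server_uri(address: str, secure: bool = True, service: str = "reqmod") -> str:
    """Build the icap(s):// URI (service path is an assumption) or raise ValueError
    when the address is one the client refuses."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in EXCLUDED):
        raise ValueError(f"{address} is not public; the DLP server belongs in a DMZ")
    scheme = "icaps" if secure else "icap"
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"{scheme}://{host}:{ICAP_PORTS[scheme]}/{service}"


class IcapResponseHeaders:
    """Exists/ExistsMatching/Get/GetMatching/GetMultiple(Matching) over an ICAP response."""
    def __init__(self, raw: bytes):
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
        self.status_line, *lines = head.split("\r\n")  # e.g. "ICAP/1.0 200 OK"
        self._headers = [(n.strip().lower(), v.strip()) for n, _, v in
                         (line.partition(":") for line in lines if ":" in line)]

    def get_multiple(self, name):
        return [v for n, v in self._headers if n == name.lower()]

    def get_multiple_matching(self, pattern):  # pattern is a regex on the header name
        rx = re.compile(pattern, re.IGNORECASE)
        return [v for n, v in self._headers if rx.fullmatch(n)]

    def exists(self, name): return bool(self.get_multiple(name))
    def exists_matching(self, pattern): return bool(self.get_multiple_matching(pattern))
    def get(self, name): return (self.get_multiple(name) or [""])[0]
    def get_matching(self, pattern): return (self.get_multiple_matching(pattern) or [""])[0]


# Constructed sample REQMOD response; the X-DLP-* header names are invented for this
# example and real ones depend on the DLP product. ISTag/Encapsulated are standard ICAP.
SAMPLE_RESPONSE = (b"ICAP/1.0 200 OK\r\nISTag: \"dlp-policy-42\"\r\n"
                   b"Encapsulated: req-hdr=0, null-body=170\r\nX-DLP-Verdict: block\r\n"
                   b"X-DLP-Rule: pci-cardholder\r\nX-DLP-Rule: pii-ssn\r\n\r\n")
```

A rule equivalent to `ICAP.ReqMod.ResponseHeader.Get("X-DLP-Verdict") equals "block"` maps onto `IcapResponseHeaders(raw).get("X-DLP-Verdict") == "block"` in this model.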
Configure an on-prem DLP server from the cloud
To configure the use of an on-premises DLP server from the cloud, complete the following procedure.
- Configure the network components that run in this solution with Web Gateway.
  - Place the DLP server in a Demilitarized Zone (DMZ), so that it can have a public IP address. The ICAP client in the cloud must be able to connect to the DLP server in its role as ICAP server using this public IP address.
  - Configure the firewall to accept requests from Skyhigh Security Web Security Gateway Service on a dedicated port and from a specific set of IP addresses. The port must be the ICAP server port that is also configured on the ICAP client: use port 1344 when working with ICAP and port 11344 when working with ICAPS. Several public IP addresses of Skyhigh Security Web Security Gateway Service must be whitelisted on the firewall; for these IP addresses, see Web Gateway Cloud Service IP Addresses and Ranges.
- On Web Gateway, import the Data Loss Prevention (DLP) with ICAP for Cloud rule set from the library. The rule set is by default configured for use in the cloud.
- Review the Reqmod for Cloud settings, which are imported with the rule set.