Data Loss Prevention

 View Only
  • 1.  Bluecoat ICAP integration

    Broadcom Employee
    Posted May 05, 2017 05:22 AM

    I am failing to integrate DLP with the Blue coat SG Porxy. I have confiured reqmod and respmod ICAP services on the bluecoat with an ICAP URL of icap://<x.x.x.x>:1344/<respmod/reqmod> and I have made sure the ICAP ports match on the Network Prevent for Web server. However no ICAP traffic is flowing. Could someone assist with a step by step Guide. The environment has 2 Blue coat proxies load balanced by an F5 appliance.



  • 2.  RE: Bluecoat ICAP integration

    Posted May 05, 2017 02:07 PM

    Maybe you've done this already & not listed it separately in your query but I suppose even ICAP response service object configuration is needed.

    We had done this sometime back by following step-by-step, the instructions in the PDF from bluecoat (see below). Again, maybe you are using the same already, kindly ignore if already known.

    https://bto.bluecoat.com/sites/default/files/tech_briefs/Generic_ICAP_Integation.4.pdf

    Additionally it could even be possible that you're using forward trust on proxy and that DLP is getting encrypted traffic. It might even make sense to run a wireshark capture on the DLP web prevent box and see if any/correct type of traffic is being received on 1344.



  • 3.  RE: Bluecoat ICAP integration

    Posted May 07, 2017 12:13 PM

    If you've followed the ICAP guide on the bluecoat site, ensure the site you're using to test match the categories you're forwarding to DLP in the Virtual Policy Manage (Blue Coat VPM).

    In addition, you need to have HTTPS Interception enabled and working on the Blue Coat proxy if you're forwarding HTTPS traffic via ICAP (and/or using it as a test).