1 of 1 people found this helpful
You can packet capture port 1344 in the MWG GUI.
This will determine if any data is leaving the MWG and what responses are returned by DLP.
Depending on the DLP product, there may be specific values needed instead of /reqmod for the service name.
I switched on packet capture; I am attaching the result. It seems that one ICAP packet was sent to the DLP device and one was received as a response on port 1344. No other ICAP packets, despite my POSTing data that should have been captured by the ICAP server at DLP's end. Also DLP device still didn't show any packet it received from the Webwasher.
I am using the DLP ruleset provided in Library, and enabled ICAP proxy on port 1344 (although I don't think this is necessary). I am posting my ruleset too. Do I need to enable RESPMOD service too?
Please let me know if I am missing something, if not I will proceed to check why my DLP appliance is not accepting the ICAP messages.
Thanks and Regards.
The fact that the tcpdump shows the OPTIONS response means there is connectivity.
I assume that the gmail proxy connection to port 8080 was expected to go to DLP?
You don't have SSL Scanning turned on. Or you do, but google is whitelisted and is not decrypting. I can tell this because the Google certificate is showing in the CONNECT, not a MWG cert.
Try going to some other non-ssl sites instead, and/or turn on SSL scanning.
Also, do NOT turn on RESPMOD. DLP is not designed to scan responses coming back from web sites.
That was it, gmail was bypassed from SSL Scanner. Tried with HTTP website, and ICAP connectivity is working fine. Thanks for all the help.