4 Replies Latest reply on Jan 22, 2012 10:27 PM by gardenhead_rules

    ICAP service for DLP

      Hi,


      I am trying to use my Webwasher appliance as an ICAP client for forwarding web uploads to the DLP server. The ruleset I am using is imported from the Rule Library. It's called Data leakage prevention.

      In Reqmod settings I have given the link for the ICAP service running on the DLP appliance: icap://IP_of_DLP:1344/reqmod.

      Is there any way to see that data is getting forwarded to the DLP appliance? I am unable to see any data arriving on my DLP appliance, so I need to make sure it is actually leaving the Webwasher.

      Are there any commands on the DLP appliance that let me see the incoming connections?


      Regards,

      Ankit

        • 1. Re: ICAP service for DLP

          You can packet capture port 1344 in the MWG GUI.

          This will determine if any data is leaving the MWG and what responses are returned by DLP.

          Depending on the DLP product, there may be specific values needed instead of /reqmod for the service name.

          • 2. Re: ICAP service for DLP

            Hi Eelsasser,


            I switched on packet capture; I am attaching the result. It seems that one ICAP packet was sent to the DLP device and one was received as a response on port 1344. No other ICAP packets, despite my POSTing data that should have been captured by the ICAP server at DLP's end. Also, the DLP device still didn't show any packet it received from the Webwasher.

            I am using the DLP ruleset provided in the Library, and enabled the ICAP proxy on port 1344 (although I don't think this is necessary). I am posting my ruleset too. Do I need to enable the RESPMOD service too?

            Please let me know if I am missing something, if not I will proceed to check why my DLP appliance is not accepting the ICAP messages.


            Thanks and Regards.

            • 3. Re: ICAP service for DLP

              The fact that the tcpdump shows the OPTIONS response means there is connectivity.


              I assume that the gmail proxy connection to port 8080 was expected to go to DLP?

              It won't.

              You don't have SSL Scanning turned on. Or you do, but Google is whitelisted and is not being decrypted. I can tell this because the Google certificate is showing in the CONNECT, not an MWG cert.


              Try going to some other non-ssl sites instead, and/or turn on SSL scanning.


              Also, do NOT turn on RESPMOD. DLP is not designed to scan responses coming back from web sites.
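              An added example, not from this thread or from the MWG/DLP products, of the OPTIONS exchange that the capture above shows: it builds the ICAP OPTIONS request for icap://host:1344/reqmod, parses the reply, and reports whether the service actually advertises REQMOD (a 404 here is the symptom of the wrong service name mentioned in reply 1). The host name is a placeholder and the two sample replies are constructed, so the parsing part runs offline; `probe` is the live check.

```python
import socket

ICAP_PORT = 1344  # port the thread's Reqmod setting points at


def build_options_request(host, service="reqmod", port=ICAP_PORT):
    """ICAP OPTIONS request (RFC 3507 section 4.10), as MWG sends before its first REQMOD."""
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Encapsulated: null-body=0\r\n\r\n"
    ).encode("ascii")


def parse_icap_response(raw):
    """Return {'status': int, 'headers': {lower-case name: value}} from a raw ICAP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    version, code, _reason = status_line.split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(code), "headers": headers}


def reqmod_supported(parsed):
    """True only for a 200 whose Methods header lists REQMOD (the mode DLP scans uploads in)."""
    methods = {m.strip().upper() for m in parsed["headers"].get("methods", "").split(",")}
    return parsed["status"] == 200 and "REQMOD" in methods


def probe(host, service="reqmod", port=ICAP_PORT, timeout=5.0):
    """Live check: connect to the DLP ICAP service, send OPTIONS, parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service, port))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_icap_response(raw)


# Constructed sample replies (not captured from a real appliance).
SAMPLE_OK = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nService: constructed DLP service\r\n"
             b'ISTag: "sample-istag-1"\r\nEncapsulated: null-body=0\r\nPreview: 4096\r\n\r\n')
SAMPLE_WRONG_SERVICE = b"ICAP/1.0 404 ICAP Service not found\r\n\r\n"
```

Running `probe("DLP_HOST_PLACEHOLDER")` against the real appliance reproduces the single OPTIONS request/response pair seen in the capture; a REQMOD transaction for an upload only follows when MWG actually sees the request body, which for HTTPS means the site must pass through the SSL Scanner.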

              • 4. Re: ICAP service for DLP

                That was it, Gmail was bypassed from the SSL Scanner. I tried with an HTTP website, and ICAP connectivity is working fine. Thanks for all the help.


                Regards.