Cisco Web Security Appliance S670 User Guide
Cisco AsyncOS 8.0.6 for Web User Guide
Chapter 15 Prevent Loss of Sensitive Data
Defining External DLP Systems
Step 2  Click Edit Settings.
Step 3  (Optional) You can add another DLP server by clicking Add Row and entering the DLP Server information in the new fields provided.
Setting: Description

External DLP Servers: Enter the following information to access an ICAP-compliant DLP system:
• Server address and port. The hostname or IP address and TCP port for accessing the DLP system.
• Reconnection attempts. The number of times the Web Proxy tries to connect to the DLP system before failing.
• DLP Service URL. The ICAP query URL specific to the particular DLP server. The Web Proxy includes what you enter here in the ICAP request it sends to the external DLP server. The URL must start with the ICAP protocol: icap://

Load Balancing: If multiple DLP servers are defined, select which load balancing technique the Web Proxy uses to distribute upload requests to different DLP servers. You can choose the following load balancing techniques:
• None (failover). The Web Proxy directs upload requests to one DLP server. It tries to connect to the DLP servers in the order they are listed. If one DLP server cannot be reached, the Web Proxy attempts to connect to the next one in the list.
• Fewest connections. The Web Proxy keeps track of how many active requests are with the different DLP servers and it directs the upload request to the DLP server currently servicing the fewest number of connections.
• Hash based. The Web Proxy uses a hash function to distribute requests to the DLP servers. The hash function uses the proxy ID and URL as inputs so that requests for the same URL are always directed to the same DLP server.
• Round robin. The Web Proxy cycles upload requests equally among all DLP servers in the listed order.

Service Request Timeout: Enter how long the Web Proxy waits for a response from the DLP server. When this time is exceeded, the ICAP request has failed and the upload request is either blocked or allowed, depending on the Failure Handling setting. Default is 60 seconds.

Maximum Simultaneous Connections: Specifies the maximum number of simultaneous ICAP request connections from the Web Security appliance to each configured external DLP server. The Failure Handling setting on this page applies to any request which exceeds this limit. Default is 25.

Failure Handling: Choose whether upload requests are blocked or allowed (passed to Access Policies for evaluation) when the DLP server fails to provide a timely response. Default is allow (“Permit all data transfers to proceed without scanning”).
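
The Load Balancing and Failure Handling settings above interact: with the default of allow, an upload that cannot be scanned is let through unscanned. The following Python model is an added example, not Cisco code or the appliance's implementation; it shows which uploads reach a DLP server under each technique. The class names, the SHA-256 hash, the proxy ID value, the `reachable` flag standing in for a timed-out or unreachable server, and applying Failure Handling to an unreachable server outside failover mode are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from itertools import count

@dataclass
class DlpServer:                      # hypothetical model of one table row
    url: str                          # DLP Service URL
    reachable: bool = True            # False stands in for no timely response
    active: int = 0                   # ICAP requests currently in flight

@dataclass
class DlpPool:                        # hypothetical model of the settings page
    servers: list
    technique: str = "failover"       # failover | fewest | hash | round_robin
    max_conns: int = 25               # page default, per DLP server
    fail_action: str = "allow"        # page default: fail open
    proxy_id: str = "wsa-1"           # constructed value
    _rr: count = field(default_factory=count)

    def __post_init__(self):
        for s in self.servers:
            if not s.url.startswith("icap://"):
                raise ValueError(f"DLP Service URL must start with icap://: {s.url}")

    def pick(self, upload_url):
        n = len(self.servers)
        if self.technique == "failover":      # first reachable server, in listed order
            return next((s for s in self.servers if s.reachable), None)
        if self.technique == "fewest":        # server with fewest active requests
            return min(self.servers, key=lambda s: s.active)
        if self.technique == "hash":          # same proxy ID + URL -> same server
            digest = hashlib.sha256(f"{self.proxy_id}|{upload_url}".encode()).digest()
            return self.servers[int.from_bytes(digest[:8], "big") % n]
        return self.servers[next(self._rr) % n]   # round robin

    def dispatch(self, upload_url):
        """Return (decision, server_url); 'allow' means the upload skipped DLP."""
        s = self.pick(upload_url)
        if s is None or not s.reachable or s.active >= self.max_conns:
            return self.fail_action, None     # Failure Handling decides
        s.active += 1
        return "scan", s.url

if __name__ == "__main__":
    # Constructed sample: a single DLP server that is not responding.
    down = DlpServer("icap://dlp1.example:1344/reqmod", reachable=False)
    print(DlpPool([down]).dispatch("http://files.example/upload"))
    print(DlpPool([down], fail_action="block").dispatch("http://files.example/upload"))
```

In this model, any path that returns `allow` is an upload that went on to Access Policies without a DLP verdict.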