Cisco Cisco Web Security Appliance S670 User Guide
16-10
AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
Chapter 16 Prevent Loss of Sensitive Data
Defining External DLP Systems
External DLP Servers Enter the following information to access an ICAP compliant DLP system:
•
Server address and Port – The hostname or IP address and TCP port for
accessing the DLP system.
accessing the DLP system.
•
Reconnection attempts – The number of times the Web Proxy tries to
connect to the DLP system before failing.
connect to the DLP system before failing.
•
Service URL – The ICAP query URL specific to the particular DLP
server. The Web Proxy includes what you enter here in the ICAP request
it sends to the external DLP server. The URL must start with the ICAP
protocol: icap://
server. The Web Proxy includes what you enter here in the ICAP request
it sends to the external DLP server. The URL must start with the ICAP
protocol: icap://
•
Certificate (optional) – The certificate provided to secure each External
DLP Server connection can be Certificate Authority (CA)-signed or
self-signed. Obtain the certificate from the specified server, and then upload
it to the appliance:
DLP Server connection can be Certificate Authority (CA)-signed or
self-signed. Obtain the certificate from the specified server, and then upload
it to the appliance:
–
Browse to and select the certificate file, and then click Upload File.
Note
This single file must contain both the client certificate and private
key in unencrypted form.
key in unencrypted form.
–
Use this certificate for all DLP servers using Secure ICAP – Check
this box to use the same certificate for all External DLP Servers you
define here. Leave the option unchecked to enter a different certificate
for each server.
this box to use the same certificate for all External DLP Servers you
define here. Leave the option unchecked to enter a different certificate
for each server.
•
Start Test – You can test the connection between the Web Security
appliance and the defined external DLP server(s) by clicking Start Test.
appliance and the defined external DLP server(s) by clicking Start Test.
Load Balancing
If multiple DLP servers are defined, select which load-balancing technique the
Web Proxy uses to distribute upload requests to different DLP servers. You can
choose the following load balancing techniques:
Web Proxy uses to distribute upload requests to different DLP servers. You can
choose the following load balancing techniques:
•
None (failover). The Web Proxy directs upload requests to one DLP
server. It tries to connect to the DLP servers in the order they are listed. If
one DLP server cannot be reached, the Web Proxy attempts to connect to
the next one in the list.
server. It tries to connect to the DLP servers in the order they are listed. If
one DLP server cannot be reached, the Web Proxy attempts to connect to
the next one in the list.
•
Fewest connections. The Web Proxy keeps track of how many active
requests are with the different DLP servers and it directs the upload
request to the DLP server currently servicing the fewest number of
connections.
requests are with the different DLP servers and it directs the upload
request to the DLP server currently servicing the fewest number of
connections.
•
Hash based. The Web Proxy uses a hash function to distribute requests to
the DLP servers. The hash function uses the proxy ID and URL as inputs
so that requests for the same URL are always directed to the same DLP
server.
the DLP servers. The hash function uses the proxy ID and URL as inputs
so that requests for the same URL are always directed to the same DLP
server.
•
Round robin. The Web Proxy cycles upload requests equally among all
DLP servers in the listed order.
DLP servers in the listed order.
Service Request
Timeout
Timeout
Enter how long the Web Proxy waits for a response from the DLP server. When
this time is exceeded, the ICAP request has failed and the upload request is
either blocked or allowed, depending on the Failure Handling setting.
this time is exceeded, the ICAP request has failed and the upload request is
either blocked or allowed, depending on the Failure Handling setting.
Default is 60 seconds.
Setting
Description