How do I enable ICAP communication between Zscaler and my organization's DLP server?

About ICAP communication between Zscaler and DLP servers

As explained in Overview: Data Loss Prevention, when you configure DLP policy rules in the admin portal, you can specify whether you want the Zscaler service to send information about policy violations via ICAP to your organization's on-premise or cloud-based DLP server. Your organization can then use the information sent to follow standard data loss prevention or remediation workflows. You have two main options when forwarding information:

When the Zscaler service sends information to your DLP server, it does not do so from the Zscaler Enforcement Node (ZEN) on the cloud that initially inspects your users' transactions. Instead, if a ZEN finds that a transaction violates a DLP policy rule, and the rule specifies that the service send violation information to the organization's DLP server, that ZEN forwards the transaction information to another ZEN on a different cloud, which the service uses for sending communications to your DLP servers.

This second ZEN is the one that actually sends the following information about the transaction to your organization's DLP server:

  • Client IP and username via ICAP X-headers.
  • A copy of the HTTP POST request that contains the file that violated the DLP policy, or, if the content is from HTTP Forms data, a copy of the content that violated the DLP policy. The host URL to which the user was attempting to send content is also included.

As detailed below, you must configure your organization's firewall to allow communications from the second ZEN. Further, to protect your organization's data, Zscaler recommends that the ZEN send the above information in encrypted form, via secure ICAP. However, because most DLP servers can only read unencrypted information, Zscaler recommends installing the open-source stunnel application on your DLP server. Once stunnel is installed, stunnel and the ZEN can establish an SSL connection, and the ZEN can send transaction information in encrypted form to the DLP server. stunnel then decrypts the transaction information for the DLP server.

The figure below illustrates the process that takes place when the Zscaler service sends information to your organization's DLP servers using secure ICAP. Once this process takes place, your DLP server can read the ICAP communications from the ZEN and report incidents as applicable in your DLP product dashboard.

[Figure: ICAP communication between Zscaler and DLP servers using secure ICAP]

NOTE:

  • While Zscaler recommends that you use secure ICAP, if your organization prefers to use unencrypted ICAP, you can do so. The above process would apply, with the following exceptions:
    • The second ZEN would not encrypt the transaction information it sends to your DLP server.
    • You would not need to install the stunnel application. The DLP server can accept the information from the ZEN as is.

Configuration requirements differ depending on whether you're using secure ICAP or unencrypted ICAP. Select the appropriate configuration option for your organization.

Configuration Tasks for Enabling Secure ICAP

To facilitate the process above, you must complete the following configuration tasks.

A. Configure your DLP server.

You must configure your DLP server with the following steps so that it successfully receives the transaction information the ZEN sends via secure ICAP.

  1. Ensure that you place your DLP server in a DMZ, where it can have a public IP address. ZENs must be able to reach your DLP server using its public IP address.
  2. Configure the stunnel application for your DLP server with the following steps:
    • Download and install the stunnel application. Refer to the stunnel documentation.
    • Locate the stunnel configuration file.
    • Modify the stunnel configuration file to include the following content.
  3. Once the above steps are complete, reboot the DLP server. The stunnel application can now decrypt the communications sent from the ZEN via secure ICAP. Note that you do not need to import the certificate generated by the stunnel application into the Zscaler admin portal. This certificate is used instead for encrypting and decrypting communications between the ZEN and the DLP server.
  4. Ensure that in your DLP product console (for example, in your Vontu admin portal) you have configured policy rules that correspond to the DLP policy rules you configure in the Zscaler admin portal.

    Recall that in the Zscaler admin portal, you can have two types of DLP policy rules for sending transaction information to your organization's DLP server:

    a.  Zscaler DLP rules, with which you leverage Zscaler's DLP engines for scanning content before forwarding transaction information to your organization's DLP server.

    b.  External DLP rules with which you bypass scanning by Zscaler's DLP engines and instead have the service filter content based on criteria you specify, then forward the transaction information to your organization's DLP server. With this option, you must specify one or more file types among your criteria.

    Thus, in your organization's DLP product, you must configure rules that correspond to each set of DLP rules from the Zscaler admin portal.
    • Your organization's DLP product must have rules that detect the same data type as your Zscaler DLP rules. For example, if you've configured a Zscaler DLP rule in the admin portal blocking credit card data, you must also have a rule in your DLP product blocking credit card data. Otherwise, the information that the Zscaler service sends to your server about a particular DLP rule violation will not be reported as an incident in your DLP product dashboard.

      Note, however, that the rules need not correspond exactly in other details. For example, you do not need to ensure that other criteria for the rules (beyond data type) correspond. If a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your DLP product must also block credit cards, but need not have a URL category as an additional criterion.
    • Your organization's DLP product must have rules that detect the same file types as your External DLP rules. For example, if you configure an External DLP rule in the admin portal that specifies PDFs as a file type criterion, you must also have a rule in your DLP product that specifies PDFs as a file type. Otherwise, the information that the Zscaler service sends to your DLP server regarding a particular rule violation will not appear in your DLP product dashboard.

B.  Configure your network firewall.

You must configure your organization's network firewall so that it allows the communications the ZEN sends via secure ICAP. This step is necessary because, as explained above, when the service sends information to your DLP server, it does not do so from a ZEN on the cloud that initially inspects your users' transactions (your firewall is already configured to accept communications from ZENs on that cloud). Instead, it forwards the transaction information to a ZEN on a different cloud (called the FCC cloud), which then sends that information to your DLP server. Your network firewall must therefore also accept communications from the ZENs on this latter cloud.

See http://ips.zscaler.net/icap for detailed information about the traffic your firewall must allow. You must configure your network firewall to accept communications from a specific set of ZEN IP addresses on the FCC cloud, on a designated port. This designated port must match the port you specify in the Zscaler admin portal (as detailed below in Configuration Task C, step 3). For secure ICAP, Zscaler recommends using port number 11344, as is standard practice.

C.  Define your DLP servers in the Zscaler service admin portal.

You must define your DLP servers in the Zscaler service admin portal by providing the public IP address of your DLP server with the port number on which your network firewall initially accepts the secure ICAP traffic sent by the Zscaler service.

  1. Go to Administration > Settings > ICAP Settings.
  2. Click Add.
  3. Complete the following:
    • Enter a name for the DLP server.
    • Enable or disable the server as applicable. If you disable a server, the ZEN cannot send information to that server.
    • Enter the Server URI. The URI must follow the format: icaps://[FQDN or IP address]:[port number]/[servicepath]
      • By default, the Server URI field is prepopulated with icaps:// because Zscaler recommends sending transaction information via secure ICAP.
      • FQDNs and IP addresses of DLP servers and load balancers are accepted.
      • A port number must be included and must match the port on which you’ve configured your network firewall to accept secure ICAP traffic from the Zscaler service. Zscaler recommends using port number 11344 for secure ICAP, per standard practice.
      • The servicepath specifies whether the DLP server monitors outgoing traffic or incoming traffic. For example, if you are using Vontu, you would use the servicepath "reqmod" (for Request Mode) to indicate that the server monitors outgoing traffic.
      • Example of a correctly formatted server URI: icaps://10.10.130.87:11344/reqmod
  4. Click Save and activate the change.
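As an added example (not Zscaler's or stunnel's own code), the following POSIX shell script ties together two of the steps above: the stunnel configuration content that step A.2 refers to, and the Server URI format of step C.3. Given the Server URI you enter in the admin portal, it checks that the URI has the documented form (icap:// or icaps:// scheme, host, mandatory numeric port, servicepath), prints a note when the port departs from the recommended 11344 (icaps) or 1344 (icap) so that the firewall rule from Task B can be kept in step, and then prints an stunnel service section that accepts the ZEN's TLS connection on that port and forwards the decrypted ICAP stream to the DLP server's local listener. The function names, the local listener address 127.0.0.1:1344 and the certificate path /etc/stunnel/stunnel.pem are assumptions; substitute your DLP product's actual ICAP listener and certificate location. The same check also accepts the plain icap:// URIs used in the unencrypted configuration further down.

```sh
#!/bin/sh
# Added example, not Zscaler's or stunnel's own code. Derives the stunnel
# service section for the DLP server from the Server URI entered in the
# Zscaler admin portal, after checking that the URI has the documented
# shape:  icaps://[FQDN or IP address]:[port number]/[servicepath]
# Assumptions (not taken from the article): the DLP server's plain ICAP
# listener is on 127.0.0.1:1344, and the certificate and key that stunnel
# presents to the ZEN live in /etc/stunnel/stunnel.pem. IPv4 or FQDN hosts
# only; bracketed IPv6 literals are not handled.

DLP_ICAP_BACKEND="127.0.0.1:1344"        # assumed local, unencrypted ICAP listener
STUNNEL_PEM="/etc/stunnel/stunnel.pem"   # assumed certificate + key file

# Field accessors. Each takes the full URI and prints one component.
icap_uri_scheme()   { printf '%s\n' "${1%%://*}"; }
icap_uri_hostport() { r="${1#*://}"; printf '%s\n' "${r%%/*}"; }
icap_uri_host()     { hp=$(icap_uri_hostport "$1"); printf '%s\n' "${hp%:*}"; }
icap_uri_port()     { hp=$(icap_uri_hostport "$1"); printf '%s\n' "${hp##*:}"; }
icap_uri_path() {
  r="${1#*://}"
  case "$r" in
    */*) printf '%s\n' "${r#*/}" ;;   # text after the first slash
    *)   printf '\n' ;;               # no servicepath at all
  esac
}

# icap_uri_check URI
# Returns 0 when URI uses icap:// or icaps://, carries a host, a numeric
# port (the portal requires one) and a non-empty servicepath. Prints a
# note, but still succeeds, when the port is not the recommended default.
icap_uri_check() {
  uri="$1"
  case "$uri" in
    icap://*|icaps://*) ;;
    *) echo "scheme must be icap:// or icaps://" >&2; return 1 ;;
  esac
  case "$(icap_uri_hostport "$uri")" in
    *:*) ;;
    *) echo "a port number is required" >&2; return 1 ;;
  esac
  port=$(icap_uri_port "$uri")
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port $port is out of range" >&2; return 1
  fi
  [ -n "$(icap_uri_host "$uri")" ] || { echo "a host is required" >&2; return 1; }
  [ -n "$(icap_uri_path "$uri")" ] || { echo "a servicepath (e.g. reqmod) is required" >&2; return 1; }
  case "$(icap_uri_scheme "$uri")/$port" in
    icaps/11344|icap/1344) ;;
    *) echo "note: port $port differs from the recommended 11344 (icaps) or 1344 (icap); the firewall rule must use the same port" >&2 ;;
  esac
  return 0
}

# stunnel_conf URI
# Prints an stunnel configuration that accepts the ZEN's TLS connection on
# the URI's port and hands the decrypted ICAP stream to the local DLP
# listener. Refuses plain icap:// URIs, for which stunnel is not needed.
stunnel_conf() {
  icap_uri_check "$1" || return 1
  if [ "$(icap_uri_scheme "$1")" != "icaps" ]; then
    echo "stunnel is only needed for icaps://; plain icap:// is delivered directly to the DLP server" >&2
    return 1
  fi
  port=$(icap_uri_port "$1")
  cat <<EOF
; generated for Server URI $1
cert = $STUNNEL_PEM

[icaps]
accept = $port
connect = $DLP_ICAP_BACKEND
EOF
}

# Usage: sh icap_stunnel.sh 'icaps://10.10.130.87:11344/reqmod' > stunnel.conf
if [ "$#" -gt 0 ]; then
  stunnel_conf "$1"
fi
```

Run it on the DLP server as `sh icap_stunnel.sh 'icaps://10.10.130.87:11344/reqmod' > /etc/stunnel/stunnel.conf`, then restart stunnel (or reboot, as step A.3 says). The generated section uses only stunnel's standard accept, connect and cert options; the certificate it points to is the one generated by the stunnel application, which, as noted in step A.3, does not need to be imported into the Zscaler admin portal. Because the accept port is taken from the same URI you enter in the portal, the listener, the portal entry and the firewall rule cannot silently drift apart.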

Configuration Tasks for Enabling Unencrypted ICAP

A. Configure your DLP server.

You must configure your DLP server with the following steps so that it successfully receives the transaction information the ZEN sends via unencrypted ICAP.

  1. Ensure that you place your DLP server in a DMZ, where it can have a public IP address. ZENs must be able to reach your DLP server using its public IP address.
  2. Ensure that in your DLP product console (for example, in your Vontu admin portal) you have configured policy rules that correspond to the DLP policy rules you configure in the Zscaler admin portal.

    Recall that in the Zscaler admin portal, you can have two types of DLP policy rules for sending transaction information to your organization's DLP server:

    a.  Zscaler DLP rules with which you leverage Zscaler's DLP engines for scanning content before forwarding transaction information to your organization's DLP server.

    b.  External DLP rules with which you bypass scanning by Zscaler's DLP engines and instead have the service filter content based on criteria you specify, then forward the transaction information to your organization's DLP server. With this option, you must specify one or more file types among your criteria.

    Thus, in your organization's DLP product, you must configure rules that correspond to each set of DLP rules from the Zscaler admin portal.
    • Your organization's DLP product must have rules that detect the same data type as your Zscaler DLP rules. For example, if you've configured a Zscaler DLP rule in the admin portal blocking credit card data, you must also have a rule in your DLP product blocking credit card data. Otherwise, the information that the Zscaler service sends to your server about a particular DLP rule violation will not be reported as an incident in your DLP product dashboard.

      Note, however, that the rules need not correspond exactly in other details. For example, you do not need to ensure that other criteria for the rules (beyond data type) correspond. If a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your DLP product must also block credit cards, but need not have a URL category as an additional criterion.
    • Your organization's DLP product must have rules that detect the same file types as your External DLP rules. For example, if you configure an External DLP rule in the admin portal that specifies PDFs as a file type criterion, you must also have a rule in your DLP product that specifies PDFs as a file type. Otherwise, the information that the Zscaler service sends to your DLP server regarding a particular rule violation will not appear in your DLP product dashboard.

B.  Configure your network firewall.

You must configure your organization's network firewall so that it allows the communications the ZEN sends via ICAP. This step is necessary because, as explained above, when the service sends information to your DLP server, it does not do so from a ZEN on the cloud that initially inspects your users' transactions (your firewall is already configured to accept communications from ZENs on that cloud). Instead, it forwards the transaction information to a ZEN on a different cloud (called the FCC cloud), which then sends that information to your DLP server. Your network firewall must therefore also accept communications from the ZENs on this latter cloud.

See http://ips.zscaler.net/icap for detailed information about the traffic your firewall must allow. You must configure your network firewall to accept communications from a specific set of ZEN IP addresses on the FCC cloud, on a designated port. This designated port must match the port you specify in the Zscaler admin portal (as detailed below in Configuration Task C, step 3). For ICAP, Zscaler recommends using port number 1344, as is standard practice.

C.  Define your DLP servers in the Zscaler service admin portal.

You must define your DLP servers in the Zscaler service admin portal by providing the public IP address of your DLP server with the port number on which your network firewall accepts the ICAP traffic sent by the Zscaler service. You can configure as many DLP servers as you need (though you specify just one server for each DLP policy). If your DLP server is behind a load balancer, you can also configure the load balancer.

  1. Go to Administration > Settings > ICAP Settings.
  2. Click Add.
  3. Complete the following:
    • Enter a name for the DLP server.
    • Select Enable to allow the service to send communications to the DLP server. If you Disable a server, the ZEN cannot send information to that server.
    • Enter the Server URI. The URI must follow the format: icap://[FQDN or IP address]:[port number]/[servicepath]
      • By default, the Server URI field is prepopulated with icaps:// because Zscaler recommends sending transaction information via secure ICAP. For scenarios where it is preferable to send ICAP in plain text (for example, for debugging purposes), use the scheme icap://.
      • FQDNs and IP addresses of DLP servers and load balancers are accepted.
      • A port number must be included and must match the port on which you've configured your network firewall to accept ICAP traffic from the service. Zscaler recommends using port number 1344 for unencrypted ICAP, per standard practice.
      • The servicepath specifies whether the DLP server monitors outgoing traffic or incoming traffic. For example, if you are using Vontu, you would use the servicepath "reqmod" (for Request Mode) to indicate that the server monitors outgoing traffic.
      • Example of a correctly formatted server URI for unencrypted ICAP: icap://metascan.corp.safemarch.com:1344/reqmod
  4. Click Save and activate the change.