When you connect a Symantec Web Gateway (SWG) to a Data Loss Prevention (DLP) Network Prevent server, and a DLP rule is triggered when a POST or PUT request (in the form of a file upload) is made by a user, only the IP address of the user's computer is visible in the DLP Enforce console. If NTLM is used to identify the user, the DLP Enforce console reports the username of the user.
SWG relies on NTLM Authentication to map usernames to IP addresses for DLP purposes. When NTLM is not configured, SWG does not relay the currently mapped user for the IP address of the client machine, even if there is a valid username to IP address map created by collecting log entries from the domain controller using dcinterface.
Symantec recorded an enhancement request to change this behavior in a future version of the product.
To workaround this behavior, configure SWG to use NTLM Authentication for user identification.