Symantec Web Gateway does not send username to DLP Enforce if Dcinterface is used to identify users.

Article ID: 158100

Products

Web Gateway

Issue/Introduction

When a Symantec Web Gateway (SWG) is connected to a Data Loss Prevention (DLP) Network Prevent server and a user's POST or PUT request (in the form of a file upload) triggers a DLP rule, only the IP address of the user's computer is visible in the DLP Enforce console. If NTLM is used to identify the user, the DLP Enforce console reports the username of the user.

Cause

SWG relies on NTLM Authentication to map usernames to IP addresses for DLP purposes. When NTLM is not configured, SWG does not relay the currently mapped user for the client machine's IP address, even if a valid username-to-IP-address mapping has been created by collecting log entries from the domain controller using dcinterface.

Resolution

Symantec recorded an enhancement request to change this behavior in a future version of the product.

To work around this behavior, configure SWG to use NTLM Authentication for user identification.

Applies To

  • SWG 5.x with SSL Deep Inspection and DLP enabled, but NTLM not enabled.
  • SWG 5.x also configured to query a DLP Network Prevent server for DLP purposes.
  • User login information relayed from the domain controllers using the dcinterface accessory.