Best practice notes for monitoring http traffic in DLP Network Prevent for Web (NPW), request (REQ) vs response (RESP)

As indicated in the Administrators Guide links below, you must configure at least one HTTP proxy server to forward Web requests or responses to the Network Prevent for Web (NPW) Server.

•  DLP 15.8 Techdoc "About proxy server configuration"
•  DLP 16.0 About Proxy Server Configuration
•  DLP 16.1 About Proxy Server Configuration

The HTTP proxy acts as an ICAP client to the Network Prevent for Web Server. Symantec Data Loss Prevention supports both the request modification (REQMOD) and response modification (RESPMOD) modes of ICAP.

IMPORTANT:

If you want to analyze both requests and responses, you should deploy one NPW server for each direction of traffic –  REQ or RESP..ie

• Use one NPW Server to analyze requests (REQMOD)
• Use a second NPW Server to analyze responses (RESPMOD).

Remember  that most proxy servers provide methods of filtering what is forwarded to the Network Prevent for Web Server in both REQMOD mode and RESPMOD modes. Consult the proxy server's documentation for details.

Mixing REQMOD and RESPMOD on the same Web Prevent Server will likely lead to the DLP filereader service crashing and web pages taking a long time to load.