Use of "Cloud Proxy Setting" on Enforce forces all outbound traffic through proxy


Article ID: 170756


Products

Data Loss Prevention Enforce, Data Loss Prevention Cloud Service for Email, Data Loss Prevention Cloud Detection Service, Messaging Gateway, Data Loss Prevention Cloud Package

Issue/Introduction

As part of the enrollment of Cloud Detectors with the DLP Enforce server, an option exists to redirect traffic through an Explicit Proxy.

However, when the "Cloud Proxy Setting" is enabled, ALL outbound traffic from the Enforce console will be redirected via this proxy.

This means that outbound calls from the Enforce server to other targets, such as the DLP Flex Response for Quarantine/Release from Quarantine, or other communications to servers on the network, may not function afterward.

Examples of failures of DLP Flex Response or Discover Cluster scanning, as logged in Enforce:

SEVERE
[com.symantec.dlpx.flexresponse.emailquarantineconnect.EmailQuarantineConnectPlugin]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target 

 

Enforce/logs/debug/MonitorController0.log
Date: 3/14/2025 9:49:05 PM
Class: com.symantec.dlp.communications.common.activitylogging.JavaLoggerImpl
Method: log
Level: SEVERE
Message:  
java.lang.Exception: Proxy Response status: 503 Service Unavailable

Environment

DLP Cloud Services customers, with the "Cloud Proxy Setting" enabled to use Explicit Proxy.

Cause

Please note that once you set the Cloud Proxy for Enforce, all outbound DLP Enforce service calls are proxied.

Customers applying this feature will need to verify all use cases where traffic from Enforce might be going through this proxy, e.g., SSL inspection of certificate handshakes, such as those that occur for Flex Response for Quarantine/Release from Quarantine (as sent to the Symantec Messaging Gateway, or SMG), or communications to other DLP servers such as Discover Clusters.
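
One way to find which Enforce calls are failing behind the proxy is to scan a debug log for the two failure signatures quoted in the Issue section. The script below is an added example, not Symantec/Broadcom code; it assumes the Date/Class/Method/Level/Message record layout shown in the MonitorController0.log excerpt, and the sample log it embeds is constructed.

```python
import re

# Failure signatures quoted in this article's log excerpts.
SIGNATURES = {
    "tls_trust_failure": re.compile(r"PKIX path building failed"),
    "proxy_refused": re.compile(r"Proxy Response status: \d{3}[^\r\n]*"),
}
FIELD = re.compile(r"^(Date|Class|Method|Level|Message):\s*(.*)$")

def parse_records(text):
    """Split Date/Class/Method/Level/Message blocks; a message runs to the next 'Date:'."""
    records, cur, in_msg = [], None, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Date":
            cur, in_msg = {"Date": m.group(2).strip(), "Message": ""}, False
            records.append(cur)
        elif cur is None or not line.strip():
            continue  # preamble before the first record, or a blank line
        elif m and not in_msg and m.group(1) != "Message":
            cur[m.group(1)] = m.group(2).strip()
        else:  # 'Message:' itself or a continuation line (stack trace)
            in_msg = True
            part = m.group(2) if m and m.group(1) == "Message" else line
            cur["Message"] = (cur["Message"] + "\n" + part).strip()
    return records

def triage(text):
    """Return one finding per SEVERE record that matches a signature."""
    return [{"date": r["Date"], "class": r.get("Class", ""), "signature": name,
             "detail": rx.search(r["Message"]).group(0).strip()}
            for r in parse_records(text) if r.get("Level") == "SEVERE"
            for name, rx in SIGNATURES.items() if rx.search(r["Message"])]

# Constructed sample: record 1 follows the excerpt above, records 2-3 are made up.
SAMPLE = """Date: 3/14/2025 9:49:05 PM
Class: com.symantec.dlp.communications.common.activitylogging.JavaLoggerImpl
Level: SEVERE
Message:
java.lang.Exception: Proxy Response status: 503 Service Unavailable
Date: 3/14/2025 9:50:11 PM
Class: com.symantec.dlpx.flexresponse.emailquarantineconnect.EmailQuarantineConnectPlugin
Level: SEVERE
Message: javax.net.ssl.SSLHandshakeException: PKIX path building failed
Date: 3/14/2025 9:51:00 PM
Level: INFO
Message: Proxy Response status: 200 OK
"""
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Each finding names the logging class and timestamp, which helps map a failure back to the outbound use case (Flex Response, Discover Cluster) that needs a proxy exception.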

Resolution

For any outbound calls, the proxy server must have exceptions in place to allow handshake negotiation between Enforce and the target destination.

Recent versions of Enforce (15.8+) allow IPs to be whitelisted with regard to the Cloud Proxy Settings. For the latest instructions, see Safelisting Cloud Proxy Connections.
