When enrolling Cloud Detectors with the DLP Enforce server, an option exists to redirect that traffic through an Explicit Proxy.
However, once the "Cloud Proxy Setting" is enabled, ALL outbound traffic from the Enforce server is sent via that proxy, not only the traffic to the Cloud Detectors.
Outbound calls from Enforce to other targets, such as the DLP FlexResponse plug-in used for Quarantine/Release from Quarantine, or communications with other servers on the network, may therefore stop working afterward.
Examples of the resulting failures (FlexResponse quarantine actions, Discover Cluster scanning) as logged in Enforce:
SEVERE [com.symantec.dlpx.flexresponse.emailquarantineconnect.EmailQuarantineConnectPlugin] javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Enforce/logs/debug/MonitorController0.log
Date: 3/14/2025 9:49:05 PM
Class: com.symantec.dlp.communications.common.activitylogging.JavaLoggerImpl
Method: log
Level: SEVERE
Message:
java.lang.Exception: Proxy Response status: 503 Service Unavailable
This applies to DLP Cloud Services customers who have enabled the "Cloud Proxy Setting" so that Enforce uses an Explicit Proxy.
Note that once the Cloud Proxy is set for Enforce, all outbound calls made by Enforce services are proxied.
Customers applying this feature need to verify every use case in which traffic from Enforce would now pass through this proxy. Two common cases are SSL inspection on the proxy breaking the certificate handshake for FlexResponse Quarantine/Release from Quarantine calls to the Symantec Messaging Gateway (SMG), and communications with other DLP servers such as Discover Clusters.
For any such outbound call, the proxy must have an exception in place so that Enforce and the target destination can complete their TLS handshake directly. A proxy that performs SSL inspection presents its own certificate to Enforce, which the Enforce JVM does not trust; that is what the "PKIX path building failed" error above reflects. A "Proxy Response status: 503" error typically means the proxy accepted the request but could not reach the target (for example an internal Discover Cluster host that is not routable from the proxy).
Enforce 15.8 and later allow IP addresses to be safelisted (excluded) from the Cloud Proxy Settings, so that those targets are contacted directly. For the latest instructions, see Safelisting Cloud Proxy Connections.
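The following script is an added example, not code from the KB article or from the DLP product. It covers both the log excerpts above and the verification step described in the resolution: classify_log_line() recognises the two failure signatures quoted earlier so they can be pulled out of MonitorController0.log, and check_target() connects to a target such as SMG or a Discover Cluster both directly and through the explicit proxy (via HTTP CONNECT) and compares the leaf certificate fingerprints; a mismatch means the proxy is inspecting TLS and that target needs a safelist entry or proxy exception. The host names, ports and proxy address are placeholders, and the sample log lines are constructed from the excerpts in this article; the script assumes an HTTP CONNECT proxy, which the article does not state explicitly.

```python
"""Added example (not Broadcom/Symantec code): detect Enforce outbound calls
broken by an explicit Cloud Proxy. Placeholders: smg.example.internal,
proxy.example.internal. Assumes the proxy speaks HTTP CONNECT."""
import hashlib
import re
import socket
import ssl
from typing import Iterable, Iterator, Optional, Tuple

# Signatures taken from the log excerpts in the article.
PKIX_RE = re.compile(r"SSLHandshakeException.*PKIX path building failed")
PROXY_STATUS_RE = re.compile(r"Proxy Response status: (\d{3})")


def classify_log_line(line: str) -> Optional[str]:
    """Return a cause label for a proxy-related Enforce log line, else None."""
    if PKIX_RE.search(line):
        # The JVM rejected the certificate it was shown; with a proxy in the path
        # this is usually the proxy's SSL-inspection CA, not the target's cert.
        return "tls_inspection"
    m = PROXY_STATUS_RE.search(line)
    if m:
        code = int(m.group(1))
        if code in (502, 503, 504):
            return "proxy_cannot_reach_target"
        if code in (403, 407):
            return "proxy_denied"
        return "proxy_status_%d" % code
    return None


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (cause, line) for every line matching a known signature."""
    for line in lines:
        cause = classify_log_line(line)
        if cause:
            yield cause, line.strip()


def build_connect_request(host: str, port: int) -> bytes:
    """The HTTP CONNECT request an explicit proxy expects before tunnelling TLS."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """Status code from the proxy's reply to CONNECT (200 = tunnel open)."""
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1])


def _read_head(sock: socket.socket) -> bytes:
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def leaf_fingerprint(host: str, port: int,
                     proxy: Optional[Tuple[str, int]] = None, timeout: float = 10.0) -> str:
    """SHA-256 of the leaf certificate seen on a TLS connection to host:port,
    optionally tunnelled through proxy. Verification is disabled on purpose:
    the aim is to see which certificate arrives, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if proxy:
        raw = socket.create_connection(proxy, timeout=timeout)
        try:
            raw.sendall(build_connect_request(host, port))
            status = parse_connect_status(_read_head(raw))
            if status != 200:
                raise ConnectionError("Proxy Response status: %d" % status)
        except Exception:
            raw.close()
            raise
    else:
        raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def check_target(host: str, port: int, proxy: Tuple[str, int]) -> str:
    """'ok' if the same certificate arrives both ways, 'tls_inspection' if the
    proxy substitutes its own, 'proxy_error: ...' if CONNECT itself fails."""
    direct = leaf_fingerprint(host, port)
    try:
        via_proxy = leaf_fingerprint(host, port, proxy)
    except (ValueError, OSError) as exc:  # ConnectionError is an OSError
        return "proxy_error: %s" % exc
    return "ok" if direct == via_proxy else "tls_inspection"


# Constructed sample lines modelled on the excerpts in the article.
SAMPLE_LOG = [
    "SEVERE [com.symantec.dlpx.flexresponse.emailquarantineconnect.EmailQuarantineConnectPlugin] "
    "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: "
    "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target",
    "java.lang.Exception: Proxy Response status: 503 Service Unavailable",
    "INFO  Scheduled scan started",
]

if __name__ == "__main__":
    for cause, line in scan_log(SAMPLE_LOG):
        print(cause, "<-", line[:80])
    # Live check with placeholder values (run from the Enforce host):
    # print(check_target("smg.example.internal", 443, ("proxy.example.internal", 8080)))
```

Run the live check from the Enforce host itself, since that is where the Cloud Proxy Setting takes effect; a result of tls_inspection or proxy_error for a target confirms it needs a safelist entry or a proxy exception before FlexResponse or Discover traffic will work again.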
This is also documented in the external KB: Email Quarantine Connect FlexResponse fails with red banner with "plugin specified by the response rule is not available for invocation" (broadcom.com)