DLP policies failing to match because user identified as NA when going through WSS

book

Article ID: 225314

calendar_today

Updated On:

Products

Web Security Service - WSS CASB Securlet SAAS With DLP-CDS Data Loss Prevention Data Loss Prevention Cloud Detection Service for ICAP

Issue/Introduction

DLP Cloud setup to integrate with WSS

Users accessing WSS with WSS agent

When a user accesses a URL that should be be handled by DLP, DLP fails to apply policy as the user is identified as NA

DLP policy identifying user from WSS parameters passed into upstream DLP server request and expecting an email address

Cause

The users reporting the issue did not have a valid email address configured within AD as shown below

 

When WSS is sending information upstream to the DLP server to enforce, the email address populated was NA which DLP was keying off for user information.

WSS can retrieve this information from AD LDAP server using the Auth Connector WSS component

Making sure that all WSS users have valid email addresses within AD addressed the issue.

 

Resolution

Make sure that all WSS agent users connecting to WSS have a populated EMAIL Address (LDAP mail attribute) within the AD LDAP store Auth Connector is talking to.

Additional Information

ICAP Header Details for above incidents shows: 

 

2021-09-08 10:42:09 10.56 K 1.00 X-SYMC-Authenticated-User: QkNPTS9uY2FzaGVsbA==; X-SYMC-User-Email-Address: TkE=; X-Client-IP: 10.243.100.87

 

Here 'X-SYMC-Authenticated-User' has captured users correctly however  'X-SYMC-User-Email-Address' has 'TkE=' which translates to NA and can is captured in the incident.

User Name in  X-SYMC-Authenticated-User is correct however its not reflecting in Incident.

DLP handles the info in the following order and we fail because the email address is defined as NA

"X-SYMC-User-Email-Address"
"X-SYMC-Authenticated-User"
"X-Authenticated-User"

Attachments