DLP Cloud setup to integrate with WSS
Users accessing WSS with WSS agent
When a user accesses a URL that should be handled by DLP, DLP fails to apply the policy because the user is identified as NA.
The DLP policy identifies the user from the WSS parameters passed in the upstream request to the DLP server, and it expects an email address.
The users reporting the issue did not have a valid email address configured within AD, as shown below.
When WSS sends information upstream to the DLP server for enforcement, the email address field was populated with NA, and that is the field DLP keys off for user information.
WSS retrieves this information from the AD LDAP server through the Auth Connector WSS component.
Making sure that all WSS users have valid email addresses within AD addressed the issue.
Make sure that all WSS agent users connecting to WSS have a populated email address (LDAP mail attribute) within the AD LDAP store that the Auth Connector is talking to.
The ICAP header details for the above incidents show:
2021-09-08 10:42:09 | 10.56 K | 1.00 | X-SYMC-Authenticated-User: #######; X-SYMC-User-Email-Address: TkE=; X-Client-IP: 10.243.100.87 |
Here 'X-SYMC-Authenticated-User' has captured the user correctly; however, 'X-SYMC-User-Email-Address' is 'TkE=', which is base64 for NA, and that is the value captured in the incident.
The user name in X-SYMC-Authenticated-User, masked out above, is correct; however, it is not reflected in the incident.
DLP processes the user information in the following order, and the lookup fails because the email address is defined as NA:
"X-SYMC-User-Email-Address"
"X-SYMC-Authenticated-User"
"X-Authenticated-User"
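As an added example (not part of the original article or the product), the following Python check parses an ICAP header line in the format shown above, decodes the email header, applies the DLP header precedence just listed, and flags the NA condition that causes the misattribution. The log line and the user name jdoe are constructed; only the TkE= value and the header names come from the article.

```python
import base64

# Constructed ICAP header line in the article's format (jdoe is a placeholder,
# not a real identity); the TkE= value is the one from the article.
SAMPLE_LINE = ("X-SYMC-Authenticated-User: jdoe; "
               "X-SYMC-User-Email-Address: TkE=; X-Client-IP: 10.243.100.87")

# Order in which DLP consults the headers to identify the user (from the article).
HEADER_PRIORITY = ("X-SYMC-User-Email-Address",
                   "X-SYMC-Authenticated-User",
                   "X-Authenticated-User")

def parse_icap_headers(line):
    """Turn 'Name: value; Name: value' into a dict of header name -> raw value."""
    headers = {}
    for part in line.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def decode_email_header(raw):
    """The email header is base64 in the log (TkE= -> NA); fall back to raw text."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return raw

def resolve_user(headers):
    """Mimic DLP: the first header present in priority order wins, with no
    fallback to the next header when its value is the NA placeholder."""
    for name in HEADER_PRIORITY:
        if name in headers:
            value = headers[name]
            if name == "X-SYMC-User-Email-Address":
                value = decode_email_header(value)
            return name, value
    return None, None

def check_line(line):
    """Flag lines where the email header is NA although a user name was sent:
    that pattern points at an account with no LDAP mail attribute."""
    headers = parse_icap_headers(line)
    used, value = resolve_user(headers)
    missing_mail = (value == "NA" and used == "X-SYMC-User-Email-Address"
                    and "X-SYMC-Authenticated-User" in headers)
    return {"user_header": used, "user": value, "missing_mail_attr": missing_mail,
            "authenticated_user": headers.get("X-SYMC-Authenticated-User")}

if __name__ == "__main__":
    print(check_line(SAMPLE_LINE))
```

Running it over exported ICAP header lines lists the accounts whose mail attribute needs to be populated before the incidents will attribute correctly.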