DLP policies failing to match because user identified as NA when going through WSS
search cancel

DLP policies failing to match because user identified as NA when going through WSS


Article ID: 225314


Updated On:


Cloud Secure Web Gateway - Cloud SWG Data Loss Prevention Data Loss Prevention Cloud Detection Service for ICAP


DLP Cloud setup to integrate with WSS

Users accessing WSS with WSS agent

When a user accesses a URL that should be handled by DLP, DLP fails to apply the policy as the user is identified as NA.

DLP policy identifying the user from WSS parameters passed into upstream DLP server request and expecting an email address


The users reporting the issue did not have a valid email address configured within AD as shown below


When WSS is sending information upstream to the DLP server to enforce, the email address populated was NA which DLP was keying off for user information.

WSS can retrieve this information from AD LDAP server using the Auth Connector WSS component

Making sure that all WSS users have valid email addresses within AD addressed the issue.



Make sure that all WSS agent users connecting to WSS have a populated EMAIL Address (LDAP mail attribute) within the AD LDAP store Auth Connector is talking to.

Additional Information

ICAP Header Details for above incidents shows: 


2021-09-08 10:42:09 10.56 K 1.00 X-SYMC-Authenticated-User: #######; X-SYMC-User-Email-Address: TkE=; X-Client-IP:


Here 'X-SYMC-Authenticated-User' has captured users correctly however  'X-SYMC-User-Email-Address' has 'TkE=' which translates to NA and can is captured in the incident.

The user Name in  X-SYMC-Authenticated-User, masked out above, is correct however its not reflecting in the Incident.

DLP handles the info in the following order and we fail because the email address is defined as NA