Integrating ProxySG with DLP, with load balancing across multiple DLP servers.
Whether the request/traffic is sent to CAS or DLP, the requisite ICAP services must be created on the ProxySG appliance. Yes, for CAS, the service would be RESPMOD, while for DLP, because the requests would be HTTP/HTTPS POST/PUT, the ICAP service would be REQMOD. Please also refer to the attached .doc file for the end-to-end Proxy-CAS and Proxy-DLP integration.
For the traffic flow in both cases, please refer to the tech articles at the URLs below. We have again shared the guidance for the ProxySG-DLP policy configuration.
https://knowledge.broadcom.com/external/article?legacyId=TECH247046
https://knowledge.broadcom.com/external/article?legacyId=TECH242033
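To make the REQMOD case above concrete, the following added example (generic RFC 3507 framing, not code from ProxySG, Symantec DLP or the linked articles) wraps an HTTP POST in an ICAP REQMOD message and unwraps it again as an ICAP server would. The ICAP URL, host names and sample upload are constructed placeholders.

```python
"""Added example: an HTTP POST wrapped as an ICAP REQMOD message (RFC 3507)."""
CRLF = b"\r\n"

# Constructed sample upload; the host names and ICAP URL below are placeholders.
SAMPLE_BODY = b"notes=quarterly+payroll+export"
SAMPLE_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY))
SAMPLE_URL = "icap://dlp1.example.internal:1344/reqmod"

def build_reqmod(icap_url, http_headers, http_body):
    """ICAP client (proxy) side: wrap one HTTP request in a REQMOD message."""
    if not http_headers.endswith(CRLF + CRLF):
        raise ValueError("HTTP header block must end with a blank line")
    host = icap_url.split("://", 1)[1].split("/", 1)[0]
    # Encapsulated offsets count from the start of the ICAP body; a request
    # with no body (a GET, say) is marked null-body instead of req-body.
    marker = "req-body" if http_body else "null-body"
    head = (f"REQMOD {icap_url} ICAP/1.0\r\nHost: {host}\r\n"
            f"Encapsulated: req-hdr=0, {marker}={len(http_headers)}\r\n\r\n")
    chunked = b""
    if http_body:  # the encapsulated body is always sent chunked
        chunked = b"%x\r\n" % len(http_body) + http_body + CRLF + b"0\r\n\r\n"
    return head.encode("ascii") + http_headers + chunked

def parse_encapsulated(message):
    """Return the Encapsulated offsets as a dict, e.g. {'req-hdr': 0, ...}."""
    head = message.split(CRLF + CRLF, 1)[0].decode("ascii")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "encapsulated":
            pairs = (item.split("=", 1) for item in value.split(","))
            return {k.strip(): int(v) for k, v in pairs}
    raise ValueError("no Encapsulated header")

def extract_http_request(message):
    """ICAP server side: recover the HTTP header block and de-chunked body."""
    offsets = parse_encapsulated(message)
    icap_body = message.split(CRLF + CRLF, 1)[1]
    if "null-body" in offsets:
        return icap_body[:offsets["null-body"]], b""
    cut = offsets["req-body"]
    headers, rest, body = icap_body[:cut], icap_body[cut:], b""
    while True:
        size_line, rest = rest.split(CRLF, 1)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return headers, body
        body, rest = body + rest[:size], rest[size + 2:]

if __name__ == "__main__":
    print(build_reqmod(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY).decode("ascii"))
```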
If multiple DLP servers are involved, for the purpose of high availability, the ICAP service should be created on ProxySG for the various DLP servers, and their respective IP addresses, or FQDNs, should be referenced in the service URL.
Note
Taking Symantec DLP as the case study, Icap.LoadBalanceFactor, in the Advanced Server settings of the 'Network Prevent for Web' server, is the option that sets the number of connections that it is able to communicate with. When this value is set to 1, there is only one connection to this Network Prevent server.
Thus, for example, if there is a farm of 6 servers, you absolutely need to set this to 6 (provided the other resource-related requirements are 'checked' on the boxes).
Knowing this to be 6 servers load balancing at the egress point of the whole network - hopefully this is really a large network and not another requirement wherein all traffic, including GETs, is being ICAPed.
In other words, to focus on egress in the true sense from a data loss perspective, POSTs are all that is mostly examined, as an industry best practice.