EdgeSWG is sending incorrect User ID to DLP servers

Article ID: 371557

Products

ISG Proxy Data Loss Prevention

Issue/Introduction

Customers can forward authenticated usernames by checking "Authenticated User" under Configuration - ICAP Options in the EdgeSWG GUI console. Doing so sends the ICAP headers X-SYMC-User-Email-Address (version 7.3.4.1 and later) and X-Authenticated to Symantec DLP.

However, Symantec DLP picks up the value of the X-SYMC-User-Email-Address header instead of the value it expects from the X-Authenticated header. This cannot be changed on the Symantec DLP side, as it is hardcoded to read the first header value, which is X-SYMC-User-Email-Address. The wrong value causes policies not to match on DLP, impacting detection and prevention of sensitive information leaving the customer's organization.

Resolution

The solution is to disable "send authenticated-user" for the relevant ICAP service configuration. This stops both the X-SYMC-User-Email-Address and X-Authenticated headers from being sent. We then re-add the X-Authenticated-User header with CPL, building its value from the $(user.domain) substitution variable in the format Symantec DLP expects, WinNT://<domain>/<username>.

1. Disable "send authenticated-user" from the ICAP request service:

   #(config icap cas_req) no send authenticated-user
   ok

2. Apply the following ICAP header substitution CPL policy:

   <proxy>
     request.icap_service(cas_req)

   <proxy>
     variable.custom_var_str_1("WinNT://")

   <proxy>
     action.ICAP_REQMOD_User(yes)

   define action ICAP_REQMOD_User
     set(icap_reqmod.request.x_header.X-Authenticated-User, "$(variable.custom_var_str_1:concat($(user.domain)/$(cs-username)):encode_base64)")
   end

Note: The above solution can only be used on SGOS 6.7.5.23 and 7.3.14.1 and above, as variable.custom_var_str_1() is only available in these versions.
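As an added illustration (not part of the original article, and not Symantec's or Broadcom's own code), the Python below models the behaviour described above: it builds the X-Authenticated-User value the same way the CPL set() action does (WinNT://<domain>/<username>, base64-encoded), then reads a constructed ICAP REQMOD header block the way the article says DLP does, taking the first user header present. The header blocks, the host name dlp.example.internal and the CORP/jdoe identity are constructed sample values; the "first header wins" selection is a model of the article's description, not DLP's actual code. It lets you check, from a packet capture of the ICAP request, whether the header DLP will pick decodes to the expected format before and after the change.

```python
import base64
import re
from typing import List, Optional, Tuple

# Format Symantec DLP expects once the X-Authenticated-User value is base64-decoded.
WINNT_RE = re.compile(r"^WinNT://(?P<domain>[^/]+)/(?P<user>[^/]+)$")

# User headers named in the article; the article states DLP reads the first one present.
USER_HEADERS = ("X-SYMC-User-Email-Address", "X-Authenticated", "X-Authenticated-User")


def build_authenticated_user_header(domain: str, username: str) -> str:
    """Reproduce the CPL set() action: 'WinNT://' + domain + '/' + username, base64-encoded."""
    raw = f"WinNT://{domain}/{username}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_icap_headers(block: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from an ICAP request block, in wire order.

    The first line is the ICAP request line (e.g. 'REQMOD icap://... ICAP/1.0') and is skipped.
    """
    headers = []
    for line in block.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def first_user_header(headers: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Model of the DLP behaviour the article describes: the first user header wins."""
    for name, value in headers:
        if name in USER_HEADERS:
            return name, value
    return None


def resolve_user(block: str) -> Optional[Tuple[str, str]]:
    """(domain, username) if the header DLP picks decodes to WinNT://<domain>/<username>, else None."""
    found = first_user_header(parse_icap_headers(block))
    if found is None:
        return None
    _, value = found
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Not base64 (e.g. a plain e-mail address): DLP cannot get a WinNT identity from it.
        return None
    match = WINNT_RE.match(decoded)
    if match is None:
        return None
    return match.group("domain"), match.group("user")


# Constructed sample: headers as sent with "send authenticated-user" enabled (the broken case).
BROKEN_REQMOD = (
    "REQMOD icap://dlp.example.internal:1344/reqmod ICAP/1.0\r\n"
    "Host: dlp.example.internal\r\n"
    "X-SYMC-User-Email-Address: jdoe@example.com\r\n"
    "X-Authenticated-User: " + build_authenticated_user_header("CORP", "jdoe") + "\r\n"
)

# Constructed sample: headers after the fix, only the CPL-built X-Authenticated-User is present.
FIXED_REQMOD = (
    "REQMOD icap://dlp.example.internal:1344/reqmod ICAP/1.0\r\n"
    "Host: dlp.example.internal\r\n"
    "X-Authenticated-User: " + build_authenticated_user_header("CORP", "jdoe") + "\r\n"
)

if __name__ == "__main__":
    for label, block in (("before fix", BROKEN_REQMOD), ("after fix", FIXED_REQMOD)):
        picked = first_user_header(parse_icap_headers(block))
        print(f"{label}: DLP reads {picked[0]} -> resolved user {resolve_user(block)}")
```

Running the script shows the before-fix request resolving to no user (DLP picks the e-mail header, which is not a WinNT:// value) and the after-fix request resolving to CORP/jdoe. To apply it to a real capture, paste the ICAP request header block from the proxy-to-DLP traffic into resolve_user().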