DLP Endpoint Agent does not communicate when connected by Microsoft Direct Access (VPN)
Article ID: 172989

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You have DLP Endpoint Agents installed and working correctly while on the LAN: policies are received, incidents are communicated, and so on.

However, when connected by Microsoft Direct Access, the agent receives no DLP policy changes. You can ping the detection server and telnet to port 10443 on the detection server, yet no incidents are created until the agent reconnects to the LAN.

FINEST level logs from the Endpoint Agent show messages such as:

8024 | FINEST | Communication.CurlTransportLayer | TransportDisconnectionInformation [DisconnectReason: FAILURE_TO_CONNECT, TransportErrorCode: SERVER_UNREACHABLE, ErrorMessage:Libcurl Error: '7'. Error Message: Couldn't connect to server. Last Error String: Failed to connect to <DetectionServerName.YourCompany.com> port 10443: Timed out

Environment

DLP 15.x

Cause

Microsoft Direct Access supports IPv6 connections only. All current versions of the DLP Endpoint Agent require native IPv4 connectivity. 
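A successful ping or telnet from a DirectAccess client does not prove IPv4 reachability, because Windows prefers the IPv6 path (DNS64/NAT64 for IPv4-only intranet hosts). The following PowerShell diagnostic is an added example, not from this article; it takes the placeholder server name and port 10443 from the log line above and tests the IPv4 and IPv6 paths separately, so the "Timed out" seen by the agent can be matched to the IPv4 path alone.

```powershell
# Added diagnostic (not part of the KB article). The server name is the
# placeholder from the article's log line; replace it with your detection server.
$Server = 'DetectionServerName.YourCompany.com'
$Port   = 10443

# Step 1: which address families does the client actually resolve?
# Over DirectAccess, DNS64 may return only AAAA answers for an IPv4-only host.
$a    = Resolve-DnsName -Name $Server -Type A    -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
$aaaa = Resolve-DnsName -Name $Server -Type AAAA -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'AAAA' }
"IPv4 (A) records:    {0}" -f (($a.IPAddress)    -join ', ')
"IPv6 (AAAA) records: {0}" -f (($aaaa.IPAddress) -join ', ')

# Step 2: attempt a TCP connect per address family. Test-NetConnection lets
# Windows choose the family, so TcpClient is used to force one.
function Test-TcpByFamily {
    param(
        [string]$HostName,
        [int]$TcpPort,
        [System.Net.Sockets.AddressFamily]$Family,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient($Family)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) |
                 Where-Object { $_.AddressFamily -eq $Family }
        if (-not $addrs) { return "no $Family address resolved" }
        $task = $client.ConnectAsync($addrs[0], $TcpPort)
        if ($task.Wait($TimeoutMs) -and $client.Connected) {
            return "connected to $($addrs[0])"
        }
        return "timed out connecting to $($addrs[0])"   # matches the agent's libcurl error 7
    } catch {
        return "failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Dispose()
    }
}

"IPv4 path: " + (Test-TcpByFamily $Server $Port ([System.Net.Sockets.AddressFamily]::InterNetwork))
"IPv6 path: " + (Test-TcpByFamily $Server $Port ([System.Net.Sockets.AddressFamily]::InterNetworkV6))
```

If the IPv6 path connects while the IPv4 path times out or resolves no A record, the client has no native IPv4 route to the detection server, which is the condition described in the Cause above.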

The following extract from the DLP administrator guide (version 15.x) describes the scope of IPv6 support:

Symantec Data Loss Prevention IPv6 support is limited to [Network] monitoring [solution]. The Enforce Server administration console must still be deployed on an IPv4 network; there is no support for command and control functionality over IPv6. This release does not include support for: 

  • Deployment of Symantec Data Loss Prevention over IPv6 networks
  • Support of other Symantec Data Loss Prevention servers on IPv6 networks
  • Use of IPv6 system-defined data identifiers
  • Use of IP fragmentation over IPv6
  • Configuring or communicating with detection servers over IPv6
  • Deployment of IPv6 endpoints
  • Deployment of Symantec Encryption Server on IPv6
  • Deployment of the Oracle database on an IPv6 connection

See "Configure a protocol" in the online Help for more information about specific implementation details of IPv6 support.

Resolution

Prior to DLP 16.0, only the Network Monitor solution supported IPv6.

IPv6 support for the DLP Endpoint Agent was added in the DLP 16.0 release. See the following link for details:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0/DLP-system-requirements/product-compatibility-v20286691-d366e6299/support-for-ipv6-addresses.html