This integration connects Umbrella with an on-premises DLP solution so that DLP events can be managed and remediated centrally.
How do we integrate Secure Access with On-Premises DLP Servers?
Integration uses ICAP (Internet Content Adaptation Protocol, RFC 3507), a standard protocol that network devices use to offload tasks such as content filtering, virus scanning, and data loss prevention to specialized systems. Here, Secure ICAP is used to pass HTTP/S traffic that violates a Realtime DLP rule to your on-premises DLP server for additional DLP analysis and centralized event management.
How can you secure this communication channel?
First, Secure ICAP wraps the ICAP connection in TLS, so the forwarded traffic is encrypted in transit. Umbrella validates the on-premises DLP server against the certificate the admin uploads via the dashboard before passing any traffic to it, which rules out an attacker interposing a server of their own (man-in-the-middle). Because this check is made against the uploaded certificate, upload the new one whenever the server's certificate is renewed. Second, restrict your inbound firewall so that only Umbrella's source IPs (listed below) can reach the on-premises DLP server's ICAP port; this keeps the open ICAP port from becoming an attack surface for anyone else.
Which IPs do customers need to whitelist in their firewall?
50.18.191.74
54.153.85.86
54.90.48.200
3.234.7.118
How can I enable Secure ICAP?
You need to take two steps. First, you need to onboard your on-premises DLP server, and then you need to configure your Realtime DLP rules to forward traffic to that server. Configuration is done on a per-rule basis.
To onboard the server, go to Admin > Authentication > ICAP in the Umbrella dashboard.
Once the on-premises DLP server is onboarded there, enable forwarding in each Realtime DLP rule through the rule section titled ICAP.
All Realtime DLP active rules are enabled by default.
Which information is sent over ICAP to the On-Premises DLP server?
Umbrella sends the entire HTTP/S message, headers and body. It also adds custom ICAP headers carrying the user identity, the user's group memberships, and the client IP associated with the request: X-Authenticated-User, X-Authenticated-Groups, and X-Client-IP respectively.
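The following is an added example, not code from this page, from Umbrella, or from any DLP vendor. It shows the receiving side of the exchange just described: a DLP-side handler that takes one ICAP REQMOD message framed per RFC 3507, pulls out the three identity headers and the encapsulated HTTP request (headers plus chunked body), and builds the 204 reply that tells the sender nothing was modified. The sample message, hostnames, URL and identity values are constructed; the page gives only the header names, not Umbrella's exact wire format beyond that.

```python
"""Receiving side of a Secure ICAP forward: parse one REQMOD message into a
DLP event record. Added example; all sample values are constructed."""

CRLF = b"\r\n"


def parse_headers(block: bytes):
    """Split a start line plus headers into (start_line, {lowercased name: value})."""
    lines = block.split(CRLF)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def decode_chunked(data: bytes) -> bytes:
    """Decode the HTTP chunked encoding ICAP uses for encapsulated bodies."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def parse_reqmod(raw: bytes) -> dict:
    """Turn one ICAP REQMOD message into a DLP event record."""
    head, _, encapsulated = raw.partition(CRLF + CRLF)
    icap_line, icap = parse_headers(head)
    if icap_line.split()[0] != "REQMOD":
        raise ValueError(f"unsupported ICAP method in {icap_line!r}")
    # Encapsulated: req-hdr=0, req-body=N  (byte offsets into the encapsulated section)
    offsets = {}
    for part in icap["encapsulated"].split(","):
        name, _, off = part.strip().partition("=")
        offsets[name] = int(off)
    body_off = offsets.get("req-body", offsets.get("null-body"))
    request_line, http = parse_headers(encapsulated[offsets["req-hdr"]:body_off])
    body = decode_chunked(encapsulated[body_off:]) if "req-body" in offsets else b""
    verb, url, _ = request_line.split(" ", 2)
    return {
        # the three identity headers named on this page
        "user": icap.get("x-authenticated-user"),
        "groups": [g.strip() for g in icap.get("x-authenticated-groups", "").split(",") if g.strip()],
        "client_ip": icap.get("x-client-ip"),
        # the forwarded HTTP request itself
        "method": verb,
        "url": url,
        "host": http.get("host"),
        "content_type": http.get("content-type"),
        "body": body,
        "allow_204": "204" in icap.get("allow", ""),
    }


def no_modification_response() -> bytes:
    """ICAP 204: message unchanged. Only valid when the client sent 'Allow: 204'."""
    return (b'ICAP/1.0 204 No Content\r\nISTag: "dlp-event-logger-1"\r\n'
            b"Encapsulated: null-body=0\r\n\r\n")


def build_sample_reqmod() -> bytes:
    """Constructed sample of a forwarded violating POST, built here so the
    Encapsulated offsets are right. Every value below is made up."""
    body = b"ssn=123-45-6789\n"
    http_head = (
        b"POST /upload HTTP/1.1\r\nHost: files.example.net\r\n"
        b"Content-Type: text/plain\r\n"
        + f"Content-Length: {len(body)}\r\n\r\n".encode()
    )
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    icap_head = (
        b"REQMOD icap://dlp.corp.example:1344/reqmod ICAP/1.0\r\n"
        b"Host: dlp.corp.example\r\nAllow: 204\r\n"
        b"X-Authenticated-User: alice@example.com\r\n"
        b"X-Authenticated-Groups: finance, contractors\r\n"
        b"X-Client-IP: 10.20.30.40\r\n"
        + f"Encapsulated: req-hdr=0, req-body={len(http_head)}\r\n\r\n".encode()
    )
    return icap_head + http_head + chunked


if __name__ == "__main__":
    event = parse_reqmod(build_sample_reqmod())
    print({k: v for k, v in event.items() if k != "body"})
```

The record returned by parse_reqmod is what an event-management pipeline would index: who (user, groups, client IP) sent what (method, host, URL, body) and whether the sender will accept a 204 reply. Umbrella has already decided the verdict (monitor or block) before forwarding, so the on-premises side only needs to log and correlate, which is why the reply is a 204 rather than a modified message.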
Does it send both monitored and blocked Realtime DLP violation events?
Yes, both monitored and blocked violation events are sent over the Secure ICAP connection.
How do I get the ICAP server enabled in the on-premises DLP?
Consult your DLP vendor's documentation and/or support to learn how to enable the embedded ICAP server in your DLP solution. If the solution only supports plain ICAP and not Secure ICAP, deploy a TLS termination component in front of the on-premises DLP server, for example stunnel, a widely used open-source TLS wrapper: it accepts the TLS connection from Umbrella and hands plaintext ICAP to the DLP server on the local host.
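The following is an added example, not code from this page, from Umbrella, from stunnel, or from any DLP vendor. It writes out the role the answer above assigns to stunnel so the topology is explicit: TLS from Umbrella is terminated on one port using the certificate and key that were uploaded to the dashboard, the peer is checked against the Umbrella source IPs listed on this page (a backstop for the firewall rule from the earlier answer), and bytes are relayed unchanged to the DLP product's plaintext ICAP listener on loopback. The listening port 11344, the file paths and the loopback backend are assumptions. Run stunnel in production rather than this.

```python
"""TLS-terminating front-end for a plaintext-only ICAP listener. Added example;
ports, paths and the allow-list backstop are assumptions, not Umbrella's spec."""
import ipaddress
import socket
import ssl
import threading

# Source addresses from the allow-list question on this page.
UMBRELLA_SOURCE_IPS = frozenset(
    {"50.18.191.74", "54.153.85.86", "54.90.48.200", "3.234.7.118"}
)
LISTEN = ("0.0.0.0", 11344)     # assumed Secure ICAP port exposed to Umbrella
BACKEND = ("127.0.0.1", 1344)   # the DLP product's plaintext ICAP listener (IANA port 1344)
CERT, KEY = "/etc/dlp/icap.crt", "/etc/dlp/icap.key"  # assumed paths of the pair uploaded to the dashboard


def is_allowed_peer(peer_ip: str) -> bool:
    """Backstop for the inbound firewall rule: only Umbrella may reach the ICAP port."""
    try:
        return str(ipaddress.ip_address(peer_ip)) in UMBRELLA_SOURCE_IPS
    except ValueError:
        return False


def server_tls_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side context: TLS 1.2 or newer, presenting our certificate. No client
    certificate is requested because the page describes server authentication only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst so the
    backend sees end-of-request. Returns the byte count. Blocking recv is used on
    purpose: select() on a TLS socket can miss records already buffered in the SSL object."""
    relayed = 0
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
            relayed += len(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass
    return relayed


def handle(tls_conn: socket.socket, backend=BACKEND) -> None:
    """One accepted TLS connection: relay both directions to the plaintext backend."""
    backend_conn = socket.create_connection(backend)
    reply = threading.Thread(target=pump, args=(backend_conn, tls_conn), daemon=True)
    reply.start()                 # DLP -> Umbrella
    pump(tls_conn, backend_conn)  # Umbrella -> DLP
    reply.join()
    backend_conn.close()
    tls_conn.close()


def serve(listen=LISTEN, certfile=CERT, keyfile=KEY) -> None:
    ctx = server_tls_context(certfile, keyfile)
    with socket.create_server(listen) as listener:
        while True:
            raw, (peer_ip, _) = listener.accept()
            if not is_allowed_peer(peer_ip):
                raw.close()       # refuse before spending a TLS handshake on it
                continue
            try:
                tls_conn = ctx.wrap_socket(raw, server_side=True)
            except ssl.SSLError:
                raw.close()
                continue
            threading.Thread(target=handle, args=(tls_conn,), daemon=True).start()


def relay_demo(payload: bytes) -> tuple:
    """Offline self-check: push payload through pump() over two socketpairs and
    return (bytes_relayed, bytes_received). No TLS or network involved."""
    left_in, left_out = socket.socketpair()
    right_in, right_out = socket.socketpair()
    left_in.sendall(payload)
    left_in.shutdown(socket.SHUT_WR)          # EOF on the source side
    relayed = pump(left_out, right_in)
    received = b""
    while chunk := right_out.recv(65536):     # until pump's half-close arrives
        received += chunk
    for s in (left_in, left_out, right_in, right_out):
        s.close()
    return relayed, received


if __name__ == "__main__":
    print(relay_demo(b"REQMOD icap://dlp.corp.example:1344/reqmod ICAP/1.0\r\n\r\n"))
```

The two points worth carrying over to a real stunnel deployment are visible here: the certificate presented on the TLS side must be the one uploaded to the Umbrella dashboard, since that is what Umbrella validates, and the plaintext hop should stay on loopback (or an equally protected segment), because after termination the forwarded HTTP/S message, including its body, travels unencrypted.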
Where can I find more information?
Refer to Umbrella documentation for guidance.