Lab 7: SSL Visibility for DLP (ICAP)

In this lab exercise, you will send decrypted traffic to an ICAP-based Data Loss Prevention (DLP) service for inspection. The DLP will block HTTP POSTs (uploads) of certain content, such as credit card numbers and documents carrying a Top Secret data classification label.

Estimated completion time: 15 minutes

Objectives:

  • Re-configure the SWG iApp to send unencrypted HTTP and decrypted HTTPS traffic to an ICAP (DLP) server
  • Verify that the DLP service is able to see SWG proxy traffic and block if a policy violation occurs

Lab Requirements:

  • Working SWG iApp deployment

Task 1 – Re-configure SWG iApp to enable ICAP inspection

  • Browse to iApps > Application Services > Applications

  • Click on SWG

  • Click Reconfigure

  • Scroll down to the ICAP Configuration section

  • Change the ICAP option to Yes, create a new ICAP DLP deployment

  • Enter 10.1.20.150 as the IP address of the DLP server (the default port of 1344 is correct).


  • Browse to the bottom and click Finished

Task 2 – Testing

  • Open Internet Explorer on your Jump Host client machine
  • Browse to http://dlptest.com
  • If you are prompted for authentication, login as user1 with password AgilityRocks!
  • Click on the HTTP Post link at the top of the page.
  • Fill in the Subject and Message fields with some random text and then add a credit card number such as 4111 1111 1111 1111.
  • Click on the Submit button to see if the DLP service detects this. *Hint: You should receive a blocking page message.*
  • Go back to the previous page and try submitting again, this time including the words top secret. Again, you should receive a blocking page from the DLP service.
  • Now, go back to the previous page and click on the HTTPS Post link at the top of the page.
  • Perform the credit card number and top secret submissions again. You should again see the blocking pages since SWG is decrypting the HTTPS connection and sending the decrypted POST data to the DLP service for inspection.
  • If you want to see the DLP policy violations, browse to https://10.1.20.150/logs. Log in as mydlp with password mydlp.
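As an added example (not F5 SWG or MyDLP code), the following Python models the exchange that Task 1 configures and Task 2 exercises: the proxy wraps the decrypted POST in an ICAP REQMOD request to 10.1.20.150:1344, the DLP side parses the encapsulated request, scans the form body, and answers either 204 No Content (forward the POST unchanged) or 200 OK with a replacement 403 block page. The policy rules (Luhn-valid card numbers and the phrase "top secret"), the X-DLP-Violations header and the /http-post/ form path are assumptions for illustration; the real DLP's rule set and block page are not shown on this page.

```python
"""Model of the ICAP REQMOD exchange between an SSL-intercepting proxy (SWG)
and a DLP server, plus a toy DLP policy. Added example, not F5 SWG or MyDLP
code: policy rules, X-DLP-Violations header and form path are assumptions."""
import re
from urllib.parse import unquote_plus, urlencode

DLP_SERVER = ("10.1.20.150", 1344)  # the lab's DLP server and default ICAP port
BLOCK_PAGE = b"<html><body><h1>Blocked by DLP policy</h1></body></html>"


def form_post(subject: str, message: str) -> bytes:
    """Constructed HTTP POST resembling the dlptest.com form (path assumed)."""
    body = urlencode({"subject": subject, "message": message}).encode()
    return (b"POST /http-post/ HTTP/1.1\r\nHost: dlptest.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n%s" % (len(body), body))


def chunked(data: bytes) -> bytes:
    """ICAP carries encapsulated bodies in HTTP chunked encoding (RFC 3507)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)


def dechunk(data: bytes) -> bytes:
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]  # skip the CRLF that terminates the chunk


# --- proxy side: wrap the client's (already decrypted) request in a REQMOD ---
def build_reqmod(http_request: bytes, server=DLP_SERVER) -> bytes:
    host, port = server
    head, _, body = http_request.partition(b"\r\n\r\n")
    req_hdr = head + b"\r\n\r\n"
    if body:
        enc = b"req-hdr=0, req-body=%d" % len(req_hdr)
        payload = req_hdr + chunked(body)
    else:
        enc = b"req-hdr=0, null-body=%d" % len(req_hdr)
        payload = req_hdr
    return (b"REQMOD icap://%s:%d/reqmod ICAP/1.0\r\nHost: %s\r\n"
            b"Encapsulated: %s\r\n\r\n" % (host.encode(), port, host.encode(), enc)
            + payload)


# --- DLP side: parse the REQMOD, scan the body, answer 204 or a block page ---
def parse_reqmod(msg: bytes):
    icap_head, _, encapsulated = msg.partition(b"\r\n\r\n")
    enc = re.search(rb"Encapsulated:\s*([^\r\n]+)", icap_head).group(1)
    offsets = {k.strip(): int(v) for k, v in (p.split(b"=") for p in enc.split(b","))}
    hdr_len = offsets.get(b"req-body", offsets.get(b"null-body"))
    body = dechunk(encapsulated[hdr_len:]) if b"req-body" in offsets else b""
    return encapsulated[:hdr_len], body


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def dlp_violations(body: bytes):
    """Toy policy approximating the lab DLP: card numbers and a classification label."""
    text = unquote_plus(body.decode(errors="replace"))  # form-decode the POST body
    reasons = []
    for m in re.finditer(r"\b\d(?:[ -]?\d){12,18}\b", text):
        if luhn_ok(re.sub(r"\D", "", m.group())):  # digit runs that fail Luhn are ignored
            reasons.append("credit card number")
            break
    if re.search(r"\btop\s+secret\b", text, re.I):
        reasons.append("top secret")
    return reasons


def icap_respond(reqmod: bytes) -> bytes:
    _headers, body = parse_reqmod(reqmod)
    reasons = dlp_violations(body)
    if not reasons:
        return b"ICAP/1.0 204 No Content\r\n\r\n"  # unmodified: proxy forwards the POST
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
               b"Content-Length: %d\r\n\r\n" % len(BLOCK_PAGE))
    return (b"ICAP/1.0 200 OK\r\nX-DLP-Violations: %s\r\n"  # header name is assumed
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n"
            % ("; ".join(reasons).encode(), len(res_hdr)) + res_hdr + chunked(BLOCK_PAGE))


# --- proxy side again: act on the DLP's answer ---
def verdict(icap_response: bytes):
    head = icap_response.split(b"\r\n\r\n", 1)[0]
    code = int(head.split(b" ")[1])  # this model only ever sees 204 or 200
    m = re.search(rb"X-DLP-Violations:\s*([^\r\n]+)", head)
    reasons = m.group(1).decode().split("; ") if m else []
    return ("allow" if code == 204 else "block"), reasons


def inspect_post(http_request: bytes):
    """Run one request through the modelled SWG -> DLP -> SWG exchange."""
    return verdict(icap_respond(build_reqmod(http_request)))


if __name__ == "__main__":
    for msg in ("card is 4111 1111 1111 1111", "this is top secret", "hello world"):
        print(repr(msg), "->", inspect_post(form_post("test", msg)))
```

The point the lab makes in Task 2 is visible in `build_reqmod`: the DLP only ever sees the plain HTTP request the proxy hands it, so an HTTPS POST is inspectable exactly because the SWG has already decrypted it before encapsulating it. The 204 versus 200 distinction is what turns a "see" into a "block": with 204 the proxy forwards the original POST, with 200 it delivers the DLP's replacement response (here a 403 block page) to the browser instead.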