Experience Center
Enabling Secure ICAP
Configuring secure ICAP is one of the tasks you must complete when configuring DLP policy rules. To learn more, see Configuring DLP Policy Rules with Content Inspection and Configuring DLP Policy Rules without Content Inspection.
Configuration Tasks for Enabling Secure ICAP
To enable secure ICAP, you must complete the following configuration tasks:
1. Configure your DLP server
You must configure your DLP server with the following steps so that it successfully receives the transaction information the Internet & SaaS Public Service Edge sends via secure ICAP.
- Ensure that you place your DLP server in a DMZ, where it can have a public IP address. Internet & SaaS Public Service Edges must be able to reach your DLP server using its public IP address.
- Configure the stunnel application for your DLP server with the following steps:
- Download and install the stunnel application. Refer to the stunnel documentation.
- Locate the stunnel configuration file.
- Modify the stunnel configuration file to include the following content:
  debug = 7
  cert = stunnel.pem
  key = stunnel.pem
  [icap]
  accept = address:port
  connect = address:port
  The entries have the following meaning:
  - debug = 7: specifies the level of logs the stunnel application records.
  - cert = stunnel.pem: specifies the certificate the stunnel application uses for secure communications with the Internet & SaaS Public Service Edge. This is the same certificate the application generates when it is first installed.
  - key = stunnel.pem: specifies the key file (here the same stunnel.pem the application generates when it is first installed) that the stunnel application uses for secure communications with the Internet & SaaS Public Service Edge.
  - accept = address:port: accepts SSL connections on the specified IP address and port. The port is the one stunnel listens on and is usually 11344. For example, accept = 11344 is an accept entry with only a port, and accept = 192.0.2.0/24:11344 is an accept entry with an IP address and port.
  - connect = address:port: connects to the remote address and port and sends the decrypted ICAP traffic there. The address is the DLP server's hostname or IP address, and the port is the one on which the DLP server accepts communications, usually 1344. For example, connect = safemarchserver.hostname.com:1344 is a connect entry with a hostname and port, and connect = 10.2.1.101:1344 is a connect entry with an IP address and port.
- To verify that the modification succeeded, start stunnel and check whether the stunnel console or the debug log includes the message "Configuration successful".
- Reboot the DLP server. The stunnel application can now decrypt the communications sent from the Internet & SaaS Public Service Edge via secure ICAP. You do not need to import the certificate generated by the stunnel application to the Admin Portal. This certificate is used instead for encrypting and decrypting communications between the Internet & SaaS Public Service Edge and the DLP server.
- Ensure that in your DLP product console (for example, your Vontu portal) you have configured policy rules that correspond to the DLP policy rules you configure in the Admin Portal.
In the Admin Portal, you can have two types of DLP policy rules for sending transaction information to your organization's DLP server:
- DLP rules with content inspection that allow you to leverage Zscaler's DLP engines for scanning content before forwarding transaction information to your organization's DLP server.
- DLP rules without content inspection that allow you to bypass scanning by Zscaler's DLP engines and instead have the service filter content based on criteria you specify, then forward the transaction information to your organization's DLP server. With this option, you must specify one or more file types among your criteria.
So, in your organization's DLP product, you must configure rules that correspond to each set of DLP rules from the Admin Portal.
- Your organization's DLP product must have rules that detect the same data type as your DLP rules with content inspection. For example, if you've configured a DLP rule with content inspection in the Admin Portal that blocks credit card data, you must also have a rule in your DLP product blocking credit card data. Otherwise, the information that the Zscaler service sends to your server about a particular DLP rule violation will not be reported as an incident in your DLP product.
However, the rules need not correspond in other details; only the data type must match. For example, if a DLP rule with content inspection blocks credit card numbers going to a specific URL category, the rule in your DLP product must also block credit cards, but need not have a URL category as an additional criterion.
- Your organization's DLP product must have rules that detect the same file types as your DLP rules without content inspection. For example, if you configure a DLP rule without content inspection in the Admin Portal that specifies PDFs as a file type criteria, you must also have a rule in your DLP product that specifies PDFs as a file type. Otherwise, the information that the Zscaler service sends to your DLP server regarding a particular rule violation will not appear in your DLP product.
2. Configure your network firewall
You must configure your organization's network firewall so that it allows the communications the Internet & SaaS Public Service Edge sends via secure ICAP. This is necessary because when the Zscaler service sends information to your DLP server, it does not do so from the Internet & SaaS Public Service Edge on the cloud that initially inspects your users' transactions, even though your firewall is already configured to accept communications from Internet & SaaS Public Service Edges on that cloud. Instead, that Service Edge forwards the transaction information to an Internet & SaaS Public Service Edge on a different cloud (called the FCC cloud), which sends the information to your DLP server. Your network firewall must therefore be configured so that it also accepts communications from the Internet & SaaS Public Service Edges on the FCC cloud.
For detailed information about the traffic your firewall must allow, see https://config.zscaler.com/zscaler.net/icap. You must configure your network firewall to accept communications from a specific set of Internet & SaaS Public Service Edge IP addresses on the FCC cloud on a designated port. This designated port must match the port you specify in the Admin Portal (as detailed in step 3 below). For secure ICAP, Zscaler recommends using port number 11344, as is standard practice.
3. Define your DLP servers in the Admin Portal
You must define your DLP servers in the Admin Portal by providing the public IP address of your DLP server with the port number on which your network firewall initially accepts the secure ICAP traffic sent by the Zscaler service.
- Go to Policies > Data Protection > Common Resources > DLP Incident Receiver.
- Click Add ICAP Receiver.
The Add ICAP Receiver window appears.
- In the Add ICAP Receiver window:
- Enter a Name for the DLP server.
- Choose Enable to allow the service to send communications to the DLP server. If you Disable a server, the Internet & SaaS Public Service Edge cannot send information to that server.
- Enter the Receiver URI. The URI must follow the format: icaps://<FQDN or IP address>:<port number>/<servicepath>
- By default, the Receiver URI field is prepopulated with icaps:// because Zscaler recommends sending transaction information via secure ICAP.
- FQDNs and IP addresses of DLP servers and load balancers are accepted.
- A <port number> must be included and must match the port on which you've configured your network firewall to accept secure ICAP traffic from the Zscaler service. Zscaler recommends using port number 11344 for secure ICAP, per standard practice.
- The <servicepath> specifies whether the DLP server monitors outgoing traffic or incoming traffic. For example, if you are using Vontu, you would use the servicepath reqmod (for Request Mode) to indicate that the server monitors outgoing traffic. An example of a correctly formatted secure ICAP receiver URI for Vontu would be: icaps://10.10.130.87:11344/reqmod
- Click Save and activate the change.
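As an added example that is not Zscaler's or stunnel's own code, the following Python checks that a Receiver URI in the format above is well formed (icaps:// scheme, host, port and servicepath) and that its port matches the port stunnel listens on in the [icap] section from step 1. The stunnel.conf text is constructed sample input built from the page's example entries, and the check assumes the firewall passes the designated port to stunnel without translation.

```python
from urllib.parse import urlsplit
# Constructed sample stunnel.conf (values follow the page's example entries).
SAMPLE_STUNNEL_CONF = """\
debug = 7
cert = stunnel.pem
key = stunnel.pem
[icap]
accept = 11344
connect = 10.2.1.101:1344
"""

def parse_stunnel_conf(text):
    """Parse a simple 'key = value' stunnel.conf into {section: {key: value}}."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment in stunnel
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def port_of(address):
    return int(address.rsplit(":", 1)[-1])  # 'port' or 'host:port' forms

def check_receiver_uri(uri, stunnel_conf):
    """Return a list of problems with the Receiver URI; [] means consistent."""
    problems, u = [], urlsplit(uri)
    if u.scheme != "icaps":
        problems.append("scheme must be icaps:// for secure ICAP")
    if not u.hostname:
        problems.append("FQDN or IP address is missing")
    try:
        port = u.port  # raises ValueError when the port is not numeric
    except ValueError:
        port = None
    if port is None:
        problems.append("port number is required")
    if not u.path.strip("/"):
        problems.append("servicepath (for example reqmod) is required")
    icap = parse_stunnel_conf(stunnel_conf).get("icap", {})
    if "accept" not in icap or "connect" not in icap:
        problems.append("[icap] section needs both accept and connect")
    elif port is not None and port_of(icap["accept"]) != port:
        # Assumes the firewall forwards the designated port to stunnel unchanged.
        problems.append(f"URI port {port} != stunnel accept port {port_of(icap['accept'])}")
    return problems
```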