
Enabling Unencrypted ICAP

Configuring unencrypted ICAP is one of the tasks you must complete when configuring DLP policy rules. To learn more, see Configuring DLP Policy Rules with Content Inspection and Configuring DLP Policy Rules without Content Inspection.

Configuration Tasks for Enabling Unencrypted ICAP

To enable unencrypted ICAP, you must complete the following configuration tasks:

    1. Ensure that you place your DLP server in a DMZ, where it can have a public IP address. Internet & SaaS Public Service Edges must be able to reach your DLP server using its public IP address.
    2. Ensure that in your DLP product console (for example, your Vontu portal) you have configured policy rules that correspond to the DLP policy rules you configure in the Admin Portal.

    In the Admin Portal, you can have two types of DLP policy rules for sending transaction information to your organization's DLP server:

    • DLP rules with content inspection that allow you to leverage Zscaler's DLP engines for scanning content before forwarding transaction information to your organization's DLP server.
    • DLP rules without content inspection that allow you to bypass scanning by Zscaler's DLP engines and instead have the service filter content based on criteria you specify, then forward the transaction information to your organization's DLP server. With this option, you must specify one or more file types among your criteria.

    So, in your organization's DLP product, you must configure rules that correspond to each set of DLP rules from the Admin Portal.

    • Your organization's DLP product must have rules that detect the same data type as your DLP rules with content inspection. For example, if you've configured a DLP rule with content inspection in the Admin Portal that blocks credit card data, you must also have a rule in your DLP product blocking credit card data. Otherwise, the information that the Zscaler service sends to your server about a particular DLP rule violation will not be reported as an incident in your DLP product.

    However, the rules need not correspond exactly in other details. You do not need to ensure that criteria beyond data type correspond. For example, if a DLP rule with content inspection blocks credit card numbers going to a specific URL category, the rule in your DLP product must also block credit cards, but need not have a URL category as an additional criterion.

    • Your organization's DLP product must have rules that detect the same file types as your DLP rules without content inspection. For example, if you configure a DLP rule without content inspection in the Admin Portal that specifies PDFs as a file type criterion, you must also have a rule in your DLP product that specifies PDFs as a file type. Otherwise, the information that the Zscaler service sends to your DLP server regarding a particular rule violation will not appear in your DLP product.
    3. You must configure your organization's network firewall so that it allows the communications the Internet & SaaS Public Service Edge sends via ICAP. This step is necessary because, as explained above, the service does not send information to your DLP server from the Internet & SaaS Public Service Edge on the cloud that initially inspects your users' transactions, which is the cloud whose Internet & SaaS Public Service Edges your firewall already accepts. Instead, it forwards the transaction information to an Internet & SaaS Public Service Edge on a different cloud (called the FCC cloud), which then sends that information to your DLP server. Your network firewall must therefore also accept communications from the Internet & SaaS Public Service Edges on the FCC cloud.

    For detailed information about the traffic your firewall must allow, see https://config.zscaler.com/zscaler.net/icap. You must configure your network firewall to accept communications from a specific set of Internet & SaaS Public Service Edge IP addresses on the FCC cloud, on a designated port. This designated port must match the port you specify in the Admin Portal (as detailed in the next task below). For ICAP, Zscaler recommends using port number 1344, as is standard practice.

    4. You must define your DLP servers in the Admin Portal by providing the public IP address of your DLP server together with the port number on which your network firewall accepts the ICAP traffic sent by the Zscaler service. You can configure as many DLP servers as you need. However, you only need to specify one server for each DLP policy. If your DLP server is behind a load balancer, you can configure the load balancers as well.

    1. Go to Policies > Data Protection > Common Resources > DLP Incident Receiver.
    2. Click Add ICAP Receiver.

    The Add ICAP Receiver window appears.

    3. In the Add ICAP Receiver window:
      • Enter a Name for the DLP server.
      • Select Enable to allow the service to send communications to the DLP server. If you Disable a server, the Internet & SaaS Public Service Edge cannot send information to that server.
      • Enter the Receiver URI. The URI must follow the format: icap://<FQDN or IP address>:<port number>/<servicepath>
        • By default, the Receiver URI field is prepopulated with icaps:// because Zscaler recommends sending transaction information via secure ICAP. For scenarios where it is preferable to send unencrypted ICAP over plain text (for example, for debugging purposes), you can use icap://.
        • FQDNs and IP addresses of DLP servers and load balancers are accepted.
        • A <port number> must be included and must match the port on which you’ve configured your network firewall to accept ICAP traffic from the service. Zscaler recommends using port number 1344 for ICAP, per standard practice.
        • The <servicepath> specifies whether the DLP server monitors outgoing traffic or incoming traffic. For example, if you are using Vontu, you would use the servicepath reqmod (for Request Mode) to indicate that the server monitors outgoing traffic. An example of a correctly formatted unencrypted ICAP receiver URI for Vontu would be: icap://metascan.corp.safemarch.com:1344/reqmod
    4. Click Save and activate the change.
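    The Receiver URI rules above (scheme, FQDN or IP host, mandatory port matching the firewall, non-empty servicepath) can be checked before the value is entered in the Admin Portal. The following is an added example, not Zscaler's own code; the sample URIs and the firewall port are constructed values, except the Vontu example taken from the page.

```python
# Added example (not Zscaler's code): checks an ICAP receiver URI against the
# documented format icap://<FQDN or IP address>:<port number>/<servicepath>
# and against the port the network firewall was opened on.
import ipaddress
import re
from urllib.parse import urlsplit

RECOMMENDED_PORT = 1344  # the port the documentation recommends for ICAP
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.IGNORECASE,
)


def check_receiver_uri(uri: str, firewall_port: int) -> list[str]:
    """Return the problems found; an empty list means the URI is usable.
    Advisory findings are prefixed with 'WARN:' and do not block use."""
    problems: list[str] = []
    parts = urlsplit(uri)
    # Only the two ICAP schemes are meaningful for a receiver URI.
    if parts.scheme not in ("icap", "icaps"):
        return [f"scheme must be icap or icaps, got {parts.scheme!r}"]
    if parts.scheme == "icap":
        problems.append("WARN: icap:// carries transaction content unencrypted; "
                        "prefer icaps:// outside of debugging")
    # Host must be an IP address or an FQDN (a load balancer name is fine too).
    host = parts.hostname
    if not host:
        problems.append("host is missing")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not FQDN_RE.match(host):
                problems.append(f"host {host!r} is neither an IP address nor an FQDN")
    # A port is mandatory and must be the one the firewall accepts ICAP on.
    try:
        port = parts.port  # raises ValueError when present but not numeric/in range
    except ValueError:
        port = None
    if port is None:
        problems.append("port number is missing or invalid")
    elif port != firewall_port:
        problems.append(f"port {port} does not match firewall port {firewall_port}")
    # The servicepath (for example reqmod) tells the DLP server which direction it inspects.
    if not parts.path.strip("/"):
        problems.append("servicepath is missing (for example /reqmod)")
    return problems


def is_usable(uri: str, firewall_port: int) -> bool:
    """True when only advisory (WARN:) findings, or none at all, were reported."""
    return all(p.startswith("WARN:") for p in check_receiver_uri(uri, firewall_port))
```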