Configuring ProxySG to work with Symantec CAS and Symantec DLP
Purpose
The purpose of this document is to help others successfully integrate CAS and DLP with ProxySG. This article will help you configure a certificate from your CAS, import it into ProxySG and configure ICAP services for CAS and DLP. CAS will be configured to use ICAP Response Mode and DLP will use Request Mode. The article will also help you configure policies so that content is scanned both leaving and entering your network.
Environment
The environment used in this scenario is as follows:
- SWG version SGOS 6.6.4.2 Blue Coat SG-VA Series
- CAS – Symantec Content Analysis Version 2.3.1.2
- Symantec DLP 15, 3-tier installation, using Web Prevent
- Windows 7 virtual PC with Internet Explorer configured to use ProxySG
- Eicar.com for CAS testing
- DLPTEST.com for DLP Testing
Contents
- Steps to configure Internet Explorer to use ProxySG
- CAS ICAP integration and Certificate creation
- CAS VPM Rules
- Create SSL Intercept Rules
- Create DLP ICAP Services
- Create DLP VPM Rules
Step 1 – SWG configuration with Internet Explorer
To test ICAP and the policies we will be creating, we need to configure Internet Explorer to use our ProxySG. To do this, perform the following steps.
1.1. Download the ‘default’ ProxySG SSL certificate. To do this, connect to your ProxySG, go to Statistics – Advanced and click on SSL.
1.2. Once you have clicked on SSL you will be presented with 3 options. Click on ‘Download a Certificate as a CA certificate’, as per screenshot below.
1.3. Once you have downloaded the certificate, copy it to your test machine and open Internet Explorer.
1.4. Click on settings and Internet Options
1.5. When the options box pops up go to the ‘Contents’ tab and then click on ‘Certificates’ as per screenshot below
1.6. Select the ‘Trusted Root Certification Authorities’ tab and press Import and select the certificate you recently downloaded from ProxySG.
1.7. Next we need to configure Internet Explorer to go through our ProxySG. To do this, click on the ‘Connections’ tab and then ‘LAN Settings’. You should get a pop-up as per the image below.
1.8. Once you have entered your proxy server details, click ‘Ok’ and then ‘Apply’. Internet Explorer has now been configured to use your ProxySG and to use the default certificate for the proxy.
We can now proceed to the next steps.
Step 2 – CAS ICAP integration and Certificate creation
2.1. On the CAS, go to Settings – ICAP – Certificate management. Either create a public certificate or download it if one has already been created.
2.2. Go to the SWG Configuration – SSL – CA Certificates – Import – copy from clipboard (open the downloaded certificate in Notepad++).
2.3. After creating the CA, go to the CA cert list and add the certificate you have just imported. Give it a name, click Ok and then Apply. As per image below: blue is step 1, red is step 2 and black is step 3.
2.4. Go to Device Profiles – New. Give the profile a name, select TLS 1.2 & 1.1 and, for the CCL, choose the certificate you have just imported. Click Ok and then Apply, as per image.
2.5. Go to Content Analysis and add an ICAP service: click New, name your ICAP service, then click Save and Apply.
2.6. Edit the ICAP service and enter the details of your CAS server (Icap://ip). Select the ICAP protocols and then, using ICAP secure, use the certificate you imported in step 2.4, as per image below.
Step 3 – CAS VPM Rules
3.1. Go to configuration – Policy – visual policy manager and click launch
3.2. Click on Policy – Web Content Layer (name the layer appropriately). In Action click ‘Set’, then click ‘New’ and select ‘Perform Response Analysis’, as per image below.
A box will appear. Name the object and, in Available Services, select your ICAP server, as per image below.
Click ‘Add’, then click Ok and Ok again.
3.3. Click install policy
3.4. Go to the browser that you configured with proxy settings, go to Eicar.com and try to download the file using http. If you see the AV message, then CAS has been successfully implemented to scan http content on your SWG Proxy.
Step 4 – Create SSL Intercept Rules
4.1. Go to Configuration – Policy – Visual Policy Manager and click ‘Launch’
4.2. Click on policy - SSL intercept and name the policy accordingly
4.3. In Action right click and click ‘Set’
4.4. Click New and ‘Enable SSL Interception’. A box will pop up; name it accordingly.
4.5. Ensure that ‘Enable HTTPS Interception’ is checked and then select ‘Issuer Keyring’. In this instance, we will use the ‘default’ keyring, similar to the image below.
4.6. Click ok and ok again and then install policy.
Step 5 – Create DLP ICAP Services
5.1. Go to configuration – Content Analysis – ICAP
5.2. Create a new service by clicking ‘New’ and ‘Ok’, then ‘Apply’ the changes.
5.3. Highlight the service you just created and click ‘Edit’. A box will pop up and you will need to enter the details of your DLP ICAP server, for example Icap://10.10.10.10/REQMOD. In ICAP Service Ports use Plain ICAP Port 1344; see image below.
Click ok and then Apply.
Step 6 – Create DLP VPM Rules
6.1. Go to Configuration – Policy – Visual Policy Manager and click ‘Launch’
6.2. Select Policy – Web Access and name accordingly
6.3. We need to make a combined service. To do this, right click in Service and select ‘Set’; an Object box will pop up.
6.4. Select ‘New’ – Protocol Methods, as per image below.
6.5. An Add Methods box will pop up. Name the method appropriately, select HTTP/HTTPS as the protocol and select the following methods: POST & PUT, as per image below.
6.6. Click ‘Ok’
6.7. We now need to create a protocol method for FTP. To do this, follow step 6.4.
6.8. Once the method box pops up, name the method appropriately, select FTP for the protocol and then select STOR, as per the image below.
6.9. Click ok.
6.10. We now need to combine these 2 methods. To do this, click New and then select ‘Combined Service Object’. A box will pop up; name your service and add the 2 protocol methods you just created. See image below.
6.11. Once you have added your methods click ‘Ok’ and then ‘Ok’ again, this will add the combined service into your ‘Service’ rule
6.12. We now need to create an Action for DLP. To do this right click in the action rule and select ‘Set’ and select ‘Perform Request Analysis’ as per the image below
6.13. A box will pop up. Name the object appropriately, select your DLP ICAP service from ‘Available Services’ and add it to the ‘Selected Failover Sequence’, as per image below.
6.14. Keep the options as they are and press ‘Ok’ and ‘Ok’ again. You should now see your ICAP service in the action rule.
6.15. Install the policy and then go to the browser that you have configured to use your proxy server. Create a text file with some keywords that you have set in a DLP policy, go to dlptest.com and test uploading your test file using http. If this works, then try using https. If you have followed these instructions correctly and your DLP server is configured to use Web Prevent with your keyword policies enabled, you should get a message saying that the content is blocked.
I hope that anyone who comes across this article finds it useful/helpful. If you have any questions then please feel free to contact me.
Thanks for reading.