The customer has integrated ProxySG with Symantec's DLP solution via ICAP. The customer now wants to send the username via ICAP and have DLP do the group lookup based on the username that the Blue Coat ProxySG sends.
On the ProxySG, apply one of the policy options below to achieve this. Which option to use depends on the format in which the username should be sent to the DLP device.
Option 1: Username in the format of "Domain\Username"
<Proxy>
action.ICAP_REQMOD_User(yes)
define action ICAP_REQMOD_User
set(icap_reqmod.request.x_header.X-Authenticated-User, '$(user:encode_base64)')
end
Option 2: Username in the format of "username", i.e. without the Domain prefix
<Proxy>
action.ICAP_REQMOD_User(yes)
define action ICAP_REQMOD_User
set(icap_reqmod.request.x_header.X-Authenticated-User, '$(cs-username:encode_base64)')
end
Note: The username sent by the ProxySG is Base64-encoded.
Note: Since SGOS 7.3.4.1, new features and changes have been introduced, so additional headers are sent in ICAP requests with the existing commands:
#(config icap service_name) send authenticated-groups includes the X-SYMC-Groups header.
#(config icap service_name) send authenticated-users includes the X-SYMC-Users and X-SYMCUser-Email-Address headers.
Take this into account when adding the CPL code above. Ideally, untick "Authenticated Users" on the ICAP service.
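An added example, not part of the original article or any Symantec code: a Python check that recovers the identity from the X-Authenticated-User header set by the CPL above, covering both Option 1 ("Domain\Username") and Option 2 ("username"), for use when verifying what the DLP side actually receives. The sample request, host names and function names are constructed for illustration.

```python
import base64

HEADER = "x-authenticated-user"  # header name set by the CPL action above


def icap_headers(raw: bytes) -> dict:
    """Return the ICAP headers (lower-cased names) of a raw ICAP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the REQMOD request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def authenticated_user(raw: bytes):
    """Decode X-Authenticated-User into (domain, username).

    domain is None when the bare username was sent (Option 2).
    Returns None when the header is absent.
    """
    value = icap_headers(raw).get(HEADER)
    if value is None:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError as exc:  # bad Base64 or undecodable bytes
        raise ValueError("X-Authenticated-User is not valid Base64 text") from exc
    domain, sep, user = decoded.rpartition("\\")
    return (domain or None, user) if sep else (None, decoded)


def sample_request(identity: str) -> bytes:
    """Build a constructed REQMOD request carrying the encoded identity."""
    token = base64.b64encode(identity.encode("utf-8")).decode("ascii")
    http = b"GET http://www.example.test/ HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    icap = (
        "REQMOD icap://dlp.example.test/reqmod ICAP/1.0\r\n"
        "Host: dlp.example.test\r\n"
        f"X-Authenticated-User: {token}\r\n"
        f"Encapsulated: req-hdr=0, null-body={len(http)}\r\n\r\n"
    ).encode("latin-1")
    return icap + http


if __name__ == "__main__":
    print(authenticated_user(sample_request("EXAMPLE\\jdoe")))  # Option 1
    print(authenticated_user(sample_request("jdoe")))           # Option 2
```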