Operation of the Messaging Gateway DLP Bypass feature



Article ID: 161883


Products

Messaging Gateway

Issue/Introduction

When implementing the Data Loss Prevention (DLP) integration in Messaging Gateway (SMG), the DLP Bypass feature allows Messaging Gateway to deliver messages outbound when specific failures occur while attempting to hand messages to DLP for processing. This prevents the accumulation of delayed messages on the SMG appliance in situations where the DLP infrastructure is either unreachable or may be overloaded.

Resolution

DLP Bypass is triggered only under the following conditions:

  • SMG cannot establish a TCP connection to the DLP host and port configured in Content->DLP Connect for any reason, including the following:
    • DLP Servers are offline
    • No IP route to DLP is available
    • Firewall rules prevent a TCP connection to the configured host and port
    • DLP servers are running but not listening to the configured TCP port
  • A TCP connection is established to a configured DLP host but the SMTP session times out and no other configured DLP server can be connected to via TCP as mentioned above.

The following conditions will not trigger DLP Bypass:

  • SMG can establish a TCP connection to the DLP host / hosts but the application level SMTP connection is deferred. This results in the message being queued on SMG for redelivery to DLP at a later time.
  • Email delivery to DLP results in an SMTP 4xx level response from the DLP server to any part of the SMTP conversation. This results in the message being queued on SMG for redelivery to DLP at a later time.
  • Email delivery to DLP results in an SMTP 5xx level response from the DLP server to any part of the SMTP conversation. This results in the message being bounced, i.e. removed from the SMG queue and a delivery status notification sent to the sender.
  • A TCP connection is established to a configured DLP host but the SMTP session times out, and another configured DLP host can be connected to via TCP.
  • Transport Layer Security (TLS) secured delivery to DLP is required but a TLS session cannot be negotiated between SMG and DLP
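The two triggering conditions above both sit below the SMTP application layer: either the TCP connection never comes up, or it comes up and the SMTP session produces no banner before the timeout. An administrator who wants to know in advance whether SMG is about to start bypassing DLP (and therefore delivering unscanned mail) can probe the configured DLP hosts the same way. The following is an added example written for this article, not Symantec or Broadcom code and not part of the SMG product. It classifies each DLP host as TCP-unreachable, SMTP-timeout, SMTP-OK or SMTP-unexpected, then applies the article's bypass rule across all hosts. The hostnames, the simulated DLP listeners and the port numbers are constructed for the demo; the probe does not model 4xx/5xx responses or TLS negotiation, which the article states never trigger bypass.

```python
import socket
import threading
import time


def classify_dlp_host(host, port, connect_timeout=3.0, banner_timeout=5.0):
    """Probe one DLP host the way the bypass logic cares about.

    Returns one of:
      'tcp-unreachable' - no TCP connection (offline, no route, firewalled,
                          or nothing listening): a bypass trigger on its own
      'smtp-timeout'    - TCP connects but no SMTP banner within the timeout:
                          a bypass trigger only if no other host accepts TCP
      'smtp-ok'         - a 220 banner arrived: DLP is reachable, no bypass
      'smtp-unexpected' - something other than a 220 banner arrived
    """
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except OSError:
        return "tcp-unreachable"
    with sock:
        sock.settimeout(banner_timeout)
        try:
            banner = sock.recv(512)
        except OSError:  # socket.timeout is an OSError subclass
            return "smtp-timeout"
        if banner.startswith(b"220"):
            try:
                sock.sendall(b"QUIT\r\n")
            except OSError:
                pass
            return "smtp-ok"
        return "smtp-unexpected"


def bypass_expected(results):
    """Apply the article's rule to the classifications of all configured hosts.

    Bypass fires when no host accepts TCP, or when the only host that accepts
    TCP times out at the SMTP level.  If any other host can be connected to
    via TCP, the message is queued for redelivery instead.
    """
    tcp_reachable = [r for r in results if r != "tcp-unreachable"]
    if not tcp_reachable:
        return True
    return len(tcp_reachable) == 1 and tcp_reachable[0] == "smtp-timeout"


# --- constructed local stand-ins for DLP hosts, used only by the demo ---

def _start_sim_server(handler):
    """Listen on an ephemeral loopback port and hand each connection to handler."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, port


def _banner_handler(conn):
    """Healthy DLP listener: greets with a 220 banner (constructed hostname)."""
    with conn:
        conn.sendall(b"220 dlp-sim.example.test ESMTP ready\r\n")
        try:
            conn.recv(128)
        except OSError:
            pass


def _silent_handler(conn):
    """Overloaded DLP listener: accepts TCP but never sends a banner."""
    with conn:
        time.sleep(2.0)


def _unused_port():
    """Pick a loopback port with nothing listening, to simulate an offline host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Probe three simulated DLP hosts and return {name: classification}."""
    banner_srv, ok_port = _start_sim_server(_banner_handler)
    silent_srv, silent_port = _start_sim_server(_silent_handler)
    dead_port = _unused_port()
    hosts = (("dlp-ok", ok_port), ("dlp-silent", silent_port), ("dlp-dead", dead_port))
    results = {}
    for name, port in hosts:
        results[name] = classify_dlp_host("127.0.0.1", port,
                                          connect_timeout=1.0, banner_timeout=0.5)
    banner_srv.close()
    silent_srv.close()
    return results


if __name__ == "__main__":
    probe = run_demo()
    for name, verdict in probe.items():
        print(f"{name}: {verdict}")
    print("bypass expected:", bypass_expected(list(probe.values())))
```

Run the probe from a host on the same network path SMG uses to reach DLP; a result of `tcp-unreachable` for every configured host, or `smtp-timeout` for the only host that accepts TCP, means the next outbound message SMG processes will be delivered without DLP inspection.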