Integrate Secure Access with On-Premises DLP Using Secure ICAP

Available Languages

Download Options

  • PDF     (77.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (148.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (128.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 22, 2025
Document ID:225253

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

This document describes how to integrate Secure Access with on-premises Data Loss Prevention (DLP) servers using Secure ICAP.

Overview

You can integrate Umbrella with your on-premises DLP solution for centralized event management and remediation workflows. This integration uses Secure ICAP (Internet Content Adaptation Protocol) to forward HTTP/S traffic that violates DLP policies to your on-premises DLP server for further analysis.

Integrate Secure Access with On-Premises DLP Servers

  • Integration uses Secure ICAP, which securely transfers HTTP/S traffic that violates DLP policies to your on-premises DLP server for additional inspection.
  • Secure ICAP encrypts traffic using TLS and authenticates your DLP server with a certificate uploaded in the Umbrella dashboard.
  • Restrict inbound firewall rules to allow only traffic from Umbrella IP addresses to your DLP server’s ICAP port for enhanced security.

Required IP Addresses to Allow

Add these Umbrella IP addresses to your firewall to allow Secure ICAP traffic:

  • 50.18.191.74
  • 54.153.85.86
  • 54.90.48.200
  • 3.234.7.118

Enable Secure ICAP Integration

  1. Onboard your on-premises DLP server:

    • In the Umbrella dashboard, go toAdmin > Authentication > ICAP.
    • Upload the DLP server certificate to enable Secure ICAP.

    *Disclaimer : Text extracts can be incorrect, here are alerts based on extracted text potential public FQDN : icap.domain

  2. Configure Realtime DLP rules to forward traffic to the on-premises DLP server:

    • In the rule configuration, use theICAPsection to enable forwarding.
    • All Realtime DLP active rules are enabled by default.

secure icap

Data Sent to On-Premises DLP Server

  • Umbrella sends the entire HTTP/S message (body and headers) to the on-premises DLP server.
  • Custom headers are included:
    • X-Authenticated-User:User identity
    • X-Authenticated-Groups:User group identity
    • X-Client-IP:Client IP address

Supported Violation Events

Both monitored and blocked Realtime DLP violation events are sent over Secure ICAP.

Enable ICAP on Your DLP Server

Consult your DLP solution documentation and support to enable the embedded ICAP server. If only ICAP (not Secure ICAP) is supported, deploy a TLS termination component (such as Stunnel) in front of your On-Premises DLP server to enable Secure ICAP.

Related Resources

Refer to Umbrella documentation for additional guidance: Manage Secure ICAP 

Revision History

Revision Publish Date Comments
1.0
22-Oct-2025
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • TAC

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products