Netskope Help

Azure Virtual Desktop

This document contains the best practices required in Azure Virtual Desktop and Netskope Client to ensure smooth interoperability.

Supported operating systems: Windows 10 and 11.

Specific configurations in the Netskope webUI ensure that processes or traffic from either application are not blocked or directed to the Netskope Cloud.

Configurations In Netskope Client

While installing the Netskope Client in Azure Virtual Desktop, configure the following exceptions in the steering configuration to ensure proper functioning of the virtual desktop.

Configure Destination Location Exception

Destination Location exception bypasses traffic sent to specific destinations as defined in the network location profile.

When you configure the steering configuration, exclude certain URLs so that your Azure Virtual Desktop resources remain accessible at all times. Refer to Azure IP Ranges and Service Tags. You can convert the URL list into a .csv file and upload it in Exceptions.

Note

Microsoft updates the URL list every week. Make sure you update your list accordingly.

To create a Network Location object:

  1. Log in to your Netskope webUI and go to Policies > Network Location (under Profiles).

  2. In the Network Location page, click New Network Location and select Multiple Objects.

  3. In the Upload Network Locations pop-up window, select the .csv file (max size 8 MB) with the list of destination addresses. The .csv file must have entries in the following format: [Net Location Name], [IP Address 1], [IP Address 2], , , For example, Location1, 11.2.3.4, 12.3.5.125/16.

  4. Click Upload to complete the process.
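
As an added example (not Netskope or Microsoft code), the following Python converts a Service Tags JSON document into the .csv layout from step 3 and reports which prefixes changed between two weekly exports, so each newly bypassed range can be reviewed before upload. The JSON layout, the WindowsVirtualDesktop tag name, the IPv4-only filter and the sample prefixes are assumptions made for this example.

```python
import ipaddress

MAX_UPLOAD_BYTES = 8 * 1024 * 1024  # upload limit stated in step 3

# Constructed sample in the assumed layout of the Service Tags JSON download
# (documentation-range addresses, not real Azure prefixes).
SAMPLE_SERVICE_TAGS = {
    "values": [
        {"name": "WindowsVirtualDesktop",
         "properties": {"addressPrefixes": [
             "198.51.100.0/24", "203.0.113.16/28", "2001:db8::/48", "not-a-prefix"]}},
        {"name": "Storage",
         "properties": {"addressPrefixes": ["192.0.2.0/25"]}},
    ],
}


def build_network_location_csv(service_tags, tag_names):
    """Return (csv_text, rejected): one '[name], [ip], ...' row per selected tag."""
    lines, rejected = [], []
    for entry in service_tags["values"]:
        if entry["name"] not in tag_names:
            continue  # keep the bypass list limited to the tags you need
        row = [entry["name"]]
        for prefix in entry["properties"]["addressPrefixes"]:
            try:
                net = ipaddress.ip_network(prefix, strict=False)
            except ValueError:
                rejected.append(prefix)  # malformed entry: do not upload it
                continue
            if net.version != 4:  # assumption: IPv4 only, as in the page's example
                rejected.append(prefix)
                continue
            row.append(str(net))
        if len(row) > 1:
            lines.append(", ".join(row))
    text = "\n".join(lines) + "\n"
    if len(text.encode("utf-8")) > MAX_UPLOAD_BYTES:
        raise ValueError("CSV exceeds the 8 MB upload limit")
    return text, rejected


def diff_prefixes(old_csv, new_csv):
    """Return (added, removed) prefixes between two weekly exports."""
    def cells(text):
        return {c.strip() for line in text.splitlines() for c in line.split(",")[1:]}
    old, new = cells(old_csv), cells(new_csv)
    return sorted(new - old), sorted(old - new)
```

Every prefix in the uploaded file is exempt from steering, so review the `added` list from `diff_prefixes` and the `rejected` list before replacing the previous week's file.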

To create Destination Location exception:

  1. Go to Steering Configuration and select a configuration.

  2. In the EXCEPTIONS tab, click the NEW EXCEPTION drop-down list and select Destination Location.

  3. In the New Exception pop-up window, select the Network Location profile from the list.

  4. Click ADD to complete the process.

Configure Certificate Pinned App Exception

To add Azure Virtual Desktop as a Certificate Pinned Application on the Netskope UI:

  1. Go to Settings > Security Cloud Platform > Steering Configuration.

  2. Click Default tenant config to leverage the default configurations, or click NEW CONFIGURATIONS to create a new steering configuration.

  3. On the configuration page, click EXCEPTION > NEW EXCEPTION > Certificate Pinned Applications.

  4. In the New Exception window, do the following:

    1. From Certificate Pinned App, select the application. To add a new certificate pinned application in the New Certificate Pinned Application window, do the following:

      • Application Name: Enter the name of the application.

      • Platform: Select the operating system where the application is managed.

      • Definition: Provide the processes and .exe(s) list that you want to bypass. Here, add the following processes:

        • WindowsAzureGuestAgent.exe: Azure VM Agent service

        • WaAppAgent.exe: Azure RD Agent service

        • WindowsAzureNetAgent.exe: Azure Network Agent service

        • WindowsAzureTelemetryService.exe: Azure Telemetry Service

        • metricsextension.native.exe: Azure Monitor Agent

        • rdagentbootloader.exe: Azure Agent Bootloader

    2. From Custom App Domains, add * to bypass all the domains.

    3. From Actions, select Bypass for Windows.

    4. Click ADD.

Netskope Client Features

Refer to the list of validated use cases to verify Client operations.