Netskope Help

Configure an Upstream Proxy

The appliance requires a connection to port 443 on config-<tenant hostname>.goskope.com and messenger-<tenant hostname>.goskope.com for management connectivity. If an upstream proxy is deployed in the network, and the port 443 traffic needs to be routed via a proxy, configure the proxy hostname and port. You can also set up authentication to manage the traffic that is sent to your proxy server.

Note

The domain names shown above and below apply to release 46 and higher. Using version 46 and later requires using the new domain names. For deployments on release 45 or lower, use config.goskope.com and messenger.goskope.com.

  1. To configure a proxy, enter these commands at the configuration prompt:

    nsappliance(config)# set management-plane upstream-proxy-server hostname 10.136.210.17
    nsappliance(config)# set management-plane upstream-proxy-server port 8080
    nsappliance(config)# set management-plane upstream-proxy-server username <user-name>
    nsappliance(config)# set management-plane upstream-proxy-server password <password>
    Password: 
    Confirm password:
    nsappliance(config)# save 

    You can setup authentication with your proxy only if the appliance is running in OPLP and/or CDPP modes.

    If the proxy is configured to intercept SSL traffic, then you need to allowlist the traffic to config-<tenant hostname>.goskope.com and messenger-<tenant hostname>.goskope.com.

    It is also important to note that KMIP Forwarder tunnels KMIP traffic using SSH, which requires direct connectivity to remotesvc-<tenant hostname>.goskope.com on port 22 and can't be proxied at this time.

    Note

    The domain name shown above applies to release 46 and higher. For deployments on release 45 or lower, use remotesvc.goskope.com.

  2. To save the proxy configuration, enter save at the configuration prompt.