Netskope Help

Configure Client Prelogon Connectivity

This article explains how to enable prelogon for Windows endpoints so that they can access resources before a user authenticates to the Windows endpoint. This functionality is commonly used to reach domain controllers, allowing Windows endpoints to update and/or reset expired passwords. The following instructions assume NPA has been set up correctly and already provides reachability to the AD domain controller (DC).

There are two contexts in which an endpoint can establish a tunnel to NPA using the Netskope Client:

  • In the prelogon context, the user has not yet authenticated to the Windows endpoint. The prelogon user is used to authenticate the device itself to NPA to facilitate limited access to resources.

  • In the user tunnel context (sometimes referred to as postlogon), the user has authenticated to the Windows endpoint and logged on. The Netskope Client seamlessly assumes this authentication and evaluates all subsequent user-generated traffic against user policies.

Important

Before enabling prelogon, review existing access policies to prevent overexposure. Do not use a source of any user (all users) in a policy, as that overexposes the policy's resources to the prelogon user as well.

Prerequisites

The requirements for using prelogon authentication are:

  • The IP address of the domain controller (or of each domain controller, if there are several) must be configured. The wildcard domain definition should be configured to provide full access to the domain for the specified ports/protocols.

  • Access to a Windows Endpoint with permissions to install the Client.

  • To fully support Windows Domain services, specific protocols and ports are recommended. We also recommend enabling the Use Publisher DNS feature. This feature makes Clients resolve DNS from the Publisher's location in the network, so they resolve names as if they were present locally on the network. To configure DNS and use specific protocols and ports, follow these instructions.

    The Private App configuration takes the IP previously resolved by the DNS lookup and steers based on that IP. Provide all of the possible Domain Controllers' IPs in the Private App configuration. You can also specify the short-form NetBIOS name here, such as DC01, but do not use the FQDN.
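The following PowerShell script is an added example, not part of the Netskope article: it enumerates every domain controller the domain registers in DNS, resolves each to the IPs you need to enter in the Private App definition, and checks TCP reachability of the standard AD ports so you can confirm the prerequisite before enabling prelogon. The domain name is a placeholder, and the port list is the usual set of AD ports rather than a list taken from Netskope documentation.

```powershell
# Added example (not from the Netskope article): list the domain's DCs via the
# _ldap._tcp.dc._msdcs SRV record, resolve their IPs for the Private App
# definition, and test TCP reachability of common AD ports through the tunnel.
# Assumptions: run on a Windows host that can resolve the domain (for example
# with Use Publisher DNS enabled); $Domain is a placeholder you replace.
param(
    [string]$Domain = "corp.example.com",                      # placeholder domain
    [int[]]$Ports   = @(53, 88, 135, 389, 445, 464, 636, 3268)  # standard AD ports (TCP only)
)

# Every DC registers itself under this SRV record; NameTarget is the DC FQDN.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    # Resolve each DC to its A record(s): these are the IPs the Private App needs.
    $ips = (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }).IPAddress
    foreach ($ip in $ips) {
        foreach ($port in $Ports) {
            # Test-NetConnection only exercises TCP; UDP Kerberos/DNS are not covered here.
            $ok = (Test-NetConnection -ComputerName $ip -Port $port `
                       -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ DC = $dc; IP = $ip; Port = $port; Reachable = $ok }
        }
    }
}

# Unique DC IPs to enter in the Private App definition.
$results | Select-Object -ExpandProperty IP -Unique | ForEach-Object { "DC IP: $_" }

# Any DC/port combination that is not reachable needs attention before prelogon is enabled.
$results | Where-Object { -not $_.Reachable } | Format-Table DC, IP, Port -AutoSize
```

Run it from an elevated PowerShell session once the Client has established a tunnel; an empty failure table means every listed DC IP is reachable on the tested ports.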

Use Cases

Purposes for using prelogon authentication include:

  • Enable a first time user on Windows to join a domain as well as reset their password.

  • Enable a PC to immediately mount network drives after boot up.

  • Provide Always On Security, even when a user is not logged in.

Workflow

To use Prelogon authentication:

  1. Create or use a steering configuration.

  2. Configure the Netskope Client.

  3. Create a local user.

  4. Create Real-time protection policies.

Confirm the Steering Configuration for Prelogon Authentication

For the Netskope Client to steer traffic destined for Private Apps and servers, such as a domain controller, the correct steering method must be applied. If a configuration is already present and globally applicable, it can be modified by selecting the Edit button at the top right. Note that any change to this configuration impacts user traffic, limited to the scope of users/groups configured for these changes. We recommend limiting the scope of such changes in production environments. Ensure that the Client is configured to steer private apps:

  1. Go to Settings > Security Cloud Platform > Steering Configuration and open or create the configuration to be used for Prelogon Authentication.

    [Image: NPA-Prelogin-Steering.png]
  2. Confirm the user/user group.

  3. Enable Steer Private Apps and specify that the Netskope Client will steer private apps.

  4. Click Save.

Configure the Netskope Client for Prelogon Authentication

After completing the above steps and verifying that the Client is able to authenticate successfully, tune the Client configuration to meet the use case and user experience requirements of the environment in which it is being deployed.

The Client Configuration allows the Netskope cloud to push updated Client versions and behaviors to endpoints transparently. Prelogon functionality requires R94 or later.

  1. Go to Settings > Security Cloud Platform > Devices and click Client Configurations in the top right. Open or create the Device configuration to be used for Prelogon Authentication.

  2. Select the Traffic Steering tab to set Client behaviors regarding traffic handling. This is also where you enable prelogon and, if device certificate authentication is preferred, upload a PEM file containing the CA certificate used to authenticate Clients.

    Note

    To use PKI, additional work is required outside of the Netskope Admin Console. Each device authenticating to a Client Configuration with PKI enabled must have a device certificate available.

  3. Enable the Prelogon for Private Apps option.

    [Image: NPA-Pre-Logon-Client.png]
  4. Enter a prelogon username. Note the email address, which always ends with @prelogon.netskope.com. This is used to create a local user for prelogon in the next section.

  5. To use a device certificate authority (CA), click Select File to upload the CA certificates in PEM format.

  6. To validate the device certificate against a Certificate Revocation List (CRL), enable Validate URL. The URL used to validate the device certificate is taken from the CA certificate.

  7. Enable Start Prelogon tunnel when user tunnel disconnects. This enables the Client to always try to re-establish the prelogon tunnel when the user tunnel switches from connected to disconnected, even when the user disables the Client.

    Note

    If you enable this option, users will not be able to fully disable the Client while prelogon is in use. To allow users to fully disable the Client, leave this box unchecked.

  8. Click Save.

Create a Real-time Protection Policy for Prelogon Traffic

Add the local user that will be used for prelogon to a Real-time Protection policy, and ensure that user has access to the private app defined previously. This will ensure the prelogon user can join the domain prior to the user’s successful authentication against the Netskope cloud.

  1. Go to Policies > Real-time Policies and select Private App Access from the New Policy dropdown list.

  2. For Source, select the user(s) with @prelogon.netskope.com in the email address, and use Client for the Access Method.

  3. For Destination (Private App is preselected), select the private app for prelogon users from the dropdown list.

  4. For Profile and Action, use Allow.

  5. For Set Policy, enter a policy name.

  6. Click Save.

[Image: NPA-User-Policy.png]
Create a Real-time Protection Policy for User Tunnel Traffic

After prelogon is enabled, a device tunnel is established leveraging the local user configured in Netskope and deployed with the Client. When the user logs into the Windows machine, the user credentials are carried over and then applied so subsequent traffic traverses the user tunnel, under the assumed authentication of the user that has logged into the endpoint. This seamless transition allows users to receive additional access beyond their prelogon state, by enforcing a separate set of policies tied to the user’s domain authentication. An example of such a policy is illustrated below, with the additional access to PrivateAppTest being granted to two domain-joined users.

  1. Go to Policies > Real-time Policies and select Private App Access from the New Policy dropdown list.

  2. For Source, select the users and use Client for the Access Method.

  3. For Destination (Private App is preselected), select the private apps for user tunnel traffic from the dropdown list.

  4. For Profile and Action, use Allow.

  5. For Set Policy, enter a policy name.

  6. Click Save.

[Image: NPA-Users-Policy.png]