Netskope Help

Configure the KMIP Forwarder

Now that the Virtual Appliance has been deployed, it's time to configure it:

  1. In the VM, open the console view.

  2. Log into the VM using the credentials nsadmin/nsappliance

  3. When you first log in, the system shell opens.

    1. To configure the Secure Forwarder as a KMIP Forwarder, you need to access the Netskope shell. Enter nsshell at the command prompt. The prompt changes to sforwarder>

    2. At the sforwarder> prompt, enter configure to go into the configuration mode.

Configure the Interface

At this point you have a valid Secure Forwarder that has an identity. You now have to configure two aspects of this virtual appliance: interface configuration and DNS settings that steer cloud app traffic to your tenant instance in the Netskope cloud

In the sample network below, Secure Forwarder's client-facing interface, dp1, is connected to the subnet. The interface configuration uses IP ranges within the subnet for accepting client traffic. The Secure Forwarder management plane (mp) interface will be assigned the IP in the management subnet, and its egress interface, dp2, will be assigned the IP in the subnet


Issue the following commands to configure the IP addresses:


You can also use the show interface command to verify the configuration.

set interface mp ip 172.32 .0.2
set interface mp netmask
set interface mp gw
set interface dp1 ip .1.60,,,
set interface dp1 netmask
set interface dp1 gw
set interface dp2 ip
set interface dp2 netmask
set interface dp2 gw

Do note that the dp1 interface IP address can either be a full /24 block of IPs, or you can also assign non-contiguous IP addresses and/or IP address range. Example above shows the non-contiguous IP address and IP address range assigned for dp1.

Configure the DNS Server
  1. Configure the IP address the KMIP Forwarder uses to listen for DNS requests. This address is the first address specified for the dp1 interface IP. If an IP range was specified for dp1, use the first IP address in that range (in canonical order), or use dp1 's IP.

    set dataplane proxy-mode dns listener-ip
  2. Configure the address and/or address-range Secure Forwarder uses for DNS responses for cloud app domains. This address and/or address-range will be the same as that specified for the dp1 interface IP.

    set dataplane proxy-mode dns application-ips,,,
  3. Configure Secure Forwarder's default client traffic listener IP. This address is the first address configured on the dp1 interface.

    set dataplane proxy-listener-ip
  4. Enable DNS service on Secure Forwarder.

    set dataplane proxy-mode dns enable true
  5. Configure the primary upstream DNS Server in the network.

    set dns primary <primary upstream dns server>
    set dns secondary <secondary upstream dns server>
Configure the Console

The final step to connect this KMIP Forwarder on the network is to enter Save to activate the configuration.

Now try connecting to virtual appliance with an SSH client (like PuTTy for Windows). If successful, close the console by entering exit three times (one to exit configuration mode, one to exit the nsshell, and one to exit the Linux shell).

All further configuration should be performed over SSH.

Configure the System

First you need to install the tenant license key. You can get the license key from Settings > Security Cloud Platform > On-Premises Infrastructure next to where you download the OVA package.

  1. Copy the license key.

  2. Install the license key with the command: set system licensekey <licensekey>.

  3. Next, configure the system hostname. Set the hostname type with the command: set system hostname <hostname>.

Configure the KMIP

To complete the configuration, there are three KMIP specific settings that need to be configured. To do so, enter these commands:

set kmip-server enable true
set kmip-server hostname <key manager's hostname or IP address>
set kmip-server port <key manager's KMIP server port>
Configure a Proxy

The KMIP Forwarder requires a connection to port 443 on config-<tenant hostname> and messenger-<tenant hostname> for management connectivity. If an explicit proxy is deployed in the network, and the port 443 traffic needs to be routed via a proxy, configure the proxy hostname and port.


The domain names shown above and below apply to release 46 and higher. Using version 46 and later requires using the new domain names. For deployments on release 45 or lower, use and

  1. To configure a proxy, enter these commands at the configuration prompt:

    set management-plane upstream-proxy-server hostname <hostname or IP-address>
    set management-plane upstream-proxy-server port <proxy-port-number>

    If the proxy is configured to intercept SSL traffic, then you need to allowlist the traffic to config-<tenant hostname> and messenger-<tenant hostname>

    It is also important to note that KMIP Forwarder tunnels KMIP traffic using SSH, which requires direct connectivity to remotesvc-<tenant hostname> on port 22 and can't be proxied at this time.


    The domain name shown above applies to release 46 and higher. For deployments on release 45 or lower, use

  2. To save the proxy configuration, enter save at the configuration prompt.

Verify the Connection

To verify KMIP Forwarder successfully connected to the Netskope cloud, go to Settings > Security Cloud Platform > On-Premises Infrastructure. Scroll down the page until you see KMIP displayed beside your Serial Number. Last Seen shows the last time your KMIP Forwarder connected to the Netskope cloud.


It takes few minutes to refresh the status in the UI.

Finish the Configuration

At this point the KMIP Forwarder virtual appliance is fully configured. All further configuration will be done in the Netskope tenant instance.

Make sure you save the configuration before leaving the nsshell and closing the ssh connection.

Enter save to activate the configuration, and then close the console by entering exit three times (one to exit configuration mode, one to exit the nsshell and one to exit the Linux shell).

High Availability Considerations

In order to ensure redundancy, two Virtual Appliances should be configured as KMIP Forwarders. Please note there is no special configuration required to enable HA. In case of the active Secure Forwarder service failure or network unavailability, another Secure Forwarder will take over and re-establish the connection with the Netskope Cloud and will relay any new incoming connection to the Key Manager. It is recommended to have at least two KMIP forwarders running on different infrastructure, different ESX hosts at a minimum and geographically dispersed if possible, to maximize resiliency.

Configure the Tenant Instance

The final steps required to enable the On Premises Key Management option should be performed using you tenant instance Web Interface, specifically on the On-Premises Infrastructure page. Go to the On-Premises Infrastructure page by following these steps:

  1. Log in to your Netskope tenant.

  2. Go to Settings > Security Cloud Platform > On-Premises Infrastructure.

  3. Scroll down the page and look for your Name or Serial Number. Adjacent to that, if you see KMIP in the Configuration column, the KMIP Forwarder is connected in the Netskope tenant.

Install KMIP Certificates

Finally, the KMIP client and CA certs required for the Netskope cloud to authenticate and validate the key manager must be uploaded. Go to Settings > Security Cloud Platform > On-Premises Infrastructure, and under KMIP Forwarding:

  1. Click Upload to upload the KMIP Client certificate.

  2. Click Upload to upload the KMIP Server CA certificate.

Monitor the Status

The On-Premises Infrastructure page also shows the current state of all the Secure Forwarder Virtual Appliances that have been configured as KMIP Forwarders in the Status column.