Creating a Steering Configuration
The default steering configuration (Default tenant config) applies to all users in your organization. However, if some users in your organization require a different configuration, you can create a custom steering configuration for those specific OUs or user groups. Netskope also provides options that bring more flexibility when creating a steering configuration.
Creating Steering Configuration From Version 112.0.0
With version 112.0.0, Netskope delivers the Flexible Dynamic Steering enhancement, which brings more flexibility when creating a steering configuration.
After enabling dynamic steering, Netskope recommends that you avoid disabling it, since it provides better flexibility in choosing the traffic mode and bypass options. Continuous toggling of dynamic steering can lead to the loss of exceptions in the steering configuration.
To create a custom steering configuration:
- Go to Settings > Security Cloud Platform > Steering Configuration.
- Click New Configuration. You can also click and Edit Configuration to choose one of the existing steering configurations for which you want to enable dynamic steering.
- In the Apply To window, choose whether all custom traffic steering configurations must apply to Organizational Units (OUs) or user groups. This option only appears when you create your first custom steering configuration.
- In the New Configuration window:
  - Name: Enter a name for the steering configuration. It cannot exceed 40 characters.
  - Organization Unit (OU)/User Group: Choose the OU or user group you want to steer traffic for.
- In the Traffic Steering tab:
  - Enable Dynamic Steering: Enable Netskope Client to use on-premises detection and determine if the user’s device is on-premises or off-premises. If enabled, the On-Premises and Off-Premises settings appear. When configuring, note the following:
    - You can only use dynamic steering for the OUs and user groups configured in your Netskope Client configuration.
    - To use dynamic steering, ensure you enable On-Premises Detection for your Netskope Client configuration.
      You can steer traffic for Netskope Client through the On- or Off-prem configurations in the drop-down menu.
  - You can choose one of the following steering options for On-Prem and Off-Prem:
    - Cloud Apps Only: Only steer specific cloud applications to the Netskope cloud for deep analysis. You can create exceptions and allow special accommodations for custom applications.
    - Web Traffic: Steer all web traffic (HTTP and HTTPS) to the Netskope cloud for deep analysis. You can create exceptions for traffic that has personal or private content. You must have a SWG/NG SWG license to select this option.
    - All Traffic: Steer all HTTP(S) and non-HTTP(S) traffic to the Netskope cloud for deep analysis. You must have the Cloud Firewall license to select this option.
    - None: The Client does not establish any tunnel and continues to monitor On-Prem status change. The Client establishes a tunnel if the On-Prem status changes and a tunnel is needed for the new traffic steering mode.
  - Bypass exception traffic at Netskope Client or Netskope Cloud. Choose one of the following:
    - Client – Traffic bypass on the local device.
    - Netskope Cloud – Traffic bypasses the firewall.
  - DNS traffic: Select to steer DNS traffic to the Netskope cloud for deep analysis. This option is only available for Web Traffic and All Traffic types as well as Off-Premises configurations. You must have the Cloud Firewall and DNS licenses to select this option.
  - Private Apps: Steer private apps for On-Premises and Off-Premises configurations. You can steer:
    - All Private Apps: Choose if the Netskope Client must steer or not steer when other steering modes are present, like GRE, IPSec, and Explicit Proxy.
    - Specific Private Apps: Steer specific private apps. For example, if your existing VPN is active and allows access to all on-prem apps in your private data center, you can deselect those apps and only select apps hosted in AWS, Azure, or GCP. This allows your existing VPN to provide access to on-prem apps, but Netskope Private Access can access apps in the public cloud.
      Go to App Definitions to select the private apps you want to steer with this configuration.
      Click the Private Apps tab, click for the private app, click Select Steering Config, and then choose a steering config for the app. Click Save.
  - Status: Enable or disable the steering configuration. Netskope recommends disabling until you configure the steered items and exceptions.
- In the Non-Standard Ports tab:
  - Steer non-standard ports: Allows the Netskope Client to steer web traffic (HTTP/HTTPS) on any port. Enter the ports or domains to steer. Click + New to add multiple ports. Click More to see the following options:
    - Import from CSV: Import a CSV file containing the ports and domains you want to steer.
    - Download Sample CSV: Download a sample CSV template to use to add multiple ports or domains and import the CSV file.
    - Delete All: Delete all listed ports.
  - The port number appears in the Domain, Page, and App columns on the Skope IT Page Events page.
- Click Save.
- Add steered items (i.e., applications).
- Add steering exceptions.
- Review the steering error settings.
- Click for your custom steering configuration and then Enable, Disable, or Edit Configuration.
Creating Steering Configuration Prior To Version 112.0.0
To create a custom steering configuration:
- Go to Settings > Security Cloud Platform > Steering Configuration.
- Click New Configuration.
- In the Apply To window, choose whether all custom traffic steering configurations must apply to Organizational Units (OUs) or user groups. This option only appears when you create your first custom steering configuration.
- In the New Configuration window:
  - Name: Enter a name for the steering configuration. It can’t exceed 40 characters.
  - Organization Unit (OU)/User Group: Choose the OU or user group you want to steer traffic for.
- In the Traffic Steering tab:
  - Enable Dynamic Steering: Enable Netskope Client to use on-premises detection and determine if the user’s device is on-premises or off-premises. If enabled, the On-Premises and Off-Premises settings appear. When configuring, note the following:
    - You can steer traffic for older versions of the Netskope Clients through the on- or off-prem configurations in the drop-down menu.
    - By default, the On-Premises configuration only steers Cloud apps, and the Off-Premises configuration steers all web traffic. To steer all web traffic for both on- and off-prem configurations, contact your Sales representative to enable this feature.
    - To use dynamic steering, ensure you enable On-Premises Detection for your Netskope Client configuration.
    - You can only use dynamic steering for the OUs and user groups configured in your Netskope Client configuration.
  - Cloud Apps Only: Only steer specific cloud applications to the Netskope cloud for deep analysis. You can create exceptions and allow special accommodations for custom applications. Ensure you update your Netskope Client version to 70.0.0 or later. This option is the default for new accounts.
  - Web Traffic: Steer all web traffic (i.e., HTTP and HTTPS) to the Netskope cloud for deep analysis. You can create exceptions for traffic that has personal or private content.
  - All Traffic: Steer all HTTP(S) and non-HTTP(S) traffic to the Netskope cloud for deep analysis. You must have the Cloud Firewall license to select this option. Ensure you update your Netskope Client version to 70.0.0 or later.
  - Steer private apps: Steer private apps for On-Premises and Off-Premises configurations. You can steer:
    - All Private Apps: Choose if the Netskope Client must steer or not steer when other steering modes are present, like GRE, IPSec, and Explicit Proxy.
    - Specific Private Apps: Steer specific private apps. For example, if your existing VPN is active and allows access to all on-prem apps in your private data center, you can deselect those apps and only select apps hosted in AWS, Azure, or GCP. This allows your existing VPN to provide access to on-prem apps, but Netskope Private Access can access apps in the public cloud. You must update the Netskope Client to version 82.0.0 to steer specific private apps.
    If you disabled dynamic steering, consider deselecting Steer private apps when steering Cloud Apps Only for on-prem configurations so that users aren’t steered through Netskope Private Access. When steering Cloud Apps Only for off-prem configurations or All Web Traffic, consider selecting Steer private apps to steer their traffic through Netskope Private Access.
    Go to App Definitions to select the private apps you want to steer with this configuration. Click the Private Apps tab, click for the private app, click Select Steering Config, and then choose a steering config for the app. Click Save.
  - Steer DNS traffic: Select to steer DNS traffic to the Netskope cloud for deep analysis. This option is only available for Web Traffic and All Traffic types as well as Off-Premises configurations. You must have the Cloud Firewall and DNS licenses to select this option.
  - Status: Enable or disable the steering configuration. Netskope recommends disabling until you configure the steered items and exceptions.
- In the Non-Standard Ports tab:
  - Steer non-standard ports: Allows the Netskope Client to steer web traffic (HTTP/HTTPS) on any port. Enter the ports or domains to steer. Click + New to add multiple ports. Click More to see the following options:
    - Import from CSV: Import a CSV file containing the ports and domains you want to steer.
    - Download Sample CSV: Download a sample CSV template to use to add multiple ports or domains and import the CSV file.
    - Delete All: Delete all listed ports.
    The port number appears in the Domain, Page, and App columns on the Skope IT Page Events page.
    Caution
    - Due to the macOS change to Network Extensions, non-standard ports aren’t supported in steering configurations for devices using macOS Big Sur version 11 and later.
    - Any non-standard port configured in a steering configuration applies to all the IPsec and GRE users.
    - When using Cloud Firewall with GRE/IPSec tunnels, Netskope handles any configured non-standard ports as web traffic regardless of the hostnames. If there is non-web traffic using the same port, Netskope drops the traffic. For instance, if you have configured hostname1 and port1, Netskope considers SSH traffic to hostname2:port1 as web traffic and drops it. When using non-web traffic with Cloud Firewall through GRE/IPSec, ensure you use ports that aren’t considered non-standard ports.
- Click Save.
- Add steered items (i.e., applications).
- Add steering exceptions.
- Review the steering error settings.
- Click for your custom steering configuration and then Enable Configuration.
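A pre-change check for the Caution items on non-standard ports, as an added example that is not Netskope code or a Netskope API: it flags non-web flows over GRE/IPsec whose port matches a steered non-standard port (only the port is compared, as the caution describes) and devices on macOS 11 or later. The record layouts, hostnames, ports, and device names are constructed for illustration.

```python
# Added example: lint a planned non-standard-ports list against the Caution items.
# All record layouts and sample values below are constructed for illustration.

WEB_PROTOCOLS = {"http", "https"}
TUNNEL_PATHS = {"gre", "ipsec"}


def flows_dropped_on_tunnels(steered_entries, flows):
    """Return non-web flows over GRE/IPsec that collide with a steered port.

    With Cloud Firewall on GRE/IPsec, a configured non-standard port is handled
    as web traffic for every hostname, so only the port is compared.
    """
    steered_ports = {port for _domain, port in steered_entries}
    return [
        f for f in flows
        if f["path"] in TUNNEL_PATHS
        and f["port"] in steered_ports
        and f["protocol"] not in WEB_PROTOCOLS
    ]


def macos_devices_without_support(devices):
    """Return macOS 11+ devices, where non-standard ports are not supported."""
    flagged = []
    for d in devices:
        major = int(d["os_version"].split(".")[0])
        if d["os"] == "macos" and major >= 11:
            flagged.append(d["name"])
    return flagged


# Constructed sample data (hypothetical hosts, ports, and devices).
STEERED = [("hostname1.example", 8443), ("intranet.example", 8080)]
FLOWS = [
    {"host": "hostname1.example", "port": 8443, "protocol": "https", "path": "gre"},
    {"host": "hostname2.example", "port": 8443, "protocol": "ssh", "path": "gre"},
    {"host": "db.example", "port": 8080, "protocol": "postgres", "path": "client"},
    {"host": "mq.example", "port": 5672, "protocol": "amqp", "path": "ipsec"},
]
DEVICES = [
    {"name": "mac-01", "os": "macos", "os_version": "12.6"},
    {"name": "mac-02", "os": "macos", "os_version": "10.15.7"},
    {"name": "win-01", "os": "windows", "os_version": "11"},
]

if __name__ == "__main__":
    for f in flows_dropped_on_tunnels(STEERED, FLOWS):
        print(f"will be dropped: {f['protocol']} to {f['host']}:{f['port']} via {f['path']}")
    print("no non-standard port steering:", macos_devices_without_support(DEVICES))
```

The SSH flow to hostname2.example is flagged even though only hostname1.example was configured with that port, which is the case the caution warns about.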