Netskope Private Access User Guide

Deploy a Publisher

The Netskope Private Access Publisher can be deployed on AWS, Azure, VMWare ESX, and any CentOS-based virtual machine (VM). The following sections provide instructions for each of these deployments.

The publisher needs to be deployed on the network where the private app will be accessed.

Perform these steps in the AWS console.

Launch an EC2 Instance

  1. Sign in to your Amazon Web Services (AWS) console.

  2. Click Services > Find services. Search for and then select EC2.

  3. Click Instances in the left sidebar menu.

  4. Click Launch Instance.

Choose an Amazon Machine Image (AMI)

  1. Click AWS Marketplace in the left sidebar menu.

  2. Enter Netskope in the search bar.

  3. Netskope Private Access Publisher should appear in the search results. Click Select.

Choose an Instance Type

  1. Select t3.medium as the instance type.

  2. Click Next: Configure Instance Details.

Configure Instance Details

The token you copied from the Netskope UI is needed to complete these steps.

  1. Enter 1 in the Number of instances field.

  2. Select the VPC where the application you want to publish via Netskope is deployed in the Network field.

  3. Keep the default values for the remaining fields.

  4. Click Advanced Details to expand this section.

  5. In the User data section, select the As text option.

  6. Enter the Netskope Publisher registration token into the User Data text field.

Add a Name Tag

Adding a name tag is optional, but doing so will make it easier to identify your Netskope Publisher EC2 instance.

  1. Click the Add Tags tab, near the top of the page.

  2. Click Add Tag.

  3. Enter Name in the Key field.

  4. Enter AWS US-WestWing publisher in the Value field.

  5. Click Review and Launch.

Review Instance Launch

  1. Review the information in the AMI Details and Instance Type sections.

  2. Click Launch.

  3. Select or create a key pair.

  4. Click Launch Instances.

  5. Review the information on the Launch Status page.

  6. Click View Instances.

View Instances

  1. You should now see a new EC2 instance with the name AWS US-WestWing publisher (if you completed the Add a Name Tag steps).

  2. AWS typically takes several minutes to launch an EC2 instance and run status checks. Wait until the Instance State is Running and the Status Checks have passed.

Register the Publisher

The token you copied when creating a new publisher is needed to complete these steps:

  1. SSH into the Publisher (default username: centos, default password: centos).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter.

After you have deployed the Publisher, the default login is set to centos with a default password of centos. Change this password as soon as possible to ensure a secure configuration.

Factor Firewall Rules

  1. If you have a firewall (for example, AWS security groups) between the Publisher and the application, it must be configured to allow the Publisher to reach the application.

  2. For AWS: Modify the application's security group to allow inbound connections from the Publisher on the application's ports.

    Notes on security groups:

    • A Publisher doesn't need any inbound connections. As a result, you can configure its security group to deny all inbound traffic.

    • A Publisher needs outbound access to DNS and to the Private Access cloud (on port 443).
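The two security-group notes above, written out as an AWS CLI script. This is an added example, not Netskope's code: it creates a Publisher security group with no inbound rules and outbound limited to DNS and TCP/443, then lets the application's group accept its port only from the Publisher's group (by group ID, so the rule survives an instance replacement). VPC_ID, APP_SG_ID and APP_PORT are constructed placeholders, and the 0.0.0.0/0 destinations are an assumption because the page does not list the Private Access cloud ranges.

```shell
#!/usr/bin/env bash
# Added example (not Netskope's code): AWS CLI script for the Publisher and
# application security groups described in the notes above.
set -eu

VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"        # constructed placeholder
APP_SG_ID="${APP_SG_ID:-sg-0123456789abcdef0}"   # constructed placeholder: the application's group
APP_PORT="${APP_PORT:-8443}"                     # constructed placeholder: port the app listens on
PUBLISHER_SG_NAME="${PUBLISHER_SG_NAME:-npa-publisher}"

# Outbound rules the Publisher needs: DNS (UDP and TCP 53) and the Private Access
# cloud on TCP/443. 0.0.0.0/0 is an assumption; narrow the CIDRs (for example to
# the VPC resolver for DNS) where your environment allows it.
publisher_egress_permissions() {
  cat <<'EOF'
[
  {"IpProtocol": "udp", "FromPort": 53,  "ToPort": 53,  "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "DNS"}]},
  {"IpProtocol": "tcp", "FromPort": 53,  "ToPort": 53,  "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "DNS over TCP"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Netskope Private Access cloud"}]}
]
EOF
}

# Inbound rule for the application: the app port, allowed from the Publisher's
# security group ID rather than from an IP address.
# $1 = publisher security group ID, $2 = application port
app_ingress_permissions() {
  printf '[{"IpProtocol": "tcp", "FromPort": %s, "ToPort": %s, "UserIdGroupPairs": [{"GroupId": "%s", "Description": "Netskope Publisher"}]}]' \
    "$2" "$2" "$1"
}

# A newly created group carries an allow-all egress rule; this is what gets revoked.
allow_all_egress() {
  printf '[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'
}

apply() {
  # 1. Create the Publisher group. A new group has no inbound rules, which is
  #    what the Publisher needs: it only makes outbound connections.
  pub_sg=$(aws ec2 create-security-group \
    --group-name "$PUBLISHER_SG_NAME" \
    --description "Netskope Private Access Publisher (outbound only)" \
    --vpc-id "$VPC_ID" --query GroupId --output text)
  echo "created $pub_sg"

  # 2. Replace the default allow-all egress with DNS and TCP/443 only.
  aws ec2 revoke-security-group-egress --group-id "$pub_sg" \
    --ip-permissions "$(allow_all_egress)"
  aws ec2 authorize-security-group-egress --group-id "$pub_sg" \
    --ip-permissions "$(publisher_egress_permissions)"

  # 3. Let the application accept its port from the Publisher group only.
  aws ec2 authorize-security-group-ingress --group-id "$APP_SG_ID" \
    --ip-permissions "$(app_ingress_permissions "$pub_sg" "$APP_PORT")"

  # 4. Read both groups back to confirm the rules took effect.
  aws ec2 describe-security-groups --group-ids "$pub_sg" "$APP_SG_ID" \
    --query 'SecurityGroups[].{Name:GroupName,In:IpPermissions,Out:IpPermissionsEgress}'
}

# Run with "apply" to make changes; without it the script only defines the helpers.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Attach the new group to the Publisher instance when you launch it (or afterwards with `aws ec2 modify-instance-attribute --instance-id <id> --groups <sg>`); the script does not do that for you. If the Publisher later fails to register, the egress rules are the first place to look, since the registration call goes out on TCP/443.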

Perform these steps in the Azure console.

Create a Virtual Machine (VM)

  1. Log in to the Microsoft Azure portal (https://portal.azure.com/).

  2. Click Virtual machines.

  3. Click + Add.

  4. Click See all images and then search for CentOS-based Rogue.

  5. Choose CentOS-based 7.7 by Rogue Wave Software (publisher).

  6. Select Standard D2s v3 (2 vcpus, 8 GB memory) as the size.

    Note

    B1ms is good for most small deployments.

  7. Click Create.

  8. Enter a machine name (for example, NetskopePublisher) for Name.

  9. Enter centos for Username.

  10. Copy and paste your public SSH key under SSH public key. If you do not have a public SSH key, click Generate new key pair.

  11. Choose an existing resource group, or create a new one, under Resource Group. For testing, we recommend creating a new resource group. A resource group is like a folder that holds all resources associated with the VM.

  12. Click OK.

  13. Click Select.

  14. Choose SSH for Select public inbound ports.

  15. Click OK.

  16. Click Create.

  17. Wait until the deployment has finished.

Open an SSH Session

  1. Click Virtual machines.

  2. Select the newly created VM.

  3. Find a public IP address.

  4. In a terminal on your computer, execute: ssh -i <your_private_ssh.key> centos@<ipaddress>.

Install Netskope Publisher

  1. Run this command in your SSH session:

    curl https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh | sudo bash; sudo su - $USER; exit
  2. This will take about 10 minutes. At the end of this process, you have a fully functional Netskope Publisher and can register it.

Register the Publisher

The token you copied when creating a new publisher is needed to complete these steps:

  1. SSH into the Publisher (default username: centos, default password: centos).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter.

After you have deployed the Publisher, the default login is set to centos with a default password of centos. Change this password as soon as possible to ensure a secure configuration.

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center. This includes the ability to run a Publisher in Google Cloud Platform.

This topic explains how to upload an OVA into Google Cloud Platform Storage and import it into a compute instance. Knowledge of the Netskope UI and Google Cloud Platform is required, along with:

  • A Netskope Tenant

  • A copy of your tenant REST API token

  • Netskope Publisher OVA file from your tenant

  • A Google Cloud Platform account with a working VPC setup and API permissions.

To configure a Publisher in GCP:

  1. Log in to Google Cloud Platform at https://console.cloud.google.com/.

  2. Click the menu icon in the top left and select Compute Engine and then VM instances.

  3. Click Create Instance.

  4. Enter a name for the instance, like netskope-publisher.

  5. Select a Region and Zone. For testing purposes this can be anything. In a production environment, enter the region and zone where the applications reside.

  6. Configure the instance memory and CPU settings (2 cores and 4 GB of memory is the recommended setting, but for testing purposes a smaller machine will work).

  7. Click Change under Boot disk.

  8. Select CentOS as the Operating System and CentOS 7 as the Version.  Leave the Boot disk type and Size as the defaults.

  9. Click Select.

    Note: Steps 10-13 are optional if no other route to the internet is available.

  10. Click Management, security, disks, networking, sole tenancy

  11. Click Networking.

  12. Click the pencil icon to edit the network interface.

  13. Select your Network, Subnetwork, and specify an Ephemeral external IP.

  14. Click Create to start the instance creation.

  15. Once the instance is available, connect to it by clicking SSH under the Compute Engine page.

  16. Run the following command in the SSH session to download and install the components the Publisher needs. This may take about 10 minutes.

    curl https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh | sudo bash; sudo su - $USER; exit
  17. At the end of this process, you have a fully functional Netskope publisher and can register it with Netskope.

  18. When prompted for a menu choice, select Register.

  19. When requested, enter the Netskope registration token and press Enter.

These instructions assume that the CentOS user is configured and available on a default CentOS installation. Use an account other than root, and not named centos. Otherwise, this configuration will not work.

The token you copied when creating a new publisher is needed to complete these steps:

  1. Start with a CentOS 7-based Linux VM.

  2. SSH into the CentOS-based system. 

  3. Run the command:

    curl https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh | sudo bash; sudo su - $USER; exit
  4. Wait about 10 minutes.

  5. At the end of this process, you have a fully functional Netskope publisher and can register it with Netskope.

  6. When prompted for a menu choice, select Register.

  7. When requested, enter the Netskope registration token and press Enter.

Download the VHDX file, and then perform these steps in the Hyper-V console.

If you want to validate the integrity of the VHDX, you can download the SHA hash from here.

  1. Launch the Microsoft Hyper-V Manager and select Action > New > Virtual Machine....

  2. Enter a VM Name (like NPA Publisher), optionally an installation location, and then click Next.

    Tip

    Name the Publisher to describe its location and/or application use.

  3. Leave Generation 1 selected and click Next.

  4. Specify the amount of memory for the NPA Publisher (2048 MB is recommended for most use cases) and click Next.

  5. Select a network adapter with Internet access to attach to the NPA Publisher, and click Next.

  6. Select Use an existing virtual hard disk and then Browse to the downloaded VHDX file. When finished, click Next.

  7. Confirm the Hyper-V Wizard configuration options and click Finish.

  8. Now you can Start your NPA Publisher in Hyper-V.

  9. Get the IP address shown in the Hyper-V Manager, and use it to SSH into the Publisher and configure its network settings.

Register the Publisher

The token you copied when creating a new publisher is needed to complete these steps:

  1. SSH into the Publisher (default username: centos, default password: centos).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter.

After you have deployed the Publisher, the default login is set to centos with a default password of centos. Change this password as soon as possible to ensure a secure configuration.

The token you copied when creating a new publisher is needed to complete these steps:

  1. Download the OVA from the Publisher page in the Netskope UI. Go to Settings > Security Cloud Platform > Publishers and click Publisher OVA.

  2. If you want to validate the integrity of the OVA, you can download the SHA hash from here.

  3. Install this OVA into your ESXi machine.

  4. SSH into the publisher (default username: centos, default password: centos).

  5. When prompted for a menu choice, select Register.

  6. When requested, enter the Netskope registration token and press Enter.

After you have deployed the Publisher, the default login is set to centos with a default password of centos. This password should be changed as soon as possible to ensure a secure configuration.
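Both the Hyper-V steps (the VHDX) and the ESXi steps above (the OVA) mention validating the downloaded image against a published SHA hash. The script below is an added example, not Netskope's own tooling, of doing that check before importing the image: it assumes the hash file holds a SHA-256 hex digest (either bare, or in `<digest>  <filename>` form as sha256sum writes it), since the page says only "SHA hash"; if the download uses a different algorithm, set DIGEST_CMD accordingly.

```shell
#!/usr/bin/env bash
# Added example (not Netskope's code): verify a downloaded Publisher image
# (OVA or VHDX) against its published hash before importing it.
set -eu

# Assumed algorithm: SHA-256. Override, e.g. DIGEST_CMD=sha512sum, if the
# published hash uses another one.
DIGEST_CMD="${DIGEST_CMD:-sha256sum}"

# Extract the hex digest from a hash file that is either a bare digest or in
# "<digest>  <filename>" form; lower-cased so case differences do not matter.
read_expected_digest() {
  awk 'NR==1 {print tolower($1)}' "$1"
}

# Compute the digest of the downloaded image file.
actual_digest() {
  "$DIGEST_CMD" "$1" | awk '{print tolower($1)}'
}

# verify_image IMAGE HASHFILE -> returns 0 if the digests match, 1 otherwise
verify_image() {
  image="$1"
  hashfile="$2"
  expected=$(read_expected_digest "$hashfile")
  actual=$(actual_digest "$image")
  if [ -z "$expected" ]; then
    echo "no digest found in $hashfile" >&2
    return 1
  fi
  if [ "$expected" = "$actual" ]; then
    echo "OK: $image matches $hashfile"
    return 0
  fi
  echo "MISMATCH: $image" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Usage: ./verify-image.sh publisher.ova publisher.ova.sha256
# (file names are constructed placeholders)
if [ "$#" -eq 2 ]; then
  verify_image "$1" "$2"
fi
```

Run it on the image and hash file before the import step, and treat a mismatch as a reason to re-download rather than to proceed; a truncated or corrupted download shows up here as a digest mismatch, the same as a modified file would.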

This topic explains how to enable SNMP on a Publisher and edit the firewall to allow external monitoring.

  1. Connect to a Publisher using SSH and login.

  2. On the menu, select 5 and exit to the CLI.

  3. Install SNMP and snmp-utils.

    sudo yum install net-snmp net-snmp-utils
  4. Configure the SNMP daemon to start after a device restart.

    sudo systemctl enable snmpd
  5. Check the snmpd service to make sure it is running.

    systemctl status snmpd.service
  6. Install your preferred file-editing utility; in this example, nano.

    sudo yum install nano
  7. Edit the snmpd.conf file to change community strings and increase security.

    sudo nano /etc/snmp/snmpd.conf
  8. Restart the snmpd service.

    sudo systemctl restart snmpd.service
  9. Check the snmpd service to make sure it is running.

    systemctl status snmpd.service
  10. Verify the firewall service.

    sudo firewall-cmd --state
    running
  11. Determine what the default zone is.

    firewall-cmd --get-default-zone
    public
  12. Determine which zones are active. Note that if the Publisher has not yet connected to an application, the docker interface will not be present.

    firewall-cmd --get-active-zones
    docker interfaces: docker0
    public interfaces: ens32 virbr0
  13. Add the SNMP service to the public firewall zone.

    sudo firewall-cmd --zone=public --add-service=snmp
    success
  14. Confirm that the SNMP service has been added to the public firewall zone.

    sudo firewall-cmd --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens32 virbr0
    sources:
    services: dhcpv6-client snmp ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    rule family="ipv4" destination address="191.1.1.1/32" port port="784" protocol="tcp" accept
    rule family="ipv4" destination address="191.1.1.1/32" port port="785" protocol="udp" accept

    sudo firewall-cmd --zone=public --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens32 virbr0
    sources:
    services: dhcpv6-client snmp ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    rule family="ipv4" destination address="191.1.1.1/32" port port="784" protocol="tcp" accept
    rule family="ipv4" destination address="191.1.1.1/32" port port="785" protocol="udp" accept

Test access to SNMP. If it works, add the rule permanently.

  1. Add the SNMP service to the firewall permanently.

    sudo firewall-cmd --zone=public --permanent --add-service=snmp
    success
  2. Verify that the SNMP service has been added to the firewall permanently.

    sudo firewall-cmd --zone=public --permanent --list-services
    dhcpv6-client snmp ssh
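Step 7 above says to change the community strings and increase security, and steps 13 and 15 open the snmp service to every source in the public zone. The script below is an added example, not Netskope's code, of the tighter version of both: an snmpd.conf that answers read-only, only to the monitoring host (and localhost for self-checks), and only for the system and hrSystem subtrees, plus a firewalld rich rule that admits UDP/161 from that monitoring host alone. MONITOR_IP and COMMUNITY are constructed placeholders; the view names and the localhost entry are this example's choices, not anything the page prescribes.

```shell
#!/usr/bin/env bash
# Added example (not Netskope's code): restricted snmpd.conf and a host-scoped
# firewalld rule for external monitoring of a Publisher.
set -eu

MONITOR_IP="${MONITOR_IP:-10.0.0.25}"            # constructed: the NMS that polls the Publisher
COMMUNITY="${COMMUNITY:-changeme-r0}"            # constructed: replace with a long random string
SNMPD_CONF="${SNMPD_CONF:-/etc/snmp/snmpd.conf}"

# snmpd.conf: read-only, limited to MONITOR_IP and localhost, limited to the
# system and hrSystem subtrees. No rwcommunity and no default "public" string.
render_snmpd_conf() {
  cat <<EOF
# Generated by the added example: read-only SNMP for external monitoring
# system group: sysDescr, sysUpTime, sysName, ...
view systemonly included .1.3.6.1.2.1.1
# hrSystem: host uptime, load, process counts
view systemonly included .1.3.6.1.2.1.25.1
rocommunity ${COMMUNITY} ${MONITOR_IP} -V systemonly
rocommunity ${COMMUNITY} 127.0.0.1 -V systemonly
sysLocation Netskope Publisher
sysContact netops@example.invalid
EOF
}

# firewalld rich rule: the snmp service (UDP/161) from the monitoring host only,
# instead of "--add-service=snmp", which opens it to every source in the zone.
snmp_rich_rule() {
  printf 'rule family="ipv4" source address="%s/32" service name="snmp" accept' "$MONITOR_IP"
}

apply() {
  # Keep the distribution default for reference, then install the restricted config.
  [ -f "${SNMPD_CONF}.orig" ] || sudo cp "$SNMPD_CONF" "${SNMPD_CONF}.orig"
  render_snmpd_conf | sudo tee "$SNMPD_CONF" >/dev/null
  sudo systemctl restart snmpd.service
  sudo systemctl --no-pager status snmpd.service

  # Scope the firewall opening, and drop the zone-wide snmp service if it was
  # added earlier (the remove fails harmlessly when it is not present).
  sudo firewall-cmd --zone=public --permanent --add-rich-rule="$(snmp_rich_rule)"
  sudo firewall-cmd --zone=public --permanent --remove-service=snmp || true
  sudo firewall-cmd --reload
  sudo firewall-cmd --zone=public --list-rich-rules

  # Local check: the agent answers inside the restricted view ...
  snmpwalk -v2c -c "$COMMUNITY" 127.0.0.1 .1.3.6.1.2.1.1
  # ... and returns nothing from outside it (expect only an end-of-MIB-view message).
  snmpwalk -v2c -c "$COMMUNITY" 127.0.0.1 .1.3.6.1.2.1.4 || true
}

# Run with "apply" on the Publisher to make the changes; otherwise only the helpers load.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

After applying, repeat the snmpwalk from the monitoring host; from any other host the request should time out, which is the firewall rule doing its job. Where the monitoring system supports it, SNMPv3 (a user created with `net-snmp-create-v3-user` from the net-snmp package) is the stronger option, since a v2c community string travels in clear text.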