Netskope Help

Deploy a Publisher

The Netskope Private Access Publisher can be deployed on AWS, Azure, GCP, HyperV, VMWare ESXi, and any Ubuntu 20.04 based virtual machine (VM). The following sections provide the requirements and some recommendations, plus instructions for each of these deployments.

The Publisher does not need to be deployed on the same network where the private app will be accessed, but it needs to have L3 reachability to the private applications.

Before deploying a Publisher, factor these requirements and recommendations:

General Host Requirements
  • 2 CPUs

  • 4GB RAM

  • 8GB HDD space

Network Time Protocol

For Network Time Protocol (NTP), either:

  • Ensure your local NTP servers are synchronized properly (generally required when the network configuration is provided by DHCP).

  • Ensure that access to Internet NTP servers works properly.

Publisher Capacity

When factoring publisher capacity and scaling, consider the following key points:

  • By default, up to 100 Publishers can be deployed. A message appears on the Publishers page when you're approaching the maximum limit. You can remove unused Publishers, or contact Support to increase the limit.

  • Each Publisher can handle around 160 Mbps of throughput.

  • A Publisher is agnostic to the number of users that traverse it.

  • A Publisher is limited to using a single IP address for both inbound and outbound connections.

  • A single publisher can support up to 32,000 concurrent TCP or UDP connections per IP destination.

Firewall Requirements

The Publisher only requires communication over the following ports and protocols:

  • Inbound

    • SSH Access: Port 22 for management.

  • Outbound

    • DNS: Port 53.

    • HTTPS: Port 443.

    • Other Ports: The Publisher requires connectivity to/from the TCP and UDP ports necessary for application access.

DNS and IP Information

The Publisher uses DNS for enrollment into the NPA service and for connecting to the NewEdge cloud. Refer to the following DNS information for your NPA tenant.

  • http://gateway.npa.goskope.com

  • http://stitcher.npa.goskope.com

  • http://ns-<TENANTID>.<POPNAME>.npa.goskope.com

  • TENANTID is your tenant ID, such as 1234.

  • POPNAME is the Home PoP name.

For example: ns-1234.us-sjc1.npa.goskope.com.

For Management Plane IPs, go to List of IP Ranges for Allowlisting and refer to the Netskope Private Access List for Allowlisting table.

For Dataplane IPs, go to Data Plane IP Ranges.

Publisher Sizing for Apps or Wildcard Networks/Domains

While a Publisher is agnostic to the number of users, the number of users a single Publisher can support in practice depends on the type of application, because each application type consumes a different number of connections per user. Use the information below to determine the maximum number of users per Publisher based on the applications used:

  • For web applications, browsers can open up to six concurrent connections per domain. For sizing purposes, divide 32,000 by 6 to derive the maximum number of concurrent users a single Publisher can serve for a web server.

  • For FTP workloads, it is two TCP connections per user per FTP session.

  • For SSH/SQL connections, it is one TCP connection per user.
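The sizing rules above turned into a small capacity calculator, added here as an example rather than Netskope's own tooling: it applies the 32,000-connection ceiling per application type and also the 160 Mbps per-Publisher throughput figure from Publisher Capacity, taking whichever requires more Publishers. The per-user bandwidth figure is an assumption you supply from your own measurements.

```python
import math

# Figures taken from this page's Publisher Capacity and sizing guidance.
MAX_CONNECTIONS_PER_PUBLISHER = 32_000  # concurrent TCP/UDP connections per IP destination
PUBLISHER_THROUGHPUT_MBPS = 160         # approximate throughput of one Publisher
DEFAULT_PUBLISHER_LIMIT = 100           # Publishers per tenant before Support must raise the limit

# Connections one user consumes, by application type (from the bullets above).
CONNECTIONS_PER_USER = {
    "web": 6,  # browsers open up to six concurrent connections per domain
    "ftp": 2,  # two TCP connections per user per FTP session
    "ssh": 1,  # one TCP connection per user
    "sql": 1,
}


def max_users_per_publisher(app_type):
    """Concurrent users one Publisher can serve before the connection ceiling is hit."""
    return MAX_CONNECTIONS_PER_PUBLISHER // CONNECTIONS_PER_USER[app_type]


def publishers_needed(app_type, users, mbps_per_user=0.0):
    """Publishers required for `users` concurrent users of one application type.

    Two ceilings apply: the per-destination connection limit and the 160 Mbps
    throughput figure. Whichever demands more Publishers wins. `mbps_per_user`
    is an assumed average that you measure for your own application.
    """
    if users <= 0:
        return 0
    by_connections = math.ceil(users / max_users_per_publisher(app_type))
    by_throughput = math.ceil(users * mbps_per_user / PUBLISHER_THROUGHPUT_MBPS)
    return max(by_connections, by_throughput, 1)


def sizing_report(app_type, users, mbps_per_user=0.0):
    """Summarise the sizing decision, including whether the default tenant limit is exceeded."""
    needed = publishers_needed(app_type, users, mbps_per_user)
    return {
        "app_type": app_type,
        "users": users,
        "max_users_per_publisher": max_users_per_publisher(app_type),
        "publishers_needed": needed,
        "exceeds_default_limit": needed > DEFAULT_PUBLISHER_LIMIT,
    }


if __name__ == "__main__":
    # Constructed scenario: 20,000 concurrent users of an internal web app,
    # each assumed to average 0.05 Mbps.
    print(sizing_report("web", 20_000, mbps_per_user=0.05))
```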

To scale access to broad networks or large applications, add Publishers that serve the same application; NPA uses a round-robin mechanism to load-balance users across those Publishers.

In order for NPA to distribute the load evenly across the newly introduced Publishers in the cluster, you can reboot the original set of Publishers during a maintenance window. This results in users getting evenly distributed across Publishers.

Important

Netskope does not recommend spreading publishers serving the same application across different physical locations or geographic regions as this could result in higher latency for some users.

Networking Services

Network:

  • Publishers should have network connectivity to your internal apps.

  • Publishers should have network connectivity (outbound) to the Internet to reach various Netskope services: configuration, gateways, upgrade, and other service endpoints.

DNS: 

  • Publishers should be able to resolve internal service names, for example: myapp.example.com.

  • Publishers should be able to resolve external service names (on the Internet), including the various Netskope services: configuration, gateways, upgrade, and other service endpoints.

SSH:

You should be able to SSH into the Publisher from an internal desktop computer for basic administration tasks, such as passing the registration token to the Publisher during initial setup and troubleshooting any issues that might arise. A Publisher cannot be used to connect to itself.

  • If you deploy the Publisher VM into a network with DHCP services, it should pick up a valid networking configuration automatically, including an IP address, default gateway, and DNS.

  • If you deploy the publisher VM into a network without DHCP services, you must configure a static IP address, default gateway, and DNS.

  • Netskope recommends that your network includes DHCP.

Note

Publishers may be subject to SSL interception. Make sure that *.npa.goskope.com is excluded from SSL interception.
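A pre-deployment check of the DNS, outbound 443, NTP and private-app reachability requirements above, added here as an example rather than Netskope's own tooling. The tenant ID, PoP name and internal app target are placeholders, and the timedatectl call assumes a systemd host such as Ubuntu 20.04.

```python
import socket
import subprocess

# Cloud-side NPA endpoints named on this page; the tenant-specific name is built below.
NPA_ENDPOINTS = ["gateway.npa.goskope.com", "stitcher.npa.goskope.com"]


def tenant_fqdn(tenant_id, pop_name):
    """Build the per-tenant NPA hostname, e.g. ns-1234.us-sjc1.npa.goskope.com."""
    return f"ns-{tenant_id}.{pop_name}.npa.goskope.com"


def resolves(hostname):
    """DNS check: can this host resolve the name at all?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def tcp_reachable(host, port, timeout=3.0):
    """L3/L4 check: can we complete a TCP handshake to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_synchronized():
    """NTP check via systemd's timedatectl (assumed present, as on Ubuntu 20.04)."""
    try:
        proc = subprocess.run(
            ["timedatectl", "show", "-p", "NTPSynchronized", "--value"],
            capture_output=True, text=True, timeout=5, check=True,
        )
    except (OSError, subprocess.SubprocessError):
        return False
    return proc.stdout.strip() == "yes"


def preflight(tenant_id, pop_name, private_apps):
    """Run every check; returns {check_name: passed} so a caller can fail on any False."""
    results = {"ntp_synchronized": ntp_synchronized()}
    for name in NPA_ENDPOINTS + [tenant_fqdn(tenant_id, pop_name)]:
        results[f"dns:{name}"] = resolves(name)
        results[f"tcp443:{name}"] = tcp_reachable(name, 443)
    for host, port in private_apps:
        # The Publisher only needs L3 reachability to the app; a completed handshake proves it.
        results[f"app:{host}:{port}"] = tcp_reachable(host, port)
    return results


if __name__ == "__main__":
    # Placeholder tenant ID and PoP name, and a constructed internal app target.
    for check, ok in preflight("1234", "us-sjc1", [("myapp.example.com", 443)]).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it on the Publisher host itself (not from your workstation), since the point is to confirm what the Publisher can reach.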

Network Settings

In the NPA Publisher Wizard (available via your virtualization console or after SSHing to a running Publisher), select Network Settings to enter the configuration details.

There are two configuration options available:

  • DHCP: This allows you to specify a network adapter for DHCP configuration. eth0 is used in the example, but other adapters may be present depending on your NPA Publisher hardware configuration. For example, ens32 or similar will be present on NPA Publishers deployed to VMWare.

  • Static IP: This option allows you to specify static IP address configurations in environments where DHCP configuration is not possible. The following values must be provided as part of this configuration:

    • Network Adapter

    • IP Address and Mask: For example, 192.168.1.189/24

    • Gateway: For example, 192.168.1.1

    • DNS Servers: We recommend using two DNS server IP addresses, though only one is required.

    • Default Search Domain: This configuration is typically set to match the domain name of your company.

Netskope provides prebuilt Publishers for VMWare (OVA format), Hyper-V (VHDX), and AWS (AMI). Additionally, you can deploy a Publisher on top of an Ubuntu 20.04 based machine for other environments, such as GCP. The deployment methods and the use of Docker images may raise some concerns about hardening and security. This document provides information that customers under NDA can use to better understand how a Publisher is deployed and maintained.

OS Requirements

Ubuntu 20.04 is supported.

Significant changes from the previously supported CentOS-based machine are:

  • Ubuntu Publishers are CIS benchmark enabled.

  • AppArmor and ufw are used instead of SELinux and FirewallD.

OS Hardening

Netskope takes a number of hardening steps for the images we provide, including:

  • Disabling root login to base OS and container OS.

  • Removing root password.

  • Removing unneeded Linux firmware and packages.

  • Running the latest security updates prior to capturing the image.

  • Disabling support for Ctrl-Alt-Del to prevent accidental or malicious system restarts.

You can perform additional hardening steps, such as:

  • Hardening SSH to use keys rather than passwords. The AWS AMI uses keys by default; Publishers deployed on other platforms must be manually configured to use keys.

  • Using the native Ubuntu 20.04 firewall or network firewalls to limit access to and from the Publisher.

Netskope Private Access leverages RSA 2048 for all encrypted communications including Client, Publisher, and inner tunnel.

Updates

Netskope updates the host OS and the Publisher package during the software update process:

  • Base OS (Ubuntu 20.04) security updates.

  • Publisher (security, functionality, and enhancements).

Netskope recommends that Publishers always be updated to the most recent software version.

AppArmor and ufw for Ubuntu

The NPA Publisher is configured with AppArmor and ufw enabled and running. During Publisher installation, the following ufw configurations are made in order to enable the NPA Publisher to process data packets appropriately.

# Install ufw and enable it non-interactively
apt-get install -y ufw
echo y | ufw enable
# Allow traffic to 191.1.1.1 on TCP 784 and UDP 785
ufw allow to 191.1.1.1/32 proto tcp port 784
ufw allow to 191.1.1.1/32 proto udp port 785
# Allow DNS (TCP and UDP 53) arriving on the tunnel interface tun0
ufw allow in on tun0 to any port 53 proto tcp
ufw allow in on tun0 to any port 53 proto udp
# SSH for management (see Firewall Requirements)
ufw allow 22/tcp
# Allow loopback traffic on lo only; drop loopback-sourced packets on other interfaces
ufw allow in on lo
ufw deny in from 127.0.0.0/8
ufw deny in from ::1
# Apply the rule set, then terminate the running Publisher process
ufw reload
sudo pkill npa_publisher

Note

As indicated above, this configuration is applied automatically in all current NPA Publisher releases and is included here for reference/legacy Publishers.
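A check for the rule set above, written for this page as an added example rather than part of the Publisher installer: it parses the output of sudo ufw status, reports which expected rules are missing, and flags ALLOW rules the installer did not create, which on a host that should accept only SSH inbound is the drift worth catching. The sample output is constructed, and the way ufw renders each rule is assumed; compare with your own Publisher's output.

```python
import re

# Rules this page says the installer applies, written as `ufw status` renders them:
# (To, Action, From). The rendering is an assumption made for this example;
# confirm it against `sudo ufw status` on your own Publisher.
EXPECTED_RULES = {
    ("22/tcp", "ALLOW", "Anywhere"),             # ufw allow 22/tcp
    ("53/tcp on tun0", "ALLOW", "Anywhere"),     # ufw allow in on tun0 to any port 53 proto tcp
    ("53/udp on tun0", "ALLOW", "Anywhere"),     # ufw allow in on tun0 to any port 53 proto udp
    ("191.1.1.1 784/tcp", "ALLOW", "Anywhere"),  # ufw allow to 191.1.1.1/32 proto tcp port 784
    ("191.1.1.1 785/udp", "ALLOW", "Anywhere"),  # ufw allow to 191.1.1.1/32 proto udp port 785
    ("Anywhere on lo", "ALLOW", "Anywhere"),     # ufw allow in on lo
    ("Anywhere", "DENY", "127.0.0.0/8"),         # ufw deny in from 127.0.0.0/8
}


def parse_ufw_status(text):
    """Parse `ufw status` output into (status, [(to, action, from), ...])."""
    status, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            status = line.split(":", 1)[1].strip()
        elif not line or line.startswith("To ") or line.startswith("--"):
            continue  # blank line or one of the two header lines
        else:
            cols = re.split(r"\s{2,}", line)  # columns are separated by runs of spaces
            if len(cols) >= 3:
                rules.append((cols[0], cols[1], cols[2]))
    return status, rules


def audit_ufw(text):
    """Compare a `ufw status` dump with the installer's rule set."""
    status, rules = parse_ufw_status(text)
    # IPv6 mirror rules are rendered with "(v6)"; audit the IPv4 set only.
    v4 = {r for r in rules if "(v6)" not in r[0] and "(v6)" not in r[2]}
    return {
        "active": status == "active",
        "missing": sorted(EXPECTED_RULES - v4),
        "unexpected_allows": sorted(r for r in v4 if r[1] == "ALLOW" and r not in EXPECTED_RULES),
    }


# Constructed sample: one installer rule is absent and one extra inbound ALLOW was added by hand.
SAMPLE_STATUS = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere on lo             ALLOW       Anywhere
53/tcp on tun0             ALLOW       Anywhere
53/udp on tun0             ALLOW       Anywhere
191.1.1.1 784/tcp          ALLOW       Anywhere
191.1.1.1 785/udp          ALLOW       Anywhere
3389/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
Anywhere (v6)              DENY        ::1
"""

if __name__ == "__main__":
    print(audit_ufw(SAMPLE_STATUS))
```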

Create a publisher to deploy on your network and use with a private app. The token generated in this procedure is used to deploy the publisher, so be sure to make a copy.

  1. Go to Settings > Security Cloud Platform > Publishers.

  2. Click New Publisher.

  3. Enter a publisher name (like AWS US-WestWing publisher).

  4. Click Save and Continue.

  5. Click Generate Token.

  6. Click Copy to get the registration token.

  7. Click Done.

After deploying the publisher, return to the Publisher page to verify the status is Connected.

The Publishers page shows each Publisher's name, status, version, CN, and number of connected apps. To customize the columns shown on the page, click the gear icon in the table header and check the columns you want to see. To edit the name or delete a Publisher, click the menu icon in the row where that Publisher is listed.

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center. This includes the ability to leverage a Publisher in Amazon Web Services.

This topic explains how to create a Publisher instance in Amazon Web Services. Knowledge of the Netskope UI and Amazon Web Services is required, along with:

  • A Netskope Tenant.

  • A copy of your Publisher registration token.

  • An Amazon Web Services account.

To access the AMI file from the Publisher page in the Netskope UI, go to Settings > Security Cloud Platform > Publishers and click Publisher AMI.

Perform these steps in the AWS console.

Launch an EC2 Instance
  1. Sign in to your Amazon Web Services (AWS) console.

  2. Click Services > Find services. Search for and then select EC2.

  3. Click Instances in the left sidebar menu.

  4. Click Launch Instance.

Choose an Amazon Machine Image (AMI)
  1. Click AWS Marketplace in the left sidebar menu.

  2. Enter Netskope in the search bar.

  3. Netskope Private Access Publisher should appear in the search results. Click Select.

Choose an Instance Type
  1. Select t3.medium as the instance type.

  2. Click Next: Configure Instance Details.

Configure Instance Details

The token you copied from the Netskope UI is needed to complete these steps.

  1. Enter 1 in the Number of instances field.

  2. Select the VPC where the application you want to publish via Netskope is deployed in the Network field.

  3. Keep the default values for the remaining fields.

  4. Click Advanced Details to expand this section.

  5. In the User data section, select the As text option.

  6. Enter the Netskope Publisher registration token into the User Data text field.

Add a Name Tag

Adding a name tag is optional, but doing so will make it easier to identify your Netskope Publisher EC2 instance.

  1. Click the Add Tags tab, near the top of the page.

  2. Click Add Tag.

  3. Enter Name in the Key field.

  4. Enter AWS US-WestWing publisher in the Value field.

  5. Click Review and Launch.

Review Instance Launch
  1. Review the information in the AMI Details and Instance Type sections.

  2. Click Launch.

  3. Select or create a key pair.

  4. Click Launch Instances.

  5. Review the information on the Launch Status page.

  6. Click View Instances.

View Instances
  1. You should now see a new EC2 instance with the name AWS US-WestWing publisher (if you completed the Add a Name Tag steps).

  2. AWS typically takes several minutes to launch an EC2 instance and run status checks. Wait until your Instance State is Running and the Status Checks have passed.

Register the Publisher

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.

After you have deployed the Publisher, the default login is set to ubuntu with a default password of ubuntu. Change this password as soon as possible to ensure a secure configuration.

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center. This includes the ability to leverage a Publisher in VMWare ESXi.

This topic explains how to create a Publisher instance in VMWare ESXi. Knowledge of the Netskope UI and VMWare ESXi is required, along with:

  • A Netskope Tenant

  • A copy of your Publisher registration token

  • A VMWare ESXi account.

To access the OVA from the Publisher page in the Netskope UI, go to Settings > Security Cloud Platform > Publishers and click Publisher OVA.

Note

If you want to validate the integrity of the OVA, you can download the SHA hash from here.

Perform these steps in the VMWare ESXi console.

  1. Install this OVA into your ESXi machine.

  2. SSH into the publisher (default username: ubuntu, default password: ubuntu). When prompted, change your password. After you change it, the system automatically disconnects your SSH session, so you will need to reconnect and log in with your new password before proceeding.

Register the Publisher

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.

After you have deployed the Publisher, the default login is set to ubuntu with a default password of ubuntu. Change this password as soon as possible to ensure a secure configuration.

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center. This includes the ability to leverage a Publisher in Hyper-V.

This topic explains how to create a Publisher instance in Hyper-V. Knowledge of the Netskope UI and Hyper-V is required, along with:

  • A Netskope Tenant

  • A copy of your Publisher registration token

  • A Hyper-V account.

To access the VHDX file from the Publisher page in the Netskope UI, go to Settings > Security Cloud Platform > Publishers and click Publisher VHDX.

Note

If you want to validate the integrity of the VHDX, download the SHA hash from here.

Perform these steps in the Hyper-V console.

  1. Launch the Microsoft Hyper-V Manager and select Action > New > Virtual Machine.

  2. Enter a VM Name (like NPA Publisher), optionally an installation location, and then click Next.

    Tip

    Name the Publisher to describe its location and/or application use.

  3. Leave Generation 1 selected and click Next.

  4. Specify the amount of memory for the NPA Publisher (4096 is recommended for most use cases) and click Next.

  5. Select a network adapter to attach the NPA Publisher that has Internet access and click Next.

  6. Select Use an existing virtual hard disk and then Browse to the downloaded VHDX file. When finished, click Next.

  7. Confirm the Hyper-V Wizard configuration options and click Finish.

  8. Now you can Start your NPA Publisher in Hyper-V.

  9. Get the IP address shown by the Hyper-V Manager so you can SSH into the Publisher and configure its Network Settings.

Register the Publisher

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.

After you have deployed the Publisher, the default login is set to ubuntu with a default password of ubuntu. Change this password as soon as possible to ensure a secure configuration.

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center. This includes the ability to leverage a Publisher in Azure.

This topic explains how to create a Publisher instance in Azure. Knowledge of the Netskope UI and Azure is required, along with:

  • A Netskope Tenant

  • A copy of your Publisher registration token

  • An Azure account.

Perform these steps in the Azure console.

Create a Virtual Machine (VM)
  1. Log in to Microsoft Azure portal (https://portal.azure.com/).

  2. Click Virtual machines.

  3. Click + Create and then select Virtual Machine from the drop-down list.

  4. Click See all images and then search for Ubuntu Server 20.04.

  5. Choose Ubuntu Server 20.04 LTS.

  6. Select Standard D2s v3 (2 vCPUs, 8 GB memory) as the size.

    Note

    B1ms is good for most small deployments.

  7. Click Create.

  8. Enter a machine name (Example: NetskopePublisher for Name).

  9. Enter ubuntu for Username.

  10. Copy and paste your public SSH key under SSH public key. If you do not have a public SSH key, select Generate new key pair.

  11. Choose an existing resource group or create a new one under Resource Group. For testing, we recommend creating a new resource group. A resource group is like a folder that holds all resources associated with the VM.

  12. Click OK.

  13. Click Select.

  14. Choose SSH for Select public inbound ports.

  15. Click OK.

  16. Click Create.

  17. Wait until the deployment has finished.

Open an SSH Session
  1. Click Virtual machines.

  2. Select the newly created VM.

  3. Find the VM's public IP address.

  4. In a terminal on your computer, execute: ssh -i <your_private_ssh.key> ubuntu@<ipaddress>.

Install Netskope Publisher
  1. Run this command in your SSH session:

    curl https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh | sudo bash; sudo su - $USER; exit
  2. This takes about 10 minutes. At the end of this process, you have a fully functional Netskope Publisher and can register it.

Register the Publisher

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.

After you have deployed the Publisher, the default login is set to ubuntu with a default password of ubuntu. Change this password as soon as possible to ensure a secure configuration.

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center. This includes the ability to leverage a Publisher in Google Cloud Platform.

This topic explains how to create a Publisher instance in Google Cloud Platform. Knowledge of the Netskope UI and Google Cloud Platform is required, along with:

  • A Netskope Tenant

  • A copy of your Publisher registration token

  • A Google Cloud Platform account with a working VPC setup and API permissions.

Perform these steps in the Google Cloud Platform console.

  1. Log in to Google Cloud Platform at https://console.cloud.google.com/.

  2. Click the menu icon in the top left and select Compute Engine and then VM instances.

  3. Click Create Instance.

  4. Enter a name for the instance, like netskope-publisher.

  5. Select a Region and Zone. For testing purposes this can be anything. In a production environment, enter the region and zone where the applications reside.

  6. Configure the instance memory and CPU settings (2 cores and 4 GB memory is the recommended setting, but for testing purposes a smaller machine will work).

  7. Click Change under Boot disk.

  8. Select Ubuntu as the Operating System and Ubuntu 20.04 LTS as the Version. Leave the Boot disk type and Size as the defaults.

  9. Click Select.


    Note: Steps 10-13 are optional if no other route to the internet is available.

  10. Click Management, security, disks, networking, sole tenancy.

  11. Click Networking.

  12. Click the pencil icon to edit the network interface.

  13. Select your Network, Subnetwork, and specify an Ephemeral external IP.

  14. Click Create to start the instance creation.

  15. Once the instance is available, connect to it by clicking SSH under the Compute Engine page.

  16. Run the following command in the SSH session to download and install the necessary components for the Publisher. This may take about 10 minutes.

    curl https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh | sudo bash; sudo su - $USER; exit
  17. At the end of this process, you have a fully functional Netskope Publisher and can register it with Netskope.

Register the Publisher

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

  2. When prompted for a menu choice, select Register.

  3. When requested, enter the Netskope registration token, and then press Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.

After you have deployed the Publisher, the default login is set to ubuntu with a default password of ubuntu. Change this password as soon as possible to ensure a secure configuration.