Deploy a Publisher

The Netskope Private Access Publisher can be deployed on AWS, Entra, GCP, Hyper-V, VMWare ESXi, and any Ubuntu 20.04 based machine. The following sections provide the requirements and some recommendations, plus instructions for each of these deployments.

Note

An Ubuntu 20.04 minimized server image is not supported because it does not contain systemd-resolve, which the install script requires.

The Publisher does not need to be deployed on the same network where the private app will be accessed, but it needs to have L3 reachability to the Private Apps.

Using at least a pair of Publishers for each Private App is recommended so they can provide high-availability access.

Note

Netskope recommends that you replace existing CentOS-based Publishers with new Publishers that are based on Ubuntu OS. All Publisher releases starting with r94 support Ubuntu OS. To deploy a new Publisher, follow the instructions in Deploy a Publisher. To learn how to transition a CentOS-based Publisher to an Ubuntu-based Publisher, go to CentOS-based Publisher Support End of Life.

Note

A Publisher needs reachability to the official Ubuntu Mirrors during the update process. Please review and allow the appropriate destinations for a successful Publisher software update.

Requirements and Recommendations

Before deploying a Publisher, take these requirements and recommendations into account:

General Host Requirements

  • x86_64 architecture
  • 2 CPUs
  • 4 GB RAM
  • 16 GB HDD space

Network Time Protocol

For Network Time Protocol (NTP), either:

  • Ensure your local NTP servers are synchronized properly (this is generally required in case of DHCP networking configuration).
  • Ensure that access to Internet NTP servers works properly.
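A preflight check for a candidate host, added here as an example (it is not Netskope's install script): it compares the host with the minimums listed above, confirms that systemd-resolve is present (the reason minimized images are unsupported), and reports whether the clock is NTP-synchronized. The function names, the MIN_* variables and the small RAM tolerance are this example's own assumptions; the thresholds themselves come from this page.

```shell
#!/bin/sh
# Publisher host preflight check. Example code, not Netskope's install script.
# Thresholds follow the documented minimums; variable and function names are this example's own.

MIN_CPUS=2
MIN_RAM_MB=3800   # 4 GB nominal; the tolerance allows for kernel-reserved memory (assumption)
MIN_DISK_GB=16

# check_host_reqs ARCH CPUS RAM_MB DISK_GB
# Pure function: prints one FAIL line per unmet requirement and returns 0 only if all pass.
check_host_reqs() {
    arch=$1; cpus=$2; ram_mb=$3; disk_gb=$4; rc=0
    [ "$arch" = "x86_64" ]            || { echo "FAIL arch: $arch (need x86_64)"; rc=1; }
    [ "$cpus" -ge "$MIN_CPUS" ]       || { echo "FAIL cpus: $cpus (need >= $MIN_CPUS)"; rc=1; }
    [ "$ram_mb" -ge "$MIN_RAM_MB" ]   || { echo "FAIL ram: ${ram_mb} MB (need >= $MIN_RAM_MB MB)"; rc=1; }
    [ "$disk_gb" -ge "$MIN_DISK_GB" ] || { echo "FAIL disk: ${disk_gb} GB (need >= $MIN_DISK_GB GB)"; rc=1; }
    return $rc
}

# collect_host_facts: read live values with standard tools (uname, nproc, free, df).
collect_host_facts() {
    arch=$(uname -m)
    cpus=$(nproc)
    ram_mb=$(free -m | awk '/^Mem:/ { print $2 }')
    disk_gb=$(df -BG / | awk 'NR == 2 { sub(/G/, "", $2); print $2 }')
    echo "$arch $cpus $ram_mb $disk_gb"
}

# has_systemd_resolve: the install script needs systemd-resolve, which minimized images lack.
has_systemd_resolve() { command -v systemd-resolve >/dev/null 2>&1; }

# ntp_synced: 0 when systemd reports the clock as NTP-synchronized.
ntp_synced() { [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ]; }

# Run the live checks with: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    set -- $(collect_host_facts)
    check_host_reqs "$1" "$2" "$3" "$4" && echo "host requirements: OK"
    if has_systemd_resolve; then echo "systemd-resolve: present"; else echo "FAIL systemd-resolve missing (minimized image?)"; fi
    if ntp_synced; then echo "NTP: synchronized"; else echo "WARN clock not NTP-synchronized; check local or Internet NTP reachability"; fi
fi
```

The check is split into a pure function (check_host_reqs) and the collectors so the decision logic can be exercised without a live host; the `--run` path only works on a real Ubuntu machine with procps and systemd.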

Publisher Capacity

When planning Publisher capacity and scaling, consider the following key points:

  • By default, up to 100 Publishers can be deployed. A message appears on the Publishers page when you’re approaching the maximum limit. You can remove unused Publishers, or contact Support to increase the limit.
  • Each Publisher can handle around 500 Mbps of throughput.
  • A Publisher is agnostic to the number of users that traverse it.
  • A Publisher is limited to using a single IP address for both inbound and outbound connections.
  • A single publisher can support up to 32,000 concurrent TCP or UDP connections per IP destination.

Firewall Requirements

The Publisher only requires communication over the following ports and protocols:

  • Inbound
    • SSH Access: Port 22 for management.
  • Outbound
    • DNS: Port 53.
    • HTTPS: Port 443.
    • Other Ports: The Publisher requires connectivity to/from the TCP and UDP ports necessary for application access.

Note

NPA Publisher traffic expects TCP return traffic from these destinations to be implicitly allowed as part of typical stateful outbound firewall policy.

Network Access

NPA access needs are:

The following entries list, for each component, the URLs it reaches, the ports used, and related notes.

Component: Client

URLs:
  • gateway.npa.<tenant-domain> (Example: gateway.npa.goskope.com)
  • addon-<tenant-URL> (Example: addon-acme123.goskope.com)
  • nsauth-<tenant-URL> (Example: nsauth-acme123.goskope.com)
  • dns.google

Ports:
  • TCP 443 (HTTPS)
  • UDP 53 (DNS)

Notes:
  • Requires outbound access only.
  • The addon URL is typically required for retrieving feature flags and IDP enrollment.
  • The nsauth URL is required for the Periodic Re-authentication feature.
  • For identifying the closest Netskope Data Center, the Client uses EDNS as the preferred method, so TCP 443 to dns.google needs to be allowed (corresponding IPs are 8.8.8.8 and 8.8.4.4).
  • The fallback from EDNS is Local DNS (LDNS), so DNS (UDP 53) needs to be allowed to the DNS resolver.

Component: Publisher

URLs:
  • stitcher.npa.<tenant-domain>
  • addon-<tenant-URL> (Example: addon-acme123.goskope.com)
  • dns.google
  • *.docker.com
  • *.docker.io
  • *.ubuntu.com

Note

If your Publisher is running in China, you also need to add these domains to the allowlist:

  • ns-1-registry.cn-shenzhen.cr.aliyuncs.com
  • npa-ova.oss-cn-shenzhen.aliyuncs.com
  • cri-0mv8zj4da6ewexnq-registry.oss-cn-shenzhen.aliyuncs.com

Ports:
  • TCP 443 (HTTPS)
  • UDP 53 (DNS)
  • TCP 80 (HTTP) for *.ubuntu.com

Notes:
  • Requires outbound access only.
  • The addon URL is typically required for retrieving feature flags.
  • For identifying the closest Netskope Data Center, the Client uses EDNS as the preferred method, so TCP 443 to dns.google needs to be allowed (corresponding IPs are 8.8.8.8 and 8.8.4.4).
  • The fallback from EDNS is Local DNS (LDNS), so DNS (UDP 53) needs to be allowed to the DNS resolver.
  • For administration, allow TCP 22 (SSH) from admin subnets to the Publisher.
  • For Publisher updates, allow outbound access to *.docker.com and *.docker.io on TCP 443, and to *.ubuntu.com on TCP 80 and TCP 443.

Component: Client and Publisher

URLs:
  • ns-<tenant-ID>.<MP-name>.npa.<tenant-domain> (Example: ns-1234.us-sv5.npa.goskope.com)
  • gateway.gslb.<tenant-domain> (Example: gateway.gslb.goskope.com)

Contact your Netskope SE, TSM, or Support for your tenant ID and MP name, and if IP subnets are needed instead of FQDNs.

Ports:
  • TCP 443 (HTTPS)

Notes:
  • Requires outbound access during enrollment/re-enrollment of NPA for the Client and for registration of the Publisher.
  • MP-Name variables:
    • us-sv5 (SV5)
    • us-sjc1 (SJC1)
    • us-sjc2 (SJC2)
    • de-fr4 (FR4)
    • nl-am2 (AM2)
    • au-mel2 (MEL2)
    • ch-zur2 (ZUR2)
    • uk-lon3 (LON3)
    • sg-sin2 (SIN2)
    • de-fra2 (FRA2)
    • us-dfw3 (DFW3)
    • sa-ruh1 (RUH1)

Note

Inbound access needs to be allowed only if you use a CRL server maintained internally within your infrastructure for Prelogon enrollment, or if you enable Browser Access. It is not needed for the dataplane traffic.

For allowlisting ns-<tenant-ID>.<MP-name>.npa.<tenant-domain> based on IP addresses, refer to the Netskope Private Access List for Allowlisting section.

DNS and IP Information

Publisher uses DNS for Enrollment into the NPA service and for connecting to the Netskope cloud. Please refer to the following DNS information for your NPA tenant.

  • https://gateway.npa.<tenant-domain>
  • https://stitcher.npa.<tenant-domain>
  • *.docker.com
  • *.docker.io
  • *.ubuntu.com
  • https://ns-<tenant-ID>.<POP-name>.npa.<tenant-domain>

    tenant-ID would be the typical ID, such as 1234, etc. POP-name represents the Home PoP Name.

For example: ns-1234.us-sjc1.npa.goskope.com.

For Management Plane IPs, go to List of IP Ranges for Allowlisting and refer to the Netskope Private Access List for Allowlisting table.

For Dataplane IPs, go to Data Plane IP Ranges.

Publisher Sizing for Apps or Wildcard Networks/Domains

Although a Publisher is agnostic to the number of users, the number of users a single Publisher can support depends on the type of application, because each application type opens a different number of connections per user. Use the information below to determine the maximum number of users per Publisher based on the applications used:

  • For web applications, browsers can open up to six concurrent connections per domain. For sizing purposes, divide 32,000 by 6 to derive the maximum number of concurrent users a single Publisher can serve for a web server.
  • For FTP workloads, it’s 2 TCP connections per user per FTP session.
  • For SSH/SQL connections, it’s one TCP connection per user.
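A sizing helper, added here as an example rather than a Netskope tool, that turns the figures on this page (32,000 concurrent connections and about 500 Mbps per Publisher; 6, 2 and 1 connections per user for web, FTP and SSH/SQL) into a Publisher count for a given user population and aggregate throughput, and never returns fewer than the pair recommended for high availability. The function names and the app-type labels are this example's own.

```shell
#!/bin/sh
# Publisher sizing helper. Example code, not a Netskope tool.
# Limits and per-user connection counts come from this page; names are this example's own.

MAX_CONNS=32000   # concurrent TCP/UDP connections per Publisher per IP destination
MAX_MBPS=500      # approximate throughput per Publisher
HA_MIN=2          # at least a pair of Publishers per Private App for high availability

# ceil_div A B: integer ceiling of A/B
ceil_div() { echo $(( ($1 + $2 - 1) / $2 )); }

# conns_per_user APP: documented connections one user opens (web|ftp|ssh|sql)
conns_per_user() {
    case "$1" in
        web)     echo 6 ;;
        ftp)     echo 2 ;;
        ssh|sql) echo 1 ;;
        *)       echo "unknown app type: $1" >&2; return 1 ;;
    esac
}

# max_users_per_publisher APP: users one Publisher serves on the connection limit alone
max_users_per_publisher() {
    c=$(conns_per_user "$1") || return 1
    echo $(( MAX_CONNS / c ))
}

# publishers_needed APP USERS TOTAL_MBPS: Publishers required for the app, taking the larger
# of the connection-bound and throughput-bound counts and never fewer than HA_MIN.
publishers_needed() {
    app=$1; users=$2; mbps=${3:-0}
    c=$(conns_per_user "$app") || return 1
    by_conn=$(ceil_div $(( users * c )) "$MAX_CONNS")
    by_tput=$(ceil_div "$mbps" "$MAX_MBPS")
    n=$by_conn
    [ "$by_tput" -gt "$n" ] && n=$by_tput
    [ "$HA_MIN" -gt "$n" ] && n=$HA_MIN
    echo "$n"
}

# Example: sh sizing.sh web 20000 1200  ->  4
if [ $# -ge 2 ]; then
    echo "max users per Publisher for $1: $(max_users_per_publisher "$1")"
    echo "Publishers needed for $2 users of $1 at ${3:-0} Mbps: $(publishers_needed "$@")"
fi
```

Both constraints are evaluated because they bind differently: a large web population hits the connection ceiling first, while a small number of users moving bulk data over SSH hits the throughput ceiling first.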

To scale access to broad networks or large applications, deploy additional Publishers for the same app; NPA load balances users across the Publishers using a round-robin mechanism.

In order for NPA to distribute the load evenly across newly introduced Publishers in the cluster, reboot the original set of Publishers during a maintenance window. This results in users being evenly distributed across Publishers.

Important

Netskope does not recommend spreading publishers serving the same application across different physical locations or geographic regions as this could result in higher latency for some users.

Networking Services

Network
  • Publishers should have network connectivity to your internal apps.
  • Publishers should have network connectivity (outbound) to the Internet to reach various Netskope services: configuration, gateways, upgrade, and other service endpoints.
DNS 
  • Publishers should be able to resolve internal service names, for example: myapp.example.com.
  • Publishers should be able to resolve external service names (on the Internet), including the various Netskope services: configuration, gateways, upgrade, and other service endpoints.
SSH

You should be able to SSH into the Publisher from an internal desktop computer for basic administration tasks, such as passing the registration token to the Publisher during initial setup and troubleshooting any issues which might arise. A publisher cannot be used to connect to itself.

  • If you deploy the Publisher VM into a network with DHCP services, it should pick up a valid networking configuration automatically, including an IP address, default gateway, and DNS.
  • If you deploy the publisher VM into a network without DHCP services, you must configure a static IP address, default gateway, and DNS.
  • Netskope recommends that your network includes DHCP.

Note

Publishers may be subject to SSL interception. Make sure that access to *.npa.goskope.com is disabled for SSL interception.

Network Settings

In the Publisher Wizard (available via your virtualization console or after SSHing to a running Publisher), you can now select Network Settings for configuration details.

There are two configuration options available:

  • DHCP: This allows you to specify a network adapter for DHCP configuration. eth0 is used in the example, but other adapters may be present depending on your Publisher hardware configuration. For example, ens32 or similar will be present on Publishers deployed to VMWare.
  • Static IP: This option allows you to specify static IP address configurations in environments where DHCP configuration is not possible. The following values must be provided as part of this configuration:
    • Network Adapter
    • IP Address and Mask: For example, 192.168.1.189/24
    • Gateway: For example, 192.168.1.1
    • DNS Servers: We recommend using two DNS server IP addresses, though only 1 is required.
    • Default Search Domain: This configuration is typically set to match the domain name of your company.

Note

For Publishers running in public cloud environments such as AWS, Azure, and GCP, network settings must be set via the cloud provider console.

To enable access using a PQDN with multiple search domains, refer to this article about enabling the Multi Search Domains Support feature. The Multi Search Domains Support feature is currently available for Windows and macOS operating systems. If PQDN access is needed from a mobile device such as Android or iOS, or from a device that is not domain joined, you will need to provision multiple search domains on the Publisher.

Publisher wizard settings allow adding one default search domain. Use the following steps to add multiple search domains on Ubuntu 20.04 Publisher machines:

  1. Create a /etc/netplan/51-cloud-init.yaml file that lists all search domains in a single search list (repeating the search key is not valid YAML). For example:
    network:
      version: 2
      ethernets:
        eth0:
          nameservers:
            search: [one.com, two.com, three.com, four.com, five.com, six.com]

    Note

    Change “eth0” to the corresponding internet network interface.

  2. Run this command: sudo netplan try.
  3. Run this command: sudo netplan apply.

Only six or fewer search domains can be added through netplan because of a limitation in systemd on Ubuntu 20.04. If you need more than six search domains, add them to /etc/resolv.conf instead of netplan. Keep in mind that these settings do not persist across reboots, so the search domain entries must be added again whenever the Publisher is rebooted.
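The configuration from the steps above, produced by a helper added here as an example (it is not the Publisher wizard): it writes the netplan snippet with every domain in one search list, refuses more than six domains (the Ubuntu 20.04 systemd limit), and prints the resolv.conf search line for the non-persistent fallback. The function names and NETPLAN_MAX are this example's own.

```shell
#!/bin/sh
# Search-domain configuration helper for an Ubuntu 20.04 Publisher.
# Example code, not the Publisher wizard. NETPLAN_MAX and the function names are this example's own.

NETPLAN_MAX=6   # systemd on Ubuntu 20.04 honours at most six search domains via netplan

# netplan_search_yaml IFACE DOMAIN...: print netplan YAML with all domains in ONE "search" list
# (repeating the "search:" key is not valid YAML, so the list form is required).
netplan_search_yaml() {
    iface=$1; shift
    [ $# -ge 1 ] || { echo "need at least one search domain" >&2; return 1; }
    [ $# -le "$NETPLAN_MAX" ] || {
        echo "netplan accepts at most $NETPLAN_MAX search domains on Ubuntu 20.04; use resolv_search_line instead" >&2
        return 1
    }
    list=$(printf '%s, ' "$@")
    list=${list%, }   # drop the trailing separator
    printf 'network:\n  version: 2\n  ethernets:\n    %s:\n      nameservers:\n        search: [%s]\n' "$iface" "$list"
}

# resolv_search_line DOMAIN...: the /etc/resolv.conf form used when more than six domains are
# needed. It does not survive a reboot, so it has to be re-applied after every restart.
resolv_search_line() { printf 'search %s\n' "$*"; }

# write_netplan_search IFACE FILE DOMAIN...: write the YAML to FILE (normally
# /etc/netplan/51-cloud-init.yaml) without leaving a half-written file on error.
write_netplan_search() {
    iface=$1; file=$2; shift 2
    yaml=$(netplan_search_yaml "$iface" "$@") || return 1
    printf '%s\n' "$yaml" > "$file"
}

# Example: sh searchdomains.sh eth0 /etc/netplan/51-cloud-init.yaml one.com two.com
if [ $# -ge 3 ]; then
    write_netplan_search "$@" && echo "wrote $2; now run: sudo netplan try && sudo netplan apply"
fi
```

After writing the file, validate it with `sudo netplan try` (which reverts automatically if you do not confirm) before `sudo netplan apply`, as in the steps above; replace eth0 with the interface name your Publisher actually uses (for example ens32 on VMWare).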

In addition to the above, the App Definition would also need to include the PQDN. For example, if the application to be accessed via PQDN is app1, then app1 must be defined as a host within the App Definition.

Publisher Configuration and Hardening

Netskope provides prebuilt Publishers for VMWare (OVA format), Hyper-V (VHDX), Azure (VHD), and AWS (AMI). Additionally, you can deploy a Publisher on top of an Ubuntu 20.04 based machine for other environments, such as GCP. The deployment methods and use of Docker images may raise some concerns about hardening and security. This document provides information that you can use to better understand how a Publisher is deployed and maintained.

OS Requirements

Ubuntu 20.04 is supported.

Significant changes from the previously supported CentOS-based machine are:

  • Ubuntu Publishers are CIS benchmark enabled.
  • AppArmor and ufw are used instead of SELinux and FirewallD.

OS Hardening

Netskope takes a number of hardening steps for the images we provide including:

  • Disabling root login to base OS and container OS.
  • Removing root password.
  • Removing unneeded Linux firmware and packages.
  • Running the latest security updates prior to capturing the image.
  • Disabling support for Ctrl-Alt-Del to prevent accidental or malicious system restarts.

You can perform additional hardening steps, such as:

  • Hardening SSH to use keys rather than passwords. AWS AMI uses keys by default. Publishers deployed on other platforms must be manually configured to use keys.
  • Using the native Ubuntu 20.04 firewall or network firewalls to limit access to and from the Publisher.

Netskope Private Access leverages RSA 2048 for all encrypted communications including Client, Publisher, and inner tunnel.

Updates

Netskope updates the host OS and the Publisher package during the software update process:

  • Base OS (Ubuntu 20.04) security updates.
  • Publisher (security, functionality, and enhancements).

Netskope recommends that Publishers should always be updated to the most recent software version.

AppArmor and ufw for Ubuntu

The NPA Publisher is configured with AppArmor and ufw enabled and running. During Publisher installation, the following ufw configurations are made in order to enable the NPA Publisher to process data packets appropriately.

apt-get install -y ufw                          # install the host firewall
echo y | ufw enable                             # enable it (default policy: deny inbound, allow outbound)
ufw allow to 191.1.1.1/32 proto tcp port 784    # inbound to 191.1.1.1 on TCP 784 (ufw rules default to the inbound direction)
ufw allow to 191.1.1.1/32 proto udp port 785    # inbound to 191.1.1.1 on UDP 785
ufw allow in on tun0 to any port 53 proto tcp   # DNS arriving on the tunnel interface
ufw allow in on tun0 to any port 53 proto udp
ufw allow 22/tcp                                # SSH for administration
ufw allow in on lo                              # loopback traffic
ufw deny in from 127.0.0.0/8                    # reject loopback-sourced packets on any other interface
ufw deny in from ::1
ufw reload                                      # activate the rule set
sudo pkill npa_publisher                        # terminate the running npa_publisher process

Note

As indicated above, this configuration is applied automatically in all current NPA Publisher releases and is included here for reference/legacy Publishers.

Create a New Publisher

Create a Publisher to deploy on your network and use with a private app. The token generated in this procedure is used to deploy the Publisher, so be sure to make a copy. Auto-Update profiles have been added to the Publisher settings. If you have not yet created an Auto-Update profile, you can use the default profile, or go to Configure Publisher Auto-Updates to create one.

  1. Go to Settings > Security Cloud Platform > Publishers.
  2. Click New Publisher.
  3. Enter a Publisher name (like AWS US-WestWing publisher), and then select an Auto-Update profile.
  4. Click Save & Generate Token.
  5. Click Copy to get the registration token.
  6. Click Done.

After deploying the Publisher, return to the Publisher page to verify the status is Connected.

The Publishers page shows how many Publishers have been created, each Publisher’s name, status, version, CN, and number of connected apps. To customize the columns shown on the page, click the gear icon in the table header and check the columns you want to see. To edit the name of, delete, or update a Publisher, click the menu icon in the row where the Publisher is listed.

You can search for and filter Publishers listed on the page based on search criteria. If a filter has an arrow, you can select predefined search criteria, or search by entering specific criteria. Click Add Filter to view and select a predefined filter, or search for a Publisher, Update Profile, and Version.

Configure a Publisher in AWS

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center.  This includes the ability to leverage a Publisher in Amazon Web Services. 

This section explains how to create a Publisher instance in Amazon Web Services. Knowledge of the Netskope UI and Amazon Web Services are required, along with:

  • A Netskope Tenant.
  • A copy of your Publisher registration token.
  • An Amazon Web Services account.

To access the AMI file from the Publisher page in the Netskope UI, go to Settings > Security Cloud Platform > Publishers and click Publisher AMI.

Perform these steps in the AWS console.

Launch an EC2 Instance

  1. Sign in to your Amazon Web Services (AWS) console.
  2. Click Services > Find services. Search for EC2 and then select EC2.
  3. Click Instances in the left sidebar menu.
  4. Click Launch Instance.

Choose an Amazon Machine Image (AMI)

  1. Click AWS Marketplace in the left sidebar menu.
  2. Enter Netskope in the search bar.
  3. Netskope Private Access Publisher should appear in the search results. Click Select.

Choose an Instance Type

  1. Select t3.medium as the instance type.
  2. Click Next: Configure Instance Details.

Configure Instance Details

The token you copied from the Netskope UI is needed to complete these steps.

  1. Enter 1 in the Number of instances field.
  2. Select the VPC where the application you want to publish via Netskope is deployed in the Network field.
  3. Keep the default values for the remaining fields.
  4. Click Advanced Details to expand this section.
  5. In the User data section, select the As text option.
  6. Enter the Netskope Publisher registration token into the User Data text field.

Add a Name Tag

Adding a name tag is optional, but doing so will make it easier to identify your Netskope Publisher EC2 instance.

  1. Click the Add Tags tab, near the top of the page.
  2. Click Add Tag.
  3. Enter Name in the Key field.
  4. Enter AWS US-WestWing publisher in the Value field.
  5. Click Review and Launch.

Review Instance Launch

  1. Review the information in the AMI Details Instance Type sections.
  2. Click Launch.
  3. Select or create a key pair. This key pair is used to SSH into the Publisher VM. Password-based authentication is disabled by default on AWS Publishers.
  4. Click Launch Instances.
  5. Review the information on the Launch Status page.
  6. Click View Instances.

View Instances

  1. You should now see a new EC2 instance with the name AWS US-WestWing publisher (if you completed the Add a Name Tag steps).
  2. AWS typically takes several minutes to launch an EC2 instance and run status checks. Wait until your Instance State is Running and Status Checks have passed.

Register the Publisher

Note

Registering the Publisher is optional and only required if the Publisher token was not provided during the initial Publisher instance deployment.

SSH into the Publisher (default username: ubuntu, default password: ubuntu). When prompted, change your password. After you change it, the system auto-disconnects your SSH session, so you will need to reconnect and log in with your new password before proceeding.

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

    Note

    In the event of a password change, the new password must meet the following minimum requirements:

    • Minimum password length must be 14 characters.
    • Must contain one upper case letter.
    • Must contain one lower case letter.
    • Must contain one digit (number).
    • Must contain one non-alphanumeric character.
    • Cannot be a palindrome.
  2. When prompted for a menu choice, select Register.
  3. When requested, enter the Netskope registration token, and then click Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.
  4. Go to Settings > Security Cloud Platform > Publishers in your Netskope tenant and confirm your Publisher has a Connected status. If not, go to Publisher Logs for Troubleshooting.
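A check for the password rules listed in the note above, added here as an example (it is not part of the Publisher): it reports each unmet rule, including the palindrome test, so an administrator can validate a candidate password before the wizard rejects it. The function names are this example's own; the rules come from this page.

```shell
#!/bin/sh
# Validator for the Publisher password requirements. Example code, not part of the Publisher.
# Rules come from the documentation; MIN_LEN and the function names are this example's own.

MIN_LEN=14

# reverse_string S: reverse a string with POSIX awk (no dependency on util-linux "rev")
reverse_string() {
    printf '%s\n' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# check_password PW: print each unmet rule; return 0 only when every rule is satisfied
check_password() {
    pw=$1; rc=0
    [ "${#pw}" -ge "$MIN_LEN" ]                    || { echo "too short (fewer than $MIN_LEN characters)"; rc=1; }
    printf '%s\n' "$pw" | grep -q '[[:upper:]]'    || { echo "missing upper-case letter"; rc=1; }
    printf '%s\n' "$pw" | grep -q '[[:lower:]]'    || { echo "missing lower-case letter"; rc=1; }
    printf '%s\n' "$pw" | grep -q '[[:digit:]]'    || { echo "missing digit"; rc=1; }
    printf '%s\n' "$pw" | grep -q '[^[:alnum:]]'   || { echo "missing non-alphanumeric character"; rc=1; }
    [ "$pw" != "$(reverse_string "$pw")" ]         || { echo "password is a palindrome"; rc=1; }
    return $rc
}

# Read the candidate from stdin rather than the command line so it never appears in
# process listings or shell history:  printf '%s\n' "$candidate" | sh pwcheck.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    IFS= read -r candidate
    if check_password "$candidate"; then echo "password meets the documented requirements"; fi
fi
```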

Configure a Publisher in VMWare ESXi

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center.  This includes the ability to leverage a Publisher in VMWare ESXi. 

This topic explains how to create a Publisher instance in VMWare ESXi. Knowledge of the Netskope UI and VMWare ESXi are required, along with:

  • A Netskope Tenant
  • A copy of your Publisher registration token
  • A VMWare ESXi account, version 6 or later.

To access the OVA from the Publisher page in the Netskope UI, go to Settings > Security Cloud Platform > Publishers and click Publisher OVA to download the Publisher OVA file. The OVA file is needed to create an ESXi-based Publisher.

Note

If you want to validate the integrity of the OVA, the SHA hash can be found in the Publisher Release Notes.

Perform these steps in the VMWare ESXi console.

  1. Log in to your ESXi instance and click Virtual Machines.
  2. Click Create/Register VM.
  3. For Select Creation Type, select Deploy a virtual machine from an OVF or OVA file, and then click Next.
  4. For Select OVF and VMDK files, enter a name for the VM, drag and drop the OVA from Netskope, and then click Next.
  5. For Select Storage, keep the default settings and click Next.
  6. For Deployment Options, select your default network, and then click Next.
  7. For Ready to Complete, review the settings to confirm, and then click Finish.

    If a Publisher needs additional interfaces, proceed to step 8.

  8. To add another interface, click on the VM you just created and then click Edit Settings.
  9. Click Add Network Adapter, and then click Save.

Register the Publisher

SSH into the Publisher (default username: ubuntu, default password: ubuntu). When prompted, change your password. After you change it, the system auto-disconnects your SSH session, so you will need to reconnect and log in with your new password before proceeding.

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

    Note

    In the event of a password change, the new password must meet the following minimum requirements:

    • Minimum password length must be 14 characters.
    • Must contain one upper case letter.
    • Must contain one lower case letter.
    • Must contain one digit (number).
    • Must contain one non-alphanumeric character.
    • Cannot be a palindrome.
  2. When prompted for a menu choice, select Register.
  3. Execute the following command only if the Publisher is hosted inside China and needs to connect to a NewEdge DC inside China: sudo touch resources/.prc_dp.
  4. When requested, enter the Netskope registration token, and then click Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.
  5. Go to Settings > Security Cloud Platform > Publishers in your Netskope tenant and confirm your Publisher has a Connected status. If not, go to Publisher Logs for Troubleshooting.

Configure a Publisher in Hyper-V

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center.  This includes the ability to leverage a Publisher in Hyper-V. 

This topic explains how to create a Publisher instance in Hyper-V. Knowledge of the Netskope UI and Hyper-V are required, along with:

  • A Netskope Tenant
  • A copy of your Publisher registration token
  • A Hyper-V account.

To access the VHDX file from the Publisher page in the Netskope UI, go to Settings > Security Cloud Platform > Publishers and click Publisher VHDX.

Note

If you want to validate the integrity of the VHDX, the SHA hash can be found in the Publisher Release Notes.

Perform these steps in the Hyper-V console.

  1. Launch the Microsoft Hyper-V Manager and select the Action New > Virtual Machine….
  2. Enter a VM Name (like NPA Publisher), optionally an installation location, and then click Next.

    Tip

    Name the Publisher to describe its location and/or application use.

  3. Leave Generation 1 selected and click Next.
  4. Specify the amount of memory for the NPA Publisher (4096 MB is recommended for most use cases) and click Next.
  5. Select a network adapter with Internet access to attach to the NPA Publisher, and click Next.
  6. Select Use an existing virtual hard disk and then Browse to the downloaded VHDX file. When finished, click Next.
  7. Confirm the Hyper-V Wizard configuration options and click Finish.
  8. Now you can Start your NPA Publisher in Hyper-V.
  9. Get the IP address provided by the Hyper-V Manager to SSH into the Publisher for Network Settings.

Register the Publisher

SSH into the Publisher (default username: ubuntu, default password: ubuntu). When prompted, change your password. After you change it, the system auto-disconnects your SSH session, so you will need to reconnect and log in with your new password before proceeding.

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

    Note

    In the event of a password change, the new password must meet the following minimum requirements:

    • Minimum password length must be 14 characters.
    • Must contain one upper case letter.
    • Must contain one lower case letter.
    • Must contain one digit (number).
    • Must contain one non-alphanumeric character.
    • Cannot be a palindrome.
  2. When prompted for a menu choice, select Register.
  3. Execute the following command only if the Publisher is hosted inside China and needs to connect to a NewEdge DC inside China: sudo touch resources/.prc_dp.
  4. When requested, enter the Netskope registration token, and then click Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.
  5. Go to Settings > Security Cloud Platform > Publishers in your Netskope tenant and confirm your Publisher has a Connected status. If not, go to Publisher Logs for Troubleshooting.

Configure a Publisher in Azure

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center.  This includes the ability to leverage a Publisher in Azure. 

This topic explains how to create a Publisher instance in Azure. Knowledge of the Netskope UI and Azure are required, along with:

  • A Netskope Tenant
  • A copy of your Publisher registration token
  • An Azure account.

Note

Azure Publishers require 30GB HDD instead of the standard 8GB.

Perform these steps in the Azure console.

Create a Virtual Machine (VM)

  1. Go to Azure Marketplace and search for Netskope Private Access Publisher.
  2. Click Create.
  3. Select Netskope Private Access Publisher from the drop-down menu.
  4. Click Basics.
  5. Select or edit the Resource group and virtual machine, if required.
  6. While creating the VM, the Username field automatically adds azureuser by default. Change the Username to ubuntu to ensure that you log in to the correct virtual machine.
    NPA-Publisher-Azure.png
  7. Copy and paste your public SSH key under SSH public key. If you do not have a public SSH key, select Generate new key pair. This key pair is used to SSH into the Publisher VM. Password-based authentication is disabled by default on Azure Publishers.
  8. Select SSH from the Select public inbound ports dropdown menu.
  9. Click Next: Disks.
  10. Customize according to the desired disk settings or use the default settings.
  11. Click Next: Networking.
  12. Review your networking settings.
  13. Select SSH from the Select public inbound ports dropdown menu.
  14. Click Review + Create and analyze the virtual machine settings.
  15. Click Create.
  16. Wait until the deployment completes.

Open an SSH Session

  1. Click Virtual machines.
  2. Select the newly created VM.
  3. Find a public IP address.
  4. On your computer terminal execute: ssh -i <your_private_ssh.key> ubuntu@<ipaddress>.

Register the Publisher

Note

Registering the Publisher is optional and only required if the Publisher token was not provided during the initial Publisher instance deployment.

SSH into the Publisher (default username: ubuntu, default password: ubuntu). When prompted, change your password. After you change it, the system auto-disconnects your SSH session, so you will need to reconnect and log in with your new password before proceeding.

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

    Note

    In the event of a password change, the new password must meet the following minimum requirements:

    • Minimum password length must be 14 characters.
    • Must contain one upper case letter.
    • Must contain one lower case letter.
    • Must contain one digit (number).
    • Must contain one non-alphanumeric character.
    • Cannot be a palindrome.
  2. When prompted for a menu choice, select Register.
  3. When requested, enter the Netskope registration token, and then click Enter. You can also enter the token with this command: sudo ./npa_publisher_wizard -token <TOKEN>.
  4. Go to Settings > Security Cloud Platform > Publishers in your Netskope tenant and confirm your Publisher has a Connected status. If not, go to Publisher Logs for Troubleshooting.

Configure a Publisher in GCP

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center.  This includes the ability to leverage a Publisher in Google Cloud Platform. 

Note

If you deploy a Publisher in GCP, make sure to bump up the MTU to 1500 bytes. By default, GCP sets it to 1460 bytes.

This topic explains how to create a Publisher instance in Google Cloud Platform Storage. Knowledge of the Netskope UI and Google Cloud Platform are required, along with:

  • A Netskope Tenant
  • A copy of your Publisher registration token
  • A Google Cloud Platform account with a working VPC setup and API permissions.

Important

Ensure your /tmp folder has 777 permissions for successful Publisher deployments and OS updates (the standard /tmp mode of 1777, world-writable with the sticky bit set, satisfies this).

Perform these steps in the Google Cloud Platform console.

  1. Log in to Google Cloud Platform at https://console.cloud.google.com/.
  2. Click the menu icon in the top left and select Compute Engine and then VM instances.
  3. Click Create Instance.
  4. Enter a name for the instance, like netskope-publisher.
  5. Select a Region and Zone. For testing purposes this can be anything. In a production environment, enter the region and zone where the applications reside.
  6. Configure the instance memory and CPU settings (2 cores and 4 GB memory is the recommended setting, but for testing purposes a smaller machine will work).
  7. Click Change under Boot disk.
  8. Select Ubuntu as the Operating System and Ubuntu 20.04 LTS as the Version. Leave the Boot disk type and Size as the defaults.
  9. Click Select.

    Note: Steps 10-13 are optional if no other route to the internet is available.

  10. Click Management, security, disks, networking, sole tenancy.
  11. Click Networking.
  12. Click the pencil icon to edit the network interface.
  13. Select your Network, Subnetwork, and specify an Ephemeral external IP.
  14. Click Create to start the instance creation.
  15. Once the instance is available, connect to it by clicking SSH on the Compute Engine page.
  16. Run the following command in the SSH session to download and install the necessary components for the Publisher. This may take about 10 minutes.
    curl https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh | sudo bash; sudo su - $USER; exit
  17. At the end of this process, you have a fully functional Netskope Publisher and can register it with Netskope.

Register the Publisher

Register the Publisher from an SSH session on the instance. On first login you are prompted to change the default password; after you change it, the system disconnects your SSH session, so reconnect and log in with your new password before proceeding.

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

    Note

    In the event of a password change, the new password must meet the following minimum requirements:

    • Minimum password length must be 14 characters.
    • Must contain one upper case letter.
    • Must contain one lower case letter.
    • Must contain one digit (number).
    • Must contain one non-alphanumeric character.
    • Cannot be a palindrome.
  2. When prompted for a menu choice, select Register.
  3. When requested, enter the Netskope registration token, and then press Enter. You can also pass the token on the command line: sudo ./npa_publisher_wizard -token <TOKEN>. Treat the token as a secret: a value passed as a command-line argument is recorded in the shell history and is visible to other local users in the process list while the command runs, so prefer the interactive prompt on shared hosts.
  4. Go to Settings > Security Cloud Platform > Publishers in your Netskope tenant and confirm your Publisher has a Connected status. If not, go to Publisher Logs for Troubleshooting.

Configure a Publisher on an Ubuntu Installed System

The Netskope Publisher allows for zero trust network access to applications and hosts in your public cloud or private data center. This includes the ability to leverage a Publisher on a standalone installation of Ubuntu OS. Any Ubuntu server, whether on-premises or in a public cloud, and whether physical or virtual, that satisfies the requirements is supported.

Note

Before you deploy a Publisher, make sure the network interface the Publisher will use has an MTU of 1500 bytes.

This topic explains how to create a Publisher instance on an Ubuntu OS. Knowledge of the Netskope UI is required, along with:

  • A Netskope Tenant.
  • A copy of your Publisher registration token.
  • An Ubuntu 20.04 LTS system with the following configuration:
    • Meets the Publisher requirements.
    • Has a non-root user with sudo permission, which you use to install the Publisher via the script.

    Important

    Ensure /tmp is world-writable with the sticky bit set (mode 1777, the Ubuntu default) so Publisher deployments and OS updates can stage files there. Do not use a plain 777: without the sticky bit, any local user can delete or replace other users' files in /tmp.
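The prerequisites above, together with the MTU and /tmp notes in this section and in the GCP section, are easy to get wrong on a host that was not built for the purpose. The following POSIX shell script is an added example (not Netskope's own tooling) that checks a candidate host before you run bootstrap.sh. The thresholds (2 CPUs, 4 GB RAM, 16 GB disk, MTU 1500, /tmp mode 1777) come from the requirements; the function names, the check for a non-root sudo user and for systemd-resolve, and the fetch_bootstrap helper that saves the script to a file instead of piping it into sudo bash are this example's own choices.

```shell
#!/bin/sh
# Pre-flight checks for a Netskope Publisher host.
# Added example, not Netskope's own tooling. Each check_* function takes its input as an
# argument so the logic can be exercised on constructed values; run_preflight collects the
# live values from the host it runs on.

# Thresholds follow the Publisher host requirements; adjust if your sizing differs.
MIN_CPUS=2
MIN_MEM_KB=$((4 * 1024 * 1024))     # 4 GB
MIN_DISK_KB=$((16 * 1024 * 1024))   # 16 GB
REQUIRED_MTU=1500
BOOTSTRAP_URL="https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh"

check_arch()    { [ "${1:-}" = "x86_64" ]; }
check_cpus()    { [ "${1:-0}" -ge "$MIN_CPUS" ]; }
check_mem_kb()  { [ "${1:-0}" -ge "$MIN_MEM_KB" ]; }
check_disk_kb() { [ "${1:-0}" -ge "$MIN_DISK_KB" ]; }
check_mtu()     { [ "${1:-0}" -ge "$REQUIRED_MTU" ]; }
check_ntp()     { [ "${1:-}" = "yes" ]; }
# /tmp must be world-writable with the sticky bit (mode 1777). A plain 0777 would let any
# local user delete or replace files the installer and the OS updater stage there.
check_tmp_mode() { [ "${1:-}" = "1777" ]; }
# The install script is run from a non-root account that can sudo without a prompt.
check_nonroot_sudo() { [ "$(id -u)" -ne 0 ] && sudo -n true 2>/dev/null; }
check_cmd() { command -v "$1" >/dev/null 2>&1; }
check_url() { curl -fsS --max-time 5 -o /dev/null "$1"; }

# MemTotal in kB from /proc/meminfo-style text on stdin.
meminfo_total_kb() { awk '/^MemTotal:/ { print $2; exit }'; }
# Interface carrying the default route, from `ip route show default` output on stdin.
default_iface() { awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'; }

# report NAME CHECK [ARG]: print ok/FAIL and return the check's status.
report() {
  name=$1; shift
  if "$@"; then echo "ok   $name"; return 0; fi
  echo "FAIL $name (got: ${2:-<none>})"; return 1
}

run_preflight() {
  fail=0
  report arch     check_arch     "$(uname -m)"                                        || fail=1
  report cpus     check_cpus     "$(nproc 2>/dev/null)"                               || fail=1
  report memory   check_mem_kb   "$(meminfo_total_kb < /proc/meminfo)"                || fail=1
  report disk     check_disk_kb  "$(df -Pk / | awk 'NR == 2 { print $2 }')"           || fail=1
  report tmp_mode check_tmp_mode "$(stat -c %a /tmp 2>/dev/null)"                     || fail=1
  iface=$(ip route show default 2>/dev/null | default_iface)
  report mtu      check_mtu      "$(cat "/sys/class/net/${iface:-none}/mtu" 2>/dev/null)" || fail=1
  report ntp      check_ntp      "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" || fail=1
  report sudo     check_nonroot_sudo                                                  || fail=1
  report resolver check_cmd      systemd-resolve                                      || fail=1
  report egress   check_url      "$BOOTSTRAP_URL"                                     || fail=1
  return "$fail"
}

# Alternative to piping curl straight into sudo bash: save the script, record its digest,
# and review it before executing it with `sudo bash ./bootstrap.sh`.
fetch_bootstrap() {
  out=${1:-./bootstrap.sh}
  curl -fsS --max-time 60 -o "$out" "$BOOTSTRAP_URL" || return 1
  sha256sum "$out"
}

# Run the live checks when executed as a script; set PREFLIGHT_LIB=1 to load only the functions.
if [ -z "${PREFLIGHT_LIB:-}" ]; then
  run_preflight || echo "preflight: fix the FAIL items above before running bootstrap.sh"
fi
```

Run it as the non-root install user with sh preflight.sh and expect every line to read ok before you run the bootstrap command. The mtu check reads the interface that carries the default route, which is the one the Publisher will use; on GCP a value of 1460 there means the VPC network MTU still needs to be raised.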

Run the following command in the non-root SSH session on your Ubuntu OS to download and install the necessary components for the Publisher. This may take about 10 minutes.

curl https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/bootstrap.sh | sudo bash; sudo su - $USER; exit

The script runs as root. If your change control requires it, download it to a file, review it, and then run it with sudo bash instead of piping it straight into the shell.

At the end of this process, you have a fully functional Netskope Publisher and can register it with Netskope.

Note

During auto-update of this Publisher, Netskope will update the Publisher and make an attempt to update the Ubuntu system. Kernel updates should be carried out by the system administrator.  For more information, go to Publisher Auto-Update.

Register the Publisher

Register the Publisher from an SSH session on the host. On first login you are prompted to change the default password; after you change it, the system disconnects your SSH session, so reconnect and log in with your new password before proceeding.

  1. SSH into the Publisher (default username: ubuntu, default password: ubuntu).

    Note

    In the event of a password change, the new password must meet the following minimum requirements:

    • Minimum password length must be 14 characters.
    • Must contain one upper case letter.
    • Must contain one lower case letter.
    • Must contain one digit (number).
    • Must contain one non-alphanumeric character.
    • Cannot be a palindrome.
  2. When prompted for a menu choice, select Register.
  3. When requested, enter the Netskope registration token, and then press Enter. You can also pass the token on the command line: sudo ./npa_publisher_wizard -token <TOKEN>. Treat the token as a secret: a value passed as a command-line argument is recorded in the shell history and is visible to other local users in the process list while the command runs, so prefer the interactive prompt on shared hosts.
  4. Go to Settings > Security Cloud Platform > Publishers in your Netskope tenant and confirm your Publisher has a Connected status. If not, go to Publisher Logs for Troubleshooting.