
Netskope Help

Dynamic Steering

Dynamic steering enables location-based steering, that is, steering that depends on whether a managed device is on-premises (on-prem) or off-premises (off-prem). Depending on the location, you can set up the steering configuration to steer or bypass configured traffic. When a managed device is detected to be on-premises, only cloud applications are steered, and when the device is detected to be off-premises, all web traffic is steered. Dynamic steering also extends the capability to steer traffic from all or specific private applications.

Consider a scenario where ACME Inc uses a firewall in their on-prem network to manage web traffic. They prefer not to change this setup, and they use Netskope to steer cloud traffic. However, for off-prem users, they configure Netskope to steer both cloud and web traffic. In such a scenario, dynamic steering can detect the user's location and apply the appropriate steering mode.

Prerequisites

On-premises detection must be enabled to configure dynamic steering.

Default Settings for Dynamic Steering

The following are the supported steering modes when a managed device is on-premises or off-premises.

On-Premises Steering Modes

When the managed device is on-premises, you can set up the steering configuration to steer either web or cloud traffic.

Traffic Mode: Cloud (Default)

Steering Exceptions: The cloud application exceptions are bypassed by the Netskope Cloud. If domain exceptions are part of a steered cloud application, they will be sent to and bypassed by the Netskope Cloud. If the domain exceptions aren't part of a steered cloud application, then the following behavior occurs:

  • For Windows devices, traffic is only sent locally and not to the Netskope Cloud.

  • For Mac devices, traffic is bypassed by the Netskope Cloud. If you don't want traffic to be sent to the Netskope Cloud, ensure the domain doesn't exist in the steered cloud application and exceptions list.

Traffic Mode: Web

Steering Exceptions: All exceptions are bypassed by the Netskope Cloud. Contact Netskope Support to enable this mode.

Off-Premises Steering Modes

When the managed device is off-premises, all web traffic is steered by the client.

Traffic Mode: Web (Default)

Steering Exceptions: All exceptions are bypassed locally by the Client.

Netskope doesn't support Cloud mode for managed devices off-premises.

Note

The steering bypasses are aggregated at the Netskope Proxy level, so if traffic is steered/sent to the Netskope Cloud when the Netskope Client is off-premises, the domain exceptions specified in on-premises steering configurations are still applied and allowed.

Enabling Dynamic Steering

Before you begin configuring dynamic steering options, you must enable on-premises detection.

Enabling On-Premises Detection
  1. In your tenant, go to Settings > Security Cloud Platform and click Devices under Netskope Client.

  2. If you are using an existing client configuration, select the configuration from the list and enable the On-Premises Detection option.

    1. Enable On-Premises Detection.

    2. Select location detection method:

      • Use DNS: If the FQDN entered resolves to the provided IP Address, the device is considered to be on-premises. Please make sure this is a valid DNS record that is resolvable only within your network.

      • Use HTTP: The HTTP server must return a 200 OK response code for the device to be considered on-premises. Also enter a connection timeout value. The default is 10 seconds, and the maximum is 60 seconds.

    3. Specify the endpoint address.
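
The two detection methods in step 2 can be checked before rollout. The following Python sketch is an added example, not Netskope code: it models the DNS and HTTP rules as stated above and audits that the DNS record is resolvable only inside the network. The FQDN, IP address and resolver answers are constructed placeholders.

```python
import socket
import urllib.error
import urllib.request

MAX_HTTP_TIMEOUT = 60  # the page gives a 10 s default and a 60 s maximum

def system_resolve(fqdn):
    """Addresses returned by this host's resolver; empty set if none."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()

def dns_on_prem(fqdn, expected_ip, resolve=system_resolve):
    """Use DNS: on-premises only if the FQDN resolves to the provided IP."""
    return expected_ip in resolve(fqdn)

def http_on_prem(url, timeout=10):
    """Use HTTP: on-premises only if the server answers 200 OK in time."""
    if not 0 < timeout <= MAX_HTTP_TIMEOUT:
        raise ValueError("timeout must be 1-60 seconds")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False

def audit_dns_record(fqdn, expected_ip, internal, external):
    """Findings for a DNS detection record; an empty list means it is sound."""
    findings = []
    if not dns_on_prem(fqdn, expected_ip, internal):
        findings.append("internal resolver does not return the configured IP")
    leaked = external(fqdn)
    if expected_ip in leaked:
        findings.append("resolves to the configured IP from outside: "
                        "off-premises devices would match the on-premises rule")
    elif leaked:
        findings.append("record is resolvable outside the network")
    return findings

# Constructed sample data: hypothetical FQDN, IP and resolver answers.
FQDN, IP = "onprem-check.corp.example", "10.20.30.40"
INTERNAL = lambda name: {FQDN: {IP}}.get(name, set())
SPLIT_HORIZON = lambda name: set()   # public DNS has no such record
PUBLIC_LEAK = INTERNAL               # same record also published publicly

if __name__ == "__main__":
    print(audit_dns_record(FQDN, IP, INTERNAL, SPLIT_HORIZON))  # sound
    print(audit_dns_record(FQDN, IP, INTERNAL, PUBLIC_LEAK))    # one finding
```

In a real check, pass `system_resolve` as the internal resolver from a host inside the network and run the same function from an outside host to supply the external view.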

Configuring Dynamic Steering for On-Premises
  1. In the tenant, go to Settings > Security Cloud Platform > Steering Configuration. You can either make changes to an existing steering configuration or create a new one. The following steps illustrate modifying an existing default configuration (Default tenant config).

    Note

    • Irrespective of the user location, all exception types are supported. However, when using the Destination Location (with public IP address only) exception type, select the Treat like local IP address option.

    • If dynamic steering is not configured for on-prem, then all exceptions (if configured) for off-prem will be bypassed by Netskope Cloud when the managed device is on-prem.

    • When configuring on-prem or off-prem, you have the option to enable traffic steering for all or specific private applications.

    • To learn more about steering configuration and exception types, see Steering Configuration and Exceptions.

  2. On the steering configuration page, click the Edit button to modify the configuration.

  3. In the Edit Configuration window, choose the traffic mode (Cloud Apps Only, Web Traffic, and All Traffic) and select the Enable Dynamic Steering option.

  4. Click Save to apply the changes.

  5. On the steering configuration page, select On-Premises for the device location.

Configuring Dynamic Steering for Off-Premises
  1. Go to Settings > Security Cloud Platform > Steering Configuration. You can either make changes to an existing steering configuration or create a new one. The following steps illustrate modifying an existing default configuration (Default tenant config).

    Note

    • Irrespective of the user location, all exception types are supported. However, when using the Destination Location (with public IP address only) exception type, select the Treat like local IP address option.

    • If dynamic steering is not configured for on-prem, then all exceptions (if configured) for off-prem will be bypassed by Netskope Cloud when the managed device is on-prem.

    • When configuring on-prem or off-prem, you have the option to enable traffic steering for all or specific private applications.

    • To learn more about steering configuration and exception types, see Steering Configuration and Exceptions.

  2. On the steering configuration page, click the Edit button to modify the configuration.

  3. In the Edit Configuration window, choose the traffic mode and select the Enable Dynamic Steering option.

  4. Click Save to apply the changes.

  5. On the steering configuration page, select Off-Premises for the device location.
