Enabling Dynamic Steering

Dynamic steering enables location-based steering: depending on whether a managed device is on-premises or off-premises, you can set up the steering configuration to steer or bypass the configured traffic.

Dynamic Steering Prior To Version 112.0.0

When a managed device is detected to be on-premises, only cloud applications are steered; when the device is detected to be off-premises, all web traffic is steered. Dynamic steering also extends the capability to steer traffic from all or specific private applications.

For example, ACME Inc. uses a firewall in their on-prem network to manage web traffic. They want to keep this setup and use Netskope only to steer cloud traffic while on-prem. For off-prem users, however, they want Netskope to steer both cloud and web traffic. In this situation, dynamic steering detects the user location and applies the appropriate steering mode.

Irrespective of the user location, all exception types are supported. However, when using the Destination Location (with public IP address only) exception type, select the Treat like local IP address option. To learn more about exception types, see Adding Exceptions.

About Dynamic Steering

The following are the supported steering modes when a managed device is on-premises or off-premises.

On-Premises Steering Modes

When the managed device is on-premises, you can set up the steering configuration to steer either web or cloud traffic:

Traffic Mode: Cloud (Default)
Steering Exceptions: The Netskope cloud application exceptions are bypassed from the Netskope Cloud. If domain exceptions are part of a steered cloud application, they are bypassed by the Netskope cloud. If the domain exceptions aren’t part of a steered cloud application, then the following behavior occurs:
  • For Windows devices, traffic is only sent locally and not to the Netskope Cloud.
  • For Mac devices, traffic is bypassed from the Netskope Cloud. If you don’t want traffic to be sent to the Netskope Cloud, ensure the domain doesn’t exist in the steered cloud application and exceptions list.

Traffic Mode: Web
Steering Exceptions: All exceptions are bypassed from the Netskope Cloud. Contact Netskope Support to enable this mode.

Note

The steering bypasses are aggregated at the Netskope Proxy level, so if traffic is steered/sent to the Netskope Cloud when the Netskope Client is on-premises, the domain exceptions specified in off-premises steering configurations are allowed.

Off-Premises Steering Modes

When the managed device is off-premises, all web traffic is steered by the Netskope Client.

Traffic Mode: Web (Default)
Steering Exceptions: All exceptions are bypassed locally by the Netskope Client.

Netskope doesn’t support Cloud mode for managed devices off-premises.

Note

The steering bypasses are aggregated at the Netskope Proxy level, so if traffic is steered/sent to the Netskope Cloud when the Netskope Client is off-premises, the domain exceptions specified in on-premises steering configurations are allowed.

Enabling On-Premises Detection

Before enabling dynamic steering, you must enable on-premises detection for the Netskope Client. To learn more about on-prem detection, see Tunnel Settings (Earlier Termed as Traffic Steering).

To enable on-premises detection:

  1. Go to Settings > Security Cloud Platform > Devices.
  2. Click the Netskope Client configuration you want to enable on-premises detection for.
  3. In the Tunnel Settings tab, select On-Premises Detection, and choose the location detection method:
    • Use DNS: Enter the endpoint domain and IP address. If the FQDN entered resolves to the provided IP Address, the device is considered to be on-premises. Ensure this is a valid DNS record that is resolvable only within your network.
    • Use HTTP: Enter http:// followed by the endpoint FQDN or IP address, as well as a connection timeout value. The default is 10 seconds, and the maximum is 60. The device is considered to be on-premises only if the HTTP server returns a 200 OK response code. When a proxy server is available for Netskope Client, HTTP requests go to the proxy server from Netskope Client. To use this method, you must have Netskope Client release version 72.0.0 or higher.

    Note

    • Don’t use a .local hostname for the DNS check because the mDNS responder on Mac OS X might interfere with the resolution of .local hostnames.
    • Don’t use hostnames or IP addresses that are defined for Netskope Private Access in DNS or HTTP checks because they cause flapping in the On-Premises check. Netskope recommends you use a separate domain name that does not overlap with NPA app definitions. You can configure a dedicated forward lookup or separate entry in your enterprise DNS for the on-prem detection.

When dynamic steering is enabled, the Netskope Client checks the on-prem status every 3 to 5 minutes.

The Client Configuration window for Devices.

Enabling Dynamic Steering for On- or Off-Premises Devices

Note: Refer to Create Steering Configuration for the new options available for Dynamic Steering.

To enable dynamic steering for on- or off-prem devices:

  1. Go to Settings > Security Cloud Platform > Steering Configuration.
  2. Click New Configuration, or click the More icon and then Edit Configuration to choose one of the existing steering configurations you want to enable dynamic steering for.
  3. In the Edit Configuration window, select Enable Dynamic Steering. You can optionally enable traffic steering for all or specific private applications or DNS traffic (if you have Cloud Firewall).

    Note

    If dynamic steering is not enabled for on-prem, then all exceptions configured for off-prem will be bypassed by the Netskope Cloud instead of locally when the managed device is on-prem.

    The Edit Configuration window in Steering Configuration.
  4. Click Save.
  5. On the steering configuration page, select On-Premises or Off-Premises for the device location.
    The On Premises option for the Dynamic Steering setting.
    The Off Premises option for the Dynamic Steering setting.

Dynamic Steering From Version 112.0.0

With release 112.0.0, Netskope adds more flexibility to the dynamic steering feature. In the new flexible dynamic steering:

  • For the steering traffic mode, you can switch traffic mode between On-Prem, Off-Prem and the new mode None. When the traffic mode is None, the Client does not establish a tunnel or steer traffic. Exceptions will not be processed as they are only applicable for steered traffic.

  • For the steering exception rules:

    • Firewall app exceptions have separate sets of rules for On-Prem and Off-Prem in the All traffic steering mode.

    • Category exceptions have a set of rules for On-Prem and Off-Prem in Web or All mode.

  • Contact Support to enable the new Dynamic Steering Configuration for the existing tenants. This feature is automatically enabled for the new tenants.
  • This section is about the new Flexible Dynamic Steering that is available from version 112.0.0. If you want to know about configuring steering using the legacy dynamic steering, view Creating a Steering Configuration.

About Dynamic Steering

With the introduction of flexible dynamic steering in version 112.0.0, you can switch traffic mode between On-Prem, Off-Prem and the new mode None.

The following are the supported steering modes when a managed device is on-premises or off-premises.

On- and Off-Premises Steering Modes

When the managed device is On-Prem or Off-Prem, you can set up the steering configuration with one of the following traffic modes:

Traffic Mode: Cloud Apps Only
Steering Exception: The Netskope cloud application exceptions are bypassed from the Netskope Cloud. If domain exceptions are part of a steered cloud application, they are bypassed by the Netskope cloud. If the domain exceptions aren't part of a steered cloud application, then the following behavior occurs:
  • For Windows devices, traffic is only sent locally and not to the Netskope Cloud.
  • For Mac devices, traffic is bypassed from the Netskope Cloud. If you don't want traffic to be sent to the Netskope Cloud, ensure the domain doesn't exist in the steered cloud application and exceptions list.

Traffic Mode: Web Traffic
Steering Exception: All exceptions are bypassed from the Netskope Cloud.

Traffic Mode: All Traffic
Steering Exception: Steer all traffic (web and non-web) to Netskope for deep analysis. You can make exceptions for traffic that has personal or private content.

Traffic Mode: None
Steering Exception: The Client does not establish any tunnel and continues to monitor On-Prem status changes. The Client establishes a tunnel if the On-Prem status changes and a tunnel is needed for the new traffic steering mode.

Legacy Dynamic Steering vs Flexible Dynamic Steering

Supported traffic modes by steering type and location:

Legacy Dynamic Steering (prior to version 112.0.0)
  On-Premises: Cloud Apps Only: Yes; Web Traffic: Yes; All Traffic: Yes; None: No
  Off-Premises: Cloud Apps Only: Yes; Web Traffic: Yes; All Traffic: No; None: No

Flexible Dynamic Steering
  On-Premises: Cloud Apps Only: Yes; Web Traffic: Yes; All Traffic: Yes; None: Yes
  Off-Premises: Cloud Apps Only: Yes; Web Traffic: Yes; All Traffic: Yes; None: Yes
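An added example (not Netskope code) that encodes the table above together with the None mode behaviour described in this section: it validates a per-location configuration against the steering type and reports the mode that applies once the on-prem status is known. The steering type labels, the config class, and the assumption that an existing tunnel is released when the new mode is None are mine, not the page's.

```python
from dataclasses import dataclass

# Added example, not Netskope code. It encodes the "Legacy vs Flexible Dynamic
# Steering" table on this page and the None mode behaviour: validate a per-location
# configuration and report which traffic mode applies for the detected location,
# whether the Client keeps a tunnel, and whether exceptions are processed.

MODES = ("Cloud Apps Only", "Web Traffic", "All Traffic", "None")

# Supported modes per steering type and location, as in the page's table.
SUPPORTED = {
    ("legacy", "on-prem"): {"Cloud Apps Only", "Web Traffic", "All Traffic"},
    ("legacy", "off-prem"): {"Cloud Apps Only", "Web Traffic"},
    ("flexible", "on-prem"): set(MODES),
    ("flexible", "off-prem"): set(MODES),
}

@dataclass(frozen=True)
class DynamicSteeringConfig:
    steering_type: str  # "legacy" (prior to 112.0.0) or "flexible" (112.0.0+)
    on_prem_mode: str
    off_prem_mode: str

def validate(cfg: DynamicSteeringConfig) -> None:
    """Reject mode/location combinations the chosen steering type does not support."""
    for location, mode in (("on-prem", cfg.on_prem_mode), ("off-prem", cfg.off_prem_mode)):
        allowed = SUPPORTED.get((cfg.steering_type, location))
        if allowed is None:
            raise ValueError(f"unknown steering type {cfg.steering_type!r}")
        if mode not in allowed:
            raise ValueError(f"{mode!r} is not supported {location} with "
                             f"{cfg.steering_type} dynamic steering")

def effective_steering(cfg: DynamicSteeringConfig, is_on_prem: bool):
    """Return (mode, tunnel_established, exceptions_processed) for the location."""
    validate(cfg)
    mode = cfg.on_prem_mode if is_on_prem else cfg.off_prem_mode
    steering = mode != "None"
    # None: no tunnel, and exceptions are skipped because they apply only to
    # steered traffic; the Client keeps polling on-prem status (every 3-5 minutes).
    return mode, steering, steering

def tunnel_transition(cfg: DynamicSteeringConfig, was_on_prem: bool, now_on_prem: bool) -> str:
    """What happens to the tunnel when the on-prem status changes. Assumption (not
    stated on the page): a tunnel already in place is released when the new mode is None."""
    _, before, _ = effective_steering(cfg, was_on_prem)
    _, after, _ = effective_steering(cfg, now_on_prem)
    if before == after:
        return "unchanged"
    return "established" if after else "released"
```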

Enabling On-Premises Detection

Before enabling dynamic steering, you must enable on-premises detection for the Netskope Client. To learn more about on-prem detection, see Tunnel Settings (Earlier Termed as Traffic Steering).

To enable on-premises detection:

  1. Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration.

  2. Click the Netskope Client configuration you want to enable on-premises detection for.

  3. In the Tunnel Settings tab, select On-Premises Detection, and choose the location detection method:

    • DNS: Enter the endpoint domain and IP address. If the FQDN entered resolves to the provided IP Address, the device is considered to be on-premises. Ensure this is a valid DNS record that is resolvable only within your network.

    • HTTP: Enter http:// followed by the endpoint FQDN or IP address, as well as a connection timeout value. The default is 10 seconds, and the maximum is 60. The device is considered to be on-premises only if the HTTP server returns a 200 OK response code. When a proxy server is available for Netskope Client, HTTP requests go to the proxy server from Netskope Client. To use this method, you must have Netskope Client release version 72.0.0 or higher.

    • Don’t use a .local hostname for the DNS check because the mDNS responder on Mac OS X might interfere with the resolution of .local hostnames.
    • Don’t use hostnames or IP addresses that are defined for Netskope Private Access in DNS or HTTP checks because they cause flapping in the On-Premises check. Netskope recommends you use a separate domain name that does not overlap with NPA app definitions. You can configure a dedicated forward lookup or separate entry in your enterprise DNS for the on-prem detection.
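The DNS and HTTP checks described in this procedure (and in the earlier "Enabling On-Premises Detection" section for versions prior to 112.0.0), as an added example that is not Netskope's code: the hostnames, addresses and resolver/fetcher stand-ins are constructed assumptions, and the logic applies the page's rules (exact IP match for the DNS method, 200 OK within a 10-second default and 60-second maximum timeout for the HTTP method, no .local names).

```python
import ipaddress
from typing import Callable, Optional

# Added example, not Netskope code. It models the on-premises detection rules on
# this page: DNS method = the configured FQDN resolves to the configured IP;
# HTTP method = the http:// endpoint returns 200 OK within the timeout (default
# 10 s, maximum 60 s). Resolver and fetcher are injected so it runs offline.

DEFAULT_TIMEOUT = 10  # seconds
MAX_TIMEOUT = 60

def validate_dns_check(fqdn: str, expected_ip: str) -> None:
    """Reject settings the page warns against or that cannot work."""
    if fqdn.lower().rstrip(".").endswith(".local"):
        raise ValueError("do not use a .local hostname: mDNS on Mac OS X may interfere")
    ipaddress.ip_address(expected_ip)  # raises ValueError unless a valid IP literal

def dns_on_prem(fqdn: str, expected_ip: str,
                resolve: Callable[[str], Optional[str]]) -> bool:
    """On-prem only if the FQDN resolves to exactly the expected IP; no answer
    or a different answer (e.g. from a public resolver) means off-prem."""
    validate_dns_check(fqdn, expected_ip)
    return resolve(fqdn) == expected_ip

def http_on_prem(url: str, fetch: Callable[[str, int], Optional[int]],
                 timeout: Optional[int] = None) -> bool:
    """On-prem only if the endpoint answers 200 OK within the timeout."""
    if not url.lower().startswith("http://"):
        raise ValueError("the HTTP check endpoint must be entered with http://")
    timeout = DEFAULT_TIMEOUT if timeout is None else timeout
    if not 0 < timeout <= MAX_TIMEOUT:
        raise ValueError(f"timeout must be between 1 and {MAX_TIMEOUT} seconds")
    return fetch(url, timeout) == 200

# Constructed stand-ins (hypothetical names and addresses): an internal-only DNS
# record, a public resolver that does not know it, and HTTP endpoint outcomes.
INTERNAL_RECORDS = {"onprem-check.corp.example": "10.20.30.40"}

def corp_resolver(name: str) -> Optional[str]:
    return INTERNAL_RECORDS.get(name.lower().rstrip("."))

def public_resolver(name: str) -> Optional[str]:
    return None  # record deliberately not resolvable outside the network

def reachable_fetch(url: str, timeout: int) -> Optional[int]:
    return 200  # endpoint reachable on the corporate network

def unreachable_fetch(url: str, timeout: int) -> Optional[int]:
    return None  # no response within the timeout: device is off-prem
```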

Enabling Dynamic Steering for On- or Off-Premises Devices

To enable dynamic steering for on- or off-prem devices:

  1. Go to Settings > Security Cloud Platform > Steering Configuration.

  2. Click New Configuration, or click the More icon and then choose Edit Configuration to select one of the existing steering configurations you want to enable dynamic steering for.

  3. In the Edit Configuration window, select Enable Dynamic Steering. You can steer traffic for Netskope Client through the On- or Off-prem configurations in the drop-down menu.

    • You can choose one of the following steering options for On-Prem and Off-Prem:

      • Cloud Apps Only: Only steer specific cloud applications to the Netskope cloud for deep analysis. You can create exceptions and allow special accommodations for custom applications.

      • Web Traffic: Steer all web traffic (HTTP and HTTPS) to the Netskope cloud for deep analysis. You can create exceptions for traffic that has personal or private content. You must have a SWG/NG SWG license to select this option.

      • All traffic: Steer all HTTP(S) and non-HTTP(S) traffic to the Netskope cloud for deep analysis. You must have the Cloud Firewall license to select this option.

      • None: The Client does not establish any tunnel and continues to monitor On-Prem status change. The Client establishes a tunnel if the On-Prem status changes and a tunnel is needed for the new traffic steering mode.

    • Bypass exception traffic at Netskope Client or Netskope Cloud. If you choose:

      • Client: traffic is bypassed on the local device.

      • Netskope Cloud: traffic bypasses the firewall.

    • DNS traffic: Select to steer DNS traffic to the Netskope cloud for deep analysis. This option is only available for Web Traffic and All Traffic types as well as Off-Premises configurations. You must have the Cloud Firewall and DNS licenses to select this option.

    • Private Apps: Steer private apps for On-Premises and Off-Premises configurations. You can steer:

      • All Private Apps: Choose whether the Netskope Client steers private apps when other steering methods, such as GRE, IPSec, and Explicit Proxy, are present.

      • Specific Private Apps: Steer specific private apps. For example, if your existing VPN is active and allows access to all on-prem apps in your private data center, you can deselect those apps and only select apps hosted in AWS, Azure, or GCP. This allows your existing VPN to provide access to on-prem apps, but Netskope Private Access can access apps in the public cloud.

    • Status: Enable or disable the steering configuration. Netskope recommends leaving it disabled until you have configured the steered items and exceptions.

  4. Click Save.
