Cloud Explicit Proxy for Chromebooks
This guide illustrates using explicit proxy to steer SWG / CASB traffic from managed Chromebooks using the Netskope Chrome extension.
When steering private app traffic, the Chrome extension can work alongside the Netskope Cloud Director for Android that is used for NPA (Netskope Private Access) steering on Chromebooks. Ensure that you add private domains to the bypass_list or the PAC file so they are not steered to the explicit proxy.
Prerequisites for Steering SWG / CASB Traffic in Chromebooks
- Configure your tenant with SAML forward proxy authentication.
You can push the Netskope Chrome extension through Google Workspace Admin console and pre-provision necessary configuration.
Installing the Netskope TLS CA Certificate
Install the TLS CA certificates to allow TLS decryption of traffic from managed Chromebooks. Before you proceed, download the certificates from the Netskope tenant admin console.
Downloading Certificates from Netskope Tenant
- Log in to the Netskope tenant as an administrator.
- Go to Settings > Manage > Certificates > Signing CA.
- Download the following certificates:
- Root CA (Remote Users)
- Root CA
- Intermediate CA
Note
If you have configured your own signing CA certificate, import it together with all necessary intermediate CAs in addition to the Root CA (Remote Users) mentioned above.
Installing Certificates in Google Workspace Admin Console
- Log in to the Google Workspace Admin console.
- Go to Devices > Networks > Certificates and add the certificates downloaded from your Netskope tenant.
Setting Proxy Mode to Allow User Configuration
- In the Google Workspace Admin console go to Devices > Chrome > Settings > Users & browsers.
- Select the organizational units that should use the extension and confirm that Proxy mode is set to Allow user to configure (this is the default).
Configuring the Netskope Chrome Extension
- In Google Workspace Admin console go to Devices > Chrome > Apps & extensions > Users & browsers.
- Select organizational units that should be provisioned with the extension.
- On the bottom right of the screen, click the + icon to add an extension from Chrome Web Store.
- In the pop-up window, search Netskope in the Chrome store to get the Netskope Chrome extension.
- Set the Installation Policy to Force Install + pin to browser toolbar option.
- Click the Netskope Chrome Extension to specify JSON objects as the Policy for extensions.
The JSON object has the following format:
{"tenant": { "Value": "<full-tenant-name>" }, "block_disable": { "Value": <option> }, "enforce_os": { "Value": ["<os-name>"] }, "bypass_list": { "Value": [ "<comma-separated_url_list>" ] } }
- tenant - The JSON object must contain the tenant name in the format "tenant": {"Value":"<tenant-name>"}. For example: "tenant": {"Value":"myorg.<tenant-URL>"}, where myorg.eu.goskope.com is the full tenant name. The tenant name must include the goskope.com suffix.
- block_disable - A boolean value to disallow users from disabling steering to Netskope. For example: "block_disable": {"Value": true}
- enforce_os - An array of strings that specify where the Netskope Chrome extension will operate. If this parameter is not specified, the extension will automatically be installed on all devices for a given user profile even if other Netskope steering methods are supposed to be used on those devices. Example of a valid entry: "enforce_os":{"Value":["cros"]}
Valid operating system definitions are:
- For ChromeOS, specify cros
- For Microsoft Windows, specify win
- For Apple macOS, specify mac
- For Google Android, specify android
Note
Google Chrome on Android does not support extensions, so this parameter is valid only for third-party Chromium-based browsers.
- For non-ChromeOS Linux, specify linux
- For OpenBSD, specify openBSD
- bypass_list - An array of strings to identify the bypass settings for Netskope steering. This list may contain the following entries:
- Hostname: [<scheme>://]<host-pattern>[:<port>]. Matches all hostnames that match <host-pattern>. A leading "." is interpreted as "*.". Examples: "foobar.com", "*foobar.com", "*.foobar.com", "*foobar.com:99", "https://x.*.y.com:99".
Simple Hostname:
Pattern        Matches                                     Does not Match
.foobar.com    www.foobar.com                              foobar.com
*.foobar.com   www.foobar.com                              foobar.com
foobar.com     foobar.com                                  www.foobar.com
*foobar.com    foobar.com, www.foobar.com, foofoobar.com
- <local>: Matches simple hostnames. A simple hostname is one that contains no dots and is not an IP literal. For instance, example and localhost are simple hostnames. However, example.com, example., and [::1] are not.
- IP Address: [<scheme>://]<ip-literal>[:<port>]. Matches URLs that are IP address literals. Conceptually this is similar to the first case, but with special cases to handle IP literal canonicalization. For example, matching on [0:0:0::1] is the same as matching on [::1] because the IPv6 canonicalization is done internally. Examples: 127.0.1, [0:0::1], [::1], http://[::1]:99
- IP Address with Range: <ip-literal>/<prefix-length-in-bits>. Matches any URL containing an IP literal within the given range. The IP range is specified using CIDR notation. Examples: "192.168.1.1/16", "fefe:13::abc/33"
List of domains recommended to be bypassed by Google:
"bypass_list":{ "Value":[ "*.1e100.net", "accounts.google.com", "accounts.google.co.uk", "accounts.gstatic.com", "accounts.youtube.com", "alt*.gstatic.com", "chromeos-ca.gstatic.com", "chromeosquirksserver-pa.googleapis.com", "clients1.google.com", "clients2.google.com", "clients3.google.com", "clients4.google.com", "clients2.googleusercontent.com", "cloudsearch.googleapis.com", "commondatastorage.googleapis.com", "cros-omahaproxy.appspot.com", "dl.google.com", "dl-ssl.google.com", "firebaseperusertopics-pa.googleapis.com", "*.googleusercontent.com", "*.gvt1.com", "gweb-gettingstartedguide.appspot.com", "m.google.com", "omahaproxy.appspot.com", "pack.google.com", "policies.google.com", "printerconfigurations.googleusercontent.com", "safebrowsing-cache.google.com", "safebrowsing.google.com", "ssl.gstatic.com", "storage.googleapis.com", "tools.google.com", "www.googleapis.com", "www.gstatic.com" ] }
- pac_data - Static PAC file data to be used instead of the bypass_list. The provided PAC file should point the steered traffic to eproxy-<tenant-name>.goskope.com:8081.
Note
If using a non-Google IdP, ensure that you add the relevant domains for SAML auth to this bypass list.
Note
If both pac_data and bypass_list are provided, only the pac_data is used.
Example of a valid pac_data entry (the PAC script uses single quotes so that the whole value remains a valid JSON string):
"pac_data":{"Value":"function FindProxyForURL(url, host) { if (!shExpMatch(url, 'https://*') && !shExpMatch(url, 'http://*')) return 'DIRECT'; var ExpList = [ '*.1e100.net', 'accounts.google.com', 'accounts.google.co.uk', 'accounts.gstatic.com', 'accounts.youtube.com', 'alt*.gstatic.com', 'chromeos-ca.gstatic.com', 'chromeosquirksserver-pa.googleapis.com', 'clients1.google.com', 'clients2.google.com', 'clients3.google.com', 'clients4.google.com', 'clients2.googleusercontent.com', 'cloudsearch.googleapis.com', 'commondatastorage.googleapis.com', 'cros-omahaproxy.appspot.com', 'dl.google.com', 'dl-ssl.google.com', 'firebaseperusertopics-pa.googleapis.com', '*.googleusercontent.com', '*.gvt1.com', 'gweb-gettingstartedguide.appspot.com', 'm.google.com', 'omahaproxy.appspot.com', 'pack.google.com', 'policies.google.com', 'printerconfigurations.googleusercontent.com', 'safebrowsing-cache.google.com', 'safebrowsing.google.com', 'ssl.gstatic.com', 'storage.googleapis.com', 'tools.google.com', 'www.googleapis.com', 'www.gstatic.com' ]; for (var i=0; i<ExpList.length; i++) { if (shExpMatch(host, ExpList[i])) return 'DIRECT'; } var proxy = 'PROXY eproxy-myorg.eu.goskope.com:8081'; return proxy; }"}
- pac_url - A URL for a PAC file to be applied instead of bypass_list or pac_data. The downloaded PAC file should point steered traffic to eproxy-<tenantname>.goskope.com:8081. If pac_url and bypass_list or pac_data are provided, only pac_url is used. Example of a valid pac_url entry is: "pac_url":{"Value":"http://setools.netskope.io/mypac.pac"}
- After providing the policy for the extension, click Save on the top right corner to save the settings.
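As an added example that is not part of the Netskope documentation or extension, a small Python linter that checks an extension policy JSON against the rules above (tenant suffix, block_disable, enforce_os values, the pac_url over pac_data over bypass_list precedence, and the eproxy target of a static PAC); both sample policies are constructed.

```python
import json

# Valid enforce_os values from the policy description above.
VALID_OS = {"cros", "win", "mac", "android", "linux", "openBSD"}

def lint_policy(policy_json):
    """Return a list of findings for a Netskope Chrome extension policy; [] means clean."""
    policy = json.loads(policy_json)
    value = lambda key: policy.get(key, {}).get("Value")
    findings = []
    tenant = value("tenant")
    if not isinstance(tenant, str) or not tenant.endswith("goskope.com"):
        findings.append("tenant must be the full tenant name with the goskope.com suffix")
    if value("block_disable") is not True:
        findings.append("block_disable is not the JSON boolean true: users can turn steering off")
    os_list = value("enforce_os")
    if os_list is None:
        findings.append("enforce_os missing: the extension installs on every device of the user")
    elif set(os_list) - VALID_OS:
        findings.append("enforce_os has unknown values: " + ", ".join(sorted(set(os_list) - VALID_OS)))
    # Precedence: pac_url overrides pac_data, which overrides bypass_list.
    sources = [k for k in ("pac_url", "pac_data", "bypass_list") if k in policy]
    if len(sources) > 1:
        findings.append(f"only {sources[0]} is used; {', '.join(sources[1:])} ignored")
    # A static PAC must send steered traffic to eproxy-<tenant>.goskope.com:8081.
    pac = value("pac_data")
    if isinstance(tenant, str) and isinstance(pac, str) and f"eproxy-{tenant}:8081" not in pac:
        findings.append(f"pac_data does not point to eproxy-{tenant}:8081")
    return findings

# Constructed sample policy (not from the page) with several deliberate mistakes.
BAD_POLICY = json.dumps({
    "tenant": {"Value": "myorg.eu"},
    "block_disable": {"Value": "true"},
    "enforce_os": {"Value": ["cros", "chromeos"]},
    "bypass_list": {"Value": ["accounts.google.com"]},
    "pac_url": {"Value": "http://setools.example.invalid/mypac.pac"},
})

# Constructed sample policy that passes every check.
GOOD_POLICY = json.dumps({
    "tenant": {"Value": "myorg.eu.goskope.com"},
    "block_disable": {"Value": True},
    "enforce_os": {"Value": ["cros"]},
    "pac_data": {"Value": "function FindProxyForURL(url, host) { return 'PROXY eproxy-myorg.eu.goskope.com:8081'; }"},
})
```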
Verifying Policy Propagation
To verify that the policy is correctly propagated, on a managed Chromebook navigate to chrome://policy. At the bottom of the page you will see a formatted table of the Netskope Chrome Extension policies.
Hardening Managed Chromebook Configuration
To ensure that users are not able to bypass the steering to Netskope, we recommend that you configure the following settings in Google Workspace Admin console:
- In Devices > Chrome > Settings > Users & browsers, click Disallow incognito mode.
- In Devices > Chrome > Apps & extensions > Users & browsers > Allow/block mode, click Edit in legacy view.
- In Additional Settings, block unauthorized extensions that request the Set proxy or VPN provider permissions, and prevent any user-installed extensions (such as ad blockers and NoScript) from interfering with goskope.com domains by adding *://*.goskope.com to the Runtime blocked hosts list.
- Block all apps not in the allow list for the Play Store and Chrome Web Store.
- In Devices > Chrome > Settings > Users & Browsers, prevent users from managing certificates so they won’t tamper with the Netskope CA pushed by Google Workspace Admin.