Cloud Explicit Proxy

Cloud Explicit Proxy provides a new method for steering traffic from any device to the Netskope Cloud using a Proxy Auto Configuration (PAC) file. A PAC file tells a browser to forward traffic to a proxy server instead of the destination server. When a user opens a browser, the browser sends a request for the default PAC file, and then uses the instructions to forward traffic to the Netskope URL in the PAC file. Cloud Explicit Proxy is a great traffic steering method for organizations that are unable to use Netskope Client. Additionally, it doesn’t require an IPSec or GRE tunnel and can be reached from the internet.

The following diagram illustrates the traffic workflow for Cloud Explicit Proxy when users open a browser for the first time:

The following diagram illustrates the traffic workflow for Cloud Explicit Proxy after users the first access:

In certain use cases, you might want to use Cloud Explicit Proxy. For example:

• There is an existing process to distribute proxy PAC files to roaming users in place, and you want to use it for exceptions including SSL decryption exceptions, but you have other configurations already scripted into the PAC file.

• The roaming or trusted-location user relies heavily on the browser for applications and must install the proxy CA directly on the browser as well as interactively self-identify and perform authentication with the browser.

• The user’s browser traffic requires additional SSL inspection to provide additional security controls without a tunnel or additional client software.

General Guidelines

When configuring Cloud Explicit Proxy, consider the following:

• Configure SAML 2.0 authentication using SAML Forward Proxy. User identity can be retrieved with an IdP that uses SAML 2.0, which you can go to Settings > Security Cloud Platform > Forward Proxy > SAML to configure. The user’s browser must be set up to use port 8081. Authentication is used to get the identity of the user, which you can use to apply policies. To enable authentication after configuring the forward proxy, see Forward Proxy Authentication.

• You can configure endpoints to use the proxy directly. For example:

  

• Only send HTTP and HTTPS traffic (typically on ports 80, and 443, but Netskope also supports custom ports) for the Explicit Proxy. Don’t send any other traffic through these ports.

• If you want to exclude traffic from the Netskope cloud, you must add exceptions in the PAC file.

• Explicit Proxy relies on cookies to identify users (see Cookie Surrogate). For Firefox, if you enable Enhanced Tracking Protection, Firefox might block certain cookie, which might affect user experience.

• Because Explicit Proxy relies on the IdP to get the user ID, you must not send your IdP request/response to Netskope but instead send the traffic directly to the IdP server.

• For Box endpoints, consider these factors when using explicit proxy:

  • Policies that are user specific for access to specific apps, instances, or SSL decryption, etc., aren’t enforced.

  • Events (Application/Page) doesn’t show user information but shows the IP address of the user.

About the Explicit Proxy Page

On the Explicit Proxy page (Settings > Security Cloud Platform > Explicit Proxy), you can:

1. Download a sample PAC file template to create your own custom PAC file for Explicit Proxy and distribute it to all your user’s devices. Your modified PAC file can be hosted on-premises so that devices can retrieve it automatically. Enter the domains not to proxy, the substrings (HTTP/HTTPS) to proxy, and your tenant name:

   function FindProxyForURL(url, host) { 
       /* Normalize the URL for pattern matching */
       url = url.toLowerCase();
       host = host.toLowerCase();
       /* Don't proxy local hostnames */
       if (isPlainHostName(host)) {
           return 'DIRECT';
       }
        /* Don't proxy IDP servers. */
       /*
       if ((dnsDomainIs(host, '.okta.com'))
       {
           return 'DIRECT'
       }
       */
       /* Don't proxy for domains. */
       /*
       if ((dnsDomainIs(host, '.domain-example1.com')) ||
       (dnsDomainIs(host, '.domain-example2.com')))
       {
           return 'DIRECT'
       }
       */
       if (url.substring(0, 5) === 'http:' || url.substring(0, 6) === 'https:') {
           return 'PROXY eproxy-<Tenant Name>:8081';
       }
       return 'DIRECT';
   }

2. Under Explicit Proxy Destination:

   • Certificates: Click to go to the Certificates page where you can download and install the Netskope Root CA on your endpoints. For macOS, install it in Certificates from the Keychain Access tool. There is a separate certificate available for remote users.

   • Explicit Proxy Destination: View the Explicit Proxy destination.

   • Download Root Certificate (Remote Users): Download and install the Netskope root CA for remote users, which you can also find on the Certificates page.

3. Under Tenant Lookup Service:

   • Tenant Name: View the Tenant Name. You must:

     • Replace the <Tenant Name> in the sample PAC file template.

     • Provide to remote users as they need the organization (tenant) name for validation. Once validated, Netskope redirects remote users to authenticate with their IdP before accessing the web. Authentication is mandatory for remote users.

   • Preview: View an example of the validation notification that remote users see.

     

IP Address Allowlist & User Identity

Netskope requires users from unknown locations to authenticate. However, you can choose whether to allow or block unauthenticated traffic from specific IP addresses.

In the IP Address Allowlist & User Identity section, you can:

1. Click to Allow or Block unauthenticated traffic.

2. Add source egress IP addresses you want to allow unauthenticated traffic from.

3. View a list of IP addresses you are allowing unauthenticated traffic from. For each IP address, you can see the following information:

   • Name: The name of the IP address.

   • IP Address: The on-premises source egress IP address of the user’s device.

4. Click to choose one of the following options:

   • Edit: Modify the IP address and its settings. You can edit only one IP address or CIDR at a time. To learn more: Allowing Unauthenticated Traffic from IP Addresses.

   • Delete: Delete the IP address.

5. View up to 100 IP addresses per page.

6. View multiple pages of the table.

Viewing Explicit Proxy Traffic in Skope IT

After you configure Explicit Proxy, when users navigate to a website, Netskope requires them to authenticate to the IdP before continuing to the site. To view these web page events in Skope IT:

1. Go to Skope IT > Page Events.

2. Click to view more information on the page event.

3. In the Page Event Details pane, under General, the Access Method displays Explicit Proxy.