Forward Proxy Global Settings

This feature, when enabled, provides authentication through the Netskope Security Cloud Platform. In addition, you can bypass specific domains and web categories for which authentication is not required. Administrators can use this page to configure user authentication settings. You can enable SAML authentication and cookie surrogate, and also select an authentication refresh interval.

You can use Netskope as an authentication mode to integrate with an Identity Provider (IdP). This feature acts as an authentication module that uses Netskope’s framework and the IdP’s auth assertion after authentication.

Using Cookie Surrogate

A cookie surrogate is useful in cases where users are behind a NAT device and the Netskope Security Cloud Platform sees the same IP for all the users that are behind NAT. When this feature is enabled, the cookie surrogate resolves this by using a cookie to fetch user identity. For this purpose, enter the private IP address of the NAT.

To use a cookie surrogate, go to Settings > Security Cloud Platform > Forward Proxy > SAML and click Settings. In the Settings pop-up, enable the Enable Cookie Surrogate toggle, enter the source IP address (like 1.1.1.1) or subnet (like 1.1.1.0/24) for the cookie surrogate in the Source IP Addresses text field, and click the + button.

To refresh the authentication token after a specified length of time, enter the days and hours for the Authentication Refresh Interval. This feature is optional; the default is 7 days, the minimum is 1 hour, and the maximum is 180 days.
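As an added example (not Netskope code), this Python pre-check validates a planned list of Source IP Addresses entries and an Authentication Refresh Interval against the limits stated above before they are typed into the Settings pop-up. The function names, the sample list, and the host-bit and overlap checks are assumptions of this example; this page does not document how the product itself validates input.

```python
import ipaddress
from datetime import timedelta

# Limits this page states for the Authentication Refresh Interval.
MIN_REFRESH = timedelta(hours=1)
MAX_REFRESH = timedelta(days=180)
DEFAULT_REFRESH = timedelta(days=7)
# Constructed sample input, not taken from a real deployment.
SAMPLE = ["1.1.1.1", "1.1.1.0/24", "1.1.1.5/24", "10.0.0.0/8", "not-an-ip"]


def check_source_entries(entries):
    """Validate Source IP Addresses entries (one address or one subnet each).

    Returns (networks_to_keep, problems). Rejecting host bits in a subnet
    (1.1.1.5/24) and flagging overlaps are this example's own checks.
    """
    parsed, problems = [], []
    for raw in entries:
        text = raw.strip()
        try:
            parsed.append((text, ipaddress.ip_network(text, strict=True)))
        except ValueError as exc:
            problems.append(f"{text!r}: invalid address or subnet ({exc})")
    keep = []
    for i, (text, net) in enumerate(parsed):
        # An entry is redundant if a wider entry, or an earlier identical
        # one, already contains it.
        cover = next((o for j, (_, o) in enumerate(parsed)
                      if j != i and o.version == net.version
                      and net.subnet_of(o) and (o != net or j < i)), None)
        if cover is None:
            keep.append(net)
        else:
            problems.append(f"{text!r}: already covered by {cover}")
    return keep, problems


def check_refresh_interval(days=None, hours=None):
    """Return (interval, problem); problem is None when the value is allowed."""
    if days is None and hours is None:
        return DEFAULT_REFRESH, None  # optional field left empty
    interval = timedelta(days=days or 0, hours=hours or 0)
    if interval < MIN_REFRESH:
        return interval, "below the 1 hour minimum"
    if interval > MAX_REFRESH:
        return interval, "above the 180 day maximum"
    return interval, None
```

Running `check_source_entries(SAMPLE)` keeps only `1.1.1.0/24` and `10.0.0.0/8` and reports the other three entries with the reason each was dropped.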

Cookie Surrogate for Desktop Applications

Native apps on a desktop that do not honor cookie redirects, or background traffic from a browser (such as .js and .css requests) that does not forward cookies or support redirects, may not have user identity available. When user identity is unavailable:

  • Policies that are user specific for access to specific apps, instances, or SSL decryption, etc., will not be enforced.

  • Events (Application/Page) will not show user information, but will show the IP address of the user.

  • With cookie surrogate, IdP authentication will happen for each browser instance because it is cookie dependent.

  • Device information is not supported with cookie surrogate.

  • Remediation actions include bypassing authentication for problematic domains.

Authentication Bypass Settings

You can specify domains, web categories, and network IP addresses for which user authentication is not required. To specify authentication bypass settings, go to Settings > Security Cloud Platform > Forward Proxy > SAML and click Settings. In the Settings pop-up, click the Bypass tab.

Domain Bypass

Click to add comma-separated URLs to bypass. When finished, click Save.

Adding your IdP domains here is recommended.

Web Category Bypass

Click to add comma-separated URLs to bypass. When finished, click Save.

Source IP Address Bypass

Click to edit and search for source networks. For each of the networks found, you can choose to bypass based on User IPs or Egress IPs (just one, not both). Enter the IP address, IP address range, or CIDR netmask in the text field. Click the icon to add multiple network locations. After adding the network locations, click Save.
