Netskope Help

Introduction to Remote Browser Isolation

Netskope RBI use cases are grouped into two buckets: Threat Protection and Access Control. Netskope RBI is focused on the threat protection use case. It delivers Targeted RBI, isolation of users web browsing of uncategorized and security risk web pages to provide an additional layer of threat protection.

Figure 1. RBI use cases and Netskope RBI offering
RBI use cases and Netskope RBI offering


Blocking uncategorized websites can be disruptive and targeted RBI enables safe access by pixel rendering content and blocking file up/downloads, plus limiting copy/paste/print user activity. Security risk categorized websites are a gray area for cybersecurity, and targeted RBI allows safe access with no code or script execution on endpoints using browser isolation.

Rendering content in an isolated environment requires that the environment provide capabilities for different file formats, media, as well as be cognizant of the user’s browser and OS capabilities. It also has to block different user actions, such as drag-and-drop, copy/paste, content upload/downloads and printing. The service core uses the Chromium Embedded Framework (CEF) to perform the rendering. The execution of each user’s browsing session takes place in a dedicated, isolated and ephemeral remote browsing instance.

RBI products rely on different modes for isolating websites including pixel rendering, streaming media, and DOM mirroring options. Netskope RBI provides full webpage isolation based on pixel rendering, making sure none of the original webpage content ever reaches the endpoint unlike other RBI modes like DOM mirroring.

Figure 2. Netskope Targeted RBI
Netskope Targeted RBI


Here is how the process typically works:

A user attempts to access a web page.

  • The web page category matches with a real time policy of  type “web access”  and gets steered to the Netskope Secure Web Gateway.

  • Administrative policies identify the web page requested as uncategorized or security risky and steer the request to RBI to process it in a dedicated isolation environment.

  • The web page is loaded on a remote browser.

  • The remote browser serves the user with a rendering (stream of pixels) of the requested page. The end user sees the page as they normally would, except the remote browser delivers only pixels to the end-user device browser, not full HTML.

This process ensures that no active content from the remote web site, including malware, is downloaded to the endpoint device. This ensures that the endpoint device remains safe.