Netskope Help


Netskope offers a complete cloud encryption solution that includes a full-fledged Key Management service based on FIPS 140-2 Level 3 certified HSMs.

Customers that want to leverage their existing Key Management infrastructure can use their KMIP-compliant HSMs to retain full control of the Keys.

Secure Forwarder is Netskope's versatile virtual appliance footprint will be used to establish a channel between the Netskope Cloud, where encryption will happen, and the on premises key managers. The security and reliability of this channel is paramount, as Netskope does not retain the keys that are indispensable for the encryption and decryption processes.

These sections describe the steps required to deploy Secure Forwarder and the associated configuration necessary to enable the Netskope On-Premises Key Management option.

Enabling On-Premises Key Management for the Netskope Cloud

Netskope's encryption service uses the integrated key management service in the cloud by default. Transitioning to the On-Premises Key Management option is straightforward, but must be initiated via a Support request if it was not done during initial onboarding.

Installing the KMIP Forwarder Virtual Appliance

In order to provide secure and resilient real-time access to the keys, KMIP forwarding should be enabled on a pair of Secure Forwarder virtual appliances. Although Secure Forwarder can be used for multiple deployment options and diverse functionality can be combined, for the purpose of this document it is assumed they are dedicated to KMIP forwarding.

  • Download a VA package from Settings > Security Cloud Platform > On-Premises Infrastructure to a local disk to start the onboarding process.

  • Before running the downloaded VA, make sure you have at least 8 CORES, 32GB of RAM and 196GB of disk space.

  • Downloading the VA zip file requires 7 GB of free space, plus you must unzip the file using 7zip. Using another tool creates a false error saying 789 PB of space is required.

  • KMIP forwarding requires the following ports to be opened.


    In release 46 domain names changed. Existing deployments (release 45 and prior) do not require the new domain names, but using them are recommended. New deployments with release 46 and higher do need to use the new domain names.

    For management connectivity:




    New:config-<tenant hostname>


    Use for configuration updates. The domain needs to be SSL allowlisted if you have SSL decryption enabled.


    New: messenger-<tenant hostname>


    Use for reporting and status updates in the UI. The domain needs to be SSL allowlisted if you have SSL decryption enabled.


    New: callhome-<tenant hostname>


    Use for receiving metrics from on-premises appliances and forwarding them to cloud tenants, as well as receiving event data from an on-premises dataplane appliances. Also for receiving custom user attributes from user endpoints. The domain needs to be SSL allowlisted if you have SSL decryption enabled.



    For international deployments, use ~ -<tenant hostname> or ~ -<tenant hostname>

    For KMIP over SSH tunnel connectivity:

    Domain Name


    remotesvc-<tenant hostname>

    For deployments with release 45 or lower, use