Local Broker Management
This document explains how to enable and test the Local Broker feature. It is commonly used for Campus ZTNA use cases, where end users who are on-premises connect to a Local Broker instead of a Cloud Broker to access private applications hosted on-premises.
Definitions
Client Gateway: The Netskope Client builds a TLS tunnel to the closest Client Gateway, located in one of the several Netskope Data Centers. This is where policy is enforced.
Publisher Gateway (Stitcher): The Publisher builds a TLS tunnel to the closest Publisher Gateway (Stitcher), located in one of the Netskope Data Centers. This is the gateway through which the Publisher connects to the Netskope Cloud. As the name suggests, the Stitcher stitches together the connectivity between the Client Gateway and the Publisher.
Cloud Broker: The combination of the NPA components Client Gateway and Publisher Gateway (Stitcher), hosted in the Netskope cloud, that together provide end-to-end connectivity over NPA.
Local Broker (LBR): The same combination of NPA components, Client Gateway and Publisher Gateway (Stitcher), providing end-to-end connectivity over NPA, but deployed in a customer-owned environment. Local Brokers are Netskope software components that provide ZTNA capability (similar to the Netskope Cloud) within your own environment. They can be deployed in a virtual network at your public cloud provider (for example, an AWS VPC), or in an internal network in your private datacenter, and are supported on VMware ESXi, Hyper-V, or any Ubuntu-based Linux system (including a VM in the cloud). The Local Broker is a single instance hosted in a customer-controlled environment, with both the Client Gateway and the Publisher Gateway (Stitcher) running as containers on that instance, offering capabilities similar to a Cloud Broker.
Local Broker Client Gateway: Similar to the Client Gateway, except that it runs as a container on the Local Broker instance deployed in a customer-owned/controlled environment. When Local Broker is enabled, the Netskope Client connects to the Client Gateway container at an IP address assigned during installation of the Local Broker.
Local Broker Publisher Gateway (Stitcher): Similar to the Publisher Gateway (Stitcher), except that it runs as a container on the Local Broker instance deployed in a customer-owned/controlled environment. When Local Broker is enabled, the Publisher connects to the Publisher Gateway (Stitcher) container at an IP address assigned during installation of the Local Broker.
Background
With this feature, NPA enforces policy via on-premises (Local) Brokers when an on-premises user connects to on-premises applications. User experience improves because traffic no longer hairpins out to the NPA cloud brokers, and policy is applied uniformly to on-premises and remote users.
The diagram below gives a general overview of the difference between a Cloud Broker and a Local Broker. In the Campus ZTNA use case, a user on campus connects to an NPA Local Broker in the on-premises DC and can access applications hosted in that DC.