Monitoring Sources
Stations
The Netskope “Enterprise Station” is container-based software that lets you run synthetic tests:
- “Network Probe” tests allow you to discover the underlay network path between your corporate sites and the Netskope POPs.
- “App Probe” tests allow you to test the availability and performance of any kind of web-based service.
Technical requirements
Hardware & software specifications
The Netskope “Enterprise Station” can run on any hardware and software platform that complies with the following minimum specifications:
- CPU and operating system must use x86_64 or ARM64 architecture
- 1GB of RAM (1.5GB of RAM is recommended)
- 1GB of hard disk space (no need for high-speed SSD disk)
- Docker container engine support
Network Flows during Setup Phase
During the setup phase, the machine on which the Enterprise Station is running must be able to connect to the internet on TCP port 443 (HTTPS) to download Netskope’s Docker image from a DockerHub repository. The targets that must be reachable are:
- registry-1.docker.io
- hub.docker.com
- production.cloudflare.docker.com
- docker-pinata-support.s3.amazonaws.com
- cdn.auth0.com
- login.docker.com
- auth.docker.io
Once the Enterprise Station is deployed, it will authenticate itself to the Netskope platform by sending an authentication request to https://events.goskope.com on TCP port 443.
Network Flows During Normal Operations
Enterprise Stations will perform Network Probe and App Probe tests.
Data collected by both types of tests is sent over HTTPS (TCP port 443) to https://events.goskope.com. Enterprise Stations also check automatically for configuration updates, which requires them to connect to the https://dem-config.goskope.com endpoint.
Network Probe Specific Flow
When the “Monitor NSClient connectivity” option is enabled, interacting with the GSLB service requires the following flow to bypass Netskope:
- TCP port 443 traffic to gateway.gslb.goskope.com/
As Network Probe tests can use either UDP or ICMP, the following flows must be allowed.
For ICMP method:
Source | Destination | IP protocol | Type | Code | Comment |
Enterprise Station host IP | Netskope POPs IPs | ICMP | 8 | 0 | Echo Request |
any | Enterprise Station host IP | ICMP | 11 | 0 | Time To Live Exceeded in Transit |
Netskope POPs IPs | Enterprise Station Host IP | ICMP | 0 | 0 | Echo Reply |
For UDP method:
Source | Destination | IP protocol | Ports |
Enterprise Station host IP | Netskope POPs IPs | UDP | 33434 – 33535 |
Source | Destination | IP protocol | Type | Code | Comment |
Netskope POPs IPs | Enterprise Station host IP | ICMP | 3 | 3 | Destination Unreachable – Port Unreachable |
any | Enterprise Station host IP | ICMP | 11 | 0 | Time To Live Exceeded in Transit |
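The two flow tables above written out as stateless iptables rules, as an added example (not Netskope's own code). The function name, the choice of the FORWARD chain on a firewall between the station and the internet, and the documentation-range addresses are assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules matching the flow tables.
# Assumption: rules belong in the FORWARD chain of a perimeter firewall.

# probe_rules METHOD STATION_IP POP_CIDR...
#   METHOD is "icmp" or "udp"; each POP_CIDR is one Netskope POP range.
probe_rules() {
    method=$1
    station=$2
    shift 2
    case $method in
        icmp|udp) ;;
        *) echo "unknown method: $method (use icmp or udp)" >&2; return 2 ;;
    esac
    [ "$#" -gt 0 ] || { echo "no POP ranges given" >&2; return 2; }

    for pop in "$@"; do
        if [ "$method" = icmp ]; then
            # Outbound Echo Request (type 8, code 0), inbound Echo Reply (0/0)
            echo "-A FORWARD -s $station -d $pop -p icmp --icmp-type 8/0 -j ACCEPT"
            echo "-A FORWARD -s $pop -d $station -p icmp --icmp-type 0/0 -j ACCEPT"
        else
            # Outbound UDP probes, inbound Port Unreachable (3/3) from the POP
            echo "-A FORWARD -s $station -d $pop -p udp --dport 33434:33535 -j ACCEPT"
            echo "-A FORWARD -s $pop -d $station -p icmp --icmp-type 3/3 -j ACCEPT"
        fi
    done
    # Both methods: any intermediate router may answer with TTL Exceeded (11/0)
    echo "-A FORWARD -d $station -p icmp --icmp-type 11/0 -j ACCEPT"
}

# Constructed sample values: station 192.0.2.10, two placeholder POP ranges
probe_rules udp 192.0.2.10 198.51.100.0/24 203.0.113.0/24
```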
App Probe Specific Flow
App Probe tests consist of targeting any kind of HTTPS target through web requests.
The behavior is identical to normal users surfing the internet.
App Probe tests must use TCP port 443.
Deployment
The Netskope “Enterprise Station” deployment is a three-step process:
- Creation of the Enterprise Station in the Netskope configuration User Interface.
- Deployment of the Enterprise Station docker container.
- Activation of the Enterprise Station.
Step 1: Enterprise Station creation
From the “Settings” menu, click on the “Stations” link (1) to get the list of already deployed Enterprise Stations.
Click on “Create Station” (2) to start the creation process of a new Enterprise Station.
As you can see, creating an Enterprise Station can be as simple as providing a name!
The Provider and Description fields are optional. The Provider field is often used to identify the local ISP the Enterprise Station is connected to.
The Site dropdown list provides the list of all created Sites (please refer to the Sites section for more information). Select the site the Enterprise Station is linked to from this list:
“Gap Limit” corresponds to the maximum number of consecutive hops that cannot be identified (no response to Network Probe tests) before aborting the Network Probe test. It prevents a Network Probe test from trying indefinitely to reach a target that will never respond. The default value is 8. If you are dealing with really complex network architectures, this value may need to be increased. The maximum value is 16.
If the Network Probe does not discover any node and does not reach the target, no data will be reported in the Netskope interface.
Once you are done with the configuration, click on “Create” to confirm your settings.
The Enterprise Station is now created but is not activated yet.
If you go to the list of existing Enterprise Stations, you can see the newly created Enterprise Station and its status (“UNCONFIGURED”).
To return to the Enterprise Station configuration menu, just click on its name in the list.
Step 2: Enterprise Station installation
Automated installation
The easiest way to deploy a Netskope Enterprise Station is by using an installation script.
In this case, you only have to provision a machine running a Linux operating system complying with the minimum requirements mentioned in the Technical Requirements section.
The following operating systems are supported:
Operating System | Supported releases |
Debian / Raspbian | Release 10 and higher |
Ubuntu | Release 18.04 and higher (LTS only) |
RHEL / Rocky / AlmaLinux | Release 7 and higher |
CentOS | Linux 7, Stream 8 and higher |
openSUSE Leap | Release 15.2 and higher |
To get the script on your local machine, go to the Enterprise Station configuration view and click on “Download installer”:
The script file name is station_<station_name>.sh.
Once the installer script is downloaded, move it to the host on which you want to deploy the Enterprise Station (typically through SFTP or SSH).
Launch the installer with bash, as the root account:
bash ./station_<station_name>.sh
Manual installation
Before manually deploying the Enterprise Station container, make sure the host on which you’ll deploy it has a Docker engine installed. Then install Docker Compose, version 1.21.0 or higher.
Once this is done, create the following docker-compose.yml file.
version: '3'
services:
  ns-station:
    image: "netskopedem/ns-station:latest"
    labels:
      # Quoted so that every Compose version reads the label value as a string
      com.centurylinklabs.watchtower.enable: "true"
    restart: unless-stopped
    volumes:
      - /srv/netskope/ns-station/runner_xxxxx/storage:/run/kdstation/storage
    network_mode: "bridge"
    environment:
      KD_STORAGE_PATH: "/run/kdstation/storage/storage.db"
      KD_LOG_LEVEL: "INFO"
      KD_BOOTSTRAP_API_KEY: "<ADD STATION KEY HERE>"
      KD_NSPROXY_CACERT: "<ADD NETSKOPE CA HERE>"
  # Watchtower updates containers that carry the enable label above
  watchtower:
    image: "containrrr/watchtower"
    restart: unless-stopped
    volumes:
      # Watchtower controls the Docker engine through its socket
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      WATCHTOWER_LABEL_ENABLE: 1
      # Poll interval in seconds (172800 s = 48 hours)
      WATCHTOWER_POLL_INTERVAL: 172800
      WATCHTOWER_CLEANUP: 1
      WATCHTOWER_INCLUDE_RESTARTING: 1
      WATCHTOWER_INCLUDE_STOPPED: 1
      WATCHTOWER_REVIVE_STOPPED: 1
As mentioned previously, when started, the Enterprise Station must authenticate to the Netskope platform, which is done through an API key.
To retrieve this key, navigate to the Enterprise Station configuration view and click on “generate a key”:
Replace the <ADD STATION KEY HERE> placeholder (the value of KD_BOOTSTRAP_API_KEY in the template above) with this key, then start the containers by running docker compose up -d from the folder containing the docker-compose.yml file.
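A pre-launch check for the docker-compose.yml described above, as an added example (not part of the Netskope installer). It flags template placeholders that were never replaced and a file that other accounts can read, since the file holds the station API key in clear text. The function name and sample file are hypothetical, and the variable name is the one used in the template.

```shell
#!/bin/sh
# Added example, not Netskope code: pre-launch check of docker-compose.yml.
# compose_problems FILE prints one line per problem; returns 0 only if clean.
compose_problems() {
    file=$1
    problems=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }

    # Template placeholders ("<ADD ... HERE>") that were never replaced.
    # Only line numbers are printed, so a real key never reaches the terminal.
    if grep -q -E '<ADD [A-Z ]+ HERE>' "$file"; then
        grep -n -E '<ADD [A-Z ]+ HERE>' "$file" |
            sed 's/^\([0-9]*\):.*/line \1: template placeholder not replaced/'
        problems=1
    fi

    # The API key variable (name as in the template) must have a value.
    if ! grep -q -E '^[[:space:]]*KD_BOOTSTRAP_API_KEY:[[:space:]]*"?[^"[:space:]]' "$file"; then
        echo "KD_BOOTSTRAP_API_KEY is missing or empty"
        problems=1
    fi

    # The file stores the API key in clear text: keep it owner-only.
    if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "file is readable by group or others (use chmod 600)"
        problems=1
    fi
    return "$problems"
}

# Constructed sample: environment section of the template, not yet filled in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
    environment:
      KD_BOOTSTRAP_API_KEY: "<ADD STATION KEY HERE>"
      KD_NSPROXY_CACERT: "<ADD NETSKOPE CA HERE>"
EOF
chmod 644 "$sample"
compose_problems "$sample" || echo "fix the above before running: docker compose up -d"
rm -f "$sample"
```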
Step 3: Enterprise Station activation
If the Enterprise Station deployment is successfully completed, you should see the following screen:
The shown IP address should correspond to the public IP address of the Enterprise Station you have just deployed.
You still have to confirm the Enterprise Station enrollment by clicking on the “Yes, this is the correct IP address” button.