Monitoring Sources 

Stations

The Netskope “Enterprise Station” is container-based software that lets you run synthetic tests:

  • “Network Probe” tests allow you to discover the underlay network path between your corporate sites and the Netskope POPs.
  • “App Probe” tests allow you to test the availability and performance of any kind of web-based service.

Technical requirements

Hardware & software specifications

The Netskope “Enterprise Station” can run on any hardware and software platform that complies with the following minimum specifications:

  • CPU and operating system must use x86_64 or ARM64 architecture
  • 1GB of RAM (1.5GB of RAM is recommended)
  • 1GB of hard disk space (no need for high-speed SSD disk)
  • Docker container engine support

Network Flows during Setup Phase

During the setup phase, the machine on which the Enterprise Station is running must be able to connect to the internet on port TCP 443 (HTTPS) to download Netskope’s Docker image from a DockerHub repository. The targets that must be reachable are:

  • registry-1.docker.io
  • hub.docker.com
  • production.cloudflare.docker.com
  • docker-pinata-support.s3.amazonaws.com
  • cdn.auth0.com
  • login.docker.com
  • auth.docker.io

Once the Enterprise Station is deployed, it will authenticate itself to the Netskope platform by sending an authentication request to https://events.goskope.com on TCP port 443.

Network Flows During Normal Operations

Enterprise Stations will perform Network Probe and App Probe tests.

The data collected by both types of tests is sent over HTTPS (TCP port 443) to https://events.goskope.com. To check automatically for configuration updates, the Enterprise Stations must also be able to connect to the https://dem-config.goskope.com endpoint.
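
The TCP 443 flows listed for the setup phase and for normal operations can be verified from the host before deployment. The script below is an added example, not part of Netskope's installer; it uses the host names from this page, its function and variable names are illustrative, and it assumes direct egress without an explicit proxy.

```bash
#!/usr/bin/env bash
# Added example, not Netskope tooling: pre-flight check of the TCP 443 flows
# listed on this page. Function and variable names are illustrative.
# Assumes direct egress; an explicit proxy needs a proxy-aware probe instead.

SETUP_TARGETS="registry-1.docker.io hub.docker.com
production.cloudflare.docker.com docker-pinata-support.s3.amazonaws.com
cdn.auth0.com login.docker.com auth.docker.io"
RUNTIME_TARGETS="events.goskope.com dem-config.goskope.com"

# Default probe: succeeds if a TCP connection to HOST:443 opens within 5 s.
# Uses bash's /dev/tcp so nothing has to be installed on a minimal host.
probe_tcp443() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/443"' "$1" 2>/dev/null
}

# check_targets PROBE HOST...
# Prints OK/BLOCKED per host. Exit status = number of blocked hosts (0 = all open).
check_targets() {
  local probe=$1 blocked=0 host
  shift
  for host in "$@"; do
    if "$probe" "$host"; then
      printf 'OK       %s:443\n' "$host"
    else
      printf 'BLOCKED  %s:443\n' "$host"
      blocked=$((blocked + 1))
    fi
  done
  return "$blocked"
}

# Usage: ./preflight.sh setup    (before pulling the Docker image)
#        ./preflight.sh runtime  (authentication, test data, config updates)
case "${1:-}" in
  setup)   check_targets probe_tcp443 $SETUP_TARGETS ;;
  runtime) check_targets probe_tcp443 $RUNTIME_TARGETS ;;
esac
```

A BLOCKED line points at the firewall rule to fix; a successful TCP connect does not show whether TLS is being intercepted on the path.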

Network Probe Specific Flow

When the “Monitor NSClient connectivity” option is enabled, interacting with the GSLB service requires the following flow to bypass Netskope:

  • TCP port 443 traffic to gateway.gslb.goskope.com

By default, the NSClient will not steer *.goskope.com traffic on ports 80/443 as per best practice.

As Network Probe tests can use either UDP or ICMP, the following flows must be allowed.

For ICMP method:

| Source | Destination | IP protocol | Type | Code | Comment |
|---|---|---|---|---|---|
| Enterprise Station host IP | Netskope POPs IPs | ICMP | 8 | 0 | Echo Request |
| any | Enterprise Station host IP | ICMP | 11 | 0 | Time To Live Exceeded in Transit |
| Netskope POPs IPs | Enterprise Station host IP | ICMP | 0 | 0 | Echo Reply |

For UDP method:

| Source | Destination | IP protocol | Ports |
|---|---|---|---|
| Enterprise Station host IP | Netskope POPs IPs | UDP | 33434 – 33535 |

| Source | Destination | IP protocol | Type | Code | Comment |
|---|---|---|---|---|---|
| Netskope POPs IPs | Enterprise Station host IP | ICMP | 3 | 3 | Destination Unreachable – Port Unreachable |
| any | Enterprise Station host IP | ICMP | 11 | 0 | Time To Live Exceeded in Transit |

Please refer to the section Network Probes for more details on how Network Probe tests are performed.

App Probe Specific Flow

App Probe tests send web requests to any kind of HTTPS target.

The behavior is identical to that of normal users browsing the internet.

App Probe tests must use TCP port 443.

Deployment

The Netskope “Enterprise Station” deployment is a three-step process:

  1. Creation of the Enterprise Station in the Netskope configuration User Interface.
  2. Deployment of the Enterprise Station docker container.
  3. Activation of the Enterprise Station.

Step 1: Enterprise Station creation

From the “Settings” menu, click on the “Stations” link (1) to get the list of already deployed Enterprise Stations.

Click on “Create Station” (2) to start the creation process of a new Enterprise Station.

As you can see, creating an Enterprise Station can be as simple as providing a name!

The Provider and Description fields are optional. The Provider field is often used to identify the local ISP the Enterprise Station is connected to.

The Site dropdown list provides the list of all created Sites (please refer to the Sites section for more information). Select the site the Enterprise Station is linked to from this list:

Network Probe tests performed from this newly created Enterprise Station directly depend on the site the Enterprise Station is attached to (refer to the “Sites” section for more details).

“Gap Limit” is the maximum number of consecutive hops that cannot be identified (no response to Network Probe tests) before the Network Probe test is aborted. It prevents a Network Probe test from trying indefinitely to reach a target that will never respond. The default value is 8. If you are dealing with very complex network architectures, this value may need to be increased. The maximum value is 16.

If the Network Probe does not discover any node and does not reach the target, no data will be reported in the Netskope interface.

Once you are done with the configuration, click on “Create” to confirm your settings.

The Enterprise Station is now created but is not activated yet.

If you go to the list of existing Enterprise Stations, you can see the newly created Enterprise Station and its status (“UNCONFIGURED”).

To return to the Enterprise Station configuration menu, just click on its name in the list.

Step 2: Enterprise Station installation

Automated installation

The easiest way to deploy a Netskope Enterprise Station is by using an installation script.

In this case, you only have to provision a machine running a Linux operating system complying with the minimum requirements mentioned in the Technical Requirements section.

The following operating systems are supported:

| Operating System | Supported releases |
|---|---|
| Debian / Raspbian | Release 10 and higher |
| Ubuntu | Release 18.04 and higher (LTS only) |
| RHEL / Rocky / AlmaLinux | Release 7 and higher |
| CentOS | Linux 7, Stream 8 and higher |
| openSUSE Leap | Release 15.2 and higher |

To get the script on your local machine, go to the Enterprise Station configuration view and click on “Download installer”:

The script file name is station_<station_name>.sh.

Once the installer script is downloaded, move it to the host on which you want to deploy the Enterprise Station (typically through SFTP or SSH).

Launch the installer with bash, as the root account:

bash ./station_<station_name>.sh

The Enterprise Station must authenticate to the Netskope platform. This is done through the use of an API key, which is embedded in the installer.

Manual installation

Before manually deploying the Enterprise Station container, make sure a Docker engine is installed on the host on which you’ll deploy it. Then install Docker Compose version 1.21.0 or higher.

Once this is done, create the following docker-compose.yml file.

version: '3'

services:
  ns-station:
    image: "netskopedem/ns-station:latest"
    labels:
      # Label values must be strings, so the boolean is quoted.
      com.centurylinklabs.watchtower.enable: "true"
    restart: unless-stopped
    volumes:
      - /srv/netskope/ns-station/runner_xxxxx/storage:/run/kdstation/storage
    network_mode: "bridge"
    environment:
      KD_STORAGE_PATH: "/run/kdstation/storage/storage.db"
      KD_LOG_LEVEL: "INFO"
      KD_BOOTSTRAP_API_KEY: "<ADD STATION KEY HERE>"
      KD_NSPROXY_CACERT: "<ADD NETSKOPE CA HERE>"

  watchtower:
    image: "containrrr/watchtower"
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      WATCHTOWER_LABEL_ENABLE: 1
      WATCHTOWER_POLL_INTERVAL: 172800
      WATCHTOWER_CLEANUP: 1
      WATCHTOWER_INCLUDE_RESTARTING: 1
      WATCHTOWER_INCLUDE_STOPPED: 1
      WATCHTOWER_REVIVE_STOPPED: 1

As mentioned previously, when started, the Enterprise Station must authenticate to the Netskope platform, which is done through an API key.

To retrieve this key, navigate to the Enterprise Station configuration view and click on “generate a key”:

Replace the value of the API key variable in the template above (KD_BOOTSTRAP_API_KEY, shown as “<ADD STATION KEY HERE>”) with this key, then start the containers by running docker compose up -d from the folder containing the docker-compose.yml file.
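
Because the docker-compose.yml file now holds the station's API key, it is worth checking it before launch. The script below is an added example, not Netskope tooling: check_compose is an illustrative name, the placeholder strings and the variable name are taken from the template above, and treating a leftover CA placeholder as a finding is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not Netskope tooling: check docker-compose.yml before
# running "docker compose up -d". check_compose is an illustrative name; the
# placeholder strings and variable name are copied from the template above.

# check_compose FILE
# Prints one line per finding; returns 0 only when there are none.
check_compose() {
  local file=$1 findings=0 ph key perms
  [ -r "$file" ] || { echo "cannot read: $file"; return 2; }

  # 1. Template placeholders must have been replaced (assumption: a leftover
  #    CA placeholder should be replaced or its line removed).
  for ph in '<ADD STATION KEY HERE>' '<ADD NETSKOPE CA HERE>'; do
    if grep -qF "$ph" "$file"; then
      echo "placeholder still in file: $ph"
      findings=$((findings + 1))
    fi
  done

  # 2. The API key variable must be present and non-empty.
  key=$(sed -n 's/^[[:space:]]*KD_BOOTSTRAP_API_KEY:[[:space:]]*//p' "$file" \
        | tr -d "\"'[:space:]")
  if [ -z "$key" ]; then
    echo "KD_BOOTSTRAP_API_KEY is missing or empty"
    findings=$((findings + 1))
  fi

  # 3. The file stores a credential: group and other must have no access.
  perms=$(ls -ld "$file" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "accessible beyond owner ($perms): chmod 600 $file"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Usage: ./check_compose.sh docker-compose.yml
if [ "$#" -gt 0 ]; then check_compose "$1"; fi
```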

Step 3: Enterprise Station activation

If the Enterprise Station deployment is successfully completed, you should see the following screen:

The shown IP address should correspond to the public IP address of the Enterprise Station you have just deployed.

You still have to confirm the Enterprise Station enrollment by clicking on the “Yes, this is the correct IP address” button.
