Skip to main content

Netskope Help

Netskope Client Configuration

You can configure system-wide settings using the Client Configuration dialog box. To access client configuration pages:

  1. Log in to your tenant with admin credentials.

  2. Go to Settings > Security Cloud Platform > Devices

  3. Click Client Configurations in the top right corner to open the Client Configuration page.

  4. Click New Client Configuration to add a new global configuration.

    Additional configurations can be created to obtain granular control over the behavior of the Netskope Client at a group or OU level by creating a new configuration. If these configurations are applied to groups, they must be prioritized to determine which configuration is applied to the Client when there is an overlap in group membership.

    Note

    • Multiple configurations can be created and applied to different OUs or Groups. But when applying a configuration only one OU or User Group can be selected.

    • The Client configuration name cannot exceed 40 characters.

Applies To
01_ClientConfig_AppliesTo.png

Select OU (Organizational Unit) or the User Group to which this configuration will be applied. You can apply the configuration either to the OU or the user group but not to both at the same time. If a user is part of multiple groups, the configuration is applied to first group in the configuration list.

For example: John Doe is part of HR-Group and Sales-Group. The organization creates Config-A and Config-B and applies to HR-Group and Sales-Group respectively. If in the list of configurations, HR-Group is listed above Sales-Group, then only the Config-A settings are applied to John Doe. The settings in Config-B is applied to all users in Sales-Group except John Doe. The Default Config is then applied to all users who are not part of HR-Group and Sales-Group. To apply the configuration to John Doe in Sales-Group, use the reorder handles (first column dot-icons) to drag and reposition the configuration.

02_client-config-list.png
Devices-Client-Configuration-Traffic-Steering-Tab.png
  • Enable DTLS (Data Transport Layer Security) - Enable DTLS (Data Transport Layer Security). Optionally, enter an MTU value.

    Note

    It is recommended that you enable this option, if you have users connected to a lossy network.

    Enabling DTLS option supersedes TLS (Transport Layer Security) tunnel for communication thereby improving the network process. TCP inherently slows the overall flow performance if the network has high latency and packet drops.  To overcome this issue, use DTLS tunnel (UDP tunnel). To know the current protocol, click the Client icon > Configurations > Tunnel Protocol.

    The connection can fallback to TLS in the event of a DTLS connection issue. For example, the firewall blocking UDP traffic or data getting fragmented. To switch to DTLS, you can perform one of the following:

    • Manually disable and enable the Client.

    • Switch your network.

    After enabling DTLS, you are prompted to enter the Maximum Transmission Unit (MTU) value. This value determines the number of bytes sent to a server. With Netskope Client, the maximum configurable value is 1500.

  • On-Premise Detection - For On-Premises Detection, enter either your DNS FQDN and IP address or HTTP FQDN and connection timeout period that can be resolved with a known IP address. By enabling this option, you can detect the location of an endpoint. If the endpoint is on-premises or off-premises the Client tunnels the traffic based on the traffic mode configured for dynamic steering.

    Use DNS

    Use HTTP

    03a_UseDNS.png
    03b_UseHTTP.png

    If the FQDN entered resolves to the provided IP Address, the Netskope client is considered to be on-premises. Please make sure this is a valid DNS record that is resolvable only when on your network

    If the Client looks for the HTTP response code 200, and if successful, the device is deemed to be on-premises. Also enter a connection timeout value. The default is 10 seconds, and the max is 60 seconds.

    Note

    • When a proxy server is available for Netskope Client, HTTP requests go to the proxy server from Netskope Client

    • Netskope Client release 72 or higher is needed for this feature to work.

    • On-Premises: If the endpoint is on-premise, the client will tunnel the following types of traffic and this traffic is bypassed by the Netskope Cloud

      • Cert pinned apps

      • Exception domains

      • Exception categories

    • Off-Premises: If the endpoint is off-premises, the client will bypass traffic based on the exception configurations.

  • Periodic re-authentication for Private Apps - Enable the Periodic re-authentication for Private Apps option to force a user to re-authenticate into the Netskope Client if the user’s device restarts, or logs out of the PC and logs back into the device. Contact Support to enable this functionality in your tenant.

    Select a time period from the Re-Authentication Interval dropdown list for how often you want re-authentication to occur. To allow a user time to re-authenticate after the specified interval time has expired, enable the Grace Period checkbox and enter the minutes. The grace period must be less than the interval.

  • Pre-logon for Private Apps - Enable this option to allow the device to connect to the private apps. In the pre-login state, the device can authenticate to the Netskope cloud and access limited resources. After you enable the pre-logon option:

    1. Enter a pre-logon username.

      Note: The email address always end in “@prelogon.netskope.com”. This is used to create a local user for pre-logon in the next section.

    2. To use a device certification authority, click Select File to upload the certificates in PEM format.

    3. To validate the device certificate against a Certificate Revocation List, enable Validate CRL. The CRL used to validate the device comes from the CA certificate.

    4. Enable Start Pre-logon tunnel when user tunnel disconnects. This enables the Client to always try to re-establish the pre-logon tunnel when the user tunnel switches from connected to disconnected, even when the user disables the Client.

      Warning

      If you enable this option, users cannot fully disable the Client while using pre-logon.  To allow users to fully disable the client, do not select this checkbox.

  • Periodic Validation on Device Classification - Enable this option to run periodic device classification validations. You can set the time( in minutes) while choosing this option.

    Note

    Keeping shorter time intervals can affect your device performance.

    After enabling, the Client:

    • Monitors the processes, files, or other criterias configured in Device Classification.

    • Classifies that device as unmanaged in the event of any change in the criteria.

    The Event History section in the Devices details page displays status updates depending on the posture changes with one of the following Event Actor:

    • Network joined

    • Wi-Fi network changed

    • System wake up

  • Advanced Options - Toggle the Advanced link to see the following options:

    • Interoperate with Proxy - The Interoperate with Proxy checks and connects to the proxies available in your network. Configure your proxy here to which the Netskope Client connects to the proxies available in your network. IP address/hostname and port are default selections for the Cisco AnyConnect Web Security proxy. You can change the hostname and/or port. Select Static Web Proxy option from the Proxy dropdown list to add all details of all proxy endpoints used in your network.

      03c_ClientInterOp.png
    • Enable device classification and client-based end user notifications when the client is not tunneling traffic - This disables the Client when GRE, IPSec, Secure Forwarder and Data Plane On-Premises steering methods are detected.

      Note

      Even when the Client disables itself, the user justification rules will continue to be active.

    • Perform SNI (Server Name Indication) check - In scenarios where multiple domains use single IP address, it is recommended to use SNI in addition to DNS to make a steering decision.

      The Netskope Client tunnels or bypasses the traffic whenever there is an overlap between the IP addresses of different domain names. Use the option Perform SNI check to get the domain name from SNI and for the Client to validate the traffic based on the SNI check. If this option is enabled, the domain name  is obtained from SNI for lookup.

      For example, YouTube, drive.google.com, and plus.google.com are resolved with the same IP address. In such scenarios, the unmanaged YouTube traffic is allowed to the Netskope proxy because the client steers the SaaS traffic based on the IP address. To eliminate the IP address overlapping, you can configure the Client to steer the SaaS traffic based on SNI instead of IP address. The SNI feature supports the following operating systems:

      • Windows 7 or higher.

      • macOS

      Note

      When SNI-based steering is enabled, the initial TCP three-way handshake is not steered inside the Netskope tunnel. The Client steers the traffic only after it retrieves SNI hostname from the SSL Client Hello packet. All applications with source IP restrictions fail as this happens outside the Netskope tunnel and is sourced from a non-Netskope IP.

Note

Contact your Sales Representative to enable this feature for your account.

Select Enable Endpoint DLP to enable Endpoint Data Loss Prevention for the client configuration and apply Content and Device Control policies to the devices. You can enable Endpoint DLP for the Default Tenant Config to apply policies to all client users or for custom client configurations to apply policies to specific users.

The Endpoint DLP tab in the Client Configuration window.
  • Upgrade Client automatically to a specific release version. You can choose from the following upgrade options:

    04a_ClientInstall.png

    Note

    • If a lower version is selected, then the endpoint with the higher version of Netskope Client will need manual uninstall and reinstall of the lower version of Netskope Client.

    • Netskope Client checks for newer versions every 4 hours and if a new version is available, the Client will silently auto-upgrade.

    • Latest Release - All clients will be upgraded the latest released version.

    • Latest Golden Release - All clients will be upgraded to the latest golden release. To know more about golden releases, check out this Client Downloads page.

    • Specific Golden Release - You can set all clients to be upgraded to a specific golden release. After selecting this option, you can select the golden release from the list of available versions. In addition, you can select Opt-in Upgrade to ensure the clients are upgraded to the latest minor or hot fix version of the selected golden release. To know more about golden releases, check out this Client Downloads page.

    • Show upgrade notification to end users. Select this option to send notification to end-users for an upcoming Client upgrade. This option is visible only if an upgrade option is selected

  • Uninstall clients automatically when users are removed from Netskope.

  • Allow users to unenroll. - If the Netskope client is provisioned via IdP, selecting this option allows users to unenroll from Netskope. When unenrolled the user is logged out from client and the Client is disabled, the user will be required to enter their IdP credentials to enroll again to enable client.

  • Advanced Options

    04_ClientInstallOptions.png
    • Enable advanced debug option - Select this option to select the log level. Default is Info. The log levels in nsdebug.log are displayed as info, warning, error, and critical. The log files are stored by default in the following location:

      • Windows Devices: %PUBLIC%/Netskope/nsdebug.log

      • macOS Devices: /Library/Logs/Netskope/nsdebug.log

      Warning

      Setting log level to Debug may impact the performance due to high disk operations.

  • Allow disabling of Clients - Prevents end-users from disabling clients in the devices.

  • Allow disabling of Private Apps access - Allow users to disable the Client for Private Apps Access. After enabling this option, you can view Enable/Disable Private Apps Access in the Netskope Client system tray icon.

  • Hide Client Icon on System Tray - Hides the Client icon from end users devices system tray. This will also prevent Client notifications from being displayed to the user.

  • Password protection for client uninstallation and service stop - Enable this option to prevent unauthorized uninstallation of client from end user devices. End user will be required to enter password for uninstalling the Client. Password protected uninstallation is supported in both Windows and macOS devices. Service stop option is available only Windows devices.

  • Fail Close - Blocks all traffic when a tunnel to Netskope is not established or a user device is not provisioned in the Netskope Cloud. Domain-based, IP-based, and cert-pinned exceptions will be applied, but category-based exceptions will be blocked. When a user is detected as on-premises, the exceptions will be blocked.

    Note

    If a Netskope tunnel fails to come up we recommend that you block the steered traffic from that device.

    When Fail Close is enabled, the Password Protection for Client Uninstallation and Service Stop become enabled and Allow Disabling of Clients options becomes disabled. With Fail Close, you can Exclude Private Apps Traffic, so Private Access is not affected, and also Show Notifications.

    Important

    Fail close does not work the Netskope Client r78 with macOS 11 (Big Sur) due to the Network Extensions change in macOS. There is no impact on Windows with the r78 Client. Fail Close does work on Catalina, or below, using the r77 Client (only).

Client Configuration Encryption

Client configuration files generated in the admin config and downloaded by the client can be encrypted via the encryptClientConfig feature flag. This flag is disabled by default. To enable encryption reach out to Netskope Support.

Note

The encryption is performed on all files except the nsbranding file. The nsbranding file is encrypted via the encryptbranding feature flag. This can be enabled via a support ticket. Also, files generated by the user device are not encrypted. This option is not available in the Netskope Tenant Admin console and can be enabled only via a support ticket.

Log files sent for debugging are decrypted before creating a zip bundle of all the log files.