Netskope Client Configuration
You can configure system-wide settings using the Client Configuration dialog box. To access the client configuration pages:
- Log in to your tenant with admin credentials.
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration.
- Click New Client Configuration to add a new global configuration.
You can create additional configurations to obtain granular control over the behavior of the Netskope Client at a group or OU level. If these configurations are applied to groups, they must be prioritized to determine which configuration is applied to the Client when group memberships overlap.
Note
- Multiple configurations can be created and applied to different OUs or Groups. But when applying a configuration only one OU or User Group can be selected.
- The Client configuration name cannot exceed 40 characters.
Applies To
Select the OU (Organizational Unit) or the User Group to which this configuration will be applied. You can apply the configuration either to an OU or to a user group, but not to both at the same time. If a user is part of multiple groups, the configuration is applied to the first matching group in the configuration list.
For example: John Doe is part of HR-Group and Sales-Group. The organization creates Config-A and Config-B and applies them to HR-Group and Sales-Group respectively. If, in the list of configurations, HR-Group is listed above Sales-Group, then only the Config-A settings are applied to John Doe. The settings in Config-B are applied to all users in Sales-Group except John Doe. The Default Config is then applied to all users who are not part of HR-Group or Sales-Group. To apply the Sales-Group configuration to John Doe, use the reorder handles (first column dot icons) to drag and reposition the configuration.
Tunnel Settings (Earlier Termed as Traffic Steering)
- Enable DTLS (Datagram Transport Layer Security): Enable DTLS and, optionally, enter the MTU value.
Enabling this option is recommended if you have users connected to a lossy network. When DTLS is enabled, it supersedes the TLS (Transport Layer Security) tunnel for communication, which improves network performance: TCP inherently slows the overall flow if the network has high latency and packet drops, and the DTLS (UDP) tunnel avoids this. To see the protocol currently in use, click the Client icon > Configurations > Tunnel Protocol.
The connection can fall back to TLS in the event of a DTLS connection issue, for example a firewall blocking UDP traffic or data being fragmented. To switch back to DTLS, perform one of the following:
- Manually disable and enable the Client.
- Switch your network.
After enabling DTLS, you are prompted to enter the Maximum Transmission Unit (MTU) value. This value determines the maximum size of the IP packets sent by the Netskope Client to the next hop (router). The maximum configurable value is 1500; if you leave the MTU text box empty, the value 1350 is used.
Supported TLS/DTLS version: 1.2
- On-Premise Detection: For On-Premises Detection, enter either your DNS FQDN and IP address, or an HTTP FQDN and connection timeout period, that can be resolved with a known IP address. By enabling this option, you can detect the location of an endpoint. Whether the endpoint is on-premises or off-premises, the Client tunnels the traffic based on the traffic mode configured for dynamic steering. On-Premise Detection allows multiple entries in the DNS and HTTP fields, which lets you add multiple URLs in the steering configuration. The maximum number of hosts and configured IPs that you can add is 16.
- DNS: If the FQDN entered resolves to the provided IP address, the Netskope Client is considered to be on-premises. Ensure that this is a valid DNS record that is resolvable only when on your network.
- HTTP: The Client looks for the HTTP response code 200; if it receives it, the device is deemed to be on-premises. Also enter a connection timeout value. The default is 10 seconds, and the maximum is 60 seconds.
- Don’t use a .local hostname for the DNS check because the mDNS responder on Mac OSX might interfere with the resolution of local hostnames.
- Don’t use hostnames or IP addresses that are defined for Netskope Private Access in DNS or HTTP checks because they cause flapping in the On-Premises check. Netskope recommends that you use a separate domain name that does not overlap with NPA app definitions. You can configure a dedicated forward lookup or a separate entry in your enterprise DNS for on-prem detection.
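The following is an added example (not Netskope code) that models the two on-premises checks described above and applies the configuration rules from this section, so an administrator can sanity-check DNS and HTTP entries before saving them. It assumes multiple entries are OR-ed and that the HTTP probe is plain http:// on port 80; the resolver and fetcher are injectable so the logic can be exercised without network access.

```python
"""Pre-flight validator for Netskope On-Premise Detection entries.

Added example, not Netskope code. Models the page's DNS check (FQDN must
resolve to an expected IP) and HTTP check (FQDN must answer 200 within a
timeout) and enforces the configuration rules: max 16 entries, no .local
hostnames, no overlap with NPA definitions, timeout between 1 and 60 s.
Assumptions: entries are OR-ed; the HTTP probe uses http:// on port 80.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

MAX_ENTRIES = 16         # page: at most 16 hosts/IPs across DNS and HTTP fields
MAX_HTTP_TIMEOUT = 60    # page: default 10 s, maximum 60 s


@dataclass
class DnsCheck:
    fqdn: str            # should resolve to expected_ip only from inside the network
    expected_ip: str


@dataclass
class HttpCheck:
    fqdn: str
    timeout: int = 10    # seconds


def default_resolver(fqdn):
    """IPv4 addresses the system resolver returns for fqdn ([] if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_fetcher(fqdn, timeout):
    """HTTP status code for http://fqdn/, or None if unreachable or timed out."""
    try:
        with urllib.request.urlopen(f"http://{fqdn}/", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # server answered, but not with 2xx
    except (urllib.error.URLError, OSError):
        return None


def validate_entries(dns_checks, http_checks, npa_hosts=()):
    """Return a list of rule violations (an empty list means the config is valid)."""
    problems = []
    if len(dns_checks) + len(http_checks) > MAX_ENTRIES:
        problems.append(f"more than {MAX_ENTRIES} entries configured")
    npa = {h.lower() for h in npa_hosts}   # hostnames/IPs used by NPA app definitions
    for d in dns_checks:
        name = d.fqdn.lower()
        if name.endswith(".local"):
            problems.append(f"{d.fqdn}: .local names clash with the mDNS responder on macOS")
        if name in npa or d.expected_ip in npa:
            problems.append(f"{d.fqdn}: overlaps an NPA definition and will cause flapping")
    for h in http_checks:
        if h.fqdn.lower() in npa:
            problems.append(f"{h.fqdn}: overlaps an NPA definition and will cause flapping")
        if not 1 <= h.timeout <= MAX_HTTP_TIMEOUT:
            problems.append(f"{h.fqdn}: timeout must be 1-{MAX_HTTP_TIMEOUT} seconds")
    return problems


def is_on_premises(dns_checks, http_checks,
                   resolver=default_resolver, fetcher=default_fetcher):
    """True if any DNS entry resolves to its expected IP or any HTTP entry answers 200.

    resolver/fetcher are injectable so the decision logic can be tested offline."""
    for d in dns_checks:
        if d.expected_ip in resolver(d.fqdn):
            return True
    for h in http_checks:
        if fetcher(h.fqdn, h.timeout) == 200:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample entries; replace with your own before running.
    dns = [DnsCheck("onprem-check.corp.example.com", "10.20.30.40")]
    http = [HttpCheck("onprem-check.corp.example.com", timeout=10)]
    for problem in validate_entries(dns, http, npa_hosts=["intranet.corp.example.com"]):
        print("config problem:", problem)
    print("on-premises" if is_on_premises(dns, http) else "off-premises")
```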
- On-Premises: If the endpoint is on-premises, the Client tunnels the following types of traffic, and this traffic is bypassed by the Netskope Cloud:
- Cert-pinned apps
- Exception domains
- Exception categories
- Off-Premises: If the endpoint is off-premises, the Client bypasses traffic based on the exception configurations.
- Periodic re-authentication for Private Apps: Enable this option to force a user to re-authenticate to the Netskope Client if the user’s device restarts, or the user logs out of the PC and logs back in. Contact Support to enable this functionality in your tenant.
Select a time period from the Re-Authentication Interval dropdown list for how often you want re-authentication to occur. To allow a user time to re-authenticate after the specified interval has expired, enable the Grace Period checkbox and enter the minutes. The grace period must be less than the interval.
- Prelogon for Private Apps: Enable this option to allow the device to connect to private apps in the pre-login state, where the device can authenticate to the Netskope cloud and access limited resources. Prelogon is only supported on Windows devices. After you enable the prelogon option:
- Enter a prelogon username. The email address always ends in “@prelogon.netskope.com”. This is used to create a local user for pre-logon in the next section.
- To use a device certificate authority, click Select File to upload the certificates in PEM format.
- To validate the device certificate against a Certificate Revocation List, enable Validate CRL. The CRL used to validate the device comes from the CA certificate.
- Enable Start Prelogon tunnel when user tunnel disconnects. This makes the Client always try to re-establish the prelogon tunnel when the user tunnel switches from connected to disconnected, even when the user disables the Client. If you enable this option, users cannot fully disable the Client while using prelogon. To allow users to fully disable the Client, do not select this checkbox.
- Periodic Device Classification: Enable this option to run periodic device classification validations. You can set the time in minutes (between 1 and 120) when choosing this option. Shorter intervals can affect device performance; Netskope recommends five minutes or more. After enabling, the Client:
- Monitors the processes, files, or other criteria configured in the Device Classification.
- Classifies the device as unmanaged in the event of any change in the criteria.
You can view the event details in Settings > Security Cloud Platform > Device details > Event History tab. In this section, check for the event Device Posture Change to understand the events on your device. The following events trigger a recheck of the device posture:
- Network joined
- Wi-Fi network joined
- System wake up
For example, when a device connects to Wi-Fi, it triggers the Device Classification scan and checks whether the current status of the device matches the rule. The status is updated only when:
- There is a change in the device status.
- The current status does not match the previous status. If the previous status is unmanaged and, after the device classification scan, the current status changes to managed, the New Status column in the device details user interface displays the updated status.
- Advanced Options: Toggle the Advanced link to see the following options:
- Interoperate with Proxy: Using this feature, the administrator can configure proxies irrespective of their location in the Netskope Client Configuration. By default, the Netskope Client automatically detects the configured proxy by connecting to addon-<tenant> <MP>.<tenant-domain>, where MP = eu|de|au. If the PAC (Proxy Auto-Configuration) file redirects some traffic to other proxies, you must declare them in the Interoperate with Proxy settings. The Netskope Client always detects and intercepts traffic that is sent to proxies declared in Interoperate with Proxy. Although it is not mandatory to select this feature, you can use it whenever multiple proxies are deployed in the network. The Netskope Client always analyzes requests sent to proxies defined in the Interoperate with Proxy settings against the steering configuration to decide whether the requests should be intercepted or bypassed.
The Netskope Client also conducts an availability check to select the proxy to use to contact Netskope Cloud services. The Client performs this check when:
- The Client service starts.
- The Client configuration is updated.
- The proxy settings are modified.
- The network changes.
The availability check is performed by contacting addon-<tenant> <MP>.<tenant-domain>. The auto-detected proxy is always the preferred proxy to contact Netskope Cloud services. After you configure the proxies along with the Port, the Netskope Client checks for the system proxy along with the configured proxies and verifies whether any proxy is reachable:
- If the system proxy is reachable, the Client connects to that local proxy.
- If the system proxy is unreachable, the Client checks the other proxy IP addresses configured on the UI.
Supported platforms: Windows and macOS.
Select the option Interoperate with Proxy to enable this feature and add multiple proxy IP addresses.
Interoperate with Proxy Workflow
The following steps describe how the Netskope Client works when an administrator selects Interoperate with Proxy:
- The Netskope Client downloads the Client configuration, which consists of all Client configurations. By default, the Netskope Client checks the configuration every hour; a manual update can also be forced.
- The Client checks whether the Interoperate with Proxy feature is enabled and whether proxy IP addresses are configured in the Client Configuration webUI.
- The Client then checks whether any system proxy is configured. If so, the Client uses that system proxy along with the configured and available proxies. Note: Preference is given to the system proxy rather than the configured IP addresses.
- The Client then performs a health check on all proxies to identify the ones that provide access to addon-<tenant><MP>.goskope.com. The first active proxy is used to contact Netskope Cloud services.
- Traffic sent to all proxies is analyzed by the Client to determine whether it should be intercepted and forwarded to the Netskope Security Cloud.
- Enable device classification and client-based end user notifications when the client is not tunneling traffic: This disables the Client when the GRE, IPSec, Secure Forwarder, or Data Plane On-Premises steering methods are detected. Even when the Client disables itself, the user justification rules remain active.
- Perform SNI (Server Name Indication) check: In scenarios where multiple domains share a single IP address, it is recommended to use SNI in addition to DNS to make a steering decision. The Netskope Client tunnels or bypasses traffic whenever there is an overlap between the IP addresses of different domain names. Use the Perform SNI check option so that the Client obtains the domain name from the SNI and validates the traffic based on it. When this option is enabled, the domain name used for lookup is taken from the SNI. For example, YouTube, drive.google.com, and plus.google.com resolve to the same IP address. In such a scenario, unmanaged YouTube traffic is allowed to the Netskope proxy because the Client steers the SaaS traffic based on the IP address. To eliminate the IP address overlap, you can configure the Client to steer SaaS traffic based on SNI instead of the IP address. The SNI feature supports the following operating systems:
- Windows 7 or higher
- macOS
When SNI-based steering is enabled, the initial TCP three-way handshake is not steered inside the Netskope tunnel. The Client steers the traffic only after it retrieves the SNI hostname from the SSL Client Hello packet. All applications with source IP restrictions fail because this handshake happens outside the Netskope tunnel and is sourced from a non-Netskope IP.
Endpoint DLP
Select Enable Endpoint DLP to enable Endpoint Data Loss Prevention for the client configuration and apply Content and Device Control policies to the devices. You can enable Endpoint DLP for the Default Tenant Config to apply policies to all client users or for custom client configurations to apply policies to specific users.
Client Installation & Troubleshooting
- Upgrade Client automatically to a specific release version: For a tenant with the automatic Client Upgrade option enabled, the Netskope Client is set to upgrade automatically every 240 minutes (four hours).
The Netskope Client checks for an update at regular intervals and, when an update is available, downloads the installation package and performs the update silently when one of the following conditions is met:
- The idle time for the tunnel between the Netskope Client and the Netskope Cloud is greater than or equal to 25 seconds (no traffic flowing through the tunnel).
- The tunnel is being re-established (this occurs upon a network change, a user location change, and so on).
- The Netskope Client is starting (this occurs when the machine is rebooted by the user).
Once an update is complete, a pop-up informs the user that the Client update was done automatically.
You can choose from the following upgrade options:
- Latest Release: All Clients are upgraded to the latest released version.
- Latest Golden Release: All Clients are upgraded to the latest golden release. The golden release version includes dot/hotfix release updates and automatically updates to the latest available. To know more about golden releases, view the Client Downloads page.
- Specific Golden Release: You can set all Clients to be upgraded to a specific golden release. After selecting this option, you can select the golden release from the list of available versions. In addition, you can select Opt-in Upgrade to ensure the Clients are upgraded to the latest minor or hotfix version of the selected golden release. To know more about golden releases, view Client Downloads.
- Show upgrade notification to end users: Select this option to send a notification to end users after an upgrade is completed. This option is visible only if an upgrade option is selected.
- Set time and frequency for the upgrade: Allows you to schedule automatic upgrades and define the time and day for the upgrade. The main benefit of this feature is that you can schedule upgrades around critical business hours. Using this feature you can:
- Set a day and time on a Daily, Weekly, or Monthly basis; the time depends on your device timezone.
- Choose the order in which you want to schedule the upgrade after selecting the Monthly option.
For example, suppose you want to schedule automatic upgrades to the latest release on the first Monday of every month. You can choose the following options on the webUI:
- Repeat: Monthly
- Order: First
- Day: Monday
- Time: 10:00 AM
With this selection, the device can start upgrading anytime after 10:00 AM. The time that you set denotes the starting time to check for the latest upgrade.
The Netskope Client currently waits for an idle tunnel to initiate a scheduled upgrade, to ensure a smooth auto-upgrade experience. Because of this, you might not see the system getting updated exactly at the scheduled time. Another set of examples to illustrate this feature:
- Example 1: You configure Monthly – First – Monday – 10:00 AM in the Set time and frequency for the upgrade option on Jan 15, 2024, and the current Netskope Client is version 111.1.0. Netskope releases 112.0.0 on Feb 1, 2024. The Client cannot start upgrading until Feb 5, 2024 10:00 AM according to the scheduled upgrade setting. Feb 5 is the first Monday after the 112.0.0 release.
- Example 2: One device out of many is offline for a few days, from Jan 19 to Feb 6, 2024 (Tuesday) 7:00 AM. Here, the Netskope Client auto-upgrades on Tuesday at 7:00 AM, because the scheduled upgrade check already elapsed on Feb 5 at 10:00 AM.
- Example 3: Netskope releases 112.1.0 on Feb 20, 2024. The Netskope Client upgrades to 112.1.0 only on Mar 4, 2024, the first Monday of the month after the 112.1.0 release.
If a lower version is selected, an endpoint with a higher version of the Netskope Client needs a manual uninstall and reinstall of the lower version. The Netskope Client checks for newer versions every 4 hours and, if a new version is available, silently auto-upgrades.
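The following is an added example (not Netskope code) that computes the earliest scheduled upgrade window at or after a release for the Set time and frequency for the upgrade setting, reproducing the three examples above. It generalizes beyond the page's Monthly/First/Monday case to Daily and Weekly schedules and to the Second, Third, Fourth and Last orders; it assumes device-local time modelled as naive datetimes, and that the Client still waits for an idle tunnel after the window opens.

```python
"""Scheduled-upgrade window calculator for the Netskope Client setting
'Set time and frequency for the upgrade'.

Added example, not Netskope code. Given a schedule (Repeat / Order / Day /
Time) and a release timestamp, it returns the first window at or after the
release, which is the earliest moment the Client may start upgrading. The
Client additionally waits for an idle tunnel, so the real upgrade can be
later. Assumption: times are device-local, modelled as naive datetimes.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

WEEKDAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
            "Friday": 4, "Saturday": 5, "Sunday": 6}
ORDERS = {"First": 0, "Second": 1, "Third": 2, "Fourth": 3, "Last": -1}


@dataclass
class UpgradeSchedule:
    repeat: str            # "Daily", "Weekly" or "Monthly"
    time: str              # "HH:MM", 24-hour, device local time
    day: str = "Monday"    # used by Weekly and Monthly
    order: str = "First"   # used by Monthly only

    def _at(self, d):
        """Combine a date with the configured HH:MM."""
        hh, mm = (int(x) for x in self.time.split(":"))
        return datetime(d.year, d.month, d.day, hh, mm)

    def _monthly_window(self, year, month):
        """Datetime of the <order> <day> of the given month, e.g. first Monday."""
        wd = WEEKDAYS[self.day]
        days = [d for d in range(1, calendar.monthrange(year, month)[1] + 1)
                if datetime(year, month, d).weekday() == wd]
        return self._at(datetime(year, month, days[ORDERS[self.order]]))

    def next_window(self, after):
        """Earliest scheduled window w with w >= after."""
        if self.repeat == "Daily":
            w = self._at(after)
            return w if w >= after else w + timedelta(days=1)
        if self.repeat == "Weekly":
            delta = (WEEKDAYS[self.day] - after.weekday()) % 7
            w = self._at(after) + timedelta(days=delta)
            return w if w >= after else w + timedelta(days=7)
        if self.repeat == "Monthly":
            year, month = after.year, after.month
            while True:
                w = self._monthly_window(year, month)
                if w >= after:
                    return w
                month += 1                    # roll into the next month
                if month > 12:
                    year, month = year + 1, 1
        raise ValueError(f"unknown repeat {self.repeat!r}")


def eligible_at(schedule, released, now):
    """True once 'now' has passed the first window at/after the release.

    A device that was offline through the window (page example 2) becomes
    eligible as soon as it is back online, because the window already elapsed."""
    return now >= schedule.next_window(released)


if __name__ == "__main__":
    s = UpgradeSchedule("Monthly", "10:00", "Monday", "First")
    print("112.0.0 (Feb 1):", s.next_window(datetime(2024, 2, 1)))    # Feb 5 10:00
    print("112.1.0 (Feb 20):", s.next_window(datetime(2024, 2, 20)))  # Mar 4 10:00
    print("offline device back Feb 6 07:00 eligible:",
          eligible_at(s, datetime(2024, 2, 1), datetime(2024, 2, 6, 7)))  # True
```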
- Uninstall clients automatically when users are removed from Netskope: The Netskope Client is uninstalled automatically whenever a user is removed from the Netskope tenant. The user need not manually uninstall the Client from the endpoint.
Supported OS: Windows and macOS
For macOS devices, whenever this option is selected, the administrator must select the Removable System Extension option under System Extension Type in the MDM profile used to deploy the Netskope Client. Otherwise, the uninstallation fails due to an OS restriction. No configuration is required in the MDM profile for Windows.
- Allow users to unenroll: If the Netskope Client is provisioned via IdP, selecting this option allows users to unenroll from Netskope. When unenrolled, the user is logged out of the Client and the Client is disabled; the user must enter their IdP credentials to enroll again and re-enable the Client.
Advanced Options
- Enable advanced debug option: Enable this option to view the debugging options. To view them, click the Client icon > Advanced Debugging option.
- Log Level: This option gives the administrator the flexibility to control and choose the log level; the default log level is Info. The Netskope Client uses the log level received from the webUI. The log levels in nsdebug.log are Dump, Debug, Info, Warning, Error, and Critical. Setting the Dump level generates more logs to files. The Netskope Client keeps two log files (fixed file size 10M) for rotation, and the Dump level can expedite the rotation, which may cause useful logs to be overwritten. The log files are stored by default in the following locations:
- Windows Devices: %ProgramData%/Netskope/stagent/Logs/nsdebug.log
- macOS Devices: /Library/Logs/Netskope/nsdebug.log
- Linux Devices: /opt/netskope/stagent/logs/nsdebug.log
Setting the log level to Debug may impact performance due to high disk operations. Since the Dump option is available only from version 113.0.0, the log level on the Netskope Client UI falls back to Info if the Client Configuration on the tenant webUI is configured with the Dump option.
Tamperproof
- Allow disabling of all Client services together: This option was earlier displayed as Allow disabling of Client on the webUI.
The new option Allow disabling of all Client Services together serves as a business continuity plan in the event of a disaster, providing an easy way to disable the Netskope Client across the user base without reaching out to Netskope Support. Select the checkbox Allow disabling of all Client Services together to enable this option. After you enable it, the webUI displays an optional Master Password text box that allows you to configure a password that the end user can use while disabling the Netskope Client.
For disabling individual Netskope Client services such as CASB, SWG, or NPA, Netskope plans to provide a separate option in future releases. You can use these options based on your requirements.
– This feature is currently in Beta. Contact Netskope Support or your Sales Representative to enable this feature for your tenant. If you decide not to enable the feature for your tenant, the webUI displays the previous setting as before.
– Master Password is currently optional and works only with the Netskope Client for Windows (from version 114.0.0) and macOS (from version 118.0.0). For all other operating systems, it works as before without the Master Password. Netskope plans to extend this functionality to all other operating systems in future releases.
After the administrator enables this option, end users can disable the Netskope Client with or without a password, depending on whether a password is configured in the Client Configuration. The configured password is not dynamic and remains static until the administrator decides to change it. To learn more about how the Master Password works, view Using Netskope Client.
Configure the master password beforehand if you decide to use one in the Client Configuration. For example, in the event of a disaster in an organization, if the master password is already configured in advance in the Netskope Client Configuration, then you as an administrator can share the configured password with multiple users at the same time. The end users can use the same password shared by the administrator to disable the Netskope Client from their devices.
- Allow disabling of Internet Security: You can disable the Netskope Client for Internet Security services using Allow disabling of Internet Security. For example, you may want to test a critical application in your organization without the Netskope Client being enabled. This option eliminates the need to uninstall the Netskope Client while maintaining business continuity.
– This feature is available as General Availability. Contact Netskope Support to enable this feature for your tenant.
– This option is currently available only on Windows platforms for internet security services with Client version 118.0.0 or later. Other platforms/OSes will be added in future releases.
– Netskope Private Access is currently not supported and will be available in future releases.
– Upgrade your Netskope Client to version 118.0.0 or higher to enable this feature in your tenant.
Enable One-Time Password: After choosing Allow disabling of Internet Security, you can also optionally select Allow One-Time Disable with Password to enable a one-time password (OTP) for the enrolled devices. End users can later use the OTP while disabling the Netskope Client for Internet Security. To enable OTP:
- Select the checkbox for Allow One-Time Disable with password.
- In Default Time Duration, enter the duration, in minutes, for which you want the Netskope Client disabled. After the timer expires, the Netskope Client is enabled again automatically. The minimum and maximum values allowed here are five minutes and 24 hours respectively.
After you select the Allow One-Time Disable with password option and configure the duration, a dynamic password is generated for each device, which you can view from the Devices page.
The OTP is auto-generated and cannot be set by the administrator. Once the admin selects the OTP option in the Client Configuration, an OTP is generated for each enrolled device. You can share this OTP with each end user who has permission to disable internet security. To learn more about disabling Internet Security from the system tray, view Using Netskope Client.
- Allow disabling of Private Apps access: Allows users to disable the Client for Private Apps Access. After enabling this option, you can view Enable/Disable Private Apps Access in the Netskope Client system tray icon. To learn more, view Allow Users to Disable Private Apps. This feature is supported only on Windows and macOS devices.
- Hide Client Icon on System Tray: Hides the Client icon from the system tray on end user devices. This also prevents Client notifications from being displayed to the user.
- Password protection for client uninstallation: Enable this option to prevent unauthorized uninstallation of the Client from end user devices. End users need to enter the admin password to uninstall the Client. Password-protected uninstallation is supported on Windows, macOS, and Linux devices. The service stop option is available only on Windows devices.
- Protect Client configuration and resources: After you select this option, users with elevated permissions are prevented from altering any part (files, folders, and processes) of the Netskope Client installation. It prevents users from modifying, renaming, or deleting Netskope processes, folders, files, and registry keys.
– Supported Platforms: Windows 10 or higher.
– Netskope recommends that you enable the Password protect Client uninstallation option to restrict users from uninstalling or stopping the Netskope Client services.
– With this feature enabled, there are access restrictions on the default Netskope folders. If you have any processes that use the default Netskope folder, change the path to another folder that your process can access. For example, refer to Configuring CLI-based Tools and Development Frameworks to work with Netskope SSL Interception for such configurations where CLI tools need access to the Netskope folder.
- Fail Close: Blocks all traffic when a tunnel to Netskope is not established. Domain-based, IP-based, and cert-pinned exceptions are still applied, but category-based exceptions are blocked. When a user is detected as on-premises, the exceptions are blocked.
In a multi-user environment, Fail Close blocks all traffic for a non-provisioned user only if at least one user has enrolled successfully on the multi-user device and is mapped to a Client Configuration with the Fail Close option enabled.
If a Netskope Internet Services tunnel fails to come up, we recommend that you block the steered traffic from that device. When Fail Close is enabled, Password Protection for Client Uninstallation and Service Stop becomes enabled and the Allow Disabling of Clients option becomes disabled. With Fail Close, you can Exclude Private Apps Traffic, so Private Access is not affected, and also Show Notifications.
To enable Fail Close:
- Select the checkbox.
- This prompts a warning pop-up: Enabling “Fail Close” will also enable “Password protection for client uninstallation and service stop” and disable “Allow disabling of clients”. Click Proceed.
- Upon selecting Proceed, the following options are displayed:
- Exclude Private App Traffic: Use this option to exempt private access traffic while Fail Close is enabled.
- Show Notification: A fail-close pop-up is displayed whenever tunneling to Netskope is blocked. Select the Show Notification checkbox to alert users why they are unable to access web applications. Note: Netskope recommends enabling the Show Notification option.
- Captive Portal Detection Timeout (Minutes): A captive portal is a web page displayed whenever a user tries to access a network where a captive portal is enabled, to let the user authenticate before accessing the network. For example, if you are trying to connect to the free Wi-Fi or hotspot in an airport or restaurant where captive portals are enabled, you need to complete a set of actions to access the network.
This option lets the administrator define a captive portal grace period. If the Netskope Client detects a captive portal, it does not enforce Fail Close for the configured duration even if Netskope cannot establish a tunnel. This allows the user to perform captive portal authentication. The admin can enter a value between 1 and 10 (minutes) in the Captive Portal Detection Timeout text box.
The Netskope Client tries to detect the captive portal on Windows and macOS. The Netskope Client makes a request to the platform-specific URL and, if a captive portal is in the network, it redirects to the captive portal URL. The Netskope Client adds the redirected URL to the exception configuration. The Netskope Client blocks all traffic if the user cannot connect to the network within the configured time.
Client Configuration Encryption
Client configuration files generated in the admin config and downloaded by the Client can be encrypted via the encryptClientConfig feature flag. This flag is disabled by default. To enable encryption, reach out to Netskope Support.
encryptbranding feature flag. This can be enabled via a support ticket. Also, files generated by the user device are not encrypted. This option is not available in the Netskope Tenant Admin console and can be enabled only via a support ticket. Log files sent for debugging are decrypted before creating a zip bundle of all the log files.
Audit Logs for Client Configuration
Use Audit Logs to check logs for all intentional or accidental changes such as create, modify, or delete. Navigate to Settings > Administration > Audit Logs to view Audit Logs.
On the Audit Log page, click the View Details option to display Audit Log Details.
A few examples:
- Suppose you edit a few details in the Netskope Client Configuration; the Audit Log Details window displays:
- When you create a new Netskope Client Configuration:
- When you delete an existing Netskope Client Configuration: