Netskope Client For Linux

Netskope Client for Linux

Netskope now inspects traffic from the devices with Linux operating system (OS) and provisions users similar to Windows and macOS. This document describes the steps to install the Client in a Linux device using CLI (Command-Line Interface), how to configure and steer traffic to the Netskope Cloud.

Note

Netskope Private Access (NPA) Linux Client is currently in Early Access. Netskope Cloud Firewall (CFW) is not supported on the Linux Client.

Environment

Refer to Netskope Client Supported OS and Platform to understand the supported versions for Linux.

Download Linux Client

Before you begin, download Netskope client installers from the Download Netskope Client and Scripts page.

Linux Client CLI

After you download Netskope Client to the end-user, you can refer to the following options to install the Client.

Netskope Client supports Windows Subsystem for Linux(WSL) version 2 that allows you to run  Linux on your Windows devices without the need of a separate virtual machine. Netskope Client extends command-line interface(CLI) only support for WSLv2. This is available as Beta in version 113.0.0.
To learn more, view Windows Support for WSLv2.

Install Netskope Client In Linux Operating System

After you download the Netskope Client to the end-user device, perform the following steps to setup Client and connect to the Netskope Cloud:

  1. From your terminal, run the following command: sudo ./STAgent.run
  2. After the installation is complete, a pop-up is displayed to the user to enter the Netskope Tenant name and select the tenant domain. This information is shared with the user by their respective IT admin.
    Enrollement_screen.png
  3. Click Next to continue with enrollment. The user is redirected to their IdP login screen. Authentication status message is displayed in the browser.
    Enrollment_successful.png
  4. Once the user enrollment is complete, you can see the Client icon on the taskbar. Click the Client icon to view the configuration details.
    NS_Client_icon.png

Install And Enroll by Email ID

Use the following command to install and enroll using email ID: sudo ./STAgent.run -H <tenant hostname> -o <org key> -m <email address>.For example, sudo ./STAgent.run -H abc.goskope.com -o abc123xyz -m user@example.org

STAgent.run {-H | --tenant-hostname tenant_hostname}            
             {-o | --orgkey orgKey}            
             {-m | --email email_address}             
             [-a | --enroll-auth-token enroll_authentication_token]          
             [-e | --enroll-encrypt-token enroll_encryption_token]            
             [-c | --cli]
Options:-H --tenant-hostname: Tenant hostname
        -o --orgkey: org key
        -m --email: User email
        -a --enroll-auth-token: enroll authentication token
        -e --enroll-encrypt-token: enroll encryption token
        -c --cli: This is a flag for CLI only mode and no value
                  When this argument is present, UI will not be installed

Note

All arguments mentioned within {} are mandatory.

Install And Enroll By UPN

Use the following command to install and enroll by UPN: sudo ./STAgent.run -H <tenant hostname> -o <org key>. For example, sudo ./STAgent.run -H abc.goskope.com -o abc123xyz.

STAgent.run {-H | --tenant-hostname Tenant_hostname}             
             {-o | --orgkey orgKey}           
             [-u | --upn UPN]            
             [-a | --enroll-auth-token enroll_authentication_token]        
             [-e | --enroll-encrypt-token enroll_encryption_token]           
             [-c | --cli]
Options:-u --upn: User UPN

Note

  • All arguments mentioned within {} are mandatory.
  • Use UPN name in the command line while using UPN for non AD joined devices.The Installer fails and quits if the UPN name is missing.

Install And Enroll By IDP

Use the following command to install and enroll by IDP: sudo ./STAgent.run -i | –idp.

STAgent.run {-i | --idp} 
             [-t | --tenantname tenant_name]
             [-d | --domain tenant_domain]        
             [-e | --enroll-encrypt-token enroll_encryption_token] 
Options:-i --idp: This is a flag with no value. 
                  When this argument is present,installer will enroll by IDP. All other options will be skipped in IDP mode.
        -t --tenantName: tenant name
        -d --domain: tenant domain

Note

All arguments mentioned within {} are mandatory.

Uninstall Client

Use the command sudo /opt/netskope/stagent/uninstall.sh to uninstall Netskope Client in Linux.

Additional CLI Commands

Use the ‘help’ command to understand different instructions applicable to Netskope Client in a Linux device. For example:

  • To enable Netskope Client in CLI and then to quit:
    ~$ nsclient
    start process....
    ===== Netskope Client CLI,  Version: 200.200.0.100 =====
    Copyright(c) 2022 Netskope, Inc. All Rights Reserved.
    Please enter <help> for available commands.
    Netskope> enable
    Enabling Netskope Client...
    Netskope Client enable success.
    Netskope> quit
  • To display Netskope Client Status
    ~$ nsclient
    start process....
    ===== Netskope Client CLI,  Version: 99.0.0.1090 =====
    Copyright(c) 2022 Netskope, Inc. All Rights Reserved.
    Please enter <help> for available commands.
    Netskope> show-status
    Netskope Client enabled
  • To display Netskope Client Configuration
    Netskope> show-config
    Show configuration in progress...     
        Netskope Client Configuration        
        Gateway: gateway-qa.de.goskope.com        
        Organization: Netskope Inc        
        Gateway IP: 163.116.140.35, POP: US-SFO1        
        User Email: jjia@netskope.com        
        Client Configuration: client_config1        
        Steering Configuration: jjia-mygroup2        
        Device Classification: unmanaged        
        Tunnel Protocol: TLS        
        Private Access: Connected (User Tunnel)        
        Private Access Gateway IP: 163.116.138.23        
        On-Premises Check: Remote        
        Traffic Steering Type: All Web Traffic        
        Config Updated: 10:27:26,  1st Dec, 2022        
        configuration update avaliable.Pleasae use <update-config> command to update latest configuration
  • To display the blocked events
    Netskope> show-blocked-event
    Blocked Event:
    App Name: [opera], Last Access Time: Thu Dec  1 21:01:20 2022
  • To update the client configuration
    Netskope> update-config
    Update configuration in progress...
    startConfigUpdate->bNeedUpdate=1
    configuration update avaliable.
    Please use <update-config> command to update latest configuration
CommandDescription
–helpUsage for Netskope Client CLI.
– enableNetskope Client status.
– disableDisable Netskope Client.
– show-statusNetskope Client status.
– show-configDisplay Netskope Client configuration.
– update-configUpdate Netskope Client configuration.
– show-blocked-eventDisplay Netskope Client blocked event(s).
– set-log-levelReset Netskope Client log level, <debug|info|warning|error|critical>
– save-logsSave Netskope Client diagnostic information.
– start-pktStart packet capture, <inner|outer> packet <inner len from 0 to 9999 byte|outer size from 0 to 99 MB> Please use the ‘stop-pkt’ command to exit.
– stop-pktStop packet capture.
– start-speedtestStart speed test, testing <download|upload> <1|10|100>MB file.
– show-paShow Private Access status.

Exception For Certificate Pinned Application

By adding applications as a Certificate Pinned Application exception, the traffic from such applications is bypassed by Netskope cloud. A pinned app stores the public certificate or key of its destination website and presents it to Netskope cloud. When contacting the destination website / server, Netskope cloud verifies the pinned certificate with the server certificate. If they are validated, Netskope cloud bypasses traffic from the pinned application. For more information, view Certificate Pinned Applications.

CPA_Exceptions.png
Share this Doc

Netskope Client For Linux

Or copy link

In this topic ...