Netskope Client Interoperability

By design, the Netskope Client establishes a tunnel to steer traffic, according to the steering configuration, to the Netskope cloud to perform all required security functions (for example, DLP, threat protection, etc.). To provide optimal performance, the Client must connect to the closest Netskope POP to steer traffic.

When third-party apps such as VPN clients are installed, they establish a full tunnel and steer all traffic from the user’s device to their enterprise security stack. In such a scenario, the Netskope Client tunnels over the VPN tunnel. This results in the following performance issues:

  • Traffic from the client is steered via a suboptimal path to connect to Netskope POP.
  • Since the third-party VPN Client has no visibility into the Netskope tunnel, it offers no additional security value to the tunnel traffic.
  • The complete benefits of Netskope security features are not available to the users.

Interoperability Validation

The best practices guide for various third-party applications ensures that the following Netskope features operate smoothly and as expected:

| Netskope Client Features | Use Case Description | Third-Party Applications |
| --- | --- | --- |
| Deployment | As part of deployment validation, the Client was deployed using an email invite on the same device that had third-party applications. To learn more about the different deployment methods, see Netskope Client Deployment Options. | VMware Carbon Black, Symantec Endpoint Protection, Palo Alto GlobalProtect, Cisco AnyConnect, McAfee Endpoint Security, OpenVPN Cloud, TrendMicro, Kaspersky Security Cloud, CrowdStrike, Microsoft Always-On VPN, Sophos, Squid Proxy, Fortigate VPN, PulseSecure VPN, Blackberry Cylance |
| Installation Status | Post-deployment, the Netskope tenant WebUI received the Client installation status events from devices that had both Netskope Client and supported third-party applications. To learn more about Client status, see Client Status. | VMware Carbon Black, Symantec Endpoint Protection, Palo Alto GlobalProtect, Cisco AnyConnect, McAfee Endpoint Security, OpenVPN Cloud, TrendMicro, Kaspersky Security Cloud, CrowdStrike, Microsoft Always-On VPN, Sophos, Squid Proxy, Fortigate VPN, PulseSecure VPN, Blackberry Cylance |
| Traffic Steering | A series of traffic steering tests was conducted to confirm that the Client was able to steer traffic without any conflicts from third-party apps installed on the same device. To learn more about traffic steering, see Steering Configuration. | VMware Carbon Black, Symantec Endpoint Protection, Palo Alto GlobalProtect, Cisco AnyConnect, McAfee Endpoint Security, OpenVPN Cloud, TrendMicro, Kaspersky Security Cloud, CrowdStrike, Microsoft Always-On VPN, Sophos, Squid Proxy, Fortigate VPN, PulseSecure VPN, Blackberry Cylance |
| Log Collection | As part of Client troubleshooting tasks, the log collection process was successfully executed from the tenant WebUI. Log files of the Client on a machine that had the third-party apps installed were successfully generated. To learn more about Client logs, see Netskope Client Configuration. | VMware Carbon Black, Symantec Endpoint Protection, Palo Alto GlobalProtect, Cisco AnyConnect, McAfee Endpoint Security, OpenVPN Cloud, TrendMicro, Kaspersky Security Cloud, CrowdStrike, Microsoft Always-On VPN, Sophos, Squid Proxy, Fortigate VPN, PulseSecure VPN, Blackberry Cylance |
| Client Upgrade | A client configuration with an upgrade option was able to upgrade the Client installed on devices with third-party apps. To learn more about Client Configuration, see Netskope Client Configuration. | |
| Client Enable/Disable | The tenant admin could enable or disable clients installed on devices that had third-party apps. | VMware Carbon Black, Symantec Endpoint Protection, Palo Alto GlobalProtect, Cisco AnyConnect, McAfee Endpoint Security, OpenVPN Cloud, TrendMicro, Kaspersky Security Cloud, CrowdStrike, Microsoft Always-On VPN, Sophos, Squid Proxy, Fortigate VPN, PulseSecure VPN, Blackberry Cylance |

Compatibility Matrix

This section lists third-party software that is tested and qualified to work on the same devices as the Netskope Client.

VPN Applications

Third-party VPN applications require steering configuration exceptions to ensure that each VPN application is able to reach its gateway. To learn more about creating VPN exceptions, see Exception Configuration for VPN Applications. For detailed instructions on configuration best practices for a third-party application, click the interop best practices link for your third-party app in the Notes column of the following table.

| Application Name | Version |
| --- | --- |
| Cisco AnyConnect | 4.3, 4.4, 4.5, 4.6, 4.8, 4.9, 4.10 |
| Palo Alto GlobalProtect | 4.1.0 |
| OpenVPN Cloud | 3.3.1.2222 |
| Microsoft Always-On VPN | Windows 10 Pro with OS build 19044.1586 |
| FortiGate VPN | FortiOS v7.2.0-b1157 (Server), 7.0.5.0238 (Client) |
| PulseSecure VPN | 9.1R14 (build 16847) (Server), 9.1.14.13525 (Client) |

Anti Virus Applications

To ensure Netskope Client traffic operates smoothly, follow the instructions in Exceptions for Anti Virus Applications.

| Application Name | Version |
| --- | --- |
| Sophos | 2.0.24 |
| McAfee End Point Security | 10.7 |
| VMware Carbon Black | 3.8.0.398 |
| Symantec Endpoint Protection | 14.0.MP1 build 2332 (14.0.2332.100) |
| CrowdStrike | 6.36.15005 |
| TrendMicro Maximum Security | 17.7.1243 – USOI202074.Q4EXP |
| Blackberry Cylance | 2.1.1574 (Windows), 3.0.1000.511 (macOS) |

Web Security Agent

| Application Name | Version |
| --- | --- |
| Cisco AnyConnect Web Security | 4.3, 4.4, 4.5 |

Explicit Proxies

You can use any of the following proxy applications to steer traffic from any device to the Netskope Cloud. To learn more about how Netskope Client steers traffic via explicit proxies, see Netskope Client in an Explicit Proxy Environment.

| Application | Version |
| --- | --- |
| Squid Proxy | 3.5.12 |
| Cisco Umbrella | 2.2.580.0 |