Netskope Client Network Configuration
Netskope Client Network Configuration
This topic describes the various network configuration requirements for Netskope Client with respect to Global Server Load Balancing (GSLB) and how it works.
Client Outbound Connectivity Requirements
For normal functioning, the Netskope Client must be allowed to connect outbound directly to the subnets, domains, ports, and protocols as given in the following tables:
- Configure Firewalls and proxies to allow these connections without decryption.
Configure Full Tunnel VPNs with exceptions for these connections. - Do not include these connections in Split Tunnel VPNs.
- The following document includes references to “NG-SWG” which includes Cloud Inline, SWG, Cloud Firewall, DNS Security, and Remote Browser Isolation(RBI).
- The following document includes references to “NPA” which is Netskope Private Access and also known as ZTNA Next L7.
- HTTP/2: We negotiate HTTP/2 for all domains if the origin server supports it, otherwise, we fallback to HTTP 1.1. All other traffic will continue to leverage HTTP 1.1.The protocol change is completely transparent to users, no configuration is required by admins. Contact Support to enable this feature in your account.
- In addition, the Netskope Client and GRE / IPSEC and iOS access methods are fully supported.
Client Version: 109.0.0 or later
The following section applies to tenants with Client version 109.00 or later where the GSLB feature is enabled for SWG and NPA.
Netskope Products | Destination Subnets and Domains | Protocols/Ports | Purpose |
---|---|---|---|
NG-SWG NPA | Netskope Subnets Documentation | TCP/443 | GSLB latency-based Gateway Selection for NG-SWG and NPA. TLS connectivity to Netskope NewEdge data plane. |
UDP/443 | DTLS connectivity to Netskope NewEdge data plane for NG-SWG. | ||
NG-SWG NPA | DNS Servers | UDP/53 | DNS lookups for connectivity to Netskope services. This can be a private or public DNS server, but must resolve public domains. |
NPA | *.npa.goskope.com Contact Netskope Support, or Sales Representatives if tenant-specific domains or IP subnets are required. | TCP/443 | Client enrollment and re-enrollment for NPA. |
Endpoint DLP | epdlp.gslb.goskope.com *.epdlp.goskope.com epdlp-prod.netskope.io | TCP/443 | Endpoint DLP connectivity and policy updates. |
Secure Enrollment | enrollment.goskope.com | TCP/443 | Secure enrollment connectivity |
GSLB API | gateway.gslb.goskope.com | TCP/443 | The Netskope Client connects to Netskope’s API to request the list of nearby Netskope data centers. |
Client Version: 103.0.0 to 108.x.x
This section applies to tenants with Client version 103.0.0 or later where the GSLB feature is enabled for SWG and disabled for NPA.
Netskope Products | Destination Subnets and Domains | Protocols/Ports | Purpose |
---|---|---|---|
NG-SWG NPA | Netskope Subnets Documentation | TCP/443 | GSLB latency-based Gateway Selection for NG-SWG. TLS connectivity to Netskope NewEdge data plane NG-SWG and NPA. |
UDP/443 | DTLS connectivity to Netskope NewEdge data plane for NG-SWG. | ||
NG-SWG NPA | DNS Servers | UDP/53 | DNS lookups for connectivity to Netskope services. This can be a private or public DNS server, but must resolve public domains. |
NPA | dns.google 8.8.8.8 8.8.4.4 | TCP/443 | EDNS geolocation-based Gateway Selection for NPA. If this is blocked or fails, LDNS geolocation-based Gateway Selection will be used which can result in higher latency connectivity. |
NPA | *.npa.goskope.com Contact Netskope Support, or Sales Representatives if tenant-specific domains or IP subnets are required. | TCP/443 | Client enrollment and reenrollment for NPA. |
All Client Versions
This section applies to all tenants with any Client version where the GSLB feature is disabled for SWG and NPA.
Netskope Products | Destination Subnets and Domains | Protocols/Ports | Purpose |
---|---|---|---|
NG-SWG NPA | dns.google 8.8.8.8 8.8.4.4 | TCP/443 | EDNS geolocation-based Gateway Selection for NG-SWG and NPA. If this is blocked or fails, LDNS geolocation-based Gateway Selection will be used which can result in higher latency connectivity. |
NG-SWG NPA | DNS Servers | UDP/53 | DNS lookups for connectivity to Netskope services. This can be a private or public DNS server, but must resolve public domains. |
NG-SWG NPA | addon-<tenant>[.region].goskope.com | TCP/443 | Downloading configuration files and dynamically detecting proxies. |
NG-SWG NPA | download-<tenant>[.region].goskope.com | TCP/443 | Downloading client package updates. |
NG-SWG NPA | nsauth-<tenant>[.region].goskope.com | TCP/443 | IdP-based Client Enrollment and Periodic Re-authentication for Private Apps. |
NG-SWG | gateway-<tenant>[.region].goskope.com gateway-backup-<tenant>[.region].goskope.com | TCP/443 | Primary and Backup TLS connectivity to Netskope NewEdge data plane for NG-SWG. |
UDP/443 | Primary and Backup DTLS connectivity to Netskope NewEdge data plane for NG-SWG. | ||
NG-SWG | achecker-<tenant>[.region].goskope.com | TCP/443 | Client enforcement. This is required to enforce the end-user to install the Client on their device. If the Client is not installed in the users’ device, access to an app or domain specified in the steering configuration is restricted and the user is redirected to a browser page with instructions to install the Client. |
NPA | gateway.npa.goskope.com | TCP/443 | TLS connectivity to Netskope NewEdge data plane for NPA. |
NPA | *.npa.goskope.com Contact Netskope Support, or Sales Representatives if tenant-specific domains or IP subnets are required. | TCP/443 | Client enrollment and re-enrollment for NPA. |
Publisher Outbound Connectivity Requirements
This section applies to all NPA Publisher versions starting with 109.0.0 where the GSLB feature is enabled for NPA publishers.
Netskope Products | Destination Subnets and Domains | Protocols/Ports | Purpose |
---|---|---|---|
NPA Publisher | Netskope Subnets Documentation | TCP/443 | GSLB latency-based Stitcher Selection for NPA; TLS connectivity to Netskope NewEdge data plane. |
NPA Publisher | DNS Servers | UDP/53 | DNS lookups for connectivity to Netskope services. This can be a local or public DNS server, but must resolve public domains. |
NPA Publisher | *.docker.com *.docker.io *.ubuntu.com | TCP/443 | Publisher updates |
NPA Publisher | *.ubuntu.com | TCP/80 | Publisher updates |
NPA Publisher | *.npa.goskope.com Contact Netskope Support, or Sales Representatives if IP subnets are needed instead of FQDNs. | TCP/443 | Publisher registration |
GSLB API | gateway.gslb.goskope.com | TCP/443 | To request a list of nearby Netskope data centers. |
NewEdge Traffic Management Gateway Selection
NewEdge Traffic Management 2.0 (GSLB) is a latency-based gateway selection method that uses a proprietary Netskope-hosted API service instead of relying on third-party services such as Google DNS. Global Server Load Balancing (GSLB) provides a better user experience by allowing Netskope to quickly identify and address network issues, improve performance, improve stability, and improve resilience. The Netskope Client now considers many nearby NewEdge data centers and calculates latency (RTT) to each, then selects the data center with the lowest latency. If GSLB cannot be reached then the Netskope Client falls back to the previous extended DNS(EDNS) and local DNS(LDNS) geolocation-based gateway selection behavior.
- GSLB services are available for SWG and Private Access.
- NG-SWG: This feature is enabled by default for tenants created after the release of platform version 109. To enable this feature for tenants created earlier, contact your Sales Representative or Netskope Support.
- NPA: GSLB services are available for all tenants. To enable this feature contact your Sales Representative or Netskope Support.
- In the event of GSLB call failure, Publisher and Netskope Client fallback to EDNS or LDNS.
- By default GSLB will return 10 nearby data centers to test for latency. Contact Support to modify this value.
- For NPA:
- The minimum version for Client and Publisher must be 109.0.0. Older versions continue to work with EDNS/LDNS. Restart of Netskope Client and Publisher may be required upon enabling the feature:
- If GSLB functionality is enabled for Netskope Client versions 108.0.0 or lower, updating to 109.0.0 activates GSLB automatically without requiring a restart.
- If the GSLB functionality is enabled for Netskope Publisher versions 108.0.0 or lower, updating to 110.0.0 activates GSLB automatically without requiring a restart.
- You can now configure New Edge Traffic Management Zones per tenant. Contact Support to configure this feature.
- Do not support Periodic RTT checks during the session.
- Fallback to EDNS/LDNS can be disabled. Contact Support to configure this feature.
Supported Operating Systems
New behavior is supported on all operating systems. For more details, view Netskope Client Supported OS and Platform.
Prerequisites
Refer to the tables in the previous sections of this page for Client version and network connectivity requirements. Refer to the Support portal to understand the allowed IP ranges for outbound access on your firewall.
- FedRAMP High IPs are different and the current list can be found here: https://support.netskope.com/s/article/NewEdge-Consolidated-List-of-IP-Range-for-Allowlisting (Requires a Support account).
- To collect Client logs through the Netskope tenant, view Unable to collect client debug logs remotely(Requires a Support account).
Also, ensure that your VPN is not configured to tunnel those IP ranges through a VPN tunnel. To learn more about VPN compatibility, view VPN Applications.
GSLB Gateway Selection Process
-
The Netskope Client connects to Netskope’s API (gateway.gslb.goskope.com) using HTTPS (tcp/443) to request a list of nearby Netskope data centers.
-
Netskope’s API uses the public IP of the API request to look up the geolocation of the endpoint.
-
Netskope’s API then responds with a list of geographically nearby Netskope data centers.
-
The Netskope Client tests latency to each of the nearby Netskope data centers.
-
The Netskope Client connects to the Netskope data center with the lowest latency.
- If the HTTPS connection to Netskope’s API is steered through a VPN, this will change the public IP of the request and incorrectly geo locate the user, which can result in the Netskope Client connecting to a Netskope data center far from the endpoint.
- If the endpoint’s public IP is incorrectly registered with geolocation databases, this can result in the Netskope Client connecting to a Netskope data center far from the endpoint.
- If the HTTPS connection to Netskope’s API is blocked, the Netskope Client will attempt to use EDNS and LDNS for gateway selection.
Netskope Private Access tenants may now take advantage of NewEdge Traffic Management intent-based Zones. Some organizations have inline (or “data in motion”) compliance requirements that restrict inline traffic processing to specific geographical regions.Now, the NPA tenants can restrict traffic to supported Zones. To learn more: Configure NewEdge Traffic Management Zones per NPA Tenant.
Gateway Selection Behavior Using EDNS and LDNS
NewEdge Traffic Management 1.0 is a geolocation-based gateway selection method that uses DNS. Initially, the Netskope Client used EDNS to resolve one of the following gateway fully qualified domain names(FQDN):
-
gateway-<tenant>[.region].goskope.com
-
gateway-backup-<tenant>[.region].goskope.com
If EDNS resolution fails then the Netskope Client uses LDNS to resolve the gateway FQDNs.
EDNS Gateway Selection Process
Refer to the following instructions to understand the EDNS gateway selection process:
-
The Netskope Client connects to Google DNS (dns.google) using DNS over HTTPS (tcp/443) to request an IP for gateway-<tenant>[.region].goskope.com.
-
Google DNS uses the public IP of the DNS over HTTPS request to look up the geolocation of the endpoint.
-
Google DNS then resolves gateway-<tenant>[.region].goskope.com to the Netskope data center geographically closest to the endpoint’s public IP.
-
The Netskope Client connects to the Netskope data center using the provided IP.
- If the DNS over HTTPS connection is steered through a VPN, this changes the public IP of the request and incorrectly geo-locates the user, which can result in the Netskope Client connecting to a Netskope data center far from the endpoint.
- If the endpoint’s public IP is incorrectly registered with geolocation databases, this can result in the Netskope Client connecting to a Netskope data center far from the endpoint.
- If the DNS over HTTPS connection is blocked, the Netskope Client attempts to use LDNS to resolve gateway-<tenant>[.region].goskope.com.
-
LDNS Gateway Selection Process
Refer to the following instructions to understand the LDNS gateway selection process:
-
The Netskope client uses the endpoint’s configured DNS server using standard DNS (udp/53) to resolve gateway-<tenant>[.region].goskope.com.
-
The Netskope Client connects to the Netskope data center using the provided IP.
If the DNS server’s public IP is registered geographically far from the endpoint, this can result in the Netskope Client connecting to a Netskope data center far from the endpoint. For example, if the endpoint is in San Jose, CA, but it is configured to use a corporate DNS server located in Ashburn, VA, the endpoint will connect to a Netskope data center near Ashburn, VA. This would result in significant additional latency for all Internet and Private Access connectivity through Netskope.
Netskope Client in a Non-Proxy Environment
Here are the packet flow details of how the cloud app traffic is intercepted and sent through the tunnel when the client is installed in a non-proxy environment:
- The Client establishes the SSL tunnel between the Client and the Netskope gateway.
- Browser/App sends a DNS request for a managed cloud service (For example: Box.com).
- Browser/App receives a DNS response (For example: 74.112.184.73).
- The Client driver captures DNS response and creates a map of domain and IP (For example: Box.com = 74.112.184.73 for cloud app domains).
- Browser/App sends packets to Box.com (For example: DST IP 74.112.184.73).
- Client tunnels Box traffic (For example: DST IP 74.112.184.73) through the SSL tunnel.
Netskope Client in an Explicit Proxy Environment
Here are the packet flow details of how the Cloud app traffic is intercepted and sent through the tunnel when the client is installed in an explicit proxy environment:
-
The Client establishes the SSL tunnel between the Client and the Netskope gateway. The Client first tries to connect directly through default gateway to establish the SSL tunnel. If this is blocked, then it looks for system proxy settings, such as PAC (proxy auto-config) files, WPAD (Web Proxy Auto-Discovery Protocol), and manual configuration. The client uses the proxy settings and connects to the Netskope gateway via HTTP Connect.
The Netskope gateway should be SSL allowlisted if the proxy is configured for SSL decryption. If your environment uses firewall or proxy, ensure that you process the backup gateway URL in the same manner as the primary gateway URL. The backup gateway URL is suffixed withgateway-backup
to your primary URL. -
The browser or native app reads the proxy settings (PAC file, explicit proxy setting) and opens a connection to an explicit proxy server, for example: ep.customer.com.
-
The client parses the initial header of the connection.
-
If the initial header indicates the connection is:
-
Cloud mode (SaaS app): The initial header indicates the hostname of the SaaS application. If the hostname is not a part of the managed SaaS application exception configuration, the Client bypasses the traffic to a local proxy server.
-
Web and All Traffic mode: The initial header indicates the hostname of the web application. If the hostname is a part of the exception, the Client bypasses the traffic to a local proxy server. Otherwise, the traffic is tunneled to the Netskope gateway.
-
-
If the initial header does not indicate SaaS app HTTPS access, the Netskope Client bypass the traffic and forwards the entire payload to the explicit proxy server. For example: ep.customer.com.
Netskope Client log messages with On-prem Proxy
Steering traffic flow and Log message: With on-prem proxy, the Netskope Client monitors for HTTP CONNECT requests. It checks for the domain name in these requests against the managed domain list. If the name matches then it will reconstruct the TCP SYN packet and send it through the Netskope Tunnel and at the same time it will send TCP RST to on-prem proxy, and it will take control of that connection. After the TCP 3-way handshake with Netskope proxy, it sends the HTTP CONNECT request and the flow continues with Netskope proxy. Since TCP flow will be with destination IP of on-prem proxy when Netskope Client logs the message, it will show destination IP as on-prem Proxy and the domain name will be the managed domain.
Assuming on-prem Proxy IP is 10.10.10.11 and Proxy port is 8080 and the managed domain is www.box.com then you will see the log line as below:
2021/07/18 17:16:11.282 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS [sessId 1] Tunneling flow from addr: 192.168.13.40:49614, process: chrome.exe to host: www.box.com,addr: 10.10.10.11:8080