Netskope Client Overview

Netskope Client Overview

Netskope Client is a simple lightweight application that steers traffic from the end-user device to Netskope Cloud. It provides real-time visibility of the managed devices accessing the cloud and web from any location.


The Client uses Forward Proxy Steering mechanism where the Client creates an SSL tunnel from the end device and terminates it at the Netskope forward proxy in the Cloud. Tunnel carries traffic that is selected by the administrator as part of the steering configuration. All intermediate and root CA Certificates are installed in the system cert store during the Netskope Client installation to facilitate the SSL termination. The steering configuration in the Netskope admin console defines the apps and domains to be steered to the Netskope Cloud. This configuration is distributed to all the Clients and kept up-to-date on a regular basis.

If the Netskope Client is unable to establish a tunnel to the Gateway, it will Fail-Open. This means the Client cannot steer traffic for that duration and continue to attempt to establish the tunnel every 60 seconds.

Supported Platforms

Netskope Client extends its support for diverse operating systems such as:

  • Desktop
    • Windows
    • macOS
    • Linux
    • Chrome OS
  • Mobile
    • iOS
    • Android

To learn more, view Netskope Supported OS.


Windows and macOS support single and multi-user environments.

Deployment Methods

Benefits of deploying Netskope Client:

  • Provide visibility to all users on and off premises.

  • Provide visibility to all managed and unmanaged applications.

  • Inspect browser and native application traffic.

  • Enforce policy decisions at the device itself and a single agent across the organization to enforce policies seamlessly.

Netskope Client (henceforth referred to as Client in this doc) can be deployed as:

  • Installable App – On devices running Windows, macOS, Linux, and Android operating system the Client is installed as a lightweight non-intrusive application that steers traffic from the user’s device to the Netskope cloud. You can download the Client from the Download Netskope Client and Scripts page.
  • Configuration Profile – On devices running the iOS operating system, the Client is deployed as an On-Demand or a Per-App VPN configuration profile.


  • Release Number – Netskope Client uses 4-place version number system, for example: The individual digits represent release.major .minor.build_number respectively.
  • Client Golden Release – Golden releases are available every 3-months and support backward compatibility up to two previous versions. To know more about Golden release and download installers, see this Netskope Client Downloads article.

Netskope supports the following options to deploy Client on your device:

For the normal functioning of the Client, a set of outbound domains and port 443 must be allowed in the user’s firewall or proxy.  The Client connects to the domain URL after the installation is complete. After the installation is complete:

  • Client connects to addon-<tenant>

  • Downloads the certificates (root, tenant-specific, and user certificates) and configuration files (nsbranding.json, nsconfig.json, nsdomain.json, nsbypass.json, nsexception.json).

  • Netskope CA Cert is installed in the following cert stores to prevent SSL certificate warning while accessing SaaS apps:

    • System Cert Store

    • Firefox cert store

    • Java cert store

Netskope Client Services

Netskope Client steers traffic to Netskope’s security solutions such as Netskope Private Access, Netskope Cloud Firewall, SWG, and so on.

Netskope Client for Netskope Private Access

Netskope Private Access recommends that the Netskope Client be installed on a Windows, macOS, Linux, iOS, Android, or Chrome OS device. The Client steers private access application traffic to private access gateways. An alternate method is to use Browser Access for Netskope Private Access. To learn more, view Deploy Client for NPA.

Netskope Client for Netskope Cloud Firewall

The Netskope Client steers the traffic from the users’ device to the Netskope cloud based on certain rules and policies. HTTP(S) and non-HTTP(S) traffic is sent to Netskope gateway and based on traffic type, HTTP(S) traffic is forwarded to Netskope Proxy and non-HTTP(S) traffic is forwarded to Netskope Cloud Firewall. Netskope cloud performs policy enforcement, and the activity is displayed on the Netskope console in the cloud. To learn more, view Netskope Client in Cloud Firewall.

How it Works


Steering Configuration

A Steering Configuration is responsible for directing traffic from end-users to the Netskope Cloud. A Netskope tenant steers thousands of apps by default, but to ensure the correct traffic (cloud apps or all web traffic) is steered, modify the default steering configuration, or create a steering configuration; these configurations can be assigned to groups or Organizational Units (OUs) to allow granular steering within an organization.

Click here to read more about Steering Configuration.

Share this Doc

Netskope Client Overview

Or copy link

In this topic ...