Netskope Explicit Proxy for Chromebooks with Google SAML Forward Proxy

This document explains how to configure Google as the SAML identity provider for Netskope SAML Forward Proxy and how to steer managed Chromebooks to the Netskope Cloud Explicit Proxy. SAML Forward Proxy is required because traffic arriving at the Netskope edge from the Cloud Explicit Proxy carries no user identity of its own; the SAML exchange with the IdP supplies it, so that policies and Skope IT events can be attributed to a user.

Refer to SAML Forward Proxy for detailed information on Multiple and Concurrent IdP.


Before you begin, you need:

  1. A Google G Suite account with a license that includes access to the admin console (Business, Enterprise, Education).

  2. A domain name.

  3. Administrator access to your G Suite account.

  4. At least one Chromebook that is managed by your G Suite account.

  5. A Netskope tenant with a web license and explicit proxy enabled.

Steps to Integrate Explicit Proxy with Chromebooks

  1. Configure SAML Forward Proxy for Google

  2. Configure Explicit Proxy for Managed Chromebook Devices

Configure SAML Forward Proxy for Google

  1. Log in to the Netskope UI and go to Settings > Security Cloud Platform > Traffic Steering > Explicit Proxy (this menu item only appears if Explicit Proxy is enabled on your tenant).

  2. Under Public IP, add the public IP address(es) from which your network's traffic egresses to the internet.

  3. Go to Settings > Security Cloud Platform > Forward Proxy > SAML and click New Account. Configure your IdP account by following the steps in the Multiple and Concurrent IdP section.

    [Figure: Create a new multiple IdP account]
  4. In another browser tab, log in to the Google Admin console, go to Apps > SAML Apps, click Add App, and select Add custom SAML app.

  5. Enter Netskope for the name, optionally add a logo, and then click Continue.

  6. A window with the Google IdP information opens. Copy the SSO URL and Entity ID, and then download the certificate.

  7. Return to the Netskope Add SAML Account window and do the following:

    1. Enter the following when creating the new IdP account:

      • Name: a name for the IdP

      • Access Method: select Cloud Explicit Proxy or All, as your deployment requires

      • IdP URL: the SSO URL copied from Google

      • IdP Entity ID: the Entity ID copied from Google

      • IdP Certificate: open the certificate you downloaded from Google in a text editor and paste its PEM contents here

        Leave the other fields blank, and then click Save.

  8. Next, go to Settings > Security Cloud Platform > Forward Proxy > SAML. To get the service provider details (specific to the IdP account) needed in the next step, click Netskope Settings to view the SAML Entity ID and ACS URL.

  9. Return to the Google admin console and click Continue, which opens the Service Provider Details screen. Enter the ACS URL and Entity ID, and then click Continue.

    Note that the order differs between the two consoles: the ACS URL is the second item in the Netskope console but the first item in the Google Admin console.
  10. Leave the Attribute Mapping screen blank and click Finish.

  11. In the Netskope UI, go to Settings > Security Cloud Platform > Forward Proxy > SAML.

  12. Find the IdP account you created in the previous step, click the more options menu (three dots), and select Enable. Domain bypasses, where required, are configured under Settings > BYPASS > Domain Bypass. At this point SAML forward proxy is ready to go.

To test, you need an endpoint that is pointed at the explicit proxy. You can test with any such device, or proceed to the next section to configure explicit proxy on your Chromebook devices.

Configure Explicit Proxy for Managed Chromebook Devices

Install the Netskope certificates in the Google Admin console, then choose Method 1 or Method 2 to configure your proxy settings.

Install Certificates

Regardless of the method you choose, the Netskope root certificate must be trusted on end-user devices, otherwise TLS decryption by the proxy will produce certificate errors. Fortunately, the Google Admin console lets you push it to all managed devices at once.

  1. In the Netskope UI, go to Settings > Manage > Certificates > Signing CA and download all three certificates (this ensures decryption works whether or not the device's egress IP is allowlisted in the tenant).

  2. In the Google Admin console, go to Devices > Networks > Certificates and click Add Certificate, adding each certificate one at a time.

  3. Upload the Netskope root certificate, select Chromebook under Certificate Authority, and then click Save. The certificate is pushed automatically to all managed ChromeOS devices.

Method 1: Configure Proxy Settings in the Google Admin Console

This method applies regardless of the Wi-Fi network or browser a user chooses on the ChromeOS device, but it ONLY works for managed ChromeOS devices, not for any other OS.

  1. In the Google Admin console, go to Devices > Chrome > Settings > User & browser settings, and select Network.

  2. Under Proxy mode, change the setting to Always use the proxy specified below. For Proxy server URL, copy the URL from your Netskope tenant under Settings > Security Cloud Platform > Traffic Steering > Explicit Proxy. Be sure to remove the https:// scheme, and leave the other settings at their defaults.

  3. If any URLs must bypass the proxy, add them here; IP addresses and CIDR blocks also work. You will also need bypasses for your SSO provider, Google SSO included, so that the SAML exchange is not itself sent through the proxy. These are the suggested bypasses for ChromeOS:

  4. When you have finished adding bypasses, wait a few minutes, then on your ChromeOS device check Settings > Network. Click your Wi-Fi network and you should see the proxy settings applied.

  5. Visit a few Google cloud apps from the device. In Skope IT in your Netskope tenant, the event details should show the Access Method as Explicit Proxy.

Method 2: Configure a Hosted PAC File

The Google Admin console only supports hosted PAC files. Netskope plans to support hosting the PAC file in the tenant in a later release; for now, host it on a third-party site.

  1. In your Netskope tenant, go to Settings > Security Cloud Platform > Traffic Steering > Explicit Proxy and click Download Sample PAC File.

  2. A file called sample.pac is downloaded. Open it in a text editor of your choice and use it as a template for a new PAC file that steers your traffic.

    1. Substitute the placeholder exception entries with the exceptions (bypassed sites) you need. In the sample, the exceptions let the endpoint reach Okta for authentication directly instead of via the Cloud Explicit Proxy; for this deployment, your Google SSO endpoints would be bypassed the same way. The exceptions are not a requirement, but they illustrate how a PAC file sends some traffic direct and the rest to the Cloud Explicit Proxy.

    2. Substitute proxy-<tenant-URL> with your tenant name and save your changes.
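The steering logic described in this section, and the bypass considerations from Method 1, as an added worked example. This is not Netskope's sample.pac and not a Netskope-recommended bypass list: the proxy host proxy-example.goskope.com:8080 is a placeholder following the proxy-<tenant-URL> pattern (take the real value from your tenant), and the SSO_BYPASS hosts are example Google SSO endpoints chosen for illustration. The file is ES5 so that it runs in any PAC runtime; the small polyfills at the top exist only so it can also be executed under Node for offline testing.

```javascript
// Added example PAC file (not Netskope's sample.pac, not a Netskope bypass list).
// Steers SSO endpoints and internal destinations DIRECT; everything else goes
// to the Netskope Cloud Explicit Proxy.
//
// Assumptions, substitute your own values:
//   - PROXY_HOST is a placeholder for your tenant's proxy URL without https://,
//     i.e. the value shown under Traffic Steering > Explicit Proxy.
//   - SSO_BYPASS lists example Google SSO hosts; use the bypass list your
//     identity provider actually requires.
var PROXY_HOST = "proxy-example.goskope.com:8080";   // placeholder
var PROXY = "PROXY " + PROXY_HOST;

// Bypass entries: a leading dot means "this domain and all subdomains";
// no dot means exactly this hostname. Never list a bare "google.com":
// PAC's dnsDomainIs() is a plain suffix test, so "notgoogle.com" would match.
var SSO_BYPASS = ["accounts.google.com", ".gstatic.com"];   // example hosts only

// RFC 1918 and loopback ranges that should never be sent to a cloud proxy.
var DIRECT_CIDRS = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8]];

// --- Polyfills of the standard PAC helpers so this file also runs under Node.
// Browser and ChromeOS PAC runtimes define these natively; the polyfills are
// harmless there but can be removed before hosting the file. ---
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Literal IPv4 matching. Deliberately NOT isInNet(host, ...): given a hostname,
// that helper performs a DNS lookup inside the PAC sandbox, which is slow and
// reveals the destination to the local resolver before any proxy decision.
function ipv4ToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) { return null; }
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) { return null; }
    n = n * 256 + octet;
  }
  return n;
}
function inCidr(ipInt, cidr) {
  var base = ipv4ToInt(cidr[0]);
  var bits = cidr[1];
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((base & mask) >>> 0);
}
function isDirectIp(host) {
  var ipInt = ipv4ToInt(host);
  if (ipInt === null) { return false; }
  for (var i = 0; i < DIRECT_CIDRS.length; i++) {
    if (inCidr(ipInt, DIRECT_CIDRS[i])) { return true; }
  }
  return false;
}
function hostMatches(host, entry) {
  if (entry.charAt(0) === ".") {
    return host === entry.substring(1) || dnsDomainIs(host, entry);
  }
  return host === entry;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet single-label names and private/loopback literal IPs go direct.
  if (isPlainHostName(host) || isDirectIp(host)) { return "DIRECT"; }
  // SSO endpoints go direct so the SAML exchange with the IdP is not proxied.
  for (var i = 0; i < SSO_BYPASS.length; i++) {
    if (hostMatches(host, SSO_BYPASS[i])) { return "DIRECT"; }
  }
  // Everything else to the Cloud Explicit Proxy. No "; DIRECT" fallback: that
  // would make the policy fail open whenever the proxy is unreachable.
  return PROXY;
}
```

Two design choices matter for security here. The bypass matcher distinguishes exact hosts from dotted suffixes, so a lookalike such as accounts.google.com.evil.test is still proxied; and the final return has no "; DIRECT" fallback, because a fallback silently bypasses inspection whenever the proxy is unreachable, which is exactly when an attacker blocking the proxy would want it.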
