Microsoft and Netskope SSE Coexistence
When leveraging Microsoft and Netskope’s Security Service Edge (SSE) solutions in a unified environment, users can harness a robust set of capabilities from both platforms to elevate their SSE journey. The synergy between these platforms empowers customers with enhanced security and seamless connectivity.
By configuring the integration of Microsoft and Netskope solutions, organizations can unlock a potent combination of features that not only fortify their security posture, but also optimize the overall performance of their Security Service Edge deployment. Interoperability tests conducted between Microsoft Entra Internet Access / Microsoft Entra Private Access and Netskope Security Service Edge access further ensure that these configurations maximize the visibility and effectiveness of the solutions, providing customers with a powerful and integrated SSE experience.
Solutions Tested
Default
- Netskope SSE configuration: Internet Access traffic is captured. The Microsoft 365 traffic is excluded.
- Microsoft SSE configuration: Enable Microsoft 365 traffic forwarding profile, disable Internet Access and Private Access traffic forwarding profiles
Netskope Inspect
- Netskope SSE configuration: Microsoft 365 traffic is inspected.
- Microsoft SSE configuration: Enable Microsoft 365 traffic forwarding profile
Setup Steps
Netskope
Microsoft
Netskope Setup
Netskope Client
There are many options for setting up the Netskope client, such as tying in Azure Active Directory to create your accounts. Steps can be found at https://docs.netskope.com/en/netskope-help/netskope-client.
For the most basic setup, you can just add your email address to the Netskope Security Cloud Platform.
- Browse to Settings > Security Cloud Platform > Netskope Client > Users
- Add the email address of the user you want to enroll. The user will get an email to set up the client.
Create a Steering Configuration
If you don’t already have a steering configuration, select New Configuration. Detailed documentation can be found at https://docs.netskope.com/en/netskope-help/traffic-steering. For this test we sent all users’ web traffic to the two solutions. No changes were needed beyond the defaults.
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration.
Microsoft Setup
Detailed Microsoft instructions for the Global Secure Access Client for Windows can be found at https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client.
Download the Microsoft SSE Client
The most current version of the Global Secure Access Client can be downloaded from the Microsoft Entra admin center.
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access (Preview) > Devices > Clients > Download.
Install the Microsoft SSE Client (Global Secure Access)
Organizations can install the client interactively, silently with the /quiet switch, or use mobile device management platforms like Microsoft Intune to deploy it to their devices.
- Copy the Global Secure Access Client setup file to your client machine.
- Run the setup file, like GlobalSecureAccessInstaller 1.5.527. Accept the software license terms.
- After the client is installed, users are prompted to sign in with their Microsoft Entra credentials.
- After users sign in, the connection icon turns green, and double-clicking on it opens a notification with client information showing a connected state.
Verify Connectivity
Go to the system tray to check for the Global Secure Access and Netskope clients.
Test Results
Default
- Netskope SSE configuration: Internet Access traffic is captured. The Microsoft 365 traffic is excluded.
- Microsoft SSE configuration: Enable Microsoft 365 traffic forwarding profile, disable Internet Access and Private Access traffic forwarding profiles.
Access an internet site, like bing.com.
Sign in to the Microsoft Entra admin center and browse to Global Secure Access (Preview) > Monitor > Traffic logs. Validate that traffic related to bing.com is missing from the Global Secure Access traffic logs.
In the Netskope UI, go to Skope IT > Events > Application Events. Traffic related to bing.com is present in the Netskope logs.
Access Outlook Online, SharePoint Online and Teams, and verify traffic is captured by Microsoft SSE. Validate traffic in the Global Secure Access traffic logs.
Validate that traffic related to Outlook Online, SharePoint Online and Teams is not in the Netskope logs.
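The Default-scenario checks above can also be run as a script over logs exported from both consoles. This is an added example, not Netskope or Microsoft tooling; the CSV column name `dest_host`, the sample rows, and the three-entry suffix list (covering only the apps named in the test) are constructed assumptions.

```python
import csv
import io

# Assumed, partial suffix list for Outlook Online, SharePoint Online and Teams.
# It is NOT the full Microsoft 365 endpoint set.
M365_SUFFIXES = ("outlook.office.com", "sharepoint.com", "teams.microsoft.com")

def is_m365(host):
    """True if host equals a suffix or is a subdomain of one (label-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in M365_SUFFIXES)

def hosts(csv_text, column="dest_host"):
    """Set of destination hosts in an exported log; the column name is hypothetical."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r[column].strip().lower() for r in rows if r.get(column)}

def check_default_split(gsa_hosts, netskope_hosts):
    """Return findings for the Default scenario; an empty list means the split holds."""
    findings = []
    for h in sorted(gsa_hosts):
        if not is_m365(h):
            findings.append(f"GSA log has non-M365 host: {h}")
    for h in sorted(netskope_hosts):
        if is_m365(h):
            findings.append(f"Netskope log has M365 host: {h}")
    # An empty log would pass the checks above, so require positive evidence too.
    if not any(is_m365(h) for h in gsa_hosts):
        findings.append("GSA log has no M365 traffic")
    if not any(not is_m365(h) for h in netskope_hosts):
        findings.append("Netskope log has no internet traffic")
    return findings

# Constructed sample exports (not real product output).
GSA_SAMPLE = ("dest_host,action\noutlook.office.com,Allow\n"
              "contoso.sharepoint.com,Allow\nteams.microsoft.com,Allow\n")
NETSKOPE_SAMPLE = "dest_host,app\nwww.bing.com,Bing\n"
NETSKOPE_LEAKY = NETSKOPE_SAMPLE + "contoso.sharepoint.com,SharePoint\n"

if __name__ == "__main__":
    print(check_default_split(hosts(GSA_SAMPLE), hosts(NETSKOPE_SAMPLE)))
    print(check_default_split(hosts(GSA_SAMPLE), hosts(NETSKOPE_LEAKY)))
```

A finding on the Netskope side means the Microsoft 365 exclusion is not taking effect; a finding on the Global Secure Access side means a forwarding profile other than Microsoft 365 is still enabled.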
Validate the New Steering Configuration
In the Netskope UI, verify traffic is captured by the Netskope Client. Go to Skope IT and validate traffic on the Application Event or Page Event page.
Access Outlook Online, SharePoint Online and Teams, and verify traffic is captured by Microsoft SSE. Validate traffic in the Global Secure Access traffic logs.
Microsoft 365 traffic is captured by the Microsoft SSE.
Netskope Inspects Microsoft 365 Traffic (Optional)
Occasionally customers want to use Netskope’s single, unified policy engine to inspect traffic across all applications, including Microsoft 365. This is especially applicable when customers wish to enforce consistent content management for data protection. To support this, a customer would need to disable the bypass settings to redirect all traffic to Netskope.
- Netskope SSE configuration: Microsoft 365 traffic is inspected.
- Microsoft SSE configuration: Enable Microsoft 365 traffic forwarding profile
Netskope Inspect Setup
A small change needs to be made to the steering configuration for Netskope to receive the Office 365 traffic.
Sign in to the Netskope Cloud Account and browse to Settings > Security Cloud Platform > Steering Configuration, then click the configuration whose name matches the Steering Configuration value shown in the Netskope client. (In our case, as in the previous screenshot, it is “Group A”.)
Click Add Steered Item > Cloud Apps.
Add a Steered Item as below and click Add.