Microsoft and Netskope SSE Coexistence

Microsoft’s Security Service Edge solution provides a robust set of capabilities to increase security and improve performance of your Microsoft 365 products. Some of these capabilities include:

  • Prevent data exfiltration to untrusted tenants.
  • Verify users and conditions before giving access to the network.
  • Revoke access to Microsoft 365 products when conditions change by using continuous access evaluation.
  • Leverage location-based conditional access, risk detection, and enhanced activity logs by taking advantage of source IP restoration.
  • Protect Microsoft 365 apps against token infiltration and anonymous access.

These capabilities are unique to Microsoft Internet Access for 365, which provides a side-by-side opportunity for customers to benefit from these features while also using Netskope’s Security Service Edge.

When leveraging Microsoft and Netskope’s Security Service Edge (SSE) solutions in a unified environment, users can harness a robust set of capabilities from both platforms to elevate their SSE journey. The synergy between these platforms empowers customers with enhanced security and seamless connectivity.

This document contains steps to deploy these solutions side by side, specifically, Microsoft’s SSE for Microsoft 365 applications such as Exchange Online and SharePoint Online, and Netskope’s SSE for all other web traffic.


Solutions Tested

Default

  • Microsoft SSE configuration: Microsoft 365 traffic is captured. Enable Microsoft 365 traffic forwarding profile, disable Internet Access and Private Access traffic forwarding profiles.
  • Netskope SSE configuration: Internet Access traffic is captured. The Microsoft 365 traffic is excluded.
  • Microsoft and Netskope clients installed on Windows 10 or 11 Entra joined device.

Netskope Inspect

  • Netskope SSE configuration: Microsoft 365 traffic is inspected.
  • Microsoft SSE configuration: Enable Microsoft 365 traffic forwarding profile.

Configuration Summary

Microsoft

To configure Microsoft’s SSE for Microsoft 365, follow the steps in this getting started guide for Microsoft Entra Internet Access (Steps 3 and 4 are optional for this testing):

  1. Enable the Microsoft 365 traffic forwarding profile.
  2. Install and configure the Global Secure Access Client on end-user devices.
  3. Enable universal tenant restrictions.
  4. Enable enhanced Global Secure Access signaling and Conditional Access.

Netskope

To configure Netskope’s SSE for web traffic:

  1. Create Network location profiles to bypass Microsoft 365 destination IPs and MSFT SSE service IPs.
  2. Create a Steering Configuration to steer all web traffic to Netskope except Microsoft 365 by adding exceptions for IPs and domains.
  3. Install Netskope Client.

Once configurations are complete and clients are installed side by side, verify clients’ connectivity and configurations.

Configuration Steps

Microsoft

Enable Microsoft 365 Traffic Profile

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Go to Global Secure Access (preview) > Connect > Traffic forwarding.
  3. Select the checkbox for the Microsoft 365 access profile.
  4. Block QUIC traffic with a local firewall rule on your end device. The Global Secure Access Client currently only supports TCP traffic. Exchange Online uses the QUIC protocol for some traffic over UDP port 443; force this traffic to use HTTPS (TCP port 443) by blocking QUIC traffic with a local firewall rule. Non-HTTP protocols such as POP3, IMAP and SMTP aren't acquired by the client and are sent direct-and-local.

Install and Configure Global Secure Access Client

The most current version of the Global Secure Access Client can be downloaded from the Microsoft Entra admin center.

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Go to Global Secure Access (Preview) > Connect > Client download.
  3. Select Download Client.

Organizations can install the client interactively, silently with the /quiet switch, or use mobile device management platforms like Microsoft Intune to deploy it to their devices.

  1. Copy the Global Secure Access Client setup file to your client machine.
  2. Run the setup file, like GlobalSecureAccessInstaller 1.7.376.1214. Accept the software license terms.
  3. After the client is installed, users are prompted to sign in with their Microsoft Entra credentials.
    Screenshot showing the sign-in box appears after client installation completes.
  4. After users sign in, the connection icon turns green, and double-clicking on it opens a notification with client information showing a connected state.

Netskope

Create Network Location Profiles to Bypass Microsoft 365 Destination IPs and MSFT SSE Service IPs

  1. Go to Policies > Profile > Network Location > New Network Location > Single Object.
  2. Add these IPs, name them as MSFT SSE Service, and save the network location:
    150.171.19.0/24, 150.171.20.0/24, 13.107.232.0/24, 13.107.233.0/24, 150.171.15.0/24, 150.171.18.0/24, 151.206.0.0/16, 6.6.0.0/16


  3. Repeat steps 1-2 above to add Microsoft 365 IPs and save them as MSFT SSE M365 (Please note that we are working on acquiring additional Microsoft 365 traffic. Refer to M365 URLs and IP address ranges for a complete list):
    132.245.0.0/16, 204.79.197.215/32, 150.171.32.0/22, 131.253.33.215/32, 23.103.160.0/20, 40.96.0.0/13, 52.96.0.0/14, 40.104.0.0/15, 13.107.128.0/22, 13.107.18.10/31, 13.107.6.152/31, 52.238.78.88/32, 104.47.0.0/17, 52.100.0.0/14, 40.107.0.0/16, 40.92.0.0/15, 150.171.40.0/22, 52.104.0.0/14, 104.146.128.0/17, 40.108.128.0/17, 13.107.136.0/22, 40.126.0.0/18, 20.231.128.0/19, 20.190.128.0/18, 20.20.32.0/19
  4. Go to Policies > Profile > Apply Changes on the top right side of your screen.
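Because the guide notes that the MSFT SSE M365 list does not yet acquire all Microsoft 365 traffic, the following added check (not part of the original guide or of Netskope's tooling) reports which Microsoft 365 IPv4 ranges fall outside the configured bypass list and would therefore still be steered to Netskope; the ranges in $SampleM365 are constructed test input, and 203.0.113.0/24 is a placeholder (TEST-NET-3) included only to show an uncovered entry:

```powershell
# Added example (not part of the original document): report which Microsoft 365
# IPv4 ranges are NOT covered by the "MSFT SSE M365" bypass list from this guide.
# Uncovered ranges are steered to Netskope instead of being bypassed to the GSA client.
# $SampleM365 is constructed test input; 203.0.113.0/24 is a placeholder (TEST-NET-3)
# chosen to show an uncovered entry, not a real Microsoft range.

function ConvertTo-Int64Addr ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # big-endian
    [Array]::Reverse($bytes)                                         # BitConverter wants little-endian
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

# True when $Candidate lies entirely inside at least one CIDR in $BypassList.
function Test-CidrCovered ([string]$Candidate, [string[]]$BypassList) {
    $cNet, $cLen = $Candidate.Split('/'); $cLen = [int]$cLen
    $cAddr = ConvertTo-Int64Addr $cNet
    foreach ($b in $BypassList) {
        $bNet, $bLen = $b.Split('/'); $bLen = [int]$bLen
        if ($bLen -gt $cLen) { continue }     # a narrower bypass cannot contain a wider range
        $shift = 32 - $bLen                    # compare only the bypass prefix bits
        if (((ConvertTo-Int64Addr $bNet) -shr $shift) -eq ($cAddr -shr $shift)) { return $true }
    }
    return $false
}

# Bypass list exactly as configured in the "MSFT SSE M365" network location above.
$BypassM365 = '132.245.0.0/16,204.79.197.215/32,150.171.32.0/22,131.253.33.215/32,23.103.160.0/20,40.96.0.0/13,52.96.0.0/14,40.104.0.0/15,13.107.128.0/22,13.107.18.10/31,13.107.6.152/31,52.238.78.88/32,104.47.0.0/17,52.100.0.0/14,40.107.0.0/16,40.92.0.0/15,150.171.40.0/22,52.104.0.0/14,104.146.128.0/17,40.108.128.0/17,13.107.136.0/22,40.126.0.0/18,20.231.128.0/19,20.190.128.0/18,20.20.32.0/19' -split ','

# Constructed sample of ranges to check; the first three sit inside the bypass list,
# the placeholder does not.
$SampleM365 = '40.96.0.0/13', '52.96.128.0/17', '13.107.18.10/32', '203.0.113.0/24'

$notCovered = $SampleM365 | Where-Object { -not (Test-CidrCovered $_ $BypassM365) }
$notCovered | ForEach-Object { "NOT bypassed (will be steered to Netskope): $_" }

# Optional: check the published Microsoft 365 worldwide IPv4 ranges instead of the sample.
# $live   = Invoke-RestMethod "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
# $liveV4 = $live.ips | Where-Object { $_ -match '^\d+\.' } | Sort-Object -Unique
# $liveV4 | Where-Object { -not (Test-CidrCovered $_ $BypassM365) }
```

Any range the script lists is inspected by Netskope rather than forwarded by the Global Secure Access client, so re-check the list whenever Microsoft publishes new endpoint ranges.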

Create a Steering Configuration to Steer All Web Apps Traffic to Netskope except Microsoft 365

  1. Go to Settings > Security Cloud Platform > Traffic Steering > Steering Configuration > New Configuration.
  2. Add a name like MSFTSSEWebTraffic, assign it to a user group or OU, and select “Web Traffic” for the kind of traffic to steer. Leave the configuration disabled and Save.
  3. Click the newly created configuration MSFTSSEWebTraffic and select Exceptions > New Exception > Destination Locations.
  4. In this Exception, add MSFT SSE Service and MSFT SSE M365 in Destination Locations, and select the Bypass and Treat it like local IP address options.
  5. Next add exceptions for domains for MSFT SSE service and MSFT M365. Click Exceptions > New Exception > Domains. Add these exceptions:
    *.globalsecureaccess.microsoft.com, *.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, *.onmicrosoft.com, *.outlook.com, *.protection.outlook.com, *.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.net, *.sharepoint.com, *.sharepointonline.com, *.svc.ms, *.wns.windows.com, account.activedirectory.windowsazure.com, account.live.com, accounts.accesscontrol.windows.net, admin.onedrive.com, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, g.live.com, graph.microsoft.com, graph.windows.net, login-us.microsoftonline.com, login.live.com, login.microsoft.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, nexus.microsoftonline-p.com, officeclient.microsoft.com, oneclient.sfx.ms, outlook.office.com, outlook.office365.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com, spoprod-a.akamaihd.net, ssw.live.com, storage.live.com
  6. Ensure that the MSFT SSE configuration is at the top of the list of steering configurations in your tenant, and then enable this configuration.

Install the Netskope Client

There are several options for setting up the Netskope Client, such as integrating Entra ID to provision user accounts. Steps can be found here.

For the most basic setup, you can just add your email address to the Netskope Security Cloud Platform.

  1. Go to Settings > Security Cloud Platform > Netskope Client > Users.
  2. Add the user’s email address that you want. The User will get an email to set up the client.


Verify Clients’ Connectivity and Configurations

  1. After both clients are installed and running side by side and configurations from admin portals are complete, go to the system tray to check that Global Secure Access and Netskope clients are enabled.
  2. Verify configurations for clients:
    1. Right click on Global Secure Access Client > Advanced Diagnostics > Forwarding Profile. Verify that only Microsoft 365 rules are applied to this client.
    2. In Advanced Diagnostics > Health Check, ensure no checks are failing. (The IPv4 preferred check can be ignored; it can be resolved by creating the reg key.)
    3. Right click Netskope Client > Client Configuration. Verify steering config and traffic steering type match configurations in the earlier steps. Validate that configuration is up-to-date or update it.

Test Results

Default

  • Netskope SSE configuration: Internet Access traffic is captured. The Microsoft 365 traffic is excluded.
  • Microsoft SSE configuration: Microsoft 365 traffic is captured.

  1. Access an internet site, like bing.com.
  2. Sign in to the Microsoft Entra admin center and browse to Global Secure Access (Preview) > Monitor > Traffic logs. Validate that traffic related to bing.com is missing from the Global Secure Access traffic logs.
  3. Sign in to the Netskope Cloud Account and browse to Skope IT > Events > Application Events or Page Events. Traffic related to bing.com is present in the Netskope logs.
  4. Access Outlook Online and SharePoint Online and verify that the traffic is captured by Microsoft SSE. Validate the traffic in the Global Secure Access traffic logs.
  5. Validate that traffic related to Outlook Online, SharePoint Online and Teams is not in the Netskope logs.

Known Issues

  1. If the Netskope client starts up (or is enabled by the user) first and the Global Secure Access client second, the login popup doesn’t appear for the Global Secure Access client and the “tunneling succeeded” health check in Advanced Diagnostics fails. As a workaround, disable the Netskope client, log in to the Global Secure Access client, and then re-enable the Netskope client. The Entra SSE team is working on a solution, which is expected to be available before General Availability.
  2. After an hour or more, the Global Secure Access client may disconnect and the “tunneling succeeded” health check in Advanced Diagnostics isn’t successful. As a workaround, disable the Netskope client, log in to the Global Secure Access client, and then re-enable the Netskope client. The Entra SSE team is working on a solution, which is expected to be available before General Availability.

Troubleshooting

For deeper troubleshooting information, please review this deep dive video: https://youtu.be/-gdaqLAwVt4?si=7c2-mvkR_yhBm5Io.

[Optional] Netskope Inspects Microsoft 365 Traffic

Occasionally customers want to use the single, unified policy engine of Netskope to inspect traffic across all applications, including Microsoft 365. This is especially applicable when customers wish to enforce consistent content management for data protection. To support this, a customer would need to disable the bypass settings to redirect all traffic to Netskope.

  • Netskope SSE configuration: Microsoft 365 traffic is inspected.
  • Microsoft SSE configuration: Enable Microsoft 365 traffic forwarding profile.

Netskope Inspect Setup

A small change needs to be made to the Steering configuration for Netskope to receive the Microsoft 365 traffic.

  1. Sign in to Netskope Cloud Account and browse to Settings > Security Cloud Platform > Steering Configuration and click the same configuration name as shown in Netskope client’s Steering Configuration value. (In our case, as shown here, it is Group A.)
  2. Click Add Steered Item and Cloud Apps.
  3. Add a Steered Item as shown below and click Add.