Netskope Client Overview

Netskope Client Overview

Netskope Client is a simple lightweight application that steers traffic from the end-user device to Netskope Cloud. It provides real-time visibility of the managed devices accessing the cloud and web from any location.

The Client uses Forward Proxy Steering mechanism where the Client creates an SSL tunnel from the end device and terminates it at the Netskope forward proxy in the Cloud. Tunnel carries traffic that is selected by the administrator as part of the steering configuration. All intermediate and root CA Certificates are installed in the system cert store during the Netskope Client installation to facilitate the SSL termination. The steering configuration in the Netskope admin console defines the apps and domains to be steered to the Netskope Cloud. This configuration is distributed to all the Clients and kept up-to-date on a regular basis.

If the Netskope Client is unable to establish a tunnel to the Gateway, it will Fail-Open. This means the Client cannot steer traffic for that duration and continue to attempt to establish the tunnel every 60 seconds.

Netskope Client extends its support for diverse operating systems such as:

To learn more, view Netskope Supported OS.

Benefits of deploying Netskope Client:

• Provide visibility to all users on and off premises.

• Provide visibility to all managed and unmanaged applications.

• Inspect browser and native application traffic.

• Enforce policy decisions at the device itself and a single agent across the organization to enforce policies seamlessly.

Netskope Client (henceforth referred to as Client in this doc) can be deployed as:

Netskope supports the following options to deploy Client on your device:

For the normal functioning of the Client, a set of outbound domains and port 443 must be allowed in the user’s firewall or proxy.  The Client connects to the domain URL after the installation is complete. After the installation is complete:

• Client connects to addon-<tenant>.eu.goskope.com:443.

• Downloads the certificates (root, tenant-specific, and user certificates) and configuration files (nsbranding.json, nsconfig.json, nsdomain.json, nsbypass.json, nsexception.json).

• Netskope CA Cert is installed in the following cert stores to prevent SSL certificate warning while accessing SaaS apps:

  • System Cert Store

  • Firefox cert store

  • Java cert store

Netskope Client steers traffic to Netskope’s security solutions such as Netskope Private Access, Netskope Cloud Firewall, SWG, and so on.

Netskope Private Access recommends that the Netskope Client be installed on a Windows, Mac, Android, or Chrome OS device. The Client steers private access application traffic to private access gateways. An alternate method is to use Browser Access for Netskope Private Access. To learn more, view Deploy Client for NPA.

The Netskope Client steers the traffic from the users’ device to the Netskope cloud based on certain rules and policies. HTTP(S) and non-HTTP(S) traffic is sent to Netskope gateway and based on traffic type, HTTP(S) traffic is forwarded to Netskope Proxy and non-HTTP(S) traffic is forwarded to Netskope Cloud Firewall. Netskope cloud performs policy enforcement, and the activity is displayed on the Netskope console in the cloud. To learn more, view Netskope Client in Cloud Firewall.

A Steering Configuration is responsible for directing traffic from end-users to the Netskope Cloud. A Netskope tenant steers thousands of apps by default, but to ensure the correct traffic (cloud apps or all web traffic) is steered, modify the default steering configuration, or create a steering configuration; these configurations can be assigned to groups or Organizational Units (OUs) to allow granular steering within an organization.

Click here to read more about Steering Configuration.