Explicit Proxy for Chromebooks

Explicit Proxy for Chromebooks

This guide illustrates using explicit proxy to steer SWG / CASB traffic from managed Chromebooks using the Netskope Chrome extension.

When steering private app traffic, the Chrome extension can work alongside the Netskope Cloud Director for Android that is used for NPA (Netskope Private Access) steering on Chromebooks. Ensure that you add private domains to the bypass_list or the PAC file so they are not steered to the explicit proxy.

Prerequisites for Steering SWG / CASB Traffic in Chromebooks – Configure your tenant with SAML forward proxy authentication.

You can push the Netskope Chrome extension through Google Workspace Admin console and pre-provision necessary configuration. The procedure has the following steps:

Installing the Netskope TLS CA Certificate

Install the TLS CA certificates to allow TLS decryption of traffic from managed Chromebooks. Before you proceed, download the certificates from the Netskope tenant admin console.

Downloading Certificates from Netskope Tenant

  1. Login to Netskope tenant as administrator.
  2. Go to Settings > Manage > Certificates > Signing CA.
  3. Download the following certificates
    • Root CA (Remote Users)
    • Root CA
    • Intermediate CA

    Note

    If you have configured your own signing CA certificate, import it together with all necessary intermediate CAs in addition to Root CA (Remote users) mentioned above.

Installing Certificates in Google Workspace Admin Console

  1. Login to Google Workspace Admin console.
  2. Go to Devices > Networks > Certificates and add the certificates download from your Netskope tenant.
    01_ga_addCert.png

Setting Proxy Mode to Allow User Configuration

  1. In the Google Workspace Admin console go to Devices > Chrome > Settings > Users & browsers.
    Users & browsers menu in the Google Admin Console
  2. Select organizational units that should use the extension and confirm that Proxy mode is set to Allow user to configure (this is the default):
    The Proxy Mode set to Allow user to configure in the Network section.

Configuring the Netskope Chrome Extension

  1. In Google Workspace Admin console go to Devices > Chrome > Apps & extensions > Users & browsers.
    Users & browsers menu in the Google Admin Console
  2. Select organizational units that should be provisioned with the extension.
  3. On the bottom right of the screen, click the + icon to add an extension from Chrome Web Store.
    The Add (+) icon in the Google Admin Console.
  4. In the pop-up window, search Netskope in the Chrome store to get the Netskope Chrome extension.
    The Netskope Chrome Extension in the Chrome Web Store.
  5. Set the Installation Policy to Force Install + pin to browser toolbar option.
    The Policy for extensions pane for the Netskope Chrome Extension.
  6. Click the Netskope Chrome Extension to specify JSON objects as Policy for extensions

    The JSON object has the following format:

    {"tenant": {            "Value": "<full-tenant-name>"   },   "block_disable": {            "Value": <option>   },   "enforce_os": {            "Value": ["<os-name>"]   },   "bypass_list": {        "Value": [                   "<comma-seperated_url_lists>"         ]    } }
    • tenant - The JSON object must contain the tenant name in format of "tenant": {"Value":"<tenant-name>"}. For example: "tenant": {"Value":"myorg.<tenant-URL>"}, where myorg.eu.goskope.com is the full tenant name. The tenant name must include the goskope.com suffix. block_disable - A boolean value to disallow users from disabling steering to Netskope. For example: "block_disable": {"Value": true}enforce_os - An array of strings that specify where the Netskope Chrome extension will operate. If this parameter is not specified, the extension will automatically be installed on all devices for a given user profile even if other Netskope steering methods are supposed to be used on those devices.

      Example of a valid entry: enforce_os":{"Value":["cros"]}Valid operating system definitions are:

      • For ChromeOS, specify crosFor Microsoft Windows, specify winFor Apple macOS, specify macFor Google Android , specify android.

        Note

        Google Chrome on Android does not support extensions, so this parameter is valid only for third-party Chromium based browsers

        For non-ChromeOS linux, specify linuxFor OpenBSD, specify openBSD
      bypass_list - An array of strings to identify the bypass settings for Netskope steering.This list may contain the following entries:
      • Hostname : [_<scheme>_://]_<host-pattern>_[:_<port>_]. Match all hostnames that match _<host-pattern>_.  A leading "." is interpreted as a "*." . Examples: "foobar.com", "*foobar.com", "*.foobar.com", "*foobar.com:99", "https://x.*.y.com:99".
        PatternMatchesDoes not Match.foobar.comwww.foobar.comfoobar.com*.foobar.comwww.foobar.comfoobar.comfoobar.comfoobar.comwww.foobar.com*foobar.comfoobar.com, www.foobar.com, foofoobar.com
        Simple Hostname: <local> . Matches simple hostnames. A simple hostname is one that contains no dots and is not an IP literal. For instance example and localhost are simple hostnames. However, example.com, example., and [::1] are not. IP Address: [_<scheme>_://]_<ip-literal>_[:_<port>_]. Match URLs that are IP address literals. Conceptually this is similar to the first case, but with special cases to handle IP literal canonicalization. For example, matching on [0:0:0::1] is the same as matching on [::1] because the IPv6 canonicalization is done internally. Examples: 127.0.1, [0:0::1], [::1], http://[::1]:99 .IP Address with Range: _<ip-literal>_/_<prefix-length-in-bits>_ . Match any URL containing an IP literal within the given range. The IP range is specified using CIDR notation. Examples: "192.168.1.1/16", "fefe:13::abc/33"

      List of domains recommended to be bypassed by Google:

      "bypass_list":{    "Value":[       "*.1e100.net",       "accounts.google.com",       "accounts.google.co.uk",       "accounts.gstatic.com",       "accounts.youtube.com",       "alt*.gstatic.com",       "chromeos-ca.gstatic.com",       "chromeosquirksserver-pa.googleapis.com",       "clients1.google.com",       "clients2.google.com",       "clients3.google.com",       "clients4.google.com",       "clients2.googleusercontent.com",       "cloudsearch.googleapis.com",       "commondatastorage.googleapis.com",       "cros-omahaproxy.appspot.com",       "dl.google.com",       "dl-ssl.google.com",       "firebaseperusertopics-pa.googleapis.com",       "*.googleusercontent.com",       "*.gvt1.com",       "gweb-gettingstartedguide.appspot.com",       "m.google.com",       "omahaproxy.appspot.com",       "pack.google.com",       "policies.google.com",       "printerconfigurations.googleusercontent.com",       "safebrowsing-cache.google.com",       "safebrowsing.google.com",       "ssl.gstatic.com",       "storage.googleapis.com",       "tools.google.com",       "www.googleapis.com",       "www.gstatic.com"    ] } 

      Note

      If using non-Google IdP ensure that you add relevant domains for SAML auth to bypass to this list.

      pac_data - A static PAC file data to be used instead of the bypass_list. The provided PAC file should point the steered traffic to eproxy-<tenant-name>.goskope.com:8081.

      Note

      If both pac_data and bypass_list are provided, only the pac_data is used.

      Example of a valid pac_data entry is:

      "pac_data":{"Value":"function FindProxyForURL(url, host) {   if (!shExpMatch(url, "https://*") && !shExpMatch(url, "http://*")) return "DIRECT";   var ExpList = [     "*.1e100.net",     "accounts.google.com",     "accounts.google.co.uk",     "accounts.gstatic.com",     "accounts.youtube.com",     "alt*.gstatic.com",     "chromeos-ca.gstatic.com",     "chromeosquirksserver-pa.googleapis.com",     "clients1.google.com",     "clients2.google.com",     "clients3.google.com",     "clients4.google.com",     "clients2.googleusercontent.com",     "cloudsearch.googleapis.com",     "commondatastorage.googleapis.com",     "cros-omahaproxy.appspot.com",     "dl.google.com",     "dl-ssl.google.com",     "firebaseperusertopics-pa.googleapis.com",     "*.googleusercontent.com",     "*.gvt1.com",     "gweb-gettingstartedguide.appspot.com",     "m.google.com",     "omahaproxy.appspot.com",     "pack.google.com",     "policies.google.com",     "printerconfigurations.googleusercontent.com",     "safebrowsing-cache.google.com",     "safebrowsing.google.com",     "ssl.gstatic.com",     "storage.googleapis.com",     "tools.google.com",     "www.googleapis.com",     "www.gstatic.com"];   for (var i=0; i<ExpList.length; i++) {     if (shExpMatch(host, ExpList[i])) return  "DIRECT" ;   }   var proxy = "PROXY eproxy-myorg.eu.goskope.com:8081";   return proxy; }"}
      pac_url - A URL for PAC file to be applied instead of bypass_list or pac_data. The downloaded PAC file should point steered traffic to eproxy-<tenantname>.goskope.com:8081. If pac_url and bypass_list or pac_data are provided, only pac_url is used.

      Example of a valid pac_url entry is:

      "pac_url":{"Value":"http://setools.netskope.io/mypac.pac"}
  7. After providing the policy for the extension, click Save on the top right corner to save the settings.

Verifying Policy Propagation

To verify if policy is correctly propagated, on a managed Chromebook navigate to chrome://policy. At the bottom of the page you will have a formatted table for Netskope Chrome Extension policies.

The Netskope Chrome Extension policy list

Hardening Managed Chromebook Configuration

To ensure that users are not able to bypass the steering to Netskope, we recommend that you configure the following settings in Google Workspace Admin console:

  1. In Devices > Chrome > Settings > Users & browsers, click Disallow incognito mode.
    Incognito mode set to Disallow incognito mode in the Google Admin Console
  2. In Devices  > Chrome > Apps & extensions > Users & browsers > Additional Settings, block unauthorized extensions with Set proxy or VPN provider permissions and disable any user-installed extensions (such as Ad Blockers and NoScript) to mess with goskope.com domains by adding *://*.goskope.com to the Runtime blocked hosts list.
    The configured Permissions and URLs in Additional Settings
  3. Block all apps not in the allow list for Play Store and Chrome Web Store.
    The configured Allow/block mode section in Additional Settings
  4. In Devices > Chrome > Settings > Users & Browsers, prevent users from managing certificates so they won’t tamper with the Netskope CA pushed by Google Workspace Admin.
    The User management of installed Ca certificates set to Disallow users from managing certificates in the Google Admin Console.
Share this Doc

Explicit Proxy for Chromebooks

Or copy link

In this topic ...