Cloud Explicit Proxy for Chromebooks

This guide illustrates using explicit proxy to steer SWG / CASB traffic from managed Chromebooks using the Netskope Chrome extension.

When steering private app traffic, the Chrome extension can work alongside the Netskope Cloud Director for Android that is used for NPA (Netskope Private Access) steering on Chromebooks. Ensure that you add private domains to the bypass_list or the PAC file so they are not steered to the explicit proxy.

Prerequisites for Steering SWG / CASB Traffic in Chromebooks – Configure your tenant with SAML forward proxy authentication.

You can push the Netskope Chrome extension through Google Workspace Admin console and pre-provision necessary configuration. The procedure has the following steps:

Installing the Netskope TLS CA Certificate

Install the TLS CA certificates to allow TLS decryption of traffic from managed Chromebooks. Before you proceed, download the certificates from the Netskope tenant admin console.

Downloading Certificates from Netskope Tenant

Login to Netskope tenant as administrator.
Go to Settings > Manage > Certificates > Signing CA.
Download the following certificates
- Root CA (Remote Users)
- Root CA
- Intermediate CA
Note
If you have configured your own signing CA certificate, import it together with all necessary intermediate CAs in addition to Root CA (Remote users) mentioned above.

Installing Certificates in Google Workspace Admin Console

Login to Google Workspace Admin console.
Go to Devices > Networks > Certificates and add the certificates download from your Netskope tenant.

Setting Proxy Mode to Allow User Configuration

In the Google Workspace Admin console go to Devices > Chrome > Settings > Users & browsers.
Select organizational units that should use the extension and confirm that Proxy mode is set to Allow user to configure (this is the default):

Configuring the Netskope Chrome Extension

In Google Workspace Admin console go to Devices > Chrome > Apps & extensions > Users & browsers.
Select organizational units that should be provisioned with the extension.
On the bottom right of the screen, click the + icon to add an extension from Chrome Web Store.
In the pop-up window, search Netskope in the Chrome store to get the Netskope Chrome extension.
Set the Installation Policy to Force Install + pin to browser toolbar option.

Click the Netskope Chrome Extension to specify JSON objects as Policy for extensions

The JSON object has the following format:

{"tenant": {            "Value": "<full-tenant-name>"   },   "block_disable": {            "Value": <option>   },   "enforce_os": {            "Value": ["<os-name>"]   },   "bypass_list": {        "Value": [                   "<comma-seperated_url_lists>"         ]    } }tenant - The JSON object must contain the tenant name in format of "tenant": {"Value":"<tenant-name>"}. For example: "tenant": {"Value":"myorg.<tenant-URL>"}, where myorg.eu.goskope.com is the full tenant name. The tenant name must include the goskope.com suffix. block_disable - A boolean value to disallow users from disabling steering to Netskope. For example: "block_disable": {"Value": true}enforce_os - An array of strings that specify where the Netskope Chrome extension will operate. If this parameter is not specified, the extension will automatically be installed on all devices for a given user profile even if other Netskope steering methods are supposed to be used on those devices. Example of a valid entry: enforce_os":{"Value":["cros"]}Valid operating system definitions are:
For ChromeOS, specify crosFor Microsoft Windows, specify winFor Apple macOS, specify macFor Google Android , specify android. Note
Google Chrome on Android does not support extensions, so this parameter is valid only for third-party Chromium based browsers
For non-ChromeOS linux, specify linuxFor OpenBSD, specify openBSD
bypass_list - An array of strings to identify the bypass settings for Netskope steering.This list may contain the following entries:Hostname : [_<scheme>_://]_<host-pattern>_[:_<port>_]. Match all hostnames that match  _<host-pattern>_.  A leading "." is interpreted as a "*." . Examples: "foobar.com", "*foobar.com", "*.foobar.com", "*foobar.com:99", "https://x.*.y.com:99".PatternMatchesDoes not Match.foobar.comwww.foobar.comfoobar.com*.foobar.comwww.foobar.comfoobar.comfoobar.comfoobar.comwww.foobar.com*foobar.comfoobar.com, www.foobar.com, foofoobar.com 
Simple Hostname: <local> . Matches simple hostnames. A simple hostname is one that contains no dots and is not an IP literal. For instance example and localhost are simple hostnames. However, example.com, example., and [::1] are not. IP Address: [_<scheme>_://]_<ip-literal>_[:_<port>_]. Match URLs that are IP address literals. Conceptually this is similar to the first case, but with special cases to handle IP literal canonicalization. For example, matching on [0:0:0::1]  is the same as matching on [::1]  because the IPv6 canonicalization is done internally. Examples: 127.0.1, [0:0::1], [::1], http://[::1]:99 .IP Address with Range: _<ip-literal>_/_<prefix-length-in-bits>_ . Match any URL containing an IP literal within the given range. The IP range is specified using CIDR notation. Examples: "192.168.1.1/16", "fefe:13::abc/33"
List of domains recommended to be bypassed by Google:
"bypass_list":{    "Value":[       "*.1e100.net",       "accounts.google.com",       "accounts.google.co.uk",       "accounts.gstatic.com",       "accounts.youtube.com",       "alt*.gstatic.com",       "chromeos-ca.gstatic.com",       "chromeosquirksserver-pa.googleapis.com",       "clients1.google.com",       "clients2.google.com",       "clients3.google.com",       "clients4.google.com",       "clients2.googleusercontent.com",       "cloudsearch.googleapis.com",       "commondatastorage.googleapis.com",       "cros-omahaproxy.appspot.com",       "dl.google.com",       "dl-ssl.google.com",       "firebaseperusertopics-pa.googleapis.com",       "*.googleusercontent.com",       "*.gvt1.com",       "gweb-gettingstartedguide.appspot.com",       "m.google.com",       "omahaproxy.appspot.com",       "pack.google.com",       "policies.google.com",       "printerconfigurations.googleusercontent.com",       "safebrowsing-cache.google.com",       "safebrowsing.google.com",       "ssl.gstatic.com",       "storage.googleapis.com",       "tools.google.com",       "www.googleapis.com",       "www.gstatic.com"    ] } Note
If using non-Google IdP ensure that you add relevant domains for SAML auth to bypass to this list.
pac_data - A static PAC file data to be used instead of the bypass_list. The provided PAC file should point the steered traffic to eproxy-<tenant-name>.goskope.com:8081.Note
If both pac_data and bypass_list are provided, only the pac_data is used.
Example of a valid pac_data entry is:
"pac_data":{"Value":"function FindProxyForURL(url, host) {   if (!shExpMatch(url, "https://*") && !shExpMatch(url, "http://*")) return "DIRECT";   var ExpList = [     "*.1e100.net",     "accounts.google.com",     "accounts.google.co.uk",     "accounts.gstatic.com",     "accounts.youtube.com",     "alt*.gstatic.com",     "chromeos-ca.gstatic.com",     "chromeosquirksserver-pa.googleapis.com",     "clients1.google.com",     "clients2.google.com",     "clients3.google.com",     "clients4.google.com",     "clients2.googleusercontent.com",     "cloudsearch.googleapis.com",     "commondatastorage.googleapis.com",     "cros-omahaproxy.appspot.com",     "dl.google.com",     "dl-ssl.google.com",     "firebaseperusertopics-pa.googleapis.com",     "*.googleusercontent.com",     "*.gvt1.com",     "gweb-gettingstartedguide.appspot.com",     "m.google.com",     "omahaproxy.appspot.com",     "pack.google.com",     "policies.google.com",     "printerconfigurations.googleusercontent.com",     "safebrowsing-cache.google.com",     "safebrowsing.google.com",     "ssl.gstatic.com",     "storage.googleapis.com",     "tools.google.com",     "www.googleapis.com",     "www.gstatic.com"];   for (var i=0; i<ExpList.length; i++) {     if (shExpMatch(host, ExpList[i])) return  "DIRECT" ;   }   var proxy = "PROXY eproxy-myorg.eu.goskope.com:8081";   return proxy; }"}
pac_url - A URL for PAC file to be applied instead of bypass_list or pac_data. The downloaded PAC file should point steered traffic to eproxy-<tenantname>.goskope.com:8081. If pac_url and bypass_list or pac_data are provided, only pac_url is used.Example of a valid pac_url entry is:
"pac_url":{"Value":"http://setools.netskope.io/mypac.pac"}

After providing the policy for the extension, click Save on the top right corner to save the settings.

Verifying Policy Propagation

To verify if policy is correctly propagated, on a managed Chromebook navigate to chrome://policy. At the bottom of the page you will have a formatted table for Netskope Chrome Extension policies.

The Netskope Chrome Extension policy list

Hardening Managed Chromebook Configuration

To ensure that users are not able to bypass the steering to Netskope, we recommend that you configure the following settings in Google Workspace Admin console:

In Devices > Chrome > Settings > Users & browsers, click Disallow incognito mode.
In Devices > Chrome > Apps & extensions > Users & browsers > Additional Settings, block unauthorized extensions with Set proxy or VPN provider permissions and disable any user-installed extensions (such as Ad Blockers and NoScript) to mess with goskope.com domains by adding *://*.goskope.com to the Runtime blocked hosts list.
Block all apps not in the allow list for Play Store and Chrome Web Store.
In Devices > Chrome > Settings > Users & Browsers, prevent users from managing certificates so they won’t tamper with the Netskope CA pushed by Google Workspace Admin.

Cloud Explicit Proxy for Chromebooks