Creating a Steering Configuration

The default steering configuration (Default tenant config) applies to all users in your organization. However, if some users in your organization require a different configuration, you can create a custom steering configuration for those specific OUs or user groups. Netskope also provides options that give you more flexibility when creating a steering configuration.

Creating Steering Configuration Prior To Version 112.0.0

This section is mainly for tenants using the old Steering Configuration UI that was available prior to version 112.0.0. To learn about the new options available for Steering Configuration, view Creating Steering Configuration After 112.0.0.

To create a custom steering configuration:
  1. Go to Settings > Security Cloud Platform > Steering Configuration.
  2. Click New Configuration.
  3. In the Apply To window, choose whether all custom traffic steering configurations must apply to Organizational Units (OUs) or user groups. This option only appears when you create your first custom steering configuration.
  4. In the New Configuration window:
    • Name: Enter a name for the steering configuration. It can’t exceed 40 characters.
    • Organization Unit (OU)/User Group: Choose the OU or user group you want to steer traffic for.
    • In the Traffic Steering tab:
      • Enable Dynamic Steering: Enable Netskope Client to use on-premises detection and determine if the user’s device is on-premises or off-premises. If enabled, the On-Premises and Off-Premises settings appear. When configuring, note the following:
        • You can steer traffic for older versions of the Netskope Clients through the on- or off-prem configurations in the drop-down menu.
        • By default, the On-Premises configuration only steers cloud apps, and the Off-Premises configuration steers all web traffic. To steer all web traffic for both on- and off-prem configurations, contact your Sales representative to enable this feature.
        • To use dynamic steering, ensure you enable On-Premises Detection for your Netskope Client configuration.
        • You can only use dynamic steering for the OUs and user groups configured in your Netskope Client configuration.
      • Cloud Apps Only: Only steer specific cloud applications to the Netskope cloud for deep analysis. You can create exceptions and allow special accommodations for custom applications. Ensure you update your Netskope Client version to 70.0.0 or later. This option is the default for new accounts.
      • Web Traffic: Steer all web traffic (i.e., HTTP and HTTPS) to the Netskope cloud for deep analysis. You can create exceptions for traffic that has personal or private content.
      • All Traffic: Steer all HTTP(S) and non-HTTP(S) traffic to the Netskope cloud for deep analysis. You must have the Cloud Firewall license to select this option. Ensure you update your Netskope Client version to 70.0.0 or later.
      • Steer private apps: Steer private apps for On-Premises and Off-Premises configurations. You can steer:
        • All Private Apps: Choose if the Netskope Client must steer or not steer when other steering modes are present, like GRE, IPSec, and Explicit Proxy.
        • Specific Private Apps: Steer specific private apps. For example, if your existing VPN is active and allows access to all on-prem apps in your private data center, you can deselect those apps and only select apps hosted in AWS, Azure, or GCP. This allows your existing VPN to provide access to on-prem apps, but Netskope Private Access can access apps in the public cloud. You must update the Netskope Client to version 82.0.0 to steer specific private apps.

        If you disabled dynamic steering, consider deselecting Steer private apps when steering Cloud Apps Only for on-prem configurations so that users aren’t steered through Netskope Private Access. When steering Cloud Apps Only for off-prem configurations or All Web Traffic, consider selecting Steer private apps to steer their traffic through Netskope Private Access.

        Go to App Definitions to select the private apps you want to steer with this configuration. Click the Private Apps tab, click the More icon for the private app, click Select Steering Config, and then choose a steering config for the app. Click Save.
      • Steer DNS traffic: Select to steer DNS traffic to the Netskope cloud for deep analysis. This option is only available for Web Traffic and All Traffic types as well as Off-Premises configurations. You must have the Cloud Firewall and DNS licenses to select this option.
      • Status: Enable or disable the steering configuration. Netskope recommends disabling until you configure the steered items and exceptions.
    • In the Non-Standard Ports tab:
      • Steer non-standard ports: Allows the Netskope Client to steer web traffic (HTTP/HTTPS) on any port. Enter the ports or domains to steer. Click + New to add multiple ports. Click More to see the following options:
        • Import from CSV: Import a CSV file containing the ports and domains you want to steer.
        • Download Sample CSV: Download a sample CSV template to use to add multiple ports or domains and import the CSV file.
        • Delete All: Delete all listed ports.

        The port number appears in the Domain, Page, and App columns on the Skope IT Page Events page.

        Caution

        • Due to the macOS change to Network Extensions, non-standard ports aren’t supported in steering configurations for devices using macOS Big Sur version 11 and later.
        • Any non-standard port configured in a steering configuration applies to all the IPsec and GRE users.
        • When using Cloud Firewall with GRE/IPSec tunnels, Netskope handles any configured non-standard ports as web traffic regardless of the hostnames. If there is non-web traffic using the same port, Netskope drops the traffic. For instance, if you have configured hostname1 and port1, Netskope considers SSH traffic to hostname2:port1 as web traffic and drops it. When using non-web traffic with Cloud Firewall through GRE/IPSec, ensure you use ports that aren’t considered non-standard ports.
  5. Click Save.
  6. Add steered items (i.e., applications).
  7. Add steering exceptions.
  8. Review the steering error settings.
  9. Click the More icon for your custom steering configuration and then click Enable Configuration.
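
The Cloud Firewall caution on the Non-Standard Ports tab, turned into a pre-change check (an added example, not Netskope code): it matches by port only, as the caution describes, and lists non-web services that would be dropped over GRE/IPsec. The hostnames, ports, and the `(domain, port)` and `Service` input shapes are constructed for illustration and are not Netskope's CSV format.

```python
from collections import defaultdict
from dataclasses import dataclass

WEB_PROTOCOLS = {"http", "https"}

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    protocol: str  # application protocol, e.g. "ssh", "https"

def steered_port_index(entries):
    """Map each steered port to the set of domains it was entered with."""
    index = defaultdict(set)
    for domain, port in entries:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port!r} for {domain!r}")
        index[port].add(domain.lower())
    return dict(index)

def find_dropped_services(entries, inventory):
    """Return non-web services that share a steered non-standard port.

    Matching is by port only: per the caution, the port is handled as web
    traffic regardless of hostname on GRE/IPsec with Cloud Firewall.
    """
    index = steered_port_index(entries)
    findings = []
    for svc in inventory:
        if svc.port in index and svc.protocol.lower() not in WEB_PROTOCOLS:
            findings.append({
                "service": svc,
                "steered_for": sorted(index[svc.port]),
                # False means the host was never listed, yet is still affected.
                "host_listed": svc.host.lower() in index[svc.port],
            })
    return findings

# Constructed sample data (hypothetical hosts and ports).
STEERED = [("app.example.internal", 8443), ("portal.example.internal", 2222)]
INVENTORY = [
    Service("app.example.internal", 8443, "https"),
    Service("bastion.example.internal", 2222, "ssh"),
    Service("db.example.internal", 5432, "postgres"),
]

if __name__ == "__main__":
    for f in find_dropped_services(STEERED, INVENTORY):
        s = f["service"]
        print(f"{s.protocol} to {s.host}:{s.port} would be dropped; "
              f"port steered for {', '.join(f['steered_for'])}")
```

Any finding means the port should either be removed from the steering configuration or the non-web service moved to a port that is not configured as non-standard.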

Creating Steering Configuration From Version 112.0.0

With version 112.0.0, Netskope delivers the Flexible Dynamic Steering enhancement, which brings more flexibility when creating a steering configuration.

Contact Support to enable the new Dynamic Steering Configuration for existing tenants. This feature is automatically enabled for new tenants.

If you want to know the steps to configure steering using the legacy Steering Configuration UI, view Creating a Steering Configuration Prior to 112.0.0.

To create a custom steering configuration:
  1. Go to Settings > Security Cloud Platform > Steering Configuration.

  2. Click New Configuration. You can also click the More icon and then Edit Configuration for an existing steering configuration on which you want to enable dynamic steering.

  3. In the Apply To window, choose whether all custom traffic steering configurations must apply to Organizational Units (OUs) or user groups. This option only appears when you create your first custom steering configuration.

  4. In the New Configuration window:

    • Name: Enter a name for the steering configuration. It cannot exceed 40 characters.

    • Organization Unit (OU)/User Group: Choose the OU or user group you want to steer traffic for.

  5. In the Traffic Steering tab:

    • Enable Dynamic Steering: Enable Netskope Client to use on-premises detection and determine if the user’s device is on-premises or off-premises. If enabled, the On-Premises and Off-Premises settings appear.

      When configuring, note the following:

      You can steer traffic for Netskope Client through the On- or Off-prem configurations in the drop-down menu.

    • You can choose one of the following steering options for On-Prem and Off-Prem:

      • Cloud Apps Only: Only steer specific cloud applications to the Netskope cloud for deep analysis. You can create exceptions and allow special accommodations for custom applications.

      • Web Traffic: Steer all web traffic (HTTP and HTTPS) to the Netskope cloud for deep analysis. You can create exceptions for traffic that has personal or private content. You must have a SWG/NG SWG license to select this option.

      • All Traffic: Steer all HTTP(S) and non-HTTP(S) traffic to the Netskope cloud for deep analysis. You must have the Cloud Firewall license to select this option.

      • None: The Client does not establish any tunnel and continues to monitor On-Prem status change. The Client establishes a tunnel if the On-Prem status changes and a tunnel is needed for the new traffic steering mode.

    • Bypass exception traffic at Netskope Client or Netskope Cloud. Choose one of the following:

      • Client – Traffic is bypassed on the local device.

      • Netskope Cloud – Traffic bypasses the firewall.

    • DNS traffic: Select to steer DNS traffic to the Netskope cloud for deep analysis. This option is only available for Web Traffic and All Traffic types as well as Off-Premises configurations. You must have the Cloud Firewall and DNS licenses to select this option.

    • Private Apps: Steer private apps for On-Premises and Off-Premises configurations. You can steer:

      • All Private Apps: Choose if the Netskope Client must steer or not steer when other steering modes are present, like GRE, IPSec, and Explicit Proxy.

      • Specific Private Apps: Steer specific private apps. For example, if your existing VPN is active and allows access to all on-prem apps in your private data center, you can deselect those apps and only select apps hosted in AWS, Azure, or GCP. This allows your existing VPN to provide access to on-prem apps, but Netskope Private Access can access apps in the public cloud.

      Go to App Definitions to select the private apps you want to steer with this configuration. 

      Click the Private Apps tab, click the More icon for the private app, click Select Steering Config, and then choose a steering config for the app. Click Save.

    • Status: Enable or disable the steering configuration. Netskope recommends disabling until you configure the steered items and exceptions.

  6. In the Non-Standard Ports tab:

    • Steer non-standard ports: Allows the Netskope Client to steer web traffic (HTTP/HTTPS) on any port. Enter the ports or domains to steer. Click + New to add multiple ports. Click More to see the following options:

      • Import from CSV: Import a CSV file containing the ports and domains you want to steer.

      • Download Sample CSV: Download a sample CSV template to use to add multiple ports or domains and import the CSV file.

      • Delete All: Delete all listed ports.

    • The port number appears in the Domain, Page, and App columns on the Skope IT Page Events page.

  7. Click Save.

  8. Add steered items (i.e., applications).

  9. Add steering exceptions.

  10. Review the steering error settings.

  11. Click the More icon for your custom steering configuration and then click Enable, Disable, or Edit Configuration.
