Netskope Help

Netskope Private Access

Netskope Private Access (NPA) is part of the Netskope security cloud and enables zero-trust secure access to private enterprise applications in Hybrid IT. NPA is a modern remote access service that:

  • Fans out to enable access to applications in multiple networks, both in the public cloud (AWS/Azure/GCP) and in the datacenter.

  • Provides zero-trust, application-level access instead of network access with lateral movement.

  • Is delivered as a cloud service with a worldwide footprint that scales easily.

NPA delivers these benefits through a capability called Service Publishing. Service Publishing makes enterprise applications available at and through the Netskope cloud platform instead of at the enterprise's network edge.

The Netskope cloud platform becomes the location on the internet through which enterprise applications are accessed, in a sense externalizing the access components of the DMZ. Externalizing remote access in this way has several advantages over traditional VPN and proxy-based remote access approaches. Service Publishing's overall architecture and delivery-as-a-service model is also consistent with the IT trends of infrastructure as a service, Hybrid IT, and the decentralized delivery of enterprise applications from datacenter, public cloud, and SaaS. NPA is illustrated in this diagram:

[Diagram: NPAdiagram.png]

Netskope Private Access extends Netskope’s platform for secure access to SaaS and Web to include secure access to Private Applications that live behind an enterprise’s firewalls in the datacenter and the public cloud. Usage and performance of private applications that are accessed through Netskope Private Access can be monitored in the Digital Experience Management Private Applications page in the Netskope UI.

Prerequisites

In order to configure private apps with a Publisher, you need to:

  1. Purchase the Netskope Private Access license and contact Support to have it enabled in your tenant.

  2. Choose a private app to be published.

  3. Collect information about the app: host, port(s).

  4. Identify the network on which the app is running.

  5. Use release 70 or later of the Netskope Client.

For Publisher requirements and recommendations, plus OS hardening information, see Deploy a Publisher.

Supported Browsers

NPA has been tested on these browsers:

  • Google Chrome Version 92.0.4515.159 (Official Build) (x86_64) on Big Sur

  • Google Chrome Version 92.0.4515.159 (Official Build) (x86_64) on Mojave

  • Safari Version 14.1.2 (14611.3.10.1.5) on Mojave

  • Brave Version 1.26.67 Chromium: 91.0.4472.114 (Official Build) (x86_64)

  • Chrome Version 92.0.4515.159 (Official Build) (x86_64) on Catalina

  • Firefox 91.0.1 (64-bit) (on Mac Catalina)

  • Edge Version 80.0.361.69 (Official build) (64-bit)

  • Microsoft Edge Version 92.0.902.78 (Official build) (64-bit) Windows 10

iOS Profile Use with Netskope Secure Web Gateway and Netskope Private Access

For Netskope Secure Web Gateway (and CASB), the iOS profile created uses an on-demand VPN on iOS devices. For Netskope Private Access, installing the Client creates another, always-on VPN profile. You can only use one of these profiles at a time on an iOS device.

The two profiles are independent and can be created on the same device. Depending on the resource you want to access, you'll need to go to iOS settings and switch between the iOS profiles.

Workflow

You can grant access to multiple private apps by repeating the following steps:

  1. Create a publisher.

  2. Deploy the publisher on your network.

  3. Create a private app.

  4. Steer traffic for the private app.

  5. Add users.

  6. Create policies so users can access a private app.

  7. Deploy the Netskope Client on devices.

  8. View Network and Page events in Skope IT.

Note

The same publisher can be used to give access to multiple apps that reside on the same network.

If you need private apps in different networks (which are not routable from one to another), you will need to repeat these steps for each:

  • Create a publisher.

  • Deploy a publisher.