Netskope One Private Access

Netskope One Private Access offers a comprehensive solution that combines classic Zero Trust Network Access (ZTNA) for user-to-application flows with Layer 3 (L3) access capabilities for client-to-client and server-to-client interactions. This dual approach ensures secure, seamless, and least-privileged access to applications, whether hosted in the cloud or on-premises, or while extending connectivity to workflows requiring direct client or server communication, such as file sharing, remote desktop, or specialized applications.

By replacing legacy VPNs with a modern Zero Trust framework, Netskope One Private Access delivers complete coverage for all access scenarios, enhancing security with granular context-aware controls, and simplifying operations for IT teams. This unified solution secures the entire ecosystem while aligning with Zero Trust principles to protect sensitive resources and improve operational efficiency.

The Netskope One Private Access solution includes three subcomponents:

  • Netskope One Private Application Access (currently known in the UI as Netskope Private Access) supports all endpoint-initiated apps with a zero trust architecture to ensure secure, least-privileged access to private applications.
  • Netskope One Private Optimized Access (currently known in the UI as Netskope Endpoint SD-WAN) supports all endpoint- and server-initiated apps, like-to-like VPN replacement adding traffic optimization capabilities for enhanced performance and security.
  • Netskope One Private Unified Access is a combination of both Application and Optimized Access components, and supports all endpoint- and server-initiated apps with a zero trust architecture.

This modular yet unified approach allows organizations to tailor their secure access solutions to meet specific requirements while ensuring optimal security, scalability, and user experience.

Netskope One Private Application Access

Netskope One Private Application Access (currently known in the UI as Netskope Private Access) is a core component of the Netskope One Private Access solution, designed to securely connect users to private applications hosted in data centers, private clouds, or public clouds. It leverages a Zero Trust architecture to enforce least-privileged access, ensuring that users can only reach the specific applications they are authorized for, without exposing the broader network.

Key Features

  • Endpoint-Initiated Access: Supports all applications initiated by user devices, providing seamless and secure connectivity.
  • Zero Trust Principles: Verifies identity, device posture, and application-specific permissions before granting access.
  • Granular Policy Enforcement: Implements precise, application-level access controls, reducing the attack surface.
  • Cloud-Native Design: Eliminates the need for legacy VPNs, offering faster and more efficient access.

Use Cases

  1. Secure Remote Workforce Access (Including BYOD): Provide employees working remotely, whether on corporate or personal (BYOD) devices, with seamless and secure access to private applications. The solution ensures that only authorized and secure devices can connect to sensitive resources, eliminating the need for traditional VPNs.
  2. Third-Party Vendor and Partner Access: Grant specific, limited access to private applications for contractors, vendors, or partners. Zero Trust policies ensure they only access the resources required for their work while protecting the broader network from unnecessary exposure.
  3. Mergers and Acquisitions: Quickly provide secure access to private applications for employees from acquired companies. The solution enables seamless integration while maintaining strict access controls to protect sensitive resources.
  4. Application Migration to the Cloud: Facilitate seamless, secure access to private applications during cloud migration projects, minimizing disruption for users.
  5. Compliance and Audit Needs: Enforce strict access policies to meet compliance requirements, and gain detailed visibility into application access for audit purposes.
  6. Improved Security Posture: Reduce lateral movement risks and protect against unauthorized access by enforcing identity and device-based security policies.
  7. Modernizing Legacy Systems Access: Replace traditional VPN solutions for accessing on-premises legacy applications with a more secure and efficient alternative.

How It Works

Netskope One Private Application Access (NPA) operates through the seamless integration of the Private Access Broker and the Publisher to enforce Zero Trust principles and provide secure access. The Private Access Broker functions as a cloud-native control plane that validates user identity, device posture, and access policies in real time before granting access to applications.

The Publisher, a lightweight connector deployed on-premises or in the cloud, establishes secure, encrypted communication between users and private applications without exposing applications to the internet. This architecture ensures that users gain access only to the specific applications they are authorized to use, with optimized routing and granular control, while eliminating the need for traditional VPNs. This combination provides a highly secure, scalable, and efficient access solution for endpoint-initiated workflows.

NPA is illustrated in the diagram NPAdiagram.png.

Prerequisites

In order to configure private apps with a Publisher, you need to:

  1. Purchase the Netskope Private Access license and contact Support to have it enabled in your tenant.
  2. Choose a private app to be published.
  3. Collect information about the app: host, port(s).
  4. Identify the network on which the app is running.
  5. Use release 70 or later of the Netskope Client.

For Publisher requirements and recommendations, plus OS hardening information, go to: Deploy a Publisher.

Supported Browsers

NPA has been tested on these browsers:

  • Google Chrome Version 92.0.4515.159 (Official Build) (x86_64) on macOS Big Sur
  • Google Chrome Version 92.0.4515.159 (Official Build) (x86_64) on macOS Mojave
  • Safari Version 14.1.2 (14611.3.10.1.5) on macOS Mojave
  • Brave Version 1.26.67 (Chromium 91.0.4472.114) (Official Build) (x86_64)
  • Google Chrome Version 92.0.4515.159 (Official Build) (x86_64) on macOS Catalina
  • Firefox 91.0.1 (64-bit) on macOS Catalina
  • Microsoft Edge Version 80.0.361.69 (Official build) (64-bit)
  • Microsoft Edge Version 92.0.902.78 (Official build) (64-bit) on Windows 10

iOS Use with Netskope Private Access

Netskope is replacing the existing iOS App for NPA (Netskope Private Access) with a new iOS App that supports NPA/CASB/SWG/CFW. This new unified iOS Client is called Netskope Client in the app store, and is intended to offer all the Netskope security services in a single client for iOS phones and tablets (iPads).

Important

Support for the existing NPA iOS Netskope Client ends with the new app released in release 102.0.0. With this end of support, you need to remove the existing NPA Netskope Client from all your iOS phones and tablets (iPads), and install the new Netskope Client from the App Store.

To learn more: Netskope Client for iOS.

Workflow

You can grant access to multiple private apps by repeating the following steps:

  1. Create a publisher.
  2. Deploy the publisher on your network.
  3. Create a private app.
  4. Steer traffic for the private app.
  5. Add users.
  6. Create policies so users can access a private app.
  7. Deploy the Netskope Client on devices.
  8. View Private Apps and Network Events information in Skope IT.

Note

The same publisher can be used to give access to multiple apps that reside on the same network.

If you need private apps in different networks (which are not routable from one to another), you will need to repeat these steps for each network:

  • Create a publisher.
  • Deploy a publisher.

Netskope One Private Optimized Access

Netskope One Private Optimized Access (currently known in the UI as Netskope Endpoint SD-WAN) provides real-time visibility and optimization for all applications while ensuring consistent policy enforcement for employees connecting from any location, whether remote or on-premises.

Capabilities of Netskope One Private Optimized Access

1. Bi-directional Flows

  • Provides both client-to-server and server-to-client traffic flows, enabling peer-to-peer communication, including legacy on-premises hosted VoIP solutions.
  • With dynamic traffic steering and context-aware QoS, it overcomes network performance challenges, boosting productivity for remote call center employees by ensuring an optimal voice and video application experience.

2. Server-to-Client Flows

  • Supports legacy applications that require server-initiated traffic, also known as inside-out connectivity, where the traffic is endpoint-initiated.
  • Streamlines IT operations by supporting tools such as Microsoft Remote Assistance and TeamViewer for remote access, control, and support.

Further information on how to configure Private Optimized Access is here: https://netskope.document360.io/.

The following sections explain how to configure and use Private Access.
