Netskope Private Access
Netskope Private Access (NPA) is part of the Netskope security cloud and enables zero-trust secure access to private enterprise applications in Hybrid IT. NPA is a modern remote access service that:
- Fans out to enable access to applications in multiple networks, both in the public cloud (AWS/Entra/GCP) and in the datacenter.
- Provides zero-trust, application-level access instead of network access with lateral movement.
- Is delivered as a cloud service with a worldwide footprint that scales easily.
NPA delivers these benefits through a capability called Service Publishing. Service Publishing makes enterprise applications available at and through the Netskope cloud platform instead of at the enterprise’s network edge.
The Netskope cloud platform becomes the location on the internet through which enterprise applications are accessed, in a sense externalizing the access components of the DMZ. Externalizing remote access in this way has several advantages over traditional VPN and proxy-based remote access approaches. Service Publishing’s overall architecture and delivery-as-a-service model are also consistent with the IT trends of infrastructure as a service, Hybrid IT, and the decentralized delivery of enterprise applications from datacenter, public cloud, and SaaS. NPA is illustrated in this diagram:
Netskope Private Access extends Netskope’s platform for secure access to SaaS and Web to include secure access to Private Applications that live behind an enterprise’s firewalls in the datacenter and the public cloud. Usage and performance of private applications that are accessed through Netskope Private Access can be monitored in the Digital Experience Management Private Applications page in the Netskope UI.
Prerequisites
In order to configure private apps with a Publisher, you need to:
- Purchase the Netskope Private Access license and contact Support to have it enabled in your tenant.
- Choose a private app to be published.
- Collect information about the app: host, port(s).
- Identify the network on which the app is running.
- Be using release 70 or later of the Netskope Client.
For Publisher requirements and recommendations, plus OS hardening information, go to: Deploy a Publisher.
Supported Browsers
NPA has been tested on these browsers:
- Google Chrome Version 92.0.4515.159 (Official Build) (x86_64) on Big Sur
- Google Chrome Version 92.0.4515.159 (Official Build) (x86_64) on Mojave
- Safari Version 14.1.2 (14611.3.10.1.5) on Mojave
- Brave Version 1.26.67 Chromium: 91.0.4472.114 (Official Build) (x86_64)
- Chrome Version 92.0.4515.159 (Official Build) (x86_64) on Catalina
- Firefox 91.0.1 (64-bit) (on Mac Catalina)
- Edge Version 80.0.361.69 (Official build) (64-bit)
- Microsoft Edge Version 92.0.902.78 (Official build) (64-bit) Windows 10
iOS Use with Netskope Private Access
Netskope is replacing the existing iOS App for NPA (Netskope Private Access) with a new iOS App that supports NPA/CASB/SWG/CFW. This new unified iOS Client is called Netskope Client in the app store, and is intended to offer all the Netskope security services in a single client for iOS phones and tablets (iPads).
Important
Support for the existing NPA iOS Netskope Client ends with the new app released in release 102.0.0. With this end of support, you need to remove the existing NPA Netskope Client from all your iOS phones and tablets (iPads), and install the new Netskope Client from the store.
To learn more: Netskope Client for iOS.
Workflow
You can grant access to multiple private apps by repeating the following steps:
- Create a publisher.
- Deploy the publisher on your network.
- Create a private app.
- Steer traffic for the private app.
- Add users.
- Create policies so users can access a private app.
- Deploy the Netskope Client on devices.
- View Private Apps and Network Events information in Skope IT.
Note
The same publisher can be used to give access to multiple apps that reside on the same network.
If you need private apps in different networks (which are not routable from one to another), you will need to repeat these steps for each network:
- Create a publisher.
- Deploy a publisher.
The following sections explain how to configure and use Private Access.
- Publisher Management
- Private App Management
- Local Broker Management
- Create a Real-time Protection Policy for Private Apps
- Deploy the Netskope Client for Netskope Private Access
- Private Access Troubleshooting
- View Private Apps and Network Events in Skope IT
- Netskope Private Access for Microsoft Active Directory Domain Services
- Wiz Webhook with Netskope SSE
- NewEdge Traffic Management Zones per NPA Tenant
- Netskope Private Access for SMB and DFS Services
- Source IP Anchoring for an IdP with Netskope Private Access
- Private Access REST APIs
- Private Access Best Practices
- Private Access FAQs