Netskope Help

O365 Auth Proxy On-Premises

Office 365 (O365) Auth Proxy intermediates the authentication workflow between enterprise users and your organization's on-premises authentication/federation server (e.g. ADFS, PingFederate). The Auth Proxy operates transparently: the user experience is unchanged because the federation service itself is unchanged, and the trust relationship between your organization's authentication/federation server and O365 also remains intact.

The Auth Proxy enhances the O365 authentication workflow to ensure that access to the enterprise instance of O365 is protected by the Netskope Security Cloud Platform.

For managed devices already under Netskope protection, enabling this option bypasses the Auth Proxy for the remainder of the authentication flow, which allows on-premises SSO features such as Integrated Windows Authentication (IWA) to work.

Auth Proxy is a virtual appliance that resides on your premises.

Prerequisites

Prior to installing the O365 Auth Proxy on-premises, complete the following prerequisites.

  • Download a virtual appliance package from the Netskope tenant UI. Go to Settings > Security Cloud Platform > On-Premises Infrastructure and select one of the options there.

  • To run the downloaded VA, ensure that you have at least 8 CPU cores, 32 GB of RAM, and the default amount of disk space.

  • Have a public facing name and IP for the Auth Proxy.

  • The Auth Proxy requires a valid public certificate so that users can transact with it over HTTPS.

  • Because the client's source IP is an important input to the Auth Proxy's decision-making, the Auth Proxy must see the actual source IP of the client rather than the address of an intermediate device.

  • The Auth Proxy requires the following ports to be opened for management connectivity:

    Domain                                  Description                                                                                                   Port
    config-<tenant hostname>.goskope.com    Used for configuration updates. The domain needs to be SSL allowlisted if you have SSL decryption enabled.    443
    download-<tenant hostname>.goskope.com  Used for software upgrades.                                                                                   443
    messenger-<tenant hostname>.goskope.com Used for reporting and status updates in the UI. The domain needs to be SSL allowlisted if you have SSL decryption enabled.  443
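A preflight script to verify the connectivity and certificate prerequisites above from a shell on the appliance host, added here as an example and not Netskope's own tooling. It assumes openssl is installed and takes the tenant hostname and the Auth Proxy's public name as arguments (both assumptions, not values from this page).

```shell
#!/bin/sh
# Preflight check for the Auth Proxy prerequisites above: management
# connectivity to the three goskope.com endpoints on 443 and the Auth
# Proxy's own public certificate. Added example, not Netskope tooling.
# Assumes openssl is installed; tenant hostname and public name are
# passed as arguments (both assumptions, not values from the page).

# Build the three management endpoints from the tenant hostname.
required_endpoints() {
    tenant="$1"
    printf '%s\n' \
        "config-${tenant}.goskope.com" \
        "download-${tenant}.goskope.com" \
        "messenger-${tenant}.goskope.com"
}

# Connect to host:443 and report the certificate issuer. If an SSL
# decrypting device is re-signing the session, the issuer is the
# enterprise inspection CA rather than a public CA, which means the
# domain still needs to be SSL allowlisted.
check_tls_endpoint() {
    host="$1"
    issuer=$(openssl s_client -connect "${host}:443" -servername "${host}" \
                 </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null) \
        || { echo "FAIL ${host}:443 unreachable or no TLS"; return 1; }
    echo "OK   ${host}:443 ${issuer}"
}

# Verify the Auth Proxy's public certificate: chain must verify against
# the local trust store, the public name must match, and the certificate
# must not expire within 30 days (2592000 seconds).
check_public_cert() {
    name="$1"
    out=$(openssl s_client -connect "${name}:443" -servername "${name}" \
              -verify_hostname "${name}" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "FAIL ${name}: certificate chain or name does not verify"; return 1; }
    printf '%s\n' "$out" | openssl x509 -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL ${name}: certificate expires within 30 days"; return 1; }
    echo "OK   ${name}: public certificate valid"
}

# Usage: sh preflight.sh <tenant hostname> <auth proxy public name>
if [ "$#" -eq 2 ]; then
    rc=0
    for h in $(required_endpoints "$1"); do check_tls_endpoint "$h" || rc=1; done
    check_public_cert "$2" || rc=1
    exit "$rc"
fi
```

Run it from a host on the same network path the appliance will use, so that any SSL decryption device between the appliance and goskope.com shows up in the reported issuer.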