Netskope Help

OpenVPN Cloud

A managed cloud solution that provides a secure network connection between a private network and its remote user.

This document contains the best practices required in OpenVPN Cloud and Netskope Client to ensure smooth interoperability.

Environment

This document was created using the following components:

  • OpenVPN Client Version: 3.3.1.2222

  • Netskope Client version: 92.1.0.943

  • OS: Windows Server 2016 DataCenter

Specific configurations in OpenVPN Cloud and Netskope tenant web UI ensure processes or traffic from either of the applications are not blocked or directed to the Netskope Cloud.

Configurations In OpenVPN Cloud

With the split tunneling feature, you can control the VPN traffic and optimize its route to its destination. A tunnel is created when a VPN application connects to OpenVPN Access Server that redirects all traffic to its destination. Enable split tunneling to allow the Netskope Client to steer traffic smoothly to Netskope Cloud without getting blocked by OpenVPN.

To enable split tunneling when using OpenVPN Access Server from the Admin WebUI, go to Configuration > VPN Settings > Routing, toggle Should client Internet traffic be routed through the VPN? to:

  • No -  All traffic from your private network will now route through a VPN.

  • Yes - To bypass VPN.sdiag.exe

Configurations In Netskope Client

When installing Netskope Client along with a VPN client, configure exceptions in steering configurations to bypass traffic from the VPN client. To learn more about adding exceptions for third-party VPN apps, view Exceptions.

To add OpenVPN as a Certificate Pinned Application on the Netskope UI:

  1. Go to Settings > Security Cloud Platform > Steering Configuration.

  2. Click Default tenant config.

  3. On the Default tenant config page, click EXCEPTION > NEW EXCEPTION > Certificate Pinned Applications.

    Certificate_Pinned_App.png
  4. In the New Exception window, do the following:

    1. From Certificate Pinned App, select the application. To add a new certificate pinned application in the New Certificate Pinned Application window, do the following:

      • Application Name: Enter the name of the application.

      • Platform: Select the operating system where the application is managed.

      • Definition: Provide the processes and .exe(s) list that you want to bypass.

    2. From Custom App Domains, add the URLs that you want to exclude.

    3. From Actions, select Bypass for all operating systems that you want to allow directly to the destination.

    4. Click ADD.

Recommendation
  • Add server hostname as Domains exception.

  • To bypass the server IP, add Destination Locations as the exception type.

Best Practices

Netskope recommends that you configure the VPN to bypass Netskope Client tunnels established to Netskope NewEdge Security Cloud. With this configuration, the Netskope Client can establish a direct connection to the Netskope Security Cloud by pinning it to a VPN tunnel. In this way, Netskope can:

  • Provide optimal performance.

  • Reduce on-premises bandwidth and hardware resources utilization.

To bypass the Netskope Cloud traffic, view Allowed IP Ranges.

Netskope Client Functions

Refer to the list of validated use cases that you can use to verify Client operations.

OpenVPN Validation

Ensure that traffic is going through the VPN.