# On-Premises Appliance

## Overview of Netskope On-Premises Appliance

Netskope's on-premises Cloud Access Security Broker (CASB) lets you process and retain data inside the enterprise perimeter. The N1000, N2000, and N5000 appliances are the cornerstone of this service, as they provide its physical footprint.

### Note

This document is dedicated to the full on-premises deployment mode; there's a separate guide if you are managing appliances from the cloud.

Once installed, your appliances should be running the latest software package.

### New N2000 Appliances

The new N2000 Appliances are 1U appliances.

The front of the unit has a removable bezel.

When the bezel is removed, you can see a control panel with a power button and status LEDs.

The following table describes the control panel.

| Label number | Name | Description |
|---|---|---|
| 1 | Power button | The main power switch powers the appliance on or off. When the appliance is powered off with this button, the power supply continues to provide standby power to the appliance. |
| 2 | UID button and LED | The unit identification (UID) button turns the blue light function of the Information LED, and a blue LED on the rear of the chassis, on or off. The blue LEDs are used to locate the server in large racks. |
| 3 | Power LED | Indicates that power is being supplied to the system power supply units. This LED is illuminated when the system is operating normally. |
| 4 | HDD | Flashes to indicate activity on the hard drive. |
| 5 | NIC LED for LAN1 | Flashes to indicate network activity on LAN1. |
| 6 | NIC LED for LAN2 | Flashes to indicate network activity on LAN2. |
| 7 | Information LED | Alerts the operator to several states, as described in the table below. |

The following table describes the various states of the Information LED.

| Information LED status | Description |
|---|---|
| Continuously on and red | An overheating condition has occurred. This may be caused by cable congestion. |
| Red | Fan failure; check for an inoperative fan. |
| Red | Power failure; check for a non-operational power supply. |
| Solid blue | UID has been activated locally to locate the server in a rack environment. |
| Blue | UID has been activated using IPMI to locate the server in a rack environment. |

The rear of the unit has several ports with specific purposes.

The IPMI port is used for initial setup only, the inbound port is used for the log parsing function, and the TAP port receives traffic from a decrypting TAP. Because the IPMI cable is only needed during setup (see Prerequisites), disconnect it, or keep the port on an isolated management network, once setup is complete; a BMC reachable from general-purpose networks is a standing risk to the appliance.

The following table maps each interface to its port on the unit.

| Port | Interface | Speed |
|---|---|---|
| IPMI | IPMI | 1g |
| eth0 | Management | 1g |
| eth1 | Aux1 | 1g |
| eth2 | Tap | 1g |
| eth3 | Aux2 | 1g |
| eth4 | Out (Outbound) | 10g |
| eth5 | In (Inbound) | 10g |

### N1000 and N2000 Appliances

The N1000 and N2000 are 1U appliances. They are best suited for log parsing and other traffic handling duties but can be used in any capacity.

The front of each unit has a power button at the center and a small bank of LEDs on the right side:

### Important

Before powering off the appliance with the power button, log in to the appliance (over SSH or the IPMI console) and issue the shutdown command. Press the power button only after the operating system has halted.

The rear of the unit has several ports with specific purposes.

In a typical installation, the IPMI port is used for initial setup only, the inbound port is used for log parsing functionality, and the TAP port is used to receive traffic from a decrypting TAP.

On older appliances, the rear of the unit is as shown in the following image.

Two AC power supplies are in the rear left of the chassis and provide redundancy. The following image shows the rear of the N1000 chassis.

### N5000 Appliances

The N5000 is a 2U appliance best suited for management duties because of its expanded event retention capabilities but can be used in any capacity.

The front of the unit has a power button at the center and a small bank of LEDs on the right side:

### Important

Before powering off the appliance with the power button, log in to the appliance (over SSH or the IPMI console) and issue the shutdown command. Press the power button only after the operating system has halted.

The rear of the unit has several ports with specific purposes.

In a typical installation, the IPMI port is used for initial setup only, the inbound port is used for log parsing functionality, and the TAP port is used to receive traffic from a decrypting TAP.

Two AC power supplies are in the rear left of the chassis and provide redundancy. The following image shows the rear of the N5000 chassis.

### Appliance LED Status

The appliance has three LEDs on the front: a Power LED, an HDD LED, and a System Status LED.

The following tables describe the LED states that indicate the status of the appliance.

Power LED

| Color | State | Criticality | Description |
|---|---|---|---|
| Green | Solid on | System OK | System is powered on. |
| Off | | N/A | AC power is off. |

HDD LED

| Color | State | Criticality | Description |
|---|---|---|---|
| Amber | Solid on | HDD OK | HDD is active. |
| Amber | | HDD OK | HDD is transferring data. |
| Off | | N/A | HDD is inactive. |

System Status LED

| Color | State | Criticality | Description | Action |
|---|---|---|---|---|
| Green | Solid on | System OK | | No action |
| Green | | Degraded | Non-critical temperature threshold asserted; non-critical voltage threshold asserted; non-critical fan threshold asserted; fan redundancy lost with sufficient system cooling maintained (redundant systems only); power supply predictive failure; power supply redundancy lost (redundant systems only); correctable memory errors over a threshold of 10 with migration to a mirrored DIMM (memory mirroring), meaning no spare DIMMs remain, which is a redundancy-lost condition (the corresponding DIMM LED should light up). | Contact Netskope support. |
| Amber | | Non-critical | Non-fatal alarm, system is likely to fail: critical temperature threshold asserted; CATERR asserted; critical voltage threshold asserted; VRD hot asserted; SMI timeout asserted. | Contact Netskope support. |
| Amber | Solid on | Critical, non-recoverable | Fatal alarm, system has failed or shut down: CPU missing; thermal trip asserted; non-recoverable temperature threshold asserted; non-recoverable voltage threshold asserted; power fault or power control failure; fan redundancy lost with insufficient system cooling (redundant systems only); power supply redundancy lost, insufficient system. | Contact Netskope support. |
| Off | | N/A | AC power is off, or the system is powered down (S5 state), provided no degraded, non-critical, critical, or non-recoverable conditions exist. | No action |

### Note

The solid amber state also occurs when AC power is first applied to the system. This indicates that the BMC is booting.

### Outbound Ports

Use these ports for management connectivity and log uploads.

### Note

In release 46 the domain names changed. Release 46 and later require the new domain names. Existing deployments on release 45 and earlier do not require the new domain names, but using them is recommended. The one required update is for auto-updates: either turn off auto-update or use the new download-<tenant hostname>.goskope.com domain name. New deployments on release 46 and later must use the new domain names.

For management connectivity:

| Domain | Description | Port |
|---|---|---|
| New: config-<tenant hostname>.goskope.com (old: config.goskope.com) | Used for configuration updates. If SSL decryption is enabled on the path, this domain must be exempted from it. | 443 |
| New: download-<tenant hostname>.goskope.com (old: download.goskope.com) | Used for auto-update downloads (see the note above). | 443 |
| New: messenger-<tenant hostname>.goskope.com (old: messenger.goskope.com) | Used for reporting and status updates in the UI. If SSL decryption is enabled on the path, this domain must be exempted from it. | 443 |
| New: callhome-<tenant hostname>.goskope.com (old: callhome.goskope.com) | Used for receiving metrics from on-premises appliances and forwarding them to cloud tenants, for receiving event data from on-premises dataplane appliances, and for receiving custom user attributes from user endpoints. If SSL decryption is enabled on the path, this domain must be exempted from it. | 443 |
| defupdate.goskope.com | No change in the domain name. | 443 |

### Note

For international deployments, use ~ -<tenant hostname>.eu.goskope.com or ~ -<tenant hostname>.de.goskope.com.

For log uploads and API token retrieval:

| Domain | Description | Port |
|---|---|---|
| New: upload-<tenant hostname>.goskope.com (old: upload.goskope.com) | Used for sending logs to the Netskope cloud over SFTP. This is the default port for log uploads. | 22 |
| No change: logupload-<tenant hostname>.goskope.com | Used for sending logs to the Netskope cloud over HTTPS. This port is enabled by default. | 443 |
| No change: <tenant hostname>.goskope.com | Used for fetching the REST API token over HTTPS. | 443 |

### Note

For international deployments, use ~ -<tenant hostname>.eu.goskope.com or ~ -<tenant hostname>.de.goskope.com.
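The tables above amount to an egress allowlist whose host names depend on the tenant hostname, the software release, and the region. The following script is an added example, not Netskope code: it builds that allowlist from the tables and the release-46 note, and can then attempt a TCP connect to each entry from the appliance's management interface. Its assumptions, which the page does not state, are that the .eu/.de region suffix is inserted the same way for every tenant-specific host, and that defupdate.goskope.com is used unchanged in every region; the tenant name in the usage line is hypothetical.

```python
"""Egress allowlist builder for an on-premises appliance's management path.

Added example (not Netskope code). Host names and ports are taken from the
outbound-port tables; the .eu/.de insertion follows the note on
international deployments. Assumptions, labelled as such: the region
suffix is applied the same way to every tenant-specific host, and
defupdate.goskope.com, which the text says did not change, is used
unmodified in every region.
"""
import socket
from typing import Dict, List, NamedTuple, Optional


class Endpoint(NamedTuple):
    host: str
    port: int
    purpose: str


# (prefix, port, purpose, pre-release-46 host, or None if the name never changed)
_TENANT_HOSTS = [
    ("config", 443, "configuration updates", "config.goskope.com"),
    ("download", 443, "auto-update downloads", "download.goskope.com"),
    ("messenger", 443, "reporting and status updates", "messenger.goskope.com"),
    ("callhome", 443, "metrics and event forwarding", "callhome.goskope.com"),
    ("upload", 22, "log upload over SFTP", "upload.goskope.com"),
    ("logupload", 443, "log upload over HTTPS", None),
]
# Per the release note: auto-update must use the new download host even on
# release 45 and earlier (the alternative is to turn auto-update off).
_ALWAYS_NEW = {"download"}


def outbound_endpoints(tenant: str, release: int, region: Optional[str] = None) -> List[Endpoint]:
    """Return every host:port the appliance must be allowed to reach."""
    if region not in (None, "eu", "de"):
        raise ValueError("region must be None, 'eu' or 'de'")
    base = f"{region}.goskope.com" if region else "goskope.com"
    endpoints: List[Endpoint] = []
    for prefix, port, purpose, legacy in _TENANT_HOSTS:
        use_new = release >= 46 or legacy is None or prefix in _ALWAYS_NEW
        host = f"{prefix}-{tenant}.{base}" if use_new else legacy
        endpoints.append(Endpoint(host, port, purpose))
    endpoints.append(Endpoint(f"{tenant}.{base}", 443, "REST API token retrieval"))
    # Assumption: defupdate.goskope.com is neither tenant- nor region-specific.
    endpoints.append(Endpoint("defupdate.goskope.com", 443, "defupdate (name unchanged)"))
    return endpoints


def check_reachable(endpoints: List[Endpoint], timeout: float = 3.0) -> Dict[str, bool]:
    """Attempt a TCP connect to each endpoint; True means the handshake completed.

    Run this from the appliance's management interface after the firewall
    change. A False next to a 443 host usually means egress is blocked; a
    True that still fails at the application layer often means an
    intercepting proxy is decrypting a domain that must be exempted.
    """
    results: Dict[str, bool] = {}
    for ep in endpoints:
        key = f"{ep.host}:{ep.port}"
        try:
            with socket.create_connection((ep.host, ep.port), timeout=timeout):
                results[key] = True
        except OSError:
            results[key] = False
    return results


if __name__ == "__main__":
    import sys
    # "example-tenant" is a hypothetical tenant hostname.
    tenant = sys.argv[1] if len(sys.argv) > 1 else "example-tenant"
    for ep in outbound_endpoints(tenant, release=46):
        print(f"{ep.host}:{ep.port}  # {ep.purpose}")
```

Feed the generated list to the firewall change request for the management (eth0) interface rather than allowing *.goskope.com wholesale; the port column matters as much as the host, since only the SFTP upload host needs 22.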

### Inbound Ports

| Service | Description | Port |
|---|---|---|
| Syslog | Used for receiving syslog traffic. | 514 |
| AD connector | Used for obtaining IP-to-user mapping from the Netskope AD connector. | 4400 |
| SFTP and SCP | Used for management connectivity and log uploads to the log parser appliance. | 22 |
| FTPS | Used for management connectivity and log uploads to the log parser appliance. | 21 (explicit SSL/TLS) |

### Note

Netskope does not support implicit SSL/TLS (FTPS over port 990).
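A quick way to confirm that the log parser appliance is actually exposing the inbound services in the table, and nothing else, is to compare its live listeners against that table. The script below is an added example, not Netskope code; it assumes the appliance is Linux with `ss` available, and the `ss -ltun` output embedded in it is constructed, not captured from a real appliance. It flags the one case the note calls out (a daemon bound to 990 for implicit FTPS), a service bound only to loopback, and any listener the table does not account for.

```python
"""Listener audit for the log parser appliance's inbound ports.

Added example (not Netskope code). Expected ports come from the inbound
table; the 990 check encodes the note that implicit FTPS is not supported.
Assumptions: the host is Linux and `ss -ltun` is available. SAMPLE_SS is
constructed output, not captured from a real appliance.
"""
import subprocess
from typing import Dict, List, Set

EXPECTED_INBOUND: Dict[int, str] = {
    514: "syslog",
    4400: "AD connector IP-to-user mapping",
    22: "SFTP and SCP",
    21: "FTPS (explicit SSL/TLS)",
}
UNSUPPORTED_INBOUND: Dict[int, str] = {990: "implicit FTPS is not supported"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in `ss -ltun` layout: syslog over UDP, SSH on both
# address families, an FTP daemon wrongly configured for implicit TLS on
# 990, no listener on 21, and the AD connector port bound to loopback only.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      128    0.0.0.0:990       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:4400    0.0.0.0:*
"""


def listening_ports(ss_output: str) -> Dict[int, Set[str]]:
    """Map each bound port to the set of local addresses it is bound on.

    UDP sockets show as UNCONN in ss; they are treated as listeners here so
    that syslog over UDP is counted.
    """
    ports: Dict[int, Set[str]] = {}
    for line in ss_output.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 6 or parts[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = parts[4].rpartition(":")
        ports.setdefault(int(port), set()).add(addr.strip("[]"))
    return ports


def audit_inbound(ss_output: str) -> Dict[str, List[int]]:
    """Compare live listeners against the inbound port table."""
    live = listening_ports(ss_output)
    report: Dict[str, List[int]] = {
        "missing": [], "loopback_only": [], "unsupported": [], "unexpected": [],
    }
    for port in EXPECTED_INBOUND:
        if port not in live:
            report["missing"].append(port)
        elif live[port] <= LOOPBACK:
            # Bound, but unreachable from the log sources that need it.
            report["loopback_only"].append(port)
    for port in live:
        if port in UNSUPPORTED_INBOUND:
            report["unsupported"].append(port)
        elif port not in EXPECTED_INBOUND:
            # Not in the table: investigate before opening it on the firewall.
            report["unexpected"].append(port)
    for key in report:
        report[key].sort()
    return report


def audit_live_system() -> Dict[str, List[int]]:
    """Run ss on the local host and audit its output (Linux only)."""
    out = subprocess.run(["ss", "-ltun"], capture_output=True, text=True, check=True).stdout
    return audit_inbound(out)


if __name__ == "__main__":
    print(audit_inbound(SAMPLE_SS))
```

Anything reported under "unexpected" should be explained or closed before the appliance's inbound firewall rules are written, and "unsupported" on 990 means the FTPS client on the log source must be switched to explicit TLS on 21.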

### Prerequisites

Before you begin the installation, make sure you meet these hardware and software requirements:

• Hardware requirements: To perform a successful install, you need one temporary network cable for the IPMI port. You also need two permanent network cables, one for the management interface port and one for the inbound interface port.

• Software requirements: To access the remote console for the appliance over the IPMI interface, you need a working Java Runtime Environment. If you don't have one, you can download it from http://www.java.com.