Private App Management

The following sections explain how to create and steer Private Apps.

Create a Private App Definition for the Publisher to steer. You can create up to 10,000 Private App Definitions per Netskope tenant. A message appears on the Private Apps App Definition page when you're approaching the maximum limit. You can contact Support to increase the limit.

  1. Go to Settings > Security Cloud Platform > App Definition and click Private Apps.

  2. Click New Private App.

  3. Enter a meaningful app name in the Application Name field (like jira app).

  4. Enter the Host domain in the Host field (like jira.site.io). The Host field supports the following syntax: Host (jira.site.io). Up to 32 hosts can be added.

    Important

    Using a hostname is recommended. If an app needs to be accessible by hostname and IP address, enter each separately by clicking Add.

    When using an IP address for a host domain, ensure the IP address differs from all IP addresses used for Publishers. Other restrictions on Host entries include:

    • Don't use wildcards one level below the top-level domain, like *.com and *.local. You can use wildcards two levels down, like *.test.xyz, for the purpose of private app discovery.

    • Don’t use 0/0.

    • Don’t use any CIDR with a prefix shorter than /8. For example, if x.x.x.x/y is a configured CIDR, then y should be greater than or equal to 8 (e.g., 10/8 is allowed; 1/7 is not allowed).

    • Don’t use a TLD.

    • Don’t use IPv6 equivalents of 0/0:

      • “::”

      • “0:0:0:0:0:0:0:0”

      • “::0”

    If the FQDN contains a .local domain, Netskope recommends one of the following for the Ubuntu-based Publishers:

    • Ensure Ubuntu publishers are running version 98 or later.

    • For Ubuntu publishers prior to version 98, execute the following commands on the publisher machines:

      • sudo rm -f /etc/resolv.conf

      • sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

      • docker restart $(docker ps -a -q)

  5. Enter the app TCP or UDP port, port range, or ports and port ranges. For example:

    • Enter a specific port: 80

    • Enter a specific port range: 1024-2048

    • Enter ports and port range(s): 22,80,443,1024-2048

  6. Click in the Publisher text field and select one or more Publishers from the dropdown list.

    Tip

    For high availability, add multiple Publishers for each private app. Up to 16 Publishers can be used per app.

  7. (Optional) To have the Netskope Client send DNS requests for the specified hosts to the configured Publishers, enable the Use Publisher DNS toggle. To learn more, go to Configure Private Apps for DNS with the Publisher DNS Feature Enabled.

  8. (Optional) Private App Tags enable you to group multiple Private App Definitions for use in a Real-time Protection policy. Select one or more Private App Tag(s) from the dropdown list. To add a new Private App Tag, click Create New Tag. To learn more, go to Use Private Apps Tags in App Definitions.

  9. Click Save.

Connecting the Private App to the Publisher may take several minutes. Make sure that you see the green icon for this Private App before proceeding. If the badge is red, use the Troubleshooter feature or check your firewall rules before proceeding.
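The Host and port rules from steps 4 and 5 can be checked before entries are submitted. The following is an added example, not Netskope code: the function names are hypothetical, and it assumes that the 10/8 shorthand expands to 10.0.0.0/8 and that a single-label name counts as a bare TLD.

```python
import ipaddress
import re

MAX_HOSTS = 32  # per-app host limit stated on this page
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")  # one DNS label

def check_host(entry):
    """Return None if the entry passes the Host rules above, else the reason."""
    e = entry.strip().lower()
    if e in ("::", "::0", "0:0:0:0:0:0:0:0"):
        return "IPv6 equivalent of 0/0"
    m = re.fullmatch(r"(\d{1,3})/(\d{1,2})", e)  # page shorthand such as 10/8
    if m:
        e = f"{m.group(1)}.0.0.0/{m.group(2)}"
    try:
        net = ipaddress.ip_network(e, strict=False)
    except ValueError:
        net = None  # not an IP or CIDR: treat as a hostname below
    if net is not None:  # prefix 0 (0/0) is rejected along with /1 to /7
        return f"prefix /{net.prefixlen} is shorter than /8" if net.prefixlen < 8 else None
    labels = e.split(".")
    wildcard = labels[0] == "*"
    names = labels[1:] if wildcard else labels
    if not names or not all(LABEL.fullmatch(n) for n in names):
        return "not a valid hostname, IP address or CIDR"
    if wildcard and len(names) < 2:
        return "wildcard one level below the top-level domain"
    # Assumption: a single label is treated as a bare TLD (e.g. "com", "local").
    return "bare top-level domain" if len(names) == 1 else None

def validate_hosts(hosts):
    """Map each rejected entry to its reason; an empty dict means all pass."""
    problems = {h: r for h in hosts if (r := check_host(h))}
    if len(hosts) > MAX_HOSTS:
        problems["<list>"] = f"{len(hosts)} hosts exceeds the limit of {MAX_HOSTS}"
    return problems

def parse_ports(spec):
    """Parse '22,80,443,1024-2048' into sorted (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"bad port token: {part!r}")
        lo, hi = int(lo), int(hi) if sep else int(lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {part!r}")
        ranges.append((lo, hi))
    return sorted(ranges)
```

The check does not compare IP entries against Publisher addresses, and it does not recognize multi-label public suffixes such as co.uk, so a wildcard like *.co.uk still needs manual review.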

Note

When a user has access to a private app on different tenants using Netskope-encoded private app URLs from the same browser, the user must clear the browser cookies after accessing the private app on one tenant before being able to access the private app on a different tenant.

Troubleshoot a Private App

To troubleshoot a private app:

  1. Click Troubleshoot on the Private Apps page.

  2. Select an option for these settings:

    • Private App: Select an app from the dropdown list.

    • User and Device: Search for and select a user and device, or select one or more from the list.

  3. Click Troubleshoot. If the configuration is not correct, the troubleshooter will show what is not configured properly.


    When the configuration is correct, the Troubleshooter will show all is working.


For more information about troubleshooting, refer to Private Access Troubleshooting.

When deploying Netskope Private Access as a ZTNA product, it may not be clear how your enterprise applications work (such as which ports are necessary), and whether they rely on other hosts to function correctly. App Discovery is a cornerstone for the successful deployment of a ZTNA product.

When configuring Private App Discovery in a production environment, using a dedicated Publisher for app discovery is recommended.

  1. On the Private Apps page, click the + icon beside App Discovery.

  2. Click Edit.

  3. Enter these parameters:

    • Host: Enter a Hostname for the DNS-based Private Apps and click Add. You can also enter a CIDR or IP addresses for IP-based Private Apps.

    • Publisher: Select the Publisher dedicated for the Private Apps.

    • User: Enter the user(s) that will access the Private Apps.

    • Status: Enable Allow.

  4. Click Save. The App Discovery Status is now green (Enabled) on the Private Apps page.

  5. Have users start generating traffic using the Private Apps.

Once App Discovery is Enabled, NPA will allow access to the Apps covered by the App Discovery definition, unless there is a more specific rule in a Real-time Protection policy that blocks access to the requested App. An explicit rule in a policy is not required for a Discovery definition.

Create a Private App Definition for a Discovered App

To create a Private App Definition for a Discovered App, click the + icon beside App Discovery, and then click View Discovered Apps.


To create an App Definition for a single Discovered App, click the menu icon for a Discovered App, and then click Create Private App.


To create an App Definition for multiple Discovered Apps, select the Discovered Apps, and then click Create App in the table header.


Enter an Application Name and click Save. This new App Definition can now be used in a Real-time Protection policy.

If you select multiple Discovered Apps, and the Discovered Apps have different Publishers and ports, the new App Definition will include all Publishers and ports across the selected apps. This may result in certain Publishers being unable to access selected applications.


You can also add a Discovered App to an existing App Definition. Select the existing App Definition and the Discovered App(s) to add to the App Definition, and then click Create App. Review the settings and click Save.

App Discovery in Skope IT for Private Apps

After users generate traffic via Netskope Private Access, on the Private Apps page, click the + icon beside App Discovery, and then click View Discovered Apps.


Another option is to go to Skope IT > Private Apps and click the + icon beside App Discovery, and then click View Discovered Apps.


This page shows:

  • Discovered Application Names

  • Hosts

  • Ports

  • Publishers

  • Number of users

  • Bytes Uploaded

  • Bytes Downloaded

Private App Tags enable you to group multiple Private App Definitions for use in a Real-time Protection Private App policy, which alleviates having to choose multiple Private App Definitions in a policy. Instead, you select the Private App tag in a policy that includes multiple Private App Definitions.

Private App Tags can be applied to new and existing Private App Definitions. In the App Definition dialog box, click in the Private App Tag text field and select one or more tags. To search for a tag, start entering the name, and then select it when it appears. After adding a Private App Tag to an App Definition, the tag name is shown in the Private Apps Tag column on the App Definition page.

The v2 REST APIs can be used to incorporate Private App Tags in App Definitions. In your Netskope tenant, go to Settings > Tools > REST API v2 and click the API Documentation link. In the Swagger UI, look for the /api/v2/steering/apps/private/tags endpoints. To learn more, go to: REST API v2 Overview.

Create a Private App Tag

You can create a Private App Tag when creating an App Definition, or create a new tag when editing an existing App Definition. In both cases, click in the Private App Tag field in the App Definition dialog box, and then enter a tag name. When you see the new tag at the bottom of the list, click Create New Tag and then Save. The new tag now appears in the list and can be used in a Private App policy.


After adding a tag to a Private App Definition, the name appears in the Private App Tag column on the App Definition page.

Edit a Private App Tag

You can bulk add or delete Private App Tag(s) in one or more App Definitions. Select the App Definition(s) in the left column of the App Definitions page, and then select Edit Tags from the Private App Tag dropdown list. Renaming a tag is not supported.


In the Edit Tags dialog box, choose to do a bulk add or bulk remove for the tags you will select next.


Search for the Private App Tags by entering text in the search field, or select the tag from the dropdown list.


When finished, click Save.

Manage Private App Tags

You can bulk add or delete Private App Tag(s) in one or more App Definitions. Select the App Definition(s) in the left column of the App Definitions page, and then select Tag Manager from the Private App Tag dropdown list.


In the Manage Tags dialog box, search for the Private App Tags by entering text in the search field, or select the tag from the dropdown list.


The Pencil icon allows you to rename the Private App Tag, and the Trash icon allows you to delete the tag. When finished, click Save.

Select a Private Apps Tag in a Real-time Protection Policy

When creating a new policy, or updating an existing policy, you have the option to select Private App Tags in addition to selecting Private Apps. For Destination, click on Private App Tags to select the tags you want to include in the policy.


To steer traffic for private apps, you can add users or create a steering configuration that specifies an Organizational Unit (OU) or User Group.

OUs or User Groups are specified in the Real-time Protection policy that grants access to private apps.

If you do not already have a steering configuration that specifies the Organizational Unit (OU) or User Group you want to steer to private apps, follow these steps.

If you already have such a steering configuration, you can simply enable private apps for that steering configuration. For more details, refer to Change Steering Configurations to Include Private Apps.

  1. Go to Settings > Security Cloud Platform > Steering Configuration and click Create a New Configuration.

  2. In the New Configuration dialog box, enter and select the following settings:

    • Configuration Name: Enter a meaningful name for this steering configuration.

    • Applies To: Choose either an OU or User Group. The dropdown/search field allows you to select and search for an OU or User Group.

    • Traffic: Select Cloud Apps Only or All Web Traffic.

    • Status: Change to Enabled.

    • Private Apps: Change to Steer All Private Apps.

  3. Click Save.

To update a steering configuration for private apps, follow these steps:

  1. Go to Settings > Security Cloud Platform > Steering Configuration. Complete the following steps for each steering configuration that you want to steer to private apps. There are two methods:

    • If you have just one Default steering configuration, you can use the Edit button in the top right corner.

    • If you have multiple steering configurations, click the menu icon on the right side of each configuration and select Edit Configuration.

  2. For Private Apps, change to Steer All Private Apps.

  3. Click Done.