Skip to main content

Netskope Help

Private App Management

The following sections explain how to create and steer Private Apps.

Specify a Private App for the Publisher to steer. You can create up to 10,000 private app definitions per Netskope tenant. A message appears on the Private Apps App Definition page when you're approaching the maximum limit. You can contact Support to increase the limit.

  1. Go to Settings > Security Cloud Platform > App Definition and click Private Apps.

    PrivateApps.png
  2. Click New Private App.

    NewPrivateApp1.png
  3. Enter a meaningful app name in the Application Name field (like jira).

  4. Enter the Host domain in the Host field (like jira.site.io). The Host field supports the following syntax: Host (jira.site.io). Up to 32 hosts can be added.

    Important

    Using a hostname is recommended. If an app needs to be accessible by hostname and IP address, enter each separately by clicking Add.

    When using an IP address for a host domain, ensure the IP address differs from all IP addresses used for Publishers. Other IP factors include:

    • Don't use wildcards, like *.com, and *.local, one level below the top-level domain. You can use wildcards two levels down, like *.test.xyz, for the purpose of private app discovery.

    • Don’t use 0/0.

    • Don’t use any CIDR less than /8. For example, if x.x.x.x/y is a configured CIDR, then y should be greater than or equal to 8. (eg 10/8 is allowed, 1/7 is not allowed).

    • Don’t use TLD.

    • Don’t use ipv6 equivalents of 0/0:

      • “::”

      • “0:0:0:0:0:0:0:0”

      • “::0”

    If the FQDN contains a .local domain, Netskope recommends one of the following for the Ubuntu-based Publishers:

    • Ensure Ubuntu publishers are running version 98 or later.

    • For Ubuntu publishers prior to version 98,  execute the following commands on the publisher machines.

      • sudo rm -f /etc/resolv.conf

      • sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

      • docker restart $(docker ps -a -q)

  5. Enter the app TCP or UDP port, port range, or ports and port ranges. For example:

    • Enter a specific port: 80

    • Enter a specific port range: 1024-2048

    • Enter ports and port range(s): 22,80,443,1024-2048

  6. Click in the Publisher text field and select one or more Publishers from the dropdown list.

    Tip

    For high-availability, add multiple publishers for each private app. Up to 16 Publishers can be used per app.

  7. To have the Netskope Client send DNS requests for the specified hosts to the configured Publishers, enable the Use Publisher DNS toggle.

  8. Click Save.

Connecting the private app to the publisher may take several minutes. Make sure that you see the green icon GreenCheckIcon.pngfor this private app before proceeding. If the badge is red, use the Troubleshooter feature or check your firewall rules before proceeding.

Note

When a user has access to a private app on different tenants using Netskope-encoded private app URLs from the same browser, then after accessing the private app on one tenant, a user will need to clear the cookies from the browser before being able to access the private app on a different tenant.

Troubleshoot a Private App

To troubleshoot a private app:

  1. Click Troubleshoot on the Private Apps page.

    TroubleShooterButton.png
  2. Select an option for these settings:

    • Private App: Select an app from the dropdown list.

    • User and Device: Search for and select a user and device, or select one or more from the list.

      TroubleShooter1.png
  3. Click Troubleshoot. If the configuration is not correct, the troubleshooter will show what is not configured properly.

    TroubleShooter3.png

    When the configuration is correct, the Troubleshooter will show all is working.

    TroubleShooter2.png

For more information about troubleshooting, refer to the Private Access Troubleshooting .

When deploying Netskope Private Access as a ZTNA product, it may not be clear how your enterprise applications work (like ports necessary), and whether there is a reliance on other hosts to make the applications function correctly. App Discovery is a cornerstone for the successful deployment of a ZTNA product.

When configuring Private App Discovery in a production environment, using a dedicated Publisher for app discovery is recommended.

  1. On the Private Apps page, click the + icon beside App Discovery.

    Private-App-Discovery.png
  2. Click Edit.

    Private-App-Discovery-Edit.png
  3. Enter these parameters:

    • Host: Enter a Hostname for the DNS-based Private Apps and click Add. You can also enter a CIDR or IP addresses for IP-based Private Apps.

    • Publisher: Select the Publisher dedicated for the Private Apps.

    • User: Enter the user(s) that will access the Private Apps.

    • Status: Enable Allow.

    App-Discovery-Settings.png
  4. Click Save. The App Discovery Status is now green (Enabled) on the Private Apps page.

  5. Have users start generating traffic using the Private Apps.

Once App Discovery is Enabled, NPA will allow access to the Apps covered by the App Discovery definition, unless there is a more specific rule in a Real-time Protection policy that blocks access to the requested App. An explicit rule in a policy is not required for a Discovery definition.

Create a Private App Definition for a Discovered App

To create a Private App Definition for a Discovered App, click the + icon beside App Discovery, and then click View Discovered Apps.

NPA-View-Discovered-Apps.png

To create an App Definition for a single Discovered App, click the menu icon for a Discovered App, and then click Create Private App.

NPA-Discovered-App-Create-2.png

To create an App Definition for multiple Discovered Apps, select the Discovered Apps, and then click Create App in the table header.

NPA-Discovered-App-Create-1.png

If you select multiple Discovered Apps, and the Discovered Apps have different Publishers and ports, the new App Definition will include all Publishers and ports across the selected apps. This may result in certain Publishers being unable to access selected applications.

We recommend creating separate App Definitions for Discovered Apps with different Publishers and ports, and only combining Discovered Apps in an App Definition when the Publishers and ports are the same.

NPA-Discovered-App-Select.png

Both methods opens the New Private App dialog.

NPA-Discovered-App-Definition.png

Enter a Application Name and click Save. This new App Definition can now be used in a Real-time Protection policy.

App Discovery in Skope IT for Private Apps

After users generate traffic via Netskope Private Access, on the Private Apps page, click the + icon beside App Discovery, and then click View Discovered Apps.

NPA-View-Discovered-Apps.png

Another option is to go to Skope IT > Private Apps and click the + icon beside App Discovery, and then click View Discovered Apps.

NPA-SkopeIT-Private-Apps.png

This page shows:

  • Discovered Application Names

  • Hosts

  • Ports

  • Publishers

  • Number of users

  • Bytes Uploaded

  • Bytes Downloaded

To steer traffic for private apps, you can add users or create a steering configuration that specifies an Organizational Unit (OU) or User Group.

OUs or User Groups are specified in the Real-time Protection policy that grants access to private apps.

If you do not already have a steering configuration that specifies the Organization Unit (OU) or User Group you want to steer to a private apps, follow these steps.

If you already have such a steering configuration, you can simply enable private apps for that steering configuration. For more details, refer to Change Steering Configurations to Include Private Apps.

  1. Go to Settings > Security Cloud Platform > Steering Configuration and click Create a New Configuration.

    NPAcreateSteeringConfig.png
  2. In the New Configuration dialog box, enter and select the following settings:

    • Configuration Name: Enter a meaningful name for this steering configuration.

    • Applies To: Choose either an OU or User Group. The dropdown/search field allows you to select and search for an OU or User Group.

    • Traffic: Select Cloud Apps Only or All Web Traffic.

    • Status: Change to Enabled.

    • Private Apps: Change to Steer All Private Apps.

    NPAaddSteeringConfig.png
  3. Click Save.

To update a steering configuration for private apps, follow these steps:

  1. Go to Settings > Security Cloud Platform > Steering Configuration. Complete the following steps for each steering configuration that you want to steer to private apps. There are two methods:

    • If you have just one Default steering configuration, you can use the Edit button in the top right corner.

      NPAsteeringConfig.png
    • If you have multiple steering configurations, click the MenuIcon.png icon on the right side of each configuration and select Edit Configuration.

      NPAsteeringEditConfig.png
  2. For Private Apps, change to Steer All Private Apps.

    NPAsteeringConfigEnable.png
  3. Click Done.