Netskope Private Access User Guide

Private Apps Configuration Methods

This topic explains how to configure Private Apps for DNS, domain controllers, and SMB/CIFS file shares.

Private Apps - DNS

The Private App configuration allows DNS requests to be sent over the Private Access connection for any host within the domain and resolves those hosts back to an IP. This also applies to the many obscure subdomains that must be queried for domain joins, group policy queries, and FSMO role owner lookups.

A port definition is required when defining a Private App. For this definition, the port value does not matter because with Publisher DNS enabled, the Publisher handles the DNS traffic itself. Because something must be defined, we use port 53.

The _gc._tcp.domain.com and _ldap._tcp._sites.DomainDnsZones.domain.com addresses will always resolve back to one (or more) domain controllers, and the domain specification without the wildcard is required for CIFS connectivity to the domain (again, always one of the domain controllers), when pulling group policy updates. This is the easiest configuration method without having to define all of the possible things a client machine might try to access.

Host

*.domain.com
domain.com

Protocol & Port

UDP 53

Publisher

Whatever is relevant for domain machines.

Publisher DNS

enabled

Private Apps - Domain Controllers

The Private App configuration takes the IP previously resolved by the DNS lookup and steers based on that. You provide all of the possible Domain Controllers’ IPs here. You can also specify the short-form NetBIOS name, such as DC01, if you wish, but you don’t use the FQDN.

Host

x.x.x.x (List of Domain Controller IPs)
DC01 (netbios name)

Protocol & Port

TCP

88,135,137,139,389,464,636,1512,3268,3269,5357,49152-65535

UDP

88,123,135,137,138,389,464,1512,5357

Publisher

Whatever is relevant for domain machines.

Publisher DNS

disabled

Port breakdown is as follows:

TCP

88 - Kerberos query
135 - Remote Procedure Call
137 - NetBIOS name
139 - NetBIOS session
389 - LDAP (plain text)
464 - Kerberos password change
636 - LDAP (secure) - might not be required.
1512 - WINS - might not be required.
3268 - LDAP to Global Catalog
3269 - LDAP to Global Catalog (secure) - might not be required.
5357 - Network Discovery - might not be required.
49152-65535 - Upper range ephemeral ports. Required... Sadly. Domain integration only requires TCP.

UDP

88 - Kerberos query
123 - NTP - used to set client time from domain controllers
135 - Remote Procedure Call
137 - NetBIOS name
138 - NetBIOS datagram
389 - LDAP (plain text)
464 - Kerberos password change
1512 - WINS - might not be required.
5357 - Network Discovery - might not be required.

Note that SMB isn’t covered in this. Because file servers are typically addressable by all users, we normally split this out into a separate application, and you’ll then be able to add any non-domain-controller machines into it as well.
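To make the interaction between the DNS app and the Domain Controllers app concrete, here is an added example (not Netskope code, and not a description of how the Netskope client actually evaluates apps) that models the two definitions above as data and answers two questions: which app handles resolution of a given name, and which app steers a given destination/protocol/port. The host-matching rules (wildcard prefix match, exact match for the bare domain, IPs and NetBIOS names compared case-insensitively) and the DC IPs 10.0.0.10/10.0.0.11 are assumptions constructed for illustration. It also shows why SMB needs its own app: port 445 to a DC IP matches nothing in the Domain Controllers definition.

```python
"""Model the Private App definitions on this page and check what they cover.

Added example, not Netskope code. Matching semantics are assumptions made
for illustration; DC IP values are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_ports(spec: str) -> set[int]:
    """Expand a port list such as '88,135,49152-65535' into a set of ints.

    Ranges are inclusive at both ends; anything outside 1..65535 is rejected.
    """
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(item)
            if not 0 < port <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(port)
    return ports


@dataclass
class PrivateApp:
    name: str
    hosts: list[str]            # '*.domain.com', 'domain.com', IPs, NetBIOS names
    ports: dict[str, set[int]]  # protocol -> allowed ports
    publisher_dns: bool = False

    def matches_host(self, host: str) -> bool:
        """Assumed rule: '*.x' matches any name under x but not x itself;
        everything else (bare domain, IP, NetBIOS name) is an exact match."""
        h = host.lower().rstrip(".")
        for entry in self.hosts:
            e = entry.lower()
            if e.startswith("*."):
                if h.endswith(e[1:]):
                    return True
            elif h == e:
                return True
        return False


def resolving_app(apps: list[PrivateApp], name: str) -> PrivateApp | None:
    """Which app with Publisher DNS enabled handles resolution of `name`?
    The configured port is irrelevant here, as the page notes."""
    for app in apps:
        if app.publisher_dns and app.matches_host(name):
            return app
    return None


def steering_app(apps: list[PrivateApp], dest: str, proto: str, port: int) -> PrivateApp | None:
    """Which app steers a connection to `dest` (IP or NetBIOS name) on proto/port?"""
    for app in apps:
        if app.publisher_dns:
            continue
        if app.matches_host(dest) and port in app.ports.get(proto.upper(), set()):
            return app
    return None


# The two definitions from this page. DC IPs are constructed placeholders.
DNS_APP = PrivateApp("AD DNS", ["*.domain.com", "domain.com"],
                     {"UDP": parse_ports("53")}, publisher_dns=True)
DC_APP = PrivateApp(
    "Domain Controllers", ["10.0.0.10", "10.0.0.11", "DC01"],
    {"TCP": parse_ports("88,135,137,139,389,464,636,1512,3268,3269,5357,49152-65535"),
     "UDP": parse_ports("88,123,135,137,138,389,464,1512,5357")},
)
APPS = [DNS_APP, DC_APP]

if __name__ == "__main__":
    for name in ("_gc._tcp.domain.com", "domain.com", "fileserver01.otherdomain.com"):
        app = resolving_app(APPS, name)
        print(f"resolve {name:<32} -> {app.name if app else 'not steered'}")
    for dest, proto, port in (("10.0.0.10", "tcp", 389), ("dc01", "udp", 123),
                              ("10.0.0.10", "tcp", 445), ("10.0.0.10", "tcp", 50000)):
        app = steering_app(APPS, dest, proto, port)
        print(f"{dest}:{port}/{proto} -> {app.name if app else 'NO APP (needs its own definition)'}")
```

Running the block prints that LDAP, NTP and an ephemeral-range port to a DC all land in the Domain Controllers app, while SMB (445) to the same DC is unmatched, which is exactly the gap the separate SMB/CIFS app below closes.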

Private Apps - SMB/CIFS

You may also want a separate method for Remote Desktop access to the machines. This depends on how your business operates, but typically you’ll have a single app with the individual server IPs specified within it for port 3389, and if you have users that access a service on a different server (Citrix, for instance), you define that separately.

So you might have an app entitled Remote Desktop - Admins, and an app entitled Remote Desktop - Users. From a policy standpoint, you’d assign the admins both of these apps by group, and the users just the relevant one. The other methods defined above would be applied to all users.

Host

x.x.x.x (List of File Server IPs)
fileserver01 (netbios name)

Also any other file servers, specified by IP and NetBIOS name, for example:

10.104.120.221
fileserver01

Protocol & Port

TCP

445

UDP

445

Publisher

Whatever is relevant for domain machines.

Publisher DNS

disabled