Netskope Help

Secure Forwarder

On the Internet-facing side, Secure Forwarder establishes a TLS tunnel to your tenant instance in the Netskope cloud, and then multiplexes client transactions with cloud app domains over that tunnel.

On the client-facing side, Secure Forwarder becomes the destination for client requests to cloud app domains. Secure Forwarder generates trusted certificates for those cloud app domains and serves them to the requesting clients to establish a trusted path.

Cloud app domains are steered to Secure Forwarder using one of the following methods:

Deployment mode: Secure Forwarder as a DNS Forwarder for cloud app domains.

In this mode, your enterprise DNS server delegates the DNS resolution for cloud app domains to Secure Forwarder. This is automated via API integration with Microsoft AD DNS server and Infoblox DNS Server. Infoblox DNS or Microsoft AD DNS serves as the primary DNS server for all the clients in the network.

Use case: Use this mode if you have an Infoblox DNS Server or Microsoft AD DNS in your environment.

Secure Forwarder can also function as a primary DNS server or an intermediate DNS server if you do not have a dedicated DNS server on your network.

Deployment mode: Secure Forwarder as explicit proxy for cloud app domains.

Secure Forwarder can seamlessly integrate with the existing explicit proxy in the network and serve as the explicit proxy for the cloud app domains.

In this mode, Secure Forwarder appends entries for the cloud app domains, pointing to itself, to the enterprise Proxy Auto-configuration (PAC) file.

Use case: Use this mode if you have an explicit proxy server in your network using a PAC file.
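A PAC fragment of the kind described for explicit proxy mode, as an added example and not the file Secure Forwarder generates; the proxy addresses, port numbers and domain list are constructed placeholders. Matching on label boundaries and returning no DIRECT fallback for cloud app domains are choices made for this example.

```javascript
// Added illustration. All hostnames, ports and domains are constructed placeholders.
var SECURE_FORWARDER = "PROXY secure-forwarder.corp.example:8080"; // assumed listener
var ENTERPRISE_PROXY = "PROXY proxy.corp.example:3128";            // existing explicit proxy
var CLOUD_APP_DOMAINS = ["cloudapp.example", "files.storage.example"]; // sample steered domains

// Normalize the host before comparing: lower-case, no trailing dot.
function normalizeHost(host) {
  host = String(host).toLowerCase();
  return host.charAt(host.length - 1) === "." ? host.slice(0, -1) : host;
}

// True only for a listed domain itself or a subdomain on a label boundary.
// A substring or bare suffix test would also match "notcloudapp.example"
// and "cloudapp.example.other.test", steering the wrong traffic.
function isCloudAppHost(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < CLOUD_APP_DOMAINS.length; i++) {
    var d = CLOUD_APP_DOMAINS[i];
    var suffix = "." + d;
    if (h === d || (h.length > suffix.length && h.slice(-suffix.length) === suffix)) {
      return true;
    }
  }
  return false;
}

// Entry point that PAC-aware clients call for each request.
function FindProxyForURL(url, host) {
  if (isCloudAppHost(host)) {
    // No "; DIRECT" fallback: cloud app traffic fails closed if the
    // forwarder is unreachable instead of bypassing it.
    return SECURE_FORWARDER;
  }
  return ENTERPRISE_PROXY;
}

// Pre-rollout check: return the routing decision for each host in a list.
function auditRouting(hosts) {
  var decisions = {};
  for (var i = 0; i < hosts.length; i++) {
    decisions[hosts[i]] = FindProxyForURL("https://" + hosts[i] + "/", hosts[i]);
  }
  return decisions;
}
```

Run `auditRouting` over a list of hosts taken from proxy logs before publishing a changed PAC file to confirm that only the intended domains are steered.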


Before installing Secure Forwarder, make sure you meet these prerequisites:

  • Download the Secure Forwarder OVA package. Go to Settings > Security Cloud Platform > On-Premises Infrastructure, and then click on one of the VA options to download it to a local disk to start the onboarding process.

  • Downloading the VA zip file requires 7 GB of free space, and you must unzip the file using 7zip. Using another tool produces a false error saying 789 PB of space is required.

  • Before running the downloaded OVA, make sure you have at least 8 cores, 32 GB of RAM, and 196 GB of disk space.

  • Determine a range of 255 internal IP addresses that can be allocated to the Secure Forwarder.

  • Secure Forwarder requires the following ports to be opened.


    In release 46, the domain names changed. Existing deployments (release 45 and prior) do not require the new domain names, but using them is recommended. New deployments with release 46 and higher must use the new domain names.

    For management plane connectivity:




    New: config-<tenant hostname>


    Use for configuration updates. The domain needs to be SSL allowlisted if you have SSL decryption enabled.


    New: messenger-<tenant hostname>


    Use for reporting and status updates in the UI. The domain needs to be SSL allowlisted if you have SSL decryption enabled.


    New: callhome-<tenant hostname>


    Use for receiving metrics from on-premises appliances and forwarding them to cloud tenants, as well as receiving event data from on-premises dataplane appliances. Also used for receiving custom user attributes from user endpoints. The domain needs to be SSL allowlisted if you have SSL decryption enabled.



    For international configurations, use or

    For data plane connectivity:

    Domain name


    proxy.<tenant hostname>


    For international configurations, use or