Netskope Help

Secure Forwarder Configuration Scenarios

The configuration scenarios explained in this section are:

  • Configure Netskope Secure Forwarder with Infoblox DNS Server

  • Configure Netskope Secure Forwarder with Microsoft AD DNS Server

  • Configure Netskope Secure Forwarder with a 3rd-party Explicit Proxy and PAC File

Configure Netskope Secure Forwarder with Infoblox DNS Server

In a network setup where Infoblox DNS servers are deployed, the Secure Forwarder can be configured to automatically create and update Forward Zones for cloud apps that are managed.

To configure the Infoblox DNS server:

  1. Open an nsshell and enter the command configure.

  2. Specify the Infoblox Master DNS Server hostname or IP:

    set external-dns infoblox hostname <hostname or IP>
  3. Enter the credentials of a user who has permissions to add and modify Forward Zones:

    set external-dns infoblox username <username>
    set external-dns infoblox password <password>
  4. Save the configuration with the command save, and then press Enter.

    Note

    You must save the configuration prior to enabling the external-dns infoblox process.

Enable the External DNS Infoblox Process

To enable updates to the Infoblox DNS server:

set external-dns infoblox enable <true or false>

Save the entire configuration with the command save, and then press Enter.

Configure Netskope Secure Forwarder with Microsoft AD DNS Server

Please refer to the Netskope Adapter installation guide for details on integrating Secure Forwarder with Microsoft AD DNS Server.

Note

Ensure that DNS Connector is configured. See for details.

Configure Netskope Secure Forwarder with a 3rd-party Explicit Proxy and PAC File

Secure Forwarder can be configured to run as an explicit proxy so that all cloud app traffic is proxied through the Secure Forwarder while other traffic goes through the existing proxy server. To do this, configure the Secure Forwarder to download the existing PAC file and, in turn, host a modified PAC file that redirects cloud app traffic to the Secure Forwarder's proxy server and retains the PAC file rules for all other traffic.

If you want to direct the cloud app traffic to the appliance and the web traffic to your existing proxy server, configure the merged PAC file server on the.

  1. Set the IP address to host the merged PAC file server on the . If not provided, the IP address of the DNS server is used if it is configured:

    set dataplane pac-server listener-ip <PAC server IP>

    In appliance version 58 and higher, run the following command.

    set dataplane pac-server listener-interface <PAC server interface>
  2. Set the TCP port to host the merged PAC file server on the :

    set dataplane pac-server listener-port <PAC server port>
  3. Set the URL of the existing PAC file server:

    set dataplane pac-server url http://wpad.yourdomain.com/wpad.dat
    
  4. Enable the PAC file server:

    set dataplane pac-server enable true
  5. Save the configuration:

    save

    The PAC file will be hosted at http://<PAC server IP>:<pac-server-port>/wpad.dat and http://<PAC server IP>:<pac-server-port>/proxy.pac.

  6. Enable the explicit proxy mode for the by doing the following:

    set dataplane proxy-mode explicit enable true
  7. Optionally, specify the fully-qualified domain name that resolves to the IP configured for the . This host name will be used in the merged PAC file. If this setting is not provided, the IP will be present in the merged PAC file.

    set dataplane pac-server hostname sfproxy.yourdomain.com
  8. Optionally specify the TCP port for hosting the explicit proxy. The default port used by the is 8080.

    set dataplane proxy-mode explicit listener-port <explicit proxy port>
  9. Save the configuration.

    save
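
The merged PAC behavior described in this section, as an added sketch (not Netskope's generated file or code): cloud app hosts are sent to the Secure Forwarder's explicit proxy and every other request falls through to the existing PAC rules. The cloud app domains, the stand-in original rules and the upstream proxy proxy.yourdomain.com:3128 are constructed sample values; sfproxy.yourdomain.com and port 8080 come from the steps above.

```javascript
// Added sketch of a merged PAC file; not Netskope's generated output.
// Written in ES5 because many PAC engines do not support newer syntax.

// Constructed sample list; the real list is the set of managed cloud apps.
var CLOUD_APP_DOMAINS = ["box.com", "salesforce.com"];
// Hostname from the pac-server hostname step, default explicit proxy port 8080.
var SF_PROXY = "PROXY sfproxy.yourdomain.com:8080";

// Lowercase and drop a trailing dot so "APP.BOX.COM." is matched too.
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// True for the domain itself or a subdomain, matched on a label boundary
// so that "notbox.com" and "box.com.example.net" do not match "box.com".
function hostInDomain(host, domain) {
  var suffix = "." + domain;
  return host === domain || host.slice(-suffix.length) === suffix;
}

// Constructed stand-in for the rules in the existing PAC file
// (the one served from http://wpad.yourdomain.com/wpad.dat).
function originalFindProxyForURL(url, host) {
  var h = normalizeHost(host);
  if (h.indexOf(".") === -1 || hostInDomain(h, "yourdomain.com")) {
    return "DIRECT";
  }
  return "PROXY proxy.yourdomain.com:3128"; // hypothetical existing proxy
}

// Merged entry point: cloud app traffic goes to the Secure Forwarder,
// every other request keeps the decision of the original rules.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  for (var i = 0; i < CLOUD_APP_DOMAINS.length; i++) {
    if (hostInDomain(h, CLOUD_APP_DOMAINS[i])) {
      return SF_PROXY;
    }
  }
  return originalFindProxyForURL(url, host);
}

// Audit helper: routing decision for each host in a review list.
function auditRouting(hosts) {
  var out = {};
  hosts.forEach(function (h) { out[h] = FindProxyForURL("https://" + h + "/", h); });
  return out;
}
```

Running auditRouting over a list that includes look-alike hostnames confirms that only the managed app domains are redirected and that the original rules still decide everything else.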