Skip to main content

Netskope Help

Security Cloud Platform Configuration


Contact Support to enable this feature in your account; additional licensing is required.

There are several auth related services which may require configuration to allow Netskope Cloud IPs as the source address to these services.

For example, with active auth on the O3654 Proxy, the local ADFS server may restrict auth from certain source IPs. Another case is when you want IdP providers to restrict auth requests from certain source IPs, or similarly restrict application access to a specific application. In these cases, you can use the Netskope Cloud IPs for these configurations.

Web and cloud apps that rely on source IP addresses as a form of identification and security can use the Netskope egress IP feature to help transition from on-premises security controls to a Security Service Edge (SSE) architecture. This provides admins with an additional option to enable access to these applications and minimize disruption to users.

Netskope's Dedicated Egress IP Footprint feature allocates a minimum of two IP addresses from Netskope owned IP ranges per data plane for your account. The dedicated IP ranges are completely separate from the shared IP ranges. A max of eight IP addresses can be made available depending on your user traffic requirements. Port exhaustion is monitored by the Netskope platform.

All traffic will use these IP addresses and is available for all steering methods except Cloud Firewall (CFW) and Netskope Private Apps (NPA).

You can see the list of IPs assigned to your account, navigate to Settings > Security Cloud Platform > Netskope Client > Enforcement > Netskope IP Ranges. The Dedicated IP Ranges tab lists the assigned dedicated IPs. You can copy the IP ranges to use for conditional access policies on the SaaS side.

Admins can enable / disable dedicated egress IPs for user traffic hitting SaaS apps through the proxy. Navigate to Settings > Security Cloud Platform > Configuration > Dedicated Egress IP Footprint.


Admins must update their IP restrictions for each application.