Netskope Help

Troubleshooting Why NPA-steered Websites are Inaccessible

In some scenarios, access control requirements mean that you need to reach public-facing websites via Netskope Private Access (NPA). This article explains how to troubleshoot situations where the site is not accessible even when it is properly defined as a private application.

Scenario

Development websites or sites that are hosted on publicly facing cloud providers may be locked down via Access Control Lists (ACL), so that access is only permitted from your known office locations. Using Netskope Private Access allows you to present your connectivity to these sites as if you were in the office, assuming you have a Publisher deployed in your office location.

Even when properly configured, there are some situations where you may not be able to browse to these sites.

Versions/Platforms

78.0.x and newer

Cause

There are two possible causes for this issue, assuming that your NPA connection is functioning correctly.

  1. The Publisher itself is unable to access the site

  2. DNS over HTTPS is enabled in the browser, so the web request never reaches the NPA connection to be routed via the Publisher.

Resolution

To confirm Publisher connectivity, first SSH to the Publisher, and then select Exit from the command menu.

This drops you to the command prompt, where you can test connectivity to the website with the following command. Make a note of the HTTP response code:

curl -Is https://<site of interest> | head -n 1|cut -d$' ' -f2 

For example:

curl -Is https://www.netskope.com | head -n 1|cut -d$' ' -f2
200
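
The same Publisher-side check as an added example (not part of the original Netskope article): it uses curl's documented exit codes to separate DNS, connection, TLS and HTTP-level failures instead of printing only the status code. The function names and the reading of HTTP 403 as a likely ACL denial are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the outcome of a reachability test run on the Publisher.
# classify_result <curl_exit_code> <http_status> prints a one-line verdict.
classify_result() {
    _rc="$1"; _status="$2"
    case "$_rc" in
        0)  ;;  # curl completed; judge by the HTTP status below
        6)  echo "DNS_FAILURE: Publisher cannot resolve the host"; return ;;
        7)  echo "CONNECT_FAILURE: TCP connection failed"; return ;;
        28) echo "TIMEOUT: no answer, traffic may be silently dropped"; return ;;
        35|60) echo "TLS_FAILURE: handshake or certificate validation failed"; return ;;
        *)  echo "CURL_ERROR: curl exit code $_rc"; return ;;
    esac
    case "$_status" in
        2??|3??) echo "REACHABLE: HTTP $_status" ;;
        # Assumption: a 403 seen from the Publisher suggests its egress IP
        # is not on the site's ACL allow list.
        403)     echo "DENIED: HTTP 403, check the site ACL for the Publisher egress IP" ;;
        *)       echo "OTHER: HTTP $_status, the server answered; review the response" ;;
    esac
}

# check_site <url> runs the HEAD request and classifies the result.
check_site() {
    _code=0
    # -I sends a HEAD request; -w prints only the status code ("000" on failure).
    _http=$(curl -Is -o /dev/null --connect-timeout 10 -w '%{http_code}' "$1") || _code=$?
    classify_result "$_code" "$_http"
}

# Usage: sh check.sh https://<site of interest> [more URLs...]
if [ "$#" -gt 0 ]; then
    for _u in "$@"; do
        printf '%s  ' "$_u"
        check_site "$_u"
    done
fi
```

Any verdict other than REACHABLE points to the first cause (the Publisher itself cannot access the site) rather than to the browser.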

If this works correctly, the other possible cause is DNS over HTTPS being enabled in the browser.

To prove or disprove this, temporarily disable the Use Secure DNS setting in the browser and attempt access again.

If access works with this setting disabled, you can either enforce disabling of this setting for all users in your organization via managed browser configuration, or create an inline policy to silently block a cloud application entitled DNS over HTTPS. This is configured as follows:

  1. Log in to your Netskope tenant.

  2. Go to Policies > Real-time Protection.

  3. Click New Policy and then Cloud App Access.

  4. Configure the Source section as required (default is All Users).

  5. Configure the Destination section and in the Application field, select DNS over HTTPS. Leave Activities and Constraints as Any.

  6. Configure the Profile & Action section Action field as Block, and in the Template dropdown, select No Notification (Mute).

  7. In the Set Policy section, define a name for the policy such as Block DNS over HTTPS.

  8. Click Save and ensure that the Policy is placed above your NPA access policies.

If you are still experiencing issues, please open a Support case for further assistance.