Updated on April 2, 2025

Universal Reverse Proxy

Universal Reverse Proxy

This is a BETA feature. Contact your Netskope account team to enable it in your account.

Universal Reverse Proxy (URP) is a feature that allows unmanaged device access to sanctioned enterprise applications. The Netskope platform enforces inline controls on the unmanaged devices and extends reverse proxy to any application. 

Netskope’s URP uses RBI to provide an isolated environment for unmanaged users and devices to access SaaS applications. With this, users will have granular access and inline constraint control through unified policy creation for all SAML based applications. In addition, users can protect enterprise data from unmanaged devices that are granted access but are prevented from printing, cutting, and copying sensitive data. Finally, users can define custom app domains that should be isolated. 

Netskope’s URP provides a faster and scalable way to add new applications in a more efficient and less disruptive way which helps security operations maintain supported applications. This enables admins to onboard their ecosystem applications faster and controls risk for unmanaged devices.

The general workflow is outlined below:

Prerequisites

NOTE: URP can be enabled either via SAML Proxy or Office365 Authentication

  • Ensure you have Office365 Auth Universal Reverse Proxy set up
  • If Office365 configuration is not set up, ensure you have SAML Universal Reverse Proxy set up with SaaS apps authenticated. To learn more: SAML Reverse Proxy
While creating a SAML Proxy account, Application selection for Universal Reverse Proxy accounts should be ‘Office365’ under the dropdown instead of ‘Microsoft Accounts’ that is currently available for traditional Reverse Proxy.

Enable URP via SAML Reverse Proxy

The first step is to enable an account for URP.

  1. Navigate to Settings > Security Cloud Platform > Reverse Proxy > click an account name.

    Adding a new SAML account remains the same. The URP option is visible only when the feature is enabled in your account. To learn more: Configure the SAML Proxy in the Netskope UI

Select Proxy Type > Universal Reverse Proxy. By selecting URP, app traffic is sent via RBI.

2. Select an RBI template. You can view the RBI template option when editing or adding a new SAML account and Universal Reverse Proxy is selected.

If you select a ‘Block’ RBI template, the action is isolated and blocked right away. If you select an ‘Allow’ RBI template, Real-time Protection Policies are applied. This means user actions are governed by non-isolate RTP policies, e.g. Alert, Block.

To learn more: RBI Templates

RBI templates currently support File Upload (allow upload files from user devices to RBI) and File Download (allow download files from user devices to RBI).

You’ll know that you’re browsing in isolation based on certain visual queues. To learn more: Isolation in an End User’s Browser

3. Click Save.

Enable RAAS with URP via SAML Reverse Proxy

This section describes enabling Reverse Proxy As A Service (RAAS) using URP with SAML Reverse Proxy.

The first step is to enable an account for URP.

  1. Navigate to Settings > Security Cloud Platform > Reverse Proxy > click an account name.
    Adding a new SAML account remains the same. The URP option is visible only when the feature is enabled in your account.
  2. Select Proxy Type > Universal Reverse Proxy. By selecting URP, app traffic is sent via RBI.
  3. Select the Office365 application under the dropdown.
  4. A checkbox Enable RAAS (Reverse Proxy As A Service) appears. Enabling this checkbox facilitates the account to work similar to a Reverse Proxy as a Service with Microsoft Entra ID.
  5. Once the RAAS checkbox is selected, two new fields appear as shown:
    IDP ISSUER ID
    APP LANDING URL
  6. Provide the required fields as described in the section Reverse Proxy as a Service with Microsoft Entra ID.

7. Select an RBI template. You can view the RBI template option when editing or adding a new SAML account and Universal Reverse Proxy is selected.

8. In the App Landing URL field, type “https://portal.office.com”.

If you select a ‘Block’ RBI template, the action is isolated and blocked right away. If you select an ‘Allow’ RBI template, Real-time Protection Policies are applied. This means user actions are governed by non-isolate RTP policies, e.g. Alert, Block.
To learn more: RBI Templates

Enable pop-up messages when creating an RBI template. Navigate to create/edit RBI Template > Isolation Indicators > Pop-up Message checkbox.
RBI templates currently support File Upload (allow upload files from user devices to RBI) and File Download (allow download files from user devices to RBI).

You’ll know that you’re browsing in isolation based on certain visual queues. To learn more: Isolation in an End User’s Browser

Vanity URL support is not yet available for RAAS accounts configured with URP.

Enable URP via ‘Office365 Auth’ Under Reverse Proxy

The first step is to enable an account for URP.

1. Navigate to Settings > Security Cloud Platform > Reverse Proxy > click an account name.

Adding a new Office365 Auth SAML account remains the same. The URP option is visible only when the feature is enabled in your account. To learn more: Configure the Office365 Auth in the Netskope UI

You can view the Access Method on the list page under the Proxy Type column.

Updating Real-time Protection Policies

You can create a new Real-time Protection Policy or update an existing policy and use the URP access method. In addition, you can add URP as a new filter option in the RTP Policy list page. 

  1. Navigate to Policies > Real-time Protection > select a policy and open the policy editor.  

2. Select Source > Add Criteria > Access Method > Universal Reverse Proxy.

3. Select Destination > Application > Microsoft Office365 SharePoint Online.

4. Click Save.

Creating new Real-time Protection Policies remains unchanged. To learn more: Create a Real-time Protection Policy

Real-time Protection Policy Filter Option 

You can add URP as a new filter option in the RTP Policy list page. 

  1. Navigate to Policies > Real-time Protection > +Add Filter > Access Method > Universal Reverse Proxy
  2. Click  Apply.

    The Access Method appears in the Policy list page under the Source column.

Skope IT Filter Option

You can add URP as a new filter option in the Skope IT Application Events.
1. Navigate to Skope IT > Events & Alerts > Application Events > +Add Filter > Access Method > Universal Reverse Proxy.

2. Click Apply.

3. Click the gear icon and select General > Access Method.

The Access Method column appears in the Application Events list page. 

Known Limitations

The following are known limitations identified for beta. 

  • Audio and video interactions are not supported in the beta release.
  • MDM Bypass flows are not supported in beta for authentication flows.
  • When Browser specific menu options are used, Copy from the browser menu options will not work.
  • Direct log in to SharePoint using any SharePoint site URLs opens the SharePoint web site and not the site specific URLs.
  • New tabs might be closed sporadically when users try to access SharePoint or other Microsoft Office apps from devices using slower connections.
  • Clipboard operations for PowerPoint and slides will not work.
  • Copying cell data inside Microsoft Office365 Excel and Google Sheets will not work.
  • You may see the following error message: Lost toast after reload “You are under isolation..” This happens when there is latency, after a refresh the reload toast disappears.
  • Only Windows and Mac browser based interactions are enabled.
  • Share link utility solution is not supported in the beta release.
  • URP follows RBI best practices and limitations. To learn more: RBI Best Practices and Limitations 
  • Vanity URL support is not yet available for RAAS accounts configured with URP.
Share this Doc

Universal Reverse Proxy

Or copy link

In this topic ...