Use the NPA Client in Windows Multi-User Virtual Desktop Environments

This article explains how to configure Netskope Private Access (NPA) for multi-user virtual desktop environments on Windows, where users log in simultaneously. It enables secure access for environments with shared system processes (Session ID 0) and dedicated VDI user tunnels, through which a user’s private application sessions are processed.

Introduction

In Virtual Desktop Infrastructure (VDI) environments, private application traffic originates from both interactive user sessions and system processes (Session ID 0). To address this, NPA introduces a dedicated VDI User that creates its own dedicated tunnel to steer traffic from the Netskope Client from processes that can’t be attributed to a user. This design ensures that private app packets, whether from user-initiated or system processes, are securely handled and routed based on defined policies.

Supported Operating Systems

This feature is supported on Windows only. Ensure that your Windows servers and client devices are running a compatible version to fully leverage the NPA VDI support capabilities. Refer to our supported Windows versions here: Netskope Client Supported OS and Platform. Also, you need to ensure the platform supports multi-user sessions simultaneously.

Overview

The NPA VDI support solution is designed to:

  • Steer Session ID 0 Traffic separately from user traffic: Route system-level traffic (e.g., SMB or AD server packets) via a dedicated tunnel using a specially designated VDI user since it cannot be attributed to a user.
  • Enhance Multi-User Scenarios: Provide secure and consistent private access for environments like Azure Virtual Desktop, Amazon Appstream, and Citrix VDI.
  • Streamline Client Enrollment: Offer flexible enrollment workflows via UPN or integrated IDP, ensuring that devices receive the correct Client configurations for VDI mode.

Prerequisites

Before proceeding, ensure you have:

  • Netskope Tenant Access: Permissions to create users, configure Client settings, and set up policies.
  • VDI User Account: Create a dedicated VDI user using the format:
    <username>@vdi.netskope.com
  • Installer Requirements: Use the latest Client installer build (Build Version: 124+).

Note

Upgrading the current Client does not support VDI mode; a fresh installation is required.

  • Command Line Access: Required for installing the Client with appropriate flags.

Ensuring Proper VDI Configuration with npavdimode=on

For organizations deploying the Netskope Client in VDI environments, it is essential to enable multi-user support by specifying npavdimode=on during installation. This ensures that the appropriate VDI settings are applied, allowing for seamless configuration and operation.

Key Implementation Steps

  1. During Installation:
    • When installing the Netskope Client on Windows devices, ensure the installer is launched with npavdimode=on.
    • This setting is required for multi-user environments and ensures the correct application of VDI configurations.
  2. Client Enrollment Considerations:
    • Whether using UPN Enrollment Mode (via corporate directory services) or IDP Enrollment Mode (leveraging SSO with providers like Azure AD or Okta), the npavdimode=on flag must be included to properly configure VDI settings.
    • Enrollment workflows remain unchanged, but without this setting, multi-user functionality may not be properly applied.
    • The same configuration parameter needs to be applied when using an MDM-based deployment method.
  3. Configuration Enforcement:
    • After authentication and device registration, the security cloud platform applies the necessary settings, ensuring that VDI users receive the correct configuration.

For full deployment details, refer to the Netskope client enrollment documentation links:

Setup Guide

Web UI Configuration

1. Add the VDI user:

  1. Go to Setting > Security Cloud Platform > Users and click New User.
  2. User Email Format: Enter the email as <username>@vdi.netskope.com.
  3. Click Add. This VDI user is solely used for establishing a dedicated tunnel for Session ID 0 traffic.

2. Create or edit a Client configuration:

  1. Access Client Configurations: Create a new configuration or modify an existing one. Go to Settings > Security Cloud Platform > Client Configuration.
  2. On the Private App tab:
    • Enable VDI Support: Check the VDI Support for Private Apps option.
    • Select a VDI User: Use the search in the dropdown (displaying only users with “vdi.netskope.com”) to select the appropriate VDI user. The option to proceed is locked until a VDI user is selected.
  3. Click Save.

3. Create a Private App Policy:

  1. Go to Policies > Real-Time Protection > New Policy > Private App Access.
  2. Policy Settings:
    • Source: Set to the VDI user (e.g., <username>@vdi.netskope.com).
    • Access Method: Use the Client.
    • Destination: Private Apps, and select the apps (e.g., SMB fileshare, DNetc) that generate Session ID 0 packets.
    • Action: Set to Allow to enable traffic via the dedicated tunnel.
  3. Click Save.
  4. Additional Steps: Optionally configure file/folder access rules on your SMB server to control user access.

Client Installation

1. Uninstall the Existing Client and Remove Previous Versions: Ensure any existing Netskope Client is uninstalled from the VDI server.

2. Install the New Client Build:

  • Download Build 124+: Confirm that you are using the latest installer.
  • Run the installation command:

msiexec /I "STAgent.msi" host=<addon host URL> token=<org id> mode=peruserconfig npavdimode=on

Note

The npavdimode=on flag is required to enable VDI support, and it should be used only on virtual desktops where simultaneous user sessions will be active.

  • For Secure Enrollment: Append enrollauthtoken and enrollencryptiontoken parameters if secure enrollment is enabled.
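As an added example (not Netskope's own tooling), the following PowerShell function wraps the msiexec command line above so that mode=peruserconfig and npavdimode=on are always present, the secure-enrollment tokens are appended only when both are supplied, and the fresh-install requirement is enforced before anything runs. The installer path, addon host URL, org id and the assumption that the existing client's uninstall entry has a DisplayName starting with "Netskope" are placeholders to replace with your own values.

```powershell
function Install-NpaVdiClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,        # path to STAgent.msi
        [Parameter(Mandatory)] [string] $AddonHost,            # <addon host URL> from the tenant
        [Parameter(Mandatory)] [string] $OrgId,                # <org id> from the tenant
        [string] $EnrollAuthToken,                             # secure enrollment only
        [string] $EnrollEncryptionToken,                       # secure enrollment only
        [string] $LogPath = "$env:TEMP\STAgent-install.log"
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    # Upgrading does not enable VDI mode, so refuse to run over an existing install.
    # Assumption: the uninstall entry's DisplayName starts with 'Netskope'.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $existing = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like 'Netskope*' }
    if ($existing) {
        throw "Netskope Client already installed: $($existing.DisplayName -join ', '). Uninstall it first."
    }

    # Argument names and order follow the article's msiexec command line.
    $msiArgs = @(
        '/I', "`"$InstallerPath`"",
        "host=$AddonHost", "token=$OrgId",
        'mode=peruserconfig', 'npavdimode=on',
        '/qn', '/L*v', "`"$LogPath`""
    )
    if ($EnrollAuthToken -and $EnrollEncryptionToken) {
        $msiArgs += "enrollauthtoken=$EnrollAuthToken", "enrollencryptiontoken=$EnrollEncryptionToken"
    } elseif ($EnrollAuthToken -or $EnrollEncryptionToken) {
        throw 'Secure enrollment needs both enrollauthtoken and enrollencryptiontoken.'
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # Standard msiexec exit codes: 0 = success, 3010 = success but reboot required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($proc.ExitCode); see $LogPath"
    }
    return $proc.ExitCode
}

# Placeholder values; replace with the tenant's addon host URL and org id.
Install-NpaVdiClient -InstallerPath 'C:\Temp\STAgent.msi' -AddonHost '<addon host URL>' -OrgId '<org id>'
```

Run it from an elevated PowerShell session on the VDI server before the first user session is established; the verbose MSI log at $LogPath is the first place to look if enrollment fails.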

3. Establish a User Session

  • Log Out and Log In: After installation, sign out and log back in to create a new user session.
  • Tunnel Creation: The first user session triggers the creation of a dedicated VDI tunnel for Session ID 0 traffic.
  • Verification: Check client logs (e.g., npadebuglog) to confirm that the tunnel is active and the VDI user is properly enrolled.

Best Practices

Due to the nature of shared Session ID 0 traffic, it is important to adopt the following best practices:

  • Group Users by Access Profile: To minimize security risks and performance bottlenecks, group users on a multi-user virtual desktop machine based on their access profile.
    • Rationale: Since Session ID 0 traffic is shared among all users on the VM, grouping users with similar access needs can reduce potential conflicts and streamline policy enforcement.
    • Implementation: Consider deploying separate VMs or virtual desktop pools for different access profiles (e.g., administrative vs. standard user access). This ensures that private app policies and resource utilization are aligned with user requirements.
  • Consistent VDI User Assignment: Ensure that every Client Configuration that requires this functionality has a single designated VDI user. Configurations in which multiple multi-user desktop environments are assigned to user groups with different VDI tunnel users are not supported. This consistency prevents disruptions to the dedicated tunnel caused by configuration changes.
  • Regular Monitoring: Monitor the tunnel status and user sessions to quickly identify and address issues related to Session ID 0 traffic routing or policy mismatches.

Configuration Considerations

  • Steering Configurations:
    • Steering functions (enable/disable steering) are not applicable to VDI tunnels.
    • Steering and client configurations are applied uniformly, regardless of individual policy matches.
  • Device Classification: Adding device classification for tunnels with a VDI user does not impact policy matching.
  • Unsynced Users: It is expected that users not synchronized with Netskope may still access VDI tunnel traffic.
  • Upgrade Process: Upgrading an existing Netskope Client will not enable VDI mode; a fresh installation is required.
  • SRPv2 Support: Service Routing Protocol v2 (SRPv2) is not supported in the current release and will be added in April 2025.

Additional Notes and Support

  • Tunnel Persistence: The VDI tunnel remains active as long as at least one user is logged into the VDI system. It disconnects only when the last user logs out. The prelogon user will be active if configured before a user session is established.
  • User Deletion Restrictions: If a VDI user is assigned to a client configuration, that user cannot be deleted from the Users page to maintain tunnel stability.
  • Troubleshooting: Review the npadebug.log file for detailed log entries regarding tunnel creation and user enrollment.
  • Further Assistance: For additional help, contact Netskope Support.