Netskope Client Configuration overview

  • 29 June 2021

  • Netskope Employee

Tenant specific configuration

These configurations are common to all users, since they belong to one tenant. The Netskope client service loads them as soon as it starts, and updates them on events such as a policy change or config change (checked periodically).

Config Location

  1. Netskope-client for Windows stores these configurations in “%PROGRAMDATA%/netskopestagent”.
  2. Netskope-client for macOS stores these configurations in “/Library/Application Support/Netskope/STAgent”.

Config Files

1. nsconfig.json
  • Purpose: Contains various tenant-level configurations
  • Fetching:
    • When Config version changes (polls for latest config)
    • On-demand config update (from nsdiag or UI)
    • User Login-Event (done to identify if we have config of a higher priority user group)
  • Mandatory Config: Yes (default is generated)
  • API: v2/config/org/clientconfig?orgkey=<orgkey>&hashkey=<userkey>&tenantconfig=1
  • Frequency:
    1. Download for the first time or new config version
      1. First Time: 10 Minutes interval (until success)
      2. Checks for new Config version in 5 Minutes (Fast Sync Mode) otherwise 60 minutes
      3. If new config version is available then download in 3 to 10 Minutes interval (backoff logic)
    2. On-Demand Config Download
    3. New User Login
      1. To check the higher group priority case
  • API Timeout: 10 Seconds

2. nsdomain.json
  • Purpose: Provides the steering mode (CASB/Web) along with the domains to steer (CASB). Also has a config for dynamic steering
  • Fetching:
    • When Config version changes (Client polls for latest config in config update interval)
    • On-demand config update (from nsdiag or UI)
  • Mandatory Config: Yes
  • API:
    • (V6) steering_config_2 and dynamic Steering: v1/steering/domains?orgkey=<orgkey>&userkey=<userkey>&os=<OS>
    • (V5) steering_config_2: steering/domains?orgkey=<orgkey>&userkey=<userkey>&os=<OS>
    • (V4): v4/config/org/domains?orgkey=<orgkey>&userkey=<userkey>&os=<OS>
  • Frequency:
    1. Download for the first time or new config version
      1. First Time: 10 Minutes interval (until success)
      2. Checks for new Config version in 5 Minutes (Fast Sync Mode) otherwise 60 minutes
      3. If new config version is available then download in 3 to 10 Minutes interval (backoff logic)
    2. On-Demand Config Download

3. nscacert.pem
  • Purpose: Netskope CA Certificate used as the root certificate
  • Mandatory Config: Yes
  • API: config/ca/cert?hashkey=<userkey>&orgkey=<orgkey>

4. nstenantcert.pem
  • Purpose: Tenant specific Certificate used as an intermediate certificate
  • Mandatory Config: Yes
  • API: config/org/cert?orgkey=<orgkey>

5. nsbypass.json
  • Purpose: Provides a list of cert-pinned apps that need to be bypassed/blocked by the Client
  • Mandatory Config: No
  • API:
    • (V3) steering_config_2 and dynamic Steering: v1/steering/pinnedapps?orgkey=<orgKey>&userkey=<userKey>&os=<OS>
    • (V2) steering_config_2: steering/pinnedapps?orgkey=<orgKey>&userkey=<userKey>&os=<OS>
    • (V1): config/org/getcertpinnedapplist?orgkey=<orgKey>&os=<OS>

6. nsexception.json
  • Purpose: Provides a list of domains/subnets/IP addresses which need to be bypassed by the Client
  • Mandatory Config: Yes
  • API:
    • (V3) steering_config_2 and dynamic Steering: v1/steering/exceptions?orgkey=<orgKey>&userkey=<userKey>
    • (V2) steering_config_2: steering/exceptions?orgkey=<orgKey>&userkey=<userKey>
    • (V1): config/getexceptionlist?orgkey=<orgKey>&hashkey=<userKey>

7. nstunnelpolicy.json
  • Purpose: Provides a set of apps and domains which need to be bypassed/blocked by the Client
  • Mandatory Config: No
  • API: config/org/gettunnelpolicy?orgkey=<orgKey>&os=<OS>

8. nsoverlap.json
  • Purpose: Provides the steering decision for the scenario where different SaaS services get resolved to the same IP address
  • Mandatory Config: No
  • API: config/getoverlappingdomainlist?orgkey=<OrgKey>

9. nsdeviceid.json
  • Purpose: Lists the rules that need to be checked for the purpose of device classification (managed, unmanaged, unknown, unconfigured)
  • Mandatory Config: No
  • API: v2/config/org/getmanagedchecks?orgkey=<OrgKey>&os=<OS>

10. nsbypasscat.json
  • Purpose: TBD
  • Mandatory Config: No
  • API:
    • (V2) steering_config_2: steering/categories?orgkey=<orgKey>&userkey=<userKey>
    • (V1): config/getbypasscategorylist?orgkey=<orgKey>&hashkey=<userKey>

11. certutil.json
  • Purpose: Install the certificate in the Firefox cert store
  • Fetching: For each logged-in user, in case a Firefox installation/Firefox update is detected, the cert utils are downloaded (if not already downloaded) and certutil.json is created (containing the Firefox version)
  • Mandatory Config: No
  • API: config/getcertutil?orgkey=<OrgKey>&version=<FireFoxVersion>&os=<OS>
  • Frequency:
    1. User Login
      1. Firefox already installed
      2. Installation is detected (one-hour interval)

12. nsuserconfig.json
  • Purpose: Used to identify multi-user deployment
  • Fetching: Generated locally during Netskope client installation
  • Mandatory Config: No (Yes in case of multi-user deployment)
  • API: N/A

User-specific configuration

These configurations are specific to the logged-in user. 

Config Location

For single-user mode deployment, these configurations are created at the same location as the tenant-specific configuration. For multi-user deployment, these files are located as follows:

  1. Netskope-client for Windows stores these configurations in “%APPDATA%/netskopestagent”.
  2. Netskope-client for macOS stores these configurations in “<Home Directory>/Library/Application Support/Netskope/STAgent”.

Config Files

1. nsbranding.json
  • Purpose: This config is required to bootstrap the Client for each user. It uniquely identifies the user.
  • Fetching: Downloaded (if not already present) on user login or on force config update (from nsdiag or UI)
  • Mandatory Config: Yes
  • API:
    • Activation Key: config/useractivationkey/getbranding?tenantid=<TenantID>&userkey=<Userkey>&activationkey=<activationkey>&os=<os>
    • Install Params: api/v1/userconfig?token=<restToken>&email=<userEmail>&configtype=agent
    • IdP Enrollment: config/user/getbrandingbyemail?orgkey=<org key>&email=<email-id>
    • User Login (UPN): /config/user/getbrandingbyupn?orgkey=<orgKey>&upn=<username/UPN Hash>
  • Frequency:
    • One time - During Installation (Single user):
      1. Activation Key
      2. Install Params
    • Multiple Times based on Login Events (PerUser deployment or IdP deployment):
      1. IdP Enrollment
      2. User Login (AD joined)
  • Timeout: 10 Seconds

2. nsusercert.p12
  • Purpose: User-specific certificate, used to sign Tunnel
  • Fetching: Downloaded on user login
  • Mandatory Config: Yes
  • API: v2/config/user/cert
  • Frequency:
    1. New User Login (Retry in 10 mins till success)
    2. New Config Version
    3. On-Demand Config Download

3. eventcache.json
  • Purpose: Used as a cache to store client status events
  • Fetching: This config file is locally created (i.e. not downloaded) on user login, but it is used to push cached client status later.
  • Mandatory Config: No
  • API: v2/update/clientstatus
  • Frequency:
    1. Push the client status every 5 minutes until all log-in user status is pushed successfully.
    2. An attempt to push the install event is made every 1 min until the install event is pushed successfully.
  • Timeout: 10 Seconds

4. nsdeviceidstatus.json
  • Purpose: Used to store the device classification status obtained from an addon (by post method)
  • Fetching: Downloaded on user login if device classification rules are configured (see nsdeviceid.json above)
  • Mandatory Config: No
  • API: client/deviceclassification?orgKey=<OrgKey>&hashkey=<Userkey>
  • Frequency:
    1. New User Login (Retry in 10 mins till success)
    2. New Config Version
    3. On-Demand Config Download
  • Timeout: 10 Seconds

5. nsuser.conf
  • Purpose: Used to maintain client status and tunnel status
  • Fetching: This file is locally generated, but certain configuration parameters like admin-force-enable-client are fetched during user login or force-update config file.
  • Mandatory Config: No
  • API: v3/support/client/post
  • Frequency: Every 5 minutes
  • Timeout: 10 Seconds
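
A health check built from the config files and locations listed above, as an added example that is not Netskope's own tooling: it resolves the tenant and user config directories and reports mandatory files that are missing, empty, or (for the .pem files) contain no certificate block. The function names and the PEM marker check are assumptions made for illustration.

```python
import os
import platform
from pathlib import Path

# Files marked "Mandatory Config: Yes" on this page.
TENANT_MANDATORY = ("nsconfig.json", "nsdomain.json", "nscacert.pem",
                    "nstenantcert.pem", "nsexception.json")
USER_MANDATORY = ("nsbranding.json", "nsusercert.p12")

def config_dirs(system, env, home, multi_user):
    """Resolve (tenant_dir, user_dir) from the locations listed on this page."""
    if system == "Windows":
        tenant = Path(env["PROGRAMDATA"]) / "netskopestagent"
        user = Path(env["APPDATA"]) / "netskopestagent"
    else:  # macOS
        tenant = Path("/Library/Application Support/Netskope/STAgent")
        user = Path(home) / "Library/Application Support/Netskope/STAgent"
    # Single-user mode keeps the user files beside the tenant files.
    return tenant, (user if multi_user else tenant)

def check_file(path):
    """Return None if the file looks usable, else a short problem string."""
    if not path.is_file():
        return "missing"
    data = path.read_bytes()
    if not data:
        return "empty"
    # Assumption: a usable .pem file carries a standard PEM certificate header.
    if path.suffix == ".pem" and b"-----BEGIN CERTIFICATE-----" not in data:
        return "no PEM certificate block"
    return None

def audit(tenant_dir, user_dir, multi_user=False):
    """Map file name -> problem for each mandatory config that fails a check."""
    required = [(tenant_dir, n) for n in TENANT_MANDATORY]
    required += [(user_dir, n) for n in USER_MANDATORY]
    if multi_user:  # nsuserconfig.json is mandatory only for multi-user deployment
        required.append((tenant_dir, "nsuserconfig.json"))
    problems = {}
    for directory, name in required:
        issue = check_file(Path(directory) / name)
        if issue:
            problems[name] = issue
    return problems

if __name__ == "__main__":
    tenant, user = config_dirs(platform.system(), os.environ, Path.home(), False)
    for name, issue in audit(tenant, user).items():
        print(f"{name}: {issue}")
```
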

Addon API calls during user login

On user login, the Netskope client calls the following Addon APIs. These calls are made by design, and there is currently no config that can disable them.

  1. Download Admin settings (done to identify if we have config of a higher priority user group) and update nsconfig.json
  2. API to get support parameters
    1. Detect admin-force-enable of the client and update nsuser.conf
    2. Detect auto-uninstall
    3. Fast config syncing
    4. Client log upload
    5. Client user reconfigure
  3. Download user cert
  4. If device classification rules are configured, API to post device classification status and update nsdeviceidstatus.json
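
The API paths listed on this page carry tenant and user identifiers (orgkey, userkey, hashkey, activationkey, token, email, upn) in the query string, so those values appear wherever the URLs are logged. The following added example, which is not part of the original post, maps each logged URL to the config file it populates and masks those parameters before a log is shared. The host name, log layout and sample lines are constructed, and treating every listed parameter as identifying is an assumption.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Config file -> API paths that populate it, copied from this page
# (mandatory configs only, to keep the example short).
FILE_APIS = {
    "nsconfig.json": ["v2/config/org/clientconfig"],
    "nsdomain.json": ["v1/steering/domains", "steering/domains", "v4/config/org/domains"],
    "nscacert.pem": ["config/ca/cert"],
    "nstenantcert.pem": ["config/org/cert"],
    "nsexception.json": ["v1/steering/exceptions", "steering/exceptions",
                         "config/getexceptionlist"],
    "nsbranding.json": ["config/useractivationkey/getbranding", "api/v1/userconfig",
                        "config/user/getbrandingbyemail", "config/user/getbrandingbyupn"],
    "nsusercert.p12": ["v2/config/user/cert"],
}
PATH_TO_FILE = {path: name for name, paths in FILE_APIS.items() for path in paths}

# Assumption: every one of these parameters identifies the tenant or the user.
IDENTIFYING = {"orgkey", "userkey", "hashkey", "activationkey",
               "token", "email", "upn", "tenantid"}

# Constructed sample log in the form "<timestamp> <url>"; the host is a placeholder.
SAMPLE_LOG = [
    "2021-06-29T10:00:00Z https://addon.example.invalid/v2/config/org/clientconfig?orgkey=ORG1&hashkey=USR1&tenantconfig=1",
    "2021-06-29T10:00:02Z https://addon.example.invalid/v1/steering/domains?orgkey=ORG1&userkey=USR1&os=win",
    "2021-06-29T10:00:03Z https://addon.example.invalid/config/user/getbrandingbyemail?orgkey=ORG1&email=user%40example.invalid",
    "2021-06-29T10:00:04Z https://addon.example.invalid/some/other/path?orgkey=ORG1",
]

def classify_and_redact(url):
    """Return (config file or None, URL with identifying parameters masked)."""
    parts = urlsplit(url)
    config_file = PATH_TO_FILE.get(parts.path.strip("/"))
    query = [(k, "REDACTED" if k.lower() in IDENTIFYING else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return config_file, urlunsplit(parts._replace(query=urlencode(query)))

def summarize(log_lines):
    """Count fetches per config file; collect masked URLs for unlisted paths."""
    counts, unknown = {}, []
    for line in log_lines:
        config_file, safe_url = classify_and_redact(line.split()[-1])
        if config_file:
            counts[config_file] = counts.get(config_file, 0) + 1
        else:
            unknown.append(safe_url)
    return counts, unknown

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
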

 


1 reply


Hi Jason, can you share details on what the userkey contained in nsbranding is used for other than uniquely identifying a user? For example, does it play any role in the establishment of the tunnel used for steering?
