Netskope Global Technical Success (GTS)
KB - Custom Hostname configuration for Netskope Browser Access
Netskope Cloud Version - 128
Objective
This article guides customers through the NPA Browser Access functionality (link), with a focus on the custom DNS hostname and the related TLS certificate.
Prerequisite
Netskope Private Access (ZTNA) entitlement
Configuration
Step #1 - DNS Hostname creation
Path: Netskope Tenant UI >>> Settings >>> Secure Cloud Platform >>> App Definition >>> Private App
During the Private App definition, enabling the “Allow Browser Access” option makes Netskope provide a Public Host associated with this Private App.
This Public Host can be used as the target of a public DNS record (CNAME record type), as shown below. Users will then be able to access the Private App in clientless mode using a custom hostname within the customer's own domain, which in the example below is privateapp.cyberfrenk.top.
Step #2 - Private App Certificate and Key Upload
Path: Netskope Tenant UI >>> Settings >>> Manage >>> Certificates >>> Private App Cert
When a custom hostname is used to access the Private App, Netskope requires a valid certificate for that custom hostname (“privateapp.cyberfrenk.top” in this example). The certificate alone is not enough: to allow Netskope to perform decryption, the certificate must be uploaded together with its private key.
ℹ️ Netskope uses the “.pem” format for the certificate and key upload.
Wildcard certificates in the *.domain.com format are accepted and can be used to cover multiple Private Applications.
The Private App certificate has to include the custom hostname certificate, the Intermediate Certificate Authority and the Root CA. Below is an example that shows the correct format:
ℹ️ This format can be obtained using any standard text editor.
Below is an example of the private key's format:
Step #3 - Uploading Certificate and Key Pair
Path: Netskope Tenant UI >>> Settings >>> Manage >>> Certificates >>> Private app-cert
Here is how it should look after uploading the certificate and key pair:
⚠️ Customers are responsible for replacing/renewing the certificate and re-uploading it before its expiration. We highly suggest replacing/renewing the certificate after working hours and after deleting the existing one; the new certificate will be used by NSProxy after a few minutes.
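The requirements in Steps #2 and #3 (certificate valid for the custom hostname, full chain in one PEM file, matching private key, renewal before expiration) can be checked locally with OpenSSL before uploading. The script below is an added example, not a Netskope tool: the function name check_npa_cert, the file names in the usage comment and the 30-day default are assumptions, and it assumes the custom-hostname certificate is the first PEM block in the bundle.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for a Browser Access certificate bundle.
# Usage: check_npa_cert <bundle.pem> <key.pem> <custom-hostname> [min-days-left]
check_npa_cert() {
  local bundle=$1 key=$2 host=$3 days=${4:-30} rc=0 cert_pub key_pub

  # "openssl x509" reads only the first PEM block, so the custom-hostname
  # (leaf) certificate is assumed to be the first one in the bundle.

  # 1. The leaf must cover the custom hostname (wildcard names are honoured).
  if ! openssl x509 -in "$bundle" -noout -checkhost "$host" 2>/dev/null |
       grep -q 'does match'; then
    echo "FAIL: first certificate in bundle does not cover $host"; rc=1
  fi

  # 2. The leaf must stay valid for at least $days more days.
  if ! openssl x509 -in "$bundle" -noout -checkend $((days * 86400)) \
       >/dev/null 2>&1; then
    echo "FAIL: certificate expires within $days days"; rc=1
  fi

  # 3. The bundle must hold the full chain: the leaf has to verify against a
  #    self-signed root using only the certificates found in the bundle.
  if ! openssl verify -no-CApath -CAfile "$bundle" "$bundle" >/dev/null 2>&1; then
    echo "FAIL: bundle does not chain to a root CA contained in the bundle"; rc=1
  fi

  # 4. The private key must belong to the leaf: compare the two public keys.
  #    "-passin pass:" makes openssl fail instead of prompting for a passphrase.
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the certificate"; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $bundle and $key are consistent for $host"
  return "$rc"
}

# Run the check when called with arguments, e.g. (hypothetical file names):
#   ./check_npa_cert.sh fullchain.pem private.key privateapp.cyberfrenk.top
if [ "$#" -ge 3 ]; then check_npa_cert "$@"; fi
```

Running the same check with a larger min-days-left value on a schedule gives early warning of the expiration that the customer is responsible for handling.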
Limitations
Please be aware that NPA Browser Access has the following limitations:
- Browser Access only supports HTTP/HTTPS Web Applications (HTTP/1.1 and HTTP/2).
- Browser Access does not support HTTP/3.
- Browser Access does not follow HTTP URL redirects in server responses (HTTP 301/302/307 status codes). For example, if the private app server redirects to another internal/external website, the traffic will not be passed using NPA BA. However, we can define another Clientless App to achieve the requirement.
ℹ️ Browser Access recently added support for multiple IdPs. If this option is not visible on your tenant (link), please open a support ticket, selecting “How-to” as the case type, to request its activation.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.