
Hi,

If a customer has a corporate site where they configure Cloud Explicit Proxy as a steering method and they have clientless devices, such as servers, and the customer wants all traffic to be authenticated, what is the difference between configuring a SAML Forward Proxy account to authenticate this traffic and configuring a Reverse Proxy as a Service on the Netskope tenant? Additionally, which option is the best approach?

If the clientless device is a BYOD from a third-party worker, I assume that the best option would be to use the Reverse Proxy so that they don’t need to change the proxy settings on the device. But what about servers or corporate-managed clientless devices? What kind of authentication method should be used for them, and what are the differences, if any, between these methods?

 

Thanks! Regards

@ElTetu

 

This requires a bit of a broader discussion, but in general, the answer for servers and managed devices is the client, IPSEC/GRE, or explicit proxy. We would need to better understand if these are unattended servers and what authentication is required.

Reverse Proxy will not be applicable to the servers, as it requires user authentication, as SAML is the redirection method. Clientless BYOD can be served a number of different ways when on premise, including IPSEC/GRE, and as of R125 DNS security is in EA for content filtering and additional use cases such as Guest WiFi network.

Authentication usually comes via the client or SAML integration, but if a deeper discussion is required, I’d suggest reaching out to your local account team or channel engineer to assist with a deeper architecture discussion based on your use case.


Thanks a lot for your answer @sshiflett!

The end customer decided to adopt an explicit proxy solution, as they are more comfortable managing PAC files than IPSEC/GRE tunnels, and they don’t really expect a lot of BYOD users on premises.

My original question went looking for this deeper discussion, from a forum point of view, just to gain more knowledge and understanding of Netskope and SSE solutions in general :)

 

