Hello everyone,

Here's my problem: we have a bastion server on AWS (Active Directory authentication) that is restricted in terms of authorized IPs (at the AWS instance level), and we need mobile service providers (smartphone access points, for example, so no fixed IPs, and we can't open the entire internet without our authentication portal being blown up in 2 seconds) to be able to connect to it.

The IP ranges of our Netskope server are authorized, so my question is: would it be possible to create a specific Netskope client that service providers could activate when they need to connect to our bastion server and then deactivate it after?

Has anyone had a similar need? I asked the AI, and they told me it's possible. Theoretically, I should create a "mobility providers" user group where we could place the email addresses of our mobility providers for enrollment, but I don't have this menu, even though I'm a "tenant admin." Our Netskope account supports SWG and NPA.

Thanks in advance if you can help me. Have a nice day!
Option 1: Look within your organization to see if there is anything that can act as a forward proxy, for example Netscaler.
Then you can make a Netskope Realtime rule to your bastion server that says that particular destination should be sent to your forward proxy. Your forward proxy would have a rule that, coming from Netskope, it should forward on the request. You can restrict it by user group or other criteria if you want.
I can’t talk about the specifics of a Bastion server and the traffic protocols. I assume you use 80/443 (Netskope) to use RDP/SSH, the latter not routed by Netskope unless you are using one of their other products. But we have 30+ apps that require the corporate network as source, and the above solution works great. Note that you will want to consider that this extends - in a good way for us - the ability to reach those resources from anywhere, which makes it great: if the Internet is out at your corporation, you can still get to your cloud resources. Or, you can change the rule criteria to say the source IP must be from your internal network too in order to work.
Option 2: Ask for dedicated egress Netskope addresses and configure to those. They have several options as far as countries. This started out as cheap, and now is expensive (in our opinion)
Option 3: Go ahead and configure to Netskope’s IP range. At least if you ever have someone trying to break in, you can ask Netskope who that was; they will have a detailed record! Source IP should not be the sole control, so opening it up to the Netskope space isn’t all that risky if you have MFA.
Option 4: Tell Netskope to bypass your bastion server. Then you will get the true IP every time.
Option 5: there is probably an NPA way of doing this, but we do not subscribe. NPA would be good if you have vendors that can’t have the client.
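Options 2 and 3 above both come down to maintaining a security group on the bastion whose ingress is exactly the proxy's published egress ranges and nothing else. The following is an added example (my code, not from the thread, Netskope or AWS) of the two pieces a practitioner usually ends up scripting for that: building the `IpPermissions` payload that `boto3`'s `ec2.authorize_security_group_ingress` takes from a CIDR list, and auditing an existing rule set (the shape `describe_security_groups` returns) for drift such as a `0.0.0.0/0` rule or an ad-hoc per-person exception. The CIDRs, the port and the sample rule set are constructed placeholders, not real Netskope ranges; fetch the real egress list from the vendor.

```python
"""Build and audit bastion security-group ingress against a cloud proxy's
egress ranges. Added example; all addresses below are constructed placeholders."""
import ipaddress

# Constructed placeholder allowlist: stand-ins for the proxy vendor's published
# egress ranges (NOT real Netskope addresses; fetch the real list from the vendor).
PROXY_EGRESS_CIDRS = [
    "198.51.100.0/25",
    "198.51.100.128/25",
    "203.0.113.0/26",
    "2001:db8:1::/48",
]

BASTION_PORT = 443  # assumed: the only port the bastion's auth portal exposes


def _collapse(cidrs):
    """Parse CIDRs strictly (a host bit set in the prefix raises ValueError, which
    is what you want in a change pipeline) and merge adjacent/overlapping ranges
    per IP version so the rule set stays under security-group rule limits."""
    nets = {ipaddress.ip_network(c, strict=True) for c in cidrs}
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def build_ingress_permissions(cidrs, port=BASTION_PORT, description="cloud proxy egress"):
    """Return the IpPermissions list for
    boto3 ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=...)."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": []}
    for net in _collapse(cidrs):
        if net.version == 4:
            perm["IpRanges"].append({"CidrIp": str(net), "Description": description})
        else:
            perm["Ipv6Ranges"].append({"CidrIpv6": str(net), "Description": description})
    return [perm]


def audit_ingress(ip_permissions, allowed_cidrs, port=BASTION_PORT):
    """Check an existing rule set (shape of describe_security_groups output)
    against the allowlist. Returns a list of (cidr, issue) findings; empty = clean."""
    allowed = _collapse(allowed_cidrs)
    findings = []
    for perm in ip_permissions:
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # "-1" is AWS's "all protocols"; anything but tcp/<port> is drift
            if proto == "-1" or lo != port or hi != port:
                findings.append((cidr, f"unexpected protocol/port {proto} {lo}-{hi}"))
            if net.prefixlen == 0:
                findings.append((cidr, "open to the entire internet"))
                continue
            # subnet_of() only compares same-version networks, hence the version check
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((cidr, "source not in approved proxy egress ranges"))
    return findings


# Constructed sample of a bastion SG that drifted: one correct rule, one
# "just open it" rule, and one per-person SSH exception on a home IP.
SAMPLE_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.0.2.10/32"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    for cidr, issue in audit_ingress(SAMPLE_SG_INGRESS, PROXY_EGRESS_CIDRS):
        print(f"FINDING {cidr}: {issue}")
    print(build_ingress_permissions(PROXY_EGRESS_CIDRS))
```

Run the audit on a schedule (or as a pre-apply check in whatever pipeline manages the security group) so that the "open to the entire internet" finding fires before the portal is exposed, and keep the vendor range list as the single source of truth fed to `build_ingress_permissions` rather than hand-editing rules. As the reply notes, this is the source-IP layer only; the MFA on the bastion is what actually carries the authentication.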