Hello everyone,Here's my problem: we have a bastion server on AWS (Active Directory authentication) that is restricted in terms of authorized IPs (at the AWS instance level), and we need mobile service providers (smartphone access points, for example, so no fixed IPs, and we can't open the entire internet without our authentication portal being blown up in 2 seconds) to be able to connect to it.The IP ranges of our Netskope server are authorized, so my question is: Would it be possible to create a specific Netskope client that service providers could activate when they need to connect to our bastion server and then deactivate it after ? Has anyone had a similar need? I asked the AI, and they told me it's possible. Theoretically, I should create a "mobility providers" user group where we could place the email addresses of our mobility providers for enrollment, but I don't have this menu, even though I'm a "tenant admin." Our Netskope account supports SWG and NPA.Thanks in advance if you can help me. Have a nice day!
Question
Netskope Client for External Service Providers
+2
Option 1: Look within your organization to see if there is anything that can act as a forward proxy, for example Netscaler.
Then you can make a Netskope Realtime rule to your bastion server that says that particular destination should be sent to your forward proxy. Your forward proxy would have a rule that, coming from Netskope, it should forward on the request. You can restrict it by user group or other criteria if you want.
I can’t talk about the specifics of a Bastian server and the traffic protocols, I assume you use 80/443 (Netskope) to use RDP/SSH, the latter not routed by Netskope unless you are using one of their other products. But we have a 30 + apps that require the corporate network as source and the above solution works great. Note that you will want to consider that this extends - in a good way for us - the ability to reach those resources from anywhere, which makes it great if the Internet is out at your corporation you can still get to your cloud resources. Or, you can change the rule criteria to say the source IP must be from your internal network too in order to work.
Option 2: Ask for dedicated egress Netskope addresses and configure to those. They have several options as far as countries. This started out as cheap, and now is expensive (in our opinion)
Option 3: Go ahead and configure to Netskope’s IP range. At least if you ever have someone trying to break break in, you can ask Netksope who that was, they will have a detailed record! Source IP should not be the sole control, so opening it up to the Netskope space isn’t all that risky if you have MFA.
Option 4: Tell Netskope to bypass your bastion server. Then you will get the true IP every time.
Option 4 - there is probably an NPA way of doing this, but we do not subscribe. NPA would be good if you have vendors that can’t have the client.
If it is RDP then NPA with a publisher configured for AnyApp access that allows browser based RDP/SSH connections to be established, in terms of created a mobility group I assume it just means to create an AD/Entra group called mobility access and then create associated steering and client configurations for those users that need access
Ben
Sign up
Already have an account? Login
Sign in or register securely using Single Sign-On (SSO)
Employee Continue as Customer / Partner (Login or Create Account)Login to the community
Sign in or register securely using Single Sign-On (SSO)
Employee Continue as Customer / Partner (Login or Create Account)Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.