Solved

Netskope client SSL decryption issues

  • 7 June 2023
  • 5 replies
  • 585 views

Userlevel 2
  • Netskope Partner
  • 10 replies
Our Real-time protection policies are simple - block high risk websites, allow enterprise websites and alert uploads and downloads of social media. No NPA. We have multiple issues with traffic passing through Netskope SSL decryption.
 
Few issues we noticied so far (be it any browser - firefox, chrome, edge or tor)
- websites (with SSL decryption) are intermittently not loaded (one day they work fine, next day they won't and the cycle repeats again)
- websites (with SSL decryption) are extremely slow
- downloading objects like 200MB files takes high times (minutes to hours)
- few websites have their dynamic buttons disabled or not becoming live
- there are instances the websites failed won't show in debug logs, application & page events & alerts. Clearly killed by Netskope client, but not logged or sent to cloud. The websites works as soon as we mention in SSL BYPASS.
 
Same sites with SSL bypass
- websites (with SSL bypass) are loading every time without intermittent issues
- websites (with SSL bypass)) are loading faster every time
- downloading objects like 200MB files takes few seconds
- websites having their dynamic buttons work as expected.
 
So, our current workaround is, if any Netskope client complains about a website, we are adding them to SSL bypass. However, it beats the purpose of inspection because traffic left encrypted will not be further analyzed by Netskope. Important inspection and detection capabilities will not be useful. We have Netskope cases logged, but clear cause hasn't been found yet.
 
We believe Netskope client and cloud are rewriting headers and content which causes overload and minor delays are understandable. However, the performance dropping by 10 times is not ideal. Admin guide and KBs don't mention or talk about the throughput times or performance improving features, unlike onsite appliances where a company can pick high specification models for faster throughputs and higher performance.
 
We are reaching out to community to see if others noticed these issues & how they overcome issues instead of SSL Bypass. Please share your ideas.
icon

Best answer by Indu 23 June 2023, 08:47

View original

5 replies

Seeing similar behavior, especially with Google Docs, that we just posted about. 

Userlevel 2
Badge +11

@Indu - So far I did not see this behavior on our end. There is a KB article in Netskope that has very good breakdown on how to approach troubleshooting performance related issues. This will be a good start, pick an application run some test as per this KB article to see where the latency is. 

 

https://support.netskope.com/s/article/Netskope-Performance-Troubleshooting-Guide

 

Also, ensure few basic things that if user is connected to nearest POP, Netskope client is updated to latest stable golden release or current version which will have fixes that might improve certain things. If you have remote access VPN's and on-prem firewall VPN's running in full tunnel mode then ensure Netskope traffic is configured in split tunnel mode to directly connect to web instead of going through VPN tunnel. There might be a chance the nearest POP might have some outages or issues which might had a temporary effect. 

 

In case everything looking good and still not sure, open a support ticket and escalate it to your TAM to get better support.

 

Thanks

Userlevel 2
Badge +11

Also to add on to, ensure you are using DTLS tunnel for your client configurations.

 

https://docs.netskope.com/en/netskope-client-configuration.html#UUID-9f0bd5ec-2750-b8a4-9cfb-5d36a7ab5868_section-idm4622793005625632607891040957

Enabling DTLS option supersedes TLS (Transport Layer Security) tunnel for communication thereby improving the network process. TCP inherently slows the overall flow performance if the network has high latency and packet drops.  To overcome this issue, use DTLS tunnel (UDP tunnel). To know the current protocol, click the Client icon > Configurations > Tunnel Protocol.

Userlevel 2

Thanks ark007 for your suggestions. We are already following setup as per KB. Using Digital Experience Management, we noticed that client to Netskope POP latency is ok, but Netskope POP to app latency is high. We are dealing this with Netskope support.

Badge +5

Our organization is having these same issues. We have found that websites using cloudfront for loading various elements seem to cause us the most trouble (we frequently have to View Source in the browser to see if cloudfront is involved behind the scenes). So even if we add a given domain to SSL bypass, the page will fail to load because it loads page elements from a cloudfront.net URI, which gets steered to Netskope for SSL decryption and may or may not load. When we disable the Netskope client, the page loads correctly. And bypassing *.cloudfront.net is not a suitable option for us due to creating a huge gap in our security visibility. So what are we to do?

Netskope support has mentioned this may be an SNI issue, and suggested we could try enabling SNI check, but we cannot do that in our environment because many of our partner websites use IP allowlists that restrict traffic to a specific range of IPs, which won’t work with SNI.

We’ve only got 200+ users on Netskope right now, but we’re getting ready to expand that to 3,000+ users. I’m concerned how many calls we’re going to get from our users for this issue when we deploy it to the rest of the company.

Reply