Hello Skope community!

I hope everyone is doing well.

I would like to mention that I have experience with IDP configuration with Azure AD for the install via IDP, using reverse proxy for NPA access over a web browser, among other experiences with Netskope in lab, POC and production environments.

Now I have to configure Reverse Proxy for the following environment.

- Control access to the Office 365 suite (SharePoint, OneDrive, Outlook, etc.)
- IDP: Azure AD / Entra ID.

Environment with users with the Netskope agent, with steering profiles forwarding all Office 365 traffic (SSL Exception, Pinning Apps, O365) to Netskope.
Environment with users with the Netskope agent, with steering profiles with a bypass of Office 365.

What is sought with the use of Reverse Proxy is to control access, upload, download, authentication, etc. to Office 365 from unmanaged computers.

I have already been analyzing and reviewing links to documentation in order to read, analyze and acquire information for the configuration.

https://docs.netskope.com/en/configure-reverse-proxy-in-netskope/
https://docs.netskope.com/en/reverse-proxy-as-a-service-with-microsoft-entra-id-1/

Now, for those in the Skope community who already have experience with configurations of this type of environment, ideally similar to the environment mentioned:

Can you please share your recommendations, advice, warnings, considerations, tips, risks, experiences, etc.?

The idea is that all corporate users with the Netskope agent can work as usual with Office 365, and that, with or without steering, all Office 365 traffic goes through Netskope; and that third parties, endpoints where an agent cannot be installed, where an explicit proxy cannot be used, and endpoint equipment over which there is no control, either cannot access corporate Office 365 or have strict limitations when accessing it.

User01@contoso.com using a computer with the Netskope agent installed, versus User01@contoso.com trying to log in from a non-corporate computer: will it detect when the traffic comes from a computer with the agent installed, so that the reverse proxy does not apply, but when it is a computer without the agent installed, the traffic will go through the reverse proxy?

I thank you in advance for your time, your support and your collaboration.

Thanks: @Rohit_Bhaskar @sshiflett @Mandeep Singh @ejang @aplaza @qyost @Aaron_Zhang

I look forward to hearing from you

Best regards

@MetgatzNK

Apologies for the delayed reply. The traditional reverse proxy detects whether a device is managed based on a few different criteria, but the primary mechanism is the egress IP, which indicates whether a device is being steered through Netskope or not. That being said, when using Reverse Proxy for M365 and the IDP is Entra ID, the flow is a bit different, as Microsoft does not allow third parties to modify the authentication flow, so we leverage Reverse Proxy as a Service in tandem with Conditional Access:

https://docs.netskope.com/en/reverse-proxy-as-a-service-with-microsoft-entra-id-1/

In this scenario, Conditional Access is used to determine which IPs and devices are blocked and must use the Reverse Proxy. Additionally, there is a vanity URL that can be used to simplify this flow too; that is documented in that section. I'd suggest contacting your local Sales Engineer or Channel Engineer for additional details and information, as we also have some roadmap items that enhance this functionality.
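The following is an added illustration (not code from the original thread, from Netskope, or from Microsoft) of the decision the reply describes: a sign-in is treated as coming from a managed, Netskope-steered device only when its egress IP falls inside the tenant's Netskope egress ranges, and anything else is unmanaged and must be routed through the reverse proxy. The egress ranges, the sign-in records and the `key=value` log format are constructed for the example; real ranges come from the tenant's Netskope console, and the real enforcement is done by the Conditional Access policy, not by this script.

```python
"""Model of the egress-IP managed-device check described in the reply.

A sign-in whose source IP lies inside a Netskope egress range is treated as
steered (managed) and may go direct; any other sign-in is unmanaged and must
use the reverse proxy. All ranges and sample records below are constructed."""
import ipaddress
from dataclasses import dataclass

# CONSTRUCTED sample ranges standing in for a tenant's Netskope egress IPs.
NETSKOPE_EGRESS_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


@dataclass
class SignIn:
    user: str
    source_ip: str
    app: str


@dataclass
class Decision:
    user: str
    source_ip: str
    managed: bool
    action: str  # "direct", "reverse_proxy" or "deny"


def is_steered(ip_text: str) -> bool:
    """True when ip_text parses as an address inside a Netskope egress range.

    Anything unparseable counts as not steered, so a malformed value can never
    be mistaken for a managed device."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in NETSKOPE_EGRESS_RANGES)


def decide(signin: SignIn) -> Decision:
    """Apply the egress-IP rule.

    The outcome depends only on where the traffic egresses, not on the
    username: the same account is managed from a steered device and unmanaged
    from any other device, which is the scenario the question asks about."""
    if is_steered(signin.source_ip):
        return Decision(signin.user, signin.source_ip, True, "direct")
    try:
        ipaddress.ip_address(signin.source_ip)
    except ValueError:
        # Fail closed: a sign-in with no usable source address is denied.
        return Decision(signin.user, signin.source_ip, False, "deny")
    return Decision(signin.user, signin.source_ip, False, "reverse_proxy")


def parse_signins(log_text: str) -> list:
    """Parse constructed 'key=value' sign-in lines into SignIn records."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        records.append(SignIn(fields["user"], fields["ip"], fields["app"]))
    return records


def evaluate(log_text: str) -> list:
    """Decide every sign-in in the log, preserving order."""
    return [decide(s) for s in parse_signins(log_text)]


# CONSTRUCTED sample sign-ins. 203.0.113.0/24 is documentation address space,
# used here as "some address outside every steered range" (a non-corporate PC).
SAMPLE_LOG = """\
user=User01@contoso.com ip=198.51.100.25 app=SharePoint
user=User01@contoso.com ip=203.0.113.9 app=OneDrive
user=User02@contoso.com ip=2001:db8:100::1 app=Outlook
user=User03@contoso.com ip=not-an-ip app=Outlook
"""

if __name__ == "__main__":
    for d in evaluate(SAMPLE_LOG):
        print(f"{d.user:<24} {d.source_ip:<18} managed={d.managed!s:<5} -> {d.action}")
```

Running the script shows User01 classified as managed from the steered address and unmanaged from the outside address, which is exactly why the reverse-proxy path cannot be keyed on the user and is instead driven by egress IP (and, for Entra ID, by the Conditional Access policy the reply points to).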
