Solved

Steering Configuration - Tunnel Mode

  • May 27, 2021
  • 5 replies
  • 518 views


Since the upgrade to version 85, I started to notice that cert pinned application exceptions no longer seem to recognize or apply tunnel exclusions. I'm opening a case with Support, but I wanted to reach out here to see if anyone else has experienced anything similar first. There is an exception for python.exe, and if I use the tunnel settings it'll bypass any connections made to those domains but attempt to intercept everything else.


For Example:

python.exe > Tunnel Mode: pypi.org and pythonhosted.org


Best answer by ross


This topic has been closed for replies.

5 replies

  • Author
  • New Member III
  • 14 replies
  • May 27, 2021

I'm hearing this might be related to a feature called "Enhanced Cert Pinning". Does anyone have any knowledge or documentation on this feature?


ross
  • Netskope Employee
  • 9 replies
  • Answer
  • May 27, 2021

I believe Enhanced Cert Pinning (aka Enhanced SSL Pinned Application List feature) means that before making the decision to bypass the traffic from the specified app, the client additionally checks the domain of the traffic from the app. If the domain belongs to the same app (as per defined exception) then the bypass is allowed - otherwise it is not.

I guess this prevents a mischievous user renaming an app/process on their managed endpoint to match the app defined for bypass, and then sending traffic to some random destination.


InfoSecRich
  • New Member
  • 1 reply
  • May 28, 2021

Hello, have you tried the "*" for the domain and then monitoring the logs?
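
The decision ross describes, as an added example that is not part of this thread or of Netskope's client code. It models two modes side by side: the legacy bypass keyed on the process name alone, and Enhanced Cert Pinning, where the destination domain must also be on the app's list, and runs InfoSecRich's "*" suggestion through the same check. The matching rules (case-insensitive, a bare domain covering its subdomains, "*" meaning any host), the hypothetical host dropbox.example and the curl.exe case are assumptions constructed for illustration, not documented client behaviour.

```python
"""Toy model of steering decisions with and without Enhanced Cert Pinning.

Added example, not Netskope code. It models the behaviour ross describes
(process name must match AND destination domain must be on the app's list)
next to the legacy process-only bypass, and shows what a "*" domain entry
(InfoSecRich's suggestion) does to that check. The matching rules
(case-insensitive, bare domain covers its subdomains, "*" means any host)
are assumptions for illustration, not documented client behaviour.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PinnedApp:
    """A cert-pinned application exception: process name plus allowed domains."""
    process: str
    domains: Tuple[str, ...] = ()


def host_matches(host: str, pattern: str) -> bool:
    """Assumed rule: exact match, or subdomain of a bare domain; '*' matches any host."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        pattern = pattern[2:]
    return host == pattern or host.endswith("." + pattern)


def steer(process: str, host: str, apps: List[PinnedApp], enhanced_pinning: bool) -> str:
    """Return 'bypass' (leaves the tunnel uninspected) or 'intercept'."""
    for app in apps:
        if app.process.lower() != process.lower():
            continue
        if not enhanced_pinning:
            # Legacy behaviour: the process name alone earns the bypass.
            return "bypass"
        # Enhanced Cert Pinning: the destination must also belong to the app.
        if any(host_matches(host, d) for d in app.domains):
            return "bypass"
        return "intercept"
    # No exception for this process at all: normal steering applies.
    return "intercept"


# Constructed policy mirroring the thread: python.exe -> pypi.org, pythonhosted.org
PYTHON_APP = PinnedApp("python.exe", ("pypi.org", "pythonhosted.org"))
# The same app with "*" as its only domain (InfoSecRich's suggestion).
WILDCARD_APP = PinnedApp("python.exe", ("*",))


def compare_modes() -> Dict[str, Dict[str, str]]:
    """Run constructed destinations through each configuration.

    'renamed-binary' is ross's scenario: an unrelated binary renamed to
    python.exe talking to a host that is not on the exception's list.
    """
    cases = {
        "pip-index": ("python.exe", "pypi.org"),
        "pip-files": ("python.exe", "files.pythonhosted.org"),
        "renamed-binary": ("python.exe", "dropbox.example"),  # hypothetical host
        "other-process": ("curl.exe", "pypi.org"),
    }
    results: Dict[str, Dict[str, str]] = {}
    for name, (proc, host) in cases.items():
        results[name] = {
            "legacy": steer(proc, host, [PYTHON_APP], enhanced_pinning=False),
            "enhanced": steer(proc, host, [PYTHON_APP], enhanced_pinning=True),
            "enhanced_wildcard": steer(proc, host, [WILDCARD_APP], enhanced_pinning=True),
        }
    return results


if __name__ == "__main__":
    for case, modes in compare_modes().items():
        print(f"{case:15} " + "  ".join(f"{k}={v}" for k, v in modes.items()))
```

The renamed-binary row is the point of the feature: with process-only matching, any binary renamed to python.exe reaches any host uninspected; with Enhanced Cert Pinning it is intercepted unless the destination is on the app's list. Under the assumed rules a "*" entry makes the enhanced check behave like the legacy one again, so it is useful for confirming that the pinned-app rule fires at all, but not as a permanent setting.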


  • Author
  • New Member III
  • 14 replies
  • May 28, 2021

OK, so I have more information now. We didn't have Enhanced Cert Pinning turned on, so we didn't have the option to edit custom domains that is highlighted, and we still had the configuration that allowed us to do the whitelisting of domain names within the tunnel mode of advanced options, as shown in the screenshot attached. The one caveat I didn't account for is that once it's enabled you have to double back and modify all of your other custom-built cert pinned applications. Thank you @ross and @InfoSecRich for your inputs.


jforrest
Netskope Employee
  • Netskope Employee
  • 23 replies
  • June 17, 2021

Please work with Support/TSM to understand the required scope of change to safely enable this feature. TSMs also have more information on this feature included in the Traffic Steering/Bypass section of the VRP.