Refer to case 00555037.
The main reason we have this requirement is that our IdP domain myid.ladwp.com is within the App Discovery list *.ladwp.com (which allows users access to all internal hosts within this domain). However, the problem is that NPA is steering this myid.ladwp.com domain as a Private App, which causes Okta admins to always see the gateway IP as on-premise.
Okta administrators need to see the XFF/Gateway IP. So if a user is working at home or from a remote network, Okta Admins should see that remote network XFF IP address, not our DWP public IP address. When Okta evaluates the IP chain, it uses this XFF IP address to determine whether or not to MFA challenge. At the moment, a remote user always appears to be on-premise from Okta's perspective. This is a problem that we'd like to solve. Hoping you can provide a way to perform NPA bypass similar to how there is steering bypass for SWG/CASB/CFW.
Another strong use case is when the on-premise detection feature is used, in the case where the on-prem detection IP address falls within a range such as 10.0.0.0/8 that is included in App Discovery. As it's a known issue to cause flapping, it would be nice to have a way to easily exclude a specified IP address, instead of having to do the opposite of including every subnet except one.