Netskope Client with Azure AD Conditional access

  • 6 June 2023
  • 4 replies
  • 40 views

Has anyone have a setup where you roll out Netskope client to all your endpoints and configure Azure AD conditional access to allow connections to Microsoft services if they come via Netskope IP?

 

we are doing this as part of our own ZTNA setup to only allow trusted devices/location. 

 

The setup works well with one minor problem. Netskope will have occasionally tunnel down/up (e.g. switching from LAN/docked to Wifi, etc) and that causes netskope to disabled momentarily before re-enabling again. (which means momentarily it shows attempting connection from non netskope IP)

 

This then lead to services e.g. teams, outlook etc require authentication immidiately which is not the best end user experience. 

 

Has anyone encounter this and able to suggest solution/workaround? I dont want to change trusted location to country based as that defeat the purpose of the ZTNA we are doing.


4 replies

Userlevel 6
Badge +16

Hello @TjhiaS,


What function of AzureAD Conditional Access is causing the immediate authentication attempt?  We might want to look at tuning the authentication timers or other options.  

We solved this ourselves in the end through different mechanisms but achieving same result. 

 

Netskope client will always have a momentarily disconnection if network is switching. If conditional access is set to only allow netskope IP and no other IP, then outlook, teams, onedrive will fail instantly and have pop up for re-authentication request.

 

Badge +13

Hello @TjhiaS 

Would yo mind to share details of the solution(s) that you found?
Disconnections after a networkchange is by nature and can't be avoided, so any hint on possible workarounds would be much appreciated!

HI @rkessler . Sure. It is as exactly like you say, any VPN solution going to cloud gateway (including Netskope) will be facing the same issue. So we tweaked our solution with following caveats:

 

1. Only our own computers can access our own infrastructure. 

2. All of our computers must have Netskope Client installed.

3. All of our environment is Azure AD registered/Managed. Only our authorised team can add device as managed/registered device. 

 

The Conditional acccess rule is then:

 

Block all connection unless coming from Device that is Windows OS and is Azure AD managed/Registered. exception to the rule is if such device comes from Netskope Public IP.

 

This works well for us. the exclusion to allow Netskope Public IP still there and handles well for sessions that do not understand AzureAD registered/Managed model, such as incognito or clean cookies session.

Reply