
Hello,

I want to clarify if the Netskope client is required for NPA access for users who are at the office.

We have deployed NPA so that we can force an external public application's traffic through a publisher to get a fixed public IP address due to public IP address whitelisting requirements. As we have IPSec tunnels connecting the site to Netskope cloud, do we still need to have the client installed on the users' device? Do we need to have browser based access configured for this to work?

For Zscaler this is not a requirement. We use Zscaler ZPA for another customer to route Guest Wifi clients to the self-registration portal. The Guest traffic goes over IPsec tunnels to the Zscaler cloud and Zscaler sends it to a ZPA connector. This allows the routing of Guest traffic without having to send it over the customer's internal network.

This setup does not seem to work in Netskope. If application traffic is sent over the IPsec traffic to Netskope, it is not sent to the Publisher. It works when the client is used. Would it work if we enabled browser based access?

Many thanks,

Michael

I don’t believe NPA interacts at all with IPSEC tunnels. Clientless NPA should work, I would think, as that ultimately goes to a dedicated Netskope domain to get handled.


@Michael Horne OCD 

If a user is on premise without a client and this traffic is sent to Netskope via IPSEC tunnel then it will egress Netskope’s IP space by default. There are options to forward this traffic back to on premise devices using a forward to proxy policy option along with other options such as bypassing the traffic from the IPSEC tunnel so it doesn’t get sent to Netskope.  

If this is a requirement for you, please reach out to your local Netskope Channel SE or account team so we can provide architecture options for this use case. 

 


If your only purpose is Source IP Anchoring, and you’re not deploying NPA for any other purposes, then perhaps dedicated-egress-ip-addresses.pdf might also work for you?

https://docs.netskope.com/en/security-cloud-platform-configuration/#dedicated-egress-ip-footprint-1

--Erik

 


Hello @elawaetz,

Dedicated Egress IP comes with extra licensing / cost and the functionality is not necessarily for just a fixed external IP.

Regards,

Michael


Hello @sshiflett,

Ok, I will reach out to my local SE.

Regards,

Michael

