Team,

I have a website URL port 443 configured for NPA due to Geo-restrictions. I have developers that need to access a US site. I have a Publisher in my data center in the US behind a gateway public IP of 168.xxx.xx.x. When my user hits the web URL, they get a 163.xxx.xx.x address. Shouldn’t the NPA website URL use the local gateway address for egress traffic? It appears the NPA traffic is using the SWG tunnel. 

 

Thanks. 

That sounds like NPA is not configured correctly and the traffic is being steered through the SWG instead of the publisher. OR, are you using IPSEC tunnels to steer traffic from the site the publisher exists at?


Thanks.

 

This issue is now resolved. When you turn on “Use Publisher DNS” you must specify the hostname and IP in the private app configuration for the traffic to be tunneled through NPA. Netskope is investigating why this is happening. More to come. 


Ah, I don’t use that option often, but that requirement is documented:

https://docs.netskope.com/en/private-access-best-practices/#best-practice-for-using-the-publisher-dns-feature-in-netskope-private-access

 

For example, if you are trying to access the private application portal.company.com, and that hostname resolves to 10.10.10.10 by the Publisher’s DNS server, the IP address returned to the endpoint process (like a browser) is going to be 10.10.10.10 instead of the stub IP address (191.x.x.x, or 100.64.0.0/16, depending on the version). The browser is then making a request to the IP address 10.10.10.10, which is as arbitrary as any IP address can be and NPA needs to know that it should intercept and tunnel traffic destined to that IP address. This is why you need to include either a CIDR block covering the IP address of the private application or the exact IP address of the private application in the Private App definition.
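To make the behaviour described in the reply above concrete, here is an added example (it is not from the thread and not Netskope code) that models the two resolution modes in Python: a private app definition with hostnames and destination CIDRs, a stub range, and the answers a Publisher's DNS server would return. All hostnames, addresses and the stub value are constructed, and the 100.64.0.0/16 range is just one of the ranges the reply names. The useful part for a practitioner is `uncovered_hosts`, which lists the hostnames whose Publisher DNS answer is not covered by the app's destinations, which is exactly the situation where traffic falls out of NPA and onto the default path.

```python
import ipaddress

# One of the stub ranges the reply mentions; which one applies depends on the client version.
STUB_RANGES = [ipaddress.ip_network("100.64.0.0/16")]

# Constructed private app definition (hypothetical hostnames and addresses):
# the hostnames the app covers plus the CIDR blocks / exact IPs listed in the
# Private App definition. NPA only intercepts traffic to these destinations.
PRIVATE_APP = {
    "hosts": ["portal.company.com", "db.company.com"],
    "destinations": ["10.10.10.10/32"],   # covers portal, but not db
}

# Constructed answers the Publisher's DNS server would return (hypothetical).
PUBLISHER_DNS = {
    "portal.company.com": "10.10.10.10",
    "db.company.com": "10.30.4.7",
}


def resolve(hostname, app, use_publisher_dns, dns=PUBLISHER_DNS):
    """IP the endpoint process (e.g. a browser) ends up connecting to."""
    if hostname not in app["hosts"]:
        return None
    if use_publisher_dns:
        # Real answer from the Publisher's DNS server is handed to the process.
        return dns.get(hostname)
    # Stub mode: the client answers with a synthetic address it already knows
    # to intercept; the exact stub value used here is a constructed choice.
    return str(STUB_RANGES[0][1])


def npa_intercepts(ip, app):
    """True if the client will tunnel traffic to this IP through NPA."""
    addr = ipaddress.ip_address(ip)
    if any(addr in r for r in STUB_RANGES):
        return True
    return any(addr in ipaddress.ip_network(d, strict=False)
               for d in app["destinations"])


def classify(hostname, app, use_publisher_dns, dns=PUBLISHER_DNS):
    """Where a connection to hostname ends up: 'npa', 'default-route' or 'unresolved'."""
    ip = resolve(hostname, app, use_publisher_dns, dns)
    if ip is None:
        return "unresolved", None
    return ("npa" if npa_intercepts(ip, app) else "default-route"), ip


def uncovered_hosts(app, dns=PUBLISHER_DNS):
    """Hosts whose Publisher DNS answer is not covered by the app's destinations.

    With 'Use Publisher DNS' on, traffic to these hosts leaves by the default
    path (SWG tunnel or local gateway) instead of the Publisher.
    """
    return [h for h in app["hosts"]
            if classify(h, app, True, dns)[0] == "default-route"]


if __name__ == "__main__":
    for host in PRIVATE_APP["hosts"]:
        print(host, classify(host, PRIVATE_APP, True))
    print("add destinations for:", uncovered_hosts(PRIVATE_APP))
```

Running it shows `portal.company.com` landing in NPA and `db.company.com` falling to the default route until a CIDR covering 10.30.4.7 is added to the app definition; with stub mode both hosts are intercepted regardless, which is why the requirement only surfaces once Publisher DNS is enabled.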


Thanks. This totally makes sense due to this being ZTNA. 

Question. Would configuring the internal DNS IP as a private app and adding it to an RT policy make a difference? My goal is to be able to use the hostname without the IP with the “Use Publisher DNS” enabled.  


Honestly, I have never tried that. If you end up testing it I’d be interested to hear how that goes.

What’s the use case here for requiring the “use publisher DNS” option? I’ve deployed hundreds of apps via NPA and really have only needed it for supporting connections to domain controllers as detailed in this KB article:

https://docs.netskope.com/en/netskope-private-access-for-microsoft-active-directory-domain-services/#configure-private-apps-for-dns-with-the-publisher-dns-feature-enabled


Excellent question regarding why I enabled “Use Publisher DNS” option. 

I have some of my server and network teams configured with NPA. The teams need to be able to troubleshoot, and as you know, troubleshooting application access using NPA stub IPs is not easy.

After reviewing the documentation, I plan to configure a subnet in NPA for my server and network teams that need access to hundreds of devices. This will allow them to perform troubleshooting and use the Publisher DNS option. 

Thanks again for all the info, this was very helpful. 
