Question

Source anchor AWS Workspaces to publishers?

  • March 25, 2026
  • 5 replies
  • 58 views

extra_ranch

Thank you in advance - as a security measure, I was wondering if rather than bypassing traffic to AWS Workspaces from Netskope, might it be possible instead to source anchor traffic from our AWS Netskope publishers and configure IP restrictions from the AWS-end, such that access to our Workspaces tenant was restricted to our AWS/Netskope publishers? We’d ideally only like for access to AWS Workspaces to be driven from Netskope client-driven endpoints.

5 replies

hvanachterberg
  • Netskope Employee
  • March 27, 2026

Did you consider the dedicated IP address license from Netskope, as this will solve the source IP anchoring challenge?


notskope
  • New Member III
  • March 27, 2026

Yes, it is possible if you have NPA. It’s in the documentation:

https://docs.netskope.com/en/source-ip-anchoring-for-an-idp-with-netskope-private-access


notskope
  • New Member III
  • March 27, 2026

Yes, it is possible. Check the documentation under source-IP-anchoring. I have done so many times for many customers.


extra_ranch
  • Author
  • March 31, 2026
  1. We unfortunately don’t have a dedicated egress IP license as it is highly cost-prohibitive.
  2. I understand the concept of source anchoring, but AWS Workspaces, as a service, is comprised of numerous URLs for health checking, streaming, etc.

     I was hoping we could source anchor by way of an app configuration or instance rather than parsing out hundreds of URLs…?

hvanachterberg
  • Netskope Employee
  • March 31, 2026

The logic with IDP is that you only allow access to this app through your IDP, which checks the source IP. You only configure your IDP as an NPA app so that Netskope users that try to authenticate are coming from your location; after that, they go directly to, e.g., AWS. Because you got a valid SAML response, you are able to use the service (directly).