Today, I will be your guide on creating a Reverse Proxy as a Service (RPaaS) in Google Workspace. We’ll then apply contextual awareness to “guide” employees to steer traffic to Netskope using RPaaS if they are not originating from a Netskope IP address. This is similar to what we do with Microsoft Azure AD RPaaS and conditional access policies; the contextual awareness is Google’s implementation of conditional access.
There are licensing requirements as well as caveats that warrant mentioning. You will need to be licensed for Protect your business with Context-Aware Access - Google Workspace Admin Help. At this point only a limited number of applications work with context awareness; see the picture below.
For SAML apps, policy evaluation occurs on sign-in to the app.
Cloud Identity Premium allows for only the following context awareness policies.
In addition, endpoint management will need to be in place on desktops and mobile devices; see Create Context-Aware access levels - Google Workspace Admin Help.
At a high level, two steps are required to create Google’s Reverse Proxy As A Service and limit access to it. First, set up the reverse proxy as a service as a web SAML application in Google Workspace. Second, configure Context-Aware Access control policies.
Set up Reverse Proxy as a Service
Copy the SAML Proxy ACS URL and Organization ID to be used later.
On the Google Identity Provider Details page, click Continue.
Locate the Google Reverse Proxy As A Service Web SAML application in Web and mobile apps.
Click on the newly defined SAML app in Google Workspace. In the User Access area, click the down arrow and expand the selection.
Turn on the application for everyone and then click Save.
In the upper right-hand corner of the browser, locate the nine dots stacked in a 3x3 pattern (the Google apps launcher). A list of applications will appear.
From that list, select an application to test the Google Reverse Proxy As A Service.
Set up Context-Aware Access Policies
The final step is to create a Context-Aware Access policy that limits access to Google Workspace applications as well as to the Google Reverse Proxy As A Service application.
For Google Workspace applications, block access from non-Netskope IP addresses, i.e. allow only Netskope IP addresses. These of course will vary based on the features in the tenant, such as the Egress IP feature.
For the Google Reverse Proxy As A Service, do the opposite: block access to this application from Netskope IP addresses.
The net effect is that we funnel people to the Google Reverse Proxy As A Service whenever their traffic does not arrive from Netskope, i.e. when the Netskope Client is disabled, connected to another tenant, or access is attempted from a personal device.
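To make the two complementary access levels concrete, here is an added Python simulation of the policy logic (not Google's or Netskope's code). The CIDR ranges are constructed placeholders, since a tenant's real Netskope egress ranges are not on this page; the `policy_drift` check goes a step beyond the text by catching the case where the Workspace allow-list and the RPaaS exclusion-list are maintained separately and no longer match.

```python
import ipaddress

# Constructed placeholder ranges standing in for a Netskope tenant's egress IPs.
# The real list varies per tenant (data plane, Egress IP feature) and is not on this page.
NETSKOPE_EGRESS = ["198.51.100.0/24", "203.0.113.0/24"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def from_netskope(ip, egress=NETSKOPE_EGRESS):
    """True when the request's source address falls inside a Netskope egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _nets(egress))


def route(ip, egress=NETSKOPE_EGRESS):
    """Apply the two complementary access levels.

    Workspace apps admit only Netskope addresses; the RPaaS SAML app admits only
    non-Netskope addresses, so every source address gets exactly one path."""
    return "direct" if from_netskope(ip, egress) else "via-rpaas"


def uncovered(cidrs_a, cidrs_b):
    """Networks in cidrs_a that no single network in cidrs_b fully contains.

    Conservative: a range covered only by several smaller ranges in cidrs_b
    is still reported, so review the output rather than treating it as a hard failure."""
    return [str(a) for a in _nets(cidrs_a)
            if not any(b.supernet_of(a) for b in _nets(cidrs_b))]


def policy_drift(workspace_allow, rpaas_exclude):
    """Compare the Workspace allow-list with the RPaaS exclusion-list.

    Addresses excluded from RPaaS but not allowed direct are blocked on both paths;
    addresses allowed direct but not excluded from RPaaS get both paths and escape
    the funnel. An empty result on both keys means the two lists match."""
    return {
        "blocked_both_ways": uncovered(rpaas_exclude, workspace_allow),
        "allowed_both_ways": uncovered(workspace_allow, rpaas_exclude),
    }


if __name__ == "__main__":
    for ip in ["198.51.100.7", "192.0.2.10"]:          # constructed sample sources
        print(ip, "->", route(ip))
    print(policy_drift(NETSKOPE_EGRESS, ["198.51.100.0/24"]))
```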
Just like setting up the Google Reverse Proxy As A Service application in Google Workspace, this takes a number of steps.
Enable endpoint verification
The following OSes are supported for endpoint verification (mobile devices are excluded from this discussion).
Click on the check-box for Monitor which devices access organization data and then click Save.
Verify endpoint verification
Turn on Context-Aware Access
Create an Access Level
Test Access to Google Workspace Applications
Confirm access to applications with the Netskope Client on and with the Netskope Client disabled.
With the Netskope Client disabled, access to the application is blocked and a notification page will be displayed.