cancel
Showing results for 
Search instead for 
Did you mean: 

Steering Configuration - Tunnel Mode

rfletcher
New Contributor III

Since the upgrade to version 85, I started to notice it doesn't look as if cert pinned application exceptions recognize or apply tunnel exclusions any more. I'm opening a case with Support but I wanted to reach out here to see if anyone else experienced anything similar first. There is a exception for python.exe and if i use the tunnel settings it'll bypass any connections made to those domains but attempt to intercept everything else. 

 

For Example:

Python.exe > Tunnel Mode: pypi.org and Pythonhosted.org 


-Ryan
2 ACCEPTED SOLUTIONS

ross
Netskope
Netskope

I believe Enhanced Cert Pinning (aka Enhanced SSL Pinned Application List feature) means that before making the decision to bypass the traffic from the specified app, the client additionally checks the domain of the traffic from the app. If the domain belongs to the same app (as per defined exception) then the bypass is allowed - otherwise it is not.

 

I guess this prevents a mischievous user renaming an app/process on their managed endpoint to match the app defined for bypass, and then sending traffic to some random destination.

View solution in original post

rfletcher
New Contributor III

Ok, so I have more information now. So we didn't have Enhanced Cert pinning turned on so we didn't have the option to edit custom domains that is highlighted and we still had the configuration that allowed us to do the whitelisting of domain names within the tunnel mode of advanced options.  As shown in the screenshot attached. The one caveat I didn't account for is once it's enabled you have to double back and modify all of your other custom built cert pinned applications. Thank you @ross  and @InfoSecRich for your inputs. 

-Ryan

View solution in original post

5 REPLIES 5

rfletcher
New Contributor III

I'm hearing this might be related to a feature called "Enhanced Cert Pinning". Does anyone have any knowledge or documentation on this feature?

-Ryan

ross
Netskope
Netskope

I believe Enhanced Cert Pinning (aka Enhanced SSL Pinned Application List feature) means that before making the decision to bypass the traffic from the specified app, the client additionally checks the domain of the traffic from the app. If the domain belongs to the same app (as per defined exception) then the bypass is allowed - otherwise it is not.

 

I guess this prevents a mischievous user renaming an app/process on their managed endpoint to match the app defined for bypass, and then sending traffic to some random destination.

View solution in original post

InfoSecRich
New Contributor

Hello, Have you tried the "*" for the domain and then monitoring the logs?

rfletcher
New Contributor III

Ok, so I have more information now. So we didn't have Enhanced Cert pinning turned on so we didn't have the option to edit custom domains that is highlighted and we still had the configuration that allowed us to do the whitelisting of domain names within the tunnel mode of advanced options.  As shown in the screenshot attached. The one caveat I didn't account for is once it's enabled you have to double back and modify all of your other custom built cert pinned applications. Thank you @ross  and @InfoSecRich for your inputs. 

-Ryan

View solution in original post

jforrest
Netskope
Netskope

Please work with Support/TSM to understand the required scope of change to safely enable this feature. TSMs also have more information on this feature included in the Traffic Steering/Bypass section of the VRP.