Netskope client SSL decryption issues

Seeing similar behavior, especially with Google Docs, that we just posted about. 

@Indu - So far I did not see this behavior on our end. There is a KB article in Netskope that has very good breakdown on how to approach troubleshooting performance related issues. This will be a good start, pick an application run some test as per this KB article to see where the latency is. 

https://support.netskope.com/s/article/Netskope-Performance-Troubleshooting-Guide

Also, ensure few basic things that if user is connected to nearest POP, Netskope client is updated to latest stable golden release or current version which will have fixes that might improve certain things. If you have remote access VPN's and on-prem firewall VPN's running in full tunnel mode then ensure Netskope traffic is configured in split tunnel mode to directly connect to web instead of going through VPN tunnel. There might be a chance the nearest POP might have some outages or issues which might had a temporary effect. 

In case everything looking good and still not sure, open a support ticket and escalate it to your TAM to get better support.

Thanks

Also to add on to, ensure you are using DTLS tunnel for your client configurations.

https://docs.netskope.com/en/netskope-client-configuration.html#UUID-9f0bd5ec-2750-b8a4-9cfb-5d36a7ab5868_section-idm4622793005625632607891040957

Enabling DTLS option supersedes TLS (Transport Layer Security) tunnel for communication thereby improving the network process. TCP inherently slows the overall flow performance if the network has high latency and packet drops.  To overcome this issue, use DTLS tunnel (UDP tunnel). To know the current protocol, click the Client icon > Configurations > Tunnel Protocol.

Our organization is having these same issues. We have found that websites using cloudfront for loading various elements seem to cause us the most trouble (we frequently have to View Source in the browser to see if cloudfront is involved behind the scenes). So even if we add a given domain to SSL bypass, the page will fail to load because it loads page elements from a cloudfront.net URI, which gets steered to Netskope for SSL decryption and may or may not load. When we disable the Netskope client, the page loads correctly. And bypassing *.cloudfront.net is not a suitable option for us due to creating a huge gap in our security visibility. So what are we to do?

Netskope support has mentioned this may be an SNI issue, and suggested we could try enabling SNI check, but we cannot do that in our environment because many of our partner websites use IP allowlists that restrict traffic to a specific range of IPs, which won’t work with SNI.

We’ve only got 200+ users on Netskope right now, but we’re getting ready to expand that to 3,000+ users. I’m concerned how many calls we’re going to get from our users for this issue when we deploy it to the rest of the company.