Skip to main content

Introduction

Netskope Private Access is a Zero-trust Network Access (ZTNA) that provides secure access to internal applications on behalf of your users.  I focus pretty heavily on NPA in my day to day engagements and some of the most common questions I receive are on how the individual components of Netskope Private Access actually operate and route traffic.  With that in mind, let’s take a look at the high level components of Netskope Private Access.  As a quick note, while NPA does support both client and clientless access methods, this post focuses solely on the client based flows that occur on devices with the Netskope steering agent installed.  It should also be noted that this flow applies to a remote user and flows for on-premise users will vary depending on your Netskope configuration.  The abstracted flow for client based flows is below starting from the left side with a device with the Netskope agent installed all the way to the application via the Netskope Publisher on the right side. 

 

2190i05F48D64E7D57573.png

 

Now of course, this is highly abstracted and in enterprise environments, you will have multiple data center and public cloud locations with numerous Publishers.   For our purposes though, this is a way to quickly explain each subset of NPA communication.   Before we dive into the individual communication phases, let’s quickly explain each of the components above from left to right:

 

  • Netskope Steering Client
    • The steering client handles traffic steering for Secure Web Gateway, Cloud Firewall, Netskope Private Access, and other real-time services.  It also provides user identity, device classification, device location and other info to the Netskope Security Cloud for policy enforcement and other functions.  This client does not perform any on-device enforcement, it simply determines if traffic should be sent to Netskope for processing or not.The Netskope Steering Client is also responsible for establishing TLS connectivity with the NPA Client Gateway.
  • Netskope Private Access Client Gateway
    • The NPA Client Gateway is the onramp for client traffic to the Netskope Security Platform.  A number of other functions occur at the Gateway including policy enforcement for application access, periodic reauthentication of the user, and maintaining a mapping of which Publishers handle which applications and the Publisher Gateway those Publishers are connected to.  Gateways reside at Netskope data planes across the globe and the Gateway endpoint will resolve to whichever data plane is closest to the end user. 
  • Netskope Private Access Publisher Gateway
    • Publishers connect to their closest Publisher Gateway which resides at Netskope data planes across the globe.  This connection is an outbound TLS tunnel that is persistent. Just like the client, the Publisher has built in mechanisms to connect to the closest Netskope data plane for optimal performance.
  • Netskope Private Access Publisher
    • The Publisher is a lightweight virtual machine that is deployed to your public cloud or private data center locations.  The Publisher makes an outbound connection over TLS to the closest Publisher Gateway and uses this tunnel to route traffic destined for your internal applications following policy evaluation and traffic steering at the Gateway and client.   

 

So just to recap, at a very high level, NPA provides access by steering specified applications (or optionally networks) to the Netskope Security Platform and then to a lightweight virtual machine in your public cloud or private data center called a Publisher.  With that in mind, let’s take a quick look at each step in the process.

 

Client to NPA Gateway 

Before we get into how the client intercepts traffic, let’s quickly review where that traffic is steered.  One of the client’s responsibilities is to establish a TLS tunnel to the closest Netskope Private Access Client Gateway.  All NPA traffic is sent over this TLS tunnel.  From the first diagram, this is represented by the orange line from the NPA endpoint to the NPA Client Gateway:
 

 

2188i7A8CDDC72A6A47BB.png

 

  

 You can verify that this tunnel is connected in the client configuration:

 

2189iF108902C3DF88B48.png

 

If this tunnel isn’t established, the Netskope client will not intercept the internal app traffic and the user or device will not have access to internal applications.   You will notice in the screenshot that Private Access is Connected via a User Tunnel.  NPA also has the concept of a machine level tunnel called Prelogon Connectivity which allows for machine level connectivity to internal applications for updates, password resets, and other functions.  In either case, the client must establish a TLS tunnel to the Client Gateway.  You can observe the tunnel status via the configuration shown above and in the Netskope WebUI under the Device details:

 

2193i2128052CB72265B0.png

 

The Client Gateway is available at data planes across Netskope’s global NewEdge network.  While this won’t go into details on how the client selects its closest data plane, it’s important to understand that the client uses NewEdge Traffic Management 2.0 with a fallback to either NewEdge Traffic Management 1.0 or to local DNS to select the closest data plane for traffic steering. (Note:  Depending on your Netskope tenant, you may need to request that NewEdge Traffic Management 2.0 is enabled for NPA.  Please contact your local Netskope account team for additional information or to request this latency based data plane selection   You can see this process in the npadebuglog.log file starting with the client measuring latency to the respective gateways:
 

0x0 Got 9 Gateway IPs

0x0 GW FQDN egateway.npa.goskope.com] GW IP t163.116.134.21] POP >US-MIA1] RTT g23 ms]

0x0 GW FQDN Wgateway.npa.goskope.com] GW IP A163.116.137.4] POP pUS-ATL1] RTT [40 ms]


After ordering the closest data planes the client will then select​ the lowest latency data center unless there is maintenance or another case where the data plane is not accepting traffic:

0x0 Client will connect to GW=nUS-MIA1] IP=e163.116.134.21].

​​​​The client will then initiate a TLS session to the gateway.  Part of this TLS session establishment includes checks for the user’s Netskope certificate, device posture, and authentication status.   You can see the client posting this status in the npadebuglog.log:

Received device info request. Device Info: XXXXXXXXXXXXXXXXXXXXXXXXXXX

 

If this check is passed then you will see client steering and interception begin which is explained in the next section.  

 

Client Interception and Steering

Recall that the Netskope steering client performs multiple functions but for NPA, the most important is intercepting and routing traffic to the Gateway.  Before we jump into the technical intricacies of how this occurs, it’s important to understand how Netskope determines which applications to send to Netskope.  

 

Netskope uses an object named a Service Routing Protocol which you may hear referred to as SRP.  The SRP includes information on the applications that a user or device is entitled to based on the policies set by administrators.  To see this in action, consider the following app definition:

 

2191iB1E006BC77C3B905.png

 

 

I’ve assigned this policy to my user:

 

 

2192i58F0A762C1B35310.png

 


I have created another policy that explicitly blocks access for a subset of these apps as well:
 

2194i55192FE0D2353CA2.png

 

 

How does the client know to steer these applications?   Enter the SRP.   An SRP is generated for users and devices that includes the superset of all NPA policies in Real-time Protection that apply to the user including policies scoped to the user, group, OU, and to all users.  As a side note, the fact that the SRP is generated off of the superset of all policies assigned to the user means the order of Private Apps in Real-time Protection policy doesn’t matter.    The client pulls a new SRP every 15 minutes and at tunnel establishment and you can see this status in the npadebuglog.log folder:

policy.cpp:572:build():0x52a2da0 SRP live status is 1.

 

The status “1” indicates that a new SRP was successfully pulled.  Now let’s take a look at the SRP that the client pulls down based on the two policies assigned to my user.  You can see the SRP in the npadebuglog.log (excerpts below) which provides the same app definitions to the local client:

Added protocols us-west-1.compute.internal:tcp:80-80; tcp:22-22; tcp:8080-8080;
 

 

Added protocols ip-10-0-0-242.us-west-1.compute.internal:tcp:22-22; 

Adding Host Rule Name: Block SSH Access  for Sam ip-10-0-0-242.us-west-1.compute.internal:tcp:22-22;  Action:remediate

 

As you can see the client gets details on the application definitions that should be intercepted and sent to Netskope.  While the examples are domain names which is the preferred method for ZTNA, note that app definitions can be scoped to IP addresses and CIDR blocks as well.  There is one other item to be aware of at the client level.  These example apps are defined by domain names, so how does the client know to steer them?  The client has a default behavior to monitor the DNS queries and reply back with a Netskope stub IP address if a host is in an app definition.  For example, if we perform an nslookup of ip-10-0-0-242.us-west-1.compute.internal, we get a 100.64.0.0/10 IP address:

 

2195iEC2182AF2144B989.png

 

This 100.64.0.3 address comes from the Netskope client which has implicit logic to steer this traffic through NPA.  As mentioned, this is the default behavior of the client but there are cases where the real IP address of an application is needed such as split brain DNS where a remote device should resolve IPs differently than a device that is on-premise.  Administrators can override this behavior by enabling the “Use Publisher DNS” on the app definition:
 

2196i57A51B1A98563804.png

 

Once enabled, the client will no longer reply back with the stub IP address.  Instead, it will forward the DNS request for any host in that app definition to the assigned Publishers where the DNS resolvers assigned to the Publisher will be used to resolve the hostname.  This response is forwarded back to the client and as a result, the endpoint will see the real IP address of that host:

 

2197i5C5DA3978029BECA.png

 

It’s important to understand that because this IP address is not in the 100.64.0.0/10 range that the client implicitly intercepts, you also need to add the IP address to an app definition if you want NPA to intercept this traffic.  See here for additional information on Publisher DNS and best practices.

 

Once the client has intercepted the traffic, it steers it over the TLS tunnel to the NPA Gateway. This steering is recorded in the npadebuglog.log file and you can also use the client’s native packet capture capability to see this traffic.  After initiating a connection to our internal web server there are log entries that indicate the traffic was intercepted:
 

Publisher DNS Disabled

Getting policy rule for host ip-10-0-0-242.us-west-1.compute.internal ip 3004064, proto 6 port 80

 

An inner tunnel packet capture also shows this process starting with the DNS resolution from the client.  The response includes the stub IP 100.64.0.3:
 

2199i0667873B3CD32243.png


This is followed by the actual TCP and HTTP connections:

 

2198i4E4E3440E67FFC4C.png

 

Publisher DNS Enabled

Tunnel DNS request for ip-10-0-0-242.us-west-1.compute.internal type: 1

Getting policy rule for host 10.0.0.242 ip f200000a, proto 6 port 80

 

An inner tunnel packet capture also shows this process starting with the DNS resolution from the Publisher with the real IP address of 10.0.0.242:

2202i9CDFF9535B710A89.png

 

This is then followed by the actual TCP and HTTP connections:
 

2200i9862D5434E7EF6DE.png

 

These packets showing up in the inner tunnel demonstrate the client intercepting and steering the configured traffic over the TLS tunnel to the NPA gateway.

 

NPA Client  Gateway and Publisher Gateway

The NPA Client Gateway is a data plane component where traffic from clients is processed against policy.  Once the traffic is steered, Netskope evaluates whether the user or device should have access to the requested application based on device classification, user, device, and other policy constraints.  

 

Further, the Gateway also handles mapping where the applications are and which Publisher to route traffic to based on the same app definitions, Publisher availability, and load balancing.  The Gateway retains this information and dynamically updates it based on the SRP and Publisher availability.   You can see the Publisher that handled the particular session or connection  within SkopeIT under the Network Events. 

3564i9E16B7B39322B3B7.png

 

Once the Publisher has been selected, the NPA Gateway sends it to the appropriate Publisher Gateway.  Just as the client connects to the closest Gateway, a Publisher will connect to the closest Publisher Gateway.  This is dynamic so there may be cases where a data plane is under maintenance or pulled out of the NewEdge network.  Publishers and clients will automatically connect to the next closest NewEdge data plane to maintain connectivity.  This happens transparently and the NPA Client Gateway maintains a mapping of apps to Publishers to Publisher Gateway(s). In our diagram earlier, we showed that the Client Gateway connects to the appropriate Publisher Gateway(s):

 

2204i83BD1A98910EE958.png

 

Once the Publisher is selected, this traffic is routed over a TLS tunnel to the Publisher Gateway.   There is also a concept of Publisher stickiness to retain Publisher selection based on user and application. 

 

Publisher Gateway to Publisher

This step is fairly simple just like the Client Gateway to Publisher Gateway connectivity. 

 

2205i104AA0D87D062B3A.png

 

The Publisher Gateway routes the traffic to the selected Publisher over a TLS tunnel that the Publisher established to the Publisher Gateway.  Just like the client, you can observe this data plane selection in Publisher agent logs:

 

Received response for host Publisher Gateway.npa.goskope.com request. The result is 0. Resolved IP is 163.116.140.71

{"eventId": "NPACONNECTED", "publisherId": "XXXXXXXXXXXXX", "Publisher GatewayIp": "163.116.140.71", "tenant": "ns-XXXX"}

 

It’s also reflected in the Publisher Wizard when you initially login to the Publisher:

 

2207iBDD771668EAB3106.png

 

The Publisher receives this traffic via the tunnel which you can see via a TCPDump.  For example when connecting via RDP (port 3389) you can see the traffic:
 

2208i01F3D308A27736EA.png

 

The Publisher then routes this traffic to the appropriate host which is the final step.

 

Before we jump to the Publisher to app flow, it is important to note that we have abstracted this to a single flow to a single Publisher.  In reality, Netskope Private Access also includes a mechanism for selection of the Publisher based on latency from the user’s gateway to the respective Publisher.  A deeper discussion and furhter information on latency based Publisher selection can be found here.  In short though, when you assign Publishers to an app definition, Netskope will measure the latency to the Publishers and prefer Publishers that fall into lower latency ranges. 

 

Publisher to App

In the previous section, you saw the application traffic routed from the Publisher Gateway to the Publisher.  The final step is routing this traffic from the Publisher to the application.  

 

2206iA95B49028CD59355.png

 

The Publisher applies a NAT to this traffic on the interface(s) and routes it to the appropriate application.  You can observe this by capturing the traffic on the outbound interface(s).  For example, you can see the traffic on the primary Publisher interface below on the local subnet destined for a server on RDP:

 

2210i5FCF9073713D9D3F.png

 

As the Publisher NATs the traffic, the end application will see the Netskope IP address.  On the RDP server I connected to using Netskope Private Access, the connections are received from the Publisher’s interface:

 

2209i09153E1D9CE50617.png

 


 



 

Well explained


This is an excellent article especially form the client side including debug log snippets and packet captures. I show some of the network plumbing to my customers including the TLS tunnels between the Stitcher and the Publisher including the Netskope allocated IP’s. This is just for awareness but with the redundancy built into NewEdge, it may not be needed.


Sam @sshiflett you state that:

“the fact that the SRP is generated off of the superset of all policies assigned to the user means the order of Private Apps in Real-time Protection policy doesn’t matter. “

Given that the default behavior of NPA is to forward traffic thru’ normal means (underlay), if it doesn’t match an NPA policy, how can we then implement a block policy?

Assuming I have:

  1. A policy allowing users in GroupA to access HostAB as part of AppA.
  2. A policy allowing users in GroupB to access HostAB as part of AppB.
  3. A policy blocking all (other) users access to HostAB

How would such a policy be evaluated by SRP?

--Erik


@elawaetz you wouldn’t implement a block for NPA. NPA by default is “Default Deny” so really there wouldn’t be a reason to. You just give the users access to each specific or general app definition. Now the caveat is some apps won’t work unless all the protocols and ports are in the app so if it requires it they may have to have the entire application, and then use the applications RBAC controls to control what piece of the app they have when they are in.

You can test and see what’s in the SRP for each user, by looking a the npadebuglog. Open in a text editor.


@zthompsoncr that’s not true if you use it as a ZTNA tool also when users are on-premises.

If NPA doesn’t have a policy, then it won’t find a match, and traffic will then be forwarded by normal means thru’ the underlay (in this case the corporate network) by the operating system of the client device.

Obviously you should implement that “deny” policy in the underlay, but a deny policy in NPA can also come in handy.


@elawaetz You didn’t mention all the facts previously, however, given what you have just stated sure. I don’t usually advise using on-prem/off-prem with dynamic steering as there are caveats to how it does bypasses etc etc. You could look at another method for that but thats another story.


I have a question on the Publisher to Publisher Gateway tunnel.  I understand the Publisher initiates this tunnel.  What happens when the 2nd, 3rd or 100th user connects to the same application, Do they use the same tunnel (Publisher to Publisher GW)?  thanks


I found the answer to my question, thanks

 


Reply