Okta Advanced Server Access (ASA) and Netskope NPA Integration

  • 4 November 2022

Okta Advanced Server Access provides Zero Trust identity and access management for cloud and on-premises infrastructure. Using Okta as its source of truth, Advanced Server Access reconciles accounts to manage SSH and RDP access to Linux and Windows servers.

Advanced Server Access extends secure privileged access to users, automates lifecycle management for server accounts, and eliminates the need for credential management.

Okta Advanced Server Access can be configured to allow direct connection to servers, or it can be configured to use a Bastion and/or an Okta ASA Gateway to provide the connection through a “Session Gateway Broker”.

An example of integration with Netskope leveraging Network Private Access is the following:

 

In this example we have a Linux and a Windows machine published through the Okta ASA Gateway, and a Linux machine published directly without the ASA Gateway.
In this case we’ll configure 2 separate NPA Applications:

  • NPA Okta ASA Gateway Application: defined for the internal IP address of the ASA Gateway machine for ports TCP 22 and 7234, using the Publisher(s) deployed in the same environment (On-Prem or IaaS) as the Okta ASA infrastructure

  • NPA Okta ASA Linux Application: defined for the internal IP of the Linux machine for port TCP 22, using the Publisher(s) deployed in the same environment (On-Prem or IaaS) as the Okta ASA infrastructure

When publishing servers without the Okta ASA Gateway (or a Bastion), we must create an NPA Application for each published machine. When using the Okta ASA Gateway (or a Bastion), we can publish a single NPA Application for the Gateway (or Bastion) and this will provide connectivity to all the internal servers.

It is important to note that when the Okta ASA Client requests access to a remote session, it first contacts Okta Cloud to verify the user rights, assignments and to retrieve the authentication token that will be used for the actual session authentication. This connection is performed by the client over HTTPS, hence we MUST bypass SSL inspection for the Okta ASA URL:

app.scaleft.com
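
One way to confirm from a client that the SSL inspection bypass for app.scaleft.com is in effect (an added example, not part of the original post or of Okta/Netskope tooling): it reads the issuer of the certificate the client actually receives and flags it if it looks like an inspection CA. The marker strings in `INSPECTION_CA_MARKERS` are assumptions; replace them with text from the subject of the CA your tenant uses for inspection.

```python
import socket
import ssl

ASA_HOST = "app.scaleft.com"  # Okta ASA URL named in the post
# Assumption: substrings identifying the inspection CA in the issuer field.
INSPECTION_CA_MARKERS = ("netskope", "goskope")


def issuer_fields(cert):
    """Flatten the 'issuer' entry of ssl.getpeercert() into a dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}


def is_intercepted(cert, markers=INSPECTION_CA_MARKERS):
    """True when any issuer attribute contains one of the markers."""
    values = " ".join(issuer_fields(cert).values()).lower()
    return any(m.lower() in values for m in markers)


def fetch_cert(host=ASA_HOST, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check_bypass(host=ASA_HOST, fetch=fetch_cert):
    """Return (ok, detail); ok is False if inspection appears active."""
    try:
        cert = fetch(host)
    except ssl.SSLCertVerificationError as exc:
        # An untrusted chain often means a proxy re-signed the session.
        return False, f"chain not trusted ({exc.verify_message})"
    except OSError as exc:
        return False, f"connection failed: {exc}"
    issuer = issuer_fields(cert)
    if is_intercepted(cert):
        return False, f"issuer looks like an inspection CA: {issuer}"
    return True, f"issuer: {issuer}"


if __name__ == "__main__":
    ok, detail = check_bypass()
    print("BYPASS OK" if ok else "BYPASS NOT EFFECTIVE", "-", detail)
```

Run it on a machine with the Netskope Client enabled, before and after adding the bypass, and compare the reported issuer.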


1 reply


Hi @sartioli, thank you for sharing a detailed solution on Okta Advanced Server Access (ASA) and Netskope NPA Integration.

Looking forward to comments from other community members 😊.

Thanks 

Rohit Bhaskar