Sonos App on Windows or Mac needs Netskope Client steering exceptions to function

  • 13 December 2023
  • Netskope Employee

You're a big Sonos fan (like me), and you want to use the Sonos S1 Controller app or the Sonos S2 app on your Windows or Mac machine with the Netskope Client. Well, you'll find it doesn't work without adding some Netskope Client steering exceptions...

 

When you launch the Sonos app, it uses broadcast addresses to seek out Sonos devices on the local network. It can use both 255.255.255.255 (the network broadcast address) and 239.255.255.250 (Simple Service Discovery Protocol, SSDP). These addresses need to be added to a Network Location Profile:

 

Netskope UI -> Policies -> Profiles: Network Location -> New Network Location -> Single Object (see attached screenshot)

 

And you'll need to reference that 'Network Location' as an exception in your steering configuration(s):

 

Netskope UI -> Settings -> Security Cloud Platform -> Traffic Steering: Steering Configuration -> [Your steering configuration] -> Exceptions -> New Exception -> Destination Locations -> [Select your Sonos Network Location and make sure the radio button is on 'Bypass'] (see attached screenshot)

 

With this exception in place the Sonos application will launch and discover the player devices on your network, but you might find that trying to browse your music services doesn't work. If you receive an error in the Sonos app saying something like 'Unable to browse music - there was a problem connecting to Apple Music' then it's because you need another Netskope Client bypass. First define the Sonos app:

 

Netskope UI -> Settings -> Security Cloud Platform -> Traffic Steering: App Definition -> Certificate Pinned Apps -> New Certificate Pinned Application

 

The application name isn't too important; call it 'Sonos app' or 'Sonos controller'. Next, add an entry for the Mac platform and enter the process names 'Sonos' and 'Sonos S1 Controller', separated by a comma. If you don't use the Sonos S1 app (for older devices), you only need 'Sonos'. Then add an entry for the Windows platform and enter the process name 'sonos.exe' (see attached screenshot for clarity).

 

Head back to your traffic steering exceptions and add a new Certificate Pinned Application exception:

 

Netskope UI -> Settings -> Security Cloud Platform -> Traffic Steering: Steering Configuration -> [Your steering configuration] -> Exceptions -> New Exception -> Certificate Pinned Applications

 

Choose your Sonos app definition, put an asterisk (*) in the custom app domains, and check that both Windows and Mac platforms are set to 'Bypass' (see attached screenshot).

 

IMPORTANT NOTE: Putting a wildcard for the custom app domains allows the 'sonos.exe' process (or any other process renamed to 'sonos.exe' by a malicious user) to bypass Netskope when accessing any Internet domain. It is recommended that you add only the hosts/domains needed by the Sonos app. Sonos doesn't publish a list of required destinations or domains, but as an example I was able to use the Sonos app (with Apple Music) by adding the following destinations to the custom app domains:

msmetrics.ws.sonos.com,update.sonos.com,update-services.sonos.com,sonos-music.apple.com

 

Make sure that you've saved and applied any pending changes in the UI. Also make sure that the Netskope Client on the machine where the Sonos app is installed has completed a configuration update (remember you can force an update by right-clicking on the Netskope Client icon and selecting 'Configuration' and then clicking 'Update').

 

Hope this write-up is useful to anyone struggling to get their Sonos apps working with Netskope. Enjoy your Sonos experience and rock on 🤘 🎶
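To check the discovery bypass independently of the Sonos app, this added example (not part of the original post, and not Netskope or Sonos code) sends an SSDP M-SEARCH to the two addresses from the Network Location step and lists the devices that answer. UDP port 1900 and the `ZonePlayer` search target are assumptions that the post does not state.

```python
import socket

# Discovery destinations named in the post; UDP port 1900 is the standard SSDP port.
TARGETS = [("239.255.255.250", 1900), ("255.255.255.255", 1900)]
# Assumption (not from the post): search target commonly used to find Sonos players.
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"


def build_msearch(host, port, st=SONOS_ST, mx=1):
    """Return an SSDP M-SEARCH request as bytes, CRLF-terminated with a blank line."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {host}:{port}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_response(data):
    """Parse an SSDP reply into (status_code, headers), or None if it is not HTTP."""
    head = data.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    status_line, *rest = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    pairs = (line.partition(":") for line in rest)
    headers = {n.strip().upper(): v.strip() for n, sep, v in pairs if sep}
    return int(parts[1]), headers


def probe(timeout=3.0):
    """Send M-SEARCH to both addresses; return {responder_ip: LOCATION} for 200 replies."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)  # stop listening after `timeout` seconds of silence
        for host, port in TARGETS:
            s.sendto(build_msearch(host, port), (host, port))
        try:
            while True:
                data, (ip, _port) = s.recvfrom(4096)
                parsed = parse_response(data)
                if parsed and parsed[0] == 200:
                    found[ip] = parsed[1].get("LOCATION", "")
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    print(probe() or "no SSDP replies: discovery traffic is not reaching the LAN")
```

Run it on the machine with the Netskope Client before and after the client's configuration update: an empty result while players are powered on points at the Network Location exception rather than the certificate-pinned app exception.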

