Creating a Steering Configuration
The default steering configuration (i.e., Default tenant config) applies to all users in your organization. However, if some users in your organization require a different configuration, you can create a custom steering configuration for those specific OUs or user groups.
To create a custom steering configuration:
Go to Settings > Security Cloud Platform > Steering Configuration.
Click New Configuration.
In the Apply To window, choose whether all custom traffic steering configurations must apply to Organizational Units (OUs) or user groups. This option only appears when you create your first custom steering configuration.
In the New Configuration window:
Name: Enter a name for the steering configuration. It can't exceed 40 characters.
Organization Unit (OU)/User Group: Choose the OU or user group you want to steer traffic for.
In the Traffic Steering tab:
Enable Dynamic Steering: Enable Netskope Client to use on-premises detection and determine if the user's device is on-premises or off-premises. If enabled, the On-Premises and Off-Premises settings appear. When configuring, note the following:
You can steer traffic for older versions of the Netskope Clients through the on- or off-prem configurations in the drop-down menu.
By default, the On-Premises configuration only steers Cloud apps. and the Off-Premises configuration steers all web traffic. To steer all web traffic for both on- and off-prem configurations, contact your Sales representative to enable this feature.
To use dynamic steering, ensure you enable On-Premises Detection for your Netskope Client configuration.
You can only use dynamic steering for the OUs and user groups configured in your Netskope Client configuration.
Cloud Apps Only: Only steer specific cloud applications to the Netskope cloud for deep analysis. You can create exceptions and allow special accommodations for custom applications. Ensure you update your Netskope Client version to 70.0.0 or later. This option is the default for new accounts.
Web Traffic: Steer all web traffic (i.e., HTTP and HTTPS) to the Netskope cloud for deep analysis. You can create exceptions for traffic that have personal or private content.
All Traffic: Steer all HTTP(S) and non-HTTP(S) to the Netskope cloud for deep analysis. You must have the Cloud Firewall license to select this option. Ensure you update your Netskope Client version to 70.0.0 or later.
Steer private apps: Steer private apps for On-Premises and Off-Premises configurations. You can steer:
All Private Apps: Choose if the Netskope Client must steer or not steer when other steering modes are present, like GRE, IPSec, and Explicit Proxy.
Specific Private Apps: Steer specific private apps. For example, if your existing VPN is active and allows access to all on-prem apps in your private data center, you can deselect those apps and only select apps hosted in AWS, Azure, or GCP. This allows your existing VPN to provide access to on-prem apps, but Netskope Private Access can access apps in the public cloud. You must update the Netskope Client to version 82.0.0 to steer specific private apps.
If you disabled dynamic steering, consider deselecting Steer private apps when steering Cloud Apps Only for on-prem configurations so that users aren't steered through Netskope Private Access. When steering Cloud Apps Only for off-prem configurations or All Web Traffic, consider selecting Steer private apps to steer their traffic through Netskope Private Access.
Go to App Definitions to select the private apps you want to steer with this configuration. Click the Private Apps tab, click
for the private app, click Select Steering Config, and then choose a steering config for the app. Click Save.
Steer DNS traffic: Select to steer DNS traffic to the Netskope cloud for deep analysis. This option is only available for Web Traffic and All Traffic types as well as Off-Premises configurations. You must have the Cloud Firewall and DNS licenses to select this option.
Status: Enable or disable the steering configuration. Netskope recommends disabling until you configure the steered items and exceptions.
In the Non-Standard Ports tab:
Steer non-standard ports: Allows the Netskope Client to steer web traffic (HTTP/HTTPS) on any port. Enter the ports or domains to steer. Click + New to add multiple ports. Click More to see the following options:
Import from CSV: Import a CSV file containing the ports and domains you want to steer.
Download Sample CSV: Download a sample CSV template to use to add multiple ports or domains and import the CSV file.
Delete All: Delete all listed ports.
The port number appears in the Domain, Page, and App columns on the Skope IT Page Events page.
Caution
Due to the macOS change to Network Extensions, non-standard ports aren't supported in steering configurations for devices using macOS Big Sur version 11 and later.
When using Cloud Firewall with GRE/IPSec tunnels, Netskope handles any configured non-standard ports as web traffic regardless of the hostnames. If there is non-web traffic using the same port, Netskope drops the traffic. For instance, if you have configured hostname1 and port1, Netskope considers SSH traffic to hostname2:port1 as web traffic and drops it. When using non-web traffic with Cloud Firewall through GRE/IPSec, ensure you use ports that aren't considered non-standard ports.
Click Save.
Add steered items (i.e., applications).
Add steering exceptions.
Review the steering error settings.
Click
for your custom steering configuration and then Enable Configuration.