Netskope Client For Linux
Netskope now inspects traffic from devices running the Linux operating system (OS) and provisions users in the same way as on Windows and macOS. This document describes how to install the Client on a Linux device using the command-line interface (CLI), and how to configure the Client and steer traffic to the Netskope Cloud.
Note
Netskope Private Access (NPA) Linux Client is currently in Early Access. Netskope Cloud Firewall (CFW) is not supported on the Linux Client.
Environment
Refer to Netskope Client Supported OS and Platform to understand the supported versions for Linux.
Download Linux Client
Before you begin, download Netskope client installers from the Download Netskope Client and Scripts page.
Linux Client CLI
After you download Netskope Client to the end-user device, refer to the following options to install the Client.
Install Netskope Client In Linux Operating System
After you download the Netskope Client to the end-user device, perform the following steps to set up the Client and connect to the Netskope Cloud:
From your terminal, run the following command: sudo ./NSClient.run.
After the installation is complete, a pop-up is displayed to the user to enter the Netskope Tenant name and select the tenant domain. This information is shared with the user by their respective IT admin.
Click Next to continue with enrollment. The user is redirected to their IdP login screen. An authentication status message is displayed in the browser.
Once the user enrollment is complete, you can see the Client icon on the taskbar. Click the Client icon to view the configuration details.
Use the following command to install and enroll using email ID: sudo ./NSClient.run -H <tenant hostname> -o <org key> -m <email address>. For example, sudo ./NSClient.run -H abc.goskope.com -o abc123xyz -m user@example.org
NSClient.run {-H | --tenant-hostname tenant_hostname} {-o | --orgkey orgKey} {-m | --email email_address} [-a | --enroll-auth-token enroll_authentication_token] [-e | --enroll-encrypt-token enroll_encryption_token] [-c | --cli]
Options:
-H --tenant-hostname: Tenant hostname
-o --orgkey: org key
-m --email: User email
-a --enroll-auth-token: enroll authentication token
-e --enroll-encrypt-token: enroll encryption token
-c --cli: This is a flag for CLI-only mode and takes no value. When this argument is present, the UI will not be installed.
Note
All arguments mentioned within {} are mandatory.
Use the following command to install and enroll by UPN: sudo ./NSClient.run -H <tenant hostname> -o <org key>. For example, sudo ./NSClient.run -H abc.goskope.com -o abc123xyz.
NSClient.run {-H | --tenant-hostname Tenant_hostname} {-o | --orgkey orgKey} [-u | --upn UPN] [-a | --enroll-auth-token enroll_authentication_token] [-e | --enroll-encrypt-token enroll_encryption_token] [-c | --cli]
Options:
-u --upn: User UPN
Note
All arguments mentioned within {} are mandatory.
When enrolling by UPN on devices that are not AD-joined, specify the UPN name on the command line. The installer fails and quits if the UPN name is missing.
Use the following command to install and enroll by IDP: sudo ./NSClient.run -i | --idp.
NSClient.run {-i | --idp} [-t | --tenantname tenant_name] [-d | --domain tenant_domain] [-e | --enroll-encrypt-token enroll_encryption_token]
Options:
-i --idp: This is a flag with no value. When this argument is present, installer will enroll by IDP. All other options will be skipped in IDP mode.
-t --tenantName: tenant name
-d --domain: tenant domain
Note
All arguments mentioned within {} are mandatory.
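The three enrollment modes above take different mandatory flags, so an unattended rollout benefits from checking its inputs before the installer runs. The following is an added example, not Netskope's code: the function name and the NS_* variables are hypothetical, it assumes a non-AD-joined device (so the UPN is required), and it only prints the arguments as a dry run.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for an unattended NSClient.run install.
# Uses only flags documented on this page; the NS_* variables and the
# function name are hypothetical.

# Print the installer arguments for mode $1 (email | upn | idp), one per line.
# Returns 1 with nothing on stdout if a mandatory value is missing or malformed.
ns_install_args() {
    local host="${NS_TENANT_HOST:-}" key="${NS_ORG_KEY:-}"
    if [ "$1" = idp ]; then
        printf '%s\n' -i        # IdP mode: all other options are skipped
        return 0
    fi
    case $host in               # -H is mandatory; allow hostname characters only
        ''|*[!A-Za-z0-9.-]*) echo "tenant hostname missing or malformed" >&2; return 1 ;;
    esac
    [ -n "$key" ] || { echo "org key missing" >&2; return 1; }
    case $1 in
        email)
            case ${NS_EMAIL:-} in
                *[[:space:]]*) echo "email malformed" >&2; return 1 ;;
                ?*@?*) set -- -H "$host" -o "$key" -m "$NS_EMAIL" ;;
                *) echo "email missing or malformed" >&2; return 1 ;;
            esac ;;
        upn)
            # The installer fails and quits without a UPN on non-AD-joined devices.
            [ -n "${NS_UPN:-}" ] || { echo "UPN missing" >&2; return 1; }
            set -- -H "$host" -o "$key" -u "$NS_UPN" ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
    # --cli is a flag with no value: when present, the UI is not installed.
    if [ "${NS_CLI_ONLY:-0}" = 1 ]; then set -- "$@" --cli; fi
    printf '%s\n' "$@"
}

# Dry run with the example values used on this page; nothing is installed.
(
    NS_TENANT_HOST=abc.goskope.com NS_ORG_KEY=abc123xyz NS_EMAIL=user@example.org
    echo "would run: sudo ./NSClient.run $(ns_install_args email | tr '\n' ' ')"
)
```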
Uninstall Client
Use the command sudo /opt/netskope/stagent/uninstall.sh to uninstall Netskope Client in Linux.
Additional CLI Commands
Use the ‘help’ command to see the instructions available for Netskope Client on a Linux device. For example:
To enable Netskope Client in CLI and then to quit:
~$ nsclient
start process....
===== Netskope Client CLI, Version: 200.200.0.100 =====
Copyright(c) 2022 Netskope, Inc. All Rights Reserved.
Please enter <help> for available commands.
Netskope> enable
Enabling Netskope Client...
Netskope Client enable success.
Netskope> quit
To display Netskope Client Status:
~$ nsclient
start process....
===== Netskope Client CLI, Version: 99.0.0.1090 =====
Copyright(c) 2022 Netskope, Inc. All Rights Reserved.
Please enter <help> for available commands.
Netskope> show-status
Netskope Client enabled
To display Netskope Client Configuration:
Netskope> show-config
Show configuration in progress...
Netskope Client Configuration
Gateway: gateway-qa.de.goskope.com
Organization: Netskope Inc
Gateway IP: 163.116.140.35, POP: US-SFO1
User Email: jjia@netskope.com
Client Configuration: client_config1
Steering Configuration: jjia-mygroup2
Device Classification: unmanaged
Tunnel Protocol: TLS
Private Access: Connected (User Tunnel)
Private Access Gateway IP: 163.116.138.23
On-Premises Check: Remote
Traffic Steering Type: All Web Traffic
Config Updated: 10:27:26, 1st Dec, 2022
configuration update avaliable.Pleasae use <update-config> command to update latest configuration
To display the blocked events:
Netskope> show-blocked-event
Blocked Event:
App Name: [opera], Last Access Time: Thu Dec 1 21:01:20 2022
To update the client configuration:
Netskope> update-config
Update configuration in progress...
startConfigUpdate->bNeedUpdate=1
configuration update avaliable. Please use <update-config> command to update latest configuration
Command | Description |
---|---|
--help | Usage for Netskope Client CLI. |
- enable | Netskope Client status. |
- disable | Disable Netskope Client. |
- show-status | Netskope Client status. |
- show-config | Display Netskope Client configuration. |
- update-config | Update Netskope Client configuration. |
- show-blocked-event | Display Netskope Client blocked event(s). |
- set-log-level | Reset Netskope Client log level, <debug\|info\|warning\|error\|critical> |
- save-logs | Save Netskope Client diagnostic information. |
- start-pkt | Start packet capture, <inner\|outer> packet <inner len from 0 to 9999 byte\|outer size from 0 to 99 MB>. Please use the 'stop-pkt' command to exit. |
- stop-pkt | Stop packet capture. |
- start-speedtest | Start speed test, testing <download\|upload> <1\|10\|100>MB file. |
- show-pa | Show Private Access status. |
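For fleet checks, text captured from the show-config command shown above can be audited against expected values. This is an added example, not part of Netskope's tooling: it assumes the captured output has one "Key: value" field per line, and the function names, the sample text and the policy arguments (gateway suffix, expected device classification) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit captured `show-config` text. Assumes one "Key: value"
# field per line; function names and policy arguments are hypothetical.

# Constructed sample modelled on the show-config output on this page.
ns_sample_config() {
cat <<'EOF'
Gateway: gateway-example.goskope.com
Organization: Example Org
User Email: user@example.org
Device Classification: unmanaged
Tunnel Protocol: TLS
Traffic Steering Type: All Web Traffic
Config Updated: 10:27:26, 1st Dec, 2022
configuration update avaliable. Please use <update-config> command to update latest configuration
EOF
}

# Print the value of field $1 from show-config text on stdin (exact key match).
ns_field() {
    awk -v k="$1" 'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }'
}

# Read show-config text on stdin. $1 = required gateway suffix (leading dot),
# $2 = expected device classification. Prints one line per finding and
# returns 1 if there is at least one.
ns_audit_config() {
    local cfg gw cls rc=0
    cfg=$(cat)
    gw=$(printf '%s\n' "$cfg" | ns_field 'Gateway')
    cls=$(printf '%s\n' "$cfg" | ns_field 'Device Classification')
    case $gw in
        ?*"$1") ;;
        *) echo "FINDING gateway: '$gw' does not end in $1"; rc=1 ;;
    esac
    if [ "$cls" != "$2" ]; then
        echo "FINDING classification: '$cls', expected $2"; rc=1
    fi
    if printf '%s\n' "$cfg" | grep -qiE 'configuration update ava(il|li)able'; then
        echo "FINDING config: update pending, run update-config"; rc=1
    fi
    return $rc
}

ns_sample_config | ns_audit_config .goskope.com managed || echo "audit: findings reported"
```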
Exception For Certificate Pinned Application
When you add applications as a Certificate Pinned Application exception, Netskope cloud bypasses the traffic from those applications. A pinned app stores the public certificate or key of its destination website and presents it to Netskope cloud. When contacting the destination website or server, Netskope cloud verifies the pinned certificate against the server certificate. If they are validated, Netskope cloud bypasses traffic from the pinned application. For more information, view Certificate Pinned Applications.