Skip to main content

Netskope Help

Netskope Client For Linux

Netskope now inspects traffic from the devices with Linux operating system (OS) and provisions users similar to Windows and macOS. This document describes the steps to install the Client in a Linux device using CLI (Command-Line Interface), how to configure and steer traffic to the Netskope Cloud.

Note

Netskope Private Access (NPA) Linux Client is currently in Early Access. Netskope Cloud Firewall (CFW) is not supported on the Linux Client.

Environment

Refer to Netskope Client Supported OS and Platform to understand the supported versions for Linux.

Download Linux Client

Before you begin, download Netskope client installers from the Download Netskope Client and Scripts page.

Linux Client CLI

After you download Netskope Client to the end-user, you can refer to the following options to install the Client.

Install Netskope Client In Linux Operating System

After you download the Netskope Client to the end-user device, perform the following steps to setup Client and connect to the Netskope Cloud:

  1. From your terminal, run the following command: sudo ./NSClient.run.

  2. After the installation is complete, a pop-up is displayed to the user to enter the Netskope Tenant name and select the tenant domain. This information is shared with the user by their respective IT admin.

    Enrollement_screen.png

  3. Click Next to continue with enrollment. The user is redirected to their IdP login screen. Authentication status message is displayed in the browser.

    Enrollment_successful.png

  4. Once the user enrollment is complete, you can see the Client icon on the taskbar. Click the Client icon to view the configuration details.

    NS_Client_icon.png
Install And Enroll by Email ID

Use the following command to install and enroll using email ID: sudo ./NSClient.run -H <tenant hostname> -o <org key> -m <email address>.For example, sudo ./NSClient.run -H abc.goskope.com -o abc123xyz -m user@example.org

NSClient.run {-H | --tenant-hostname tenant_hostname}            
             {-o | --orgkey orgKey}            
             {-m | --email email_address}             
             [-a | --enroll-auth-token enroll_authentication_token]          
             [-e | --enroll-encrypt-token enroll_encryption_token]            
             [-c | --cli]
Options:-H --tenant-hostname: Tenant hostname
        -o --orgkey: org key
        -m --email: User email
        -a --enroll-auth-token: enroll authentication token
        -e --enroll-encrypt-token: enroll encryption token
        -c --cli: This is a flag for CLI only mode and no value
                  When this argument is present, UI will not be installed

Note

All arguments mentioned within {} are mandatory.

Install And Enroll By UPN

Use the following command to install and enroll by UPN: sudo ./NSClient.run -H <tenant hostname> -o <org key>. For example, sudo ./NSClient.run -H abc.goskope.com -o abc123xyz.

NSClient.run {-H | --tenant-hostname Tenant_hostname}             
             {-o | --orgkey orgKey}           
             [-u | --upn UPN]            
             [-a | --enroll-auth-token enroll_authentication_token]        
             [-e | --enroll-encrypt-token enroll_encryption_token]           
             [-c | --cli]
Options:-u --upn: User UPN

Note

  • All arguments mentioned within {} are mandatory.

  • Use UPN name in the command line while using UPN for non AD joined devices.The Installer fails and quits if the UPN name is missing.

Install And Enroll By IDP

Use the following command to install and enroll by IDP: sudo ./NSClient.run -i | --idp.

NSClient.run {-i | --idp}	 
             [-t | --tenantname tenant_name]
             [-d | --domain tenant_domain]        
             [-e | --enroll-encrypt-token enroll_encryption_token] 
Options:-i --idp: This is a flag with no value. 
                  When this argument is present,installer will enroll by IDP. All other options will be skipped in IDP mode.
        -t --tenantName: tenant name
        -d --domain: tenant domain

Note

All arguments mentioned within {} are mandatory.

Uninstall Client

Use the command sudo /opt/netskope/stagent/uninstall.sh to uninstall Netskope Client in Linux.

Additional CLI Commands

Use the ‘help’ command to understand different instructions applicable to Netskope Client in a Linux device. For example:

  • To enable Netskope Client in CLI and then to quit:

    ~$ nsclient
start process....
===== Netskope Client CLI,  Version: 200.200.0.100 =====
Copyright(c) 2022 Netskope, Inc. All Rights Reserved.
Please enter <help> for available commands.
Netskope> enable
Enabling Netskope Client...
Netskope Client enable success.
Netskope> quit

  • To display Netskope Client Status

    ~$ nsclient
start process....
===== Netskope Client CLI,  Version: 99.0.0.1090 =====
Copyright(c) 2022 Netskope, Inc. All Rights Reserved.
Please enter <help> for available commands.
Netskope> show-status
Netskope Client enabled

  • To display Netskope Client Configuration

    Netskope> show-config
Show configuration in progress...     
    Netskope Client Configuration        
    Gateway: gateway-qa.de.goskope.com        
    Organization: Netskope Inc        
    Gateway IP: 163.116.140.35, POP: US-SFO1        
    User Email: jjia@netskope.com        
    Client Configuration: client_config1        
    Steering Configuration: jjia-mygroup2        
    Device Classification: unmanaged        
    Tunnel Protocol: TLS        
    Private Access: Connected (User Tunnel)        
    Private Access Gateway IP: 163.116.138.23        
    On-Premises Check: Remote        
    Traffic Steering Type: All Web Traffic        
    Config Updated: 10:27:26,  1st Dec, 2022        
    configuration update avaliable.Pleasae use <update-config> command to update latest configuration

  • To display the blocked events

    Netskope> show-blocked-event
Blocked Event:
App Name: [opera], Last Access Time: Thu Dec  1 21:01:20 2022

  • To update the client configuration

    Netskope> update-config
Update configuration in progress...
startConfigUpdate->bNeedUpdate=1
configuration update avaliable.
Please use <update-config> command to update latest configuration

Command

Description

--help

Usage for Netskope Client CLI.

- enable

Netskope Client status.

- disable

Disable Netskope Client.

- show-status

Netskope Client status.

- show-config

Display Netskope Client configuration.

- update-config

Update Netskope Client configuration.

- show-blocked-event

Display Netskope Client blocked event(s).

- set-log-level

Reset Netskope Client log level, <debug|info|warning|error|critical>

- save-logs

Save Netskope Client diagnostic information.

- start-pkt

Start packet capture, <inner|outer> packet <inner len from 0 to 9999 byte|outer size from 0 to 99 MB> Please use the 'stop-pkt' command to exit.

- stop-pkt

Stop packet capture.

- start-speedtest

Start speed test, testing <download|upload> <1|10|100>MB file.

- show-pa

Show Private Access status.

Exception For Certificate Pinned Application

By adding applications as a Certificate Pinned Application exception, the traffic from such applications is bypassed by Netskope cloud. A pinned app stores the public certificate or key of its destination website and presents it to Netskope cloud. When contacting the destination website / server, Netskope cloud verifies the pinned certificate with the server certificate. If they are validated, Netskope cloud bypasses traffic from the pinned application. For more information, view Certificate Pinned Applications.

CPA_Exceptions.png
In this section: