Skip to main content

Netskope Help

Proxy Chaining

Note

Contact your Sales Representative or Netskope Support to enable this feature for your account.

Netskope proxy chaining allows you to send traffic from your on-premises proxy to the Netskope Cloud. You must configure the proxy chaining URL in your own proxy, and then add your proxy's public IP address or range to the allowlist below so Netskope can trust traffic from your proxy chain. Netskope won't accept any traffic from an IP address that's not listed below.

The following diagram illustrates the traffic workflow for proxy chaining with Netskope Secure Web Gateway:

Proxy-Chaining-Network-Diagram.png

General Guidelines

When configuring proxy chaining, consider the following:

  • To obtain your proxy chaining URL, contact Netskope Support.

  • Ensure that you configure your downstream proxy to send X-Forwarded-For HTTP header for all HTTP requests. The X-Forwarded-For header is used to uniquely identify the tenant user.

  • For your proxy, ensure you add at least one header X-Forwarded-For or X-Authenticated-User HTTTP header inside the SSL tunnel. Netskope recommends adding both headers. However, the proxy must perform SSL decryption to add HTTP headers inside the SSL tunnel.

  • Configure your proxy to trust the Netskope certificate for SSL interception. You can download the certificate in Settings > Manage > Certificates > Signing CA.

About the Proxy Chaining Page

On the Proxy Chaining page (Settings > Security Cloud Platform > Proxy Chaining), you can:

  1. Add a proxy IP address to the Netskope proxy chaining allowlist.

  2. View a list of IP address allowlists. For each allowlist, you can see:

    • Name: The name of the proxy IP address allowlist.

    • IP Address Allowlist: The proxy IP or CIDR addresses in the allowlist.

  3. Click The More icon. to choose one of the following options:

  4. View up to 30 allowlists per page.

  5. View multiple pages of the table.

The Proxy Chaining page and its settings.