Skip to main content

Netskope Help

User Identity Methods for IPSec and GRE Tunnels

To steer tunnel traffic and identify users, you can use one of the following methods:

Netskope strongly recommends installing and configuring the Netskope Client to facilitate certificate distribution on devices and provide coverage for remote users. The Netskope Client provides user identification directly to Netskope so you don't have to implement authentication on the IPSec or GRE tunnel. If you install the Netskope Client, it can send device and user info to the Netskope Cloud and show user-facing notifications that occur from policy violations.

To enable user notifications:

  1. Go to Settings > Security Cloud Platform > Devices.

  2. Click Client Configurations.

  3. Click the Netskope Client Configuration with the users you want to send notifications to when they trigger a policy violation.

  4. In the Client Configuration window, under Tunnel Settings, select Enable device classification and client-based end user notifications when the client is not tunneling traffic.

    Netskope-Client-Configuration-Tunnel-Settings-Enable-device-classification-and-client-based-end-user-notifications.png

    Note

    Netskope Client supports multi-user concurrent log in. However, it doesn't support multi-user concurrent login if you select Enable device classification and client-based end user notifications when the client is not tunneling traffic.

When the Netskope Client detects an IPSec or GRE tunnel, it disables the data tunnel (i.e., TLS tunnel) to the Netskope cloud but continues sending user identity to Netskope and facilitates user notifications on the endpoint. However, you can only view one user's login information. If you installed the Netskope Client in multi-user mode on a multi-user device (e.g., terminal server), then when multiple users log in to the device at the same time, Netskope only logs and reports the first user as the one associated with the device.

Also, If you have Netskope Cloud Firewall and are using the Netskope Client, you can leverage user- and group-based policies.

You only need to provision certificates on user devices that don't have the Netskope Client.

To download the Netskope root CA certificate and provision it on your user's device:

  1. Go to Settings > Manage > Certificates to download the certificates.

  2. Click the Signing CA tab.

  3. In Netskope Certificate, for Root CA, click The Netskope Download icon..

    The Netskope Root and Intermediate CAs on the Certificates page.
  4. Provision the certificate on your user's device. See the product documentation of their device to learn more.

  5. Manage the certificate error settings.

If you don't use the Netskope Client, you can use SAML to authenticate a user with your Identity Provider (IdP) before their traffic is tunneled via IPSec or GRE. You must integrate Netskope as an authentication mode for an IdP. This method acts as an authentication module taking Netskope's framework and an IdP's auth assertion after authentication. To learn more: Forward Proxy Authentication.

Watch a video about forward proxy SAML authentication configuration for IPSec:

 
Enabling SAML Authentication

To enable SAML authentication for your tunnels:

  1. Go to Settings > Security Cloud Platform > Forward Proxy > Authentication.

  2. In Authentication, click Enable Authentication.

  3. In the Enable Authentication window, select Enabled.

    The Authentication section on the Authentication - Forward Proxy page.
  4. Under SAML Account, click Create New.

    The Enable Authentication window for Forward Proxy.
  5. In the New Account window:

    • Name: Enter a name identifying the SAML account.

    • In the Setup tab:

      • IdP SSO URL: Contact your third-party IdP and enter the unique IdP login URL.

      • IdP Entity ID: Enter the globally unique ID for your SAML entity.

      • IdP Certificate: Copy and paste the PEM format certificate of the third-party IdP. Netskope needs this information to validate the signature of the SAML assertion.

      The Setup tab in the New Account window for Forward Proxy.
    • In the Options tab:

      • Alternate User ID Field: Netskope looks at the NameID field in the SAML assertion to get the user identity. If you want to use another field for user identification, enter the name of the SAML attribute.

      • Group Attribute: Enter your name:value pair to identify and describe your entities user group and role memberships.

      The Options tab in the New Account window for Forward Proxy.
  6. Click Save.

Configuring the Authentication Bypass Settings

After enabling SAML authentication for your tunnels, you can specify domains, web categories, and network IP addresses that don't require user authentication.

Adding a Domain Bypass

To add a domain bypass:

  1. Go to Settings > Security Cloud Platform > Forward Proxy > Authentication.

  2. In Bypass Settings, under Domain Bypass, click Edit.

  3. In the Domain Bypass window, add the URLs you want to bypass from the tunnels. Separate each URL entry with a comma or by adding it to a new line.

    Tip

    Netskope recommends adding your IdP domains.

    The Domain Bypass window in the Authentication Bypass Settings.
  4. Click Save.

Adding a Web Category Bypass

To add a web category bypass:

  1. Go to Settings > Security Cloud Platform > Forward Proxy > Authentication.

  2. In Bypass Settings, under Web Category Bypass, click Edit.

  3. In the Web Category Bypass window, select any default or custom web categories you want to bypass from the tunnels.

    The Web Category Bypass window in the Authentication Bypass Settings.
  4. Click Save.

Adding a Source IP Address Bypass

To add a source IP address bypass:

  1. Go to Settings > Security Cloud Platform > Forward Proxy > Authentication.

  2. In Bypass Settings, under Source IP Address Bypass, click Edit.

  3. In the Source IP Address Bypass window, select the network locations you want to bypass from the tunnels. You can choose to bypass either the User IP or Egress IP of the network.

    If you want to add a network location, click +New. See Network Location Profile.

    The Source IP Address Bypass window in the Authentication Bypass Settings.
  4. Click Save.