Netskope NPA Whitelisting and Discovery
As part of the 'discovery' process, we typically configure the Netskope policies to steer all Private App traffic to a Netskope Publisher (referred to in the question as *.*).
However, we wouldn't want to grab *.* (everything), since that would also encompass web-based traffic (google.com, o365.com, etc.).
We only want to capture internal app traffic, so we would steer, for example, *.everycloud.co.uk (or any other TLDs / IPs used by your internal applications).
A "Private App" is defined in the NPA policies using one of the following conditions:
- Domain name
- Wildcard
- PQDN
- IP
- CIDR
For example, using a wildcard of *.everycloud.co.uk we would discover all applications hosted on this domain name, but only those applications reachable from the publisher this wildcard domain points to.
For example, if *.everycloud.co.uk were pointing to a London DC Publisher, everyone (globally) would access the private applications through the London DC Publisher (not good for latency, and not every application might even be reachable from the London DC breakout).
Since your applications are hosted in multiple locations (both on-premise and in Azure), simply pointing a wildcard (*.everycloud.co.uk) at a single publisher (e.g. London) is not a viable solution for discovery, because apps in other regions might not be reachable through London, or would be very slow for any user 'far away' from the application.
Therefore, we would be better off knowing the IPs/subnets in each region, for example:
192.168.1.0/24 = London DC
192.168.2.0/24 = Singapore DC
10.0.0.1/24 = Hong Kong DC
We can then use the wildcard domain *.everycloud.co.uk on the London Publisher only to resolve DNS names to the application IP addresses.
The resolved IP would then route the user's traffic directly to the publisher in that region (e.g. London resolves "app1.everycloud.co.uk" to 192.168.2.100, which sits behind a publisher policy in Singapore). This would reduce latency and enable better multi-regional discovery.
Something that would help further (if possible) is a sub-domain per region, such as Hong Kong using a DNS name like "app.hk.everycloud.co.uk" and Singapore "app.sg.everycloud.co.uk", although this is not required.
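As an added illustration (not Netskope's own code or data model), the following Python models the steering logic described above: the wildcard private app brings a name into scope, the DNS answer picks the regional CIDR app and therefore the publisher. The three CIDRs are the ones from the text; the DNS table, the publisher names and the fall-back-to-the-wildcard's-publisher behaviour are assumptions made for the model.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed model (not Netskope's data model) of the private apps above:
# one wildcard app used for discovery / DNS resolution, plus one CIDR app
# per regional publisher. The Hong Kong CIDR is kept exactly as written
# on the page (10.0.0.1/24); ip_network(strict=False) normalises it to
# 10.0.0.0/24 and load_cidr_apps reports it so the definition gets tidied.
WILDCARD_APP = ("*.everycloud.co.uk", "London DC Publisher")
CIDR_APPS = [
    ("192.168.1.0/24", "London DC Publisher"),
    ("192.168.2.0/24", "Singapore DC Publisher"),
    ("10.0.0.1/24", "Hong Kong DC Publisher"),
]
# Constructed stand-in for the DNS server in prerequisite 1, which must
# resolve every app name regardless of where the app is hosted.
DNS_TABLE = {
    "app1.everycloud.co.uk": "192.168.2.100",     # hosted in Singapore
    "app.hk.everycloud.co.uk": "10.0.0.50",       # hosted in Hong Kong
    "intranet.everycloud.co.uk": "192.168.1.10",  # hosted in London
}

def load_cidr_apps(apps=CIDR_APPS):
    """Parse the CIDR apps; return (networks, warnings about host bits)."""
    networks, warnings = [], []
    for cidr, publisher in apps:
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            warnings.append(f"{cidr} has host bits set; treated as {net}")
        networks.append((net, publisher))
    return networks, warnings

def in_scope(hostname):
    """True if the discovery wildcard covers the name ('*' spans any depth
    of sub-domain); google.com, o365.com and other web traffic stay out."""
    return fnmatchcase(hostname.lower(), WILDCARD_APP[0])

def select_publisher(hostname, dns=DNS_TABLE, apps=CIDR_APPS):
    """Which publisher carries the traffic: the resolved IP picks the
    regional CIDR app; an IP outside every regional CIDR falls back to the
    wildcard's publisher (the everyone-via-London latency problem above)."""
    if not in_scope(hostname):
        return None                           # web traffic, not a private app
    if hostname not in dns:
        return "UNRESOLVED"                   # prerequisite 1 not met
    ip = ipaddress.ip_address(dns[hostname])
    networks, _ = load_cidr_apps(apps)
    # longest-prefix match so a more specific CIDR wins over a broader one
    hits = sorted((n for n in networks if ip in n[0]), key=lambda n: n[0].prefixlen, reverse=True)
    return hits[0][1] if hits else WILDCARD_APP[1]
```

Running load_cidr_apps() on the three subnets flags the Hong Kong entry, which is the kind of definition check worth doing before rolling the CIDR apps out.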
Once the underlying physical architecture is in place (publishers are deployed and every region and application is reachable), we can enable MFA across all applications at the same time (before individually segmenting the applications using more stringent policies).
The prerequisites for this architecture are:
1. You have a DNS server somewhere in the network which can resolve the IPs of your applications regardless of their location (e.g. can a London DNS server resolve app1.everycloud.co.uk even if this application is physically hosted in Singapore?).
2. Publishers are rolled out into each region where applications reside (a pair per region is also suggested for resilience).