
Secure Tenant Configuration

Platform Security
This document describes how to secure a tenant by checking and changing settings for features and functions in the Netskope UI.

Tenant Access

The following steps are a guide to quickly set up your tenant.

1. Set up a global admin that will only be used with proper change management controls. Log in to Netskope and go to Settings > Administration > Admins > New Admin. For more information, see: Create Administrators.

2. Enable Single Sign On (SSO) with your current SSO provider. Log in to Netskope and go to Settings > Administration > SSO. For more info, see: SSO Settings.

3. Create and assign roles for restricted admins. Log in to Netskope and go to Settings > Administration > Roles. For more information, refer to Create Roles and Assign Roles.

4. Identify any non-corporate users in the administration list and remove or revoke access. Log in to Netskope and go to Settings > Administration > Admins. For more info, refer to Change Access.

5. Confirm your enterprise policy for tenant support and enable or revoke based on the policy. Log in to Netskope and go to Settings > Administration > Admins. Identify tenant_support@netskope.com and review your corporate policy regarding this tenant support user and their level of access. Use the slide bar to the left, which allows enablement and/or removal of this account. For more information, refer to Managing Administrators.
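
An added example, not part of the original Netskope document: one way to run the admin-list review from steps 1, 4 and 5 over an exported list. The CSV columns, the role label "Tenant Admin", the corporate domain set and the limit of one enabled global admin are assumptions made for this example, not a Netskope export format.

```python
import csv
import io

# Constructed sample: a hypothetical CSV export of Settings > Administration > Admins.
SAMPLE_ADMINS = """email,role,enabled
alice@example.com,Tenant Admin,true
bob@example.com,Restricted Admin,true
carol@gmail.com,Restricted Admin,true
dave@contractor.example.net,Tenant Admin,false
tenant_support@netskope.com,Tenant Admin,true
"""

CORPORATE_DOMAINS = {"example.com"}              # assumption: your corporate mail domains
SUPPORT_ACCOUNT = "tenant_support@netskope.com"  # account named in step 5
GLOBAL_ROLE = "Tenant Admin"                     # assumption: label of the global admin role


def audit_admins(csv_text, corporate_domains, support_allowed=False, max_global=1):
    """Return a sorted list of (email, finding) tuples covering steps 1, 4 and 5."""
    findings = []
    global_admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        enabled = row["enabled"].strip().lower() == "true"
        # Exact domain match: a suffix test would accept look-alike domains.
        domain = email.rpartition("@")[2]
        if email == SUPPORT_ACCOUNT:
            # Step 5: the support account state must match the enterprise policy.
            if enabled != support_allowed:
                findings.append((email, "support account state differs from policy"))
            continue
        if domain not in corporate_domains:
            # Step 4: flag non-corporate admins even when disabled,
            # because a disabled account can be re-enabled later.
            state = "enabled" if enabled else "disabled"
            findings.append((email, f"non-corporate admin ({state})"))
        if enabled and row["role"].strip() == GLOBAL_ROLE:
            global_admins.append(email)
    # Step 1: global admin access is kept to the accounts under change management.
    if len(global_admins) > max_global:
        for email in global_admins:
            findings.append((email, "one of several enabled global admins"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in audit_admins(SAMPLE_ADMINS, CORPORATE_DOMAINS):
        print(f"{email}: {finding}")
```

Set support_allowed to match the outcome of the policy review in step 5, so the check reports only a mismatch between policy and the account's current state.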

Some default settings should be changed to secure a Netskope tenant.

Netskope | Copyright 2023, All rights reserved. 1/ 5


| Feature/Function | Description | Default Setting | Secure Setting |
|---|---|---|---|
| Secure email invites with one-time enrollment | Allows making email invites to be one-time use to prevent reuse. | Off | On |
| Disallow concurrent logins by an Admin | Ensures an admin can log in to a tenant only once, instead of being able to log in to a tenant multiple times concurrently. | Off | On |
| MFA | Enablement of multi-factor authentication. Integration with a third-party tool is required. | Off | On |
| SSO | Enablement of SSO authentication using forms like SAML. Integration with a third-party tool is required. | Off | On |
| Logging of Admin actions to SIEM | Logging of activity by admins is recommended but needs configuration by the user. Integration with a third-party tool is required. | Off | On |
| Tenant Support Enablement | Tenant Support allows our Support team to access your tenant. With this off you will need to turn it on for Netskope to support you. | On | Off |

Traffic Steering

| Feature/Function | Description | Default Setting | Secure Setting |
|---|---|---|---|
| Safe Search | Enforce strict safe search for queries sent to search engines. | On | On |
| Dynamic Trusted Store | Allow automatic download and use of intermediate certificate to verify server’s identity for SSL handshake. | On | On |
| Enhanced Cert-Pinned Apps | Allows using specific domains and process name combination before making a decision to bypass or steer traffic. | On | On |
| Bypass Loopback DNS controls | Allows configuring the Client to not respond to DNS responses from a DNS server on the Loopback address. | On | On |

Error Settings in Steering Configurations

| Feature/Function | Description | Default Setting | Secure Setting |
|---|---|---|---|
| No SNI | Between the Netskope Client and the Netskope Cloud Proxy, when the Netskope Cloud Proxy cannot determine the SNI. | Bypass | Block |
| Malformed SSL | Between the Netskope Client and the Netskope Cloud Proxy, when the designated port is 443 but fails to parse the first packet in the SSL traffic. | Bypass | Block |
| CRL/OCSP checks | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate is revoked. | Bypass | Block |
| SSL Handshake Error | Between the Netskope Cloud Proxy and the internet server, when the SSL handshake fails. | Bypass | Block |
| Self-Signed Server Certificate | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate is self-signed. | Block | Block |
| Incomplete Certificate Trust Chain | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate chain is incomplete. | Bypass | Block |
| Untrusted Root Certificate | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate is not trusted. | Block | Block |
| Malformed HTTP | Between the Netskope Client and the Netskope Cloud Proxy, when the HTTP request received by the Netskope Cloud Proxy is invalid. | Block | Block |
| SSL-Pinned Certificate | For the Netskope Client to bypass a certificate-pinned application. | Bypass | Bypass |
| SSL Host Mismatch | Between the Netskope Cloud Proxy and the internet server, when the domain name of the server doesn’t match the common name in a server’s certificate. | Block | Block |

Client Configuration

| Feature/Function | Description | Default Setting | Secure Setting |
|---|---|---|---|
| Upgrade Client automatically | If a lower version is selected, the endpoint with the higher version of the Netskope Client installed will need a manual uninstall and reinstall of the lower version of the Netskope Client. | On | On |
| Uninstall Clients automatically | Uninstalls the Client when users are removed from the Netskope tenant. | Off | On |
| Allow users to unenroll | If the Client is provisioned via IdP, selecting this option allows users to unenroll from Netskope. | Off | Off |
| Allow disabling of Clients | Allows user to disable the Client on a device. | On | Off |
| Password protection for Client uninstallation and service stop | Password protection to prevent stopping the services is only supported on the Client on Windows. | Off | On |
| Fail Close | Blocks all traffic when a tunnel to Netskope is not established or a user device is not provisioned in the Netskope Cloud. Domain-based, IP-based, and cert-pinned exceptions will be applied, but category-based exceptions will be blocked. When a user is detected as on-premises, the exceptions will be blocked. When Fail Close is enabled, the Password Protection for Client Uninstallation and Service Stop and Allow Disabling of Clients options become enabled. With Fail Close, you can Exclude Private Apps Traffic, so Private Access is not affected, and also Show Notifications. | Off | On |
