Additional reading: Don’t Strangle your SASE article
In addition to configuring Split tunnel mode, you will need to add Steering Exceptions for the Netskope
Client to bypass the VPN concentrator gateway IP addresses to prevent SSL VPN traffic from being steered
to Netskope SSE. Steering exceptions need to be configured in the Netskope Tenant User Interface (UI).
Please refer to Exception Configuration for VPN Applications:
https://docs.netskope.com/en/exception-configuration-for-vpn-applications.html
For more recommendations and pros/cons of Split vs Full VPN tunnels refer to this blog post from the
Netskope portal: https://www.netskope.com/blog/dont-strangle-your-sase
Benefit of deploying Netskope Client
• Netskope Client is the preferred steering method and customers are always advised to deploy it
whenever possible. It facilitates universal connectivity to the Netskope Security Cloud regardless
of the user and endpoint location.
• These benefits address common issues of the past, such as lack of security when the user is
outside of the organization, the lack of a Zero Trust approach to accessing company resources, and
no integration with the identity and the security stack. These issues leave companies with a highly
complex operation and many blind spots that put the organization at risk.
• In the context of discussing how Netskope addresses challenges with legacy architecture, the
following sections highlight the benefits for organizations looking to enhance their network
security, user experience, and operational efficiency:
◦ Remote worker support
▪ Network based architecture usually relies on backhauling the traffic to a datacenter to apply
network based security. This generates higher latency and capacity issues.
▪ Netskope Client can redirect dynamically to the closest datacenter and leverage New Edge
peering to provide the best user experience.
◦ Authentication
▪ Authentication has always been a challenge with proxies, which rely on HTTP authentication
mechanisms to authenticate/identify the user. This is not transparent to the browser or the
application, which needs to support it, and it creates a dependency on the directory/IDP. As a
consequence it can cause performance and availability issues while still not being accurate (IP based
authentication is weak). Moreover, customers need to manage complex exception lists for
applications, such as office applications, that don't support HTTP authentication.
▪ Netskope Client solves those issues by performing client certificate based authentication
at the network level (SSL session to connect to the Data Plane), which means:
• It’s only done once, not for each domain/session.
• It’s invisible to the browser or the app and cannot fail, so there are no exceptions to manage.
• It’s not based on the IP but on the SSL session, so it is more secure and sharing the same IP
is not a problem.
• It doesn’t need any interactive validation with any IDP, so even if the IDP or AD is down the
authentication still works.