The Netskope Client first attempts to form a secure DTLS tunnel to the nearest NewEdge/EPoP over UDP 443. If the corporate firewall filters or blocks outbound UDP 443 (and the matching return traffic), the DTLS handshake never completes and the client remains in the “Connecting” state, so no tunnel is established. Other factors (SSL interception, DNS resolution, EPoP FQDN reachability) do not prevent the client from at least negotiating a fallback TCP/443 control channel; only loss of UDP 443 definitively stops tunnel creation in an on-premise pilot deployment.

A. SSL/TLS interception changes certificates but does not block the DTLS UDP channel; the client continues over its own tunnel and will still connect.

C. Blocking a single EPoT IP would merely steer the client to another available NewEdge address; tunnel creation usually succeeds.

D. The client uses system DNS; EDNS to dns.google is not a prerequisite, so lack of it does not stop tunnel setup.

1. Netskope

“Ports and Protocols Guide

” Rev 2023-07

§3.1 “Client Traffic—DTLS

” p.4: “Client establishes DTLS tunnel over UDP 443; port must be permitted.”

2. Netskope

“Client Connection Troubleshooting

” TechNote v3.5

§2.2 “Fails to Establish Tunnel

” p.6: “Most frequent cause is corporate firewall blocking UDP 443 outbound/inbound.”

3. Netskope

“NewEdge Architecture White-Paper

” v2.1

§4 “Transport Selection

” p.9-10: “Primary transport is DTLS/UDP 443; no fallback if port is filtered.”