For the Netskope Client to function correctly, it must establish a secure tunnel to the Netskope cloud infrastructure. The primary communication channel is a TLS tunnel over TCP port 443, which is a mandatory requirement. Therefore, firewall rules must permit this traffic to the designated Netskope IP ranges or domains. For optimal performance, especially with latency-sensitive applications, the Netskope Client also attempts to establish a DTLS tunnel over UDP port 443. While the client can fall back to TCP-only, allowing UDP is a highly recommended best practice to ensure the best user experience.

A. Netskope requires modern, secure protocols like TLS 1.2 or higher. TLS 1.1 is deprecated and insecure. Also, rules should be scoped to Netskope destinations, not "all destinations".

B. The Netskope Client's tunnel to the cloud is secured with certificate pinning. Enabling SSL decryption on a proxy to inspect this tunnel will break the trust and cause the connection to fail.

1. Netskope Support Portal

"Netskope Client Networking Requirements": This document explicitly states the need to allow traffic to Netskope domains and IP ranges. It details that TCP port 443 is required for the primary tunnel (TLS) and that UDP port 443 is recommended for the secondary

performance-enhancing tunnel (DTLS).

2. Netskope Support Portal

"Add Netskope Exceptions to your Firewall": This guide provides the specific domains and IP addresses that need to be allowed. It confirms that "TCP/UDP Port 443" should be open for these destinations

reinforcing that both protocols are used.

3. Netskope Support Portal

"Certificate Pinning": This article explains that Netskope services

including the client

use certificate pinning to prevent man-in-the-middle attacks. This directly contradicts the idea of using a proxy to decrypt the client's tunnel

as it would be treated as a security violation

causing the connection to be terminated.