TTechclick ⚡ XP 0% All lessons
Netskope · Architecture · Traffic Steering & NewEdgeInteractive · L1 / L2 / L3

Netskope Architecture & Traffic Steering: — Client, NewEdge & SSL Inspection

A policy can only inspect traffic it actually sees. This lesson is about the plumbing that gets traffic to Netskope — the Client, the NewEdge POPs, the four other on-ramps, and the SSL decryption that lets Netskope read HTTPS at all. Get steering right and everything else works; get it wrong and your beautiful policies inspect nothing.

📅 2026-06-05 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

How traffic reaches Netskope: the Netskope Client (TLS/DTLS tunnel), NewEdge POPs, steering modes (Cloud Apps / Web / All Traffic), IPsec, GRE, explicit and reverse proxy, SSL decryption, certificate-pinned bypass and single-pass inspection.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

How traffic arrives

Client, NewEdge POPs and the path every request takes.

 2

Steering methods

Client vs IPsec, GRE, explicit & reverse proxy.

 3

SSL inspection

Why HTTPS must be decrypted, and the Netskope CA.

 4

Bypass vs DND

Pinned apps, exceptions and what to choose.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A laptop has the Netskope Client installed. How does its traffic reach Netskope?

Answered in How traffic arrives.

2. Why would Netskope need to decrypt your HTTPS traffic?

Answered in SSL inspection.

3. Your banking app stops working right after the Client is deployed. The most likely culprit is…

Answered in Steering methods.

Most engineers think…

Most engineers think “installing the Netskope Client = my traffic is protected,” full stop.

Wrong — and it is the number-one rollout mistake. The Client only builds the tunnel. What goes down that tunnel is decided by your Steering Configuration (Cloud Apps Only / Web Traffic / All Traffic) and your exceptions. A Client with the wrong steering mode, or with the app sitting in a bypass, sends Netskope nothing to inspect — and every Real-time Protection policy downstream silently does nothing.

① How traffic actually reaches Netskope

In Lesson 1 we said Netskope is the cloud checkpoint between your people and every app. This lesson answers the obvious next question: how does the traffic physically get there? Because a checkpoint only works if cars are routed through it. In Netskope, that routing is called steering.

The most common on-ramp is the Netskope Client — a small agent on the laptop. When it starts, it builds an encrypted tunnel to the nearest Netskope data centre: TLS over TCP/443 or DTLS over UDP/443. Your web and app traffic rides inside that tunnel to a POP, gets inspected, and egresses to the internet wearing a Netskope public IP — not your home IP.

That global network of full-compute data centres is NewEdge. As of 2026 it spans 120+ data centres across 80+ regions, with data-sovereignty controls in two dozen countries and a NewEdge AI Fast Path for agentic-AI workloads. For an L1, the practical point is simpler: there is almost certainly a POP near your users, so steering to it adds little delay.

👉 So far: steering routes endpoint traffic into a tunnel to the nearest NewEdge POP, which inspects and egresses it. Next: see all the on-ramps on one picture.
Figure 1 — Four on-ramps, one POP
Four on-ramps, one checkpoint: every steering method lands on the same NewEdge POP On the left, four traffic on-ramps — Netskope Client tunnel, IPsec or GRE from a branch router, an explicit proxy PAC file, and reverse proxy via SAML — all converge on a single NewEdge point of presence in the middle, which decrypts and inspects, then egresses to SaaS and the internet on the right with a Netskope IP. Pick any on-ramp — they all meet at one inspection point how traffic gets on Netskope ClientTLS / DTLS 443 · managed laptopIPsec / GREbranch router · whole siteExplicit ProxyPAC file · no clientReverse ProxySAML redirect · unmanaged BYOD NewEdge POPSSL decrypt · single-passSWG+CASB+DLP+threat ← TLS terminates HERE, then re-encrypts SaaS (M365 / SFDC) internet / web private app (via NPA) egress carries a Netskope public IP untrustedtrusted / inspectedinspection pointkey ideaallowed / direct
Whatever the on-ramp — Client tunnel, IPsec/GRE, explicit proxy or reverse proxy — traffic converges on a single NewEdge POP that decrypts, inspects once, and egresses with a Netskope IP.

Four words for the plumbing

Tap each card — these are the moving parts of steering.

🧭
Steering
tap to flip

Deciding which traffic goes to Netskope vs straight to the internet. It is the first thing you configure and the first thing that breaks a policy.

🛰️
NewEdge POP
tap to flip

A full-compute Netskope data centre near the user. It decrypts, runs every engine once, and egresses. Nearest POP = low latency = inspection stays on.

🔌
Netskope Client
tap to flip

The endpoint agent. Builds a TLS/DTLS tunnel to the POP and sends the steered traffic down it. No Client? Use a tunnel or proxy instead.

🎚️
Steering mode
tap to flip

Cloud Apps Only, Web Traffic, or All Traffic — how much of the device’s traffic the Client captures. Wrong mode = Netskope sees nothing useful.

Check the Netskope Client on a Windows endpoint (nsdiag -f)
C:\> "C:\Program Files (x86)\Netskope\STAgent\nsdiag.exe" -f

Orgname          : wipro
Steering Config  : BLR-HQ-Managed-Laptops
Client status    : enable
Tunnel status    : NSTUNNEL_CONNECTED
Gateway          : gateway-bom1.goskope.com
Gateway IP       : 163.116.144.50
Tunnel Protocol  : DTLS
Traffic Mode     : All Traffic
Dynamic Steering : enabled
Expected output
Client status: enable plus Tunnel status: NSTUNNEL_CONNECTED to a nearby Gateway (here gateway-bom1 = Mumbai) means traffic is actually steered. Read the Steering Config and Traffic Mode lines together — they tell you WHICH configuration and how much traffic it captures. If Tunnel status shows anything other than NSTUNNEL_CONNECTED, or Traffic Mode is None, the Client builds no useful tunnel and inspects nothing — even when Client status says enable.
Quick check · Q1 of 10

Priya at Wipro installs the Client on a remote laptop. nsdiag -f shows Client status: enable but Tunnel status is not NSTUNNEL_CONNECTED and no Gateway is selected. What is the most likely cause?

Correct: c. No connected tunnel and no Gateway means the Client cannot reach NewEdge. The usual culprit is a firewall or full-tunnel VPN not allowing/excluding 443 to Netskope’s 163.116.128.0/17 range, so POP selection fails. A missing CA causes cert errors (traffic still tunnels); DLP and a SaaS outage do not stop the tunnel forming.

Pause & Predict

Predict: a user’s corporate VPN is full-tunnel and does NOT exclude Netskope’s range. What happens to nearest-POP selection? Type your guess.

Answer: It breaks. All Netskope traffic rides the VPN to a single VPN egress first, so the Client picks a POP near that egress, not near the user. A Mumbai user whose VPN exits in the US lands on a US POP — latency spikes. Fix: split-exclude Netskope’s 163.116.128.0/17 (TCP+UDP 443) from the VPN.

② Steering methods and modes — Client, tunnels and proxies

The Client is not the only on-ramp. You pick the steering method based on the device, and the steering mode based on how much traffic you want captured. Methods and modes are independent dials — set both.

The five steering methods

Netskope Client — best for managed laptops; per-user, follows the device anywhere. IPsec and GRE tunnels — from a branch router/firewall, they steer a whole site’s traffic without touching endpoints (great for kiosks, OT, unmanaged desktops); you build them under Settings → Security Cloud Platform → IPSec (or GRE), picking a primary and backup POP per source peer. Explicit Proxy — a PAC file points browsers at Netskope; no client, no tunnel. Reverse Proxy — the clientless path: a SAML redirect (configured under Settings → Security Cloud Platform → Reverse Proxy → SAML → Add Account) steers unmanaged/BYOD devices to sanctioned SaaS only.

The three traffic modes

Inside a Steering Configuration you choose one mode: Cloud Apps Only (just sanctioned SaaS), Web Traffic (all HTTP/S on 80/443), or All Traffic (web plus non-web ports — SSH, SMTP, custom TCP/UDP). All Traffic needs the Cloud Firewall licence, because inspecting non-web ports is firewall work, not web-proxy work. There is also a None setting, where the Client establishes no tunnel at all.

Figure 2 — Steering cheat-sheet
Steering at a glance — modes, methods and the one path traffic takes A cheat-sheet card with three columns. Column one lists the three traffic modes Cloud Apps Only, Web Traffic and All Traffic. Column two lists the five steering methods Client, IPsec, GRE, Explicit Proxy and Reverse Proxy with when to use each. Column three shows the fixed order traffic flows: on-ramp, POP, decrypt, single-pass, egress. Traffic Steering — your one-glance map ① What to steer (mode) Cloud Apps Onlysanctioned SaaS onlyWeb Trafficall HTTP/S (80/443)All Trafficweb + non-web ports* *All Traffic needs Cloud Firewall licence ② How to steer (method) Netskope Clientmanaged laptopIPsec / GREbranch / siteExplicit ProxyPAC, no clientReverse Proxyunmanaged BYOD + SAML Dynamic Steeringdifferent mode on-prem vs off-prem ③ The fixed path on-rampnearest POPSSL decrypt†single-passre-encrypt → egress †unless pinned / Do-Not-Decrypt Steering decides what reaches Netskope. Get this wrong and every policy after it is dead. untrustedtrusted / inspectedinspection pointkey ideaallowed / direct
Two dials plus one fixed path. Pick a mode (what to steer) and a method (how to steer); the path traffic then takes is always the same.
🖥️ This is the screen you’ll use to control what reaches Netskope — Settings → Security Cloud Platform → Steering Configuration → New Configuration. (Recreated for clarity — your tenant matches this.)
tenant.goskope.com · Settings → Security Cloud Platform → Steering Configuration
1
Configuration Name
BLR-HQ-Managed-Laptops
2
Traffic Steering
All Traffic
3
Assign to
Organizational Unit: HQ-Endpoints
Steered Apps tab
Add Steered Item
4
Exceptions tab
New Exception → Certificate Pinned Application
Save & Enable

New for steering: Dynamic Steering. Tick Enable Dynamic Steering and you get separate On-Premises and Off-Premises dropdowns (each can be Cloud Apps Only / Web Traffic / All Traffic / None). An On-Premises Detection Profile (Egress IP, DNS or HTTP check) tells the Client which mode to use, and it re-checks every 3–5 minutes.

Karthik at ICICI faces this

Karthik, an L1, is told: “in the office, send only sanctioned SaaS to Netskope (the branch firewall handles the rest); when staff work from home, inspect ALL their traffic.” He is about to build two separate configs and swap them manually.

Likely cause

Manual swapping is error-prone and never matches reality — laptops move all day. This is exactly what Dynamic Steering exists for: one config, two modes, switched by location.

Diagnosis

He checks whether a single Steering Configuration can apply different modes on-prem vs off-prem.

Settings → Security Cloud Platform → Steering Configuration → Enable Dynamic Steering
Fix

In one config, enable Dynamic Steering: On-Premises = Cloud Apps Only, Off-Premises = All Traffic. Attach an On-Premises Detection Profile (Egress IP of the office) so the Client auto-switches.

Verify

On office Wi-Fi, nsdiag shows the on-prem mode; tether to a phone and within ~5 minutes it flips to All Traffic. Skope IT logs reflect the mode change.

Quick check · Q2 of 10

A site has only kiosks and contractor BYOD desktops — nothing you can install software on — but you must steer their web traffic. Best method?

Correct: a. An IPsec/GRE tunnel from the site edge steers everyone behind it without touching endpoints — ideal for kiosks/unmanaged desktops. The Client needs install rights; reverse proxy only covers sanctioned SaaS via SAML, not general web; and unmanaged devices absolutely can be steered via tunnels/proxy.

Pause & Predict

Predict: you set traffic mode to Web Traffic, then a custom internal app on TCP 8443 to 10.20.5.10 stops being controlled. Why — and what mode fixes it? Type your guess.

Answer: Web Traffic only steers HTTP/S on 80/443, so a non-web port (8443 custom TCP) is never sent to Netskope. Switch the config to All Traffic (which needs the Cloud Firewall licence) so non-web ports are steered too — or add 8443 under Non-Standard Ports.

③ SSL/TLS decryption — why Netskope must open the envelope

Steering gets traffic to the POP. But almost all of that traffic is HTTPS — encrypted end to end. You cannot scan for malware, block an upload, or run DLP on bytes you cannot read. So Netskope performs SSL/TLS decryption: a controlled man-in-the-middle during the TLS handshake.

Mechanically, the POP runs two TLS sessions. Session one is between the endpoint and the POP; session two is between the POP and the real server (using the server’s real certificate). In the middle, the POP decrypts, inspects in a single pass, and re-encrypts. To make session one work, the POP re-signs the page with the Netskope CA certificate — which is why that CA must be installed and trusted on every endpoint (via MDM/GPO). Miss it, and every HTTPS site throws a certificate warning.

By default, all traffic steered to Netskope is decrypted, then analysed by Real-time Protection policies. You carve out exceptions with an SSL Decryption policy set to Do Not Decrypt (for example, banking or healthcare categories you must not read). Do-Not-Decrypt traffic still reaches Netskope and still matches Real-time Protection — but with limited context, since the payload stays sealed.

Figure 3 — SSL inspection is a controlled MITM
SSL inspection is a controlled MITM: two TLS sessions, joined by the Netskope CA A left-to-right flow showing the endpoint opening a TLS session to the NewEdge POP, the POP opening a second TLS session to the real server, and in the middle the POP decrypting, inspecting and re-encrypting. A callout shows the Netskope CA certificate that must be trusted on the endpoint or the browser throws a certificate error. No trusted Netskope CA on the device = constant cert errors endpoint10.50.2.7browser / app NewEdge POPdecrypt → inspect→ re-encryptre-signs with Netskope CA real serversalesforce.comreal cert TLS #1 TLS #2 (to real cert) Netskope CA must be in the device trust storepush via MDM/GPO — or every HTTPS page warns Pinned app? It rejects ANY re-signed cert→ bypass it, don't try to inspect it untrustedtrusted / inspectedinspection pointkey ideaallowed / direct
Two TLS sessions joined at the POP. Watch where TLS terminates and re-signs — that is why the Netskope CA must be trusted on the device, and why pinned apps reject it.

▶ Follow one HTTPS request through SSL inspection

Aditya at HCL opens Salesforce; watch the decrypt-inspect-re-encrypt round trip. Press Play for the healthy path, then Break it to see the failure.

① SteerAditya (10.50.2.7) Client tunnels HTTPS to NewEdge POP (Mumbai)
② DecryptPOP terminates TLS, re-signs with Netskope CA — device trusts it
③ Inspectsingle pass: SWG + CASB + DLP + threat read the plaintext
④ Re-encryptPOP opens TLS to real server cert → allow; logged in Skope IT
Press Play to step through the healthy path. Then press Break it.
Common mistake — "users see cert errors everywhere after rollout"

Symptom: every HTTPS page warns “your connection is not private” right after SSL Decryption is enabled. Cause: the Netskope CA certificate was never pushed to the device trust stores (and to NSS for Firefox / Java keystores for some apps). Fix: distribute the Netskope CA via MDM/GPO before you enable decryption — not after.

Quick check · Q3 of 10

Why does Netskope present its own CA certificate to the endpoint during SSL inspection?

Correct: c. Inspection means the POP terminates and re-signs the TLS session, presenting a Netskope-issued cert to the device. The device only trusts it if the Netskope CA is in its trust store — otherwise every HTTPS session looks like a stranger and throws an error. It is about trust, not speed or cost.

Pause & Predict

Predict: a hospital steers staff through Netskope but must legally NOT read patient-portal traffic. Decrypt everything? What is the right control? Type your guess.

Answer: No — add an SSL Decryption policy with Action: Do Not Decrypt for the Health/Medical category (or the specific portal domains). Traffic still reaches Netskope and is logged with limited context, but the payload stays encrypted. This is a Do-Not-Decrypt policy, not a steering bypass — you keep a record.

④ Certificate pinning, bypass vs Do-Not-Decrypt, and exceptions

Some apps refuse to be inspected. A certificate-pinned app ships with its own certificate baked in and trusts nothing else. When Netskope re-signs the session with the Netskope CA, the pinned app sees a cert it did not expect and breaks — connection failures, not security alerts. Common examples: Dropbox, iCloud, CrowdStrike, Microsoft Teams desktop, many native mobile apps.

Netskope auto-maintains a default bypass list of around 52 enterprise pinned apps (June 2025), so most “just work.” You control how new predefined ones are handled under Settings → Security Cloud Platform → Steering Configuration → Preferences, in the Certificate Pinned Application updates setting — Ask me (default; review each release), Skip (added to the Default config only), or Bypass (added as an exception to all configs). For an app Netskope does not know, you create it under Settings → Security Cloud Platform → App Definition → Certificate Pinned Apps → New Certificate Pinned App (give it a name, platform and the process name, e.g. myapp.exe), then add it as a Steering Configuration exception.

Here is the distinction L1s get wrong in interviews. A Steering Bypass means the traffic never leaves the device for Netskope — it goes direct, so there are no logs in Skope IT. An SSL Do-Not-Decrypt policy means the traffic still reaches Netskope but stays encrypted — you keep a log and a risk score. Netskope’s own guidance: prefer Do-Not-Decrypt over a hard bypass wherever the app tolerates it, so you do not go blind.

Figure 4 — Bypass vs Do-Not-Decrypt
Steering Bypass goes direct and blind; Do-Not-Decrypt still reaches Netskope Two side-by-side flows. Left: a Steering Bypass where traffic leaves the endpoint and goes straight to the app, never reaching Netskope, so there are no logs. Right: an SSL Do-Not-Decrypt policy where traffic still goes through the Netskope POP and is logged with limited context, but stays encrypted. Same goal, very different visibility — pick on purpose Steering Bypass never reaches Netskope endpoint app (direct) no logs in Skope IT · no DLP SSL Do-Not-Decrypt reaches Netskope, stays sealed endpoint POPno decrypt app logged + limited Real-time match Rule of thumbPrefer SSL Do-Not-Decrypt over Steering Bypass — you keep a record and risk score.Use a true Steering Bypass only for apps that break under inspection (pinned / latency-critical). untrustedtrusted / inspectedinspection pointkey ideaallowed / direct
Both leave the app working, but only one keeps you any visibility. Choose a true steering bypass only when the app genuinely breaks under inspection.

One more sharp edge: Enhanced Cert Pinning. Plain pinned-app bypass can over-match — a browser visiting the same domains as a pinned app may also get bypassed, leaving a hole. Enhanced Cert Pinning makes the Client verify the destination domain belongs to that app before bypassing, so only the real app traffic skips inspection.

Pro tip — the two-question steering check

For any “why isn’t my policy applying?” ticket, ask: (1) Is the traffic even steered? Right mode (Cloud Apps / Web / All), not sitting in a bypass — check nsdiag and the Steering Config. (2) Is it being decrypted? Not a pinned app, not under a Do-Not-Decrypt policy. Ninety percent of “Netskope isn’t working” turns out to be one of these two, not the policy itself.

Common mistake — "sanctioned SaaS shows zero activity in Skope IT"

Symptom: a SaaS app you are supposedly monitoring shows no transaction records at all. Cause: its native desktop app is certificate-pinned and on the default bypass list, so that traffic never reaches the tenant — logs stay local. Fix: decide per app — keep the bypass (accept the blind spot) or move users to browser access with SSL Decrypt to regain visibility and DLP.

Prove you understand steering end to end

Take a real request — “a contractor on an unmanaged laptop uploads a file to the company’s sanctioned Box from home.” You should be able to name the method (reverse proxy via SAML), say whether it is decrypted (yes, unless Box is pinned/Do-Not-Decrypt), and where you’d confirm it (Skope IT). If you can, you’re ready for Next Gen SWG.

Next: Next Gen Secure Web GatewayBack to basics: SASE, SSE & the platform
Quick check · Q4 of 10

Your manager wants a pinned app to keep working AND wants to keep a record of its connections for risk scoring. Which control fits?

Correct: b. Do-Not-Decrypt keeps the app working (no MITM to break pinning) yet the traffic still flows through Netskope, so you get logs and a risk score. A hard steering bypass sends it direct with no logs; blocking breaks the app; disabling the Client removes all protection.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Netskope docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which protocol/ports does the Netskope Client use to build its tunnel to a POP?

Correct: a. The Client builds a TLS tunnel on TCP/443 or a DTLS tunnel on UDP/443 to the nearest NewEdge POP. SSH and plain HTTP are not used for the tunnel; IPsec/500 is a separate site-steering method, not the Client tunnel.
Q6 · Apply

A bank must steer staff through Netskope but legally cannot read customer banking-portal traffic. What is the correct configuration?

Correct: b. Do-Not-Decrypt lets the traffic reach Netskope (so it is logged with limited context) without reading the payload — exactly the legal requirement. Mode None or uninstalling removes all protection; blocking the portal breaks legitimate banking access.
Q7 · Apply

You must steer an internal app reachable only on a custom non-web port (TCP 9100) at 172.16.40.10. Which steering mode is required?

Correct: c. Cloud Apps Only and Web Traffic only steer SaaS / HTTP-S (80/443); a non-web port like 9100 is only captured by All Traffic, which requires the Cloud Firewall licence. None steers nothing.
Q8 · Analyze

A sanctioned SaaS app shows zero events in Skope IT even though users clearly use it via its desktop app. Most likely root cause?

Correct: d. Bypassed pinned-app traffic never reaches Netskope, so no transaction records are generated — that is the visibility gap. A DLP licence lapse or a monitor-mode policy would still produce events; the OU only affects which config applies, not whether pinned traffic is logged.
Q9 · Analyze

Bengaluru remote users complain everything is slow since rollout. nsdiag -f shows Tunnel status NSTUNNEL_CONNECTED but Gateway gateway-iad1.goskope.com (US East). What is the most likely cause?

Correct: a. A US gateway (iad1) for Bengaluru users means traffic exits via a US VPN egress before reaching Netskope, breaking nearest-POP selection — it should land on gateway-bom1 (Mumbai). Fix by split-excluding 163.116.128.0/17 from the VPN. Netskope does have India POPs; a missing CA causes cert errors, not POP misselection; decryption state does not pick the POP.
Q10 · Evaluate

For a pinned app that must keep working but whose connections you want recorded for risk scoring, which is the better default and why?

Correct: b. Do-Not-Decrypt avoids the MITM that breaks pinning yet still routes traffic through Netskope, preserving logs and risk scoring — the best balance. A hard bypass goes direct with no visibility; blocking breaks the app; disabling inspection tenant-wide blinds you everywhere.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why can a Client show "Enabled" yet Netskope still inspects none of the user’s traffic? Then compare to the expert version.

Expert version: Because the Steering Configuration mode is None (or the app sits in a bypass), so the Client builds no useful tunnel and sends Netskope nothing — "Enabled" only means the agent is running, not that traffic is being steered.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Steering
Selecting which endpoint traffic is sent to Netskope versus sent direct to the internet.
NewEdge
Netskope’s privately-owned global security cloud / data plane — 120+ data centres across 80+ regions (2026).
POP / Data Plane
Point of Presence — a NewEdge data centre that decrypts, inspects and egresses your steered traffic.
Netskope Client
The endpoint steering agent; builds a TLS (TCP/443) or DTLS (UDP/443) tunnel to the nearest POP.
Steering Configuration
The policy object (Cloud Apps Only / Web Traffic / All Traffic) assigned to OUs or user groups.
Steering mode
Cloud Apps Only, Web Traffic, All Traffic or None — how much of the device’s traffic the Client captures.
Dynamic Steering
Applies a different steering mode on-premises vs off-premises, decided by an On-Premises Detection Profile.
Steering Bypass
An exception where traffic never leaves the device for Netskope — goes direct, so no logs in Skope IT.
SSL Decryption
Controlled MITM at the POP that terminates and re-signs TLS so the plaintext can be inspected.
Do Not Decrypt
An SSL policy where traffic still reaches Netskope but stays encrypted (limited Real-time Protection context).
Certificate pinning
An app trusts only its own cert, so a re-signed (MITM) cert is rejected and the app breaks — it must be bypassed.
Enhanced Cert Pinning
The Client also checks the destination domain matches the pinned app before bypassing, closing the over-match hole.

📚 Sources

  1. Netskope Docs — "Configure a Steering Configuration", "Steering Preferences" & traffic modes (Cloud Apps Only / Web Traffic / All Traffic). docs.netskope.com
  2. Netskope Docs — "SSL Decryption", "Certificate Pinned Applications" & "Add Bypasses in Netskope". docs.netskope.com
  3. Netskope Community — "Certificate-pinned application steering exceptions" (default ~52 pinned apps, Enhanced Cert Pinning, Skope IT visibility gap). community.netskope.com
  4. Nathan Catania — "Netskope Quick Start" (Client TLS/DTLS tunnel, 163.116.128.0/17, VPN full-tunnel breaks POP selection). nathancatania.com
  5. Help Net Security / Netskope press — NewEdge 120+ DCs / 80+ regions, data sovereignty in 24 countries, NewEdge AI Fast Path (May 2026). helpnetsecurity.com
  6. Netskope — NCCSI (NSK200) certification blueprint: steering methods, client deployment, SSL Decryption policy, Real-time Protection. infosec.netskope.com

What's next?

Now that traffic reliably reaches Netskope and is decrypted, Lesson 3 goes deep into the Next Gen Secure Web Gateway — categories, activities, threat protection and how a web policy is actually built.

Next · Netskope Next Gen SWG → Practice on exam.techclick.in →