Zscaler ZIA and ZPA with NetSkope CASB and DLP services

Hi Everyone

I have a customer considering Zscaler ZIA and ZPA with NetSkope CASB and DLP services. We will implement Zscaler ZIA with the Zscaler Client Connector. I’m wondering if there are likely to be any compatibility issues when running the two solutions side-by-side, and would value anyone’s thoughts on this. Unfortunately I know on a little about NetSkope and the CASB services are being sold to the customer by another provider, so I’m not able to lab it up in time.

Any replies are greatly appreciated.

Many Thanks

Jon

1 Like

I’ve heard of our solutions running side by side, but I’m not aware of the current status. It’s something we’re seeing less and less of and Zscaler’s bolstered its native DLP and CASB capabilities, among other SASE services coming into the portfolio.

ZS and NS side-by-side has defiantly been running in production in some customers, hopefully someone with recent expereince can chime in for you.

Hi Jon,

It would be worth understanding what they mean by Netskope CASB. I.e. customers can run Netskope in multiple modes such as Out of Band API or Log Parsing, Inline Forward or Reverse Proxy.

If it’s run as OOB then there is not a lot of interaction with ZIA. If they are looking to run anything inline however that will lead to significant complexity and user experience problems. I.e. which way should traffic go? To Netskope or Zscaler? Who makes the decision? How does that happen.

Cheers
Jamie

Hi Jamie

Thanks for your response - these are the exact questions I had in my mind.

I believe that it would need to be OOB CASB from NetSkope otherwise like you say we’ll run into complexity issues. If we move to the next phase and I get to POC it I will update the thread.

Many Thanks

Jon

Hi Scott

Thanks for your response.

As per Simon’s response, I think it’d work fine with OOB CASB but there might be complications with Inline services. I’ll keep working on it and then update the thread if I get the chance to take it further.

Many Thanks

Jon

Hi Jonathan

There are no compatibility issues. We are using it for more than 1 year now and haven’t seen any issues so far.
Netskope uses Steering configuration to pick up the known application traffic before it is picked up by ZCC. Whatever you define in the steering configuration is picked and rest is sent to ZCC.
All you need to make sure if that you remove Netskope URL from SSL decryption to make it work else ZIA may try to decrypt the traffic and break the communication.

Hi Jamie

Netskope makes the decision. Picks up the interested traffic, encrypts it and then it rides ZIA tunnel. For other traffic it automatically goes to ZIA.
The only issue is with SSL inspection where ZIA may try to open Netskope traffic hence we need to whitelist those URLs in ZIA configuration

1 Like