DPOP (Dataplane On-Premises) / Appliance?

This is the on-premises data plane. DPOP provides cloud security services locally rather than routing all traffic to the Netskope cloud.
Netskope places a box (appliance) on the customer premises for packet inspection.
Usage: traffic inspection, policy enforcement, SSL/TLS interception

---------Customer Env-------------------------------
|                                                   |
|   user1 -----\                                    |
|                (dp1)DPOP(does packet inspection)(dp2)----Get REST API Token---> [Tenant UI]
|   user2 -----/                 (mp)                <------- REST API token ----
|                                admin              ---- upload Logs, Events---->
|---------------------------------------------------
        

Benefits of DPOP

1. Traffic inspection within the organization: Since nothing is sent to the cloud, it keeps sensitive or regulatory-compliant traffic within the organization's infrastructure and does inspection and enforcement there.
2. Reduced Latency: DPOP reduces latency by processing traffic locally, which is especially beneficial for applications that require real-time responses.
3. SSL Interception: DPoP can intercept and inspect encrypted traffic using customizable PKI options.
4. Hybrid Deployment: DPoP can be deployed alongside Netskope's cloud services, allowing organizations to choose where to process their traffic based on their specific needs.

How can requests reach DPOP?

- PAC file, proxy settings, or firewall rules to send traffic to the DPoP appliance
- The Netskope client cannot send traffic to the appliance
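
A PAC file that steers browser traffic to the appliance's inbound (dp1) interface, as an added example (not Netskope's or the original notes' code). The proxy host and port, the internal zone and the helper names are hypothetical placeholders.

```javascript
// PAC file sketch: steer browser traffic to the DPOP inbound (dp1) interface.
// DPOP_PROXY and INTERNAL_ZONE are placeholders, not values from a real deployment.
var DPOP_PROXY = "PROXY dpop-dp1.corp.example:8080"; // hypothetical dp1 host:port
var INTERNAL_ZONE = "corp.example";                  // hypothetical internal DNS zone
var LOOPBACK = ["localhost", "127.0.0.1"];

// Lower-case the host and drop one trailing root dot so "Wiki.Corp.Example."
// and "wiki.corp.example" are treated as the same name.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.length > 1 && h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// True only for the zone itself or a real subdomain of it. Matching on
// ".corp.example" (with the leading dot) keeps a lookalike such as
// "evilcorp.example" from riding the bypass and skipping inspection.
function inZone(host, zone) {
  var suffix = "." + zone;
  if (host === zone) return true;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

function isBypassed(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < LOOPBACK.length; i++) {
    if (h === LOOPBACK[i]) return true;
  }
  // Single-label intranet names ("intranet"); IPv6 literals contain ":" and
  // are not treated as single-label names.
  if (h.indexOf(".") === -1 && h.indexOf(":") === -1) return true;
  return inZone(h, INTERNAL_ZONE);
}

// Entry point the browser or OS calls for every request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the appliance is unreachable the request
  // fails rather than leaving the network uninspected (fail closed).
  return DPOP_PROXY;
}
```

Appending "; DIRECT" to the return value would make the PAC fail open instead, which trades inspection coverage for availability.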

DPOP Interfaces


                          |-----------|
                         inbound    outbound 
explicit proxy   ---->   dp1  DPOP  dp2 ----> proxy, DNS, SSH
SSH, AD Connector         |           |
                          |----mp-----|
                            Management
Inbound: 1 IP address
Outbound: 1 IP address
        

Custom Certs for SSL Inspection

The CSR is signed by an internal CA; at present it cannot be signed by an external CA.

Modes of Operation

Name                 | nsclient needed | Description
---------------------|-----------------|------------
Inline (Transparent) | No              | Traffic forwarded using (PAC file, WCCP, or routing rules). Supports layer 4 (non-HTTP) traffic inspection.
Explicit Proxy       | Yes             | Netskope Client (NSC) or browser/OS proxy settings to send traffic to DPoP. Best for remote users or branch offices.
Hybrid Mode          | -               | Combines inline and explicit proxy modes for flexible deployment.