Does anyone have experience dealing with Netskope ...
# rancher-desktop
n
Does anyone have experience dealing with Netskope and Rancher Desktop? We are recently migrating to Rancher from Docker Desktop. As we migrate folks over we have been finding that Netskope is causing problems due to the difference in the way Rancher Desktop works as compared to Docker Desktop. We've been adding individual exceptions to Netskope, but don't want to continue doing that. We're hoping to find an approach that doesn't require us to modify every app/system to include the Netskope cert. Has anyone dealt with this in a nice and hopefully easy way?
I see there's an open issue related to this from a few years ago: https://github.com/rancher-sandbox/rancher-desktop/issues/3346
f
The last comment on that issue says that upgrading to Rancher Desktop 1.15.1 fixed the issue for that person. I assume you are on a later version than that, ideally 1.20.0, but want to make sure.
Rancher Desktop is using a "host resolver"; that means the lookup for names happens on the host, not inside the VM. So if the names can be resolved on the host, they should work inside the VM as well (assuming there are no bugs), and this works with other VPN configurations. I have no idea what Netskope might be doing differently that breaks this.
n
Thanks for the reply, Jan. It looks like the individual that upgraded was on Windows. We are on macOS, and are updated to 1.20.0.
f
So do the names resolve on macOS, but not inside the VM? Can you curl or whatever them from the host, but not inside the guest?
n
We end up getting SSL/certificate errors for external requests coming from the containers. From the host is fine, because our IT/Security has put the Netskope cert on our local machines.
f
I wonder where those certificates have been installed. Rancher Desktop automatically imports root certificates from all known keychains:
❯ security list-keychains
    "/Users/jan/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"
And additionally from /System/Library/Keychains/SystemRootCertificates.keychain
For the docker daemon it also imports client certificates from your ~/.docker/certd.d directory.
So I'm curious if there is some additional location that needs to be imported into the VM. Please let me know what you find out!
You can also enable "Debug mode" (on the troubleshooting page) and restart Rancher Desktop. Then look at ~/Library/Logs/rancher-desktop/networking.log and see if your certificates get skipped for some reason. Maybe they are incorrectly treated as invalid/expired/untrusted? Don't forget to disable debug mode again; it just produces excess log data.