
SASE - Netskope - Proxy Chaining

Configure Netskope to forward Generative AI (GenAI) traffic to SurePath AI for governance.

Updated over 6 months ago

IMPORTANT INFORMATION: Making these changes will cause ALL users' public GenAI traffic to be redirected to SurePath AI. Users will be required to use SSO to authenticate before getting access to GenAI sites under SurePath AI governance. Please talk to your SurePath AI technical representative if you have any questions.

Overview

Using this method of redirection will force all GenAI traffic (defined by the Custom URL Category) to be sent through the Netskope proxy system. From there Netskope will send the traffic to the SurePath AI Proxy and then on to the final destination. All of the GenAI traffic is visible in the Netskope tools. Netskope and SurePath AI logs can be used for troubleshooting or analysis.

If you are doing a POC or Pilot, you can configure one of the CRITERIA in the Netskope Real-time Protection policy to redirect traffic for a subset of users, groups or other criteria. We recommend using a user group to do this for a select set of users, and removing the Source criteria for a production deployment. All redirected users will be required to authenticate before gaining access to any resources controlled by SurePath AI.

Download files and gather information from SurePath AI

Gather the Proxy Address

SurePath AI provides a proxy address to forward traffic to. This address will be used in your Netskope configuration and will be called the following later in the document: SurePath AI Proxy URL

SurePath AI creates and curates a list of GenAI sites on the global Internet. The vendor names and the risk levels associated with their use can be viewed and evaluated via the download link in the steps below.

Note: You will need to have access to the SurePath AI Admin site to download this file.

SurePath Security Certificate

To ensure that end users don't get security warnings when using public GenAI services, the SurePath AI certificate must be provided and trusted on each end device. Netskope will do this automatically when the certificate is included in the Proxy setup.


Login to the Netskope Admin Console

Log in to your home location for Netskope. The URL should be something like the following:

Create a URL List

Note: Please do not add additional URLs to the text file beyond what you download from SurePath AI. Contact your SurePath AI technical representative for guidance on adding additional sites.

  • Click Policies -> URL Lists -> New URL List

  • Enter a descriptive name. We will use the following in these examples: SurePathAI

  • Click in the URL & IP ADDRESS text field.

  • Open the SurePath AI Public Services Netskope Config that you previously downloaded and select all hosts/lines in the file.

    • The file name should be similar to the following: surepath-ai-public-services-netskope-year-month-day.txt

  • Paste the hosts/lines into the text field (they must be on separate lines).

  • Click the Save button.

  • The URL List name of SurePathAI should now be visible in the list under URL Lists.

Note: The number of services and the number of lines in the file do NOT match. The lines in the file will be a higher number. This is due to some GenAI sites requiring more than one host or line in the file to capture all the traffic.
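A pre-paste and post-paste check for the URL List, given here as an added example (not SurePath AI or Netskope code). It assumes the downloaded file holds one bare host per line and that the deployed text is copied back out of the URL & IP ADDRESS field; the function names and the example.* hosts are hypothetical.

```python
import re

# Assumed entry shape: a bare host, optionally with a leading "*." wildcard.
HOST_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize(text):
    """Return (line_number, entry) pairs for every non-blank line, lower-cased."""
    return [(n, raw.strip().lower())
            for n, raw in enumerate(text.splitlines(), 1) if raw.strip()]


def lint(text):
    """Flag lines that would not land in the URL List as one host per line."""
    problems, seen = [], set()
    for n, entry in normalize(text):
        if re.search(r"[\s,;]", entry):
            problems.append((n, entry, "several entries on one line"))
        elif "://" in entry:
            problems.append((n, entry, "scheme present"))
        elif not HOST_RE.match(entry):
            problems.append((n, entry, "not a bare host"))
        elif entry in seen:
            problems.append((n, entry, "duplicate"))
        seen.add(entry)
    return problems


def drift(vendor_text, deployed_text):
    """Compare the SurePath AI download with the entries pasted into Netskope."""
    vendor = {e for _, e in normalize(vendor_text)}
    deployed = {e for _, e in normalize(deployed_text)}
    return {"added_locally": sorted(deployed - vendor),  # entries the vendor file lacks
            "missing": sorted(vendor - deployed)}        # hosts that would bypass the policy


# Constructed sample data (example.* hosts are placeholders, not real entries).
VENDOR = "chat.genai.example\napi.genai.example\n*.assistant.example\n"
DEPLOYED = ("chat.genai.example\n"
            "api.genai.example *.assistant.example\n"   # paste error: two hosts, one line
            "intranet.corp.example\n")                  # entry added by hand

if __name__ == "__main__":
    for n, entry, why in lint(DEPLOYED):
        print(f"line {n}: {entry!r}: {why}")
    print(drift(VENDOR, DEPLOYED))
```

Any host reported under "missing" is not matched by the custom category, so traffic to it is not forwarded to the SurePath AI proxy.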

Create a URL Category

  • Click Policies -> Web -> Custom Categories -> New Custom Category

  • Enter a descriptive name. We will use the following in these examples: SurePathAI

  • Select the field URL List (Include)

  • Select the URL List you created in the previous step. (SurePathAI)

  • Click the Save button.

  • The URL Category name of SurePathAI should now be visible in the list under Custom Categories.

Add the SurePath AI Security Certificates

Follow the steps in the SurePath AI Security Certificate section

  • From Home, select Settings (This will open a new window)

  • Click Manage -> Certificates -> New Trusted CA

  • In File Name, enter a descriptive name. This will be displayed in the UI. We will use the following in these examples: SurePathAI

  • Click SELECT FILE and select and accept the .pem file you received from SurePath.

  • Click VALIDATE

  • Click SAVE

  • The certificate name of SurePathAI should now be visible in the list of Trusted CAs.

Create a Proxy

Note: If you were given specific instructions regarding the Host or Port number, please use them instead of the default options shown in this section.

  • From Home, select Settings if you are not still there.

  • Click Manage -> Forward to Proxy Integration -> Setup Proxy

  • Enter a descriptive name. We will use the following in these examples: SurePathAI

  • Set the Host to the value of SurePath AI Proxy URL (from admin.surepath.ai)

  • Set the Port to: 8080

  • Save or perform the optional configuration below if required for your deployment.

(Optional) X-Authenticated-User

Netskope supports a header for the proxy connection that passes the end user's username to SurePath AI. This is required for SurePath AI Discovery, but is also optionally used by non-Discovery organizations to replace authentication requirements when visiting public services governed by SurePath AI. The use of the X-Authenticated-User header effectively makes SurePath AI fully transparent to the end user when using public GenAI services.

  • Under OPTIONS select X-Authenticated-User

  • Save the settings

Setup Forwarding to the Proxy

POC, POV, Limited Deployments: If you are doing a limited deployment in your organization, please contact your SurePath AI technical representative before proceeding. The changes below will redirect traffic for ALL users.

  • From Home, click Policies -> Real-time Protection -> New Policy -> Web Access

  • Enter a descriptive name. We will use the following in these examples: SurePathAI

  • If you are doing a Pilot or POC set the Source to specific test users or groups of users.

  • Set Destination -> Category to the URL category you created earlier (SurePathAI). You can start typing surepath to find it more quickly.

  • Set Profile & Action -> Action to Forward to Proxy

  • Set Profile & Action -> Proxy to SurePathAI

  • Click SAVE

  • The Policy of SurePathAI should now be visible in the list.

  • Adjust the Policy order to ensure that the rule you are creating is applied to your users in an appropriate order for your organization. This rule should be before all other AI-based rules.

Apply Changes

  • Click the Apply Changes button, which appears on most screens.
