SOCKS5 Proxy with Basic Authentication for Explicit Proxy

SOCKS5 proxy with Basic Authentication for Explicit Proxy secures legacy application traffic through Prisma Access in no-default-route environments.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
  • Prisma Access 6.2 or later
  • PAN-OS 11.2.7 or later

If you'd like to use this feature in your Prisma Access environment, get in touch with your account team to learn more.

Prisma® Access now natively supports SOCKS5 proxy on port 1080, enabling organizations to extend cloud-delivered security to non-web TCP traffic from endpoints or servers where an endpoint agent can't be installed and that connect from a no-default-route network branch. With SOCKS5 proxy support, customers can consolidate their proxy infrastructure under a single cloud-managed security stack. A remote network explicit proxy deployment is required for endpoints to establish connections to the SOCKS5 proxy. SOCKS5 proxy supports Basic Authentication, and Skip Authentication based on the Trusted Source IP address list.
Basic Authentication for SOCKS proxy is supported over LDAP or LDAPS, including Active Directory and OpenLDAP. Security policies defined under the explicit proxy security policy scope are enforced on SOCKS5 traffic in addition to standard explicit proxy traffic. This feature is available for Strata Cloud Manager-managed deployments.

Onboard Locations and Enable Explicit Proxy for Remote Networks

  1. Onboard your explicit proxy locations

Configure the LDAP Server Profile

  1. Go to Configuration > NGFW and Prisma Access and set Configuration Scope to Explicit Proxy.
  2. Go to Identity Services > Authentication > Server Profiles > LDAP Server Profiles and select Add.
  3. For Name, enter a name for the LDAP Server Profile.
  4. For Type, choose the directory type.
    Choose active-directory for Microsoft Active Directory or other for OpenLDAP.
  5. For Base DN, enter the base distinguished name for your directory (for example, dc=example,dc=com).
  6. For Bind DN, enter the distinguished name of the service account (for example, cn=admin,dc=example,dc=com).
  7. For Bind Password and Confirm Bind Password, enter the service account password.
  8. For Bind Timeout (sec), enter the number of seconds to wait for the bind operation (default: 30).
  9. Under LDAP Server, select Add and enter the Name, Server (FQDN or IP address), and Port (389 for LDAP, 636 for LDAPS) for each LDAP server.
  10. For Search Timeout (sec), enter the number of seconds to wait for a search response (default: 15).
  11. Enable Require SSL/TLS secured connection.
    (Optional) Enable Verify server certificate to validate the LDAP server certificate against the trusted CA store, then select OK.

Configure Basic Authentication and SOCKS Proxy

  1. Go to Configuration > NGFW and Prisma Access and set Configuration Scope to Prisma Access > Remote Networks.
  2. Go to Setup > Advanced Settings.
  3. Under Proxy Mode for Remote Networks, select the settings icon.
  4. Under User Authentications, select Add Authentication.
  5. For Authentication Method, choose Basic.
  6. For Profile(s), choose the LDAP Server Profile you created, then Save.
  7. Under SOCKS Proxy, select the settings icon and enable SOCKS Proxy.
  8. For FQDN, enter the explicit proxy FQDN.
    This value is auto-populated from your explicit proxy configuration.
  9. For Port, enter 1080.
  10. Enable Authentication.
    If you disable authentication, add the source IP addresses of the SOCKS clients to the Trusted Source Address configuration to allow unauthenticated SOCKS5 connections.
  11. Under Advanced Settings, for Maximum Time to Wait on an Outbound CONNECT, enter the timeout value in seconds (default: 5), then Save.
  12. Push Config and verify the commit scope includes both Explicit Proxy and Remote Networks, then confirm and push.
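
To check after the push that the proxy on port 1080 demands credentials from clients outside the Trusted Source Address list, the following Python example (added here, not part of the Prisma Access documentation) builds the SOCKS5 method negotiation from RFC 1928 and the username/password sub-negotiation from RFC 1929 and evaluates the method the proxy selects. It assumes that Basic Authentication corresponds to the RFC 1929 username/password method (0x02); all function names are hypothetical.

```python
import socket

NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF  # RFC 1928 method codes

def build_greeting(methods=(NO_AUTH, USER_PASS)) -> bytes:
    """Client greeting: VER=5, NMETHODS, then one byte per offered method."""
    return bytes([0x05, len(methods), *methods])

def parse_method_selection(reply: bytes) -> int:
    """Server reply is exactly two bytes: VER=5 and the chosen METHOD."""
    if len(reply) != 2 or reply[0] != 0x05:
        raise ValueError(f"not a SOCKS5 method selection: {reply!r}")
    return reply[1]

def build_userpass(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD.
    Both fields are length-prefixed plain bytes, not hashed or encrypted."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1-255 bytes each")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def auth_succeeded(reply: bytes) -> bool:
    """RFC 1929 status reply: VER=1, STATUS (0x00 means success)."""
    if len(reply) != 2 or reply[0] != 0x01:
        raise ValueError(f"not an RFC 1929 status reply: {reply!r}")
    return reply[1] == 0x00

def check_selection(selected: int, source_is_trusted: bool) -> str:
    """Compare the selected method with what the configuration should yield."""
    if selected == USER_PASS:
        return "ok: proxy requires username/password"
    if selected == NO_AUTH:
        return ("ok: unauthenticated access from trusted source" if source_is_trusted
                else "FAIL: unauthenticated access from untrusted source")
    if selected == NO_ACCEPTABLE:
        return "proxy rejected all offered methods"
    return f"unexpected method 0x{selected:02x}"

def probe(host: str, port: int = 1080, timeout: float = 5.0) -> int:
    """Offer both methods and return the one the proxy selects."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_greeting())
        reply = b""
        while len(reply) < 2:
            chunk = s.recv(2 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_method_selection(reply)
```

Call probe() with your explicit proxy FQDN from a client on the remote network and pass the result to check_selection(). RFC 1929 carries the username and password unencrypted, so account for that on the path between client and proxy.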