Explicit Proxy and GlobalProtect: How It Works

See some examples of using GlobalProtect with Explicit Proxy in a mobile users deployment.
Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Prisma Access license
Before you decide which applications or traffic you should protect with Explicit Proxy and which you should protect with either GlobalProtect or a third-party VPN, you should understand how GlobalProtect and Prisma Access make their forwarding decisions based on the Explicit Proxy and VPN configuration. The examples in this section assume that you have already deployed Explicit Proxy and GlobalProtect in your organization’s network and have configured the GlobalProtect split tunnel options. The following figure shows the process.
When a mobile user requests a private or internet-based resource or app, the request is first evaluated against the Explicit Proxy PAC file on the endpoint.
  • A return "DIRECT"; statement in the PAC file causes the traffic matched by the surrounding expression to bypass Explicit Proxy processing. Explicit Proxy provides you with a sample PAC file that uses return "DIRECT"; with IP addresses and URLs. See Set Up Your Explicit Proxy PAC File for the contents of the PAC file and a description of how to use it.
  • A dnsResolve(host) call in the PAC file forces the endpoint to make a DNS query to resolve a hostname to an IP address. This query then follows the VPN policy (for example, split tunnel or split DNS) for forwarding the DNS request to the destination DNS server. The PAC file provided with Explicit Proxy uses dnsResolve(host), return "DIRECT";, and private IP addresses together in one expression. If, after the DNS lookup, the returned IP address falls within the private IP addresses in the expression, the traffic associated with that private IP address bypasses Explicit Proxy processing.
  • Traffic that the PAC file matches with return "PROXY sitename:8080"; is forwarded to Explicit Proxy.
After the web request has been evaluated against the conditions in the PAC file, it is sent to the GlobalProtect or third-party VPN configuration on the endpoint for processing, and the GlobalProtect app evaluates the traffic against its split tunnel configuration options. You can split traffic based on domain (URL), application, or subnet. If you have configured split DNS options in GlobalProtect, traffic is also evaluated based on those DNS options.
After this processing, the traffic is sent through GlobalProtect, direct to the internet, or to Explicit Proxy, depending on the outcome of the PAC file and VPN evaluation.
The following figure shows a mobile user attempting to access a private resource using the URL internal-app.corp.com.
  • The PAC file has the following configuration to allow internal-app.corp.com to bypass Explicit Proxy:
    /* Bypass internal URL */ if (shExpMatch(host, "*internal-app.corp.com")) return "DIRECT";
  • When the mobile user requests internal-app.corp.com from their browser, the browser evaluates the conditions in the PAC file. Based on that evaluation, the browser does not forward the request to the proxy; the request goes to the GlobalProtect app instead.
  • GlobalProtect notes that internal-app.corp.com is listed in the Include Domain list and sends it through the VPN tunnel.
  • GlobalProtect sends the request to the resource at internal-app.corp.com based on the configuration options in GlobalProtect.
You might want to configure some resources, such as login resources, so that they use neither Explicit Proxy nor the GlobalProtect or third-party VPN for processing. The following figure shows a user logging in to Microsoft Online by entering login.microsoftonline.com in their browser.
  • The PAC file has the following configuration to allow login.microsoftonline.com to bypass Explicit Proxy:
    /* Bypass internal URL */ if (shExpMatch(host, "login.microsoftonline.com")) return "DIRECT";
  • When the mobile user requests login.microsoftonline.com from their browser, the browser evaluates the request against the PAC file on the mobile user’s endpoint and then sends it to the VPN client (GlobalProtect in this case) for processing.
  • The GlobalProtect app notes that login.microsoftonline.com is listed in the Exclude Domain list.
  • GlobalProtect bypasses the VPN and sends the request direct to the internet, based on the configuration options in GlobalProtect.
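The following is an added example; it is not code from the Prisma Access documentation or from the sample PAC file that ships with Explicit Proxy. It puts the three PAC rules described above (a return "DIRECT"; bypass, dnsResolve(host) combined with private IP ranges, and return "PROXY sitename:8080";) into one FindProxyForURL function, and then models the two scenarios above: internal-app.corp.com is passed to the VPN client and tunneled because of an Include Domain entry, while login.microsoftonline.com is passed to the VPN client and sent direct to the internet because of an Exclude Domain entry. Because Node.js does not provide the helper functions a browser's PAC engine supplies, the example includes stand-ins for dnsResolve, shExpMatch and isInNet. The proxy hostname sitename.proxy.example, the DNS answers, the private ranges and the GlobalProtect Include/Exclude Domain lists are all constructed for the example, and the GlobalProtect stage is a deliberate simplification that models only domain lists, not application or subnet rules.

```javascript
// Added example (not from the Prisma Access documentation). Runs under Node.js.
// PLACEHOLDER: replace with the hostname of your Explicit Proxy.
const PROXY_HOST = "sitename.proxy.example";

// Constructed DNS answers standing in for the endpoint resolver. In a real
// deployment the lookup is forwarded according to the GlobalProtect split-DNS
// and tunnel policy; here it is a static table.
const FAKE_DNS = {
  "internal-app.corp.com": "10.20.30.40",
  "intranet.example.net": "192.168.1.10",
  "login.microsoftonline.com": "20.190.160.5",
  "www.example.com": "93.184.216.34",
};

// --- stand-ins for the helpers a browser's PAC engine provides ---
function dnsResolve(host) {
  return FAKE_DNS[host] || null; // null models a failed lookup
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' one character.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(ip, net, mask) {
  if (!ip) return false; // unresolved host never matches a private range
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// --- the PAC logic: three rules in the order the page describes them ---
function FindProxyForURL(url, host) {
  /* Bypass internal URL */
  if (shExpMatch(host, "*internal-app.corp.com")) return "DIRECT";

  /* Bypass the identity provider login endpoint */
  if (shExpMatch(host, "login.microsoftonline.com")) return "DIRECT";

  /* Resolve the host and bypass the proxy for RFC 1918 destinations */
  const ip = dnsResolve(host);
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  /* Everything else is forwarded to Explicit Proxy */
  return "PROXY " + PROXY_HOST + ":8080";
}

// --- simplified model of the GlobalProtect split-tunnel decision ---
// Constructed for this example: only Include Domain and Exclude Domain lists
// are modelled, and a host matching neither list is assumed to go direct.
const GP_CONFIG = {
  includeDomains: ["*.corp.com"],
  excludeDomains: ["login.microsoftonline.com"],
};

function globalProtectDecision(host, cfg) {
  if (cfg.excludeDomains.some((p) => shExpMatch(host, p))) return "INTERNET";
  if (cfg.includeDomains.some((p) => shExpMatch(host, p))) return "TUNNEL";
  return "INTERNET"; // assumption: unmatched traffic is not tunneled
}

// End-to-end path of one request: PAC decision first, then the VPN client.
function routeRequest(url, host, cfg = GP_CONFIG) {
  const pac = FindProxyForURL(url, host);
  if (pac !== "DIRECT") return "EXPLICIT_PROXY";
  return globalProtectDecision(host, cfg);
}

// Walk through the page's two scenarios plus two more hosts.
for (const host of Object.keys(FAKE_DNS).concat(["unknown.example.org"])) {
  const url = "https://" + host + "/";
  console.log(host.padEnd(28), FindProxyForURL(url, host).padEnd(36),
              "->", routeRequest(url, host));
}
```

Running the file with node prints, per host, the PAC verdict and where the request ends up. The unresolved host is worth noting: because dnsResolve returns null, no private range matches and the request falls through to the proxy, which is the safe default for a PAC file of this shape.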