>
    Explicit Proxy and GlobalProtect: Set It Up
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Mobile Users
    4. Mobile Users: Explicit Proxy
    5. Use Explicit Proxy with GlobalProtect (or a Third-Party VPN)
    6. Explicit Proxy and GlobalProtect: Set It Up
    Download PDF
    Prisma Access

    Explicit Proxy and GlobalProtect: Set It Up

    Table of Contents

    Explicit Proxy and GlobalProtect: Set It Up

    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access
       license
    For your mobile users to connect securely, you can combine an explicit proxy with GlobalProtect or a third-party VPN.
    • Explicit Proxy and GlobalProtect
      • Use GlobalProtect in split tunnel mode to provide secure access to private apps only.
      • Use explicit proxy to secure public apps, including internet traffic and external SaaS applications.
    • Explicit Proxy and third-party VPN
      • Use a VPN client for access to data center and private applications and to secure access to private apps.
      • Use an explicit proxy and a PAC file to secure access to public apps.
    Before you decide which applications or traffic you should protect with an explicit proxy and with either GlobalProtect or a third-party VPN, you should understand how GlobalProtect and
    Prisma Access
     make their forwarding decisions based on the explicit proxy and VPN configuration.
    When a mobile user requests a private or internet-based resource or app, the request is sent to the explicit proxy PAC file that is installed on the endpoint.
    • Traffic that is specified in the PAC file as return "DIRECT"; bypasses explicit proxy processing. The DNS resolve (host) used with return "DIRECT"; allows specified IP pass explicit proxy processing.
    • Traffic that is specified in the PAC file as return "PROXY sitename:8080"; is forwarded to an explicit proxy.
    After the traffic is processed, it's then sent to GlobalProtect, direct to the internet, or to explicit proxy, based on the PAC file and VPN processing.
    The PAC file has the configuration to allow "internal-app.corp.com" to bypass explicit proxy. When the mobile user requests "internal-app.corp.com" from their browser, the browser evaluates the conditions in the PAC file. GlobalProtect notes that "internal-app.corp.com" is listed in the Include Domain and sends it through the VPN tunnel. GlobalProtect sends the request to the resource in "internal-app.corp.com" based on the configuration options in GlobalProtect.

    Cloud Management

    To implement GlobalProtect—Mobile Users with Explicit Proxy, complete the following steps.
    These configuration steps make the following assumptions about your network environment; if your network environment is different, the configuration might be different:
    • Mobile users are able to reach and resolve the GlobalProtect portal hostname, gateway FQDNs, Explicit Proxy URL, and PAC File URL.
      Here’s where to find this information:
      • GlobalProtect Gateway FQDNs
         and
        Portal Hostname
        ➡ Go to
        Manage
        Service Setup
        GlobalProtect
        Infrastructure Settings
        If you're using Strata Cloud Manager, go to
        Workflows
        Prisma Access
         Setup
        GlobalProtect
        Infrastructure
         and edit
        Infrastructure Settings
        .
      • Explicit Proxy URL
         and
        PAC File URL
        ➡ Go to
        Manage
        Service Setup
        Explicit Proxy
        Infrastructure Settings
        If you're using Strata Cloud Manager, go to
        Workflows
        Prisma Access
         Setup
        Explicit Proxy
        Infrastructure
         and edit
        Infrastructure Settings
        .
    • Mobile Users are able to resolve internal domains from GlobalProtect.
    1. Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy.
      The following steps direct private applications hosted at your data center to GlobalProtect and requests to internet and public SaaS applications to Explicit Proxy.
    2. Edit GlobalProtect portal settings.
      Go to
      GlobalProtect
      App Settings
      App Configuration
      Advanced Settings
      1. In
        Proxy
         settings:
        • Check
          Detect Proxy for Each Connection
        • Clear
          Set Up Tunnel Over Proxy (Windows & Mac Only)
      2. In
        Authentication
         settings:
        • Check
          Use Default Browser for SAML Authentication
    3. Create a split tunnel in GlobalProtect that allows you to direct the internal traffic to GlobalProtect.
      Go to
      GlobalProtect
      Tunnel Settings
      Split Tunneling
      . Configure a split tunnel based on domain (FQDN), access routes, or applications.
    4. Configure the PAC file to exclude the domains you specified for the GlobalProtect split tunnel.
      To download the PAC file so you can edit it, go to
      Manage
      Service Setup
      Explicit Proxy
      Infrastructure Settings
      Proxy Auto Configuration.
      If you're using Strata Cloud Manager, go to
      Workflows
      Prisma Access
       Setup
      Explicit Proxy
      Infrastructure
      Infrastructure Settings
      Proxy Auto Configuration.
      .
      The following example shows a PAC file with the URL that hosts private apps (internal-app.corp.com) bypassing the internal proxy. The parameters in the following PAC file are all example values:
      • The portal hostname is
        splittunnel.gpcloudservice.com
        .
      • The mobile user gateways are contained in the wildcard FQDN
        *examplegateways.gw.gpcloudservice.com
        .
      • The PAC File URL is
        https://pacfileurl.pac
        .
      • internal-app.corp.com
         is hosting the private apps that are being protected by Mobile Users—GlobalProtect.
      • Okta is being used for SAML authentication.
      • The Explicit Proxy URL is
        example.proxy.prismaacess.com
        . 
      function FindProxyForURL(url, host) {
						/* Bypass FTP */
						if (url.substring(0,4) == "ftp:")
						return "DIRECT";
						/* Bypass the 
      Prisma Access
       Portal Hostname */
						if (shExpMatch(host, "*.splittunnel.gpcloudservice.com"))
						return "DIRECT";
						/* Bypass the 
      Prisma Access
       Gateway */
						if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com"))
						return "DIRECT";
						/* Bypass the 
      Prisma Access
       PAC File URL */
						if (shExpMatch(host, "https://pacfileurl.pac"))
						return "DIRECT";
						/* Bypass the URLs Being Sent to the GlobalProtect Portal */
						if (shExpMatch(host, "*.internal-app.corp.com"))
						return "DIRECT";
						/* Bypass ACS */
						if (shExpMatch(host, "*.acs.prismaaccess.com"))
						return "DIRECT";
						/* Forward to 
      Prisma Access
       */
						return "PROXY example.proxy.prismaaccess.com:8080";
						}

    Panorama

    Use this task to use
    Prisma Access
     Explicit Proxy with GlobalProtect .
    To implement GlobalProtect—Mobile Users with Explicit Proxy, complete the following steps.
    These configuration steps make the following assumptions about your network environment; if your network environment is different, the configuration might be different:
    • Mobile users are able to reach and resolve the GlobalProtect portal hostname, gateway FQDNs, Explicit Proxy URL, and PAC File URL.
      • To find the gateway FQDNs, select
        Panorama
        Cloud Services
        Status
        Network Details
        Mobile Users—GlobalProtect
        Gateways
        .
      • To find the
        PAC File URL
        , select
        Panorama
        Cloud Services
        Configuration
        Mobile Users—Explicit Proxy
        PAC File URL
        .
    • Mobile Users are able to resolve internal domains from GlobalProtect.
    1. Plan your Mobile Users—Explicit Proxy deployment and your GlobalProtect deployment (either your Mobile Users—GlobalProtect or standalone GlobalProtect deployment).
    2. Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy.
      The following steps direct private applications hosted at your data center to GlobalProtect and requests to internet and public SaaS applications to Explicit Proxy.
    3. In the Panorama that manages
      Prisma Access
      , configure GlobalProtect portal settings.
      1. Select
        Network
        GlobalProtect
        Portals
        .
        Be sure that you are in the
        Mobile_User_Template
         from the
        Template
         drop-down.
      2. Select
        GlobalProtect_Portal
         to edit the
        Prisma Access
         portal configuration.
      3. Select the
        Agent
         tab and select the
        DEFAULT
         configuration or
        Add
         a new one.
      4. Select the
        App
         tab.
      5. Make the following app configuration changes:
        • In
          Detect Proxy for Each Connection
          , select
          Yes
          .
        • In
          Set Up Tunnel Over Proxy (Windows & Mac Only)
          , select
          No
          .
        • In
          Use Default Browser for SAML Authentication
          , select
          Yes
          .
    4. Create a split tunnel in GlobalProtect that allows you to direct the internal traffic to GlobalProtect.
      The following example uses a split tunnel to direct traffic based on domain (FQDN); you could also configure a split tunnel based on the access route of traffic.
      1. While you are still in the GlobalProtect Agent configuration (
        Network
        GlobalProtect
        Gateways
        GlobalProtect External Gateway
        ), select
        Agent
        Client Settings
        .
      2. Select the
        DEFAULT
         configuration or
        Add
         a new one.
      3. Select
        Split Tunnel
        Domain and Application
        .
      4. Add
         the
        Include Domain
         and, optionally, the
        Ports
         to use with the domain.
        This example uses internal-app.corp.com as the URL you use to host apps in your data center. You add this URL and the SAML authentication URL in the
        Exclude Domain
        .
      5. Click
        OK
         to save your changes.
      6. Commit and Push
         your changes.
    5. Configure the PAC file to exclude the domains you entered for split tunnel.
      The following example shows a PAC file with the URL that hosts private apps (internal-app.corp.com) bypassing the internal proxy. The parameters in the following PAC file are all example values:
      • The portal hostname is
        splittunnel.gpcloudservice.com
        .
      • The mobile user gateways (
        Panorama
        Cloud Services
        Status
        Network Details
        Mobile Users—GlobalProtect
        Gateways
        ) are contained in the wildcard FQDN
        *examplegateways.gw.gpcloudservice.com
        .
      • The
        PAC File URL
         (
        Panorama
        Cloud Services
        Configuration
        Mobile Users—Explicit Proxy
        PAC File URL
        ) is
        https://pacfileurl.pac
        .
      • internal-app.corp.com
         is hosting the private apps that are being protected by Mobile Users—GlobalProtect.
      • Okta is being used for SAML authentication.
      • The Explict Proxy URL is
        example.proxy.prismaacess.com
        .
      function FindProxyForURL(url, host) { 
      /* Bypass FTP */ 
    if (url.substring(0,4) == "ftp:") 
        return "DIRECT"; 
      /* Bypass the 
      Prisma Access
       Portal Hostname */ 
    if (shExpMatch(host, "*.splittunnel.gpcloudservice.com")) 
        return "DIRECT"; 
  /* Bypass the 
      Prisma Access
       Gateway */
    if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com")) 
        return "DIRECT"; 
  /* Bypass the 
      Prisma Access
       PAC File URL */
    if (shExpMatch(host, "https://pacfileurl.pac"))
        return "DIRECT";  
      /* Bypass the URLs Being Sent to the GlobalProtect Portal */ 
    if (shExpMatch(host, "*.internal-app.corp.com")) 
        return "DIRECT"; 
        /* Bypass ACS */ 
    if (shExpMatch(host, "*.acs.prismaaccess.com")) 
        return "DIRECT"; 
    /* Forward to 
      Prisma Access
       */ 
    return "PROXY example.proxy.prismaaccess.com:8080";
}

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.