Configure Public Web Application Access with Remote Browser Isolation

Learn how to configure secure, isolated access to public web applications (SaaS apps) for unmanaged users through Remote Browser Isolation.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Prisma Access version: 6.1 Preferred
  • Minimum PAN-OS dataplane version: 11.2.7
  • Prisma Access license with a Mobile User subscription
  • Remote Browser Isolation (RBI) license for data controls for SaaS applications
  • Cloud Identity Engine (CIE) for user authentication
  • Network Administrator or Superuser role
This procedure guides you through setting up public web applications (SaaS apps) with Remote Browser Isolation for agentless access within your Strata Cloud Manager environment. You will integrate with the Cloud Identity Engine, define portal settings, create access policies, configure the public web application, and set up URL Access Management to ensure isolation. If you already configured the portal, skip ahead to Step 4.
  1. Go to the Secure Agentless Access (SAA) Applications page.
    • For Prisma Access (Managed by Strata Cloud Manager):
      1. Log in to Strata Cloud Manager as the administrator.
      2. Select Configuration > Secure Agentless Access > Applications.
    • For Prisma Access (Managed by Panorama):
      1. Launch Secure Agentless Access from the Cloud Services plugin on Panorama by selecting Panorama > Cloud Services > Secure Agentless Access.
      2. Click Get Started.
      3. Select Configuration > Secure Agentless Access > Applications.
  2. Select Configuration > Secure Agentless Access.
  3. Ensure Cloud Identity Engine (CIE) is configured for authentication. CIE is mandatory for user authentication, securing access to your public web applications through a centralized identity provider. This step links Secure Agentless Access to your organization's identity management system.
    1. On the Overview tab, verify that CIE is set up for authentication.
    2. To change the Cloud Identity Engine settings, select the gear icon to access the SAA settings.
    3. Select the CIE Directory from which to retrieve the user-group mapping.
    4. Select the corresponding CIE Authentication Profile, which is the SAML authentication profile that validates the login credentials of end users who access Secure Agentless Access.
    5. Save your settings.
  4. Configure the SAA Portal Settings. These settings customize the end-user portal, which serves as the central hub for users to authenticate and launch assigned applications.
    1. Select the Portal tab.
    2. Select the gear icon to edit the SAA portal settings.
    3. Enter a descriptive Portal Tab Name.
    4. Define a Portal URL.
    5. Configure Inactivity Timeout, Max Session Duration, and branding options, such as a Portal Logo.
    6. Save your portal settings.
    Session Timeouts
    Timeout | Duration | Behavior
    Idle Timeout | 30 minutes | If no user activity occurs for 30 minutes, the session times out and is cleaned up. An alert is generated. The user must re-authenticate to start a new session.
    Authentication Token Expiration | 3 hours | The authentication token expires after 3 hours. An alert is generated. Re-authentication is required for new application access.
    Remote Browser Isolation maintains its own session tokens independently. Even if the SAA authentication token expires, active RBI sessions continue to serve traffic until a new user action requires SAA interaction.
  5. Define a new public web application.
    1. Select the Applications tab.
    2. Add Application.
    3. Select SaaS Application.
    4. Enter an Application Name (for example, "Salesforce").
    5. (Optional) Enter an Application Description.
    6. Associate the application with an existing Application Group, or create a new one.
      The App Isolation Policy is enabled by default for public web applications and cannot be disabled. You must configure the application URL (for example, https://org123.salesforce.com) under URL Access Management to enforce isolation.
    7. Enter the Application URL (for example, https://org123.salesforce.com). Only HTTPS-based applications are supported.
      Web apps with wildcard destination domains (for example, *.example.com) are not supported at this time.
    8. Configure DNS settings for the DNS resolution of your public web application.
      • For Prisma Access (Managed by Strata Cloud Manager):
        Select DNS Setup to configure client DNS settings directly within the application configuration.
        1. Select the Client DNS region to adjust and customize the DNS settings for that region (or use the Worldwide default).
        2. Select Resolve internal domains and Add one or more Internal Domain Resolve Rules.
        3. Enter a unique Name for the rule.
        4. Select Custom for Primary DNS and Secondary DNS and specify the IP addresses for your custom internal DNS server.
        5. Click + to enter the specific domains you want to resolve in the Domain Lists (for example, *.salesforce.com). You can specify a maximum of 1,024 domain entries.
        6. Save your changes.
      • For Prisma Access (Managed by Panorama):
        The DNS Setup option is disabled for Panorama-managed deployments. You must configure client DNS settings directly in Panorama by following the procedure in DNS Resolution for Mobile Users—Explicit Proxy Deployments.
        You must also enable the DNS proxy under Mobile User Infrastructure Settings. DNS proxy is a mandatory configuration for public web applications.
    9. Configure the certificate for the application. This certificate secures the connection between the unmanaged device and the SAA cluster (first leg).
      • Let us manage the certificate for you (PANW Managed Certificate):
        Palo Alto Networks generates and manages a certificate signed by Let's Encrypt for the access domain. When you select this option, the access domain is formed by appending a primary domain to your application URL (for example, org123-salesforce-com.pd-<unique-id>.panwsaa.com). This is the URL end users use to access the application through the portal.
      • Bring your own certificate:
        Go to certificate management to import the certificate and select an existing certificate. Use this option if your organization manages its own certificates for the public web application domain.
      The managed certificate option does not require you to create DNS records. Palo Alto Networks creates and manages the required CNAME records automatically. If you bring your own certificate, you must create the CNAME mapping on your public DNS server.
      How the access domain works: When you select the managed certificate option, the system takes your application URL (for example, org123.salesforce.com), appends it with the tenant's primary domain (for example, pd-<hash-of-tsg-id>.panwsaa.com), and the resulting access domain becomes org123.salesforce.com.pd-<unique-id>.panwsaa.com.
      This is the URL that end users see when accessing the application from the Secure Agentless Access portal. The certificate is used only on the first leg (between the unmanaged device and the SAA cluster). For the second leg (between the SAA cluster and the origin SaaS application), the SAA cluster trusts the certificate presented by the public SaaS application using its built-in CA bundle.
    10. Perform all the following configurations from the App Isolation Policy. The links in the App Isolation Policy navigate you to the corresponding configuration pages where you can complete each required task.
      1. Set up the RBI infrastructure in Strata Cloud Manager to establish the cloud environment for browser isolation.
      2. (Optional) Create a custom isolation profile to define the user experience and security restrictions for isolated browser sessions. You will associate this profile with the URL Access Management profile in a later step.
      3. Create a Custom URL Category and add the domains or IP addresses of the applications that you want to isolate.
      4. Create a URL Access Management profile, add the Custom URL Category created in the previous step, set its action to Isolate, and associate the custom isolation profile created in Step 2 (or use the default isolation profile).
      5. Create or update a Security Profile Group and add the URL Access Management profile created in the previous step.
      6. Create a Security policy rule for the required traffic and attach the Security Profile Group created in the previous step.
      7. Configure an SSL/TLS decryption policy that includes the Custom URL Category created in Step 3 to enable traffic inspection and browser isolation.
    11. Save the app configuration.
  6. (Optional) Set up application groups to help manage which users can access which groups of apps.
  7. Configure SAA policies to control access to public web applications by assigning users, user groups, or application groups.
    1. On the Portal tab, edit existing SAA policies or Add a policy.
    2. Enter a unique Name for the policy.
    3. Select specific Users and User Groups.
    4. Assign the Applications and Application Groups that include your public web application.
    5. Select a SAA Profile. If you don't specify a SAA Profile, the Default SAA Profile is used.
    6. Save your SAA policy settings.

Access Public Web Applications

This procedure outlines how unmanaged users can access public web applications after you configure public web application access.
  1. Access the configured Portal URL in your web browser, or directly enter the public web application URL.
    If you access the application URL directly, the system prompts for authentication if you are not already logged in.
  2. Authenticate using Cloud Identity Engine.
  3. From the landing page, select the desired public web application from the Web Apps tab.
    The application opens in an isolated browser session. You can identify isolated sessions by the Palo Alto Networks icon and the isolation banner displayed in the browser.
Navigating embedded links while isolated:
For example, if org123.salesforce.com and org123.oracle.com are both configured for isolation, a user browsing Salesforce who clicks a link to Oracle remains isolated in both cases. However, a link to an unconfigured domain (such as adobe.com) is blocked.
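The following helper is an added illustration, not Palo Alto Networks code, that models two rules stated on this page: the Application URL constraints from the "Define a new public web application" step (HTTPS only, no wildcard destination domains) and the embedded-link behavior above (a link stays isolated only when its destination is itself a configured isolated application; anything else is blocked). Exact host matching against the configured application hosts is an assumption; the page does not spell out the matching rule.

```python
"""Constructed model of two Secure Agentless Access rules described on this page.
Not Palo Alto Networks code; exact-host matching for links is an assumption."""
from urllib.parse import urlsplit

# Constructed sample: hosts of the public web applications configured for isolation.
ISOLATED_HOSTS = {"org123.salesforce.com", "org123.oracle.com"}


def validate_app_url(url: str) -> list[str]:
    """Return the reasons a URL is not an acceptable Application URL.

    An empty list means the URL satisfies the constraints the page states:
    HTTPS scheme and no wildcard destination domain (e.g. *.example.com).
    """
    problems: list[str] = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        problems.append("only HTTPS-based applications are supported")
    if not parts.netloc:
        problems.append("URL has no host")
    if "*" in parts.netloc:
        problems.append("wildcard destination domains are not supported")
    return problems


def link_disposition(link: str, isolated_hosts: set[str] = ISOLATED_HOSTS) -> str:
    """Classify a link clicked inside an isolated session.

    Returns "isolated" when the destination host is a configured isolated
    application, otherwise "blocked" (the behavior described for adobe.com).
    """
    host = (urlsplit(link).hostname or "").lower().rstrip(".")
    return "isolated" if host in isolated_hosts else "blocked"


if __name__ == "__main__":
    for candidate in ("https://org123.salesforce.com", "http://org123.salesforce.com",
                      "https://*.example.com"):
        print(candidate, "->", validate_app_url(candidate) or "OK")
    for link in ("https://org123.oracle.com/apex", "https://adobe.com/"):
        print(link, "->", link_disposition(link))
```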