Integrate Third-Party Enterprise Browser with Explicit Proxy
Learn how to integrate a third-party browser with Prisma Access Explicit Proxy.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.2.1 license
End users who use the Prisma Access browser can access both SaaS and private web applications using a secure, authenticated, and encrypted channel. Prisma Access ensures that a user is authenticated and authorized before they get access to any application.
Prisma Access extends this support to third-party enterprise browsers, allowing Explicit Proxy users to securely authenticate and be authorized to access private and SaaS applications using the same security, encryption, and authentication methods.
Prerequisites and Known Limitations
  • Configure Explicit Proxy.
  • Disable GlobalProtect if it's enabled.
  • You can use Prisma Access Browser with a third-party browser; however, you can't use multiple third-party browsers at the same time.
  • Any advanced settings configured for existing Explicit Proxy customers are applied to all traffic from third-party browsers to Explicit Proxy, for both public and private app access.
Configure a Third-Party Enterprise Browser
To integrate a third-party enterprise browser with Prisma Access, allowing users to securely access applications from that browser, complete the following steps:
  1. Enable third-party enterprise browser integration with Prisma Access.
    1. Log in to Strata Cloud Manager.
    2. Go to Workflows > Integrations > Prisma Access and click the settings icon under Third Party Enterprise Browser.
    3. On the settings page, enable Third Party Enterprise Browser Integration.
    4. Under Import Certificate File, select Browse to upload the public certificate, and Save.
      You must get the public key from your third-party enterprise browser.
      All certificate expiration notifications are managed in the third-party enterprise browser as it manages the certificate lifecycle.
    5. Push Config to push the Third Party Enterprise Browser Integration configuration to the Prisma Access Explicit Proxy.
  2. Configure Prisma Access Explicit Proxy integration on the third-party enterprise browser:
    1. On your third-party enterprise browser, enable Palo Alto Explicit Proxy integration.
    2. Add the public key provided to integrate the Palo Alto Strata Cloud Manager.
    3. Configure the encoded tenant ID provided when you configure Third Party Integration for the Palo Alto Networks Strata Cloud Manager.
    4. Configure Explicit Proxy FQDN.
When you enable the integration, the browser control panel generates an asymmetric key pair per tenant. The public key is provided to the admin for configuring third-party integration on the Prisma Access side. The browser control plane signs the JSON Web Token (JWT) with the private key, and the public key (uploaded by the admin) is used to validate the signature. You can see the validity of the certificate on Strata Cloud Manager.
Troubleshooting for Proxy Errors
| Error Condition | Response | Browser Action |
| --- | --- | --- |
| No Proxy-Authorization header | HTTP 407 with Proxy-Authenticate: Basic realm="proxy_fqdn" | Retry with token (might need to fetch token) |
| Token empty or incorrect Proxy-Authorization header format | HTTP 407 with Proxy-Authenticate: Basic realm="proxy_fqdn" | Retry with token (might need to fetch token) |
| Token parsing internal error | HTTP 407 with Proxy-Authenticate: Basic realm="proxy_fqdn" and error_msg= "Proxy-Agent Malformed token" | Fetch a new token and retry; limit retries to N |
| Token expired | HTTP 407 with Proxy-Authenticate: Basic realm="proxy_fqdn" and error_msg= "Proxy-Agent Auth-Cookie expired" | Fetch a new token from Prisma Access |
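The browser actions from the troubleshooting table, sketched as a bounded retry loop. This is an added example, not Palo Alto Networks or browser-vendor code; `fake_proxy`, the token strings, `MAX_RETRIES = 3`, and the placement of `error_msg` next to the `Proxy-Authenticate` challenge are assumptions, and how the token is encoded into `Proxy-Authorization` is abstracted away because the page does not show it.

```python
import re

MAX_RETRIES = 3  # assumption: the table only says "limit retries to N"
CHALLENGE = 'Basic realm="proxy_fqdn"'

def classify_407(status, headers):
    """Return the browser action the table prescribes, or None if not a 407."""
    if status != 407:
        return None
    # Assumption: error_msg travels alongside the Proxy-Authenticate challenge.
    match = re.search(r'error_msg=\s*"([^"]*)"', headers.get("Proxy-Authenticate", ""))
    error_msg = match.group(1) if match else ""
    if "Malformed token" in error_msg:
        return "fetch_new_token_and_retry"
    if "Auth-Cookie expired" in error_msg:
        return "fetch_new_token"
    return "retry_with_token"  # header missing, empty, or badly formatted

def request_via_proxy(send, fetch_token, token=None, max_retries=MAX_RETRIES):
    """send(token) -> (status, headers). Returns (final status, actions taken)."""
    actions = []
    for attempt in range(max_retries + 1):  # first try plus at most N retries
        status, headers = send(token)
        action = classify_407(status, headers)
        if action is None or attempt == max_retries:
            break
        actions.append(action)
        if action == "retry_with_token" and token:
            continue  # resend the token we already hold
        token = fetch_token()
    return status, actions

def fake_proxy(token):
    """Constructed stand-in for the proxy; the token strings are sample values."""
    errors = {"expired": "Proxy-Agent Auth-Cookie expired",
              "garbled": "Proxy-Agent Malformed token"}
    if not token:
        return 407, {"Proxy-Authenticate": CHALLENGE}
    if token in errors:
        return 407, {"Proxy-Authenticate": f'{CHALLENGE}, error_msg="{errors[token]}"'}
    return 200, {}

if __name__ == "__main__":
    print(request_via_proxy(fake_proxy, lambda: "good"))                   # no token yet
    print(request_via_proxy(fake_proxy, lambda: "good", token="expired"))  # expired token
    print(request_via_proxy(fake_proxy, lambda: "garbled", token="garbled"))  # never recovers
```

A run that ends in 407 with `MAX_RETRIES` identical actions points at the token source rather than the proxy, which is the case the retry cap is there to contain.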