Enable Mobile Users to Access Corporate Resources

Enable your Prisma Access mobile users to access internal resources at your HQ or in your data center.
Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Panorama Managed Prisma Access
What Do I Need?
  • Prisma Access License
If you enable Prisma Access for users to provide internet access only, you do not need to set up any networking services, because Prisma Access provides a default IP address pool and a cloud default DNS server.
However, if you want your mobile users to be able to access internal resources at your headquarters, data centers, or at remote network sites you have onboarded to Prisma Access, you will need to:
  • define the IP address pools Prisma Access uses to assign IP addresses to your mobile users,
  • set up the Prisma Access service infrastructure,
  • and, to allow access to your headquarters or data centers, onboard service connections.
If you want your mobile users to connect to remote network sites, you must configure at least one service connection, even if you do not plan on using the connection to provide access to your data center or HQ locations. Though all branches are fully meshed, mobile user connections are not. Creating a service connection establishes the hub-and-spoke architecture required to enable mobile user traffic to route to your branch networks. In this case, you can minimally configure the service connection as follows:
  • When you onboard the service connection, use a Prisma Access location that is close to your mobile users.
  • When you set up the primary IPSec tunnel for the service connection, configure the IPSec peer authentication and tunnel settings using placeholder values.
  • When you enable routing and QoS for the service connection, add placeholder IP subnets. Because Prisma Access does not route any traffic through this tunnel, just make sure the IP subnet you use doesn’t conflict or overlap with other configured subnets connected to Prisma Access.
  1. Go to Manage > Mobile Users > Mobile Users Setup and edit Infrastructure Settings to adjust the network settings for mobile users.
  2. Review or adjust the Client IP Pool that Prisma Access uses to assign IP addresses to mobile users.
    • By default, a Worldwide IP pool is available for all mobile users.
    • You can Customize per region to set up IP pools dedicated to regions or locations. For regions or locations for which you do not specify an IP pool, Prisma Access uses the Worldwide IP pool.
    The IP address pools you define must meet the following requirements:
    • As a best practice, define RFC 1918-compliant IP address pools to prevent IP address conflicts.
    • Make sure the IP address pools you define do not overlap with other IP addresses you use internally.
    • Make sure the IP address pools you define do not overlap with the infrastructure IP address pool you are using for Prisma Access.
    • Do not specify any subnets that overlap with the 169.254.0.0/16 and 100.64.0.0/10 ranges, because Prisma Access reserves those IP addresses and subnets for its internal use.
    • Make sure you designate an IP address pool that allows enough coverage for all mobile users in your organization, based on the following guidelines:
      • If you plan to use a Worldwide address pool deployed in one or two regions, the minimum required IP address pool is /23 (512 IP addresses).
      • If you plan to use a Worldwide address pool deployed in three or more regions, the minimum required IP address pool is /19 (8,192 IP addresses), either in a single IP address pool or spread across multiple pools.
      • If you plan to define IP address pools per region, the minimum pool size in any region is /23 (512 IP addresses).
      • You do not need to assign an IP address pool in regions where you do not plan to deploy Prisma Access. For example, if you select only the US East (N. Virginia), US East (Ohio), and US West (N. California) locations when you onboard Prisma Access for users, you need to specify an IP address pool for the Americas region only. Keep in mind, however, that users in other regions will not be able to connect to Prisma Access.
      • If you plan to define a mix of Worldwide and regional pools, make sure you allocate at least 512 IP addresses per region. For example, for a three-region deployment, you can specify 1,024 addresses in the Europe region and 512 addresses Worldwide.
      • As a best practice, designate IP address pools so that you have at least one IP address for each unique mobile user in your organization, so they can all log in simultaneously. If you designate an IP address pool that has fewer IP addresses than your licensed number of users, Prisma Access displays a warning message. However, if you have a limited IP address pool and you do not expect all users to log in concurrently, you can bypass the message and use a smaller pool size.
  3. Add Client DNS settings. You can use the Worldwide default or customize settings based on region.
    Select the region for which you want to customize DNS settings.
    Check the option to use these DNS settings to Resolve internal domains and optionally Use the internal DNS Server for resolving public domains too. If you don’t select this option, Prisma Access uses its cloud default DNS servers to resolve requests for public domains.
    The DNS proxy in Prisma Access sends the requests to the DNS servers you specify. The source address in the DNS request is the first IP address in the IP pool you assign to the region. To ensure that your DNS requests can reach the servers, make sure that you allow traffic from all addresses in your mobile user IP address pool to your DNS servers.
  4. If you want your mobile users to be able to access resources on your HQ or data center networks or at other branch locations, you must configure the Prisma Access Infrastructure Settings to enable the network backbone. Go to Manage > Prisma Access > Prisma Access Setup.
  5. To enable mobile users to access resources on your HQ or data centers, create service connections to connect these sites to Prisma Access. Go to Manage > Service Connections > Service Connections Setup.
  6. When you’re ready, Push Config to Prisma Access to save your mobile user settings.
