Onboarding Workflow for Prisma Access Explicit Proxy Deployments

1. Go to ConfigurationOnboardingOnboard Users.
2. Configure Explicit Proxy.

   You might not see the same choices in your Prisma Access deployment; the choices you see in the UI depend on the licenses you have. For example, if you don't have a site-based remote network license, you don't see a choice to onboard branch sites.

3. In the Explicit Proxy area, Enable Explicit Proxy.

4. Configure the Explicit Proxy infrastructure and locations.

   1. Enter an FQDN for Explicit Proxy.

      The name for the proxy is proxyname.proxy.prismaaccess.com, where proxyname is the subdomain you specify.
   2. (Optional) Show Advanced Options and enter an Infrastructure Subnet and BGP AS.

      An infrastructure subnet is only required if you have the following deployments:

      • Explicit Proxy in Proxy Mode
      • Explicit Proxy in Tunnel and Proxy Mode
      • Explicit Proxy with a Service Connection

      Prisma Access uses the infrastructure subnet to create the network backbone for communication between your mobile users and the Prisma Access security infrastructure, as well as with the HQ and data center networks you plan to connect to Prisma Access over service connections. The BGP Private AS number is the autonomous system (AS) number that identifies the routes through which BGP can send traffic. If you don’t supply an AS number, Prisma Access uses the default AS number (65534).

      Prisma Access provides you with a default Infrastructure Subnet of 192.168.255.0/24. If you want to create a custom infrastructure subnet:

      • Use an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, we don't recommend it because of possible conflicts with the internet public IP address space.
      • Don’t specify any subnets that overlap with the 169.254.0.0/16 and 100.64.0.0/10 subnet range because Prisma Access reserves those IP addresses and subnets for its internal use.
      • This subnetwork is an extension to your existing network and therefore, can’t overlap with any IP subnets that you use within your corporate network or with the IP address pools that you assign for Prisma Access for users or Prisma Access for networks.
      • Because the service infrastructure requires a large number of IP addresses, you must designate a /24 subnetwork (for example, 172.16.55.0/24).

      For the BGP AS, enter an RFC 6996-compliant BGP AS number. This number identifies the routes through which BGP can send traffic. If you don’t supply an AS number, Prisma Access uses the default AS number (65534).

      The BGP Private AS number is the autonomous system (AS)

   3. Enter the Locations for your Explicit Proxy mobile users.

      We recommend deploying Explicit Proxy in at least two different compute locations for redundancy.

      If you're limiting the number of locations, choose locations that are closest to your users or in the same country as your users for the best user experience. If a location isn’t available in the country where your mobile users reside, choose a location that’s closest to your users for the best performance.

   4. (Optional) Add domains that you use for authentication to the Domains Used in Authentication Flow.

      Explicit Proxy uses decryption on these domains to authenticate users.
   5. (Optional) Edit the PAC file in the Forwarding Profiles area.

      Either Edit PAC File to edit the existing PAC file or Upload New PAC file.

      Prisma Access provides you with a default PAC file. Edit the existing PAC file or create a new PAC file and upload it to use with Explicit Proxy.

      If you need to set up multiple PAC files, you can do that by creating a forwarding profile after you complete onboarding.

   6. Go to the Next step.
5. Specify authentication for your mobile users.

   You can use either the Cloud Identity Engine or local authentication.

   • To use the Cloud Identity Engine for authentication:
     1. Select Cloud Identity Engine and, if you have already created an authentication profile, enter it.

     2. If you have not created a profile:
        1. Add New.
           To use the Cloud Identity Engine with an identity provider (IdP) vendor, configure a cloud-based directory in the Cloud Identity Engine before starting this procedure.

        2. Configure IdP for SAML authentication by selecting an Identity Provider Vendor for SAML 2.0.

     3. Download the Metadata file.
     4. Set up an IdP profile.
        You can either upload a metadata file you downloaded (Upload Metadata) or a URL (Enter URL).
        The Identity Provider ID, Identity Provider Certificate, Identity Provider SSO URL, and HTTP Binding for SSO Request to Identity Provider fields populate using the metadata file or URL you provided. If you see any issues with the information in these fields, correct it on the IdP vendor site and upload the metadata again.
        Test SAML setup to verify the SAML IdP configuration with Prisma Access.

     5. Select the Username Attribute for the Cloud Identity Engine to use for authentication and Confirm your changes.
        Select the username attribute that uses the Name (/identity/claims/name) format. If you don’t select the correct username attribute, user authentication for projects isn’t successful. For more information, refer to the Microsoft documentation.

     6. Enter a CIE Authentication Profile Name for the profile you created and Finish the setup.

   • To use local authentication, select Prisma Access Authentication.
     Prisma Access creates a local profile for you and you can add local users and groups to the profile. Confirm your changes when complete.
6. Configure Security policy rules for your Explicit Proxy Prisma Access deployment.

   To simplify the onboarding process, Prisma Access provides you with predefined internet access and decryption policy rules based on best practices. You can quickly set up IPSec tunnels using defaults suitable for the most common IPSec-capable devices and enable SSL decryption for recommended URL categories.

   There are also predefined, best practice settings for decryption bypass, Advanced Threat Protection, and Vulnerability Protection. You can modify these settings as required.

7. Go to the Next screen and complete your configuration.

   1. Push Config to push your configuration changes.
   2. Deploy your Explicit Proxy configuration to your mobile uses.

      • Deploy the PAC file using mobile device management (MDM) or another method.
      • Retrieve the IP addresses used by Explicit Proxy and add them to your network's allow lists.
      • Review the Explicit Proxy best practices.
      • If you encounter any issues, use the Explicit Proxy troubleshooting steps.