To secure mobile users with Explicit Proxy, complete this task.
Go to Workflows > Onboarding > Onboard Users.
Configure Explicit Proxy.
You might not see the same choices in your Prisma Access deployment; the choices you see in the UI depend on the
licenses you have. For example, if you don't have a site-based remote network license,
you don't see a choice to onboard branch sites.
In the Explicit Proxy area,
Enable Explicit Proxy.
Configure the Explicit Proxy infrastructure and locations.
Enter an FQDN for Explicit Proxy.
The name for the proxy is
proxyname.proxy.prismaaccess.com, where
proxyname is the subdomain you specify.
(Optional) Show Advanced Options and
enter an Infrastructure Subnet and BGP
AS.
An infrastructure subnet is only required if you have the following
deployments:
Prisma Access uses the infrastructure subnet to create the
network backbone for communication between your mobile users and the
Prisma Access security infrastructure, as well as with the
HQ and data center networks you plan to connect to Prisma Access
over service connections. The BGP Private AS number is the
autonomous system (AS) number that identifies the routes through
which BGP can send traffic. If you don’t supply an AS number, Prisma Access uses the default AS number (65534).
Prisma Access provides you with a default
Infrastructure Subnet of 192.168.255.0/24.
If you want to create a custom infrastructure subnet:
Use an RFC 1918-compliant subnet. While the use of non-RFC
1918-compliant (public) IP addresses is supported, we don't
recommend it because of possible conflicts with the internet
public IP address space.
Don’t specify any subnets that overlap with the
169.254.0.0/16 and 100.64.0.0/10 subnet range because Prisma Access reserves those IP addresses and subnets
for its internal use.
This subnetwork is an extension to your existing network and
therefore, can’t overlap with any IP subnets that you use
within your corporate network or with the IP address pools
that you assign for Prisma Access for users or Prisma Access for networks.
Because the service infrastructure requires a large number of
IP addresses, you must designate a /24 subnetwork (for
example, 172.16.55.0/24).
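The subnet rules above can be checked before you type a custom value into the UI. This is an added example, not Prisma Access code; the RFC 1918 ranges, the two reserved ranges and the /24 requirement come from the text, and the corporate subnets passed in are constructed sample input.

```javascript
// Added example (not Prisma Access code): checks a candidate infrastructure
// subnet against the constraints listed above. The RFC 1918 and reserved ranges
// and the /24 requirement come from the text; corporate subnets are sample input.
const RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];
const RESERVED = ["169.254.0.0/16", "100.64.0.0/10"]; // reserved by Prisma Access

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Parse "a.b.c.d/n" into the integer bounds of the block plus its prefix length.
function parseCidr(cidr) {
  const [ip, prefixStr] = cidr.split("/");
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length: ${cidr}`);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const start = (ipToInt(ip) & mask) >>> 0;
  return { start, end: (start | (~mask >>> 0)) >>> 0, prefix };
}

const overlaps = (a, b) => a.start <= b.end && b.start <= a.end;
const within = (a, b) => a.start >= b.start && a.end <= b.end;

// Returns an array of findings; an empty array means the subnet is acceptable.
function checkInfrastructureSubnet(cidr, corporateSubnets = []) {
  const net = parseCidr(cidr);
  const findings = [];
  if (net.prefix !== 24) findings.push("must be a /24 subnetwork");
  if (!RFC1918.some((r) => within(net, parseCidr(r)))) {
    findings.push("not RFC 1918 space (supported, but not recommended)");
  }
  for (const r of RESERVED) {
    if (overlaps(net, parseCidr(r))) findings.push(`overlaps reserved range ${r}`);
  }
  for (const c of corporateSubnets) {
    if (overlaps(net, parseCidr(c))) findings.push(`overlaps corporate subnet ${c}`);
  }
  return findings;
}

// Constructed sample: the page's example /24 checked against two hypothetical corporate ranges.
console.log(checkInfrastructureSubnet("172.16.55.0/24", ["10.0.0.0/8", "172.16.0.0/20"]));
```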
For the BGP AS, enter an RFC 6996-compliant
BGP AS number. This number identifies the routes through which BGP
can send traffic. If you don’t supply an AS number, Prisma Access uses the default AS number (65534).
Enter the Locations for your Explicit Proxy
mobile users.
We recommend deploying Explicit Proxy in at least two different compute locations for
redundancy.
If you're limiting the number of locations, choose locations that are
closest to your users or in the same country as your users for the
best user experience. If a location isn’t available in the country
where your mobile users reside, choose a location that’s closest to
your users for the best performance.
(Optional) Add domains that you use for authentication to the
Domains Used in Authentication Flow.
Explicit Proxy uses decryption on these domains to authenticate users.
(Optional) Edit the PAC file in the
Forwarding Profiles area.
Either Edit PAC File to edit the existing PAC
file or Upload New PAC file.
Prisma Access
provides you with a default PAC file. Edit the existing PAC file or
create a new PAC file and upload it to use with Explicit Proxy.
If you need to set up multiple PAC files,
you can do that by creating a forwarding
profile after completing this onboarding workflow.
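A PAC file of the shape you would edit or upload here, as an added example and not the default file Prisma Access provides. It assumes "proxyname" stands for your subdomain, that the proxy listens on port 8080, and that the bypass rules are constructed for illustration; the PAC built-ins are re-implemented so the file also runs under Node for testing.

```javascript
// Added example, not the default PAC file Prisma Access provides. Assumptions:
// "proxyname" stands for your subdomain, port 8080 and the bypass rules are
// constructed for illustration, and the PAC built-ins are re-implemented below
// so the file also runs under Node for testing (browsers supply their own).
var PROXY = "PROXY proxyname.proxy.prismaaccess.com:8080";
var RFC1918 = [["10.0.0.0", "255.0.0.0"], ["172.16.0.0", "255.240.0.0"], ["192.168.0.0", "255.255.0.0"]];

function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.substr(host.length - domain.length) === domain;
}
function ipToInt(ip) { return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0); }
// Only literal IPv4 hosts match; a real PAC engine would resolve names first.
function isInNet(host, pattern, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet short names, loopback and an internal zone stay off the proxy.
  if (isPlainHostName(host) || isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (dnsDomainIs(host, ".internal.example.com")) return "DIRECT";
  // Literal RFC 1918 destinations are reached on the corporate network.
  for (var i = 0; i < RFC1918.length; i++) {
    if (isInNet(host, RFC1918[i][0], RFC1918[i][1])) return "DIRECT";
  }
  // Everything else, including the IdP domains listed under "Domains Used in
  // Authentication Flow", goes through Explicit Proxy. Returning only PROXY
  // (no "; DIRECT" fallback) keeps the client from failing open to unfiltered
  // internet access when the proxy is unreachable.
  return PROXY;
}
```

Keep the IdP domains out of any bypass rule you add: the proxy has to see that traffic to authenticate the user.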
Go to the Next step.
Specify authentication for your mobile users.
You can use either the Cloud Identity Engine or local authentication.
To use the Cloud Identity Engine for authentication:
Select Cloud Identity Engine and, if you
have already created an authentication profile, enter it.
If you have not created a profile:
Add New.
To use the Cloud Identity Engine with an identity
provider (IdP) vendor, configure a
cloud-based directory in the Cloud Identity
Engine before starting this procedure.
Configure IdP for SAML authentication by selecting an
Identity Provider Vendor for SAML
2.0.
Download the Metadata file.
Set up an IdP profile.
You can either upload a metadata file
you downloaded (Upload Metadata) or a
URL (Enter URL).
The
Identity Provider ID,
Identity Provider Certificate,
Identity Provider SSO URL, and
HTTP Binding for SSO Request to Identity
Provider fields populate using the metadata
file or URL you provided. If you see any issues with the
information in these fields, correct it on the IdP vendor
site and upload the metadata again.
Test SAML
setup to verify the SAML IdP configuration
with Prisma Access.
Select the Username Attribute for the
Cloud Identity Engine to use for authentication and
Confirm your changes.
Select the
username attribute that uses the Name
(/identity/claims/name)
format. If you don’t select the correct username attribute,
user authentication for projects isn’t successful. For more
information, refer to the Microsoft
documentation.
Enter a CIE Authentication Profile Name
for the profile you created and Finish
the setup.
To use local authentication, select Prisma Access
Authentication.
Prisma Access creates a local profile for you and you can
add local users and groups
to the profile. Confirm your changes when
complete.
Configure Security policy rules for your Explicit Proxy Prisma Access
deployment.
To simplify the onboarding process, Prisma Access provides you with
predefined internet access and decryption policy rules based on best
practices. You can quickly set up IPSec tunnels using defaults suitable for
the most common IPSec-capable devices and enable SSL decryption for
recommended URL categories.
There are also predefined, best practice settings for decryption bypass,
Advanced Threat Protection, and Vulnerability Protection. You can modify these
settings as required.
Go to the Next screen and complete your
configuration.
Push Config to push your configuration
changes.
Deploy your Explicit Proxy configuration to your mobile users.
Deploy the PAC file using mobile device management (MDM) or
another method.