Configure Private Web Application Access
Learn how to configure secure, agentless access to private web applications for unmanaged users.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Prisma Access version: 6.1 Preferred
  • Minimum PAN-OS dataplane version: 11.2.7
  • Prisma Access license with a Mobile User subscription
  • Cloud Identity Engine (CIE) for user authentication
  • Service Connection (SC), or ZTNA Connector, or Colo-Connect for private app connectivity
  • Network Administrator or Superuser role
This procedure guides you through setting up private web applications for agentless access within your Strata Cloud Manager environment. You will integrate with Cloud Identity Engine, define portal settings, create access policies, and configure private web applications. If you already configured the portal, skip ahead to Step 4.
  1. Go to the Secure Agentless Access (SAA) Applications page.
    • For Prisma Access (Managed by Strata Cloud Manager):
      1. Log in to Strata Cloud Manager as the administrator.
      2. Select Configuration > Secure Agentless Access > Applications.
    • For Prisma Access (Managed by Panorama):
      1. Launch Secure Agentless Access from the Cloud Services plugin on Panorama by selecting Panorama > Cloud Services > Secure Agentless Access.
      2. Click Get Started.
      3. Select Configuration > Secure Agentless Access > Applications.
  2. Select Configuration > Secure Agentless Access.
  3. Ensure Cloud Identity Engine (CIE) is configured for authentication. CIE is mandatory for user authentication, securing access to your private web applications through a centralized identity provider. This step links Secure Agentless Access to your organization's identity management system.
    1. On the Overview tab, verify that CIE is set up for authentication.
    2. To change the Cloud Identity Engine settings, select the gear icon to access the SAA settings.
    3. Select the CIE Directory from which to retrieve the user-group mapping.
    4. Select the corresponding CIE Authentication Profile, which is the SAML authentication profile that validates the login credentials of end users who access Secure Agentless Access.
    5. Save your settings.
  4. Configure the SAA Portal Settings. These settings customize the end-user portal, which serves as the central hub for users to authenticate and launch assigned applications.
    1. Select the Portal tab.
    2. Select the gear icon to edit the SAA portal settings.
    3. Enter a descriptive Portal Tab Name.
    4. Define a Portal URL.
    5. Configure Inactivity Timeout, Max Session Duration and branding options, such as a Portal Logo.
    6. Save your portal settings.
  5. Define a new private web application. You can either define a completely new application or, if you already have a private web application, select that existing application and enable agentless access for it.
    1. Select the Applications tab.
    2. Select Add Application.
    3. Enter an Application Name.
    4. Select Private Web Browsing as the app Type.
    5. Enter the Destination Details, including the protocol, FQDN or host IP address, and port number (for example, https://intranet-app1.example.com:443). Any port value can be configured; 443 is the default.
      Web apps with wildcard destination domains (e.g., *.example.com) are not supported at this time.
    6. Configure DNS settings for the DNS resolution of your private web application FQDN.
      • For Prisma Access (Managed by Strata Cloud Manager):
        Select DNS Setup to configure client DNS settings directly within the application configuration.
        1. Select the Client DNS region to adjust and customize the DNS settings for that region (or use the Worldwide default).
        2. Select Resolve internal domains and Add one or more Internal Domain Resolve Rules.
        3. Enter a unique Name for the rule.
        4. Select Custom for Primary DNS and Secondary DNS and specify the IP addresses for your custom internal DNS server.
        5. Click + to enter the specific domains you want to resolve in the Domain Lists (for example, *.acme.com). You can specify a maximum of 1,024 domain entries.
        6. Save your changes.
      • For Prisma Access (Managed by Panorama):
        The DNS Setup option is disabled for Panorama-managed deployments. You must configure client DNS settings directly in Panorama by following the procedure in DNS Resolution for Mobile Users—Explicit Proxy Deployments.
    7. Back in the Add Application window, configure Secure Agentless Access Settings for the application, defining the external Access Domain (for example, *.acme.com). This is the domain that end users will see while accessing the app.
      If the destination host is specified as an IP address, make sure to specify the corresponding FQDN in the Access Domain.
    8. Upload the certificate for the external access domain. This enables app access through the access domain.
      • For Prisma Access (Managed by Strata Cloud Manager):
        You can choose from the certificates that are already present or Import Certificates to upload a new certificate.
        You can use the following certificate options:
        • Public CA-signed certificate—Signed by a publicly trusted CA (such as Let's Encrypt or GoDaddy). The public CA bundle is pre-loaded on SAA Clusters and trusted by unmanaged user browsers by default, requiring no additional configuration on end-user devices.
        • Private CA-signed certificate—Signed by your organization's own CA. You must upload the CA certificate to the MU gateway and install the root CA on all end-user devices that access the application. Without this, browsers display certificate trust errors.
        • Both public and private certificates—You can use a publicly trusted certificate (such as DigiCert or Let's Encrypt) for unmanaged user connections while maintaining your private CA for managed devices that require explicit validation. This approach eliminates the need to install a private CA on unmanaged devices.
        Important: Ensure that the certificate is committed and pushed to the MU gateway(s).
      • For Prisma Access (Managed by Panorama):
        The Import Certificates option is disabled for Panorama-managed deployments. You must import the certificate and private key directly in Panorama by following the procedure in Import a Certificate and Private Key.
    9. Save your application configuration. After you save, the SAA backend generates a CNAME. Map this CNAME to your application access FQDN on your public DNS server.
      After the initial configuration, if you edit an app and change certain fields such as the destination, the CNAME might change. In this case, you must update the CNAME entry on your public DNS server.
      Before updating your public DNS, validate application access by adding the access FQDN-to-CNAME mapping in your local hosts file. After you confirm connectivity, apply the mapping on your public DNS server.
  6. (Optional) Set up application groups to help manage which users can access which groups of apps.
  7. Configure SAA policies to control access to private web applications by assigning users, user groups, or application groups.
    1. On the Portal tab, edit existing SAA policies or Add a policy.
    2. Enter a unique Name for the policy.
    3. Select specific Users and User Groups.
    4. Assign the Applications and Application Groups (for example, HTTP app IP, Jenkins).
    5. Select a SAA Profile. If you don't specify a SAA Profile, the Default SAA Profile is used.
      SAA profiles with data control apply only to RDP, SSH, and VNC apps. If you want file blocking controls for private web apps, configure these settings in the Prisma Access Security Policies in Strata Cloud Manager (Configuration > NGFW and Prisma Access > Security Services > Security Policy).
    6. Save your SAA policy settings.
  8. Configure data controls for private web applications.
    For private web applications, configure security policies in Prisma Access using Endpoint DLP or other cloud-delivered security services. For example, if you want file blocking controls for private web apps, configure these settings in the Prisma Access Security Policies in Strata Cloud Manager (Configuration > NGFW and Prisma Access > Security Services > Security Policy).
  9. Share the private web app with your users.
    1. Select the Applications tab.
    2. Locate the app (with app type Private Web Browsing) and share the access domain with your contractors or unmanaged device users so they can access the application.
      End users can access the app through the portal that you have configured, or directly with the access domain URL, provided that they are authenticated and authorized.
  10. Monitor active connections. Select the Active Connections tab to gain real-time visibility into current user sessions, allowing you to monitor usage and troubleshoot.
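The destination, access domain, and certificate rules from steps 5.5 through 5.8 are easy to get wrong before the first commit. The following pre-flight check is an added example, not Palo Alto Networks code: it parses a Destination Details value, rejects wildcard destinations, requires a concrete access FQDN (mandatory when the destination is an IP), and checks that the uploaded certificate's Subject Alternative Names cover that FQDN using standard single-label wildcard matching. The SAN list is constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list standing in for the certificate uploaded for the
# external access domain; not taken from any real certificate.
EXAMPLE_CERT_SANS = ["*.acme.com", "portal.acme.com"]


def is_ip(host):
    """True if host is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_destination(dest):
    """Parse a Destination Details value such as https://host:443 into
    (scheme, host, port). Wildcard FQDNs are rejected because they are not
    supported as destinations; the port defaults to 443 for https."""
    parts = urlsplit(dest)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"destination must be http(s)://host[:port], got {dest!r}")
    if "*" in host:
        raise ValueError("wildcard destination domains are not supported")
    return parts.scheme, host, parts.port or (443 if parts.scheme == "https" else 80)


def san_covers(hostname, sans):
    """Does any SAN cover hostname? A wildcard covers one leftmost label only,
    so *.acme.com covers app1.acme.com but not acme.com or a.b.acme.com."""
    hostname = hostname.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san == hostname:
            return True
        if san.startswith("*.") and "." in hostname:
            label, rest = hostname.split(".", 1)
            if label and label != "*" and rest == san[2:]:
                return True
    return False


def check_app(destination, access_fqdn, cert_sans):
    """Return a list of problems with an SAA app definition; empty means it passes."""
    try:
        parse_destination(destination)
    except ValueError as err:
        return [str(err)]
    if is_ip(access_fqdn) or "*" in access_fqdn or "." not in access_fqdn:
        return ["access domain must be a concrete FQDN (required when the destination is an IP)"]
    if not san_covers(access_fqdn, cert_sans):
        return [f"certificate SANs {cert_sans} do not cover {access_fqdn}"]
    return []
```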

Access Private Web Applications

This procedure outlines how unmanaged users can access private web applications after you configure private web application access.
  1. Access the configured Portal URL in your web browser, or directly enter the private web application URL.
    If you access the application URL directly, the system prompts for authentication if you are not already logged in.
  2. Authenticate using Cloud Identity Engine.
  3. From the landing page, select the desired private web application from the Web Apps tab.