Use Explicit Proxy to Secure Public Apps and GlobalProtect or a Third-Party VPN to Secure Private Apps
Learn how to configure Prisma Access Explicit Proxy to
secure internet resources and use GlobalProtect or a third-party
VPN to secure private resources.
If you are using GlobalProtect in split tunnel mode to provide
secure access to private apps only, you can add Prisma Access Explicit
Proxy (Explicit Proxy) to your deployment to secure public apps,
including internet and external SaaS applications.
In addition,
if you are using a VPN client for access to data center and private
applications, you can continue to use that client to secure access to
private apps while you use Explicit Proxy and a PAC file to secure
access to public apps. You can deploy Explicit Proxy in
a location close to your mobile users, which eliminates the need
to backhaul traffic to your data center for web security.
Use
the following sections to see deployment examples and learn how
to configure Explicit Proxy with GlobalProtect or a third-party
VPN.
Use Explicit Proxy with GlobalProtect and Third-Party VPNs Examples
This section provides examples of adding Explicit
Proxy to existing on-premise GlobalProtect, Prisma Access Mobile Users—GlobalProtect,
and third-party VPN deployments.
The following figure shows
a deployment using an on-premises or virtual GlobalProtect gateway
along with Explicit Proxy. GlobalProtect routes the traffic using
the GlobalProtect client to the Palo Alto Networks next-generation
firewall. To configure this deployment, you create a split tunnel configuration
in GlobalProtect, allowing private apps to be secured with GlobalProtect
and public apps to be secured with Explicit Proxy. When configuration
is complete, mobile users connect to the private apps in your organization’s
data center using GlobalProtect and connect to public, internet-based
apps using Explicit Proxy.
If you
have a third-party VPN, you can use it to connect to private apps
in the data center, while securing public apps using Explicit Proxy,
as shown in the following figure.
How Explicit Proxy Works With GlobalProtect
Before you decide what applications or traffic
you should protect with Explicit Proxy and which applications you
should protect with either GlobalProtect or a third-party VPN, you
should understand how GlobalProtect and Prisma Access make their
forwarding decisions based on the Explicit Proxy and VPN configuration.
The examples in this section assume that you have already deployed
Explicit Proxy and GlobalProtect into your organization’s network
and have configured GlobalProtect split tunnel options.
The following figure shows the process.
When a
mobile user requests a private or internet-based resource or app,
the request is evaluated by the Explicit Proxy PAC file on the endpoint.
- A return "DIRECT"; statement in the PAC file causes the traffic matched by the expression to bypass Explicit Proxy processing. Explicit Proxy provides you with a sample PAC file that uses return "DIRECT"; with IP addresses and URLs. See PAC File Guidelines and Requirements to see the contents of the PAC file and a description of how to use it.
- A dnsResolve(host) function call in the PAC file forces the endpoint to make a DNS query to resolve a hostname to an IP address. This query then follows the VPN policy (for example, split tunnel or split DNS) for forwarding the DNS request to the destination DNS server. The PAC file provided with Explicit Proxy uses dnsResolve(host), return "DIRECT";, and private IP addresses together in an expression. If, after a DNS lookup, the returned IP address falls within the private IP addresses in the expression, the traffic associated with that private IP address bypasses Explicit Proxy processing.
- Traffic that is specified in the PAC file as return "PROXY sitename:8080"; is forwarded to Explicit Proxy.
After the web request
is evaluated based on the conditions in the PAC file, it is then
sent to the GlobalProtect or third-party VPN configuration on the
endpoint for processing and the traffic is evaluated in the GlobalProtect
app for split tunnel configuration options. You can split traffic
based on domain (URL) or application or subnet. If you have configured split DNS options in GlobalProtect,
traffic is also evaluated based on those DNS options.
After
the traffic is processed, it is then sent to GlobalProtect, direct
to the internet, or to Explicit Proxy, based on the PAC file and
VPN processing.
The following figure shows a mobile user
attempting to access a private resource using the URL internal-app.corp.com.
- The PAC file has the following configuration to allow internal-app.corp.com to bypass Explicit Proxy:
    /* Bypass internal URL */
    if (shExpMatch(host, "*internal-app.corp.com"))
        return "DIRECT";
- When the mobile user requests internal-app.corp.com from their browser, the browser evaluates the conditions in the PAC file. Based on that evaluation, the browser does not forward the request to the proxy and sends it directly to the GlobalProtect app.
- GlobalProtect notes that internal-app.corp.com is listed in the Include Domain and sends it through the VPN tunnel.
- GlobalProtect sends the request to the resource in internal-app.corp.com based on the configuration options in GlobalProtect.
You
might want to configure some resources, such as login resources,
so that they do not use either Explicit Proxy or the GlobalProtect
or third-party VPN for processing. The following figure shows a
user logging in to Microsoft Online by entering login.microsoftonline.com from
their browser.
- The PAC file has the following configuration to allow login.microsoftonline.com to bypass Explicit Proxy:
    /* Bypass login URL */
    if (shExpMatch(host, "login.microsoftonline.com"))
        return "DIRECT";
- When the mobile user requests login.microsoftonline.com from their browser, the browser evaluates the request against the PAC file on the mobile user’s endpoint and, because the PAC file returns DIRECT for it, sends it to the VPN configuration (GlobalProtect in this case) for processing.
- The GlobalProtect app notes that login.microsoftonline.com is listed in the Exclude Domain.
- GlobalProtect bypasses the VPN and sends the request direct to the internet, based on the configuration options in GlobalProtect.
Requirements and Recommendations for Using Explicit Proxy with GlobalProtect and Third-Party VPNs
Before you start your configuration, make
sure that you follow the requirements and recommendations that are
required to deploy Explicit Proxy with GlobalProtect or with a third-party
VPN:
- To use Explicit Proxy with GlobalProtect, you must deploy GlobalProtect (either a Mobile Users—GlobalProtect deployment or a standalone GlobalProtect deployment that uses GlobalProtect gateways and portals). You configure a split tunnel configuration in GlobalProtect. The examples in this section show traffic being split based on a domain (URL) or application; however, you can also split traffic based on the access route. You can also configure split DNS options in GlobalProtect to control which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.
- To use Explicit Proxy with a third-party VPN, you must deploy the VPN solution.
- Make a list of the applications that you want to secure with the Mobile Users—GlobalProtect or third-party VPN deployment. For example, if you are configuring Explicit Proxy with GlobalProtect, you should configure GlobalProtect to secure all access to private apps or resources, while configuring the Explicit Proxy PAC file to secure public apps or SaaS applications. The configuration examples in this section have GlobalProtect resolving the internal domains and Explicit Proxy resolving external domains.
- Configure authentication for Explicit Proxy and GlobalProtect or the third-party VPN.
- For Explicit Proxy, you must use SAML authentication. Follow the guidelines for configuring SAML in an Explicit Proxy deployment, including the URLs to use for SAML sign-on.
- For Mobile Users—GlobalProtect deployments, if you use SAML authentication with Okta as the Identity Provider (IdP), see the procedure you use to configure SAML authentication using Okta in the Prisma Access Integration Guide (Panorama Managed).
- For standalone GlobalProtect deployments, you can configure SAML authentication in PAN-OS.
- For a third-party VPN, refer to the product documentation for that VPN.
Palo Alto Networks recommends that you use the default browser on each mobile user’s endpoint for SAML authentication so you can take advantage of single sign-on (SSO) by editing the portal configuration as shown in Use Explicit Proxy with GlobalProtect.
- You must make sure that the browsers used by the mobile users honor the configuration in the PAC file. See Explicit Proxy System Guidelines and Requirements for Explicit Proxy browser restrictions.
Use Explicit Proxy with GlobalProtect
To implement Mobile Users—GlobalProtect with
Explicit Proxy, complete the following steps.
These configuration
steps make the following assumptions about your network environment;
if your network environment is different, the configuration might
be different:
- Mobile users are able to reach and resolve the GlobalProtect portal hostname, gateway FQDNs, Explicit Proxy URL, and PAC File URL.
  - To find the gateway FQDNs, select Panorama > Cloud Services > Status > Network Details > Mobile Users—GlobalProtect > Gateways.
  - To find the PAC File URL, select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > PAC File URL.
- Mobile Users are able to resolve internal domains from GlobalProtect.
- Plan your Mobile Users—Explicit Proxy deployment and your GlobalProtect deployment (either your Mobile Users—GlobalProtect or standalone GlobalProtect deployment). Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy. The following steps direct private applications hosted at your data center to GlobalProtect and requests to internet and public SaaS applications to Explicit Proxy.
- In the Panorama that manages Prisma Access, configure GlobalProtect portal settings.
  - Select Network > GlobalProtect > Portals. Be sure that you are in the Mobile_Users_Template from the Template drop-down.
  - Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
  - Select the Agent tab and select the DEFAULT configuration or Add a new one.
  - Select the App tab and make the following app configuration changes:
    - In Detect Proxy for Each Connection, select Yes.
    - In Set Up Tunnel Over Proxy (Windows & Mac Only), select No.
    - In Use Default Browser for SAML Authentication, select Yes.
- Create a split tunnel in GlobalProtect that allows you to direct the internal traffic to GlobalProtect. The following example uses a split tunnel to direct traffic based on domain (FQDN); you could also configure a split tunnel based on the access route of traffic.
  - While you are still in the GlobalProtect Agent configuration (Network > GlobalProtect > Gateways > GlobalProtect External Gateway), select Agent > Client Settings.
  - Select the DEFAULT configuration or Add a new one.
  - Select Split Tunnel > Domain and Application.
  - Add the Include Domain and, optionally, the Ports to use with the domain. This example uses internal-app.corp.com as the URL you use to host apps in your data center. You add this URL and the SAML authentication URL in the Exclude Domain.
  - Click OK to save your changes.
  - Commit and Push your changes.
- Configure the PAC file to exclude the domains you entered for split tunnel. The following example shows a PAC file with the URL that hosts private apps (internal-app.corp.com) bypassing the internal proxy. The parameters in the following PAC file are all example values:
- The portal hostname is splittunnel.gpcloudservice.com.
- The mobile user gateways (Panorama > Cloud Services > Status > Network Details > Mobile Users—GlobalProtect > Gateways) are contained in the wildcard FQDN *examplegateways.gw.gpcloudservice.com.
- The PAC File URL (Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > PAC File URL) is https://pacfileurl.pac.
- internal-app.corp.com is hosting the private apps that are being protected by Mobile Users—GlobalProtect.
- Okta is being used for SAML authentication.
- The Explicit Proxy URL is example.proxy.prismaaccess.com.
For more information about what PAC files do and how to create and modify them, see PAC File Guidelines and Requirements.

    function FindProxyForURL(url, host) {
        /* Bypass FTP */
        if (url.substring(0, 4) == "ftp:")
            return "DIRECT";
        /* Bypass the Prisma Access Portal Hostname (a leading "*" without a
           dot also matches the bare portal hostname itself) */
        if (shExpMatch(host, "*splittunnel.gpcloudservice.com"))
            return "DIRECT";
        /* Bypass the Prisma Access Gateway */
        if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com"))
            return "DIRECT";
        /* Bypass the Prisma Access PAC File URL. The host argument never
           carries a scheme, so match the bare host name, not the full URL */
        if (shExpMatch(host, "pacfileurl.pac"))
            return "DIRECT";
        /* Bypass the URLs Being Sent to the GlobalProtect Portal */
        if (shExpMatch(host, "*internal-app.corp.com"))
            return "DIRECT";
        /* Bypass ACS */
        if (shExpMatch(host, "*.acs.prismaaccess.com"))
            return "DIRECT";
        /* Forward to Prisma Access */
        return "PROXY example.proxy.prismaaccess.com:8080";
    }

Use Explicit Proxy with Third-Party VPNs
To use third-party VPNs with Explicit Proxy, you must be able to make the following changes in your network:
- You must configure your third-party VPN to perform split tunneling to direct internet traffic to Explicit Proxy. For any assistance with configuring your third-party VPN, contact your third-party VPN vendor.
- Modify the PAC file to have Explicit Proxy bypass any of the following VPN components:
  - Any IP addresses associated with the third-party VPN
  - Any login URLs required for the third-party VPN
In the following example, the PAC file is configured so that Explicit Proxy is bypassed for internal resources that use private IP addresses, as well as for the authentication traffic flows.

    function FindProxyForURL(url, host) {
        /* Bypass plain host names, .local names, and private or loopback addresses */
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        /* Bypass SAML for AnyConnect Azure */
        if (shExpMatch(host, "login.microsoftonline.com"))
            return "DIRECT";
        if (shExpMatch(host, "login.windows.net"))
            return "DIRECT";
        if (shExpMatch(host, "login.microsoft.com"))
            return "DIRECT";
        /* Forward to Prisma Access */
        return "PROXY example.proxy.prismaaccess.com:8080";
    }
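As an added example that is not part of the Prisma Access documentation, the following JavaScript harness implements the standard PAC helper functions (shExpMatch, isPlainHostName, isInNet, and dnsResolve against a constructed lookup table) and runs a decision function modelled on the third-party VPN PAC file above, so you can check offline which requests bypass Explicit Proxy and which are forwarded to it; it also exercises the dnsResolve bypass described in How Explicit Proxy Works With GlobalProtect. The host names, IP addresses and DNS table are constructed values.

```javascript
// Added example, not from the Prisma Access documentation: a minimal offline
// harness that implements the standard PAC helper functions and evaluates a
// decision function modelled on the third-party VPN PAC file above, so you
// can see which requests bypass Explicit Proxy ("DIRECT") and which are forwarded.

// Constructed DNS table standing in for the endpoint resolver. In a real
// deployment the VPN's split DNS policy decides which server answers.
const DNS = {
  "internal-app.corp.com": "10.20.30.40", // private app reached over the VPN
  "www.example.com": "93.184.216.34",     // public site, should go to the proxy
};

// dnsResolve returns null when the name does not resolve, as browsers do.
function dnsResolve(host) { return DNS[host] || null; }

// Plain host names (no dot) are treated as local by the PAC file.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Shell-style glob match: "*" and "?" are wildcards, everything else literal.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// isInNet compares the address against net/mask; an unresolvable host
// (null) is never considered private, so it falls through to the proxy.
function isInNet(ip, net, mask) {
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Decision logic mirroring the third-party VPN PAC file on this page.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) return "DIRECT";
  /* Bypass SAML for AnyConnect Azure */
  if (shExpMatch(host, "login.microsoftonline.com")) return "DIRECT";
  /* Forward to Prisma Access */
  return "PROXY example.proxy.prismaaccess.com:8080";
}

// Convenience wrapper: derive the host from the URL as the browser would.
function decide(url) { return FindProxyForURL(url, new URL(url).hostname); }
```

Drop your own PAC file's FindProxyForURL in place of the one above to verify a bypass list before pushing it to endpoints.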