Explicit Proxy and GlobalProtect (or a Third-Party VPN)
Use Explicit Proxy to secure internet resources, and use
GlobalProtect or a third-party VPN to secure private resources.
So that your mobile users can connect securely, you can combine
Explicit Proxy with either GlobalProtect or a third-party VPN:
- Explicit Proxy and GlobalProtect
  - Use GlobalProtect in split tunnel mode to provide secure access to private apps only.
  - Use Explicit Proxy to secure public apps, including internet traffic and external SaaS applications.
- Explicit Proxy and a Third-Party VPN
  If you are using a VPN client for access to data center and private applications, you can continue to use that client to secure access to private apps while you use Explicit Proxy and a PAC file to secure access to public apps. You can deploy Explicit Proxy in a location close to your mobile users, which eliminates the need to backhaul web traffic to your data center for web security.
How It Works
Before you decide what applications or traffic
you should protect with Explicit Proxy and which applications you
should protect with either GlobalProtect or a third-party VPN, you
should understand how GlobalProtect and Prisma Access make their
forwarding decisions based on the Explicit Proxy and VPN configuration.
The examples in this section assume that you have already deployed Explicit
Proxy and GlobalProtect into your organization’s network and have
configured GlobalProtect split tunnel options.
The following figure shows the process.

When a mobile user requests a private or internet-based resource or app,
the browser first evaluates the request against the Explicit Proxy PAC file
that is installed on the endpoint.
- Traffic for which the PAC file returns "DIRECT" bypasses Explicit Proxy. Combining dnsResolve(host) with isInNet() in a rule that returns "DIRECT" lets you bypass Explicit Proxy by IP address or subnet rather than by name. Note that the endpoint then resolves the host name before every proxy decision, so the result depends on which resolver (tunnel or local) answers that query under your split DNS configuration.
- Traffic for which the PAC file returns "PROXY sitename:8080" is forwarded to Explicit Proxy.
After the browser has evaluated the request against the PAC file, the
request leaves the browser and is evaluated on the endpoint by the
GlobalProtect app against its split tunnel configuration (or by the
third-party VPN client against its split tunnel options). You can split
traffic based on domain (URL), application, or subnet (access route). If you have
configured split DNS options in GlobalProtect, name resolution for the
request is also governed by those DNS options.
Based on the combined PAC file and VPN decisions, the traffic is then sent
through the GlobalProtect tunnel, direct to the internet, or to Explicit
Proxy. Connections to Explicit Proxy itself are subject to the same split
tunnel evaluation, so the Explicit Proxy URL must not fall inside a
GlobalProtect include rule; otherwise proxy traffic is backhauled through
the tunnel.
The following figure shows a mobile user attempting to access a private
resource using the URL internal-app.corp.com.
- The PAC file contains the following rule so that internal-app.corp.com bypasses Explicit Proxy:
    /* Bypass internal URL */
    if (shExpMatch(host, "*internal-app.corp.com"))
        return "DIRECT";
- When the mobile user requests internal-app.corp.com from the browser, the browser evaluates the conditions in the PAC file and gets "DIRECT". It therefore does not forward the request to the proxy; the request goes out through the endpoint's network stack, where the GlobalProtect app evaluates it.
- GlobalProtect finds internal-app.corp.com in its Include Domain list and sends the request through the VPN tunnel.
- GlobalProtect delivers the request to the resource at internal-app.corp.com according to the configuration options in GlobalProtect.
You might want to configure some resources, such as identity provider
login endpoints, so that they use neither Explicit Proxy nor the
GlobalProtect or third-party VPN tunnel. The following figure shows a
user logging in to Microsoft Online by entering
login.microsoftonline.com in the browser.
- The PAC file contains the following rule so that login.microsoftonline.com bypasses Explicit Proxy:
    /* Bypass the identity provider login URL */
    if (shExpMatch(host, "login.microsoftonline.com"))
        return "DIRECT";
- When the mobile user requests login.microsoftonline.com from the browser, the browser evaluates the PAC file on the endpoint, gets "DIRECT", and hands the request to the endpoint's network stack, where the VPN client (GlobalProtect in this case) evaluates it against its split tunnel configuration.
- The GlobalProtect app finds login.microsoftonline.com in its Exclude Domain list.
- GlobalProtect bypasses the VPN tunnel and sends the request direct to the internet, according to the configuration options in GlobalProtect.
Guidelines
Follow these guidelines when using Explicit
Proxy with GlobalProtect or a third-party VPN:
- Follow the guidelines for setting up Explicit Proxy.
- To use Explicit Proxy with GlobalProtect, you must configure split tunneling for GlobalProtect. You can split traffic based on domain (URL), application, or access route.
- Make a list of the applications that you want to secure with the Mobile Users—GlobalProtect or third-party VPN deployment. For example, if you are configuring Explicit Proxy with GlobalProtect, configure GlobalProtect to secure all access to private apps or resources, and configure the Explicit Proxy PAC file to secure public apps and SaaS applications. The configuration examples in this topic have GlobalProtect resolving the internal domains and Explicit Proxy resolving external domains.
- Configure authentication for Explicit Proxy and for GlobalProtect or the third-party VPN. For Explicit Proxy, you must use SAML authentication. Palo Alto Networks recommends that you use the default browser on each mobile user's endpoint for SAML authentication so you can take advantage of single sign-on (SSO).
- Make sure that the browsers your mobile users run honor the PAC file configured on the endpoint. Applications that do not use the system proxy settings never consult the PAC file; their traffic is subject only to the split tunnel rules, so it either enters the tunnel or goes direct to the internet without passing through Explicit Proxy.
Set It Up — Explicit Proxy and GlobalProtect
To implement GlobalProtect—Mobile Users with
Explicit Proxy, complete the following steps.
These configuration
steps make the following assumptions about your network environment;
if your network environment is different, the configuration might
be different:
- Mobile users are able to reach and resolve the GlobalProtect portal hostname, the gateway FQDNs, the Explicit Proxy URL, and the PAC File URL. Here's where to find this information:
  - GlobalProtect Gateway FQDNs and Portal Hostname ➡ Go to Settings > Prisma Access Setup > GlobalProtect
  - Explicit Proxy URL and PAC File URL ➡ Go to Settings > Prisma Access Setup > Explicit Proxy
- Mobile users are able to resolve internal domains through GlobalProtect.
- Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy. The following steps direct private applications hosted at your data center to GlobalProtect and requests to the internet and public SaaS applications to Explicit Proxy.
- Edit the GlobalProtect portal settings. Go to GlobalProtect > App Settings > App Configuration > Advanced Settings.
  - In Proxy settings:
    - Check Detect Proxy for Each Connection
    - Clear Set Up Tunnel Over Proxy (Windows & Mac Only)
  - In Authentication settings:
    - Check Use Default Browser for SAML Authentication
- Create a split tunnel in GlobalProtect that directs the internal traffic to GlobalProtect. Go to GlobalProtect > Tunnel Settings > Split Tunneling and configure a split tunnel based on domain (FQDN), access routes, or applications.
- Configure the PAC file to exclude the domains you specified for the GlobalProtect split tunnel. To download the PAC file so you can edit it, go to Settings > Prisma Access Setup > Explicit Proxy. The following example shows a PAC file in which the URL that hosts the private apps (internal-app.corp.com) bypasses Explicit Proxy. The parameters in the PAC file are all example values:
  - The portal hostname is splittunnel.gpcloudservice.com.
  - The mobile user gateways are contained in the wildcard FQDN *examplegateways.gw.gpcloudservice.com.
  - The PAC File URL is https://pacfileurl.pac.
  - internal-app.corp.com is hosting the private apps that are being protected by Mobile Users—GlobalProtect.
  - Okta is being used for SAML authentication.
  - The Explicit Proxy URL is example.proxy.prismaaccess.com.

    function FindProxyForURL(url, host) {
        /* Bypass FTP */
        if (url.substring(0, 4) == "ftp:")
            return "DIRECT";
        /* Bypass the Prisma Access portal hostname. Match the bare name as well
           as its subdomains: "*.splittunnel.gpcloudservice.com" on its own does
           not match "splittunnel.gpcloudservice.com". */
        if (shExpMatch(host, "splittunnel.gpcloudservice.com") ||
            shExpMatch(host, "*.splittunnel.gpcloudservice.com"))
            return "DIRECT";
        /* Bypass the Prisma Access gateways */
        if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com"))
            return "DIRECT";
        /* Bypass the host that serves the PAC file. The host argument never
           carries a scheme, so a pattern such as "https://pacfileurl.pac"
           would never match; match the hostname only. */
        if (shExpMatch(host, "pacfileurl.pac"))
            return "DIRECT";
        /* Bypass the private apps that GlobalProtect tunnels (bare name and subdomains) */
        if (shExpMatch(host, "internal-app.corp.com") ||
            shExpMatch(host, "*.internal-app.corp.com"))
            return "DIRECT";
        /* Bypass ACS */
        if (shExpMatch(host, "*.acs.prismaaccess.com"))
            return "DIRECT";
        /* Forward everything else to Prisma Access */
        return "PROXY example.proxy.prismaaccess.com:8080";
    }
Set It Up — Explicit Proxy and a Third-Party VPN
To use a third-party VPN with Explicit Proxy,
you must be able to make the following changes in your network:
- Configure your third-party VPN to perform split tunneling so that internet traffic is sent to Explicit Proxy rather than into the tunnel.
- Modify the PAC file so that Explicit Proxy is bypassed for the following VPN components:
  - Any IP addresses associated with the third-party VPN
  - Any login URLs required for the third-party VPN
The following example PAC file bypasses Explicit Proxy for internal
resources that use private IP addresses, as well as for the VPN client's
authentication traffic flows. dnsResolve() makes the endpoint resolve the
host name before the proxy decision and returns null when resolution
fails, so an unresolvable name falls through to the proxy.

    function FindProxyForURL(url, host) {
        /* Bypass plain host names and .local names without a DNS lookup */
        if (isPlainHostName(host) || shExpMatch(host, "*.local"))
            return "DIRECT";
        /* Bypass RFC 1918 private address space and loopback (127.0.0.0/8).
           Resolve once rather than once per isInNet() call. */
        var ip = dnsResolve(host);
        if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
                   isInNet(ip, "172.16.0.0", "255.240.0.0") ||
                   isInNet(ip, "192.168.0.0", "255.255.0.0") ||
                   isInNet(ip, "127.0.0.0", "255.0.0.0")))
            return "DIRECT";
        /* Bypass SAML for AnyConnect Azure */
        if (shExpMatch(host, "login.microsoftonline.com") ||
            shExpMatch(host, "login.windows.net") ||
            shExpMatch(host, "login.microsoft.com"))
            return "DIRECT";
        /* Forward everything else to Prisma Access */
        return "PROXY example.proxy.prismaaccess.com:8080";
    }
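Because a PAC file is JavaScript, the cheapest way to validate the two-stage decision described under How It Works (browser PAC evaluation, then the split tunnel step) before rolling it out is to run the PAC logic offline against a list of hosts. The following harness is an added example and is not Palo Alto Networks code: it implements the helper functions that browsers expose to PAC code (shExpMatch, isPlainHostName, isInNet, dnsResolve), evaluates a PAC in the same shape as the GlobalProtect and third-party VPN examples above, and then models the GlobalProtect Include Domain and Exclude Domain step so you can see where each request ends up. The DNS table, the split tunnel lists, the host names other than those already used on this page, and the rule that the exclude list is checked before the include list are assumptions for illustration.

```javascript
// Added example (not Palo Alto Networks code): an offline harness that evaluates
// a PAC file the way a browser does, then models the GlobalProtect split-tunnel
// decision that DIRECT traffic meets next. Host names, the DNS table and the
// split-tunnel lists are assumptions chosen to mirror the examples on this page.

// --- Minimal versions of the helper functions browsers expose to PAC code ---
function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function ip2int(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  if (!ip) return false;                       // unresolvable host: never "in net"
  const m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
}
// Constructed resolver table standing in for the endpoint's DNS (assumption).
const DNS = {
  "internal-app.corp.com": "10.20.30.40",
  "login.microsoftonline.com": "20.190.160.1",  // constructed public IdP address
  "app.example-saas.com": "203.0.113.10",
};
function dnsResolve(host) { return DNS[host] || null; }

// --- PAC logic in the same shape as the examples on this page ---
function FindProxyForURL(url, host) {
  if (url.substring(0, 4) === "ftp:") return "DIRECT";
  if (isPlainHostName(host) || shExpMatch(host, "*.local")) return "DIRECT";
  const ip = dnsResolve(host);                 // resolved on the endpoint
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  // Portal and gateways: bare name and subdomains, since "*.name" alone
  // does not match "name".
  if (shExpMatch(host, "splittunnel.gpcloudservice.com") ||
      shExpMatch(host, "*.splittunnel.gpcloudservice.com") ||
      shExpMatch(host, "*examplegateways.gw.gpcloudservice.com")) return "DIRECT";
  if (shExpMatch(host, "pacfileurl.pac")) return "DIRECT";   // host carries no scheme
  if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
  if (shExpMatch(host, "login.microsoftonline.com")) return "DIRECT";
  return "PROXY example.proxy.prismaaccess.com:8080";
}

// --- Model of the GlobalProtect split-tunnel step for DIRECT traffic ---
// Assumed policy: names under an Include Domain are tunneled, names under an
// Exclude Domain go to the internet, and the exclude list is checked first
// (a simplification of the app's own precedence rules).
const SPLIT_TUNNEL = {
  includeDomains: ["corp.com", "corp.local"],
  excludeDomains: ["login.microsoftonline.com"],
};
function inDomainList(host, domains) {
  return domains.some(d => host === d || host.endsWith("." + d));
}
// Returns the PAC verdict and the path the request finally takes:
// "explicit-proxy", "vpn-tunnel" or "internet".
function routeRequest(url, host) {
  const pac = FindProxyForURL(url, host);
  if (pac !== "DIRECT") return { pac, path: "explicit-proxy" };
  if (inDomainList(host, SPLIT_TUNNEL.excludeDomains)) return { pac, path: "internet" };
  if (inDomainList(host, SPLIT_TUNNEL.includeDomains)) return { pac, path: "vpn-tunnel" };
  return { pac, path: "internet" };
}

// Two pattern mistakes worth a test of their own: a host pattern that carries
// a scheme can never match, and "*.name" does not cover the bare name.
function patternPitfalls() {
  return {
    schemeInHostPattern: shExpMatch("pacfileurl.pac", "https://pacfileurl.pac"),
    dotWildcardMissesBareName:
      shExpMatch("splittunnel.gpcloudservice.com", "*.splittunnel.gpcloudservice.com"),
  };
}

// Walk the cases from the figures above plus a SaaS app and an unresolvable name.
const CASES = [
  ["https://internal-app.corp.com/", "internal-app.corp.com"],
  ["https://login.microsoftonline.com/", "login.microsoftonline.com"],
  ["https://app.example-saas.com/", "app.example-saas.com"],
  ["https://dc01.corp.local/", "dc01.corp.local"],
  ["https://splittunnel.gpcloudservice.com/", "splittunnel.gpcloudservice.com"],
  ["https://nope.example.net/", "nope.example.net"],
];
for (const [url, host] of CASES) {
  const r = routeRequest(url, host);
  console.log(`${host.padEnd(32)} PAC=${r.pac.padEnd(42)} path=${r.path}`);
}
```

Run it with node before you publish a PAC change: internal-app.corp.com and dc01.corp.local should land in the tunnel, login.microsoftonline.com and the portal hostname should go direct to the internet, the SaaS app should go to Explicit Proxy, and a name the endpoint cannot resolve falls through to the proxy because isInNet(null, ...) is false. patternPitfalls() returns false for both entries, which is exactly why a scheme inside a host pattern or a "*.name" wildcard on its own silently fails to bypass the proxy.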