Explicit Proxy — Set It Up

Set up an explicit proxy connection for mobile users; with explicit proxy, a proxy auto-config (PAC) file on mobile user devices redirects browser traffic to Prisma Access.
Before you begin, make sure you review the explicit proxy Explicit Proxy — Guidelines.

  1. Enable explicit proxy and allocate users
    Go to
    Service Setup
    Mobile Users
    to start setting up explicit proxy. When you enable explicit proxy, you’ll be prompted to specify the number of mobile users who will use this connection type.
  2. Add the proxy settings which mobile users will use to connect to Prisma Access
    Go to the
    Infrastructure Settings
    1. Specify an Explicit Proxy URL.
      By default, the name is
      .proxy.prismaaccess.com, where
      is the subdomain you specify, and uses port 8080. To use your company domain in the explicit proxy URL, add a CNAME record to your organization’s domain.
      You can use SAML or Kerberos authentication types to authenticate mobile users.
    2. Download the PAC file and customize it so that it meets your needs. Then, import it again here, and we’ll give you the URL for the location where Prisma Accesshosts the PAC file.
  3. Choose the Prisma Access location to which your mobile users will connect
    Add the Prisma Access locations where you want to support mobile users.
    The map displays the Prisma Access Explicit Proxy — Supported Locations.
    For the best user experience, if you are limiting the number of locations, choose locations that are closest to your users or in the same country as your users. If a location is not available in the country where your mobile users reside, choose a location that is closest to your users for the best performance.
  4. Authenticate mobile users
    Set up User Authentication
    so that only legitimate users have access to your services and applications.
    SAML and Kerberos are the supported authentication protocols. Prisma Access supports PingOne, Azure AD, and Okta as SAML authentication providers, but you should be able to use any vendor that supports SAML 2.0 as a SAML identity provider (IdP).
  5. Review the best practice security rules that are turned on by default
    Prisma Access enforces best practice security policy rules by default. These rules allow your users to securely browse to general internet sites. Users are:
    • Blocked from visiting known bad websites based on URL
    • Blocked from uploading or downloading files that are known to be malicious
    • Protected from unknown, never-before-seen threats
    • Protected from viruses, spyware (command and control attacks), and vulnerabilities
    After going through the initial setup, you can review and update these default rules to meet your enterprise needs.
  6. Verify that the mobile users location is active
    After you push your initial configuration to Prisma Access, Prisma Access begins provisioning your mobile user environment. This can take up to 15 minutes. When your mobile user locations are up and running, you’ll be able to verify them on the Mobile Users setup pages, the Overview, and within Insights.
    You can also validate your setup by selecting
    Service Setup
    Mobile Users
    and edit Infrastructure Settings to confirm a gateway is set up in each of the locations you provisioned.
  7. Enable decryption for explicit proxy traffic
    • Set the maximum supported TLS version to 1.2.
    • Set
      Strip ALPN
      (Advanced SSL Forward Proxy settings) because explicit proxy does not support native HTTP/2, and you must remove the ALPN headers.

Recommended For You