Secure Users and Devices at Remote Networks With an Explicit Proxy

Learn how to use anycast and unicast IP addresses to secure mobile users and devices at Remote Networks with an Explicit Proxy.
If you want to forward traffic to Explicit Proxy from your branches through a secure IPSec tunnel, you use Explicit Proxy in conjunction with a Prisma Access Remote Network. You integrate this functionality by using anycast and unicast IP addresses that Prisma Access allocates from the infrastructure subnet, and you specify these addresses to connect to Explicit Proxy from the Remote Network IPSec tunnel. In this way, users and devices at a branch location or site can securely access internet-based apps and resources using Explicit Proxy.
Integrating Explicit Proxy with a Remote Network deployment gives you the following advantages:
  • Prisma Access sends Internet-bound traffic without backhauling it to a data center or HQ site, which provides a clear benefit over an on-site proxy solution.
  • Prisma Access takes the IP addresses you use with Explicit Proxy from its infrastructure subnet, which is a private IP address subnet. Prisma Access provides you with four anycast IP addresses globally, and one unicast IP address per Remote Network, that you use to forward traffic to Explicit Proxy.
  • Since these anycast and unicast IP addresses are private, you don’t need to set up a route to a public IP address, which simplifies Explicit Proxy configuration in networks that don’t have a default route.
  • If you onboard multiple Explicit Proxy locations during Explicit Proxy setup, the Remote Network automatically forwards traffic to the closest onboarded Explicit Proxy location, relative to the Remote Network's location.
    In addition, if the compute location that corresponds to an Explicit Proxy location goes down for any reason (for example, in the event of a regional or cloud provider outage), Prisma Access fails over to an active, onboarded Explicit Proxy location in another compute location with no additional configuration required.
  • If you require more than 1000 Mbps of bandwidth for a Remote Network, you can create a high-bandwidth remote network connection using multiple Remote Network connections and specify the Explicit Proxy anycast and unicast addresses in each connection.
  • If you want your Remote Network to be resilient between geographical locations, you can create multiple Remote Networks with different locations and use them for the same site.
The following diagram shows a Remote Network that has been configured for a site that has no default route configured. To protect users and headless devices at the site using Explicit Proxy, the administrator has completed the following configuration:
  • You have onboarded remote networks and Explicit Proxy locations and have retrieved the anycast and unicast IP addresses that Prisma Access takes from its infrastructure subnet.
    You can also create a hostname for Explicit Proxy-directed traffic and add the Explicit Proxy unicast and anycast IP addresses to that hostname.
  • You have configured the CPE to forward Explicit Proxy traffic to these anycast and unicast addresses.
    Use the anycast IP addresses in the PAC file to have Prisma Access select from any onboarded Remote Network tunnel to forward traffic to Explicit Proxy. Use the unicast address to have Prisma Access forward traffic through a specific Remote Network tunnel. In this example, you can use either anycast or unicast addresses, since the traffic is going only through one Remote Network IPSec tunnel.
  • You have specified these IP addresses in the PAC files of the users’ endpoints and in the system proxy settings of the headless devices.
After configuration is complete, Prisma Access forwards the traffic from the Remote Network tunnel to Explicit Proxy.
If you want to use a high-bandwidth connection with Explicit Proxy, create a high-bandwidth remote network connection using multiple Remote Networks; then, add the anycast and, optionally, unicast IP addresses to the PAC file on the remote users’ endpoints or headless devices. The following diagram shows the traffic flow using anycast addresses; Prisma Access chooses the Remote Networks based on the configuration on your CPE.
To create a high-bandwidth, geographically diverse Remote Network-Explicit Proxy deployment, add multiple Remote Network and Explicit Proxy deployments in different compute locations, as shown in the following diagram.
The use of anycast addresses lets you use a consistent PAC file across a deployment that has a wide geographic distribution, and lets you use ECMP on the CPE for high-bandwidth use cases. If you want to target a specific Remote Network, use unicast addresses.
The following example shows two sites, one in Canada and one in the United States, connected with a WAN link. The administrator wants to keep the Explicit Proxy traffic flow within each country. To do so, the administrator uses the unicast addresses that are specific to the Remote Network tunnel for the Canada East and the US Northeast locations. The use of Unicast IPs ensures that users are always sent to the preferred regional Remote Network tunnel and Explicit Proxy location.
Prisma Access uses the Remote Network loopback IP address as the unicast IP address.
You can also use anycast addresses to provide regional isolation. For example, you could specify anycast addresses only in Canada to deploy the Explicit Proxy solution only in Canada.

Integrate Explicit Proxy With a Remote Networks Deployment In Cloud Managed Prisma Access

To integrate Explicit Proxy with a Remote Network deployment, complete the following steps.
  1. Configure your Explicit Proxy setup and onboard the Explicit Proxy locations you want to add.
  2. Onboard your remote networks if you have not done so already.
  3. Push Config, being sure that Mobile Users—GlobalProtect and Remote Networks are selected in the Push scope.
    The push operation retrieves the anycast addresses you need to integrate Explicit Proxy with the remote network.
  4. Get the anycast IP addresses you use for your Explicit Proxy/Remote Network deployment.
    1. Go to Settings > Prisma Access Setup > Explicit Proxy.
    2. Enable Explicit Proxy for Remote Networks.
    3. Go to Settings > Prisma Access Setup > Remote Networks.
    4. Push Config, being sure that Mobile Users—Remote Workforce and Remote Networks are selected in the Push scope.
    5. Go to Advanced Settings in your Remote Networks Setup and find the anycast IP addresses used to forward traffic to Explicit Proxy.
  5. (Optional) Find the unicast address to use for your Explicit Proxy/Remote Network deployment.
    Use the unicast IP address in the PAC file only if you want to target a specific Remote Network to forward traffic to Explicit Proxy. If you want to use all deployed Remote Networks to forward traffic to Explicit Proxy, use the anycast addresses.
    1. Go to Settings > Prisma Access Setup > Remote Networks.
    2. Make a note of the Loopback IP address.
      If you have IPv4 and IPv6 addresses, make a note of the IPv4 address.
  6. Ensure that your PAC file does not bypass the anycast and unicast IP addresses.
    If you created a hostname for Explicit Proxy-directed traffic and added the Explicit Proxy unicast and anycast IP addresses to that hostname, be sure that the PAC file does not bypass this hostname and that it is sent to Explicit Proxy. Any traffic sent to the anycast and unicast IP addresses must be sent to Explicit Proxy.
  7. Ensure that the CPE in your network is set up correctly for endpoints to forward traffic to Explicit Proxy via the anycast and unicast IP addresses.
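The PAC file that steps 4 through 6 describe, as an added example that is not part of the Prisma Access documentation. Every address, hostname and port in it is a placeholder: the anycast addresses stand in for the ones shown under Advanced Settings, the unicast addresses for the Remote Network Loopback IPs, the hostname for one you create yourself, and port 8080 is an assumption to confirm against your Explicit Proxy setup. The example also shows the failure mode step 6 warns about: because the infrastructure subnet is private, a generic RFC 1918 bypass rule placed before the proxy-address check would silently send the proxy addresses DIRECT. The `auditBypass` helper and the browser-helper stand-ins are additions so the file can be exercised with Node; a browser supplies `isInNet`, `dnsDomainIs` and `isPlainHostName` itself.

```javascript
// Added example PAC file for a Remote Network + Explicit Proxy deployment.
// Not from the Prisma Access documentation; all values below are placeholders.
var EP_ANYCAST = ["172.16.55.11", "172.16.55.12", "172.16.55.13", "172.16.55.14"]; // placeholder anycast IPs
var EP_UNICAST = { "canada-east": "172.16.55.20", "us-northeast": "172.16.55.21" };   // placeholder loopback IPs
var EP_HOSTNAME = "explicit-proxy.corp.example"; // placeholder hostname that resolves to the addresses above
var EP_PORT = 8080;                              // assumed listener port; confirm in your Explicit Proxy setup

// null: anycast only, so Prisma Access picks any onboarded Remote Network tunnel.
// A region key: that tunnel's unicast address first, anycast as fallback (regional isolation).
var PREFERRED_REGION = null; // e.g. "canada-east"

function proxyDirective() {
  var list = PREFERRED_REGION ? [EP_UNICAST[PREFERRED_REGION]].concat(EP_ANYCAST) : EP_ANYCAST;
  return list.map(function (ip) { return "PROXY " + ip + ":" + EP_PORT; }).join("; ");
}

// Stand-ins for the helpers a browser's PAC engine provides, so this file also runs under Node.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (a, o) { return (a << 8) + Number(o); }, 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  // A browser resolves names here; this stand-in accepts IPv4 literals only.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

function isExplicitProxyAddress(host) {
  return host === EP_HOSTNAME ||
    EP_ANYCAST.indexOf(host) !== -1 ||
    Object.keys(EP_UNICAST).some(function (r) { return EP_UNICAST[r] === host; });
}

function FindProxyForURL(url, host) {
  // Step 6: the proxy addresses live in a private subnet, so this check must run
  // BEFORE any private-range bypass, or those addresses would go DIRECT.
  if (isExplicitProxyAddress(host)) return proxyDirective();
  // Local-only traffic that should not traverse the tunnel.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes to Explicit Proxy through the Remote Network tunnel.
  return proxyDirective();
}

// Audit helper: returns every Explicit Proxy address or hostname this PAC would bypass.
// An empty list is the condition step 6 asks you to verify.
function auditBypass() {
  var unicast = Object.keys(EP_UNICAST).map(function (r) { return EP_UNICAST[r]; });
  var targets = [EP_HOSTNAME].concat(EP_ANYCAST, unicast);
  return targets.filter(function (t) {
    return FindProxyForURL("http://" + t + "/", t).indexOf("DIRECT") === 0;
  });
}
```

Run `auditBypass()` after every edit to the bypass rules; if the proxy-address check is moved below the `172.16.0.0/12` rule, the placeholder anycast and unicast addresses appear in its output, which is exactly the misconfiguration step 6 guards against.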
