Secure Users and Devices at Remote Networks With an Explicit Proxy

Learn how to use anycast and unicast IP addresses to secure mobile users and devices at Remote Networks with an Explicit Proxy.
If you want to forward traffic to Explicit Proxy from your branches through a secure IPSec tunnel, you use Explicit Proxy in conjunction with a Prisma Access Remote Network. You integrate this functionality by using anycast and unicast IP addresses that Prisma Access allocates from the infrastructure subnet, and you specify these addresses to connect to Explicit Proxy from the Remote Network IPSec tunnel. In this way, users and devices at a branch location or site can securely access internet-based apps and resources using Explicit Proxy.
Integrating Explicit Proxy with a Remote Network deployment gives you the following advantages:
  • Prisma Access sends Internet-bound traffic without backhauling it to a data center or HQ site, which provides a clear benefit over an on-site proxy solution.
  • Prisma Access takes the IP addresses you use with Explicit Proxy from its infrastructure subnet, which is a private IP address subnet. Prisma Access provides you with four anycast IP addresses globally, and one unicast IP address per Remote Network, that you use to forward traffic to Explicit Proxy.
  • Since these anycast and unicast IP addresses are private, you don’t need to set up a route to a public IP address, which simplifies Explicit Proxy configuration in networks that don’t have a default route.
  • If you onboard multiple Explicit Proxy locations during Explicit Proxy setup, the Remote Network automatically forwards traffic to the closest onboarded Explicit Proxy location, relative to the Remote Network's location.
    In addition, if the compute location that corresponds to an Explicit Proxy goes down for any reason (for example, in the event of a regional or cloud provider outage), Prisma Access fails over to an active, onboarded Explicit Proxy in another compute location with no additional configuration required.
  • If you require more than 1000 Mbps of bandwidth for a Remote Network, you can create a high-bandwidth network using multiple Remote Network connections and specify the Explicit Proxy anycast and unicast addresses in each connection.
  • If you want your Remote Network to be resilient between geographical locations, you can create multiple Remote Networks with different locations and use them for the same site.
The following diagram shows a Remote Network that has been configured for a site that has no default route configured. To protect users and headless devices at the site using Explicit Proxy, you make the following configuration changes:
  • You have onboarded Remote Networks and Explicit Proxy locations and have retrieved the anycast and unicast IP addresses that Prisma Access takes from its infrastructure subnet.
    You can also create a hostname for Explicit Proxy-directed traffic and add the Explicit Proxy unicast and anycast IP addresses to that hostname.
  • You have configured the CPE to forward Explicit Proxy traffic to these anycast and unicast addresses.
    Use the anycast IP addresses in the PAC file to have Prisma Access select from any onboarded Remote Network tunnel to forward traffic to Explicit Proxy. Use the unicast address to have Prisma Access forward traffic through a specific Remote Network tunnel. In this example, you can use either anycast or unicast addresses, since the traffic is going only through one Remote Network IPSec tunnel.
  • You have specified these IP addresses in the PAC files of the users’ endpoints and in the system proxy settings of the headless devices.
After configuration is complete, Prisma Access forwards the traffic from the Remote Network tunnel to Explicit Proxy.
If you want to use a high-bandwidth connection with Explicit Proxy, create a high-bandwidth remote network connection using multiple Remote Networks; then, add the anycast and, optionally, unicast IP addresses to the PAC file on the remote users’ endpoints or headless devices. The following diagram shows the traffic flow using anycast addresses; Prisma Access chooses the Remote Networks based on the configuration on your CPE.
To create a high-bandwidth, geographically diverse Remote Network-Explicit Proxy deployment, add multiple Remote Network and Explicit Proxy deployments in different compute locations, as shown in the following diagram.
The use of anycast addresses lets you use a consistent PAC file across a deployment that has a wide geographic distribution, and lets you use ECMP on the CPE for high-bandwidth use cases. If you want to target a specific Remote Network, use unicast addresses.
The following example shows two sites, one in Canada and one in the United States, connected with a WAN link. The administrator wants to keep the Explicit Proxy traffic flow within each country. To do so, the administrator uses the unicast addresses that are specific to the Remote Network tunnel for the Canada East and the US Northeast locations. The use of Unicast IPs ensures that users are always sent to the preferred regional Remote Network tunnel and Explicit Proxy location.
Prisma Access uses the Remote Network EBGP Router address (Panorama > Cloud Services > Status > Network Details > Remote Networks) as the unicast address. If you have changed the EBGP router address in your Prisma Access configuration, you can retrieve the loopback IP address using the Prisma Access API.
You can also use anycast addresses to provide regional isolation. For example, you could specify anycast addresses only in Canada to deploy the Explicit Proxy solution only in Canada.

Integrate Explicit Proxy With a Remote Networks Deployment In Panorama Managed Prisma Access

To configure an Explicit Proxy deployment in a Remote Network deployment, complete the following steps.
  1. Retrieve the anycast IP addresses you use for your Explicit Proxy/Remote Network deployment.
    1. Select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy.
    2. Select the gear icon to edit the Settings.
    3. Select Forward Remote Network traffic to Explicit Proxy.
    4. Select Panorama > Cloud Services > Configuration > Remote Networks.
    5. Onboard your Remote Network locations if you have not done so already.
    6. Click Commit > Commit and Push.
    7. Edit Selections and, in the Prisma Access tab, make sure Prisma Access for networks is selected in the Push Scope, then click OK.
    8. Commit and Push your changes.
      You must perform a commit and push for your Remote Networks for Prisma Access to retrieve the IP addresses used in an Explicit Proxy/Remote Network deployment.
    9. Return to the Explicit Proxy Settings (Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > Settings > Advanced) and make a note of the ALLOCATED ADDRESSES that appear under Remote Networks Configuration.
  2. (Optional) Find the unicast address you use for your Explicit Proxy/Remote Network deployment.
    Use the unicast IP address in the PAC file only if you want to target a specific Remote Network to forward traffic to Explicit Proxy. If you want to use all deployed Remote Networks to forward traffic to Explicit Proxy, use the anycast addresses.
    1. Select Panorama > Cloud Services > Status > Network Details > Remote Networks.
    2. Make a note of the EBGP Router address.
      If you have IPv4 and IPv6 addresses, make a note of the IPv4 address.
      This address is also known as the loopback address. If you have made configuration changes that changed the EBGP router address, you can retrieve the loopback IP address using the Prisma Access legacy API.
  3. Configure your Explicit Proxy deployment and onboard the Explicit Proxy locations you want to add.
  4. Ensure that your Explicit Proxy PAC file does not bypass the anycast and unicast IP addresses.
    If you created a hostname for Explicit Proxy-directed traffic and added the Explicit Proxy unicast and anycast IP addresses to that hostname, be sure that the PAC file does not bypass this hostname and that it is sent to Explicit Proxy. Any traffic sent to the anycast and unicast IP addresses must be sent to Explicit Proxy.
  5. Ensure that the CPE in your network is set up correctly for endpoints to forward traffic to Explicit Proxy via the anycast and unicast IP addresses.
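The PAC file logic the sections above describe (an anycast proxy chain, optional pinning to one Remote Network's unicast address, and the step 4 requirement that the proxy's own hostname and addresses are never bypassed), as an added example that is not part of this page or Palo Alto Networks' own PAC file. The IP addresses, hostname, port 8080 and bypass lists are constructed placeholders; the hostname is deliberately placed inside a bypass domain to show why the proxy-address check must run before any bypass rule.

```javascript
// Constructed placeholder values: replace with the ALLOCATED ADDRESSES shown under
// Remote Networks Configuration (anycast) and the Remote Network EBGP Router address (unicast).
var EP_ANYCAST = ["10.255.0.1", "10.255.0.2", "10.255.0.3", "10.255.0.4"];
var EP_UNICAST = "10.255.1.9";
var EP_HOSTNAME = "explicit-proxy.corp.example";  // optional hostname that resolves to the addresses above
var EP_PORT = 8080;                                // assumed Explicit Proxy listening port
var PREFER_UNICAST = false;                        // true pins traffic to the EP_UNICAST tunnel first

// Destinations allowed to bypass the proxy. The proxy's hostname and addresses must never be
// bypassed; FindProxyForURL checks them first so a broad bypass domain cannot swallow them.
var BYPASS_DOMAINS = ["corp.example"];
var BYPASS_NETS = [["192.168.0.0", "255.255.0.0"]];

function ip2int(ip) {
  var p = ip.split("."), n = 0;
  for (var i = 0; i < 4; i++) n = n * 256 + parseInt(p[i], 10);
  return n;
}
// ES3-compatible stand-in for the PAC built-in isInNet(), so the file also runs under Node for testing.
function inNet(ip, net, mask) {
  return (ip2int(ip) & ip2int(mask)) === (ip2int(net) & ip2int(mask));
}
function isIpLiteral(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }
function inDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}
function isProxyAddress(host) {
  if (host === EP_HOSTNAME || host === EP_UNICAST) return true;
  for (var i = 0; i < EP_ANYCAST.length; i++) if (host === EP_ANYCAST[i]) return true;
  return false;
}
// Proxy list with no trailing DIRECT: if every proxy is unreachable the request fails rather than leaking.
function proxyChain() {
  var list = PREFER_UNICAST ? [EP_UNICAST].concat(EP_ANYCAST) : EP_ANYCAST, out = [];
  for (var i = 0; i < list.length; i++) out.push("PROXY " + list[i] + ":" + EP_PORT);
  return out.join("; ");  // the client fails over left to right
}
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isProxyAddress(host)) return proxyChain();                           // step 4: never bypass the proxy itself
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";   // plain host names stay local
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) if (inDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
  if (isIpLiteral(host)) {
    for (var j = 0; j < BYPASS_NETS.length; j++) if (inNet(host, BYPASS_NETS[j][0], BYPASS_NETS[j][1])) return "DIRECT";
  }
  return proxyChain();
}
```

Set PREFER_UNICAST to true in the PAC file distributed to a site whose traffic must stay on one Remote Network tunnel, as in the Canada/US example above.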
