Explicit Proxy Best Practices

Use the recommended best practices when implementing a Prisma Access Explicit Proxy deployment.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
Use the recommended best practices when implementing your Explicit Proxy deployment for optimal performance and an ideal user experience:
  • General Explicit Proxy Deployment Best Practices:
    • Deploy Explicit Proxy in at least two regions for redundancy.
    • If all your users sit behind a NAT device, so that Explicit Proxy sees the NAT device's IP address as the source IP address, allocate one NAT IP address per 500 mobile users.
    • Use forwarding profiles to configure a PAC file.
  • PAC File Best Practices—When setting up the PAC file, bypass all SAML, CIE, and Authentication Cache Service (ACS) URLs.
  • SAML Authentication Best Practices:
  • Kerberos Authentication Best Practices—The keytab file should be less than 60 KB in size.
  • Security Policy Rule Best Practices—Set the Action in security policy rules to Deny instead of Drop or Reset. Deny releases resources inside the Explicit Proxy Security Processing Node (EP-SPN) more quickly, which gives optimal performance.
  • Decryption Best Practices—Configure at least one decryption policy and one decryption certificate.
  • IP Source Address Best Practices—To restrict access to Explicit Proxy to specific source IP addresses, use special objects, which include Address Objects, Address Groups, and External Dynamic Lists (EDLs).
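An added example, not from this page and not the PAC file Prisma Access generates from a forwarding profile, of the bypass rule under PAC File Best Practices: authentication endpoints go DIRECT, everything else goes to two proxy nodes in different regions with the second as failover. All hostnames are placeholders, and the three helper functions are normally provided by the browser; they are defined here only so the file runs under Node.

```javascript
// Added example: a PAC file applying the "bypass SAML/CIE/ACS URLs" rule.
// All hostnames below are placeholders, not Prisma Access' real endpoints.
// Browsers provide isPlainHostName/dnsDomainIs/shExpMatch; they are defined
// here only so the file can be exercised with Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  var d = domain.charAt(0) === "." ? domain : "." + domain;
  return host === d.slice(1) || host.endsWith(d);
}
function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Two Explicit Proxy nodes in different regions; the browser fails over to
// the second entry when the first is unreachable (placeholder hostnames).
var PROXY_CHAIN = "PROXY ep-region-a.proxy.example:8080; " +
                  "PROXY ep-region-b.proxy.example:8080";

// Identity and authentication endpoints that must not go through the proxy,
// so the sign-in flow can complete before the user is authenticated to the
// proxy. Keep this list to exact domains: a broad wildcard here would also
// exempt unrelated traffic from inspection. (Placeholder domains.)
var AUTH_BYPASS_DOMAINS = [
  ".idp.example.com",   // SAML identity provider
  ".cie.example.net",   // Cloud Identity Engine
  ".acs.example.net"    // Authentication Cache Service
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names and the local domain never leave the site.
  if (isPlainHostName(host) || shExpMatch(host, "*.corp.example")) {
    return "DIRECT";
  }
  for (var i = 0; i < AUTH_BYPASS_DOMAINS.length; i++) {
    if (dnsDomainIs(host, AUTH_BYPASS_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  // Everything else is forwarded to Explicit Proxy for policy and decryption.
  return PROXY_CHAIN;
}
```

Suffix matching is anchored on a leading dot, so a look-alike name such as idp.example.com.other.test is still proxied rather than bypassed.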