Planning Checklist—Explicit Proxy

• Explicit Proxy supports a subset of Prisma Access locations.
  If you have a Local or Evaluation license for Prisma Access for Users and you have a Mobile Users—GlobalProtect deployment as well as a Mobile Users—Explicit Proxy deployment, you can deploy a maximum of five locations for each (five locations maximum for Mobile Users—GlobalProtect and five locations maximum for Mobile Users—Explicit Proxy). If you have a Worldwide license, there are no restrictions for the maximum number of locations.
• Explicit Proxy supports multitenancy under the following conditions: if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first do not support Explicit Proxy.
  In addition, group-based security policies will not work in a multitenant deployment. Explicit Proxy uses the Directory Sync component of the Cloud Identity Engine to perform group mapping, and multitenancy does not support the Cloud Identity Engine.
• When onboarding an Explicit Proxy deployment, Palo Alto Networks recommends that all the configuration be performed in a single browser. You can, however, add security policies from multiple browsers or browser sessions.

• You must configure an SSL decryption policy for all Explicit Proxy traffic.
  Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user’s browser. Failing to enforce decryption enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.
  To prevent users from accessing undecrypted sites, be sure to leave the Decrypt traffic that matches existing decryption rules; for undecrypted traffic, allow traffic only from known IPs registered by authenticated users check box selected when you configure Explicit Proxy.
• Explicit Proxy does not support HTTP/2 natively. HTTP/2 protocol requests will be downgraded to HTTP/1.1. Explicit Proxy strips out application-layer protocol negotiation (ALPN) headers from uploaded files, regardless of your configuration.
• The maximum supported TLS version is 1.3. When creating a decryption profile, specify a Max Version of TLS v1.3.

• If mobile users are connecting from remote sites or headquarters/data center locations using an Explicit Proxy, the mobile user endpoint must be able reach and route to the IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access. To find the ACS FQDN and the Explicit Proxy URL, select PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy.

• Explicit Proxy requires a minimum Panorama version of 10.0.5.
• Explicit Proxy requires a minimum antivirus Content Version of 3590 to be installed on the Panorama to support the predefined security policies. Install the required Content Version before committing the Mobile Users—Explicit Proxy configuration.

• Explicit Proxy secures internet and SaaS applications accessed over the mobile users’ browser using HTTP and HTTPS traffic only. Non-web ports and protocols are not supported.
• Explicit Proxy does not support the full client-based version of Microsoft 365 (Office 365), which uses non-web ports. However, it is designed to support web-based M365, including Office Online (office.com).
• Explicit Proxy does not provide access to private applications.
• Mobile users will be unidentified in the traffic logs for sites that are not decrypted, with some exceptions. See How Explicit Proxy Identifies Users for more information.
• Make a note of the following browser requirements and usage guidelines:
  • If you use Explicit Proxy, do not disable cookies in your browser; if you do, you cannot browse any web pages.
  • If you are using Explicit Proxy with Microsoft Edge, be sure that SettingsPrivacy, Search, and ServicesTracking prevention is set to Basic.
  • If you use Safari with Explicit Proxy, you might experience issues when accessing websites. Instead of Safari, use Microsoft Edge, Firefox, Chrome, or Internet Explorer as your browser.
  • When using Firefox with an Explicit Proxy, go to about:config and set security.csp.enable to false. In addition, some add-ons, such as ones that perform ad blocking or tracking protection, might interfere with tracking protection.
  • To support desktop applications, or applications that do not send HTTP traffic, you can configure GlobalProtect in split tunnel mode and use GlobalProtect in conjunction with Explicit Proxy.
  • If you visit a website for the first time, are prompted to enter Explicit Proxy credentials, then refresh the browser, you might receive an error. If this condition occurs, re-visit the website without refreshing and retry the authentication operation.