Requirements and Recommendations for Using Explicit Proxy with GlobalProtect and Third-Party VPNs
Follow these requirements and recommendations to use Explicit Proxy with GlobalProtect or third-party VPNs.
Before you start your configuration, make sure that you meet the following requirements and follow the recommendations for deploying Explicit Proxy with GlobalProtect or with a third-party VPN:
Configure a split tunnel in GlobalProtect. The examples in this section show traffic being split based on a domain (URL) or application; however, you can also split traffic based on the access route. You can also configure split DNS options in GlobalProtect to specify which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.
To use Explicit Proxy with a third-party VPN, you must deploy the VPN solution.
Make a list of the applications that you want to secure with the Mobile Users—GlobalProtect or third-party VPN deployment. For example, if you are configuring Explicit Proxy with GlobalProtect, you should configure GlobalProtect to secure all access to private apps or resources, while configuring the Explicit Proxy PAC file to secure public apps or SaaS applications. The configuration examples in this section have GlobalProtect resolving the internal domains and Explicit Proxy resolving external domains.
Configure authentication for Explicit Proxy and GlobalProtect or the third-party VPN. Palo Alto Networks recommends that you use the default browser on each mobile user’s endpoint for SAML authentication so you can take advantage of single sign-on (SSO) by editing the portal configuration as shown in Secure Mobile Users with an Explicit Proxy.
You must make sure that the browsers used by the mobile users honor the configuration in the PAC file. See Planning Checklist—Explicit Proxy for Explicit Proxy browser restrictions.
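
The split described above (GlobalProtect handling internal domains, the Explicit Proxy PAC file handling public and SaaS traffic) can be expressed in a PAC file such as the following. This is an added example, not taken from Palo Alto Networks documentation; the domain suffixes, the proxy host and port, and the rule that single-label hostnames are internal are all assumptions to replace with your own values.

```javascript
// Added example, not Palo Alto Networks code. All names and values below are
// placeholders (assumptions): replace them with your own deployment's values.
var INTERNAL_SUFFIXES = ["corp.example", "intranet.example"]; // resolved via the VPN
var EXPLICIT_PROXY = "PROXY explicit-proxy.example.invalid:8080"; // placeholder proxy

// Normalize a hostname: lowercase, strip one trailing dot (FQDN form).
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

// True when host equals the suffix or ends with "." + suffix, so that
// "notcorp.example" does not match "corp.example".
function matchesSuffix(host, suffix) {
  return host === suffix ||
    host.slice(-(suffix.length + 1)) === "." + suffix;
}

function isInternal(host) {
  var h = normalizeHost(host);
  if (h === "") return false;
  // Assumption: single-label names (no dot, not an IPv6 literal) are internal.
  if (h.indexOf(".") === -1 && h.indexOf(":") === -1) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (matchesSuffix(h, INTERNAL_SUFFIXES[i])) return true;
  }
  return false;
}

// PAC entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  // Internal apps: no proxy; the VPN split tunnel carries this traffic.
  if (isInternal(host)) return "DIRECT";
  // Everything else goes to Explicit Proxy. No "; DIRECT" fallback, so a
  // proxy outage fails closed instead of sending traffic out uninspected.
  return EXPLICIT_PROXY;
}
```

Keep the internal suffix list in the PAC file aligned with the domains in the GlobalProtect split tunnel and split DNS configuration, so that a domain is never treated as internal by one and external by the other.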