Why not just use a Remote Network SPN connection if you need firewall capabilities for filtering traffic going out of the Data Center? (This is needed if you don't have a next-generation firewall in the data center; otherwise the service connection is used.) With a Remote Network, again, the internal DNS servers, LDAP servers, etc. that are behind the Remote Network SPN can be accessed by Prisma Access, mobile users, or other Remote Network sites? Just as an info: if you need a service infrastructure/connection because of the mobile users' routing, you can create a fake one without the IPsec tunnel being up and use the SPN for filtering traffic coming from your DC and allowing traffic to your DC from mobile users or other SPN remote networks for services like internal DNS, LDAP, etc.