Dell SMA 200 Administration Manual Download Page 305 | Manualshive

Page: 305 / 514

background image

Dell SonicWALL Secure Mobile Access 8.5

Administration Guide

305

Example Use Cases for Rules

This section provides examples of positive and negative security models, as well as several examples showing
the use of anti-evasive measures to provide a deeper understanding of these anti-evasive techniques.

Example – Positive Security Model: Blocking Bad Logins

To prevent log in to an Application Offloaded Web site if the length of the password is less than 8 characters,
you would create a rule chain containing the following two rules:

1 Select

Host

as the

Variable

and click

+

to add it, set the

Operator

to

Equals String

, and set

Value

to

the Virtual Host name of the portal. This checks that the Host header of the login request matches the
site you are trying to protect. In this case, the rule chain is only being applied to one site.

2 Select

Parameter Value

as the

Variable

and type

password

into the selection field, then click +

to add

the variable and selected item to the rule, set the

Operator

to

<

(less than), and set

Value

to

8

. Select

String Length

in the

Anti-Evasive Measures

list to compute the length of the password form

parameter.

The action for the rule chain would be set to

Prevent

.

shows the rule chain for this example.

URL Decode
URL Decode (Unicode)

Use the

URL Decode

measure to decode URL encoded strings in the input. Use the

URL Decode (Unicode)

measure to handle

%uXXXX

encoding. URL encoding is used

to safely transmit data over the Internet when URLs contain characters outside the
ASCII character set.

NOTE

: Do not use these measures against an input that has been decoded already.

This is an anti-evasive measure to prevent hackers from using URL encoding to bypass
rules, knowing that the backend Web server can interpret their malicious input after
decoding it.
For example, the URI

www.eshop.com/hack+URL%3B

is converted to

www.eshop.com/hack URL

by this operator before the comparison is made.

Trim

Use the

Trim

measure to remove spaces before and after the input data before the

comparison. Extra spaces can cause a rule to not match the input, but are
interpreted by the backend Web application.
This is an anti-evasive measure to prevent hackers from adding spaces before and
after the input data to bypass the rule.

Table 36. Anti-Evasive Measures for Rules (Continued)

Measure

Description

«
...
303
304
305
306
307
...
»

Summary of Contents for SMA 200

Page 1: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide SMA 200 400 SRA 1600 4600 SMA 500v Virtual Appliance ...

Page 2: ...rks of their respective companies For more information go to http software dell com legal Secure Mobile Access Administration Guide Updated August 2016 Software Version 8 5 232 003313 00 Rev C Legend CAUTION A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed WARNING A WARNING icon indicates a potential for property damage personal injury or death...

Page 3: ...HTTP S Bookmarks Overview 25 Cross Domain Single Sign On 29 ActiveSync Authentication 30 Network Resources Overview 35 SNMP Overview 40 DNS Overview 40 Network Routes Overview 40 NetExtender Overview 40 Two Factor Authentication Overview 44 One Time Password Overview 46 End Point Control Overview 48 Secure Virtual Assist Overview 49 Secure Virtual Meeting Overview 59 Web Application Firewall Overv...

Page 4: ...ministration Overview 105 Configuring Login Security 108 Configuring HTTP DOS Settings 108 Configuring Web Management Settings 108 Configuring SNMP Settings 109 Enabling GMS Management 109 External FTP TFTP Server 109 Configuring External FTP TFTP Server Settings 110 System Certificates 110 System Certificates Overview 110 Certificate Management 111 Generating a Certificate Signing Request 112 Vie...

Page 5: ...ortals 135 Configuring General Portal Settings 137 Configuring Login Schedules 139 Configuring the Home Page 139 Configuring Per Portal Virtual Assist Settings 143 Configuring Virtual Meeting Settings 144 Configuring Virtual Host Settings 146 Adding a Custom Portal Logo 147 Portals Application Offloading 149 Application Offloading Overview 150 Configuring an HTTP HTTPS Application Offloading Porta...

Page 6: ... 198 URL Based Aliasing overview 198 Adding a URL Based Aliasing group 198 Default Site Settings 201 URL Based Aliasing Group with Application Offloading 202 Part 3 Configuring Services Clients Services Configuration 205 Services Settings 205 Services Bookmarks 210 Feature comparison between HTML5 JAVA and ActiveX bookmarks 211 SSHv2 feature comparison between HTML5 and JAVA bookmarks 212 Adding o...

Page 7: ... 246 End Point Control 249 Configuring End Point Control 249 End Point Control Device Profiles 250 Users Local Groups Edit EPC Settings 251 Users Local Users Edit EPC Settings 253 End Point Control Status 256 End Point Control Settings 257 End Point Control Log 258 Secure Virtual Assist Configuration 259 Secure Virtual Assist Status 259 Secure Virtual Assist Settings 260 General Settings 260 Reque...

Page 8: ...et Status 321 Settings 322 General Settings 322 Remediation Settings 323 Access Policies 324 Log 325 Licensing 328 High Availability Configuration 329 High Availability Overview 329 Supported Platforms 330 Configuring High Availability 330 Physical Connectivity 330 Preparing for High Availability 330 Configuring High Availability Settings on a hardware appliance 331 Configuring High Availability S...

Page 9: ...gs 417 Log Configuration 418 Log View 418 Log View Overview 418 Viewing Logs 420 Emailing Logs 421 Log Settings 421 Log Settings Overview 422 Configuring Log Settings 422 Configuring the Mail Server 424 Log Categories 424 Log ViewPoint 425 Log ViewPoint Overview 426 Adding a ViewPoint Server 426 Log Analyzer 426 Log Analyzer Overview 426 Adding an Analyzer Server 427 Part 5 Using Virtual Office Vi...

Page 10: ... Certificates on Windows 451 Importing a goDaddy Certificate on Windows 451 Importing a Server Certificate on Windows 454 Creating Unique Access Policies for AD Groups 454 Creating the Active Directory Domain 455 Adding a Global Deny All Policy 456 Creating Local Groups 457 Adding the SSHv2 PERMIT Policy 459 Adding the OWA PERMIT Policies 460 Verifying the Access Policy Configuration 462 NetExtend...

Page 11: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide 11 Contacting Dell 514 Technical support resources 514 ...

Page 12: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide Part 1 12 Introduction About This Guide Secure Mobile Access Overview ...

Page 13: ...e as well as other Dell SonicWALL product and services documentation Guide Conventions The following conventions are used in this guide Table 1 Conventions used in this guide Convention Use Bold Highlights field button and tab names Also highlights window dialog box and screen names Also used for file names and text or values you are being instructed to type into the interface Italic Indicates the...

Page 14: ...n page 15 SRA Hardware Components on page 18 SMA 500v Virtual Appliance on page 20 Secure Mobile Access Software Components SMA SRA appliances provide clientless identity based secure remote access to the protected internal network Using the Virtual Office environment SMA SRA appliances can provide users with secure remote access to your entire private network or to individual components such as F...

Page 15: ...re complex software providing a secure means to access any type of data on the remote network NetExtender supports IPv6 client connections from Windows systems running Vista or newer and from Linux clients SMA Hardware Components See the following sections for descriptions of the hardware components on SMA appliances SMA 400 Front and Back Panels Overview on page 15 SMA 200 Front and Back Panels O...

Page 16: ...t mode Alarm LED Indicates a critical error or failure X3 Provides access to the X3 interface and to SMA resources X2 Provides access to the X2 interface and to SMA resources X1 Provides access to the X1 interface and to SMA resources X0 Default management port Provides connectivity between the SMA 400 and your gateway Table 3 SMA 400 Back Panel Features Back Panel Feature Description Exhaust fans...

Page 17: ...ess 200 O O X0 X1 Ethernet Ports X0 X1 Provide 1000 Mbps 1 Gb Ethernet connectivity USB SSD ports 2 External USB and SSD hard drive support Console Port Access the Command Line Interface CLI using a compatible console cable Power Button Press button to turn appliance on or off Reset Button Press and hold for several seconds to set the appliance into SafeMode Appliance LEDs Power LED Indicates Powe...

Page 18: ...ides connectivity between the SMA 200 and your gateway Table 5 SMA 200 Back Panel Features Back Panel Feature Description Exhaust fans Provides optimal cooling for the SMA 200 appliance Power supply plug Provides power connection using supplied power cord Table 4 SMA 200 Front Panel Features Continued Front Panel Feature Description Console Port Provides serial access to console messages USB Ports...

Page 19: ...r or failure X3 Provides access to the X3 interface and to SRA resources X2 Provides access to the X2 interface and to SRA resources X1 Provides access to the X1 interface and to SRA resources X0 Default management port Provides connectivity between the SRA 4600 and your gateway Table 7 SRA 4600 Back Panel Features Back Panel Feature Description Exhaust fan Provides optimal cooling for the SRA 460...

Page 20: ...ler Security The SMA 500v Virtual Appliance provides the same hardened operating system that comes with the SMA SRA hardware appliances The elements of basic VMware structure must be implemented prior to deploying the SMA 500v Virtual Appliance For detailed information about deploying the SMA 500v Virtual Appliance see the Dell SonicWALL SMA 500v Virtual Appliance Getting Started Guide available a...

Page 21: ...horized viewers Encryption provides a private and secure method of communication over the Internet A special type of encryption known as Public Key Encryption PKE comprises a public and a private key for encrypting and decrypting data With public key encryption an entity such as a secure Web site generates a public and a private key A secure Web server sends a public key to a user who accesses the...

Page 22: ...s established the SMA SRA gateway encrypts and sends the Web browser the SMA SRA gateway login page 8 The user submits their user name password and domain name 9 If the user s domain name requires authentication through a RADIUS LDAP or Active Directory Server the SMA SRA gateway forwards the user s information to the appropriate server for authentication 10 After being authenticated the user can ...

Page 23: ...v2 Bookmark Define an SSHv1 or SSHv2 bookmark using an IPv6 address Reverse proxy for HTTP HTTPS Bookmark Define an HTTP or HTTPS bookmark using an IPv6 address Citrix Bookmark Define a Citrix bookmark using an IPv6 address RDP Bookmark Define an RDP bookmark using an IPv6 address VNC Bookmark Define a VNC bookmark using an IPv6 address Settings Interface Settings Define an IPv6 address for the in...

Page 24: ...de support when using IPv6 addresses Rules Policy rule User or Group Policies Three IPv6 options in the Apply Policy To drop down list IPv6 Address IPv6 Address Range All IPv6 Address Login rule Use IPv6 for address fields Define Login From Defined Addresses using IPv6 Two IPv6 options in the Source Address drop down list IPv6 Address IPv6 Network Virtual Hosts An administrator can assign an IPv6 ...

Page 25: ...NetExtender is displayed on a Virtual Office portal and if you want NetExtender to automatically launch when users log in to the portal The administrator configures which elements each portal displays through the Portal Settings window For information on configuring portals refer to Portals Portals on page 134 Domains Overview A domain in the Secure Mobile Access environment is a mechanism that en...

Page 26: ...0 1 8 5 1 and 8 5 2 Web mail interfaces These interfaces are easier to use and provide more enhanced features than their basic counterparts Benefits of Application Offloading An offloaded Web application has the following advantages over configuring the Web application as an HTTP S bookmark in Secure Mobile Access No URL rewriting is necessary thereby improving throughput significantly The functio...

Page 27: ...P S bookmarks The following features have been tested and verified as working well on the indicated browsers The following Web applications have been tested and verified to work with HTTP S bookmarks and as offloaded applications Microsoft Outlook Web Access 2013 Microsoft Outlook Web Access 2010 Microsoft Outlook Web Access 2007 Windows SharePoint 2013 supported only using App Offloading Windows ...

Page 28: ... Web Access is supported on the SMA 400 200 SRA 4600 1600 and the SMA 500v Virtual Appliance platforms NOTE Application Offloading supports authentication for ActiveSync ActiveSync is a protocol used by a mobile phone s email client to synchronize with an Exchange server The Administrator can create an offloading portal and set the application server host to the backend Exchange server Then a user...

Page 29: ...on Offloading Portal but all the URLs might not be rewritten depending on how the Web application has been developed This limitation is usually the same for other vendors employing reverse proxy mode Cross Domain Single Sign On External Website Bookmarks can be created for application offloading portals to achieve a single point of access for users This allows users to automatically log in to appl...

Page 30: ...hronize with the backend Exchange server through the SMA SRA appliance ActiveSync is managed through the Portals Offload Web Application Offloading Security Settings page To configure ActiveSync authentication clear Disable Authentication Controls to display the authentication fields Select Enable ActiveSync authentication and then type the default domain name The default domain name cannot be use...

Page 31: ...webmail example com Set the Active Directory domain and Server address to webmail example com Set the Portal name to webmail NOTE A user s credential in the Exchange server must be the same as the one in the SMA SRA appliance Many authentication types are available for each domain in the appliance If using the Local User Database make sure the user name and password is the same as the one for the ...

Page 32: ...ading portal with the name sales 3 Set the Scheme to Secure Web HTTPS 4 Set the Application Server Host to your Exchange server for example webmail example com 5 Set the virtual host name for example webmail example com The virtual host name should be resolved by the DNS server Otherwise modify the hosts file in the Android phone ...

Page 33: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide 33 6 Select Enable Email Clients Authentication Leave the default domain name blank or input webmail example com ...

Page 34: ...r No domain name is displayed so use the default domain name specified in the offloading portal s setting Select Accept all SSL certificates and click Next 10 If the AD authentication times out the Setup could not finish message is displayed Wait about 20 seconds and try again You can also check the Secure Mobile Access log to see if the user logged in successfully You might not encounter this pro...

Page 35: ...rk resources supported by the SMA SRA appliance HTTP Web and Secure HTTPS Web on page 35 Telnet Java on page 36 SSHv1 and SSHv2 Java on page 36 FTP Web on page 36 File Shares CIFS on page 36 Remote Desktop Protocols and Virtual Network Computing on page 37 Application Protocols Using RDP on page 37 Microsoft Outlook Web Access on page 38 Windows SharePoint Services on page 38 Lotus Domino Web Acce...

Page 36: ...wser The remote user can specify the IP address of any accessible Telnet server and the SMA SRA appliance makes a connection to the server Communication between the user over SSL and the server is proxied using native Telnet The Telnet applet supports MS JVM Microsoft Java Virtual Machine in Internet Explorer and requires Sun Java Runtime Environment JRE 1 1 or higher for other browsers Telnet als...

Page 37: ...ailable as open source software Any one of the many variants of VNC servers available can be installed on most any workstation or server for remote access The VNC client to connect to those servers is delivered to remote users through the Web browser as a Java client RDP 7 Support The SMA SRA appliance supports connections with RDP 7 clients and supports the RDP 7 feature set RDP 7 is available on...

Page 38: ...OWA Microsoft OWA Premium includes features such as spell check creation and modification of server side rules Web beacon blocking support for tasks auto signature support and address book enhancements Secure Mobile Access HTTP S reverse proxy supports Microsoft OWA Premium See Creating Unique Access Policies for AD Groups on page 454 for a use case involving configuring group based access policie...

Page 39: ...ious versions of Citrix the Citrix ICA Client was renamed as the Citrix XenApp plug in Secure Mobile Access supports Citrix XenApp Server 7 6 6 5 XenApp Server 6 0 and XenApp Server 5 0 Secure Mobile Access supports Citrix Receiver for Windows 4 2 4 1 4 0 Online Plug in 14 2 14 1 14 0 Java client version 10 1 006 or higher Table 12 Lotus Domino web access Supported features 8 5 1 and 8 5 2 Feature...

Page 40: ...er than using the default gateway NetExtender Overview This section provides an overview to the NetExtender feature Topics What is NetExtender on page 40 Benefits on page 41 NetExtender Concepts on page 41 For information on using NetExtender refer to the NetExtender Status on page 233 or refer to the Dell SonicWALL Secure Mobile Access User s Guide What is NetExtender Dell SonicWALL NetExtender i...

Page 41: ...Client Secure Mobile Access provides a stand alone NetExtender application NetExtender is a browser installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application The first time a user launches NetExtender the NetExtender stand alone client is automatically installed on the user s PC The installer creates a profi...

Page 42: ... in the group profile to which the user belongs 3 An IP address from the global NetExtender range To reserve a single IP address for an individual user the administrator can enter the same IP address in both the Client Address Range Begin and Client Address Range End fields on the NetExtender tab of the Edit Group window Client Routes NetExtender client routes are used to allow and deny access to ...

Page 43: ...proxy access NetExtender automatically inherits the proxy settings The proxy settings can also be manually configured in the NetExtender client preferences NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery WPAD Protocol NetExtender provides three options for configuring proxy settings Automatically detect settings To use this setting th...

Page 44: ...d How Does Two Factor Authentication Work Two factor authentication requires the use of a third party authentication service or two separate RADIUS authentication servers With two factor authentication users must enter a valid temporary passcode to gain access A passcode consists of the following The user s personal identification number PIN A temporary token code or password When two RADIUS serve...

Page 45: ...SS concept that uses One Time Passwords that are assigned for time segments that provide easy and secure remote access The One Time Password within the authentication request is verified on the VASCO IdentiKey After verification a RADIUS access accept message is sent to the SMA SRA server for authentication Two Factor Authentication Login Processes This section provides examples of the two factor ...

Page 46: ...ge credentials This is followed by the PIN challenge Last the Passcode challenge is displayed One Time Password Overview This section provides an introduction to the One Time Password feature This section contains the following topics What is One Time Password on page 47 Benefits of One Time Passwords on page 47 How Does the One Time Password Feature Work on page 47 Configuring One Time Passwords ...

Page 47: ...so enter an external email address for each user who is enabled for One Time Passwords For users of Active Directory and LDAP the administrator can enable the One Time Password feature on a per domain basis Enabling the One Time Password feature on a per domain basis overrides individual enabled or disabled One Time Password settings Enabling the One Time Password feature for domains does not over...

Page 48: ...ave correctly used the One Time Password feature If you cannot login using One Time Password verify the following Are you able to login without being prompted to check your email for One time Password The user account has not been enabled to use the One time Password feature Is the email address correct If the email address for the user account has been entered incorrectly log in to the management...

Page 49: ...ghtly integrated with access control to analyze the Windows client system and apply access controls based on the results End Point Control is supported on Mac iOS and Android mobile devices using Mobile Connect allowing device profiles to be created for these devices This provides security protection from threats against client devices and protection to the SMA SRA appliance from threats originati...

Page 50: ...are who they say they are Alternatively the local database of the SMA SRA appliance and tokenless two factor authentication can be utilized Secure connections 256 bit AES SSL encryption of the data by the SMA SRA appliance provides a secure environment for the data and assists in the effort to be compliant with regulations like Sarbanes Oxley and HIPAA Greater flexibility for remote access Using t...

Page 51: ...sion they can take control and click End Virtual Assist in the bottom right corner of the screen 10 When the session ends the customer resumes sole control of the computer Remote File Transfer Secure Virtual Assist includes a Remote File Transfer feature that enables the technician to transfer files directly to and from the customer s computer The technician launches the File Transfer process by c...

Page 52: ...ure Mobile Access management interface click Virtual Office 2 Click on Virtual Assist 3 If the Virtual Assist plug in is installed the Virtual Assist window is displayed automatically See Step 9 4 If the Virtual Assist plug in is not installed the File Download window displays and Secure Virtual Assist attempts to automatically install Click Run to launch the program directly or click Save to save...

Page 53: ... a link to the application is added to the program list on your Start Menu Click No to launch Secure Virtual Assist without saving the application for future use 7 If you clicked Yes to save the application you are prompted to select a location to save the file Select an appropriate location such as C Program Files SonicWALL 8 When Secure Virtual Assist launches for the first time you might see a ...

Page 54: ...Virtual Assist application the technician can assist customers by completing the following tasks Inviting Customers by Email on page 54 Assisting Customers on page 55 Using the Secure Virtual Assist Taskbar on page 55 Controlling the Secure Virtual Assist Display on page 56 Request Full Control on page 57 Inviting Customers by Email To invite a customer to a Secure Virtual Assist session by email ...

Page 55: ...is not locked out of their computer Both the technician and customer can control the computer although this might cause confusion and consternation if they both attempt to drive at the same time The customer has a small tool bar in the bottom right of their screen with three options The customer has the following options during a Secure Virtual Assist session each enabled after clicking the corres...

Page 56: ... the taskbar contains the following buttons Refresh Refreshes the display of the customer s computer System Info Displays detailed information about the customer s computer similar to that shown for a Windows computer Reboot Reboot the customer s computer Unless you have Requested full control the customer is warned about and given the opportunity to deny the reboot Chat Launches the text chat win...

Page 57: ...u to issue a request that appears on the customer s desktop Using the Secure Virtual Assist File Transfer The File Transfer window is used to transfer files to and from the customer s computer The file directory of the technician s computer is shown on the left and the customer s computer on the right The File Transfer window functions in much the same manner as Windows Explorer or an FTP program ...

Page 58: ...within the Secure Mobile Access management interface see Configuring Per Portal Virtual Assist Settings on page 143 To configure Secure Virtual Access on a system 1 Log in to the portal through the system you wish to configure for Secure Virtual Access and click the Virtual Access link 2 A file should download with parameters to install the VASAC exe file that provides the needed client for Secure...

Page 59: ...double clicking the system listing the technician is prompted to provide the password established during system set up to gain Secure Virtual Access to the system Ending Secure Virtual Access Mode Disconnecting from a Secure Virtual Access session places the system back in the support queue for later access by the technician From the personal system side the user technician might uninstall or term...

Page 60: ...ddition to meeting configurations that apply to all virtual meetings Meeting functions Meeting attendees can complete several functions such as polling meeting attendees text chatting and switching who shares their desktop or controls the meeting User Roles Secure Virtual Meeting has several user roles Coordinator Owner of the meeting The Coordinator must be a Secure Mobile Access user on the appl...

Page 61: ... with necessary privileges can change the roles of any Participant during the meeting A Participant wishing to become the Host must request permission from the Coordinator How Does a Secure Virtual Meeting Work See the following sections Configuring Secure Virtual Meeting on page 61 Performing Coordinator Tasks on page 61 Performing Participant Tasks on page 63 Configuring Secure Virtual Meeting S...

Page 62: ...ng is only available during a meeting Clicking Stop Sharing stops sharing the Host System desktop Only the Host can stop sharing and only while in the sharing state after Start Sharing has been selected Clicking Request Control requests that the Host give you control of the keyboard and mouse Only Participants who are not the Host can request control Using the Control Menu during a Meeting The Con...

Page 63: ...y Participants Performing Participant Tasks Participants can be designated as View only Participants or regular Participants View only Participants enter and exit meetings like other Participants but cannot do most functions However they can be kicked out of meetings like other regular Participants Regular Participants can also Respond to polls Text chat Request control of the Host keyboard and mo...

Page 64: ...ing in devastating attacks such as total server compromise Malicious file execution attacks affect PHP XML and any framework which accepts filenames or files from users A4 Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file directory database record or key as a URL or form parameter Attackers can...

Page 65: ...me Password Two factor Authentication and Single Sign On apply to the offloaded host Application Profiling Application Profiling Phase 1 allows the administrator to generate custom rules in an automated manner based on a trusted set of inputs This is a highly effective method of providing security to Web applications because it develops a profile of what inputs are acceptable by the application Ev...

Page 66: ...based policy controls are core to Web Application Firewall and this is easily achievable using Secure Mobile Access technology Secondly there are lower latencies because of the existing hardware based SSL offloading Most importantly SMA SRA appliances run Web applications and must be protected from such attacks As small businesses adopt hosted services to facilitate supplier collaboration inventor...

Page 67: ...e 3 How signatures are used to prevent attacks When input arrives from the Internet Web Application Firewall inspects HTTP HTTPS request headers cookies POST data query strings response headers and content It compares the input to both a black list and a white list of signatures If pattern matching succeeds for any signature the event is logged and or the input is blocked if so configured If block...

Page 68: ...e of a user While a victim user is authenticated to a Web site under attack the user can unwittingly load a malicious Web page from a different site within the same browser process context for instance by launching it in a new tab part of the same browser window If this malicious page makes a hidden request to the victim Web server the session cookies in the browser memory are made part of this re...

Page 69: ...tion For example credit cards follow the Luhn s algorithm to determine if an n digit number could be a credit card number or not The administrator can set an appropriate action such as detect log prevent or just mask the digits that can reveal the user identity Masking can be done fully or partially and you can select any of the following characters for masking x X and The resulting masked number ...

Page 70: ...b Application Firewall uses a rate limiter to thwart Slowloris HTTP Denial of Service attacks What Type of PCI Compliance Reports Are Available Payment Card Industry Data Security Standard PCI DSS 6 5 Version 2 0 and PCI DSS 6 6 Version 1 2 are covered in PCI reporting The administrator can configure Web Application Firewall to satisfy these PCI requirements You can generate and download the PCI r...

Page 71: ...s in user browsers They are not safe and can be easily tampered with This feature is found on the Web Application Firewall Settings page This page contains the following options Portals A list of all application offloading portals Each portal has its own settings The item Global is the default setting for all portals Tamper Protection Mode Three modes are available Prevent Strip all the tampered c...

Page 72: ...cation content that you want to profile You can choose HTML XML JavaScript CSS or All that includes all content types such as images HTML and CSS HTML XML content is the most important from a security standpoint because it typically covers the more sensitive Web transactions This content type is selected by default Then the SMA SRA appliance is placed in learning mode by clicking Begin Profiling t...

Page 73: ...ain the action for the rule chain is triggered only when the number of matches within a configured time period is above the configured threshold This type of protection is useful in preventing Brute Force and Dictionary attacks An example rule chain with a Rule Chain ID of 15002 is available in the Secure Mobile Access management interface for administrators to use as reference The associated fiel...

Page 74: ...figure an SMA SRA appliance using the Secure Mobile Access web based management interface an administrator must use a Web browser with Java JavaScript ActiveX cookies pop ups TLS 1 0 TLS 1 1 and TLS 1 2 enabled Java is only required for various aspects of the Secure Mobile Access Virtual Office not the Secure Mobile Access management interface Browser Requirements for the End User The following is...

Page 75: ...e to manage your SMA SRA appliance to have a static IP address in the 192 168 200 x 24 subnet such as 192 168 200 20 For help with setting up a static IP address on your computer refer to the Getting Started Guide for your model Browser Operating System Internet Explorer 11 Windows 10 Mozilla Firefox latest version Windows Vista Windows 10 Windows 7 Linux MacOS X Google Chrome latest version Windo...

Page 76: ...orner of the management interface opens a separate browser window that displays Secure Mobile Access Help Logout in the upper right corner of the management interface terminates the management session and closes the browser window Navigating the Management Interface The Secure Mobile Access web based management interface allows the administrator to configure the SMA SRA appliance The Secure Mobile...

Page 77: ...ple configuration window For descriptions of the elements in the Secure Mobile Access management interface see the following sections Status Bar on page 78 Accepting Changes on page 78 Navigating Tables on page 78 Restarting on page 79 Common Icons in the Management Interface on page 79 Tooltips in the Management Interface on page 79 Getting Help on page 79 Logging Out on page 80 Navigation Bar St...

Page 78: ...ht corner of the main window to save any configuration changes you made on the page If the settings are contained in a secondary window within the Secure Mobile Access management interface Accept is still available at the top right corner of the window Navigating Tables Navigating tables with large number of entries is simplified by navigation buttons located above the table For example the Log Vi...

Page 79: ...er right corner of the Secure Mobile Access management interface opens a separate Web browser that displays the main Secure Mobile Access Help Table 17 Navigation Buttons in the Log View Page Navigation Button Description Find Allows the administrator to search for a log entry containing the content specified in the Search field The search is applied to the element of the log entry specified by th...

Page 80: ...m heading the System Status page is displayed The navigation menu headings are System Network Portals Services NetExtender End Point Control Secure Virtual Assist Secure Virtual Meeting Web Application Firewall High Availability Users Log and Virtual Office Deployment Guidelines This sections provides information about deployment guidelines for the SMA SRA appliance This section contains the follo...

Page 81: ...own in Figure 9 in one armed mode the primary interface X0 on the SMA SRA appliance connects to an available segment on the gateway device The encrypted user session is passed through the gateway to the SMA SRA appliance step 1 The SMA SRA appliance decrypts the session and determines the requested resource The Secure Mobile Access session traffic then traverses the gateway appliance step 2 to rea...

Page 82: ...ld need to access the Internet or other network resources DNS NTP through a different gateway If you have an internal router as well as an Internet router you can use a two armed deployment to leverage your internal router to access your internal resources Sample Scenario Company A has resources and a number of subnets on their internal network and they already have a robust routing system in plac...

Page 83: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide Part 2 83 Configuring Secure Mobile Access System Configuration Network Configuration Portals Configuration ...

Page 84: ...e 97 System Administration on page 105 System Certificates on page 110 System Monitoring on page 115 System Diagnostics on page 116 System Restart on page 120 System About on page 120 System Status This section provides an overview of the System Status page and a description of the configuration tasks available on this page System Status Overview on page 84 Registering Your SMA SRA Appliance with ...

Page 85: ...ample if you do not set an outbound SMTP server you will see the message Log messages and one time passwords cannot be sent because you have not specified an outbound SMTP server address System Information The System Information section displays details about your specific SMA SRA appliance The following information is displayed in this section Table 20 System Information Field Description Model T...

Page 86: ...m Status on page 86 To register your appliance on MySonicWALL from the System Licenses page and allow the appliance to automatically synchronize registration and license status with the Dell SonicWALL server see Registering the SMA SRA Appliance with System Licenses on page 90 Network Interfaces The Network Interfaces section provides the administrator with a list of SMA SRA appliance interfaces b...

Page 87: ...n to your MySonicWALL account directly from a browser or click the Dell SonicWALL link on the System Status page to access MySonicWALL enter the appliance serial number and other information there and then enter the resulting registration code into the field on the System Status page This manual registration procedure is described in this section Use the link on the System Licenses page to access ...

Page 88: ...igured by clicking on the blue arrow in the corner of the Network Interfaces section of the System Status page The link redirects you to the Network Interfaces page that can also be accessed from the navigation bar From the Network Interfaces page a SMA SRA appliance administrator can configure the IP address of the primary X0 interface and also optionally configure additional interfaces for opera...

Page 89: ...ess management interface you can manage all the Dell SonicWALL Security Services licenses for your SMA SRA appliance Figure 11 System Licenses Page Security Services Summary The Security Services Summary table lists the number of Nodes Users licenses and the available and activated security services on the SMA SRA appliance The Security Service column lists all the available Dell SonicWALL Securit...

Page 90: ... it hourly or you can click Synchronize to synchronize immediately Manage Security Services Online You can log in to MySonicWALL directly from the System Licenses page by clicking the link Activate Upgrade or Renew services You can click this link to register your appliance to purchase additional licenses for upgrading or renewing services or to activate free trials Registering the SMA SRA Applian...

Page 91: ...91 2 The License Management page is displayed 3 Click Activate Upgrade or Renew on your existing license 4 Enter your license key in the spaces provided 5 Click Submit 6 The display changes to inform you that your SMA SRA appliance is registered 7 Click Continue ...

Page 92: ...also upgrade a license from this page For example if your appliance is licensed for a single Virtual Assist technician you can upgrade the license for multiple technicians You must purchase the license subscription on MySonicWALL or from a reseller before you can activate or upgrade You will receive an activation key to enter into the License Manager page NOTE After registration some network envir...

Page 93: ...an existing license with a new license that you have already purchased click Upgrade next to the service that you want to upgrade Type or paste one or more new activation keys into the New License Key field s and then click Submit 6 After completing the activation or upgrading process click Synchronize to update the appliance license status from the Dell SonicWALL licensing server Rebooting the ap...

Page 94: ... and import it to the appliance as described in Activating or Upgrading Licenses on page 92 After licensing the status is updated to Licensed and the total users supported and number of usage days remaining in the Spike License are shown on the System Licenses page 2 After reloading the page the Spike License is listed as Off on the System Licenses page 3 When you need to accommodate more users cl...

Page 95: ...ity Services Summary You should now see the upgraded license in the Security Services Summary System Time This section provides an overview of the System Time page and a description of the configuration tasks available on this page System Time Overview on page 95 Setting the Time on page 96 Enabling Network Time Protocol on page 96 System Time Overview The System Time page provides the administrat...

Page 96: ... ss field and the current date in the Date mm dd yyyy field 4 Click Accept to update the configuration Enabling Network Time Protocol If you enable Network Time Protocol NTP then the NTP time settings overrides the manually configured time settings The NTP time settings are determined by the NTP server and the time zone that is selected in the Time Zone drop down list To set the time and date for ...

Page 97: ... 97 Managing Configuration Files on page 100 Managing Firmware on page 102 System Settings Overview The System Settings page allows the administrator to import and export the settings of the SMA SRA appliance Options to automatically send your settings to an external FTP server after a firmware upgrade and upon generation are included SMA already had a period backup of the appliance settings but t...

Page 98: ...ure 13 System Settings Page Physical Appliance Configure the FTP server on the System Administration page to automatically send new settings to the external FTP server Refer to the Configuring External FTP TFTP Server Settings on page 110 On an SMA 500v Virtual Appliance the System Settings page allows for settings management but does not provide any firmware management because the SMA 500v Virtua...

Page 99: ...tion to be notified when new firmware becomes available Firmware Management The Firmware Management section allows the administrator to control the firmware that is running on the SMA SRA appliance This section provides buttons for uploading new firmware creating a backup of current firmware downloading existing firmware to the management computer rebooting the appliance with current or recently u...

Page 100: ...n click Import Settings The Import Settings dialog box is displayed 3 Click Browse to navigate to a location that contains the file that includes settings you want to import The file can be any name but is named sslvpnSettings serialnumber zip by default 4 Click Upload Secure Mobile Access imports the settings from the file and configures the appliance with those settings 5 After the file has been...

Page 101: ...p version of the configuration click Export Settings The browser you are working in displays a pop up asking you if you want to open the configuration file 3 Select the option to Save the file 4 Choose the location to save the configuration file The file is named sslvpnSettings serialnumber zip by default but it can be renamed 5 Click Save to save the configuration file Emailing Configuration Sett...

Page 102: ...ailable select Notify me when new firmware is available Creating a Backup To create a system backup of the current firmware and settings click Create Backup The backup might take up to two minutes When the backup is complete the Status at the bottom of the screen displays the message System Backup Successful Downloading Firmware To download firmware click the download icon next to the Firmware Ima...

Page 103: ...appliances allow you to import and apply new language packs to the firmware The language packs are stored on the back end server The Secure Mobile Access firmware is scheduled to check the back end server every hour for updates to existing or new language packs These tasks are described in the following sections Downloading a language pack on page 103 Importing a language pack on page 103 Selectin...

Page 104: ...k end server of the SMA SRA appliance The default language is English Select the language from the drop down menu then click Apply This process can take a few minutes Querying for new languages To manually query available language packs on the back end server click Query Now If there are any new language packs available they are listed under Available New Language Packs ...

Page 105: ...ttings on page 109 Enabling GMS Management on page 109 Configuring External FTP TFTP Server Settings on page 110 System Administration Overview This section provides the administrator with information about and instructions to complete the configuration tasks on the System Administration page The System Administration page allows the administrator to configure login security Web management setting...

Page 106: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide 106 SNMP Settings on page 108 GMS Settings on page 108 Figure 16 System Administration page ...

Page 107: ... When this option is enabled the connection is dropped if the backend SSL TLS server certificate is not trusted The verification depth is 10 Alert level log messages are also generated when this option is enabled Capacity Matrix The Secure Mobile Access Capacity Matrix Report is a downloadable PDF file that allows you to view the total number of various connections interfaces portals domains group...

Page 108: ...is five minutes The maximum is 9999 minutes 5 Click Accept to save your changes Configuring HTTP DOS Settings HTTP DPS setting is used to configure the maximum concurrent TCP connections per IP address Complete the following steps to change the maximum number of connections at any one time 1 Navigate to System Administration 2 In the Max Concurrent TCP connections Per IP field type the maximum num...

Page 109: ...MS is a web based application that can configure and manage thousands of Dell SonicWALL Internet Security appliances including global administration of multiple site to site VPNs from a central location Complete the following steps to enable GMS management of your SMA SRA appliance 1 Navigate to System Administration 2 Select Enable GMS Management 3 Type the host name or IP address of your GMS ser...

Page 110: ...s This section provides an overview of the System Certificates page and a description of the configuration tasks available on this page System Certificates Overview on page 110 Certificate Management on page 111 Generating a Certificate Signing Request on page 112 Viewing and Editing Certificate Information on page 113 Importing a Certificate on page 114 Adding Additional CA Certificates on page 1...

Page 111: ...browser to virtualassist test sonicwall com Each of those portal names can have its own certificate This is useful to prevent the browser from displaying a certificate mismatch warning such as This server is abc but the certificate is xyz are you sure you want to continue A CSR is a certificate signing request When preparing to get a certificate from a CA you first generate a CSR with the details ...

Page 112: ...sign com and Thawte www thawte com Virtual Assist verifies the server certificate that provides a safer environment for the appliance If the certificate is not issued by an authorized organization an alert message is displayed to notify the user of the risk View Click for detailed information about the server certificate Information displays as shown in the following image OK Click to accept the c...

Page 113: ...mation The Current Certificates table in System Certificates lists the currently loaded SSL certificates To view certificate and issuer information and edit the Common Name in the certificate 1 Click the configure icon for the certificate The Edit Certificate window is displayed showing issuer and certificate subject information 2 From the Edit Certificate window you can view the issuer and certif...

Page 114: ...ficate must be at the root of the zip or the file is not uploaded 5 Click Upload After the certificate has been uploaded the certificate is displayed in the Certificates list in the System Certificates page Adding Additional CA Certificates You can import additional CA certificates for use with chained certificates for example when the issuing CA uses an intermediate chained signing certificate To...

Page 115: ...A SRA appliance provides configurable monitoring tools that enable you to view usage and capacity data for your appliance The System Monitoring page provides the administrator with four monitoring graphs Active Concurrent Users Bandwidth Usage CPU Utilization Memory Utilization The administrator can configure the following monitoring periods last 30 seconds last 30 minutes last 24 hours last 30 da...

Page 116: ...117 Downloading Generating the Tech Support Report on page 117 Performing Diagnostic Tests on page 118 Table 21 Monitoring Graph Types Graph Description Active Concurrent Users The number of users who are logged into the appliance at the same time measured over time by seconds minutes hours or days This figure is expressed as an integer for example 2 3 or 5 Bandwidth Usage Kbps Indicates the amoun...

Page 117: ... useful to Dell SonicWALL Technical Support when analyzing system behavior The following options are available for Tech Support Reports Download Current Report Clicking this button prompts a Windows pop up to display confirming the download Click Save to save the report The Tech Support Report is saved as a zip file containing graphs event logs and other technical information about your SMA SRA ap...

Page 118: ...latest scheduled Tech Support Reports to your local system Delete This button allows you to delete the latest scheduled Tech Support Reports Email Click this button to email the latest scheduled Tech Support Reports to the values specified in the Mail Server field on the Log Settings page Automatically email new reports upon generation Select this check box to enable automatic emailing of the late...

Page 119: ...Ping Tests the connection to a host or IP address Ping6 Tests the connection to an IPv6 address or domain Ping6 is meant for use with IPv6 addresses and networks Traceroute Identifies the route and number of hops needed to connect to a host or IP address Traceroute6 Identifies the route and number of hops needed to connect to an IPv6 address or domain Traceroute 6 is meant for use with IPv6 addres...

Page 120: ...rning is displayed that restarting takes one or two minutes and causes all current users to be disconnected Restarting the SMA SRA Appliance To restart the SMA SRA appliance complete the following steps 1 Navigate to System Restart 2 Click Restart 3 In the confirmation dialog box click OK System About The System About page provides the End User License Agreement for using the SMA SRA appliance Cli...

Page 121: ...erfaces on page 121 Network DNS on page 123 Network Routes on page 126 Network Host Resolution on page 128 Network Network Objects on page 129 Network Interfaces This section provides an overview of the Network Interfaces page and a description of the configuration tasks available on this page Network Interfaces Overview on page 121 Configuring Network Interfaces on page 122 Network Interfaces Ove...

Page 122: ...ess and a subnet mask to the interface To configure these settings for an interface on the SMA SRA appliance 1 Navigate to the Network Interfaces page and click the configure icon next to the interface you want to configure 2 In the Edit Interfaces dialog box on the SMA SRA appliance type an unused static IP address in the IP Address field This IP address should reside within the local subnet to w...

Page 123: ...y auto negotiated If you want to force a certain link speed and duplex mode select one of the following options 1000 Mbps Full Duplex 100 Mbps Full Duplex 100 Mbps Half Duplex 10 Mbps Full Duplex 10 Mbps Half Duplex 6 For the Management options if you want to enable remote management of the SMA SRA appliance from this interface select the supported management protocol s HTTP HTTPS and or Ping 7 Cl...

Page 124: ...mary DNS Server Secondary DNS Server optional and DNS Domain optional The Primary DNS Server is required For SMA SRA appliances supporting connections from Apple iPhones iPads or other iOS devices using Dell SonicWALL Mobile Connect the DNS Domain is a required field This DNS domain is set on the VPN interface of the iPhone iPad after the device makes a connection to the appliance When the mobile ...

Page 125: ... domain suffix in the Domain Search List and click Add The suffix is appended with the host name to make a Fully Qualified Domain Name FQDN that is used in host resolution b To remove a DNS suffix select the domain suffix from the list and click Remove c Use the up and down arrow keys to arrange the DNS domain suffixes in the order that is used to resolve host names For example your host name is S...

Page 126: ...figuration tasks available on this page Network Routes Overview on page 126 Configuring a Default Route for the SMA SRA Appliance on page 127 Configuring Static Routes for the Appliance on page 127 Network Routes Overview The Network Routes page allows the administrator to assign a default gateway and interface and to add and configure static routes For more information on default or static routes...

Page 127: ...In the Interface drop down list select the interface that serves as the IPv4 connecting interface to the network In most cases the interface is X0 4 In the Default IPv6 Gateway field type the IPv6 address of the firewall or other gateway device through which the SMA SRA appliance connects to the network This address acts as the default IPv6 route for the appliance 5 In the Interface drop down list...

Page 128: ...op down list select the interface that connects the appliance to the desired destination network 6 Click Accept Network Host Resolution This section provides an overview of the Network Host Resolution page and a description of the configuration tasks available on this page Network Host Resolution Overview on page 128 Configuring Host Resolution on page 129 Network Host Resolution Overview The Netw...

Page 129: ...age now displays the new host name 7 Optionally select Configure auto added hosts on the Network Host Resolution page If this option is selected you can edit or delete automatically added Host entries such as for IPv6 This option is not recommended as host mis configuration could lead to undesirable results Network Network Objects This section provides an overview of the Network Network Objects pa...

Page 130: ...ion 1 SSHv1 Secure Shell Version 2 SSHv2 File Shares CIFS Citrix Portal Web Access Port or port range settings are available for all services allowing the administrator to configure a port range such as 80 443 or a port number 80 for a Network Object You can use this feature to create port based policies For example you can create a Deny All policy and allow only HTTP traffic to reach port 80 of a...

Page 131: ...screen is displayed If you just created a network object the Edit Network Object screen is displayed as soon as you clicked Accept The Edit Network Object shows the network object name and the service associated with it It also contains an address list that displays existing addresses mapped to the network object 2 To change the service select the desired service from the Service drop down list an...

Page 132: ...mation pertaining to the object type you have selected For the IP Address object type type an IP address in the IP Address field For the IP Network object type in the Network Address field type an IP Address that resides in the desired network subnet and type a subnet mask in the Subnet Mask field In the Port Range Port Number field optionally enter a port range in the format 80 443 or enter a sin...

Page 133: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide 133 3 When finished adding addresses click Done in the Edit Network Object dialog box ...

Page 134: ...erview of the Portals Portals page and a description of the configuration tasks available on this page Portals Portals Overview on page 134 Adding Portals on page 135 Configuring General Portal Settings on page 137 Configuring Login Schedules on page 139 Configuring the Home Page on page 139 Configuring Per Portal Virtual Assist Settings on page 143 Configuring Virtual Meeting Settings on page 144...

Page 135: ...l content on the user portal review the following information With the Tips Help sidebar enabled the width of the workspace is 561 pixels With the Tips Help sidebar disabled the width of the workspace is 712 pixels No IFRAME is used You can upload a custom HTML file which is displayed following all other content on the home page You can also add HTML tags and JavaScript to the Home Page Message fi...

Page 136: ...le The title that appears on the Web browser title bar of users access this portal Portal Banner Title The welcome text that appears on top of the portal screen Login Message Optional text that appears on the portal login page above the authentication area Portal URL The URL that is used to access this specific portal Display custom login page Displays the customized login page rather than the def...

Page 137: ...tent Enable ActiveX Web cache cleaner Loads an ActiveX control browser support required that cleans up all session content after the Secure Mobile Access session is closed Enforce login uniqueness If enforced login uniqueness restricts each account to one session at a time Select to Automatically logout existing session or Confirm logout of existing session as the preferred Enforcement Method If n...

Page 138: ...is the Portal Name Enforcing Login Uniqueness Login uniqueness when enforced restricts each account to a single session at a time When login uniqueness is not enforced each account can have multiple simultaneous sessions To enforce login uniqueness 1 Navigate to Portals Portals 2 For an existing portal click the configure icon next to the portal you want to configure Or for a new portal click Add ...

Page 139: ...Accept to save changes made to the login schedule Configuring the Home Page The home page is an optional starting page for the Secure Mobile Access appliance portal The home page enables you to create a custom page that mobile users see when they log in to the portal Because the home page can be customized it provides the ideal way to communicate remote access instructions support information tech...

Page 140: ...er Mobile Connect connections to this portal If selected activates the following two check box options If not selected NetExtender and Mobile Connect are not available on the portal Display NetExtender Mobile Connect Icon Displays the icon to NetExtender or Mobile Connect allowing users to install and invoke the clientless NetExtender virtual adapter or the Mobile Connect application for mobile de...

Page 141: ...right footer Displays Dell SonicWALL copyright footer on portal If unchecked the footer is not shown Show Tips Help sidebar Displays a sidebar in the portal with tips and help links This option is not available when Legacy Look Feel is selected on the General tab Show Help Button Displays the Help button Help Page URL Specify the URL for the Help Page Leave this field blank to use the default Dell...

Page 142: ...t users on this portal 5 To launch NetExtender automatically when users log in to the portal select Launch NetExtender after login 6 Click Accept File Sharing Using Applet as Default The Java File Shares Applet option provides users with additional functionality not available in standard HTML based file sharing including Overwriting of existing files Uploading directories Drag and drop capability ...

Page 143: ... selected Virtual Assist is hidden and technicians are required to login directly through a downloaded client 6 Select Display Request Help Button to allow users to request assistance through the portal 7 Select Enable Virtual Access Mode to allow Secure Virtual Access connections to be made to this portal This must be enabled per portal for Secure Virtual Access to function If this box is selecte...

Page 144: ...s allowed on this portal or enter zero for no limitation 11 Check Enable Assistance Code to require a user to enter the designated code before requesting assisting Checking this check box displays an Assistance Code field where you specify the code users must enter 12 See Secure Virtual Assist Settings on page 260 for information about all other configuration settings on the Virtual Assist tab 13 ...

Page 145: ...l setting for this option 10 Set the maximum number of concurrent systems for a meeting in the Max Attendees per Meeting field Set this field to 0 to allow an unrestricted amount of meeting attendees If this field is left blank Virtual Meeting uses the global setting for this option 11 Set the maximum concurrent active meetings at a time for this appliance in the Max Concurrent Meeting Room field ...

Page 146: ...or this portal if using IP based virtual hosting If your virtual host implementation uses name based virtual hosts where more than one hostname resides behind a single IP address choose All Interfaces from the Virtual Host interface 6 If you selected a specific Virtual Host Interface for this portal enter the desired Virtual Host IP Address in the field provided This is the IP address users use in...

Page 147: ... able to connect to the SMA SRA appliance The performance of this feature can decline depending on the ciphers that the client browser supports 10 Verify Backend SSL Server Certificate for Proxy connections When this option is enabled the connection is dropped if the backend SSL TLS server certificate is not trusted The verification depth is 10 Alert level log messages are also generated when this...

Page 148: ...rk from the Background drop down list Select a background shade that helps set off your logo from the rest of the portal page 6 Click Update Logo to transfer the logo to the SMA SRA appliance 7 Click Default Logo to revert to the default Dell SonicWALL logo 8 Click Accept to save changes NOTE The custom logo must be in GIF format In a modern portal there is a hard size limit of 155x68 pixels Anyth...

Page 149: ...ile Access management interface provides an overview of the Application Offloading functionality available from the Portals Portals page No configuration is available on this page Click any of the screenshots on this page to go to the Portals Portals page where you can click Offload Web Application to configure an offloaded application See the following sections Application Offloading Overview on ...

Page 150: ...ble to disable authentication and access policy enforcement for such an offloaded host Web transactions can be centrally monitored by viewing the logs In addition Web Application Firewall can protect these hosts from any unexpected intrusion such as Cross site scripting or SQL Injection Access to offloaded Web applications happens seamlessly as URLs in the proxied page are not rewritten in the man...

Page 151: ...g from the Scheme drop down list Web HTTP access the Web application using HTTP default scheme Secure Web HTTPS access the Web application using HTTPS Auto HTTP HTTPS allows the user to determine the actual scheme used to talk to the backend server when accessing an offloading portal Access is still under the control of the access policy NOTE The maximum number of users supported is limited by the...

Page 152: ... have a default redirect from the root folder to the home page URL Outlook Web Access is one example but note that most public sites do have a default redirect a Under Security Settings select Enable Web Application Firewall to enable the feature b Select Disable Authentication Controls Access Policies and CSRF Protection if enabled if you need no authentication access policies or CSRF protection ...

Page 153: ...al Host Alias field If you need to associate a certificate to this host you should additionally set a virtual interface and import the relevant SSL certificate You could avoid creating a virtual interface by importing a wildcard certificate for all virtual hosts on the SMA SRA appliance See Configuring Virtual Meeting Settings on page 144 for more instructions on configuring the fields on this tab...

Page 154: ...cation Offloading Portal type Options include General portal Can be selected for most scenarios Load Balancing portal This type of portal is used to setup a Load Balancing Offloading portal URL based Aliasing portal Use to setup a URL based Aliasing Offloading portal Select URL Based Aliasing if you want the ability to access several Web sites using one portal and domain name If this option is ena...

Page 155: ...ortal is bound If one specific network interface is selected a new IP address is assigned to the portal 4 The Portal Certificate drop down lists all certificates that have been imported 5 The Application Server Address field accepts settings relevant to the application server This can simply be the IP address of the application server The scheme of the address is HTTPS by default The port and defa...

Page 156: ...l certificates that have been imported 5 The Load Balancing Group field replaces the Application Server Address field to show the existing Load Balancing Group to which you can assign to this portal If no Load Balancing Group exists you can create a new one by clicking click here to create All these settings are verified instantly from the Appliance when the mouse leaves the input field green chec...

Page 157: ... to the portal 4 The Portal IP Address field is not required if All Interfaces is selected in the Portal Interface field but you need to enter the Portal IP Address of specific X0 X1 X2 and X3 interfaces 5 The Portal Certificate drop down lists all certificates that have been imported 6 Any existing URL Based Aliasing Group s are listed in the drop down and available to assign to this portal If no...

Page 158: ...dministration Guide 158 Configuring the Security Settings The third step is for the Security settings including Enable Web Application Firewall and Disable Authentication Controls However both options require a Web Application Firewall license ...

Page 159: ...efault but they can still be customized Restart Now Gracefully restarts the appliance immediately after clicking Finish More advanced options can be fine tuned by editing this portal after the wizard has finished Changing the Portal settings requires a web server restart that could disconnect any active NetExtender connections and certain Bookmarks If you want to proceed with restarting the web se...

Page 160: ... check box to display the login message from the Login Message field when users log into the custom login page 4 Select the Hide Domain list on portal login page check box to replace the Domain list box displayed on the login page to a text box for you to type in the correct domain name 5 Select Enable HttpOnly for SMA cookies to secure SMA cookies using the HTTPOnly flag Some client side technolo...

Page 161: ...connects after an unexpected network interruption For example a user on an unreliable network is disconnected due to a network issue If login uniqueness is NOT enabled the user session on the appliance stays active for this type of disconnect until the timeout value is reached The user reconnects and consumes a second license with the potential of consuming more licenses before the original connec...

Page 162: ...com or https www example virtual host com in browser s address bar to test this feature Even scheme set to Auto it s still under the control of the access policy 7 Enter the host name or private IP address of the backend host into the Application Server Host field 8 Optionally enter the IPv6 address of the backend host into the Application Server IPv6 Address field 9 In the Port Number optional fi...

Page 163: ...ection if enabled check box if you need no authentication access policies or CSRF protection enforced This is useful for publicly hosted Web sites 4 To configure ActiveSync authentication clear the Disable Authentication Controls check box to display the authentication fields Select the Enable ActiveSync authentication check box and then type the default domain name The default domain name will no...

Page 164: ...uthentication Controls are already disabled and WAF is not licensed after upgrading to 8 5 an Action Required message appears on the Portal page The Disable Authentication Controls option is also disabled Click Save to finalize the Authentication Controls setting If you access the portal under these conditions an error message displays A log message is generated at the Notice level that reads Anon...

Page 165: ...should additionally set a virtual interface and import the relevant SSL certificate You could avoid creating a virtual interface by importing a wildcard certificate for all virtual hosts on the SMA SRA appliance 4 If authentication is disabled for this portal you have the option to Enable HTTP access for this Application Offloaded Portal This feature is useful for setting up offloading in trial de...

Page 166: ...ePoint must be the same If the back end SharePoint is running on HTTP the offloaded portal must enable HTTP access and be accessed with HTTP The same Scheme between the offloaded portal and the back end SharePoint means that URL Rewriting for the offloaded portal does not need to be enabled The Share session with other local application option must be enabled This check box is located on the Porta...

Page 167: ...rent URL for fetching configuration set the Autodiscover URL as the Virtual Host Alias name Verify that the Autodiscover URL is aligned with the Exchange Server settings 3 Specify the Virtual Host Certificate A wildcard certificate is preferred if Autodiscover is enabled 4 Navigate to the Offloading tab 5 Select Enable Email Clients Authentication 6 Select the Default Domain Name from the drop dow...

Page 168: ...enabled or does not function properly select Manually configure server settings or additional server types to specify Outlook Anywhere settings manually Then click Next 9 On the Microsoft Exchange Settings window click More Settings 10 Under the Connection tab select Connect to Microsoft Exchange using HTTP under the Outlook Anywhere section 11 Next click Exchange Proxy Settings 12 On the Microsof...

Page 169: ...ain with Active Directory Authentication on page 174 Adding or Editing a Domain with LDAP Authentication on page 177 Adding or Editing a Domain with RADIUS Authentication on page 180 Adding or Editing a Domain with Digital Certificates on page 183 Portals Domains Overview The Portals Domains page allows the administrator to add and configure a domain including settings for Authentication type loca...

Page 170: ... listed in the order in which they were created You can reverse the order by clicking the up down arrow next to the Domain Name column heading Removing a Domain To delete a domain 1 Navigate to Portals Domains 2 In the table click the delete icon in the same row as the domain that you wish to delete 3 Click OK in the confirmation dialog box After the SMA SRA appliance has been updated the deleted ...

Page 171: ...d that require authentication to remote authentication servers The SMA SRA appliance supports RADIUS LDAP Active Directory and Digital Certificate authentication in addition to internal user database authentication You can create multiple domains that authenticate users with user names and passwords stored on the SMA SRA appliance to display different portals such as a Secure Mobile Access portal ...

Page 172: ...domain select Local User Database from the Authentication Type drop down list 3 If adding the domain enter a descriptive name for the authentication domain in the Domain Name field maximum 24 characters This is the domain name users select to log in to the Secure Mobile Access portal 4 Select the name of the layout in the Portal Name field Additional layouts can be defined in the Portals Portals p...

Page 173: ...7 Optionally add the number of unique new passwords that is associated with a user account before an old password can be re used for the account in the Enforce password history x passwords remembered field The value specified must be between 0 and 10 passwords 8 Optionally Enforce password minimum length by entering a value between 1 and 14 characters This is the minimum amount of characters accep...

Page 174: ...n E mail domain field appears following the drop down list Type in the domain name where one time password emails are sent for example abc com 13 If Technician Allowed is enabled Secure Virtual Assist can log in as a technician role in this domain 14 Click Accept to update the configuration After the domain has been added the domain is added to the table on the Portals Domains page Adding or Editi...

Page 175: ...login in the Login password field 9 Enter the name of the layout in the Portal Name field Additional layouts can be defined in the Portals Portals page 10 Optionally select the Allow Password Changes Check Box Enabling this feature allows a user to change their password through the Virtual Office portal by selecting Options on the top of the portal page User must submit their old password along wi...

Page 176: ...If you selected if configured or required for all users in the One time passwords drop down list the Active Directory AD e mail attribute drop down list appears in which you can select mail mobile pager userPrincipalName or custom These are defined as mail If your AD server is configured to store email addresses using the mail attribute select mail mobile or pager If your AD server is configured t...

Page 177: ...Accept to update the configuration After the domain has been added the domain is added to the table on the Portals Domains page Active Directory Troubleshooting If your users are unable to connect using Active Directory verify the following configurations The time settings on the Active Directory server and the SMA SRA appliance must be synchronized Kerberos authentication used by Active Directory...

Page 178: ...main name of the Primary LDAP server in the Server Address field 6 Enter the common name and password of a user that has been delegated control of the primary server in the Login Username and Login Password fields 7 Optionally enter the IP address or domain name of a backup LDAP server in the Server Address field under the Backup LDAP server section TIP It is possible for multiple OUs to be config...

Page 179: ...Mobile Access group membership automatically changes to match the external group membership 14 Optionally select One time passwords to enable the One Time Password feature A drop down list appears in which you can select if configured required for all users or using domain name These are defined as if configured Only users who have a One Time Password email address configured uses the One Time Pas...

Page 180: ...min login page This option allows the Secure Mobile Access administrator to configure a domain that allows Secure Mobile Access admin privileges to all users logging into that domain Dell SonicWALL recommends adding filters that allow administrative access only to those users who are in the correct group You can do so by editing the domain on the Users Local Groups page Read only Administrator Use...

Page 181: ...d 6 Enter the RADIUS server port in the RADIUS server port field 7 If required by your RADIUS configuration enter an authentication secret in the Secret Password field 8 Enter a number in seconds for RADIUS timeout in the RADIUS Timeout Seconds field 9 Enter the maximum number of retries in the Max Retries field 10 Under Backup Radius Server enter the IP address or domain name of the backup RADIUS...

Page 182: ... real time to Secure Mobile Access groups based on their external RADIUS filter IDs If a user s external group membership has changed their Secure Mobile Access group membership automatically changes to match the external group membership 19 Optionally select One time passwords to enable the One time password feature A drop down list appears in which you can select if configured required for all u...

Page 183: ...ion Type menu The Digital Certificate configuration field is displayed 3 If adding the domain enter a descriptive name for the authentication domain in the Domain Name field This is the domain name users selects in order to log in to the Secure Mobile Access portal 4 Select one or more certificates from the All CA certificates list to be added to the Trusted CA certificates list The All CA certifi...

Page 184: ...8 5 Administration Guide 184 5 Enter the Username Attribute as CN This uses the CN attribute of the client certificate as the login username 6 Click Accept to save changes Next you need to import the client certificate to your Web browser ...

Page 185: ...rowser s settings 2 Select the CA domain A dialogue window displays Choose a client certificate to authenticate Click OK The authentication completes if the CA of the client certificate is on the Trusted CA certificates list If the client certificate is not on the Trusted CA certificates list the appliance blocks access and displays an error message ...

Page 186: ... the RSA Authentication Manager and RSA SecurID tokens If you are using VASCO you must have the VASCO IdentiKey and Digipass tokens To configure two factor authentication you must first configure a RADIUS domain For information see Adding or Editing a Domain with RADIUS Authentication on page 180 The following sections describe how to configure the supported third party authentication servers Conf...

Page 187: ... Agent Host window displays 3 Enter a hostname for the SMA SRA appliance in the Name field 4 Enter the IP address of the SMA SRA appliance in the Network address field 5 Select Communication Server in the Agent type window 6 By default the Enable Offline Authentication and Enable Windows Password Integration options are enabled Dell SonicWALL recommends disabling all of these options except for Op...

Page 188: ... appliance 5 Enter the IP address of the SMA SRA appliance in the IP Address field 6 Enter the shared secret that is configured on the SMA SRA appliance in the Shared secret field 7 Click OK and close the RSA RADIUS Manager Setting the Time and Date Because two factor authentication depends on time synchronization it is important that the internal clocks for the RSA Authentication Manager and the ...

Page 189: ...d add users to the RSA Authentication Manager To import tokens and add users 1 To import the token file select Token Import Tokens 2 When you purchase RSA SecurID tokens they come with an XML file that contains information on the tokens Navigate to the token XML file and click Open The token file is imported 3 The Import Status window displays information on the number of tokens imported to the RS...

Page 190: ...n the Default Login field 7 Select either Allowed to Create a PIN or Required to Create a PIN Allowed to Create a PIN gives users the option of either creating their own PIN or having the system generate a random PIN Required to Create a PIN requires the user to create a PIN 8 To assign a token to the user click Assign Token Click Yes on the confirmation window that displays The Select Token windo...

Page 191: ...ntication on page 192 Configuring a Policy on VASCO IdentiKey on page 192 Registering the SMA SRA as a VASCO Client on page 192 Configuring a VASCO IdentiKey User on page 193 Importing DIGIPASS on page 193 Assigning a DIGIPASS to a User on page 193 Verifying Two Factor Authentication on page 193 If you are using RSA instead of VASCO see Configuring the RSA Authentication Manager on page 186 Settin...

Page 192: ...ure Mobile Access portal Configuring a Policy on VASCO IdentiKey To add a new policy in the VASCO Identikey Web Administration interface 1 Log in to the Vasco Identikey Web Administration window 2 Click the Policies tab and select Create 3 Fill in a policy name and choose the option most suitable in your situation If you want the policy to inherit a setting from another policy choose the inherit o...

Page 193: ...two ways to assign a DIGIPASS to a user You can search for a DIGIPASS and assign it to a user or search for a user and assign the user to a DIGIPASS 1 Do one of the following On the Users tab select the check box next to the user and then click Assign DIGIPASS On the DIGIPASS tab select the check box next to the DIGIPASS and then click NEXT When a user is assigned to a DIGIPASS a confirmation mess...

Page 194: ...eral properties of any existing load balancing groups Figure 27 Portals Load Balancing Page Configuration Scenarios Load Balancing for Secure Mobile Access is a robust feature that has multiple uses including Balancing a Farm of Web Servers This is useful when the SMA SRA appliance with a higher horse power is offering protection and balancing the load of a relatively low powered farm of Web serve...

Page 195: ...a Load Balancing Group on page 195 Configuring a Load Balancing Group This section provides configuration details for creating a new load balancing group and consists of the following sections Adding a New Load Balancing Group on page 196 Configuring Probe Settings on page 197 Adding New Members to a Load Balancing Group on page 197 Table 28 Load balancing configuration options Option Description ...

Page 196: ...coming request The LB Ratio decides the percentage distribution Weighted Traffic Keeps track of the number of bytes of inbound outbound data to decide which member should handle the next incoming request Least Requests Keeps track of the number of incoming requests excluding successfully completed requests that are currently being serviced to decide which Member should handle the next incoming req...

Page 197: ...sed intervals required to fail the node The default value is 2 3 In the Reactivate Member after field enter the number of successful intervals required to reinstate the node as functional The default value is 2 4 In the Display error page when there is no resource available to fail over text box enter a custom message or Web page to display in the event that all of the configured backend nodes hav...

Page 198: ...RL Based Aliasing group on page 198 Default Site Settings on page 201 URL Based Aliasing Group with Application Offloading on page 202 URL Based Aliasing overview URL Based Aliasing provides the ability to access several different Web sites through one portal using one domain name This feature is designed to be consistent with the Load Balancing setting Because URL Based Aliasing involves rewritin...

Page 199: ...group 1 Navigate to the Portals URL Based Aliasing page 2 Under the URL Based Aliasing Groups section click Add Group The New URL Based Aliasing Group page displays 3 Enter a Group Name in the field provided Then click Accept The newly added group displays on the URL Based Aliasing Groups list ...

Page 200: ...ng entered in this field displays on the Index page Scheme Select from the drop down list the scheme of the backend server Select between HTTP HTTPS or AUTO Application Server Host Enter a Hostname IPv4 address or IPv6 address of the host Port Specify the port number The default value is 443 4 Click Accept to save changes and add a member to the group The newly added member appears on the URL Base...

Page 201: ... 2 Click the Delete icon of the member you wish to delete 3 A confirmation for deleting the member appears Click OK Repeat these procedures for each group you want to delete Default Site Settings The Default Site Settings section provides the ability to set a default site when accessing the portal without any URL specified The default value in the drop down list is Index Page The Default Site Sett...

Page 202: ... portal for a URL Based Aliasing Group 1 Navigate to the Portals Portals page 2 Click Offload Web Application 3 The Portals Portals Add Portal page displays 4 Click the General tab The Portal Settings page displays NOTE Using the URL https portal sonicwall com webmail displays the same page that you can access from webmail sonicwall com However if only https portal sonicwall com is entered you are...

Page 203: ...7 In the Application Offloader Settings section select Enable URL Based Aliasing As a result Enable URL Rewriting for self referenced URLs is automatically selected 8 Select the group you wish to add a portal for from the URL Based Aliasing Group drop down list 9 Click Accept to save changes The portal now displays in the Portals Portals page ...

Page 204: ...iguring Services Clients Services Configuration Device Management Configuration NetExtender Configuration End Point Control Secure Virtual Assist Configuration Secure Virtual Meeting Web Application Firewall Configuration Geo IP and Botnet Filter High Availability Configuration ...

Page 205: ... Services Settings on page 205 Services Bookmarks on page 210 Services Policies on page 225 Services Settings This section provides an overview of the Services Settings page and a description of the configuration tasks available on this page HTTP HTTPS Service Settings on page 206 Citrix Service Settings on page 207 Global Portal Settings on page 207 One Time Password Settings on page 209 Policy M...

Page 206: ...ecure Mobile Access Services including the web server In the Cache Size field define the size of the desired content cache 5 MB is the default setting but administrators can set any size in the valid range from two to 20 MB Select Flush to flush the content cache 2 Check Enable Custom HTTP HTTPS Response Buffer Size if you wish to establish a response buffer Set the desired buffer size using the B...

Page 207: ...configure Citrix Service Settings complete the following steps 1 The SMA SRA appliance always does Citrix client detection when using Citrix Bookmarks Click Disable client detection by Citrix server to disable this feature wen using Citrix Bookmarks Note that this feature is compatible with Citrix XenAPP 5 0 or later 2 Select Enable custom URL for Citrix Java client downloads to use your own HTTP ...

Page 208: ...is shown beside the S shield Copy Paste text across the RDP session The Bookmark administrator can also enable or disable the copy paste functionality in the bookmark settings with the Redirect clipboard option as well as enable or disable the copy paste feature between local and remote sessions with Redirect clipboard and Remote Copy When enabled after launching the bookmark and attempting to cop...

Page 209: ...ne time password email OneTimePassword The user s one time password This should appear at least once in either the email subject or body AD mobile The user s mobile phone as configured in Active Directory AD AD ________ Any other Active Directory AD user attribute See the Microsoft documentation link following the Email Body field for additional attributes 3 In the One Time Password Format drop do...

Page 210: ...ify the amount of days you want the data to be kept in the log The default value is 0 Services Bookmarks The Services Bookmarks page within the Secure Mobile Access web based management interface provides a single interface for viewing bookmarks and access to configure bookmarks for users and groups ...

Page 211: ...pplication Yes Yes No No Remote Audio Yes Yes No No Single Sign on Yes Yes Yes Yes Colors up to 32 bit up to 32 bit up to 32 bit up to 32 bit Resolution Up to 1920x1080 set values Up to 1920x1080 set values Up to 1920x1080 set values Up to 1920x1080 set values Notes Requires Plug in installation Utilizes an installed mstsc client on a remote system Requires Java installed Utilizes an installed mst...

Page 212: ...able 30 SSHv2 feature comparison Feature HTML5 version Java Applet version Automatically Accept Host Key Yes Yes Public Private Keys Authentication No Yes Bypass Username No Yes Adjustable Window Size No Fixed window size in option Yes Log Session No Yes Scroll back No Yes Clipboard No Yes Highlight No Yes Color Options No Yes Store Accepted Host Key Yes No SSO Yes No ...

Page 213: ...ed as a Global Bookmark a Local Domain group bookmark or a bookmark assigned to an individual User 2 Specify the Bookmark Name field with a friendly name for the service bookmark 3 Fill in the Name or IP Address field with hostname IP address or IPv6 address for the desired bookmark IPv6 addresses should begin with and end with Some services can run on non standard ports and some expect a path whe...

Page 214: ...able FTP IP Address IPv6 Address IP Port non standard FQDN Host name 10 20 30 4 2008 1 2 3 4 10 20 30 4 6818 or 2008 1 2 3 4 6818 JBJONES PC sv us sonicwall com JBJONES PC Telnet IP Address IPv6 Address IP Port non standard FQDN Host name 10 20 30 4 2008 1 2 3 4 10 20 30 4 6818 or 2008 1 2 3 4 6818 JBJONES PC sv us sonicwall com JBJONES PC SSHv1 SSHv2 IP Address IPv6 Address IP Port non standard F...

Page 215: ... Folder IP File server 3 sharedfolder server 3 inventory xls server 3 company net sharedfolder server 3company net inventory xls 10 20 30 4 sharedfolder 10 20 30 4 status doc NOTE Use backslashes even on Linux or Mac computers these use the Windows API for file sharing Citrix Citrix Web Interface IP Address IPv6 Address IP Port IP Path or File IP Port Path or File FQDN URL Path or File URL Port UR...

Page 216: ...r features on the local network for use in this bookmark session You can hover your mouse pointer over the Help icon next to certain options to display tooltips that indicate requirements To see local printers show up on your remote machine Start Settings Control Panel Printers and Faxes select Redirect Ports as well as Redirect Printers Select the check boxes for any of the following additional f...

Page 217: ...ally log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the RDP server Select Use custom credentials to enter a custom username password and domain for this bookmark For more information about custom credentials see Creating Bookmarks with Custom SSO Credentials on page 379 Virtual Network Computing VNC In the Encodi...

Page 218: ... the Citrix ICA session select Always use specified Citrix ICA Server and then type the server IP address into the ICA Server Address field Some Citrix deployments have the Citrix Web Interface on one IP address and the ICA server listening on a different address If the Citrix Web Interface and Citrix ICA server do not share the same IP address use this setting to explicitly set the ICA server add...

Page 219: ...an Application Offloaded Web site and this check box is disabled then a security warning dialog is displayed Automatically log in Enable Virtual Host Domain SSO for this bookmark If the host in the bookmark refers to a portal which has the same shared domain with this portal it could be logged in automatically with this portal s credential Mobile Connect The Mobile Connect bookmark allows a custom...

Page 220: ...ully configured the bookmark displays on your mobile device The following example of a Mobile Connect bookmark shows how a user can create a bookmark using Google Earth to display a map with specific directions First the user must create the bookmark with the URL scheme This bookmark is now available to access from your mobile device ...

Page 221: ...irections to Office bookmark a Google Map displays The following example shows another way to use the Mobile Connect bookmark In this example the user adds a bookmark that launches the Phone app on iOS to make a call to the IT Support Hotline This bookmark is now available to access from your mobile device ...

Page 222: ...cess session for log in to the RDP server Select Use custom credentials to enter a custom username password and domain for this bookmark For more information about custom credentials see Creating Bookmarks with Custom SSO Credentials on page 379 Enable Display Bookmark to Mobile Connect clients to send bookmark information to Mobile Connect clients When creating a File Share do not configure a Dis...

Page 223: ...le or disable the launch methods The up and down arrows are used to adjust the launch priority Fork and tick are used to disable or enable the modes Disabled modes are put at the bottom of the list with a gray font color The Choose during Launch option is not enabled by default under the Manual mode In this setting while launching the bookmark the first available mode in the configured list is run...

Page 224: ...available for the client a menu is provided from which you can choose within a five second count down When only one mode is available the bookmark is also run immediately SSHv2 Java Settings Select Authentication with public private keys to support RSA or DSA keys If using an SSHv2 server without authentication such as a Dell SonicWALL appliance you can select Bypass username SSHv2 HTML5 Settings ...

Page 225: ...ns and asks if you are sure you want to delete the specified bookmark Click OK to delete the bookmark The bookmark no longer appears in the Services Bookmarks screen Services Policies The Services Policies page within the Secure Mobile Access web based management interface provides a single interface for viewing service policies and access to configure policies for users and groups See Adding a Po...

Page 226: ...e path into the Server Path field Network Domain list Servers Computer list See Setting File Shares Access Policies on page 351 URL Object If your policy applies to a predefined URL object type the URL into the URL field See Adding a Policy for a URL Object on page 352 IPv6 Address If your policy applies to a specific host enter the IPv6 address of the local host machine in the IPv6 Address field ...

Page 227: ...o delete the specified policy Click OK to delete the policy The policy no longer appears in the Services Policies screen TIP When using Citrix bookmarks in order to restrict proxy access to a host a DENY rule must be configured for both Citrix and HTTP services NOTE Dell SonicWALL recommends that administrators set up a Global Deny ALL policy that allows access to only trusted hosts This prevents ...

Page 228: ... Management Devices on page 228 Device Management Devices Dell SonicWALL Secure Mobile Access obtains the client device s unique Device ID With that information you can view all devices change device status and delete unwanted devices This section provides an overview of the Device Management Devices page and a description of the configuration tasks available on this page Device Management Setting...

Page 229: ...o and Manual 1 The Manual mode means that each device first registered by one user is set to the pending or wait for the administrator to approve status 2 The device will be set as approved by the system in auto mode Auto mode can reduce the workload of the administrator Maximum Device per User This option limits the maximum devices each user can register Security Statement This alert message appe...

Page 230: ...tings at domain level when you enable device register The domain level settings have a higher priority than the global settings ActiveSync Provision Settings ActiveSync Provision Settings can be applied specifically to ActiveSync devices Provision settings can override the settings on a backend Exchange server Mobile devices are not able to sync when the Provision settings are not satisfied Notifi...

Page 231: ...hed the device gets it s status according to the option of the approved method This can reduce the workload of administrator There are two types of device policies Device Id and OS The Device Id has a higher priority than OS by default There are also two Operators Matches Regex and Equals String Equals String is case sensitive Equals String has priority to Matches Regex by default The Action optio...

Page 232: ... Administration Guide 232 Device Management Log The Device Management Log helps you acquire additional information about your devices including logs on new device register requests device status changes deleted devices and mail notifications ...

Page 233: ...appliance supports client certificates in both the standalone Windows NetExtender client and the NetExtender Mobile client On Windows systems NetExtender supports establishing a VPN session before logging in to Windows NetExtender supports IPv6 client connections from Windows systems running Vista or newer and from Linux clients An IPv6 address pool for NetExtender is optional while an IPv4 addres...

Page 234: ...Global NetExtender IP Address Range on page 235 Configuring Global NetExtender Settings on page 236 Table 33 NetExtender Status Status Item Description Name The user name NetExtender Client IP Address The IP address assigned by NetExtender to the client machine User s Source IP Address The IP address of the workstation which the user is logged into Location The geographical location of the source ...

Page 235: ...IPv4 address pool is required The global NetExtender IP range defines the IP address pool from which addresses is assigned to remote users during NetExtender sessions The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support plus one for example the range for 15 users requires 16 addresses such as 192 168 200 100 to 192 168 200 115 The...

Page 236: ...e Client Address Range End field 8 Click Accept 9 The Status message displays Update Successful Restart for current clients to obtain new addresses To specify your global NetExtender address range using a DHCP 1 Navigate to the NetExtender Client Settings page 2 Under NetExtender Client Address Range select Use DHCP from the drop down list 3 Under Select Interface use the drop down list to select ...

Page 237: ...xy server After enabling the Internal Proxy feature users are able to specify which Proxy server to use After NetExtender connects to the SMA SRA appliance the internal proxy settings are pushed to the client and used as proxy settings for the NetExtender virtual adapter To configure Internal Proxy settings 1 Navigate to the NetExtender Client Settings page 2 Under Internal Proxy Settings select E...

Page 238: ...se Files boxes and vice versa The script files in the In Use Files box runs after the client is connected 8 Click Accept to save settings Figure 32 NetExtender Client Settings Post Connection Scripts NetExtender Client Routes This section provides an overview of the NetExtender Client Routes page and a description of the configuration tasks available on this page NetExtender Client Routes Overview...

Page 239: ...te dialog box displays 4 In the Add Client Route dialog box in the Destination Network field type the IP address of the trusted network to which you would like to provide access with NetExtender For example if you are connecting to an existing DMZ with the network 192 168 50 0 24 and you want to provide access to your LAN network 192 168 168 0 24 you would enter 192 168 168 0 You can enter an IPv6...

Page 240: ...tExtender Traffic Log Traffic logging allows you log traffic information over the NetExtender tunnel by enabling the Allow logging Nx Traffic You can configure how many days to keep the log data where expired data is automatically removed Leave the value as 0 to keep log data forever View the log data in the NetExtender Log page Post Connection Scripts Administrators are now able to upload or dele...

Page 241: ...64 bit Android Apple iOS NetExtender Log The NetExtender Log page allows you to view and search for data logs If you enabled logging NetExtender traffic on the NetExtender Advanced Settings page you are able to view the data logs on this page The following options are available Search Enter a value you want to search for in the Logs then click Search Optionally you can select a specific field in t...

Page 242: ...ecessary resources while restricting access to sensitive resources to only those who require it This section contains the following subsections Configuring User Level NetExtender Settings on page 242 Configuring Group Level NetExtender Settings on page 246 Configuring User Level NetExtender Settings All of the global settings for NetExtender IP address ranges DNS settings client routes and client ...

Page 243: ...ration Guide 243 3 Click on the Nx Settings tab See also Configuring User Client IP Address Range on page 244 Configuring User DNS Settings on page 244 Configuring User NetExtender Settings on page 244 Configuring User NetExtender Routes on page 245 ...

Page 244: ...pposed to simply disconnecting To reconnect users should return to the Secure Mobile Access portal and click NetExtender This option only applies to Windows clients It does not apply to Android Mac or Linux clients Create Client Connection Profile The NetExtender client creates a connection profile recording the SMA SRA server name the domain name and optionally the username and password The User ...

Page 245: ...at steps 1 through 5 for all necessary routes 7 Select Enabled from the Tunnel All Mode drop down list to force all traffic for this user including traffic destined to the remote users local network over the Secure Mobile Access NetExtender tunnel 8 To also add the global NetExtender client routes which are configured on NetExtender Client Routes page to the user select Add Global NetExtender Clie...

Page 246: ...rators to easily segment groups and users without the need of configuring firewall rules to govern access This user segmentation allows for granular control of access to the network allowing users access to necessary resources while restricting access to sensitive resources to only those who require it To configure custom settings for groups 1 Navigate to the Users Local Groups page ...

Page 247: ...tender settings can be configured for the group Exit Client After Disconnect The NetExtender client exit when it becomes disconnected from the SMA SRA server To reconnect users in the group should either return to the Secure Mobile Access portal and click NetExtender or launch NetExtender from their Programs menu Uninstall Client After Exit The NetExtender client automatically uninstalls when it t...

Page 248: ...der Routes To configure NetExtender client routes 1 To add a NetExtender client route that is only added to this user click the Nx Routes tab in the Edit User Settings window 2 To add a NetExtender client route that is only added to users in this group click Add Client Route 3 Type the IPv4 or IPv6 address of the trusted network to which you would like to provide access with NetExtender in the Des...

Page 249: ...vices participating in the SMA SRA EPC is checked when users log in to the web portal from a web browser that blocks any access to the private network from untrusted sites The EPC portal checking process uses the browser plug ins on your system EPC is supported on iOS and Android mobile devices using Mobile Connect allowing device profiles to be created for these mobile devices This provides secur...

Page 250: ... on various global group or user attributes For example you can select groups that use an Antivirus program or users with a specific Windows version Two kinds of profiles are available Allow profiles and Deny profiles Allow profiles identify attributes of the client s network that must be present before a user is authenticated and Deny profiles identify attributes of the network that cannot be pre...

Page 251: ...ows the user the EPC check has failed The Administrator could enter text to indicate how to fix the issue or the reason the policy failed 9 To complete the profile click Accept at the upper right of the page Users Local Groups Edit EPC Settings After creating device profiles assign them to the local groups that uses them to authenticate users Device profiles can be Allow profiles and Deny profiles...

Page 252: ...ins from these portals when EPC is enabled 5 EPC is supported for iOS and Android mobile clients In the Enable Mobile Client Login field set the default action to Enabled to allow or Disabled to block logins from these clients when EPC is enabled 6 Fields in the Recurring EPC section vary depending on whether you are configuring EPC for the Global group or a local group To configure EPC for the Gl...

Page 253: ...move a Deny profile for the group click Add Deny Profiles and follow the preceding steps b and d 8 Click Accept to save your changes Users Local Users Edit EPC Settings After creating device profiles assign them to the local users Device profiles can be Allow profiles and Deny profiles Allow profiles identify attributes of the client s network that must be present before a user is authenticated an...

Page 254: ...hen users login or select Check endpoint at login and every x minutes thereafter to also do EPC checks at set intervals For example to do EPC checks whenever a user logs in and every x minutes thereafter while the user is logged in select Check endpoint at login and every x minutes thereafter and type the number of minutes to wait between EPC checks 7 Fields in the Recurring EPC section vary depen...

Page 255: ...age select the profiles from the All Profiles list that you want to add for the user and click Add selected profiles Selected profiles are then moved to the In Use Profiles list on the page that lists all device profiles that are used for the user c To remove an Allow profile for the user select the profile from the In Use Profiles list and click Remove selected profiles d To add or remove a Deny ...

Page 256: ...Figure 35 End Point Control Status 1 Select Allow auto update to enable the OPSWAT to update automatically 2 The Installed version displays the current version being used 3 Click Check Update to instantly query if there are any available updates If there is a new update available the button changes to Apply Update 4 The Service Expiration Date displays when the current service expires 5 Click Prev...

Page 257: ...globally enabled or disabled on the End Point Control Settings page When EPC is disabled it is disabled at the global group and user level The Settings page also is used to customize the message displayed when a NetExtender client login fails EPC security checking Figure 36 End Point Control Settings ...

Page 258: ...g to send the log to the e mail address configured on the Log Settings page Use the Search options to filter log messages Note that the search is case sensitive In the drop down menu select the field you want to search in Click Search to only display messages that match the search string Click Exclude to hide messages that match the search string Click Reset to display all messages Change the valu...

Page 259: ...ion on Secure Virtual Assist concepts see Secure Virtual Assist Overview on page 49 You can also view the Secure Mobile Access Secure Virtual Meeting and Secure Virtual Assist Feature Module for additional information Topics Secure Virtual Assist Status on page 259 Secure Virtual Assist Settings on page 260 Secure Virtual Assist Log on page 266 Secure Virtual Assist Licensing on page 266 Secure Vi...

Page 260: ...echnician Session on page 52 Performing Secure Virtual Assist Technician Tasks on page 54 Secure Virtual Assist Settings This section describes the Secure Virtual Assist Settings page and the configuration tasks available on this page The Virtual Assist options are divided into the following tabs General Settings on page 260 Request Settings on page 262 Notification Settings on page 263 Customer P...

Page 261: ...e beginning a Virtual Assist session 8 Optional To change the URL that customers use to access Virtual Assist enter it in the Customer Access Link field This might be necessary if your SMA SRA appliance requires a different access URL when outside the network The default URL is https server name cgi bin supportLogin When entering a URL the https are automatically prepended to your entry and cgi bi...

Page 262: ... the Virtual Assist queue enter a value in the Maximum Request field 4 Optionally you can customize the message that is displayed to customers when the queue is full in the Limit Message field The message is limited to 256 characters 5 Entering a value in the Maximum requests From One IP field can be useful if individual customers are repeatedly requesting help However this might cause problems fo...

Page 263: ...ail Address for Invitation The default source email These three fields support the following variables to customize and personalize the invitation EXPERTNAME The name of the technician sending the invitation email CUSTOMERMSG The disclaimer configured on the General Settings tab SUPPORTLINK The URL for accessing Virtual Assist ACCESSLINK The URL for accessing the Secure Mobile Access Virtual Offic...

Page 264: ...rtal 1 On the Secure Virtual Assist Settings page click the Customer Portal Settings tab at the bottom of the page 2 Configure the following options to customize the appearance of the customer portal Show Company Logo Displays the company logo that is configured on the Logo tab of the Edit Portal window Show Company Copyright Displays the copyright at the bottom of the page ...

Page 265: ...equests from specific IP addresses or networks select Deny from the Request From Defined Addresses drop down menu 3 To allow Virtual Assist requests only from specific IP addresses or networks select Allow from the Request From Defined Addresses drop down menu 4 To add an IP address or network to the Deny or Allow list click Add The Admin Addresses window displays See Adding an Address to Restrict...

Page 266: ...e Virtual Assist Log summary page click Back Click Export Log to save a zip file containing the full text of all logged sessions The log contains a summary file and a detail file for each session The files can be viewed in Microsoft Word Click Clear Log to erase all log messages Click Email Log to send the log to the email address configured on the Log Settings page The Search options allow you to...

Page 267: ...ministrator rights are not required for basic screen sharing support For full installation of the client admin rights might be necessary but full installation is not necessary to use the service Secure Virtual Access or unattended mode requires admin rights To configure Virtual Assist 1 To purchase and activate a Secure Virtual Assist license navigate to System Licensing and click on the link to A...

Page 268: ...ugh the client 6 Select Display Request Help Button to display the help button on the Virtual Office for users to launch Virtual Assist 7 Select Enable Virtual Access Mode to allow Secure Virtual Access connections to be made to this portal This must be enabled for Virtual Assist to function on this portal 8 Select Display Virtual Access Setup Link to display the Secure Virtual Access Setup link o...

Page 269: ...Status on page 269 Secure Virtual Meeting Settings on page 270 Secure Virtual Meeting Log on page 272 Secure Virtual Meeting Licensing on page 272 For information about using Virtual Meeting see the Dell SonicWALL Secure Mobile Access User Guide You can also view the Secure Mobile Access Secure Virtual Meeting and Secure Virtual Assist Feature Module for additional information Secure Virtual Meeti...

Page 270: ...llow Participants to join the meeting without clicking the link in the e mail invitation Participants run the Virtual Meeting client and join the meeting directly with a meeting code set by the Coordinator 3 Select Allow starting meeting without meeting creator to allow a meeting to start without the Coordinator present If enabled and a scheduled meeting has no Coordinator in the meeting room at t...

Page 271: ...ers in the lobby is limited to nine 5 2 3 licenses available 3x3 9 licenses for meeting users available Notification Settings To configure Virtual Meeting notification settings 1 On the Secure Virtual Meeting Settings page click the Notification Settings tab at the bottom of the page 2 In the Subject of Invitation field type the subject used for Virtual Meeting e mail invitations sent to Participa...

Page 272: ...rch to display only messages that match the search string Click Exclude to hide messages that match the search string Click Reset to display all messages Change the value in the Items per page field to display more or fewer log messages Click the forward or backward arrows to scroll through the pages of the log messages Click any of the headings to sort the displayed log messages by heading Secure...

Page 273: ...ection is active and screen sharing is occurring Licensing Information The Secure Virtual Meeting Licensing page displays the Secure Virtual Assist license status that is also displayed on the System Licenses page See Licensing Overview on page 272 for an explanation of how Secure Virtual Assist licenses are used for Secure Virtual Meeting The Licensing page also contains links to the System Licen...

Page 274: ...plication Firewall Overview on page 63 Topics Licensing Web Application Firewall on page 274 Configuring Web Application Firewall on page 277 Verifying and Troubleshooting Web Application Firewall on page 318 Licensing Web Application Firewall The Secure Mobile Access Web Application Firewall must be licensed before you can begin using it You can access the MySonicWALL Web site directly from the S...

Page 275: ...click the System Licenses link The System Licenses page is displayed 3 Under Manage Security Services Online click the Activate Upgrade or Renew services link The MySonicWALL Login page is displayed 4 Type your MySonicWALL credentials into the fields and then click Submit 5 The System Licenses page is displayed ...

Page 276: ... for 1 year The screen that follows is displayed after selecting the free trial 7 Click Synchronize to view the license on the System Licenses page Web Application Firewall is now licensed on your SMA SRA appliance Navigate to Web Application Firewall Settings to enable it and then restart your appliance to completely activate Web Application Firewall ...

Page 277: ...tion Firewall service and signature database and displays the license status and expiration date Synchronize allows you to download the latest signatures from the Dell SonicWALL online database You can use Download to generate and download a PCI compliance report file Viewing Status and Synchronizing Signatures To view the status of the signature database and Web Application Firewall service licen...

Page 278: ...e If this automatic update option is enabled Apply disappears from the Web Application Firewall Status screen as soon as the new signatures are automatically applied 3 To synchronize the signature database with the Dell SonicWALL online database server click Synchronize The timestamp is updated Downloading a PCI Compliance Report To download a PCI DSS 6 5 6 6 compliance report 1 Navigate to Web Ap...

Page 279: ...ng Global Exclusions on page 280 Configuring Intrusion Prevention Error Page Settings on page 281 Configuring Cross Site Request Forgery Protection Settings on page 282 Configuring Cookie Tampering Protection Settings on page 283 Configuring Web Site Cloaking on page 284 Configuring Information Disclosure Protection on page 285 Configuring Session Management Settings on page 286 Enabling Web Appli...

Page 280: ...ilable You do not have to click Apply on the Web Application Firewall Status page to apply the new signatures 5 Select the desired level of protection for High Priority Attacks in the Signature Groups table Select one of the following options Select Prevent All to block access to a resource when an attack is detected Selecting Prevent All automatically selects Detect All turning on logging Clear P...

Page 281: ... path to a particular folder or file along with the host The protocol port and the request parameters are simply ignored in the URL If a path is configured then the exclusion is recursively applied to all subfolders and files For instance if Host is set to webmail company com exchange then all files and folders under exchange are also excluded 5 Click Add to move the host name into the list box 6 ...

Page 282: ... log entries are created in both the Web Application Firewall Logs and Logs View pages For more information about CSRF XSRF attacks see How is Cross Site Request Forgery Prevented on page 68 To configure the settings for CSRF protection with the URL Rewrite based Protection Method 1 Expand the Cross Site Request Forgery CSRF XSRF Protection section 2 In the Portals drop down list select the Portal...

Page 283: ...l of protection against cookie tampering You can select Detect Only to log these attacks or Prevent to log and block them Select Disabled to disable cookie tampering protection on the portal 4 For Encrypt Server Cookies select Name to encrypt cookie names and or select Value to encrypt cookie values This affects client side script behavior because it makes cookie names or values unreadable Only se...

Page 284: ...e 11 To clear the Detected Cookies list click Clear 12 When finished click Accept Configuring Web Site Cloaking Under Web Site Cloaking you can filter out headers in response messages that could provide information to clients about the backend Web server that could possibly be used to find a vulnerability To configure Web site cloaking 1 Expand the Web Site Cloaking section 2 In the Block Response...

Page 285: ...ation Disclosure Protection section The table contains a row for each possible pattern or representation of a social security number or credit card number that Web Application Firewall can detect in the HTML response 2 Select Enable Credit Card SSN Protection 3 In the Mask Character drop down list select the character to be substituted when masking the SSN or credit card number 4 In the table sele...

Page 286: ... you can control whether the logout dialog window is displayed when a user logs into the user portal or into an application offloaded portal You can also set the inactivity timeout for users in this section To configure session management settings 1 Expand the Session Management section 2 Select Launch Logout Dialog Window after Login to display the session logout popup dialog box when the user po...

Page 287: ...earch and click Search Or click Exclude to display only signatures that do not contain the key word Click Reset to display all signatures All matches are highlighted The default is 50 signatures per page On the Web Application Firewall Settings page global settings must be set to either Prevent All or Detect All for the Signature Group to which the specific signature belongs If neither is set that...

Page 288: ... host or for all hosts If the signature group to which the signature belongs is set globally to Detect All you can raise the level of protection to Prevent for the configured hosts If no hosts are configured the action is applied to the signature itself and acts as a global setting for all hosts This change blocks access to a host when the attack signature is detected Similarly you can lower the l...

Page 289: ...e Access verifies that each host entry is valid If no hosts were specified a dialog box confirms that this is a global action to be applied to the signature itself 7 Click OK in the confirmation dialog box 8 Click Accept on the Web Application Firewall Signatures page to apply the updated settings New settings are applied to any new HTTP connections and requests The existing HTTP connections and r...

Page 290: ...uests The existing HTTP connections and requests continue to use the old settings until they are terminated Determining the Host Entry for Exclusions When configuring an exclusion either globally or per signature you must provide the host name or IP address The affected hosts must match the host names used in your HTTP S bookmarks and Citrix bookmarks and the virtual host domain name configured fo...

Page 291: ...he Host Entry in an Off loaded Application You can determine exactly what host name to enter in your exclusion by viewing the configuration details of the off loaded application In an off loaded application you use the virtual host domain name To view the virtual host domain name in an off loaded application 1 Navigate to the Portals Portals page and click Configure next to the off loaded applicat...

Page 292: ...ptable by an application Other inputs are denied providing positive security enforcement When you place the SMA SRA appliance in learning mode in a staging environment it learns valid inputs for each URL accessed by the trusted users At any point during or after the learning process custom rules can be generated based on the learned profiles For more information about application profiling see How...

Page 293: ...n to take when the rule chain matches some traffic Figure 45 shows all rule chain fields Rules in the Web Application Firewall Rules page can be divided into pages and filtered by searching for a key word To display only rules containing a key word in all fields or a specific field type the key word in the Search field select All Fields or a specific field to search and click Search Or click Exclu...

Page 294: ...t matches an undesirable value for another element of the HTTP S traffic When the rule chain both rules matches some traffic the configured action is done to block or log the bad traffic from that URI or portal When the request is blocked the user sees a custom block page such as that in Figure 46 Figure 46 Block Page The Web Application Firewall Monitoring page also shows the activity in the grap...

Page 295: ...g Application Profiling You can create URL profiles by putting the SMA SRA appliance into learning mode while applications are in use by trusted users and then use those URL profiles to generate rule chains that prevent malicious misuse of the applications To configure application profiling and automatically generate rules 1 Navigate to the Web Application Firewall Rules page 2 Under Application P...

Page 296: ...rocess Trusted users should be using the relevant applications on the selected portal during the active profiling period Begin Profiling changes to End Profiling Profiling continues until you click End Profiling During profiling the Secure Mobile Access records inputs and stores them as URL profiles The URL profiles are listed as a tree structure on the Web Application Firewall Rules page in the A...

Page 297: ...dified those changes are incorporated If rule chains are successfully generated the status bar indicates how many rule chains were generated including any that were overwritten 12 If you do not want to accept the generated rule chains click Delete Selected Rule Chains that is available following the rule chain list All of the automatically added rule chains are pre selected right after generation ...

Page 298: ...sabled The rule chain should not take effect The Disabled option allows you to temporarily deactivate a rule chain without deleting its configuration 5 In the Description field type a short description of what the rule chain matches or other information 6 Select a category for this threat type from the Category drop down list This field is for informational purposes and does not change the way the...

Page 299: ...configured rule chains are not automatically detected at the time of configuration When a misconfiguration occurs the administrator must log in and fix or delete the bad rules It is difficult to detect a false positive from a misconfigured rule chain unless a user runs into it and reports it to the administrator If the rule chain has been set to PREVENT then the user sees the Web Application Firew...

Page 300: ...e security model In a positive security model policies are written only to allow known traffic and block everything else A rule has several components Variables These are HTTP protocol entities that are scanned by Web Application Firewall to help identify legitimate or illegitimate traffic Multiple variables can be matched against the configured value in the Value field The and buttons allow you t...

Page 301: ... Application Firewall to help identify legitimate or illegitimate traffic Multiple variables can be matched against the configured value in the Value field The and buttons allow you to add variables from the Variables drop down list or delete them from the list of selected variables You can combine multiple variables as required to match the specified value If multiple variables are configured the...

Page 302: ...ame in the selection field to the right of the colon Remote Address No Refers to the client s IP address This variable allows you to allow or block access from certain IP addresses Request Header Values Yes Refers to the collection of all HTTP S request header values for the current request To match against some aspect of the entire list of request header values leave the selection field empty To ...

Page 303: ...atch the host and another would specify other criteria for the match Portal Address No Refers to the IP address or virtual IP address of the Secure Mobile Access portal which accepts the request from the client Request Path No Refers to the relative path used to access a particular resource in a Web site Table 35 Rule Operators Operator Type Description Contains String One or more of the scanned v...

Page 304: ...ator Convert to Lowercase Use the Convert to Lowercase measure when you want to make case insensitive comparisons by converting the input to all lowercase before the comparison When you use this measure make sure that strings entered in the Value field are all in lowercase This is an anti evasive measure to prevent hackers from changing case to bypass the rule Normalize URI Path Use the Normalize ...

Page 305: ...Anti Evasive Measures list to compute the length of the password form parameter The action for the rule chain would be set to Prevent Figure 49 shows the rule chain for this example URL Decode URL Decode Unicode Use the URL Decode measure to decode URL encoded strings in the input Use the URL Decode Unicode measure to handle uXXXX encoding URL encoding is used to safely transmit data over the Inte...

Page 306: ... does not match the name of the valid parameter formId It uses the Equals String operator with the Not inversion check box selected 2 The second rule chain contains two rules The first rule identifies the URL where the form is submitted The second rule checks if the value contained by the Parameter Value formId variable matches the regular expression d 1 4 which matches anything that consists of 1...

Page 307: ...pass foo BAR in the request and evade the rule To prevent this evasion the administrator specifies Convert to Lowercase as an anti evasive measure and configures the value as foo bar in all lower case This causes all request parameter values to be converted to lower case and compared against the value for a case insensitive check Similarly the hacker could pass foo 20BAR which is the URL encoded v...

Page 308: ... blank For example to test whether a certain parameter exists in the request you could select the Parameter Names variable and then type the specific parameter name into the Value field but not into the variable selection field 5 Click Plus to add the variable to the rule Repeat Step 2 through Step 5 to add more variables To delete a variable select it in the large text box and click Minus 6 Selec...

Page 309: ...the page that is currently displayed 2 To turn streaming on or off click the ON or OFF indicator next to Streaming Updates 3 To refresh the display click Refresh 4 To clear all Web Application Firewall statistics from the graphs and list click Clear Graphs 5 To generate a PDF report containing Web Application Firewall statistics click Download Report 6 If prompted to install Adobe Flash Player cli...

Page 310: ...Web server status graphs the Web Application Firewall Monitoring page displays graphs indicating the number of detected and prevented threats Two graphs are presented one showing the number of threats over time and the other showing the top ten threats that were detected and prevented during that time frame You can change the time frame displayed in both graphs or change the view to display all th...

Page 311: ...ph select All in Lists from the Monitoring Period drop down list Figure 54 shows the list format The Severity column of the threat list is color coded for quick reference as follows High severity threats Red Medium severity threats Orange Low severity threats Black The initial default sorting order lists the high severity threats with highest frequency values first You can change the order of list...

Page 312: ...ls about a threat click on the threat The details include the following URL The URL to the Dell SonicWALL knowledge base for this threat Category The category of the threat Severity The severity of the threat either high medium or low Summary A short description of how the threat behaves 3 To collapse the threat details click the threat link again Changing Perspective For the Top 10 Threats graph ...

Page 313: ...y control the statistics that are displayed on this page On the Global tab you can use the control buttons to turn streaming updates on or off refresh the data on the page and download a report If streaming is turned on Web Application Firewall statistics information is fetched periodically and displayed in the graphs and threat list If streaming is turned off no new information can be displayed T...

Page 314: ...ted and prevented threats Two graphs are presented one showing the number of threats over time and the other showing the top ten threats that were detected and prevented during that time frame You can change the time frame displayed in both graphs by selecting one of the following options from the Monitoring Period drop down list Last 12 Hours Last 14 Days Last 21 Days Last 6 Months Figure 55 show...

Page 315: ...current Synchronize the Database from the Web Application Firewall Status page Using Web Application Firewall Logs The Web Application Firewall Log page provides a number of functions including a flexible search mechanism and the ability to export the log to a file or email it The page also provides a way to clear the log Clicking on a log entry displays more information about the event See the fo...

Page 316: ...k the left most button in the arrow control pad 4 To view the previous page of log entries click the left arrow in the arrow control pad 5 To view the next page of log entries click the right arrow in the arrow control pad 6 To view the last page of log entries click the right most button in the arrow control pad Viewing Log Entry Details The log entry details vary with the type of log entry The U...

Page 317: ...do one of the following To open the file click Open To save the file click Save then browse to the folder where you want to save the file and click Save 3 To email the log contents click E Mail Log in the top right corner of the Web Application Firewall Log page The log contents are emailed to the address specified in the Log Settings page Clearing the Log You can remove all entries from the Web A...

Page 318: ...ookup diagnostic utilities to ensure that there is connectivity to the backend server License Manager Peer Identity failed Check certs and time The License Manager server or the signature database server might not have a valid SSL Certificate License Manager Reset called The device licenses have been reset Navigate to the System Licenses page to activate upgrade or renew licenses Web Application F...

Page 319: ...for traffic inspection This could imply that no new signatures were found since the firmware update If an attempt to download is revealed in the logs earlier then this message could also imply that the update could not be processed successfully because of database errors and as a precautionary measure the factory default database has been used NOTE You can select the Apply Signature Updates Automa...

Page 320: ... a strong and anti evasive defense against any rogue activity from Botnets using a dynamically updated database maintained by Dell SonicWALL Botnets pose huge security risks such as Denial of Service DoS attacks and Data Leakage They are hard to identify and control because of the transient nature of their origins These features are disabled by default Topics Status on page 320 Settings on page 32...

Page 321: ...plays the most recent timestamp of the cache Service Expiration Date shows the license expiration date of the Geo IP Botnet Filter service License Status identifies whether the Geo IP Botnet Filter service is licensed The Geo IP Botnet Filter is a subscription service that includes a free trial When the Geo IP Botnet Filter is licensed but disabled the Status page displays a warning that contains ...

Page 322: ...eeting Status and User Status pages that identifies the location of users source IP addresses Mousing over an icon in the Location column displays the City if applicable Region and Country of the source IP 2 Click Accept When this feature is enabled the General Settings section displays four sub features that can be individually enabled or disabled Enforce Geo IP Policy Select this option to enfor...

Page 323: ...e IP addresses For web access user are redirected to the CAPTCHA page as shown in the following figure A countdown timer tells the time that remained for the user to complete remediation The user must finish remediation within limited time otherwise user IP address is added to the block list and all access from the aggressive IP address is blocked for a period of time If remediation is successful ...

Page 324: ... on the Settings page Botnet Filter policies have a higher priority than Geo IP policies Geo IP policies are prioritized by the time they were created with those created first having the higher priority Botnet Filter policies defined for a single IP address have a higher priority than Botnet Filter policies defined for a subnet and each type is then prioritized based on the time they were created ...

Page 325: ...P Botnet Filter Log page lists information detected by the Geo IP Botnet Filter Location information that identifies the geographical location of the source IP for each event log message generated by Geo IP Location information is also displayed on applicable Secure Mobile Access log and status pages If Geo IP Logging is disabled this column contains a Not Logged icon If a location or country flag...

Page 326: ... down list to the right of the Search field 3 Do one of the following To start searching for log entries containing the search value click Search To start searching for log entries that do not contain the search value click Exclude To clear the Search field and display the first page of log entries click Reset Controlling the Log Pagination To adjust the number of entries on the log page and displ...

Page 327: ... in the top right corner of the Geo IP Botnet Filter Log page The File Download dialog box is displayed 2 In the File Download dialog box do one of the following To open the file click Open To save the file click Save then browse to the folder where you want to save the file and click Save 3 To email the log contents click E Mail Log in the top right corner of the Geo IP Botnet Filter Log page The...

Page 328: ... a free trial that expires one year after the release date The licensing status of the Geo IP Botnet Filter subscription service is shown on the Geo IP Botnet Filter Licensing page The Licensing page also includes a brief description of the feature and a link to the System Licenses page where you can activate upgrade and renew licenses ...

Page 329: ...cal FAQ on page 336 High Availability Overview High Availability requires one SMA SRA appliance configured as the primary device and an identical SMA SRA configured as the backup device Figure 57 High availability configuration During normal operation the primary device is in an active state and services all connections The backup device is in an idle state When the primary device loses connectivi...

Page 330: ...trol traffic The HA link should connect the identical ports of the SMA SRA HA Pair for example X3 of the primary appliance to X3 of the backup appliance During normal operation the primary device is in an active state and services all connections while the backup device is in an idle state When the primary device loses connectivity the backup transitions to the active state and begins to service o...

Page 331: ...High Availability To enable High Availability and configure the options in the High Availability Settings section 1 In a browser log in to the primary unit and navigate to the High Availability Settings page 2 Select Enable High Availability NOTE The contents of this page vary slightly for a Virtual Appliance as explained in Configuring High Availability Settings on a Virtual Appliance on page 333...

Page 332: ...gger Level This is the number of heartbeats that must be missed before failover occurs The minimum is four and the maximum is 99 6 In the Primary Serial Number field type in the serial number of the primary device The maximum length is 12 characters 7 In the Backup Serial Number field type in the serial number of the backup device The maximum length is 12 characters 8 Click Accept 9 In the browser...

Page 333: ...ty for a Virtual Appliance and configure the options in the High Availability Settings section 1 In a browser log in to the primary unit and navigate to the High Availability Settings page 2 Select Enable High Availability The HA interface can only be set when the unit is in the HA unconnected mode and both units must be set to the same interface 3 Select Primary Appliance if this Virtual Applianc...

Page 334: ...h Availability on the backup unit When you click Accept the backup device becomes IDLE and you are no longer able to access it with its IP address The primary device is now Active with the same settings it had before the HA configuration The appliances in the HA Pair immediately begin to synchronize data from the primary to the backup unit When failover occurs and the primary is down the backup un...

Page 335: ...eld 3 Click Accept Configuring Management Settings for Idle Unit In the Network Monitoring Address section you can configure management settings for the idle unit High Availability configuration is limited for SMA 500v Virtual Appliances Use the High Availability Settings page to enable High Availability on the SMA 500v Virtual Appliance designate it as the primary or secondary unit and select the...

Page 336: ...an the idle device be used separately No After HA is configured only one device can be in use at any one time During failover the Idle device becomes Active Two devices in HA mode cannot be used as separate SMA SRA appliances 2 What happens if we remove the HA interface cable from the devices If you remove the HA interface cable then the IDLE device can be re configured to work as a standalone How...

Page 337: ...When settings are changed clicking Accept synchronizes settings 8 Does the HA configuration for SMA SRA appliances differ from the HA configuration of Dell SonicWALL firewall devices Yes HA configuration on a firewall is very different Along with other items firewall HA is also available in Active Active state and can be assigned a virtual IP address HA with SMA SRA appliances is currently availab...

Page 338: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide Part 4 338 Configuring Users Logs Users Configuration Log Configuration ...

Page 339: ...on provides general information about how the SMA SRA appliance manages users through a set of hierarchical policies This section contains the following sub sections Access Policies Concepts on page 340 Access Policy Hierarchy on page 340 Figure 58 Users Status Page When Streaming Updates is set to ON the Users Status page content is automatically refreshed so that the page always displays current...

Page 340: ...wo or more IP address ranges are configured then the smallest address range takes precedence Host names are treated the same as individual IP addresses Network objects are prioritized just like other address ranges However the prioritization is based on the individual address or address range not the entire network object For example Policy 1 A Deny rule has been configured to block all services t...

Page 341: ...341 Removing a User on page 342 Adding a Local User on page 342 Editing User Settings on page 343 For global configuration settings see Global Configuration on page 413 Users Local Users Overview The Users Local Users page allows the administrator to add and configure users Local Users The Local Users section allows the administrator to add and configure users by specifying a user name selecting a...

Page 342: ...r password at set intervals or the next time they login To force a user to change their password at set intervals type the expiration interval in the Passwords expire in x days field 8 If you set a password expiration interval type the number of days before expiration that users should receive notifications in the Show warning x days before password expiration field When configured and a password ...

Page 343: ...e then global policies and bookmarks applies to users authenticating to an external authentication server When working with external non LocalDomain users a local user entity must exist so that any user created personal bookmarks can be stored within the Secure Mobile Access configuration files Bookmarks must be stored on the SMA SRA appliance because LDAP and RADIUS external domains do not provid...

Page 344: ... Edit User Settings window displays The General tab displays the following non configurable fields User Name Primary Group In Domain and User Type If information supplied in these fields needs to be modified then remove the user as described in Removing a User on page 342 and add the user again 3 To set or change the user password type the password in the Password field Re type it in the Confirm P...

Page 345: ...cy select Use group policy 8 To allow users to add new bookmarks select Allow from the Allow user to add bookmarks drop down menu To prevent users from adding new bookmarks select Deny To use the group policy select Use group policy Bookmark modification controls provide custom access to predetermined sources and can prevent users from needing support 9 Under Single Sign On Settings select one of ...

Page 346: ...groups upon login 7 Click Accept Modifying Portal Settings The Portal tab provides configuration options for portal settings for this user To configure portal settings for this user 1 On the Portal tab under Portal Settings select one of the following portal settings for this user Use group setting The setting defined in the group to which this user belongs are used to determine if the portal feat...

Page 347: ...ld f If using IPv6 supply an ending client IPv6 address in the Client Address Range End field 4 Under NetExtender Client Settings Select one of the following from the Exit Client After Disconnect drop down list Use group setting Take the action specified by the group setting See Editing Group Settings on page 384 Enabled Enable this action for the user Overrides the group setting Disabled Disable ...

Page 348: ...nfiguration is allowed globally by group or per user 10 In the Internal Proxy Settings section select from the drop down list to enable or disable the Internal Proxy feature See NetExtender Client Settings on page 234 for more information 11 Click Accept To enable NetExtender ranges and configure DHCP client settings for a user 1 Navigate to Users Local Users 2 Click the configure icon next to the...

Page 349: ...r more information 9 Click Accept Modifying NetExtender Client Routes The Nx Routes tab provides configuration options for NetExtender client routes For procedures on modifying NetExtender client route settings see NetExtender Client Routes on page 238 Adding User Policies The Policies tab provides policy configuration options To add a user access policy 1 On the Policies tab click Add Policy The ...

Page 350: ...n page 352 IPv6 Address If your policy applies to a specific host enter the IPv6 address of the local host machine in the IPv6 Address field Optionally enter a port range for example 4100 4200 or a single port number into the Port Range Port Number field See Adding a Policy for an IPv6 Address on page 354 IPv6 Address Range If your policy applies to a range of addresses enter the beginning IPv6 ad...

Page 351: ...net Mask field in the form 255 255 255 0 5 In the Port Range Port Number field optionally enter a port range or an individual port 6 In the Service drop down list click on a service option 7 In the Status drop down list click on an access action either Allow or Deny 8 Click Accept Adding a Policy for All Addresses 1 In the Apply Policy to field select the All Addresses option 2 Define a name for t...

Page 352: ...cy in the Policy Name field 7 In the Server Path field enter the server path in the format servername share path or servername share path The prefixes and are acceptable 8 Select Allow or Deny from the Status drop down list 9 Click Accept Adding a Policy for a URL Object To create object based HTTP or HTTPS user policies 1 Navigate to Users Local Users 2 Click the configure icon next to the user y...

Page 353: ...age Host Can be a hostname that should be resolved or an IP address Host information has to be present Port If port is not mentioned then all ports for that host are matched Specify a specific port or port range using digits 0 9 and or wildcard elements Zero 0 must not be used as the first digit in this field The least possible number matching the wildcard expression should fall within the range o...

Page 354: ...cy Name field 3 Type a starting IPv6 address in the IPv6 Network Address field 4 Type a prefix value in the IPv6 Prefix field such as 64 or 112 5 In the Port Range Port Number field optionally enter a port range or an individual port 6 In the Service drop down list click on a service option 7 In the Status drop down list click on an access action either Allow or Deny 8 Click Accept Adding a Policy...

Page 355: ...okmark Name field 2 Enter the fully qualified domain name FQDN or the IPv4 or IPv6 address of a host machine on the LAN in the Name or IP Address field In some environments you can enter the host name only such as when creating a VNC bookmark in a Windows local network If a Port number is included with an IPv6 address in the Name or IP Address field the IPv6 address must be enclosed in square brac...

Page 356: ...P IP Address IPv6 Address IP Port non standard FQDN Host name 10 20 30 4 2008 1 2 3 4 10 20 30 4 6818 or 2008 1 2 3 4 6818 JBJONES PC sv us sonicwall com JBJONES PC Telnet Telnet HTML5 IP Address IPv6 Address IP Port non standard FQDN Host name 10 20 30 4 2008 1 2 3 4 10 20 30 4 6818 or 2008 1 2 3 4 6818 JBJONES PC sv us sonicwall com JBJONES PC SSHv1 SSHv2 IP Address IPv6 Address IP Port non stan...

Page 357: ...doc NOTE Use backslashes even on Linux or Mac computers these use the Windows API for file sharing Citrix Citrix Web Interface IP Address IPv6 Address IP Port IP Path or File IP Port Path or File FQDN URL Path or File URL Port URL Port Path or File Note Port refers to the HTTP S port of Citrix Web Interface not to the Citrix client port 172 55 44 3 2008 1 2 3 4 172 55 44 3 8080 or 2008 1 2 3 4 808...

Page 358: ...to configure the modes their priorities and the choose method At least one mode should be enabled in the selection box The launch sequence is as follows HTML5 Native and ActiveX Selecting Manual allows you to change enable or disable the launch methods If you select Native to launch the Citrix bookmark then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix co...

Page 359: ...figuration the following notice appears Select Enable wake on LAN to enable waking up a computer over the network connection Selecting this check box causes the following new fields to be displayed Options available for all Terminal Services MAC Ethernet Address Enter one or more MAC addresses separated by spaces of target hosts to wake Wait time for boot up seconds Enter the number of seconds to ...

Page 360: ...nce obtains the redirected address and connects the user to the correct server Note that Interactive Login might need to be disabled for this feature to work properly Option is available for ActiveX or Java only For RDP HTML5 select the Default Language from the drop down menu For RDP Java bookmarks select Force Java Client Usage to force the use of the Java RDP client rather than the locally inst...

Page 361: ...ty with the Terminal Server Spam Monitors Desktop Composition Select the Connection Speed from the drop down list for optimized performance Option available for all Terminal Services Select the action from the drop down list that happens in the event that the Server Authentication fails Server authentication verifies that you are connecting to the intended remote computer The strength of the verif...

Page 362: ...le Remote Desktop Services session to Enabled Note that we create a new session request when connecting to the RDP server and are unable to clear the old session through the bookmark There might be some issues with your server setup depending on your available licenses and how disconnected sessions are handled Ensure SSO is correct if that option is enabled Improper SSO credentials prevents the bo...

Page 363: ...the launch time the selected mode is remembered through a cookie That means when next launching the bookmark the remembered mode is run directly within two seconds Clicking anywhere in the HTML can forget the remembered mode so you can re choose Editing or deleting the bookmark in the same browser can also reset the remembered mode When no modes are able to run on the client with the configuration...

Page 364: ... switch the right click and left click buttons Select View Only if the user is not making any changes on the remote system Select Share Desktop to allow multiple users to view and use the same VNC desktop Check Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices Virtual Network Computing VNC HTML5 Select View Only to disable keyboard and mouse events in the desktop...

Page 365: ... Manual mode In this setting while launching the bookmark the first available mode in the configured list is run at once after auto detection After the Choose during Launch option is enabled while launching the unified bookmark if there are multiple modes available for the client a menu is provided from which you can choose within a five second count down When only one mode is available the bookma...

Page 366: ... same as the name or id attribute of the HTML element representing Password in the Login form for example input type password name PASSWORD id PASSWORD maxlength 128 Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices Secure Web HTTPS Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Sec...

Page 367: ...s to send bookmark information to Mobile Connect clients When creating a File Share do not configure a Distributed File System DFS server on a Windows Domain Root system Because the Domain Root allows access only to Windows computers in the domain doing so disables access to the DFS file shares from other domains The SMA SRA appliance is not a domain member and is not able to connect to the DFS sh...

Page 368: ... default under the Manual mode In this setting while launching the bookmark the first available mode in the configured list is run at once after auto detection After the Choose during Launch option is enabled while launching the unified bookmark if there are multiple modes available for the client a menu is provided from which you can choose within a five second count down When only one mode is av...

Page 369: ...mark must be configured enabling the Automatically log in option in the bookmark settings If the correct username and password are set the session is logged in automatically Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices Secure Shell Version 2 SSHv2 Single sign on is supported for SSH bookmarks The bookmark must be configured enabling the Automatically ...

Page 370: ... launch methods If you select Native to launch the SSHv2 bookmark then the SMA Connect Agent launches the SSHv2 Receiver on the local machine to do the SSHv2 connection The up and down arrows are used to adjust the launch priority Fork and tick are used to disable or enable the modes Disabled modes are put at the bottom of the list with a gray font color The Choose during Launch option is not enab...

Page 371: ...so reset the remembered mode When no modes are able to run on the client with the configuration the following notice appears Optionally select Automatically accept host key This option allows the browser to keep the server s public host key in local storage automatically Select Authentication with public private keys to support RSA or DSA keys If using an SSHv2 server without authentication such a...

Page 372: ...vated and enough Remote Desktop Services RDS Per Device Client Access Licenses CALs are available the license server issues the client computer or device a permanent RDS Per Device CAL If the license server is not activated or does not have any RDS Per Device CALs available the device continues to use the temporary license The temporary license is valid for 90 days A permanent RDS Per Device CAL i...

Page 373: ...dministration Guide 373 3 The Add License Server dialog appears Select the License server name or IP address field and click Add To configure a license server 1 On the Server Manager screen click Licensing Diagnosis in the left navigation pane ...

Page 374: ...74 2 In the middle pane under license server s specified select the desired server name or IP address The right pane displays additional actions 3 In the right pane click Start RD Licensing Manager 4 The next screen lists the available licenses shown as Temporary ...

Page 375: ...nistration Guide 375 Manage your Per Device license from this screen Every remote connection from different web browsers consumes a device license You can revoke the licenses within the previous screen but only a few times within a certain period ...

Page 376: ...Java can be used with IE by selecting an option in the Bookmark configuration The server automatically decides which Citrix client version to use For browsers requiring Java to run Citrix you must have Java 10 1 or higher When using the Java applet the local printers are available in the Citrix client However under some circumstances it might be necessary to change the Universal Printer Driver to ...

Page 377: ...gure the modes their priorities and the choose method At least one mode should be enabled in the selection box The launch sequence is as follows HTML5 Native and ActiveX Selecting Manual allows you to change enable or disable the launch methods If you select Native to launch the Citrix bookmark then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix connection...

Page 378: ...lect the box next to HTTPS Mode to securely access the Citrix portal 12 Optionally select Always use specified Citrix ICA Server and specify the IP address in the ICA Server Address field that appears This setting allows you to specify the Citrix ICA Server address for the Citrix ICA session By default the bookmark uses the information provided in the ICA configuration on the Citrix server Windows...

Page 379: ...tion FBA 1 Create or edit a Citrix HTTP S RDP File Shares CIFS or FTP bookmark as described in Adding or Editing User Bookmarks on page 354 2 For A Citrix bookmark enable the Automatically log in option Only Forms based Authentication can be used for a Citrix SSO bookmark 3 In the Bookmarks tab select the Use Custom Credentials option 4 In the Username and Domain fields enter the custom text to be...

Page 380: ...an automatically log in to the Citrix StoreFront portal as shown in the following image and it is ready to use the XenApp or XenDesktop Configuring Login Policies The Login Policies tab provides configuration options for policies that allow or deny users with specific IP addresses from having login privileges to the SMA SRA appliance To allow or deny specific users from logging into the appliance ...

Page 381: ...CARD 6 To require the use of one time passwords for the specified user to log in to the appliance select Require one time passwords 7 Enter the user s email address into the E mail address field to override any address provided by the domain For more information about one time passwords see One Time Password Overview on page 46 8 To apply the policy you selected to a source IP address select an ac...

Page 382: ...10 202 4 32 10 202 4 47 In this case 10 202 4 47 would be the broadcast address Whatever login policy you selected is now applied to addresses in this range 12 To apply the policy you selected to a client browser select an access policy Allow or Deny in the Login From Defined Browsers drop down list under Login Policies by Client Browser and then click Add under the list The Define Browser window ...

Page 383: ...s Additional Groups Multiple additional groups could be assigned but in the case of conflicting policies the primary group takes precedence over any additional groups Keep in mind that users can only belong to groups within a single domain Deleting a Group To delete a group click the delete icon in the row for the group that you wish to remove in the Local Groups table on the Users Local Groups pa...

Page 384: ...ttings for a group click the configure icon in the row for the group that you wish to edit in the Local Groups table on the Users Local Groups page The Edit Group Settings window contains six tabs General Portal NxSettings NxRoutes Policies and Bookmarks See the following sections for information about configuring settings Editing General Group Settings on page 384 Modifying Group Portal Settings ...

Page 385: ...to allow users to enable or disable single sign on SSO for bookmarks This setting disables SSO by default for new users Enabled Select this option to enable single sign on for bookmarks Disabled Select this option to disable single sign on for bookmarks 5 Click Accept to save the configuration changes Modifying Group Portal Settings The Portal tab provides configuration options for portal settings...

Page 386: ...le this portal feature for this group Disabled Disable this portal feature for this group Because Mobile Connect acts as a NetExtender client when connecting to the appliance the setting for NetExtender also controls access by Mobile Connect users 5 To allow users in this group to add new bookmarks select Allow from the Allow user to add bookmarks drop down menu To prevent users from adding new bo...

Page 387: ...13 To enable NetExtender ranges and configure DNS and client settings for a group 1 Navigate to Users Local Groups 2 Click the configure icon next to the group you want to configure 3 In the Edit Local Group page select the Nx Settings tab 4 Choose the Client address pool setting Options include using the global settings the DHCP settings or a Static Pool 5 Choose the IPv6 address pool setting Opt...

Page 388: ...ble this action for all members of the group Overrides the global setting Disabled Disable this action for all members of the group Overrides the global setting 11 In the Create Client Connection Profile drop down list select one of the following Use global setting Take the action specified by the global setting See Edit Global Settings on page 413 Enabled Enable this action for all members of the...

Page 389: ...stination network in the Destination Network field For example enter the IPv4 network address 10 202 0 0 For IPv6 enter the IPv6 network address in the form 2007 1 2 3 0 8 For an IPv4 destination network type the subnet mask in the Subnet Mask Prefix field using decimal format 255 0 0 0 255 255 0 0 or 255 255 255 0 For an IPv6 destination network type the prefix such as 112 9 On the Add Client Rou...

Page 390: ...to Users Local Groups 2 Click the configure icon next to the group you want to configure 3 In the Edit Local Group page select the Policies tab 4 On the Policies tab click Add Policy The Add Policy screen is displayed 5 Define a name for the policy in the Policy Name field 6 In the Apply Policy To drop down list select whether the policy is applied to an individual host a range of addresses all ad...

Page 391: ...licy applies to a specific host enter the IPv6 address of the local host machine in the IPv6 Address field Optionally enter a port range for example 4100 4200 or a single port number into the Port Range Port Number field IPv6 Address Range If your policy applies to a range of addresses enter the beginning IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6 address r...

Page 392: ... Select Allow or Deny from the Status drop down list 10 Click Accept Configuring Group Bookmarks SMA SRA appliance bookmarks provide a convenient way for Secure Mobile Access users to access computers on the local area network that they connect to frequently Group bookmarks apply to all members of a specific group To define group bookmarks 1 Navigate to the Users Local Groups window 2 Click the co...

Page 393: ...es RDP Terminal Services RDP HTML5 Terminal Services RDP Native or Terminal Services RDP Java In the Screen Size drop down menu select the default terminal services screen size to be used when users execute this bookmark Because different computers support different screen sizes when you use a remote desktop application you should select the size of the screen on the computer from which you are ru...

Page 394: ...bled in the selection box The launch sequence is as follows HTML5 Native and ActiveX Selecting Manual allows you to change enable or disable the launch methods If you select Native to launch the RDP bookmark then the SMA Connect Agent launches the RDP Receiver on the local machine to do the RDP connection The up and down arrows are used to adjust the launch priority Fork and tick are used to disab...

Page 395: ...un on the client with the configuration the following notice appears Optionally enter the local path for this application in the Application and Path field Select Enable wake on LAN to enable waking up a computer over the network connection Selecting this check box causes the following new fields to be displayed MAC Ethernet Address Enter one or more MAC addresses separated by spaces of target hos...

Page 396: ...distinguished with tips like non html5 or for html5 By default the bookmark only connects to the provided name and IP address If you enable this feature the SMA SRA appliance obtains the redirected address and connects the user to the correct server Note that Interactive Login might need to be disabled for this feature to work properly Option is available for ActiveX or Java only For RDP HTML5 sel...

Page 397: ...cation monitors server and client connection activity to use it you need to register remote applications in the Windows 2008 RemoteApp list If Remote Application is selected the Java Console displays messages regarding connectivity with the Terminal Server Spam Monitors Desktop Composition Select the Connection Speed from the drop down list for optimized performance Option available for all Termin...

Page 398: ...he Internet or other low bandwidth network environments Uses zlib library to compress pre processed pixel data to maximize compression ratios and minimize CPU usage In the Compression Level drop down list select the level of compression as Default or from 1 to 9 where 1 is the lowest compression and 9 is highly compressed The JPEG Image Quality option is not editable and is set at 6 In the Cursor ...

Page 399: ...s Disabled modes are put at the bottom of the list with a gray font color The Choose during Launch option is not enabled by default under the Manual mode In this setting while launching the bookmark the first available mode in the configured list is run at once after auto detection After the Choose during Launch option is enabled while launching the unified bookmark if there are multiple modes ava...

Page 400: ...me and id attribute of the HTML element representing User Name in the Login form for example input type text name userid Configure the Password Form Field to be the same as the name or id attribute of the HTML element representing Password in the Login form for example input type password name PASSWORD id PASSWORD maxlength 128 Select Display Bookmark to Mobile Connect clients to display the bookm...

Page 401: ...SO option to pass the user s domain to the RDP server Select Use custom credentials to enter a custom username password and domain for this bookmark For more information about custom credentials see Creating Bookmarks with Custom SSO Credentials on page 379 Enable Display Bookmark to Mobile Connect clients to send bookmark information to Mobile Connect clients When creating a File Share do not con...

Page 402: ...fter the Choose during Launch option is enabled while launching the unified bookmark if there are multiple modes available for the client a menu is provided from which you can choose within a five second count down When only one mode is available the bookmark is also run immediately Telnet HTML5 Settings Optionally select Automatically log in and select Use SSL VPN account credentials to forward c...

Page 403: ...WALL appliance you can select Bypass username SSHv2 HTML5 Settings Select the Default Font Size Supported options range from 12 to 99 points Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the secure Web server Select Use custom credentials to enter a custom username password and do...

Page 404: ...nters the Virtual Office home page the bookmark you created for the group the user is in displays in the Bookmarks Table For an LDAP group you can define LDAP attributes For example you can specify that users in an LDAP group must be members of a certain group or organizational unit defined on the LDAP server Or you can specify a unique LDAP distinguished name To add an LDAP attribute for a group ...

Page 405: ...quire the use of client certificates for login By checking this box you require the client to present a client certificate for strong mutual authentication Two additional fields appear Verify user name matches Common Name CN of client certificate Select this check box to require that the user s account name match their client certificate Verify partial DN in subject Use the following variables to ...

Page 406: ... appears Type the custom attribute that your AD server uses to store email addresses If the specified attribute cannot be found for a user the email address is taken from their individual policy settings If you select using domain name an E mail domain field appears following the drop down list Type in the domain name where one time password emails are sent for example abc com 19 If Technician All...

Page 407: ...eout field Enter 0 zero to use the global inactivity timeout setting 25 Under Single Sign On Settings in the Automatically log into bookmarks list select one of the following Use global policy Use the global policy for using SSO to log in to bookmarks User controlled enabled by default for new users Enable SSO to log in to bookmarks for new users and allow users to change this setting User control...

Page 408: ...erson is defined for group Group1 and an LDAP attribute memberOf CN WINS Users DC sonicwall DC net is defined for Group2 If user Jane is defined by an LDAP server as a member of the Person object class but is not a member of the WINS Users group Jane is a member of SMA SRA appliance Group1 But if the administrator manually adds the user Jane to SMA SRA appliance Group2 then the LDAP attributes is ...

Page 409: ...okmark system allows bookmarks to be created at both the group and user levels The administrator can create both group and user bookmarks which are propagated to applicable users while individual users can create only personal bookmarks Because bookmarks are stored within the SMA SRA appliance s local configuration files it is necessary for group and user bookmarks to be correlated to defined grou...

Page 410: ...displays 3 Enter the Active Directory Group name in the corresponding field 4 Optionally select Associate with AD group if you wish to associate the Secure Mobile Access group with your AD group This step can also be completed at a later time in the Edit Group page under the AD Groups tab 5 Click Accept The group displays in the Active Directory Groups section The process of adding a group can tak...

Page 411: ... the launch methods If you select Native to launch the Citrix bookmark then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix connection The up and down arrows are used to adjust the launch priority Fork and tick are used to disable or enable the modes Disabled modes are put at the bottom of the list with a gray font color The Choose during Launch option is n...

Page 412: ...get the remembered mode so you can re choose Editing or deleting the bookmark in the same browser can also reset the remembered mode When no modes are able to run on the client with the configuration the following notice appears 10 Optionally select HTTPS Mode to enable HTTPS mode 11 Optionally select Always use specified Citrix ICA Server and specify the IP address in the ICA Server Address field...

Page 413: ...edit or delete user owned bookmarks select Allow from the Allow User to Edit Delete Bookmarks drop down menu To prevent users from editing or deleting user owned bookmarks select Deny 6 In the Automatically log into bookmarks drop down list select one of the following options User controlled enabled by default for new users Select this option to allow users to enable or disable single sign on SSO ...

Page 414: ...l All Mode is disabled by default 17 To add a client route click Add Client Route 18 In the Add Client Route window enter a destination network in the Destination Network field For example enter the IPv4 network address 10 202 0 0 For IPv6 enter the IPv6 network address in the form 2007 1 2 3 0 19 For an IPv4 destination network type the subnet mask in the Subnet Mask Prefix field using decimal fo...

Page 415: ...e Apply Policy To drop down list select one of the following IP Address IP Address Range All Addresses Network Object Server Path URL Object All IPv6 Address IPv6 Address or IPv6 Address Range 5 Type a name for the policy in the Policy Name field If your policy applies to a specific IPv4 host select the IP Address option from the Apply Policy To drop down list and enter the IPv4 address of the loc...

Page 416: ...cy Edit a Policy for a File Share To edit file share access policies 1 Navigate to either the Users Local Users or Users Local Groups window 2 Click the configure icon next to Global Policies The Edit Global Settings window is displayed 3 Select the Policies tab 4 Click Add Policy 5 Select Server Path from the Apply Policy To drop down list 6 Type a name for the policy in the Policy Name field 7 I...

Page 417: ...for local groups or users 1 Navigate to either the Users Local Users or Users Local Groups page 2 Click the configure icon next to Global Policies The Edit Global Policies window is displayed 3 Click the EPC tab The EPC window is displayed 4 Configure EPC global settings and add or remove device profiles as explained in Users Local Groups on page 382 and Users Local Groups on page 382 NOTE Dependi...

Page 418: ...s web based logging syslog logging and email alert messages In addition The SMA SRA appliance can be configured to email the event log file to the Secure Mobile Access administrator before the log file is cleared This section provides an overview of the Log View page and a description of the configuration tasks available on this page Log View Overview on page 418 Viewing Logs on page 420 Emailing ...

Page 419: ... of the SMA SRA gateway which is configured in the System Time page Priority The level of severity associated with the event Severity levels can be Emergency Alert Critical Error Warning Notice Information and Debug Category The category of the event message Categories include Authentication Authorization Access GMS NetExtender System Virtual Assist and Web Application Firewall Source The Source I...

Page 420: ...rmat of the logs included in the email in line text appearing within the email body or as a zipped attachment default Each log entry contains the date and time of the event and a brief message describing the event After the log file reaches the 50 MB log size limit the log entry is cleared and optionally emailed to the Secure Mobile Access administrator Table 44 Log Table Navigation Facilities Nav...

Page 421: ...he local time of the SMA SRA gateway which is configured in the System Time page Priority Displays the level of severity associated with the event Severity levels can be Emergency Alert Critical Error Warning Notice Information and Debug Category The category of the event message Source Displays the IP address of the appliance of the user or administrator that generated the log event The source IP...

Page 422: ...vent log and Alerts The categories are emergency alert critical error warning notice info and debug Syslog Settings The Syslog Settings section allows the administrator to specify the primary and secondary Syslog servers Event Logging and Alerts The Event Logging and Alerts section allows the administrator to configure email alerts by specifying the email address for logs to be sent to the mail se...

Page 423: ... sent if the log file is full before the end of the period In the Log View page you can click Clear Log to delete the current event log The event log is not emailed in this case 6 To receive event log files through email enter your full email address username domain com in the Email Event Logs to field in the Event Logging and Alerts region The event log file is emailed to the specified email addr...

Page 424: ... the Secure Mobile Access management interface using administrator credentials 2 Navigate to Log Settings 3 Type the email address where you want logs sent to in the Email Events Logs to field 4 Type the email address where you want alerts sent to in the Email Alerts to field 5 Type the IP address for the mail server you are using in the Mail Server field 6 Type the email address for outgoing mail...

Page 425: ...Extender System Virtual Assist Web Application Firewall High Availability SMA 400 200 SRA 4600 Geo IP Botnet Filter End Point Security Device Management Reverse Proxy After all selections have been made click Accept in the upper right corner of the screen to finish configuring the desired categories Log ViewPoint This section provides an overview of the Log ViewPoint page and a description of the ...

Page 426: ...ings section click Add The Add ViewPoint Server screen displays 3 In the Add ViewPoint Server screen enter the Hostname or IP Address of your ViewPoint server 4 Enter the Port which your ViewPoint server communicates with managed devices 5 Click Accept at the top of the page to add this server 6 To start ViewPoint report logging for the server you just added select Enable ViewPoint Log Analyzer Th...

Page 427: ...r This feature requires an Analyzer license key To add the SMA SRA appliance to an Analyzer server and enable Analyzer reporting on your SMA SRA appliance 1 Navigate to the Log Analyzer page in the Secure Mobile Access web based management interface 2 In the Analyzer Settings section click the Add The Add Analyzer Server screen displays 3 In the Add Analyzer Server screen enter the Hostname or IP ...

Page 428: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide Part 5 428 Using Virtual Office Virtual Office Configuration ...

Page 429: ...Virtual Office page and a description of the configuration tasks available on this page Virtual Office Overview on page 429 Using the Virtual Office on page 430 Virtual Office Overview The Virtual Office option is located in the navigation bar of the Secure Mobile Access management interface The Virtual Office option launches the Virtual Office user portal in a separate Web browser window The Virt...

Page 430: ... the browser window 3 From the Virtual Office home page you can Launch and install Secure Mobile Access Connect Agents Launch and install NetExtender Use File Shares Launch a Virtual Assist session Add and configure bookmarks Add and configure bookmarks for offloaded portals Follow bookmark links Import certificates Get Virtual Office help Configure a system for Secure Virtual Access mode if allow...

Page 431: ...chemes already defined in the Windows OS X such as mailto The SMA Connect Agent uses the Scheme URL to replace the Browser Plug ins The SMA Connect Agent is like a bridge that receives the Scheme URL requests and launches the specific native application To launch the Citrix Receiver through a Citrix bookmark you must first install the SMA Connect Agent Topics Supported Operating Systems on page 43...

Page 432: ...the Installer The Windows installer is SMAConnectAgent msi the Macintosh installer is SMAConnectAgent dmg The Windows installer needs your permission to install the Macintosh installer guides you to put the SMA Connect Agent in the Application directory Setting up the SMA Connect Agent Proxy Configuration SMA supports proxy deployment where all client browsers are configured to redirect to a proxy...

Page 433: ...cache is off The SMA Connect Agent can setup the proxy by user There are four options to setup the proxy configuration No Proxy When no proxy server is configured IPv6 attributes are discarded Use system proxy settings Manual proxy configuration Automatic proxy configuration URL Logs There is a Log tray on the system tool bar You can right click the tray and select the popup menu to view the logs ...

Page 434: ...unch the SMA Connect Agent To launch the Citrix Native Bookmark after logging in to the StoreFront launch any Citrix desktops or applications such as other Citrix bookmarks A browser confirmation message might appear In a Chrome warning window press Launch Application to launch the Citrix or SMA Connect Agent ...

Page 435: ...gent does the EPC check If the EPC feature Appliance side enables the Show EPC failed message in detail at client side the SMA Connect Agent records the detailed fail message in the log Then you can view the tray Log PDA Personal Device Authorization The PDA is a new feature The SMA Connect Agent helps the PDA feature get the local machine s information In the login page if the user enables the PD...

Page 436: ...ion Guide Part 6 436 Appendices Using Online Help Configuring the SMA SRA Appliance with a Third Party Gateway Use Cases NetExtender Troubleshooting Frequently Asked Questions Using the Command Line Interface Using SMS Email Formats Support Information ...

Page 437: ...ment Using Context Sensitive Help Context sensitive help is available on most pages of the Secure Mobile Access web based management interface Click the context sensitive help button in the top right corner of the page to get help that corresponds to the Secure Mobile Access management page you are using Clicking the context sensitive help button launches a separate browser window to the correspon...

Page 438: ...ppliance on DMZ Interface on page 441 Before you Begin Make sure you have a management connection to the PIX s console port or the ability to Telnet SSH into one of the PIX s interfaces You will need to know the PIX s global and enable level passwords in order to access the device and issue changes to the configuration If you do not have these contact your network administrator before continuing D...

Page 439: ...d When done click Accept in the upper right corner to save and activate the change 5 Navigate to the NetExtender Client Routes page Add a client route for 192 168 100 0 If there is an entry for 192 168 200 0 delete it 6 Navigate to the Network DNS page and enter your internal network s DNS addresses internal domain name and WINS server addresses These are critical for NetExtender to function corre...

Page 440: ...1 140 167 eq www access list sslvpn permit tcp any host 64 41 140 167 eq https pager lines 24 logging on logging timestamp logging buffered warnings logging history warnings mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip address outside 64 41 140 167 255 255 255 224 ip address inside 192 168 100 1 255 255 255 0 no ip address dmz ip audit info action alarm ip audit attack action alarm pdm history...

Page 441: ...e By default the management interface is X0 and the default IP address is 192 168 200 1 2 Navigate to the Network Routes page and make sure the Default Gateway is set to 192 168 200 2 When done click Accept in the upper right corner to save and activate the change 3 Navigate to the NetExtender Client Addresses page Enter 192 168 200 201 in the field next to Client Address Range Begin and enter 192...

Page 442: ...0 netmask 255 255 255 0 0 0 21 Issue the command access group sslvpn in interface outside 22 Issue the command access group dmz to inside in interface dmz 23 Exit config mode and issue the command wr mem to save and activate the changes 24 From an external system attempt to connect to the SMA SRA appliance using both HTTP and HTTPS If you cannot access the SMA SRA appliance check all previous step...

Page 443: ...tmask 255 255 255 0 0 0 access group sslvpn in interface outside access group dmz to inside in interface dmz route outside 0 0 0 0 0 0 0 0 64 41 140 166 1 timeout xlate 3 00 00 timeout conn 1 00 00 half closed 0 10 00 udp 0 02 00 rpc 0 10 00 h225 1 00 00 timeout h323 0 05 00 mgcp 0 05 00 sip 0 30 00 sip_media 0 02 00 timeout sip disconnect 0 02 00 sip invite 0 03 00 timeout uauth 0 05 00 absolute ...

Page 444: ...ard Firebox X Gateway is configured with an IP of 192 168 100 1 and your SMA SRA appliance is configured with an IP of 192 168 100 2 Before you get started take note of which port the WatchGuard is using for management If the WatchGuard is not being managed on HTTPS 443 perform the following steps If the WatchGuard is being managed on HTTPS 443 you ll need to first review the notes within this gui...

Page 445: ...dy configured to accept HTTPS on port 443 you need to change the port in order to be able to manage both the SMA SRA and WatchGuard appliances 3 Navigate to Administration System Security Figure 62 WatchGuard Administration System Security Dialog Box 4 Clear Use non secure HTTP instead of secure HTTPS for administrative Web site 5 Change the HTTP Server Port to 444 and click Submit The WatchGuard ...

Page 446: ...d with an IP of 192 168 100 1 and your SMA SRA appliance is configured with an IP of 192 168 100 2 1 Click Remote Management from the left index of your Netgear management interface In order for the SMA SRA appliance to function with your Netgear gateway device you must verify that the NetGear s management port does not conflict with the management port used by the SMA SRA appliance 2 Clear the Al...

Page 447: ...Add 8 Select HTTPS from the Service Name drop down list 9 Select ALLOW always in the Action drop down list 10 Enter the WAN IP address of the SMA SRA appliance ex 192 168 100 2 in the Local Server Address field 11 Click Accept to save changes Your Netgear gateway device is now ready for operations with the SMA SRA appliance Name HTTPS Type TCP UDP Start Port 443 Finish Port 443 ...

Page 448: ...gear management interface 2 Click Add Custom Service in the middle of the page 3 Enter a service name in the Service Name field ex SMA 4 Enter 443 in the Starting Port field 5 Enter 443 in the Ending Port field 6 Enter the WAN IP address of the SMA SRA appliance ex 192 168 100 2 in the Local Server Address field 7 Click Accept Your Netgear wireless router is now ready for operations with the SMA S...

Page 449: ...nu Manage and Network Objects Figure 63 Check Point Host Node Object Dialog Box Next select the NAT tab for the object you have created NOTE The object is defined as existing on the internal network Should you decide to locate the SMA SRA appliance on a secure segment sometimes known as a demilitarized zone then subsequent firewall rules have to pass the necessary traffic from the secure segment t...

Page 450: ...etmask 255 255 255 255 192 168 100 2 ARP Check Point AIR55 contains a feature called auto ARP creation This feature automatically adds an ARP entry for a secondary external IP address the public IP address of the SMA SRA appliance If running Check Point on a Nokia security platform Nokia recommends that users disable this feature As a result the ARP entry for the external IP address must be added ...

Page 451: ...ate See the following sections Importing a goDaddy Certificate on Windows on page 451 Importing a Server Certificate on Windows on page 454 Importing a goDaddy Certificate on Windows In this use case we format a goDaddy Root CA Certificate on a Windows system and then import it to our Dell SonicWALL Secure Mobile Access SMA and Secure Remote Access SRA appliance 1 Double click on the goDaddy p7b f...

Page 452: ...tificate file and select the Details tab 3 Click Copy to File The Certificate Export Wizard launches 4 In the Certificate Export Wizard click Next 5 Select Base 64 encoded X 509 CER and then click Next 6 In the File to Export screen type the file name in as goDaddy cer and then click Next ...

Page 453: ...ox The certificate is exported in base 64 encoded format You can view it in a text editor 9 In the Secure Mobile Access management interface navigate to System Certificates 10 In the Additional CA Certificates section click Import CA Certificate The Import Certificate window appears 11 In the Import Certificate window click Browse and navigate to the goDaddy cer file on your Windows system and dou...

Page 454: ...pb7 file and navigate to the certificate 2 Double click the certificate file and select the Details tab 3 Click Copy to File 4 In the Certificate Export Wizard select Base 64 encoded X 509 CER 5 Click Next and save the file as server crt on your Windows system The certificate is exported in base 64 encoded format 6 Add the server crt file to a zip file 7 Separately save the private key in base 64 ...

Page 455: ...ver using SSH Allow Mega Group in Active Directory to access Outlook Web Access OWA at 10 200 1 10 Allow IT Group in Active Directory to access both SSH and OWA resources defined previously Deny access to these resources to all other groups This example configuration is provided courtesy of Vincent Cai June 2008 Figure 67 Network Topology Perform the tasks in order of the following sections Creati...

Page 456: ... 8 View the new domain in the Portals Domains page Adding a Global Deny All Policy This procedure creates a policy that denies access to the OWA resources to all groups except groups configured with an explicit Permit policy The Secure Mobile Access default policy is Allow All In order to have more granular control we add a Deny All policy here Later we can add Permit policies for each group one a...

Page 457: ... In the Status drop down list select DENY 11 Click Add 12 In the Edit Global Policies window verify the Deny All policy settings and then click OK Creating Local Groups This procedure creates Local Groups that belong to the SNWL_AD domain on the SMA SRA appliance We create one local group for each Active Directory group Adding the Local Groups 1 Navigate to the Users Local Groups page and click Ad...

Page 458: ...o add the second local group 10 In the Add Local Group window type IT_Group into the Group Name field 11 Select SNWL_AD from the Domain drop down list 12 Click Add 13 View the added groups on the Users Local Groups page Configuring the Local Groups In this procedure we will edit each new local group and associate it with the corresponding Active Directory Group 1 Click Configure in the Acme_Group ...

Page 459: ...it Group Settings window click the AD Groups tab and then click Add Group 13 In the Edit Active Directory Group window select IT Group from the Active Directory Group drop down list and then click Edit IT Group is listed in the Active Directory Groups table on the AD Groups tab 14 In the Edit Group Settings window click OK At this point we have created the three Local Groups and associated each wi...

Page 460: ...e Active Directory group Mega Group To access the Exchange server adding a PERMIT policy to the 10 200 1 10 exchange URL Object itself is not enough Another URL Object policy is needed that permits access to 10 200 1 10 exchweb because some OWA Web contents are located in the exchweb directory Repeat this procedure for IT_Group to provide OWA access for members of the Active Directory group IT Gro...

Page 461: ...dit Group Settings window on the Policies tab click Add Policy 9 In the Add Policy window select URL Object in the Apply Policy To drop down list 10 In the Policy Name field enter the descriptive name OWA exchweb 11 In the Service drop down list select Secure Web HTTPS 12 In the URL field enter the URL of the target application 10 200 1 10 exchweb 13 In the Status drop down list select PERMIT and ...

Page 462: ...ess OWA at 10 200 1 10 IT_Groups users are allowed to access both SSH and OWA as defined previously The configuration can be verified by logging in as different AD group members to the SNWL_AD domain on the SMA SRA appliance and attempting to access the resources Test Result Try Acmeuser Access Acmeuser logs into the SNWL_AD domain The Users Status page shows that acmeuser is a member of the local...

Page 463: ...Dell SonicWALL Secure Mobile Access 8 5 Administration Guide 463 Acmeuser can access SSH as expected Acmeuser tries to access to other resources like OWA 10 200 1 10 but is denied as expected ...

Page 464: ...e 464 Test Result Try Megauser Access Megauser logs into the SNWL_AD domain The Users Status page shows that megauser is a member of the local group Mega_Group Megauser can access OWA resources as expected Megauser tries to access SSH but is denied as expected ...

Page 465: ...ion Guide 465 Test Result Try Ituser Access Ituser logs into the SNWL_AD domain The Users Status page shows that ituser is a member of the local group IT_Group Ituser can access SSH to 10 200 1 102 as expected Ituser can access OWA resources as expected ...

Page 466: ...i386 compatible Linux distribution is required along with Sun Java 1 6 0_10 2 Check that the user has administrator privilege NetExtender can only install work under the user account with administrator privileges 3 Check if ActiveX has been blocked by Internet Explorer or third party blockers 4 If the problem still exists obtain the following information and send to support The version of Secure M...

Page 467: ...rogram files SonicWALL SMA NetExtender dbg The event logs in Control Panel Administrator Tools Event Viewer Select Applications and System events and use the Action Save Log File as menu to save the events in a log file Table 50 NetExtender Cannot Connect Problem Solution NetExtender cannot connect 1 Navigate to Device Manager and check if the Secure Mobile Access NetExtender Adapter has been inst...

Page 468: ... at C Program files SonicWALL SMA NetExtender dbg Windows memory dump file located at C Windows MEMORY DMP If you cannot find this file then you should open System Properties click Startup and Recovery Settings under the Advanced tab Select Complete Memory Dump Kernel Memory Dump or Small Memory Dump in the Write Debugging Information drop down list Of course you should also reproduce the BSOD to ...

Page 469: ...When I launch any of the Java components it gives me an error what should I do on page 478 5 Do I have to purchase a SSL certificate on page 478 6 What format is used for the digital certificates on page 478 7 Are wild card certificates supported on page 478 8 What CA s certificates can I use with the SMA SRA appliance on page 478 9 Does the SMA SRA appliance support chained certificates on page 4...

Page 470: ...cations on page 482 18 Why is it required that an ActiveX component be installed on page 482 19 Does NetExtender support desktop security enforcement such as AV signature file checking or Windows registry checking on page 482 20 Does NetExtender work with the 64 bit version of Microsoft Windows on page 482 21 Does NetExtender work 32 bit and 64 bit version of Microsoft Windows 7 on page 482 22 Doe...

Page 471: ...ited the Web browser on page 484 29 What does the encrypt settings file check box do on page 485 30 What does the store settings button do on page 485 31 What does the create backup button do on page 485 32 What is SafeMode on page 485 33 How do I access the SafeMode menu on page 485 34 Can I change the colors of the portal pages on page 485 35 What authentication methods are supported on page 485...

Page 472: ...ased SSHv1 and Telnet proxies on page 486 54 There is no port option for the service bookmarks what if these are on a different port than the default on page 487 55 What if I want a bookmark to point to a directory on a Web server on page 487 56 When I access Microsoft Telnet Server using a telnet bookmark it does not allow me to enter a user name why on page 487 57 What versions of Citrix are sup...

Page 473: ...ss A ICES Class A CE C Tick VCCI Class A KCC ANATEL BSMI NOM UL cUL TUV GS CB Environment Temperature SMA 200 400 32 105ª F 0 40ª C Relative Humidity SMA 200 400 5 95 percent RH non condensing MTBF SMA 200 7 060 years SMA 400 6 870 years 2 What are the hardware specs for the SRA 4600 and SRA 1600 Answer Interfaces SRA 1600 2 gigabit Ethernet 2 USB 1 console SRA 4600 4 gigabit Ethernet 2 USB 1 cons...

Page 474: ...ized environment requirements Hypervisor VMWare ESXi version 5 0 and newer Appliance size on disk 2 GB Allocated memory 2 GB 4 Do the SMA SRA appliances have hardware based SSL acceleration onboard Answer The SRA 4600 and SRA 1600 do not have a hardware based SSL accelerator processor however the SMA 400 200 processor includes AES NI instructions to accelerate AES encryption 5 What operating syste...

Page 475: ...000 NetExtender global client routes 100 100 100 100 100 NetExtender group client routes 100 100 100 100 100 NetExtender user client routes 100 100 100 100 100 Maximum concurrent Nx connections 50 250 50 500 250 Route entries 32 32 32 32 32 Host entries 32 32 32 32 32 Bookmark entries 500 500 500 500 500 User Policy entries 64 64 64 64 64 Group Policy entries 64 64 64 64 64 Global Policy entries 6...

Page 476: ...y This security mechanism is intended to ensure end to end security but often confuses people into thinking something is broken If you are using the default self signed certificate this error appears every time a Web browser connects to the SMA SRA appliance However it is just a warning and can be safely ignored as it does not affect the security negotiated during the SSL handshake If you do not w...

Page 477: ...g forward have a trusted digital certificate installed 3 I get the following message when I log in to my SMA SRA appliance using Firefox what do I do Answer Much like the errors shown previously for Internet Explorer Firefox has a unique error message when any certificate problem is detected The conditions for this error are the same as for the previous Internet Explorer errors To get past this sc...

Page 478: ...ogether in a zip file The certificate should be named server crt The private key should be named server key Under Additional CA Certificates click Import Certificate and upload the intermediate CA certificate s The certificate should be PEM encoded in a text file After uploading any intermediate CA certificates the system should be restarted The web server needs to be restarted with the new certif...

Page 479: ...eds replacement or suffers a failure you can reload the key and cert You can also always export your settings from the System Settings page 17 Does the SMA SRA appliance support client side digital certificates Answer Yes client certificates are enforced per Domain or per User on the Users Local Users Edit User Login Policies tab Per Domain Per User client certificate enforcement settings Option t...

Page 480: ... clients are assigned NetExtender clients actually appear as though they are on the internal network much like the Virtual Adapter capability found in Dell SonicWALL s Global VPN Client You should dedicate one IP address for each active NetExtender session so if you expect 20 simultaneous NetExtender sessions to be the maximum create a range of 20 open IP addresses Make sure that these IP addresse...

Page 481: ...aded with a new MSI package The MSI package is designed for the administrator to deploy NetExtender through Active Directory allowing full version control through Active Directory 11 How is NetExtender different from a traditional IPSec VPN client such as Dell SonicWALL s Global VPN Client GVC Answer NetExtender is designed as an extremely lightweight client that is installed through a Web browser...

Page 482: ... 64 bit version of Microsoft Windows Answer Yes NetExtender supports 64 bit Windows 7 and Vista 21 Does NetExtender work 32 bit and 64 bit version of Microsoft Windows 7 Answer Yes NetExtender supports 32 bit and 64 bit Windows 7 22 Does NetExtender support client side certificates Answer Yes Windows NetExtender client supports client certificate authentication from the stand alone client Users ca...

Page 483: ... other third party firewall VPN device 8 Can I access the SMA SRA appliance using HTTP Answer No it requires HTTPS HTTP connections are immediately redirected to HTTPS You might wish to open both 80 and 443 as many people forget to type https and instead type http If you block 80 it is not redirected 9 What is the most common deployment of the SMA SRA appliances Answer One port mode where only the...

Page 484: ...ntication RSA SecurID etc supported Answer Yes this is supported 21 Does the SMA SRA appliance support VoIP Answer Yes over NetExtender connections 22 Is Syslog supported Answer Yes 23 Does NetExtender support multicast Answer Not at this time Look for this in a future firmware release 24 Are SNMP and Syslog supported Answer Syslog forwarding to up to two external servers is supported in the curre...

Page 485: ...n to boot or load a new version of the software image 33 How do I access the SafeMode menu Answer In emergency situations you can access the SafeMode menu by holding in Reset on the SMA SRA appliance the small pinhole button located on the front of the SMA SRA appliances for 12 14 seconds until the Test LED begins quickly flashing yellow After the SMA SRA appliance has booted into the SafeMode men...

Page 486: ...component Answer The CIFS browsing protocol is limited by the server s buffer size for browse lists These browse lists contain the names of the hosts in a workgroup or the shares exported by a host The buffer size depends on the server software Windows personal firewall has been known to cause some issues with file sharing even when it is stated to allow such access If possible try disabling such ...

Page 487: ...lications using Web services and no support for non HTTP protocols wrapped within HTTP One key aspect to consider when using Application Offloading is that the application should not contain hard coded self referencing URLs If these are present the Application Offloading proxy rewrites the URLs Because Web site development does not usually conform to HTML standards the proxy can only do a best eff...

Page 488: ...ical appliances console access is achieved by connecting a computer to the serial port Use the following settings Baud 115200 Data Bits 8 Parity None Stop Bits 1 No flow control For the Virtual Appliance the following login prompt is displayed after the firmware has fully booted In the following examples user input is highlighted in bold to indicate text entered by the user To access the CLI login...

Page 489: ...1 X0 Subnet Mask default 255 255 255 0 255 255 0 0 Default Gateway default 192 168 200 2 192 168 200 1 Primary DNS 10 50 128 52 Secondary DNS optional enter none to disable 4 2 2 2 Hostname default sslvpn sslvpn New Network Settings X0 IP Address 192 168 200 201 X0 Subnet mask 255 255 0 0 Default Gateway 192 168 200 1 Primary DNS 10 50 128 52 Secondary DNS 4 2 2 2 Hostname sslvpn Would you like to...

Page 490: ... confirmation prompt and then restarts the Web server and the related Secure Mobile Access daemon services This command is equivalent to issuing the EasyAccessCtrl restart command Restart SSL VPN Services Are you sure you want to restart the SSL VPN services y n y Restarting SSL VPN services please wait Stopping SMM OK Stopping Firebase OK Stopping FTP Session OK Stopping HTTPD OK Cleaning Apache ...

Page 491: ...to recover quickly from uncertain configuration states with a simplified management interface that includes the same settings available on the System Settings page You can get to the SafeMode CLI by pressing the SafeMode switch to reboot to SafeMode and then logging in as admin The password is the same as the password for the admin account that is configured on the appliance The default is passwor...

Page 492: ...login prompt is displayed again When the correct password is entered the SafeMode CLI is launched The numbered options explain themselves Select the number of the option you would like to perform For the first option to Manage Firmware Images press 1 The following screen appears with five additional options ...

Page 493: ...to perform For the first option to Boot Current Firmware press 1 The following screen appears with three additional options The three additional options explain themselves Select the number of the option you would like to perform For more instructions on how to restart your firewall in SafeMode refer to the Getting Started Guide for your particular appliance ...

Page 494: ...ea Cellular 4085551212 ideacellular net Alltel PC 4085551212 message alltel com Alltel 4085551212 alltelmessage com Arch Wireless 4085551212 archwireless net BeeLine GSM 4085551212 sms beemail ru BeeLine Moscow 4085551212 sms gate ru Bell Canada 4085551212 txt bellmobility ca Bell Canada 4085551212 bellmobility ca Bell Atlantic 4085551212 message bam com Bell South 4085551212 sms bellsouth com Bel...

Page 495: ...ms emt ee Eurotel Czech Republic 4085551212 sms eurotel cz Europolitan Sweden 4085551212 europolitan se Escotel 4085551212 escotelmobile com Estonia EMT 4085551212 sms m emt ee Estonia RLE 4085551212 rle ee Estonia Q GSM 4085551212 qgsm ee Estonia Mobil Telephone 4085551212 sms emt ee Fido 4085551212 fido ca Georgea geocell 4085551212 sms ge Goa BPLMobil 4085551212 bplmobile com Golden Telecom 408...

Page 496: ...1212 mymeteor ie Metro PCS 4085551212 mymetropcs com Metro PCS 4085551212 metorpcs sms us MiWorld 4085551212 m1 com sg Mobileone 4085551212 m1 com sg Mobilecomm 4085551212 mobilecomm net Mobtel 4085551212 mobtel co yu Mobitel Tanazania 4085551212 sms co tz Mobistar Belgium 4085551212 mobistar be Mobility Bermuda 4085551212 ml bm Movistar Spain 4085551212 correo movistar net Maharashtra Airtel 4085...

Page 497: ...mail com Qwest 4085551212 qwestmp com Riga LMT 4085551212 smsmail lmt lv Rogers AT T Wireless 4085551212 pcs rogers com Safaricom 4085551212 safaricomsms com Satelindo GSM 4085551212 satelindogsm com Simobile Slovenia 4085551212 simobil net Sunrise Mobile 4085551212 mysunrise ch Sunrise Mobile 4085551212 freesurf ch SFR France 4085551212 sfr fr SCS 900 4085551212 scs 900 ru Southwestern Bell 40855...

Page 498: ...12 sms uraltel ru US Cellular 4085551212 email uscc net US West 4085551212 uswestdatamail com Uttar Pradesh West Escotel 4085551212 escotelmobile com Verizon 4085551212 vtext com Verizon PCS 4085551212 myvzw com Virgin Mobile 4085551212 vmobl com Vodafone Omnitel Italy 4085551212 vizzavi it Vodafone Italy 4085551212 sms vodafone it Vodafone Japan 4085551212 pc vodafone ne j Vodafone Japan 40855512...

Page 499: ...nicWALL and continuing for a period of twelve 12 months that the product is free from defects in materials and workmanship under normal use This Limited Warranty is not transferable and applies only to the original end user of the product Dell SonicWALL and its suppliers entire liability and Customer s sole and exclusive remedy under this limited warranty will be shipment of a replacement product ...

Page 500: ...N IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT OR THE APPLICABLE VERSION OF THIS AGREEMENT FOR YOUR REGION DO NOT DOWNLOAD INSTALL OR USE THIS PRODUCT IF YOU HAVE A SIGNED AGREEMENT WITH DELL THAT IS SPECIFICALLY REFERENCED IN AN ORDER THAT IS EXECUTED BETWEEN YOU AND DELL THEN THAT SIGNED AGREEMENT WILL SUPERSEDE THIS AGREEMENT This Software Transaction Agreement the Agreemen...

Page 501: ...and its worldwide Affiliates b On Premise Software If Software is delivered to Customer for Customer s installation and use on its own equipment On Premise Software the License shall be perpetual unless otherwise stated on the Order and shall also include the right to i make a reasonable number of additional copies of the On Premise Software to be used solely for non productive archival or passive...

Page 502: ...eware Licenses are provided AS IS and that Dell does not provide warranties or Maintenance Services for Freeware Licenses g Use by Service Providers If Customer contracts with a third party who performs Software implementation configuration consulting or outsourcing services a Service Provider the Service Provider may use the Software and Documentation provided to Customer hereunder solely for pur...

Page 503: ...not apply to taxes based on Dell s income 8 Termination This Agreement or the Licenses granted hereunder may be terminated i by mutual written agreement of Dell and Customer or ii by either party for a breach of this Agreement by the other party or its Service Provider that the breaching party fails to cure to the non breaching party s reasonable satisfaction within thirty 30 days following its re...

Page 504: ...y Customer regarding Software failures iii Respond to requests from Customer s technical coordinators for assistance with the operational technical aspects of the Software unrelated to a Software failure Dell shall have the right to limit such responses if Dell reasonably determines that the volume of such non error related requests for assistance is excessive or overly repetitive in nature iv Pro...

Page 505: ...ts Documentation the Operational Warranty ii the Software as provided by Dell will not contain any viruses worms Trojan Horses or other malicious or destructive code designed by Dell to allow unauthorized intrusion upon disabling of or erasure of the Software except that the Software may contain a key limiting its use to the scope of the License granted and license keys issued by Dell for temporar...

Page 506: ...se of the applicable Product or by using the Product in a manner that is inconsistent with this Agreement or the Documentation or iii arising from the modification of the Product by anyone other than Dell f Third Party Products Certain Software may contain features designed to interoperate with third party products If the third party product is no longer made available by the applicable provider D...

Page 507: ... or B for SaaS Software discontinue Customer s right to access and use the enjoined Software and refund the unused pro rated portion of any license fees pre paid by Customer for such Software This Section states Dell s entire liability and its sole and exclusive indemnification obligations with respect to a Claim 14 Limitation of Liability EXCEPT FOR A ANY BREACH OF THE RESTRICTIONS OR CONFIDENTIA...

Page 508: ...s permitted in subsection c below ii only use the Disclosing Party s Confidential Information to exercise the rights granted to it under this Agreement and iii protect the Disclosing Party s Confidential Information from unauthorized use or disclosure by exercising at least the same degree of care it uses to protect its own similar information but in no event less than a reasonable degree of care ...

Page 509: ...ases to which it is entitled Dell or its designated auditing agent shall have the right to audit Customer s deployment of the Software or if applicable use of the SaaS Software for compliance with the terms and conditions of this Agreement and the applicable Order s Any such audits shall be scheduled at least ten 10 days in advance and shall be conducted during normal business hours at Customer s ...

Page 510: ...lleging harm to such third party caused by Customer s breach of any of the provisions of this Section Additionally Customer shall pay any judgments or settlements reached in connection with the Third Party Claim as well as Dell s costs of responding to the Third Party Claim c Suspension Dell may suspend Customer s use of SaaS Software a if so required by law enforcement or legal process b in the e...

Page 511: ...entitled to seek immediate injunctive relief without limiting its other rights and remedies i Force Majeure Each party will be excused from performance for any period during which and to the extent that it is prevented from performing any obligation or service as a result of causes beyond its reasonable control and without its fault or negligence including without limitation acts of God strikes lo...

Page 512: ... be sufficient to create an enforceable and valid agreement In the event of a conflict between the terms of this Agreement and the terms contained in an Order the terms of a Signed Order shall control for all other Orders the terms of this Agreement shall control Neither this Agreement nor an Order may be modified or amended except by a writing executed by a duly authorized representative of each ...

Page 513: ...ture on the SMA SRA appliance This uses the Web browser to browse shared files on the network L Lightweight Directory Access Protocol LDAP An Internet protocol that email and other programs use to retrieve data from a server O One time Password A randomly generated single use password One time Password can be used to refer to a particular instance of a password or to the feature as a whole S Simpl...

Page 514: ...software with a valid maintenance contract and to customers who have trial versions The Support Portal provides self help tools you can use to solve problems quickly and independently 24 hours a day 365 days a year In addition the portal provides direct access to product support engineers through an online Service Request system To access the Support Portal go to https support software dell com Th...

Reviews:

No comments

Related manuals for SMA 200

Brand: Datavideo Pages: 2

Brand: Fema Pages: 96

Brand: CoolGear Pages: 2

Brand: Broadcast Tools Pages: 28

Brand: Teseq Pages: 60

VEEMUX SM-nXm-15V-LC

Brand: Network Technologies Pages: 46

Brand: Clas Ohlson Pages: 5

Brand: GE Pages: 2

Brand: Cabletron Systems Pages: 170

Brand: Davey Pages: 2

Brand: Maiwe Pages: 5

Hi-Speed USB 2.0 Hub

Brand: Saitek Pages: 14

IPES-5208T-X Series

Brand: Lantech Pages: 39

Brand: AV-Box Pages: 11

QSW-4600 Series

Brand: QTech Pages: 58

Brand: Abtus Pages: 4

Brand: PortaOne Pages: 78

Brand: ALFAtron Pages: 45

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands