Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
22
Organizations use Virtual Private Networks (VPNs) to establish secure, end-to-end private network connections
over a public networking infrastructure, allowing them to reduce their communications expenses and to provide
private, secure connections between a user and a site in the organization. By offering Secure Sockets Layer (SSL)
VPN, without the expense of special feature licensing, the SMA/SRA appliance provides customers with a
cost-effective alternative to deploying parallel remote-access infrastructures.
SSL Handshake Procedure
The following procedure is an example of the standard steps required to establish an SSL/TLS session between a
user and an SMA/SRA gateway using the Secure Mobile Access web-based management interface. It describes the
RSA key-transport exchange; cipher suites based on ephemeral Diffie-Hellman (DHE/ECDHE) obtain the pre-master
secret from a key agreement instead of encrypting it with the certificate key, but the remaining steps are the same:
1 When a user attempts to connect to the SMA/SRA appliance, the user’s Web browser sends a ClientHello listing
the protocol versions and cipher suites (encryption algorithms) it supports, together with a random value.
2 The appliance replies with the cipher suite it selected, its own random value, and its SSL certificate, which
contains the gateway’s public encryption key.
3 The Web browser validates the SSL certificate: the certificate chain must lead to a Certificate Authority that
the browser trusts, the certificate must be within its validity period and not revoked, and the name in the
certificate must match the host name the user connected to. If validation fails, the browser warns the user and
the connection should not proceed.
4 The Web browser generates a random pre-master secret, encrypts it using the public key included with the SSL
certificate, and sends the encrypted pre-master secret to the SMA/SRA gateway. Only the holder of the matching
private key, that is, the gateway, can decrypt it.
5 The SMA/SRA gateway decrypts the pre-master secret with its private key. The browser and the gateway then each
compute the same master secret independently from the pre-master secret and the two random values exchanged in
steps 1 and 2. The master secret itself is never transmitted.
6 The browser and the SMA/SRA gateway derive session keys from the master secret and use them with the agreed
upon encryption algorithm to establish the SSL connection. From this point on, the user and the SMA/SRA gateway
encrypt and decrypt data using the same keys. This is called symmetric encryption.
7 After the SSL connection is established, the SMA/SRA gateway encrypts and sends the Web browser the
SMA/SRA gateway login page.
8 The user submits their user name, password, and domain name.
9 If the user’s domain name requires authentication through a RADIUS, LDAP, or Active Directory Server,
the SMA/SRA gateway forwards the user’s information to the appropriate server for authentication.
10 After being authenticated, the user can access the Secure Mobile Access portal.
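The following Python script is an added example and is not part of this guide or of the appliance software. It models
steps 1 through 6 of the procedure above, with the browser and the gateway as two sides of a simulated exchange: the
client random, server random and RSA-encrypted pre-master secret go onto a "wire" list, each side derives the master
secret and session keys with the TLS 1.2 pseudo-random function (RFC 5246), and a final check confirms that neither
the master secret nor any session key ever appears in a transmitted message. The 512-bit textbook RSA keypair (no
PKCS#1 padding, generated in the script), the AES-128-GCM key sizes and the message names are assumptions made for
illustration only and are not how the SMA/SRA appliance is implemented.

```python
"""Model of the RSA key-transport SSL/TLS handshake described in steps 1 to 6.
Added example, not SonicWALL code. The RSA keypair stands in for the key in
the gateway's certificate and is deliberately small and unpadded so the
script runs offline; the PRF is the real TLS 1.2 P_SHA256 from RFC 5246."""
import hashlib
import hmac
import secrets
import struct
import time


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test, adequate for a demonstration keypair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Textbook RSA keypair (assumed stand-in for the certificate key): ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def rsa_encrypt(pub, msg):
    """c = m^e mod n. Real TLS applies PKCS#1 v1.5 padding to the pre-master secret first."""
    n, e = pub
    return pow(int.from_bytes(msg, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt(priv, ct, length):
    n, d = priv
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(length, "big")


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to length bytes."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret (RFC 5246 8.1); computed by both sides, never sent."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master, client_random, server_random):
    """Key block for AES-128-GCM: two 16-byte write keys and two 4-byte IV salts."""
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {"client_write_key": block[0:16], "server_write_key": block[16:32],
            "client_write_iv": block[32:36], "server_write_iv": block[36:40]}


def random_value():
    """32-byte hello random: gmt_unix_time followed by 28 random bytes."""
    return struct.pack(">I", int(time.time())) + secrets.token_bytes(28)


def run_handshake():
    """Walk steps 1 to 6; return what each side derived and everything that crossed the wire."""
    wire = []                                   # everything an on-path observer sees
    client_random = random_value()              # step 1: ClientHello
    wire.append(("ClientHello.random", client_random))
    server_pub, server_priv = rsa_keypair()     # step 2: ServerHello + certificate
    server_random = random_value()
    wire.append(("ServerHello.random", server_random))
    wire.append(("Certificate.public_key", server_pub))
    # step 4: 48-byte pre-master secret (client version 0x0303 + 46 random bytes),
    # encrypted under the public key from the certificate
    pre_master = b"\x03\x03" + secrets.token_bytes(46)
    encrypted = rsa_encrypt(server_pub, pre_master)
    wire.append(("ClientKeyExchange", encrypted))
    # step 5: each side computes the master secret locally; nothing further is sent
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(rsa_decrypt(server_priv, encrypted, 48),
                                  client_random, server_random)
    # step 6: symmetric session keys derived from the master secret on each side
    return {"wire": wire,
            "client_master": client_master, "server_master": server_master,
            "client_keys": session_keys(client_master, client_random, server_random),
            "server_keys": session_keys(server_master, client_random, server_random)}


def secret_on_wire(result):
    """True if the master secret or any session key appears verbatim in a captured message."""
    secret_values = [result["client_master"]] + list(result["client_keys"].values())
    return any(isinstance(msg, bytes) and any(s in msg for s in secret_values)
               for _, msg in result["wire"])


if __name__ == "__main__":
    r = run_handshake()
    print("master secrets match:", r["client_master"] == r["server_master"])
    print("secrets visible on wire:", secret_on_wire(r))
```

Running the script shows the two properties a practitioner should take from the procedure: both sides end up with an
identical master secret and identical session keys although only the encrypted pre-master secret crossed the wire, and
the randoms in steps 1 and 2 bind the session keys to this particular handshake, so replaying a captured
ClientKeyExchange against a later session yields different keys.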
IPv6 Support Overview
Internet Protocol version 6 (IPv6) is a replacement for IPv4 that is becoming more frequently used on networked
devices. IPv6 is a suite of protocols and standards developed by the Internet Engineering Task Force (IETF) that
provides a larger address space than IPv4, additional functionality and security, and resolves IPv4 design issues.
You can use IPv6 without affecting IPv4 communications.
IPv6 supports stateful address configuration, in which a DHCPv6 server assigns addresses, and stateless address
autoconfiguration (SLAAC), in which hosts on a link configure their own addresses. Every IPv6 interface
automatically assigns itself a link-local address (in the fe80::/10 prefix, valid only on that link), and with
SLAAC hosts also derive routable addresses from the prefixes that routers advertise on the link.
In IPv6, source and destination addresses are 128 bits (16 bytes) in length. For reference, the 32-bit IPv4
address is represented in dotted-decimal format, divided by periods along 8-bit boundaries. The 128-bit IPv6
address is divided by colons along 16-bit boundaries, where each 16-bit block is represented as a 4-digit
hexadecimal number. This is called colon-hexadecimal.
The IPv6 address 2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4 can be simplified by removing the leading zeros
within each 16-bit block, as long as each block keeps at least one digit. When suppressing leading zeros, the
address representation becomes: 2008:AB1:0:1E2A:123:45:EE37:C9B4
When an address contains a contiguous sequence of 16-bit blocks set to zero, the sequence can be compressed to
::, a double-colon. For example, the address 2008:0:0:0:B67:89:ABCD:1234 can be compressed to
2008::B67:89:ABCD:1234, and the address 2008:0:0:0:0:0:0:2 can be compressed to 2008::2. The double-colon may
appear only once in an address; otherwise the number of zero blocks it stands for would be ambiguous. Where an
address has two runs of zero blocks, the longer run is compressed (the leftmost one on a tie), and a single zero
block is written as 0 rather than :: (RFC 5952). Note that the addresses above are global unicast examples:
link-local addresses are in the fe80::/10 range and multicast addresses in the ff00::/8 range.
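The following Python script is an added example and is not part of this guide. It implements the text-form rules
described above in the general case: a parser that expands any IPv6 address into its eight 16-bit blocks (rejecting
a second ::), a canonicalizer that suppresses leading zeros and compresses the longest zero run per RFC 5952, and a
classifier for the well-known prefixes mentioned. The standard-library ipaddress module is used only to cross-check the
result; the function names are this example's own, and the embedded-IPv4 form (for example ::ffff:192.0.2.1) is not
handled.

```python
"""IPv6 text-form parser, RFC 5952 canonicalizer and prefix classifier.
Added example, not SonicWALL code. Embedded IPv4 (::ffff:a.b.c.d) is not handled."""
import ipaddress
import re

_BLOCK = re.compile(r"[0-9a-fA-F]{1,4}")


def expand_ipv6(addr):
    """Return the eight 16-bit blocks of addr as 4-digit lowercase hex strings."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:
        missing = 8 - len(left) - len(right)      # blocks the '::' stands for
        if missing < 1:
            raise ValueError("'::' must stand for at least one block: %r" % addr)
        blocks = left + ["0"] * missing + right
    else:
        blocks = left
    if len(blocks) != 8 or not all(_BLOCK.fullmatch(b) for b in blocks):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return [b.lower().zfill(4) for b in blocks]


def compress_ipv6(addr):
    """Canonical form (RFC 5952): leading zeros dropped, the longest run of two or
    more zero blocks replaced by '::' (leftmost run wins a tie), lowercase hex."""
    blocks = [b.lstrip("0") or "0" for b in expand_ipv6(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:          # strictly greater, so the first run wins ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # a lone zero block is written as 0, not ::
        return ":".join(blocks)
    return ":".join(blocks[:best_start]) + "::" + ":".join(blocks[best_start + best_len:])


def address_kind(addr):
    """Classify by the well-known prefixes: fe80::/10, fc00::/7, ff00::/8, ::1 and ::."""
    blocks = expand_ipv6(addr)
    first = int(blocks[0], 16)
    full = "".join(blocks)
    if full == "0" * 32:
        return "unspecified"
    if full == "0" * 31 + "1":
        return "loopback"
    if first & 0xffc0 == 0xfe80:
        return "link-local"
    if first & 0xfe00 == 0xfc00:
        return "unique-local"
    if first & 0xff00 == 0xff00:
        return "multicast"
    return "global unicast"


def matches_stdlib(addr):
    """Cross-check: our canonical form equals what ipaddress produces."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for a in ("2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4", "2008:0:0:0:B67:89:ABCD:1234",
              "2008:0:0:0:0:0:0:2", "1:0:0:2:0:0:0:3", "fe80::1", "ff02::1"):
        print(a, "->", compress_ipv6(a), address_kind(a), matches_stdlib(a))
```

The strict single-:: rule matters in practice: address strings from configuration files, logs and access-control lists
should be canonicalized with a parser like this (or ipaddress) before being compared, since "2008::2",
"2008:0::2" and "2008:0:0:0:0:0:0:2" are the same address and a plain string comparison will treat them as three.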