SonicWALL SMA 400 Administration Manual

About This Guide
This SonicWall Inc. Secure Mobile Access Administration Guide provides network administrators with a high-level overview of Secure Mobile Access
(SMA) technology, including activation, configuration, and administration of SonicWall Inc. SMA/SRA appliances using the Secure Mobile Access
management interface.
Refer to SMA Documentation for the latest version of this guide as well as other SonicWall Inc. product and services documentation.

Guide Conventions

The following conventions are used in this guide:
Convention | Use
Bold | Highlights field, button, and tab names. Also highlights window, dialog box, and screen names. Also used for file names and text or values you are being instructed to type into the interface.
Italic | Indicates the name of a technical manual, emphasis on certain words in a sentence, or the first instance of a significant term or concept.
Menu Item > Menu Item | Indicates a multiple step management interface menu choice. For example, System > Status means select the Status page under the System menu.

Secure Mobile Access Overview
This section provides an overview of the Secure Mobile Access (SMA) technology, concepts, basic navigational elements and standard deployment
guidelines.
Topics:

Overview of SMA/SRA Hardware and Components

Overview of SMA/SRA Hardware and Components
The SMA and SRA appliances provide organizations with a simple, secure and clientless method of access to applications and network resources
specifically for remote and mobile employees. Organizations can use SMA connections without the need to have a pre-configured, large-installation host.
Users can easily and securely access email files, intranet sites, applications, and other resources on the corporate Local Area Network (LAN) from any
location using a standard Web browser.
This section contains the following subsections:

SMA Software Components

SMA Software Components
SMA/SRA appliances provide clientless identity-based secure remote access to the protected internal network. Using the Virtual Office environment,
SMA/SRA appliances can provide users with secure remote access to your entire private network, or to individual components such as File Shares, Web
servers, FTP servers, remote desktops, or even individual applications hosted on Citrix or Microsoft Terminal Servers.
Although SMA protocols are described as clientless, the typical SMA portal combines Web, Java, and ActiveX components that are downloaded from the
portal transparently, allowing users to connect to a remote network without needing to manually install and configure a VPN client application. In addition,
SMA enables users to connect from a variety of devices, including Windows, Macintosh, and Linux PCs. ActiveX components are only supported on
Windows platforms.
For administrators, the SMA web-based management interface provides an end-to-end SMA solution. This interface can configure SMA users, access
policies, authentication methods, user bookmarks for network resources, and system settings.
For clients, web-based SMA customizable user portals enable users to access, update, upload, and download files and use remote applications installed
on desktop machines or hosted on an application server. The platform also supports secure web-based FTP access, a Network Neighborhood-like interface
for file sharing, Secure Shell version 2 (SSHv2), Telnet emulation, VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol) support,
Citrix Web access, bookmarks for offloaded portals (external Web sites), and Web and HTTPS proxy forwarding.

Summary of Contents for SonicWALL SMA 400

  • Page 1: About This Guide

    Secure Mobile Access Overview About This Guide This SonicWall Inc. Secure Mobile Access Administration Guide provides network administrators with a high-level overview of Secure Mobile Access (SMA) technology, including activation, configuration, and administration of SonicWall Inc. SMA/SRA appliances using the Secure Mobile Access management interface.
  • Page 2 Provides access to SafeMode. Power LED Indicates the SMA 400 is powered on. Test LED Indicates the SMA 400 is in test mode. Alarm LED Indicates a critical error or failure. Provides access to the X3 interface and to SMA resources.
  • Page 3 Back Panel Feature Description Exhaust fans Provides optimal cooling for the SMA 400 appliance. Power supply plug Provides power connection using supplied power cord. SMA 200 Front and Back Panels Overview SMA 200 Front Panel Features Front Panel Feature Description...
  • Page 4 SRA 4600 Front Panel Features Front Panel Feature Description Console Port RJ-45 port, provides access to console messages with serial connection (115200 Baud). Provides access to command line interface (for future use). USB Ports Provides access to USB interface (for future use). Reset Button Provides access to SafeMode.
  • Page 5 The elements of basic VMware structure must be implemented prior to deploying the SMA 500v Virtual Appliance. For detailed information about deploying the SMA 500v Virtual Appliance, see the SonicWall Inc. SMA 500v Virtual Appliance Getting Started Guide, available at:...
  • Page 6 A special type of encryption known as Public Key Encryption (PKE) comprises a public and a private key for encrypting and decrypting data. With public key encryption, an entity, such as a secure Web site, generates a public and a private key. A secure Web server sends a public key to a user who accesses the Web site.
  • Page 7 Settings • Interface Settings – Define an IPv6 address for the interface. The link-local address is displayed in a tooltip on Interfaces page. • Route Settings – Define a static route with IPv6 destination network and gateway. • Network Object – Define the network object using IPv6. An IPv6 address and IPv6 network can be attached to this network object. NetExtender When a client connects to NetExtender, it can get an IPv6 address from the SMA/SRA appliance if the client machine supports IPv6 and an IPv6 address pool is configured on the SMA/SRA appliance.
  • Page 8 Authentication. Supported Platforms Appliance Platforms Application Offloading and HTTP(S) bookmarks are supported on all the SMA/SRA appliances that support the Secure Mobile Access 8.6 release: • SMA 400 • SMA 200 • SRA 4600 • SRA 1600 • SMA 500v Virtual Appliance HTTP Versions HTTP(S) bookmarks and application offloading portals support both HTTP/1.0 and HTTP/1.1.
  • Page 9 • Microsoft Outlook Web Access 2013 Microsoft Outlook Web Access 2010 Microsoft Outlook Web Access 2007 NOTE: Outlook Web Access is supported on the SMA 400/200, SRA 4600/1600, and the SMA 500v Virtual Appliance platforms. • Windows SharePoint 2013 (supported only using App Offloading) Windows SharePoint 2007 (supported only using App Offloading) Windows SharePoint Services 3.0...
  • Page 10 • Internet Explorer 9.0 or newer • Windows 10 and Windows 7 NOTE: • The maximum number of users supported is limited by the number of applications being accessed and the volume of application traffic being sent. • Feature support varies based on your hardware and installation, see the respective sections for more detailed information about specific application support.
  • Page 11 To configure ActiveSync authentication, clear Disable Authentication Controls to display the authentication fields. Select Enable ActiveSync authentication and then type the default domain name. The default domain name cannot be used when the domain name is set in the email client’s setting. ActiveSync Log Entries The Log >...
  • Page 12 3 Set the Scheme to Secure Web (HTTPS). 4 Set the Application Server Host to your Exchange server, for example webmail.example.com. 5 Set the virtual host name, for example, webmail.example.com. The virtual host name should be resolved by the DNS server. Otherwise, modify the hosts file in the Android phone.
  • Page 13 Java is being deprecated. Going forward, use HTML5 bookmarks. 8.6 utilizes HTML5 by default. To enable Java for legacy support, call SonicWall Customer Support for assistance. Note that Java will not be supported in the future. Telnet client is delivered through the remote user’s Web browser. The remote user can specify the IP address of any accessible Telnet server and the SMA/SRA appliance makes a connection to the server.
  • Page 14 Java is being deprecated. Going forward, use HTML5 bookmarks. 8.6 utilizes HTML5 by default. To enable Java for legacy support, call SonicWall Customer Support for assistance. Note that Java will not be supported in the future. SSH clients delivered through the remote user’s Web browser. The remote user can specify the IP address of any accessible SSH server and the SMA/SRA appliance makes a connection to the server.
  • Page 15 individual application, such as CRM or accounting software. When the application is closed, the session closes. The following RDP formats can be used as applications protocols: • RDP Native – Uses the native RDP client to connect to the terminal server, and to automatically invoke an application at the specified path (for example, C:\programfiles\microsoft office\office11\winword.exe) •...
  • Page 16: DNS Overview

    What is NetExtender? SonicWall Inc. NetExtender is a transparent software application for Windows and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network.
  • Page 17 • Windows 10, Windows 7, Windows 2012, Windows Server 2008 R2. NetExtender might work properly on other Linux distributions, but they are not officially supported by SonicWall Inc. NOTE: The Mobile Connect application is now available for iOS 4.3 or higher and Android 4.0 or higher.
  • Page 18 Administrators can configure separate NetExtender IP address ranges for users and groups. These settings are configured on the Users > Local Users and Users > Local Groups pages, using the NetExtender tab in the Edit User and Edit Group windows. When configuring multiple user and group NetExtender IP address ranges, it is important to know how the SMA/SRA appliance assigns IP addresses.
  • Page 19 (the user’s password). SonicWall Inc.’s implementation of two-factor authentication partners with two of the leaders in advanced user authentication: RSA and VASCO. Two RADIUS servers can be used for two-factor authentication, allowing users to be authenticated through the Web portal or with a Secure Mobile Access client such as NetExtender or Secure Virtual Assist.
  • Page 20 This section provides examples of the two-factor authentication login prompts when using Web login and NetExtender. With Web login, the Username and Password fields are used to enter the first-stage credentials. When prompting the user to input the challenge code, the message “Please enter the M.ID PIN:” is the reply message from the RADIUS server in this example;...
  • Page 21 password expires. Benefits of One Time Passwords The Secure Mobile Access One Time Password feature provides more security than single, static passwords alone. Using a one-time password in addition to regular login credentials effectively adds a second layer of authentication. Users must be able to access the email address defined by the Secure Mobile Access administrator before completing the Secure Mobile Access One Time Password login process.
  • Page 22 The SMA/SRA appliance provides end point security controls by completing host integrity checking and security protection mechanisms before a tunnel session is begun. Host integrity checks help ensure that the client system is in compliance with your organization’s security policy. SonicWall end point security controls are tightly integrated with access control to analyze the Windows client system and apply access controls based on the results.
  • Page 23 • Greater flexibility for remote access - Using the Secure Virtual Access functionality, support staff can access their personal systems located outside the LAN of the SMA/SRA appliance. How Does Secure Virtual Assist Work? NOTE: Secure Virtual Assist is being deprecated. For legacy support, call SonicWall Customer Support for assistance. The following sections describe how the Secure Virtual Assist feature works: •...
  • Page 24 NOTE: Secure Virtual Assist is being deprecated. For legacy support, call SonicWall Customer Support for assistance. From the technician view of Secure Virtual Assist, technicians can send email invitations to customers that contain a direct URL link to initiate a Secure Virtual Assist session.
  • Page 25 6 When you see the confirmation screen, the installer is ready to install SonicWall Inc. Secure Virtual Assist on your computer. Click Next to begin the installation. 7 When Secure Virtual Assist launches for the first time, you might see a security warning pop-up window. De-select Always ask before opening this file to avoid this window in the future.
  • Page 26 After the technician has launched the Secure Virtual Assist application, the technician can assist customers by completing the following tasks: • Inviting Customers by Email • Assisting Customers • Using the Secure Virtual Assist Taskbar • Controlling the Secure Virtual Assist Display •...
  • Page 27 • Reboot Customer - Reboot the customer’s computer. Unless you have Requested full control, the customer is warned about and given the opportunity to deny the reboot. • Active Screens - Switches to a second monitor if the customer’s computer has more than one monitor configured. In MacOS, the taskbar contains the following buttons: •...
  • Page 28 Enabling a System for Secure Virtual Access NOTE: Secure Virtual Access is being deprecated. For legacy support, call SonicWall Customer Support for assistance. If Secure Virtual Access has been enabled on the Virtual Assist tab on the Portals > Portals page of the Secure Mobile Access management interface, users should see a link on the portal to set-up a system for Secure Virtual Access.
  • Page 29 Customer Support for assistance. Secure Virtual Meeting is a web-based management interface for the SMA 400, SRA 4600, and SMA 500v Virtual Appliance. Secure Virtual Meeting allows multiple users to view a desktop and interactively participate in a meeting from virtually anywhere with an Internet connection. Secure Virtual Meeting is similar to the one-to-one desktop sharing provided by Virtual Assist except multiple users can share a desktop.
  • Page 30 Performing Participant Tasks Configuring Secure Virtual Meeting NOTE: Secure Virtual Meeting is being deprecated. For legacy support, call SonicWall Customer Support for assistance. Secure Virtual Meeting configuration and management tasks are done through the Secure Mobile Access web-based management interface and consist of the following: •...
  • Page 31 View-only Participants. Performing Participant Tasks NOTE: Secure Virtual Meeting is being deprecated. For legacy support, call SonicWall Customer Support for assistance. Participants can be designated as View-only Participants or regular Participants. View-only Participants enter and exit meetings like other Participants, but cannot do most functions.
  • Page 32 If authentication is enabled, a suitable domain needs to be associated with this portal and all SonicWall Inc. advanced authentication features such as One Time Password, Two-factor Authentication, and Single Sign-On apply to the offloaded host.
  • Page 33 Cookie Tampering Protection Cookie Tampering Protection is an important item in the Payment Card Industry Data Security Standard (PCI DSS) section 6.6 requirements and part of the Web Application Firewall evaluation criteria that offers strict security for cookies set by the backend Web servers. Various techniques such as encryption and message digest are used to prevent cookie tampering.
  • Page 34 Web applications vulnerable. New updates to these signatures are periodically downloaded from a SonicWall Inc. signature database server, providing protection from recently introduced attacks. How signatures are used to prevent attacks When input arrives from the Internet, Web Application Firewall inspects HTTP/HTTPS request headers, cookies, POST data, query strings, response headers, and content.
  • Page 35 To maximize the benefits, hackers typically target actionable requests, such as data updates, to carry out this attack. To prevent CSRF attacks, every HTTP request within a browser session needs to carry a token based on the user session. To ensure that every request carries this token, the Web Application Firewall feature rewrites all URLs contained in a Web page similarly to how they are rewritten by the Reverse Proxy for HTTP(S) Bookmarks feature.
  • Page 36 You can generate and download the PCI report file on the Web Application Firewall > Status page. NOTE: This is not an official PCI Compliance report. It is for your self-assessment only. In the report cover, the following information is displayed: •...
  • Page 37 Tamper Protection Mode – Three modes are available: • Prevent – Strip all the tampered cookies and log them. • Detect only – Log the tampered cookies only. • Inherit Global – Use the global setting for this portal. Encrypt Server Cookies – Choose to encrypt name and value separately. This affects client-side script behavior because it makes cookie names or values unreadable.
  • Page 38: Browser Requirements

    changes are incorporated. How Does Rate Limiting for Custom Rules Work? The administrator can configure rate limiting when adding or editing a rule chain from the Web Application Firewall > Rules page. When rate limiting is enabled for a rule chain, the action for the rule chain is triggered only when the number of matches within a configured time period is above the configured threshold.
  • Page 39 For more detailed information on establishing a management session and basic setup tasks, refer to the Getting Started Guide for your platform. To access the Secure Mobile Access web-based management interface of the SonicWall SMA/SRA appliance: 1 Connect one end of a CAT-6 cable into the X0 port of your SMA/SRA appliance. Connect the other end of the cable into the computer you are using to manage the SMA/SRA appliance.
  • Page 40 authentication domain. If you wish to log in as an administrator, make sure you select LocalDomain from the Domain drop-down list in the Login screen. The System, Network, Portals, NetExtender, Secure Virtual Assist, Web Application Firewall, Users and Log menu headings on the left side of the browser window configure administrative settings.
  • Page 41 Click Accept at the top right corner of the main window to save any configuration changes you made on the page. If the settings are contained in a secondary window within the Secure Mobile Access management interface, Accept is still available at the top right corner of the window.
  • Page 42 This section provides information about deployment guidelines for the SMA/SRA appliance. This section contains the following subsections: • Support for Numbers of User Connections • Resource Type Support • Integration with other SonicWall Inc. Products • Typical Deployment • Two-armed Deployment Support for Numbers of User Connections The following table lists the maximum and recommended numbers of concurrent tunnels supported for each appliance.
  • Page 43: Typical Deployment

    SonicWall Inc. network security appliance, such as a NSA 4600. This method of deployment offers additional layers of security control plus the ability to use SonicWall Inc.’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic. SonicWall Inc.

This manual is also suitable for:

SRA 4600, SMA 200, SRA 1600