Typical Deployment of SMA/SRA appliance

03/26/2020 156 People found this article helpful 485,760 Views

Description

The SMA and SRA appliances provide organizations with a simple, secure and clientless method of access to applications and network resources specifically for remote and mobile employees. Organizations can use Secure Mobile Access connections without the need to have a pre-configured, large-installation host. Users can easily and securely access email files, intranet sites, applications, and other resources on the corporate Local Area Network (LAN) from any location by accessing a standard Web browser.

The SMA/SRA appliance is commonly deployed in tandem in one-armed mode over the DMZ interface on an accompanying gateway appliance, for example, a SonicWall network security appliance.

This method of deployment offers additional layers of security control plus the ability to use SonicWall’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic. SonicWall recommends one-armed mode deployments over two-armed for the ease-of-deployment and for use in conjunction with UTM GAV/IPS for clean VPN.

Resolution

Deployment

As shown in the above figure, in one-armed mode the primary interface (X0) on the SMA/SRA appliance connects to an available segment on the gateway device. The encrypted user session is passed through the gateway to the SMA/SRA appliance. The SMA/SRA appliance decrypts the session and determines the requested resource. The Secure Mobile Access session traffic then traverses the gateway appliance to reach the internal network resources. While traversing the gateway, security services, such as Intrusion Prevention, Gateway Anti-Virus and Anti-Spyware inspection can be applied by appropriately equipped gateway appliances. The internal network resource then returns the requested content to the SMA/SRA appliance through the gateway where it is encrypted and returned to the client.

Configuration

Both NSA and SMA/SRA appliances need to be configured in the deployment. In this case NSA 4600 and SRA 4600 are used for demonstration.

On NSA appliance:

Web management HTTPS port

Navigate to System > Administration, under Web Management Settings section, change the HTTPS Port value from 443(default value) to 4333 for example. This is to avoid port conflict because SSL VPN service port on SRA is 443 too and cannot be changed.

Interface

Navigate to Network > Interfaces, edit X2 interface as following:

NAT Policies

Navigate to Network > NAT Polices, click Add to create the NAT couple as following:

Access Rules

Navigate to Firewall > Access Rules, select Matrix and then DMZ to LAN, click Add to create an allow entry as following(RDP service used here for demonstration):