Secure Mobile Access 100 10.2 Administration Guide
- Secure Mobile Access 10.2
- Introduction
- About This Guide
- New Features
- Deprecated Features
- Overview of SMA Components
- SMA Software Components
- SMA Hardware Components
- Client Versions Released with 10.2
- SMA 500v Virtual Appliances
- Increased Client Connections on SMA 210/410
- Capture ATP Integration Overview
- Always on VPN
- Encryption Overview
- SSL for Virtual Private Networking (VPN)
- SSL Handshake Procedure
- IPv6 Support Overview
- Portals Overview
- File Shares
- Domains Overview
- Application Offloading and HTTP(S) Bookmarks Overview
- Cross Domain Single Sign-On
- ActiveSync Authentication
- Network Resources Overview
- SNMP Overview
- DNS Overview
- Network Routes Overview
- NetExtender Overview
- What is NetExtender?
- Benefits of NetExtender
- NetExtender Concepts
- NetExtender and IPv6
- Two-Factor Authentication Overview
- One Time Password Overview
- End Point Control Overview
- Web Application Firewall Overview
- What is Web Application Firewall?
- Benefits of Web Application Firewall
- How Does Web Application Firewall Work?
- How are Signatures Used to Prevent Attacks?
- How is Cross-Site Request Forgery Prevented?
- How is Information Disclosure Prevented?
- How are Broken Authentication Attacks Prevented?
- How are Insecure Storage and Communications Prevented?
- How is Access to Restricted URLs Prevented?
- How are Slowloris Attacks Prevented?
- What Type of PCI Compliance Reports Are Available?
- How Does Cookie Tampering Protection Work?
- How Does Application Profiling Work?
- How Does Rate Limiting for Custom Rules Work?
- Restful API - Phase 1 Support
- Restful API - Phase 2 Support
- Navigating the Management Interface
- Deployment Guidelines
- Secure Mobile Access Dashboard
- Configuring Secure Mobile Access
- System Configuration
- System > Status
- System > Licenses
- System > Time
- System > Settings
- System > Administration
- System > Certificates
- System > Monitoring
- System > Diagnostics
- System > Restart
- System > About
- Network Configuration
- Portals Configuration
- Portals > Portals
- Portals > Application Offloading
- Portals > Domains
- Viewing the Domains Table
- Removing a Domain
- Adding or Editing a Domain
- Secure Hosts for Secure Network Detection
- Adding or Editing a Domain with Local User Authentication
- Adding or Editing a Domain with Active Directory Authentication
- Adding or Editing a Domain with RADIUS Authentication
- Adding or Editing a Domain with Digital Certificates
- Adding a Domain with SAML 2.0 Authentication
- Configuring SAML Authentication
- Configuring Two-Factor Authentication
- DUO Security Authentication Support for NetExtender and Mobile Connect Clients
- Portals > Load Balancing
- Portals > URL Based Aliasing
- System Configuration
- Configuring Services and Clients
- Services Configuration
- Services > Settings
- Services > Bookmarks
- Terminal Services (RDP-HTML5 and Native)
- Terminal Services (RDP-HTML5)
- Virtual Network Computing (VNC-HTML5)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Telnet HTML5 Settings
- Secure Shell Version 2 (SSHv2)
- Services > Policies
- Device Management Configuration
- Clients Configuration
- End Point Control
- Web Application Firewall Configuration
- Viewing and Updating Web Application Firewall Status
- Configuring Web Application Firewall Settings
- Enabling Web Application Firewall and Configuring General Settings
- Configuring Global Exclusions
- Configuring Intrusion Prevention Error Page Settings
- Configuring Cross-Site Request Forgery Protection Settings
- Configuring Cookie Tampering Protection Settings
- Configuring Web Site Cloaking
- Configuring Information Disclosure Protection
- Configuring Session Management Settings
- Configuring Web Application Firewall Signature Actions
- Configuring Custom Rules and Application Profiling
- Using Web Application Firewall Monitoring
- Licensing Web Application Firewall
- Capture ATP
- Geo IP and Botnet Filter
- High Availability Configuration
- Services Configuration
- Configuring Users & Logs
- Users Configuration
- Users > Status
- Users > Local Users
- Local Users
- Editing User Settings
- Adding User Policies
- Adding a Policy for an IP Address
- Adding a Policy for an IP Network
- Adding a Policy for All Addresses
- Setting File Share Access Policies
- Adding a Policy for a File Share
- Adding a Policy for a URL Object
- Policy URL Object Field Elements
- Adding a Policy for All IPv6 Addresses
- Adding a Policy for an IPv6 Address
- Adding a Policy for an IPv6 Network
- Adding or Editing User Bookmarks
- Terminal Services (RDP) or Terminal Services (RDP - HTML5)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP)
- SSH File Transfer Protocol (SFTP)
- Telnet
- Secure Shell Version 2 (SSHv2)
- HTML5 SSH Key File Authentication Support
- Creating a Citrix Bookmark for a Local User
- Creating Bookmarks with Custom SSO Credentials
- Configuring Login Policies
- Denying Mobile App Binding when Login is Attempted from any External Network
- Reusing Mobile App Binding Text Code
- Flexibility in Choosing Two-factor Authentication Method for NetExtender Login
- Configuring End Point Control for Users
- Configuring Capture ATP
- Users > Local Groups
- Deleting a Group
- Adding a New Group
- Editing Group Settings
- Editing General Local Group Settings
- Enabling Routes for Groups
- Adding Group Policies
- Editing a Policy for a File Share
- Configuring Group Bookmarks
- Terminal Services (RDP), Terminal Services (RDP-HTML5) or Terminal Services (RDP-Native)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Secure Shell Version 2 (SSHv2) HTML5 Settings
- SSHv2 Common Settings
- Configuring Group End Point Control
- LDAP Attribute Information
- Group Configuration for Active Directory and RADIUS Domains
- Creating a Citrix Bookmark for a Local Group
- Global Configuration
- Log Configuration
- Users Configuration
- Using Virtual Office
- Appendices
- Using Online Help
- Configuring an SMA Appliance with a Third-party Gateway
- Printer Redirection
- Use Cases
- Secure Mobile Access Security Best Practices
- Multi-Factor Authentication
- Additional Configuration Recommendations for Security Best Practices
- Prohibit Saving Username and Password
- Hide Domain List on Portal Login Page
- Enable HTTP Strict Transport Security (HSTS) for SMA
- Enforce Login Uniqueness
- Enforce Client Source Uniqueness
- Enable “Login Schedule”
- Enable “Logout Schedule”
- Enforce Password Complexity
- Enable Client Certificate Enforcement (Advanced Security Feature)
- Restrict Request Headers
- Use a Public Certificate
- Allow Touch ID and Face ID on Mac, Apple IOS, and Android Devices
- Disconnection on Inactivity Timeout
- Disable the Default Admin Account
- Allow Policy Match Logging
- Setup Connection Policies
- Device Registration
- End Point Control
- GEO IP Fencing
- Capture ATP for the SMA 100 Series
- Security Enhancements
- General Considerations
- NetExtender Troubleshooting
- Frequently Asked Questions
- Using the Command Line Interface
- Using SMS Email Formats
- Support Information
- Glossary
- SonicWall Support
DUO Security Authentication Support for NetExtender and Mobile Connect Clients
The SMA series supports DUO Security Authentication during user login. DUO Security Authentication login is now supported for different clients such as web browsers and Mobile Connect clients.
- About DUO Authentication
- About RADIUS
- DUO Security Authentication with SMA appliance
- Duo Security Authentication with Web Browser Login
- DUO Security Authentication with NetExtender Windows
- DUO Security Authentication with NetExtender Linux
- DUO Security Authentication with Mobile Connect for iOS
- DUO Security Authentication with Mobile Connect for macOS
- DUO Security Authentication with Mobile Connect for Android
About DUO Authentication
DUO has several options for securing your authentication of users. Refer to information on the DUO website to determine which method works best for your SonicWall solution.
There are three main methods the receiver can use to authenticate with DUO :
- DUO push: A prompt comes up on the screen from the DUO app that has been downloaded on the user’s mobile device.
- Phone call: A call comes to the mobile device requesting the user to click one or more buttons to authenticate.
- Passcode: A passcode comes by email or SMS/Text to the user’s mobile device, which the user then enters as part of the authentication process.
About RADIUS
RADIUS is a protocol or language SMA uses to authenticate users through the DUO authentication process. The SMA appliance uses RADIUS to communicate with the DUO authentication system.
DUO Security Authentication with SMA appliance
Configure SMA for multi-factor authentication using the following steps
-
Log in to the SMA appliance and navigate to Portals > Domains.
-
Add a new domain by clicking Add Domain.
-
Create a new RADIUS domain for DUO Authentication.
-
Navigate to Portals > Portals and modify the default portal for duo authentication.
-
On the General tab, select Display login message on custom login page to display custom login messages at login.
-
Remove the default Login Message and paste in the “
<script src="https://api-f74dbf3b.duosecurity.com/frame/hosted/Duo-SonicWall-SRA-v1.js"></script>
” message. -
Access the user portal and choose DUO Authentication using the Radius credential for authentication.
-
Choose an authentication method for DUO Authentication and proceed with the login.
-
All three options, DUO Push, Call Me, or Passcode can be approved through a DUO application installed on a mobile device to proceed with the authentication.
Creating an Offloaded Web Application Portal
Log in to the user portal with DUO Authentication as the default user portal.
- Navigate to Portals > Portals after logging in to the appliance using the Admin portal.
-
Click Offload Web Application to create an offloaded portal.
-
Click Next. On the Server page, enter the Application Server Address along with options selected as shown here.
-
Click Next twice. Remove the default Login Message and paste in the “
<script src="https://api-f74dbf3b.duosecurity.com/frame/hosted/Duo-SonicWALL-SRA-v1.js"></script>
” message. -
Edit the DUO Radius domain to associate it with the DUO offloaded portal.
-
Edit the duo portal and paste the “
<script src="https://api-f74dbf3b.duosecurity.com/frame/hosted/Duo-SonicWall-SRA-v1.js"></script>
”duo security portal API configuration script into the Login Message field. -
Enable Display custom login page and select Display login message on custom login page.
-
Access the offloaded portal (host entry is required if the DNS is not being used) and choose the duo authentication domain for duo authentication.
-
DUO Push, Call Me, or Passcode can be approved from a duo application installed on a mobile device to proceed with the authentication.
-
Ensure you have successfully accessed the offloaded portal with duo authentication.
Duo Security Authentication with Web Browser Login
For Duo Security Authentication with a Web Browser Login, after setting up the DUO portal configuration, you can login to a portal with DUO authentication in a web browser. Input a User Name and Password within a Radius domain. Prompt the DUO authentication page and select one authentication method such as Send Me a Push, Call Me, or Enter a Passcode. Click Login. After completing the DUO authentication, you should be redirected back to the portal.
DUO Security Authentication with NetExtender Windows
For DUO Security Authentication with NetExtender Windows
-
Open NetExtender and input a Server IP/Hostname, along with RADIUS authentication credentials Username, Password, and Domain name.
- Click Connect for NetExtender.
-
Open the DUO Security Authentication page in your default browser. Select one authentication method such as Send Me a Push, Call Me, or Enter a Passcode. Click Login. NetExtender returns an error message if all conditions are not met.
-
DUO Push, Call Me, or Passcode can be approved from a duo application installed on a mobile device to proceed with the authentication.
- DUO Authentication is successful in the Windows NetExtender client.
-
DUO Authentication fails in the Windows NetExtender client when the EPC check has failed.
-
DUO Authentication fails in the Windows NetExtender client when a device is prohibited.
DUO Security Authentication with NetExtender Linux
For DUO Security Authentication with NetExtender Linux, input a User Name and Password. Click the Connect button for an SMA connection.
DUO Authentication with NetExtender in Ubuntu Linux with Device management enabled.
DUO Authentication with NetExtender successful in Ubuntu Linux.
Open the DUO Security Authentication page in your default browser. If using Firefox, the following is default user portal from Linux in Firefox with DUO Authentication.
Login and select one authentication method such as Send Me a Push, Call Me, or Enter a Passcode. Click Login. Click Login. After completing the DUO authentication, you should be redirected back to the portal.
The following screen indicates successful DUO authentication with the user portal.
DUO Security Authentication with Mobile Connect for iOS
For DUO Security Authentication with Mobile Connect for iOS, click connect for an SMA connection. Input a User Name and Password. Open the DUO Security Authentication page as a WKWebview page in your default browser. Select one authentication method such as Send Me a Push, Call Me, or Enter a Passcode. Click Login. WKWebview returns an error message if all conditions are not met.
DUO Security Authentication with Mobile Connect for macOS
For DUO Security Authentication with Mobile Connect for macOS, click connect for an SMA connection. Input a User Name and Password. Open the DUO Security Authentication page in your default browser. Select one authentication method such as Send Me a Push, Call Me, or Enter a Passcode. Click Login. After completing the DUO authentication, you should be redirected back to the portal.
DUO Security Authentication with Mobile Connect for Android
For DUO Security Authentication with Mobile Connect for Android, click connect for an SMA connection. Input a User Name and Password. Open the DUO Security Authentication page in your default browser. Select one authentication method such as Send Me a Push, Call Me, or Enter a Passcode. Click Login. After completing the DUO authentication with Mobile Connect, you should be redirected back to the portal.
Was This Article Helpful?
Help us to improve our support portal