Secure Mobile Access 100 10.2 Administration Guide
- Secure Mobile Access 10.2
- Introduction
- About This Guide
- New Features
- Deprecated Features
- Overview of SMA Components
- SMA Software Components
- SMA Hardware Components
- Client Versions Released with 10.2
- SMA 500v Virtual Appliances
- Increased Client Connections on SMA 210/410
- Capture ATP Integration Overview
- Always on VPN
- Encryption Overview
- SSL for Virtual Private Networking (VPN)
- SSL Handshake Procedure
- IPv6 Support Overview
- Portals Overview
- File Shares
- Domains Overview
- Application Offloading and HTTP(S) Bookmarks Overview
- Cross Domain Single Sign-On
- ActiveSync Authentication
- Network Resources Overview
- SNMP Overview
- DNS Overview
- Network Routes Overview
- NetExtender Overview
- What is NetExtender?
- Benefits of NetExtender
- NetExtender Concepts
- NetExtender and IPv6
- Two-Factor Authentication Overview
- One Time Password Overview
- End Point Control Overview
- Web Application Firewall Overview
- What is Web Application Firewall?
- Benefits of Web Application Firewall
- How Does Web Application Firewall Work?
- How are Signatures Used to Prevent Attacks?
- How is Cross-Site Request Forgery Prevented?
- How is Information Disclosure Prevented?
- How are Broken Authentication Attacks Prevented?
- How are Insecure Storage and Communications Prevented?
- How is Access to Restricted URLs Prevented?
- How are Slowloris Attacks Prevented?
- What Type of PCI Compliance Reports Are Available?
- How Does Cookie Tampering Protection Work?
- How Does Application Profiling Work?
- How Does Rate Limiting for Custom Rules Work?
- Restful API - Phase 1 Support
- Restful API - Phase 2 Support
- Navigating the Management Interface
- Deployment Guidelines
- Secure Mobile Access Dashboard
- Configuring Secure Mobile Access
- System Configuration
- System > Status
- System > Licenses
- System > Time
- System > Settings
- System > Administration
- System > Certificates
- System > Monitoring
- System > Diagnostics
- System > Restart
- System > About
- Network Configuration
- Portals Configuration
- Portals > Portals
- Portals > Application Offloading
- Portals > Domains
- Viewing the Domains Table
- Removing a Domain
- Adding or Editing a Domain
- Secure Hosts for Secure Network Detection
- Adding or Editing a Domain with Local User Authentication
- Adding or Editing a Domain with Active Directory Authentication
- Adding or Editing a Domain with RADIUS Authentication
- Adding or Editing a Domain with Digital Certificates
- Adding a Domain with SAML 2.0 Authentication
- Configuring SAML Authentication
- Configuring Two-Factor Authentication
- DUO Security Authentication Support for NetExtender and Mobile Connect Clients
- Portals > Load Balancing
- Portals > URL Based Aliasing
- System Configuration
- Configuring Services and Clients
- Services Configuration
- Services > Settings
- Services > Bookmarks
- Terminal Services (RDP-HTML5 and Native)
- Terminal Services (RDP-HTML5)
- Virtual Network Computing (VNC-HTML5)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Telnet HTML5 Settings
- Secure Shell Version 2 (SSHv2)
- Services > Policies
- Device Management Configuration
- Clients Configuration
- End Point Control
- Web Application Firewall Configuration
- Viewing and Updating Web Application Firewall Status
- Configuring Web Application Firewall Settings
- Enabling Web Application Firewall and Configuring General Settings
- Configuring Global Exclusions
- Configuring Intrusion Prevention Error Page Settings
- Configuring Cross-Site Request Forgery Protection Settings
- Configuring Cookie Tampering Protection Settings
- Configuring Web Site Cloaking
- Configuring Information Disclosure Protection
- Configuring Session Management Settings
- Configuring Web Application Firewall Signature Actions
- Configuring Custom Rules and Application Profiling
- Using Web Application Firewall Monitoring
- Licensing Web Application Firewall
- Capture ATP
- Geo IP and Botnet Filter
- High Availability Configuration
- Services Configuration
- Configuring Users & Logs
- Users Configuration
- Users > Status
- Users > Local Users
- Local Users
- Editing User Settings
- Adding User Policies
- Adding a Policy for an IP Address
- Adding a Policy for an IP Network
- Adding a Policy for All Addresses
- Setting File Share Access Policies
- Adding a Policy for a File Share
- Adding a Policy for a URL Object
- Policy URL Object Field Elements
- Adding a Policy for All IPv6 Addresses
- Adding a Policy for an IPv6 Address
- Adding a Policy for an IPv6 Network
- Adding or Editing User Bookmarks
- Terminal Services (RDP) or Terminal Services (RDP - HTML5)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP)
- SSH File Transfer Protocol (SFTP)
- Telnet
- Secure Shell Version 2 (SSHv2)
- HTML5 SSH Key File Authentication Support
- Creating a Citrix Bookmark for a Local User
- Creating Bookmarks with Custom SSO Credentials
- Configuring Login Policies
- Denying Mobile App Binding when Login is Attempted from any External Network
- Reusing Mobile App Binding Text Code
- Flexibility in Choosing Two-factor Authentication Method for NetExtender Login
- Configuring End Point Control for Users
- Configuring Capture ATP
- Users > Local Groups
- Deleting a Group
- Adding a New Group
- Editing Group Settings
- Editing General Local Group Settings
- Enabling Routes for Groups
- Adding Group Policies
- Editing a Policy for a File Share
- Configuring Group Bookmarks
- Terminal Services (RDP), Terminal Services (RDP-HTML5) or Terminal Services (RDP-Native)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Secure Shell Version 2 (SSHv2) HTML5 Settings
- SSHv2 Common Settings
- Configuring Group End Point Control
- LDAP Attribute Information
- Group Configuration for Active Directory and RADIUS Domains
- Creating a Citrix Bookmark for a Local Group
- Global Configuration
- Log Configuration
- Users Configuration
- Using Virtual Office
- Appendices
- Using Online Help
- Configuring an SMA Appliance with a Third-party Gateway
- Printer Redirection
- Use Cases
- Secure Mobile Access Security Best Practices
- Multi-Factor Authentication
- Additional Configuration Recommendations for Security Best Practices
- Prohibit Saving Username and Password
- Hide Domain List on Portal Login Page
- Enable HTTP Strict Transport Security (HSTS) for SMA
- Enforce Login Uniqueness
- Enforce Client Source Uniqueness
- Enable “Login Schedule”
- Enable “Logout Schedule”
- Enforce Password Complexity
- Enable Client Certificate Enforcement (Advanced Security Feature)
- Restrict Request Headers
- Use a Public Certificate
- Allow Touch ID and Face ID on Mac, Apple IOS, and Android Devices
- Disconnection on Inactivity Timeout
- Disable the Default Admin Account
- Allow Policy Match Logging
- Setup Connection Policies
- Device Registration
- End Point Control
- GEO IP Fencing
- Capture ATP for the SMA 100 Series
- Security Enhancements
- General Considerations
- NetExtender Troubleshooting
- Frequently Asked Questions
- Using the Command Line Interface
- Using SMS Email Formats
- Support Information
- Glossary
- SonicWall Support
HTML5 SSH Key File Authentication Support
Previously, user names and passwords were the only authentication methods supported by HTML SSH. However, more and more SSH servers are being used as key file authentication sites, especially within the cloud environment. SonicWall has now added support for that Key File authentication method.
- HTML5 SSH bookmarks support identity file authentication
- HTML5 SSH features can save the identity file and user information in a browser's local storage
- HTML5 SSH features can use the saved information to log in to an SSH server automatically
- Supported Platforms
- SSH Authentication Option
- Identity File Authentication
- Error Handling
- Configuring SSH Resources in SMA
- Accessing the SSH Resources
Supported Platforms
- Windows
- LINUX
- MAC
- Android
- iOS
SSH Authentication Option
A new option is introduced for HTML5 SSH bookmarks: SSHv2 Authentication Type.
There are two authentication types: Username + Password and Key File Authentication.
The Username + Password method is the default selection.
When devices are upgraded to 10.2.1, the authentication type is Username + Password as the default selection, but administrators can also select Key File Authentication to use identity file to login the SSH server.
When SSH key-based authentication is not configured on the server and key-based authentication is selected on the appliance, then it reverts back to username-password-based authentication.
Identity File Authentication
Administrators log in to an SSH server with the Key File Authentication type:
- When no identity file information is saved, a pop-up dialog box appears indicating a username, identity file, and passcode (if the identity file is protected by Passcode) are necessary to continue.
- After filling in the user and identity file information to login with identity file is required.
- After successfully logging in, if there is no record of the identity file for the user's bookmark, a confirmation dialog box appears for the user to confirm whether or not to save or not save that identity information in their browser's local storage for the next login.
- The passcode of the identity file will not be saved, even the user selects to save their identity file information in their browser's local storage. and the system always asks for the Passcode of the identity file (if the identity file is protected by passcode).
Error Handling
Authentication error handling methods and the associated UI messages have been updated:
- Authentication Type is Username+Password
- Update input password message to: Input <username>@<hostname>'s password
If the SSH server authentication method only supports a public key, update the error message to:
Need public key authenticate method. Please change the SSH Authentication Type to Key File Authentication in bookmark setting.
- Authentication Type is Key File Authentication:
-
The username or identity file is incorrect.
If SSH server supports the username+password method, a pop-up message appears showing the Input Password dialog and for the user to try using the username and password login.
Configuring SSH Resources in SMA
SSH resources can be configured either from the user interface or through an API. In the user interface, the SSH resource can be configured in the Global, Group, or User Level. The SSH resource can also be configured though an API.
To configure an SSH resource from the user interface
-
Login as Administrator from the SMA login screen.
-
Navigate to Users > Local Users or Users > Local Groups.
-
Edit a Local User or a Local Group.
-
From the Edit Local User page, click the Bookmarks tab.
-
Create an SSH Bookmark using an SSH server IP and set the SSHv2 Authentication Type option to Key File Authentication.
To configure an SSH resource from an API
-
Generate a Login ID using
https://<<appliance IP>>/__api__/v1/logon GET request
. -
Authenticate the appliance using
https://<<appliance IP>>/__api__/v1/logon/<<Logon ID>>/authenticate POST
. -
Create an SSH Bookmark using the
sshAuthType
parameter as thekeyfileauth
using the APIhttps://<<appliance IP>>/__api__/v1/management/bookmarks POST
.
Accessing the SSH Resources
To access the SSH resource from the user interface
-
Login as Administrator from the SMA login screen.
-
Access the SSH Bookmark.
-
Set the Username as the server username, set the Private Key as the Private Key of the server and the Passcode as the passphrase that was set during the creation of the RSA key pair.
Was This Article Helpful?
Help us to improve our support portal