Secure Mobile Access 100 10.2 Administration Guide
- Secure Mobile Access 10.2
- Introduction
- About This Guide
- New Features
- Deprecated Features
- Overview of SMA Components
- SMA Software Components
- SMA Hardware Components
- Client Versions Released with 10.2
- SMA 500v Virtual Appliances
- Increased Client Connections on SMA 210/410
- Capture ATP Integration Overview
- Always on VPN
- Encryption Overview
- SSL for Virtual Private Networking (VPN)
- SSL Handshake Procedure
- IPv6 Support Overview
- Portals Overview
- File Shares
- Domains Overview
- Application Offloading and HTTP(S) Bookmarks Overview
- Cross Domain Single Sign-On
- ActiveSync Authentication
- Network Resources Overview
- SNMP Overview
- DNS Overview
- Network Routes Overview
- NetExtender Overview
- Two-Factor Authentication Overview
- One Time Password Overview
- End Point Control Overview
- Web Application Firewall Overview
- What is Web Application Firewall?
- Benefits of Web Application Firewall
- How Does Web Application Firewall Work?
- How are Signatures Used to Prevent Attacks?
- How is Cross-Site Request Forgery Prevented?
- How is Information Disclosure Prevented?
- How are Broken Authentication Attacks Prevented?
- How are Insecure Storage and Communications Prevented?
- How is Access to Restricted URLs Prevented?
- How are Slowloris Attacks Prevented?
- What Type of PCI Compliance Reports Are Available?
- How Does Cookie Tampering Protection Work?
- How Does Application Profiling Work?
- How Does Rate Limiting for Custom Rules Work?
- Navigating the Management Interface
- Deployment Guidelines
- Secure Mobile Access Dashboard
- Configuring Secure Mobile Access
- System Configuration
- System > Status
- System > Licenses
- System > Time
- System > Settings
- System > Administration
- System > Certificates
- System > Monitoring
- System > Diagnostics
- System > Restart
- System > About
- Network Configuration
- Portals Configuration
- Portals > Portals
- Portals > Application Offloading
- Portals > Domains
- Viewing the Domains Table
- Removing a Domain
- Adding or Editing a Domain
- Secure Hosts for Secure Network Detection
- Adding or Editing a Domain with Local User Authentication
- Adding or Editing a Domain with Active Directory Authentication
- Adding or Editing a Domain with RADIUS Authentication
- Adding or Editing a Domain with Digital Certificates
- Adding a Domain with SAML 2.0 Authentication
- Configuring SAML Authentication
- Configuring Two-Factor Authentication
- DUO Security Authentication
- Portals > Load Balancing
- Portals > URL Based Aliasing
- System Configuration
- Configuring Services and Clients
- Services Configuration
- Services > Settings
- Services > Bookmarks
- Terminal Services (RDP-HTML5 and Native)
- Terminal Services (RDP-HTML5)
- Virtual Network Computing (VNC-HTML5)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Telnet HTML5 Settings
- Secure Shell Version 2 (SSHv2)
- Services > Policies
- Device Management Configuration
- Clients Configuration
- End Point Control
- Web Application Firewall Configuration
- Viewing and Updating Web Application Firewall Status
- Configuring Web Application Firewall Settings
- Enabling Web Application Firewall and Configuring General Settings
- Configuring Global Exclusions
- Configuring Intrusion Prevention Error Page Settings
- Configuring Cross-Site Request Forgery Protection Settings
- Configuring Cookie Tampering Protection Settings
- Configuring Web Site Cloaking
- Configuring Information Disclosure Protection
- Configuring Session Management Settings
- Configuring Web Application Firewall Signature Actions
- Configuring Custom Rules and Application Profiling
- Using Web Application Firewall Monitoring
- Licensing Web Application Firewall
- Capture ATP
- Geo IP and Botnet Filter
- High Availability Configuration
- Services Configuration
- Configuring Users & Logs
- Users Configuration
- Users > Status
- Users > Local Users
- Local Users
- Editing User Settings
- Adding User Policies
- Adding a Policy for an IP Address
- Adding a Policy for an IP Network
- Adding a Policy for All Addresses
- Setting File Share Access Policies
- Adding a Policy for a File Share
- Adding a Policy for a URL Object
- Policy URL Object Field Elements
- Adding a Policy for All IPv6 Addresses
- Adding a Policy for an IPv6 Address
- Adding a Policy for an IPv6 Network
- Adding or Editing User Bookmarks
- Terminal Services (RDP) or Terminal Services (RDP - HTML5)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP)
- SSH File Transfer Protocol (SFTP)
- Telnet
- Secure Shell Version 2 (SSHv2)
- HTML5 SSH Key File Authentication Support
- Creating a Citrix Bookmark for a Local User
- Creating Bookmarks with Custom SSO Credentials
- Configuring Login Policies
- Denying Mobile App Binding when Login is Attempted from any External Network
- Reusing Mobile App Binding Text Code
- Flexibility in Choosing Two-factor Authentication Method for NetExtender Login
- Configuring End Point Control for Users
- Configuring Capture ATP
- Users > Local Groups
- Deleting a Group
- Adding a New Group
- Editing Group Settings
- Editing General Local Group Settings
- Enabling Routes for Groups
- Adding Group Policies
- Editing a Policy for a File Share
- Configuring Group Bookmarks
- Terminal Services (RDP), Terminal Services (RDP-HTML5) or Terminal Services (RDP-Native)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Secure Shell Version 2 (SSHv2) HTML5 Settings
- SSHv2 Common Settings
- Configuring Group End Point Control
- LDAP Attribute Information
- Group Configuration for Active Directory and RADIUS Domains
- Creating a Citrix Bookmark for a Local Group
- Global Configuration
- Log Configuration
- Users Configuration
- Using Virtual Office
- Appendices
- Using Online Help
- Configuring an SMA Appliance with a Third-party Gateway
- Printer Redirection
- Use Cases
- Secure Mobile Access Security Best Practices
- Multi-Factor Authentication
- Additional Configuration Recommendations for Security Best Practices
- Prohibit Saving Username and Password
- Hide Domain List on Portal Login Page
- Enable HTTP Strict Transport Security (HSTS) for SMA
- Enforce Login Uniqueness
- Enforce Client Source Uniqueness
- Enable “Login Schedule”
- Enable “Logout Schedule”
- Enforce Password Complexity
- Enable Client Certificate Enforcement (Advanced Security Feature)
- Restrict Request Headers
- Use a Public Certificate
- Allow Touch ID and Face ID on Mac, Apple IOS, and Android Devices
- Disconnection on Inactivity Timeout
- Disable the Default Admin Account
- Allow Policy Match Logging
- Setup Connection Policies
- Device Registration
- End Point Control
- GEO IP Fencing
- Capture ATP for the SMA 100 Series
- Security Enhancements
- General Considerations
- Frequently Asked Questions
- Using the Command Line Interface
- Using SMS Email Formats
- Support Information
- Glossary
- SonicWall Support
Digital Certificates and Certificate Authorities FAQ
-
What do I do if when I log in to the SMA appliance my browser gives me an error, or if my Java components give me an error?
Answer: These errors can be caused by any combination of the following three factors:
- The certificate in the SMA appliance is not trusted by the browser
- The certificate in the SMA appliance could be expired.
- The site requested by the client Web browser does not match the site name embedded in the certificate.
Web browsers are programmed to issue a warning if the previous three conditions are not met precisely. This security mechanism is intended to ensure end-to-end security, but often confuses people into thinking something is broken. If you are using the default self-signed certificate, this error appears every time a Web browser connects to the SMA appliance. However, it is just a warning and can be safely ignored, as it does not affect the security negotiated during the SSL handshake. If you do not want this error to happen, you should purchase and install a trusted SSL certificate onto the SMA appliance.
-
I get the following message when I log in to my SMA appliance – what do I do?
Answer: It’s the same problem as noted in the previous topic, but this is the new “improved” security warning screen in Microsoft Internet Explorer. Whereas before IE5.x and IE6.x presented a pop-up that listed the reasons why the certificate is not trusted, IE simply returns a generic error page which recommends that the user close the page. The user is not presented with a direct ‘Yes’ option to proceed, and instead must click on the embedded Continue to this Website (not recommended) link. For these reasons, it is strongly recommended that all SMA appliances, going forward, have a trusted digital certificate installed.
-
I get the following message when I log in to my SMA appliance using Firefox– what do I do?
Answer: Much like the errors shown previously for Internet Explorer, Firefox has a unique error message when any certificate problem is detected. The conditions for this error are the same as for the previous Internet Explorer errors.
To get past this screen, click the Or you can add an exception link at the bottom, then click Add Exception that appears. In the Add Security Exception window that opens, click Get Certificate, ensure that Permanently store this exception is checked, and finally, click Confirm Security Exception. See the following:
To avoid this inconvenience, it is strongly recommended that all SMA appliances, going forward, have a trusted digital certificate installed.
-
When I launch any of the Java components it gives me an error – what should I do?
Answer: See the previous section. This occurs when the certificate is not trusted by the Web browser, or the site name requested by the browser does not match the name embedded in the site certificate presented by the SMA appliance during the SSL handshake process. This error can be safely ignored.
-
Do I have to purchase a SSL certificate?
Answer: Although the level of encryption is not compromised, users accepting an untrusted certificate introduces the risk of Man-in-the-Middle attacks. SonicWall Inc. recommends installing only trusted certificates or installing the default self-signed certificate in all the clients.
-
What format is used for the digital certificates?
Answer: X509v3.
-
Are wild card certificates supported?
Answer: Yes.
-
What CA’s certificates can I use with the SMA appliance?
Answer: Any CA certificate should work if the certificate is in X509v3 format, including Verisign, Thawte, Baltimore, RSA, and so on.
-
Does the SMA appliance support chained certificates?
Answer: Yes, it does. On the System > Certificates page, complete the following:
- Under “Server Certificates,” click Import Certificate and upload the SSL server certificate and key together in a .zip file. The certificate should be named ‘server.crt’. The private key should be named ‘server.key’.
- Under “Additional CA Certificates,” click Import Certificate and upload the intermediate CA certificate(s). The certificate should be PEM encoded in a text file.
After uploading any intermediate CA certificates, the system should be restarted. The web server needs to be restarted with the new certificate included in the CA certificate bundle.
-
Any other tips when I purchase the certificate for the SMA appliance?
Answer: We recommend you purchase a multi-year certificate to avoid the hassle of renewing each year (most people forget and when the certificate expires it can create an administrative nightmare). It is also good practice to have all users that connect to the SMA appliance run Windows Update (also known as Microsoft Update) and install the ‘Root Certificates’ update.
-
Can I use certificates generated from a Microsoft Certificate Server?
Answer: Yes, but to avoid a browser warning, you should install the Microsoft CA’s root certificate into all Web browsers that connect to the appliance.
-
Why can’t I import my new certificate and private key?
Answer: Be sure that you upload a .zip file containing the PEM formatted private key file named “server.key” and the PEM formatted certificate file named “server.crt.” The .zip file must have a flat file structure (no directories) and contain only “server.key” and “server.crt” files. The key and the certificate must also match, otherwise the import fails.
-
Why do I see the status “pending” after importing a new certificate and private key?
Answer: Click the ‘configure’ icon next to the new certificate and enter the password you specified when creating the Certificate Signing Request (CSR) to finalize the import of the certificate. After this is done, you can successfully activate the certificate on the SMA appliance.
-
Can I have more than one certificate active if I have multiple virtual hosts?
Answer: It is possible to select a certificate for each Portal under the Portals > Portals| Edit Portal - Virtual Host tab. The portal Virtual Host Settings fields allow you to specify separate IP address, and certificate per portal. If the administrator has configured multiple portals, it is possible to associate a different certificate with each portal. For example,
sslvpn.test.sonicwall.com
might also be reached by pointing the browser tovirtualassist.test.sonicwall.com
. Each of those portal names can have its own certificate. This is useful to prevent the browser from displaying a certificate mismatch warning, such as “This server is abc, but the certificate is xyz, are you sure you want to continue?” -
I imported the CSR into my CA’s online registration site but it’s asking me to tell them what kind of Webserver it’s for. What do I do?
Answer: Select ‘Apache.’
-
Can I store the key and certificate?
Answer: Yes, the key is exported with the CSR during the CSR generation process. It’s strongly recommended that you can keep this in a safe place with the certificate you receive from the CA. This way, if the SMA appliance ever needs replacement or suffers a failure, you can reload the key and cert. You can also always export your settings from the System > Settings page.
-
Does the SMA appliance support client-side digital certificates?
Answer: Yes, client certificates are enforced per Domain or per User on the Users > Local Users: Edit User – Login Policies tab.
- Per Domain/Per User client certificate enforcement settings:
- Option to Verify the username matches the Common Name (CN) of the client certificate
Option to Verify partial DN in the client certificate subject (optional). The following variables are supported:
Username: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory username: %ADUSERNAME%
Wildcard: %WILDCARD%
- Support for Microsoft CA Subject Names where CN=<Full username>, for example CN=John Doe. Client certificate authentication attempts for users in Active Directory domains should have the CN compared against the user’s full name in AD.
- Detailed client certificate authentication failure messages and log messages are available in the Log > View page.
- Certificate Revocation List (CRL) Support. Each CA Certificate now supports an optional CRL through file import or periodic import through URL.
The client certificate must be loaded into the client’s browser. Also, remember that any certificates in the trust chain of the client certificates must be installed onto the SMA appliance.
- Per Domain/Per User client certificate enforcement settings:
-
When client authentication is required my clients cannot connect even though a CA certificate has been loaded. Why?
Answer: After a CA certificate has been loaded, the SMA appliance must be rebooted before it is used for client authentication. Failures to validate the client certificate also causes failures to logon. Among the most common are certificate is not yet valid, certificate has expired, login name does not match common name of the certificate, certificate not sent.
Was This Article Helpful?
Help us to improve our support portal