Secure Mobile Access 100 10.2 Administration Guide
- Secure Mobile Access 10.2
- Introduction
- About This Guide
- New Features
- Deprecated Features
- Overview of SMA Components
- SMA Software Components
- SMA Hardware Components
- Client Versions Released with 10.2
- SMA 500v Virtual Appliances
- Increased Client Connections on SMA 210/410
- Capture ATP Integration Overview
- Always on VPN
- Encryption Overview
- SSL for Virtual Private Networking (VPN)
- SSL Handshake Procedure
- IPv6 Support Overview
- Portals Overview
- File Shares
- Domains Overview
- Application Offloading and HTTP(S) Bookmarks Overview
- Cross Domain Single Sign-On
- ActiveSync Authentication
- Network Resources Overview
- SNMP Overview
- DNS Overview
- Network Routes Overview
- NetExtender Overview
- What is NetExtender?
- Benefits of NetExtender
- NetExtender Concepts
- NetExtender and IPv6
- Two-Factor Authentication Overview
- One Time Password Overview
- End Point Control Overview
- Web Application Firewall Overview
- What is Web Application Firewall?
- Benefits of Web Application Firewall
- How Does Web Application Firewall Work?
- How are Signatures Used to Prevent Attacks?
- How is Cross-Site Request Forgery Prevented?
- How is Information Disclosure Prevented?
- How are Broken Authentication Attacks Prevented?
- How are Insecure Storage and Communications Prevented?
- How is Access to Restricted URLs Prevented?
- How are Slowloris Attacks Prevented?
- What Type of PCI Compliance Reports Are Available?
- How Does Cookie Tampering Protection Work?
- How Does Application Profiling Work?
- How Does Rate Limiting for Custom Rules Work?
- Restful API - Phase 1 Support
- Restful API - Phase 2 Support
- Navigating the Management Interface
- Deployment Guidelines
- Secure Mobile Access Dashboard
- Configuring Secure Mobile Access
- System Configuration
- System > Status
- System > Licenses
- System > Time
- System > Settings
- System > Administration
- System > Certificates
- System > Monitoring
- System > Diagnostics
- System > Restart
- System > About
- Network Configuration
- Portals Configuration
- Portals > Portals
- Portals > Application Offloading
- Portals > Domains
- Viewing the Domains Table
- Removing a Domain
- Adding or Editing a Domain
- Secure Hosts for Secure Network Detection
- Adding or Editing a Domain with Local User Authentication
- Adding or Editing a Domain with Active Directory Authentication
- Adding or Editing a Domain with RADIUS Authentication
- Adding or Editing a Domain with Digital Certificates
- Adding a Domain with SAML 2.0 Authentication
- Configuring SAML Authentication
- Configuring Two-Factor Authentication
- DUO Security Authentication Support for NetExtender and Mobile Connect Clients
- Portals > Load Balancing
- Portals > URL Based Aliasing
- System Configuration
- Configuring Services and Clients
- Services Configuration
- Services > Settings
- Services > Bookmarks
- Terminal Services (RDP-HTML5 and Native)
- Terminal Services (RDP-HTML5)
- Virtual Network Computing (VNC-HTML5)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Telnet HTML5 Settings
- Secure Shell Version 2 (SSHv2)
- Services > Policies
- Device Management Configuration
- Clients Configuration
- End Point Control
- Web Application Firewall Configuration
- Viewing and Updating Web Application Firewall Status
- Configuring Web Application Firewall Settings
- Enabling Web Application Firewall and Configuring General Settings
- Configuring Global Exclusions
- Configuring Intrusion Prevention Error Page Settings
- Configuring Cross-Site Request Forgery Protection Settings
- Configuring Cookie Tampering Protection Settings
- Configuring Web Site Cloaking
- Configuring Information Disclosure Protection
- Configuring Session Management Settings
- Configuring Web Application Firewall Signature Actions
- Configuring Custom Rules and Application Profiling
- Using Web Application Firewall Monitoring
- Licensing Web Application Firewall
- Capture ATP
- Geo IP and Botnet Filter
- High Availability Configuration
- Services Configuration
- Configuring Users & Logs
- Users Configuration
- Users > Status
- Users > Local Users
- Local Users
- Editing User Settings
- Adding User Policies
- Adding a Policy for an IP Address
- Adding a Policy for an IP Network
- Adding a Policy for All Addresses
- Setting File Share Access Policies
- Adding a Policy for a File Share
- Adding a Policy for a URL Object
- Policy URL Object Field Elements
- Adding a Policy for All IPv6 Addresses
- Adding a Policy for an IPv6 Address
- Adding a Policy for an IPv6 Network
- Adding or Editing User Bookmarks
- Terminal Services (RDP) or Terminal Services (RDP - HTML5)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP)
- SSH File Transfer Protocol (SFTP)
- Telnet
- Secure Shell Version 2 (SSHv2)
- HTML5 SSH Key File Authentication Support
- Creating a Citrix Bookmark for a Local User
- Creating Bookmarks with Custom SSO Credentials
- Configuring Login Policies
- Denying Mobile App Binding when Login is Attempted from any External Network
- Reusing Mobile App Binding Text Code
- Flexibility in Choosing Two-factor Authentication Method for NetExtender Login
- Configuring End Point Control for Users
- Configuring Capture ATP
- Users > Local Groups
- Deleting a Group
- Adding a New Group
- Editing Group Settings
- Editing General Local Group Settings
- Enabling Routes for Groups
- Adding Group Policies
- Editing a Policy for a File Share
- Configuring Group Bookmarks
- Terminal Services (RDP), Terminal Services (RDP-HTML5) or Terminal Services (RDP-Native)
- Virtual Network Computing (VNC)
- Citrix Portal (Citrix)
- Web (HTTP)
- Secure Web (HTTPS)
- External Web Site
- Mobile Connect
- File Shares (CIFS)
- File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
- Secure Shell Version 2 (SSHv2) HTML5 Settings
- SSHv2 Common Settings
- Configuring Group End Point Control
- LDAP Attribute Information
- Group Configuration for Active Directory and RADIUS Domains
- Creating a Citrix Bookmark for a Local Group
- Global Configuration
- Log Configuration
- Users Configuration
- Using Virtual Office
- Appendices
- Using Online Help
- Configuring an SMA Appliance with a Third-party Gateway
- Printer Redirection
- Use Cases
- Secure Mobile Access Security Best Practices
- Multi-Factor Authentication
- Additional Configuration Recommendations for Security Best Practices
- Prohibit Saving Username and Password
- Hide Domain List on Portal Login Page
- Enable HTTP Strict Transport Security (HSTS) for SMA
- Enforce Login Uniqueness
- Enforce Client Source Uniqueness
- Enable “Login Schedule”
- Enable “Logout Schedule”
- Enforce Password Complexity
- Enable Client Certificate Enforcement (Advanced Security Feature)
- Restrict Request Headers
- Use a Public Certificate
- Allow Touch ID and Face ID on Mac, Apple IOS, and Android Devices
- Disconnection on Inactivity Timeout
- Disable the Default Admin Account
- Allow Policy Match Logging
- Setup Connection Policies
- Device Registration
- End Point Control
- GEO IP Fencing
- Capture ATP for the SMA 100 Series
- Security Enhancements
- General Considerations
- NetExtender Troubleshooting
- Frequently Asked Questions
- Using the Command Line Interface
- Using SMS Email Formats
- Support Information
- Glossary
- SonicWall Support
Modifying Clients Settings
This feature is for external users, who inherits the settings from their assigned group upon login. NetExtender client settings can be specified for the user or use the group settings.
To enable NetExtender/Mobile Connect ranges and configure Static client settings for a user
- Navigate to Users > Local Users.
- Click the configure icon next to the user you want to configure.
- On the Edit Local User page, select the Clients page.
- Under Client Address Range, select Use Static Pool from the drop-down menu.
- Supply a beginning client IPv4 address in the Client Address Range Begin field.
- Supply an ending client IPv4 address in the Client Address Range End field.
- Under Client IPv6 Address Range, optionally select Use Static Pool from the drop-down menu.
- Supply a beginning client IPv6 address in the Client Address Range Begin field.
- If using IPv6, supply an ending client IPv6 address in the Client Address Range End field.
-
Under DNS Settings:
Enter the following:
- Primary DNS Server: Type the address of the primary DNS server in the Primary DNS Server field.
- Secondary DNS Server: Optionally, type the IP address of the secondary server in the Secondary DNS Server field.
- DNS Search List (in order): Type the DNS domain suffix and click Add. Next, use the up and down arrows to prioritize multiple DNS domains in the order they should be used.
- For SMA appliances supporting connections from Apple iPhones, iPads, or other iOS devices using SonicWall Mobile Connect, use this DNS Search List. This DNS domain is set on the VPN interface of the iPhone/iPad after the device makes a connection to the appliance. When the mobile device user accesses a URL, iOS determines if the domain matches the VPN interface’s domain, and if so, uses the VPN interface’s DNS server to resolve the hostname lookup. Otherwise, the Wi-Fi or 3G/4G DNS server is used that is not able to resolve hosts within the company intranet.
-
Under Client Settings:
Select one of the following from the Exit Client After Disconnect drop-down menu:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
-
In the Uninstall Client After Exit drop-down menu, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
-
In the Allow Client to Turn Off Auto Update drop-down menu, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
-
In the Create Client Connection Profile drop-down menu, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
-
In the Username & Password Caching drop-down menu, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Allow saving of username only – Allow caching of the username. The user only needs to enter a password when starting NetExtender. Overrides the group setting.
- Allow saving of username & password – Allow caching of the username and password. The user is automatically logged in when starting NetExtender. Overrides the group setting.
- Prohibit saving of username & password – Do not allow caching of the username and password. The user is required to enter both username and password when starting NetExtender. Overrides the group setting.
- In Allow client to use Touch ID on IOS devices, the control only blocks future attempts to log in with fingerprint technology on IOS devices when the option is disabled as there is no method for the server to change the client settings until the client attempts a connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
- In Allow client to use Fingerprint Authentication on Android devices, the control only blocks future attempts to log in with fingerprint technology on Android devices when the option is disabled as there is no method for the server to change the client settings until the client attempts a connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
- In Allow client to use Touch ID on macOS devices, the control only blocks future attempts to log in with fingerprint technology on macOS devices when the option is disabled as there is no method for the server to change the client settings until the client attempts a connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
- In Allow client to use Face ID on iOS devices, the control only block future attempts to log in with Face ID technology on iOS devices when the option is disabled there is no method for the server to change client settings until the client attempts connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
-
In the Always on VPN section, configure the following:
- For Enable Always on VPN, select one of the following:
- Use global setting – Take the action specified by the global setting.
- Enabled – Enable this action for the user. Overrides the global setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Allow User to Disconnect select one of the following:
- Use global setting – Take the action specified by the global setting.
- Enabled – Enable this action for the user. Overrides the global setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Allowing accessing network if VPN fail to connect select one of the following:
- Use global setting – Take the action specified by the global setting.
- Enabled – Enable this action for the user. Overrides the global setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Don’t connect VPN in trusted network select one of the following:
- Use global setting – Take the action specified by the global setting.
- Enabled – Enable this action for the user. Overrides the global setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Enable Always on VPN, select one of the following:
- In the Internal Proxy Settings section, select from the drop-down menu to apply global settings or to enable or disable the Internal Proxy feature. Click Accept.
To enable client ranges and configure DHCP client settings for a user
- Navigate to Users > Local Users.
- Click the configure icon next to the user you want to configure.
- In the Edit Local User page, select the Clients page.
- Under Client Address Range, select Use DHCP from the drop-down menu.
- Under Select Interface, use the drop-down menu to select the interface to use for DHCP.
- Supply the DHCP Server in the field provided.
- Under Client IPv6 Address Range, optionally select Use DHCPv6 from the drop-down menu.
- Under Select Interface, use the drop-down menu to select the interface to use for DHCPv6.
- Optionally supply the DHCPv6 Server in the field provided.
-
Under DNS Settings:
Enter the following:
- Primary DNS Server: Type the address of the primary DNS server in the Primary DNS Server field.
- Secondary DNS Server: Optionally, type the IP address of the secondary server in the Secondary DNS Server field.
- DNS Search List (in order): Type the DNS domain suffix and click Add. Next, use the up and down arrows to prioritize multiple DNS domains in the order they should be used.
For SMA appliances supporting connections from Apple iPhones, iPads, or other iOS devices using SonicWall Mobile Connect, use this DNS Search List. This DNS domain is set on the VPN interface of the iPhone/iPad after the device makes a connection to the appliance. When the mobile device user accesses a URL, iOS determines if the domain matches the VPN interface’s domain, and if so, uses the VPN interface’s DNS server to resolve the hostname lookup. Otherwise, the Wi-Fi or 3G/4G DNS server is used that is not able to resolve hosts within the company intranet.
-
Under Client Settings, select one of the following from the Exit Client After Disconnect drop-down menu:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
-
In the Uninstall Client After Exit drop-down menu, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
-
In the Create Client Connection Profile drop-down menu, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
-
In the Username & Password Caching drop-down menu, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Allow saving of username only – Allow caching of the username. The user only needs to enter a password when starting NetExtender. Overrides the group setting.
- Allow saving of username & password – Allow caching of the username and password. The user is automatically logged in when starting NetExtender. Overrides the group setting.
- Prohibit saving of username & password – Do not allow caching of the username and password. The user is required to enter both username and password when starting NetExtender. Overrides the group setting.
- In Allow client to use Touch ID on IOS devices, the control only blocks future attempts to log in with fingerprint technology on IOS devices when the option is disabled as there is no method for the server to change the client settings until the client attempts a connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
- In Allow client to use Fingerprint Authentication on Android devices, the control only blocks future attempts to log in with fingerprint technology on Android devices when the option is disabled as there is no method for the server to change the client settings until the client attempts a connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
- In Allow client to use Touch ID on macOS devices, the control only blocks future attempts to log in with fingerprint technology on macOS devices when the option is disabled as there is no method for the server to change the client settings until the client attempts a connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
- In Allow client to use Face ID on iOS devices, the control only block future attempts to log in with Face ID technology on iOS devices when the option is disabled there is no method for the server to change client settings until the client attempts connection. So, in some cases, a client might not be conforming to previous policies for the initial connection. Configuration is allowed globally, by group, or per user.
-
In the Always on VPN section, configure the following:
- For Enable Always on VPN, select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Allow User to Disconnect select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Allowing accessing network if VPN fail to connect select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Don’t connect VPN in trusted network select one of the following:
- Use group setting – Take the action specified by the group setting.
- Enabled – Enable this action for the user. Overrides the group setting.
- Disabled – Disable this action for all members of the group. Overrides the global setting.
- For Enable Always on VPN, select one of the following:
- In the Internal Proxy Settings section, select from the drop-down menu to enable or disable the Internal Proxy feature.
- Click Accept.
To select user-mapped address settings for a user
- In the SMA management interface, navigate to Users > Local Users.
- Hover over a user and click the Edit icon.
-
Click Clients tab.
- In the CLIENT ADDRESS RANGE section, select Use user-mapped address.
- Click Submit.
Was This Article Helpful?
Help us to improve our support portal