Secure Mobile Access 100 10.2 Administration Guide

Introduction
Using Virtual Office
- Virtual Office Configuration
  - Virtual Office
    Virtual Office Overview
    Using the Virtual Office
  - SMA Connect Agent
    Supported Operating Systems
    Downloading and Installation
    Setting up the SMA Connect Agent
    Proxy Configuration
    Logs
    Browser Warning
    End Point Control (EPC)
    PDA (Personal Device Authorization)
    SonicWall Application
SonicWall Support
- About This Document

NetExtender Concepts

Stand-Alone Client

Secure Mobile Access provides a stand-alone NetExtender application. NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer first uninstalls the old NetExtender and installs the new version.

After the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots.

NetExtender can establish a VPN session before the user logs into the Windows domain. Users can click Switch User on the Windows login screen and click the blue computer icon that appears at the right bottom of the screen to view the dialup connection list, and then can select NetExtender to connect.

On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.

NetExtender is officially supported on the following client platforms:

Fedora 14+
Ubuntu 11.04+
OpenSUSE 10.3+
Windows 10 and Windows Server 2016.

NetExtender might work properly on other Linux distributions, but they are not officially supported by SonicWall Inc.

Pre-filling the Server and Domain Fields while Installing NetExtender through Microsoft Installer

Installing NetExtender through Microsoft Installer (MSI) now supports the use of default profile settings during the installation process where the default server and default domain can be pre-filled along with additional options that control whether the server and domain fields can be edited by a standard user. This feature is designed specifically for administrators who want their default servers and domains pre-set during the installation process.

To set the default server and domain during the NetExtender Installation with Microsoft Installer

On the Default Profile Setting page, enter the IP address of the Default Server in the appropriate field and the location of the Default Domain in the second field.
Disable Allow connections to other profiles to prevent users from connecting to other profiles. This setting disables the Server and Domain fields for editing on the login page of NetExtender.
Enable this option to allow those connections. If this option is not enabled, users are not able to add or delete profiles on the NetExtender properties page.

Multiple Ranges and Routes

Multiple range and route support for NetExtender on SMA appliances enables network administrators to easily segment groups and users without the need to configure firewall rules to govern access. This user segmentation allows for granular control of access to the network—allowing users access to necessary resources while restricting access to sensitive resources to only those who require it.

For networks that do not require segmentation, client addresses and routes can be configured globally.

IP Address User Segmentation

Administrators can configure separate NetExtender IP address ranges for users and groups. These settings are configured on the Users > Local Users and Users > Local Groups pages, using the NetExtender tab in the Edit User and Edit Group windows.

When configuring multiple user and group NetExtender IP address ranges, it is important to know how the SMA appliance assigns IP addresses. When assigning an IP address to a NetExtender client, the SMA appliance uses the following hierarchy of ranges:

An IP address from the range defined in the user’s local profile.
An IP address from the range defined in the group profile to which the user belongs.
An IP address from the global NetExtender range.

To reserve a single IP address for an individual user, the administrator can enter the same IP address in both the Client Address Range Begin and Client Address Range End fields on the NetExtender tab of the Edit Group window.

Client Routes

NetExtender client routes are used to allow and deny access to various network resources. Client routes can also be configured at the user and group level. NetExtender client routes are also configured on the Edit User and Edit Group windows. The segmentation of client routes is fully customizable, allowing the administrator to specify any possible permutation of user, group, and global routes (such as only group routes, only user routes, group and global routes, user, group, and global routes, and so on). This segmentation is controlled by Add Global NetExtender Client routes and Add Group NetExtender Client routes.

NetExtender with External Authentication Methods

Networks that use an external authentication server are not configured with local usernames on the SMA appliance. In such cases, when a user is successfully authenticated, a local user account is created when the Add Global NetExtender Client routes and Add Group NetExtender Client routes settings are enabled.

Point to Point Server IP Address

In Secure Mobile Access, the PPP server IP address is 192.0.2.1 for all connecting clients. This IP address is transparent to both the remote users connecting to the internal network and to the internal network hosts communicating with remote NetExtender clients. Because the PPP server IP address is independent from the NetExtender address pool, all IP addresses in the global NetExtender address pool are used for NetExtender clients.

Connection Scripts

SMA appliances provide users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.

Tunnel All Mode

Tunnel All mode routes all traffic to and from the remote user over the Secure Mobile Access NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Tunnel All Mode: Routes to be Added to Remote Client’s Route Table
IP Address	Subnet Mask
0.0.0.0	0.0.0.0
0.0.0.0	128.0.0.0
128.0.0.0	128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the Secure Mobile Access tunnel instead. For example, if a remote user is has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the Secure Mobile Access tunnel.

{{hostname}} is to be replaced with the IP address of the SMA appliance.

Tunnel All mode can be configured at the global, group, and user levels.

Proxy Configuration

SMA appliances support NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.

NetExtender provides three options for configuring proxy settings:

Automatically detect settings – To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD)) that can push the proxy settings script to the client automatically.
Use automatic configuration script – If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
Use proxy server – You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a username and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window prompts you to enter them when you first connect.

When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SMA server directly. The proxy server then forwards traffic to the SMA server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.

< Prev Section

Next Section >