Secure Mobile Access 100 10.2 Administration Guide
General FAQ
- Is the SMA appliance a true reverse proxy?
  Answer: Yes. The HTTP, HTTPS, CIFS, and FTP bookmarks are web-based proxies, where the native Web browser is the client. VNC, RDP, Citrix, SSHv2, and Telnet use browser-delivered HTML5 clients. NetExtender on Windows uses a browser-delivered client.
- What browser and version do I need to successfully connect to the SMA appliance?
  Answer: Currently supported browsers and versions are listed in the Browser Requirements section of this document.
- What needs to be activated on the browser for me to successfully connect to the SMA appliance?
  Answer:
  - TLS
  - Enable cookies
  - Enable pop-ups for the site
  - Enable Java
  - Enable JavaScript
  - Enable ActiveX
  (Java and ActiveX are needed only by the features that use them, such as the Java-based Telnet and SSH services and the ActiveX-based RDP client and Web cache cleaner described below; the HTML5 clients do not need them.)
- What version of Java do I need?
  Answer: You should install Sun's JRE 1.6.0_10 or higher (available at http://www.java.com) to use some of the features on the SMA appliance. On Google Chrome, you need Java 1.6.0 update 10 or higher.
- What operating systems are supported?
  Answer:
  - Microsoft Windows 10
  - Apple OS X 10.9 and newer
  - Linux kernel 2.6.x and newer
- Why does the 'File Shares' component not recognize my server names?
  Answer: If you cannot reach your server by its NetBIOS name, there might be a problem with name resolution. Check the DNS and WINS settings on the SMA appliance. You can also manually specify the NetBIOS name to IP address mapping in the Network > Host Resolution section, or specify the IP address directly in the UNC path, for example \\192.168.100.100\sharefolder.
  Also, if you get an authentication loop or an error, check whether the File Share is a DFS server on a Windows domain root. When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so disables access to the DFS file shares from other domains. The SMA appliance is not a domain member and is not able to connect to the DFS shares. DFS file shares on a stand-alone root are not affected by this Microsoft restriction.
- Does the SMA appliance have an SPI firewall?
  Answer: No. It must be combined with a SonicWall Inc. security appliance or another third-party firewall/VPN device.
- Can I access the SMA appliance using HTTP?
  Answer: No, it requires HTTPS. HTTP connections are immediately redirected to HTTPS. You might wish to open both ports 80 and 443, because many people forget to type https:// and instead type http://. If you block port 80, the request is not redirected and the user gets a connection failure instead of the portal.
- What is the most common deployment of the SMA appliances?
  Answer: One-port mode, where only the X0 interface is used and the appliance is placed in a separate, protected "DMZ" network/interface of a SonicWall Inc. security appliance, such as a SonicWall Inc. TZ or NSA appliance.
- Why is it recommended to install the SMA appliance in one-port mode with a SonicWall Inc. security appliance?
  Answer: This deployment offers additional layers of security control plus the ability to use SonicWall Inc.'s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering, and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic.
- Is there an installation scenario where you would use more than one interface or install the appliance in two-port mode?
  Answer: Yes, when it is necessary to bypass a firewall/VPN device that does not have an available third interface, or a device with which integrating the SMA appliance would be difficult or impossible.
- Can I cascade multiple SMA appliances to support more concurrent connections?
  Answer: No, this is not supported.
- Why can't I log in to the Secure Mobile Access management interface of the SMA appliance?
  Answer: The default IP address of the appliance is 192.168.200.1 on the X0 interface. If you cannot reach the appliance, try cross-connecting a system to the X0 port, assigning it a temporary IP address of 192.168.200.100, and logging in to the SMA appliance at https://192.168.200.1. Then verify that you have correctly configured the DNS and default route settings on the Network pages.
- Can I create site-to-site VPN tunnels with the SMA appliance?
  Answer: No, it is only a client-access appliance. If you require this, you need a SonicWall Inc. TZ, NSA, or SuperMassive series security appliance.
- Can the SonicWall Inc. Global VPN Client (or any other third-party VPN client) connect to the SMA appliance?
  Answer: No, only NetExtender and proxy sessions are supported.
- Can I connect to the SMA appliance over a modem connection?
  Answer: Yes. Performance is slow, but the connection is usable even over a 56K link.
- What SSL ciphers are supported by the SMA appliance?
  Answer: Starting with the 7.5 firmware, SonicWall Inc. uses only HIGH-security ciphers with TLSv1.2 and newer. Starting with the 8.0 firmware, cipher suites providing Perfect Forward Secrecy (PFS) are supported.
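Two of the answers above make claims you can verify from a workstation: that port 80 only ever redirects to HTTPS, and that the portal negotiates only TLS 1.2 or newer with HIGH, forward-secret cipher suites. The following script is an added example written for this page, not SonicWall code and not from the guide. The host name sma.example.com is a placeholder assumption; the classification helpers run offline, and the probe functions perform the live checks when you run the file directly.

```python
"""Added example (not SonicWall code): check an SMA portal's TLS posture.

is_forward_secret(), strict_client_context() and redirect_is_to_https()
work offline; probe_tls_versions() and probe_http_redirect() talk to the
host named in PORTAL_HOST, which is a placeholder assumption.
"""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

PORTAL_HOST = "sma.example.com"   # assumption: replace with your portal's FQDN
TIMEOUT = 5

# Key-exchange prefixes whose session keys are ephemeral (PFS): ECDHE/DHE
# suites in TLS 1.2, and every TLS 1.3 suite.
_PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")


def is_forward_secret(cipher_name: str) -> bool:
    """True for suites that give Perfect Forward Secrecy, judged by name."""
    return cipher_name.upper().startswith(_PFS_PREFIXES)


def strict_client_context() -> ssl.SSLContext:
    """Client context matching the stated policy: TLS 1.2+ and HIGH ciphers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    return ctx


def high_ciphers_offered(ctx: ssl.SSLContext) -> list:
    """Names of the suites the strict context is willing to negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def probe_tls_versions(host: str = PORTAL_HOST, port: int = 443) -> dict:
    """Attempt a handshake pinned to each TLS version.

    A value of None means the server refused that version, which is the
    desired result for TLS 1.0 and 1.1. A successful version maps to
    (negotiated cipher, is_forward_secret).
    """
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # testing the protocol, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cipher = tls.cipher()[0]
                    results[version.name] = (cipher, is_forward_secret(cipher))
        except (ssl.SSLError, OSError, ValueError):
            results[version.name] = None
    return results


def redirect_is_to_https(status: int, location: str, host: str) -> bool:
    """Judge a plaintext-HTTP response: only a 3xx whose Location points at
    https:// on the same host counts as the redirect the guide describes."""
    if not 300 <= status < 400 or not location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == host.lower()


def probe_http_redirect(host: str = PORTAL_HOST) -> bool:
    """Live check of port 80: does the appliance redirect to HTTPS?"""
    conn = http.client.HTTPConnection(host, 80, timeout=TIMEOUT)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirect_is_to_https(resp.status, resp.getheader("Location", ""), host)
    except OSError:
        return False    # port 80 blocked: no redirect happens, as the guide warns
    finally:
        conn.close()


if __name__ == "__main__":
    print("HTTP -> HTTPS redirect:", probe_http_redirect())
    for name, result in probe_tls_versions().items():
        print(f"{name}: {'refused' if result is None else result}")
```

A healthy portal reports the redirect as True, TLSv1 and TLSv1_1 as refused, and a forward-secret suite for TLSv1_2 and TLSv1_3. If TLSv1 or TLSv1_1 succeeds, the appliance is running firmware older than the policy described above or has been reconfigured.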
- Is AES supported in the SMA appliance?
  Answer: Yes, if your browser supports it.
- Can I expect similar performance (speed, latency, and throughput) as my IPSec VPN?
  Answer: Yes. You might even see better performance, because NetExtender uses multiplexed PPP connections and compresses the traffic carried over them.
- Is two-factor authentication (RSA SecurID, and so on) supported?
  Answer: Yes, this is supported.
- Does the SMA appliance support VoIP?
  Answer: Yes, over NetExtender connections.
- Is Syslog supported?
  Answer: Yes.
- Does NetExtender support multicast?
  Answer: Not currently. Look for this in a future firmware release.
- Are SNMP and Syslog supported?
  Answer: Syslog forwarding to up to two external servers is supported in the current software release. SNMP has been supported since the 5.0 release. MIBs can be downloaded from MySonicWall.
- Does the SMA appliance have a Command Line Interface (CLI)?
  Answer: Yes, the SMA appliances have a simple CLI when connected to the console port. The SMA 500v Virtual Appliance is also configurable with the CLI. The Secure Mobile Access CLI allows configuration of only the X0 interface on the SMA appliances or SMA 500v Virtual Appliance.
- Can I Telnet or SSH into the SMA appliance?
  Answer: No. Neither Telnet nor SSH is supported in the current release of the SMA appliance software as a means of management (this is not to be confused with the Telnet and SSH proxies that the appliance does support).
- What does the Web cache cleaner do?
  Answer: The Web cache cleaner is an ActiveX-based applet that removes all temporary files generated during the session, removes any history bookmarks, and removes all cookies generated during the session.
- Why didn't the Web cache cleaner work when I exited the Web browser?
  Answer: For the Web cache cleaner to run, you must click Logout. If you close the Web browser by any other means, the Web cache cleaner cannot run.
- What does the 'encrypt settings file' check box do?
  Answer: This setting encrypts the settings file so that, if it is exported, it cannot be read by unauthorized parties. Although it is encrypted, it can be loaded back onto the SMA appliance (or a replacement appliance) and decrypted. If this box is not selected, the exported settings file is clear text and can be read by anyone who obtains it.
- What does the 'store settings' button do?
  Answer: By default, the settings are stored on the SMA appliance automatically whenever a configuration change is made, but this can be turned off if desired. If it is disabled, all unsaved changes to the appliance are lost on restart. This is most useful when you are unsure whether a change could lock up the appliance or drop it off the network: if the change is not saved immediately, you can power-cycle the appliance and it returns to the state it was in before the change.
- What does the 'create backup' button do?
  Answer: This feature creates a backup snapshot of the firmware and settings in a special file that can be reverted to from the management interface or from SafeMode. SonicWall Inc. strongly recommends creating a system backup right before loading new software or making significant changes to the configuration of the appliance.
- What is 'SafeMode'?
  Answer: SafeMode is a feature of the SMA appliance that allows administrators to switch between software image builds and revert to older versions in case a new software image turns out to cause issues. In cases of software image corruption, the appliance boots into a special interface mode that allows the administrator to choose which version to boot or to load a new version of the software image.
- How do I access the SafeMode menu?
  Answer: In emergency situations, you can access the SafeMode menu by holding in the Reset button on the SMA appliance (the small pinhole button on the front of the appliance) for 12-14 seconds, until the 'Test' LED begins flashing yellow quickly. After the SMA appliance has booted into the SafeMode menu, assign a workstation a temporary IP address in the 192.168.200.x subnet, such as 192.168.200.100, and attach it to the X0 interface on the SMA appliance. Then, using a modern Web browser (Microsoft IE6.x+, Mozilla 1.4+), access the SafeMode GUI at the appliance's default IP address of 192.168.200.1. You can boot the appliance from a previously saved backup snapshot, or upload a new version of software with Upload New Software Image.
- Can I change the colors of the portal pages?
  Answer: This is not supported in the current releases but is planned for a future software release.
- What authentication methods are supported?
  Answer: Local database, RADIUS, Active Directory, and LDAP. (Domains using digital certificates and SAML 2.0 are described under Portals > Domains.)
- I configured my SMA appliance to use Active Directory as the authentication method, but it fails with a very strange error message. Why?
  Answer: The SMA appliance and the Active Directory server must be closely time-synchronized, or the authentication process fails (Kerberos, which Active Directory authentication relies on, rejects requests when the two clocks drift more than a few minutes apart). Ensure that both the SMA appliance and the Active Directory server use NTP to keep their internal clocks synchronized.
- I created an FTP bookmark, but when I access it, the filenames are garbled. Why?
  Answer: If you are using a Windows-based FTP server, change the directory listing style to 'UNIX' instead of 'MS-DOS'.
- Where can I get a VNC client?
  Answer: SonicWall Inc. has done extensive testing with RealVNC. It can be downloaded at:
- Does the SMA appliance support printer mapping?
  Answer: Yes, this is supported with the ActiveX-based RDP client only. The Microsoft Terminal Server RDP connector must be enabled first for this to work. You might need to install the correct printer driver software on the Terminal Server you are accessing.
- Can I integrate the SMA appliance with wireless?
  Answer: Yes, refer to the SonicWall Inc. Secure Wireless Networks Integrated Solutions Guide, available through Elsevier, http://www.elsevierdirect.com/.
- Can I manage the appliance on any interface IP address of the SMA appliance?
  Answer: Yes, you can manage on any of the interface IP addresses.
- Can I allow only certain Active Directory users access to log in to the SMA appliance?
  Answer: Yes. On the Users > Local Groups page, edit a group belonging to the Active Directory domain used for authentication and add one or more AD groups under the AD Groups tab.
- Does the HTTP(S) proxy support the full version of Outlook Web Access (OWA Premium)?
  Answer: Yes.
- Why are my RDP sessions dropping frequently?
  Answer: Try adjusting the session and connection timeouts on both the SMA appliance and any device that sits between the endpoint client and the destination server. If the SMA appliance is behind a firewall, adjust the TCP timeout upwards and enable fragmentation.
- Can I create my own services for bookmarks rather than the services provided in the bookmarks section?
  Answer: This is not supported in the current release of software but could be supported in a future software release.
- Why can't I see all the servers on my network with the File Shares component?
  Answer: The CIFS browsing protocol is limited by the server's buffer size for browse lists. These browse lists contain the names of the hosts in a workgroup or the shares exported by a host. The buffer size depends on the server software. Windows Firewall (and other host-based firewalls) has been known to cause issues with file sharing even when it is configured to allow such access. If possible, try disabling such software on either side and then test again.
- What port is the SMA appliance using for the RADIUS traffic?
  Answer: It uses UDP port 1812, the standard RADIUS authentication port.
- Do the SMA appliances support the ability for the same user account to log in simultaneously?
  Answer: Yes. On the portal layout, you can enable or disable the 'Enforce login uniqueness' option. If this box is unchecked, multiple sessions can log in simultaneously with the same username and password.
- Does the SMA appliance support NT LAN Manager (NTLM) authentication?
  Answer: No.
- I cannot connect to a web server when Windows Authentication is enabled. I get the following error message when I try: 'It appears that the target web server is using an unsupported HTTP(S) authentication scheme through the SMA that currently supports only basic and digest authentication schemes. Contact the administrator for further assistance.' Why?
  Answer: In SRA 3.5 and earlier releases, the HTTP proxy does not support Windows Authentication (formerly called NTLM). Only basic authentication is supported.
- Why do Java services, such as Telnet or SSH, not work through a proxy server?
  Answer: When a Java service is started, it does not use the browser's proxy server; it connects directly to the SMA appliance.
- There is no port option for the service bookmarks. What if these are on a different port than the default?
  Answer: You can specify an 'IPaddress:port' pair in the IP address box for HTTP, HTTPS, Telnet, Java, and VNC bookmarks.
- What if I want a bookmark to point to a directory on a Web server?
  Answer: Add the path in the IP address box, for example IP/mydirectory/.
- When I access Microsoft Telnet Server using a telnet bookmark, it does not allow me to enter a username. Why?
  Answer: This is not currently supported on the appliance.
- What versions of Citrix are supported?
  Answer: Citrix Portal Bookmarks have been tested and verified to support the following Citrix application virtualization platforms through the Citrix Web Interface:
  Servers:
  - XenApp 7.6 (HTML5 and ActiveX only)
  - XenApp 6.5
  - XenApp 6.0
  - XenApp 5.0
  Clients:
  - Receiver for Windows 4.2, 4.1, or 4.0
  - Receiver for Java 10.1.006
  - XenApp Web Plugin version 14.2, 14.1, 14.0
  For browsers requiring Java to run Citrix, you must have Sun Java 1.6.0_10 or higher.
- What applications are supported using Application Offloading?
  Answer: Application Offloading should support any application using HTTP/HTTPS. SMA has limited support for applications using Web services and no support for non-HTTP protocols wrapped within HTTP.
  One key aspect to consider when using Application Offloading is that the application should not contain hard-coded self-referencing URLs. If these are present, the Application Offloading proxy has to rewrite them. Because Web sites often do not conform to HTML standards, the proxy can only do a best-effort translation when rewriting these URLs. Hard-coded, self-referencing URLs are not recommended when developing a Web site in any case, because content developers must modify the Web pages whenever the hosting server is moved to a different IP address or hostname.
  For example, if the backend application has a hard-coded IP address and scheme within a URL as follows, then Application Offloading needs to rewrite this URL:
  <a href="http://1.1.1.1/doAction.cgi?test=foo">
  This is done by enabling the Enable URL Rewriting for self-referenced URLs setting for the Application Offloading portal, but not all URLs might be rewritten, depending on how the Web application has been developed. (This limitation is generally shared by other WAF/SMA vendors employing reverse proxy mode.)
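The following is an added example, written for this page rather than taken from the guide or from SonicWall's proxy, of the best-effort rewriting just described: absolute URLs in href, src and action attributes that point at the back-end origin are translated to the portal origin, while a self-reference assembled inside script is left untouched, which is exactly the case the guide warns about. The back-end address 1.1.1.1 is the guide's own example; the portal origin app.sma.example.com and the sample page are constructed assumptions.

```python
"""Added example (not SonicWall code): best-effort rewriting of hard-coded
self-referencing URLs, the job the guide says Application Offloading does.
The back-end address 1.1.1.1 is the guide's example; the portal origin and
the sample page are assumptions constructed for this example."""
import re
from urllib.parse import urlsplit, urlunsplit

BACKEND_HOSTS = {"1.1.1.1"}                     # from the guide's example
PORTAL_ORIGIN = "https://app.sma.example.com"   # assumption: the offloading portal

# Absolute URLs in the attributes a reverse proxy can reliably see in HTML.
_ATTR_URL = re.compile(
    r"""(?P<pre>\b(?:href|src|action)\s*=\s*(?P<q>["']))(?P<url>https?://[^"'\s>]+)(?P=q)""",
    re.IGNORECASE,
)
# Any remaining reference to a back-end host, wherever it sits in the page.
_BACKEND_REF = re.compile(
    r"""https?://(?:%s)[^"'\s<)]*""" % "|".join(re.escape(h) for h in BACKEND_HOSTS)
)

# Constructed sample page: two rewritable attributes, a relative URL, an
# external link, and a URL buried in script (which attribute rewriting misses).
SAMPLE_HTML = """<html><body>
<a href="http://1.1.1.1/doAction.cgi?test=foo">Run</a>
<img src="/static/logo.png">
<form action='http://1.1.1.1/login'></form>
<a href="https://other.example.net/page">External</a>
<script>var api = "http://1.1.1.1/api/v1";</script>
</body></html>"""


def rewrite_url(url: str) -> str:
    """Swap a back-end origin for the portal origin; leave every other URL alone."""
    parts = urlsplit(url)
    if parts.hostname not in BACKEND_HOSTS:
        return url
    portal = urlsplit(PORTAL_ORIGIN)
    return urlunsplit((portal.scheme, portal.netloc, parts.path, parts.query, parts.fragment))


def rewrite_html(html: str):
    """Rewrite href/src/action attributes. Returns (new_html, number_rewritten)."""
    count = 0

    def _sub(m):
        nonlocal count
        new = rewrite_url(m.group("url"))
        if new != m.group("url"):
            count += 1
        return f"{m.group('pre')}{new}{m.group('q')}"

    return _ATTR_URL.sub(_sub, html), count


def leftover_backend_refs(html: str):
    """Back-end references the attribute pass could not reach (for example inside
    script), which is why the guide calls the translation best-effort."""
    return _BACKEND_REF.findall(html)


if __name__ == "__main__":
    rewritten, n = rewrite_html(SAMPLE_HTML)
    print(f"{n} attribute URL(s) rewritten")
    print(rewritten)
    print("not rewritten:", leftover_backend_refs(rewritten))
```

Run on the sample page, the attribute pass rewrites two URLs and leaves the script-built one pointing at 1.1.1.1, so a client behind the portal would still try to reach the back end directly. Running leftover_backend_refs() over your own application's pages before offloading it is a quick way to find the self-references that a Deny-ALL policy or a code change will have to handle.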
- Is SSHv2 supported?
  Answer: Yes, this is supported.
- Should I create a Global Deny ALL policy?
  Answer: Yes. SonicWall Inc. recommends that administrators set up a Global Deny ALL policy and then allow access only to trusted hosts. This prevents Secure Mobile Access from making outbound requests to malicious hosts. For more information on how to set up a Global Deny ALL policy, see the section Adding a Policy.
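To show what the Global Deny ALL recommendation buys, the following is an added example, a small model of policy evaluation written for this page and not the appliance's policy engine. The hosts and networks are constructed, and the "most specific matching rule wins" ordering, together with the assumption that an unmatched destination is reachable when no catch-all exists, are modelling choices made here; the real precedence rules are in the Adding a Policy section.

```python
"""Added example, not the appliance's policy engine: a model of what a Global
Deny ALL policy plus explicit allows for trusted hosts achieves. Hosts,
networks, the most-specific-wins ordering and default-permit-when-unmatched
are assumptions made for illustration."""
import ipaddress
from typing import List, Optional

ALLOW, DENY = "allow", "deny"


class Rule:
    """One policy line: a destination (host, network, or 'ALL') and an action."""

    def __init__(self, name: str, destination: str, action: str):
        self.name, self.action = name, action
        # 'ALL' is the catch-all; anything else is a host (/32) or a network.
        self.network = (None if destination == "ALL"
                        else ipaddress.ip_network(destination, strict=False))

    def matches(self, ip) -> bool:
        return self.network is None or ip in self.network

    @property
    def specificity(self) -> int:
        """Longer prefix wins; the catch-all sorts below every real network."""
        return -1 if self.network is None else self.network.prefixlen


def build_policy(with_deny_all: bool = True) -> List[Rule]:
    """Constructed sample policy: explicit allows for trusted hosts, optionally
    backed by the Global Deny ALL the guide recommends."""
    rules = [
        Rule("Allow intranet web server", "10.10.5.20/32", ALLOW),
        Rule("Allow file server subnet", "10.20.0.0/24", ALLOW),
        Rule("Block retired host in that subnet", "10.20.0.99/32", DENY),
    ]
    if with_deny_all:
        rules.append(Rule("Global Deny ALL", "ALL", DENY))
    return rules


def evaluate(rules: List[Rule], destination: str) -> Optional[Rule]:
    """Return the most specific matching rule, or None if nothing matches."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in rules if r.matches(ip)]
    return max(candidates, key=lambda r: r.specificity) if candidates else None


def is_allowed(rules: List[Rule], destination: str) -> bool:
    """Without a catch-all an unmatched destination is reachable (assumed
    default-permit), which is exactly the gap the Global Deny ALL closes."""
    rule = evaluate(rules, destination)
    return True if rule is None else rule.action == ALLOW


if __name__ == "__main__":
    for catch_all in (False, True):
        policy = build_policy(with_deny_all=catch_all)
        print(f"Global Deny ALL present: {catch_all}")
        for dest in ("10.10.5.20", "10.20.0.7", "10.20.0.99", "203.0.113.5"):
            rule = evaluate(policy, dest)
            verdict = "ALLOW" if is_allowed(policy, dest) else "DENY"
            print(f"  {dest:>12}: {verdict}  ({rule.name if rule else 'no matching rule'})")
```

The run without the catch-all lets a request to 203.0.113.5, a host nobody listed, through; with the Global Deny ALL in place the same request is denied while the trusted hosts and the subnet remain reachable, and the more specific deny for 10.20.0.99 still overrides the subnet allow.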