• Secure Mobile Access 10.2
• Introduction
  • About This Guide
    • Guide Conventions
  • New Features
  • Deprecated Features
    • Deprecate Legacy User Interface (UI)
  • Overview of SMA Components
    • SMA Software Components
    • SMA Hardware Components
    • Client Versions Released with 10.2
      • NetExtender Client Versions
      • SMA Connect Agent Versions
    • SMA 500v Virtual Appliances
    • Increased Client Connections on SMA 210/410
    • Capture ATP Integration Overview
    • Always on VPN
      • Secure Network Detection
      • AOV Controls
      • AOV Logs
      • Anti-Tampering Protection
    • Encryption Overview
    • SSL for Virtual Private Networking (VPN)
    • SSL Handshake Procedure
    • IPv6 Support Overview
    • Portals Overview
      • Custom Portals
    • File Shares
    • Domains Overview
    • Application Offloading and HTTP(S) Bookmarks Overview
      • Benefits of HTTP(S) Bookmarks
      • Benefits of Application Offloading
      • Software Prerequisites
      • Supported Application Deployment Considerations
    • Cross Domain Single Sign-On
    • ActiveSync Authentication
      • ActiveSync Log Entries
      • Configuring a Portal to Check Email from an Android Device
    • Network Resources Overview
      • HTTP (Web) and Secure HTTPS (Web)
      • Telnet
      • SSHv2
      • FTP
      • File Shares (CIFS)
      • Remote Desktop Protocols
      • Virtual Network Computing
        • RDP 7 Support
      • Application Protocols Using RDP
      • Microsoft Outlook Web Access
      • Windows SharePoint Services
      • Lotus Domino Web Access
      • Citrix Portal
    • SNMP Overview
    • DNS Overview
    • Network Routes Overview
    • NetExtender Overview
      • What is NetExtender?
      • Benefits of NetExtender
      • NetExtender Concepts
      • NetExtender and IPv6
      • Two-Factor Authentication Overview
        • Benefits of Two-Factor Authentication
        • How Does Two-Factor Authentication Work?
        • Supported Two-Factor Authentication Providers
        • Two-Factor Authentication Login Processes
      • One Time Password Overview
        • What is One Time Password?
        • Benefits of One Time Passwords
        • How Does the One Time Password Feature Work?
        • Configuring One Time Passwords for SMS-Capable Phones
        • Verifying Administrator One Time Password Configuration
      • End Point Control Overview
        • What is End Point Control?
        • Benefits of End Point Control
        • How Does End Point Control Work?
        • Configuring End Point Control
      • Web Application Firewall Overview
        • What is Web Application Firewall?
        • Benefits of Web Application Firewall
        • How Does Web Application Firewall Work?
        • How are Signatures Used to Prevent Attacks?
        • How is Cross-Site Request Forgery Prevented?
        • How is Information Disclosure Prevented?
        • How are Broken Authentication Attacks Prevented?
        • How are Insecure Storage and Communications Prevented?
        • How is Access to Restricted URLs Prevented?
        • How are Slowloris Attacks Prevented?
        • What Type of PCI Compliance Reports Are Available?
        • How Does Cookie Tampering Protection Work?
        • How Does Application Profiling Work?
        • How Does Rate Limiting for Custom Rules Work?
      • Restful API - Phase 1 Support
      • Restful API - Phase 2 Support
  • Navigating the Management Interface
    • Browser Requirements
      • Browser Requirements for the Administrator
      • Browser Requirements for the End User
    • Management Interface Introduction
      • Understanding the Management Interface
        • Dashboard
        • Navigation Bar
        • Status Bar
        • Accepting Changes
        • Navigating Tables
        • Restarting
        • Common Icons in the Management Interface
        • Tool tip in the Management Interface
        • Getting Help
        • Logging Out
  • Deployment Guidelines
    • Support for Numbers of User Connections
    • Resource Type Support
    • Integration with other SonicWall Products
    • Typical Deployment
    • Two-armed Deployment
    • Virtual Platforms
• Secure Mobile Access Dashboard
  • System Report
• Configuring Secure Mobile Access
  • System Configuration
    • System > Status
      • System Status Overview
        • System Messages
        • System Information
        • Latest Alerts
        • Licenses & Registration
      • Registering SMA Appliance with System Status
        • Before You Register
        • Registering with MySonicWall
      • Configuring Network Interfaces
    • System > Licenses
      • System > Licenses Overview
        • Security Services Summary
        • Manage Security Services Online
        • Using a Spike License
        • Manual Upgrade
      • Registering the SMA Appliance and Managing Security/Support Services with System > Licenses
      • Activating or Upgrading Licenses
    • System > Time
      • System > Time Overview
        • System Time
        • NTP Settings
      • Setting the Time
      • Enabling Network Time Protocol
    • System > Settings
      • System > Settings Overview
        • Firmware Management
      • Managing Configuration Files
        • Encrypting the Configuration File
        • Importing a Configuration File
        • Importing Partial Configurations
        • Exporting a Backup Configuration File
        • Emailing Configuration Settings
        • Enabling Scheduled Backups
        • Emailing New Settings
      • Managing Firmware
        • Setting Firmware Notification
        • Creating a Backup
        • Downloading Firmware
        • Booting a Firmware Image
        • Uploading New Firmware
    • System > Administration
      • System > Administration Overview
        • Login Security
        • HTTP DOS Settings
        • Content Security Policy Setting
        • Global SSL/TLS Settings
        • Transport Layer Security (TLS) 1.3 Support
        • Capacity Matrix
        • Web Management Settings
        • SNMP Settings
      • Configuring Login Security
        • Enabling Lockout for Source IP Address
      • Configuring HTTP DOS Settings
      • Blocking Source IP Address for Continuous Login Failures
      • Configuring Web Management Settings
      • Configuring SNMP Settings
      • Enabling GMS Settings
      • About External FTP/TFTP Server
      • Enabling Cloud Management and Reporting
    • System > Certificates
      • System > Certificates Overview
        • Server Certificates
        • Additional CA Certificates
        • SAML Certificates
      • Certificate Management
      • Generating a Certificate Signing Request
      • Generating a Certificate Using Let's Encrypt
      • Viewing and Editing Certificate Information
      • Importing a Certificate
      • Adding Additional CA Certificates
    • System > Monitoring
      • Monitoring Graphs
      • Setting the Monitoring Period
      • Refreshing the Monitors
    • System > Diagnostics
      • Downloading & Generating the Tech Support Report
      • Using iPerf Performance Diagnostics for NetExtender
      • Performing Diagnostic Tests
    • System > Restart
      • System > Restart Overview
      • Restarting the SMA Appliance
    • System > About
  • Network Configuration
    • Network > Interfaces
      • Network > Interfaces Overview
      • Configuring Network Interfaces
    • Network > DNS
      • Network > DNS Overview
        • DNS Settings
        • WINS Settings
      • Configuring Hostname Settings
      • Configuring DNS Settings
      • Customize DNS Settings for the SMA Appliance Using Azure/AWS Platform
      • Configuring WINS Settings
    • Network > Routes
      • Network > Routes Overview
        • Default Route
        • Static Routes
      • Configuring a Default Route for the SMA Appliance
      • Customize a Default gateway for the SMA Appliance Using Azure/AWS Platform
      • Configuring Static Routes for the Appliance
    • Network > Host Resolution
      • Network > Host Resolution Overview
        • Host Name Settings
      • Configuring Host Resolution
    • Network > Network Objects
      • Network > Network Objects Overview
      • Adding Network Objects
      • Editing Network Objects
      • Defining an Object Address
  • Portals Configuration
    • Portals > Portals
      • About Portal Home Page
      • Adding Portals
      • Configuring General Portal Settings
        • Enforcing Login Uniqueness
        • Enforcing Client Source Uniqueness
      • Configuring Login Schedules
      • Configuring the Home Page
        • Enabling NetExtender to Launch Automatically in the User Portal
      • Configuring Virtual Host Settings
      • Adding a Custom Portal Logo
    • Portals > Application Offloading
      • Configuring with the Offloading Portal Wizard
      • General Server Settings
      • Load Balancing Server Settings
      • URL-based Aliasing Server Settings
      • Remote Desktop Web Access Server Settings
      • Configuring the Security Settings
      • Configuring the Miscellaneous Settings
      • Using Offloaded Applications
        • Configuring Application Offloading with SharePoint 2013
        • Microsoft Outlook Anywhere with Autodiscover Overview
    • Portals > Domains
      • Viewing the Domains Table
      • Removing a Domain
      • Adding or Editing a Domain
      • Secure Hosts for Secure Network Detection
      • Adding or Editing a Domain with Local User Authentication
      • Adding or Editing a Domain with Active Directory Authentication
      • Adding or Editing a Domain with RADIUS Authentication
        • Portal Name Added to Client Identifier for RADIUS
      • Adding or Editing a Domain with Digital Certificates
      • Adding a Domain with SAML 2.0 Authentication
      • Configuring SAML Authentication
        • Configuring SAML Authentication with Azure
        • Configuring SAML Authentication with OneLogin
        • Configuring SAML Authentication with G Suite
        • Configuring SAML Authentication with Office 365
        • Configuring SAML Authentication with Okta
      • Configuring Two-Factor Authentication
      • DUO Security Authentication Support for NetExtender and Mobile Connect Clients
    • Portals > Load Balancing
      • Configuration Scenarios
      • Load Balancing Settings
      • Configuring a Load Balancing Group
        • Adding a New Load Balancing Group
        • Configuring Probe Settings
        • Adding New Members to a Load Balancing Group
    • Portals > URL Based Aliasing
      • Adding a URL-based Aliasing Group
        • Adding Members
        • Deleting a Group
        • Deleting a Member
      • Default Site Settings
• Configuring Services and Clients
  • Services Configuration
    • Services > Settings
      • HTTP/HTTPS Service Settings
      • NetExtender/Mobile Connect Service Settings
      • Mobile Connect Default Policy Settings
      • Global Portal Settings
      • One Time Password Settings
      • Policy Match Log Settings
      • FTP Settings
      • File Share Settings
    • Services > Bookmarks
      • Terminal Services (RDP-HTML5 and Native)
      • Terminal Services (RDP-HTML5)
      • Virtual Network Computing (VNC-HTML5)
      • Citrix Portal (Citrix)
      • Web (HTTP)
      • Secure Web (HTTPS)
      • External Web Site
      • Mobile Connect
      • File Shares (CIFS)
      • File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
      • Telnet HTML5 Settings
      • Secure Shell Version 2 (SSHv2)
    • Services > Policies
      • Adding a Policy
      • Editing a Policy
      • Deleting a Policy
      • Adding an SMS Template
  • Device Management Configuration
    • Device Management > Devices
      • Adding a Device
      • Importing a Device
      • Exporting Selected Devices
      • Deleting Selected Devices
      • Approving Selected Devices
      • Rejecting Selected Devices
    • Device Management > Settings
      • Register Settings
      • ActiveSync Provision Settings
      • Notification Settings
    • Device Management > Policies
  • Clients Configuration
    • Clients > Status
    • Clients > Settings
      • Configuring the Global NetExtender/Mobile Connect IP Address Range
      • Configuring Global NetExtender/Mobile Connect Settings
      • Configuring Internal Proxy Settings
      • Configuring Post-Connection Scripts
    • Clients > Routes
      • Clients > Routes Overview
      • Adding Clients Routes
    • Clients > Advanced Settings
      • NetExtender/Mobile Connect Traffic Log
      • Post Connection Script Files
    • Clients > Log
  • End Point Control
    • End Point Control > Status
    • Configuring End Point Control Settings
    • Configuring EPC Device Profiles
    • Users > Local Groups > Edit EPC Settings
    • Users > Local Users > Edit EPC Settings
  • Web Application Firewall Configuration
    • Viewing and Updating Web Application Firewall Status
      • Viewing Status and Synchronizing Signatures
      • Downloading a PCI Compliance Report
    • Configuring Web Application Firewall Settings
      • Enabling Web Application Firewall and Configuring General Settings
      • Configuring Global Exclusions
      • Configuring Intrusion Prevention Error Page Settings
      • Configuring Cross-Site Request Forgery Protection Settings
      • Configuring Cookie Tampering Protection Settings
      • Configuring Web Site Cloaking
      • Configuring Information Disclosure Protection
      • Configuring Session Management Settings
    • Configuring Web Application Firewall Signature Actions
      • Enabling Performance Optimization
      • Configuring Signature Based Custom Handling and Exclusions
      • Reverting a Signature to Global Settings
      • Removing a Host from a Per-Signature Exclusion
    • Configuring Custom Rules and Application Profiling
      • Configuring Rule Chains
      • Adding or Editing a Rule Chain
      • Cloning a Rule Chain
      • Deleting a Rule Chain
      • Correcting Rule Chains
    • Using Web Application Firewall Monitoring
      • Monitoring on the Local page
        • Using the Control Buttons
        • Monitoring Web Server Status
        • Monitoring Detected and Prevented Threats
        • Viewing Threats in List Format
      • Monitoring on the Global Page
    • Licensing Web Application Firewall
  • Capture ATP
    • Capture ATP > Settings
      • General Settings
      • File Type Settings
      • File Size Settings
      • Custom Blocking Behavior
    • Capture ATP > Report
      • Files Scanned in the Last 30 Days
      • Viewing Files Scanned
      • Filtering Files
      • Adding a New Filter
      • Uploading a File
    • Capture ATP > Licensing
      • SonicWall Capture ATP Service
      • License Status
  • Geo IP and Botnet Filter
    • Status
      • General Status
      • Botnet Status
    • Settings
      • General Settings
      • Remediation Settings
    • Policies
    • Licensing
  • High Availability Configuration
    • High Availability Overview
      • Supported Platforms
    • Preparing for High Availability
    • Configuring Settings
      • Enabling Interface Monitoring
      • Configuring Network Monitoring Addresses
      • Configuring Management Settings for Idle Unit
      • Synchronizing Firmware
      • Synchronizing Settings
    • Synchronizing Licenses
    • High Availability FAQS
• Configuring Users & Logs
  • Users Configuration
    • Users > Status
      • Access Policies Concepts
      • Access Policy Hierarchy
    • Users > Local Users
      • Local Users
        • Removing a User
        • Adding a Local User
        • Importing Local Users
        • Exporting Local Users
      • Editing User Settings
        • Modifying General User Settings
        • Modifying Group Settings
        • Modifying Portal Settings
        • Modifying Clients Settings
        • Modifying NetExtender Client Routes
      • Adding User Policies
        • Adding a Policy for an IP Address
        • Adding a Policy for an IP Network
        • Adding a Policy for All Addresses
        • Setting File Share Access Policies
        • Adding a Policy for a File Share
        • Adding a Policy for a URL Object
        • Policy URL Object Field Elements
        • Adding a Policy for All IPv6 Addresses
        • Adding a Policy for an IPv6 Address
        • Adding a Policy for an IPv6 Network
      • Adding or Editing User Bookmarks
        • Terminal Services (RDP) or Terminal Services (RDP - HTML5)
        • Virtual Network Computing (VNC)
        • Citrix Portal (Citrix)
        • Web (HTTP)
        • Secure Web (HTTPS)
        • External Web Site
        • Mobile Connect
        • File Shares (CIFS)
        • File Transfer Protocol (FTP)
        • SSH File Transfer Protocol (SFTP)
        • Telnet
        • Secure Shell Version 2 (SSHv2)
        • HTML5 SSH Key File Authentication Support
      • Creating a Citrix Bookmark for a Local User
      • Creating Bookmarks with Custom SSO Credentials
      • Configuring Login Policies
      • Denying Mobile App Binding when Login is Attempted from any External Network
      • Reusing Mobile App Binding Text Code
      • Flexibility in Choosing Two-factor Authentication Method for NetExtender Login
      • Configuring End Point Control for Users
      • Configuring Capture ATP
        • General Settings
        • File Type Settings
        • File Size Settings
        • Custom Blocking Behavior
    • Users > Local Groups
      • Deleting a Group
      • Adding a New Group
      • Editing Group Settings
        • Editing General Local Group Settings
        • Enabling Routes for Groups
          • Enabling Group Client Routes
          • Enabling Tunnel All Mode for Local Groups
        • Adding Group Policies
        • Editing a Policy for a File Share
        • Configuring Group Bookmarks
          • Terminal Services (RDP), Terminal Services (RDP-HTML5) or Terminal Services (RDP-Native)
          • Virtual Network Computing (VNC)
          • Citrix Portal (Citrix)
          • Web (HTTP)
          • Secure Web (HTTPS)
          • External Web Site
          • Mobile Connect
          • File Shares (CIFS)
          • File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
          • Secure Shell Version 2 (SSHv2) HTML5 Settings
          • SSHv2 Common Settings
        • Configuring Group End Point Control
      • LDAP Attribute Information
        • Example of LDAP Users and Attributes
        • Sample LDAP Attributes
        • Querying an LDAP Server
      • Group Configuration for Active Directory and RADIUS Domains
        • Bookmark Support for External (Non-Local) Users
        • Adding a RADIUS Group
        • Adding an Active Directory Group
      • Creating a Citrix Bookmark for a Local Group
    • Global Configuration
      • Edit Global Policies
      • Edit a Policy for a File Share
      • Edit Global Bookmarks
      • Edit EPC Settings
  • Log Configuration
    • Log > View
    • Log > View Overview
    • Log > Settings Overview
      • Log and Alert Levels
      • Syslog Settings
      • Event Logging and Alerts
      • Configuring Log Settings
      • Configuring the Mail Server
    • Log > Categories
    • Log > Analyzer Overview
• Using Virtual Office
  • Virtual Office Configuration
    • Virtual Office
      • Virtual Office Overview
      • Using the Virtual Office
    • SMA Connect Agent
      • Supported Operating Systems
      • Downloading and Installation
      • Setting up the SMA Connect Agent
        • Proxy Configuration
        • Logs
        • Browser Warning
        • End Point Control (EPC)
        • PDA (Personal Device Authorization)
        • SonicWall Application
• Appendices
  • Using Online Help
  • Configuring an SMA Appliance with a Third-party Gateway
    • Cisco PIX Configuration for SMA Appliance Deployment
      • Before you Begin
        • Management Considerations for the Cisco Pix
      • Method One – SMA Appliance on LAN Interface
      • Method Two – SMA Appliance on DMZ Interface
    • Linksys WRT54GS
    • WatchGuard Firebox X Edge
    • NetGear FVS318
    • NetGear Wireless Router MR814 SSL Configuration
    • Check Point AIR 55
      • Setting up an SMA Appliance with Check Point AIR 55
      • Static Route
      • ARP
    • Adding the Allowed Host Option in the Content Security Policy Header
  • Printer Redirection
    • Enable the Redirection Printers
    • Time-Zone Redirection
  • Use Cases
    • Importing CA Certificates on Windows
      • Importing a goDaddy Certificate on Windows
      • Importing a Server Certificate on Windows
    • Creating Unique Access Policies for AD Groups
      • Creating the Active Directory Domain
      • Adding a Global Deny All Policy
      • Creating Local Groups
      • Adding the SSHv2 PERMIT Policy
      • Adding the OWA PERMIT Policies
      • Verifying the Access Policy Configuration
  • Secure Mobile Access Security Best Practices
    • Multi-Factor Authentication
      • Enable One-Time Password (OTP) Using Phone or Email
        • Configuring One-Time Passwords for Email
        • Configuring One-Time Passwords for SMS
      • Enabling One-Time Password
      • 2FA and OTP User Experience
      • User Backup Codes
    • Additional Configuration Recommendations for Security Best Practices
      • Prohibit Saving Username and Password
      • Hide Domain List on Portal Login Page
      • Enable HTTP Strict Transport Security (HSTS) for SMA
      • Enforce Login Uniqueness
      • Enforce Client Source Uniqueness
      • Enable “Login Schedule”
      • Enable “Logout Schedule”
      • Enforce Password Complexity
      • Enable Client Certificate Enforcement (Advanced Security Feature)
      • Restrict Request Headers
      • Use a Public Certificate
      • Allow Touch ID and Face ID on Mac, Apple IOS, and Android Devices
      • Disconnection on Inactivity Timeout
      • Disable the Default Admin Account
      • Allow Policy Match Logging
      • Setup Connection Policies
      • Device Registration
      • End Point Control
      • GEO IP Fencing
      • Capture ATP for the SMA 100 Series
    • Security Enhancements
      • New Firmware Availability Notifications
      • OpenSSL Version Upgrade
      • Additional Security Enhancements
        • Enforce WAF to Protect the SMA100
        • Warning on Security Configurations
          • Warning for 2FA on Domains
          • Warning for Password Expiration of Local Domains
          • Warning for WAF on Web Application Portals
        • Disable User Data for Deploying SMA 500v in Azure or AWS
    • General Considerations
  • NetExtender Troubleshooting
  • Frequently Asked Questions
    • Hardware FAQ
    • Digital Certificates and Certificate Authorities FAQ
    • NetExtender FAQ
    • General FAQ
  • Using the Command Line Interface
    • SafeMode
  • Using SMS Email Formats
  • Support Information
    • GNU General Public License (GPL) Source Code
    • Limited Hardware Warranty
    • End User License Agreement
  • Glossary
• SonicWall Support
  • About This Document

Configuring Group End Point Control

To configure the End Point Control profiles used by local groups

1. Navigate to either the Users > Local Users or Users > Local Groups page.
2. Click the Configure icon next to the group to be configured for EPC. The Edit Local Group window is displayed.
3. Click the EPC page. The EPC window is displayed.
4. Configure EPC group settings and add or remove device profiles, Group Configuration for LDAP Authentication Domains.

Lightweight Directory Access Protocol (LDAP) is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), the SMA appliance can query this information and provide specific group policies or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SMA appliance administrator can leverage the groups that have already been configured in an LDAP or Active Directory database, rather than needing to manually recreate the same groups in the SMA appliance.

After an LDAP authentication domain is created, a default LDAP group is created with the same name as the LDAP domain name. Although additional groups can be added or deleted from this domain, the default LDAP group cannot be deleted. If the user for which you created LDAP attributes enters the Virtual Office home page, the bookmark you created for the group the user is in displays in the Bookmarks Table.

For an LDAP group, you can define LDAP attributes. For example, you can specify that users in an LDAP group must be members of a certain group or organizational unit defined on the LDAP server. Or you can specify a unique LDAP distinguished name.

To add an LDAP attribute for a group so that a user has a bookmark assigned when entering the Virtual Office environment, complete the following steps

1. Navigate to the Portals > Domains page and click Add Domain to display the Add New Domain window.

2. Select LDAP from the Authentication Type menu. The LDAP domain configuration fields are displayed.

   

3. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users select to log in to the Secure Mobile Access user portal. It can be the same value as the Server address field.
4. Enter the IP address or domain name of the server in the Server address field.
5. Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search base string is CN=Users,DC=yourdomain,DC=com.
6. Enter a Server address that has been delegated control of the container that server is in.
7. Enter the username along with the corresponding password in the Login username and Login password fields.
8. Enter a Backup Server address.
9. Enter the backup username along with the corresponding backup password in the Login username and Login password fields.
10. Select the name of the portal in the Portal name field. Additional layouts can be defined in the Portals > Portals page.
11. Select Allow password changes (if allowed by LDAP server) if you want to be able to change user’s passwords. The admin account must be used when changing user passwords.
12. Optionally select Use SSL/TLS. This option allows for the needed SSL/TLS encryption to be used for Active Directory password exchanges. This check box should be enabled when setting up a domain using Active Directory authentication.

13. Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:

    • Verify username matches Common Name (CN) of client certificate – Select this check box to require that the user’s account name match their client certificate.
    • Verify partial DN in subject – Use the following variables to configure a partial DN that matches the client certificate:
      • Username: %USERNAME%
      • Domain name: %USERDOMAIN%
      • Active Directory username: %ADUSERNAME%
      • Wildcard: %WILDCARD%
14. Select Delete external user accounts on logout to delete users who are not logged into a domain account after they log out.
15. Select Only allow users listed locally to allow only users with a local record in the Active Directory to login.

16. Select Auto-assign groups at login to assign users to a group when they log in.

    Users logging into Active Directory domains are automatically assigned in real time to Secure Mobile Access groups based on their external AD group memberships. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.

17. Optionally, select One-time passwords to enable the One Time Password feature. A drop-down menu appears, in which you can select if configured, required for all users, or using domain name. These are defined as:

    • if configured – Only users who have a One Time Password email address configured uses the One Time Password feature.
    • required for all users – All users must use the One Time Password feature. Users who do not have a One Time Password email address configured are not allowed to login.
    • using domain name – Users in the domain uses the One Time Password feature. One Time Password emails for all users in the domain are sent to username@domain.com.

18. If you selected if configured or required for all users in the One-time passwords drop-down menu, the Active Directory AD e-mail attribute drop-down menu appears, in which you can select mail, mobile, pager, userPrincipalName, or custom. These are defined as:

    • mail – If your AD server is configured to store email addresses using the “mail” attribute, select mail.
    • mobile or pager – If your AD server is configured to store mobile or pager numbers using either of these attributes, select mobile or pager, respectively. Raw numbers cannot be used, however, SMS addresses can.
    • userPrincipalName – If your AD server is configured to store email addresses using the “userPrincipalName” attribute, select userPrincipalName.
    • custom – If your AD server is configured to store email addresses using a custom attribute, select custom. If the specified attribute cannot be found for a user, the email address assigned in the individual user policy settings is used. If you select custom, the Custom attribute field appears. Type the custom attribute that your AD server uses to store email addresses. If the specified attribute cannot be found for a user, the email address is taken from their individual policy settings.

    If you select using domain name, an E-mail domain field appears following the drop-down menu. Type in the domain name where one-time password emails are sent (for example, abc.com).

19. Select the type of user from the User Type drop-down menu. All users logging in through this domain are treated as this user type. The choices depend on user types defined already. Some possible choices are:

    • External User – Users logging into this domain are treated as normal users without administrative privileges.

    • External Administrator – Users logging into this domain are treated as administrators, with local Secure Mobile Access admin credentials. These users are presented with the admin login page.

      This option allows the Secure Mobile Access administrator to configure a domain that allows Secure Mobile Access admin privileges to all users logging into that domain.

      SonicWall Inc. recommends adding filters that allow administrative access only to those users who are in the correct group. You can do so by editing the domain on the Users > Local Groups page.

    • Read-only Administrator – Users logging into this domain are treated as read-only administrators and can view all information and settings but cannot apply any changes to the configuration. These users are presented with the admin login page.
20. Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.
21. Navigate to the Users > Local Groups page and click the Configure icon. The Edit Group Settings page is displayed, with fields for LDAP attributes on the General page.

22. On the General page, you can optionally fill out one or multiple LDAP Attribute fields with the appropriate names where name=value is the convention for adding a series of LDAP attributes. To see a full list of LDAP attributes, refer to the SonicWall Inc. LDAP Attribute document.

    As a common example, fill out an attribute field with the memberOf= attribute which can bundle the following common variable types:

    CN= - the common name. DN= - the distinguished name. DC= - the domain component.

    You need to provide quote delimiters around the variables you bundle in the memberOf line. You separate the variables by commas. An example of the syntax using the CN and DC variables would be:

    memberOf="CN=<string>, DC=<string>"

    An example of a line you might enter into the LDAP Attribute field, using the CN and DC variables would be:

    memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"

23. Type an inactivity timeout value (in minutes) in the Inactivity Timeout field. Enter 0 (zero) to use the global inactivity timeout setting.

24. Under Single Sign-On Settings, in the Automatically log into bookmarks list, select one of the following:

    • Use global policy – Use the global policy for using SSO to log in to bookmarks.
    • User-controlled (enabled by default for new users) – Enable SSO to log in to bookmarks for new users and allow users to change this setting.
    • User-controlled (disabled by default for new users) – Disable SSO to log in to bookmarks for new users and allow users to change this setting.
    • Enabled – Enable SSO to log in to bookmarks
    • Disabled – Disable SSO to log in to bookmarks
25. Click Accept when done.