Secure Mobile Access 100 10.2 Administration Guide
Configuring Login Policies
The Login Policies page of a local user provides configuration options for policies that allow or deny that user login to the SMA appliance from specific source IP addresses and client browsers, together with per-user requirements for client certificates and one-time passwords.
To allow or deny specific users from logging into the appliance:
- Navigate to the Users > Local Users page.
- Click the Configure icon for the user you want to configure. The Edit Local User page is displayed.
- Click the Login Policies tab. The Edit Local User - Login Policies page is displayed.
- To block the specified user or users from logging into the appliance, select Disable login.
- Optionally select Enable from the Enable client certificate enforcement drop-down menu to require a client certificate for login. With this option the client must present a client certificate for strong mutual authentication; a user who cannot present one is refused before any password or one-time password check. Two additional fields appear:
- Verify username matches Common Name (CN) of client certificate – Select this check box to require that the user’s account name match their client certificate.
- Verify partial DN in subject – Use the following variables to configure a partial DN that matches the client certificate:
- Username: %USERNAME%
- Domain name: %USERDOMAIN%
- Active Directory username: %ADUSERNAME%
- Wildcard: %WILDCARD%
- To control whether this user must supply a one-time password to log in, select one of the following from the One-Time Password drop-down menu. The default is Use domain setting.
  - Use domain setting – Take the action specified by the domain's one-time password setting.
  - Enabled – Require a one-time password for this user, overriding the domain setting. When you select this option, three additional fields appear:
    - User discretion – Allow the user to edit one-time password settings from the Users > Local Users > Edit Local User page. Users have the option of selecting one or both of the following one-time password methods.
    - Use E-mail – Optionally select this check box to enable e-mail delivery of the one-time password. The Email domain field appears, in which you enter the e-mail address the one-time password is sent to.
    - Use Mobile App – Optionally select this check box to enable a one-time password generated by a mobile authenticator app. Users can use Google Authenticator, Duo Mobile, or any other compliant two-factor authentication app.
  - Disabled – Do not require a one-time password for this user, overriding the domain setting.
- Optionally click CLEAR APP INFO to clear the user's mobile app binding information, for example after the user has replaced or lost the device that held the authenticator.
- To apply the policy you selected to a source IP address, select an access policy (Allow or Deny) in the Login From Defined Addresses drop-down menu under Login Policies by Source IP Address, and then click Add under the list box. The Define Address window is displayed.
- In the Define Address window, select one of the source address type options from the Source Address Type drop-down menu.
- IP Address – Enables you to select a specific IP address.
- IP Network – Enables you to select a range of IP addresses. If you select this option, a Network Address field and Subnet Mask field appear in the Define Address window.
- IPv6 Address – This enables you to select a specific IPv6 address.
- IPv6 Network – This enables you to select a range of IPv6 addresses. If you select this option, a IPv6 Network field and Prefix field appear in the Define Address window.
- Provide the appropriate IP address(es) for the source address type you selected.
- IP Address – Type a single IP address in the IP Address field.
- IP Network – Type an IP address in the Network Address field and then supply a subnet mask value that specifies a range of addresses in the Subnet Mask field.
- IPv6 Address – Type an IPv6 address, such as 2007::1:2:3:4.
- IPv6 Network – Type the IPv6 network address into the IPv6 Network field, in the form 2007:1:2::. Type a prefix into the Prefix field, such as 64.
- Click Add. The address or address range is displayed in the Defined Addresses list on the Edit Local User - Login Policies page. As an example, if you selected a range of addresses with 10.202.4.32 as the network address and 255.255.255.240 (a 28-bit mask, /28) as the subnet mask value, the Defined Addresses list displays 10.202.4.32–10.202.4.47. In this case, 10.202.4.32 is the network address and 10.202.4.47 the broadcast address; both are included in the range. Whatever login policy you selected (Allow or Deny) is now applied to every address in this range.
- To apply the policy you selected to a client browser, select an access policy (Allow or Deny) in the Login From Defined Browsers drop-down menu under Login Policies by Client Browser, and then click Add under the list. The Define Browser window is displayed.
- In the Define Browser window, type a browser definition in the Client Browser field and then click Add. The browser name appears in the Defined Browsers list.
- Click Accept. The new login policy is saved.
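The following Python is an added example, not SonicWall code or the appliance's own login logic. It models the per-user checks described in the procedure above (Disable login, client-certificate CN and partial-DN verification, and Login Policies by Source IP Address) so that an administrator can see which addresses a Defined Addresses entry actually covers, and which logins the combined policy admits, before committing it. The user record, the certificate subject and the client addresses are constructed sample data; the /28 is the guide's own 10.202.4.32 example. Assumed rather than stated in the guide: a partial DN matches when every RDN of the template occurs in the certificate subject, %WILDCARD% matches any value of that attribute, and an Allow policy means login is permitted only from the defined addresses.

```python
"""Model of an SMA local-user login policy (added example, not SonicWall code).

Assumptions not stated in the guide: a partial DN matches when every RDN in
the template occurs in the certificate subject, %WILDCARD% matches any value,
and 'Allow' permits login only from the defined addresses.
"""
import ipaddress


def defined_address(kind, value, mask_or_prefix=None):
    """Turn one Define Address entry into an ipaddress network object.

    kind is a Source Address Type from the page: 'IP Address', 'IP Network',
    'IPv6 Address' or 'IPv6 Network'. A bare address becomes a /32 or /128;
    an IPv4 network takes a dotted subnet mask, an IPv6 network a prefix length.
    """
    if kind in ("IP Address", "IPv6 Address"):
        return ipaddress.ip_network(value)
    if kind in ("IP Network", "IPv6 Network"):
        return ipaddress.ip_network(f"{value}/{mask_or_prefix}", strict=False)
    raise ValueError(f"unknown source address type: {kind}")


def address_range(net):
    """First and last address the Defined Addresses list would show."""
    return str(net[0]), str(net[-1])


def source_ip_allowed(policy, defined, client_ip):
    """Apply the Login From Defined Addresses policy (Allow or Deny)."""
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in net for net in defined)   # version mismatch is False
    if policy == "Allow":
        return matched          # only the listed addresses may log in
    if policy == "Deny":
        return not matched      # the listed addresses are refused
    raise ValueError(f"unknown policy: {policy}")


def parse_dn(dn):
    """Split 'CN=alice,OU=VPN Users,DC=corp' into (attribute, value) pairs.

    Simplified: escaped commas inside values (RFC 4514) are not handled.
    """
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def cn_matches_username(subject, username):
    """'Verify username matches Common Name (CN) of client certificate'."""
    return any(a == "cn" and v == username for a, v in parse_dn(subject))


def partial_dn_matches(template, subject, username, domain, ad_username=None):
    """'Verify partial DN in subject' using the page's substitution variables."""
    expanded = (template.replace("%USERNAME%", username)
                        .replace("%USERDOMAIN%", domain)
                        .replace("%ADUSERNAME%", ad_username or username))
    have = parse_dn(subject)
    return all(
        any(a == attr and (value == "%WILDCARD%" or v == value) for a, v in have)
        for attr, value in parse_dn(expanded)
    )


def evaluate_login(user, client_ip, cert_subject=None):
    """Return (allowed, reason) for one login attempt against a user record."""
    if user["disable_login"]:
        return False, "Disable login is set"
    if user["client_cert_enforcement"]:
        if cert_subject is None:
            return False, "client certificate required but none presented"
        if user.get("verify_cn") and not cn_matches_username(cert_subject, user["name"]):
            return False, "certificate CN does not match username"
        if user.get("partial_dn") and not partial_dn_matches(
                user["partial_dn"], cert_subject, user["name"], user["domain"]):
            return False, "certificate subject does not match partial DN"
    if not source_ip_allowed(user["ip_policy"], user["defined"], client_ip):
        return False, f"{client_ip} refused by {user['ip_policy']} source-IP policy"
    return True, "ok"


# Constructed sample user; the /28 is the guide's own 10.202.4.32 example.
EXAMPLE_USER = {
    "name": "alice", "domain": "corp.example", "disable_login": False,
    "client_cert_enforcement": True, "verify_cn": True,
    "partial_dn": "CN=%USERNAME%,OU=%WILDCARD%,DC=corp,DC=example",
    "ip_policy": "Allow",
    "defined": [defined_address("IP Network", "10.202.4.32", "255.255.255.240"),
                defined_address("IPv6 Network", "2007:1:2::", 64)],
}

if __name__ == "__main__":
    for net in EXAMPLE_USER["defined"]:
        print(net, "covers", *address_range(net))
    subject = "CN=alice,OU=VPN Users,DC=corp,DC=example"
    for ip in ("10.202.4.47", "10.202.4.48", "2007:1:2::abcd"):
        print(ip, evaluate_login(EXAMPLE_USER, ip, subject))
```

Running it prints the 10.202.4.32–10.202.4.47 range the guide describes and shows that 10.202.4.48, one address past the /28 broadcast, is refused under an Allow policy while an address inside the IPv6 /64 is admitted. The order of checks (login disabled, certificate, then source address) is this example's choice; the appliance's own evaluation order is not documented on this page.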