• Secure Mobile Access 12.4.3
• Introduction
  • About Secure Mobile Access
    • Secure Mobile Access on SMA Appliances
    • About SMA Documentation
      • Document Conventions
    • What’s New in This Release
      • Cisco Duo Security Multi-factor Authentication Server
      • RSA SecurID Authentication Manager
      • Dynamic Form SSO Improvements
      • Exclusions
      • Supportability Enhancements
        • Always On VPN Enhancements
        • Device VPN Enhancements
        • Configuring Cached Credentials
        • Configuring Global Overrides in AMC
        • Downloading the SMA1000 Client Installation Packages
        • Managing Administrator Account Settings
        • Configuring Access Request Logging
        • Configuring Shell Access
        • Copying Resources Groups
    • Discontinued Features
    • Deprecated Features
    • Features of Your SMA Appliance
      • SonicWall SMA Appliance Models
      • Administrator Components for Managing Appliances and Services
      • User Access Components
        • WorkPlace
          • WorkPlace Lite
          • WorkPlace Enhancements
        • Connect and OnDemand Tunnel Clients
        • Mobile Connect Clients
        • End Point Control (EPC)
    • Related Documentation
    • System Requirements
      • Client Components
        • WorkPlace Lite Access
        • Web-Based Clients
          • Web Application Services
        • Tunnel Clients
        • Proxy Clients
        • End Point Control
      • Server Components
        • System Administration
        • Authentication Servers
        • ActiveSync Clients
        • ActiveSync Servers
        • Outlook Anywhere
        • Citrix Server Farms
        • Server Farms
        • Graphical Terminal agents
        • SMA 8200v and CMS Platforms
        • API Support
      • Capacity Report
• Installation
  • Installation and Initial Setup
    • Network Architecture
    • Preparing for the Installation
      • Gathering Information
      • Verifying Your Firewall Policies
        • External Firewall
        • Internal Firewall
    • Installation and Deployment Process
      • Specifications and Rack Installation
      • Front Panel Controls and Indicators
        • SMA 6200/6210/7200/7210 Front Panels
        • LCD Controls for the SMA 7200,7210 and SMA 6200,6210
      • Connecting the Appliance
        • Connecting the SMA 6200,6210 or SMA 7200,7210 Appliance
      • Powering Up and Configuring Basic Network Settings
        • Configuring Basic Network Settings
          • Configuring Basic Network Settings Using the X0 Interface
          • Configuring Basic Network Settings using the LCD Controls
          • Configuring an Appliance Using Setup Tool on the Command Line
      • Web-Based Configuration Using Setup Wizard
      • Configuring the Appliance Using the Management Console
      • Moving the Appliance into Production
      • Powering Down and Restarting the Appliance
    • Next Steps
• Management
  • Working with Appliance Management Console
    • Logging In to AMC
    • Logging Out
    • AMC Basics
      • A Quick Tour of the AMC Interface
        • Summary Pages
        • Tables and Tabs
        • Filters
        • Page Links
        • Editing an Object
        • Changing the Page View
        • Expanded View of List Details
        • Required Fields and Errors
        • Assigning Names and Descriptions
        • Saving Changes on a Page
        • AMC Status Area
        • Version Number and Product Serial Number
      • Adding, Editing, Copying, and Deleting Objects in AMC
      • Getting Help
    • Administrator Accounts
      • Managing Administrator Accounts and Roles
        • Adding Administrator Accounts
        • Editing Administrator Accounts
        • Editing Administrator Roles
        • Defining Administrator Roles
        • API Keys for Management API Access
          • Adding API Keys
          • Modifying API key
          • Regenerating API key value
          • Deleting API key
          • Usage of API Keys to access Management API
      • Managing Administrator Account Settings
        • Adding Authentication Server
        • Configuring Password Policy
        • Configuring Account Lockout
        • Configuring Session Timeout
        • Configuring Concurrent Sessions
      • Avoiding Configuration Conflicts with Multiple Administrators
    • Managing Multiple Secure Mobile Access Appliances
      • Central Management Server (CMS)
    • Working with Configuration Data
      • Saving Configuration Changes
      • Applying Configuration Changes
      • Discarding Pending Configuration Changes
      • Scheduling Pending Changes
    • Deleting Referenced Objects
  • User Management
    • Users, Groups, Communities, and Realms
      • Users and groups
      • Communities
      • Realms
    • Using Realms and Communities
      • Viewing Realms
      • Default, Visible, and Hidden Realms
      • Specifying the Default Realm
      • Enabling and Disabling Realms
      • Best Practices for Defining Realms
    • Configuring Realms and Communities
      • Creating Realms
      • Adding Communities to a Realm
      • Creating and Configuring Communities
        • Assigning Members to a Community
        • Selecting Tunnel Access Methods for a Community
        • Selecting Browser Access Methods for a Community
        • Using End Point Control Restrictions in a Community
        • Configuring the Appearance of WorkPlace
        • WorkPlace and Small Form Factor Devices
        • About WorkPlace and Small Form Factor Devices
        • Optimizing WorkPlace for Display on Small Form Factor Devices
        • Creating or Editing a WorkPlace Style
        • Creating or Editing a WorkPlace Layout
      • Network Tunnel Client Configuration
        • IP Address Allocation
        • Session Persistence
        • Redirection Modes
          • Split Tunnel
          • Redirect All
        • Exclusions
        • Proxy Server Redirection
          • Tunnel Clients and Proxy Auto-Configuration Files (Linux Platform)
        • ESP Mode
        • Secure Network Detection
        • Post-Connection Scripting
        • Windows Tunnel Client Automatic Client Updating
        • Session Termination
        • Configuring Tunnel Client Settings
        • Connect Tunnel and Captive Portals
      • Using the Default Community
      • Changing the Order of Communities Listed in a Realm
      • Configuring RADIUS Accounting in a Realm
      • Editing, Copying and Deleting Communities
    • Managing Users and Groups
      • Viewing Users and Groups
      • Managing Users and Groups Mapped to External Repositories
        • Adding Users or Groups Manually
        • Importing users and groups csv file in mapped accounts
        • Adding Users or Groups by Searching a Directory
        • Advanced Search Methods
        • Creating Dynamic Groups Using a Directory
        • Editing Users or Groups
        • Deleting Users or Groups
        • Certificate Group
      • Managing Local User Accounts
        • Adding Local Users
        • Editing Local Users
        • Deleting Local Users
        • Adding Local Groups
        • Editing Local Groups
        • Deleting Local Groups
      • Importing and Exporting Local Accounts
        • Importing New Local Users and Groups
          • Creating the CSV File
          • Downloading a CSV Template
        • Importing Data for Existing Local Users
        • Importing New Groups
        • Exporting Local User Accounts
        • Import and Export Error Messages
    • Integrating an SMA Appliance with a SonicWall Firewall
      • Configuring a Firewall to Receive RADIUS Accounting Records from an SMA Appliance
      • Configuring an SMA Appliance to Send RADIUS Accounting Records to a Firewall
      • Viewing SMA Users on the Firewall
• Authentication
  • Network and Authentication Configuration
    • About Configuring the Network
    • Configuring Basic Network Settings
      • Specifying System Identity
      • Configuring Network Interfaces
      • Configuring ICMP
      • Viewing Fully Qualified Domain Names and Custom Ports
    • Configuring Routing
      • About Routing
      • Configuring Network Gateways
        • Choosing a Network Gateway Option
        • Configuring Network Gateways in a Dual-Homed Environment
        • Configuring Network Gateways in a Single-Homed Environment
      • Enabling a Route to the Internet
      • Configuring Static Routes
    • Configuring Name Resolution
      • Configuring Domain Name Service
      • Configuring Windows Network Name Resolution
    • Certificates
      • Let's Encrypt
        • Creating a Let's Encrypt certificate in CMS
      • Server Certificates
        • Certificate Strategy
        • Obtaining a Certificate from a Commercial CA
        • Creating a Self-Signed Certificate
        • Managing Server Certificates in AMC
          • Importing an Existing Certificate from Another Computer
          • Exporting an SSL Certificate
      • CA Certificates
        • Importing CA Certificates
        • Configuring Client Certificate Revocation
          • Managing Certificates with a CRL
          • Configuring an OCSP Responder
        • Managing CA Certificates
          • Viewing CA Certificate Details
          • Mapping Certificates to Hosts
          • Exporting CA Certificates
          • Deleting CA Certificates
      • About Intermediate Certificates
      • Working with Certificates FAQs
        • How do I Obtain a Certificate from a Non-Commercial CA?
        • When do Certificates and CRLs Expire?
        • Does Secure Mobile Access support SAN Certificates?
        • Are Intermediate Certificates supported for End-User Certificate Verification?
        • What Are the Different CA Certificates on the Appliance and How Are They Used?
        • How many CA Certificates can be Stored on the Appliance?
        • Can Private Keys or CSRs Generated from Other Tools be Imported to the Appliance?
        • Where Is the AMC Certificate Stored?
        • Should I Keep All CA Certificates on the Appliance or Just the Ones I Need?
    • Managing User Authentication
      • Configuring Authentication Servers
        • Defining Multiple Authentication Servers
        • Disabling Authorization Checks
      • Configuring Microsoft Active Directory Servers
        • Configuring Active Directory with Username and Password
        • Configuring Multiple Active Directory (Advanced)
          • Configure AD Forest Authentication Server
          • Configure Groups Using Multiple Trees
          • Configure Groups Using Trees from Trusted Forests
          • User Login
        • Configuring LDAP to Authenticate Against Active Directory
        • LDAP Examples for Active Directory Authentication
      • Configuring LDAP and LDAPS Authentication
        • Configuring LDAP with Username and Password
      • Configuring RADIUS Authentication
        • Configuring RADIUS with User or Token-Based Credentials
        • Configuring Advanced RADIUS Settings
      • Integration of SMA with Cisco Duo Security MFA Server
        • Configuring Cisco Duo security MFA server
        • Configuring Cisco Duo Security MFA Server in SMA1000
        • Enrolling users for Cisco Duo Security MFA Server
        • Additional Authentication Methods
        • SMA1000 Clients and AMC Authentication Support
      • User-Mapped Tunnel Addressing
      • Integration of SMA1000 with RSA SecurID Authentication Manager
        • Configuring RSA Server Authentication
        • Configuring the RSA SecurID Authentication Manager
        • SMA1000 Clients and AMC Authentication support
      • Configuring a PKI Authentication Server
      • Additional Field for Custom Certificates
      • Configuring a SAML-Based Authentication Server
        • Configuring a SAML 2.0 Identity Provider Authentication Server
        • Group Management with SAML IdP authentication server
        • Using Group Affinity checking
        • Using SAML Attributes during authentication
        • Configure SAML IdP
        • Update SMA SAML IdP authentication server
      • One Identity Defender
      • Configuring Local User Storage
      • Testing AD,LDAP,RADIUS and One Defender Authentication Configurations
      • Configuring Chained Authentication
        • Chained Authentication Login Example
      • Enabling Group Affinity Checking in a Realm
      • Using One-Time Passwords for Added Security
        • Configuring SMTP to Deliver One-Time Passwords
        • Configuring SMS based Authentication
        • Using Time-Based One-Time Passwords
          • Configuring Time-Based One-Time Passwords Settings
          • Managing Users of Time-Based One-Time Passwords
        • Configuring an Authentication Server for email-basedOne-Time Passwords
        • Configuring the AD or LDAP Directory Server
      • Configuring Personal Device Authorization
      • Using Your SMA Appliance as a SAML Identity Provider
        • Support for User Groups in SAML IdP Authentication
        • Configuring Your SMA Appliance to be a SAML IdP
    • Biometric Identification
      • About Biometric Identification
      • Configuring Biometric Identification
    • Next Steps
• Administration
  • Security Administration
    • Creating and Managing Resources
      • Resource Types
        • Built-In Resources
        • Secure Mobile Access WorkPlace (Resource Type: URL)
        • Connect Tunnel (Resource Type: URL)
        • Network Explorer (Resource Type: Network Share)
        • Web Resources
        • Client/Server Resources
        • File Share Resources
      • Resources and Resource Groups
        • Viewing Resources and Resource Groups
        • Adding Resources
        • Example: Specifying a URL Alias
        • Example: Blocking Email Attachments
        • Example: Supporting Exchange on iPhones
        • Example: Restricting Access to Sensitive Data
        • Editing Resources
        • Deleting Resources
        • Configuring a Resource as a SharePoint Web Service
        • Exclusions
          • Using the Exclusions
      • Using Variables in Resource and WorkPlace Shortcut Definitions
        • Using Session Property Variables
        • Using Query-Based Variables
        • Creating a Resource Pointing to Users’ Remote Desktops
        • Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
        • Creating a Variable Containing a Variable
        • Modifying Query Results
        • Displaying a Series of Shortcuts Using a Single Definition
      • Creating and Managing Resource Groups
        • Adding Resource Groups
        • Example: Working with a URL Redirect
        • Editing, Deleting and Copying Resource Groups
      • Web Application Profiles
        • Viewing Web Application Profiles
        • Adding Web Application Profiles
        • Preconfigured Web Application Profiles
        • Web Application Profile Examples
        • How Requests for Web Resources are Evaluated
        • Associating one profile with an entire domain
        • Editing and Deleting Web Application Profiles
      • Configuring a Single Sign-On Authentication Server
        • Forms-Based Single Sign-On
        • Basic Authentication Forwarding
        • NTLM Authentication Forwarding
      • Creating Forms-Based Dynamic Single Sign-On Profiles
        • Dynamic SSO Profile for Microsoft RDWeb
        • Configuring Microsoft RD Web Access in AMC
        • Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
        • Creating Web Application Profile
        • Creating RDWeb URL resource with custom access
        • Adding RDWeb in start page
        • Dynamic SSO Profile for Citrix XenApp
        • Configuring Citrix XenApp in AMC
        • Creating Dynamic SSO Profile for Citrix XenApp
        • Creating Web Application Profile
        • Creating Citrix XenApp URL resource with custom access
        • Adding Citrix Xenapp in start page
      • Kerberos Constrained Delegation
        • Configuring Kerberos Constrained Delegation
      • Configuring SMA Support for Microsoft Outlook Anywhere
      • Viewing User Sessions
    • Access Control Rules
      • Configuring Access Control Rules
        • Viewing Access Control Rules
        • Access Control Rules for Bi-Directional Connections
        • Requirements for Reverse and Cross-Connections
        • Securing Application Ports for Reverse Connections
        • Adding Access Control Rules for a Forward Connection
        • Specifying Advanced Access Control Rule Attributes
        • Adding Access Control Rules for a Reverse Connection
        • Adding a Pair of Access Control Rules for a Cross-Connection
        • Configuring Advanced Access Control Rule Attributes
        • Access Methods and Advanced Options
        • Adding Users and Resources From Within Access Control Rules
        • Editing, Copying, and Deleting Access Control Rules
      • Resolving Deny Rule Incompatibilities
      • Resolving Invalid Destination Resources
        • Invalid Resource Examples
  • System Administration
    • Optional Network Configuration
      • Enabling SSH Access from Remote Hosts
      • Configuring ICMP
      • Configuring Time Settings
    • System Logging and Monitoring
      • Overview: System Logging and Monitoring
      • Log Files
        • Viewing Logs
        • Sorting, Searching, and Filtering Log Messages
        • Sorting
        • Filtering
        • Searching
        • Exporting Log Files
        • Configuring Log Settings
        • System Message Log
        • Management Message Log
        • Management Audit Log
        • Network Tunnel Audit Log
        • Web Proxy Audit Log
        • Client Installation Logs (Windows)
        • Configuring the logging settings for managed appliances
        • Setting Log Levels
        • Configuring Access Request Logging
        • Sending messages to a syslog server
      • Splunk Integration
        • Sending log files to Splunk server
        • Installing Sonicwall SMA1000 Technical Add-on for Splunk
        • Setting up new polling input in Splunk server
        • Configuring syslog data input in Splunk server
        • Searching the logs
        • Reports provided in search
      • Monitoring the Appliance
        • Monitoring Overall Activity
        • Monitoring System Status
        • Viewing User Sessions
        • Open vs Licensed Sessions
        • Licensed Sessions
        • All Open Sessions
        • Authorization Terms Not Accepted
        • All Sessions
        • Ending User Sessions
        • Viewing User Access and Policy Details
        • Exporting User Session Data
      • SNMP Configuration
        • Configuring SNMP
        • Downloading the MIB File
        • Retrieving Management Data Using SNMP
        • MIB Data
        • MIB Data: System Information Module
        • MIB Data: System Health Module
        • MIB Data: Service Health
        • MIB Data: Security History Module
        • MIB Data: Network Tunnel Service Module
        • MIB Data: Traps
        • MIB Data: Other SNMP Data
    • Managing Configuration Data
      • Exporting the Current Configuration to a Local Machine
      • Importing Configuration Data
      • Saving the Current Configuration on the Appliance
      • Deleting or Restoring or Exporting Configuration Data Stored on the Appliance
    • Upgrading, Rolling Back, or Resetting the System
      • Updating the System
        • Naming Conventions for Upgrades
        • Naming Conventions for Hotfixes
        • Installing System Updates
      • Rolling Back to a Previous Version
      • Resetting the Appliance
        • Permanently Disabling the Appliance
    • SSL Encryption
      • Configuring SSL Encryption
    • FIPS Certification
      • Requirements for FIPS
      • Managing FIPS-Compliant Certificates
      • FIPS Violations
      • Enabling FIPS
      • Exporting and Importing FIPS-Compliant Certificates
      • Disabling FIPS
      • Zeroization
    • Software Licenses
      • How Licenses Are Calculated
      • Viewing License Details
      • Managing Licenses
        • Creating a MySonicWall Account
        • Registering Your SMA Appliance
        • Downloading and applying SMA license
        • Managing a Spike License
    • Using Global Overrides
      • Configuring Global Overrides in AMC
• End Point Control
  • About End Point Control
    • End Point Control and OESIS
    • How the Appliance Uses Zones and Device Profiles for End Point Control
      • Defining Zones
    • End Point Control Scenarios
      • Scenario 1: Employees Connecting from IT-Managed Laptops
      • Scenario 2: Employees Connecting from a Home PC
      • Scenario 3: Employees Connecting from a Public Kiosk
      • Scenario 4: Employee Connects from a PC with Google Desktop
      • Scenario 5: Employee Connects from a Mobile Device
  • Managing EPC with Zones and Device Profiles
    • Enabling and Disabling End Point Control
    • Configuring and Using Zones and Device Profiles
      • Viewing Zones
      • Viewing Device Profiles
      • Creating a Device Zone
      • Creating a Deny Zone
      • Creating a Quarantine Zone
      • Verifying the URLs
      • Configuring the Default Zone
      • Defining Device Profiles for a Zone
      • Device Profile Attributes
      • Advanced EPC: Extended Lists of Security Programs
      • Advanced EPC: Using Fallback Detection
      • Advanced EPC: Using Preconfigured Device Profiles
      • Using Comparison Operators with Device Profile Attributes
      • Using End Point Control with the Connect Tunnel Client
      • Performing Recurring EPC Checks: Example
      • Microsoft Intune
        • Configuring Microsoft Intune
        • Configuring Microsoft Intune in AMC
        • Creating Windows Profile with Intune Attributes
        • Creating Mac Profile with Intune Attributes
        • Configuring MSIntune in Client
    • Creating Zones for Special Situations
      • Defining Zones for Non-Standard Browsers
      • Collecting Equipment IDs from Unregistered Devices
      • Creating Device Profiles that Allow Unregistered Devices
      • Disabling Match Profile if User has no Registered Devices in the Device Profile
        • Quarantining Unregistered Devices
        • Locking Out Unregistered Devices
        • Exporting the Unregistered Device Log for External Processing
      • Defining Zones for Special Classes of Users
    • Using End Point Control Agents
      • Using the Virtual Keyboard to Enter Credentials
  • Capture Advanced Threat Protection
    • Enabling Capture ATP
    • File Options
      • Setting the File Types
      • Setting the Maximum File Size
    • Web Services
    • Advanced Settings
• Components
  • The WorkPlace Portal
    • A Quick Tour of WorkPlace
      • Home Page
        • Configurable WorkPlace Elements
        • Built-In WorkPlace Elements
        • WorkPlace Status Bar
      • Intranet Address Field
      • Bookmarks
      • Custom RDP Bookmarks
      • Network Explorer Page
        • The Network Explorer
  • User Access Components and Services
    • About User Access Components and Services
    • User Access Agents
      • Client and Agent Provisioning (Windows)
        • Secure Endpoint Manager
        • Installing Secure Endpoint Manager
        • Enabling Secure Endpoint Manager Software Update Policies
        • Provisioning and Personal Firewalls
        • Client Installation Logs
      • WorkPlace
        • WorkPlace Sites
        • Adding WorkPlace Sites
        • Modifying the Appearance of WorkPlace
        • About Custom WorkPlace Templates
        • How Template Files are Matched
        • Customizing WorkPlace Templates
        • Working with WorkPlace Shortcuts
        • Adding Web Shortcuts
        • Viewing Shortcuts
        • Editing Shortcuts
        • Creating a Group of Shortcuts
        • Adding Network Shortcuts
        • Adding a Virtual Desktop Shortcut
        • Web Shortcut Access
        • Configuring WorkPlace General Settings
        • Web Only Access
        • Citrix Configuration
        • Adding a Text Terminal Shortcut
        • Fully Customizing WorkPlace Pages
        • WorkPlace Style Customization: Manual Edits
        • Network Explorer
      • Tunnel Clients
        • OnDemand Tunnel Agent
        • Connect Tunnel Client
      • Web Access
        • WorkPlace Lite
        • Translated ActiveSync Web Access
        • Custom Port Mapped Web Access
        • Custom FQDN Mapped Web Access
        • Notes for Custom Port Mapped or Custom FQDN Mapped Web Access
        • Configuration Requirements
        • Known Behavior
        • Seamless Editing in SharePoint
        • Enabling Storage of Persistent Session Information
        • Modifying a Zone to Allow Storing of Persistent Session Information
        • Exchange ActiveSync access
        • Enabling Exchange ActiveSync access on the appliance
        • Exchange ActiveSync sessions
        • Notes for Exchange ActiveSync device profiles
        • ActiveSync Resource Configuration with SAN Certificates
        • Outlook Anywhere Web Access
    • Client Installation Packages
      • Downloading the Secure Mobile Access Client Installation Packages
    • Network Tunnel Client Branding
    • The OnDemand Proxy Agent
      • About OnDemand Proxy
        • OnDemand Mapped Mode
        • Activating OnDemand
      • How OnDemand Redirects Network Traffic
        • Overview: Loopback Proxying
        • Hosts File Redirection
      • Configuring OnDemand to Access Specific Applications
        • About Port Mapping
        • Configuring an Application for Use with OnDemand
      • Client Configuration
        • Configuring a Proxy Server in the Web Browser
    • Managing Access Services
      • About Access Services
      • Stopping and Starting the Secure Mobile Access Services
      • Configuring the Network Tunnel Service
      • Configuring IP Address Pools
        • Address Pool Allocation Methods
        • Translated Address Pools (Source NAT)
        • Routed Address Pools (DHCP)
        • RADIUS-Assigned Address Pools
        • Static Address Pools
        • Best Practices for Configuring IP Address Pools
        • Adding Translated IP Address Pools
        • Adding Dynamic IP Address Pools
        • Adding a Dynamic, RADIUS-Assigned IP Address Pools
        • Adding Static IP Address Pools
      • Configuring Web Resource Filtering
      • Secure Network Detection
        • Device VPN
        • Device VPN endpoint enrollment
        • Configuring Local CA in AMC
        • Configuring a PKI Authentication Server for Local CA
        • Creating Device VPN Realms
        • Configuring Device VPN
        • Viewing and Deleting or Revoking Device VPN certificate
      • Configuring Custom Connections
      • Configuring the Web Proxy Service
      • Verifying the Web Proxy Security headers
    • Terminal Server Access
      • Providing Access to Terminal Server Resources
      • Server Farm Resources
        • Adding Citrix Server Farm Resources
        • Adding VMware View Resources
      • Browser-Only Mode for Citrix Access
        • Configuring the Citrix HTML Receiver URL
        • Configuring a Shortcut for Citrix HTML Receiver in Workplace
      • Defining an Access Control Rule and Resource for Terminal Server Access
      • Managing Graphical Terminal Agents
        • Managing the Citrix Agent
        • Managing the VMware View Clients
      • Graphical Terminal Shortcuts
        • Adding Graphical Terminal Shortcuts to Individual Hosts
        • Adding Graphical Terminal Shortcuts to Server Farms
  • Secure Endpoint Manager (SEM)
    • Supported Operating Systems
    • Downloading and Installation
    • Installing Secure Endpoint Manager from Client Installation Package
    • Setting up the Secure Mobile Access Connect Agent
      • Proxy Configuration
      • Logs
      • Exporting logs in SEM
      • Browser Warning
      • End Point Control
      • Personal Device Authorization
• Mobile Connect
  • Using SMA with Mobile Connect
    • About using SMA with Mobile Connect
    • General Limitations
      • Hostname Redirection
      • DNS Routing with Split Tunnel
      • DNS Routing with Redirect-All
      • File Bookmarks
    • Supported EPC Profiles
    • IPV6 Limitations
    • URL Control Caveats
    • Configuring Trusted Network Detection
• Appendix
  • Appliance Command-Line Tools
    • Configuring a New Appliance Using Setup Tool
      • Tips for Working with Setup Tool
      • Using Setup Tool
    • Saving and Restoring Configuration Data
      • Saving Configuration Data
  • Troubleshooting
    • About Troubleshooting
    • General Networking Issues
    • Verify a Downloaded Upgrade File
    • AMC Issues
    • Authentication Issues
    • Using Personal Firewalls with Agents
    • Secure Mobile Access Services Issues
      • Web Proxy Service Issues
      • Tunnel Issues
        • Installation
        • Connectivity
    • Client Troubleshooting
      • Windows Client Troubleshooting
        • Resetting Browser
        • Clear Cookies and Cache
        • Reset Security Zones to Defaults
        • Reset Advanced Settings to Defaults
        • Reset Privacy Settings to Defaults
        • Uninstalling Secure Mobile Access Components
        • Logging Back In to WorkPlace
      • MacOS and Linux Tunnel Client Troubleshooting
        • MacOS System and Application Information
        • Linux System and Application Information
    • Troubleshooting Tools in AMC
      • Using DNS Lookup
      • Viewing the Current Routing Table
      • Capturing Network Traffic
      • Logging Tools for Network Tunnel Clients
      • Using CEM Extensions
        • CEM Advanced Features
      • Ping Command
      • Traceroute Command
      • Snapshot Tool
      • Host Connectivity Testing
  • Best Practices for Securing the Appliance
    • Network Configuration
      • Configure the Appliance to Use Dual Interfaces
      • Configure the Appliance to Use Dual Network Gateways
      • Protect both Appliance Interfaces with Firewalls
      • Enable Strict IP Address Restrictions for the SSH Service
      • Enable Strict IP Address Restrictions for the SNMP Service
      • Use a Secure Passphrase for the SNMP Community String
      • Disable or Suppress ICMP Traffic
      • Use an NTP Server
      • Protect the Server Certificate that the Appliance is Configured to Use
    • Appliance Configuration
      • Keep the software image on the appliance updated
      • Make regular configuration backups
    • Appliance Sessions
    • Administrator Accounts
      • Use a Strong Password
      • Change the AMC Administrator Password
      • Change Administrator Passwords often and don’t Share Them
      • Limit the Number of Administrative Accounts and Assign Administrative Privileges only to Trusted Individuals
    • Access Policy
      • Follow the Principle of “Least Privilege”
      • Pay Close Attention to Rule Order
      • Put your Most Specific Rules at the Top of the List
      • Carefully Audit Rules Containing “Any”
    • Set Up Zones of Trust
    • Setting security level
    • Client Access
      • Change Timeout Settings
      • Deploy End Point Control Components
      • Use Chained Authentication
      • Use Strong Two-Factor Authentication Mechanisms, such as TOTP
  • Configuring the SAML Identity Provider Service
    • Prerequisites
    • Enabling the SAML Identity Provider Service
    • Configuring the SAML Application
    • Downloading certificate from service provider
    • Adding SAML Applications as SAML Resources
    • Downloading metadata from SAML service provider
    • Importing metadata in AMC
  • Configuring External SAML Identity Providers
    • Downloading a Certificate
    • Configuring SAML Authentication Servers
      • Azure Active Directory
        • Configuring Azure Active Directory as an SMA Authentication Server
        • Adding the SMA Application to Azure Active Directory
        • Configuring Azure Active Directory as an SAML Identity provider
        • Assigning Users and Groups to the SMA Application
        • Sending User Groups to SMA
      • Integrating SMA with Duo SSO Server using SAML
      • Integrating with Duo Access Gateway Serverusing SAML
      • One Identity Cloud Access Manager
        • Configuring One Identity CAM as an SMA Authentication Server
        • Adding the SMA Application to One Identity Cloud Access Manager
      • OneLogin
        • Configuring OneLogin as an SMA Authentication Server
        • Adding the SMA Application to OneLogin
      • Ping Identity PingOne
        • Configuring Ping Identity PingOne as an SMA Authentication Server
        • Adding the SMA Application to Ping Identity PingOne
      • Salesforce
        • Configuring Salesforce as an SMA Authentication Server
        • Adding the SMA Application to Salesforce
  • Log File Output Formats
    • About Log Files
    • File Locations
    • System Message Log
      • Access Policy Decisions
      • Viewing Client Certificate Errors in the Log
      • End Point Control Interrogation
      • Unregistered Device Log Messages
    • Network Tunnel Audit Log
      • Auditing Connection Status Messages
    • Web Proxy Audit Log
    • Management Console Audit Log
    • WorkPlace Logs
      • WorkPlace Shortcut Examples
  • Internationalization Support
    • Support for Native Character Sets
    • RADIUS Policy Server Character Sets
      • Selected RADIUS Character Sets
      • Other Supported RADIUS Character Sets
• SonicWall Support
  • About This Document

Adding Resources

Creating application resources—Web, client/server, and file share resources—is the first step in forming access policies for your users.

To add a resource

1. In the AMC, navigate to Security Administration > Resources.

2. Click the + (New) icon and then choose a resource type from the drop-down menu:

   

3. The Add Resource page is displayed.

   The options you see on the Add Resource page depend on the resource type you selected.

   

   The options shown in the below table are shared across the specified resource types:

   Shared options

   Option	Description	Resource type
   Name	Resource name	All
   Description	Resource description	All
   This destination is on the external network.	Select this option if this resource is on an external network.
   Variable	Select a variable from the menu to define dynamic resources; see Using Variables in Resource and WorkPlace Shortcut Definitions.	Citrix server farm Domain Host name or IP Matching URL Network share URL
   Create shortcut in WorkPlace	Add a shortcut to a Web resource in WorkPlace. The name you assign to the resource will appear in the list of Shortcuts on the Secure Mobile Access WorkPlace page. You can add the shortcut to a new or existing shortcut group in order to keep shortcuts with similar usage requirements together on the WorkPlace portal page.	Domain Network share URL
   Web application profile (Web proxy options or Advanced area)	This list contains preconfigured Web profiles that are recommended for several popular Web applications, custom Web profiles, and a default Web profile. If you are unsure about which profile to select, choose Default. To see a profile, click View selected profile. Also see Adding Web Application Profiles.	Domain Host name or IP IP range Matching URL Subnet URL

   The options shown in the below table are unique to the URL resource type:

   URL resource type unique options

   Option	Description
   URL	If you do not enter a protocol identifier, AMC automatically inserts http://before the URL. If this is a URL for a secure site, you must include the https://protocol identifier. For example, type https://example.domain.com.
   Alias name (Web proxy)	Specify a public alias to represent a private URL. The alias name is visible to users— make it short and descriptive so that it is easy to remember. You should specify an Alias name if: You want to obscure the internal host name for this resource. The URL resource is not contained within a search domain configured for Name resolution on the Network Settings page. You normally redirect traffic through a network agent, but in this case you want to force the resource to be proxied using translated Web access. See Adding Web Shortcuts for more information. The private URL that you are representing with the alias must point to a directory on the back-end server, not a particular file. Use ASCII characters when specifying an alias. Users who connect to WorkPlace using translated Web access will see an error message if non-ASCII characters are used. Creating an alias works only for URLs (addresses with an http or https prefix); you cannot specify an alias for a UNC path or FTP resource (ftp://), for example. Also see Example: Specifying a URL Alias for a detailed description of how an alias is used.
   Port (Web proxy)	The Port option is available when you select Access this resource on a custom port under Custom access. Enter the custom port number. The resource becomes available at that port on each WorkPlace site. The port must be open on any firewalls and must not be already in use on the external side of the appliance. Actual delivery of Web content depends on policy checks in accordance with normal appliance operation.
   Custom FQDN (Web proxy)	The Custom FQDN option is available when you select Access this resource using a custom FQDN under Custom access. Type the Custom FQDN name (such as custom.mydomain.com) to be hosted by an externally accessible Web server on the appliance. By default, AMC listens on all interfaces for all services and connects the request to the correct service based on the FQDN being requested. The host name cannot be relative to any WorkPlace site. A maximum of 32 IPv4 or IPv6 addresses for externally defined host names are allowed between independently hosted Web application names and WorkPlace sites, supporting up to 64 total host names. Custom FQDN mapped Web access provides Single Sign-on support. If the host name or IP address on the certificate does not match the Custom FQDN or IP address that you specified for this site, a security warning is displayed when users access the site. Custom FQDNs are handled similar to configuring a WorkPlace site, as explained in Adding WorkPlace Sites.
   Synonyms (Web proxy)	Define alternative names for the URL resource name. This is convenient for users if they access the server using a different name (perhaps an unqualified or condensed name), or if a Web page contains links pointing to a DNS alias and the name is not properly translated by the Web proxy service. Separate multiple synonyms with semicolons. The appliance automatically defines a shortened name for the resource as a synonym. For example, if the URL is http://mail.example.com, the appliance adds the synonym mail. This synonym does not, however, appear in the Synonyms field. When Translate this resource is selected and you specify Synonyms, there must be something in the Alias name field. For the other Custom access options, the Synonymsfield is independent of other fields.
   Provide Exchange ActiveSync and Outlook Anywhere access to this resource (Exchange Server)	Select this check box to allow Exchange ActiveSync and Outlook Anywhere access to this resource. For more information, see Exchange ActiveSync access. For an example use case, see Example: Supporting Exchange on iPhones. For Outlook Anywhere, see Configuring SMA Support for Microsoft Outlook Anywhere.
   Exchange server FQDN (Exchange Server)	Type the Exchange server FQDN (IPv4 or IPv6) name (such as custom.mydomain.com) to be hosted by an externally accessible Web server on the appliance.
   Realm (Exchange Server)	Select the realm from the drop-down list. ActiveSync access requires the use of a realm that uses a single Active Directory authentication server. The realm must be already configured.
   Fallback Exchange server URL (Exchange Server)	Enter the URL for the Exchange Server you want to use as the fallback server.

   The options shown in the below table are unique to the Matching URL resource type.

   Matching URL resource type unique options

   Option	Description
   URL	If you do not enter a protocol identifier, AMC automatically inserts http://before the URL. If this is a URL for a secure site, you must include the https://protocol identifier. For example, type https://example.domain.com. The wildcard characters “*” and “?” can be used within address segments (between periods) of a Matching URL resource. Do not use the “?” character after the domain name—it indicates a URL query string. Use wildcard characters in the following situations: Type www.yourcompany*.com to reference several domains that begin with yourcompany and end with.com, or type www.yourcompany.* to reference both http://www.yourcompany.com and http://www.yourcompany.de. Create an entry, such as mail*.yourcompany.com, that gives the user access to anything in the yourcompany domain that begins with mail. This example provides access to mail.yourcompany.com and mail2.yourcompany.com, but not to mail3.wemmet.yourcompany.com. The URL is not case-sensitive. Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.
   Path and query string matching	These options allow you to block email attachments, or prevent a Web-based application from displaying restricted data by matching a path element or query string value to a particular URL. SeeExample: Blocking Email Attachments and Example: Restricting Access to Sensitive Data for more information. The Query string value is case-sensitive, while the Path element is not.

   The options shown in the below table are unique to the Host name or IP resource type:

   Host name or IP resource type unique options

   Option

   Description

   Host name or IP

   A host can include any computer on your network; for example, bart.private.example.com or 192.0.34.72. When you specify a host name, the wildcard characters “*” and “?” can be used within an address segment (between periods). For example, the entry mail*.yourcompany.com gives the user access to anything in the yourcompany domain that begins with mail (for example, (mail.yourcompany.com and mail2.yourcompany.com), but not to mail3.wemmet.yourcompany.com. The host name is not case-sensitive. Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

   The option shown in the below table is unique to the Network share resource type:

   Network share resource type unique options

   Option	Description
   Network share	Type a UNC path. This can be an entire server (for example, \\ginkgo), a shared folder (\\john\public), or a network folder (\\ginkgo\news).

   The option shown in the below table is unique to the IP range resource type:

   IP range resource type unique options

   Option	Description
   IP range	An IP range typically identifies a partial range of computers within a subnet; for example, 192.0.34.72-192.0.34.74.

   The options shown in the below table is unique to the Subnet resource type:

   Subnet resource type unique options

   Option	Description
   Subnet IP	A subnet is a portion of a network that shares a common address component. For example, 192.26.34.0.
   Subnet mask	For example, 255.255.255.0.

   The options shown in the below table are unique to the Domain resource type:

   Domain resource type unique options

   Option	Description
   Domain	A domain encompasses one or more hosts. If the Windows domain check box is cleared, the domain name must be in DNS syntax. For example, sampledomain.com.
   Windows domain	To define an entire Windows domain, select the Windows domain check box, and then type the name of the Domain in either NetBIOS or DNS syntax (such as example or example.com). Defining a domain gives authorized users access to all the network file resources within the domain.

   The option shown in the below table is unique to the Server farm resource type:

   Server farm resource type unique option

   Option	Description
   Server farm list	Specify the Host name or IP address and service Port of up to six Citrix servers running the XML service or VMware servers running the XML service or VMware servers running the broker service. For more information, see Adding Citrix Server Farm Resources or Adding VMware View Resources.

4. After you’ve finished defining a resource, click Save.