Secure Mobile Access 12.4 Administration Guide

Table of Contents

Adding Resources

Creating application resources—Web, client/server, and file share resources—is the first step in forming access policies for your users.

To add a resource

  1. In the AMC, navigate to Security Administration > Resources.

  2. Click the + (New) icon and then choose a resource type from the drop-down menu:

  3. The Add Resource page is displayed.

    The options you see on the Add Resource page depend on the resource type you selected.

    The options shown in the below table are shared across the specified resource types:

    Shared options
    Option Description Resource type
    Name Resource name All
    Description Resource description All
    This destination is on the external network. Select this option if this resource is on an external network.  
    Variable

    Select a variable from the menu to define dynamic resources; see Using Variables in Resource and WorkPlace Shortcut Definitions.

    • Citrix server farm

    • Domain

    • Host name or IP

    • Matching URL

    • Network share

    • URL
    Create shortcut in WorkPlace Add a shortcut to a Web resource in WorkPlace. The name you assign to the resource will appear in the list of Shortcuts on the Secure Mobile Access WorkPlace page. You can add the shortcut to a new or existing shortcut group in order to keep shortcuts with similar usage requirements together on the WorkPlace portal page.

    • Domain

    • Network share

    • URL
    Web application profile (Web proxy options or Advanced area) This list contains preconfigured Web profiles that are recommended for several popular Web applications, custom Web profiles, and a default Web profile. If you are unsure about which profile to select, choose Default. To see a profile, click View selected profile. Also see Adding Web Application Profiles.

    • Domain

    • Host name or IP

    • IP range

    • Matching URL

    • Subnet

    • URL

    The options shown in the below table are unique to the URL resource type:

    URL resource type unique options
    Option Description
    URL If you do not enter a protocol identifier, AMC automatically inserts http://before the URL. If this is a URL for a secure site, you must include the https://protocol identifier. For example, type https://example.domain.com.
    Alias name (Web proxy)

    Specify a public alias to represent a private URL. The alias name is visible to users— make it short and descriptive so that it is easy to remember. You should specify an Alias name if:

    • You want to obscure the internal host name for this resource.

    • The URL resource is not contained within a search domain configured for Name resolution on the Network Settings page.

    • You normally redirect traffic through a network agent, but in this case you want to force the resource to be proxied using translated Web access. See Adding Web Shortcuts for more information.

     

    • The private URL that you are representing with the alias must point to a directory on the back-end server, not a particular file.

    • Use ASCII characters when specifying an alias. Users who connect to WorkPlace using translated Web access will see an error message if non-ASCII characters are used.

    • Creating an alias works only for URLs (addresses with an http or https prefix); you cannot specify an alias for a UNC path or FTP resource (ftp://), for example.

    Also see Example: Specifying a URL Alias for a detailed description of how an alias is used.
    Port (Web proxy) The Port option is available when you select Access this resource on a custom port under Custom access. Enter the custom port number. The resource becomes available at that port on each WorkPlace site. The port must be open on any firewalls and must not be already in use on the external side of the appliance. Actual delivery of Web content depends on policy checks in accordance with normal appliance operation.
    Custom FQDN (Web proxy)

    The Custom FQDN option is available when you select Access this resource using a custom FQDN under Custom access. Type the Custom FQDN name (such as custom.mydomain.com) to be hosted by an externally accessible Web server on the appliance.

    By default, AMC listens on all interfaces for all services and connects the request to the correct service based on the FQDN being requested. The host name cannot be relative to any WorkPlace site. A maximum of 32 IPv4 or IPv6 addresses for externally defined host names are allowed between independently hosted Web application names and WorkPlace sites, supporting up to 64 total host names.

    Custom FQDN mapped Web access provides Single Sign-on support. If the host name or IP address on the certificate does not match the Custom FQDN or IP address that you specified for this site, a security warning is displayed when users access the site. Custom FQDNs are handled similar to configuring a WorkPlace site, as explained in Adding WorkPlace Sites.
    Synonyms (Web proxy)

    Define alternative names for the URL resource name. This is convenient for users if they access the server using a different name (perhaps an unqualified or condensed name), or if a Web page contains links pointing to a DNS alias and the name is not properly translated by the Web proxy service. Separate multiple synonyms with semicolons.

    The appliance automatically defines a shortened name for the resource as a synonym. For example, if the URL is http://mail.example.com, the appliance adds the synonym mail. This synonym does not, however, appear in the Synonyms field.

    When Translate this resource is selected and you specify Synonyms, there must be something in the Alias name field. For the other Custom access options, the Synonymsfield is independent of other fields.
    Provide Exchange ActiveSync and Outlook Anywhere access to this resource (Exchange Server)

    Select this check box to allow Exchange ActiveSync and Outlook Anywhere access to this resource. For more information, see Exchange ActiveSync access. For an example use case, see Example: Supporting Exchange on iPhones.

    For Outlook Anywhere, see Configuring SMA Support for Microsoft Outlook Anywhere.
    Exchange server FQDN (Exchange Server) Type the Exchange server FQDN (IPv4 or IPv6) name (such as custom.mydomain.com) to be hosted by an externally accessible Web server on the appliance.
    Realm (Exchange Server) Select the realm from the drop-down list. ActiveSync access requires the use of a realm that uses a single Active Directory authentication server. The realm must be already configured.
    Fallback Exchange server URL (Exchange Server) Enter the URL for the Exchange Server you want to use as the fallback server.

    The options shown in the below table are unique to the Matching URL resource type.

    Matching URL resource type unique options
    Option Description
    URL

    If you do not enter a protocol identifier, AMC automatically inserts http://before the URL. If this is a URL for a secure site, you must include the https://protocol identifier. For example, type https://example.domain.com.

    The wildcard characters “*” and “?” can be used within address segments (between periods) of a Matching URL resource. Do not use the “?” character after the domain name—it indicates a URL query string.

    Use wildcard characters in the following situations:

    • Type www.yourcompany*.com to reference several domains that begin with yourcompany and end with.com, or type www.yourcompany.* to reference both http://www.yourcompany.com and http://www.yourcompany.de.
    • Create an entry, such as mail*.yourcompany.com, that gives the user access to anything in the yourcompany domain that begins with mail. This example provides access to mail.yourcompany.com and mail2.yourcompany.com, but not to mail3.wemmet.yourcompany.com.

    The URL is not case-sensitive.

    Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.
    Path and query string matching

    These options allow you to block email attachments, or prevent a Web-based application from displaying restricted data by matching a path element or query string value to a particular URL. SeeExample: Blocking Email Attachments and Example: Restricting Access to Sensitive Data for more information.

    The Query string value is case-sensitive, while the Path element is not.

    The options shown in the below table are unique to the Host name or IP resource type:

    Host name or IP resource type unique options
    Option Description
    Host name or IP

    A host can include any computer on your network; for example, bart.private.example.com or 192.0.34.72.

    When you specify a host name, the wildcard characters “*” and “?” can be used within an address segment (between periods). For example, the entry mail*.yourcompany.com gives the user access to anything in the yourcompany domain that begins with mail (for example, (mail.yourcompany.com and mail2.yourcompany.com), but not to mail3.wemmet.yourcompany.com. The host name is not case-sensitive.

    Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

    The option shown in the below table is unique to the Network share resource type:

    Network share resource type unique options
    Option Description
    Network share Type a UNC path. This can be an entire server (for example, \\ginkgo), a shared folder (\\john\public), or a network folder (\\ginkgo\news).

    The option shown in the below table is unique to the IP range resource type:

    IP range resource type unique options
    Option Description
    IP range An IP range typically identifies a partial range of computers within a subnet; for example, 192.0.34.72-192.0.34.74.

    The options shown in the below table is unique to the Subnet resource type:

    Subnet resource type unique options
    Option Description
    Subnet IP A subnet is a portion of a network that shares a common address component. For example, 192.26.34.0.
    Subnet mask For example, 255.255.255.0.

    The options shown in the below table are unique to the Domain resource type:

    Domain resource type unique options
    Option Description
    Domain

    A domain encompasses one or more hosts.

    If the Windows domain check box is cleared, the domain name must be in DNS syntax. For example, sampledomain.com.
    Windows domain To define an entire Windows domain, select the Windows domain check box, and then type the name of the Domain in either NetBIOS or DNS syntax (such as example or example.com). Defining a domain gives authorized users access to all the network file resources within the domain.

    The option shown in the below table is unique to the Server farm resource type:

    Server farm resource type unique option
    Option Description
    Server farm list Specify the Host name or IP address and service Port of up to six Citrix servers running the XML service or VMware servers running the XML service or VMware servers running the broker service. For more information, see Adding Citrix Server Farm Resources or Adding VMware View Resources.

  4. After you’ve finished defining a resource, click Save.