Secure Mobile Access 12.4 Administration Guide
Configuring Tunnel Client Settings
Connect Tunnel is a client application that is installed on a user’s device, and OnDemand Tunnel is the same Connect Tunnel client, activated each time a user logs in to WorkPlace from a supported device.
This section describes how to configure settings for the tunnel clients. For a more detailed description of these settings, see Network Tunnel Client Configuration.
To configure tunnel client or agent settings:
- In the AMC, navigate to User Access > Realms, click the link for the community you want to configure, and then select the Tunnel Access tab. The Tunnel Access page displays.
- By default, any configured IP address pool is available to the selected community. To select specific IP address pools, click Edit in the IP address pools area and then select from the list of configured pools.
- Select the Redirection mode used to route client traffic to the appliance. The network tunnel service supports two redirection modes. For a more detailed description of the supported redirection modes, see Redirection Modes.
- Split Tunnel (less secure): Traffic bound for resources defined in AMC is redirected through the tunnel, and all other traffic is routed as normal.
- Enable the Use tunnel as primary network (Mobile Connect only) checkbox if you want the appliance to resolve all DNS queries.
- Redirect All (more secure): Traffic is redirected through the tunnel regardless of how resources are defined in AMC.
- You can override the behavior of Split Tunnel or Redirect All by specifying exclusions that will be used by this community. In the Community Exclusions field, enter the host names, IP addresses, subnets, and IP ranges that you want to exclude from being redirected through the appliance. Wildcard characters (* and ?) are permitted.
Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.
For example, if you have three public web servers (www.YourCompany.com, www2.YourCompany.com, and www3.YourCompany.com), you can let the network traffic associated with them bypass the appliance, which improves performance. Add all three public sites to the exclusions by using a wildcard character: www?.YourCompany.com. Resources in this list can also contain variables; see Using Variables in Resource and WorkPlace Shortcut Definitions for more information.
When a prior version of SMA that contains a Resource Exclusion List is migrated to 12.4.1:
- All entries in the Resource Exclusion List migrate to a single exclusion named Split Tunnel.
- All Split Tunnel communities use this exclusion named Split Tunnel.
- For Redirect All communities, exclusions are not migrated, which may affect browser-only sessions.
Enable the Exclude local network traffic by default checkbox if you want to allow users to access local printers and file shares. If corporate resources use the same address space as the local network, they will not be accessible.
Enable Allow users to exclude or include local network traffic if you want to allow users to choose a local/remote network preference and add custom exclusions. This is recommended for advanced users only.
- Click to expand the Tunnel Client Options section, scroll down to the Cached Credentials section, and select one of these options:
- Always (if available): Always use cached credentials.
- At user's discretion: The user chooses no caching, biometric unlock required, or auto login from cache.
- Only with biometric verification: Only use credential caching when biometric verification is supported and enabled. Cached credentials are only used after biometric identification verification.
- Username only: Use the cached username.
- Disabled: Disable cached credentials in the Connect Tunnel client.
On a Windows system, Connect Tunnel uses cached system credentials. On other systems, Connect Tunnel remembers the entered credentials and uses them on subsequent connection attempts.
- Use one of the Software updates options to alert users when client updates are available or to update their software automatically. This setting is available only when the network tunnel client is configured to provision the client from Secure Mobile Access WorkPlace:
- Manual: The user must start updates manually.
- At user's discretion: Allows users to decide when to install software updates. The update can be deferred indefinitely; however, the user will see the software-update alert when he or she starts the tunnel client (once per day) until the update is installed.
- Required: The user must accept updates in order to access VPN resources through the tunnel client.
- Forced: Updates are required in order to connect. The update program starts, and a progress bar is visible during installation, but the user is not prompted during the process.
- To automatically establish a tunnel connection when a user attempts to log in from an unsecure location, select the Enable secure network detection checkbox in the Secure Network Detection section. For more information, see Secure Network Detection.
- By default, the client is configured to access the realm and appliance name from which the client was downloaded. However, you can override this default behavior and configure the client to access a different realm or appliance. In the Custom connection area, select the Configure client with custom realm and appliance FQDN checkbox, and then specify these options as needed:
- From the Realm name list, click the name of the default realm.
- In the Appliance FQDN field, type the fully qualified domain name of the default appliance.
- By default, once a tunnel client session has been established, the appliance limits its duration to the time specified by Credential lifetime. This default is set by Session Termination > Limit session length to credential lifetime, which requires users to re-authenticate once the amount of time specified by Credential lifetime (on the Configure General Appliance Options page) has passed. When this option is selected, users are notified when a session is nearing the inactivity threshold and can avert the disconnect by performing any mouse or keyboard activity.
If you need a TCP connection or consistent UDP traffic flow between the same two address/port tuples to live longer than eight hours, you must put the user in a community that has this option unchecked. Even with the Limit session length to credential lifetime checkbox unchecked, users cannot authorize new flows within the tunnel after their credentials expire.
- Scroll down to the Always on VPN section and select the Enable Always On VPN checkbox. Selecting Enable Always On VPN establishes a VPN connection between the user's device and the appliance whenever the device has a network connection to the internet. You can select the following checkboxes (see also Device VPN endpoint enrollment):
- Allow user to disconnect: Allows users to unlock the Connect Tunnel client, disconnect the VPN connection, and modify the Always-on profile.
- Restrict network access when VPN is not Connected: Restricts users' network access until the VPN is completely connected.
Always On VPN is only supported for Connect Tunnel for Windows in SMA 12.4.
- If you enabled Redirect All in the Redirection mode area, you can configure Internet traffic to be sent through an internal proxy server when the VPN connection is active. In the Proxy options area, select the Redirect Internet traffic through internal proxy server checkbox, and then select one of the proxy server options.
To specify a proxy auto-configuration (.pac) file, click Proxy auto-configuration file and then type the URL of the .pac file, preceded by the http:// protocol identifier. The .pac file configures the user’s Web browser to load its proxy configuration settings from a JavaScript file rather than from information that you manually specify; the JavaScript file specifies which proxy servers can be used and can redirect specific URLs to specific proxy servers. For information about formatting .pac files, see http://en.wikipedia.org/wiki/Proxy_auto-config.
To manually specify a proxy server, click Proxy server and then type the server’s host name and port number in host:port format (for example, myhost:80). Optionally, in the Exclusion list field, you can type the host names, IP addresses, or domain names of any resources that you do not want redirected through the proxy server. When defining these resources, wildcards are valid, and multiple entries must be separated by semicolons.
- To launch an executable file or script after the connection has been established:
- Click to expand the Post-connection scripts area.
- Select the Run a post-connection script checkbox that corresponds to your operating system.
- Specify your settings. For more information, see Post-Connection Scripting.
- In the Run this file field, type the path and name for the script file. For example: %Program Files%\ACME\remote_access.bat
- In the Command line arguments field, type any command-line arguments that you want to pass when running the script. For example: -user=%USERNAME% -system=%OS%
- In the Working directory field, type the directory in which the script will be executed. When defining the working directory, you can specify environment variables formatted as %VariableName%, where VariableName represents the actual environment variable name. For example: %USERPROFILE%\ACME
The post-connection script file must be in a location on the client computer that the user can access and where that user can execute files.
- In the Advanced area, Enable ESP encapsulation of tunnel network traffic is selected by default for all tunnel traffic. ESP (Encapsulating Security Payload) is a way to encapsulate and decapsulate packets inside of UDP packets for traversing Network Address Translators (NATs). Using it can improve the performance of applications, especially UDP-streaming applications like VoIP.
For an ESP tunnel to function, UDP port 4500 needs to be open in the firewall for traffic to and from the SMA appliance external IP and Virtual IP addresses.
When ESP is enabled, the tunnel client tries to bring up an ESP tunnel, but falls back to a legacy SSL tunnel if there is a problem establishing the ESP tunnel. The typical reason for this failure is that UDP port 4500 is not open in the network firewall.
If you do not want to use ESP, because you do not want to open UDP port 4500 in your firewall or for any other reason, clear the Enable ESP encapsulation of tunnel network traffic checkbox. To disable the default use of ESP in a community, clear the checkbox on Realms > [your tunnel realm] > Communities > [your tunnel community] > Access Methods > Tunnel Access > Advanced.
- Click OK.
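The proxy auto-configuration file referenced in the Proxy options step above, as an added example that is not code from the SonicWall guide or product: it sends Internet traffic through the guide's example proxy myhost:80 while the VPN is active and lets hosts on a semicolon-separated, wildcard exclusion list (the same conventions as the Exclusion list and Community Exclusions fields) go DIRECT. The exclusion entries are constructed, and the wildcard matcher is defined locally instead of relying on the browser-provided shExpMatch(), so the file also runs under Node for testing.

```javascript
// Added example .pac file (not from the SonicWall guide): routes Internet traffic
// through the internal proxy "myhost:80" (the guide's example host:port) while the
// VPN is up, except for hosts on the exclusion list, which go DIRECT.
//
// The exclusion list follows the guide's Exclusion list field conventions:
// entries separated by semicolons; wildcards * and ? are valid. The entries
// below are constructed for illustration.
var EXCLUSIONS = "www?.YourCompany.com; *.intranet.YourCompany.com; 10.1.2.3; localhost";

// Return only the proxy, with no trailing "; DIRECT" fallback, so the browser
// fails closed instead of bypassing the proxy if the proxy is unreachable.
var PROXY = "PROXY myhost:80";

// Convert one wildcard entry to an anchored, case-insensitive RegExp.
// Here "*" matches any run of characters and "?" exactly one, as in shell globbing.
// Browsers provide shExpMatch() for this, but a local helper keeps the file
// self-contained so it can be exercised outside a browser.
function wildcardToRegExp(pattern) {
  var escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, except * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i");
}

// True when host lies beneath domain, i.e. ends with "." + domain (case-insensitive).
function isSubdomainOf(host, domain) {
  var suffix = "." + domain.toLowerCase();
  var h = host.toLowerCase();
  return h.length > suffix.length && h.indexOf(suffix, h.length - suffix.length) !== -1;
}

// True when host matches any exclusion entry. A plain entry (no wildcard) matches
// the host itself and, for domain names, any host beneath it.
function isExcluded(host, exclusions) {
  var entries = exclusions.split(";");
  for (var i = 0; i < entries.length; i++) {
    var entry = entries[i].replace(/^\s+|\s+$/g, "");
    if (entry === "") continue;
    if (wildcardToRegExp(entry).test(host)) return true;
    var hasWildcard = entry.indexOf("*") !== -1 || entry.indexOf("?") !== -1;
    if (!hasWildcard && isSubdomainOf(host, entry)) return true;
  }
  return false;
}

// Entry point the browser calls for every URL while this proxy configuration is active.
function FindProxyForURL(url, host) {
  return isExcluded(host, EXCLUSIONS) ? "DIRECT" : PROXY;
}
```

Because this is a plain JavaScript file, the same matching rules can be checked offline before the file is published at the URL that tunnel users must be able to reach.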
- If users are running OnDemand Tunnel in “redirect all” mode, connections to translated Web resources fail with Page cannot be displayed errors. To work around this issue, add an A (Address) record to the internal DNS servers to assign the appliance VIP or external IP to the appliance FQDN.
- When At user’s discretion is enabled for Client software updates in the Software updates area, the user sees an upgrade notification, and the Connect Tunnel client caches the user’s response for 24 hours. If the setting is then changed to Required or Forced, a user who opted to delay updating may not be prompted again until the following day because the earlier response is still cached.
- If you plan to run a VB script after a connection has been established, you cannot simply enter the path and name of the .vbs script file; you must use the Windows Script Host utility to invoke it. To work around this, configure the post-connection options as follows:
- Run this file: <drive>:\windows\system32\cscript.exe
- Command line arguments: <Path to script>. For example: c:\path\to\script.vbs or \\path\to\script.vbs
- Leave Working directory empty.
- When you specify a .pac file location, be certain that your tunnel users have access to it. You can do this by defining a resource and creating an access rule. See Creating and Managing Resource Groups and Configuring Access Control Rules.