• Secure Mobile Access 12.4.3
• Introduction
  • About Secure Mobile Access
    • Secure Mobile Access on SMA Appliances
    • About SMA Documentation
      • Document Conventions
    • What’s New in This Release
      • Cisco Duo Security Multi-factor Authentication Server
      • RSA SecurID Authentication Manager
      • Dynamic Form SSO Improvements
      • Exclusions
      • Supportability Enhancements
        • Always On VPN Enhancements
        • Device VPN Enhancements
        • Configuring Cached Credentials
        • Configuring Global Overrides in AMC
        • Downloading the SMA1000 Client Installation Packages
        • Managing Administrator Account Settings
        • Configuring Access Request Logging
        • Configuring Shell Access
        • Copying Resources Groups
    • Discontinued Features
    • Deprecated Features
    • Features of Your SMA Appliance
      • SonicWall SMA Appliance Models
      • Administrator Components for Managing Appliances and Services
      • User Access Components
        • WorkPlace
          • WorkPlace Lite
          • WorkPlace Enhancements
        • Connect and OnDemand Tunnel Clients
        • Mobile Connect Clients
        • End Point Control (EPC)
    • Related Documentation
    • System Requirements
      • Client Components
        • WorkPlace Lite Access
        • Web-Based Clients
          • Web Application Services
        • Tunnel Clients
        • Proxy Clients
        • End Point Control
      • Server Components
        • System Administration
        • Authentication Servers
        • ActiveSync Clients
        • ActiveSync Servers
        • Outlook Anywhere
        • Citrix Server Farms
        • Server Farms
        • Graphical Terminal agents
        • SMA 8200v and CMS Platforms
        • API Support
      • Capacity Report
• Installation
  • Installation and Initial Setup
    • Network Architecture
    • Preparing for the Installation
      • Gathering Information
      • Verifying Your Firewall Policies
        • External Firewall
        • Internal Firewall
    • Installation and Deployment Process
      • Specifications and Rack Installation
      • Front Panel Controls and Indicators
        • SMA 6200/6210/7200/7210 Front Panels
        • LCD Controls for the SMA 7200,7210 and SMA 6200,6210
      • Connecting the Appliance
        • Connecting the SMA 6200,6210 or SMA 7200,7210 Appliance
      • Powering Up and Configuring Basic Network Settings
        • Configuring Basic Network Settings
          • Configuring Basic Network Settings Using the X0 Interface
          • Configuring Basic Network Settings using the LCD Controls
          • Configuring an Appliance Using Setup Tool on the Command Line
      • Web-Based Configuration Using Setup Wizard
      • Configuring the Appliance Using the Management Console
      • Moving the Appliance into Production
      • Powering Down and Restarting the Appliance
    • Next Steps
• Management
  • Working with Appliance Management Console
    • Logging In to AMC
    • Logging Out
    • AMC Basics
      • A Quick Tour of the AMC Interface
        • Summary Pages
        • Tables and Tabs
        • Filters
        • Page Links
        • Editing an Object
        • Changing the Page View
        • Expanded View of List Details
        • Required Fields and Errors
        • Assigning Names and Descriptions
        • Saving Changes on a Page
        • AMC Status Area
        • Version Number and Product Serial Number
      • Adding, Editing, Copying, and Deleting Objects in AMC
      • Getting Help
    • Administrator Accounts
      • Managing Administrator Accounts and Roles
        • Adding Administrator Accounts
        • Editing Administrator Accounts
        • Editing Administrator Roles
        • Defining Administrator Roles
        • API Keys for Management API Access
          • Adding API Keys
          • Modifying API key
          • Regenerating API key value
          • Deleting API key
          • Usage of API Keys to access Management API
      • Managing Administrator Account Settings
        • Adding Authentication Server
        • Configuring Password Policy
        • Configuring Account Lockout
        • Configuring Session Timeout
        • Configuring Concurrent Sessions
      • Avoiding Configuration Conflicts with Multiple Administrators
    • Managing Multiple Secure Mobile Access Appliances
      • Central Management Server (CMS)
    • Working with Configuration Data
      • Saving Configuration Changes
      • Applying Configuration Changes
      • Discarding Pending Configuration Changes
      • Scheduling Pending Changes
    • Deleting Referenced Objects
  • User Management
    • Users, Groups, Communities, and Realms
      • Users and groups
      • Communities
      • Realms
    • Using Realms and Communities
      • Viewing Realms
      • Default, Visible, and Hidden Realms
      • Specifying the Default Realm
      • Enabling and Disabling Realms
      • Best Practices for Defining Realms
    • Configuring Realms and Communities
      • Creating Realms
      • Adding Communities to a Realm
      • Creating and Configuring Communities
        • Assigning Members to a Community
        • Selecting Tunnel Access Methods for a Community
        • Selecting Browser Access Methods for a Community
        • Using End Point Control Restrictions in a Community
        • Configuring the Appearance of WorkPlace
        • WorkPlace and Small Form Factor Devices
        • About WorkPlace and Small Form Factor Devices
        • Optimizing WorkPlace for Display on Small Form Factor Devices
        • Creating or Editing a WorkPlace Style
        • Creating or Editing a WorkPlace Layout
      • Network Tunnel Client Configuration
        • IP Address Allocation
        • Session Persistence
        • Redirection Modes
          • Split Tunnel
          • Redirect All
        • Exclusions
        • Proxy Server Redirection
          • Tunnel Clients and Proxy Auto-Configuration Files (Linux Platform)
        • ESP Mode
        • Secure Network Detection
        • Post-Connection Scripting
        • Windows Tunnel Client Automatic Client Updating
        • Session Termination
        • Configuring Tunnel Client Settings
        • Connect Tunnel and Captive Portals
      • Using the Default Community
      • Changing the Order of Communities Listed in a Realm
      • Configuring RADIUS Accounting in a Realm
      • Editing, Copying and Deleting Communities
    • Managing Users and Groups
      • Viewing Users and Groups
      • Managing Users and Groups Mapped to External Repositories
        • Adding Users or Groups Manually
        • Importing users and groups csv file in mapped accounts
        • Adding Users or Groups by Searching a Directory
        • Advanced Search Methods
        • Creating Dynamic Groups Using a Directory
        • Editing Users or Groups
        • Deleting Users or Groups
        • Certificate Group
      • Managing Local User Accounts
        • Adding Local Users
        • Editing Local Users
        • Deleting Local Users
        • Adding Local Groups
        • Editing Local Groups
        • Deleting Local Groups
      • Importing and Exporting Local Accounts
        • Importing New Local Users and Groups
          • Creating the CSV File
          • Downloading a CSV Template
        • Importing Data for Existing Local Users
        • Importing New Groups
        • Exporting Local User Accounts
        • Import and Export Error Messages
    • Integrating an SMA Appliance with a SonicWall Firewall
      • Configuring a Firewall to Receive RADIUS Accounting Records from an SMA Appliance
      • Configuring an SMA Appliance to Send RADIUS Accounting Records to a Firewall
      • Viewing SMA Users on the Firewall
• Authentication
  • Network and Authentication Configuration
    • About Configuring the Network
    • Configuring Basic Network Settings
      • Specifying System Identity
      • Configuring Network Interfaces
      • Configuring ICMP
      • Viewing Fully Qualified Domain Names and Custom Ports
    • Configuring Routing
      • About Routing
      • Configuring Network Gateways
        • Choosing a Network Gateway Option
        • Configuring Network Gateways in a Dual-Homed Environment
        • Configuring Network Gateways in a Single-Homed Environment
      • Enabling a Route to the Internet
      • Configuring Static Routes
    • Configuring Name Resolution
      • Configuring Domain Name Service
      • Configuring Windows Network Name Resolution
    • Certificates
      • Let's Encrypt
        • Creating a Let's Encrypt certificate in CMS
      • Server Certificates
        • Certificate Strategy
        • Obtaining a Certificate from a Commercial CA
        • Creating a Self-Signed Certificate
        • Managing Server Certificates in AMC
          • Importing an Existing Certificate from Another Computer
          • Exporting an SSL Certificate
      • CA Certificates
        • Importing CA Certificates
        • Configuring Client Certificate Revocation
          • Managing Certificates with a CRL
          • Configuring an OCSP Responder
        • Managing CA Certificates
          • Viewing CA Certificate Details
          • Mapping Certificates to Hosts
          • Exporting CA Certificates
          • Deleting CA Certificates
      • About Intermediate Certificates
      • Working with Certificates FAQs
        • How do I Obtain a Certificate from a Non-Commercial CA?
        • When do Certificates and CRLs Expire?
        • Does Secure Mobile Access support SAN Certificates?
        • Are Intermediate Certificates supported for End-User Certificate Verification?
        • What Are the Different CA Certificates on the Appliance and How Are They Used?
        • How many CA Certificates can be Stored on the Appliance?
        • Can Private Keys or CSRs Generated from Other Tools be Imported to the Appliance?
        • Where Is the AMC Certificate Stored?
        • Should I Keep All CA Certificates on the Appliance or Just the Ones I Need?
    • Managing User Authentication
      • Configuring Authentication Servers
        • Defining Multiple Authentication Servers
        • Disabling Authorization Checks
      • Configuring Microsoft Active Directory Servers
        • Configuring Active Directory with Username and Password
        • Configuring Multiple Active Directory (Advanced)
          • Configure AD Forest Authentication Server
          • Configure Groups Using Multiple Trees
          • Configure Groups Using Trees from Trusted Forests
          • User Login
        • Configuring LDAP to Authenticate Against Active Directory
        • LDAP Examples for Active Directory Authentication
      • Configuring LDAP and LDAPS Authentication
        • Configuring LDAP with Username and Password
      • Configuring RADIUS Authentication
        • Configuring RADIUS with User or Token-Based Credentials
        • Configuring Advanced RADIUS Settings
      • Integration of SMA with Cisco Duo Security MFA Server
        • Configuring Cisco Duo security MFA server
        • Configuring Cisco Duo Security MFA Server in SMA1000
        • Enrolling users for Cisco Duo Security MFA Server
        • Additional Authentication Methods
        • SMA1000 Clients and AMC Authentication Support
      • User-Mapped Tunnel Addressing
      • Integration of SMA1000 with RSA SecurID Authentication Manager
        • Configuring RSA Server Authentication
        • Configuring the RSA SecurID Authentication Manager
        • SMA1000 Clients and AMC Authentication support
      • Configuring a PKI Authentication Server
      • Additional Field for Custom Certificates
      • Configuring a SAML-Based Authentication Server
        • Configuring a SAML 2.0 Identity Provider Authentication Server
        • Group Management with SAML IdP authentication server
        • Using Group Affinity checking
        • Using SAML Attributes during authentication
        • Configure SAML IdP
        • Update SMA SAML IdP authentication server
      • One Identity Defender
      • Configuring Local User Storage
      • Testing AD,LDAP,RADIUS and One Defender Authentication Configurations
      • Configuring Chained Authentication
        • Chained Authentication Login Example
      • Enabling Group Affinity Checking in a Realm
      • Using One-Time Passwords for Added Security
        • Configuring SMTP to Deliver One-Time Passwords
        • Configuring SMS based Authentication
        • Using Time-Based One-Time Passwords
          • Configuring Time-Based One-Time Passwords Settings
          • Managing Users of Time-Based One-Time Passwords
        • Configuring an Authentication Server for email-basedOne-Time Passwords
        • Configuring the AD or LDAP Directory Server
      • Configuring Personal Device Authorization
      • Using Your SMA Appliance as a SAML Identity Provider
        • Support for User Groups in SAML IdP Authentication
        • Configuring Your SMA Appliance to be a SAML IdP
    • Biometric Identification
      • About Biometric Identification
      • Configuring Biometric Identification
    • Next Steps
• Administration
  • Security Administration
    • Creating and Managing Resources
      • Resource Types
        • Built-In Resources
        • Secure Mobile Access WorkPlace (Resource Type: URL)
        • Connect Tunnel (Resource Type: URL)
        • Network Explorer (Resource Type: Network Share)
        • Web Resources
        • Client/Server Resources
        • File Share Resources
      • Resources and Resource Groups
        • Viewing Resources and Resource Groups
        • Adding Resources
        • Example: Specifying a URL Alias
        • Example: Blocking Email Attachments
        • Example: Supporting Exchange on iPhones
        • Example: Restricting Access to Sensitive Data
        • Editing Resources
        • Deleting Resources
        • Configuring a Resource as a SharePoint Web Service
        • Exclusions
          • Using the Exclusions
      • Using Variables in Resource and WorkPlace Shortcut Definitions
        • Using Session Property Variables
        • Using Query-Based Variables
        • Creating a Resource Pointing to Users’ Remote Desktops
        • Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
        • Creating a Variable Containing a Variable
        • Modifying Query Results
        • Displaying a Series of Shortcuts Using a Single Definition
      • Creating and Managing Resource Groups
        • Adding Resource Groups
        • Example: Working with a URL Redirect
        • Editing, Deleting and Copying Resource Groups
      • Web Application Profiles
        • Viewing Web Application Profiles
        • Adding Web Application Profiles
        • Preconfigured Web Application Profiles
        • Web Application Profile Examples
        • How Requests for Web Resources are Evaluated
        • Associating one profile with an entire domain
        • Editing and Deleting Web Application Profiles
      • Configuring a Single Sign-On Authentication Server
        • Forms-Based Single Sign-On
        • Basic Authentication Forwarding
        • NTLM Authentication Forwarding
      • Creating Forms-Based Dynamic Single Sign-On Profiles
        • Dynamic SSO Profile for Microsoft RDWeb
        • Configuring Microsoft RD Web Access in AMC
        • Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
        • Creating Web Application Profile
        • Creating RDWeb URL resource with custom access
        • Adding RDWeb in start page
        • Dynamic SSO Profile for Citrix XenApp
        • Configuring Citrix XenApp in AMC
        • Creating Dynamic SSO Profile for Citrix XenApp
        • Creating Web Application Profile
        • Creating Citrix XenApp URL resource with custom access
        • Adding Citrix Xenapp in start page
      • Kerberos Constrained Delegation
        • Configuring Kerberos Constrained Delegation
      • Configuring SMA Support for Microsoft Outlook Anywhere
      • Viewing User Sessions
    • Access Control Rules
      • Configuring Access Control Rules
        • Viewing Access Control Rules
        • Access Control Rules for Bi-Directional Connections
        • Requirements for Reverse and Cross-Connections
        • Securing Application Ports for Reverse Connections
        • Adding Access Control Rules for a Forward Connection
        • Specifying Advanced Access Control Rule Attributes
        • Adding Access Control Rules for a Reverse Connection
        • Adding a Pair of Access Control Rules for a Cross-Connection
        • Configuring Advanced Access Control Rule Attributes
        • Access Methods and Advanced Options
        • Adding Users and Resources From Within Access Control Rules
        • Editing, Copying, and Deleting Access Control Rules
      • Resolving Deny Rule Incompatibilities
      • Resolving Invalid Destination Resources
        • Invalid Resource Examples
  • System Administration
    • Optional Network Configuration
      • Enabling SSH Access from Remote Hosts
      • Configuring ICMP
      • Configuring Time Settings
    • System Logging and Monitoring
      • Overview: System Logging and Monitoring
      • Log Files
        • Viewing Logs
        • Sorting, Searching, and Filtering Log Messages
        • Sorting
        • Filtering
        • Searching
        • Exporting Log Files
        • Configuring Log Settings
        • System Message Log
        • Management Message Log
        • Management Audit Log
        • Network Tunnel Audit Log
        • Web Proxy Audit Log
        • Client Installation Logs (Windows)
        • Configuring the logging settings for managed appliances
        • Setting Log Levels
        • Configuring Access Request Logging
        • Sending messages to a syslog server
      • Splunk Integration
        • Sending log files to Splunk server
        • Installing Sonicwall SMA1000 Technical Add-on for Splunk
        • Setting up new polling input in Splunk server
        • Configuring syslog data input in Splunk server
        • Searching the logs
        • Reports provided in search
      • Monitoring the Appliance
        • Monitoring Overall Activity
        • Monitoring System Status
        • Viewing User Sessions
        • Open vs Licensed Sessions
        • Licensed Sessions
        • All Open Sessions
        • Authorization Terms Not Accepted
        • All Sessions
        • Ending User Sessions
        • Viewing User Access and Policy Details
        • Exporting User Session Data
      • SNMP Configuration
        • Configuring SNMP
        • Downloading the MIB File
        • Retrieving Management Data Using SNMP
        • MIB Data
        • MIB Data: System Information Module
        • MIB Data: System Health Module
        • MIB Data: Service Health
        • MIB Data: Security History Module
        • MIB Data: Network Tunnel Service Module
        • MIB Data: Traps
        • MIB Data: Other SNMP Data
    • Managing Configuration Data
      • Exporting the Current Configuration to a Local Machine
      • Importing Configuration Data
      • Saving the Current Configuration on the Appliance
      • Deleting or Restoring or Exporting Configuration Data Stored on the Appliance
    • Upgrading, Rolling Back, or Resetting the System
      • Updating the System
        • Naming Conventions for Upgrades
        • Naming Conventions for Hotfixes
        • Installing System Updates
      • Rolling Back to a Previous Version
      • Resetting the Appliance
        • Permanently Disabling the Appliance
    • SSL Encryption
      • Configuring SSL Encryption
    • FIPS Certification
      • Requirements for FIPS
      • Managing FIPS-Compliant Certificates
      • FIPS Violations
      • Enabling FIPS
      • Exporting and Importing FIPS-Compliant Certificates
      • Disabling FIPS
      • Zeroization
    • Software Licenses
      • How Licenses Are Calculated
      • Viewing License Details
      • Managing Licenses
        • Creating a MySonicWall Account
        • Registering Your SMA Appliance
        • Downloading and applying SMA license
        • Managing a Spike License
    • Using Global Overrides
      • Configuring Global Overrides in AMC
• End Point Control
  • About End Point Control
    • End Point Control and OESIS
    • How the Appliance Uses Zones and Device Profiles for End Point Control
      • Defining Zones
    • End Point Control Scenarios
      • Scenario 1: Employees Connecting from IT-Managed Laptops
      • Scenario 2: Employees Connecting from a Home PC
      • Scenario 3: Employees Connecting from a Public Kiosk
      • Scenario 4: Employee Connects from a PC with Google Desktop
      • Scenario 5: Employee Connects from a Mobile Device
  • Managing EPC with Zones and Device Profiles
    • Enabling and Disabling End Point Control
    • Configuring and Using Zones and Device Profiles
      • Viewing Zones
      • Viewing Device Profiles
      • Creating a Device Zone
      • Creating a Deny Zone
      • Creating a Quarantine Zone
      • Verifying the URLs
      • Configuring the Default Zone
      • Defining Device Profiles for a Zone
      • Device Profile Attributes
      • Advanced EPC: Extended Lists of Security Programs
      • Advanced EPC: Using Fallback Detection
      • Advanced EPC: Using Preconfigured Device Profiles
      • Using Comparison Operators with Device Profile Attributes
      • Using End Point Control with the Connect Tunnel Client
      • Performing Recurring EPC Checks: Example
      • Microsoft Intune
        • Configuring Microsoft Intune
        • Configuring Microsoft Intune in AMC
        • Creating Windows Profile with Intune Attributes
        • Creating Mac Profile with Intune Attributes
        • Configuring MSIntune in Client
    • Creating Zones for Special Situations
      • Defining Zones for Non-Standard Browsers
      • Collecting Equipment IDs from Unregistered Devices
      • Creating Device Profiles that Allow Unregistered Devices
      • Disabling Match Profile if User has no Registered Devices in the Device Profile
        • Quarantining Unregistered Devices
        • Locking Out Unregistered Devices
        • Exporting the Unregistered Device Log for External Processing
      • Defining Zones for Special Classes of Users
    • Using End Point Control Agents
      • Using the Virtual Keyboard to Enter Credentials
  • Capture Advanced Threat Protection
    • Enabling Capture ATP
    • File Options
      • Setting the File Types
      • Setting the Maximum File Size
    • Web Services
    • Advanced Settings
• Components
  • The WorkPlace Portal
    • A Quick Tour of WorkPlace
      • Home Page
        • Configurable WorkPlace Elements
        • Built-In WorkPlace Elements
        • WorkPlace Status Bar
      • Intranet Address Field
      • Bookmarks
      • Custom RDP Bookmarks
      • Network Explorer Page
        • The Network Explorer
  • User Access Components and Services
    • About User Access Components and Services
    • User Access Agents
      • Client and Agent Provisioning (Windows)
        • Secure Endpoint Manager
        • Installing Secure Endpoint Manager
        • Enabling Secure Endpoint Manager Software Update Policies
        • Provisioning and Personal Firewalls
        • Client Installation Logs
      • WorkPlace
        • WorkPlace Sites
        • Adding WorkPlace Sites
        • Modifying the Appearance of WorkPlace
        • About Custom WorkPlace Templates
        • How Template Files are Matched
        • Customizing WorkPlace Templates
        • Working with WorkPlace Shortcuts
        • Adding Web Shortcuts
        • Viewing Shortcuts
        • Editing Shortcuts
        • Creating a Group of Shortcuts
        • Adding Network Shortcuts
        • Adding a Virtual Desktop Shortcut
        • Web Shortcut Access
        • Configuring WorkPlace General Settings
        • Web Only Access
        • Citrix Configuration
        • Adding a Text Terminal Shortcut
        • Fully Customizing WorkPlace Pages
        • WorkPlace Style Customization: Manual Edits
        • Network Explorer
      • Tunnel Clients
        • OnDemand Tunnel Agent
        • Connect Tunnel Client
      • Web Access
        • WorkPlace Lite
        • Translated ActiveSync Web Access
        • Custom Port Mapped Web Access
        • Custom FQDN Mapped Web Access
        • Notes for Custom Port Mapped or Custom FQDN Mapped Web Access
        • Configuration Requirements
        • Known Behavior
        • Seamless Editing in SharePoint
        • Enabling Storage of Persistent Session Information
        • Modifying a Zone to Allow Storing of Persistent Session Information
        • Exchange ActiveSync access
        • Enabling Exchange ActiveSync access on the appliance
        • Exchange ActiveSync sessions
        • Notes for Exchange ActiveSync device profiles
        • ActiveSync Resource Configuration with SAN Certificates
        • Outlook Anywhere Web Access
    • Client Installation Packages
      • Downloading the Secure Mobile Access Client Installation Packages
    • Network Tunnel Client Branding
    • The OnDemand Proxy Agent
      • About OnDemand Proxy
        • OnDemand Mapped Mode
        • Activating OnDemand
      • How OnDemand Redirects Network Traffic
        • Overview: Loopback Proxying
        • Hosts File Redirection
      • Configuring OnDemand to Access Specific Applications
        • About Port Mapping
        • Configuring an Application for Use with OnDemand
      • Client Configuration
        • Configuring a Proxy Server in the Web Browser
    • Managing Access Services
      • About Access Services
      • Stopping and Starting the Secure Mobile Access Services
      • Configuring the Network Tunnel Service
      • Configuring IP Address Pools
        • Address Pool Allocation Methods
        • Translated Address Pools (Source NAT)
        • Routed Address Pools (DHCP)
        • RADIUS-Assigned Address Pools
        • Static Address Pools
        • Best Practices for Configuring IP Address Pools
        • Adding Translated IP Address Pools
        • Adding Dynamic IP Address Pools
        • Adding a Dynamic, RADIUS-Assigned IP Address Pools
        • Adding Static IP Address Pools
      • Configuring Web Resource Filtering
      • Secure Network Detection
        • Device VPN
        • Device VPN endpoint enrollment
        • Configuring Local CA in AMC
        • Configuring a PKI Authentication Server for Local CA
        • Creating Device VPN Realms
        • Configuring Device VPN
        • Viewing and Deleting or Revoking Device VPN certificate
      • Configuring Custom Connections
      • Configuring the Web Proxy Service
      • Verifying the Web Proxy Security headers
    • Terminal Server Access
      • Providing Access to Terminal Server Resources
      • Server Farm Resources
        • Adding Citrix Server Farm Resources
        • Adding VMware View Resources
      • Browser-Only Mode for Citrix Access
        • Configuring the Citrix HTML Receiver URL
        • Configuring a Shortcut for Citrix HTML Receiver in Workplace
      • Defining an Access Control Rule and Resource for Terminal Server Access
      • Managing Graphical Terminal Agents
        • Managing the Citrix Agent
        • Managing the VMware View Clients
      • Graphical Terminal Shortcuts
        • Adding Graphical Terminal Shortcuts to Individual Hosts
        • Adding Graphical Terminal Shortcuts to Server Farms
  • Secure Endpoint Manager (SEM)
    • Supported Operating Systems
    • Downloading and Installation
    • Installing Secure Endpoint Manager from Client Installation Package
    • Setting up the Secure Mobile Access Connect Agent
      • Proxy Configuration
      • Logs
      • Exporting logs in SEM
      • Browser Warning
      • End Point Control
      • Personal Device Authorization
• Mobile Connect
  • Using SMA with Mobile Connect
    • About using SMA with Mobile Connect
    • General Limitations
      • Hostname Redirection
      • DNS Routing with Split Tunnel
      • DNS Routing with Redirect-All
      • File Bookmarks
    • Supported EPC Profiles
    • IPV6 Limitations
    • URL Control Caveats
    • Configuring Trusted Network Detection
• Appendix
  • Appliance Command-Line Tools
    • Configuring a New Appliance Using Setup Tool
      • Tips for Working with Setup Tool
      • Using Setup Tool
    • Saving and Restoring Configuration Data
      • Saving Configuration Data
  • Troubleshooting
    • About Troubleshooting
    • General Networking Issues
    • Verify a Downloaded Upgrade File
    • AMC Issues
    • Authentication Issues
    • Using Personal Firewalls with Agents
    • Secure Mobile Access Services Issues
      • Web Proxy Service Issues
      • Tunnel Issues
        • Installation
        • Connectivity
    • Client Troubleshooting
      • Windows Client Troubleshooting
        • Resetting Browser
        • Clear Cookies and Cache
        • Reset Security Zones to Defaults
        • Reset Advanced Settings to Defaults
        • Reset Privacy Settings to Defaults
        • Uninstalling Secure Mobile Access Components
        • Logging Back In to WorkPlace
      • MacOS and Linux Tunnel Client Troubleshooting
        • MacOS System and Application Information
        • Linux System and Application Information
    • Troubleshooting Tools in AMC
      • Using DNS Lookup
      • Viewing the Current Routing Table
      • Capturing Network Traffic
      • Logging Tools for Network Tunnel Clients
      • Using CEM Extensions
        • CEM Advanced Features
      • Ping Command
      • Traceroute Command
      • Snapshot Tool
      • Host Connectivity Testing
  • Best Practices for Securing the Appliance
    • Network Configuration
      • Configure the Appliance to Use Dual Interfaces
      • Configure the Appliance to Use Dual Network Gateways
      • Protect both Appliance Interfaces with Firewalls
      • Enable Strict IP Address Restrictions for the SSH Service
      • Enable Strict IP Address Restrictions for the SNMP Service
      • Use a Secure Passphrase for the SNMP Community String
      • Disable or Suppress ICMP Traffic
      • Use an NTP Server
      • Protect the Server Certificate that the Appliance is Configured to Use
    • Appliance Configuration
      • Keep the software image on the appliance updated
      • Make regular configuration backups
    • Appliance Sessions
    • Administrator Accounts
      • Use a Strong Password
      • Change the AMC Administrator Password
      • Change Administrator Passwords often and don’t Share Them
      • Limit the Number of Administrative Accounts and Assign Administrative Privileges only to Trusted Individuals
    • Access Policy
      • Follow the Principle of “Least Privilege”
      • Pay Close Attention to Rule Order
      • Put your Most Specific Rules at the Top of the List
      • Carefully Audit Rules Containing “Any”
    • Set Up Zones of Trust
    • Setting security level
    • Client Access
      • Change Timeout Settings
      • Deploy End Point Control Components
      • Use Chained Authentication
      • Use Strong Two-Factor Authentication Mechanisms, such as TOTP
  • Configuring the SAML Identity Provider Service
    • Prerequisites
    • Enabling the SAML Identity Provider Service
    • Configuring the SAML Application
    • Downloading certificate from service provider
    • Adding SAML Applications as SAML Resources
    • Downloading metadata from SAML service provider
    • Importing metadata in AMC
  • Configuring External SAML Identity Providers
    • Downloading a Certificate
    • Configuring SAML Authentication Servers
      • Azure Active Directory
        • Configuring Azure Active Directory as an SMA Authentication Server
        • Adding the SMA Application to Azure Active Directory
        • Configuring Azure Active Directory as an SAML Identity provider
        • Assigning Users and Groups to the SMA Application
        • Sending User Groups to SMA
      • Integrating SMA with Duo SSO Server using SAML
      • Integrating with Duo Access Gateway Serverusing SAML
      • One Identity Cloud Access Manager
        • Configuring One Identity CAM as an SMA Authentication Server
        • Adding the SMA Application to One Identity Cloud Access Manager
      • OneLogin
        • Configuring OneLogin as an SMA Authentication Server
        • Adding the SMA Application to OneLogin
      • Ping Identity PingOne
        • Configuring Ping Identity PingOne as an SMA Authentication Server
        • Adding the SMA Application to Ping Identity PingOne
      • Salesforce
        • Configuring Salesforce as an SMA Authentication Server
        • Adding the SMA Application to Salesforce
  • Log File Output Formats
    • About Log Files
    • File Locations
    • System Message Log
      • Access Policy Decisions
      • Viewing Client Certificate Errors in the Log
      • End Point Control Interrogation
      • Unregistered Device Log Messages
    • Network Tunnel Audit Log
      • Auditing Connection Status Messages
    • Web Proxy Audit Log
    • Management Console Audit Log
    • WorkPlace Logs
      • WorkPlace Shortcut Examples
  • Internationalization Support
    • Support for Native Character Sets
    • RADIUS Policy Server Character Sets
      • Selected RADIUS Character Sets
      • Other Supported RADIUS Character Sets
• SonicWall Support
  • About This Document

Device VPN endpoint enrollment

The device VPN feature depends on the client certificate to authenticate endpoint or a device for device-level VPN access.

Unless the customer has an existing Certificate Enrollment Web Service (CES) or Certificate Enrollment Policy (CEP) web service setup, deployment of device certificates is complex and becomes a hurdle for using Device VPN.

From 12.4.2. onwards, you can:

• Deploy client certificates on end devices for Device Tunnel authentication.

• Get details of the list of enrolled device certificates such as device certificate subject DN, Device ID, expiration date, and so on.

• Revoke or delete enrolled device certificates.

• An enrolled device certificate expires in 90 days and is auto-renewed 15 days prior to the expiry.

Topics

• Configuring Local CA in AMC

• Configuring a PKI Authentication Server

• Creating Device VPN Realms

• Configuring Device VPN

• Viewing and Deleting or Revoking Device VPN certificate

Refer to Establishing a Device VPN connection section Connect Tunnel guide to deploy client certificates on end devices for Device Tunnel authentication.