• Secure Mobile Access
• About this Guide
  • Organization of this Guide
  • Guide Conventions
• About SonicWall Secure Mobile Access
  • About the SMA Appliance
  • Key SSL VPN Concepts and SMA Features
    • Resources
    • Users and Groups
    • Authentication
    • Communities
    • Access Policy
    • End Point Control (EPC)
    • SSL/TLS and Encryption
    • Single Sign-On
    • Sharing Configuration Data
    • Role-based Administration
    • System Monitoring and Logging
  • SonicWall SMA Components
    • Client Components and Access Methods
      • WorkPlace
      • Network Explorer
      • Connect Tunnel Clients
      • Mobile Connect App
      • Translated Web Access
      • Custom Port Mapping
      • Custom FQDN Mapping
    • End Point Control Components
    • Administrator Components
      • Setup Wizard
      • Appliance Management Console (AMC)
      • Access Services
  • Managing Multiple Appliances
    • Central Management Server
    • Global Traffic Optimizer
• Planning Your VPN
  • About Designing Your VPN
    • Who Will Access Your VPN?
    • Which Types of Resources Should Users Have Access To?
      • How Will Users Access Your Resources?
      • Tunnel, Proxy, or Web: Which Access Method is Best?
    • Security Administration
      • Defining Resources
        • Web Resources
        • Client/Server Resources
        • File Shares
      • Managing Access Control with an Access Policy
      • Access Control for Bi-Directional Connections
      • Design Guidelines for Access Rules
  • End Point Control
    • Advanced EPC
  • Putting It All Together: Using Realms and Communities
• Common VPN Configurations
  • About the Configurations
  • Deployment Scenario: Remote Access for Employees and Partners
    • Establishing an Authentication Realm
    • Identifying Users
    • Adding Resources
    • Creating Zones of Trust
      • Creating a Device Zone for Trusted Users
      • Creating a Device Zone for Partners
      • Creating a Quarantine Zone for Untrusted Users
  • Customizing WorkPlace
    • Modifying the Default Style and Layout
    • Creating a New WorkPlace Style and Layout
      • Creating a WorkPlace Style
      • Creating a Workplace Layout
    • Creating an Employee Community
      • Specifying Access Methods for Employees
      • Configuring End Point Control for Employees
      • Configuring the WorkPlace Appearance for Employees
    • Creating a Partner Community
      • Specifying an Access Method for Partners
      • Configuring End Point Control for Partners
      • Configuring WorkPlace Appearance for Partners
    • Access Control Lists
      • Adding a Rule for Limited Resources
      • Adding an Unrestricted Rule
  • Testing the Deployment Scenario
  • Other Remote Access VPN Scenarios
    • Providing Access to Web Resources
      • Defining Specific Web Resources
      • Web Resources on a Portion of Your Network
      • All Web Resources on Your Network
    • Web-Based File Access to Entire Networks
    • Broad Access to Network Resources
    • Remote Access for Mobile Users
  • Additional Partner VPN Scenarios
    • Access to a Specific Web Resource Using an Alias
    • Web-Based Access to a Client/Server Application
  • End Point Control Scenarios
    • Quarantining Employees on Untrusted Systems
    • Denying Access
  • Access Policy Scenarios
  • Application-Specific Scenarios
    • Providing Access to Outlook Web Access (OWA)
    • Providing Access to Voice Over IP (VoIP)
    • Providing Access to Windows Terminal Services or Citrix Resources
  • Authentication Scenarios
    • Using Multiple Realms vs Single Realm
  • Access Component Provisioning
    • Deploying the Same Agents to All Users
    • Deploying Different Agents to Different Users
• SonicWall Support
  • About This Document

Managing Access Control with an Access Policy

After you’ve defined your VPN resources, you control which ones are available to users by creating an access policy.

After a user successfully authenticates (that is, his or her identity is verified), the appliance evaluates the rules that control access to specific resources. Rules appear on the Access Control page (see below image).

Access Control rules

Access control rules are displayed as an ordered list in AMC. When the appliance evaluates a connection request, it begins at the top of the list and works its way down until it finds a match. When it finds a match, the action required by the rule—either Permit or Deny—is applied and no further rules are evaluated.

Access to a resource can be based on several criteria. Most rules control access based on who the user is—that is, the user’s name or group membership—and the destination resource. (If you don’t restrict access to a particular user or destination resource, the word Any appears in the access control list.)

With Tunnel Access, an access control rule that allows access to “Any resource” allows access to everything behind the SMA, not only the defined resources.

In addition, you can control access based on several other criteria such as:

• The EPC zone from which the connection request originates. Suppose you want to require users accessing a sensitive financial application. If so, you could configure a rule that allows access only to systems in a trusted zone that are running a particular program.

  In Access Control rules page, access to Remote office desktops is restricted to users in the Remote group who have device profiles that place them in the Trusted laptop zone.

• The address from which the connection request originates. You might want to control access to a resource based on the names of any source networks you want evaluated in the rule.
• The access method used to reach the resource. You might want to enable broad access to resources within an internal domain from the network tunnel or proxy agents, but prevent browser-based access to Web servers within the domain.
• The day or time of the request. For example, you might give business partners access to a particular application on weekdays from only 9:00 A.M. to 5:00 P.M.

A connection request can be summarized as follows:

1. A user is authenticated and initiates a connection.
2. The appliance analyzes the connection request to identify its attributes (including user and group information, the destination being requested, the source network from which the request originates, and the day or time of the request).

3. The appliance reads the first rule in the access control list and compares it to the request criteria:

   • If a match is found, the action (Permit or Deny) specified in the rule is applied and no further rules are evaluated.
   • If no match is found, the appliance evaluates the next rule in the list to see if it matches the request.

4. If the appliance processes all of the rules without finding a match, an implicit Deny rule is applied.