• Secure Mobile Access
• About this Guide
  • Organization of this Guide
  • Guide Conventions
• About SonicWall Secure Mobile Access
  • About the SMA Appliance
  • Key SSL VPN Concepts and SMA Features
    • Resources
    • Users and Groups
    • Authentication
    • Communities
    • Access Policy
    • End Point Control (EPC)
    • SSL/TLS and Encryption
    • Single Sign-On
    • Sharing Configuration Data
    • Role-based Administration
    • System Monitoring and Logging
  • SonicWall SMA Components
    • Client Components and Access Methods
      • WorkPlace
      • Network Explorer
      • Connect Tunnel Clients
      • Mobile Connect App
      • Translated Web Access
      • Custom Port Mapping
      • Custom FQDN Mapping
    • End Point Control Components
    • Administrator Components
      • Setup Wizard
      • Appliance Management Console (AMC)
      • Access Services
  • Managing Multiple Appliances
    • Central Management Server
    • Global Traffic Optimizer
• Planning Your VPN
  • About Designing Your VPN
    • Who Will Access Your VPN?
    • Which Types of Resources Should Users Have Access To?
      • How Will Users Access Your Resources?
      • Tunnel, Proxy, or Web: Which Access Method is Best?
    • Security Administration
      • Defining Resources
        • Web Resources
        • Client/Server Resources
        • File Shares
      • Managing Access Control with an Access Policy
      • Access Control for Bi-Directional Connections
      • Design Guidelines for Access Rules
  • End Point Control
    • Advanced EPC
  • Putting It All Together: Using Realms and Communities
• Common VPN Configurations
  • About the Configurations
  • Deployment Scenario: Remote Access for Employees and Partners
    • Establishing an Authentication Realm
    • Identifying Users
    • Adding Resources
    • Creating Zones of Trust
      • Creating a Device Zone for Trusted Users
      • Creating a Device Zone for Partners
      • Creating a Quarantine Zone for Untrusted Users
  • Customizing WorkPlace
    • Modifying the Default Style and Layout
    • Creating a New WorkPlace Style and Layout
      • Creating a WorkPlace Style
      • Creating a Workplace Layout
    • Creating an Employee Community
      • Specifying Access Methods for Employees
      • Configuring End Point Control for Employees
      • Configuring the WorkPlace Appearance for Employees
    • Creating a Partner Community
      • Specifying an Access Method for Partners
      • Configuring End Point Control for Partners
      • Configuring WorkPlace Appearance for Partners
    • Access Control Lists
      • Adding a Rule for Limited Resources
      • Adding an Unrestricted Rule
  • Testing the Deployment Scenario
  • Other Remote Access VPN Scenarios
    • Providing Access to Web Resources
      • Defining Specific Web Resources
      • Web Resources on a Portion of Your Network
      • All Web Resources on Your Network
    • Web-Based File Access to Entire Networks
    • Broad Access to Network Resources
    • Remote Access for Mobile Users
  • Additional Partner VPN Scenarios
    • Access to a Specific Web Resource Using an Alias
    • Web-Based Access to a Client/Server Application
  • End Point Control Scenarios
    • Quarantining Employees on Untrusted Systems
    • Denying Access
  • Access Policy Scenarios
  • Application-Specific Scenarios
    • Providing Access to Outlook Web Access (OWA)
    • Providing Access to Voice Over IP (VoIP)
    • Providing Access to Windows Terminal Services or Citrix Resources
  • Authentication Scenarios
    • Using Multiple Realms vs Single Realm
  • Access Component Provisioning
    • Deploying the Same Agents to All Users
    • Deploying Different Agents to Different Users
• SonicWall Support
  • About This Document

Putting It All Together: Using Realms and Communities

Realms are the top-level objects that tie together authentication, user management, access agent provisioning, and End Point Control restrictions.

A realm references one authentication server or a pair of them (for chained authentication). Authentication servers must first be defined in AMC, and they are then referenced by a realm that users log in to.

After users log in to the appliance, they are assigned to a community based on the identity supplied during login. By default, all users are assigned to a default community, but you can sort users into different groups based on individual identity or group memberships. In turn, the community defines a default set of access methods and the set of end point restrictions placed on client devices. The community can also determine the appearance of WorkPlace: the layout and style of WorkPlace pages can be tailored to a particular community.

The below image shows how a realm authenticates users, assigns them to communities to provision access agents and, with End Point Control enabled, assigns community members to different zones based on the trustworthiness of their computers.

If your network uses a single authentication server to store user information, you’ll probably need to create only one realm in AMC. That realm could then reference the global community that is configured by default in AMC. This would be useful if you have a homogenous user population with identical access requirements.

Using only one realm doesn’t limit your ability to configure more granular levels of user access and End Point Control. AMC allows you to create communities of users within a realm based on their access needs or other security considerations. A community can consist of all the users in a realm, or only selected users or groups.

For example, you might have two distinct groups of users—employees and business partners—requiring different forms of VPN access. The below tables contrast the access agents that are made available to these two groups, and how EPC is used to secure their connections. By creating different WorkPlace styles and layouts you also can determine how WorkPlace looks to members of these two communities.

Employee community

Access Agent	EPC
A tunnel client, enabling them to access Web, network, and file share resources.	EPC is used to detect whether employees’ computers are running an antivirus program and firewall before placing them in a trusted zone.
Users connect from trusted computing environments (such as laptops provided by your IT department) and require broad access to your network resources.

Business partner community

Access Agent	EPC
Limited, Web-only access	Business partners are assigned to a less-trusted zone.
Partners connect through unsecured computing environments and require access only to specific, limited resources.