12.4.2

July 2022

About Secure Mobile Access

Secure Mobile Access (SMA) provides scalable, secure mobile access for your enterprise while blocking untrusted applications, WiFi pirates, and mobile malware. SMA appliances provide a single gateway and a common user experience across all platforms, including managed and unmanaged devices. Traffic is encrypted using Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect it from unauthorized users.

SMA is available as a physical appliance or as a virtual appliance running on VMWare ESXi, Microsoft Hyper-V, Amazon Web Services (AWS), Azure, and KVM.

CMS can be run on VMWare ESXi, Microsoft Hyper-V, Amazon Web Services (AWS), Azure, and KVM.

Supported Platforms

The SMA 12.4 release is supported on the following SMA 1000 series appliances:

• SMA 6200 series (SMA 6200 and SMA 6210)
• SMA 7200 series (SMA 7200 and SMA 7210)
• SMA 8200v (ESXi/Hyper-V/AWS/Azure/KVM)
• Central Management Server (CMS) (ESXi/Hyper-V/AWS/Azure/KVM)

SMA 12.4 is not supported on EX6000, EX7000, and EX9000 appliances.

Supported Firmware Levels

Client systems running version 12.4 client software can be used with SonicWall SMA appliances running one of the following firmware versions:

• 12.4 and above + latest hotfixes -> 12.4.2

• 12.1 + latest hotfixes -> 12.4.2

To upgrade from Secure Mobile Access 12.3, you must upgrade to version 12.4.0 first, then upgrade to 12.4.2.

You can directly upgrade to 12.4.2 from SMA 12.1 and 12.4.0 versions.

For more information on supported platforms, clients, servers, IT infrastructure, and online services, refer to Administration Guide.

Additional References

• https://www.sonicwall.com/support/knowledge-base/sma-1000-series-and-cms-general-faq/200317200026571/
• https://www.sonicwall.com/support/knowledge-base/sma-1000-series-support-matrix/170919113911935/

What's New

SonicWall Secure Mobile Access (SMA) 12.4.2 includes these new features:

• Support multiple policies with CMS and shared licensing
  • Support CMS-based configuration of appliance-specific authentication servers.
  • Allow realms and access rules to be mapped to individual appliances.
  • Support more than one GTO service, and assign GTO services to one or more appliances.
  • Map GTO resources (WorkPlace sites, host-mapped resources) to one or more GTO services.
• API Keys for Management API Access

  You can use API keys that allow use of the Management API without embedding user credentials in a script. API keys can be used to provide access to scripts when two-factor authentication is required for AMC access.

• Improved troubleshooting with logs in a CMS environment
• Connect Tunnel Enhancements
  • Connect Tunnel for MacOS does not require Java Runtime.
  • Connect Tuneel for Windows supports Network Logon.

• Web Application Profile option to disable URL translations

  • Under Web Application Profile, you can disable URL translation for URL resources with split Domain Name System (DNS) approach. When configuring a URL resource, if both the resource's Fully Qualified Doamain Name (FQDN) and the appliance's FQDN for that resource are the same, then there is no need for translation. In such cases, you can disable the URL translation to improve the system performance.
  • Under Content translation, select the Enable Content translation checkbox and other Web proxy service to translate.
• Allow Outlook Web App, Active Sync and Outlook Anywhere on same appliance-FQDN
• Using Global Overrides

  Provide the ability to easily override community-specific settings to make it easier to troubleshoot issues. Global overrides are recommended to be used only during troubleshooting. Use it to override the following community settings:

  • ESP Mode
  • Software Updates
  • Limit session length to credential lifetime
• Simplified SMS Gateway Service configuration

• API JSON Schema should use a public standard

• Host Connectivity Testing

  You can test all the resource hosts or URLs for connectivity. This feature helps to secure the system and verifies certificates of internal systems.

• Import mapped accounts from CSV file

  • You can import the mapped accounts for users and groups via CSV file at once.
• SAML Enhancements
  • AMC displays the SAML IdP Endpoint URLs in the IdP Configuration page and also provides an option to copy those URLs.
  • Import of SAML metadata file on SAML Service Provider Resource configuration page.
  • View and Import buttons for certificates on SAML Service Provider Resource configuration page.
• Configuring ICMP

  From 12.4.2 onwards in AMC/CMC you can enable ICMP for internal only or external only or both interfaces.

• Managing Snapshots

  • You can select one or more saved snapshots and delete or download them.

• Support DHCP for internal and external interfaces

• Managing saved captures

  • You can select one or more saved captures and delete or download them.
    • When multiple captures are selected, the Delete option is enabled.
    • When a single capture is selected, both the Download and the Delete options are enabled.

• Deleting saved configuration data stored on the appliance

  • The options to Delete, Restore and Export saved configuration is enabled when a single configuration is selected.
  • When multiple configurations are selected, Restore and Export is graded out and Delete option is enabled.

• Improved Network Traffic Filenames

  • You can edit the filename with a user friendly name and save. This enables the support team users to easily understand about the capture that you share.

• External URLs as remediate links on quarantine zone

  • External URLs as remediate links on quarantine zone, when creating remediate links on quarantine zone, you can configure if the URL is hosted on external network.

• Support for Windows 11 and MacOS Monterey

• Secure Endpoint Manager(SEM)

  SEM is the client application responsible for evaluating EPC, launching agents and bookmarks. SEM registers a custom URL sceheme that gets invoked from browser for the specific tasks. SEM has two modules namely, Web Agent and Connect Agent.

  • Web Agent : This unified client is responsible for handling the following:
    • End point control: Perform the end point control checks.
    • Install and update Connect Tunnel.
    • Agent activation: Auto activate OnDemand Proxy and OnDemand Tunnel.
  • Connect Agent: This unified client is responsible for handling bookmarks from WorkPlace. This client also provides backward compatibility if someone accesses WorkPlace on prior 12.4 versions.
• Splunk Integration

  The SonicWallSMA1000 Splunk Add-on is integrated in the Splunk Server using the Splunk Common Information Model (CIM).

  The SonicWallSMA1000 Splunk Add-on uses the following collection methods to collect the logs:

  • Logs collected via syslog are:
    • Authentication
    • Change
    • Network sessions
    • Network Traffic
  • Logs collected via API polling is:
    • Performance

• Device VPN endpoint enrollment

  • Deploy client certificates on end devices for Device Tunnel authentication.
  • Get details of the list of enrolled device certificates such as device certificate subject DN, Device ID, Expiration date, and so on.
  • Revoke or delete enrolled device certificates.

• Microsoft Intune

  The SMA and Microsoft Intune integration is supported for MacOS based managed devices.

• Dynamic SSO Profile for Microsoft RDWeb and Citrix XenApp

  You can quickly configure Single Sign-On for Microsoft RDWeb and Citrix XenApp service by selecting Microsoft Remote Desktop Web Client and Citrix XenApp option respectively while creating a Dynamic Single Sign-On profile.

• Web Security Headers

  You have an option to enable the web proxy security headers that sets the HTTP Respons headers and provides protection from attacks. As an admin, you can enable security headers on workplace login pages for added security.

What's Deprecated

• Cache Cleaner functionality is no longer supported.

• Fallback server is no longer supported.

• Application Control, Application Zones, and Application Rules are no longer supported.

• Change default policy in setup wizard from "allow" to "deny": The allow authenticated users access to all defined resources option is removed and no longer supported.

Resolved Issues

Known Issues

Additional References

SMA1000-5034, SMA1000-4987, SMA1000-4903