• SonicWall Secure Mobile Access 1000 Series 12.4 Release Notes
  • 12.4.3 Hotfix
  • 12.4.3
  • 12.4.2
  • 12.4.1
  • SonicWall Support
    • About This Document

12.4.3

February 2024

About Secure Mobile Access

Secure Mobile Access (SMA) provides scalable, secure mobile access for your enterprise while blocking untrusted applications, WiFi pirates, and malware. SMA appliances provide a single gateway and a common user experience across all platforms, including managed and unmanaged devices. Traffic is encrypted using Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect it from unauthorized users.

SMA is available as a physical appliance or as a virtual appliance running on VMWare ESXi, Microsoft Hyper-V, Amazon Web Services (AWS), Azure, and KVM.

Central Management Server (CMS) can be run on VMWare ESXi, Microsoft Hyper-V, Amazon Web Services (AWS), Azure, and KVM.

Supported Platforms

The SMA 12.4 release is supported on the following SMA 1000 series appliances:

• SMA 6200 series (SMA 6200 and SMA 6210)
• SMA 7200 series (SMA 7200 and SMA 7210)
• SMA 8200v (ESXi/Hyper-V/AWS/Azure/KVM)
• Central Management Server (CMS) (ESXi/Hyper-V/AWS/Azure/KVM)

SMA 12.4 is not supported on EX6000, EX7000, and EX9000 appliances.

Supported Firmware Levels

Client systems running version 12.4 client software can be used with SonicWall SMA appliances running one of the following firmware versions:

• 12.4.1 + latest hotfixes -> 12.4.3
• 12.4.2 + latest hotfixes -> 12.4.3

• 12.1.0 + latest hotfixes -> 12.4.3

• It is recommended to upgrade to 12.4.3 from 12.4.2 with latest hotfixes.

For more information on supported platforms, clients, servers, IT infrastructure, and online services, refer to SMA 1000 12.4 Administration Guide.

Be sure to review the following Knowledge Base article for information on the SMA 1000 Series, and CMS.

• https://www.sonicwall.com/support/knowledge-base/sma-1000-series-and-cms-general-faq/200317200026571/

Any 12.4.x client can connect to version 12.4.3 as we support backward or forward compatibility. However, an older client may not support newer features like exclusion, and customers must upgrade to version 12.4.3 of the client to access them.

What's New

Secure Mobile Access (SMA) 12.4.3 includes these new features:

• Access Request Logging

  Admin can limit the types of access requests that are saved with User Sessions.

• Always On VPN Enhancements

  Following new options are available to admin under Always On VPN section:

  • Allow user to disconnect- Controls whether a user is allowed to disconnect from the VPN.

  • Restrict network access when VPN is not Connected- Allows admin to control whether user is allowed to access internet when the VPN is disconnected.

• Cached Credentials Enhancements

  Two new options are available under Cache Credential section:

  • Username only- Only username will be cached.

  • Disabled- Credential caching will be disabled.

• Cisco Duo Security Multi-factor Authentication Server

  In addition to using SAML and RADIUS protocols to integrate with Cisco Duo Security Multi-factor server for user authentication, administrators can now utilize Auth API integration to provide Multi-factor authentication using Cisco Duo Security Multi-factor server. A new Authentication server called Cisco Duo Security Multi-factor Authentication server is now available for that.

  Unlike RADIUS authentication, this authentication server allows users to choose their preferred second-factor authentication method to complete authentication process.

• CMS Alerts Logging

  Information about all alerts such as high CPU usage, disk usage, and so on is now sent to Syslog when configured.

• Copying Resources Groups

  Rather than creating a new resource group from scratch, you can save time by making a copy of an existing group and changing some parameters to fit the new group.

• Device VPN Enhancements

  The Device VPN Communities (under Services > Network Tunnel Service) has two

  additional check boxes that allows users to bypass entering VPN credentials for User VPN, when the client machine is powered on or restarts in secure network. Also, if Device VPN is enabled, Allow user to disconnect

  option takes precedence over Always On VPN configuration. Below are the two Device VPN options:

  • Allow user to disconnect

  • Do not connect in secure network

• Dynamic Form SSO Improvements

  New login experience is provided where admin can choose SSO or login behavior based on the resource application.

  • New option Login experience is available to configure how the user will be automatically logged in.
  • New login detection method Status code is added.

• Exclusions

  • Allows tunnel configurations with redirect-all and wildcard domain exclusions.

  • Connect Tunnel clients are capable of excluding the traffic on the fly.

• Global Overrides in AMC

  The Enable accounting records value for realms can now be overridden when set to different options accordingly under Global Overrides.

• Global Policy Settings in CMS

  The Global Policy settings and enabled options are introduced in the Resource Groups and Exclusions.

• Managing Administrator Account Settings

  The following options are available for administrators under the System Configuration > General Settings > Administrators > Authentication > Advance section.

  • Password Policy settings help to set strong password complexity settings for the primary administrator account.

  • Account lockout settings for administrators when there are multiple failed login attempts.

  • Session timeout settings for administrators to configure the session inactivity timeout.

  • Concurrent Session settings for administrators to configure the concurrent session to limit the number of sessions and admins that can be logged in to AMC.

• RSA Authentication Manager as Authentication server

  RSA Authentication Manager can now be integrated using superior SecurID Authentication API. This is an improvement over the older SDK integration, now termed Legacy, which was cumbersome and error-prone. Additionally, this new authentication server simplifies deployment by eliminating the DNS requirements that were necessary with SDK integration.

• Shell Access

  The ability to disable shell access on the appliance is now available. This feature can be valuable in secure environments where shell access via serial console and SSH needs to be restricted or removed.

• WorkPlace Enhancements

  Following file explorer improvements are added:

  • A search option allowing users to locate files or folders by name.

  • The current user name is shown on the hamburger menu.

  • If the browser is closed while an upload is in progress, a confirmation message is displayed.

  • The reload icon has been relocated to the address bar.

  • Column sizes can be resized.

What's Deprecated

• Legacy SSO is deprecated and enhanced with Dynamic Single Sign On.

• The integration method for RSA Authentication Manager using CSDK has been deprecated, now referred to as RSA Authentication Manager Legacy. Additionally, the RSA Authentication Manager authentication server now supports integration using the superior SecureID Authentication API.

Discontinued Features

• Discontinued features in SMA 1000 12.4.1 onwards are:

  • vWorkspace

  • Fallback Servers

  • Application Control

• Discontinued features in SMA 1000 12.4.3 onwards are:

  • RSA ClearTrust Authentication Server

  • Modern Workplace

  • Cache Cleaner

  When upgrading the SMA version with discontinued features, it is mandatory to remove the existing configuration and then proceed with the upgrade.

Resolved Issues

Issue ID	Issue Description
SMA1000-7082	The SSL gateway dropped a large number of users, causing the policy server to crash.
SMA1000-7041	The appliance dropped all users due to a particular functionality issue with Device VPN access.
SMA1000-7038	RSA authentication failed due to incompatibility between the outdated RSA-AM version 8.2. and the newer RSA-SDK version 8.6.
SMA1000-7037	SND fails to detect when one of the hosts becomes unreachable.
SMA1000-6980	The appliance dropped all users in a specific case involving Device VPN access.
SMA1000-6964	The appliance crashes in a rare condition scenario when operating over IPv6.
SMA1000-6954	Eliminate less secure ciphers utilized in SSH connections.
SMA1000-6949	AAR Push logs are not functioning with SMA 1000 version 12.4.2, even with the latest hotfix applied.
SMA1000-6916	The appliance dropped users and restarted due to a particular functionality issue with DNS.
SMA1000-6869	Unable to add large number of address pools in the CMS.
SMA1000-6860	Let's encrypt renewal is creating a Certificate Signing Request (CSR) instead of renewing.
SMA1000-6837	The CMS reporting is not displaying certain appliances due to a database issue.
SMA1000-6766	The appliance database failed, and the storage failed to recover.
SMA1000-6667	SSL Tunnel with high-volume UDP application and slow tunnel performance is leading to users disconnections.
SMA1000-6666	Opening multiple RDP session simultaneously results in internal errors.
SMA1000-6663	Adding an exclusions under community breaks the URL shortcuts on the Workplace home page.
SMA1000-6662	Attributes associated with the Group Affinity based authentication server are not linked to the realm.
SMA1000-6653	The Workplace page displays an error when the default realm is disabled on the SMA managed appliance nodes.
SMA1000-6652	EPC Zone classification with Intune fails to calssify zones.
SMA1000-6651	The appliance experiences random reboots daily due to a race condition.
SMA1000-6650	Certificate authentication fails when connected to Connect Tunnel on MacOS platform.
SMA1000-6649	When VPN is not connected, the internet access is also restricted.
SMA1000-6595	Remove Cache Cleaner feature.
SMA1000-6392	The setting Limit session length to credential lifetime under Configure Realm > Configure Community >Session Termination is not working as expected.
SMA1000-6364	The appliance names in CMS user sessions display extra names.
SMA1000-6362	Uploads of files using file shares are limited to the size of the root partition.
SMA1000-6349	The Upgrade from SMA 1000 version 12.4.1 to SMA 1000 version 12.4.2 failing due to a corner case issue in the database restore process.
SMA1000-6319	The custom MTU value configured for interface via CLI reverts to default value after reboot.
SMA1000-6221	The upgrade failure is attributed to an encoding issue.
SMA1000-6189	The Spike license is automatically activated following the upgrade.
SMA1000-6185	Let's encrypt certificate chain builds with an expired R3 certificate.
SMA1000-6164	The Checkhosts tool fails when encountering DNS failures.
SMA1000-6132	Snapshot takes a longer duration when executed from AMC or SSH.
SMA1000-5959	German localization files are causing the upgrade fail.
SMA1000-5952	Log all alert events in the management.log file and send them to all configured syslog hosts.
SMA1000-5943	CMS and managed appliances display a blank screen when navigating to the TOTP users page.
SMA1000-5942	CMS is unable to map address pools for UK SMA appliances, but can map others.
SMA1000-5939	CMS displays a blank screen when navigating to configure community and is unable to create communities.
SMA1000-5927	Option to disable sending the "X-Forwarded-For:" header to backend servers.
SMA1000-5736	Unable to deselect or delete the old expired workplace certificate.
SMA1000-5681	Unable to connect to RDP resource using a third-party HTML5 based application when configured to access via reverse proxy.
SMA1000-5629	Wildcard Exclusions does not work as expected with Redirect All Mode.
SMA1000-5580	An admin with only monitoring permission is unable to reset and unlock the TOTP data of a user in CMS and managed appliance.
SMA1000-5257	Support Network Logon on x86 and ARM64 devices.
SMA1000-3305	Support for more secure Let's Encrypt GTO certificates should be added.

Known Issues

No additional known issues

Additional References

SMA1000-6761, SMA1000-5786, SMA1000-5697, SMA1000-5695, SMA1000-5693, SMA1000-5692, SMA1000-5691, SMA1000-5690, SMA1000-5689, SMA1000-5688, SMA1000-5682, SMA1000-5679, SMA1000-5678, SMA1000-5675, SMA1000-5669, SMA1000-5661, SMA1000-5656, SMA1000-5651, SMA1000-5650, SMA1000-5648, SMA1000-5647, and SMA1000-5645.