Secure Mobile Access 12.4 Release Notes

12.4.2

July 2022

About Secure Mobile Access

Secure Mobile Access (SMA) provides scalable, secure mobile access for your enterprise while blocking untrusted applications, WiFi pirates, and mobile malware. SMA appliances provide a single gateway and a common user experience across all platforms, including managed and unmanaged devices. Traffic is encrypted using Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect it from unauthorized users.

SMA is available as a physical appliance or as a virtual appliance running on VMWare ESXi, Microsoft Hyper-V, Amazon Web Services (AWS), Azure, and KVM.

CMS can be run on VMWare ESXi, Microsoft Hyper-V, Amazon Web Services (AWS), Azure, and KVM.

Supported Platforms

The SMA 12.4 release is supported on the following SMA 1000 series appliances:

  • SMA 6200 series (SMA 6200 and SMA 6210)
  • SMA 7200 series (SMA 7200 and SMA 7210)
  • SMA 8200v (ESXi/Hyper-V/AWS/Azure/KVM)
  • Central Management Server (CMS) (ESXi/Hyper-V/AWS/Azure/KVM)

SMA 12.4 is not supported on EX6000, EX7000, and EX9000 appliances.

Supported Firmware Levels

Client systems running version 12.4 client software can be used with SonicWall SMA appliances running one of the following firmware versions:

  • 12.4 and above + latest hotfixes -> 12.4.2
  • 12.1 + latest hotfixes -> 12.4.2

To upgrade from Secure Mobile Access 12.3, you must upgrade to version 12.4.0 first, then upgrade to 12.4.2.

You can directly upgrade to 12.4.2 from SMA 12.1 and 12.4.0 versions.

For more information on supported platforms, clients, servers, IT infrastructure, and online services, refer to the Administration Guide.

What's New

SonicWall Secure Mobile Access (SMA) 12.4.2 includes these new features:

  • Support multiple policies with CMS and shared licensing
    • Support CMS-based configuration of appliance-specific authentication servers.
    • Allow realms and access rules to be mapped to individual appliances.
    • Support more than one GTO service, and assign GTO services to one or more appliances.
    • Map GTO resources (WorkPlace sites, host-mapped resources) to one or more GTO services.
  • API Keys for Management API Access

    You can use API keys that allow use of the Management API without embedding user credentials in a script. API keys can be used to provide access to scripts when two-factor authentication is required for AMC access.

  • Improved troubleshooting with logs in a CMS environment
  • Connect Tunnel Enhancements
    • Connect Tunnel for MacOS does not require Java Runtime.
    • Connect Tunnel for Windows supports Network Logon.
  • Web Application Profile option to disable URL translations

    • Under Web Application Profile, you can disable URL translation for URL resources that use a split Domain Name System (DNS) approach. When configuring a URL resource, if the resource's Fully Qualified Domain Name (FQDN) and the appliance's FQDN for that resource are the same, there is no need for translation. In such cases, you can disable URL translation to improve system performance.
    • Under Content translation, select the Enable Content translation checkbox and other Web proxy service to translate.
  • Allow Outlook Web App, Active Sync and Outlook Anywhere on same appliance-FQDN
  • Using Global Overrides

    Provide the ability to easily override community-specific settings to make it easier to troubleshoot issues. Global overrides are recommended to be used only during troubleshooting. Use it to override the following community settings:

    • ESP Mode
    • Software Updates
    • Limit session length to credential lifetime
  • Simplified SMS Gateway Service configuration
  • API JSON Schema should use a public standard

  • Host Connectivity Testing

    You can test all the resource hosts or URLs for connectivity. This feature helps to secure the system and verifies certificates of internal systems.

  • Import mapped accounts from CSV file

    • You can import the mapped accounts for users and groups via CSV file at once.
  • SAML Enhancements
    • AMC displays the SAML IdP Endpoint URLs in the IdP Configuration page and also provides an option to copy those URLs.
    • Import of SAML metadata file on SAML Service Provider Resource configuration page.
    • View and Import buttons for certificates on SAML Service Provider Resource configuration page.
  • Configuring ICMP

    From 12.4.2 onwards in AMC/CMC you can enable ICMP for internal only or external only or both interfaces.

  • Managing Snapshots

    • You can select one or more saved snapshots and delete or download them.
  • Support DHCP for internal and external interfaces

  • Managing saved captures

    • You can select one or more saved captures and delete or download them.
      • When multiple captures are selected, the Delete option is enabled.
      • When a single capture is selected, both the Download and the Delete options are enabled.
  • Deleting saved configuration data stored on the appliance

    • The options to Delete, Restore, and Export a saved configuration are enabled when a single configuration is selected.
    • When multiple configurations are selected, Restore and Export are grayed out and the Delete option is enabled.
  • Improved Network Traffic Filenames

    • You can edit the filename to a user-friendly name and save it. This helps support team users easily understand the capture that you share.
  • External URLs as remediate links on quarantine zone

    • When creating remediate links on quarantine zone, you can configure whether the URL is hosted on an external network.
  • Support for Windows 11 and MacOS Monterey

  • Secure Endpoint Manager (SEM)

    SEM is the client application responsible for evaluating EPC and launching agents and bookmarks. SEM registers a custom URL scheme that is invoked from the browser for specific tasks. SEM has two modules: Web Agent and Connect Agent.

    • Web Agent: This unified client is responsible for handling the following:
      • End point control: Perform the end point control checks.
      • Install and update Connect Tunnel.
      • Agent activation: Auto activate OnDemand Proxy and OnDemand Tunnel.
    • Connect Agent: This unified client is responsible for handling bookmarks from WorkPlace. This client also provides backward compatibility if someone accesses WorkPlace on prior 12.4 versions.
  • Splunk Integration

    The SonicWallSMA1000 Splunk Add-on is integrated in the Splunk Server using the Splunk Common Information Model (CIM).

    The SonicWallSMA1000 Splunk Add-on uses the following collection methods to collect the logs:

    • Logs collected via syslog are:
      • Authentication
      • Change
      • Network sessions
      • Network Traffic
    • Logs collected via API polling are:
      • Performance
  • Device VPN endpoint enrollment

    • Deploy client certificates on end devices for Device Tunnel authentication.
    • Get details of the list of enrolled device certificates such as device certificate subject DN, Device ID, Expiration date, and so on.
    • Revoke or delete enrolled device certificates.
  • Microsoft Intune

    The SMA and Microsoft Intune integration is supported for MacOS based managed devices.

  • Dynamic SSO Profile for Microsoft RDWeb and Citrix XenApp

    You can quickly configure Single Sign-On for Microsoft RDWeb and Citrix XenApp service by selecting Microsoft Remote Desktop Web Client and Citrix XenApp option respectively while creating a Dynamic Single Sign-On profile.

  • Web Security Headers

    You have an option to enable the web proxy security headers, which set HTTP response headers and provide protection from attacks. As an admin, you can enable security headers on WorkPlace login pages for added security.

What's Deprecated

  • Cache Cleaner functionality is no longer supported.

  • Fallback server is no longer supported.

  • Application Control, Application Zones, and Application Rules are no longer supported.

  • Change default policy in setup wizard from "allow" to "deny": The allow authenticated users access to all defined resources option is removed and no longer supported.

Resolved Issues

Issue ID Issue Description
SMA1000-2326 Connect Tunnel is supported for ARM Processor Based Architecture
SMA1000-2905 Managed Appliance supported with Single home to participate in GTO from 12.4.0
SMA1000-4225 Do not allow SSH to be enabled with no allowed hosts
SMA1000-4229 Able to select signatures updated and file system scanned on device profile, even if the settings were disabled.

SMA1000-4329 Linux vulnerability CVE-2021-33909 Sequoia
SMA1000-4347 CMS appliance list should include pool IP
SMA1000-4348 Add a duration to default alerts
SMA1000-4363 IP range is converted to a subnet and the last available address is blocked by treating it as a broadcast IP, resulting in a High Metric Value of 271
SMA1000-4391 AMC must normalize SND fingerprint in order for system to use it
SMA1000-4415 Add DNS authoritative server status to CMS dashboard
SMA1000-4430 Local user Group membership not working in ACL
SMA1000-4482 Post firmware upgrade the OD Portmap Application breaks and fails to work.
SMA1000-4500 The AD tree test connection and user & group browsing is not working when only AES ciphers are enabled in Backend Active Directory.
SMA1000-4501 Post firmware upgrade to 12.4.1 SMA6200 appliances restart automatically with VMcores.
SMA1000-4503 Post firmware upgrade to 12.4.1, the AMC console does not display the username and password to login, however it is able to login into SMA console via CMS.
SMA1000-4522 Services should prefer time-valid certificates.
SMA1000-4577 Security headers are not sent and not observed in robots.txt
SMA1000-4580 WINS are enabled on Connect Tunnel even though not configured in AMC
SMA1000-4601 Misspelling in SMA 1000 Stop Network Capture dialog
SMA1000-4605 Post hotfix upgrade to 12.4.1 with security headers enabled, PKI authentication does not work.
SMA1000-4607 CLI commands to enable connect automatically at Windows logon option.
SMA1000-4634 CT users fail SAML auth using OneLogin
SMA1000-4639 SEM crashes when accessing Citrix applications
SMA1000-4684 Initializing JitterEntropy failed (9): CATASTROPHIC installing 12.4.1 OVA on ESXi 7.0.2
SMA1000-4760 Provide clues in AMC SSL certificate selection UI
SMA1000-4799 Unregistered device log does not display any data, even when EPC check for equipment ID failed.
SMA1000-4814 WorkPlace takes an abnormally long time to load
SMA1000-4824 AMC should not redirect to IP address HTTP 1.0 request w/o host header
SMA1000-4845 Include the ForceAuthn = "true" parameter in the SAML Auth request made by the SMA
SMA1000-4876 Even when the SMA does not have any PKI auth server displays OCSP:: Could not verify response error message.
SMA1000-4910 Favicon.ico replace does not work with workplace style and displays an error.
SMA1000-4919 EPC Cookie Does Not Contain The "HTTPOnly" Attribute
SMA1000-4941 Application EPC check fails when process has custom extension
SMA1000-4967 Post upgrade to new version Connect automatically at Windows logon option is enabled.
SMA1000-5003 HTML5 RDP does not get disconnected even after the session is terminated with workplace
SMA1000-5079 CVE-2022-0847
SMA1000-5080 PS core found, trace to captcha lib(libgd)
SMA1000-5086 CT on MacOS displays an error message that cannot reach the Hostname/IP
SMA1000-5100 CVE-2022-0778 - OpenSSL BN_mod_sqrt DOS
SMA1000-5148 Allow control of whether an imported config overwrites existing CA certificates (RFE 4701)
SMA1000-5173 12.4.2:Tunnel connections are suddenly dropping and reconnecting
SMA1000-5174 12.4.2:Enable 10Gb connectivity over Internal and External Interface
SMA1000-5197 Certificate chain error occurs when connecting with Connect Tunnel in 12.4.1
SMA1000-5211 Equipment Identifier field is needed for user session no option to relate with user logged in from AMC
SMA1000-5267 Profile creation may take long without any progress indication to user
SMA1000-5272 Post upgrade from 12.3 to 12.4.1-02629 RDP function is not working.
SMA1000-5277 Access Rule when expanded gives extended error and no information is displayed.
SMA1000-5297 Windows CT - installer should not install credential provider by default, this is an advanced option
SMA1000-5305 12.4.2 Mac CT crashes during SND upon connecting to 12.1
SMA1000-5306 Mac CT thread/timing issue using 2FA prompts
SMA1000-5307 Mac CT - hangs when adding new configuration, or takes a long time
SMA1000-5319 On CMS GTO DNS delegations page, show all GTO services
SMA1000-5369 DynamicGroup AD group edit in Access control displays up page not found message
SMA1000-5382 Connect Tunnel crashes and fails to launch when user.config Settings file is corrupted
SMA1000-5404 Post upgrade from version-12.4.0-03189 to 12.4.1-02629 CMS fails to boot, it is in loop
SMA1000-5470 Redirect All mode with exclusions is not working as expected in MAC

Known Issues

Issue ID Issue Description
SMA1000-5257 Support Network Logon on x86 and arm64 devices
SMA1000-5433 CMS Reports page displays incorrect user counts
SMA1000-5513 Test connection under Intune MDM settings works only for in-built admin account

Additional References

SMA1000-5034, SMA1000-4987, SMA1000-4903
