Secure Mobile Access 12.0 Admin Guide


Security Administration

Creating and Managing Resources

Managing security is perhaps your most important job as an administrator. The Appliance Management Console (AMC) makes it easy for you to manage the fundamental elements of security administration: resources and access control rules.

This section explains how to create and manage individual resources, resource groups, and configuration settings for resources. You can define a resource before referencing it in an access control rule, or define it directly from the access control rule interface. (For more information about the latter, see Adding Users and Resources From Within Access Control Rules.)

There’s a tool you can use on the appliance command line to see whether you reference any hosts that cannot be resolved in DNS, or whether your access control rules contain any unreferenced resources. See Validating Hosts for more information.

Resource Types

The SMA appliance provides access to a wide variety of corporate resources, which fall into these categories:

Built-In Resources

There are several resources that are built into your appliance to help you get a WorkPlace portal set up quickly. These built-in resources cannot be deleted—access to some of them is granted through WorkPlace shortcuts:

Secure Mobile Access WorkPlace (Resource Type: URL)

The WorkPlace portal gives users access to Web-based resources. This particular resource is used by another built-in item, which you can modify: an access permit-all rule that allows any user from any zone to have access to the default WorkPlace portal.

Value: http://127.0.0.1:8085/workplace/

Connect Tunnel (Resource Type: URL)

Connect Tunnel is an application that provides broad access to network resources. You determine how users access the Connect Tunnel client:

Allow users to download the Connect Tunnel client and activate it from a link (shortcut) in WorkPlace. Keep in mind that when you give users access to this resource, you allow them to both install and use the client: a user without access to this resource cannot use Connect Tunnel for access to network resources. The WorkPlace shortcut for this resource (Install Connect Tunnel) can be modified or deleted; the resource itself cannot.
Deploy the Connect Tunnel client setup package without requiring users to log in to Secure Mobile Access WorkPlace.

Value: http://127.0.0.1:8085/ctdownload/

Network Explorer (Resource Type: Network Share)

Network Explorer is a Web-based extension, accessible from WorkPlace, that provides access to any Windows file system resources that the user has permission to use (even from desktop browsers on non-Windows platforms). These resources can include servers, computers, workgroups, folders, and files. The WorkPlace shortcut for this resource (Network Explorer) can be modified or deleted; the resource itself cannot.

Value: smb://127.0.0.1/networkexplorer/

Web Resources

Web resources include Web-based applications or services that are accessed using HTTP or HTTPS. Examples include Microsoft Outlook Web Access and other Web-based email programs, Web portals, corporate intranets, and standard Web servers.

Web traffic is proxied through the Web proxy service, a secure gateway through which users can access private Web resources from the Internet. When you define a Web resource as a destination in an access control rule, make sure that Web browser is among the client software agents available for the rule. For more information, see Resolving Invalid Destination Resources.

A Web resource can be defined in various ways, as shown in Web resource example definitions.

Web resource example definitions

URL Type                                   Example
Standard URL                               http://host.example.com/index.html
Standard URL with port number              http://host.example.com:8445/index.html
URL for secure site                        https://host.example.com/index.html
URL containing IP address                  http://192.0.34.0/index.html
Matching URL (use wildcards to refer       http://mailserver*.company.com/
to a group of Web resources)
URL with path and query string matching    http://www.patient-records.com/reports.aspx?last_name=
(match a path element or query string
value to block email attachments, or to
prevent a Web-based application from
displaying restricted data)

NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

NOTE: Some Web-based applications use Java applets or other browser extensions using protocols other than HTTP. Although these applications are accessed using a Web browser, they must be defined as client/server (not Web resources), and they must be accessed using either a network tunnel client or client/server proxy agent. Examples of such applications include Citrix NFuse, Oracle J-Initiator, and certain versions of SAP and PeopleSoft.

Client/Server Resources

Client/server resources are enterprise applications that run over TCP/IP (including applications that use UDP). Examples include thin-client applications such as Citrix; full client/server applications such as Microsoft Outlook; Lotus Notes; SAP; and terminal servers.

You define these types of client/server applications by specifying a host name, an IP address or IP range, a subnet IP address, or a DNS domain. These resources can also be used to define a network object containing multiple Web resources (such as a domain), or to define a network object that can be used to control access based on the source of a connection request.

Resource type syntax explains the syntax used to define each of these resource types. Host names can be fully qualified or unqualified.

Resource type syntax

Resource type          Example
Domain                 private.example.com
Host name              bart.private.example.com
Host IP address        192.0.34.72
IP range               192.0.34.72 - 192.0.34.74
Subnet                 192.0.34.0 / 255.255.255.0

Example

In this example, a Web development team has a single Web server with three virtual Web servers, one for each stage in their development process. Each virtual Web server listens on a different port.

Rather than creating three different URL resources, the Web development team can define the Web server, which proxies traffic on all ports, as a resource type of Host name or IP (for example, webdev.yourcompany.com). In addition, they attach a single sign-on Web application profile to it, and now all three of the virtual Web servers are defined at once, and they share the same SSO profile:

webdev.yourcompany.com
webdev.yourcompany.com:8080
webdev.yourcompany.com:8443
NOTE: Microsoft Outlook connects to Microsoft Exchange using an unqualified host name. When defining a Microsoft Exchange server as a resource, define it as an unqualified name (for example, CorpMail).

To use Exchange on Symbian, Android, iPad and iPhone devices, create a URL resource of the type ActiveSync for Exchange.

File Share Resources

When users log in to WorkPlace, they have access to file system resources that you set up. These can include computers containing shared folders and files and Windows network servers.

You can define a specific file system share by typing a UNC path, or you can define an entire Windows domain:

A specific file system resource can be an entire server (for example, \\ginkgo), a shared folder (\\john\public), or a network folder (\\ginkgo\news).
Defining an entire Windows domain gives authorized users access to all the network file resources within the domain. These resources are the same ones you would see if you were to browse the network using Windows Explorer (My Network Places > Entire Network > Microsoft Windows Network).

You can use resource variables to dynamically reference multiple folders on the network. For example, to give each user access to a personal folder, create a resource using a variable for the user name, and then use that variable when you create a shortcut on WorkPlace. See the example in Using Session Property Variables for more information.

Resources and Resource Groups

Viewing Resources and Resource Groups

You can view and define individual resources or groups of them in AMC by selecting Security Administration > Resources.

To view the list of available resources and resource groups:

1. From the main navigation menu in AMC, click Resources.
2. On the Resources tab, review the list of available individual resources. (The Resource Groups tab displays collections of resources.)
3. Use the Filters settings at the top of the page to filter the resources that are displayed here. For information about using filters, see Filters.
   The Type column displays the type of each resource (such as Domain name, Host name). Remember that a client/server resource can contain both Web and client/server applications.
   The Used column indicates whether a resource has been specified in a shortcut on WorkPlace.
4. For an overview of a particular resource, click the plus sign (+) next to it. This shows the resource type, its value, and whether it is used by a WorkPlace shortcut or access rule.

NOTE: By default, there are some read-only resource definitions included with the appliance, for example, Secure Mobile Access WorkPlace and Connect Tunnel Download. These definitions are required by the appliance services and cannot be deleted (a read-only resource has no checkbox next to it).

5. To edit a resource, click its link in the resource list.

Adding Resources

Creating application resources—Web, client/server, and file share resources—is the first step in forming access policies for your users.

To add a resource:

1. From the main navigation menu in AMC, click Resources.
2. Click New and then choose a resource type from the drop-down menu.
3. The Add Resource page is displayed. The options you see on the Add Resource page depend on the resource type you selected.

The options shown in Shared options are shared across the specified resource types:

Shared options

Name (Resource type: All)

Resource name

Description (Resource type: All)

Resource description

URL

URL of the resource

This destination is on the external network.

Select this option if this resource is on an external network.

Variable (Resource types: Citrix server farm, Domain, Host name or IP, Matching URL, Network share, URL)

Select a variable from the menu to define dynamic resources; see Using Variables in Resource and WorkPlace Shortcut Definitions.

Create shortcut in WorkPlace (Resource types: Domain, Network share, URL)

Add a shortcut to a Web resource in WorkPlace. The name you assign to the resource will appear in the list of Shortcuts on the Secure Mobile Access WorkPlace page. You can add the shortcut to a new or existing shortcut group in order to keep shortcuts with similar usage requirements together on the WorkPlace portal page.

Web application profile (Web proxy options or Advanced area) (Resource types: Domain, Host name or IP, IP range, Matching URL, Subnet, URL)

This list contains preconfigured Web profiles that are recommended for several popular Web applications, custom Web profiles, and a default Web profile. If you are unsure about which profile to select, choose Default. To see a profile, click View selected profile. Also see Adding Web Application Profiles.

The options shown in URL resource type unique options are unique to the URL resource type:

URL resource type unique options

URL

If you do not enter a protocol identifier, AMC automatically inserts http:// before the URL. If this is a URL for a secure site, you must include the https:// protocol identifier. For example, type https://example.domain.com.

Custom access area (Web Proxy Options)

You can choose to Translate this resource or Access this resource on a custom port or Access this resource using a custom IPv4 or IPv6 FQDN.

Translation uses URL rewriting, but the other alternatives provide clientless Web application access and do not incur the limitations of URL rewriting. URL rewriting can have problems with Web programming technologies such as AJAX.

The options below will vary according to your choice.

Alias name (Web proxy)

Specify a public alias to represent a private URL. The alias name is visible to users—make it short and descriptive so that it is easy to remember. You should specify an Alias name if:

You want to obscure the internal host name for this resource.
The URL resource is not contained within a search domain configured for Name resolution on the Network Settings page.
You normally redirect traffic through a network agent, but in this case you want to force the resource to be proxied using translated Web access. See Adding Web Shortcuts for more information.
NOTE:  
The private URL that you are representing with the alias must point to a directory on the back-end server, not a particular file.
Use ASCII characters when specifying an alias. Users who connect to WorkPlace using translated Web access will see an error message if non-ASCII characters are used.
Creating an alias works only for URLs (addresses with an http or https prefix); you cannot specify an alias for a UNC path or FTP resource (ftp://), for example.

Also see Example: Specifying a URL Alias for a detailed description of how an alias is used.

Port (Web proxy)

The Port option is available when you select Access this resource on a custom port under Custom access. Enter the custom port number. The resource becomes available at that port on each WorkPlace site. The port must be open on any firewalls and must not be already in use on the external side of the appliance. Actual delivery of Web content depends on policy checks in accordance with normal appliance operation.

Custom FQDN (Web proxy)

The Custom FQDN option is available when you select Access this resource using a custom FQDN under Custom access. Type the Custom FQDN name (such as custom.mydomain.com) to be hosted by an externally accessible Web server on the appliance.

By default, AMC listens on all interfaces for all services and connects the request to the correct service based on the FQDN being requested. The host name cannot be relative to any WorkPlace site. A maximum of 32 IPv4 or IPv6 addresses for externally defined host names are allowed between independently hosted Web application names and WorkPlace sites, supporting up to 64 total host names.

Custom FQDN mapped Web access provides Single Sign-on support. If the host name or IP address on the certificate does not match the Custom FQDN or IP address that you specified for this site, a security warning is displayed when users access the site. Custom FQDNs are handled similarly to a WorkPlace site, as explained in To add a WorkPlace site.

Listen on an additional IP address (Web proxy)

(Migrated/imported configurations only)

An additional listening address can be specified if AMC was upgraded from a previous version where a virtual IP address is configured for the WorkPlace site or the CEM is used. To listen on an additional address, check the Listen on an additional IP address checkbox and type the IP address.

For new installations, the Listen on an additional IP address fields are hidden. On a partial import, virtual IP address information is lost, and applying pending changes forces the Administrator to fix any WorkPlace site or URL resource configured to use a different IP address. In this case, the Listen on an additional IP address fields are visible, with the checkbox checked to enable listening on an additional address. Either enter an IP address or uncheck the checkbox.

For migrated/imported configurations with existing virtual hosts, the UI section is visible, but the Administrator cannot create new virtual addresses. If necessary, use CEM to create virtual host addresses in a new or migrated/imported configuration.

If the host name or IP address on the certificate does not match the IP address that you specified for this site, a security warning is displayed when users access the site.

IP address (Web proxy)

(Migrated/imported configurations only)

Select an existing IP address or select (New) to add an IP address in the New IP address field.

New IP address (Web proxy)

Type in the IP address of the resource in dotted decimal form (w.x.y.z). This address must be on the same subnet as the appliance interface.

SSL certificate (Web proxy)

Select an existing SSL certificate or select (New) to add a new SSL certificate for this resource. If a certificate that matches the name is already available on the appliance, it is selected. Otherwise, select one from the SSL certificate list or import a certificate.

Organization (Web proxy)

Type in your company or organization name.

Country (Web proxy)

Type in the 2-letter abbreviation for your country (such as US or AU).

Synonyms (Web proxy)

Define alternative names for the URL resource name. This is convenient for users if they access the server using a different name (perhaps an unqualified or condensed name), or if a Web page contains links pointing to a DNS alias and the name is not properly translated by the Web proxy service. Separate multiple synonyms with semicolons.

The appliance automatically defines a shortened name for the resource as a synonym. For example, if the URL is http://mail.example.com, the appliance adds the synonym mail. This synonym does not, however, appear in the Synonyms field.

When Translate this resource is selected and you specify Synonyms, there must be something in the Alias name field. For the other Custom access options, the Synonyms field is independent of other fields.

Provide Exchange ActiveSync and Outlook Anywhere access to this resource (Exchange Server)

Select this checkbox to allow Exchange ActiveSync and Outlook Anywhere access to this resource. For more information, see Exchange ActiveSync Web Access. For an example use case, see Example: Supporting Exchange on iPhones. For Outlook Anywhere, see Configuring SMA Support for Microsoft Outlook Anywhere.

Exchange server FQDN (Exchange Server)

Type the Exchange server FQDN (IPv4 or IPv6) name (such as custom.mydomain.com) to be hosted by an externally accessible Web server on the appliance. By default, AMC listens on all interfaces for all services and connects the request to the correct service based on the FQDN being requested.

Listen on an additional IP address (Web proxy)

(Migrated/imported configurations only)

An additional listening address can be specified if AMC was upgraded from a previous version where a virtual IP address is configured for the WorkPlace site or the CEM is used. To listen on an additional address, check the Listen on an additional IP address checkbox and type the IP address.

For new installations, the Listen on an additional IP address fields are hidden. On a partial import, virtual IP address information is lost, and applying pending changes forces the Administrator to fix any WorkPlace site or URL resource configured to use a different IP address. In this case, the Listen on an additional IP address fields are visible, with the checkbox checked to enable listening on an additional address. Either enter an IP address or uncheck the checkbox.

For migrated/imported configurations with existing virtual hosts, the UI section is visible, but the Administrator cannot create new virtual addresses. If necessary, use CEM to create virtual host addresses in a new or migrated/imported configuration.

If the host name or IP address on the certificate does not match the IP address that you specified for this site, a security warning is displayed when users access the site.

IP address (Exchange Server)

(Migrated/imported configurations only)

Select an existing IP address or select (New) to add a new IP address.

Realm (Exchange Server)

Select the realm from the drop-down list. ActiveSync access requires the use of a realm that uses a single Active Directory authentication server. The realm must be already configured.

Fallback Exchange server URL (Exchange Server)

Enter the URL for the Exchange Server you want to use as the fallback server. See Configuring Fallback Servers for details on configuring a fallback server.

The options shown in Matching URL resource type unique options are unique to the Matching URL resource type:

Matching URL resource type unique options

URL

If you do not enter a protocol identifier, AMC automatically inserts http:// before the URL. If this is a URL for a secure site, you must include the https:// protocol identifier. For example, type https://example.domain.com.

The wildcard characters “*” and “?” can be used within address segments (between periods) of a Matching URL resource. Do not use the “?” character after the domain name—it indicates a URL query string.

Use wildcard characters in the following situations:

Type www.yourcompany*.com to reference several domains that begin with yourcompany and end with .com, or type www.yourcompany.* to reference both http://www.yourcompany.com and http://www.yourcompany.de.
Create an entry, such as mail*.yourcompany.com, that gives the user access to anything in the yourcompany domain that begins with mail. This example provides access to mail.yourcompany.com and mail2.yourcompany.com, but not to mail3.wemmet.yourcompany.com.

The URL is not case-sensitive.

NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

Path and query string matching

These options allow you to block email attachments, or prevent a Web-based application from displaying restricted data by matching a path element or query string value to a particular URL. See Example: Blocking Email Attachments and Example: Restricting Access to Sensitive Data for more information.

The Query string value is case-sensitive, while the Path element is not.
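As an added example that is not part of the SonicWall guide, the following Python models the matching rules described in this section and in the Resource type syntax table: '*' and '?' wildcards confined to one address segment, case-insensitive host names and path elements with case-sensitive query values, and membership tests for the Host IP address, IP range and Subnet syntaxes. The resource type labels and function names are this example's own assumptions, not AMC identifiers.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Resource type labels, assumed here to mirror the AMC "Resource type" column.
DOMAIN, HOST_NAME, HOST_IP, IP_RANGE, SUBNET = (
    "Domain", "Host name", "Host IP address", "IP range", "Subnet")


def wildcard_name_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a host-name pattern whose '*' and '?' wildcards are confined to
    one address segment (between periods), so 'mail*.yourcompany.com' covers
    mail2.yourcompany.com but not mail3.wemmet.yourcompany.com. Host names are
    compared case-insensitively."""
    labels = []
    for label in pattern.split("."):
        labels.append("".join(
            {"*": "[^.]*", "?": "[^.]"}.get(ch, re.escape(ch)) for ch in label))
    return re.compile("^" + r"\.".join(labels) + "$", re.IGNORECASE)


def resource_matches(kind: str, value: str, target: str) -> bool:
    """Return True when `target` (a host name or IP address) falls inside the
    resource written in the syntax of the guide's Resource type syntax table."""
    value, target = value.strip(), target.strip()
    if kind == DOMAIN:
        # A domain covers itself and every host beneath it.
        return target.lower() == value.lower() or \
            target.lower().endswith("." + value.lower())
    if kind == HOST_NAME:
        return bool(wildcard_name_regex(value).match(target))
    # The remaining types are numeric; a host name can never match them.
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    if kind == HOST_IP:
        return addr == ipaddress.ip_address(value)
    if kind == IP_RANGE:
        # "192.0.34.72 - 192.0.34.74": inclusive bounds on either side of '-'
        low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return addr.version == low.version and low <= addr <= high
    if kind == SUBNET:
        # "192.0.34.0 / 255.255.255.0": network address and dotted-decimal mask
        net, mask = (p.strip() for p in value.split("/", 1))
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    raise ValueError(f"unknown resource type: {kind}")


def matching_url_hit(pattern_url: str, path_element: Optional[str],
                     query: Optional[Tuple[str, Optional[str]]],
                     request_url: str) -> bool:
    """Evaluate a Matching URL resource against a requested URL.

    The pattern's host may use segment-bounded wildcards and, like the optional
    path element, compares case-insensitively; the optional (name, value) query
    match compares the value case-sensitively. A value of None only requires
    the parameter to be present, as in the guide's '...reports.aspx?last_name='.
    """
    if "://" not in pattern_url:
        pattern_url = "http://" + pattern_url   # AMC inserts http:// when omitted
    pat, req = urlsplit(pattern_url), urlsplit(request_url)
    if not wildcard_name_regex(pat.hostname or "").match(req.hostname or ""):
        return False
    if path_element is not None:
        segments = [s.lower() for s in req.path.split("/") if s]
        if path_element.lower() not in segments:
            return False
    if query is not None:
        name, wanted = query
        values = parse_qs(req.query, keep_blank_values=True).get(name, [])
        if not values or (wanted is not None and wanted not in values):
            return False
    return True


if __name__ == "__main__":
    # Constructed checks using the guide's own example values.
    print(resource_matches(HOST_NAME, "mail*.yourcompany.com", "mail2.yourcompany.com"))
    print(resource_matches(HOST_NAME, "mail*.yourcompany.com", "mail3.wemmet.yourcompany.com"))
    print(resource_matches(SUBNET, "192.0.34.0 / 255.255.255.0", "192.0.34.200"))
    print(matching_url_hit("www.patient-records.com", "reports.aspx", ("last_name", None),
                           "http://www.patient-records.com/Reports.aspx?last_name=Smith"))
```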

The options shown in Host name or IP resource type unique options are unique to the Host name or IP resource type:

Host name or IP resource type unique options

Host name or IP

A host can include any computer on your network; for example, bart.private.example.com or 192.0.34.72.

When you specify a host name, the wildcard characters “*” and “?” can be used within an address segment (between periods). For example, the entry mail*.yourcompany.com gives the user access to anything in the yourcompany domain that begins with mail (for example, mail.yourcompany.com and mail2.yourcompany.com), but not to mail3.wemmet.yourcompany.com. The host name is not case-sensitive.

NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

The option shown in Network share resource type unique options is unique to the Network share resource type:

Network share resource type unique options

Network share

Type a UNC path. This can be an entire server (for example, \\ginkgo), a shared folder (\\john\public), or a network folder (\\ginkgo\news).

The option shown in IP range resource type unique options is unique to the IP range resource type:

IP range resource type unique options

IP range

An IP range typically identifies a partial range of computers within a subnet; for example, 192.0.34.72-192.0.34.74.

The options shown in Subnet resource type unique options are unique to the Subnet resource type:

Subnet resource type unique options

Subnet IP

A subnet is a portion of a network that shares a common address component. For example, 192.26.34.0.

Subnet mask

For example, 255.255.255.0.

The options shown in Domain resource type unique options are unique to the Domain resource type:

Domain resource type unique options

Domain

A domain encompasses one or more hosts.

If the Windows domain checkbox is cleared, the domain name must be in DNS syntax. For example, sampledomain.com.

Windows domain

To define an entire Windows domain, select the Windows domain checkbox, and then type the name of the Domain in either NetBIOS or DNS syntax (such as example or example.com). Defining a domain gives authorized users access to all the network file resources within the domain.

The option shown in Server farm resource type unique option is unique to the Server farm resource type:

Server farm resource type unique option

Server farm list

Specify the Host name or IP address and service Port of up to six Citrix servers running the XML service or VMware servers running the broker service. For more information, see Adding Citrix Server Farm Resources or Adding VMware View Resources.

4. After you’ve finished defining a resource, click Save.

Example: Specifying a URL Alias

Any Web resource—such as a Web application, a Web portal, or a Web server—can be defined as a URL resource. Defining a Web resource as a URL provides several advantages:

You can create a Web shortcut for WorkPlace to give users quick access to a URL resource.
You can define very specific access rules to control which users can access the URL.
You have the option of obscuring (or “aliasing”) the internal host name so it is not publicly exposed. When a user accesses an alias, the request is proxied to the downstream Web resource and its private URL is translated using the alias you specify. The user sees only the public (or aliased) URL.

Private address translated to a public URL illustrates how the private address for an inventory application might be translated into a public URL.

Private address translated to a public URL

The private URL for this resource is http://inventory.example.com, and the administrator has created an alias for it named supplier.

Instead of using the private URL (which would publicly expose a sensitive host name), suppliers access a public URL: https://vpn.example.com/supplier.

A public URL consists of the following:

An https:// prefix rather than http://: this is because all traffic to and from the SMA appliance is secured using SSL
The appliance’s fully qualified domain name (in this example, vpn.example.com)
The resource’s alias name (in this example, supplier)

NOTE:
Some Web-based applications use Java applets or other browser extensions that submit traffic using protocols other than HTTP. Examples of such applications include Citrix NFuse and certain versions of SAP. Although accessed using a Web browser, these applications may need to be defined as a client/server resource and proxied through OnDemand using the client/server access service.
The private URL for which you create an alias must be a directory on the back-end server; it cannot be a file, and it must begin with either http:// or https://.
Use ASCII characters when specifying an alias. Users who connect to WorkPlace using translated Web access will see an error message if non-ASCII characters are used.

For information on defining URL resources, see Adding Resources.

Example: Blocking Email Attachments

Your organization may need to restrict access to sensitive data for users working from an unmanaged or untrusted public system. For example, you may want to allow users to view email messages, but prevent them from downloading email attachments that could be left behind on the computer and accessible to unauthorized users.

The following example demonstrates how to use an access control rule, together with a Matching URL resource and End Point Control zone, to block attachments from being downloaded to untrusted devices. For an overview of access control, see Access Control Rules.

The example assumes that you have an EPC zone configured (named Untrusted in this example) into which devices that are not IT-managed are classified; see Managing EPC with Zones and Device Profiles for information about configuring and using zones.

To block email attachments using a Matching URL resource:

1. From the main navigation menu in AMC, click Access Control.
2. Click New. The Add/Edit Access Rule page appears.
3. In the Position field, type a number to specify the rule’s position in the access rule list.
4. Use the Action buttons to specify Deny. This will deny users access to any resource that matches the pattern you specify in the next step.
5. Complete the information under Basic settings:
   a. Leave User selected (so that the rule applies to users trying to access a resource).
   b. The From field specifies the users to whom the rule applies. For this example, leave the value as Any user.
   c. In the To field, click Edit to specify the target resource for this rule. A Resources window appears.
   d. Click New, and then select Matching URL. The Add Resource - Matching URL page appears.
   e. Type a name for the resource. For example, Block email attachments.
   f. In the URL box, type the URL address of your mail server.
   g. In the Path and query string matching area, select Exchange/OWA attachments from the Type of match list.
   h. Click Save. The Add Resource - Matching URL dialog closes.
6. In the End Point Control zones area, click Edit to select the zone from which you will deny access to the resource (Untrusted).
7. When you create a rule that specifies a Matching URL resource type, the user must be allowed to use a browser as an access method. On the Advanced tab, in the Access method restrictions area, make sure that the Client software agents are either set to Any, or that Web browser is among the selected agents.
8. Click Finish.

NOTE:
Some Web-based applications automatically redirect users to other Web pages. Be certain to use the target URL address (the Web page to which users are redirected) when configuring the appliance to block email attachments. See Example: Working with a URL Redirect for more information.
You cannot configure a Matching URL resource to block attachments for users who connect to the appliance using OnDemand Tunnel or Connect Tunnel.

Example: Supporting Exchange on iPhones

Exchange ActiveSync Email and related functions are supported on Android, Windows Mobile, and Apple iPad and iPhone.

The following example describes configuring a URL resource to support iPhone users who wish to access Microsoft Exchange.

* 
NOTE: This example assumes you have a realm which uses single Active Directory authentication.
Allow iPhone users to access corporate Exchange server:
1
From the main navigation menu in AMC, click Resources.
2
Click New. Select URL. The Add Resource URL page appears.
3
Enter the name, description, and externally-facing URL. Enter only the server name without a starting or index page. In this example, we will use internalexchangeserver.SMA.com.
4
Choose a group to add this resource to. In this example, we have left this in the default group.
5
Click Exchange Server options. The Exchange Server options section appears.
6
Select the Enable Exchange ActiveSync and Outlook Anywhere access to this resource checkbox.
7
In the Host and domain name field, type the external host name and domain that will be accessed by iPhone users.
8
Select the realm from the Realm drop-down menu. Only realms that use Active Directory for authentication are available as choices.
9
Click Save.
10
To configure an ActiveSync device profile for iPhones, click End Point Control in the main navigation menu in AMC.
11
On the Device Profiles tab, click New and select Exchange Activesync.
12
Enter a name and description for the device profile in the Name and Description fields.
13
In the Add attribute(s) section, select Equipment ID for the Type.
14
In the Device identifier field, enter the user attribute variable that contains the device identifier. For iPhone, the identifier is the serial number of the device. For details, see the Equipment ID table under Device Profile Attributes.
15
Click Save.
16
Notify your iPhone users of the externally-facing URL and instruct them to log in using their Active Directory credentials. Users must configure ActiveSync for Exchange on the device:
a
On the iPhone, go to Settings > Mail, Contacts, Calendars > Add Account, and then enter the user’s account information.
b
Set the server name to the URL (external host name and domain) provided by the administrator.
* 
NOTE: To ensure that your Exchange server is correctly configured to work with iPhones, it is recommended that you test iPhone access with the Exchange server directly. After confirming iPhone access to email, then add the SMA appliance between the iPhone and the Exchange server. If your Exchange server is not accessible from the Internet, you can set up a WiFi access point to test iPhone access to it.

For details about setting up an Exchange server for iPhone access, refer to the iPhone OS Enterprise Deployment Guide, available at: http://images.apple.com/ie/iphone/business/docs/Enterprise_Deployment_Guide.pdf.

Example: Restricting Access to Sensitive Data

The following example demonstrates how to use an access control rule, together with a Matching URL resource and End Point Control zone, to prevent a Web-based application from displaying restricted data to untrusted devices.

For an overview of access control, see Access Control Rules.
The example assumes that you have an EPC zone configured (named Untrusted in this example) into which devices that are not IT-managed are classified; see Managing EPC with Zones and Device Profiles for information about configuring and using zones.
Prevent a Web-based application from retrieving data using a Matching URL resource:
1
From the main navigation menu in AMC, click Access Control.
2
Click New. The Add/Edit Access Rule page appears.
3
In the Position field, type a number to specify the rule’s position in the access rule list.
4
Use the Action buttons to specify Deny. This will deny users access to any resource that matches the pattern you specify in the next step.
5
Complete the information under Basic settings:
a
Leave User selected (so that the rule applies to users trying to access a resource).
b
The From field specifies the users to whom the rule applies. For this example, leave the value as Any user.
c
In the To field, click Edit to specify the target resource for this rule. A Resources dialog appears.
d
Click New, and then select Matching URL. The Add Resource - Matching URL page appears.
e
Type a name for the resource. For example, Patient Records.
f
In the URL field, type the URL address of your Web-based application. For example, www.patient-records.com.
g
In the Path and query string matching area, select Custom from the Type of match list.
h
Click New, and then select Path element. Type reports.aspx and then click OK (the path is not case-sensitive).
i
Click New again, and select Query string. Type last_name=, and then click OK (the query string is case-sensitive).
j
Click Save. The Add Resource - Matching URL dialog closes.
6
In the End Point Control zones area, click Edit to select the zone from which you will deny access to the resource (Untrusted).
7
When you create a rule that specifies a Matching URL resource type, the user must be allowed to use a browser as an access method. On the Advanced tab, in the Access method restrictions area, make sure that the Client software agents are either set to Any, or that Web browser is among the selected agents.
8
Click Finish.

After you save and apply your changes, users who attempt to open the Patient Records resource (using a URL that matches http://www.patient-records.com/reports.aspx?last_name=) and who are classified into the Untrusted zone will be denied access.

* 
NOTE:  
Some Web-based applications automatically redirect users to other Web pages. Be certain to use the target URL address (the Web page to which users are redirected) when defining the Matching URL resource; a pattern that matches only the original address is never evaluated against the redirected request. See Example: Working with a URL Redirect for more information.
You cannot configure a Matching URL resource to restrict access to sensitive data for users who connect to the appliance using OnDemand Tunnel or Connect Tunnel.
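
The following Python is an added example, not appliance code, that evaluates the deny rule built in the example above the way the steps describe it: a path element is matched without regard to case (step h), a query string is matched case-sensitively (step i), the rule applies only to the Untrusted zone and only to browser access (step 7), and the first rule in position order whose conditions all hold decides. Because the appliance’s real matcher is not published here, the example assumes a path element is compared against one path segment and a query string is a substring of the query; the permit-all rule in position 2, the zone names and the agent names are constructed for the example.

```python
"""Evaluate Matching URL access rules as this section describes them.

Added example, not appliance code. Assumptions: a 'path element' is compared
case-insensitively against a single path segment, a 'query string' is a
case-sensitive substring of the query, and a request that matches no rule
is denied (check what your own final rule does).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class MatchingUrl:
    name: str
    host: str
    path_elements: tuple            # matched without regard to case (step h)
    query_strings: tuple            # matched case-sensitively (step i)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if parts.hostname is None or parts.hostname.lower() != self.host.lower():
            return False
        segments = {s.lower() for s in parts.path.split("/") if s}
        if not all(e.lower() in segments for e in self.path_elements):
            return False
        return all(q in parts.query for q in self.query_strings)


@dataclass(frozen=True)
class Rule:
    position: int
    action: str                     # "permit" or "deny"
    resource: Optional[MatchingUrl] # None: any resource
    zones: frozenset               # empty: any End Point Control zone
    agents: frozenset              # empty: any client software agent


def evaluate(rules, url: str, zone: str, agent: str) -> str:
    """The first rule (by position) whose conditions all hold decides."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.agents and agent not in rule.agents:
            continue
        if rule.zones and zone not in rule.zones:
            continue
        if rule.resource is not None and not rule.resource.matches(url):
            continue
        return rule.action
    return "deny"   # example default when nothing matches


PATIENT_RECORDS = MatchingUrl(
    name="Patient Records",
    host="www.patient-records.com",
    path_elements=("reports.aspx",),
    query_strings=("last_name=",),
)

# Constructed rule set: the deny rule from the example in position 1, then a
# permit-all rule standing in for whatever normally grants access.
RULES = [
    Rule(1, "deny", PATIENT_RECORDS, frozenset({"Untrusted"}), frozenset({"web"})),
    Rule(2, "permit", None, frozenset(), frozenset()),
]

if __name__ == "__main__":
    base = "http://www.patient-records.com/"
    for url, zone, agent in [
        (base + "reports.aspx?last_name=", "Untrusted", "web"),
        (base + "Reports.ASPX?last_name=Smith", "Untrusted", "web"),
        (base + "reports.aspx?LAST_NAME=Smith", "Untrusted", "web"),
        (base + "reports.aspx?last_name=", "Trusted", "web"),
        (base + "reports.aspx?last_name=", "Untrusted", "tunnel"),
    ]:
        print(f"{agent:6} {zone:9} {url} -> {evaluate(RULES, url, zone, agent)}")
```

Two of the constructed requests are worth noting. The request with LAST_NAME= is permitted because the query string match is case-sensitive; if the application itself treats parameter names case-insensitively (ASP.NET’s Request.QueryString does), add the variants you need to block or the rule is trivially sidestepped. The request over the tunnel agent is permitted because the rule is limited to browser access, which is the behaviour the note above describes: a Matching URL resource cannot restrict users on OnDemand Tunnel or Connect Tunnel.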

Editing Resources

Before modifying a resource, carefully examine any Access Control rules associated with it to understand how your changes will affect your security policy.

To edit a resource:
1
From the main navigation menu in AMC, click Resources.
2
Click the name of the resource that you want to edit.
3
On the Add/Edit Resource page, make your edits as needed.
4
Click Save.
* 
NOTE: You cannot change an existing client/server resource’s definition setting (for example, change a host name to an IP range); instead, you must create a new resource and apply the appropriate definition setting.

Deleting Resources

You cannot delete a resource that is referenced in an access control rule, resource group, or WorkPlace shortcut. Before deleting a resource, you must first remove it from any rules in which it is referenced. See Deleting Referenced Objects for more details.

To delete a resource:
1
From the main navigation menu in AMC, click Resources.
2
On the Resources page, select the checkbox to the left of any resources that you want to delete.
3
Click the Delete button. If this resource is still referenced by an access control rule, resource group, or WorkPlace shortcut, AMC displays an error message. Click the link in the error message to see a list of all references to this resource.

Using the Resource Exclusion List

By default, access agents and Web browsers redirect connections through the appliance for destination resources that you’ve defined in AMC. This redirection is a little different, depending on the user’s means of access:

The tunnel access agent redirects connections through the appliance for any destination resource that the user is permitted to access.
A Web browser redirects to the appliance all destination resources that have been defined in AMC; if the user does not have access, a “permission denied” Web page is displayed.

There may, however, be resources that you don’t want redirected through the appliance. For example, a user starts Outlook Web Access through the appliance and reads an email message with a link to a public site that is within a domain resource configured on the appliance. The traffic generated by following that link would be sent through the appliance. You can prevent this by specifying the public resource in the exclusion list.

Use the resource exclusion list to exclude resources (host names, IP addresses, or domains) from being redirected through the appliance. When specifying a domain, you can also use the wildcard characters asterisk (*) and question mark (?). The list is global and applies to all access services.

* 
NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

The resource exclusion list does not affect access control or security. If you want to prevent access to particular resources, add a Deny rule to the access control list.

To see which resources are configured to be redirected through the appliance, click the Show network redirection list link. This displays the Redirection List page.

To delete a resource from the exclusion list, select its checkbox and then click Delete.

If you exclude a resource by specifying its fully qualified domain name (FQDN), users in a realm that provides access using translated Web mode can still reach the resource through the appliance by typing its unqualified host name in the WorkPlace Intranet Address field.

To add a resource to the resource exclusion list:
* 
CAUTION: If you create a Domain resource in AMC (for example, win.yourcompany.com) and you exclude a resource from that domain using its IP address (10.20.30.40), the resource can still be accessed using its FQDN (server.win.yourcompany.com). This note of caution applies only to agents that use the Web proxy service, not the tunnel clients.
1
From the main navigation menu in AMC, click Resources.
2
Click the Resource exclusion list link at the bottom of the page.
3
In the Exclusion list field, click New, and then type the host name, IP address, or domain that you want to exclude from being redirected through the appliance. Wildcard characters (* and ?) are permitted.

For example, if you have three public web servers (www.YourCompany.com, www2.YourCompany.com, and www3.YourCompany.com), you can allow the network traffic associated with them to avoid the appliance, which will improve performance. Add all three public sites to the Exclusion list by using a wildcard character: www*.YourCompany.com. Resources in this list can also contain variables; see Using Variables in Resource and WorkPlace Shortcut Definitions for more information.

4
Click OK after each addition to the Exclusion list.
5
Click Save.
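
The Python below is an added example, not appliance code. It models only what this section states for browser (Web proxy) access: a destination that matches a resource defined in AMC is redirected to the appliance unless an exclusion list entry matches it, entries may be host names, IP addresses, or domains with * and ? wildcards, and, as the caution above warns, matching is done against the name the client connects to, so an IP address entry does not cover the same server’s FQDN. The resource and exclusion entries are constructed for the example.

```python
"""Route one Web-proxy-agent connection: via the appliance or direct.

Added example, not appliance code. Models this section's description of
browser redirection and the exclusion list; entries below are constructed.
"""
from __future__ import annotations

import ipaddress
from fnmatch import fnmatchcase


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def entry_matches(entry: str, destination: str) -> bool:
    """One host name / IP / domain entry against the destination the client used."""
    e, d = entry.lower(), destination.lower()
    if _is_ip(e) or _is_ip(d):
        return e == d                       # literal IP only; no DNS lookup is done
    if "*" in e or "?" in e:
        return fnmatchcase(d, e)            # wildcard entry such as www*.yourcompany.com
    return d == e or d.endswith("." + e)    # plain entry covers the name and its sub-names


def route(destination: str, resources: list, exclusions: list) -> str:
    """'excluded' (sent direct), 'appliance' (redirected) or 'undefined' (not a resource)."""
    if any(entry_matches(x, destination) for x in exclusions):
        return "excluded"
    if any(entry_matches(r, destination) for r in resources):
        return "appliance"
    return "undefined"


# Constructed policy: a Domain resource for the company domain and for
# win.yourcompany.com; the public web servers and one server's IP are excluded.
RESOURCES = ["yourcompany.com", "win.yourcompany.com"]
EXCLUSIONS = ["www*.YourCompany.com", "10.20.30.40"]

if __name__ == "__main__":
    for dest in ["www2.yourcompany.com", "mail.yourcompany.com",
                 "10.20.30.40", "server.win.yourcompany.com"]:
        print(f"{dest:28} -> {route(dest, RESOURCES, EXCLUSIONS)}")
```

The last constructed destination shows the caution in practice: 10.20.30.40 is excluded, but server.win.yourcompany.com still matches the Domain resource and is redirected, because the agent compares names and never resolves the exclusion entry. The same name-based matching is why an FQDN entry does not cover the unqualified host name typed into the Intranet Address field. None of this is access control; an excluded destination simply never reaches the appliance’s rules, so use a Deny rule when the goal is to block access.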

Using Variables in Resource and WorkPlace Shortcut Definitions

Using variables, you can define a single resource or WorkPlace shortcut that derives its value from a property that is unique for each user. Variables can be defined by a property associated with the session a user has started (the user name, for example, or the name of the zone to which he or she has been assigned), or by querying an external LDAP store for a specific set of attributes, such as a group or computer name.

Variables can be used for all resource types except IP range and Subnet. If a variable resolves to nothing, any configuration item using it will be undefined. For example, you might query an LDAP store for a user’s IMEI number (the built-in ID number on a mobile device). In the case of a user who does not have an IMEI number, the variable would not resolve to anything during that user session. A WorkPlace shortcut that uses the variable would not be displayed, for example, and a policy rule that uses it will also fail.

Topics:  

Using Session Property Variables

After a user has started a WorkPlace session by logging in, there are several session properties that are known, such as the name of the community to which the user has been assigned. You can use these properties to create dynamic resources.

For example, you might want mobile users to have access to a different network share than users with desktop computers. Roughly, you would do this as follows:

Define two communities (Mobile and Desktop).
Set up two file shares on your network. For example, \\company\Mobile and \\company\Desktop.
Define a resource for WorkPlace: \\company\{Session.communityName}.

A single resource can in this manner present both kinds of users with the link that’s appropriate for their devices. The available session properties are listed under Built-in variables.

Built-in variables

{Session.activeDirectoryDomain}: The FQDN or IP address of the AD domain to use as a search base.
{Session.activeDirectoryDomain2}: The FQDN or IP address of a second AD domain to use as a search base (if you’re using chained authentication).
{Session.communityName}: The name of the community to which the user was assigned when he or she logged in. The community controls which access agents are available and the End Point Control settings.
{Session.ntDomain}: The login domain. For example, server3 in this FQDN: server3.uk.company.com.
{Session.password}: The password from the first authentication method.
{Session.password2}: The password from the second authentication method, if used.
{Session.qualifiedName}: For your primary (or only) authentication method, this is the fully qualified user name (username@userdomain.company.com).
{Session.qualifiedName2}: For your secondary authentication method, this is the fully qualified user name.
{Session.realmName}: The name of the realm the user is logged in to.
{Session.remoteAddress}: The IPv4 or IPv6 address of the user’s host as seen by the appliance.
{Session.userName}: The short name for the user from the first authentication method. The short name is usually used for both the user’s email address and home folder.
{Session.userName2}: The user’s short name from the second authentication method, if used.
{Session.zoneName}: The name of the zone to which the user has been assigned, based on the profile of his or her device.

Treat {Session.password} and {Session.password2} as secrets: a resource or shortcut definition that embeds one places the password in a URL, where it is recorded in browser history and in proxy and Web server logs.

To create a WorkPlace shortcut to a network share based on user name:
1
From the main navigation menu in AMC, click Resources.
2
Click New, and then select Network share.
3
Give this resource a name (for example, Personal Folder), and then type the UNC path for the user folders on your network in the Network share field. For example, \\marine_lab\users\.
4
Click {variable} and select Session.userName to add a variable that represents the short login name for the user. When you click Insert, the entry for Network share looks like this: \\marine_lab\users\{Session.userName}
5
Select the Create shortcut on WorkPlace checkbox, and then click Save. By default, the resource you created will be displayed as a link in WorkPlace titled Personal Folder. If you want to change the link text, go to the WorkPlace page in AMC, and then click the link for the new shortcut.

When the user jdoe connects to WorkPlace, the variable is automatically replaced with the name entered during login and provides access to a folder named \\marine_lab\users\jdoe. When user rsmith follows the same link, he has access to the \\marine_lab\users\rsmith folder.

* 
NOTE:  
For instructions on defining a new variable based on an LDAP query, see Using Query-Based Variables.
There is an additional built-in variable named {URL_REF_VALUE}, which is the value of the first variable in the URL of a shortcut. See Displaying a Series of Shortcuts Using a Single Definition for an example of how to use this.

Using Query-Based Variables

When you configure a realm to use an Active Directory or LDAP authentication server, resources can be defined by querying the external LDAP store for a specific attribute or set of attributes. For example, you can use an LDAP query to create a single resource offering each user a WorkPlace link to his or her personal desktop from home or elsewhere, using the remote desktop protocol (RDP) that is built into Windows.

Topics:  
Creating a Resource Pointing to Users’ Remote Desktops
To create a resource variable that points to users’ remote desktops:
1
Modify your LDAP store and add an attribute named rdp.
2
From the main navigation menu in AMC, click Resources.
3
Click the Variables tab, and then click New.

4
Enter a name for the variable (for example, Desktop), and then select User attribute as the Type. The options change.

5
Enter rdp in the Attribute field.
6
From the Output drop-down menu, leave Single result (default) selected if each user has only one computer associated with him or her in the LDAP store.
7
Select the realm to which this new variable applies, and then enter the username of someone who has access to that realm in the User field.
8
Click Test to make sure that the user attribute you specified returns a value for this user.

9
Click Save.
10
On the Resources tab, click New, and then select Host name or IP.
11
Give a name to this resource (for example, Personal computer).
12
In the Host name or IP address field click {variable}, and then select {Desktop}, the variable you created earlier. Click Insert.
13
Edit the entry for Host name or IP address to add the portion of the address that the personal computers on your network share. The completed entry might look something like this:

{Desktop}.dept.company.com

As each user logs in, {Desktop} is replaced by the machine name associated with him or her in the LDAP store using the rdp attribute.

14
Click Save.
Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
To create a WorkPlace link to give users access to their remote desktops:
1
From the main navigation menu in AMC, click WorkPlace.
2
Click New, and then select Graphical terminal shortcut.
3
In the Resource list, select Personal computer, and then specify what the link text will be in WorkPlace. For example, My remote desktop.
4
Click Save. By default, the resource you created will be displayed as a link in WorkPlace titled My remote desktop.

When the user John Doe connects to WorkPlace from home or on the road, {Desktop} is replaced by the contents of the rdp attribute associated with him in the LDAP store, and he sees a WorkPlace link (My remote desktop) that points to his office computer (john_doe-340.dept.company.com). When Paula Smith follows the same link, she has access to paula_smith-452.dept.company.com. If the rdp attribute is empty for a given user, then that user will not see a WorkPlace shortcut when he or she logs in.

Creating a Variable Containing a Variable
To create a variable that contains a variable:

You can simplify the creation of user-specific links or shortcuts by using one or more variables to define another one. For example, in the procedure above, a Host name or IP address resource was defined as follows, using a variable named {Desktop} followed by a string, in this case the path:

{Desktop}.dept.company.com

You could instead create a variable named {Desktop_path} that resolves to the entire path above.

In another example of using multiple variables to create a single variable, you could replace dept in the path above with the user’s ou (organizational unit) attribute in the LDAP store. The AMC variables table summarizes the possibilities in the examples outlined here:

AMC variables

{Desktop} resolves to john_doe-340, based on the rdp LDAP attribute.
{dept} resolves to Sales, based on the ou LDAP attribute.
{Desktop_path} resolves to john_doe-340.dept.company.com, based on an AMC variable defined as {Desktop}.dept.company.com.
{Desktop_by_dept} resolves to john_doe-340.Sales.company.com, based on an AMC variable defined as {Desktop}.{dept}.company.com.

Variables cannot be nested more than two deep: you cannot create a variable that refers to a variable that in turn refers to another variable.

Modifying Query Results

You can create a variable by querying an external AD/LDAP store for a specific attribute or set of attributes. To make the query results more useful, you can automatically extract data from them: after the query is sent and the full variable string has been determined, you can perform search and replace operations on its value.

For example, let’s say you have a company with offices in multiple locations, and each office uses a different Exchange server for email. Using some editing options, you can define a single variable that represents both Exchange servers, regardless of location.

To define a variable by automatically editing the results of a query:
1
From the main navigation menu in AMC, click Resources.
2
Click the Variables tab, and then click New.
3
Enter a name for your variable. For example, Exchange_server.
4
In the Type list, select User attribute.
5
Select the appropriate realm from the list: it should point to the AD/LDAP store that you will query.
6
In the Attribute list, select msExchHomeServerName.
7
Query the directory server for two different employees—for example, one at headquarters in London, and one in California—by entering the user name and clicking Test for each one. In this example the only difference is in the server name at the end of the resulting strings:
/o=Your Company, Inc./ou=UK/cn=Configuration/cn=Servers/cn=LN0EXL09
/o=Your Company, Inc./ou=UK/cn=Configuration/cn=Servers/cn=CA0EXV08
8
Modify the query results by clicking New in the Editing options area:

a
In the Search field, enter:
/o=Your Company, Inc./ou=UK/cn=Configuration/cn=Servers/cn=
b
Leave the Replace field empty, and then click OK.

For an employee in the London office or one in California, the variable named Exchange_server will contain the appropriate name, either LN0EXL09 or CA0EXV08, depending on the user.

Using the same query, you can create an additional variable that indicates where an employee is based. For example, create a new variable named Location and replace the name of each directory server with its location.

The Location variable will resolve to London or California, depending on the user.

For example, when you enter a London employee’s name in the User field and click Test, you’ll see the following results:

Displaying a Series of Shortcuts Using a Single Definition

When you create a variable based on a user’s session properties or the results of a query, the variable can resolve to one value per user attribute (for example, sAMAccountName and lastLogon), or multiple values (such as a list of groups to which a user belongs, or the workstations a user is permitted to log in to). When a variable can have multiple values, you have the option of creating one shortcut for it that is automatically displayed as a series of shortcuts in WorkPlace.

In this example, we’ll create a single shortcut that will result in a series of WorkPlace shortcuts, one for each workstation the user is allowed to access. Here’s an overview of the process:

Shortcut creation process

Step A: Create a variable named User_workstations that points to a multi-valued attribute in an AD or LDAP server named userWorkstations. In the directory store, this attribute lists the workstations a user is allowed to access. For example, a user might have a personal workstation at work, and another workstation that’s used for order inventory.

Step B: Create a host resource named Workstation_list that points to the User_workstations variable. For the user in this example, the resource has two possible values.

Step C: Create a WorkPlace graphical terminal shortcut that points to the Workstation_list resource. The link for this shortcut will refer to a special, built-in variable named {URL_REF_VALUE}, which will automatically result in separate links in WorkPlace for each of the workstations a user is permitted to use.

Step D: Test WorkPlace. If the shortcut does not appear, it may be because the directory store query is not returning any results. Testing it will also help you see whether you need to adjust the location of the shortcuts in your WorkPlace layout.

A: Create a variable that points to a user attribute in the AD server:
1
From the main navigation menu in AMC, click Resources, and then go to the Variables page.
2
Click New, and then enter a name for the variable: User_workstations.
3
Select User attribute in the Type list, and then specify the realm that uses the directory store you want to query.
4
In the drop-down menu of attributes returned from the AD store, select userWorkstations.
5
In the Output list, select Multiple results.
6
In the User field, enter the name of a representative user (someone who is likely to use this shortcut), and then query the AD/LDAP store for the values of userWorkstations by clicking Test.
7
The test results will indicate what character (for example, a comma or a semicolon) you should enter in the Delimiter field.
8
Click Save. The new variable ({User_workstations}) appears in the list and can now be used to define or describe other variables, resources, or WorkPlace shortcuts.
B: Create a host resource that points to the {User_workstations} variable:
1
From the main navigation menu in AMC, click Resources.
2
Click New, and then select Host Name or IP Address.
3
Enter Workstation_list as the resource name.
4
In the Host name or IP address field, click {variable}, and then select {User_workstations}, the variable you created in step A.
5
Click Insert, and then click {variable} again to close the list.
6
Edit the entry for Host name or IP address to add the portion of the address that the computers on your network share. The completed entry might look something like this:
{User_workstations}.dept.company.com
C: Create a WorkPlace shortcut that points to the Workstation_list resource
1
From the main navigation menu, click WorkPlace.
2
On the Shortcuts page, click New, and then select Graphical terminal shortcut from the list. The General tab of the Add Graphical Terminal Shortcut page appears.

3
In the Position field, specify the shortcut’s position in the list. The default is 1. (It’s possible to change its position later in your WorkPlace layout.)
4
In the Resource drop-down menu, select the resource to which this shortcut will be linked: Workstation_list.
5
In the Link text field, type the first part of the hyperlink users will see. For example, enter My workstation(s): followed by a space.
6
Using a variable you can have the link end in each succeeding value for Workstation_list; if there is more than one, then more than one shortcut will be displayed in WorkPlace. Click {variable}, and then select {URL_REF_VALUE} from the list. Click Insert to add the variable to the link text, and then close the list by clicking {variable} again. The entry for Link now looks like this:
My workstation(s): {URL_REF_VALUE}
7
Click Finish to save the shortcut. (For a description of the settings on the Advanced page, see Adding Graphical Terminal Shortcuts to Individual Hosts.)

This shortcut will automatically result in separate links in WorkPlace for each of the workstations a user is permitted to use. The two WorkPlace links in our example—one to a personal workstation and one to a workstation for entering orders—would look like this for the user ageorge.

D: Troubleshooting WorkPlace
1
If users log in to WorkPlace and do not see the shortcut you created, check the following:
Is the user in the right community? In the main navigation menu in AMC, click User Sessions, and then click the user’s name to get session details. The user may not be assigned to the right community, or there may be a rule preventing him or her from accessing the resource.
Does the variable return a result for this user? In the main navigation menu in AMC, click Resources, and then go to the Variables page. Click the variable named User_workstations, enter the name of the person who is not seeing the shortcut, and then click Test. If no result is returned, the shortcut will not be displayed.
2
Check your WorkPlace layout. When you create a shortcut, you have the opportunity to add it to a group of shortcuts or to the default group (Standalone shortcuts). To change the position of the shortcut, click Realms, and then click the name of the community to which this user belongs. The WorkPlace Appearance page indicates which layout is being used. To modify page content, click Manage layouts.
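
The Python below is an added example, not appliance code, that models how the variables in this section resolve for one user: session property variables, query-based variables that read a directory attribute and apply the search-and-replace editing from Modifying Query Results, single or multiple results split on a delimiter, a variable defined from other variables with the two-deep nesting limit from Creating a Variable Containing a Variable, a variable that resolves to nothing leaving the item undefined, and {URL_REF_VALUE} turning one shortcut into one link per value as in Displaying a Series of Shortcuts Using a Single Definition. The session properties, the directory record (including the rdp and userWorkstations values) and the Too_deep variable are constructed for the example; the Exchange_server, Location, Desktop, dept and User_workstations definitions follow the procedures above.

```python
"""Resolve AMC-style variables as this section describes them.

Added example, not appliance code. The session and directory records are
constructed for one user; variable definitions follow the procedures above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

VAR_RE = re.compile(r"\{([A-Za-z_][\w.]*)\}")
SESSION_PREFIX = "Session."
EXCH_PREFIX = "/o=Your Company, Inc./ou=UK/cn=Configuration/cn=Servers/cn="


@dataclass
class QueryVariable:                # Type: User attribute
    attribute: str
    multiple: bool = False          # Output: Single result / Multiple results
    delimiter: str = ";"
    edits: list = field(default_factory=list)   # (Search, Replace) pairs, applied in order


@dataclass
class DefinedVariable:              # value is a template built from other variables
    template: str


class Resolver:
    def __init__(self, session: dict, directory: dict, variables: dict):
        self.session, self.directory, self.variables = session, directory, variables

    def value_of(self, name: str, depth: int = 0) -> Optional[list]:
        """All values of one variable for this user, or None if it resolves to nothing."""
        if name.startswith(SESSION_PREFIX):
            v = self.session.get(name[len(SESSION_PREFIX):])
            return [v] if v else None
        var = self.variables.get(name)
        if isinstance(var, QueryVariable):
            raw = self.directory.get(var.attribute)
            if not raw:
                return None
            values = raw.split(var.delimiter) if var.multiple else [raw]
            out = []
            for v in values:
                for search, replace in var.edits:
                    v = v.replace(search, replace)
                if v.strip():
                    out.append(v.strip())
            return out or None
        if isinstance(var, DefinedVariable):
            if depth >= 1:          # variable -> variable -> variable is rejected
                raise ValueError(f"{{{name}}}: variables cannot be nested more than two deep")
            return self.expand(var.template, depth + 1)
        return None

    def expand(self, template: str, depth: int = 0) -> Optional[list]:
        """Every combination of values for the template; None if any variable is undefined."""
        results = [template]
        for name in dict.fromkeys(VAR_RE.findall(template)):
            values = self.value_of(name, depth)
            if values is None:
                return None
            results = [r.replace("{" + name + "}", v) for r in results for v in values]
        return results

    def nesting_ok(self, template: str) -> bool:
        try:
            self.expand(template)
            return True
        except ValueError:
            return False

    def shortcut_links(self, resource_template: str, link_template: str) -> list:
        """(link text, host) pairs for one shortcut: {URL_REF_VALUE} is the value of the
        first variable in the resource, one link per value, none if it is undefined."""
        names = VAR_RE.findall(resource_template)
        if not names:
            return [(link_template, resource_template)]
        first = names[0]
        values = self.value_of(first)
        links = []
        for v in values or []:
            hosts = self.expand(resource_template.replace("{" + first + "}", v))
            for host in hosts or []:
                links.append((link_template.replace("{URL_REF_VALUE}", v), host))
        return links


def example_resolver() -> Resolver:
    """One constructed user: session properties plus a directory record."""
    session = {"userName": "jdoe", "communityName": "Mobile", "zoneName": "Untrusted"}
    directory = {                                       # constructed LDAP attributes
        "rdp": "john_doe-340",
        "ou": "Sales",
        "msExchHomeServerName": EXCH_PREFIX + "LN0EXL09",
        "userWorkstations": "JDOE-PC;ORDERS-07",
    }
    variables = {
        "Desktop": QueryVariable("rdp"),
        "dept": QueryVariable("ou"),
        "Desktop_path": DefinedVariable("{Desktop}.dept.company.com"),
        "Desktop_by_dept": DefinedVariable("{Desktop}.{dept}.company.com"),
        "Exchange_server": QueryVariable("msExchHomeServerName", edits=[(EXCH_PREFIX, "")]),
        "Location": QueryVariable("msExchHomeServerName", edits=[
            (EXCH_PREFIX, ""), ("LN0EXL09", "London"), ("CA0EXV08", "California")]),
        "User_workstations": QueryVariable("userWorkstations", multiple=True, delimiter=";"),
        "Too_deep": DefinedVariable("{Desktop_path}-backup"),   # constructed: a third level
    }
    return Resolver(session, directory, variables)


if __name__ == "__main__":
    r = example_resolver()
    print(r.expand(r"\\company\{Session.communityName}"))
    print(r.expand("{Desktop_by_dept}"), r.expand("{Exchange_server}"), r.expand("{Location}"))
    print(r.expand("{Session.qualifiedName2}"))        # None: a shortcut using it is not shown
    print(r.shortcut_links("{User_workstations}.dept.company.com",
                           "My workstation(s): {URL_REF_VALUE}"))
    print(r.nesting_ok("{Too_deep}"))
```

The None returned for {Session.qualifiedName2} (no second authentication method in the constructed session) is the behaviour the troubleshooting step above relies on: when the Test button returns nothing for a user, no shortcut is displayed and a policy rule using the variable fails. The Too_deep variable is there only to show the nesting limit being enforced.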

Creating and Managing Resource Groups

You can define individual resources or manage them in resource groups, which are collections of individual resources. Grouping resources provides a convenient way to manage access to a set of resources with similar characteristics. For example, you might define a resource group containing applications that matter only to your remote employees, simplifying the process of managing access to those resources.

There is no limit to the number of resources that a resource group can contain. When you create a new resource group, it is added to your list of available resources and groups; you can then use the resource group in access control rules.

Topics:  

Adding Resource Groups

When you create a new resource group, it is added to the list of available groups on the Resource Groups tab of the Resources page.

To add a resource group:
1
From the main navigation menu in AMC, click Resources.
2
Click the Resource Groups tab.

3
Click New to add a resource group.

4
Type a Name for the resource group.
5
In the Description field, type a descriptive comment about the group.
6
Select the checkbox for each resource you want to include in the group, or leave the group empty and add resources to it later. There is no limit to the number of resources that a group can contain.
7
After you have finished, click Save.

Example: Working with a URL Redirect

Some Web-based applications automatically redirect users to other Web pages. A user accessing the application may browse to a particular Web address, but then be redirected to a different address.

For example, an organization has a mail server with the following URL:

http://domino.example.com/dwa.nsf

A user who accesses this site is then automatically redirected to a different URL:

http://domino.example.com/mail/dwa1.nsf

To give users access to the application using the SMA appliance, you need to add both the original and the redirected URLs as resources.

The following example demonstrates how to add your Web-based application as a pair of URL resources, how to group the resources together, and then how to define an access control rule so that your users have access to the application.

Configure URL resources for your Web-based application:
1
From the main navigation menu in AMC, click Resources.
2
Click New, and then select URL from the drop-down menu. The Add/Edit Resource – URL page appears.
3
In the Name field, type a name for the resource. For example, Mail Web App.
4
In the URL field, type the address of the mail server. For example,
http://domino.example.com/dwa.nsf.
5
Click Save.
6
Repeat Step 2 through Step 5 to create a second Web resource specifying the redirected URL address. If your application uses more than one redirected URL, create an additional URL resource for each address; this example assumes there are only two URLs involved.
Create a resource group for both URL resources:
1
From the main navigation menu in AMC, click Resources.
2
Click the Resource Groups tab, and then click New. The Add/Edit Resource Group page appears.
3
In the Name field, type a name for the resource group. For example, Mail Web App Group.
4
Select the checkboxes for each of the Web resources previously created.
5
Click Save.
Define an access control rule for the resource group:
1
From the main navigation menu in AMC, click Access Control.
2
Click New. The Add/Edit Access Rule page appears.
3
In the Position field, type a number to specify the rule’s position in the access rule list.
4
Use the Action buttons to specify Permit. This will allow users to access the group resource that you specify in the next step.
5
Complete the information under Basic settings:
a
Leave User selected (so that the rule applies to users trying to access a resource).
b
The From field specifies the users to whom the rule applies. For this example, leave the value as Any user.
c
In the To field, click Edit to specify the target resource for this rule. A Resources dialog appears.
d
Select the resource group previously created. In this example, Mail Web App Group.
6
Click Save.

For an overview of access control, see Access Control Rules.

Editing and Deleting Resource Groups

Before modifying a resource group, carefully examine the associated rules to understand how your changes will affect your security policy. You cannot delete a resource group that is referenced in an access control rule. Before deleting a resource group, you must first remove it from any rules in which it is referenced. See Deleting Referenced Objects for more details.

Web Application Profiles

Web application profiles provide single sign-on and translation control for Web applications that use Windows NTLM authentication (v1 and v2 are both supported), or basic authentication.

With a Web application that uses Windows NTLM authentication, access is granted only to users whose Windows credentials can be verified. Support for NTLM is built into Microsoft IIS (Internet-based services for Windows machines) and supported in Internet Explorer.
Basic authentication is supported on a wide variety of platforms (note, however, that it sends passwords in the clear across the network).

You can also configure the Web proxy service in AMC to support forms-based authentication, in which users authenticate by filling out a standard HTML form, using any combination of browser and Web server. See Creating Forms-Based Single Sign-On Profiles for more information.

Viewing Web Application Profiles

Web application profiles are listed on the Configure Web Proxy Service page.

To view your list of available Web application profiles:
1. From the main navigation menu in AMC, click Services.
2. In the Access Services area, click the Configure link for Web proxy service.
3. To view your available Web profiles, click the Web Application Profiles tab. The Configure Web Proxy Service page appears.
4. The list includes preconfigured Web application profiles that are recommended for several popular Web applications, any custom Web profiles you created, and a default Web profile. To view the settings for a Web application profile, click its name.

Adding Web Application Profiles

IMPORTANT: The Web translation that AMC performs is more complete and robust in recent versions of the appliance software. Beginning in version 10.x, it is no longer possible to revert to the legacy translation for Web application profiles that worked in version 8.6.x.

Web application profiles control single sign-on characteristics, as well as content translation options for a particular Web resource. Each Web resource should have a Web application profile associated with it.

Single sign-on options control whether and how a user’s login credentials are forwarded to downstream Web applications. These options are disabled by default. In addition, one of the following is required to configure single sign-on:
Click Use Web content translation on the Configure WorkPlace page in AMC.
Define a WorkPlace link as an aliased URL. This is the approach you should take if you normally redirect traffic through a network agent, but in this case you want to force the resource to be proxied using translated, custom port mapped, or Exchange server FQDN mapped Web access for single sign-on.

For more information, see Web Shortcut Access and Configuring WorkPlace General Settings.

NOTE: You can configure single sign-on when you create a WorkPlace shortcut for accessing a Windows Terminal Services or Citrix host. See Adding Graphical Terminal Shortcuts to Individual Hosts.

Content translation options control whether hyperlinks in JavaScript code, in cookie bodies, and in cookie paths are translated by the Web proxy service. The options are used only by the translated Web access agent: they are ignored by standard Web access.

Web application profiles are not used if Web shortcut access is set to Redirect through network agent on the Configure WorkPlace page in AMC. See Configuring WorkPlace General Settings.

To add a Web application profile:
1. From the main navigation menu in AMC, click Services.
2. In the Access Services area, click the Configure link for Web proxy service. The Configure Web Proxy Service page appears.
3. Click the Web Application Profiles tab, and then click New. The Add Web Application Profile page appears.
4. In the Name field, type a name for the profile. If you are creating a profile to associate with a specific application, you might want to give it a name similar to that of the application.
5. In the Description field, type a descriptive comment about the profile.
6. In the Single Sign-On area, specify if and how you want user credentials to be passed along to the Web resource. Forwarding user credentials prevents the user from having to log in multiple times (once to get to the appliance, and again to access an application resource).
   - If you select the Forward each user’s individual username and password checkbox, the username and password used to authenticate to WorkPlace are forwarded to the back-end Web server.
   - If you select the Forward static credentials checkbox, the appliance forwards the same username and password for all users. This is useful for Web sites that require HTTP basic authentication, but don’t provide personalized content for each user based on the login name. It’s also useful for users who authenticate with a client certificate or token.
   - If you do not select either option, single sign-on functionality is disabled. If you select both options, the individual username and password option takes precedence. For example, if the user provides a username/password pair, it is forwarded, but if username/password is not provided, the Web proxy service forwards the static credentials.
   - If you select the Enable Kerberos single sign-on checkbox and specify the Kerberos realm where the resources are hosted, WorkPlace and Connect Tunnel users can access http resources. This realm is used for authenticating environments like Active Directory, Active Directory Tree, and Active Directory Forest where Kerberos is configured as a preferred authentication mechanism.
7. In the Content translation area, select the items that you want the Web proxy service to translate.
   - Select the Translate JavaScript code checkbox if you want the Web proxy service to translate links embedded in JavaScript code used by the Web resource. This is useful for JavaScript that contains absolute URLs or absolute references (/to/path/xyz), or that dynamically generates URLs (for example, location="http://" + host name + "/index.html"). This improves compatibility with Microsoft Outlook Web Access and other applications that rely on JavaScript. This option is enabled by default.

     However, if you notice problems with searching mail based on the Subject, From, or Sent To fields, or if you see an error after logging in when you access OWA using a WorkPlace shortcut, clear the Translate JavaScript code checkbox for the OWA profile.
   - Select the Translate content based on file extension checkbox if you want the Web proxy service to determine content type by examining the file extension, not the MIME type. Normally, the Web proxy service translates certain content types (including text and HTML). It determines the content type from the MIME type in the HTTP header. If a Web resource is sending the incorrect MIME type, select this option and the Web proxy service will decide whether or not to translate a file based on its file extension. This option is disabled by default.
   - Select the Translate cookie body checkbox if you want the Web proxy service to translate URLs embedded in the body of a cookie. If a Web resource uses embedded URLs in the body of a cookie (which is not common practice), and you do not have this option enabled, users can experience problems. A common symptom is being unexpectedly redirected to another URL. This option is enabled by default.
   - Select the Translate cookie path checkbox if you want the Web proxy service to translate the path attribute of cookies sent by back-end resources. The browser uses cookie paths to determine when to send a cookie back to the server. The appliance changes the path that the browser sees, so if the cookie path is not translated, the browser will never send the cookie. A common symptom of this situation is a user being prompted repeatedly for login credentials after already entering valid ones. If this occurs, you should enable this option. This option is enabled by default.
8. Click Save.
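To make the two cookie translation options concrete, here is an added Python example (not the appliance's Web proxy code) of what Translate cookie path and Translate cookie body have to do to a Set-Cookie header on its way back to the browser. The deployment it models (back-end web1.xyz.com reached through a proxy prefix /proxy/web1 on workplace.example.com) and the Set-Cookie headers are constructed for illustration. browser_sends_cookie implements the path-match rule from RFC 6265, which is what makes an untranslated Path attribute never be sent back and the user be prompted for credentials again.

```python
"""Cookie path and cookie body translation as a reverse proxy must perform it,
illustrating the Translate cookie path / Translate cookie body options.

Added example, not the appliance's Web proxy code. The back-end origin, proxy
prefix and Set-Cookie headers below are constructed for illustration.
"""
import re

# Constructed deployment: the back-end web1.xyz.com is reached through the
# appliance under a prefix, so every path the browser sees is shifted.
BACKEND_ORIGIN = "https://web1.xyz.com"
PROXY_ORIGIN = "https://workplace.example.com"
PROXY_PREFIX = "/proxy/web1"

# Match the back-end origin only when it is not part of a longer host name.
_ORIGIN_RE = re.compile(re.escape(BACKEND_ORIGIN) + r"(?![\w.-])")


def translate_cookie_path(backend_path: str) -> str:
    """Shift a cookie Path attribute under the proxy prefix."""
    if not backend_path.startswith("/"):
        backend_path = "/" + backend_path
    return PROXY_PREFIX + backend_path


def translate_cookie_body(value: str) -> str:
    """Rewrite absolute back-end URLs embedded in a cookie value."""
    return _ORIGIN_RE.sub(PROXY_ORIGIN + PROXY_PREFIX, value)


def translate_set_cookie(header: str, translate_path: bool = True,
                         translate_body: bool = True) -> str:
    """Apply the two translations to one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    if translate_body:
        value = translate_cookie_body(value)
    out = [f"{name}={value}"]
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and translate_path:
            attr = "Path=" + translate_cookie_path(val)
        out.append(attr)
    return "; ".join(out)


def browser_sends_cookie(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, as a browser applies it when deciding
    whether to attach a stored cookie to a request."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


if __name__ == "__main__":
    raw = "session=abc123; Path=/app; Secure; HttpOnly"
    print(translate_set_cookie(raw))
    # Untranslated: the browser stores Path=/app, but every proxied request
    # goes to /proxy/web1/app/..., so the cookie is never attached.
    print(browser_sends_cookie("/app", "/proxy/web1/app/inbox"))            # False
    print(browser_sends_cookie("/proxy/web1/app", "/proxy/web1/app/inbox"))  # True
```

The untranslated case is exactly the repeated-login symptom the option describes: the session cookie is stored, but the browser's path-match never selects it for the proxied URL, so the back-end sees an unauthenticated request each time.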

Preconfigured Web Application Profiles

Several preconfigured Web application profiles are included with the appliance and are recommended for certain commonly used Web applications. (More can be added; see Adding Web Application Profiles.) Preconfigured profiles are shown in Preconfigured Web Application profiles.

 

Preconfigured Web Application profiles

Web application profile | Description
Default | A default profile that you can use for most Web applications or sites that don’t use NTLM or basic authentication single sign-on
Domino Web Access 6.x | A profile for Lotus Domino Web Access (versions 6.x only)
iNotes 5.x | A profile for Lotus iNotes (versions 5.x only)
Onyx CRM | A profile for the Onyx CRM Employee Portal (versions 4 and later)
OWA/Single Sign-On | A profile for Microsoft Outlook Web Access and other sites that use NTLM or basic authentication single sign-on
WorkPlaceCfg | A read-only profile for WorkPlace

Web Application Profile Examples

This section explains how the appliance determines which Web application profile to apply to an incoming request, and demonstrates the flexibility of using profiles when specifying resources.

How Requests for Web Resources are Evaluated

Because Web resources can be defined quite broadly, the appliance follows a rule for determining which Web application profile to apply to an incoming request: it chooses the profile associated with the most specific resource.

For example, suppose you’ve defined these two resources:

A DNS domain (xyz.com) with Web application profile A attached
A specific Web server (web1.xyz.com) with Web application profile B attached

If a user request comes in for https://web1.xyz.com/timesheet.html, the appliance uses Web application profile B because it is associated with a more specific resource (the Web server) than Web application profile A (the domain). The actual order that the appliance uses is as follows:

URL —> Host name —> IP address —> Subnet/IP range —> DNS domain

Associating one profile with an entire domain

If you want to associate the same Web application profile to all resources within a single domain, associate a profile with that domain, and then select None as the profile for any individual resources you define that are within that domain. The individual resource will inherit the domain’s profile. If there is no profile associated with a particular resource, and there is no profile to inherit, the appliance uses the system defaults for the profile.
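The selection order above, worked through as an added Python example (not SonicWall code): the Resource class, the select_profile function and the sample resources are constructed for illustration. It generalizes the two-resource case in the text to all five resource kinds in the stated order, treats a resource whose profile is set to None as inheriting from the next less specific match, and falls back to the system default when there is nothing to inherit from, as the paragraph on domain-wide profiles describes.

```python
"""Most-specific-resource profile selection, following the evaluation order
given in the guide: URL -> Host name -> IP address -> Subnet/IP range -> DNS domain.

Added example, not SonicWall code. Resource kinds, the Resource class and the
sample resources are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Lower rank = more specific; mirrors the order the guide lists.
RANK = {"url": 0, "host": 1, "ip": 2, "subnet": 3, "domain": 4}


@dataclass(frozen=True)
class Resource:
    kind: str               # one of RANK's keys
    value: str              # URL prefix, host name, IP, CIDR, or DNS domain
    profile: Optional[str]  # None = "None" in AMC: inherit from a broader match


def _matches(res: Resource, url: str, resolved_ip: Optional[str]) -> bool:
    """Does the request `url` (optionally with its resolved IP) fall under `res`?"""
    host = (urlsplit(url).hostname or "").lower()
    if res.kind == "url":
        return url.lower().startswith(res.value.lower())
    if res.kind == "host":
        return host == res.value.lower()
    if res.kind in ("ip", "subnet"):
        if resolved_ip is None:
            return False
        addr = ipaddress.ip_address(resolved_ip)
        if res.kind == "ip":
            return addr == ipaddress.ip_address(res.value)
        return addr in ipaddress.ip_network(res.value, strict=False)
    if res.kind == "domain":
        dom = res.value.lower().lstrip(".")
        return host == dom or host.endswith("." + dom)
    raise ValueError(f"unknown resource kind {res.kind!r}")


def select_profile(resources: List[Resource], url: str,
                   resolved_ip: Optional[str] = None,
                   system_default: str = "Default") -> str:
    """Return the Web application profile applied to a request for `url`.

    All matching resources are ordered most-specific first. The first one that
    carries a profile wins; a resource with profile None inherits from the next
    broader match. With nothing left to inherit from, the system default applies.
    """
    matches = sorted((r for r in resources if _matches(r, url, resolved_ip)),
                     key=lambda r: RANK[r.kind])
    for res in matches:
        if res.profile is not None:
            return res.profile
    return system_default


def sample_resources() -> List[Resource]:
    """Constructed resources: the guide's xyz.com / web1.xyz.com pair plus a few more."""
    return [
        Resource("domain", "xyz.com", "A"),
        Resource("host", "web1.xyz.com", "B"),
        Resource("url", "https://web1.xyz.com/hr/", "C"),
        Resource("host", "web2.xyz.com", None),   # inherits profile A from xyz.com
        Resource("subnet", "10.0.0.0/24", "D"),
    ]


if __name__ == "__main__":
    rs = sample_resources()
    for url, ip in [("https://web1.xyz.com/timesheet.html", None),
                    ("https://web1.xyz.com/hr/form", None),
                    ("https://web2.xyz.com/", None),
                    ("https://10.0.0.5/app", "10.0.0.5"),
                    ("https://other.example.com/", None)]:
        print(f"{url:40} -> {select_profile(rs, url, ip)}")
```

The request for https://web1.xyz.com/timesheet.html resolves to profile B, as in the text, because the host resource outranks the domain; a request under the more specific URL resource wins over the host, and web2.xyz.com, whose own profile is None, inherits A from the domain.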

Editing and Deleting Web Application Profiles

Before modifying a profile, confirm that the changes will be compatible with its associated applications.

If a profile is still associated with one or more resources, AMC prevents you from deleting it. You must remove all associations before you can delete the profile. See Deleting Referenced Objects for more details.

Creating Forms-Based Single Sign-On Profiles

Many Web applications use forms-based authentication, in which the user enters a set of credentials into HTML form fields, and a session token is stored in a browser cookie. This type of authentication is popular because it is supported on any combination of browser and Web server. The other benefit is that you can customize the login page.

Use AMC to set up a single sign-on profile that will forward a user’s appliance credentials to a Web application that uses forms-based authentication. This process is not automated and may require help from SonicWall Technical Support; you should be familiar with the HTML code and know things like the form element names and the name of the cookie that stores user credentials.

There are also some built-in profiles that you can modify for your environment:

OWA 2003
OWA 2007/2010
OWA 2013
Citrix Nfuse 1.7
Citrix XenApp
Citrix XenDesktop
To modify the built-in single sign-on profile for Outlook Web Access:

1. From the main navigation menu in AMC, click Services.
2. In the Access services area, under Web proxy service, click Configure.
3. Click the Single Sign-On Profiles tab, and then click New. The Configure Single Sign-On Profile page appears.
4. Type a Name and Description, and then select the applicable OWA (Outlook Web Access) application from the Application list. (To start from scratch and specify elements from a custom form, select Other.)
5. In the Application URL field, type the URL for the application type (for example, the Citrix XenApp/XenDesktop site or the Microsoft Exchange OWA form-based authentication DLL). For an OWA DLL this is usually the FQDN of your Exchange server followed by /exchweb/bin/auth/owaauth.dll. For example:
   https://owaserver.domain.com/exchweb/bin/auth/owaauth.dll
6. In the Cookie name field, type the name of the cookie used to store user credentials. The cookie name for OWA 2013 is cadata.
7. Make changes to the form elements by clicking a link. (At a minimum, you must change the destination element to match the Application URL.)
8. Click Save.

After a profile is set up, a user’s credentials are automatically sent to the back-end server every time the user logs in, regardless of whether the WorkPlace link is clicked. This can be a problem where there is a limit to the number of allowed licenses.

When a user logs in, his or her credentials are sent to all Web applications for which a single sign-on profile is configured. Unlike a Web application profile, a single sign-on profile is not associated with a resource in AMC; the application resource is defined within the profile.

For information on configuring SSO for a Web application that uses Windows NTLM or basic authentication, see Web Application Profiles.

Kerberos Constrained Delegation

SMA supports Kerberos Constrained Delegation (KCD). Kerberos Constrained Delegation (KCD) provides authentication support using an existing Kerberos infrastructure, which does not need to trust front-end services to delegate a service.

With Kerberos Constrained Delegation (KCD), users who are authenticated using non-Kerberos methods, such as Certificate, Smart Card, or RADIUS, can gain access to Kerberos protected resources without having to enter any additional credentials. For example, a user that authenticates using Single Sign-On (SSO), rather than Kerberos, is allowed access to Kerberos protected web resources.

Most Single Sign-On (SSO) methods rely on the conventional username/password credentials. However, these credentials do not work with Certificate, Smart Card, or RADIUS authentication. With Kerberos Constrained Delegation (KCD), the administrator configures the usernames and passwords for Kerberos Constrained Delegation (KCD).

Microsoft’s Kerberos v5 extension is called Services for Users (S4U) and comprises two parts:

S4U2Self
S4U2Proxy

S4U2Self allows a service to obtain a service ticket to itself on behalf of a client and is usually used with a client certificate. S4U2Self is the Kerberos Protocol Transition extension.

S4U2Proxy allows a service to obtain a service ticket to an arbitrary service on behalf of a user with only the user's service ticket. The services are constrained by the administrator. S4U2Proxy is the Kerberos Constrained Delegation (KCD) extension.

Configuring Kerberos Constrained Delegation

To enable Kerberos Constrained Delegation (KCD):
1. Go to the Services > Access services page.
2. Under Web proxy service, click Configure.
3. In the Configure Web Proxy Service dialog, select Web Application Profiles.
4. From the list of Web Proxy Services, select the Web Proxy Service you want. The Edit Web Application Profile dialog appears.
5. Select the checkboxes for the options you want:
   - Enable Kerberos Constrained Delegation – The Enable Kerberos Constrained Delegation option should be checked only if the Kerberos Single Sign-On option is checked.
   - Enable fallback – The Enable fallback option should be checked only if the Enable Kerberos Constrained Delegation option is checked.

   The Enable fallback option prompts the user to enter their credentials again if KCD has failed for some reason. If Enable fallback is unchecked and KCD has failed, an error page is displayed.

   NOTE: On Firefox, Enable fallback works only if both Negotiate and NTLM are enabled on the backend resource, in their respective order. Enable fallback does not work on Safari in this case. Safari displays a prompt to re-enter credentials, but it keeps failing. Enable fallback works only when NTLM is the only authentication provider on the backend, which is not a supported configuration for KCD.
6. Click Save.

Configuring SMA Support for Microsoft Outlook Anywhere

SMA supports Microsoft Outlook Anywhere for Windows Outlook Clients. Outlook Anywhere is basically an Outlook client that connects to the Microsoft Exchange server using one of these protocols:

Remote Procedure Call (RPC) over HTTP
MAPI over HTTP

Microsoft Outlook Anywhere allows end users with Microsoft Office Outlook to connect to their Exchange servers over the Internet from outside the corporate network.

To configure SMA Support for Outlook Anywhere:
1. On your SMA device, go to the Security Administration > Resources page.
2. Click on the resource you want to edit. The Edit Resource dialog appears.
3. Click on the Web proxy options panel to open it.
4. In the Web application profile drop-down menu, select OWA/Single Sign-on.
5. Click on the Exchange Server options panel to open it.
6. Select the checkbox for Enable Exchange ActiveSync and Outlook Anywhere access to this resource.
7. In the Exchange server FQDN field, enter the external FQDN URL of the user’s Exchange server.

   This should be the same value that is configured as the external FQDN URL for Outlook Anywhere services (RPC/HTTP and MAPI/HTTP protocols and EWS service) at the Exchange server.
8. In the Realm drop-down menu, select the Realm that you want.
9. In the Exchange Autodiscover FQDN field, enter the FQDN of the Exchange Autodiscover service, for example: autodiscover.example.com.

   The Autodiscover FQDN is used by the Outlook client to locate the Autodiscover service, which enables Outlook to configure the Outlook options from nothing more than the user’s email address. For example, the email address user@yourcompany.com would have an Autodiscover FQDN of autodiscover.yourcompany.com.

   The name autodiscover.yourcompany.com must be configured in a public DNS server with the public IP address of the appliance.
10. Leave the Fallback Exchange server URL field blank for Outlook Anywhere.

NOTE: For Outlook Anywhere using RPC over HTTP, only basic authentication is supported. So, the backend exchange server should be configured to support basic authentication for Outlook Anywhere - ExternalClientAuthenticationMethod. For MAPI over HTTP, any authentication method can be configured.

NOTE: For requests coming from the Outlook client, zone classification is done without any attributes, and the user is classified into whichever zone it matches.

The Autodiscover FQDN is also displayed on the System Configuration > Network Settings page.

Viewing User Sessions

SMA users that are using Exchange ActiveSync and Outlook Anywhere can be displayed on the Monitoring > User > Sessions page by selecting Exchange as the filter from the Agents drop-down menu. The Exchange filter will filter Exchange ActiveSync and Outlook Anywhere users. The detailed view will show what the Access Agent is for that user.

To view Outlook Anywhere user sessions:
1. Go to the Monitoring > User Sessions page.
2. In the Agents drop-down menu, select Exchange.

   If you hover over the Exchange Server option, it shows that Exchange ActiveSync and Outlook Anywhere users will be displayed for this option.
3. Click Refresh to see the new list of users.
4. To see a detailed view of any user listed, click on that user.

   The Access Agent field in the detailed view shows which agent the user is using. Outlook Anywhere will be shown in the Access Agent field.

Access Control Rules

Access control rules determine which resources are available to users or groups. Rules can be defined broadly to provide access using any method, or defined narrowly so that only a specific access method—Web browser, Connect and OnDemand, or Network Explorer—is permitted.

In addition to evaluating whether users can access resources based on who they are, access control rules can also factor in the trustworthiness of users’ access points using End Point Control zones and device profiles, which are described in Managing EPC with Zones and Device Profiles.

Configuring Access Control Rules

As your network changes over time, you will need to configure the access control rules that determine what application resources are available to your various users and groups.

Before adding an access control rule, carefully examine your existing rules; you might find that you can modify a rule instead of creating a new one. You can also copy an existing rule and then modify its parameters.

If you decide to add a new rule, review your current configuration to determine where the new rule should fit in the rule order. New rules are added to the top of the list by default; you can then move them to their proper positions.

Viewing Access Control Rules

Access control rules are displayed in numerical order on the Access Control page. The appliance evaluates the rules in numbered order. All access control rules are displayed by default, but you can use the Filters settings to filter them by resource type or other criteria.

To view access control rules:
1. From the main navigation menu in AMC, click Access Control.
2. By default, all rules that you have created, regardless of resource type, are displayed. Use the Filters section to display a subset of rules. For information about using filters, see Filters. To see a particular rule set, select one of the following from the Method drop-down menus in Filters; see Rule set descriptions.

   Rule set descriptions

   Method | Description
   Web browser | Display rules controlling access to Web-based (HTTP and HTTPS) resources.
   Connect Tunnel/OnDemand Mapped Mode | Display rules controlling access to client/server (TCP/IP) resources.
   Network Explorer | Display rules controlling access to Windows file system resources using WorkPlace.
3. Review the data shown in the access control rule list:
   - Use the checkbox column to select one or more rules to delete, copy, or reorder (using the Move Up and Move Down buttons).
   - The number column indicates the order in which the rule will be evaluated. To edit a rule, click its corresponding number.
   - To display configuration details and the objects referenced in a rule, click the plus sign (+) next to it.
   - The Action column indicates whether a rule permits or denies access, or is ignored; see Rule action indicators.

     Rule action indicators

     Indicator | Description
     Green | Access is permitted.
     Red | Access is denied.
     Gray | The rule is not evaluated. (Disabling a rule is a convenient way to temporarily stop using a rule without deleting it.)
   - The Description column lists the descriptive text you typed when creating the rule.
   - The From column indicates the users to whom the rule applies (Any: all users). In the case of a reverse connection, this column indicates the resource that is connecting to a user or group. See Access Control Rules for Bi-Directional Connections.
   - The To column lists the destination resources to which the rule applies (Any: all resources). In the case of a reverse connection, this column can also indicate the user or group that is connecting back to a resource. See Access Control Rules for Bi-Directional Connections.
   - The Method column indicates whether a specific access method is associated with a rule. A globe icon signifies Web browser-based HTTP access; a globe icon with a folder represents Network Explorer, which provides Web access to file system resources; the Secure Mobile Access logo indicates access using the Connect Tunnel or proxy clients, or the OnDemand Tunnel or proxy agents. Any indicates that the rule applies to all access methods.
   - The Zone column indicates whether an access rule is associated with a particular End Point Control zone. EPC zones are used to classify a connection request based on the attributes of the client device. Any indicates the rule applies to all EPC zones; a red Restricted icon indicates that the rule controls access for one or more specific zones.

Access Control Rules for Bi-Directional Connections

VPN connections typically involve forward connections, which are initiated by a user to a client/server resource. However, if you deploy SonicWall’s network tunnel clients (Connect Tunnel or OnDemand Tunnel) to your users, bi-directional connections are enabled.

With the SonicWall VPN, bi-directional connections encompass:

Forward connections from a VPN user to a client/server resource. See Adding Access Control Rules for a Forward Connection.
Reverse connections from a client/server resource to a VPN user. An example of a reverse connection is an SMS server that “pushes” a software update to a user’s machine. See Adding Access Control Rules for a Reverse Connection.
Cross-connections refer specifically to VoIP (Voice over Internet Protocol) applications that enable one VPN user to telephone another VPN user. Cross-connections require a pair of access control rules: one for the forward connection and one for the reverse connection. See Adding a Pair of Access Control Rules for a Cross-Connection.

Other examples of bi-directional connections include an FTP server that downloads files to or uploads files from a VPN user, and remote Help Desk applications.

Requirements for Reverse and Cross-Connections

Before you can configure access control rules for reverse connections and cross-connections, these requirements must be met:

The network tunnel service must be running on the appliance. On the Services page in AMC, check the status for Network tunnel service; it should be Running.
An IP address pool for the network tunnel clients must be configured. See Configuring IP Address Pools for information on how to set one up.
Users who have access to a VoIP application must belong to a community that is configured to deploy the network tunnel clients (Connect Tunnel or OnDemand Tunnel) to their computers. See Creating and Configuring Communities.

Securing Application Ports for Reverse Connections

By default, reverse connections from resources to users have access to all ports on users’ computers. For enhanced security, create access control rules for reverse connections that confine access to the ports that an application specifically uses. Consult the application’s documentation for information about which firewall ports must be open in order to use the application.

When configuring an access rule for a reverse connection, use the Destination restrictions option to confine access to the ports required by the application making the reverse connection. See Configuring Advanced Access Control Rule Attributes for information on this option.

Adding Access Control Rules for a Forward Connection

Perform the following steps to add an access control rule for a forward connection from users to destination resources. For information about creating an access control rule for a cross-connection (for example, for a VoIP application), see Adding a Pair of Access Control Rules for a Cross-Connection.

To add an access control rule for a forward connection:
1. From the main navigation menu in AMC, click Access Control.
2. Click New. The Add Access Rule page appears.
3. Type a number in the Number field to specify the rule’s position in the access rule list. By default, new rules are added to the top of the list, but you can use this box to place the rule anywhere you want. For example, if you assign the number 3 to a new rule, the new rule will be inserted before the current rule 3 (which will become rule 4). This field is required.

   To the right of the Number field is a unique identifier for the rule, which you can use for troubleshooting. When you add or change a rule, for example, the Management Console audit log shows a record of the change using this ID. Logging is described in detail in System Logging and Monitoring.
4. In the Description field, type a descriptive comment about the rule. This step is optional, but a description can be helpful when viewing your list of rules later; it also appears in log files, where it can be useful for debugging. The ID is a unique identifier automatically assigned by AMC; it cannot be edited.
5. Use the Action buttons to specify whether the rule will be used to Permit or Deny access, or if the rule is Disabled.
6. Complete the information listed under Basic settings:
   - Click User to configure a forward connection (from a user to a resource).
   - If you deploy a network tunnel client, click Resource to create a rule controlling a reverse connection (resource to user) or a cross-connection (user to user). The network tunnel service must be configured with an IP address pool before you can use reverse connections (see Configuring IP Address Pools).
   - The From field specifies the users or user groups to whom the rule applies. Click Edit to select from a list of users and groups. If no users or groups are specified, the value for this field is Any user.
   - The To field specifies the destination resources or resource groups for the rule. Click Edit to select from a list of resources. If no destination resources are selected, the value for this field is Any resource. A warning appears if the destination resource contains a wildcard, indicating a Mobile Connect incompatibility.

   NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.
7. In the End Point Control zones area, select the zones from which you will permit or deny access to the resources. Click Edit to select from a list. The default for this field is Any zone. See Managing EPC with Zones and Device Profiles for information about configuring and using zones.
8. Click Next to configure additional settings (see Specifying Advanced Access Control Rule Attributes), or click Finish to save the current settings.
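Putting together the rule list described under Viewing Access Control Rules (numbered evaluation order, Permit/Deny/Disabled actions, From, To, Method and Zone columns) and the Number, Action and Basic settings fields of the procedure above, here is an added Python example (not SonicWall code) of ordered rule evaluation. The Rule and Request classes, the sample rule set, and the deny-by-default outcome when no rule matches are constructed assumptions; the port syntax follows the Destination restrictions field described under Specifying Advanced Access Control Rule Attributes (ports separated by semicolons, ranges written with a hyphen).

```python
"""Ordered access-control rule evaluation: rules are checked in numbered
order, a Disabled rule is skipped, and the first rule whose From/To/zone/
method/port restrictions all match decides Permit or Deny.

Added example, not SonicWall code. The Rule and Request classes, the sample
rule set and the deny-by-default outcome are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ANY = "Any"


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse the Destination restrictions syntax ('25;110-143') into
    inclusive ranges; Any covers every port."""
    if spec == ANY:
        return [(0, 65535)]
    ranges = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges


@dataclass
class Rule:
    number: int
    action: str                                       # Permit, Deny or Disabled
    users: Set[str] = field(default_factory=set)      # empty = Any user
    resources: Set[str] = field(default_factory=set)  # empty = Any resource
    zones: Set[str] = field(default_factory=set)      # empty = Any zone
    methods: Set[str] = field(default_factory=set)    # empty = Any method
    ports: str = ANY                                  # Destination restrictions
    description: str = ""


@dataclass
class Request:
    user: str
    groups: Set[str]
    resource: str
    zone: str        # End Point Control zone the device was classified into
    method: str      # Web, NetworkExplorer or Tunnel
    port: int


def _matches(rule: Rule, req: Request) -> bool:
    if rule.users and not ({req.user} | req.groups) & rule.users:
        return False
    if rule.resources and req.resource not in rule.resources:
        return False
    if rule.zones and req.zone not in rule.zones:
        return False
    if rule.methods and req.method not in rule.methods:
        return False
    return any(lo <= req.port <= hi for lo, hi in parse_ports(rule.ports))


def evaluate(rules: List[Rule], req: Request,
             default: str = "Deny") -> Tuple[str, Optional[int]]:
    """First matching, non-disabled rule wins (returns its action and number);
    `default` (an assumption of this example) applies when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.action == "Disabled":   # gray in AMC: never evaluated
            continue
        if _matches(rule, req):
            return rule.action, rule.number
    return default, None


def insert_rule(rules: List[Rule], new: Rule) -> List[Rule]:
    """Insert `new` at its Number and renumber the rest, as the Number field
    does: a new rule 3 goes before the current rule 3, which becomes rule 4."""
    ordered = sorted(rules, key=lambda r: r.number)
    pos = min(max(new.number - 1, 0), len(ordered))
    ordered.insert(pos, new)
    for i, rule in enumerate(ordered, start=1):
        rule.number = i
    return ordered


def sample_rules() -> List[Rule]:
    """Constructed rule set (fresh objects each call, since insert_rule renumbers)."""
    return [
        Rule(1, "Deny", resources={"mail.xyz.com"}, zones={"Quarantine"}),
        Rule(2, "Permit", users={"Employees"}, resources={"mail.xyz.com"},
             methods={"Web"}, ports="443"),
        Rule(3, "Disabled", resources={"mail.xyz.com"}),
        Rule(4, "Permit", users={"Admins"}, resources={"db.xyz.com"},
             methods={"Tunnel"}, ports="1433;3306-3307"),
    ]


if __name__ == "__main__":
    alice = Request("alice", {"Employees"}, "mail.xyz.com", "Trusted", "Web", 443)
    print(evaluate(sample_rules(), alice))                                        # ('Permit', 2)
    print(evaluate(insert_rule(sample_rules(), Rule(2, "Deny", users={"alice"})), alice))  # ('Deny', 2)
```

The second call in the usage shows why position matters: inserting a Deny at number 2 pushes the old Permit down to 3, so the same request is now denied before the permit is ever reached.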

Specifying Advanced Access Control Rule Attributes

For most rules, a basic configuration that includes users or groups, destination resources, and access methods is sufficient. However, additional options are available to provide even tighter access. For example, you can control a connection based on the location of the user (by IP address). Referencing source networks in an access rule, to permit or deny a connection to a destination resource based on the location from which the request originates, provides even greater security.

To configure advanced settings for an access control rule:
1
From the main navigation menu in AMC, click Access Control.
2
Click New. The Add Access Rule page appears.
3
Click Next to display the Advanced tab.
4
In the Access method restrictions area, select one or more methods for access to the resource. Any is the recommended setting in most circumstances, unless your security environment requires you to use a particular method for access to a resource.

a
When you select access methods, the advanced options are enabled or disabled based on whether they apply to the methods you specified. Click Selected to choose the access methods this rule will require; see Client software agents.
 

Client software agents

Access method

Description

Web browser (HTTP/HTTPS)

Manages access from HTTP or HTTPS resources for users connecting using a Web browser.

The available Advanced settings are:

User’s network address
Time and date restrictions

Network Explorer

Manages access from Windows file system resources for WorkPlace users connecting using Network Explorer.

The available Advanced settings are:

User’s network address
Read/write permissions
Time and date restrictions

Connect Tunnel and/or OnDemand (TCP/IP)

Manages access from TCP/IP resources such as client/server applications, file servers, or databases, for users connecting with one of the following:

The Connect Tunnel or proxy clients
The OnDemand Tunnel or proxy agents

For example, suppose you want to provide access to a network domain for users who have Connect or OnDemand, but you don’t want to allow browser access to Web resources within that domain. You can do that by creating a rule that specifies Connect Tunnel and/or OnDemand Mapped Mode as the only access method, and specifies the network domain in the Client restrictions area.

The available Advanced settings are:

Protocols
User’s network address
Destination restrictions (ports)
Time and date restrictions
b
Click Selected to specify the Protocols (see Protocol selecting) that the network tunnel or proxy service will accept from the client. A brief description of each protocol is included here; for more details, see http://www.ietf.org/rfc/rfc1928.txt.

Protocol selecting

Protocol

Description

TCP

Enables normal TCP connections (for example, SSH, telnet, SCP, and so forth).

UDP

Allows the network tunnel or proxy service to make a UDP data transfer. This is necessary for operations such as streaming audio and Microsoft Outlook new-mail notification.

ICMP

(Internet Control Message Protocol) Enables the ping and traceroute network troubleshooting commands. Selecting this option configures the network tunnel or proxy service to allow these operations on your behalf. This option also enables ICMP packets to flow through the network tunnel or proxy service.

5
Under Client restrictions, in the User’s network address field, specify the names of any source networks you want evaluated in the rule.

This is useful for controlling access based on the origin of the connection request. Click Edit to select from the list of resources. If no source network is specified, the default value of this field is Any. For reverse connections, this option can be used to block access requests to users’ computers that originate from specific ports or application resources.

6
Use Destination restrictions to restrict access over individual Ports or a range of ports. To enable access on any port, click Any. To specify multiple ports, click Selected and type the port numbers, separated by semicolons. To specify a port range, type the beginning and ending numbers separated by a hyphen. For example, if you are building a policy to control access to an SMTP mail server, you might allow access only over port 25 (the well-known port for SMTP traffic). A list of the latest port number assignments is available at http://www.iana.org/assignments/port-numbers.

Use Permissions to specify whether the rule will allow Read or Read/Write access to the file system resources. These access privileges work in conjunction with Windows access control rules. For a user to have certain file permissions, both entities (that is, Windows and the appliance) must allow them. If you disable file uploads, no user can write to a file, although users with write access will be able to move and delete files. These settings are ignored by reverse connections.

7
Under Time and date restrictions, specify when the rule will be in effect. (The time zone for the time restriction fields is your local time.) You can specify a Shift or a Range, or you can specify that the rule remain in effect at all times.
8
Click Save or, if you want to define another rule, click Finish and Add Another.

Because AMC gives you the flexibility to assign multiple access methods to resources, situations may arise in which there is a mismatch between access methods and resources. This happens if you create a rule that assigns an access method that is incompatible with the specified resource. For example, designating Web browser as the method for accessing a Windows domain resource will trigger an “Invalid destination resources” error message in AMC. For more information, see Resolving Invalid Destination Resources.

In some cases you can create a Deny rule that contains a mix of resources and access methods that may prevent subsequent rules from being evaluated. This could inadvertently block user access to other resources referenced in the access policy. The logic used to determine access method and resource compatibility is described in Resolving Deny Rule Incompatibilities.

Reverse connections are available only when IP address pools are configured for the network tunnel clients. AMC displays an error message if you attempt to change the rule from a forward connection to a reverse connection and no IP address pools are configured.

Adding Access Control Rules for a Reverse Connection

Perform the following steps to add an access control rule for a reverse connection from a destination resource to users. Examples of reverse connections include IBM’s Tivoli provisioning products, and Microsoft’s Systems Management Server (SMS). For more information, see Requirements for Reverse and Cross-Connections.

To add an access control rule for a reverse connection:
1
From the main navigation menu in AMC, click Access Control.
2
Click New. The Add Access Rule page appears.

3
In the Number field, type a number to specify the rule’s position in the access rule list. By default, new rules are added to the top of the list, but you can use this box to place the rule anywhere you want. For example, if you have four rules and you assign the number 3 to a new one, it is inserted before the current rule 3 (which will become rule 4). This field is required.
4
In the Description field, type a descriptive comment about the rule. This step is optional, but a description can be helpful when viewing your list of rules later, and also appears in log files where it is useful in debugging. The ID is a unique identifier automatically assigned by AMC; it cannot be edited.
5
Use the Action buttons to specify whether the rule will be used to Permit or Deny access, or if the rule is Disabled.
6
Complete the information listed under Basic settings:

Select the Resource button to create a rule controlling a reverse connection from a resource to a user. The User and Resource buttons toggle between forward-connection and reverse-connection rules.

Reverse connections are available only when IP address pools are configured for the network tunnel clients. If you attempt to create a reverse connection with no IP address pools configured, AMC displays an error message. For more information, see Access Control Rules for Bi-Directional Connections.

The From field specifies the resources that will connect to users. Click Edit to select from a list of resources. If no resources are specified, the default value for this field is Any resource.
The To field specifies the users to which the resource will connect. Click Edit to select from a list. If no users are selected, the default value for this field is Any user.
7
Click Next to display the Advanced page.
8
In the Access methods area, select Any to automatically manage access to all resources in the rule regardless of the access method making the request. This ensures that either the Connect Tunnel client or the OnDemand Tunnel agent, which is required for reverse connections, is managed by the rule. The other access methods do not support reverse connections and will be bypassed.

9
When you are finished creating the rule, click Save.

Adding a Pair of Access Control Rules for a Cross-Connection

Most of the steps involved in creating an access control rule for a cross-connection are the same as those for creating a rule for a forward connection or a reverse connection. However, there are some key differences and requirements.

For example, to permit your VPN users to call each other using a VoIP application, create one rule for your users to connect to an IP address pool on the appliance, and a second rule for the IP address pool to connect to the users.

You would also need to follow this procedure to create a pair of rules to permit bi-directional connections between an FTP server and users.

To add an access control rule for a cross-connection:
1
Ensure that the requirements for configuring a reverse connection are met. For more information, see Requirements for Reverse and Cross-Connections.
2
From the main navigation menu in AMC, click Access Control.
3
Click New. The Add Access Rule page appears.
4
Type a number in the Position field to specify the rule’s position in the access rule list. By default, new rules are added to the top of the list, but you can use this box to place the rule anywhere you want. For example, if you have four rules and you assign the number 3 to a new one, it is inserted before the current rule 3 (which will become rule 4). This field is required.
5
In the Description field, type a descriptive comment about the rule. This step is optional, but a description can be helpful when viewing your list of rules later. The description also appears in log files where it is useful when examining logs to determine why a connection did not match a specific rule. The ID is a unique identifier automatically assigned by AMC; it cannot be edited.

Since a cross-connection requires a pair of forward-connection and reverse-connection rules, you should assign similar names to the two rules to make it easy to locate them in the list of access control rules.

6
Use the Action buttons to specify whether the rule will be used to Permit or Deny access, or if the rule is Disabled.
7
Under Basic settings, use the User and Resource buttons to select forward-connection or reverse-connection rules.

To create a forward-connection rule from the users to the IP address pool, click User.
To create a reverse-connection rule from the IP address pool to the users, click Resource.
8
In the From field under Basic settings, specify the users or resources to which this rule applies:
For a forward-connection rule, specify the users or user groups to whom the rule applies. Click Edit to select from a list of users or groups. The default value is Any user.
For a reverse-connection rule, specify the address pool that will be used for the VoIP application. Click Edit to select the address pool from a list of resources. The default value is Any resource.
9
In the To box under Basic settings, specify the users or resources to which this rule applies:
For a forward-connection rule, specify the address pool that will be used for the VoIP application. Click Edit to select the address pool from a list of resources. The default value is Any resource.
For a reverse-connection rule, specify the users to whom the rule applies. Click Edit to select from a list of users or groups. The default value is Any user.
10
In the Access method restrictions area, select Any so that access to all resources in the rule is managed regardless of the access method making the request. This enables the appliance’s Smart Access feature to determine the appropriate access method for the users’ end point devices, which for a reverse connection is either the Connect Tunnel client or the OnDemand Tunnel agent. The other access methods do not support cross-connections or bi-directional connections and will be bypassed.
11
Click Finish after you have created the first rule in the pair of cross-connection rules, and then create and save the second rule. (Alternatively, you can save the first rule in the pair, make a copy of it, and then reverse the user and resource settings.)

After you have configured the forward-connection rule and the reverse-connection rule that make up the cross-connection rule pair, you should position the two rules next to each other in the access control list. That will make it easier to identify them as related rules.

AMC displays an error message if you attempt to create a cross-connection rule with no IP address pools configured. For more information, see Access Control Rules for Bi-Directional Connections.

Adding Access Control Rules for Application Access Control

Perform the following steps to add an access control rule to control which users or groups are allowed to access which resources using a specific application from a personal device (within the context of a specific Application Zone). For more information, see Application Access Control.

To add an access control rule for Application Access Control:
1
From the main navigation menu in AMC, click Access Control.
2
Click New. The Add Access Rule page appears.

3
In the Position field, type a number to specify the rule’s position in the access rule list. By default, new rules are added to the top of the list, but you can use this box to place the rule anywhere you want. For example, if you have four rules and you assign the number 3 to a new one, it is inserted before the current rule 3 (which will become rule 4). This field is required.
4
In the Description field, type a descriptive comment about the rule. This step is optional, but a description can be helpful when viewing your list of rules later, and also appears in log files where it is useful in debugging. The ID is a unique identifier automatically assigned by AMC; it cannot be edited.
5
Use the Action field to specify whether the rule will be used to Permit or Deny access. The default is Permit.
6
In the Applies to field, select Device zones, Device and Application zones, or Application zones as the type of zone associated with the rule. The default is Device Zones.
NOTE: An access control rule can apply to Device zones, Application zones, or Device and Application zones (any of the Applies to options), but an individual user connection belongs to a single Device zone or Application zone at any given time.
7
Complete the information listed under Basic settings:

Use the Direction buttons (User and Resource) to specify whether the rule controls a connection from a user or from a resource. The default is User.
The From field specifies the users or groups allowed or denied access to the resources in the To list using an application on the selected Application list. Click Edit to select from a list. If no users are specified, the default value for this field is Any user.
The To field specifies the resources that the user or group can access using an application on the selected Application list. Click Edit to select from a list. If no resources are specified, the default value for this field is Any resource.
8
Complete the information listed under End Point Control zones.

For Application zones, either use the default of Any application zone or click the Application zone Edit button and select the application zones that will use this rule.
For Applications, click the Applications Edit button and select at least one application that users are permitted to use when contacting the corporate network with this rule. You must choose at least one application from the displayed list before the rule can be saved.
NOTE: Applications must be learned before they are listed, as explained in Application Access Control.
9
Click the Next> button at the bottom to display the Advanced tab.

10
In the Access method restrictions section, select Any or Selected for Client software agents, Client platforms, and Protocols to permit or deny access based on the software agent or client initializing the connection. If you choose Selected, check all desired types from the options that are displayed; see Option types.

Option types

Client software agents:
Web browser (HTTP/HTTPS)
Network Explorer (Web access to file system resources)
Connect Tunnel and/or SonicWall OnDemand VPN Connection (TCP/IP)

Client platforms:
Windows
Mac OS
iOS
Android
Linux
ChromeOS

Protocols:
TCP
UDP
ICMP


11
In the Client restrictions section, either use the default of Any for User’s network address or click the Edit button and select the source network resources that this rule applies to.
12
In the Destination restrictions section either use the default of Any port to enable access on any port or select Selected to restrict access over individual Ports or a range of ports and type the ports to allow. For example, if you are building a policy to control access to an SMTP mail server, you might allow access only over port 25 (the well-known port for SMTP traffic). A list of the latest port number assignments is available at http://www.iana.org/assignments/port-numbers.

To specify multiple ports, separate the port numbers with a semicolon. To specify a port range, type the beginning and ending numbers separated by a hyphen.

13
In the Permissions field, specify whether the rule will allow Read or Read/Write access to the file system resources. These access privileges work in conjunction with Windows access control rules. For a user to have certain file permissions, both Windows and the appliance must allow them. If you disable file uploads, no user can write to a file, although users with write access will still be able to move and delete files.
14
In the Time and date restrictions section, specify when the rule will be in effect. (The time zone for the time restriction fields is your local time.) You can specify a Shift, Range, or use the default of Any to use the rule at all times.
15
Click Finish to save your entries.

Configuring Advanced Access Control Rule Attributes

For most rules, a basic configuration that includes users or groups, destination resources, and access methods is sufficient. Settings that provide even tighter access are available on the Advanced page for Add/Edit Access Rule.

For example, if you want to restrict connections to those coming from an individual IP address, select the User’s network address option. Source networks are referenced in an access rule to permit or deny a connection to a destination resource based on the location from which the request originates, which provides you with even greater security.

To configure advanced settings for an access control rule:
1
From the main navigation menu in AMC, click Access Control.
2
Click the link for an existing rule.
3
On the Edit Access Rule page, click the Advanced tab.
4
Under Access method restrictions, permit or deny access based on the software agent or client initializing the connection. In most cases, you can leave this set to Any.
5
To restrict the Protocols that the network tunnel or proxy service will accept from the client, click Selected. A brief description of each protocol is included in Advanced Access Control Rule Attributes; for more details, see http://www.ietf.org/rfc/rfc1928.txt.

Advanced Access Control Rule Attributes

Protocol

Description

TCP

Enables normal TCP connections (for example, SSH, telnet, SCP, and so forth).

UDP

Allows the network tunnel or proxy service to make a UDP data transfer. This is necessary for operations such as streaming audio and Microsoft Outlook new-mail notification.

ICMP

(Internet Control Message Protocol) Enables the ping and traceroute network troubleshooting commands. Selecting this option configures the network tunnel or proxy service to allow these operations on your behalf. This option also enables ICMP packets to flow through the network tunnel or proxy service.

Accept bind requests from server

Used in protocols that require the client to accept connections from the server. FTP is a notable example: bind usually occurs with a Connect/Bind pair of connections.

6
Specify the names of any source networks you want evaluated in the rule with the User’s network address option. This is useful for controlling access based on the origin of the connection request. Click Edit to select from the list of resources. If no source network is specified, the default value of this field is Any. For reverse connections, this option can be used to block access requests to users’ computers that originate from specific ports or the application resources.
7
Use Destination restrictions to restrict access over individual Ports or a range of ports. For example, if you are building a policy to control access to an SMTP mail server, you might allow access only over port 25 (the well-known port for SMTP traffic). A list of the latest port number assignments is available at http://www.iana.org/assignments/port-numbers.

To enable access on any port, click Any. To specify multiple ports, click Selected and type the port numbers, separating each with a semicolon. To specify a port range, type the beginning and ending numbers separated by a hyphen.

8
Use Permissions to specify whether the rule will allow Read or Read/Write access to the file system resources. These access privileges work in conjunction with Windows access control rules. For a user to have certain file permissions, both entities (that is, Windows and the appliance) must allow them. If you disable file uploads, no user can write to a file, although users with write access will be able to move and delete files. These settings are ignored by reverse connections.
9
Under Time and date restrictions, specify when the rule will be in effect. (The time zone for the time restriction fields is your local time.) You can specify a Shift or a Range, or you can specify that the rule remain in effect at all times.
10
When you are finished creating the rule, click Save.
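The port syntax used by Destination restrictions (step 7 above, and the same syntax in the basic and Application Access Control procedures earlier in this section) as an added Python parser, written for this guide rather than taken from the appliance; a spec of None stands for the Any button, and every malformed entry is rejected so a typo cannot silently widen or narrow a rule.

```python
"""Parser for the Destination restrictions port syntax: individual ports
separated by semicolons, ranges written as start-end, e.g. "25;110-143;443".
Added example for this guide, not code from the SMA appliance."""
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]
MIN_PORT, MAX_PORT = 1, 65535


def parse_port_spec(spec: Optional[str]) -> List[PortRange]:
    """Return a list of inclusive (start, end) ranges.

    None models the Any button (every port). Each semicolon-separated entry
    is either a single port or a start-end range; anything else raises
    ValueError rather than being guessed at.
    """
    if spec is None:
        return [(MIN_PORT, MAX_PORT)]
    ranges: List[PortRange] = []
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            raise ValueError(f"empty entry in port specification {spec!r}")
        parts = entry.split("-")
        if len(parts) > 2:
            raise ValueError(f"malformed range {entry!r}")
        try:
            lo = int(parts[0])          # single port: parts[0] == parts[-1]
            hi = int(parts[-1])
        except ValueError:
            raise ValueError(f"non-numeric port in {entry!r}") from None
        for p in (lo, hi):
            if not MIN_PORT <= p <= MAX_PORT:
                raise ValueError(f"port {p} out of range in {entry!r}")
        if lo > hi:
            raise ValueError(f"range {entry!r} runs backwards")
        ranges.append((lo, hi))
    return ranges


def port_allowed(port: int, ranges: List[PortRange]) -> bool:
    """True if the destination port falls inside any allowed range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def check_ports(spec: Optional[str], ports: List[int]) -> Dict[int, bool]:
    """Evaluate several destination ports against one rule's restriction."""
    ranges = parse_port_spec(spec)
    return {p: port_allowed(p, ranges) for p in ports}


if __name__ == "__main__":
    # Constructed example: SMTP plus a small range plus HTTPS.
    print(check_ports("25;110-143;443", [25, 143, 144, 443]))
```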

Access Methods and Advanced Options

When you restrict your access methods, the advanced options are enabled or disabled based on which ones remain selected (if you select Any as the access method, all the advanced options are available). When AMC validates the rule it prevents you from selecting rule attributes that are not relevant to the access methods. Access method advanced options shows the advanced options that apply to each access method.


Access method advanced options

Access method

Applicable advanced options

Web browser (HTTP/HTTPS)

User’s network address
Time and date restrictions

Network Explorer (Web access to file system resources)

User’s network address
Read/write permissions
Time and date restrictions

Connect Tunnel and/or OnDemand (TCP/IP)

Protocols
User’s network address
Destination restrictions (ports)
Time and date restrictions

Adding Users and Resources From Within Access Control Rules

Some administrators prefer to define all policy objects (users, groups, and resources) before creating access control rules. Although this structured approach works particularly well for the initial configuration, you may find it inconvenient for ongoing management. If so, you can define new resources directly from the interface used to create access control rules.

To add a user or resource to an existing access control rule:
1
From the main navigation menu in AMC, click Access Control.
2
Click the link for an existing rule. The Edit Access Rule page appears.
3
In the Basic settings area, click Edit beside the From field. A separate page appears displaying your current users and groups. For the meaning of the icons, see Icon descriptions.

Icon descriptions

Community
Any user (belonging to the specified realm)
User or local user

4
In the Basic settings area, click Edit beside the To field. A separate page appears displaying your resources and resource groups.

5
Click New. The page displayed next depends on the type of object you are creating.
6
Define the settings for the new user, group, or resource.
7
When you are finished creating the object, click Save.
8
Select the checkbox beside the object you want to add to the access rule and then click Save.

Editing, Copying, and Deleting Access Control Rules

Before modifying or deleting an access control rule, carefully examine your existing rules to understand how your changes will affect your security policy.

CAUTION: Use caution when deleting rules because you are not prompted to confirm the deletion.

You can reorder the placement of rules in the access control list. But before you do any reordering, carefully examine them to understand how the new order will affect your security policy.

Rather than creating a new access control rule from scratch, you can save time by making a copy of an existing rule and changing some parameters to fit the new rule. Choose a rule that shares characteristics with the rule you plan to create.

Copying is also useful when experimenting with a new access rule: you can edit the copied rule and disable the original rule during your testing. This way you can roll back to your original rule if necessary.

For more information on editing, deleting, and copying access control rules, see Deleting Referenced Objects.

When you use the Filters settings to filter the view of the access rules by a specific access method or other criteria, you cannot use the Move Up and Move Down buttons to reorder the list. You can move an access control rule only when Method is set to All.

To move a rule more than one position in the list, it’s usually faster to change the Number box on the Add/Edit Access Rule page.

Resolving Deny Rule Incompatibilities

In a Permit rule, you can safely mix and match resources and access methods. However, Deny rules containing specific combinations of resources and access methods may prevent subsequent rules from being evaluated. This can inadvertently block user access to resources referenced later in your access policy.

During its policy evaluation, the appliance may in some cases be unable to determine whether a Deny rule matches an incoming connection request. As a security precaution, it stops processing your rule set and blocks user access.

If you attempt to define a Deny rule referencing any of the three combinations described in the following table, AMC displays this warning message:

“Some of the resources in this rule are not supported by the selected access method(s), which could inadvertently deny access to some resources.”

Rule Incompatibilities lists the rule combinations that trigger this warning:


Rule Incompatibilities

Rule action

Resource type

Access methods

Deny

Windows domain

Any
Connect and OnDemand
WorkPlace

Deny

URL

Any
Connect and OnDemand

Deny

File share

Any
Connect and OnDemand

Example

Suppose you create a Deny rule blocking access to a Windows domain and you leave Access methods set to Any. A Windows domain is accessible from WorkPlace, so when the appliance receives a connection attempt from WorkPlace, it matches the rule and denies access.

However, if the user makes a connection request from Connect or OnDemand, the appliance is unable to determine whether the Windows domain rule matches the request (regardless of which destination resource is requested). The appliance then stops evaluating any further rules in your policy and immediately denies access. If the Windows domain rule is at the top of your access control rule list, it prevents the user from accessing any VPN resources. And if the next rule in the list is a Permit rule allowing the user to access a VPN resource, it is not evaluated.

Resolving the Problem

To resolve rule incompatibilities, modify the rule so it doesn’t reference indeterminate access methods. In the case of a Windows domain or network share, select Network Explorer as the only access method. For a URL, select only Web browser or Connect Tunnel and/or OnDemand Mapped Mode.

Resolving Invalid Destination Resources

If you attempt to create a rule that assigns an access method to an incompatible destination resource, AMC prevents the conflict and displays an Invalid resources warning.

Invalid access method/destination resource combinations lists the access method/destination resource combinations that trigger this warning.


Invalid access method/destination resource combinations

Access method

Invalid destination resource

Web browser

Windows domain
Network share

Network Explorer

URL (and Matching URL)

Connect or OnDemand

URL (and Matching URL)
Windows domain

Invalid Resource Examples

AMC will not permit you to save a rule that contains a method/resource conflict: if you click Save, AMC removes the invalid resource from the rule. If the rule contains only one mismatched resource, it is replaced with Any. Examples of method/resource conflict are:

If a rule specifies Web browser as the only available access method, it cannot refer to a Windows domain resource. (A Windows domain resource is one that has Domain as its type, and for which the Windows domain checkbox is selected).
A rule that specifies a Matching URL resource requires Web browser as an access method; if the allowed access methods for a rule don’t include Web browser, the Invalid resource warning appears.

To resolve a destination resource error, modify the rule so that the type of access method is compatible with the destination resource. The simplest way to avoid an access method/destination resource conflict is to remove any Access method restrictions on the Advanced tab of the Add/Edit Access Rule page by leaving both Client software agents and Protocols set to Any.
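A Python model of the two checks described in the last two sections, the Invalid destination resources table and the Deny rule incompatibility, together with a rule walker that reproduces the indeterminate-match fall-through from the Windows domain example; this is an added example for this guide, not SonicWall code. Resource type labels follow the tables, while the "Host" resource type and the deny-on-no-match default are assumptions.

```python
"""Model of AMC's rule-compatibility checks and of the Deny-rule evaluation
failure mode. Added example for this guide, not SonicWall code; the "Host"
resource type and the default on no match are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Access methods as named in the Invalid access method/destination resource table.
WEB = "Web browser"
NETEXP = "Network Explorer"
TUNNEL = "Connect or OnDemand"
ANY_METHOD: FrozenSet[str] = frozenset({WEB, NETEXP, TUNNEL})  # the Any setting

# Invalid access method/destination resource combinations (from the table).
# "Network share" here is the "File share" of the Rule Incompatibilities table.
INVALID = {
    WEB: {"Windows domain", "Network share"},
    NETEXP: {"URL", "Matching URL"},
    TUNNEL: {"URL", "Matching URL", "Windows domain"},
}

# Resource types that, in a Deny rule open to tunnel clients, leave the
# appliance unable to decide whether the rule matches (Rule Incompatibilities).
INDETERMINATE_TYPES = {"Windows domain", "URL", "Network share"}


@dataclass(frozen=True)
class Resource:
    name: str
    rtype: str  # "Windows domain", "URL", "Matching URL", "Network share", "Host"


@dataclass
class Rule:
    number: int
    action: str                          # "Permit" or "Deny"
    resources: List[Resource]            # empty list models Any resource
    methods: FrozenSet[str] = ANY_METHOD


def invalid_destination_resources(rule: Rule) -> List[Resource]:
    """Resources that none of the rule's access methods can reach; AMC drops
    these from the rule when you click Save."""
    return [r for r in rule.resources
            if all(r.rtype in INVALID[m] for m in rule.methods)]


def deny_rule_incompatible(rule: Rule) -> bool:
    """True when AMC would show the 'could inadvertently deny access' warning."""
    return (rule.action == "Deny"
            and TUNNEL in rule.methods          # Any includes the tunnel clients
            and any(r.rtype in INDETERMINATE_TYPES for r in rule.resources))


def evaluate(rules: List[Rule], method: str, target: Resource) -> Tuple[str, str]:
    """Walk the rules in position order and return (decision, reason)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if method not in rule.methods:
            continue                            # rule does not cover this method
        if (rule.action == "Deny" and method == TUNNEL
                and any(r.rtype in INDETERMINATE_TYPES for r in rule.resources)):
            # The appliance cannot tell whether the rule matches: it stops
            # evaluating and denies, whatever resource was requested.
            return "Deny", f"rule {rule.number}: match indeterminate, evaluation stopped"
        if not rule.resources or target in rule.resources:
            return rule.action, f"rule {rule.number} matched"
    return "Deny", "no rule matched (assumed default)"


def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Reproduce the worked example: a Deny on a Windows domain with methods
    left at Any blocks a later Permit for tunnel users; restricting the Deny
    rule to Network Explorer lets the Permit rule be reached."""
    domain = Resource("CORP", "Windows domain")
    app = Resource("intranet-app", "Host")           # constructed host resource
    block_domain = Rule(1, "Deny", [domain])          # methods default to Any
    allow_app = Rule(2, "Permit", [app])
    before = evaluate([block_domain, allow_app], TUNNEL, app)
    fixed = Rule(1, "Deny", [domain], frozenset({NETEXP}))
    after = evaluate([fixed, allow_app], TUNNEL, app)
    return before, after


if __name__ == "__main__":
    print(demo())
```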

 

System Administration

Optional Network Configuration

This section describes how to configure and use system logging and monitoring, and how to configure Secure Sockets Layer (SSL) encryption options. It also describes how to use a variety of tools to upgrade, roll back, or reset software versions and to back up or reset configuration files.

It explains how to enable SSH access from remote hosts, and how to enable Internet Control Message Protocol (ICMP) so you can ping the appliance. It also describes how to configure the time settings on the appliance.

For information about configuring and using SNMP, see SNMP Configuration.


Enabling SSH Access from Remote Hosts

Enabling SSH provides an easy way to access the appliance console from another system. You can enable SSH access from your internal or external network. The local SSH server daemon (sshd) listens on port 22 (the well-known port number for SSH).

To enable SSH access:
1
From the main navigation menu, click Services.
2
In the Network Services area, click the Configure link for SSH.
3
To enable SSH, select the Enable SSH checkbox.

4
To add a host from which you want to enable SSH access, click New, type the IP address and subnet mask for the host you want to add, and then click OK.
5
Click Save.
To delete a host:
1
Select the checkbox to the left of any hosts you want to remove.
2
Click Delete, and then click Save.
NOTE: You can enable SSH access from any host by typing 0.0.0.0 for both the IP address and the subnet mask. Keep in mind, however, that the trade-off for this convenience is decreased appliance security.

Enabling ICMP

Enabling ICMP allows you to use the ping command to test network connectivity to the appliance from another computer on the same subnet. This will not enable broadcast pings.

CAUTION: Enabling ICMP makes it possible to ping the appliance from both network interfaces (external and internal). Unless you suppress ICMP Echo Request traffic using a firewall or other network device, it will be possible to discover the appliance from the Internet.
To enable ICMP:
1
From the main navigation menu, click Network Settings.
2
In the Basic area, click the Edit link. The Configure Basic Network Settings page appears.
3
In the ICMP area, select the Enable ICMP pings checkbox.

4
Click Save.

Configuring Time Settings

IMPORTANT: Changing the time or time zone immediately restarts the appliance. All current user sessions will be closed.

To set the date and time referenced on the appliance and in system logs, select a time zone and then set the local time, if necessary. There are two ways to set the current time: manually, or by synchronizing with one or more Network Time Protocol (NTP) servers.

To change the time zone:
1
From the main navigation menu, click General Settings.
2
In the Appliance options area, click Edit.
3
In the Date/time area, click Change for Time zone. The Set Current Time Zone dialog displays.

4
Select your current local time zone from the Time zone drop-down menu, which shows the time as Greenwich Mean Time (GMT).
5
Apply your pending changes.
To manually configure the system time:

NOTE: If you are using a SonicWall-provided evaluation license, do not move your system time backward from the current time; doing so will disable all services on your appliance for licensing reasons.
1
From the main navigation menu, click General Settings.
2
In the Appliance options area, click Edit.
3
In the Date/time area, click Change for Current time. The Set Current Time dialog displays.

4
Enter the current date and time. Click Set to apply your changes immediately.
To configure the system time using NTP:
1. From the main navigation menu, click Services.
2. In the Network services area, click the Configure link for NTP. The Configure NTP Settings page displays.
3. To enable NTP, select the Enable NTP checkbox.
4. To configure NTP, type the IP addresses for one or more NTP servers in the Primary server and Backup server fields. The appliance attempts to synchronize with the primary server, and uses the backup servers as needed if the primary server is unavailable.
5. Click Save.

NOTE: The appliance does not use NTP authentication keys, making it possible for someone to spoof an NTP server and provide the appliance with incorrect time settings. We recommend that you synchronize only with NTP servers on your internal network.

System Logging and Monitoring

The SMA appliance logs a variety of useful information, including user access, system events, and changes in AMC. This section explains how to configure and view logs in AMC, and how to send messages to an external syslog server. It also describes the system status information displayed by AMC.

If a central syslog server is not available, you can review log files from the command-line interface on the appliance itself using standard UNIX commands. For information on how to manually view and interpret raw log data, see Log File Output Formats.

Overview: System Logging and Monitoring

The appliance logs data about the operation of AMC and of the services on the appliance; it also records how administrators have used and changed the system. All system logs are collected and stored in syslog format, and log messages are handled using an updated version of the standard syslog format.

The appliance is initially configured to store log files locally. If you configure it to send log files to a central syslog server, you can monitor system-level events in near real time, and receive notifications about significant events. You can also export log message data to a comma-separated values (.csv) file for viewing and analysis with other applications.

Log Files

The appliance generates several types of log files that can be viewed and exported from the Logging page in AMC. There are also two log files related to WorkPlace that can’t be viewed in AMC; they are described in WorkPlace Logs.

Viewing Logs

There are several log files generated by the SMA appliance, and AMC enables you to sort, search, and filter them.

To view logs:
1. From the main navigation menu, click Logging. The View Logs page appears.
2. Select the system or service log file you want to view from the Log file drop-down menu. The columns of information displayed are different for each type of log file, as described in Log file descriptions.

Log file descriptions

Log file

Description

System message log

Displays server processing and diagnostic information about the network tunnel service and the Web proxy service. It also provides detailed messages about all access control decisions: each time a user request matches a policy rule, a log file entry is recorded explaining the action taken.

For details, see System Message Log.

Management message log

Displays entries regarding the operation of AMC, including when the console was started and stopped, and what errors occurred during administration of the appliance.

For details, see Management Message Log.

Management audit log

Displays an audit history of configuration changes made in AMC by administrators, showing when changes were made and by which administrator.

For details, see Management Audit Log.

Network proxy/tunnel audit log

Web proxy audit log

There are two access service audit logs: one for the Web proxy service (called ExtraWeb in the log files), and one that combines messages from both the network proxy and network tunnel services (called Anywhere VPN in the log files). These two logs provide detailed information about connection activity, including a list of users and the amount of data transferred.

For details, see Network Tunnel Audit Log and Web Proxy Audit Log.

Client installation logs

If something goes wrong during client or agent installation on a computer running Windows, the error is recorded in a client installation log. These logs are automatically uploaded to the appliance and listed in AMC if the user has Secure Endpoint Manager installed.

For details, see Client Installation Logs (Windows).

Unregistered device log

Displays a list of login attempts from users on devices that are not registered. You can export the list to an XML format that can be used to register these devices.

3. Use the Show last drop-down menu to select the number of log messages you want to display. You can choose 50 (default), 100, 250, 500, or 1000 messages.
4. Click the Refresh button to update the page to show the most recent log messages, or to view the results of any filtering selections you’ve made.

By default, the log viewer’s Auto-refresh option is set to 1 min. You can optionally set the refresh time to 30 sec., 5 min., 10 min., 15 min., or turn it Off during your AMC session.

5. Use the optional Search for and Level, Source, and Status sorting options to find log messages that meet specific criteria. See Sorting, Searching, and Filtering Log Messages.
6. A plus sign (+) is displayed in the first column when a log entry is more than a few lines long: click it to expand the entry.

NOTE: When Auto-refresh is set to any time interval other than Off and the View Logs page is displayed, the refresh activity prevents the AMC session from automatically timing out after the default inactivity period (15 minutes). This means that if you leave AMC unattended while the View Logs page is displayed and in auto-refresh mode, AMC will not time out. A good security practice is to always switch to another page in AMC when you are done viewing log messages. See Appliance Sessions for more information.

Sorting, Searching, and Filtering Log Messages

The AMC log viewer allows you to customize the display of log message data using sorting, searching, and filtering options. You can use these options separately or in any combination.

Sorting

Data displayed in each of the columns in the log table can be sorted in ascending or descending order by clicking the column heading. By default, log messages are sorted by the Time column, with the most recent messages shown at the top.

Searching

To search for text strings in the log files, such as an IP address or a user ID, type the (case-sensitive) search criteria in the Search for field and then click Refresh to view the results. You can use the wildcard characters * and ? in your search criteria. To clear the search criteria, click the reset link.

When you’re viewing a system message log, you can click a session ID number in the ID column to automatically search for all log messages that share the same session ID. For information on session ID see the table of field descriptions in System Message Log.

In the Web proxy audit log and the network proxy/tunnel audit log, you can click a user ID in the Username column to automatically search for all log messages about a specific user.

Filtering

With the filtering options, you can include or exclude certain types of logging data for each log file. For example, if you want to see Management message log entries that are not AMC-related (such as system control authority messages), select all of the Level checkboxes and make sure the AMC checkbox under Source is cleared. The available options vary depending on the type of log file you are viewing.

Exporting Log Files

If you need to perform additional analysis of the log message data, or display the data differently, you can export selected data to files for use by another application, such as Microsoft Excel (in the case of logs with comma-separated values) or an XML editor (in the case of the log for unregistered devices).

You can reduce the size of the exported file by first applying filter or search criteria. The Show last <n> messages setting determines the maximum number of messages included in the exported log file.

To export a log file:
1. From the main navigation menu, click Logging. The View Logs page appears.
2. Use the Log file list to select the system or service log file you want to view.
3. Apply any filter or search criteria to the log data. See Sorting, Searching, and Filtering Log Messages.
4. Click Export.
5. You are prompted to save or open the file. Click Save.
6. In the Save As dialog box, browse for the location where the file will be saved, optionally rename the file, and then click Save. By default, AMC assigns the file names shown in File names for the exported logs to the exported files:

File names for the exported logs

File name

Description

sysmessage.csv

System message log

management.csv

Management message log

consoleaudit.csv

Management audit log

netaudit.csv

Network proxy/tunnel audit log

webaudit.csv

Web proxy audit log

UnregisteredDevices.xml

Log of devices with an equipment ID that is not recognized. For the steps necessary for collecting device identifiers in this log, see Collecting Equipment IDs from Unregistered Devices.

Configuring Log Settings

If you are debugging the system, you can set the message log level for the services in AMC. Additionally, you can configure the appliance to send log files to an external syslog server.

Setting Log Levels

You can specify how much detail is written to the message logs for each service. Increasing the message log detail requires more disk space and has a greater impact on system performance.

To set the logging level:
1. From the main navigation menu, click Logging. The View Logs page appears.
2. Click the Configure Logging tab.
3. Select the appropriate level of message detail for the services on the appliance, which are listed in order of increasing detail. The highest detail log levels (Verbose and Debug) are valuable for troubleshooting purposes, but they require more disk space and can have a significant performance impact: they should not be used in normal operation.
4. You can also configure the appliance to send system logs to one or more syslog servers. Type the IP addresses and port numbers for the syslog servers in the Syslog configuration area. Port 514 is the standard syslog-ng port, but you can use another port as needed to match your server configuration. Regardless of whether you configure syslog, all system events are logged locally.
5. Click Cancel to discard any changes you’ve made, or click Save.

Sending Log Files to a Syslog Server

The SMA appliance can send system logs to a syslog server. Regardless of whether you configure syslog, all system events are logged locally. To avoid flooding the network with log information, the appliance forwards log messages for only the three highest severity levels (fatal, error, and warning).

For information on the syslog protocol, see RFC 3164 (http://www.ietf.org/rfc/rfc3164.txt).

To send log files to a syslog server:
1. From the main navigation menu, click Logging. The View Logs page appears.
2. Click the Configure Logging tab.
3. Under Syslog configuration, type the IP address and port numbers for one or more syslog servers. The default for the syslog-ng port is 514, but you can use another port as needed to match your server configuration. Use the Protocol list to specify whether the appliance will communicate with syslog using the TCP or UDP protocol.
4. Click Cancel to discard any changes you’ve made, or click Save.

NOTE: Because syslog data is not encrypted, sending log messages to an external server is a potential security issue.
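The following is an added example, not SonicWall code, showing what a collector should do with the RFC 3164 lines the appliance forwards: decode the <PRI> field into facility and severity, keep only warning-or-worse messages (the three levels the appliance sends), and, because syslog carries no authentication, drop datagrams that do not come from the appliance's address. The appliance-level-to-severity mapping, the appliance IP address, and the sample lines are constructed placeholders.

```python
# Added example, not SonicWall code: collector-side handling of the RFC 3164
# lines the appliance forwards. Decodes <PRI> into facility/severity, keeps
# only warning-or-worse messages and rejects unexpected sender addresses.
# Assumptions: the level-to-severity mapping, the appliance address and the
# sample lines below are constructed placeholders.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_FORWARDED_SEVERITY = 4          # warning; lower numbers are more severe
APPLIANCE_ADDRESSES = {"192.0.2.10"}  # placeholder for the appliance's internal IP

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_rfc3164(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 3164 line; returns None for anything malformed."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facilities 0-23 times 8, plus severity 0-7
        return None
    return SyslogEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"),
                       m.group("tag"), m.group("msg"))


def accept(line: str, source_ip: str) -> Optional[SyslogEvent]:
    """Return the event if it came from the appliance and is warning level or worse."""
    if source_ip not in APPLIANCE_ADDRESSES:
        return None  # unauthenticated transport: trust only the configured sender
    event = parse_rfc3164(line)
    if event is None or event.severity > MAX_FORWARDED_SEVERITY:
        return None
    return event


def filter_datagrams(datagrams: List[Tuple[str, str]]) -> List[SyslogEvent]:
    """Apply accept() to (line, sender IP) pairs, as a UDP receiver would."""
    return [e for line, ip in datagrams if (e := accept(line, ip)) is not None]


# Constructed sample datagrams (line, sender IP); not real appliance output.
SAMPLE_DATAGRAMS = [
    ("<27>Mar  3 14:05:12 sma-appliance ExtraWeb[2231]: access denied for user alice by rule Deny-All", "192.0.2.10"),
    ("<30>Mar  3 14:05:13 sma-appliance ExtraWeb[2231]: session 41 started for user alice", "192.0.2.10"),
    ("<28>Mar  3 14:05:20 sma-appliance sysctrl: service restart requested by admin", "192.0.2.10"),
    ("<28>Mar  3 14:05:21 rogue-host ExtraWeb: access denied for user alice", "203.0.113.9"),
    ("<10>Mar  3 14:05:30 sma-appliance policy: policy server not responding", "192.0.2.10"),
    ("garbage without a PRI header", "192.0.2.10"),
]

if __name__ == "__main__":
    for e in filter_datagrams(SAMPLE_DATAGRAMS):
        print(f"{e.timestamp} {e.host} {e.tag} [{e.severity_name}] {e.message}")
```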

System Message Log

The system message log displays server processing and diagnostic information about the Web proxy service, network proxy, and the network tunnel service. It also provides detailed messages about all access control decisions: each time a user request matches a policy rule, a log file entry is recorded explaining the action taken. To view this log, select System message log from the Log file drop-down menu on the View Logs page in AMC.

The View Logs page displays the information shown in System message log file information from the system message log file.

 

System message log file information

Column

Description

Level

Log message detail level: Fatal, Error, Warning, Info, Debug, or Verbose.

Time

Date and time when the message was generated by the service.

Source

Indicates which service generated the message: Network proxy, Network tunnel, Web proxy, or Policy server.

ID

The unique ID number assigned to each user session. Click a session ID number to automatically search for all log messages associated with it. For more information on session ID numbers, see System Message Log.

Message

Message text.

NOTE: For information on manually reviewing log files from the command-line interface on the appliance, see System Message Log.

Management Message Log

The Management message log contains entries regarding the operation of AMC, including when the console was started and stopped, and what errors occurred during administration of the appliance. To view this log, select Management message log from the Log file list on the View Logs page in AMC.

The View Logs page displays the information shown in Management message log information about the Management message log.

 

Management message log information

Column

Description

Level

Log message detail level: Error, Warning, Info, Verbose, or Debug.

Time

Date and time message was logged.

Source

Shows the source for the change: AMC or Other, which includes WEEKPRUN and sysctrl.

Message

Describes the log entry in more detail.

Management Audit Log

The Management audit log provides an audit history of configuration changes made in AMC by administrators, showing when changes were made and by which administrator. Configuration changes are either active or pending:

Active configuration: Configuration items that precede the log message Applied configuration changes are ones that have been applied and are currently active.
Pending changes: As changes are made, they are saved to disk but not immediately applied. In the Management audit log, these pending changes follow the Applied configuration changes message and can be discarded. See Discarding Pending Configuration Changes to find out how to do so.

To view this log, select Management audit log from the Log file drop-down menu on the View Logs page in AMC.

The View Logs page displays the information shown in Management audit log information about the Management audit log.

 

Management audit log information

Column

Description

Level

Log message detail level: Fatal, Error, Warning, or Info.

Time

Date and time of the AMC configuration change.

Username

Shows the name of the administrator as it is configured on the Manage Administrator Accounts page.

Message

Shows configuration changes made in AMC.

NOTE: For information on manually reviewing log files from the command-line interface on the appliance, see Management Console Audit Log.

Network Tunnel Audit Log

The network proxy/tunnel audit log provides detailed information about connection activity for users who are accessing resources using Connect Tunnel or OnDemand Tunnel, including a list of users and the amount of data transferred. To view this log, select Network tunnel audit log from the Log file drop-down menu on the View Logs page in AMC.

The View Logs page displays the information shown in Network proxy/tunnel audit log information about the network proxy/tunnel audit log file.

 

Network proxy/tunnel audit log information

Column

Description

Status

Displays color-coded connection status for each connection request:

Red: Error
Orange: Information
Green: Success

When you move the pointer over a connection status code for a specific log message, AMC displays explanatory text below the message.

Time

Date and time of the connection.

Source

Indicates which service generated the message: Network proxy, Network tunnel, Web proxy, or Policy server.

Source IP

The IP address and port number of the computer using the network proxy or tunnel service.

Destination IP

Indicates the IP address and port number of the resource being accessed.

Bytes

Shows three sets of values:

The number of bytes sent
The number of bytes received
The connection duration (in seconds)

Username

The user who requested the resource. You can search for all log messages for a specific user by clicking a username link.

NOTE: For information on manually reviewing log files from the command-line interface on the appliance, see Network Tunnel Audit Log.

Web Proxy Audit Log

The Web proxy audit log provides detailed information about connection activity for users who are accessing resources using Web Proxy Access or Translated Access, including a list of users and the amount of data transferred. To view this log, select Web proxy audit log from the Log file list on the View Logs page in AMC.

The View Logs page displays the information shown in Web Proxy audit log information about the Web proxy audit log file.

 

Web Proxy audit log information

Column

Description

Status

Displays color-coded return codes for each HTTP request. Move the pointer over an HTTP return code number to see explanatory text. The code numbers are in the following ranges and colors:

500: server error (red)
400: client error (orange)
300: redirection (green)
200: success (green)

Time

The date and time at which the request was received by the appliance.

Source IP

The IP address and port number of the computer that used the Web proxy service.

Bytes

The number of bytes sent in the body of the response, excluding the size of the HTTP headers.

Username

The name with which the user authenticated to the Web proxy service. You can search all log messages related to a specific user by clicking a username link.

Request

Shows the first line of the HTTP request, which contains the HTTP command (such as GET or POST), the requested resource, and the HTTP version number.

NOTE: For information on manually reviewing log files from the command-line interface on the appliance, see Web Proxy Audit Log.
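The following is an added example, not SonicWall code, that triages an exported Web proxy audit log (webaudit.csv) using the columns listed above: it buckets return codes into the same colours as the Status column, totals bytes per user, and flags users with repeated 401/403 responses, which deserve a look whether they reflect a policy gap or probing. The exact CSV header names and the rows are constructed, not captured from an appliance.

```python
# Added example, not SonicWall code: triage of an exported webaudit.csv by the
# columns the guide lists (Status, Time, Source IP, Bytes, Username, Request).
# Assumptions: the CSV header names and the rows below are constructed.
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample export (the "Source IP" column carries address:port).
SAMPLE_WEBAUDIT_CSV = """\
Status,Time,Source IP,Bytes,Username,Request
200,2024-03-03 14:05:12,192.0.2.10:51522,5120,alice,GET /intranet/ HTTP/1.1
403,2024-03-03 14:05:40,198.51.100.7:40011,312,bob,GET /finance/payroll.xlsx HTTP/1.1
403,2024-03-03 14:05:41,198.51.100.7:40012,312,bob,GET /finance/budget.xlsx HTTP/1.1
401,2024-03-03 14:05:43,198.51.100.7:40013,0,bob,GET /hr/ HTTP/1.1
302,2024-03-03 14:06:02,192.0.2.10:51530,0,alice,GET /login HTTP/1.1
500,2024-03-03 14:06:10,192.0.2.10:51531,88,alice,POST /api/report HTTP/1.1
403,2024-03-03 14:06:15,203.0.113.9:60001,312,bob,GET /finance/ HTTP/1.1
"""

DENIED_CODES = {401, 403}


def status_color(code: int) -> str:
    """Same buckets as the Status column: 5xx red, 4xx orange, 2xx/3xx green."""
    if code >= 500:
        return "red"
    if code >= 400:
        return "orange"
    return "green"


def summarize_by_user(csv_text: str) -> Dict[str, dict]:
    """Per-user request count, bytes, denied and server-error counts, source addresses."""
    users: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "denied": 0, "server_errors": 0, "source_ips": set()}
    )
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = int(row["Status"])
        u = users[row["Username"]]
        u["requests"] += 1
        u["bytes"] += int(row["Bytes"] or 0)   # body bytes only, headers excluded
        if code in DENIED_CODES:
            u["denied"] += 1
        if status_color(code) == "red":
            u["server_errors"] += 1
        u["source_ips"].add(row["Source IP"].rsplit(":", 1)[0])  # strip the port
    return dict(users)


def flag_repeated_denials(summary: Dict[str, dict], threshold: int = 3) -> List[str]:
    """Users with at least `threshold` denied requests, most denials first."""
    hits = [(s["denied"], name) for name, s in summary.items() if s["denied"] >= threshold]
    return [name for _, name in sorted(hits, reverse=True)]


if __name__ == "__main__":
    summary = summarize_by_user(SAMPLE_WEBAUDIT_CSV)
    for name, s in summary.items():
        print(name, s["requests"], "requests,", s["bytes"], "bytes,", s["denied"], "denied,",
              "from", sorted(s["source_ips"]))
    print("review:", flag_repeated_denials(summary))
```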

Client Installation Logs (Windows)

When users log in to a realm, the access methods available to them depend on a few different things:

The network access agents or clients that are permitted for a particular community, which is something that you specify when you set up a realm
The user’s environment: the operating system, browser, the availability of ActiveX or Java, and whether any clients or agents are already present

If something goes wrong during client or agent installation on a computer running Windows, the error is recorded in a client installation log. These logs are automatically uploaded to the appliance and listed in AMC if the user has Secure Endpoint Manager installed. See Client and Agent Provisioning (Windows) for details about Secure Endpoint Manager.

To see the list of client logs for all users, select Client installation logs from the Log file list on the View Logs tab in AMC.

You can sort the client installation logs by time or username; to download a log file, click on it. The log appends information about each step in the provisioning process: bootstrapping, provisioning new components, and interrogating the device (for device profile matching). The last set of information is probably where the installation problem occurred.

When troubleshooting, first look at a user’s client installation log in AMC, and then (if necessary) the log file, epiBootstrapper.log, stored on the user’s local machine in the \Documents and Settings\<username>\Application Data\SMA1000\LogFiles folder.

Monitoring the Appliance

AMC displays a variety of information that is helpful in monitoring basic system settings, disk and memory usage, current connections, and network bandwidth use.

This section describes how to monitor system status and active users, and how to terminate VPN connections for selected users.

Monitoring Overall Activity

The AMC home page (also known as Dashboard) displays a graphical summary of information that is helpful in monitoring system status. The graphs show average usage for the selected interval and are optionally refreshed at intervals based on your Auto-refresh selection.

NOTE: Warnings are displayed based on the selected interval. Change the interval to increase or decrease warnings.

AMC home page

Click the Home link at the top right of an AMC page to display the AMC home page. In addition to the system status graphs, this page provides a convenient access point to:

Often used functions, such as starting and stopping services and viewing logs.
Hardware and licensing information.
Links to the default WorkPlace, MySonicWall.com, online help, and support options.

Monitoring System Status

1. From the main navigation menu, click System Status. The System Status page appears, displaying information about the appliance’s current status, such as memory utilization.
2. In the Show drop-down menu, select the type of data you want to view; see System status data.

System status data

Type of data

Description

Active users (default)

Displays the number of active user sessions for the specified time period. This graph includes a horizontal line that indicates the maximum number of concurrent users allowed by your license.

NOTE: Active user sessions are not the same as licensed ones; for more information, see Open vs. Licensed Sessions.

CPU utilization

Displays the percentage of the CPU capacity that was used for the specified time period.

Memory utilization

Displays the percentage of memory that was used for the specified time period. The percentage is calculated from information returned by the meminfo utility on the appliance:

((MemTotal - Cached - MemFree) / MemTotal) * 100

Network bandwidth

Displays the network bandwidth in Mbps for the specified time period. If both the internal and external interfaces are enabled, graph data for the internal interface is represented by a green line and data for the external interface is displayed in blue. The scale of this graph automatically adjusts to reflect the amount of traffic (for example, the graph might use a 1 Mbps scale or a 100 Mbps scale, depending on traffic).

Swap utilization

Displays the amount of free swap space available for the specified time period.

Disk space utilization

Displays the percentage of disk space used for the specified time period.

3. In the second Show drop-down menu, indicate the time interval you want to show; see Time interval selection.

Time interval selection

Interval

Description

Hourly

Displays average activity during the last hour based on samples collected every 20 seconds.

Daily

Displays average activity for the last day based on samples collected every ten minutes.

Weekly

Displays average activity for the last week based on samples collected every 60 minutes.

Monthly

Displays average activity for the last 32 days based on samples collected every four hours (six samples per day).

4. In the Auto-refresh drop-down menu, select a value that indicates how often AMC will automatically update the selected data.
5. Optionally, in the Also show drop-down menu, you can select another type of data graph. This can be useful if you want to compare two types of data for a given time period. The default is None.
6. To update the page at any time, click Refresh.

NOTE: When Auto-refresh is set to any time interval other than Off and the System Status page is displayed, the refresh activity prevents the AMC session from automatically timing out after the default inactivity period (15 minutes). This means that if you leave AMC unattended while this page is displayed and in auto-refresh mode, AMC will not time out. A good security practice is to always switch to another page in AMC when you are done reviewing status. See Appliance Sessions for more information.
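The following is an added example, not SonicWall code, that computes the Memory utilization figure with the formula given in the System status data table, from the text of /proc/meminfo. It assumes the appliance's meminfo output has the Linux /proc/meminfo "Key: value kB" layout; the sample is constructed. For comparison it also shows the kernel's MemAvailable-based estimate, which usually reads lower because it treats buffers and reclaimable slab as free as well.

```python
# Added example, not SonicWall code: the guide's Memory utilization formula
# applied to /proc/meminfo text. Assumption: the appliance's "meminfo
# utility" output uses the Linux /proc/meminfo layout; sample is constructed.
import re
from typing import Dict

# Constructed sample, not captured from an appliance.
SAMPLE_MEMINFO = """\
MemTotal:        8169348 kB
MemFree:          412096 kB
MemAvailable:    5123456 kB
Buffers:          210044 kB
Cached:          4318208 kB
SwapCached:            0 kB
SwapTotal:       2097148 kB
SwapFree:        1572861 kB
"""

_MEMINFO_LINE = re.compile(r"^(\w+):\s+(\d+)(?:\s+kB)?\s*$")


def parse_meminfo(text: str) -> Dict[str, int]:
    """Map each meminfo field name to its value in kB; malformed lines are skipped."""
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        m = _MEMINFO_LINE.match(line.strip())
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def memory_utilization_pct(fields: Dict[str, int]) -> float:
    """The guide's formula: ((MemTotal - Cached - MemFree) / MemTotal) * 100.

    Page cache is treated as reclaimable and therefore not counted as used.
    """
    total = fields["MemTotal"]
    if total <= 0:
        raise ValueError("MemTotal must be positive")
    used = total - fields.get("Cached", 0) - fields.get("MemFree", 0)
    return round(100.0 * used / total, 1)


def memory_utilization_pct_memavailable(fields: Dict[str, int]) -> float:
    """For comparison: the kernel's MemAvailable also counts Buffers and
    reclaimable slab as free, so it usually reads lower than the guide's formula."""
    total = fields["MemTotal"]
    available = fields.get("MemAvailable", fields.get("MemFree", 0))
    return round(100.0 * (total - available) / total, 1)


def swap_free_pct(fields: Dict[str, int]) -> float:
    """Free swap as a percentage (the Swap utilization graph plots free swap)."""
    swap_total = fields.get("SwapTotal", 0)
    if swap_total == 0:
        return 100.0  # no swap configured, so none is in use
    return round(100.0 * fields.get("SwapFree", 0) / swap_total, 1)


if __name__ == "__main__":
    info = parse_meminfo(SAMPLE_MEMINFO)
    print("memory utilization (guide formula): %.1f%%" % memory_utilization_pct(info))
    print("memory utilization (MemAvailable):  %.1f%%" % memory_utilization_pct_memavailable(info))
    print("swap free: %.1f%%" % swap_free_pct(info))
```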

Viewing User Sessions

You can monitor, troubleshoot or terminate user sessions on your appliance, or HA pair of appliances, in AMC. By sorting through the list and filtering the sessions—by user name, realm (authentication server), community, access agent, traffic load, and so on—you can narrow your search to particular sessions and view further details about them. Here are two filtering examples.

To view all open user sessions:
1. From the main navigation menu, click User Sessions.

You can get a quick read on what state a session is in by looking at its icon. See Open vs. Licensed Sessions for a complete description of each state.

2. In the View list, select All open sessions. This displays sessions that are either licensed or idle. An idle session is one that can be resumed: its license is released after the connection is inactive for more than 15 minutes, but up until that moment the session can be resumed. See Open vs. Licensed Sessions for more information on what sessions are considered open.
3. You can filter your list of sessions further using a combination of other properties, such as realm and zone. Click Refresh to update the list of sessions based on your filters.
4. Review the session list. To re-sort the list, click the heading at the top of a column.
5. For a quick summary of a particular session, expand the item in the session list.

For complete session details, such as the resource a user attempted to access and what policy rules were applied in the process, click the username link. See Viewing User Access and Policy Details for more information on this troubleshooting tool.

To search for sessions with a high traffic load:
1. From the main navigation menu, click User Sessions.
2. In the View list, select All sessions.
3. If you plan to end sessions that are taking up too much bandwidth, restrict the list to licensed sessions: in the Filters area, select Licensed in the Status list, and then click Refresh.
4. To isolate the time range you’re interested in, make a selection in the Time period drop-down menu. Select:
All to see data from sessions that are up to one week old.
Last 24 hours to see user activity for the last day.
Custom to specify a particular range by date and time.
5. Click Refresh to view updated results.
6. To find out which sessions involve the most traffic, sort the list by clicking Avg data (the amount of traffic for the last hour) or Total data (the total amount for the session) at the top of the column.

Open vs. Licensed Sessions

When you look at user sessions in AMC it’s important to understand the distinction between different types of sessions. For example, if a user has a question about access to a resource, you will want to see all sessions associated with that user (even the failed ones), not just the ones that are licensed. Session types are defined as:

Licensed Sessions

A licensed session does not represent a person, but rather a user authentication. A user who is logged in on two devices, for example, consumes two licenses as soon as a resource protected by the appliance is accessed.

Until the user explicitly logs out of a session or the session has timed out (after 15 minutes of inactivity), a license is consumed (simply closing the browser window in WorkPlace, for example, does not free up a license).

All Open Sessions

An open session is defined as a session that is either licensed or that can be resumed. This idle, can-be-resumed, state is different for browser and tunnel sessions:

A browser session will have its license released after the connection is inactive for more than 15 minutes.
A Connect Tunnel session will have its license released 15 minutes after the tunnel has been disconnected due to a network event, for example, when a mobile user moves out of range or a laptop lid is closed. (Even when the user has stopped using a tunnel session, it remains active because of network traffic, such as keep-alive packets.)

Unlicensed sessions in this open state can be resumed as long as the authentication token remains valid and a license is available when the session is resumed. By default, the authentication token is valid for several hours after a session is started.

Authorization Terms Not Accepted

This category is used for sessions that were blocked because the user was using a personal device and did not accept the authorization terms.

All Sessions

This category includes all open sessions, plus sessions that were ended or where the login has failed after successive retries. If the user abandons his or her login attempts before receiving a final failure message, no information about those attempts is displayed in this list. Data about sessions that ended more than 7 days ago is discarded.

NOTE: See How Licenses Are Calculated for more information.
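The following is an added example, not SonicWall code, that models the session states described above so the difference between the Licensed and All open counts is visible: the 15-minute idle release for browser sessions, the 15-minute clock that starts only once a tunnel disconnects, and the authentication token lifetime that decides whether an idle session can still be resumed. The token lifetime of 8 hours stands in for the guide's "several hours" and the sessions are constructed.

```python
# Added example, not SonicWall code: classifier for the session states the
# guide describes (licensed, open but idle, ended).
# Assumptions: 8 h stands in for the guide's "several hours" token lifetime;
# the sessions below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

IDLE_RELEASE = timedelta(minutes=15)   # license released after 15 min of inactivity
TOKEN_LIFETIME = timedelta(hours=8)    # assumed value for "several hours"


@dataclass
class Session:
    user: str
    kind: str                     # "browser" or "tunnel"
    started: datetime
    last_activity: datetime       # last request; for tunnels any packet, keep-alives included
    logged_out: bool = False      # explicit logout ends the session at once
    disconnected_at: Optional[datetime] = None  # tunnel only: dropped by a network event


def classify(s: Session, now: datetime) -> str:
    """Return 'licensed', 'open-idle' (resumable, no license held) or 'ended'."""
    if s.logged_out:
        return "ended"
    if s.kind == "tunnel":
        # A connected tunnel is kept active by traffic such as keep-alives, so its
        # idle clock starts only once the tunnel has been disconnected.
        idle_from = s.disconnected_at
    else:
        idle_from = s.last_activity
    if idle_from is None or now - idle_from <= IDLE_RELEASE:
        return "licensed"
    if now - s.started <= TOKEN_LIFETIME:
        return "open-idle"  # can be resumed if a license is available at that moment
    return "ended"


def count_states(sessions: List[Session], now: datetime) -> dict:
    """Counts per state, plus 'open' as shown by the All open sessions view."""
    counts = {"licensed": 0, "open-idle": 0, "ended": 0}
    for s in sessions:
        counts[classify(s, now)] += 1
    counts["open"] = counts["licensed"] + counts["open-idle"]
    return counts


def _t(hh: int, mm: int) -> datetime:
    return datetime(2024, 3, 3, hh, mm)


NOW = _t(15, 0)
# Constructed sessions; alice is logged in on two devices and holds two licenses.
SAMPLE_SESSIONS = [
    Session("alice", "browser", _t(14, 0), _t(14, 50)),
    Session("alice", "tunnel", _t(9, 0), _t(14, 59)),
    Session("bob", "browser", _t(13, 0), _t(14, 30)),               # idle 30 min, token valid
    Session("carol", "tunnel", _t(14, 0), _t(14, 40), disconnected_at=_t(14, 40)),  # lid closed 20 min ago
    Session("dave", "browser", _t(6, 0), _t(6, 30)),                # idle, and token expired
    Session("erin", "browser", _t(14, 45), _t(14, 58), logged_out=True),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.user:6} {s.kind:8} {classify(s, NOW)}")
    print(count_states(SAMPLE_SESSIONS, NOW))
```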

Ending User Sessions

You can immediately terminate a user’s session, even if the user has multiple connections on different services or nodes, or temporarily disable a user’s network access for 10 minutes (the user can log in to the network again after that period if your access policy allows it). To permanently prevent a user from logging in to your VPN, you must do one of the following:

Modify the applicable access control rules
Modify or delete the applicable user and group definitions
Delete the user from your user directory

To end open user sessions:
1. From the main navigation menu, click User Sessions.
2. In the View lists, select the number of sessions you want to display, and then select All open (only sessions that are open can be terminated).
3. You can filter the list of sessions using a combination of other properties:
User: Enter all or part of a user name. You can use wildcard characters (* or ?) anywhere in the search string.
Realm: Select a realm, or all realms.
Community: Select a community, or all communities. If you selected a realm, the communities you see in this list are restricted to those that are associated with it.
Zone: Select a zone, or all zones.
Agent: Select an agent or All access agents, or specify that none have been activated (translation only).
Platform: Select a platform or All platforms.
4. There are two ways to terminate sessions manually in AMC. Only open sessions—those for which there is either a license or those that can be resumed—can be terminated. Select the checkbox next to any session you want to end, or select the checkbox at the top to select all the users in the list, and then click one of the session termination buttons:
Terminate session – When you click Terminate session, all connections associated with the selected sessions are terminated. This is a good way to free up a license from an idle session, for example. Termination occurs on a session-by-session basis, so if a user has several sessions you can be selective about which ones you end. The user whose session was terminated can immediately reauthenticate and log in to the appliance.
Terminate session - restrict logins – This type of termination is the same as above, but there is a ten-minute interval during which the user is not allowed to generate new sessions. If there are any existing sessions, they can be used, but until ten minutes elapse, no new sessions can be created. This is the type of termination you would use, for example, if you wanted to end all of a user’s sessions and prevent any new ones from being established while you remove his or her credentials from the authentication store.

Viewing User Access and Policy Details

If a user is experiencing trouble with a session—for example, he is logged in but cannot establish a connection or is denied access to resources—you can use the Session Details page to diagnose the problem. It enables you to troubleshoot a session, whether or not it’s still active, by assessing its status, determining why a user’s device is classified into a particular zone, and discovering what policy rules are applied, editing them as needed.

To view user session details:
1
From the main navigation menu, click User Sessions.
2
Click the username link for the session you want more details about; if needed, narrow the displayed list by setting filters, and then click Refresh.
To troubleshoot access to resources, look at the Access requests list. Expand a list item to see the access control rule that determined whether that connection request was allowed or denied. If the rule still exists, you also see a link for editing it.
For resources accessed using application access control, the information identifies the client software and platform for the session, the application used to access the resource, and the rule that allowed or denied access.
An End Point Control zone classifies a connection request based on the presence or absence of a device profile. The Zone classification page shows which EPC zones (if any) were evaluated during this session and the outcome of each evaluation. For example, a mobile device may have been placed in the Pocket PC zone even though it did not match the Equipment ID device profile.
If the user’s session has any current Connect Tunnel connections, they are listed by IP address on the Active connections page. Other access agents are not listed here because they do not keep a VPN connection open.
If the user connected using a personal device, device and authorization information appears on the Device Authorization page. Users who were denied access because they did not accept the authorization terms are also identified on this page.
If the user connected using application access control, the applications found on the end point that are under control are also identified.

Exporting User Session Data

User session data can be exported from AMC to a comma-separated values (CSV) file that can be displayed and edited in Microsoft Excel. Once exported, you can archive user session data indefinitely, build custom reports without Secure Mobile Access Advanced Reporting (AAR), or use the file for any other purpose.

To export user session data to a CSV file:
1
From the main navigation menu, click User Sessions.
2
Optionally, filter the displayed user data so that only the data you want to export is displayed. See Viewing User Sessions for additional filtering information.
3
Click the Export button located at the top of the user session data.
NOTE: The Export button is enabled only if the Administrator has view access to the User Sessions page.
4
When the Windows File Download dialog appears, click the Save button.
5
Select the location on the local computer and file name where user data should be saved or use the defaults. The default file name is UserSessions.csv and default location is your Downloads folder.
6
Click the Save button to export user session data to the CSV file. All user sessions that meet the current filter criteria are exported.

The CSV file may include the information shown in User session data for each user session, depending on the filters used.

User session data

System Version – Secure Mobile Access version number.
Session ID – Unique numeric ID used to identify the session internally.
State – State of the user session: Login Failed, Licensed, Idle, or Ended.
Username – Short username.
Long Username – Full username and realm, including the Common Name (CN) for AD/LDAP sessions.
Start Time – Session start time in MM/DD/YYYY HH:MM:SS format, in appliance local time.
End Time – Session end time in MM/DD/YYYY HH:MM:SS format, or blank if the session is Idle or Licensed.
Elapsed Seconds – Seconds between the session start and end times, or between the start time and the current time for active and idle sessions.
Average Bytes per Minute (Last Hour) – Average bytes per minute (upload and download) used by the session over the last hour; useful for finding high-usage users and sessions.
Total bytes – Total number of bytes uploaded and downloaded by the session.
Realm – Realm used to authenticate the user.
Community – Community the user was placed in.
Zone – Zone the user/device was placed in.
EPC Agent – End Point Control agent used: Cache Cleaner.
Access Agents – Access agents used: Web only, Tunnel, Tunnel (ESP), OnDemand, Web Proxy, or Exchange.
Remote Address – IP address of the client computer.
Local Address – Local address assigned to the client connection; blank for non-tunnel sessions.

Following is an example of a user session CSV file generated by AMC:

Version,SessionID,State,Username,LongUsername,StartTime,EndTime,ElapsedSeconds,AverageBytesPerMinuteLastHour,TotalBytes,Realm,Community,Zone,EPCAgent,AccessAgents,RemoteAddress,LocalAddress

10.6.1-auto404320,7,Ended,"ljones@am.us.SonicWall.com","(ljones)@(snwl) (CN=Laura Jones,OU=Users,OU=Engineering,OU=AM Domain Users,DC=am,DC=us,DC=SonicWall,DC=com)",03/09/2012 03:35:05,03/09/2012 03:36:41,96,120750,205276,"snwl","Default community","Default Zone","","Web only",10.10.10.1,
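
As an added example that is not part of this guide, the following Python script reads an export in this format and runs the checks an operator usually wants from it: repeated failed logins from one address, sessions with unusually high last-hour throughput, the sessions that are still open (and so can be terminated from the User Sessions page), and a per-agent count. The header row and the first data row are the ones shown above; the remaining rows, the thresholds and the function names are constructed for illustration.

```python
"""Triage an AMC UserSessions.csv export.

Added example; this is not SonicWall code. The header row and the first data
row are the ones from the sample export above; the remaining rows, the
thresholds and the function names are constructed for illustration.
"""
import csv
import io
from collections import Counter
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # StartTime/EndTime format (appliance local time)

# Constructed sample export: session 7 is the guide's example; sessions 8-11 are
# made up to exercise the checks (three failed logins in 14 seconds, then a
# tunnel session that is still open and moving a lot of data).
SAMPLE_CSV = """Version,SessionID,State,Username,LongUsername,StartTime,EndTime,ElapsedSeconds,AverageBytesPerMinuteLastHour,TotalBytes,Realm,Community,Zone,EPCAgent,AccessAgents,RemoteAddress,LocalAddress
10.6.1-auto404320,7,Ended,"ljones@am.us.SonicWall.com","(ljones)@(snwl) (CN=Laura Jones,OU=Users,OU=Engineering,OU=AM Domain Users,DC=am,DC=us,DC=SonicWall,DC=com)",03/09/2012 03:35:05,03/09/2012 03:36:41,96,120750,205276,"snwl","Default community","Default Zone","","Web only",10.10.10.1,
10.6.1-auto404320,8,Login Failed,"bsmith","(bsmith)@(snwl)",03/09/2012 03:40:01,03/09/2012 03:40:01,0,0,0,"snwl","","","","",198.51.100.7,
10.6.1-auto404320,9,Login Failed,"bsmith","(bsmith)@(snwl)",03/09/2012 03:40:09,03/09/2012 03:40:09,0,0,0,"snwl","","","","",198.51.100.7,
10.6.1-auto404320,10,Login Failed,"bsmith","(bsmith)@(snwl)",03/09/2012 03:40:15,03/09/2012 03:40:15,0,0,0,"snwl","","","","",198.51.100.7,
10.6.1-auto404320,11,Licensed,"bsmith","(bsmith)@(snwl)",03/09/2012 03:41:02,,3500,52000000,182000000,"snwl","Default community","Default Zone","","Tunnel",198.51.100.7,10.20.0.14
"""


def load_sessions(text):
    """Parse the export into dicts; numeric and time columns become int/datetime.

    csv.DictReader copes with the quoted LongUsername field, whose AD
    distinguished name itself contains commas.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("ElapsedSeconds", "AverageBytesPerMinuteLastHour", "TotalBytes"):
            row[col] = int(row[col] or 0)
        row["StartTime"] = datetime.strptime(row["StartTime"], TIME_FMT)
        # EndTime is blank while a session is Idle or Licensed (see the table above)
        row["EndTime"] = datetime.strptime(row["EndTime"], TIME_FMT) if row["EndTime"] else None
        rows.append(row)
    return rows


def failed_login_bursts(rows, threshold=3, window_seconds=60):
    """(Username, RemoteAddress) pairs with at least `threshold` Login Failed
    sessions inside any `window_seconds` span: a password-guessing indicator."""
    attempts = {}
    for r in rows:
        if r["State"] == "Login Failed":
            attempts.setdefault((r["Username"], r["RemoteAddress"]), []).append(r["StartTime"])
    hits = []
    for key, times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append(key)
                break
    return hits


def high_usage_sessions(rows, bytes_per_minute=10_000_000):
    """SessionIDs whose last-hour average exceeds `bytes_per_minute`; the column
    exists, per the table above, to single out high-usage users and sessions."""
    return [r["SessionID"] for r in rows if r["AverageBytesPerMinuteLastHour"] > bytes_per_minute]


def open_sessions(rows):
    """SessionIDs that still hold a license or could be resumed (Licensed/Idle).
    These are the sessions AMC lets you terminate manually."""
    return [r["SessionID"] for r in rows if r["State"] in ("Licensed", "Idle")]


def sessions_by_agent(rows):
    """Count sessions per access agent (Web only, Tunnel, ...), ignoring failed logins."""
    return Counter(r["AccessAgents"] for r in rows if r["State"] != "Login Failed")


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_CSV)
    print("failed-login bursts:", failed_login_bursts(sessions))
    print("high-usage sessions:", high_usage_sessions(sessions))
    print("open sessions:", open_sessions(sessions))
    print("by access agent:", dict(sessions_by_agent(sessions)))
```

Because the export is produced by the appliance and not parsed back by it, the script can be pointed at an archive of exports to build the failed-login and bandwidth reports that AAR would otherwise provide; the window and threshold values are starting points to tune for your user population.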

SNMP Configuration

If you have an SNMP (Simple Network Management Protocol) tool, you can use it to monitor the appliance as an SNMP agent. The appliance supports SNMP versions 2 and 3, and provides a variety of management data in Management Information Base (MIB) II format.

You can enable SNMPv2 or SNMPv3, but not both at the same time. When SNMPv2 is enabled, SNMPv3 requests are ignored. When SNMPv3 is enabled, SNMPv2 requests are ignored. You can also disable SNMP support entirely, in which case any SNMP request directed at the system will be ignored and no traps will be generated.

SNMPv3 addresses the security deficiencies of SNMPv1 and SNMPv2 while supporting all the operations those versions define. Its security functionality falls into three principal areas: authentication, privacy (encryption), and access control.

In SNMPv2, authentication consisted of a community string sent in clear text, which anyone on the path could read and reuse. SNMPv3 instead authenticates each message with a keyed hash (HMAC-SHA), so the secret itself is never transmitted. For each SNMP user, a username, a passcode and the hash algorithm are configured on the agent (here, the SMA appliance) and must match the username, passcode and algorithm configured in the management software that communicates with the appliance.

Before SNMPv3, all SNMP traffic was unencrypted. SNMPv3 uses the AES algorithm to encrypt and decrypt SNMP messages. As with authentication, the username, a privacy passcode and the encryption algorithm must be configured identically on the agent and the management station; the passcode is used to derive the encryption key.

The combined authentication and encryption levels supported by Secure Mobile Access for SNMPv3 are shown in Combined authentication and encryption levels.

Combined authentication and encryption levels

noAuthNoPriv – Authentication: username. Encryption: none. The agent only checks that the username matches. Because the username travels in clear text and can be replayed, this level offers no more protection than a v2 community string.
authNoPriv – Authentication: SHA. Encryption: none. Provides authentication based on the HMAC-SHA algorithm.
authPriv – Authentication: SHA. Encryption: AES. Provides authentication based on the HMAC-SHA algorithm, plus AES encryption of the messages.

The SMA EX Series supports a subset of SNMPv3 functionality, designed to take advantage of the security benefits of the protocol while minimizing administrative complexity. At this time, access control as defined in the SNMPv3 specification (the View-based Access Control Model, VACM) is not supported. Adding SNMPv3 does not change the management information reported by the appliance in any way; it is exactly the same as in prior releases.

Configuring SNMP

This section describes how to configure SNMP settings in AMC.

NOTE: You must configure your SNMP manager with the Management Information Base (MIB) used by the appliance. The appliance supports version 4.2.3 of the University of California, Davis (UCD) MIB, and MIB II. For SNMPv2, you must also configure your SNMP manager with the community string required to query the appliance. For SNMPv3, configure your SNMP manager with the same username, passcode, and algorithm choice as configured on the appliance.
Ensure that your internal firewalls allow 161/udp from your management hosts to the appliance and, if you enable traps, 162/udp from the appliance to your trap receivers.
To configure SNMP:
1
From the main navigation menu, click Services.
2
Under Network services, click the Configure link for SNMP.

3
To enable SNMP, select either the Enable SNMPv2 or the Enable SNMPv3 radio button. (If you leave this page to configure SNMP hosts before clicking Save, the status of this setting will not be saved.) To disable SNMP, select the Disable SNMP radio button and then click Save.
4
Select the network interface you want SNMP to use by selecting the appropriate option (Internal, External, or Both) from the Interface selection drop-down menu.
5
Under Agent properties, describe the appliance agent in the System location and System contact fields. For example, you might specify the physical location of the appliance (for example, Server lab) and the system administrator contact information (such as Jim Jamerson, 206-555-1212).
6
If using SNMPv2, under SNMPv2 Agent properties, type the string your network management tool uses to query the SMA appliance in the Community string field. This field is required, and set to public by default. It is a good security practice to change your community string to a different passphrase because public is not secure.
7
If using SNMPv3, under SNMPv3 Agent properties, type the user name your network management tool uses to query the SMA appliance in the Username field.
8
To enable secure authentication, select the Enable authentication (SHA-1) checkbox, and type the password into the Password and Confirm password fields. MD5 is not supported, as SHA-1 is more secure.
9
To enable encryption for privacy, select the Enable privacy (AES) checkbox, and type the password into the Password and Confirm password fields. DES is not supported, as AES is more secure.
10
Under SNMP Hosts, define the management systems from which the appliance will accept SNMP requests. You can allow requests from any host by typing 0.0.0.0 for both the IP address and the subnet mask, but the trade-off for this convenience is decreased appliance security. The host list filters on source IP address only; with SNMPv2 the community string still crosses the network in clear text, so restrict the list to your management network and prefer SNMPv3 with both authentication and privacy enabled where your tools support it.

a
In the SNMP hosts area, click New.
b
Type the IP address and a Netmask for the host, and then click OK.
11
Under Trap receivers, select the Enable support for SNMP traps checkbox to enable traps being sent. You can clear the checkbox to disable traps from being sent.

If traps are enabled then all traps will be sent to all hosts defined in the list. If traps are disabled then the list of hosts will be ignored.

12
Define the management systems to which the appliance will send SNMP traps.
a
In the Trap receivers area, click New.
b
Type the IP address and a Netmask for the host, and then click OK.
13
Click Save.

Downloading the MIB File

AMC enables you to download the Secure Mobile Access MIB file, which adds VPN-specific data to already supported MIBs. See MIB Data for details on the information provided by the MIB.

To download the MIB:
1
From the main navigation menu, click Services.
2
Under Network Services, click the Configure link for SNMP.
3
Click the Download MIB button. A file download message appears.
4
Click Save, browse to the correct directory, and then save the SMA1000CustomMibs.tar file.

Retrieving Management Data Using SNMP

SNMP data is arranged in a standardized hierarchy made up of structured text files that describe valuable management data. These text files (called MIBs) contain descriptions of specific data variables, such as system information or status.

NOTE: For more information on MIB II (including an explanation of the MIB II variable names), see http://www.ietf.org/rfc/rfc1213.txt.

To retrieve information through SNMP, you query the system for an object identifier, or OID. Each OID includes a text name, but is usually referenced using a number. For example, the OID for system uptime (sysUpTime) is 1.3.6.1.2.1.1.3.

If you don’t have an SNMP management package, you can retrieve SNMP data by connecting to the appliance, logging in as root, and running the snmpwalk or snmpget command. In the examples below, replace public with the community string you configured in step 6 of Configuring SNMP. If you enabled SNMPv3 instead, v2c requests are ignored, so supply the v3 user, security level, and passphrases with the -v 3, -u, -l, -a/-A and -x/-X options in place of -c. For example, to retrieve information about disk space availability, you could type the following snmpwalk command to query OID 1.3.6.1.4.1.2021.9:

# snmpwalk -v 2c -c public localhost 1.3.6.1.4.1.2021.9

To view a list containing all MIB variables, with numeric OIDs, type:

snmpwalk -v 2c -c public -O n localhost | more

This command returns a list like this:

.1.3.6.1.2.1.1.1.0 = Linux E-Class SRAvpn 2.4.20_004 #1 SMP Thu Apr 10 14:35:50 PDT 2003 i686
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.2021.250.10
.1.3.6.1.2.1.1.3.0 = Timeticks: (1707979) 4:44:39.79
.1.3.6.1.2.1.1.4.0 = Root < root@localhost> (configure /etc/snmp/snmp.local.conf)
.1.3.6.1.2.1.1.5.0 = E-Class SRAvpn
.1.3.6.1.2.1.1.6.0 = Unknown (configure /etc/snmp/snmp.local.conf)
.1.3.6.1.2.1.1.8.0 = Timeticks: (7) 0:00:00.07
.1.3.6.1.2.1.1.9.1.2.1 = OID: .1.3.6.1.2.1.31
..

To view a list containing all MIB names (which are helpful for use with the snmpget command) type:

snmpwalk -v 2c -c public -O S localhost | more

This command returns a list like the following:

SNMPv2-MIB::sysDescr.0 = Linux E-Class SRAvpn 2.4.20_004 #1 SMP Thu Apr 10 14:35:50 PDT 2003 i686
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2021.250.10
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1712451) 4:45:24.51
SNMPv2-MIB::sysContact.0 = Root (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = E-Class SRAvpn
SNMPv2-MIB::sysLocation.0 = Unknown (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (7) 0:00:00.07
SNMPv2-MIB::sysORID.1 = OID: IF-MIB::ifMIB
..

MIB Data

The MIB modules reference object identifiers (OIDs) or text names that provide information about the SMA appliance; see MIB data.

MIB data

System information – MIB Data: System Information Module
System health – MIB Data: System Health Module
Service health – MIB Data: Service Health
Security history – MIB Data: Security History Module
Network tunnel service – MIB Data: Network Tunnel Service Module
System traps – MIB Data: Traps
Other SNMP data – MIB Data: Other SNMP Data

MIB Data: System Information Module

The OIDs in the System Information module provide basic information about the appliance.

MIB Data: System Information module

Item – OID – Description
version – 1.3.6.1.4.1.674.1.1.0 – The version of Secure Mobile Access firmware running on this node, in major.minor.micro-hotfix-build format (for example, 12.0.1.1-145).
Hardware model – 1.3.6.1.4.1.674.1.2.0 – The model number of the appliance (for example, EX9000, EX7000, EX6000, SMA 7200, or SMA 6200). New model numbers may be added in the future.

MIB Data: System Health Module

The OIDs in the System Health module provide information about the operational status of the appliance.

MIB Data: System Health module

Item – OID – Description
Currently logged in – 1.3.6.1.4.1.674.2.1.1.0 – The number of currently authenticated, active user sessions.
Maximum licensed users – 1.3.6.1.4.1.674.2.1.3.0 – The maximum number of active user sessions for which the appliance (or cluster of appliances) is licensed.
Current connections – 1.3.6.1.4.1.674.2.2.1.0 – The number of concurrent connections currently being serviced by the appliance (or cluster of appliances).
CPU utilization – 1.3.6.1.4.1.674.2.3.0 – The percentage of the CPU (or sum of CPUs, on a dual-processor machine) in use on a single appliance node over a time span of five seconds.
RAM utilization – 1.3.6.1.4.1.674.2.4.1.0 – The current virtual memory (RAM) percentage in use.
Swap utilization – 1.3.6.1.4.1.674.2.4.2.0 – The current virtual memory (swap) percentage in use.
Log utilization – 1.3.6.1.4.1.674.2.9.0 – The percentage of the log file disk partition in use.
Peak logged in – 1.3.6.1.4.1.674.2.1.2.0 – The maximum number of authenticated, active user sessions since the last reset; the reset interval is 24 hours.
Peak connections – 1.3.6.1.4.1.674.2.2.2.0 – The maximum number of concurrent appliance connections since the last reset; the reset interval is 24 hours.
Internal interface current throughput – 1.3.6.1.4.1.674.2.5.1.0 – The current VPN throughput (inbound and outbound) in megabits per second, measured on the internal interface of the node over a time span of five seconds.
Internal interface peak throughput – 1.3.6.1.4.1.674.2.5.2.0 – The peak VPN internal interface throughput (inbound and outbound) in megabits per second since the last reset.
External interface current throughput – 1.3.6.1.4.1.674.2.5.3.0 – The current VPN throughput (inbound and outbound) in megabits per second, measured on the external interface of the node over a time span of five seconds.
External interface peak throughput – 1.3.6.1.4.1.674.2.5.4.0 – The peak VPN external interface throughput (inbound and outbound) in megabits per second since the last reset.
Cluster interface current throughput – 1.3.6.1.4.1.674.2.5.5.0 – The mean VPN cluster interface throughput (inbound and outbound) in megabits per second over a time span of five seconds. The reset interval is 24 hours.
Cluster interface peak throughput – 1.3.6.1.4.1.674.2.5.6.0 – The peak VPN cluster interface throughput (inbound and outbound) in megabits per second since the last reset. The reset interval is 24 hours.

MIB Data: Service Health

The OIDs in the Service Health module, shown in MIB Data: Service Health module, provide information about the status of each service running on the appliance. For each service, the MIB provides a service ID, a service description, and a service state of up or down.

MIB Data: Service Health module

Service ID
1.3.6.1.4.1.674.3.1.1.1.1 – The service ID for AMC is 1.
1.3.6.1.4.1.674.3.1.1.1.3 – The service ID for the SonicWall Web proxy service is 3.
1.3.6.1.4.1.674.3.1.1.1.4 – The service ID for WorkPlace is 4.
1.3.6.1.4.1.674.3.1.1.1.5 – The service ID for syslog-ng (the process that writes out the E-Class SMA appliance log files) is 5.

Service description
1.3.6.1.4.1.674.3.1.1.2.1 – Appliance Management Console (AMC)
1.3.6.1.4.1.674.3.1.1.2.2 – (Obsolete) Client/Server Access Service (AVPN)
1.3.6.1.4.1.674.3.1.1.2.3 – Secure Web access service (ExtraWeb), also referred to as the Web proxy service
1.3.6.1.4.1.674.3.1.1.2.4 – ASAP WorkPlace (the same as WorkPlace)
1.3.6.1.4.1.674.3.1.1.2.5 – syslog-ng (the process that writes out the E-Class SMA appliance log files)

Service state
1.3.6.1.4.1.674.3.1.1.3.1 – The current state of AMC: 1 (up) or 2 (down).
1.3.6.1.4.1.674.3.1.1.3.3 – The current state of the Web proxy service: 1 (up) or 2 (down).
1.3.6.1.4.1.674.3.1.1.3.4 – The current state of WorkPlace: 1 (up) or 2 (down).
1.3.6.1.4.1.674.3.1.1.3.5 – The current state of syslog-ng: 1 (up) or 2 (down).

MIB Data: Security History Module

The OIDs in the Security History module provide information on login and access denials.

MIB Data: Security History module

Item – OID – Description
Number of login denials – 1.3.6.1.4.1.674.4.1.0 – The number of login denials in the last 24 hours.
Last user denied login – 1.3.6.1.4.1.674.4.2.1.0 – The last user who was denied authentication, in the format user@realm.
Last denied login time – 1.3.6.1.4.1.674.4.2.2.0 – The time and date when the last user was denied authentication, as a string of the form Wed May 30 21:49:08 2017, in the time zone the appliance is configured for.
Number of access denials – 1.3.6.1.4.1.674.4.3.0 – The number of access denials in the last 24 hours.
Last user denied access – 1.3.6.1.4.1.674.4.4.1.0 – The last user who was denied access, in the format user@realm.
Last resource access denied – 1.3.6.1.4.1.674.4.4.2.0 – The URL, host:port or host of the last resource to which access was denied.
Last access denied time – 1.3.6.1.4.1.674.4.4.3.0 – The time and date when the last user was denied access, as a string of the form Wed May 30 21:49:08 2017, in the time zone the appliance is configured for.

MIB Data: Network Tunnel Service Module

The OIDs in the NG Server module provide status information about the network tunnel service.

MIB Data: Network Tunnel Service module

Item – OID – Description
NG server state – 1.3.6.1.4.1.674.5.1.0 – The current state of the network tunnel service: Active, Down, or Crashed.
Number of client address pools – 1.3.6.1.4.1.674.5.2.0 – The number of client address pools assigned to the network tunnel service.
Client address pool range table – 1.3.6.1.4.1.674.5.3 – A table showing how many IP address pools are currently active and their IP address ranges.
Client address pool entry – 1.3.6.1.4.1.674.5.3.1 – The row object of the table; there is one row per currently active IP address pool.
Client address pool ID – 1.3.6.1.4.1.674.5.3.1.1.0 – An ID number assigned to an IP address pool.
Client address pool utilization – 1.3.6.1.4.1.674.5.3.1.2.0 – Percentage of the virtual IP addresses (VIPs) in a client address pool that have been issued.
Client IP address pool start range – 1.3.6.1.4.1.674.5.3.1.3.0 – The starting IP address of a client IP address pool range.
Client address pool end range – 1.3.6.1.4.1.674.5.3.1.4.0 – The ending IP address of a client IP address pool range.
Number of NG SSL tunnels – 1.3.6.1.4.1.674.5.4.0 – Total number of active network tunnels.
SSL tunnel table – 1.3.6.1.4.1.674.5.5 – A table showing network tunnel statistics.
SSL tunnel ID – 1.3.6.1.4.1.674.5.5.1.1.0 – An ID number assigned to a network tunnel session.
SSL tunnel user – 1.3.6.1.4.1.674.5.5.1.2.0 – The user name associated with a network tunnel session.
SSL tunnel VIP – 1.3.6.1.4.1.674.5.5.1.3.0 – The virtual IP address (VIP) associated with a network tunnel session.
Number of flows per tunnel – 1.3.6.1.4.1.674.5.5.1.4.0 – The number of data flows in a network tunnel session.
SSL tunnel uptime – 1.3.6.1.4.1.674.5.5.1.5.0 – Uptime statistics for a network tunnel session.

MIB Data: Traps

A trap is a message the SNMP agent sends to indicate that a significant event has occurred that needs an administrator’s attention. To download the Secure Mobile Access MIBs, click Services in the main navigation menu, and then click Configure in the SNMP area. Click Download MIB to save a copy of the file (SMA1000CustomMibs.tar).

MIB Data: Traps

Item – MIB filename – Description
ngServerStateChange – SonicWallNGServer – The server core functionality depends on user space processes (avssld and avpsd) and two avevent kernel threads. The SNMP agent monitors these processes and sends this trap when any of them goes down. The trap description names the component; for example, avssld(0).
ngclientAddrPoolUtilizationWarning – SonicWallNGServer – Sent when use of the client address pool exceeds the threshold.
asapServiceUp – SonicWallServiceHealth – A service on a single node system, identified by the IP address from which the trap is sent, is up. The serviceDescription OID is sent along with the trap.
asapServiceDown – SonicWallServiceHealth – A service on a single node system, identified by the IP address from which the trap is sent, has gone down. The serviceDescription OID is sent along with the trap.
cpuCapacityWarning – SonicWallSystemHealth – The heuristically determined percentage of CPU capacity used on a single node system has exceeded the capacity for a single node (cpuCapacityUtilization). The cpuCapacityUtilization OID is sent along with the trap.
memoryCapacityWarning – SonicWallSystemHealth – The heuristically determined percentage of memory capacity used on a single node system has exceeded 90 percent of capacity (memoryCapacityUtilization). The memoryCapacityUtilization OID is sent along with the trap.
logCapacityWarning – SonicWallSystemHealth – The percentage of log file disk space used on a single node system has exceeded 90 percent of the total capacity. The logUtilization OID is sent along with the trap.
userLimitWarning – SonicWallSystemHealth – Sent when the number of concurrent authenticated users on a single node system (currentlyLoggedIn) has reached 90 percent of the license capacity limit. The currentlyLoggedIn OID is sent along with the trap.
userLimitReached – SonicWallSystemHealth – The number of currently authenticated, active user sessions on a single node system (currentlyLoggedIn) has reached the current license capacity limit. The currentlyLoggedIn OID is sent along with the trap.
userLimitExceeded – SonicWallSystemHealth – The number of concurrent, authenticated users on a single node system (currentlyLoggedIn) has reached the current license capacity limit plus the grace count for authorized users. The currentlyLoggedIn OID is sent along with the trap.
asapSystemUp – SonicWallSystemInfo – For a single appliance (not in an HA pair): the appliance from which the notification is sent (identified by IP address) is back online.
asapSystemDown – SonicWallSystemInfo – For a single appliance (not in an HA pair): the appliance from which the notification is sent (identified by IP address) is going offline.
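
The snmpwalk commands in Retrieving Management Data Using SNMP show how to read these values by hand, and the traps table above states the thresholds the appliance itself alarms on. The following added example, which is not SonicWall code, ties the two together for a poller: it parses snmpwalk -O n output into a dictionary, builds the v2c or v3 authPriv command line for the SMA enterprise subtree (matching the SHA-1 and AES choices in Configuring SNMP), and re-derives the documented trap conditions from polled values, so that a trap lost in transit is not a missed alarm. The OIDs and the 90 percent thresholds come from the MIB tables in this section; the sample walk output, its value types, and the function names are constructed for illustration, and the command builder assumes a net-snmp snmpwalk binary.

```python
"""Poll the SMA custom MIB and re-derive the guide's trap thresholds.

Added example; this is not SonicWall code. The OIDs, the 90 percent thresholds
and the Active/Down/Crashed states come from the MIB tables in this guide.
SAMPLE_WALK is constructed (the value types shown are an assumption about
how the agent encodes them), and walk_command() assumes a net-snmp binary.
"""
import re
import subprocess

SMA = "1.3.6.1.4.1.674"  # enterprise subtree used by the SMA custom MIB
OIDS = {
    "currentlyLoggedIn": SMA + ".2.1.1.0",
    "maxLicensedUsers": SMA + ".2.1.3.0",
    "ramUtilization": SMA + ".2.4.1.0",
    "logUtilization": SMA + ".2.9.0",
    "loginDenials24h": SMA + ".4.1.0",
    "ngServerState": SMA + ".5.1.0",
}

# Constructed `snmpwalk -O n` output: 460 of 500 licensed sessions in use and
# the log partition at 93 percent.
SAMPLE_WALK = """\
.1.3.6.1.4.1.674.1.1.0 = STRING: "12.0.1.1-145"
.1.3.6.1.4.1.674.1.2.0 = STRING: "SMA 7200"
.1.3.6.1.4.1.674.2.1.1.0 = Gauge32: 460
.1.3.6.1.4.1.674.2.1.3.0 = Gauge32: 500
.1.3.6.1.4.1.674.2.4.1.0 = Gauge32: 61
.1.3.6.1.4.1.674.2.9.0 = Gauge32: 93
.1.3.6.1.4.1.674.4.1.0 = Counter32: 14
.1.3.6.1.4.1.674.5.1.0 = STRING: "Active"
"""

# One varbind per line: <oid> = <TYPE>: <value>. The type tag is optional
# because the MIB-II sample earlier in this section prints none.
LINE_RE = re.compile(
    r"^\.?(?P<oid>\d+(?:\.\d+)*)\s*=\s*(?:(?P<type>[A-Za-z0-9]+):\s*)?(?P<value>.*)$"
)
INT_TYPES = {"INTEGER", "Gauge32", "Counter32", "Counter64", "Unsigned32"}


def parse_walk(text):
    """Turn snmpwalk -O n output into {oid: value} with native Python types."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.group("type"), m.group("value").strip()
        if kind in INT_TYPES:
            num = re.search(r"-?\d+", value)  # "up(1)" enumerations keep the number
            value = int(num.group()) if num else value
        elif kind == "Timeticks":
            ticks = re.match(r"\((\d+)\)", value)  # raw hundredths of a second
            value = int(ticks.group(1)) if ticks else value
        elif kind == "STRING":
            value = value.strip('"')
        out[m.group("oid")] = value
    return out


def walk_command(agent, community=None, v3_user=None, auth_pass=None, priv_pass=None):
    """net-snmp command line for whichever mode the appliance is in: v2c with a
    community string, or v3 authPriv (SHA-1 + AES, the strongest level in the
    table above). Passphrases on the command line are visible to other local
    users via ps; on a shared host put them in ~/.snmp/snmp.conf instead."""
    if v3_user:
        args = ["snmpwalk", "-v", "3", "-l", "authPriv", "-u", v3_user,
                "-a", "SHA", "-A", auth_pass, "-x", "AES", "-X", priv_pass]
    else:
        args = ["snmpwalk", "-v", "2c", "-c", community or "public"]
    return args + ["-O", "n", agent, SMA]


def poll(agent, **creds):
    """Walk a live appliance and parse the result (needs network access to it)."""
    proc = subprocess.run(walk_command(agent, **creds), capture_output=True, text=True, check=True)
    return parse_walk(proc.stdout)


def evaluate(values):
    """Apply the trap conditions documented above to polled values, so a poller
    still raises them when a trap (unacknowledged UDP) never arrives."""
    v = {name: values.get(oid) for name, oid in OIDS.items()}
    alerts = []
    if v["ngServerState"] not in (None, "Active"):  # ngServerStateChange
        alerts.append(f"ngServerStateChange: tunnel service is {v['ngServerState']}")
    if v["ramUtilization"] is not None and v["ramUtilization"] > 90:
        alerts.append(f"memoryCapacityWarning: RAM at {v['ramUtilization']}%")
    if v["logUtilization"] is not None and v["logUtilization"] > 90:
        alerts.append(f"logCapacityWarning: log partition at {v['logUtilization']}%")
    if v["currentlyLoggedIn"] is not None and v["maxLicensedUsers"]:
        used, cap = v["currentlyLoggedIn"], v["maxLicensedUsers"]
        if used >= cap:
            alerts.append(f"userLimitReached: {used}/{cap} licensed sessions")
        elif used >= 0.9 * cap:
            alerts.append(f"userLimitWarning: {used}/{cap} licensed sessions")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_walk(SAMPLE_WALK)):
        print(alert)
```

Polling and traps complement each other: traps tell you about a state change as it happens, but they are unacknowledged UDP datagrams, while a poll every few minutes against the same OIDs catches anything the trap path dropped. The cpuCapacityWarning and ngclientAddrPoolUtilizationWarning thresholds are not stated numerically in the guide, so they are deliberately left out of evaluate() rather than guessed.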

MIB Data: Other SNMP Data

MIB Data: Other SNMP data shows some other information about the appliance that you can retrieve from the standard MIB file using SNMP.

MIB Data: Other SNMP data

Item – OID – Description
Service status table – 1.3.6.1.4.1.2021.2 – Checks the status of the following services; the return data references these process names, and an error is flagged if a process is listed as not running:
apache2 (Web proxy service)
logserver (log server)
syslog-ng (syslog)
policyserver (policy server)
In appliance version 8.9.0 and later, srvcmond (cluster manager) is replaced by a service named AVFM (Secure Mobile Access Flow Manager). AVFM does not appear in a process list on the appliance because it runs as a kernel module.
Disk space availability table – 1.3.6.1.4.1.2021.9 – Checks disk space availability for the “/”, “/var/log”, and “/upgrade” partitions. If the free space on a partition drops below 10 MB, an error is flagged.
Load average checks table – 1.3.6.1.4.1.2021.10 – Checks the load average over one, five, and 15 minutes. An error is flagged if the one-minute load average is greater than 12, or the five- or 15-minute load average is greater than 14.
Software version number table – 1.3.6.1.4.1.2021.50 – Reports the current version of the SonicWall system software.
System description – 1.3.6.1.2.1.1.1.0 – The MIB-II sysDescr string (shown as Linux E-Class SRAvpn ... in the sample walk above). The system name itself, sysName, is 1.3.6.1.2.1.1.5.0.

Managing Configuration Data

The configuration data for your appliance is stored in a single export archive (.aea) file that includes the types of configuration data shown in Configuration Data types.

Configuration Data types

Access policy – Rules, resources, users and groups, WorkPlace shortcuts, and EPC signatures and zones.
Certificates – Certificates, private keys, and certificate passwords.
WorkPlace customization – General appearance settings, custom content, and custom templates.
Node-specific and network-specific settings – Host names, IP addresses, default route information, DNS settings, and cluster settings.

It’s a good practice to back up the configuration data on your appliance, especially if you are working on system changes and may need to revert to an earlier configuration. For example, if you plan to add new access control rules, first save your configuration and then make your changes; you can revert to the saved (working) configuration if the new rules don’t work as expected. Because the archive contains the appliance’s certificates, private keys, and certificate passwords, store exported .aea files with the same protections you would apply to the keys themselves, and limit who can download them.

There are several options for saving and restoring configuration data:

Export configuration data to a local machine, and later import it. Exporting involves the complete set of configuration data, but it is possible to do just a partial import. See Exporting the Current Configuration to a Local Machine and Importing Configuration Data for more information.
Save and restore configuration data files on the appliance. This involves the complete set of configuration data: you cannot save or restore a partial configuration. For more information, see Saving the Current Configuration on the Appliance and Restoring or Exporting Configuration Data Stored on the Appliance.
You can export the policy from an older SonicWall Secure Mobile Access appliance and import it to a newer one, provided the older appliance predates the newer one by no more than three versions. For example, if you own a version 9.0.0 appliance and you deploy a new appliance, you can import the policy configuration from your v9.0.0 appliance to the new one. See Updating the System for a description of the version number conventions that SonicWall uses.
CAUTION: Only configuration data that was generated by AMC is saved or exported. If you have made manual edits (by editing the SonicWall files on your appliance directly), these changes are not included. Manual changes are rare and are usually made with the help of SonicWall Technical Support.

Exporting the Current Configuration to a Local Machine

You can export your complete set of appliance configuration data to a local machine (you cannot export a partial configuration). Only saved changes are included; changes that are still pending when you export are not part of the archive.

To export the current configuration:
1
From the main navigation menu, click Maintenance.
2
In the System configuration area, click Import/Export.

3
Click Export. The Export Configuration page appears, and a File Download dialog prompts you to open the SonicWallSMAAppliance-<date>-<nnn>.aea file or save it to your hard drive.
4
Click Save, browse to the correct directory, and then save the .aea file.
5
Click OK on the Export page.

Saving the Current Configuration on the Appliance

In contrast to exporting, saving configuration data stores it on your appliance (up to 20 saved configurations can be stored). You cannot save a partial configuration, and only changes that have been applied are included.

To save configuration data on the appliance:
1
From the main navigation menu, click Maintenance.
2
In the System configuration area, click Import/Export.
3
Click New in the Saved Configurations list.
4
Describe this configuration in the Description field and (if there are multiple administrators) it is a good practice to identify who is saving it. For example, an entry might read as follows: Saved by MIS before adding access control rules for mobile devices.
5
Click Save. The current configuration data is stored on the appliance and added to the Saved Configurations list.

Importing Configuration Data

Exporting always involves the complete set of configuration data, but it is possible to do just a partial import (for example, if you want to import only policy and WorkPlace settings).

Configuration Data for importing describes the types of data that you can import into an existing AMC configuration:

Configuration Data for importing

Partial configuration:
Access policy: Includes rules, resources, users and groups, and EPC device profiles and zones.
WorkPlace customization: Includes general appearance settings, custom content, shortcuts, and custom templates.
CA certificates: Includes the CA certificates that are used to secure authentication server connections, or back-end Web resources, with SSL.
End Point Control: If you use client certificates in device profiles, a partial configuration includes the CA that issued them to your users.

Entire configuration:
Partial configuration data (see Partial configuration above).
SSL certificates: Includes certificates for AMC and the appliance, along with private keys and passwords.
Node-specific and network-specific settings: Includes host names, IP addresses, default route information, DNS settings, administrator accounts, and cluster settings.

To import a full or partial configuration:
1
From the main navigation menu, click Maintenance.
2
In the System configuration area, click Import/Export.
3
In the File name box, type the path of the appropriate file (SonicWallSMAApplianceVPN-<date>-<nnn>.aea), or click Browse to locate it.
4
Click Partial configuration if you want to import just the items listed in the table above.
5
Click Import. To activate the imported configuration, you must apply changes. See Applying Configuration Changes for more information.
* 
NOTE:  
If an import fails, you can view details in the Management message log file.
If you import a configuration while other configuration changes are pending in AMC, the pending changes are overwritten.
You can import the policy from an older Secure Mobile Access appliance, provided the older appliance predates the newer one by no more than three versions. For example, you cannot import the policy configuration from versions earlier than 11.4 to your 12.0.1 appliance.
You cannot import a configuration from a single node onto a high-availability cluster, or from a cluster configuration onto a single node.

Restoring or Exporting Configuration Data Stored on the Appliance

Follow these steps to restore a configuration file that is stored on the appliance. (To specify configuration data that is stored on a local machine instead of the appliance, use the import feature. See Importing Configuration Data for more information.) Only a full configuration data file can be restored; you cannot restore a partial configuration.

To restore or export configuration data stored on the appliance:
1
From the main navigation menu, click Maintenance.
2
In the System configuration area, click Import/Export.
3
Select a configuration from the Saved Configurations list.
4
Restore the configuration or export it to a local machine:
Click Restore. Restoration of the selected configuration begins immediately. After the restore is complete, click Pending changes to apply the new configuration. The restored configuration remains in the list.
Click Export to save a copy of the configuration to a local machine.

Upgrading, Rolling Back, or Resetting the System

SonicWall periodically offers software updates that add new functionality or address existing issues. An update is delivered as a compressed .bin file and can be in the form of:

A hotfix, which addresses issues with a particular version of the appliance software and typically contains only the files that have changed from the original version.
An upgrade, which is a new version of the software (the version number on the appliance is incremented).

Installing either kind of update, or rolling back to a previous version, can be done using AMC.

To view the current version of the system, click System Status or Maintenance from the main navigation menu. If any hotfixes have been applied, you can view the list by clicking the hotfixes link.

Topics:  

Updating the System

You can find system updates (hotfixes and upgrades) on the MySonicWall Web site. To access www.mysonicwall.com, you must first create an account, which is described in Creating a MySonicWall Account. After you have an account, new system updates and documentation are available in the Download Center on the Web site.

Topics:  

Naming Conventions for Upgrades

SonicWall uses the following syntax for upgrade file names; each part of the version number is described in Naming conventions for upgrades:

upgrade-<major>.<minor>.<micro>-<build>.bin

* 
NOTE: To find out if any hotfixes have been applied, click System Status or Maintenance from the main navigation menu.

The version number for AMC (displayed in the bottom-left corner of every AMC page) and client software follows a similar pattern:

<major>.<minor>-<micro>-<build>
 

Naming conventions for upgrades

Name / Description

major: The major release number. If this is the only number that is present, it indicates that this release contains significant new features plus fixes. It also indicates that it contains a full image of the entire system.
minor: The minor release number. If the version number contains only the major and minor numbers, it indicates that this release contains incremental features plus fixes. It also indicates that it contains a full image of the entire system.
micro: The micro release number. If the version number contains only the major, minor, and micro numbers, it indicates that this release contains a small number of features plus fixes. It also indicates that it contains a full image of the entire system.
build: An internal build number used by SonicWall. All releases contain a build number.

Naming Conventions for Hotfixes

Between releases, SonicWall may issue a hotfix that replaces a subset of the software files on your SMA appliance. Hotfix filenames use this naming convention:

<component>-hotfix-<version>-<hotfix number>

where Naming conventions for hotfixes defines <component>.

 

Naming conventions for hotfixes

Component / Description

Pform: Appliance Management Console
clt: Client software

* 
NOTE: To check whether any hotfixes have been applied, click System Status or Maintenance from the main navigation menu. If any hotfixes have been incorporated, you’ll see a hotfixes link next to the version number. Click the link for more information about which ones have been applied.

For example, Pform-hotfix-12.0.1,1-279 is hotfix 001 for version 12.0.1 that fixes a problem in the Appliance Management Console.
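As an added example (not SonicWall code), the following Python parses the upgrade and hotfix file names and the AMC version string described above, and rejects a hotfix whose version does not match the installed release. The file names and version string it is run against are constructed to follow the documented patterns.

```python
import re
from typing import Optional

# Added example, not SonicWall code: parse the naming conventions
# documented for SMA update files and the AMC version string.
#   upgrade-<major>.<minor>.<micro>-<build>.bin   (full system image)
#   <component>-hotfix-<version>-<hotfix number>  (subset of files)
#   <major>.<minor>-<micro>-<build>               (version shown in AMC)
UPGRADE_RE = re.compile(r"^upgrade-(\d+)\.(\d+)\.(\d+)-(\d+)\.bin$")
HOTFIX_RE = re.compile(r"^(Pform|clt)-hotfix-(\d+(?:\.\d+){0,2})-(\d+)$")
AMC_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)-(\d+)$")
COMPONENTS = {"Pform": "Appliance Management Console", "clt": "Client software"}


def parse_update_filename(name: str) -> Optional[dict]:
    """Describe an upgrade or hotfix file; None if the name follows
    neither convention (a renamed, truncated or unrelated file)."""
    m = UPGRADE_RE.match(name)
    if m:
        major, minor, micro, build = (int(x) for x in m.groups())
        return {"kind": "upgrade", "version": (major, minor, micro),
                "build": build, "full_image": True}
    m = HOTFIX_RE.match(name)
    if m:
        comp, version, number = m.groups()
        parts = tuple(int(x) for x in version.split("."))
        parts += (0,) * (3 - len(parts))  # normalise "12.0" to (12, 0, 0)
        return {"kind": "hotfix", "component": COMPONENTS[comp],
                "version": parts, "hotfix_number": int(number),
                "full_image": False}
    return None


def parse_amc_version(text: str) -> Optional[dict]:
    """Parse the version string AMC shows in its bottom-left corner."""
    m = AMC_VERSION_RE.match(text)
    if not m:
        return None
    major, minor, micro, build = (int(x) for x in m.groups())
    return {"version": (major, minor, micro), "build": build}


def hotfix_matches_installed(hotfix_name: str, amc_version: str) -> bool:
    """A hotfix addresses one particular release, so refuse a file whose
    version differs from the version currently installed."""
    hf = parse_update_filename(hotfix_name)
    installed = parse_amc_version(amc_version)
    if hf is None or installed is None or hf["kind"] != "hotfix":
        return False
    return hf["version"] == installed["version"]
```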

Installing System Updates

You can use AMC to install version upgrades and hotfixes manually or automatically at a scheduled time.

To download and install a system upgrade or hotfix manually:
1
From the main navigation menu in AMC, click Maintenance.

2
In the System software updates area, click Update.

3
If you have not already downloaded the upgrade or hotfix file, click the Web site link (login required) and download the appropriate file from www.mysonicwall.com to your local file system.
4
Type the path of the file, or click Browse to locate it.
5
Click Install Update. A file upload status indicator appears. If necessary, you can click Cancel to stop the upload process.

After the file upload process is complete, the update is automatically installed on the appliance. You cannot cancel the installation process. After the installation process is complete, the appliance automatically restarts.

6
After the appliance restarts, log in to AMC and verify the new version number in the bottom-left corner of the AMC home page.
* 
NOTE: If you see an error message indicating that an upgrade file is invalid or corrupt, follow the steps in Verify a Downloaded Upgrade File to see if the checksum for the file is correct.

Rolling Back to a Previous Version

From AMC, you can undo the most recent update installed on the system. If you experience problems after installing an upgrade or hotfix, you may want to use this feature to roll back to a known state. Each time you roll back, the most recent update is removed.

* 
CAUTION: If you have made any configuration changes since you updated the appliance, they will be lost if you restore a previous version of the system software. When you remove a hotfix, on the other hand, your configuration changes are preserved.
To roll back to a previous version:
1
From the main navigation menu in AMC, click Maintenance.
2
In the System configuration area, click Rollback.
3
To roll back to the version displayed on the Rollback page, click OK. After the rollback process is complete, the appliance automatically restarts and applies the changes.
4
After the appliance restarts, verify the new version number in the bottom-left corner of the AMC home page.

Resetting the Appliance

From AMC, you can reset your appliance using one of three reset levels. The mildest level erases your configuration information, log files, and the current firmware, but leaves you the option to roll back to a previous version, if one is loaded.

The second level removes all configuration, log files, and firmware from the appliance. With this option, you cannot roll back to a previous version.

The third level also removes all configuration, log files, and firmware from the appliance, and then securely erases the hard drive, which can take up to 45 minutes. If you select this option, you cannot roll back to a previous version.

There are a couple of scenarios in which a reset may be appropriate:

You want to completely clean the machine and reuse it elsewhere.
The appliance is in an unrecoverable state. In this case, you should contact SonicWall Technical Support and confirm that there is no other solution to your problem. A reset should be used only as a last resort to restore the appliance to a working condition.

To configure the appliance after it has been reset, you will need to use the LCD panel or serial console.

To reset the appliance:
1
Back up the configuration data on the appliance by using the Backup Tool (see Saving Configuration Data).
2
From the main navigation menu in AMC, click Maintenance.
3
Near the top of the page, click Reset.
4
On the Maintenance > Reset page, select one of the following three radio buttons under Reset Options:
Reset the current configuration – This option erases your current configuration. If you upgraded from a previous version, selecting this option retains the ability to roll back.
Reset the entire appliance – This option erases your configuration and deletes all firmware versions on the appliance. If you select this option, you cannot roll back to a previous version.
Securely erase the hard drive and reset the entire appliance – This option erases your configuration, deletes all firmware versions, and securely erases the hard drive. If you select this option, you cannot roll back to a previous version.
* 
NOTE: Securely erasing the hard drive can take up to 45 minutes.
5
At the bottom of the page, click Reset to proceed with the reset. To cancel the reset, click Cancel.

SSL Encryption

Encryption is used to ensure data security for all traffic on the appliance. The appliance encrypts all data using SSL. You must configure at least one cipher to be used with SSL to secure your network traffic. Select the “best” cipher from the available set, balancing security and performance trade-offs (security is weighted much more heavily than performance).

SSL provides some degree of protection from downgrade attacks, but in general you should configure your servers to permit only those ciphers that you consider strong enough for your needs. The cipher order, from most to least preferred, is:

AES 256-bit, with SHA-256
AES 128-bit, with SHA-256
AES 256-bit, with SHA-1
AES 128-bit, with SHA-1
Triple DES, with SHA-1
* 
NOTE: It may appear that AMC always uses the AES 256-bit with SHA-256 cipher for SSL handshaking irrespective of the cipher that is selected. In fact, AMC uses the most secure cipher available for SSL handshaking, no matter which cipher is selected.

Configuring SSL Encryption

The appliance uses SSL encryption and other cryptographic algorithms—or ciphers—to secure data transfer. When configuring the encryption settings for the appliance, you must enable at least one cipher to be used in conjunction with SSL to secure your network traffic. The default settings are typically sufficient for most deployments.

To configure SSL encryption settings:
1
From the main navigation menu, click SSL Settings, and then click the Edit link in the SSL Encryption area. The Configure SSL Encryption page appears.

2
Check the Use only government-recommended encryption checkbox to enable FIPS 140-2 compliant encryption settings. This configures the appliance to use only the TLS protocol and enables only FIPS-compliant ciphers.

This option is often used to disable TLS 1.1 and 1.2 and the corresponding certificate notifications when SSL and CA certificates haven’t been upgraded from TLS 1.0.

3
To enable FIPS 140-2 compliant encryption, check the transport protocols used to encrypt traffic. This configures the appliance to use only the TLS protocol and enables only FIPS-compliant ciphers.
4
Select the version of TLS transport protocol that the appliance will use.
5
Select the ciphers that the access services (Web proxy, network proxy, and network tunnel) on the appliance will accept for SSL connections.
6
To compress encrypted SSL data using LZS compression, check the Enable cipher compression checkbox.
7
In the SSL handshake timeout box, type the number of seconds that an SSL handshake can last before timing out. The default is 300.
8
Click Save.

FIPS Certification

This section describes configuring your SMA appliance to use FIPS mode.

FIPS (Federal Information Processing Standard) 140-2 Level 2 is a validation standard for evaluating cryptographic modules, and includes stringent reviews of source code, algorithms, physical security, and operational testing on cryptographic security products. The United States Federal Government is required to purchase cryptographic products validated to the FIPS 140-2 standard. In the international marketplace, ISO19790 is being adopted as a standard and is a direct adaptation of FIPS 140-2.

The SonicWall E-Class SMA EX9000, EX7000, EX6000, SMA 7200, and SMA 6200 appliances have FIPS 140-2 Level 2 certification from NIST (the National Institute of Standards and Technology, the United States FIPS 140-2 Cryptographic Module Validation Authority) and CSE (the Communications Security Establishment, the Canadian FIPS 140-2 Cryptographic Module Authority).

* 
NOTE: Versions 10.7.2 and later are FIPS certified.

FIPS mode is transparent to end users. Internally, FIPS mode enforces secure communication and system integrity.

Topics:  

Requirements for FIPS

These items are required to properly configure FIPS for full compliance:

An EX9000, EX7000, EX6000, SMA 7200, or SMA 6200 appliance. No other appliances are FIPS-certified.
* 
CAUTION: If you have purchased an EX9000, EX7000, EX6000, SMA 7200, or SMA 6200 appliance with 140-2 Level 2 FIPS certification, the tamper-evident sticker affixed to it must remain in place.
A license to run FIPS
A secure connection to your authentication server
A strong administrator password, which should be at least 14 characters long and contain punctuation characters, numbers, and a combination of uppercase and lowercase letters. In addition, you must specify an authentication server when you set up a realm; null auth is not allowed.
When in FIPS mode, the Grub shell MUST be disabled in order to prevent a user from gaining unauthorized access to the shell.
* 
CAUTION: Modification of any Grub configuration files IS NOT allowed. Modification makes the device Non-FIPS compliant and causes the device to become inoperable.

These states prevent FIPS from being activated, or from reaching full compliance:

Unsecured connections with authentication servers
Use of RADIUS authentication servers