
Secure Mobile Access 12.0 Admin Guide

Appendix

 

Appliance Command-Line Tools

About the Tools

Most of the configuration management tasks that you need to perform—backing up and restoring your appliance configuration, applying upgrades, and so on—can be done using the Web-based Appliance Management Console (AMC), on the Maintenance page. This section describes tools on the appliance that perform these same tasks and some others, for administrators who prefer to work on the command line. See Appliance command-line tools.

 

Appliance command-line tools

Setup Tool (setup_tool): Configure the appliance by running Setup Tool from a serial connection using a laptop computer or terminal.

NOTE: setup_tool and cluster_tool are integrated into config_reset.

Backup Tool (config_backup): Save the current configuration file.

Host Validation Tool (checkhosts): Show a list of the hosts referred to in your appliance resources, and find out if they are accessible and can be resolved in DNS.

See Managing Configuration Data and Upgrading, Rolling Back, or Resetting the System for a description of configuration data files and how to manage them in AMC.

Configuring a New Appliance Using Setup Tool

The recommended way to set up a new appliance is to use the LCD controls on the front of the appliance to enter information that will enable a Web browser to connect to your appliance so that you can connect to the Appliance Management Console and run Setup Wizard, as described in Powering Up and Configuring Basic Network Settings.

If you prefer using a command-line utility, you can configure the appliance by running Setup Tool from a serial connection using a laptop computer or terminal.


Tips for Working with Setup Tool

Here are some tips for working with Setup Tool:

Yes or no questions include a [y] or [n] at the end of the prompt; type the appropriate letter and then press Enter to display the next question.
To delete a character, press Backspace. (On a Windows-based PC, you can also press Delete to remove a character.)
When typing an IP address or netmask, use the standard IP address format of four octets (w.x.y.z). Setup Tool provides basic error checking (for example, validating that the gateway you type is on the same subnet as the appliance).
Type q to quit Setup Tool and discard your changes.
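An added example, not code from the guide or from Setup Tool itself: the basic error checking the tips above describe (four-octet addresses, a valid netmask, and a gateway on the same subnet as the appliance), written with Python's standard ipaddress module. The function names and messages are this example's own.

```python
"""Setup Tool-style checks on the internal-interface values (added example)."""
import ipaddress


def _netmask_prefix(netmask):
    """Prefix length of a dotted-quad netmask, or None if it is not a
    contiguous run of ones followed by zeros (e.g. 255.255.0.255, or a
    hostmask such as 0.0.0.255 typed by mistake)."""
    try:
        mask = int(ipaddress.IPv4Address(netmask))
    except ValueError:
        return None
    # For a contiguous mask, mask | (mask - 1) sets every low bit: all ones.
    if mask == 0 or (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        return None
    return bin(mask).count("1")


def validate_interface_settings(ip, netmask, gateway=""):
    """Check the three values Setup Tool prompts for.

    Returns a list of problems; an empty list means the address, netmask and
    (optional) gateway are consistent.  An empty gateway means the AMC client
    is on the same network and no gateway is needed.
    """
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"IP address {ip!r} is not a valid four-octet address"]
    prefix = _netmask_prefix(netmask)
    if prefix is None:
        return [f"netmask {netmask!r} is not a valid netmask"]
    # strict=False keeps the host bits of the address when building the network
    network = ipaddress.IPv4Network((addr, prefix), strict=False)
    edge = (network.network_address, network.broadcast_address)
    if prefix < 31 and addr in edge:
        problems.append(f"{ip} is the network or broadcast address of {network}")
    if gateway:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            return problems + [f"gateway {gateway!r} is not a valid four-octet address"]
        if gw not in network:
            problems.append(f"gateway {gateway} is not on the same subnet as the appliance ({network})")
        elif gw == addr:
            problems.append("gateway must not be the appliance's own address")
        elif prefix < 31 and gw in edge:
            problems.append(f"gateway {gateway} is the network or broadcast address of {network}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from any real appliance.
    for args in (("10.1.2.3", "255.255.255.0", "10.1.2.1"),
                 ("10.1.2.3", "255.255.255.0", "10.1.3.1"),
                 ("10.1.2.3", "255.255.0.255", "")):
        print(args, "->", validate_interface_settings(*args) or "ok")
```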

Using Setup Tool

When you run Setup Tool from the command line, it prompts you to accept the Secure Mobile Access End User License Agreement (EULA), create a root password, and provide an IP address, subnet mask, and internal default gateway.

To run Setup Tool:
1. Make a serial connection to the appliance (see Powering Up and Configuring Basic Network Settings), and then turn on the appliance using the power button.
2. If the appliance has not yet been configured, or if you have just reset it using either Factory Reset Tool or Config Reset, Setup Tool will run automatically.
3. When you’re prompted to log in, type root for the username; press Enter to move to the next page.
4. You’re prompted to type an IP address, subnet mask, and (optionally) a gateway for the internal interface. You use this interface to connect to the appliance from a Web browser and continue setup using AMC.

IP address:

Type an IP address for the internal interface connected to your internal (or private) network and then press Enter.

Subnet mask:

Type a netmask for the internal network interface and then press Enter.

Gateway:

If the computer from which you’ll access AMC is on a different network than the appliance, you must specify a gateway. Type the IP address of the gateway used to route traffic to the appliance and then press Enter.

If you’re accessing AMC from the same network on which the appliance is located, simply press Enter.

5. You’re prompted to review the information you provided. Press Enter to accept the current value, or type a new value and then press Enter.
6. Finally, you’re prompted to save and apply your changes. Press Enter to save your changes.

At this point, Setup Tool saves your changes and restarts the necessary services. It also generates SSL keys using the information you provided (SSH requires security keys that it exchanges with remote SSH clients and servers). After SSH is configured using Setup Tool, it will display a message saying that it is generating these keys.

During this time, you will receive minimal feedback; be patient and do not assume that Setup Tool is not responding. When Setup Tool is finished, a message appears indicating that the initial setup is complete. This message also includes the URL for accessing AMC.

Saving and Restoring Configuration Data

Included on the appliance are a number of command-line administrative tools for saving and restoring configuration data:

Config Backup Tool—Saves the current configuration file
Config Restore Tool—Restores a saved configuration file

The AMC method for saving and restoring configuration data is more convenient, but it imports and exports a subset of the data that can be saved and restored using the command-line tools. AMC method vs. command-line tools compares the two methods.

 

AMC method vs. command-line tools

Configuration item              AMC   Command-line tools
Access policy                    x            x
Certificates                     x            x
WorkPlace customizations         x            x
Node-specific network settings   x            x


Saving Configuration Data

Backup files are saved to a compressed tar file (by default, /var/backups/cfgback.tgz). It is a good practice to back up your system regularly, especially when making many system customizations.

To back up your configuration using Backup Tool:
1. Connect to the appliance using SSH or a serial connection, and log in as root.
2. Type config_backup, specifying any of the following optional parameters:

config_backup [-t <tarfile>] [-q] [-d <debuglevel>] [-h]

 

Parameters for configuration backup

-t <tarfile>: Backs up your configuration to the specified file. This parameter is required only if you want to back up to a different backup file than the default file: /var/backups/cfgback.aea

Setting this parameter is not recommended, because the restore program normally looks for the default file when restoring.

-q: Turns off the confirmation prompts (making the backup “quiet”). Normally, you are prompted when you might overwrite an existing backup file.

-d <debuglevel>: Specifies how much information to display about the backup operation. Set <debuglevel> to an integer between 0 (no information) and 10 (complete information). The default is 1 (normal information).

-h: Shows help listing available parameters.

When you run Config Backup Tool, it saves your system configuration files to a backup file with the name and location specified above. If a backup file already exists at that location, you are prompted to confirm that you want to overwrite it (unless you use the -q parameter).

NOTE: Your configuration is automatically backed up if you install a new system update using Update Tool. This will not overwrite manual backups created by an administrator.

For additional protection, use a program like SCP to copy the .tgz file from the appliance to a separate location, such as a drive on your network or removable media.

You can automate backups by adding Backup Tool to a script. In this case, use the -q parameter to suppress confirmation prompts.

Validating Hosts

Many of the access control rules that you create in AMC point to host resources; as each rule is evaluated, the appliance tries to resolve these hosts in DNS. When resources are added, deleted, and modified on an appliance, some may become outdated, or completely unreachable. If there are any hosts that can’t be resolved, you may also find that performance slows down.

There is a script you can run from the command line on the appliance (using SSH) called checkhosts, located in /usr/local/extranet/bin. By reporting on hosts that may no longer be functional or reachable, this tool can help you update your resources and access control lists so that policy evaluation is more efficient.

For help with the command syntax, type the following:

<appliance prompt>:/usr/local/extranet/bin/checkhosts -h
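An added example, not the appliance's own checkhosts script: a small validator that does what the guide says checkhosts reports, namely which hosts named in resource definitions still resolve in DNS (IP literals need no lookup and are listed separately). The resource strings, names and the injectable resolver are this example's own; the default resolver performs real lookups with socket.getaddrinfo.

```python
"""Report unresolvable hosts named in resource definitions (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample resource definitions: URL, host:port and bare-host forms.
SAMPLE_RESOURCES = [
    "https://intranet.example.com/",
    "mail.example.com:993",
    "legacy-app.example.com",
    "10.20.30.40",
    "INTRANET.example.com:8443",   # same host as the first entry, different case
]


def resource_host(resource):
    """Lower-cased host part of 'scheme://host[:port]/path', 'host[:port]',
    '[v6]:port' or a bare host; '' if nothing usable is present."""
    resource = resource.strip()
    if "://" in resource:
        return (urlsplit(resource).hostname or "").lower()
    host = resource.split("/", 1)[0]
    if host.startswith("[") and "]" in host:      # bracketed IPv6 literal
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                    # host:port
        host = host.split(":", 1)[0]
    return host.lower()


def check_hosts(resources, resolver=socket.getaddrinfo):
    """Classify every distinct host named in `resources`.

    Returns {'resolved': {host: [addr, ...]}, 'unresolved': [...], 'literal': [...]}.
    `resolver(host, None)` must behave like socket.getaddrinfo; pass a stub to
    run the logic without network access.
    """
    report = {"resolved": {}, "unresolved": [], "literal": []}
    for host in sorted({resource_host(r) for r in resources} - {""}):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass
        else:                                     # IP literal: no DNS needed
            report["literal"].append(host)
            continue
        try:
            infos = resolver(host, None)
        except OSError:                           # socket.gaierror is an OSError
            report["unresolved"].append(host)
            continue
        report["resolved"][host] = sorted({info[4][0] for info in infos})
    return report


if __name__ == "__main__":
    report = check_hosts(SAMPLE_RESOURCES)        # real DNS lookups
    for host in report["unresolved"]:
        print(f"UNRESOLVED {host}  (update or remove the resource that names it)")
    for host, addrs in report["resolved"].items():
        print(f"ok         {host} -> {', '.join(addrs)}")
```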

 

Troubleshooting

About Troubleshooting

This Appendix provides general troubleshooting instructions and discusses the troubleshooting tools available in the Appliance Management Console (AMC). Failure in core networking services (such as DHCP, DNS, or WINS) will cause unpredictable failures.

The User Sessions page in AMC can be used to monitor, troubleshoot or terminate sessions on your appliance or HA pair of appliances. You can sort through the summary of session details and, if needed, display details on how a device was classified, and why. About 24 hours worth of data is kept; even items that have been deleted or modified are displayed. See Viewing User Access and Policy Details.

General Networking Issues

These troubleshooting tips for networking issues are grouped by type of solution. Before using the ping utility, make sure that Enable ICMP pings is enabled on the Configure Basic Network Settings page. Some tips are given in these tables:

 

Troubleshooting tips for networking issues

Ping the external interface: Ping the external interface to verify the network connection. If you can ping a host's IPv4 or IPv6 address, but not its fully qualified domain name, there is a problem with name resolution. You can issue the ping command from the command line or from within AMC (see Ping Command).

Capture network traffic on the external interface: To verify that traffic is reaching the appliance and being returned, use the network traffic utility in AMC, which is based on tcpdump. You can send this network traffic data to Technical Support, or review it using a network protocol analyzer like Wireshark. See Capturing Network Traffic for more information.

Ping the network gateway(s): Ping the external gateway and/or internal gateway. You can issue the ping command from the command line or from within AMC. For more information, see Ping Command.

Use ping to test DNS: If you experience DNS problems, first determine whether client DNS resolution is working:

1. Make sure that the client machine has Internet access.
2. At a DOS command prompt, type ping google.com. You should see a response like this:
Pinging google.com [nnn.nnn.nnn.nnn]

If basic DNS functionality is available, the IP address in square brackets is resolved by DNS lookup, demonstrating that basic DNS is functioning at the client. If DNS is not available, the ping program will pause for a few seconds and then indicate that it could not find the host google.com.

Try to use DNS to resolve the appliance host name: If you continue to experience DNS problems, determine whether DNS can resolve the appliance host name. Repeat the ping procedure described above but replace google.com with the host name of your appliance.

If ping finds:

No address for your host name, troubleshoot the DNS server that should be serving that host name. Try working around client connection issues by replacing the host name with the IP address of the appliance’s external interface.
An address for your host name, but no replies appear (Request timed out), ICMP echoes may be blocked at any hop between the client and the appliance.

Clear the ARP: If you’ve recently assigned a new IP address to the appliance, be sure to clear the local Address Resolution Protocol (ARP) cache from network devices such as firewalls or routers. This ensures that these network devices are not using an old IP-to-MAC address mapping.

 

Troubleshooting tips for networking issues: hardware

Cables: Check all network cables to be sure you don't have a bad cable.

Bypass the firewall: If you're using network address translation (NAT), you might be blocked by a firewall. Temporarily bypass the firewall by connecting a laptop to the appliance on the physical interface using a cable, and then verify network connectivity.

If this type of connection is impractical, try placing your laptop on the same network segment as the external interface of the appliance (to get as close to the appliance as possible).

Configure the switch port: If you experience network latency, such as slow SCP file copying or slow performance by the Web proxy or network tunnel service, the problem may be due to configuration differences between the appliance interface settings and the switch ports to which the appliance is connected. It’s possible for a switch to improperly detect duplex-mode settings (for example, the appliance is configured at full duplex but the switch detects half duplex). Cisco has documented such problems with its switches.

To resolve this problem, disable auto negotiation. Instead, configure the switch port to statically assign settings that match the appliance. You must check both switch ports and both appliance interface settings (internal and external, if applicable). If even one interface/switch port is mismatched, performance suffers.

If you are experiencing network latency but your appliance/switch ports are configured correctly, the problem lies somewhere else in the network. It could also be an application-level issue (such as slow name resolution on the DNS server being accessed by the Web proxy or network tunnel service).

 

Troubleshooting tips for networking issues: third-party solutions

Verify that traffic is not being filtered out: Review the contents of the log file /var/log/kern.iptables while a connection attempt is failing. If packets are reaching the appliance but are being dropped or denied by iptables (a firewall running on the appliance), review the iptables ruleset by running the following command:

iptables -L -n -v

Traffic that is filtered by iptables is logged but not forwarded to an external syslog server.

Verify a Downloaded Upgrade File

You can use AMC to install version upgrades, as described in Upgrading, Rolling Back, or Resetting the System. To make sure that the update was successfully transferred to your local computer, compare its checksum against the one in the .md5 file you extracted from the .zip file.

To verify the MD5 checksum on your PC, use a Windows- or Java-based utility. Microsoft, for example, offers an unsupported command line utility on their site named File Checksum Integrity Verifier (FCIV):

To verify the downloaded file on a PC:
1. At the DOS command prompt, type the following, which returns a checksum for the downloaded file:
fciv <upgrade_filename>.bin
2. Open the associated .md5 file (which you downloaded from the MySonicWall Web site) using Notepad or another text editor:
notepad <upgrade_filename>.bin.md5
3. Compare the two checksums. If they match, you can safely continue with your update. If they differ, try the download again and compare the resulting checksums. If they still don't match, contact SonicWall Technical Support.

To verify the downloaded file on the appliance:
1. Type the following command, which returns a checksum for the downloaded file:
md5sum <upgrade_filename>.bin
2. Open the associated .md5 file:
cat <upgrade_filename>.md5
3. Compare the two checksums.
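An added example, not from the guide: a script that performs the comparison the fciv/md5sum procedures above do by hand, computing the MD5 of the downloaded image and checking it against the checksum recorded in the .md5 file (whether that file holds just the hash or md5sum's "<hash>  <filename>" line). Function names and the constructed sample files in demo() are this example's own.

```python
"""Compare an upgrade image's MD5 with its .md5 file (added example)."""
import hashlib
import hmac
import os
import re
import tempfile

# First run of exactly 32 hex digits, not embedded in a longer hex string.
_HEX32 = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32})(?![0-9a-fA-F])")


def file_md5(path, chunk_size=1 << 20):
    """Hex MD5 digest of a file, read in chunks so a large image need not fit
    in memory.  This is the value md5sum and fciv print."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_md5_text(text):
    """Pull the checksum out of .md5 file contents.  md5sum writes
    '<hash>  <filename>'; other tools write only the hash.  Either way the
    first 32-hex-digit token is the checksum, returned lower-cased."""
    m = _HEX32.search(text)
    if not m:
        raise ValueError("no MD5 checksum found in .md5 file")
    return m.group(1).lower()


def verify_upgrade(bin_path, md5_path):
    """True when the image's MD5 equals the checksum in the .md5 file."""
    with open(md5_path, "r", encoding="utf-8", errors="replace") as f:
        expected = parse_md5_text(f.read())
    return hmac.compare_digest(file_md5(bin_path), expected)


def demo():
    """Run the check on constructed files: an intact image and a copy with one
    byte flipped (the kind of damage a bad transfer leaves behind).
    Returns (intact_matches, corrupted_matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "upgrade.bin")
        md5_file = os.path.join(tmp, "upgrade.bin.md5")
        payload = bytes(range(256)) * 4096          # constructed 1 MiB image
        with open(image, "wb") as f:
            f.write(payload)
        with open(md5_file, "w") as f:               # same layout md5sum produces
            f.write(f"{file_md5(image)}  upgrade.bin\n")
        intact = verify_upgrade(image, md5_file)
        with open(image, "wb") as f:                 # flip one byte
            f.write(payload[:1000] + bytes([payload[1000] ^ 0xFF]) + payload[1001:])
        corrupted = verify_upgrade(image, md5_file)
    return intact, corrupted


if __name__ == "__main__":
    print("intact image matches: %s, corrupted image matches: %s" % demo())
```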

Troubleshooting Agent Provisioning (Windows)

Secure Endpoint Manager (SEM) is a component that provisions Windows users with EPC and access agents when they log in to WorkPlace. If something goes wrong during provisioning, the error is recorded in a client installation log (identified by username) that you can view in AMC.

To get to the App data folder, click Start -> Run, type in %appdata%, and press Enter.

Provisioning process presents a broad overview of the provisioning process. At Step 2 through Step 6, information is appended to a file named epiBootstrapper.log (stored in \Documents and Settings\<username>\Application Data\Secure Mobile Access\LogFiles\).

Provisioning process

To troubleshoot agent provisioning:
1. Micro-interrogation (JavaScript is used to get basic platform and browser information): Is this a Microsoft OS? Is ActiveX enabled? If not, is Java enabled? If neither is available, the user sees an error message.
2. Fetch epiBootstrapper.exe, a self-extracting executable in MSI (Microsoft Windows Installer) format; the executable also includes the macro-interrogator used in Step 5.
3. Fetch the list of Advanced EPC agents and install it. At a minimum, OPSWAT.msi is installed.
4. Fetch additional Advanced EPC agents as required by the community.
5. Macro-interrogation: Search for both Advanced EPC and other device profile attributes, such as a particular file name, or a Windows registry key.
6. Provision agents (for example, data protection, or OnDemand Tunnel).


AMC Issues

One of the most common errors in AMC is to make a configuration change and then forget to apply it. A Pending changes link appears in the top-right corner in AMC whenever changes have been made but not applied. Click the link, and then click Apply Changes to automatically restart the services.

 

Troubleshooting AMC issues

Can't access AMC: If you can't access AMC, connect a cable to the internal network interface on the appliance and verify that you can access AMC without any network. If this type of connection is impractical, put the laptop on the same network segment as the internal interface (to get as close to the appliance as possible).

If you still can't access AMC, make sure your URL includes the https:// protocol identifier. Also verify that you’ve included the port number 8443 in the URL.

Can’t log in to AMC on the internal network: If your browser cannot log in to AMC on the internal network, ensure that traffic from the client to the IP address of the appliance’s internal interface actually arrives at the internal interface. Using the network traffic utility in AMC, which is based on tcpdump, you can capture traffic on the internal interface (eth0). Any client attempt to reach AMC should show up as TCP SYN packets from the client’s IP address directed to port 8443. See Capturing Network Traffic for more information.

Can’t log in: If AMC login fails with the error Invalid Login Credentials, verify the spelling of your username and password. Passwords are case-sensitive; ensure that Caps Lock and Num Lock are not enabled.

CPU utilization is spiking: If you are using nested group lookup on your LDAP or AD authentication server, make sure that you are also caching the lookup results: searching the entire directory tree takes time and increases the CPU usage on both the appliance and your authentication server.

Authentication Issues

An authentication server is referenced in a realm.

 

Troubleshooting authentication issues

Access to the external authentication server(s): Verify that you can access the external authentication server by using the network traffic utility in AMC, which is based on tcpdump. You can send this network traffic data to Technical Support, or review it using a network protocol analyzer like Wireshark. See Capturing Network Traffic for more information.

Authentication server credentials: Verify that AMC contains the proper credentials for access to your external server. For LDAP, check the Login DN and Password settings, and click Test Connection. For RADIUS, check the Shared secret setting.

Authentication server logs: Review the authentication server logs. Make sure you're not entering invalid credentials or having connectivity problems.

User authentication using an LDAP or AD server takes too long or times out: If you are using nested group lookup on your LDAP or AD server, make sure that you are also caching the lookup results, because searching the entire directory tree takes time. To reduce the load on your directory and get better performance, cache the attribute group or static group search results by selecting the Cache group checking checkbox.

Using Personal Firewalls with Agents

Some firewall products display a security alert during the provisioning of Secure Mobile Access agents or EPC components. This is because the firewalls are regulating outbound connections by process (in addition to port and protocol). In most cases, the user can simply “unblock” or “permit” the outbound connection.

Connect Tunnel users should configure their personal firewalls to allow the Secure Mobile Access VPN service (ngvpnmgr.exe) and Secure Endpoint Manager (AventailComponents.exe) to access the Internet and to add the SMA appliance by host name or IP address as a trusted host or zone. In addition, Windows Vista users should make an exception for epiVista.exe.

There are a few firewalls, such as one supplied by Trend Micro, that do not permit a user with restricted rights to override the firewall settings. For corporate systems on which users have limited access rights, you may need to update the firewall settings before deploying the Secure Mobile Access VPN so that users won’t have to respond to security dialog prompts.

Consult the documentation for your corporate personal firewall to determine the firewall policy. If a firewall update proves necessary, a rule that allows all processes to communicate with the appliance over port 443 is recommended.

Secure Mobile Access Services Issues

To see a brief summary of which services are running, click Services on the main navigation menu.


Web Proxy Service Issues

Temporarily increase the server log level in AMC to Verbose. (Don’t forget to click Pending changes in the top-right corner of any AMC page, and then click Apply Changes to automatically restart the service.)
To see the Web proxy service log, click Logging in the main navigation menu, and then select Web proxy audit log from the Log file list. Verify that your connection request appears in the log.
Verify that your DNS server can resolve the Web proxy service Server name setting in AMC to the IP address of the Web proxy service interface. You can use the lookup tool within AMC (see Using DNS Lookup), or you can issue the nslookup or dig commands from a command prompt.
If your network uses NAT to translate IP addresses, make sure that the Web proxy service Server name setting contains the IP address of the outside (or public) IP address that is being substituted using NAT.

Web Proxy Agent Issues

The Web proxy agent provides access to URL resources on Windows systems with Internet Explorer 7.0 or later. WorkPlace indicates that Web proxy mode is active on a client by displaying Secure Mobile Access Web proxy in the Connection Status area.

To troubleshoot whether the Web proxy agent is running properly on a client machine, follow these steps:

1. On the client machine, press Ctrl+Alt+Delete, and then click Task Manager.
2. Look in Windows Task Manager’s Processes list for the process ewpca.exe. If that file is present, the standard Web mode access agent is running, although it may not be receiving network traffic.
3. To confirm that the Web proxy agent is receiving traffic, start Internet Explorer and then select Tools > Internet Options. On the Connections tab, click LAN Settings or Settings for the dial-up/VPN connection you are using to connect to the appliance.
4. In the appropriate Settings dialog for your connection type, verify that the Use automatic configuration script checkbox is selected and that the Address field contains the following address:
http://127.0.0.1:<portnumber>/redirect.pac

Internet Explorer uses the redirect.pac file to determine which connections to send to the Web proxy agent.

5. To view the resource addresses that are redirected by the redirect.pac file, open the file in a text editor. The file is located on the client machine in this folder:
\Documents and Settings\<username>\Application Data\SMA1000\ewpca

The //Redirection Rules// section of the redirect.pac file lists the addresses defined as destinations that are sent through the standard Web proxy agent. These addresses come from the list of network and URL resources defined in AMC.

Tunnel Issues

This section describes how to troubleshoot problems with the network tunnel service and the tunnel clients.


Installation

 

Troubleshooting installation issues

Connect Tunnel client does not install: The provisioned client is delivered to client computers as an installation package. If the installation procedure fails, the following may explain the issue or offer a solution:

System is not supported: Ensure that the client computer’s system software is supported by the Connect Tunnel client.
Client software doesn’t match system requirements: If users can access WorkPlace, install the client that is available in WorkPlace.
User does not have local administrator rights: Users must have administrator rights to install the Connect Tunnel client.
The Connect Tunnel client installation log file (ngsetup.log) may contain information that can help troubleshoot installation issues. On Windows Vista, the file is located in the ProgramData folder, which is hidden by default:
[drive:]\ProgramData\SMA1000\ngsetup.log

OnDemand Tunnel agent does not install: The OnDemand Tunnel client is automatically installed and activated when a user browses to WorkPlace after authenticating in an appropriately configured realm. Typically, the OnDemand Tunnel agent operates without user intervention, providing secure, tunneled access to configured resources as long as WorkPlace is running. If the OnDemand Tunnel agent fails to install or activate, the following may explain the issue or offer a solution:

Installing OnDemand Tunnel requires administrator rights.
OnDemand Tunnel not enabled for this Workplace realm: On the main navigation menu in AMC, click Realms. The Realms page displays a list of all realms defined for the appliance. To review the settings affecting the network tunnel service for a particular realm, click the realm name. On the Communities tab of the Configure Realm page, click Edit in the Access Methods area. Ensure that the Network tunnel client checkbox is selected.
System is not supported: Ensure that the client computer’s system software is supported by the OnDemand Tunnel agent.
Browser is not supported: Ensure that the user is running a Web browser that is supported by the OnDemand Tunnel agent. See Client Components for system requirements.

Connectivity

 

Troubleshooting connectivity issues

Issue

Troubleshooting tips

Client does not connect

The OnDemand Tunnel agent starts automatically after users successfully authenticate to WorkPlace, if the community supports the OnDemand Tunnel agent.

The provisioned Connect Tunnel client requires you to activate it each time you want to begin a tunnel session. Tunnel sessions can remain active for many hours. Interrupting network connectivity for periods of more than a few seconds causes the tunnel session to end. Interruptions occur, for example, when a network cable is disconnected, a laptop is set to sleep, or the network link is so busy that it has high latencies and packet drop rates.

The following describes common failures that can prevent a Connect Tunnel client or OnDemand Tunnel agent connection from succeeding:

Appliance is unreachable: In the Connect Tunnel login dialog box, click Properties. In the Properties dialog box, under Login group, click Change. If the appliance is reachable over the network, the Select or enter your login box will be populated with a list of available realms. If the appliance is not reachable, after a few moments you will see an error message that reads “The remote network connection has timed out.”
Incorrect appliance address specified: In the Connect login dialog box, click Properties. In the Properties dialog box, ensure that the Host name or IP address of your VPN is correct. If a host name is entered instead of an IP address, ensure that the client can resolve the host name, and that the host name corresponds to the IP address of the appliance’s external interface.
Appliance is not running: Ensure that the appliance is running.
Invalid realm for user name: Ensure that a valid realm is configured for the user.
Authentication failure: Ensure that the user has specified the correct authentication credentials.
Client service failure: Retrieve the client log (ngsetup.log), and send the log file to SonicWall for analysis along with a description of the situation.
Personal firewall is not permitting tunnel traffic: Ensure that the user’s firewall is configured to allow connections to the appliance’s FQDN or IP address.

Client connects, but cannot access a resource

When a tunnel is established, an icon representing that tunnel appears in the taskbar notification area. At this point the client computer has access to all configured resources the appliance can reach and for which the user is authorized. If the client cannot reach a resource, the following may explain the issue or offer a solution:

Resource not defined: Ensure that the correct resource is defined in AMC.
User not authorized to access resource: In AMC, review access control rules, and realm and community assignments, to ensure that the user is allowed to access the resource.
Appliance routing cannot reach resource: Ensure that there isn’t a general networking problem between the appliance and back-end resources.
Server software failure: Note the time of the failure, determine whether the network tunnel service is functioning properly, and gather further troubleshooting information if necessary.

Client connects, but disconnects unexpectedly

Once connected, a Connect Tunnel or OnDemand Tunnel connection should remain active for many hours. However, the tunnel can end prematurely for several reasons. If a tunnel connection disconnects unexpectedly, the following may explain the issue or offer a solution:

Tunnel that was left idle timed out: To conserve appliance resources, idle tunnels can disconnect after an extended period of time.
Administrator stopped or restarted the network tunnel service: Normal configuration operations using AMC should not affect established tunnels; they continue to operate under the configuration that was in effect when they were established. However, configuration changes that affect basic appliance networking will cause existing tunnels to drop or hang, possibly requiring a disconnect at the client to recover.
With the network tunnel service logs set to Info level or higher, the message, Reset Internal Interface and Addressing Information, appears in the log any time the network tunnel service is stopped; in addition, the message, Internal Interface eth0 Address n.n.n.n Netmask n.n.n.n BCastAddr n.n.n.n Subnet n.n.n.n (with appropriate IP addressing values), appears any time the service is started from a stopped condition. In the ngutil log, the text, The server is shutting down, identifies this situation.
Internetwork carrying tunnel became unresponsive or unreliable: When traffic fills the available bandwidth on any hop between the client and the appliance, packets wait on queues in the end-point TCP stack or in intermediate routers. When queues fill, packets are dropped.
The network tunnel service carries traffic over a TCP SSL connection. TCP is designed to accept network unreliability by delivering traffic only when it is in sequence, it can be verified, and it is available. TCP implementations can drop connections when ACK responses are not returned soon enough; this is true of the Windows TCP implementation. After the connection drops, the tunnel client’s normal behavior is to attempt to resume the connection transparently for 20 seconds. If congestion caused the drop, resumption is likely to fail, and the user sees the tunnel terminate.
Cluster failover occurred, and client’s resumption failed: In a cluster configuration, when an active node fails over to the standby node, client connections are preserved by the client tunnel resumption mechanism. Clients will continue tunnel resumption attempts for 20 seconds, and then give up; if the failover is not complete within this time the tunnel connection is dropped. On orderly termination the client does not attempt resumption, so all tunnel connections are dropped.
In addition, a new client connection initiated after failover, but during the period in which tunnel clients are attempting resumption, might be assigned an address that an existing client is trying to resume using. Several characteristics of address assignment make this case unlikely, but if it occurs the resuming client’s tunnel is dropped.


Client service failure: Failure of the client service software can cause the tunnel to drop, and an error dialog box to appear. Retrieve the client log, send the log file to SonicWall for analysis along with a description of the situation, and then restart the service.
Server software failure: Failure of the appliance tunnel software generally causes a spontaneous reboot of the appliance, or possibly an indefinite hang.
In the reboot case, a crash dump appears in a numbered directory in /var/log/dump; retrieve and analyze this information.
If the appliance hangs without rebooting, the crash dump may have succeeded before the hang; reboot the appliance and check /var/log/dump for a new crash dump, and then retrieve and analyze this information. You may need to reproduce the circumstances that led to the crash.

General server problems

Tunnel problems typically show up at the client first. Many possible problems can be identified only by an administrator in AMC or, sometimes, at an SSH console or the system serial console. For more information, see General Networking Issues.

Network tunnel service is not running

At the serial console or in an SSH session, type:

cat /var/avt/vpn/status

If the network tunnel service is configured and running, client virtual address range information will appear. Otherwise, nothing will appear except another shell prompt. The following items can help you determine why the network tunnel service is not running.

License invalid or expired: If your appliance license is invalid, AMC displays a license warning in the top-right corner of every AMC page after login. You may need to contact SonicWall to resolve licensing issues.
Stopped in AMC or from console prompt: In the Network Tunnel Service area of the AMC Services page, you can stop the network tunnel service indefinitely, and you can view information that indicates whether the service has been stopped.
Service unconfigured, or incorrectly configured: The network tunnel service must be configured with virtual addresses and related information for assignment to clients. If tunnel service configuration is incomplete, the service will not run.
Server software failure: A failure of a userspace network tunnel service component will generally cause the failed component to restart. There may be helpful information in the log or in a corefile in /var/log/core. Serious failure of a kernel component will likely result in a crash dump.
Cluster issues: Clustered appliances must be able to communicate over their cluster interfaces. If they cannot communicate reliably, both nodes in the pair may attempt to provide service, resulting in failures, or both nodes may be on standby, so that neither is providing service.

OnDemand Issues

This section describes how to troubleshoot issues with OnDemand (port-mapped).

Topics:  

General OnDemand Issues

If OnDemand fails to work properly, perform the following diagnostics.

Testing OnDemand

Test OnDemand by connecting to the appropriate URLs to start the applet, and then running the supported applications.

When testing, make sure that:

OnDemand can communicate with required network access services.
Web proxy service authentication and access control are working.
OnDemand automatically redirects connections properly.
OnDemand creates connections for each configured application.
OnDemand starts any thin-client applications that are configured to start automatically.

Viewing OnDemand Log Files

For users running Windows, OnDemand creates a log file when it starts that contains troubleshooting messages. The log files are saved here:

%SystemDrive%\Documents and Settings\All Users\Application Data\SMA1000\Logfiles\
%SystemDrive%\Documents and Settings\<username>\Application Data\SMA1000\Logfiles\

(On those Windows versions these are the same folders as %ALLUSERSPROFILE%\Application Data\ and %APPDATA%\; the Documents and Settings tree sits at the root of the system drive, not under %SystemRoot%.)

Detecting the JRE Version

If OnDemand is not working properly, ensure that the user is running a version of the Java Runtime Environment (JRE) that is supported by OnDemand; see Client Components for system requirements. In addition, make sure the user has enabled Java in the browser; see Enabling Java in the Browser.

To detect the JRE version running on a client computer:
Internet Explorer for Windows: Open the browser’s Java Console to view information about your JRE; see Viewing the Java Console.
Browsers for Mac OS X: In the Applications folder, open the Utilities folder, and then open the Java folder. Run the Java Plugin Settings program, and then click About in the menu to see information about the version you are running.
NOTE: Some versions of Windows may not include a JRE; in this case, you see an error message (jview.exe must exist in \path or you need to set JAVA_HOME). If you see this message, but you know that you have a JRE on your Windows computer, set the path to the JRE directory as JAVA_HOME in the Environment Variables dialog; see Windows Help for information. Otherwise, you must either install a JRE on your Windows computer or use a different computer.

Enabling Java in the Browser

Java must be enabled in the user’s browser for the OnDemand applet to run. In Internet Explorer, Java is enabled by default. If OnDemand doesn’t run, and you suspect the defaults have been changed, re-enable Java as described in the browser’s documentation.

Viewing the Java Console

If the OnDemand applet doesn’t start, the Java Console might offer an explanation. Have your user follow the steps appropriate for his or her machine:

Viewing the Java console: Windows—Sun JRE users
1
Users who are running the Sun Java Runtime Environment can access the Java Console by right-clicking the Sun Java icon in the taskbar notification area.
2
Click Open Console.
Viewing the Java console: Internet Explorer for Windows
1
Click Tools > Internet Options, and then click the Advanced tab.
2
Under Microsoft VM, select the Java Console enabled and Java logging enabled checkboxes, and then click OK.
3
Close the browser and then reopen it.
4
Click Java Console on the View menu.
Viewing the Java console: Mac OS X
1
In the Applications folder, open the Utilities folder.
2
In the Java folder, run the Java Plugin Settings program.
3
In the Java Plug-in Control Panel, click Use Java console on the General page.

Specific OnDemand Issues

This section describes some troubleshooting tips for specific situations you may encounter when using OnDemand.

 

Troubleshooting specific OnDemand issues

Issue

Troubleshooting tip

OnDemand does not start

On the computer on which you are trying to start OnDemand, verify that Java and JavaScript are enabled in the Web browser.

If Java is enabled in the browser, also verify that the browser is using a version of the Java Runtime Environment (JRE) that is supported by OnDemand; see Client Components for system requirements.

If both of these options are enabled, and OnDemand still doesn’t start, open the Java Console on the user’s computer to see Java messages. If the problem requires a call to SonicWall Technical Support, you’ll be asked about these messages; see Viewing the Java Console.

An application does not run correctly over OnDemand

Have the user check the OnDemand Details page and verify whether the application name is active or inactive. Problems can occur when more than one application is configured to use the same local IP address and port. To see more details about the problem, ask the user to copy the log messages from the OnDemand Details page and email them to you.

OnDemand is installed but not activated

If both ActiveX and UAC (User Account Control) are disabled on a client computer running Vista SP1, OnDemand can be installed but fails to activate unless Java is configured to keep a cache of temporary files on the local computer. To select the cache setting, go to the Control Panel and open the Java Control panel. In the Temporary Internet Files area, click Settings, and then select Keep temporary files on my computer.

The server-certificate Accept button is unavailable

Under some circumstances, OnDemand may present the user with a server certificate that he or she cannot accept. If the Accept button on the certificate page is unavailable, OnDemand detects a problem with the server certificate. The most common causes of this problem are:

Date/time mismatches between client computer and server. Verify that the client computer and the Web proxy service have the correct date and time.
The certificate has expired or is not yet valid.
The certificate information does not match the server information.
The certificate chain is invalid.

Client Troubleshooting

This section provides client troubleshooting information for Windows, Mac, and Linux clients.

Topics:  

Windows Client Troubleshooting

The Secure Mobile Access installer software can be loaded on a user's computer by Java or by ActiveX. Start by resetting the browser and Java settings as described below. If that does not resolve the problem and you want to remove this installer, as well as all the other Secure Mobile Access software components, follow the steps in Uninstalling Secure Mobile Access Components.

Resetting Browser and Java Settings

Follow these steps to reset browser and Java settings. Where applicable, the instructions for Internet Explorer, Google Chrome, and Mozilla Firefox are given:

Clear Cookies and Cache
To clear browser cookies and cache in Internet Explorer:
1
Click Tools > Internet Options.
2
Click Delete Files and Delete Cookies.
To clear browser cookies and cache in Mozilla Firefox:
1
Click Tools > Clear Private Data.
2
Select at least these three checkboxes:
Cookies
Cache
Authenticated Sessions
3
Click Clear Private Data Now.
To clear browser cookies and cache in Google Chrome:
1
Click Tools > Clear browsing data.
2
Select at least these checkboxes:
Delete cookies and other site and plug-in data
Empty the cache
3
Click Clear browsing data.
Reset Security Zones to Defaults
To reset the security level for all Web content zones in Internet Explorer:
1
Click Tools > Internet Options > Security tab.
2
Highlight a Web content zone (for example, Internet), and then click the Default Level button. Do this for each zone.
Reset Advanced Settings to Defaults
To reset advanced Internet Explorer settings:
1
Click Tools > Internet Options > Advanced tab.
2
Click the Restore Defaults button.
Reset Privacy Settings to Defaults
To reset Internet Explorer privacy settings:
1
Click Tools > Internet Options > Privacy tab.
2
Click the Default button.
Clear your Java Cache
To clear the Java Cache on your Windows system:
1
In the Control Panel, double-click Java.
2
Click the Delete Files button.
3
Make sure that all three types of temporary files are selected for deletion, and then click OK.
Enable your Java Cache

By default, Java is configured to keep a cache of temporary files on the local computer. If you are using Java for remote access through an SMA appliance, make sure that this cache is enabled:

1
In the Windows Control Panel, open Java.
2
In the Java control panel, click Settings in the Temporary Internet Files area.
3
Select Keep temporary files on my computer.

Uninstalling Secure Mobile Access Components

To uninstall all Secure Mobile Access files:
1
Reboot your computer. This ensures that no files are loaded in memory and makes the uninstall easier.
2
Remove all Secure Mobile Access components:
a
In Windows Explorer, browse to %WINDIR%\Downloaded Program Files\.
b
Right-click the Secure Mobile Access Installer file, and select Remove.
c
Uninstall the Secure Mobile Access VPN Software. You are prompted to reboot your computer, but you don’t need to do so until the final step in this procedure.
d
In the Control Panel, open Add/Remove Programs.
e
Remove each Secure Mobile Access component.
3
The Secure Mobile Access software may have been installed using either ActiveX or Java (if you’re not sure, follow both sets of instructions):

ActiveX

If you have already done Step b, you can skip to the steps for Java.

a
In Windows Explorer, browse to %WINDIR%\Downloaded Program Files\.
b
Right-click on the Secure Mobile Access Installer file, select Remove, and then click OK.
c
Uninstall the Secure Mobile Access VPN Software. You are prompted to reboot your computer, but you don’t need to do so until the final step in this procedure.

Java

a
In Windows Explorer, browse to %HOMEPATH%\Application Data\Aventail\EP\.
b
Double-click uninstall_ep.exe.
c
Uninstall the Secure Mobile Access VPN Software. You are prompted to reboot your computer, but you don’t need to do so until the final step in this procedure.
4
In Windows Explorer, browse to %HOMEPATH%\Application Data\, right-click on the Aventail folder, and then select Delete.
5
Reboot the computer.

Logging Back In to WorkPlace

Log back in to WorkPlace, install Secure Endpoint Manager, and let the Secure Mobile Access components load.

If something goes wrong during client or agent installation, the error is recorded in a client installation log. This log is automatically uploaded to the appliance and listed in AMC if Secure Endpoint Manager is installed. Users who do not have Secure Endpoint Manager are prompted to upload the log file to the appliance when an installation error occurs.

To obtain additional log files:
1
Browse to %HOMEPATH%\Application Data\.
2
You should see a folder named Aventail: zip the folder contents up, and email it to SonicWall Technical Support.
3
Browse to %ALLUSERSPROFILE%\Application Data\.
4
You should see a folder named Aventail: zip the folder contents up, and email it to SonicWall Technical Support.
5
Open a command prompt window (click Start > Run, type cmd, and then press Enter).
6
In the command prompt window, type ngutil -all > ngutil.txt.
7
Email the ngutil.txt file to SonicWall Technical Support.
8
Click Start > Run, type msinfo32, and then press Enter.
9
Highlight System Summary, and then select File > Export. Email the exported file to SonicWall Technical Support.

Macintosh and Linux Tunnel Client Troubleshooting

When troubleshooting Macintosh and Linux tunnel client problems, request the system and version information described in this section from your users. Before gathering this information, users should uninstall and re-install the software.

Topics:  

Macintosh System and Application Information

Have users specify the information listed in Macintosh system and application information.

 

Macintosh system and application information

System information

How to find it

Operating system

Select About this Mac from the Apple menu.

hostinfo command

Open the Terminal application (in the Applications > Utilities folder) and type hostinfo. This displays processor and kernel information, along with the amount of available memory.

OpenSSL

Open the Terminal application (in the Applications > Utilities folder) and type the following to display information about OpenSSL:

openssl version

Safari browser

Select About Safari from the Safari menu.

Java Virtual Machine (JVM)

1
In the Applications folder, open the Utilities folder.
2
In the Java folder, run the Java Plugin Settings program.
3
In the Java Plug-in Control Panel, click Use Java console on the General page.

System Profiler

1
Select About this Mac from the Apple menu.
2
Click More Info to open the System Profiler. The profiler displays detailed information about the computer’s hardware and installed software. The complete report (if you choose to print it) can easily be over 100 pages long.

When you start Connect Tunnel, make sure that the log files /var/log/AvConnect.log and /var/log/AventailConnectUI.log are set to collect debugging information. You can enable debug mode in the Connect client itself, or go to a command prompt, and type the following:

/Applications/AventailConnect.app/Contents/MacOS/startct.sh -d

Linux System and Application Information

Have your users enable debug logging and clear the current set of logs before attempting to reproduce an issue. Once the issue is reproduced, export the logs to SonicWall Support.

Use the Enable Debug Logging checkbox, Clear Logs button, and Export Logs button on the General tab of the client to perform these functions.

Troubleshooting Tools in AMC

You can monitor, troubleshoot or terminate sessions on your appliance, filtering them by user name, realm (authentication server), community, access agent, traffic load, and so on—and then get a quick summary of particular sessions. Several basic network tools are also available, including ping, traceroute, DNS lookup, a routing table viewer, and a way to capture and filter network traces for backend connectivity troubleshooting.

Topics:  

Using DNS Lookup

You can use AMC’s Lookup tool to determine how DNS is resolving an IP address or a host name. This tool is useful for troubleshooting various DNS problems (for example, it can determine whether your DNS server is running).

Use a fully qualified domain name or an IP address to specify a host in the Lookup tool. However, you can type a non-qualified host name as long as you have defined one or more default search domains on the Configure Name Resolution page (available from the Network Settings page in AMC). For details on name resolution, see Configuring Name Resolution.

To determine how DNS is resolving an IP address or host name:
1
From the main navigation menu, click Troubleshooting.
2
Click the Lookup tab.

3
In the Address field, type the IP address or host name of the machine against which you want to issue the command.
4
Click Go.

Viewing the Current Routing Table

You can view the current routing table from within AMC.

To view the current routing table:
1
From the main navigation menu, click Troubleshooting.
2
Click the Routes tab.
3
Click Go. The routing table is displayed.

Capturing Network Traffic

This network traffic utility, which is based on tcpdump, allows you to capture a packet-by-packet list of the data going in and out of the appliance. If you are new to troubleshooting, you can use this utility to generate a file of network traffic data that can be sent to Technical Support for troubleshooting network issues. If you are familiar with troubleshooting and reading trace files, you can analyze the traffic using a network protocol analyzer, such as Wireshark.

Capturing all network traffic on your appliance can quickly result in files that are too unwieldy to analyze. Where possible, use filters to restrict the traffic to issues you are troubleshooting.

The following sample procedure demonstrates how to filter by host and port (in this example, an Exchange server and Web traffic).

To filter and capture network traffic to a file on the appliance:
1
From the main navigation menu, click Troubleshooting.
2
Click the Network Traffic tab.

3
To restrict the capture to traffic coming from or going to your Exchange server, enter the server’s fully qualified domain name or IPv4 or IPv6 address in the These hosts field. For example, exchange.mycompany.com.
4
To make sure that you are capturing only the HTTP traffic, select Web (HTTP or HTTP/S) from the Common ports list; only traffic to and from the HTTP and HTTPS ports (80, 443, 8080, and 8443) will be captured.
5
Click Start to begin capturing traffic. The size limit for a single capture is 500 MB of raw data; when the size of a capture file reaches 100 MB, it “rolls over” into a separate file (large files are difficult to process with packet analysis tools such as Wireshark). If the total size of a single capture reaches 500 MB (five files of 100 MB each), the capture automatically stops. During a capture, the Size column indicates how close you are to the limit.
6
Click Stop to stop capturing traffic. The capture file is a .zip file that is stored on the appliance and listed here. (The figure in the Size column indicates how much room the file is using on the appliance; this is the size of the compressed .zip file, not the raw data.) The maximum number of files you can store is ten; as more capture files are added, the oldest ones are dropped from the list.
7
To download captured data, click the button corresponding to the file you want to analyze or send to Technical Support, and then click Download. Each capture file is a .zip file containing the captured network traffic (for example, eth0.cap) and a readme text file outlining what filters were used, if any, and when the data was captured.
Comment: Internal interface, hosts: exchange.mycompany.com, selected ports
Internal interface (eth0): enabled
External interface (eth1): disabled
Protocol: <All>
Hosts: exchange.mycompany.com
Ports: 80,443, 8080, 8443
Start time: Wed Aug 15 2007 17:56:52 GMT
Stop time: Wed Aug 15 2007 17:58:31 GMT
NOTE: Captured network traffic is not encrypted and may contain passwords and other sensitive information. If you have security concerns about storing a downloaded capture or sending it over an unsecured Internet connection, use Snapshot Tool in AMC instead. You can make a partial snapshot that includes only network captures, and then choose to encrypt the results. See Snapshot Tool for more information.

You can capture network traffic on either of the appliances in a high-availability pair (the master node or the slave node).
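The capture described in this procedure can also be run from an SSH session with tcpdump itself, which is useful when AMC is unavailable or when you need a filter the page does not offer. The script below is an added example, not part of the guide or of the appliance's own tooling: it builds the same host-and-port BPF filter AMC builds, applies AMC's 100 MB rollover, and encrypts the result before it leaves the appliance. It assumes tcpdump and gpg are on the PATH and that it is run as root; the interface name, host name, ports, and output paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the guide: reproduce the AMC "Network Traffic" capture
# from a shell. Assumes tcpdump and gpg are on PATH and that it runs as root.
# Interface, host names, ports and output paths are illustrative.

# Turn a space-separated host list and port list into one BPF expression.
# An empty list means "any": no hosts -> any host, no ports -> any port.
build_filter() {
    hosts=$1
    ports=$2
    hexpr=""
    pexpr=""
    for h in $hosts; do
        hexpr="${hexpr:+$hexpr or }host $h"
    done
    for p in $ports; do
        pexpr="${pexpr:+$pexpr or }port $p"
    done
    if [ -n "$hexpr" ] && [ -n "$pexpr" ]; then
        printf '(%s) and (%s)\n' "$hexpr" "$pexpr"
    else
        printf '%s\n' "$hexpr$pexpr"
    fi
}

# Capture on one interface with AMC's rollover policy: 100 MB per file, five
# files. tcpdump -W keeps a ring of five files and overwrites the oldest, so
# unlike AMC it does not stop at 500 MB; add -c <packets> if you need a hard
# stop. -s 0 keeps whole packets; -n avoids DNS lookups that would otherwise
# appear in the capture themselves.
capture() {
    iface=$1
    filter=$2
    outfile=$3
    tcpdump -i "$iface" -n -s 0 -C 100 -W 5 -w "$outfile" "$filter"
}

# Record what was captured, in the shape of the readme AMC writes.
write_readme() {
    printf 'Interface: %s\nHosts: %s\nPorts: %s\nStart time: %s\nStop time: %s\n' \
        "$1" "${2:-<All>}" "${3:-<All>}" "$4" "$5"
}

HOSTS="exchange.mycompany.com"
PORTS="80 443 8080 8443"
FILTER=$(build_filter "$HOSTS" "$PORTS")
printf 'BPF filter: %s\n' "$FILTER"

# The capture itself runs only when asked for explicitly (sh capture.sh run),
# so that sourcing this file to reuse build_filter is harmless.
if [ "${1:-}" = "run" ]; then
    START=$(date -u)
    capture eth0 "$FILTER" /tmp/eth0.cap      # Ctrl-C to stop
    write_readme eth0 "$HOSTS" "$PORTS" "$START" "$(date -u)" > /tmp/readme.txt
    # Captures are cleartext and may contain passwords: encrypt them before
    # they leave the appliance, and remove the plaintext files afterwards.
    tar cf - /tmp/eth0.cap* /tmp/readme.txt | gpg --symmetric --cipher-algo AES256 -o /tmp/capture.tar.gpg
    rm -f /tmp/eth0.cap* /tmp/readme.txt
fi
```

Inspect a rolled file with tcpdump -r /tmp/eth0.cap0 or open it in Wireshark; the string build_filter produces is also valid as a Wireshark capture filter. The symmetric passphrase should travel to Technical Support the same way the Snapshot Tool password does, never alongside the archive.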

Logging Tools for Network Tunnel Clients

To capture a session during which a user is running either of the network tunnel clients, have users follow these steps and email you the results. The Windows procedure differs from the one for Macintosh and Linux users.

To run ngutil on a Windows client computer:
1
Go to a command prompt: click Start > Run, and then type cmd in the Open field; if you are using Windows Vista, click Start, and then type cmd in the Start Search field.
2
At the command prompt, clear the event log and set the severity level by typing the following command:
ngutil -reset -severity=debug
3
Start the network tunnel client and perform any actions the system administrator wants captured in the log.
4
At the command prompt, type ngutil > log.txt to write the buffered log messages to a file named log.txt in the current directory.
5
Send the log.txt file to the administrator.
6
Alternatively, you can run ngutil -poll to see real-time logging on the client computer. (Press Ctrl-C to stop logging.)
NOTE: You can also have users type the command ngutil -tail=1000 > client-log.txt; this sends the most recent 1000 lines in the client log to a file named client-log.txt in plain text.

For more information on the syntax for the ngutil command, type ngutil -help at the command prompt.

To save session information on a client computer (Macintosh or Linux):
1
Start the network tunnel client and perform any actions the system administrator wants captured in the log.
2
On the client device, locate the files AvConnect.log and AvConnectUI.log and send them to the administrator.

Using CEM Extensions

SonicWall Technical Support may ask you to use Secure Mobile Access Configuration Extension Mechanism (CEM) advanced URL extensions. These CEM extensions are used to access advanced AMC pages and should only be used when instructed to do so by Technical Support.

Contact SonicWall Support at https://support.sonicwall.com/.

CEM Advanced Features

The Configuration Extension Mechanism (CEM) is a generic mechanism to allow simple configuration to be done for features that appear in maintenance releases or hotfixes. The CEM page allows the configuration of arbitrary key-value pairs for enabling advanced functionality. These key-value pairs are read from the extension config file by each service that has a patch generated for it (custom drop, hotfix, or maintenance release).

Advanced features should be used only under SonicWall Support supervision. Contact SonicWall Support for additional instructions.

Ping Command

Use the ping command to verify a network connection. When you issue the ping command, it sends an ICMP ECHO_REQUEST packet to a target host and waits to see if the host answers.

To issue a ping command:
1
From the main navigation menu, click Troubleshooting.
2
In the Address field on the Ping page, type the IPv4 or IPv6 address or host name of the machine you want to ping.
3
Click Go. AMC issues the ping command. After about five seconds, the results appear in the large box at the bottom of the page. If the ping command cannot reach the host, it returns results resembling the following:

Traceroute Command

Use the traceroute command to see the sequence of gateways through which an IP packet travels to reach its destination. This can help you find a network failure point.

To issue a traceroute
1
From the main navigation menu, click Troubleshooting.

2
In the Address field on the Ping page, type the IP address or host name of the machine against which you want to issue the traceroute command.
3
Select the Use traceroute checkbox.
4
Click Go. Traceroute returns a list of hosts, starting with the first gateway and ending with the destination.

Snapshot Tool

A snapshot of your configuration can help SonicWall Technical Support or other IT professionals diagnose any problems you are having with the appliance. This file, especially if it includes core dump files, can be quite large (the File Download dialog in the final step will tell you how large).

To save a configuration snapshot:
1
From the main navigation menu, click Troubleshooting.
2
Click the Snapshot tab.

3
Select a full or partial snapshot.
4
Specify whether you will include all system logs, or just the four most recent ones.
5
Click Save snapshot. The files are saved in a compressed tar archive named snapshot.tgz.
6
If you plan to send the file to SonicWall Technical Support, you should select Encrypt file to keep sensitive information secure. Technical Support will need the password you assigned to this archive so that they can decrypt the file. Make sure you send it in such a way that it meets your internal security requirements (over the phone or by secure email, for example).
7
Click the Download link to save the compressed file locally.

Best Practices for Securing the Appliance

Network Configuration

You can configure most of the settings in the following list of best practices on the Network Settings and Services pages in AMC:

Configure the Appliance to Use Dual Interfaces

The appliance optimizes firewall settings when it is configured with both an external and internal interface. Services are split between the interfaces so that management services, such as the AMC, listen only internally. Public services, such as the Secure Mobile Access access services, listen only externally.

Configure the Appliance to Use Dual Network Gateways

Dual network gateways allow you to leverage your existing network routers, which means less overhead for the appliance administrator, and provide a more manageable network configuration as your network grows and evolves.

Protect both Appliance Interfaces with Firewalls

Allow traffic from the Internet only on ports 80 and 443.
Give the appliance access to only the necessary resources on the customer network.
Allow only trusted IP addresses from the customer network to access AMC.

Enable Strict IP Address Restrictions for the SSH Service

If both network interfaces are enabled, Secure Shell (SSH) listens on both interfaces. Be sure to restrict SSH service access to the IP addresses of trusted management workstations or, at a minimum, the address range of the internal network.

Enable Strict IP Address Restrictions for the SNMP Service

If both network interfaces are enabled, Simple Network Management Protocol (SNMP) listens on both interfaces. Restrict SNMP service access to the IP addresses of trusted management workstations or, at a minimum, the address range of the internal network.

Use a Secure Passphrase for the SNMP Community String

By default, the SNMP configuration in AMC sets the string your network management tool uses to query the SMA appliance (the Community string field) to public. Be sure to change this to a secure passphrase. Note that SNMPv1 and SNMPv2c send the community string in the clear, so it is only a weak secret; the IP address restrictions described above remain essential.

Disable or Suppress ICMP Traffic

If both network interfaces are enabled, enabling Internet Control Message Protocol (ICMP) makes it possible for someone to discover the appliance from the Internet. The most secure approach is to disable ICMP. If you do enable ICMP, you should suppress ICMP Echo Request traffic using a firewall or other network device.

Use an NTP Server

Synchronize with an external Network Time Protocol (NTP) server to ensure accurate timestamps in the system logs, and to ensure that time-based security checks—such as password and certificate expiration—occur properly.

Protect the Server Certificate that the Appliance is Configured to Use

Don’t leave the appliance’s server certificate and its private key where others can access them, and always make sure the private key is stored encrypted with a strong password. The certificate itself is public and tells anyone who reads it which host it belongs to; the private key is what matters, because an attacker who obtains it can impersonate the appliance to clients and decrypt captured sessions that were negotiated without forward secrecy.

Appliance Configuration

You can configure most of the settings in the following list of best practices on the Maintenance page in AMC.

Keep the software image on the appliance updated

Use the Update page to apply hotfixes and upgrade files promptly because they often contain security fixes.

Make regular configuration backups

Periodically back up your current configuration using one of these methods in AMC:

The Export option on the Import/Export page; see Exporting the Current Configuration to a Local Machine.
If you prefer, you can save the backup to your appliance; see Saving the Current Configuration on the Appliance.

Appliance Sessions

Your AMC session automatically times out after 15 minutes of inactivity (the length of the timeout period is not configurable). To end an AMC session, click Log out in the top-right corner of AMC. (If you terminate a session by closing your Web browser instead, the session is listed as logged in until it times out 15 minutes later.)

There is an exception to this rule on the following pages, which both include an Auto-refresh setting:

 

AMC session exception

AMC page                 Default auto-refresh setting
System Status            1 min.
Logging > View Logs      1 min.

When Auto-refresh is set to any time interval other than Off while one of these pages is displayed, the refresh activity prevents the AMC session from automatically timing out after 15 minutes. This means that if you leave AMC unattended while one of these pages is displayed and in auto-refresh mode, AMC will not time out. A good security practice is to switch to another page in AMC when you are done viewing system status or logs.

Administrator Accounts

To configure administrator accounts, click General Settings in the main AMC navigation menu, and then click Edit in the Administrators area.

Use a Strong Password

Your password should be at least eight characters long and should contain punctuation characters, a combination of uppercase and lowercase letters, and numbers.

Change the AMC Administrator Password

The AMC administrator password is set to the same value as the root password during the initial installation, and the two remain linked: if the password for the primary administrator (whose username is admin) is changed, the password for logging in to the appliance directly (as root) is also changed. Change the password from its installation value. It is transmitted only inside an SSL tunnel between the Web browser and the AMC server, but it is also the credential for direct root access to the appliance, so treat it accordingly.

Change Administrator Passwords often and don’t Share Them

It is good practice not to share passwords with anyone unless necessary. If you need to enable access for other administrators, create individual administrative accounts. One person should own the administrator account, and the password should be kept in escrow or some other safe place.

Limit the Number of Administrative Accounts and Assign Administrative Privileges only to Trusted Individuals

Restrict the access of secondary administrators. AMC’s role-based administration enables the primary administrator to grant limited administrative control to secondary AMC administrators. For more information, see Defining Administrator Roles.

Access Policy

To create, edit, or reorder access rules, click Access Control in the main AMC navigation menu. Use the following guidelines when you create rules:

Follow the Principle of “Least Privilege”

The most secure approach to policy design is to specifically list the resources to which you want to permit access. Anything not accounted for in the “permit” rules is denied by the appliance. This approach follows one of the fundamental design principles of computer security: that access rights should be explicitly required, rather than given to users by default.

An alternate approach is to create “deny” rules for restricted resources and end the list with a rule that permits everything else. Here, anything not accounted for in the “deny” rules is accessible once that final “permit” rule is processed. This method may be easier to set up, but is more error-prone and thus not as secure.

Of course, you can also use a combination of permit and deny rules. In this case, users are permitted access to some resources, but denied access to others.

Pay Close Attention to Rule Order

Because the appliance processes your access control rules sequentially, the order in which you organize them has great significance in terms of whether access is permitted or denied. The appliance stops reading the rules as soon as it finds a match. Carefully review your security policy settings to avoid inadvertently placing rules in the wrong order.

Put your Most Specific Rules at the Top of the List

Putting broader rules that grant more permissions at the top of the list may cause the appliance to find a match before it has a chance to process your more restrictive rules. As a general rule, it is best to put your most specific rules at the top of the list.

Carefully Audit Rules Containing “Any”

If you create a rule that does not restrict access to a particular user or destination resource, the word “any” appears in the access control list.

Carefully consider the impact of “any” in your policy rules. For a “permit” rule, too many criteria that apply to “any” could expose a security hole. On the other hand, too many “deny” rules for “any” could unnecessarily restrict network access.
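The guidelines above (default deny, first match wins, most specific rules first, audit “any”) can be checked mechanically before a policy goes live. The Python script below is an added example, not code from this guide or from the appliance; the rule model, the group and resource names, and the two sample policies are hypothetical. It evaluates a request against an ordered rule list the way the guide describes, reports rules that an earlier, broader rule shadows, and lists permit rules that apply to “any” user and “any” destination.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple

ANY = "any"   # the word AMC shows for a rule with no user or destination restriction


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    users: FrozenSet[str]          # user or group names, or {ANY}
    destinations: FrozenSet[str]   # resource names, or {ANY}


def rule(name, action, users, destinations):
    return Rule(name, action, frozenset(users), frozenset(destinations))


def matches(r: Rule, user: str, groups: FrozenSet[str], destination: str) -> bool:
    user_ok = ANY in r.users or user in r.users or bool(r.users & groups)
    dest_ok = ANY in r.destinations or destination in r.destinations
    return user_ok and dest_ok


def decide(rules: Sequence[Rule], user, groups, destination) -> Tuple[str, str]:
    """First match wins, as on the appliance; a request no rule accounts for is denied."""
    for r in rules:
        if matches(r, user, frozenset(groups), destination):
            return r.action, r.name
    return "deny", "<implicit default deny>"


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every request 'narrow' could match is already matched by 'broad'.
    Group membership is not expanded, so this is a conservative name-level check."""
    users_ok = ANY in broad.users or narrow.users <= broad.users
    dests_ok = ANY in broad.destinations or narrow.destinations <= broad.destinations
    return users_ok and dests_ok


def shadowed_rules(rules: Sequence[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule covers them:
    the 'broad rule at the top of the list' mistake the guide warns about."""
    out = []
    for i, later in enumerate(rules):
        if any(covers(earlier, later) for earlier in rules[:i]):
            out.append(later.name)
    return out


def permit_any_rules(rules: Sequence[Rule]) -> List[str]:
    """Permit rules that apply to 'any' user AND 'any' destination: audit these first."""
    return [r.name for r in rules
            if r.action == "permit" and ANY in r.users and ANY in r.destinations]


# Constructed policies; group names and resources are hypothetical.
MISORDERED = [
    rule("catch-all", "permit", {ANY}, {ANY}),                         # broad rule on top
    rule("block-contractors-hr", "deny", {"contractors"}, {"hr-app"}),
    rule("hr-staff-to-hr", "permit", {"hr"}, {"hr-app"}),
]
LEAST_PRIVILEGE = [
    rule("block-contractors-hr", "deny", {"contractors"}, {"hr-app"}),
    rule("hr-staff-to-hr", "permit", {"hr"}, {"hr-app"}),
    rule("employees-intranet", "permit", {"employees"}, {"intranet", "mail"}),
    # no catch-all: everything else falls through to the appliance's default deny
]

if __name__ == "__main__":
    for label, policy in (("misordered", MISORDERED), ("least-privilege", LEAST_PRIVILEGE)):
        print(label, decide(policy, "bob", {"contractors"}, "hr-app"),
              "shadowed:", shadowed_rules(policy), "permit-any:", permit_any_rules(policy))
```

With the misordered policy the contractor reaches hr-app through the catch-all rule and both specific rules are reported as shadowed; with the least-privilege ordering the same request is denied by the specific rule, and a plain employee asking for hr-app is denied by the default.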

Set Up Zones of Trust

You can define “zones of trust” that provide different levels of access depending on the level of trust at the user’s end point. Connection requests are compared against device profiles you set up in AMC and are then assigned to the appropriate zone. See About End Point Control for more information.

To set up zones of trust:
1
Set up a Deny zone. Deny zones are evaluated first. If there is a device profile match (for example, a certain file or registry key is found on the device), the user is denied access and logged out. See Creating a Deny Zone for more information.
2
Set up a Quarantine zone. A device for which there is no profile match is placed in the quarantine zone (if one has been defined). You can customize the message users see; for example, you may want to explain why the user is quarantined and what is required to bring the user’s system into compliance with your security policies. See Creating a Quarantine Zone for more information.
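As an added example (not from the guide), the Python below models the evaluation order just described: deny zones are checked first regardless of where they sit in the list, then the remaining zones, and a device that matches no profile goes to the quarantine zone. The posture markers, profile names and zone names are hypothetical, and the behaviour when no quarantine zone is defined is an assumption noted in the code.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DeviceProfile:
    name: str
    required: FrozenSet[str]   # markers that must ALL be present, e.g. a file or registry key


@dataclass(frozen=True)
class Zone:
    name: str
    kind: str                              # "deny", "standard" or "quarantine"
    profiles: Tuple[DeviceProfile, ...] = ()
    message: str = ""                      # shown to quarantined users (customizable in AMC)


def profile_matches(profile: DeviceProfile, device: FrozenSet[str]) -> bool:
    return profile.required <= device


def classify(zones: Sequence[Zone], device_markers) -> Tuple[str, str, Optional[str]]:
    """Return (zone kind, zone name, matched profile name or None).
    Order follows the guide: deny zones first, then the other zones in list order;
    a device matching nothing goes to the quarantine zone if one exists. The guide does
    not say what happens without a quarantine zone; treating that as a deny is an assumption."""
    device = frozenset(device_markers)
    ordered = [z for z in zones if z.kind == "deny"] + [z for z in zones if z.kind == "standard"]
    for zone in ordered:
        for profile in zone.profiles:
            if profile_matches(profile, device):
                return zone.kind, zone.name, profile.name
    quarantine = next((z for z in zones if z.kind == "quarantine"), None)
    if quarantine is not None:
        return "quarantine", quarantine.name, None
    return "deny", "<no quarantine zone defined>", None   # assumption, see docstring


# Constructed zones; the marker strings stand for posture facts collected on the device.
# The deny zone is deliberately listed second to show that it is still evaluated first.
ZONES = [
    Zone("Corporate laptops", "standard", (
        DeviceProfile("managed-windows",
                      frozenset({"reg:HKLM\\SOFTWARE\\Corp\\Managed", "av:running"})),
    )),
    Zone("Blocked devices", "deny", (
        DeviceProfile("prohibited-tool", frozenset({"file:C:\\Tools\\prohibited-tool.exe"})),
    )),
    Zone("Quarantine", "quarantine",
         message="Your device is not compliant; install the corporate AV client and retry."),
]

if __name__ == "__main__":
    managed = {"reg:HKLM\\SOFTWARE\\Corp\\Managed", "av:running"}
    print(classify(ZONES, managed | {"file:C:\\Tools\\prohibited-tool.exe"}))  # deny wins
    print(classify(ZONES, managed))                                           # standard zone
    print(classify(ZONES, {"av:running"}))                                    # quarantine
```

The first call shows the property that matters: a device that satisfies a permissive profile and a deny profile at the same time is denied, because deny zones are evaluated before anything else.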

Enabling SSL Ciphers

When you configure the protocols and compression settings for encrypting traffic, you can select one or more ciphers. The appliance will use these ciphers to provide the best combination of security and performance supported by the user’s Web browser. You can enable or disable the ciphers you want.

The AMC, WorkPlace, Extraweb, and Tunnel will all conform to the SSL protocols that are enabled on the Configure SSL Encryption page to enforce protocols and ciphers on connecting clients.

The AMC logs SSL connection failures if the client/browser fails to negotiate an SSL connection due to incompatible ciphers or protocols. These messages are logged at the ERROR level to help the administrator troubleshoot SSL compatibility problems.

To enable or disable the SSL ciphers you want:
1
Go to the System Configuration > SSL Settings page.

NOTE: The SSL Settings page displays a warning only when a less secure protocol or cipher is enabled.
2
Under SSL encryption, click Edit. The Configure SSL Encryption dialog appears. For a new installation, the default set of ciphers is selected under SSL ciphers.

3
Under SSL ciphers, select the ciphers that you want.

All the enabled SSL ciphers will be enforced.

Suite B Support

Suite B is a set of security algorithms or ciphers approved by the National Security Agency (NSA) for assuring the security and integrity of information passed over public networks.

Suite B comprises these cipher combinations:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Suite B for SMA appliances supports these two cipher suites and the Elliptic Curve Digital Signature Algorithm (ECDSA) certificates that they require.

When you create a new certificate signing request or a new self-signed certificate, you have the option to choose an RSA certificate or an ECDSA certificate. The configuration options are different for the different types of certificates. See Configuring the Suite B ciphers for details.

If a mismatch occurs between an enabled cipher and an installed certificate, the AMC will display a warning and prevent the configuration from being enabled.

SMA Tunnel clients and Mobile Connect clients support the Suite B ciphers.

SSH connections to the appliance negotiate their algorithms under the standard SSH negotiation rules, and the Suite B algorithms are offered there as well. (SSH names its key exchange, signature and cipher algorithms separately; the TLS cipher suite names listed above do not apply to SSH.)

The Suite B ciphers will be enabled and operational on all currently supported appliance models, including virtual appliances.
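The mismatch rule above (an ECDSA-authenticated suite cannot be served from an RSA certificate, and an RSA-authenticated suite cannot be served from an EC certificate) can be checked before touching the appliance. The Python below is an added example, not code from this guide or from AMC: it derives the certificate key type a suite needs from the suite's IANA name and reports which enabled suites would be unusable with the installed certificates. The enabled list is a constructed configuration.

```python
from typing import Dict, Iterable, List, Optional, Set

SUITE_B = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}


def required_key_type(suite: str) -> Optional[str]:
    """Derive the server certificate key type a cipher suite needs from its IANA name.
    For TLS 1.2-style names the authentication algorithm is the last token before
    '_WITH_' (ECDHE_ECDSA -> EC certificate; ECDHE_RSA, DHE_RSA, RSA -> RSA certificate).
    TLS 1.3 names (TLS_AES_...) carry no authentication algorithm and work with either."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return None
    kx_auth = suite[len("TLS_"):].split("_WITH_")[0]
    auth = kx_auth.split("_")[-1]
    return {"ECDSA": "EC", "RSA": "RSA"}.get(auth)   # PSK/anon suites: not handled here


def check_ssl_config(enabled: Iterable[str], installed_key_types: Set[str]) -> Dict[str, List[str]]:
    """Apply the consistency rule from the guide: an enabled cipher whose required
    certificate type is not installed is a mismatch that AMC warns about.
    Returns the usable suites, the mismatched suites, and the Suite B suites in force."""
    usable, mismatched = [], []
    for suite in enabled:
        need = required_key_type(suite)
        if need is None or need in installed_key_types:
            usable.append(suite)
        else:
            mismatched.append(suite)
    return {
        "usable": usable,
        "mismatched": mismatched,
        "suite_b_active": sorted(s for s in usable if s in SUITE_B),
    }


# Constructed configuration: the two Suite B suites plus one RSA-authenticated suite.
ENABLED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    print("RSA certificate only:", check_ssl_config(ENABLED, {"RSA"}))
    print("RSA and EC certificates:", check_ssl_config(ENABLED, {"RSA", "EC"}))
```

With only an RSA certificate installed, both Suite B suites are reported as mismatched and no Suite B suite is in force even though they are enabled; adding an EC certificate (Key type EC in the certificate dialog) clears the mismatch.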

Configuring the Suite B ciphers

This section describes how to enable the Suite B ciphers and select the appropriate certificates.


Enabling the Suite B Ciphers

To enable the Suite B ciphers:
1
On the SMA appliance, go to the System Configuration > SSL Settings page.
2
Under SSL Encryption click the Edit icon. The Configure SSL Encryption page appears.

3
Click the Reset to defaults button. The available ciphers are listed, and the Suite B ciphers appear at the top of the list.

4
Select the checkboxes for the ciphers you want to enable. The SSL encryption panel on the SSL Settings page is updated to show the status of the newly added ciphers.

Selecting a Certificate

To select the certificate you want:
1
On the SMA appliance, go to the System Configuration > SSL Settings page.
2
Under SSL Certificates, click the Edit icon. The SSL Certificates page appears.

3
Click the New button and select Create self-signed certificate... The Create self-signed Certificate dialog appears.

4
If you want an RSA certificate, in the Key type drop-down menu, select RSA. The default key type is RSA, unless no RSA ciphers are enabled.
5
In the Key size drop-down menu, select the size you want: 2048 bits or 3072 bits.
6
In the Signature drop-down menu, select the signature you want: SHA-384 or SHA-256.
7
If you want an ECDSA certificate, in the Key type drop-down menu, select EC.

When you select EC as the Key type, the only other option is Prime size.

8
Select the Prime size that you want: 256 bits or 384 bits.
9
To see the details for a certificate, go back to the SSL Certificates page and click the plus sign for the certificate you want to view. The details view for:
RSA certificates shows the Key size and the Signature for the certificate.
ECDSA certificates shows the Prime size and the Signature for the certificate.

Client Access

Use these features to control a user’s access to WorkPlace and resources.

Change Timeout Settings

To force users to reauthenticate within a specific length of time, set the Credential lifetime. Click General Settings in the main AMC navigation menu, and then click Edit in the Appliance options area. This setting applies to all SSL sessions. To make it also apply to the tunnel client and OnDemand proxy sessions, select Limit session length to credential lifetime on the Network Tunnel Client Settings page.

Deploy End Point Control Components

Secure Mobile Access’s End Point Control components help protect sensitive data and ensure that your network is not compromised when accessed by PCs in untrusted environments. Cache Cleaner provides an inactivity timer that terminates user connections after a specified length of time elapses without cursor or pointer movement. EPC supplements user authentication: it does not replace it.

Use Chained Authentication

For increased security, you can require Connect Tunnel users and users with Web-based access to use two different authentication methods to log in to a single realm. For example, set up RADIUS or a digital certificate as the first authentication method, and LDAP or Active Directory as the second one. See Configuring Chained Authentication for information on how to do this.

Use Strong Two-Factor Authentication Mechanisms, such as SecurID

Two-factor authentication uses two independent means—which are usually something the user has and something the user knows—to establish a user’s identity and privileges. For example, you can authenticate users by requiring a SecurID token-code (something the user has) and a password or PIN (something the user knows).

Configuring SAML Identity Providers

About Configuring SAML Identity Providers

This appendix describes how to configure Security Assertion Markup Language (SAML) Identity Providers as SMA Authentication Servers.

NOTE: The Identity Provider User Interface (UI) pages are subject to change without notice, and may differ from the UI pages used as examples in this document.

Some of the configuration procedures in this document require that you download the Identity Provider's signing certificate and install it on the appliance before you can complete the procedure. The correct certificate must be available for selection from the Trust the following certificate drop-down menu on the Configure Authentication Server dialog of the System Configuration > Authentication Servers page on the SMA appliance.

The Downloading a Certificate procedure must be done before you can complete the configuration procedures in this document. Which certificate you need is given in the configuration procedure for the specific Identity Provider (IdP). See Configuring SAML Authentication Servers.

Downloading a Certificate

This procedure must be done before you can select a certificate from the Trust the following certificate drop-down menu in the configuration procedures.

To download and install a certificate:
1
Download the certificate from the Identity Provider's application configuration page (for Azure AD, the Configure Single Sign-on at <APP_NAME> page that appears during application registration; each IdP procedure names the page to use).
2
Go to the System Configuration > SSL Settings page.

3
Under CA Certificates, click Edit for <number> certificates. The CA Certificates page displays.

4
Click New. The Import CA Certificate page displays.

5
Select one of the following options:
a
Certificate file and browse to select the certificate you want.
b
Certificate text and enter the certificate text that you want.
6
Click Import.

The certificate should now appear in the Trust the following certificate drop-down menu.

Configuring SAML Authentication Servers

This section describes how to configure the various SAML Identity Providers (IdPs) as SMA Authentication Servers.

Some of these configuration procedures require that you already have certain certificates downloaded and installed on your SMA appliance, so that they are available from the Trust the following certificate drop-down menu. See Downloading a Certificate for details on how to do this.


Azure Active Directory

This section describes how to configure the Azure Active Directory (AD) as an SMA Authentication Server.


Configuring Azure Active Directory as an SMA Authentication Server

In this procedure, you will configure Azure AD as a SAML Identity Provider, and create and configure an Authentication Server on an SMA appliance.

To configure Azure AD as an SMA Authentication Server:
1
On the SMA appliance, go to the System Configuration > Authentication Servers page.

2
Under Authentication servers, click New. The New Authentication Server page appears.

3
Select SAML 2.0 Identity Provider.
4
Click Continue. The Configure Authentication Server dialog appears.

The steps that follow explain how to configure the fields in the Configure Authentication Server page.

5
In the Name field, enter Azure AD.
6
In the Appliance ID field, enter the URL of the appliance, for example: https://appliance.company.com. This is the same value you enter in the IDENTIFIER field on the Configure App Settings page in Azure AD (see Configuring Single Sign-On for the SMA Application).
7
In the Server ID field, enter the URL for the server from the Issuer URL field on the Configure Single Sign-on at <APP_NAME> page. For example: https://sts.windows.net/db675175-89e4-40f3-xxxx-/.
8
In the Authentication service URL field, enter the URL from the Single sign-on service URL field on the Configure Single Sign-on at <APP_NAME> page. For example: https://login.windows.net/db675175-89e4-40f3-xxxx-/saml2.
9
In the Logout service URL field, enter the URL from the Single sign-out service URL field on the Configure Single Sign-on at <APP_NAME> page. In Azure AD this is the same endpoint as the single sign-on service URL, for example: https://login.windows.net/db675175-89e4-40f3-xxxx-/saml2.
10
From the Trust the following certificate drop-down menu, select the certificate you want. This should be the Download certificate from the Configure Single Sign-on at <APP_NAME> page.
NOTE: You must first download and install the certificate you want before it can appear in the Trust the following certificate drop-down menu. See Downloading a Certificate for instructions on how to do this.
11
(Optional) Select Sign AuthnRequest message using this certificate, and then select the appliance certificate that will sign the request.
12
Click Save.

Adding the SMA Application to Azure Active Directory

After you configure Azure Active Directory (AD) as an SMA Authentication Server, you need to add the SMA application to the Azure AD service.

To add the SMA application to Azure AD:
1
Log in to Azure AD, and then select the Active Directory > [Directory] > Applications page.
2
Select Add an application from the gallery. In the Application Gallery, you can add a custom application using the Custom category on the left.
3
In the Name field, enter a name for the SMA application.

Configuring Single Sign-On for the SMA Application

After you enter the name for the SMA application, you can configure the single sign-on options.

To configure Single Sign-On for the SMA application:
1
In Azure AD, go to the SonicWall_SMA application page.
2
Select Configure single sign-on.
3
To configure SAML-based authentication, select the Microsoft Azure AD Single Sign-On option.
4
Click the Next arrow. The Configure App Settings dialog appears.
5
Enter the URLs you want in the three URL fields:
SIGN ON URL - The appliance URL, for example: https://appliance.company.com.
IDENTIFIER - The URL from the Appliance ID field of the Configure Authentication Server dialog. See Configuring Azure Active Directory as an SMA Authentication Server.
REPLY URL - The appliance ACS URL, for example: https://appliance.company.com/saml2ssoconsumer.

You can click on the question mark icon for each field to view a tooltip that describes which URL is required for that field and how it is used.

6
Click the Next arrow. The Configure single sign-on at SonicWall_SMA page provides the information you need to enable the SMA application to accept a SAML token from Azure AD.

The values required will vary depending on the application. Check the SAML documentation for the application for details.

The SINGLE SIGN-ON SERVICE URL and SINGLE SIGN-OUT SERVICE URL both resolve to the same endpoint, which is the SAML request-handling endpoint for your instance of Azure AD.

The ISSUER URL is the URL from the Issuer field of the SAML token.

7
After the SMA application is configured, click the Next arrow. The Single Sign-On Confirmation page appears.
8
Click the check mark to close the dialog.

Assigning Users and Groups to the SMA Application

After the SMA application has been configured to use Azure AD as a SAML-based Identity Provider, it is almost ready to test. As a security control, Azure AD will not issue a token allowing users to sign in to the SMA application until they have been granted access in Azure AD, either directly or through a group.

To assign a user or group to the SMA application:
1
In Azure AD, click the Assign Users button.
2
Select the user or group you wish to assign, and then select the Assign button.

One Identity Cloud Access Manager

This section describes how to configure One Identity Cloud Access Manager (CAM) 7.0 as an SMA Authentication Server.


Configuring One Identity CAM as an SMA Authentication Server

Configuring One Identity Cloud Access Manager (CAM) as a SAML Identity Provider is done by setting up a One Identity CAM Authentication Server on an SMA appliance.

To configure the One Identity CAM as an SMA Authentication Server:
1
On the SMA appliance, go to the System Configuration > Authentication Servers page.

2
Under Authentication servers, click New. The New Authentication Server dialog appears.

3
Select SAML 2.0 Identity Provider.
4
Click Continue. The Configure Authentication Server page appears.

Some of the values for the fields in the Configure Authentication Server page can be obtained from the Application Created page of the One Identity Cloud Access Manager.

The steps that follow explain how to configure the fields in the Configure Authentication Server page.

5
In the Name field, enter CAM.
6
In the Appliance ID field, enter the Audience/SP Identity from the Application Created page. For example, https://appliance.company.com.
7
In the Server ID field, enter the Issuer Entity ID or IDP from the Application Created page. For example, urn:cam.test.com.test.com/CloudAccessManager/RPSTS.
8
In the Authentication service URL field, enter the IDP Login URL from the Application Created page. For example, https://sp16.test.com/CloudAccessManager/RPSTS/Saml2/Default.aspx.
9
In the Logout service URL field, enter the SSO URL. For example, https://cam.test.com.com/CloudAccessManager/RPSTS/Saml2/Default.aspx.
10
From the Trust the following certificate drop-down menu, select the certificate you want. This should be the certificate from the Certificate (Download Certificate) of the Application Created page.
NOTE: You must first download and install the certificate you want before it can appear in this drop-down menu. See Downloading a Certificate for instructions on how to do this.
11
(Optional) Select Sign AuthnRequest message using this certificate, and then select the appliance certificate that will sign the request.
12
Click Save.

Adding the SMA Application to One Identity Cloud Access Manager

After you configure One Identity Cloud Access Manager (CAM) as an SMA Authentication Server, you need to add the SMA application to the One Identity CAM.

To add the SMA application to One Identity CAM:
1
In One Identity CAM, go to the Home page.
2
Under Applications, click Add New. The Create a New Application page appears.
3
Under Create a New Application, select Configure Manually. The Back-end SSO Method page appears.
4
Under Back-end SSO Method, select Using SAML.
5
Click Next. The Federation Settings page appears.
6
Under Federation Settings, enter the following URLs:
a
In the Recipient field, enter https://appliance.company.com/saml2ssoconsumer.
b
In the Audience/SP Identity field, enter https://appliance.company.com.
7
Click Next. The Subject Mapping page appears.
8
Under Subject Mapping, leave the default option selected, Users from “AD” can’t log into this application.
9
Click Next. The Claims Mapping page appears.
10
Leave the Claim Mapping section empty.
11
Click Next. The External Access page appears.
12
Under External Access, select This application is external to my network.
13
Click Next. The Permissions page appears.
14
On the Permissions page, select the Roles you want, using the Allow Role Access button.
15
Click Next. The Application Name dialog appears.
16
In the Application Name field, enter the name of your SMA application.
17
Click Next. The Application Portal page appears.
18
On the Application Portal page, under SSO Mode, select SP Initiated.
19
In the URL field, enter https://appliance.company.com.
20
Select any other options you want.
21
Click Finish. The Application Created page appears.

The Application Created page shows all the Single Sign-On details necessary to configure the SMA application.

OneLogin

This section describes how to configure OneLogin as an SMA Authentication Server and how to add the SMA application to the OneLogin service.


Configuring OneLogin as an SMA Authentication Server

Configuring OneLogin as a SAML Identity Provider is done by configuring a OneLogin Authentication Server on an SMA appliance.

To configure OneLogin as an SMA Authentication Server:
1
On the SMA appliance, go to the System Configuration > Authentication Servers page.

2
Under Authentication servers, click New. The New Authentication Server dialog appears.

3
Select SAML 2.0 Identity Provider.
4
Click Continue. The Configure Authentication Server dialog appears.

The steps that follow explain how to configure the fields in the Configure Authentication Server dialog.

5
In the Name field, enter OneLogin_IDP.
6
In the Appliance ID field, enter the Audience/SP Identity from the Configuration tab of the SonicWall VPN page. For example, https://appliance.company.com.
7
In the Server ID field, enter the Issuer URL from the Configuration tab of the SonicWall VPN page. For example, https://app.onelogin.com/saml/metadata/xxxx.
8
In the Authentication service URL field, enter the IDP Login URL from the SSO tab of the SonicWall VPN page. For example, https://company.onelogin.com/trust/saml2/http-post/sso/xxxx.
9
In the Logout service URL field, enter the SLO Endpoint (HTTP) from the SSO tab of the SonicWall VPN page. For example, https://company.onelogin.com/trust/saml2/http-redirect/slo/xxxx.
10
From the Trust the following certificate drop-down menu, select the X.509 Certificate.
NOTE: You must first download and install this certificate before it can appear in this drop-down menu. See Downloading a Certificate for instructions on how to do this.
11
(Optional) Select Sign AuthnRequest message using this certificate, and then select the appliance certificate that will sign the request.
12
Click Save.

Adding the SMA Application to OneLogin

After you configure OneLogin as an SMA Authentication Server, you need to add the SMA application to the OneLogin service.

To add the SMA application to the OneLogin service:
1
In OneLogin, go to the Home page. The Find Applications page appears.
2
Under Find Applications, enter sonicwall in the search field and press Enter. The Add SonicWall VPN page appears.
3
In the Portal panel, in the Display Name field, enter SonicWall VPN.
4
In the Connectors panel, for the Connector Version, select SAML 2.0.
5
Click Save. The Sonicwall VPN page appears.
6
Click the Configuration tab.
7
In the Appliance field, enter the FQDN for your appliance. For example, https://appliance.company.com.
8
Click the SSO tab.
9
In the Enable SAML 2.0 panel, under the X.509 Certificate field, click View Details. The Standard Strength Certificate dialog appears.
10
Click Download to save the X.509 certificate, then import it on the SMA appliance as described in Downloading a Certificate.

Ping Identity PingOne

This section describes how to configure Ping Identity PingOne as an SMA Authentication Server and how to add the SMA application to the Ping Identity PingOne service.


Configuring Ping Identity PingOne as an SMA Authentication Server

Configuring Ping Identity PingOne as a SAML Identity Provider is done by configuring a Ping Identity PingOne Authentication Server on an SMA appliance.

To configure Ping Identity PingOne as an SMA Authentication Server:
1
On the SMA appliance, go to the System Configuration > Authentication Servers page.

2
Under Authentication servers, click New. The New Authentication Server page appears.

3
Select SAML 2.0 Identity Provider.
4
Click Continue. The Configure Authentication Server dialog appears.

Most of the values for the fields on this page can be obtained from the fields on the PingOne application page.

The steps that follow explain how to configure the fields in the Configure Authentication Server dialog.

5
In the Name field, enter PingOne_IDP.
6
In the Appliance ID field, enter the entityId from the PingOne application page. For example: https://appliance.company.com.
7
In the Server ID field, enter the value of the entityID of the EntityDescriptor tag from the downloaded XML file, for example, https://pingone.com/idp/company.
8
In the Authentication service URL field, enter the Initiate Single Sign-On (SSO) URL from the PingOne application page. For example, https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=734b784f-xxxxxx.
9
In the Logout service URL field, enter the value of the Logout Service URL from the Location attribute of SingleLogoutService tag from the downloaded XML file. For example, https://sso.connect.pingidentity.com/sso/SLO.saml2.
10
From the Trust the following certificate drop-down menu, select the certificate you want. This should be the Certificate downloaded from the PingOne application page.
NOTE: You must first download and install the certificate you want before it can appear in this drop-down menu. See Downloading a Certificate for instructions on how to do this.
11
(Optional) Select Sign AuthnRequest message using this certificate, and then select the appliance certificate that will sign the request.
12
Click Save.

Adding the SMA Application to Ping Identity PingOne

After you configure Ping Identity PingOne as an SMA Authentication Server, you need to add the SMA application to the Ping Identity PingOne service.

To add the SMA application to the Ping Identity PingOne service:
1
In PingOne, go to the My Applications page.
2
Under Add Application, select New SAML Application. The Applications Details panel opens.
3
Enter the Application Name.
4
Enter the Application Description.
5
Select the Category you want.
6
For Graphics, select the Application Logo and Application Icon you want.
7
Click Continue to Next Step. The Application Configuration panel opens.

8
For the Protocol Version, select SAML v2.0.
9
In the Assertion Consumer Service (ACS) field, enter the URL: https://appliance.company.com/saml2ssoconsumer.
10
Enter the Entity ID.
11
Enter the Application URL. This should be the same as appliance URL. For example, https://appliance.company.com.
12
For the Single Logout Binding Type, select Post.
13
Click Next. The SSO Attribute Mapping panel opens.
14
In the Status column, click in the row for the application to make it active.
15
Click Save & Publish
16
Click Add new attribute.
17
Click Certificate Download to save the IdP signing certificate, then import it on the SMA appliance as described in Downloading a Certificate.
18
Click SAML Metadata Download.
19
Click Finish.
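Several of the procedures in this appendix take their Server ID, Logout service URL and trusted certificate from the IdP's SAML metadata; the PingOne steps say so explicitly (the entityID of the EntityDescriptor and the Location of SingleLogoutService in the downloaded XML). The Python below is an added example, not part of this guide: it extracts those values from an EntityDescriptor, converts the signing certificate to the PEM text that the Certificate text option of Import CA Certificate accepts, and refuses metadata that carries no signing certificate. The metadata document is constructed; its entityID and SLO location reuse the example values from the PingOne procedure, while the SSO locations and the certificate body are placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body (not a real certificate), base64 like a real X509Certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder - not a real certificate").decode()

# Constructed IdP metadata. entityID and the SLO Location reuse the PingOne example values;
# the SSO Locations are hypothetical.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://pingone.com/idp/company">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://sso.connect.pingidentity.com/sso/SLO.saml2"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64: str) -> str:
    """Turn the bare base64 of an X509Certificate element into the PEM text the
    'Certificate text' import option expects. Rejects input that is not base64."""
    raw = "".join(b64.split())
    base64.b64decode(raw, validate=True)      # raises binascii.Error on garbage
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def idp_settings_from_metadata(xml_text: str) -> Dict[str, object]:
    """Map IdP metadata onto the Configure Authentication Server fields used in this appendix."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")
    certs: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue                          # encryption-only keys are not trust anchors
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(to_pem(c.text or ""))
    if not certs:
        raise ValueError("no signing certificate: nothing to import as a trusted certificate")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    return {
        "server_id": root.get("entityID"),                     # AMC: Server ID
        "sso_urls": sso,                                       # AMC: Authentication service URL, by binding
        "logout_service_url": next(iter(slo.values()), None),  # AMC: Logout service URL
        "certificates_pem": certs,                             # AMC: Import CA Certificate > Certificate text
    }


if __name__ == "__main__":
    for key, value in idp_settings_from_metadata(SAMPLE_METADATA).items():
        print(key, "=", value)
```

Which SingleSignOnService binding to use for the Authentication service URL depends on the IdP, which is why both are returned; the IdP-specific procedures above (OneLogin's HTTP-POST SSO endpoint, Salesforce's HttpRedirect endpoint) show the choice each vendor documents.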

Salesforce

This section describes how to configure Salesforce as an SMA Authentication Server and how to add the SMA application to the Salesforce service.


Configuring Salesforce as an SMA Authentication Server

This section describes how to configure Salesforce as an SMA Authentication Server.

To configure Salesforce as an SMA Authentication Server:
1
On the SMA appliance, go to the System Configuration > Authentication Servers page.

2
Under Authentication servers, click New. The New Authentication Server page appears.

3
Select SAML 2.0 Identity Provider.
4
Click Continue. The Configure Authentication Server page appears.

The steps that follow explain how to configure the fields in the Configure Authentication Server dialog.

5
In the Name field, enter Salesforce_IDP.
6
In the Appliance ID field, enter the Entity Id under Web App Settings from the Salesforce application page. For example, https://appliance.company.com.
7
In the Server ID field, enter the Issuer from the Salesforce application page, under Web App Settings. For example, https://company.my.salesforce.com as per application configuration in Salesforce.
8
In the Authentication service URL field, enter the IdP-Initiated Login URL from the Salesforce application page. For example, https://company.my.salesforce.com/idp/endpoint/HttpRedirect.
9
From the Trust the following certificate drop-down menu, select the certificate you want. This should be the certificate downloaded from the Identity Provider page.
NOTE: You must first download and install this certificate before it can appear in this drop-down menu. See Downloading a Certificate for instructions on how to do this.
10
(Optional) Select Sign AuthnRequest message using this certificate, and then select the appliance certificate that will sign the request.
11
Click Save.

Adding the SMA Application to Salesforce

After you configure Salesforce as an SMA Authentication Server, you need to add the SMA application to the Salesforce service.

To add the SMA application to the Salesforce service:
1
Login to Salesforce.
2
Go to the App Setup > Create > Apps > Connected Apps Detail page.
3
Click Add. The Settings dialog appears.
4
In the Web App Settings panel:
a
For Start URL, enter https://appliance.company.com.
b
Select Enable SAML.
c
For Entity ID, enter the WorkPlace URL: https://appliance.company.com.
d
For ACS URL, enter the appliance ACS URL: https://appliance.company.com/saml2ssoconsumer.
e
For Subject Type, select Username.
f
For Name ID Format, enter urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
g
For Issuer, enter https://company.my.salesforce.com.
5
Click Save.
6
On the App Setup > Create > Apps > Connected Apps Detail page, click Manage Profiles.
7
Select the types of users you want to allow to access the Salesforce application.
8
Click Save. You can view the configured Salesforce settings on the SonicWall SMA page.


Log File Output Formats

About Log Files

The SMA appliance records system and user events in a series of log files. You can view the log files in AMC or by sending the messages to an external syslog server—this process is described in System Logging and Monitoring. This section explains how to manually review log files from the command-line interface on the appliance itself and interpret the data.

File Locations

Log file names for SMA services lists the log files on the appliance, which are initially stored locally in /var/log/aventail/.

Log file names for SMA services

System messages (format: syslog; file: access_servers.log)
    Contains message logs for the Web proxy service, the network tunnel service, and the policy server. Unregistered device messages are also in this log. See System Message Log.

Network tunnel service (format: SOCKS5LF; file: extranet_access.log)
    Includes information about connection activity, a list of users accessing the network, and the amount of data transferred for the network tunnel service. See Network Tunnel Audit Log.

Web proxy service (format: W3C CLF; file: extraweb_access.log)
    See Web Proxy Audit Log.

Appliance Management Console (AMC) (format: syslog; files: policy_audit.log, management.log)
    See Management Console Audit Log.

Client installation (format: syslog; file: <username>@<realm>.log)
    See Client Installation Logs (Windows).

WorkPlace (format: syslog; files: workplace.log, wp_init.log)
    See WorkPlace Logs.

Upgrade log (format: text; file: upgrade.log)
    A record of any upgrades you have made to the appliance.

Migration log (format: syslog; file: migrate_<n.n.n>.log, stored in /var/log/ rather than /var/log/aventail/)
    The logging messages recorded during migration from version <n.n.n>.

To minimize storage requirements for log files, the appliance rotates the files. The log rotation procedures vary, depending on the frequency you specify:

Log rotation procedures

Every 15 minutes
    Rotate any log file that is larger than 750MB.
    Force a rotation of the syslog log file.
    Compress each rotated file: compression is turned on for rotated files, with a compression ratio of 0.10 of the actual file size.

Every day
    Force a rotation of all log files.
    Delete any log files that are older than seven days.

Log files more than one day old are stored in uncompressed format. The log file names contain a suffix that is numbered sequentially from 1 through 7, so that if the log rotation occurs daily, a log file with the suffix 7 is one week old. For example:

extraweb_access.log is the current log file for the Web proxy service.
extraweb_access.log.1 through extraweb_access.log.7 are the logs from the previous rotations.

System Message Log

The system message log (/var/log/aventail/access_servers.log) is generated in syslog format (see RFC 3164) and contains message logs for the Web proxy service, the network tunnel service, and the policy server (an internal service that controls policy for the other services). It also provides detailed messages about all access control decisions: each time a user request matches a policy rule, a log file entry is recorded explaining the action taken.

This sample message log entry is followed by descriptions of its elements:

[08/Nov/2016:07:16:24.312477 +0000] E-Class SRASSLVPN 002764 up 00000001 Info System CFG Pool Init STATIC/NAT id=1 name='HQ-pool2' gid='AV1160554493976A' ndns=2 nwins=2 nsuffix=0
 

System message log fields

Field

Description

[08/Nov/2016:07:16:24.312477 +0000]

Precise timestamp

This timestamp indicates when the message was generated by the service (Web proxy, network tunnel, network proxy, or policy). This is a more accurate timestamp than the one generated by syslog because the logging system buffers messages before sending them to syslog.

E-Class SRASSLVPN

Appliance name

This name can be changed on the Network Settings page in AMC (on the Configure Basic Network Settings page).

002764

Process ID (PID)

Every application that is running is assigned a process ID. This PID identifies the application that generated the log entry.

up

Application ID

Identifies the server process that generated the message. The possible IDs are:

ap (API server)
cp (SMA distributed cache client: policy server, client credential storage)
dc (SMA distributed cache server: policy server, client credential storage)
ev (network tunnel service—kernel component)
ew (Web proxy service)
fm (failover monitor)
kp (network tunnel kernel mode policy server interface)
ks (network tunnel kernel mode interface to SSL daemon)
kt (kernel tunnel component)
ls (log server)
ps (policy service) (Also see Auditing Access Policy Decisions)
pt (ping/traceroute tools)
uk (unknown)
up (network tunnel policy server daemon)
us (network tunnel user space SSL daemon)

00000001

Context ID

The context ID is a unique value used to tie together related logs from all of the services (Web proxy, network tunnel, network proxy, policy, and WorkPlace). You can use the context ID to search for all messages related to a single user session. If a message is not tied to a particular user session, it is assigned a number lower than 00000010. The first digit of this ID indicates which service originally generated the session:

0 (policy service)
1 (Web proxy service)
3 (WorkPlace service)

Info

Severity

The message severity levels are:

Error—A problem caused the server to shut down or fail to communicate with another component. A name resolution problem at startup is logged at this level.
Warning—Something unexpected occurred that does not adversely affect the operation of the server. For example, a single failed attempt to access a RADIUS server is logged at the Info level, but if all attempts fail, an entry is added to the log file at the Warning level.
Info—A normal event that you might want to track; for example, a specific user has logged in, or has matched a given access control rule.
Verbose—Like an Info message, this level identifies normal operations, but includes the steps in a process. For example, when processing access control rules a message for each non-match is at the Verbose level, while a matched rule is identified as Info.

System

Message type

Indicates what part of the server logged the message.

CFG Pool Init STATIC/NAT id=1 name='HQ-pool2' gid='AV1160554493976A' ndns=2 nwins=2 nsuffix=0

Message text

The text following all the identifying information is the message itself.

See Auditing Access Policy Decisions for an explanation of the message text for access policy decisions.


Auditing Access Policy Decisions

One of the main uses for the system message log is to audit access policy decisions. Each time a user request matches a policy rule, the appliance writes an entry to the message text field (the last field in the message log) explaining the action taken.

A sample message for an access policy decision looks like this:

[09/Nov/2016:02:45:32.282637 +0000] E-Class SRASSLVPN 002421 ps 100004b3 Info EWACL User '(192.168.136.70 (Dominique Daba)@(Students)' connecting from '192.168.136.70:37975' matched rule 'accessRule(AV1091719670706:preauth access rule)', access to '127.0.0.1:455' is permitted.

For each connection request that matches a rule, a log message is generated at the Info level. Requests that don’t match a rule are logged at the Verbose level, and when no rule match is found the request is logged at the Warning level.

For policy decisions, the logging message text field (everything after Info in the previous example) includes the information shown in Logging message text fields.

 

Logging message text fields

Field

Description

EWACL

Log type

The access policy being evaluated. The log types are:

CSACL—client/server access policy
EWACL—Web access policy
WPACL—WorkPlace access policy
NEACL—file system access policy (file shares accessed from the Network Explorer page in WorkPlace)

User '(192.168.136.70 (Dominique Daba)@(Students)'

User name

The user making the request. If the appliance is configured to use multiple realms, the username will appear in the format (user)@(realm).

connecting from '192.168.136.70:37975'

Source of request

The address of the user making the request.

matched rule 'accessRule(AV1091719670706:preauth access rule)'

Match status

Rule match status (either Matched or No Match) and the ID for the rule.

access to '127.0.0.1:455' is permitted

Rule outcome

Details

If the rule matched, this field will be empty. If the rule did not match, one of the following messages will appear:

Source Network is <network>
Date/time specification <time>
User <username> not in User/Group List
Destination network is <dest>
Virtual Host is <vhost>
Destination services dest is <dest>
Command is <command>
UDPEncrypt is <true or false>
Key Length <length from the policy rule> requires a stronger cipher

If no rule matched, an Info-level message is generated indicating that no matching rule was found.

Examples

Example 1—Success at Info Level

[09/Nov/2016:02:45:32.712860 +0000] E-Class SRASSLVPN 002421 ps 10000531 Info Session Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'

Example 2—Failure at Info Level

[09/Nov/2016:04:27:40.965127 +0000] E-Class SRASSLVPN 002873 ps 00000003 Info WPACL User '(kevin figment)@(Students)' connecting from '192.168.136.70:0' found no matching access rule, access to 'www.seattletimes.com:80' is denied.
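The field layout of the system message log and the message text of access policy decisions, turned into a parser. This is an added example, not SMA code: the regular expressions follow the field tables above, the context-ID and severity conventions are the guide's, and the sample lines are the guide's own examples.

```python
"""Parse SMA system message log (access_servers.log) entries and the
access-policy decisions they carry.

Added example, not SMA code: the field layout, context-ID and severity
conventions follow the guide; the sample lines are the guide's examples."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# [timestamp] appliance-name PID app-id context-id severity type message...
# The appliance name may contain spaces, so the six-digit PID, two-letter
# application ID and eight-hex-digit context ID anchor the split.
_HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<appliance>.+?)\s+(?P<pid>\d{6})\s+"
    r"(?P<app>[a-z]{2})\s+(?P<ctx>[0-9A-Fa-f]{8})\s+"
    r"(?P<severity>Error|Warning|Info|Verbose)\s+(?P<mtype>\S+)"
    r"(?:\s+(?P<text>.*))?$"
)
# Message text of an access-policy decision; the log type (EWACL, ...) is
# the token before it and lands in msg_type.
_DECISION = re.compile(
    r"^User\s+'(?P<user>.*?)'\s+connecting from\s+'(?P<src>[^']*)'\s+"
    r"(?:matched rule\s+'(?P<rule>[^']*)'|found no matching access rule),"
    r"\s+access to\s+'(?P<dest>[^']*)'\s+is\s+(?P<outcome>permitted|denied)\.?$"
)
ACL_TYPES = {"CSACL": "client/server", "EWACL": "Web",
             "WPACL": "WorkPlace", "NEACL": "file system"}
# First digit of a session-bound context ID names the originating service.
ORIGIN = {"0": "policy service", "1": "Web proxy service", "3": "WorkPlace service"}


@dataclass
class SysMessage:
    timestamp: str
    appliance: str
    pid: int
    app_id: str
    context_id: str
    severity: str
    msg_type: str
    text: str

    @property
    def session_bound(self) -> bool:
        # Context IDs below 00000010 are not tied to a user session.
        return int(self.context_id, 16) >= 0x10

    @property
    def origin(self) -> Optional[str]:
        return ORIGIN.get(self.context_id[0]) if self.session_bound else None


@dataclass
class PolicyDecision:
    acl: str             # CSACL / EWACL / WPACL / NEACL
    user: str
    source: str
    rule: Optional[str]  # None when no rule matched
    destination: str
    permitted: bool


def parse_system_message(line: str) -> Optional[SysMessage]:
    """Split one log line into its fields; None if the header does not parse."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    return SysMessage(m["ts"], m["appliance"], int(m["pid"]), m["app"],
                      m["ctx"].lower(), m["severity"], m["mtype"], m["text"] or "")


def parse_policy_decision(msg: SysMessage) -> Optional[PolicyDecision]:
    """Decode the text of a *ACL entry; None for any other message."""
    if msg.msg_type not in ACL_TYPES:
        return None
    m = _DECISION.match(msg.text)
    if not m:
        return None
    return PolicyDecision(msg.msg_type, m["user"], m["src"], m["rule"],
                          m["dest"], m["outcome"] == "permitted")


def group_by_session(lines: List[str]) -> Dict[str, List[SysMessage]]:
    """Collect session-bound messages per context ID for per-session review."""
    sessions: Dict[str, List[SysMessage]] = defaultdict(list)
    for line in lines:
        msg = parse_system_message(line)
        if msg and msg.session_bound:
            sessions[msg.context_id].append(msg)
    return dict(sessions)


def denied_destinations(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(user, destination, log type) for every denied policy decision."""
    out = []
    for line in lines:
        msg = parse_system_message(line)
        d = parse_policy_decision(msg) if msg else None
        if d and not d.permitted:
            out.append((d.user, d.destination, d.acl))
    return out


# Sample lines taken from the guide's examples above.
SAMPLE_LINES = [
    "[08/Nov/2016:07:16:24.312477 +0000] E-Class SRASSLVPN 002764 up 00000001 "
    "Info System CFG Pool Init STATIC/NAT id=1 name='HQ-pool2' "
    "gid='AV1160554493976A' ndns=2 nwins=2 nsuffix=0",
    "[09/Nov/2016:02:45:32.282637 +0000] E-Class SRASSLVPN 002421 ps 100004b3 "
    "Info EWACL User '(192.168.136.70 (Dominique Daba)@(Students)' connecting "
    "from '192.168.136.70:37975' matched rule 'accessRule(AV1091719670706:"
    "preauth access rule)', access to '127.0.0.1:455' is permitted.",
    "[09/Nov/2016:04:27:40.965127 +0000] E-Class SRASSLVPN 002873 ps 00000003 "
    "Info WPACL User '(kevin figment)@(Students)' connecting from "
    "'192.168.136.70:0' found no matching access rule, access to "
    "'www.seattletimes.com:80' is denied.",
]
```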

Viewing Client Certificate Errors in the Log

If the appliance is unable to verify a certificate chain, a message such as this one appears in the system message log file:

[09/Nov/2016:21:28:14.610949 +0000] E-Class SRASSLVPN 001539 ps 10000042 Info System Auth: CRL-CERT: Cert verification status = 0, err = 20 'unable to get local issuer certificate'

This message includes an error code (in this case, 20) reporting why the certificate check failed. These error codes are described in Client certificate error codes.

 

Client certificate error codes

Code

Error message

Description

2

Unable to get issuer certificate

The issuer certificate of an untrusted certificate could not be found.

7

Certificate signature failure

The signature of the certificate is invalid.

9

Certificate is not yet valid

The certificate is not yet valid.

10

Certificate has expired

The certificate has expired.

18

Self-signed certificate

The passed certificate is self-signed and cannot be found in the list of trusted certificates.

19

Self-signed certificate in certificate chain

The certificate chain can be built using the untrusted certificates, but the root cannot be found locally.

20

Unable to get local issuer certificate

This normally means the list of trusted certificates is not complete. This error can also occur when an intermediate certificate is used for authentication (a root certificate is required).

21

Unable to verify the first certificate

No signatures could be verified because the chain contains only one certificate and is not self-signed.

22

Certificate chain too long

The certificate chain length is greater than the supplied maximum depth.

23

Certificate revoked

The certificate has been revoked.

24

Invalid CA certificate

A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.

End Point Control Interrogation

The system message log captures information during client EPC interrogation when the log level is set to verbose. The appliance checks for the presence of certain device profile attributes on the client, and the log file records the query and the results.

In the following example, EPC is checking for a certain antivirus application (Symantec Client Security, version 9.x or later). When the application is not found, this particular device is relegated to the Default zone:

[04/Oct/2016:22:29:23.867093 +0000] E-Class SRASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students)::CLIENT:: Interrogation: Evaluation of OPSWATAV AV1128462569762A [NortonAV.dll,Symantec Corp.,Symantec Client Security,>=,9.x,,,,,FALSE] results: FALSE
[04/Oct/2016:22:29:23.875781 +0000] E-Class SRASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students):: Classified into zone: Default zone

Unregistered Device Log Messages

Unregistered device log messages provide device IDs from login attempts by users on devices that are not registered. The AMC provides a way to export the unregistered device log messages in XML format. On the Logging page, select Unregistered device log from the Log file drop-down list and then click Export. You can reduce the size of the exported file by first applying filter or search criteria.

You can also access and export the list of unregistered devices to an XML format on another system. The list can be accessed directly in a Web browser using the following URL:

https://(internal IP address)/UnregisteredDevices.xml

This URL requires BASIC HTTP authentication, and the credentials must be an AMC user with at least View access to the Monitoring category.

A curl or wget command can be used to obtain the list programmatically from the external machine:

 

Command

Syntax

curl

curl -k3u (user):(password) https://(internal IP):8443/UnregisteredDevices.xml

wget

wget --no-check-certificate --http-user=(user) --http-password=(password) https://(internal IP address):8443/UnregisteredDevices.xml

Both of these commands turn off SSL certificate checking, which is useful when using a self-signed certificate.

A full definition of the URL used to fetch the XML version of the unregistered device report follows.

URL

https://<internal address>:8443/UnregisteredDevices.xml?parameter=value&parameter=value

Authentication

BASIC HTTP authentication; the credentials must be an AMC user with at least View access to the Monitoring category.

Parameters (all optional)

username

string, case insensitive, default * (all users)

Search for login attempts from users that contain this value as part of their username. Example: username=li will return entries for Linda and Melinda.

realm

string, case insensitive, default * (all realms)

Search for login attempts to realms that contain this value as part of the realm name. Example: realm=Corp will return entries for Corporate and Non-Corporate.

platform

string, enumerated values below

Search for login attempts from devices running only the specified platform:

all — all platforms (default)
windows — only Windows devices
mac — only Mac devices
linux — only Linux devices
activeSyncMobile — only Exchange ActiveSync devices
mobilePhone — only Mobile Phone devices
pda — only PDA devices
unknown — only devices on which the platform could not be determined

exported

string, enumerated values below

Search for entries that have or have not already been exported, either in AMC or via an HTTP GET request.

all — all entries, whether or not they have been exported (default)
exported — only entries that have already been exported
unexported — only entries that have not already been exported

limit

number, default 1000

Limit the search to this many entries.

deviceCount

number, 0-3, default all entries

Search for users with only the specified number of devices already registered in the external AD/LDAP store.

0 — user has no devices registered
1 — user has one device registered
2 — user has two devices registered
3 — user has three or more devices registered

lastLoginTime

string, enumerated values below, default all

Search for user login attempts that happened only in the time period specified, relative to the current time.

all — all login attempts
hour — attempts in the last hour
day — attempts in the last day (24 hour period)
week — attempts in the last week (7 days)
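The URL definition above, as a builder that validates each optional parameter against the enumerations in the table, plus a fetch that keeps certificate verification on instead of disabling it as the curl -k and wget --no-check-certificate forms do. This is an added example, not SMA code; the host name, the AMC account and the CA file path are placeholders you supply.

```python
"""Build and fetch the unregistered-device report URL described above.

Added example, not SMA code. Parameter names and enumerated values come from
the table above; host, credentials and CA file are placeholders. Unlike the
curl -k / wget --no-check-certificate forms, the fetch verifies the appliance
certificate against a CA bundle you supply (for a self-signed appliance
certificate, that bundle is the exported certificate itself)."""
import base64
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlencode

PLATFORMS = {"all", "windows", "mac", "linux", "activeSyncMobile",
             "mobilePhone", "pda", "unknown"}
EXPORTED = {"all", "exported", "unexported"}
LAST_LOGIN = {"all", "hour", "day", "week"}


def build_unregistered_devices_url(host: str, *, username: Optional[str] = None,
                                   realm: Optional[str] = None,
                                   platform: Optional[str] = None,
                                   exported: Optional[str] = None,
                                   limit: Optional[int] = None,
                                   device_count: Optional[int] = None,
                                   last_login_time: Optional[str] = None,
                                   port: int = 8443) -> str:
    """Return the report URL; every parameter is optional and is checked
    against the guide's enumerations before it is encoded."""
    params = {}
    if username is not None:
        params["username"] = username
    if realm is not None:
        params["realm"] = realm
    if platform is not None:
        if platform not in PLATFORMS:
            raise ValueError(f"platform must be one of {sorted(PLATFORMS)}")
        params["platform"] = platform
    if exported is not None:
        if exported not in EXPORTED:
            raise ValueError(f"exported must be one of {sorted(EXPORTED)}")
        params["exported"] = exported
    if limit is not None:
        if limit < 1:
            raise ValueError("limit must be a positive number")
        params["limit"] = limit
    if device_count is not None:
        if device_count not in range(4):  # 0-3; 3 means three or more devices
            raise ValueError("deviceCount must be between 0 and 3")
        params["deviceCount"] = device_count
    if last_login_time is not None:
        if last_login_time not in LAST_LOGIN:
            raise ValueError(f"lastLoginTime must be one of {sorted(LAST_LOGIN)}")
        params["lastLoginTime"] = last_login_time
    url = f"https://{host}:{port}/UnregisteredDevices.xml"
    return f"{url}?{urlencode(params)}" if params else url


def fetch_unregistered_devices(url: str, user: str, password: str,
                               ca_file: str, timeout: float = 30.0) -> bytes:
    """GET the report with BASIC authentication (an AMC user with at least
    View access to the Monitoring category) over a verified TLS connection."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder host: replace with the appliance's internal address.
    print(build_unregistered_devices_url("sma.internal.example",
                                         platform="windows",
                                         last_login_time="week"))
```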

Network Tunnel Audit Log

The network tunnel audit log provides detailed information about connection activity, including the status of completed tunnel connections and the status of completed flows within tunnels.

NOTE: The two record types can be distinguished by the word flow or tunnel appearing in the sixth field of the message.

Messages are stored on disk in the file /var/log/aventail/extranet_access.log and contain these parameters:

[source-ip:port] [authentication] "[username@realm]" "[date/time]" [version] [command] [destination-ip:port] [status code] [bytes-received] [bytes-sent] [connection duration] [imei]

This example illustrates a network tunnel service audit log file entry:

12.230.158.210:1110 ssl:LDAP "fred figment" "13/Sep/2016:19:18:28 -0700" v1.1 flow:tcp 192.168.136.254:22 0 21722 60631 263 490236207159217

The log entries contain the fields (separated by spaces) shown in Network tunnel audit log fields.

 

Network tunnel audit log fields

Field

Description

source-ip:port

For tunnel records this field contains the source address of the outer tunnel connection. For flows this field contains the inner flow source address, which is the virtual IP address assigned from a tunnel pool when the tunnel is established.

Example: 12.230.158.210:1110

authentication

A hyphen (-) indicates re-authentication via TEAM credential.

NOTE: An explicit value is not possible, because the tunnel does not know the authentication method used to negotiate the TEAM credential.

"username@realm"

User accessing the resource, and the realm he or she is logged in to. The format of this field varies, depending on the authentication method used.

Example: "mfigment@employees"

"date/time"

Date (in date/month/year format) and time (hours, minutes, seconds, and milliseconds in 24-hour-clock format and hours of time zone +/- GMT) the connection began.

NOTE: Records containing date/time may not be written immediately to the log.

Example: "13/Sep/2016:19:18:28 -0700"

version

The Connect or OnDemand Tunnel protocol version, with 1.1 for currently supported releases.

command

The type of command executed. These commands can appear in log file entries for the network tunnel service:

tunnel
flow:tcp
flow:udp
flow:icmp

destination-ip:port

IP address and port number of the resource being accessed. For flows, this is the destination of the TCP, UDP or ICMP flow. For tunnels, this is the external address of the appliance (port number is always 0).

Example: 192.168.136.254:22

status code

0 is success.

See Auditing Connection Status Messages for more detail about the status codes.

bytes-received

Number of bytes read from source.

bytes-sent

Number of bytes written to destination.

connection duration

Connection duration (in seconds) based on the time the tunnel was closed, a TCP flow entered its TIME_WAIT state, or a UDP or ICMP flow timed out.

imei

Every mobile phone is assigned a unique, 15-digit IMEI code (device identifier) that indicates information like the manufacturer, model type, and country of approval. The IMEI can be displayed on most phones by dialling *#06#. It’s also shown on the compliance plate underneath the battery.

Example: 352711-01-521146-5

If the IMEI code is not provided by the device, a platform identifier is shown. Platform identifiers (first character) are:

W – Windows

M – Mac

L – Linux

P – PDA

A – ActiveSync Mobile

X – Unknown

(blank) – Mobile Phone

Auditing Connection Status Messages

The network proxy/tunnel audit log includes a connection status code that is often useful in debugging client/server connection problems. The status code is the field immediately following the destination-ip:port field in the log file (see Network Tunnel Audit Log for a description of an entire log file entry). Connection status codes describes each code.

 

Connection status codes

Connection status code

Description

0

Successful connection attempt with no errors encountered

1

Client presented an invalid TEAM credential

2

Couldn't send TEAM request to client, error in tunnel auth exchange, or error in PS auth exchange

3

Tunnel protocol at client is below minimum supported by appliance

4

TP error, or unsupported feature requested

5

Session sat idle longer than allowed by configuration or defaults

6

Tunnel pools have no addresses available

9

No tunnel internal address (bad cfg); realm_list (shouldn't happen) problem; client rejected resource list

10

Client version mismatch

11

All available tunnel pool addresses conflict with the client's networking environment in fatal ways

12

Special error to client indicating it should attempt a resume immediately

65535

Permission denied

65524

Out of memory

65520

System busy, session dropped

65514

Internal inconsistency, unexpected condition encountered

65504

Tunnel service aborted

65432

Connection reset by peer

65429

Not connected (internal error)

65428

Tunnel service shutdown

65426

Timeout (not necessarily an error, esp. for UDP flows)

65279

No authentication method

65278

Authentication failed (for example, the user entered an invalid username/password)

65277

Authentication I/O fail

65276

Authentication quiet fail

65275

Lost client connection

65274

Cannot load module

65273

Not authorized (for example, access denied due to policy)

65272

Encrypt failure

65271

Unknown failure

Examples

If a user enters an invalid username/password, error number 65535 appears in the log:

192.168.2.69:3127 ssl "testing" "26/Feb/2017:21:31:51.947 +0000" none -:- 65535 385 0 14 352711-01-521146-5

If a timeout occurred, the message contains error number 65426:

192.168.2.69:3127 ssl "testing" "26/Feb/2017:21:31:51.947 +0000" none -:- 65426 385 0 1 352711-01-521146-5

All tunnel traffic originating from the client and destined for the Internet (running in redirect-all mode) is routed through an IP address you specify on the Configure Network Tunnel Service page in AMC (Enable route to Internet). If this route to the Internet is not available, you’ll see a connection status code of 65504:

151.219.76.85:4827 - "(l248411)@(Radius)" "26/Jun/2016:17:54:14.916 +0000" 1.1 Flow:TCP 165.170.0.1:1503 65504 0 0 60 352711-01-521146-5
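The network tunnel audit log format and the connection status code table above, as a parser that maps each record's status code to the guide's description and summarises failures. This is an added example, not SMA code; the sample records are the guide's own examples. One assumption: when only one token sits between the date/time and destination fields, as in the "none -:-" examples, it is read as the command and the version is left empty.

```python
"""Parse SMA network tunnel audit log (extranet_access.log) records and map
their connection status codes to the guide's descriptions.

Added example, not SMA code. Field order and status codes follow the two
tables above. Assumption: a record with eleven fields (the "none -:-" form in
the examples) carries a command but no version."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

STATUS_CODES: Dict[int, str] = {
    0: "Successful connection attempt with no errors encountered",
    1: "Client presented an invalid TEAM credential",
    2: "Couldn't send TEAM request to client, error in tunnel auth exchange, or error in PS auth exchange",
    3: "Tunnel protocol at client is below minimum supported by appliance",
    4: "TP error, or unsupported feature requested",
    5: "Session sat idle longer than allowed by configuration or defaults",
    6: "Tunnel pools have no addresses available",
    9: "No tunnel internal address (bad cfg); realm_list problem; client rejected resource list",
    10: "Client version mismatch",
    11: "All available tunnel pool addresses conflict with the client's networking environment in fatal ways",
    12: "Special error to client indicating it should attempt a resume immediately",
    65535: "Permission denied",
    65524: "Out of memory",
    65520: "System busy, session dropped",
    65514: "Internal inconsistency, unexpected condition encountered",
    65504: "Tunnel service aborted",
    65432: "Connection reset by peer",
    65429: "Not connected (internal error)",
    65428: "Tunnel service shutdown",
    65426: "Timeout (not necessarily an error, esp. for UDP flows)",
    65279: "No authentication method",
    65278: "Authentication failed (for example, the user entered an invalid username/password)",
    65277: "Authentication I/O fail",
    65276: "Authentication quiet fail",
    65275: "Lost client connection",
    65274: "Cannot load module",
    65273: "Not authorized (for example, access denied due to policy)",
    65272: "Encrypt failure",
    65271: "Unknown failure",
}


@dataclass
class TunnelRecord:
    source: str          # outer tunnel source, or inner flow source (pool VIP)
    authentication: str  # "-" means re-authentication via TEAM credential
    username: str
    timestamp: str
    version: Optional[str]
    command: str         # tunnel, flow:tcp, flow:udp, flow:icmp, ...
    destination: str     # for tunnels the appliance's external address, port 0
    status: int
    bytes_received: int
    bytes_sent: int
    duration: int        # seconds
    imei: str            # IMEI, or a platform identifier when none is provided

    @property
    def record_type(self) -> str:
        # The sixth field says flow or tunnel (see the NOTE above).
        cmd = self.command.lower()
        return "flow" if "flow" in cmd else "tunnel" if "tunnel" in cmd else "other"

    @property
    def status_text(self) -> str:
        return STATUS_CODES.get(self.status, f"unlisted status code {self.status}")


def parse_tunnel_record(line: str) -> TunnelRecord:
    """Split one record; shlex honours the quoted username and date/time."""
    tok = shlex.split(line)
    if len(tok) not in (11, 12):
        raise ValueError(f"expected 11 or 12 fields, got {len(tok)}: {line!r}")
    version, command = (tok[4], tok[5]) if len(tok) == 12 else (None, tok[4])
    dest, status, rcvd, sent, dur, imei = tok[-6:]
    return TunnelRecord(tok[0], tok[1], tok[2], tok[3], version, command,
                        dest, int(status), int(rcvd), int(sent), int(dur), imei)


def failure_summary(lines: List[str]) -> Dict[str, int]:
    """Count records per failure description; 0 and the 65426 timeout
    (not necessarily an error) are left out."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_tunnel_record(line)
        if rec.status not in (0, 65426):
            counts[rec.status_text] = counts.get(rec.status_text, 0) + 1
    return counts


# Sample records taken from the guide's examples above.
SAMPLE_LINES = [
    '12.230.158.210:1110 ssl:LDAP "fred figment" "13/Sep/2016:19:18:28 -0700" '
    'v1.1 flow:tcp 192.168.136.254:22 0 21722 60631 263 490236207159217',
    '192.168.2.69:3127 ssl "testing" "26/Feb/2017:21:31:51.947 +0000" none -:- '
    '65535 385 0 14 352711-01-521146-5',
    '192.168.2.69:3127 ssl "testing" "26/Feb/2017:21:31:51.947 +0000" none -:- '
    '65426 385 0 1 352711-01-521146-5',
    '151.219.76.85:4827 - "(l248411)@(Radius)" "26/Jun/2016:17:54:14.916 +0000" '
    '1.1 Flow:TCP 165.170.0.1:1503 65504 0 0 60 352711-01-521146-5',
]
```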

Web Proxy Audit Log

The Web proxy audit log provides detailed information about connection activity, including a list of users accessing your network and the amount of data transferred.

The /var/log/aventail/extraweb_access.log file messages are stored in the World Wide Web Consortium (W3C) Common Log Format (CLF). See http://httpd.apache.org/docs/logs.html for more information on CLF logs. The log message has these parameters:

[source-ip] [identity] [shortname@realm] [longname] [date/time] "[request]" [HTTP return code] [bytes-sent] [imei]

The following is a sample Web proxy service audit log file entry:

192.168.200.162 - (extranetuser)@(Translation) (uid=extranetuser,ou=Users,dc=indigo,dc=com) [31/Mar/2017:09:08:09 -0700] "GET http://127.0.0.1:455/postauth/interrogator/AventailComponents.exe HTTP/1.1" 200 536016 "-"

The log entries contain the fields (separated by spaces) shown in Web Proxy audit log fields.

 

Web Proxy audit log fields

Field

Description

source-IP

IP address of the computer accessing the Web proxy service (this field may contain a translated address if NAT is in use).

Example: 192.168.200.162

identity

This field is not used by the Web proxy service; it always contains a dash (-).

shortname@realm

If the user has logged in, this field displays the user’s name and login realm in the form (username@realm).

If a user has not yet authenticated or is accessing content that does not require authentication (such as the WorkPlace login page), this field contains a dash (-). In cases where no authentication is used (that is, the Authentication server for the realm in AMC is set to None), this field will contain anonymous-user.

Example: (extranetuser)@(Translation)

longname

If the user has logged in, this field displays the user’s long name. LDAP and Active Directory usernames are displayed using a DN. Other usernames are displayed using a CN.

If a user has not yet authenticated or is accessing content that does not require authentication (such as the WorkPlace login page), this field contains a dash (-).

Example: (uid=extranetuser,ou=Users,dc=indigo,dc=com)

date/time

The date and time at which the request was received by the appliance.

Example: [16/Apr/2017:21:36:37 +0000]

request

First line of the HTTP request, containing the HTTP command (such as GET or POST), the requested resource, and the HTTP version number.

Example: "GET /alias1/foo.gif HTTP/1.1"

HTTP-return-code

The server responds with one of the following return codes:

2xx codes indicate a successful request.
3xx codes indicate some form of redirection or cached response.
4xx codes indicate an error (such as a resource that is not found or an unauthorized request).
5xx codes indicate a server error.

For more information on these codes, see http://www.ietf.org/rfc/rfc2616.txt.

bytes-sent

Number of bytes sent in the body of the response (this does not include the size of the HTTP headers).

imei

Every mobile phone is assigned a unique, 15-digit IMEI code that indicates information like the manufacturer, model type, and country of approval. The IMEI can be displayed on most phones by dialling *#06#. It’s also shown on the compliance plate underneath the battery. If there is no IMEI associated with the user, a dash (-) is entered in the log file.

Example: 352711-01-521146-5

Examples

If an authentication attempt fails—for example, because the user enters an invalid username or password—a single message appears in the log with a return code of 200 (OK, indicating the client request was understood). Notice that the source IP address in the message is the only way for you to identify who made the request:

192.168.2.69 - - [26/Feb/2017:21:43:30 +0000] "POST /__extraweb__authen HTTP/1.1" 200 3610 352711-01-521146-5

For a successful authentication, a similar message appears, but with a return code of 302 (Found). It is immediately followed by another message that contains the user's authentication credentials and a return code of 200:

192.168.2.69 - - [26/Feb/2017:21:44:25 +0000] "POST /__extraweb__authen HTTP/1.1" 302 206 352711-01-521146-5
192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:44:25 +0000] "GET /workplace/access/home HTTP/1.1" 200 15424

If a user successfully authenticates but is denied access to a Web resource by an access rule, a message containing a return code of 403 (Forbidden) is logged:

192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:52:25 +0000] "GET /dukes HTTP/1.1" 403 3358 352711-01-521146-5

If a user successfully authenticates and is permitted to access a URL, a message appears that is identical to the one for a failed authentication (a return code of 200), except that this one includes the user’s credentials:

192.168.2.69 - (jdoe)@(AD) [26/Feb/2017:21:51:03 +0000] "GET /dukes HTTP/1.1" 200 262 352711-01-521146-5
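The Web proxy audit log format and the examples above, as a parser that separates failed logins (POST /__extraweb__authen answered 200) from successful ones (302) per source IP, and lists 403 denials per user. This is an added example, not SMA code; the optional shortname@realm, longname and imei fields are handled because the guide's own samples omit them, and the sample lines are those samples.

```python
"""Parse SMA Web proxy audit log (extraweb_access.log) entries and pick out
the authentication and authorization outcomes the examples above describe.

Added example, not SMA code. The field layout follows the guide; the user,
longname and imei fields are optional because the guide's samples omit them."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# source-ip identity shortname@realm [longname] [date/time] "request" code bytes [imei]
_CLF = re.compile(
    r"^(?P<ip>\S+)\s+(?P<ident>\S+)\s+(?P<user>\S+)\s+(?:(?P<longname>\S+)\s+)?"
    r"\[(?P<ts>[^\]]+)\]\s+\"(?P<request>[^\"]*)\"\s+(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+|-)(?:\s+(?P<imei>\S+))?$"
)
AUTH_PATH = "/__extraweb__authen"  # login POST target shown in the examples


def _dash_none(v: Optional[str]) -> Optional[str]:
    """A dash (quoted or not) means 'absent' in this log."""
    v = v.strip('"') if v else v
    return None if v in (None, "-") else v


@dataclass
class WebProxyRecord:
    source_ip: str
    user: Optional[str]      # (shortname)@(realm); None before authentication
    longname: Optional[str]  # DN or CN; None when absent
    timestamp: str
    method: str
    path: str
    http_version: str
    status: int
    bytes_sent: int          # response body only, headers excluded
    imei: Optional[str]


def parse_web_proxy_line(line: str) -> Optional[WebProxyRecord]:
    m = _CLF.match(line.strip())
    if not m:
        return None
    parts = m["request"].split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, version = parts
    return WebProxyRecord(m["ip"], _dash_none(m["user"]), _dash_none(m["longname"]),
                          m["ts"], method, path, version, int(m["status"]),
                          0 if m["bytes"] == "-" else int(m["bytes"]),
                          _dash_none(m["imei"]))


def authentication_outcomes(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per source IP: login POSTs answered 200 (failed) vs 302 (succeeded).
    The source IP is the only identity available on a failed login."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in lines:
        r = parse_web_proxy_line(line)
        if r and r.method == "POST" and r.path == AUTH_PATH:
            if r.status == 200:
                out[r.source_ip]["failed"] += 1
            elif r.status == 302:
                out[r.source_ip]["succeeded"] += 1
    return dict(out)


def denied_requests(lines: List[str]) -> List[Tuple[Optional[str], str]]:
    """(user, request line) for each 403 written by an access rule."""
    return [(r.user, f"{r.method} {r.path} {r.http_version}")
            for r in map(parse_web_proxy_line, lines) if r and r.status == 403]


# Sample lines taken from the guide's examples above.
SAMPLE_LINES = [
    '192.168.200.162 - (extranetuser)@(Translation) '
    '(uid=extranetuser,ou=Users,dc=indigo,dc=com) [31/Mar/2017:09:08:09 -0700] '
    '"GET http://127.0.0.1:455/postauth/interrogator/AventailComponents.exe HTTP/1.1" '
    '200 536016 "-"',
    '192.168.2.69 - - [26/Feb/2017:21:43:30 +0000] "POST /__extraweb__authen HTTP/1.1" '
    '200 3610 352711-01-521146-5',
    '192.168.2.69 - - [26/Feb/2017:21:44:25 +0000] "POST /__extraweb__authen HTTP/1.1" '
    '302 206 352711-01-521146-5',
    '192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:44:25 +0000] '
    '"GET /workplace/access/home HTTP/1.1" 200 15424',
    '192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:52:25 +0000] "GET /dukes HTTP/1.1" '
    '403 3358 352711-01-521146-5',
    '192.168.2.69 - (jdoe)@(AD) [26/Feb/2017:21:51:03 +0000] "GET /dukes HTTP/1.1" '
    '200 262 352711-01-521146-5',
]
```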

Management Console Audit Log

An individual with administrative privileges can view a history of configuration changes that were made to the appliance by reviewing the AMC audit log. This log provides an audit history of configuration changes made in AMC by administrators. Follow the steps in Management Audit Log to view the log (/var/log/aventail/policy_audit.log) in AMC.

An additional AMC-related log file in syslog format (/var/log/aventail/management.log) is also available.

WorkPlace Logs

The WorkPlace log (/var/log/aventail/workplace.log) is useful for troubleshooting access to file shares using Network Explorer, and also answering questions about what Web and network shortcuts are shown on the WorkPlace portal page. Accessing file resources is also logged to the Web proxy service log (extraweb_access.log).

WorkPlace Shortcut Examples

When a user logs in to WorkPlace and successfully sees shortcuts, the log file entries look like this:

1
The username credentials are logged with a session ID (when troubleshooting, just look for the username):

Feb 26 22:03:03 127.0.0.1/127.0.0.1 local7.debug DEBUG [22:03:03,612] GOT: CredentialsManager[teamSessionId=+kMs+1fJYyVOxJ8f/YO0gg==,teamcredentials={username=jdoe} ,credentials={}]

2
Later you see a message indicating a successful load of the shortcut (in this case a Web shortcut):

Feb 26 22:03:03 127.0.0.1/127.0.0.1 local7.debug DEBUG [22:03:03,615] pcsession: <authorize:exit> uri=http://wemmet.internal.net status=SUCCESS

3
The successful load of a network shortcut looks like this:

Feb 26 22:03:03 127.0.0.1/127.0.0.1 local7.debug DEBUG [22:03:03,617] pcsession: <authorize:exit> uri=smb://marshare01/marketing status=SUCCESS

If a user does not see shortcuts (because of an access rule you have set up, for example), the denial of access looks like this:

1
Look for the username at login:

Feb 26 22:12:15 127.0.0.1/127.0.0.1 local7.debug DEBUG [22:12:15,027] GOT: CredentialsManager[teamSessionId=hZ98BEZxdyARJCtjkGl3lA==,teamcredentials={username=dsmith} ,credentials={}]

2
Look for the shortcut information that is failing to load on the user's WorkPlace portal page. This is an example of a Web shortcut failure:

Feb 26 22:12:15 127.0.0.1/127.0.0.1 local7.debug DEBUG [22:12:15,043] pcsession: <authorize:exit> uri=http://wemmet.internal.net status=FAILURE

NOTE: Access (permit/deny) to a resource share is also logged in extraweb_access.log:

192.168.2.69 - (jdoe)@(AD) [26/Feb/2017:22:19:21 +0000] "GET /workplace/access/exec/file/view?path=smb://marshare01/marketing/reports.doc/ HTTP/1.1" 200 4608

An additional WorkPlace-related log file in syslog format (/var/log/aventail/wp_init.log) is also available.

Internationalization Support

Support for Native Character Sets

The appliance provides support for extended character sets or double-byte character sets so that usernames, passwords, resources, WorkPlace shortcuts, and access control rules can be entered and displayed in AMC using native character sets that contain extended or double-byte characters. This also allows support for extended characters or double-byte characters in user authentication prompts, such as username and password fields.

RADIUS Policy Server Character Sets

The appliance supports character encoding for RADIUS policy servers that use non-English character sets. The most recent version of the RADIUS specification (RFC2865) calls for all text fields to contain UTF-8 encoded characters. However, older versions of the RADIUS protocol define text fields as 7-bit US-ASCII. To support RADIUS servers that use an older version of the protocol, AMC enables you to select from a list of the most commonly used character sets, and also lets you enter other character sets.

To change the language setting for a RADIUS server:
1
From the main navigation menu, click Authentication Servers.
2
Click Edit next to the RADIUS server you want to configure. (If you are configuring a RADIUS server in AMC for the first time, see Configuring RSA Server Authentication.)
3
On the Configure Authentication Server page, expand the Advanced area.
4
Under Locale encoding, do one of the following:

Choose a character set from the Selected list box (see Selected RADIUS Character Sets for the available character sets).
Click Other, and then type the name of a character set in the text box. See Other Supported RADIUS Character Sets for a list of those that can be entered.
5
Click Save.

Selected RADIUS Character Sets

The character sets shown in Selected RADIUS character sets are available from the Selected list (under Advanced settings) on the Configure Authentication Server page.

 

Selected RADIUS character sets

Character set

Code page

Arabic

1256

Baltic

1257

Central European

1250

Chinese Simplified (GBK)

936

Chinese Traditional (Big5)

950

Cyrillic

1251

Greek

1253

Hebrew

1255

Japanese (Shift-JIS)

932

Korean

949

Turkish

1254

Unicode (UTF-8)

65001

Vietnamese

1258

Western

1252

Other Supported RADIUS Character Sets

To set the encoding scheme used by your RADIUS server, type one of the character sets shown in Other supported RADIUS character sets in the Locale encoding area on the Configure Authentication Server page.

 

Other supported RADIUS character sets

Language type

Supported character set

 

European languages

ASCII

ISO-8859-1

ISO-8859-2

ISO-8859-3

ISO-8859-4

ISO-8859-5

ISO-8859-7

ISO-8859-9

ISO-8859-10

ISO-8859-13

ISO-8859-14

ISO-8859-15

ISO-8859-16

KOI8-R

KOI8-U

KOI8-RU

CP850

CP866

MacRoman

MacCentralEurope

MacIceland

MacCroatian

MacRomania

MacCyrillic

MacUkraine

MacGreek

MacTurkish

Macintosh

Semitic languages

ISO-8859-6

ISO-8859-8

CP862

MacHebrew

MacArabic

 

Japanese

EUC-JP

ISO-2022-JP

ISO-2022-JP-2

ISO-2022-JP-1

 

 

Chinese

EUC-CN

HZ

GB18030

EUC-TW

CP950

BIG5-HKSCS

ISO-2022-CN

ISO-2022-CN-EXT

 

Korean

CP949

ISO-2022-KR

JOHAB

 

 

Armenian

ARMSCII-8

 

 

Georgian

Georgian-Academy

Georgian-PS

 

 

Tajik

KOI8-T

 

 

Thai

TIS-620

CP874

MacThai

 

 

Laotian

MuleLao-1

CP1133

 

 

Vietnamese

VISCII

TCVN

 

 

Unicode

UCS-2

UCS-2BE

UCS-2LE

UCS-4

UCS-4BE

UCS-4LE

UTF-16

UTF-16BE

UTF-16LE

UTF-32

UTF-32BE

UTF-32LE

UTF-7

 

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://support.sonicwall.com.

In addition, the Support Portal provides direct access to product support engineers through an online Service Request system.

The Support Portal enables you to:

View knowledge base articles and technical documentation
Download software
View video tutorials
Collaborate with peers and experts in user forums
Get licensing assistance
Access MySonicWall
Learn about SonicWall professional services
Register for training and certification

To contact SonicWall Support, refer to https://support.sonicwall.com/contact-support.

To view the SonicWall End User Product Agreement (EUPA), see https://www.sonicwall.com/legal/eupa.aspx. Select the language based on your geographic location to see the EUPA that applies to your region.

 

Warranty and Licensing

Limited Hardware Warranty

SonicWall Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWall), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWall and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWall's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWall's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWall's then-current Support Services policies.

This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWall.

DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

DISCLAIMER OF LIABILITY. SonicWall'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SonicWall OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SonicWall OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWall or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

End User License Agreement

Third-Party Components and Licenses

 

Component: License URL

DHCP client: http://roy.marples.name/projects/dhcpcd

Heimdal kerberos libraries: http://www.h5l.org/

Cyrus SASL libraries: https://cyrusimap.org/mediawiki/index.php/Downloads#Licensing

SSH library: http://www.libssh2.org

OpenLDAP libraries: http://www.openldap.org/

Apple ZeroConf responder: http://opensource.apple.com/source/mDNSResponder/

Balabit Syslog-NG server: http://www.balabit.com/

SSH daemon: http://www.openssh.org/

SSL libraries: http://www.openssl.org/

Regular expression library: http://www.pcre.org/

Tiny SSH daemon for recovery: https://matt.ucc.asn.au/dropbear/dropbear.html

MIT license: http://en.wikipedia.org/wiki/MIT_license

URL retrieval library: http://curl.haxx.se/

Java logging library: http://www.slf4j.org/

XML/XSLT parsing library: http://www.xmlsoft.org/

Java crypto library: http://www.bouncycastle.org/

INI parsing library: http://ndevilla.free.fr/iniparser/

Java HTML library: http://jsoup.org/

RADVD specific license: http://cvs.litech.org/viewcvs/radvd/COPYRIGHT?rev=1.2&view=markup

IPv6 routing daemon: http://www.litech.org/radvd/

NTP specific license: http://www.eecis.udel.edu/~mills/ntp/html/copyright.html

NTP daemon: http://www.ntp.org/

SNMP specific license: http://www.net-snmp.org/about/license.html

SNMP libraries & daemon: http://www.net-snmp.org/

LZ4 compression: http://fastcompression.blogspot.com/p/lz4.html

libgd graphics library: https://github.com/libgd/libgd/blob/4751b606fa38edc456d627140898a7ec679fcc24/docs/naturaldocs/license.txt

Apache HttpComponents: http://hc.apache.org/

Apache Commons Net: http://commons.apache.org/net/

Xerces2: http://xerces.apache.org/xerces2-j/

ActiveMQ: http://activemq.apache.org/

Apache Axis2: http://axis.apache.org/axis2/java/core/

Apache Rampart: http://axis.apache.org/axis2/java/rampart/

Grub2 Bootloader: http://www.gnu.org/software/grub/

JFreeChart: http://www.jfree.org/jfreechart/

Spin.js: http://fgnass.github.io/spin.js/

detect-element-resize.js: https://github.com/sdecima/javascript-detect-element-resize

Datatables: https://www.datatables.net

GNU General Public License (GPL) Source Code

SonicWall will provide a machine-readable copy of the GPL open source on a CD. To obtain a complete machine-readable copy, send your written request, along with a certified check or money order in the amount of US $25.00 payable to SonicWall, Inc. to:

General Public License Source Code Request
SonicWall, Inc. Attn: Jennifer Anderson
5455 Great America Parkway
Santa Clara, CA 95054

Open Source Licenses

This appendix provides a list of the open source licenses used by SonicWall.

======

Django

======

Copyright (c) Django Software Foundation and individual contributors.

All rights reserved.

 

Redistribution and use in source and binary forms, with or without modification,

are permitted provided that the following conditions are met:

 

1. Redistributions of source code must retain the above copyright notice,

this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright

notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.

3. Neither the name of Django nor the names of its contributors may be used

to endorse or promote products derived from this software without

specific prior written permission.

 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR

ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON

ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 

======

PyMySQL

======

Copyright (c) 2010, 2013 PyMySQL contributors

 

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

in the Software without restriction, including without limitation the rights

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

copies of the Software, and to permit persons to whom the Software is

furnished to do so, subject to the following conditions:

 

The above copyright notice and this permission notice shall be included in

all copies or substantial portions of the Software.

 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

THE SOFTWARE.

 

======

Beautifulsoup

======

Beautiful Soup is made available under the MIT license:

 

Copyright (c) 2004-2015 Leonard Richardson

 

Permission is hereby granted, free of charge, to any person obtaining

a copy of this software and associated documentation files (the

"Software"), to deal in the Software without restriction, including

without limitation the rights to use, copy, modify, merge, publish,

distribute, sublicense, and/or sell copies of the Software, and to

permit persons to whom the Software is furnished to do so, subject to

the following conditions:

 

The above copyright notice and this permission notice shall be

included in all copies or substantial portions of the Software.

 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,

EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

SOFTWARE.

 

Beautiful Soup incorporates code from the html5lib library, which is

also made available under the MIT license. Copyright (c) 2006-2013

James Graham and other contributors

 

======

django-mysql-pymysql

======

Copyright (c) Django Software Foundation and individual contributors.

All rights reserved.

 

Redistribution and use in source and binary forms, with or without modification,

are permitted provided that the following conditions are met:

 

1. Redistributions of source code must retain the above copyright notice,

this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright

notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.

 

3. Neither the name of Django nor the names of its contributors may be used

to endorse or promote products derived from this software without

specific prior written permission.

 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR

ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON

ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 

======

html5lib

======

Copyright (c) 2006-2013 James Graham and other contributors

 

Permission is hereby granted, free of charge, to any person obtaining

a copy of this software and associated documentation files (the

"Software"), to deal in the Software without restriction, including

without limitation the rights to use, copy, modify, merge, publish,

distribute, sublicense, and/or sell copies of the Software, and to

permit persons to whom the Software is furnished to do so, subject to

the following conditions:

 

The above copyright notice and this permission notice shall be

included in all copies or substantial portions of the Software.

 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,

EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE

LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION

OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION

WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

 

======

six

======

Copyright (c) 2010-2016 Benjamin Peterson

 

Permission is hereby granted, free of charge, to any person obtaining a copy of

this software and associated documentation files (the "Software"), to deal in

the Software without restriction, including without limitation the rights to

use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of

the Software, and to permit persons to whom the Software is furnished to do so,

subject to the following conditions:

 

The above copyright notice and this permission notice shall be included in all

copies or substantial portions of the Software.

 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS

FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR

COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER

IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

 

======

Flask

======

Copyright (c) 2013 by Armin Ronacher and contributors. See AUTHORS

for more details.

 

Some rights reserved.

 

Redistribution and use in source and binary forms of the software as well

as documentation, with or without modification, are permitted provided

that the following conditions are met:

 

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

 

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided

with the distribution.

 

* The names of the contributors may not be used to endorse or

promote products derived from this software without specific

prior written permission.

 

THIS SOFTWARE AND DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND

CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT

NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER

OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE AND DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

 

 

======

Flask-RESTful

======

Copyright (c) 2013 by Armin Ronacher and contributors. See AUTHORS

for more details.

 

Some rights reserved.

 

Redistribution and use in source and binary forms of the software as well

as documentation, with or without modification, are permitted provided

that the following conditions are met:

 

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

 

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided

with the distribution.

 

* The names of the contributors may not be used to endorse or

promote products derived from this software without specific

prior written permission.

 

THIS SOFTWARE AND DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND

CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT

NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER

OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE AND DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

 

 

======

Jinja2

======

Copyright (c) 2009 by the Jinja Team, see AUTHORS for more details.

 

Some rights reserved.

 

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are

met:

 

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

 

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided

with the distribution.

 

* The names of the contributors may not be used to endorse or

promote products derived from this software without specific

prior written permission.

 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 

======

MarkupSafe

======

Copyright (c) 2010 by Armin Ronacher and contributors. See AUTHORS

for more details.

 

Some rights reserved.

 

Redistribution and use in source and binary forms of the software as well

as documentation, with or without modification, are permitted provided

that the following conditions are met:

 

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

 

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided

with the distribution.

 

* The names of the contributors may not be used to endorse or

promote products derived from this software without specific

prior written permission.

 

THIS SOFTWARE AND DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND

CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT

NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER

OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE AND DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

 

======

Werkzeug

======

Copyright (c) 2014 by the Werkzeug Team, see AUTHORS for more details.

 

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are

met:

 

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

 

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided

with the distribution.

 

* The names of the contributors may not be used to endorse or

promote products derived from this software without specific

prior written permission.

 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 

======

aniso8601

======

Copyright (c) 2014, Brandon Nielsen

All rights reserved.

 

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are met:

 

1. Redistributions of source code must retain the above copyright notice, this

list of conditions and the following disclaimer.

 

2. Redistributions in binary form must reproduce the above copyright notice,

this list of conditions and the following disclaimer in the documentation

and/or other materials provided with the distribution.

 

3. Neither the name of the copyright holder nor the names of its contributors

may be used to endorse or promote products derived from this software

without specific prior written permission.

 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,

OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 

======

itsdangerous

======

Copyright (c) 2011 by Armin Ronacher and the Django Software Foundation.

 

Some rights reserved.

 

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are

met:

 

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

 

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided

with the distribution.

 

* The names of the contributors may not be used to endorse or

promote products derived from this software without specific

prior written permission.

 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 

======

pytz

======

“Copyright 2015 Stuart Bishop <stuart@stuartbishop.net>”

 

======

UWSGI

======

----------------------------------------------------------------------

 

LINKING EXCEPTION

 

In addition to the permissions in the GNU General Public License,

the authors give you unlimited permission to link the compiled

version of this library into combinations with other programs,

and to distribute those combinations without any restriction

coming from the use of this file. (The General Public License

restrictions do apply in other respects; for example, they cover

modification of the file, and distribution when not linked into

a combined executable.)

 

----------------------------------------------------------------------

 

 

GNU GENERAL PUBLIC LICENSE

Version 2, June 1991

 

Copyright (C) 1989, 1991 Free Software Foundation, Inc.,

51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies

of this license document, but changing it is not allowed.

 

Preamble

 

The licenses for most software are designed to take away your

freedom to share and change it. By contrast, the GNU General Public

License is intended to guarantee your freedom to share and change free

software--to make sure the software is free for all its users. This

General Public License applies to most of the Free Software

Foundation's software and to any other program whose authors commit to

using it. (Some other Free Software Foundation software is covered by

the GNU Lesser General Public License instead.) You can apply it to

your programs, too.

 

When we speak of free software, we are referring to freedom, not

price. Our General Public Licenses are designed to make sure that you

have the freedom to distribute copies of free software (and charge for

this service if you wish), that you receive source code or can get it

if you want it, that you can change the software or use pieces of it

in new free programs; and that you know you can do these things.

 

To protect your rights, we need to make restrictions that forbid

anyone to deny you these rights or to ask you to surrender the rights.

These restrictions translate to certain responsibilities for you if you

distribute copies of the software, or if you modify it.

 

For example, if you distribute copies of such a program, whether

gratis or for a fee, you must give the recipients all the rights that

you have. You must make sure that they, too, receive or can get the

source code. And you must show them these terms so they know their

rights.

 

We protect your rights with two steps: (1) copyright the software, and

(2) offer you this license which gives you legal permission to copy,

distribute and/or modify the software.

 

Also, for each author's protection and ours, we want to make certain

that everyone understands that there is no warranty for this free

software. If the software is modified by someone else and passed on, we

want its recipients to know that what they have is not the original, so

that any problems introduced by others will not reflect on the original

authors' reputations.

 

Finally, any free program is threatened constantly by software

patents. We wish to avoid the danger that redistributors of a free

program will individually obtain patent licenses, in effect making the

program proprietary. To prevent this, we have made it clear that any

patent must be licensed for everyone's free use or not licensed at all.

 

The precise terms and conditions for copying, distribution and

modification follow.

 

GNU GENERAL PUBLIC LICENSE

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

 

0. This License applies to any program or other work which contains

a notice placed by the copyright holder saying it may be distributed

under the terms of this General Public License. The "Program", below,

refers to any such program or work, and a "work based on the Program"

means either the Program or any derivative work under copyright law:

that is to say, a work containing the Program or a portion of it,

either verbatim or with modifications and/or translated into another

language. (Hereinafter, translation is included without limitation in

the term "modification".) Each licensee is addressed as "you".