
Secure Mobile Access 12.0 Admin Guide

Components

 

The WorkPlace Portal

A Quick Tour of WorkPlace

This section gives a general overview of WorkPlace from the customer perspective.

The WorkPlace portal provides your users with dynamically personalized access to Web-based (HTTP) resources. It also gives users access from their Web browsers to files and folders on Windows file servers, and to TCP/IP resources through Secure Mobile Access agents that can be provisioned from WorkPlace.

The SMA appliance includes a default WorkPlace portal that you can modify. Additional sites can be set up for different user populations, each with its own appearance; see WorkPlace Sites for more information. For details on client system requirements for WorkPlace, see System Requirements.

When users browse to the WorkPlace address, they are presented with an Authentication page, where they log in with their username and password. This page also gives users the option of changing their password.

Users authenticating with a client certificate do not see this page. In lieu of the Authentication page, a one-time password may be required; the password is requested through this screen, and the administrator sends an email containing it.

NOTE: If you’ve configured the system to use End Point Control, see End Point Control and the User Experience for information on how it affects the way users access the system.

After supplying their authentication credentials, WorkPlace checks for a current licensing agreement. If there is a problem with licensing, a message appears, indicating this is a licensing failure and not some other kind of authentication failure, such as a mis-typed password. Users should contact their administrator.

Depending on how the system is configured, users may be required to agree to an Acceptable Use Policy or other licensing agreement.

The AUP may display specific messages or instructions the user needs to agree to. Users who do not accept the license agreement will not be able to access WorkPlace.

NOTE: If a realm is configured with an AUP, login attempts from tunnel clients older than version 11.4 will fail. Users must upgrade their client to version 12.0.1 or later to connect. If tunnel client auto-upgrades are enabled in the AUP realm, users will be unable to connect in order to upgrade. In this case, the administrator must configure a separate realm without an AUP (to allow for automated client upgrades) or upgrade the clients by other means.

Home Page

After a user has authenticated, and provided licensing is up to date, the WorkPlace home page appears. WorkPlace can include a personal bookmarks area with relevant links to other resources. This area may contain pre-configured bookmarks from the administrator, or users can add their own links to resources or web sites.

NOTE: If you are using Firefox on a Linux system with Java 1.7u71 installed, you will not be able to launch WorkPlace. You will get the error message "Unable to authorize request. Zone classification process has not completed."

Configurable WorkPlace Elements

Most of the features on the home page are configurable; see Configurable WorkPlace elements.

 

Configurable WorkPlace elements

WorkPlace element

Description

Layout

WorkPlace page content and layout can be customized on a per-community basis. These layout elements include:

Content (what shortcuts and shortcut groups are displayed)
Pages (single vs. multiple)
Columns (single vs. multiple)
Navigation (on the left or along the top)

See Modifying the Appearance of WorkPlace for details.

Shortcuts

Shortcut groups

These are administrator-defined shortcuts to the Web, file system, and terminal server resources that the user is allowed to access. Shortcuts are dynamically displayed based on your access policy: each user sees only those resources he or she has privileges to use.

Each type of shortcut behaves differently:

Web resource: Opens in a new browser window.
Terminal server resource: Opens in a new browser window and the appropriate graphical terminal agent is automatically started or, if necessary, provisioned.
Shared folder or file: Opens the WorkPlace Network Explorer page, which appears in a new browser window. Network shortcuts, which point to file system resources, do not appear if you have disabled all access to file system resources (disabling access to file system resources is described in Configuring WorkPlace General Settings).
Bookmarks: Provides all basic bookmark functionality (RDP, Citrix, VNC, Telnet, and SSHv2) of WorkPlace user-defined bookmarks.
Custom Shortcuts: Behaves according to the custom configuration.

For information about creating shortcuts, see Working with WorkPlace Shortcuts.

Connect Tunnel

You can define custom connections for the Connect Tunnel client from the WorkPlace portal.

Help button

The Help system included with WorkPlace contains all the basic information that a user will need. If you would like to make a custom HTML help file available to users instead, you can specify it when you configure your WorkPlace style. This is a convenient way to add information that is unique to your environment (for example, information about the resources available on your VPN, and technical support details). This file must be a well-formed, single HTML file.

Built-In WorkPlace Elements

When you set up a WorkPlace portal for users, you can choose from among several built-in resources and WorkPlace elements; see Built-in WorkPlace elements. If you offer these resources, they can be configured on a per-community basis.

 

Built-in WorkPlace elements

WorkPlace element

Description

Intranet Address

You can specify whether you want this box to appear and configure whether it can be used to access Web resources (by typing a URL), file system resources (by typing a UNC path name), or both.

See Intranet Address Field for details.

Personal Bookmarks

You can allow users to create and manage personal links (similar to bookmarks) that point to URLs and other resources, such as SMB hosts, protected by the SMA appliance. Personal links are stored on the appliance; users have access to them whenever they are logged in to WorkPlace, regardless of the computer they are using.

See Bookmarks for more information.

Connect Tunnel

You can make the built-in Install Connect Tunnel shortcut available to enable users to download and install the Connect Tunnel client from the WorkPlace portal.

Network Explorer

You can offer users the ability to browse a Windows network containing shared folders and files.

See Network Explorer Page for more information.

WorkPlace Status Bar

The WorkPlace pages have a status bar; see WorkPlace status bar elements.

WorkPlace status bar elements

WorkPlace element

Description

Access

Indicates which user access methods are currently running.

For more information about user access agents, see User Access Components and Services.

User

The username used during login.

Session start

The time at which the current session began, in 24-hour format.

Log out button

Users can log out of WorkPlace using this button, but this does not necessarily log them out of any applications that are running (depending on which user access agent is being used). To increase security, users should log out of or quit applications when they finish working with them, particularly when working on computers that are shared with other users.

Details

Users can click this button for system status information (not all items appear for all users):

Zone: Security zones are used to allow or deny access to members of each community.
Realm: A realm allows users to authenticate using credentials stored on an external authentication server.
Community: Communities allow you to group realm members based on different security needs.
Data protection: Cache Cleaner.
NOTE:
For users accessing WorkPlace on small form factor devices, the WorkPlace appearance varies depending on the capabilities of the device. For more information, see End Point Control and the User Experience.
On Windows systems, using browser toolbars with popup blocking enabled may prevent WorkPlace from closing any open Network Explorer and graphical terminal session windows when the main WorkPlace window is closed.
Logging out of Outlook Web Access (OWA) during a WorkPlace session also logs the user out of WorkPlace. This is because the OWA logoff script clears all browser cookies, including the one used by WorkPlace. Users can simply close the browser window instead of logging out of OWA to work around this issue.

Intranet Address Field

If enabled, the Intranet Address field appears along the bottom of the WorkPlace page, except on small form factor devices, and gives users an alternate method to access Web resources, Windows network resources, and terminal servers.

When you set up communities within a realm (for example, a community of employees and one of partners), you can give each one a unique appearance, using WorkPlace styles and layouts. The WorkPlace layout determines whether the Intranet Address box is displayed for a particular community. See Creating or Editing a WorkPlace Layout for more information.

Configuring the functionality of the Intranet Address field is a global configuration setting. Depending on the configuration, users can type URLs to reach Web resources if WorkPlace is running in translated mode, or they can type UNC paths to reach file system resources. (If WorkPlace is running in non-translated mode, users can type URLs directly in the Internet Explorer Address field.) This is especially useful if you have defined an entire DNS or Windows domain as a resource and want to give a group of users direct access to all the resources in that domain.

To access a Web resource or terminal server when WorkPlace is running in translated mode, the user types the URL in the Intranet Address field, and then clicks Go. If the user has appropriate access privileges, the resource then opens in a new browser window.

The Intranet Address field accepts a variety of user input for accessing Web resources and terminal servers. Here are some guidelines, as shown in Intranet address input guidelines.

 

Intranet address input guidelines

Element

Description

Resource address

A user can access a resource by typing a complete URL (domain and host name) or just a host name. For example, a user could access a resource named CRM on a host named fred using a full URL (such as http://fred.example.com/CRM/) or a host name (such as http://fred/CRM/ or fred/CRM/).

UNC path

To access a file system resource, the user types the UNC path (for example, \\jax\software\download) in the Intranet Address field, and then clicks Go. If the user has appropriate access privileges, the Network Explorer page appears, displaying the contents of the requested file system resource.

Protocol

The user does not need to include the http:// protocol identifier to access a standard Web resource. To access a secure Web site, however, the user must include the https:// protocol identifier.

When specifying a terminal server resource name, users must include the appropriate protocol identifier in the URL. Supported terminal server types are Windows Terminal Services, which uses the rdp:// identifier, and Citrix, which uses citrix://.

Port number

To access a Web resource on a non-standard port (that is, other than 80), the user must type the port number after the host name. For example, fred:8080/SAP and https://fred:443/SAP are both valid entries.

For information about configuring the Intranet Address field to allow access to UNC pathnames, URLs, or both, see Configuring WorkPlace General Settings.
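As an added illustration (not SMA code), the following Python function applies the input rules above: a UNC path goes to Network Explorer, rdp:// and citrix:// identify terminal servers, http:// is optional for Web resources, https:// is required for secure sites, and an explicit port overrides the default. The enable_unc and enable_url flags stand in for the Enable access to UNC pathnames and Enable access to URLs settings; the function and field names are assumptions made for this example.

```python
"""Classify and normalize text typed into the WorkPlace Intranet Address field.

Illustrative example only; not SMA code. Names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Protocol identifiers the guidelines say the field accepts; anything else is rejected.
WEB_SCHEMES = {"http": 80, "https": 443}      # scheme -> default port
TERMINAL_SCHEMES = {"rdp", "citrix"}          # Windows Terminal Services, Citrix


@dataclass(frozen=True)
class IntranetTarget:
    kind: str               # "web", "terminal" or "unc"
    scheme: Optional[str]   # http/https/rdp/citrix; None for a UNC path
    host: Optional[str]     # host name or FQDN; the server name for a UNC path
    port: Optional[int]     # explicit or default Web port; None for UNC/terminal
    path: str               # URL path, or the full UNC path


def parse_intranet_address(text: str, enable_unc: bool = True,
                           enable_url: bool = True) -> IntranetTarget:
    """Return the resource the user asked for, or raise if it is malformed
    or the corresponding WorkPlace general setting is disabled."""
    raw = text.strip()
    if not raw:
        raise ValueError("empty input")

    # UNC path, e.g. \\jax\software\download -> Network Explorer page.
    if raw.startswith("\\\\"):
        if not enable_unc:
            raise PermissionError("access to UNC pathnames is disabled")
        parts = [p for p in raw[2:].split("\\") if p]
        if len(parts) < 2:  # at least \\server\share is required
            raise ValueError("UNC path must name a server and a share")
        return IntranetTarget("unc", None, parts[0].lower(), None, raw)

    if not enable_url:
        raise PermissionError("access to URLs is disabled")

    # "fred/CRM/" or "fred:8080/SAP": the http:// identifier is optional.
    if "://" not in raw:
        raw = "http://" + raw
    split = urlsplit(raw)
    scheme = split.scheme.lower()
    host = split.hostname            # lower-cased, port stripped
    if not host:
        raise ValueError("no host name in input")

    if scheme in TERMINAL_SCHEMES:
        # Terminal servers must carry their protocol identifier explicitly.
        return IntranetTarget("terminal", scheme, host, split.port, split.path)
    if scheme in WEB_SCHEMES:
        # Non-standard port must be typed after the host; otherwise use the default.
        port = split.port if split.port is not None else WEB_SCHEMES[scheme]
        return IntranetTarget("web", scheme, host, port, split.path or "/")
    raise ValueError(f"unsupported protocol identifier: {scheme}://")
```

The result is only the normalized target; access still depends on the user's access control policy, which the Intranet Address settings do not change.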

Bookmarks

Users can create personal links in WorkPlace for quick access to any resources that they have privileges to use. This can include WorkPlace user-defined Web URL, RDP, VNC, Citrix, FTP, SSH, and Telnet bookmarks. Users can also minimize their bookmark list, edit the bookmark list, and edit individual RDP bookmarks.

WorkPlace personal links are similar to Web browser bookmarks or favorites lists except that they are stored on the SMA appliance, while standard browser bookmarks are stored on a specific computer. Users can access and manage their WorkPlace personal links whenever they are logged in to WorkPlace, regardless of the computer they are using.

When you set up communities within a realm (for example, a community of employees and one of partners), you can give each one a unique appearance, using WorkPlace styles and layouts. The WorkPlace layout determines whether the Personal Bookmarks group is displayed for a particular community. See Creating or Editing a WorkPlace Layout for more information.

* 
NOTE: To access non-HTTP resources (for example, an SMB host) through WorkPlace bookmarks, users must be running an access agent, such as one of the tunnel clients. For more information, see User Access Agents.

Custom RDP Bookmarks

Custom settings for user remote desktop links are managed through the Custom RDP Link window. Screen resolution and color depth can be controlled by either the user or administrator. Single sign-on allows the administrator to customize the user sign on to request specific credentials or enable specific domains.

Network Explorer Page

When a user accesses a file system resource (by clicking a network shortcut, typing a UNC path in the Intranet Address box, or clicking the Network Explorer link on the WorkPlace home page), the Network Explorer page appears. The capabilities of the Network Explorer depend on whether the user has Sun JRE Version 1.6 update 34 or newer installed. If this Java version is present, the enhanced form appears. If these updates are not installed, the HTML version of Network Explorer appears. This HTML version is limited in capability. To take full advantage of the enhanced Network Explorer, download the latest Java updates. The Network Explorer page is not available on small form factor devices.

NOTE: The latest Java and JRE versions can be downloaded from http://www.java.com.

The Enhanced Network Explorer

The latest WorkPlace Explorer allows users to browse domains, servers, shares, folders, and files by clicking links or using drag-and-drop and multiple file selection capabilities. Bookmarks can be used to quickly navigate through networks from the portal level. This feature saves time in moving through network and server paths.

The Network Explorer window has a right and left pane, allowing resources to be moved between the user’s computer and the local network.

If directories are drag-and-dropped between resources, all resources under that directory will be recursively moved. A status bar appears to show the progress of the operation.

The window on the left shows the file system on the local machine. The window on the right allows you to browse network domains and computers, and their associated file shares. Using these windows, you can manipulate files and copy between the remote and local file systems. Both windows have a tool bar at the top, which allows you to easily navigate through the items in the window.

Moving resources will cause all resources under them to be transferred recursively.

The HTML Network Explorer

This version of Network Explorer is the default if the user does not have the necessary Java installed. In the HTML version, the page displays the contents of the requested file system resource and, depending on the user’s access privileges, allows the user to perform the following actions on a file:

View contents and properties, rename, copy, move, download, and delete.
Create new folders.
If the administrator has enabled upload functionality, and the user has write privileges, the user can upload files. See Configuring WorkPlace General Settings for more information.

RDP, VNC, SSH, and Telnet Using HTML5


About HTML5 and RDP, VNC, SSH, and Telnet

HTML5 clients can connect to backend systems using RDP, VNC, SSH, and Telnet. HTML5 clients can use Single Sign-On (SSO), copy and paste, multiple language keyboard support, scroll back, and dynamic window resizing. Users also have wider connectivity, such as cross-browser, cross-OS support.

 
NOTE: RDP, VNC, SSH and Telnet using HTML5 can be configured in SMA 12.0.1 on an SMA 1000 series appliance or in SMA 12.0.1 WorkPlace.

HTML5 clients eliminate the management of the endpoint clients, such as Java and ActiveX.

The HTML5 features list below summarizes the HTML5 features available for RDP, SSH and Telnet, and VNC.

HTML5 features (RDP, SSH and Telnet, VNC)

Keyboard - AMC Support
SSO (SSH and Telnet, VNC)
Keyboard enhancements
Scroll back
Performance improvements for Mac screen sharing
TLS/NLA - AMC Support
RDP Certificate identity warning
Dynamic Window Resize (remove Window size AMC option)
Window Control
Copy-Paste (RDP, SSH and Telnet)
Encoding, Compression Level, JPEG Image Quality, Cursor Shape Update, Use CopyRect, Restricted Colors, View Only, Share Desktop
Optimize for tablets/phones
Zoom-in and Zoom-out
Per Device License
Host Key - SSH default font size

RDP Using HTML5


Server Authentication for RDP

Server authentication verifies that users are connecting to the intended remote computer or server.

You can choose what actions the system will take if server authentication fails by setting the certificate verification options.

On the Graphical Terminal Shortcut > Advanced page of the AMC, you can select from these options:

Connect and do not warn the user
Warn the user
Do not connect

On the Remote Desktop Connection page of your RDP device, you can select from these options:

Connect and don’t warn me
Warn me
Do not connect

Keyboard Support for RDP

Keyboard support for WorkPlace and AMC has been enhanced with support for additional languages. You can select the keyboard language from a drop-down menu in WorkPlace and in AMC. The language that the browser is set to is used as the default keyboard language.

These keyboard languages are supported in SMA 12.0.1:

Danish
Dutch
English (United Kingdom)
English (United States)
Finnish
French (Belgium)
French (Canada)
French (France)
French (Switzerland)
German (Germany)
German (Switzerland)
Hungarian
Italian
Luxembourgish
Norwegian
Russian
Spanish
Swedish

Copy and Paste in HTML5 RDP

You can copy and paste text from one RDP device to another as follows:

Local to local
Local to Remote
Remote to local

VNC Using HTML5


Adding or Editing VNC Options

On the Add Graphical Terminal Shortcut > Advanced page, you can add or edit the VNC Single Sign On (SSO) options and choose the type of VNC display password to use:

None (prompt user)
Use user’s session password
Use custom password

Configuring VNC Display Properties

On the Add Graphical Terminal Shortcut > Advanced page, you can configure the following VNC display properties:

Encoding
Compression Level
JPEG Image Quality
Cursor Shape Update
Use CopyRect
Restricted Colors
View Only
Share Desktop

Scaling the VNC Window

You can scale the VNC window by choosing from the following options:

No scaling: The size of the VNC window is fixed. The user can change the size of the browser window, but the VNC remote desktop window keeps the size specified by the VNC server.
Scale to window: The size of the VNC window is not fixed; it is scaled to the size of the browser window. The user can change the VNC window size by changing the browser window size.
Full screen: When the browser is in full screen mode, the VNC window is scaled to the size of the browser window. This option is not shown on browsers that do not support full screen mode, such as Safari on iOS.
Keep aspect ratio: The aspect ratio of the VNC window stays as specified by the VNC server. This option is only available when Scale to window or Full screen is selected.

SSH and Telnet Using HTML5


Configuring Single Sign On for SSH and Telnet

You can configure Single Sign On (SSO) for SSH or Telnet on the Add Text Terminal Shortcut > Advanced page.

You can configure SSO with the following options:

None (prompt user)
Forward user’s session credentials
Forward static credentials (you must define a static username and password)

Scrolling and Zoom in SSH and Telnet

Scrolling is possible in SSH and Telnet. You can scroll backward and forward and see all the entries and text in the current SSH or Telnet window session. You can also zoom in and out on the text and resize the window itself.

Copy and Paste for SSH and Telnet

You can copy and paste to or from an SSH window or a Telnet window to or from another window.

Configuring the Host Key and Font Size for SSH

In SSH only, you can configure the following options (in WorkPlace or in AMC):

Automatically accept host key
Default font size

Web Shortcut Access

The SMA appliance offers two options for providing access to basic Web (HTTP) resources through WorkPlace shortcuts for users who are running the OnDemand Tunnel agent:

Redirect through network agent: When this method is enabled, Web content is proxied through the appliance for users running the OnDemand Tunnel agent, provided that the agent is loaded. In this method, Web traffic from WorkPlace links does not use translation, does not support single sign-on, and does not use URL-based rules to control access. However, this method generally provides better application compatibility than the Web content translation option does.

If you enable this setting, you can optionally configure selected WorkPlace resources to be translated by defining aliases for those specified resources. You can also enforce policy at the URL level and support single sign-on using this approach. For more information, see Adding Web Application Profiles.

Web content translation: Web content is translated using the Secure Mobile Access Web translation engine, a reverse proxy that provides single sign-on and fine-grained access control. When this method is enabled, you can provide single sign-on and use URL-based rules to control access; however, this method provides more limited application compatibility than the Redirect through network agent option does. To provide single sign-on, you must specify an alias to the resource; for more information, see Adding Resources.

The Web shortcut access method you choose will depend on several factors, including the network protocols used by your applications, your security requirements, convenience for end users, and the target platforms. This option is configured on the WorkPlace Settings page.

Configuring WorkPlace General Settings

This section describes how to configure the WorkPlace general settings that apply to any WorkPlace site that you create. You decide here whether to enable access to UNC pathnames, URLs, or both in the Intranet Address box, but your WorkPlace layout determines whether the Intranet Address box is displayed for a particular community.

You can customize WorkPlace to varying degrees:

You can modify the appearance of WorkPlace by setting up a style that uses a particular logo, color scheme, and greeting text. For a consistent look, this same style can be specified for the site’s login, error, and notification pages. See WorkPlace Sites for more information.
For sites that require even more control over the look and feel of WorkPlace, see Fully Customizing WorkPlace Pages.
To configure WorkPlace general settings:

1. From the main navigation menu, click Services, and then, in the Access services section, under WorkPlace, click Configure. The Settings tab for WorkPlace appears.

2. Select one of the Web shortcut access options. This setting determines how URL resources are accessed if WorkPlace activates the tunnel agent. For information about these options, see Web Shortcut Access.
    Redirect through network agent: Web content is proxied through the appliance for users running the OnDemand Tunnel agent.
    Use Web content translation: Web content is translated using the Secure Mobile Access Web translation engine.

3. If the layout specified for your WorkPlace site includes the Network Explorer resource, users will have access to file system resources from the Network Explorer page in WorkPlace. Select Enable file uploads to < > megabytes to enable users to upload files to a Windows file system resource. This setting takes precedence over any permissions you set in a file system access control rule. If an access rule grants a user write access to a file system but file uploads are disabled for the WorkPlace service, the user can only move and delete files, not write to them.

A single file upload cannot exceed the number of megabytes you specify. Enabling users to upload large files may have a negative effect on the performance of the appliance.

4. In the Intranet Address box area, specify settings that control the functionality of the Intranet Address box in WorkPlace. (Whether the Intranet Address field is available is specified in your WorkPlace layout and also depends on your device: it cannot be displayed on mobile devices.)

Select Enable access to UNC pathnames and Enable access to URLs if you want to enable users to reach a Web resource by typing its UNC pathname or URL in the Intranet Address field on WorkPlace. This can be useful if, for example, you have defined an entire DNS domain as a resource and want to provide access to all Web servers within the domain without needing to define each individual Web resource in the domain. This setting applies only when WorkPlace is running in translated mode.

For information about defining Web resources, see Adding Resources.

NOTE:
The settings that you specify in the Intranet Address field have no effect on your access control policy. For a detailed discussion of this feature, see Intranet Address Field.
If you are concerned that user credentials may be stolen, you can offer (or require) that users logging in to WorkPlace provide their credentials by pointing to characters on a keyboard display instead of typing them. See Using the Virtual Keyboard to Enter Credentials for more information.

Working with WorkPlace Shortcuts

WorkPlace enables users with appropriate access privileges to use a Web browser to access Web resources, terminal servers, and files and folders on a Windows file server. Even though you may have defined your resources in AMC, none of them appear in WorkPlace until you create corresponding shortcuts. This section explains how to create and manage the shortcuts and shortcut groups in WorkPlace.

For information about enabling access to file system resources, file uploads, and the Intranet Address field, see Configuring WorkPlace General Settings.

Viewing Shortcuts

As the administrator, you see the entire list of shortcuts you have configured in AMC; however, when a user logs into WorkPlace, the list is filtered to display only the resources that he or she has permission to use, based on your policy and the type of device for which the shortcut is enabled. All types of shortcuts (Web, network, and graphical terminal) and groups of shortcuts are displayed in AMC and WorkPlace. How they are laid out is determined by the WorkPlace layout in use for a given community.

To view shortcuts in AMC:

1. From the main navigation menu, click WorkPlace.

2. Optionally use the Filters settings to display only the objects you are interested in. For information about using filters, see Filters.

3. Review the data in the Shortcuts list:
    To display configuration details about a shortcut, click the plus sign (+) next to it. You’ll see the description, what shortcut group it belongs to, if any, whether it is restricted by device type, and the names of any WorkPlace layouts to which it belongs.
    The number indicates the order in which the shortcut is listed in WorkPlace; you can change this order here, or edit the list of shortcuts associated with a layout on the Configure WorkPlace Layout page. For more information about changing a layout, see Creating or Editing a WorkPlace Layout.
    The Link text column displays the hyperlink text that users see.
    The Resource column displays the name of the resource as defined on the Resources page in AMC. For more information about configuring resources, see Creating and Managing Resources.
    The Type column indicates the type of shortcut. The supported shortcut types are Web, network, and graphical terminal.
    The Used column indicates whether the shortcut is included in a group or WorkPlace layout.

4. Use the checkboxes to select the shortcuts you want to move or delete.

Viewing Shortcut Groups

To view shortcut groups in AMC:

1. From the main navigation menu, click WorkPlace.

2. Click the Shortcut Groups tab.

3. Optionally use the Filters settings to display only the objects you are interested in. For information about using filters, see Filters.

4. Review the data in the list of groups:
    To display configuration details about a shortcut group, click the plus sign (+) next to it. You’ll see what shortcuts it includes, and the names of any WorkPlace layouts to which it belongs.
    The number indicates the order in which the shortcut group is listed in WorkPlace; you can change this order here, or edit the list of groups associated with a layout on the Configure WorkPlace Layout page.
    The Name column displays the group heading that users see.
    The Description column contains the description, if any, that you gave this group.
    The Used column indicates whether the shortcut group is used by a WorkPlace layout.

5. Use the checkboxes to select the groups you want to move or delete.

Adding Web Shortcuts

Web shortcuts give your users quick access to Web resources. Before you can create a shortcut to a Web resource, you must first define the resource; for more information, see Adding Resources.

To add a Web shortcut:

1. From the main navigation menu, click WorkPlace.

2. On the Shortcuts page, click New. A drop-down menu appears.

3. Select Web shortcut from the list. The Add Web Shortcut page appears.

4. In the Position field, type a number that specifies the shortcut’s position in the list.

5. In the Resource drop-down menu, select the resource to which this shortcut will be linked. This list contains the available URL resources that are defined on the Resources page in AMC. For example, when adding a shortcut to SharePoint, you could define a URL resource specifying the resource Name as SharePoint and the resource URL as http://intranet.sharepoint.com. Then, you would select SharePoint in the Resource drop-down menu.

For more information about defining resources, see Creating and Managing Resources.

6. Specify the link and descriptive text that users will see in WorkPlace. The entries can include variables to make them even more user- or session-specific; see Using Variables in Resource and WorkPlace Shortcut Definitions for more information.
    In the Link text field, type the hyperlink text that users will click to access the Web resource. The Link text should be no longer than 25 characters.
    In the Description field, type a descriptive comment about the shortcut. Although optional, a description helps users identify the Web resource. The comment appears next to the link.

7. Use the Shortcut group area to either add this shortcut to an existing group, or put it in a new one. Groups are one of the organizational elements in a WorkPlace layout. You could, for example, put all client downloads for users in a group, and then (on the Configure WorkPlace Layout page) put the group in a column or on its own WorkPlace page.

8. To specify additional options, click Next. The Advanced tab of the Add Web Shortcut page appears.

9. Under Make link available to these devices, associate the WorkPlace shortcut with the device types that can be used to access it:
    If you select All devices, the shortcut will appear on all device types, regardless of whether the Web resource itself is supported on all device types.
    To restrict display of the shortcut to only certain types of devices, clear the All devices checkbox, and then select just the device types that are supported.

For example, WorkPlace supports a variety of small form factor devices, but not all Web resources are compatible with all devices. Outlook Web Access is available only on standard browsers, while Outlook Mobile is available only on small form factor devices. So if you have Outlook Mobile set up as a resource, you should select both the basic and advanced mobile devices.

10. Use the Start page field, if necessary, to append more specific information to the selected URL. For example, if you want the link to point to a directory or file other than the root, type a relative path in the Start page field.

This is useful for Web applications that store their content in a location other than the root. For example, if the selected URL is for Outlook Web Access and it points to mail.example.com, you could set the start page to /exchange/root.asp. The resulting URL would be https://mail.example.com/exchange/root.asp.

For SharePoint, set the start page to the extended path, such as Pages/Default.aspx or SitePages/Home.aspx. For SharePoint shortcuts, the basic hostname/<IP address> of the SharePoint server is defined on the Resources page in AMC. The extended path is configured here as the Start Page.

Creating a Group of Shortcuts

You can group Web and network shortcuts together for better WorkPlace organization and a more streamlined look. The WorkPlace user has the option of collapsing a group of file shares.

Users see only the groups to which they are permitted access. To create a group, you select from among existing WorkPlace shortcuts (not resources). Shortcuts can be members of more than one group.

To create a group of shortcuts:
1. From the main navigation menu, click WorkPlace.
2. On the Shortcut Groups tab, click New.
3. Enter a name and (optionally) a description for the group. The description appears below the group’s name in WorkPlace. In the example above, Domain and stand-alone shares is the description.
4. In the Position field, type a number that specifies the shortcut group’s position in the list. The order of shortcuts and groups can be changed later in the layout you choose for this WorkPlace site, on the Configure WorkPlace Layout page.
5. Existing shortcuts are listed: select the ones that you want to add to this group and click Save. An individual shortcut can be a member of more than one group. You can also opt to save an empty group (without any shortcuts selected), and then edit it later.

Adding Network Shortcuts

Network shortcuts provide your users with quick access to file system resources. Before you can create a shortcut to a file system resource, you must first define the resource (see Adding Resources for more information).

To add a network shortcut:
1. From the main navigation menu, click WorkPlace.
2. On the Shortcuts page, click New. A drop-down menu appears.
3. Select Network shortcut from the menu. The Add Network Shortcut page displays.
4. In the Position field, type a number that specifies the shortcut’s position in the list.
5. In the Resource drop-down menu, select the file system resource to which this shortcut should be linked. This menu contains the file system resources that are defined on the Resources page in AMC; Network Explorer, for example, is a built-in resource for which you can configure a shortcut here. For more information about defining resources, see Creating and Managing Resources.
6. Specify the link and descriptive text that users will see in WorkPlace. The entries can include variables to make them even more user- or session-specific:
   In the Link text field, type the hyperlink text that users will click to access the file system resource. The Link text should be no longer than 25 characters.
   In the Description field, type a descriptive comment about the shortcut. Although optional, a description helps users identify the file system resource. This comment appears beside the link in WorkPlace.
7. Groups are one of the organizational elements in a WorkPlace layout. Use the Shortcut group area to either add this shortcut to an existing group, or put it in a new one. You could, for example, put all file system-related shortcuts in a group, and then (on the Configure WorkPlace Layout page) put the group in a column or on its own WorkPlace page.

Web Only Access

The Web Only Access feature for SMA supports HTML5 and enables users to access HTML5 Web sites. Web Only Access for SMA also enables users to access on-demand computing services using only a web browser. Users can use Connect Tunnel (CT) and Native Access Methods (NAMs) to access back-end applications.

Web Only Access for SMA supports the following clientless NAM applications:

Remote Desktop Protocol (RDP)
NOTE: On Terminal Server connections, HTML5 RDP bookmarks are not supported for per-device licensing. HTML5 RDP bookmarks are only supported for per-user licensing. ActiveX and Java RDP bookmarks are supported for both per-user and per-device licensing on Terminal Server connections.
Secure Shell (SSH)
Telnet
Virtual Network Computing (VNC)
Citrix
NOTE: SMA 11.3 and higher do not support Java clients, and Java deprecation warnings are shown on AMC screens.

WorkPlace Lite is an access mode for the Secure Mobile Access (SMA) appliance that bypasses all Access and EPC Agents and logs the user in to WorkPlace. The only prerequisite for logging in to a WorkPlace Lite enabled WorkPlace site is that you must use a modern web browser that supports HTML5. Web only access is more commonly referred to as Reverse Proxy access.

The AMC administrator can:

Grant the user access to WorkPlace Lite.
Force the user to use WorkPlace Lite only.
Disable the user from accessing WorkPlace Lite.

Users can select a checkbox or go to a specific WorkPlace site for Lite access. If the user selects WorkPlace Lite mode, the system allows access to browser-based graphical and text-terminal shortcuts as well as Web URL and HTML file share shortcuts.

Adding a Text Terminal Shortcut using SSH or Telnet

To add a Text Terminal Shortcut that uses SSH or Telnet:
1. Go to the User Access > WorkPlace > Shortcuts page.
2. Click the New button. The New drop-down menu appears.
3. From the New drop-down menu, select Text terminal shortcut. The Add Text Terminal Shortcut page appears.
4. From the Resources menu, select the resource you want for this shortcut.
5. In the Link text field, enter the text you want to display for this shortcut.
6. (Optional) In the Description field, enter a description of this shortcut.
7. In the Add this shortcut to group drop-down menu, select one of the following options:
   a. If you do not want to make this shortcut part of a group, select Standalone shortcuts.
   b. If you want to make this shortcut part of an existing group, select one of the existing groups from the list.
   c. If you want to create a new group, enter a name for the new group in the New group name field.
8. Click Next. The Add Text Terminal Shortcut > Advanced page appears.
9. Select the Session type that you want, Secure Shell (SSHv2) or Telnet.
10. In the Port field, enter the port number.
11. Click Finish. The Shortcuts page appears with the new shortcut listed at the top.

Adding a Graphical Terminal Shortcut for a VNC

Graphical terminal shortcuts give your users quick, easy access to backend servers (Microsoft RDP, Citrix, VNC), regardless of the type of transport (proxy or tunnel). Most often, some type of Single Sign-On (SSO) credentials will be enabled so that the user does not have to re-enter their username and password after launching the GTS. Some Graphical Terminal Shortcuts have only basic settings configured by the AMC Administrator, such as IP/Hostname and Port. Others have more complex configurations, for example custom configuration file uploads (.RDP/.ICA), multi-monitor support, and high-resolution display support.

To add a Graphical Terminal Shortcut to a VNC:
1. Go to the User Access > WorkPlace > Shortcuts page.
2. Click the New button. The New drop-down menu appears.
3. From the New drop-down menu, select Graphical terminal shortcut. The Add Graphical Terminal Shortcut > General page appears.
4. From the Position drop-down menu, select the position number for the link to appear in WorkPlace.
5. From the Resources drop-down menu, select the resource you want for this shortcut. If necessary, configure the resource, as explained in Security Administration.
6. In the Link field, enter the hyperlink text you want to display for this shortcut.
7. (Optional) In the Description field, enter a description of this shortcut.
8. In the Add this shortcut to group drop-down menu, select one of the following options:
   a. If you do not want to make this shortcut part of a group, select Standalone shortcuts.
   b. If you want to make this shortcut part of an existing group, select one of the existing groups from the list.
   c. If you want to create a new group, enter a name for the new group in the New group name field.
9. Click Next. The Add Graphical Terminal Shortcut > Advanced page appears.
10. Click Finish. The Shortcuts page appears with the new shortcut listed at the top.

Configuring Windows Terminal Services

NOTE: ActiveX and Java RDP bookmarks are supported for both per-user and per-device licensing on Terminal Server connections.

To configure Windows Terminal Services:
1. Go to the User Access > WorkPlace page.
2. Click the New button. The New drop-down menu appears.
3. From the shortcut drop-down menu, select Graphical terminal shortcut. The Add Graphical Terminal Shortcut > General page appears.
4. From the Position drop-down menu, select the position number for the link to appear in WorkPlace.
5. From the Resources drop-down menu, select the resource you want for this shortcut. If necessary, configure the resource, as explained in Security Administration.
6. In the Link field, enter the hyperlink text you want to display for this shortcut.
7. (Optional) In the Description field, enter a description of this shortcut.
8. In the Add this shortcut to group drop-down menu, select one of the following options:
   a. If you do not want to make this shortcut part of a group, select Standalone shortcuts. This is the default.
   b. If you want to make this shortcut part of an existing group, select one of the existing groups from the list.
   c. If you want to create a new group, enter a name for the new group in the New group name field.
9. Click Next. The Add Graphical Terminal Shortcut > Advanced page appears.

Session Type

NOTE: Options change with the Resources selection on the General page. For some selections, only the Port field is available.

1. From the Type drop-down menu, select Windows Terminal Services.
2. In the Port field, type the port number to use for RDP communication. The default is 3389.
3. Select the type of RDP client used by the shortcut:
   Use Browser based client — All end point devices will use a browser-based RDP client. A browser-based RDP client does not support advanced session options such as Forms.
   Use Native client on user’s PC (Windows/Mac/Linux) — (default) The shortcut uses whatever native RDP client is installed on the user's PC.
   Upload RDP file — Browse to the location of the RDP file and upload it.
Single Sign-On

1. Select one of the following options for how end users will sign on:

NOTE: If you are concerned that user credentials may be stolen, you can offer (or require) that users logging in to WorkPlace provide their credentials by pointing to characters on a keyboard display instead of typing them. See Using the Virtual Keyboard to Enter Credentials for more information.

   None (prompt user) - Prompts the end user for credentials.
   Forward user's session credentials - Uses the user’s session credentials (username/password) to log in to the backend RDP machine. In the Domain field, specify the Windows domain that should be forwarded to the backend RDP machine when attempting to log on.
   Forward static credentials - Defines static credentials (either manually or via policy variables) to be sent to the backend server during the logon request. To forward static credentials, specify the static Username, Password, and Domain to be used.
Server Authentication

1. From the If the identity of the remote computer cannot be verified drop-down menu, select whether remote user access is allowed or disallowed when server authentication fails:
   Connect and do not warn the user
   Warn the user, who must choose whether or not to proceed with the connection (default)
   Do not connect
Resource Redirection

1. Select the Bring remote audio to local computer checkbox to enable users to access remote audio during the session. Note that audio redirection is network intensive and can affect performance. The default is off.
2. Select the Share clipboard between local and remote computers checkbox to enable clipboard copy/paste in both directions for the user. The default is to allow this feature.
3. Under Allow access to local, select the checkboxes for the devices the user will be able to access during the session:
   Drives
   Printers
   SmartCards (used for authentication)
   Plug-and-play devices
   Ports (port redirection from the local computer to the remote computer)
Connection Properties

1. Check the Automatically reconnect if session is interrupted checkbox to have the RDP client reconnect without prompting when the connection is dropped.
2. Check the Connect to admin/console session checkbox to allow the AMC Administrator to define whether the AMC session should be used to establish a connection.
3. To send Wake-on-LAN packets to the corresponding MAC address and/or the resource’s hostname/IP address, check the Enable Wake-on-LAN (WoL) checkbox and type the MAC/Ethernet address, which is the hardware address the WoL packet should be sent to. To change the Wait time for boot-up, type the number of seconds (default 90) to wait for the client machine to wake up after the WoL packet is sent.
4. Check the Send WoL packet to hostname or IP address checkbox to also send the WoL packet to this resource's associated hostname/IP address.
Keyboard Languages

1. From the Keyboard Layout drop-down menu, select a language. The default is Use browser locale.
Display properties

1. From the Screen resolution drop-down menu, select the desired screen resolution, or select Custom and enter the custom resolution (default 1024 x 768 pixels). The administrator can also let the WorkPlace user choose.
2. From the Color Depth drop-down menu, select the color depth for the display (default 16-bit).
3. Select any of the other display properties that you want:
   Show connection bar - Allows the AMC Administrator to define whether the connection bar at the top of the screen is displayed once the GTS session is successfully established. Default: Checked
   Multiple monitor support - Controls whether RDP7 multi-monitor support is enabled. If RDP7 is not available and multi-monitor is enabled, the GTS falls back to RDP6 dual-monitor mode. Default: Unchecked
   Remote application - Allows the AMC Administrator to launch an application remotely via the GTS session (without actually launching the terminal). Default: Unchecked

IMPORTANT: Remote applications through an RDP file are not supported with ODMM or HTML5.

NOTE: If this is enabled, Start application, Application Arguments, and Working directory in the Startup Options section must be defined.
Third-Party Plugin DLLs

NOTE: DLLs must be pre-installed on the client machine. The terminal service does not do any provisioning of DLLs.

1. To load third-party plugin DLLs into WorkPlace when the RDP GTS session starts, select the Enable third-party plugin DLLs checkbox.
2. Enter the DLLs to load, separating them with commas. By clicking the {variable} button, you can select pre-defined variables from the pop-up list.

Startup Options

NOTE: For any of these options, you can use pre-defined variables by clicking the {variable} button associated with the option.

1. To start an application when the GTS RDP session is started, in the Start application field, type the full path to an application on the client machine.
2. To add any command line arguments that must be specified to start the application correctly, type them in the Arguments field.
3. If you specified a start application, in the Working directory field, enter the directory from which to start the application.
4. Click Finish to save the settings, Cancel to delete your entries, or Back to return to the General tab.

NOTE: The startup options are supported via HTML5 RDP.

NOTE: Java-based RDP is not supported in SMA 11.3 and higher.

Configuring WorkPlace Lite

WorkPlace Lite mode is configured on a per-WorkPlace site basis.

To configure WorkPlace Lite:
1. In AMC, browse to WorkPlace > WorkPlace Sites > <Your WorkPlace Site> > Advanced.
2. Under WorkPlace Lite access, select one of these options:
   Automatic — The user-selection checkbox for WorkPlace Lite mode on WorkPlace is not visible and WorkPlace Lite access will be enabled for mobile devices only. This is the default for upgrades from previous firmware versions and new installations. Label and Help text controls are disabled.
   Always — The user-selection checkbox for WorkPlace Lite mode on WorkPlace is not visible, but WorkPlace Lite access is always enabled when the user logs in to this WorkPlace site. Label and Help text controls are disabled.
   Let user choose — The checkbox on WorkPlace for enabling or disabling WorkPlace Lite access is visible, along with the label text and help text. The AMC Administrator can modify or adjust the Label and Help text as needed.
3. Click Save.

TLS and NLA support for HTML5 RDP

Secure Mobile Access (SMA) provides Transport Layer Security (TLS) and Network Level Authentication (NLA) for HTML5 browser clients that want to connect to remote hosts via the Remote Desktop Protocol (RDP).

RDP negotiates the encryption level between a remote client and the RDP host server. You can enhance the security of RDP sessions by configuring RDP to use TLS to identify the RDP host server and encrypt all communication between the RDP host server and the client. You can also configure RDP to use NLA, which forces the client to present user credentials for authentication before the RDP host server will create a session for that user.

To enable TLS and NLA for HTML5 browser support for RDP, you must configure TLS and RDP on the RDP host server and then set the keyboard language for the client’s browser locale on the Manage Bookmarks page in WorkPlace.

TS-Farm servers enable RDP sessions to be load balanced. A TS-Farm consists of numerous remote desktop servers (farm servers) with additional licensing capabilities and a session broker. The session broker does the bookkeeping and makes the load balancing decisions.

Configuring TLS and NLA Support for HTML5 RDP
To configure TLS and NLA on an RDP host server:
1. On your RDP host server, open the RDP-Tcp Properties dialog.
2. In the Security layer drop-down menu, select SSL (TLS 1.0).
3. Select the checkbox for Allow connections only from computers running Remote Desktop with Network Level Authentication.
4. Click Apply.
5. Click OK.
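The following PowerShell, added here as an example and not part of the SMA guide, reads back the two settings the procedure above sets through the RDP-Tcp Properties dialog (the SSL/TLS security layer and the NLA requirement) from the Win32_TSGeneralSetting WMI class, so you can confirm an RDP host is ready before pointing an HTML5 RDP shortcut at it. It assumes an elevated PowerShell session on the RDP host itself.

```powershell
# Added example (not from the SMA guide): verify, and optionally enforce, the
# RDP-Tcp listener settings configured through the RDP-Tcp Properties dialog.
# Run in an elevated PowerShell session on the RDP host.
#
# Win32_TSGeneralSetting.SecurityLayer:
#   0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS); the dialog's
#   "SSL (TLS 1.0)" choice corresponds to 2.
# Win32_TSGeneralSetting.UserAuthenticationRequired:
#   1 = NLA required (the "Allow connections only from computers running
#   Remote Desktop with Network Level Authentication" checkbox), 0 = not required.
# The same values are stored under the registry key
# HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

function Get-RdpTcpSetting {
    # Returns the Win32_TSGeneralSetting instance for the RDP-Tcp listener.
    Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                    -ClassName 'Win32_TSGeneralSetting' `
                    -Filter "TerminalName='RDP-Tcp'"
}

function Test-RdpTlsAndNla {
    # Reports whether the host already matches the procedure above:
    # security layer set to SSL (TLS) and NLA required for every connection.
    $ts = Get-RdpTcpSetting
    [pscustomobject]@{
        SecurityLayer    = $ts.SecurityLayer
        TlsSecurityLayer = ($ts.SecurityLayer -eq 2)
        NlaRequired      = ($ts.UserAuthenticationRequired -eq 1)
        # SHA-1 thumbprint of the certificate the listener presents; compare it
        # with the certificate you intend clients to trust for this host.
        CertificateSha1  = $ts.SSLCertificateSHA1Hash
        Compliant        = ($ts.SecurityLayer -eq 2) -and ($ts.UserAuthenticationRequired -eq 1)
    }
}

function Set-RdpTlsAndNla {
    # Applies the same two settings non-interactively (steps 2 and 3 of the
    # procedure). Both WMI methods return 0 on success.
    $ts = Get-RdpTcpSetting
    $r1 = Invoke-CimMethod -InputObject $ts -MethodName 'SetSecurityLayer' `
                           -Arguments @{ SecurityLayer = [uint32]2 }
    $r2 = Invoke-CimMethod -InputObject $ts -MethodName 'SetUserAuthenticationRequired' `
                           -Arguments @{ UserAuthenticationRequired = [uint32]1 }
    if ($r1.ReturnValue -ne 0 -or $r2.ReturnValue -ne 0) {
        throw "Failed to update RDP-Tcp settings (SetSecurityLayer=$($r1.ReturnValue), SetUserAuthenticationRequired=$($r2.ReturnValue))"
    }
    Test-RdpTlsAndNla
}

# Usage: report the current posture and warn if the host still accepts
# connections without TLS or without NLA.
$posture = Test-RdpTlsAndNla
$posture | Format-List
if (-not $posture.Compliant) {
    Write-Warning 'RDP-Tcp is not enforcing TLS and NLA; run Set-RdpTlsAndNla to apply the settings from the procedure above.'
}
```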

Citrix Configuration

Selecting Citrix from the drop-down menu alters the Advanced options menu and pre-populates that section with default settings.

To configure a Citrix server farm:
1. In the Port field, type the port number that should be used for the Citrix server farm (default 1494 for Citrix).
2. In the Single Sign-on section, select how end users will sign on:

NOTE: Single sign-on fields on the Advanced page can be completed with absolute values or by clicking the Variable button to the right of the field, selecting the desired variable from the displayed list, and clicking Insert.

   None (prompt user) - Prompts the end user for credentials.
   Forward user's session credentials - Uses the user’s session credentials (username/password) to log in to the backend RDP machine. In the Domain field, specify the Windows domain that should be forwarded to the backend RDP machine when attempting to log on.
   Forward static credentials - Defines static credentials (either manually or via policy variables) to be sent to the backend server during the logon request. To forward static credentials, specify the static Username, Password, and Domain to be used.
3. Select the Enable SSO to Citrix application checkbox to allow credentials to be submitted to the published applications. The default is off.
4. Select the Bring remote audio to local computer checkbox to enable users to access remote audio during the session. The default is off.

NOTE: Audio redirection is network intensive and can affect performance.

5. Select the Share clipboard between local and remote computers checkbox to enable clipboard copy/paste in both directions for the user. The default is to allow this feature.
6. To change the Screen resolution, select the desired screen resolution from the drop-down menu or select Custom and type the custom resolution (default 1024 x 768). The administrator can also let the WorkPlace user choose.
7. To change the color depth for the display, select the desired color depth from the Color Depth drop-down menu (default 16-bit).
8. Click Finish to save the settings, Cancel to delete your entries, or Back to return to the General tab.

Adding a Virtual Desktop Shortcut

Use this page to create or edit the virtual desktop shortcuts appearing in WorkPlace. These shortcuts enable users to easily connect to VMware View resources.

To add a virtual desktop shortcut:
1. From the main navigation menu, click WorkPlace.
2. On the Shortcuts page, click New. A drop-down menu appears.
3. Select Virtual Desktop Shortcut. The Add Virtual Desktop Shortcut page displays.
4. On the General tab, select the resource from the Resources list.
5. In the Link Text field, type in the hyperlink text that will appear as the shortcut for a VMware View host.
6. Type a description for the shortcut into the Description field.
7. In the Add this shortcut to group drop-down menu, select Standalone shortcuts if you do not want to make this shortcut part of a group, or select an existing group from the list. To create a new group, select New.
8. If you selected New, type a name for the new group in the New group name field.
9. Click Next. The Advanced tab displays.
10. Select the session type, such as Citrix XenDesktop or VMware View.
11. In the Single sign-on area, specify how you want user credentials to be forwarded to the host:
   Click None to disable single sign-on and prompt the user for credentials.
   Click Forward user’s session credentials to pass the username and password used to authenticate to WorkPlace along to the host.
   Click Forward static credentials to forward the same username and password for all users. Type the static Username, Password, and Domain to be forwarded for all users.
   Click the associated {variable} button to expose the variable list and insert a variable into the above fields.
12. In the Resource redirection area, specify how you want the Virtual Desktop to interface with the host:
   a. To play audio generated by the remote device on the local computer, check the Bring remote audio to local computer checkbox.
   b. To copy the clipboard contents between computers, check the Share clipboard between local and remote computers checkbox.
   c. To access drives and/or printers on the remote device, check the Drives and/or Printers checkboxes.
13. In the Display properties area, specify how you want the Virtual Desktop display to look:
   a. Use the Screen resolution drop-down menu to select the screen resolution for the Virtual Desktop display.
   b. Use the Color depth drop-down menu to select the color depth for the Virtual Desktop display.
14. Click Finish.

Adding a Text Terminal Shortcut

Use this page to create or edit the text terminal shortcuts appearing in WorkPlace. These shortcuts enable users to easily connect to SSH or Telnet resources.

To add a text terminal shortcut:
1. From the main navigation menu, click WorkPlace.
2. On the Shortcuts page, click New. A drop-down menu appears.
3. Select Text Terminal Shortcut. The Add Text Terminal Shortcut page displays.
4. On the General tab, select the resource from the Resource drop-down menu.
5. In the Link Text field, type in the hyperlink text that will appear as the shortcut for an SSH or Telnet host.
6. Type a description for the shortcut into the Description field.
7. In the Add this shortcut to group drop-down menu, select Standalone shortcuts if you do not want to make this shortcut part of a group, or select an existing group from the list. To create a new group, select New.
8. If you selected New, type a name for the new group in the New group name field.
9. Click Next. The Advanced tab displays.

SSHv2 Configuration

The Secure Shell (SSH) session type affects the Advanced tab options section, and pre-populates that section with appropriate default settings.

The Port defines which port should be used for SSH communication. Default: 22

In the Advanced Session Options area, checking:

Automatically accept host key lets the administrator control whether or not a mismatched host key displays an acceptance prompt to the WorkPlace user. Default: Checked
Bypass username for SSHv2 only controls whether the username field should be ignored (left empty) during login. Only valid for Secure Mobile Access firewalls. Default: Not selected

To return to the General Menu, click Back. To enable the new settings, click Finish.

Telnet Configuration

The Telnet session type affects the options section and pre-populates it with default settings.

The Port option defines which port should be used for Telnet communication. Default: 23

To return to the General Menu, click Back. To enable the new settings, click Finish.

Editing Shortcuts

You can create new WorkPlace shortcuts when defining resources, but to edit or delete them, you must use the Shortcuts page.

To edit a shortcut:
1. From the main navigation menu, click WorkPlace.
2. Click the number or the link text of the shortcut that you want to edit.
3. Make edits as needed, and then click Save.

If you delete a shortcut, users will no longer see it in WorkPlace. To delete a shortcut, you must use the Shortcuts page.

To delete a shortcut:
1. From the main navigation menu, click WorkPlace.
2. Select the checkbox to the left of any shortcuts that you want to delete, and then click Delete. Deleting a shortcut does not delete the resource to which it refers.

WorkPlace displays the list of shortcuts in the same order as they appear on the Shortcuts page. You can move one or more shortcuts at the same time. The order of shortcuts (and groups of shortcuts) can be changed later in the layout you choose for your WorkPlace site, on the Configure WorkPlace Layout page.

To move one or more shortcuts:
1. From the main navigation menu, click WorkPlace.
2. Select the checkbox to the left of any shortcuts that you want to move.
3. Click Move Up or Move Down as appropriate. Each click of the button moves the selected shortcuts up or down one row.

To reorder an individual WorkPlace shortcut, an alternative method is to click its number or link text and then type its new list position in the Position field.

WorkPlace Sites

You can create multiple WorkPlace sites for different user segments, such as employees, business partners, and suppliers. Each site can have a unique external URL and a unique appearance, or bypass the WorkPlace portal and redirect the user to a different start page.

For example, you could create a WorkPlace site for your employees with a customized title and logo, and a URL of http://employees.headquarters.com, and create a different site for your partners at http://partners.subsidiary.com. If you create multiple WorkPlace sites with unique external URLs, you can import a wildcard certificate to the appliance and designate it as the server certificate for multiple WorkPlace sites, or procure a separate SSL certificate for each site whose FQDN is different from the appliance’s domain name. For more information, see Certificates.

NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

Optionally, if you have configured multiple realms, you can associate a WorkPlace site with a realm; this enables users to bypass the portion of the authentication process in which they would normally specify a realm to log in to. If you associate a WorkPlace site with a realm, users cannot select a different realm to log in to; a user who does not belong to the specified realm cannot log in to the specified WorkPlace site.

You can customize the following components of WorkPlace:

Company logo
WorkPlace title
Greeting at top of page
Color scheme
Help file
Font family

You can have users bypass the WorkPlace portal and go directly to a different start page, provided that the realm they log in to allows translated, custom port mapped, or custom FQDN mapped Web access exclusively. See Adding WorkPlace Sites for more information.

You may also want to set up custom licensing agreements that they will have to accept before getting started.

The URL a user types to log in to WorkPlace is preceded by the http:// protocol identifier. The Web session is then redirected to a site that uses secure HTTP (HTTPS) and uses the https:// protocol identifier.

NOTE:
If you do not specify a custom WorkPlace site, or if users access the appliance using its default name, the default WorkPlace site is automatically used.
Rather than creating a new WorkPlace site from scratch, you can save time by making a copy of an existing site and changing some parameters to fit the new site. For information about copying a WorkPlace site, see Adding, Editing, Copying, and Deleting Objects in AMC.
You can delete a WorkPlace site if you no longer need it, but you cannot delete the default WorkPlace site. For information about deleting WorkPlace sites, see Adding, Editing, Copying, and Deleting Objects in AMC.

Adding WorkPlace Sites

AMC includes a preconfigured default WorkPlace site. You can create additional WorkPlace sites as needed; this section describes how to do so.

You can make WorkPlace look different, on a per-community basis, if you set up different styles and layouts. For more information, see Modifying the Appearance of WorkPlace. For information about configuring WorkPlace sites for small form factor devices, see WorkPlace and Small Form Factor Devices.

The fully qualified domain name (FQDN) for the WorkPlace site can include one of the following:

A host within the same domain name as the SMA appliance. Optionally, you can configure a separate SSL certificate for this type of site.
A custom FQDN. This option can use a wildcard SSL certificate when its IP address is the same as another WorkPlace site that uses the wildcard certificate, or you can use a separate SSL certificate for the site. Before creating the site, you must obtain the certificate. For more information, see Certificates.
NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

In either case, you must communicate the external FQDN to users so they know how to access WorkPlace. You must also add this FQDN to your public DNS.
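As an added example (not part of the SMA guide), the following PowerShell checks whether a certificate's names cover the external FQDNs you plan to assign to several WorkPlace sites, applying the wildcard rule browsers use, so you can tell in advance whether one wildcard certificate is enough or a site with a different FQDN needs its own certificate, as described above and under WorkPlace Sites. The site names and certificate names are constructed for the example.

```powershell
# Added example (not from the SMA guide): decide, for a planned set of
# WorkPlace site FQDNs, which ones a given certificate covers and which would
# produce the certificate-mismatch warning for users. Names are constructed.

function Test-CertificateNameMatch {
    # Returns $true when $Fqdn is covered by one of $CertificateNames.
    # Wildcard rule applied by browsers: "*.example.com" matches exactly one
    # DNS label (partners.example.com) but not example.com itself and not
    # deeper names such as sso.partners.example.com.
    param(
        [Parameter(Mandatory)] [string]   $Fqdn,
        [Parameter(Mandatory)] [string[]] $CertificateNames
    )
    $target = $Fqdn.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $CertificateNames) {
        $pattern = $name.ToLowerInvariant().TrimEnd('.')
        if ($pattern -eq $target) { return $true }
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(1)        # ".example.com"
            if ($target.Length -gt $suffix.Length -and $target.EndsWith($suffix)) {
                $leftmost = $target.Substring(0, $target.Length - $suffix.Length)
                # Only a single label may stand in for the wildcard.
                if (-not $leftmost.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-WorkPlaceSiteCoverage {
    # Produces one row per planned site, flagging those a separate
    # certificate (or an added SAN entry) would be needed for.
    param(
        [Parameter(Mandatory)] [string[]] $SiteFqdns,
        [Parameter(Mandatory)] [string[]] $CertificateNames
    )
    foreach ($site in $SiteFqdns) {
        [pscustomobject]@{
            Site    = $site
            Covered = Test-CertificateNameMatch -Fqdn $site -CertificateNames $CertificateNames
        }
    }
}

# Constructed sample: a wildcard certificate for *.example.com that also
# carries vpn.example.com, checked against five planned WorkPlace site FQDNs.
$certNames = @('*.example.com', 'vpn.example.com')
$sites = @(
    'employees.example.com',     # covered by the wildcard
    'partners.example.com',      # covered by the wildcard
    'example.com',               # not covered: the wildcard needs one label
    'sso.partners.example.com',  # not covered: two labels left of the suffix
    'partners.example.net'       # not covered: different domain, needs its own certificate
)
Get-WorkPlaceSiteCoverage -SiteFqdns $sites -CertificateNames $certNames | Format-Table -AutoSize

# To check against an installed certificate instead of a literal list, read
# its DNS names from the certificate store, for example:
#   $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq '<thumbprint placeholder>'
#   $names = $cert.DnsNameList | ForEach-Object { $_.Unicode }
```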

To add a WorkPlace site:
1. On the main navigation menu, click WorkPlace, and then click the WorkPlace Sites tab.
2. Click New. The Configure WorkPlace Site page opens with the General settings displayed.
3. In the Name field, type a unique name for the WorkPlace site.
4. (Optional) In the Description field, type a descriptive comment about the WorkPlace site.
5. Type the IPv4 or IPv6 Custom FQDN name. By default, AMC listens on all interfaces for all services and connects the request to the correct service based on the FQDN being requested.
6. (Migrated/imported configurations only) An additional listening address can be specified if AMC was upgraded from a previous version where a virtual IP address is configured for the WorkPlace site or the CEM is used. To listen on an additional address, check the Listen on an additional IP address checkbox and type the IP address.

For new installations, the Listen on an additional IP address fields are hidden. For migrated/imported configurations with existing virtual hosts, the fields are visible, but the Administrator cannot create new virtual addresses; if necessary, use CEM to create virtual host addresses in a new or migrated/imported configuration.

On a partial import, virtual IP address information is lost, and applying pending changes forces the Administrator to fix any WorkPlace site or URL resource configured to use a different IP address. In this case, the Listen on an additional IP address fields are visible, with the checkbox checked to enable listening on an additional address, (New) selected as the IP address, and no IP address entered in the address field. The Administrator can either enter an IP address or uncheck the checkbox.

If the host name or IP address on the certificate does not match the Custom FQDN or IP address that you specified for this site, a security warning is displayed when users access the site.

7. Select a style—which includes the logo, color scheme, and text—for the WorkPlace login page. The style and layout for other WorkPlace portal pages is specified during community configuration; see Modifying the Appearance of WorkPlace for information on modifying or creating a style.
8. Click Next to open the Advanced page.
9. In the Realm area, select one of these options:
   Log in using this realm: Users are not prompted to select a realm, and only members of the specified realm can access the WorkPlace site.
   Prompt user for realm: Offer users a list of realms from which to choose. You can offer them all configured realms, or clear the All realms selection and choose the ones that should be in the list. Any authorized user can access the WorkPlace site after selecting a realm during login.
10. In the Start page area, select Display this page after authentication if you want users to bypass the default WorkPlace home page after authentication. For example, if you have someone who will submit content using a Web-based content management system, this setting allows you to present the writer with the CMS interface immediately after he or she logs in.

   This setting is available only if the realm specified in the Realm area offers translated, custom port mapped, or custom FQDN mapped Web access exclusively. The URL you enter in this text box will be automatically prefixed with http://. If this is a URL for a secure site, you must include the https:// protocol identifier.

   If you specify an alternate page for users and they bypass the default WorkPlace portal, the user's session is valid as long as the browser window is open, or until the session times out. Unlike the WorkPlace portal, the alternate page will not include a Log out option.

11. Click Finish to save your WorkPlace site settings.

NOTE: You can enter a URL alias in the Start page area (if you don’t want users to see the complete URL in WorkPlace), provided that you create a URL resource for it. For example, if you define a URL resource as http://intranet.mycompany.com with an alias of intranet, you can specify the start page for WorkPlace here simply with intranet (or a more specific path, such as intranet/some/path). When users authenticate, they are redirected to https://<appliance>/intranet or https://<appliance>/intranet/some/path.

Modifying the Appearance of WorkPlace

When you create a new WorkPlace site, you have control over the look-and-feel of the pages and the organization of resource shortcuts and other elements, such as intranet browsing and Network Explorer. The appearance of WorkPlace is controlled by the following design elements, which can be created and reused:

A WorkPlace style determines the color scheme, fonts, and images used in WorkPlace. A style can be applied to two groups of pages: those that contain user resources, and the login, error, and notification pages.

An important thing to remember is that WorkPlace login, error, and notification pages are assigned a style when you configure a WorkPlace site (see Adding WorkPlace Sites for more information), and the portal pages are assigned a style when you configure a community (see Creating and Configuring Communities for more information).

A WorkPlace layout determines elements like WorkPlace navigation, the number of columns on a page, whether users see the Intranet Address box, and which shortcuts appear and how they are arranged. A layout applies only to WorkPlace resource pages.

If your site requires a complete overhaul of the way WorkPlace looks and you are familiar with creating Web content and style sheets (.css), you can upload a complete style to the appliance and then select it when you create your site and assign it a style. See Fully Customizing WorkPlace Pages for more information. To do further customization—for example, to insert a use agreement into the login process—see About Custom WorkPlace Templates.

NOTE: The Default Style and Default Layout for WorkPlace cannot be deleted.
Creating or Editing a WorkPlace Style

To create a new WorkPlace style:
1. On the main navigation menu, click WorkPlace, and then click the Appearance tab.
2. In the Styles area, choose an existing style to base your new one on (select its checkbox, and then click Copy), or click New.
3. In the Name field, type a unique name for the WorkPlace style.
4. (Optional) In the Description field, type a descriptive comment about the style.
5. In the Font family list, select the type of font you want to use (Serif or Sans-serif).
6. In the Color scheme drop-down menu, click the name of the color scheme you want to use. If you select Custom, you can set custom colors for the WorkPlace Page background, Subheadings, and Main heading. Specify color settings by typing the applicable hexadecimal RGB value, or by clicking a color swatch and then selecting a color from the Please choose a color dialog.
7. To replace the Secure Mobile Access logo that is displayed in WorkPlace with a different image, use the Replace with field to enter or browse for the .gif or .jpg file you want to use. For best results, the image should not exceed 200 pixels wide by 50 pixels high.
8. When Display gradient background behind logo is selected, the accent color of your Color scheme is displayed at the top of each WorkPlace page, gradually going from dark (at the top of the page) to light. Any heading that you have appears in white.
9. On small form factor devices, the logo specified in the Images area is resized by default, but for best results you may want to specify an alternate image that does not exceed 40 pixels by 100 pixels. Type the path of the image file, or click the Browse button to select the image file you want to use. The logo is automatically omitted from WAP and i-mode devices, so this setting does not affect the display on those devices.
10. In the Title field, type the text that will appear as the title on the page and in the browser’s title bar. The title must be no longer than 25 characters.
11. In the Greeting field, type the introductory text that should appear below the title. The greeting must not exceed 250 characters, but you may want to use a shorter one, especially if you want it to appear on small form factor devices.
12. To further assist the user, you could specify a custom Help file that provides more detailed information about the resources available on your VPN, or describe how to get technical support. Click Browse to specify a well-formed HTML file that contains custom Help information. Your custom Help content is integrated with the default WorkPlace Help system. To make changes to your custom help content, edit the file locally and upload it to the appliance again.
13. Click Save to save your WorkPlace site settings, or click Reset Defaults to restore the factory-default settings.

Creating or Editing a WorkPlace Layout

To create a new WorkPlace layout:
1. On the main navigation menu, click WorkPlace, and then click the Appearance tab.
2. In the Layouts area, click New.
3. In the Name field, type a unique name for the WorkPlace layout.
4. (Optional) In the Description field, type a descriptive comment about the layout.
5. In the Initial content area, select a layout for your current WorkPlace content (any shortcuts and shortcut groups that you’ve defined), or choose to set up an initial structure for your content and add WorkPlace resources later. No matter how you decide to lay out your initial content, you can change it later by adding, removing, or rearranging pages and page content.
6. In the Page navigation area, specify the kind of navigation controls that will be displayed if your content requires more than one page.
7. Specify whether the Intranet Address field will be displayed when this layout is used. It gives users access to resources by typing a resource name (a UNC path, URL, or both). Click Next.
8. Click the Edit page properties link to change the basic properties of this WorkPlace page: its name (for example, Home) and a short description.
9. Use the page, column, and shortcut controls to add pages, content, and rearrange the elements on each page. Rearranging items in a layout or deleting them from a layout does not affect the resource itself, just its appearance in WorkPlace.
10. Click Next to move to the Device Preview page. This page allows you to see how your layout will appear on different types of devices with different display capabilities. On a mobile device, for example, the Intranet Address field cannot be displayed, even if it is configured to be part of a layout.

WorkPlace and Small Form Factor Devices

WorkPlace provides support for a variety of small form factor devices, including PDAs, Pocket PCs, smart phones, WAP 2.0-compatible phones, and i-mode phones. This section explains how to configure the appliance to support these devices.

About WorkPlace and Small Form Factor Devices

When a user logs in to WorkPlace from a small form factor device, WorkPlace detects the device type and automatically transforms to best match the capabilities of the client device. This transformation affects several aspects of the user experience:

WorkPlace functionality: Some WorkPlace features available from a standard desktop browser are omitted on small form factor devices:
   The Network Explorer page is not available for accessing network shares.
   The Intranet Address box is not available for typing a URL or UNC path name.
   WorkPlace http and https bookmarks are supported.
   SonicWall access agents are not supported, including the OnDemand access agent, the EPC data protection agents, and terminal server agents.
   The custom online Help file is not available.

WorkPlace look and feel: The standard WorkPlace appearance (including any customization you’ve made) is automatically modified for optimal display on small form factor devices.

NOTE: For information about configuring the appearance of WorkPlace on a small form factor device, see Optimizing WorkPlace for Display on Small Form Factor Devices.

Resource availability: You can control which WorkPlace shortcuts will appear on a small form factor device. This allows you to omit Web resources that are incompatible with a particular type of device.

For example, you might want to hide the link for Outlook Web Access and instead provide a link to Outlook Mobile Access. This setting is controlled when creating a WorkPlace shortcut; for more information, see Adding Web Shortcuts.

End Point Control classification: To restrict access based on device type, you can create an EPC zone for a specific type of Windows mobile device and then reference that zone in an access control rule. For more information, see Defining Zones.

The appliance is preconfigured to classify most common small form factor devices into one of several categories. The default settings should be sufficient for most deployments, but you can modify the configuration to change the classification or recognize other devices, as needed. For more information on how devices are classified, see About Browser Profiles.

NOTE:
   Some small form factor devices do not display error pages, but instead return an error code (such as a 500 error) from the Web server, without any descriptive error text.
   Users attempting to log in to WorkPlace from an unsupported device will receive an error message.
   For users who connect to the appliance from small form factor devices, you should configure the appliance with a certificate from a leading CA (such as VeriSign), or else import the CA certificate to your users’ small form factor devices—many devices will fail to connect when presented with a certificate from an unknown CA and will not provide any error message. For more information, see CA Certificates.

Optimizing WorkPlace for Display on Small Form Factor Devices

The general WorkPlace appearance, including any customization you’ve made, is automatically modified for optimal display on small form factor devices. The results are sufficient for most deployments, but you may want to manually configure a few settings to improve the display. Most of the settings are configured as part of a WorkPlace style; when you configure a WorkPlace layout you’ll be able to see how page navigation and other elements will work on different mobile devices.

To optimize a WorkPlace site for display on small form factor devices:
1. On the main navigation menu, click WorkPlace, and then click the Appearance tab.
2. In the Styles drop-down menu, select a style you want to modify, or click New to start from scratch.
3. In the Images area, specify a logo for WorkPlace. For optimum results on smaller devices, the image should not exceed 100 pixels by 40 pixels. By default, the logo specified in the Standard logo image file box is used. To specify an alternate image, type the path of the .gif, .jpg, or .png file in the Replace with field, or click Browse to locate it. Graphics are automatically omitted from WAP and i-mode devices: this setting does not affect the display on those devices.
4. To reduce the amount of vertical scrolling required, clear the Display greeting on small form factor devices checkbox in the Text and Files area.
5. Click Save or Finish to save your WorkPlace site settings, or click Reset Defaults to restore the factory default WorkPlace site settings.

NOTE: If you are using a mobile device that doesn't support UTF-8, such as the Sanyo W32SA handset, localized content is displayed using illegible characters. To log in, the user must enter his or her credentials in ASCII format.

To preview a WorkPlace layout on a small form factor device:
1. On the main navigation menu, click WorkPlace, and then click the Appearance tab.
2. In the Layouts drop-down menu, select the layout you plan to use, or click New to configure one.
3. General settings: If your layout contains more than one page, you can specify the kind of navigation controls that will be displayed. Only an advanced mobile device, which is defined as one that has a browser that supports JavaScript, supports multiple pages. An example is a Pocket PC running Windows Mobile Professional.
4. Device preview: There are two approaches to lay out a community on smaller devices.
   You can have the appliance accommodate smaller devices automatically. For example, the Intranet Address field (if it is part of the layout) is automatically not displayed on mobile devices, and whatever logo you have specified is scaled down.
   If the automatic results are not acceptable, you can create a different layout, intended only for mobile devices, and then specify it when you configure the community. See Configuring the Appearance of WorkPlace for more information.

About Browser Profiles

The appliance is preconfigured to recognize most popular desktop browsers and many common small form factor devices. When a user connects to WorkPlace, it uses this profile information to classify the device into one of several categories. This in turn determines how WorkPlace appears, which shortcuts are visible on the device, and how the device is classified for use with EPC.

The browser profile is determined by examining a variety of information sent from the client, including the Web browser’s user-agent string and HTTP headers. The classification details are shown in Browser profile classification details.

Browser profile classification details

| Client device examples | WorkPlace classifications |
|---|---|
| Windows, Mac, or Linux | Desktop (JavaScript enabled) |
| Apple iPhone | Desktop (JavaScript disabled). Because JavaScript is disabled, the appliance cannot interrogate the iPhone to determine which EPC zone it belongs in. |
| Windows Pocket PCs; Windows Smartphone Professional; many Windows CE devices; many Palm OS devices | Advanced mobile (Touch screen and JavaScript enabled) |
| Windows Smartphone Standard | Standard mobile (JavaScript enabled) |
| Any Smartphone without JavaScript; some Palm OS devices | Standard mobile (No JavaScript) |
| Any WAP 2.0-compliant phone (includes many Symbian-based phones) | WAP Phone v2.0 |
| Mobile browser using cHTML (no cookie support) | i-mode phone (cHTML) |

The market for mobile phones and handheld devices is evolving rapidly, and you may need to modify the default appliance settings. For example, you might need to configure the appliance to support a new type of smartphone purchased by your sales organization. Or you might want to override the appliance’s default profile to accommodate a PDA vendor whose user-agent string has changed. Any browser profiles you define will take precedence over the built-in profiles configured on the appliance.

AMC’s browser profiles enable you to configure the appliance to support the latest small form factor devices. A browser profile maps a particular user-agent string to a device type. As mentioned in About WorkPlace and Small Form Factor Devices, the profile is used to determine three things, as shown in Browser profile features.

Browser profile features

| Feature specified in browser profile | For more information |
|---|---|
| How WorkPlace is rendered on the device | See About WorkPlace and Small Form Factor Devices. |
| Which links appear on WorkPlace | See Adding Web Shortcuts. |
| How the device is classified into an End Point Control zone | See How the Appliance Uses Zones and Device Profiles for End Point Control. |

The appliance evaluates browser profiles in the order listed until it finds a match. If there is no match for a defined user-agent string, the appliance checks its built-in list of profiles. If no match is found in either list, the device is classified as Desktop (JavaScript enabled) and includes full browser capability.

Adding Browser Profiles

The appliance is preconfigured to recognize many popular small form factor devices. To override or supplement this information, you can create a browser profile that determines how WorkPlace is transformed. A profile is a mapping between the user-agent string sent by the browser and one of several device types defined in AMC. Any profiles you define take precedence over the built-in profiles configured on the appliance.

To add a browser profile:
1. On the main navigation menu, click Agent Configuration.
2. In the Other Agents area, under Web browser profiles, click Edit. The Browser Profiles page appears.
3. Click New, and then, in the User-agent string field, type a distinguishing portion of the user-agent string used by the device. You can use the standard * and ? wildcard characters when defining a user-agent string. For example, a user-agent string of do* would match DoCoMo, and a string of MSI? would match any of the MSIE possibilities.

NOTE: Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.

4. In the Device type drop-down menu, select the entry that most closely matches the client information of the device identified by the user-agent string. For more information on classifying devices, see About Browser Profiles.
5. (Optional) In the Description field, type a descriptive comment about the browser profile.
6. Click OK. The new profile is added to the bottom of the list.
7. Click Save.

NOTE: The appliance evaluates browser profiles in the order listed, until it finds a match. See Moving Browser Profiles for more information.
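The matching rules described above (first match wins, admin-defined profiles before the built-in list, * and ? wildcards, and the Desktop (JavaScript enabled) fallback) as an added Python model; this is example code, not the appliance's implementation. It assumes a pattern matches anywhere in the user-agent string, case-insensitively, and its built-in list and user-agent strings are constructed stand-ins.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Classification used when no admin-defined or built-in profile matches.
DEFAULT_CLASSIFICATION = "Desktop (JavaScript enabled)"


@dataclass(frozen=True)
class BrowserProfile:
    pattern: str        # distinguishing portion of the user-agent string; * and ? wildcards
    device_type: str    # one of the WorkPlace classifications
    description: str = ""


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate the * / ? wildcard syntax into a regular expression.

    Assumption (not stated on the page): the admin types a *portion* of the
    user-agent string, so a pattern matches anywhere in the string and is
    compared case-insensitively ("do*" matching "DoCoMo").
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def classify(user_agent: str,
             admin_profiles: Iterable[BrowserProfile],
             builtin_profiles: Iterable[BrowserProfile]) -> Tuple[str, Optional[BrowserProfile]]:
    """First-match evaluation: admin-defined profiles in list order, then the
    built-in list, then the Desktop (JavaScript enabled) fallback."""
    for profile in (*admin_profiles, *builtin_profiles):
        if wildcard_to_regex(profile.pattern).search(user_agent):
            return profile.device_type, profile
    return DEFAULT_CLASSIFICATION, None


# Constructed stand-in for the appliance's built-in list (illustrative, not the real one).
BUILTIN_PROFILES = [
    BrowserProfile("*iPhone*", "Desktop (JavaScript disabled)"),
    BrowserProfile("*Windows CE*", "Advanced mobile (Touch screen and JavaScript enabled)"),
    BrowserProfile("DoCoMo*", "i-mode phone (cHTML)"),
]

# Constructed sample user-agent strings.
UA_IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 3_0 like Mac OS X)"
UA_WINMOBILE_STD = "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Smartphone"
UA_DESKTOP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/100.0"
UA_IMODE = "DoCoMo/2.0 SH901iC(c100;TB;W24H12)"


def demo() -> dict:
    """Show how admin-defined profiles and their order change the outcome."""
    # An admin profile that reclassifies this handset as Standard mobile even
    # though the built-in "*Windows CE*" profile would also match it.
    override = [BrowserProfile("*Smartphone*", "Standard mobile (JavaScript enabled)",
                               "Windows Smartphone Standard handsets")]
    # A broad pattern such as "do*" placed first also catches every Windows desktop
    # (the substring "do" occurs in "Windows"), silently changing how those desktops
    # are rendered and EPC-classified. Keep patterns specific and check the order.
    too_broad = [BrowserProfile("do*", "i-mode phone (cHTML)")]
    return {
        "iphone": classify(UA_IPHONE, [], BUILTIN_PROFILES)[0],
        "winmobile_builtin_only": classify(UA_WINMOBILE_STD, [], BUILTIN_PROFILES)[0],
        "winmobile_with_override": classify(UA_WINMOBILE_STD, override, BUILTIN_PROFILES)[0],
        "unknown_falls_back": classify("SomeNewBrowser/1.0", [], BUILTIN_PROFILES)[0],
        "imode": classify(UA_IMODE, [], BUILTIN_PROFILES)[0],
        "desktop_hit_by_broad_pattern": classify(UA_DESKTOP, too_broad, BUILTIN_PROFILES)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```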

Moving Browser Profiles

Browser profiles are matched in the order listed. Once the appliance matches a profile, it stops evaluating the list. You can reorder the placement of one or more profiles as needed to ensure that a particular small form factor device is properly recognized.

To move a browser profile:
1. On the main navigation menu, click Agent Configuration.
2. In the Other Agents area, under Web browser profiles, click Edit. The Browser Profiles page appears.
3. Select the checkbox for any profiles you want to move.
4. Click Move Up or Move Down as needed; each click of the button moves the selected profiles up or down one position in the list.
5. Click Save.

Fully Customizing WorkPlace Pages

The WorkPlace customizations that can be done in AMC (described in Configuring WorkPlace General Settings) are a convenient way to change the general look and feel of WorkPlace, but they may not provide enough control for some deployments.

This section describes two levels of customization:

WorkPlace style and layout can be configured in AMC, as described in Modifying the Appearance of WorkPlace. To take this customization a step further and, for example, use a background image for your WorkPlace pages, or change the size of the header area, download an existing style, edit it locally, and upload it back up to your appliance. See WorkPlace Style Customization: Manual Edits for more information.
If you need to do more advanced customization, such as adding a use agreement or end-user license agreement to the login process, you can customize specific pages in WorkPlace, including authentication, error, and notification pages. See About Custom WorkPlace Templates for more information.
WorkPlace Style Customization: Manual Edits

WorkPlace style and layout can be configured in AMC, as described in Modifying the Appearance of WorkPlace. If you are familiar with creating Web content and style sheets (.css), you can take this customization a step further and, for example, make your login and logoff pages visually consistent with your corporate standards, or modify the error pages (which appear if a resource is unavailable or a user provides invalid credentials) to include detailed support or troubleshooting information.

The most efficient way to create a new style is to download an existing style, edit it locally, and upload it back up to your appliance.

To fully customize a WorkPlace style:
1. On the main navigation menu, click WorkPlace.
2. In the Styles drop-down menu on the Appearance page, select a style that you want to use as your starting point, and then click Download. (Styles can be downloaded only one at a time.)
3. The style is downloaded as a compressed (.zip) file, and its filename is a combination of WorkPlace_Style followed by the current style name.
   If you plan to create a new style, rename the .zip file when you save it.
   If you plan to overwrite an existing style with your changes, keep the current filename.
4. Make edits to the cascading style sheets (one for desktop devices and one for mobile devices) and graphics. You can use the sample WorkPlace and login HTML pages to see how page elements are classified.
5. Gather your edits into a .zip file named WorkPlace_Style_<your style name>.zip, and then click Upload on the WorkPlace Appearance page.
6. On the Upload Style page, select whether you are uploading changes to an existing style, or adding a new WorkPlace style. Uploading a style in the form of a .zip file overwrites all style files.
7. If you are uploading a new WorkPlace style, give it a name; for example, Corporate Branding.
8. In the Style zip file field, enter the name of the .zip file you edited or created. If your new style is named Corporate Branding, for example, the name of the corresponding file must be WorkPlace_Style_Corporate_Branding.zip.
9. Click Upload to transfer the style-related files to your appliance.

About Custom WorkPlace Templates

There are situations in which you need to completely customize the way that WorkPlace looks and what steps are involved in the login process. For example:

You may want to use your existing corporate portal (where that portal application has been defined as a resource) instead of WorkPlace. Here you would customize the login, logoff, notification, and error pages to match the look and feel of your existing portal.
You might want to provide access to a specific application (which has been defined as a resource) to a business partner. Here you would customize the login, logoff, notification, and error pages to match the look and feel of the application.

The templates you can customize fall into three categories; see Custom WorkPlace template types. If you modify the ones in one category, you should probably also modify the others to ensure consistency.

Custom WorkPlace template types

| Template type | Description |
|---|---|
| Authentication | The pages used to gather a user’s credentials, including selecting a realm and entering a username, password, or passcode. You might use these templates to provide the user with on-screen information about how to log in to your network. |
| Error | The pages displayed when an error occurs, such as invalid user input (an authorization-denied message or a failed login), or an error in the appliance. You might use these templates to provide the user with support information, such as administrator contact information and where to find user guides. |
| Notification | The pages that provide the user with basic information required to interact with the system, including the logout page (confirming successful logout) and pages containing messages from the authentication module (such as a password-expiration warning). |

Although you can redesign the layout or add graphics and text on these pages, you cannot modify or remove the existing elements. For example, on the authentication page you cannot rename the Login button. These elements are dynamically generated by WorkPlace.

The WorkPlace pages that are presented to the user after login cannot be customized manually; they are controlled from AMC.

How Template Files are Matched

You can customize templates globally, or on a per-WorkPlace site basis. For example, you might customize the global templates to use one design, and then override that design on a site-by-site basis by modifying its templates.

When a user connects to a WorkPlace site, the appliance first looks for the most specific template. If one is not found, it checks for the generic template for the category (authentication, error, or notification). If neither is found, the default WorkPlace template (the one under AMC’s control) is used.

The following tables list the templates available for full-screen devices (desktops and laptops), along with the corresponding file names. For small form factor devices, prefix the file names as follows:

   For smartphone and PDA devices, prefix the file name with compact-.
   For WAP devices, prefix the file name with micro-.

For example, to customize the page users see when selecting a realm, edit realm-select.tmpl. The equivalent pages for smaller devices are compact-realm-select.tmpl (for smart phones and PDAs), and micro-realm-select.tmpl (for WAP devices).

Authentication

Template files: authentication

| Description | File name |
|---|---|
| User selects a realm | realm-select.tmpl |
| User provides login credentials | authentication-request.tmpl |

Error

Template files: errors

| Description | File name |
|---|---|
| Realm selection failed | realm-error.tmpl |
| Invalid credentials supplied | authentication-error.tmpl |
| Access to resource is denied | authorization-error.tmpl |
| Appliance license capacity exceeded | licensing-error.tmpl |
| EPC error | epc-error.tmpl |

Status

Template files: status

| Description | File name |
|---|---|
| Authentication notification (such as password expiration) | authentication-status.tmpl |
| Logoff successful page | logoff-status.tmpl |
| EPC successful logoff page | epc-logoff.tmpl |

Generic

Template files: generic

| Description | File name |
|---|---|
| EPC download page | epc-launch.tmpl |
| User provides login credentials | authentication.tmpl |
| General errors | error.tmpl |
| General status | status.tmpl |
| General page (applied if no other specific template is found) | custom.tmpl |

NOTE: The default WorkPlace template files (named extraweb.tmpl, compact-extraweb.tmpl, and micro-extraweb.tmpl) should never be edited: your changes will be overwritten the next time you customize WorkPlace in AMC.

Customizing WorkPlace Templates

The appearance of WorkPlace is controlled using several templates. To customize the templates, you create an HTML file (or, in the case of a small form factor device, an xHTML or cHTML file) using any standard Web design tool or text editor.

If your customization includes graphics, upload them to this folder:

/usr/local/extranet/htdocs/__extraweb__/images

If an images directory is not already present, you can create it by typing the following command:

mkdir -p /usr/local/extranet/htdocs/__extraweb__/images

The file names you must use are described in How Template Files are Matched. For small form factor devices, a prefix is added:

For smartphone and PDA devices, prefix the file name with compact-.
For WAP devices, prefix the file name with micro-.
To customize the WorkPlace templates for desktop devices:

1. Create an HTML file containing the desired layout, and add the WorkPlace-specific tags:

   Within the BODY tag, add an HTML COMMENT tag containing the word EXTRAWEB:

   <!-- EXTRAWEB -->

   This tag is required; it determines where to place content dynamically generated by the appliance. Without it, the user trying to log in to WorkPlace will be repeatedly sent back to the beginning of the authentication process.

   Add a reference to the external JavaScript file:

   <script language="javascript" src="/__extraweb__/template.js"></script>

   To have your templates display any WorkPlace content (including the .css file or the custom logo you configured in AMC), modify your HTML code to reference the /__extraweb__/images/ path. For example:

   <img src="/__extraweb__/images/mylogo.gif">

2. Save the file with the appropriate file name using a .tmpl file extension.

To customize the WorkPlace templates for small form factor devices:

1. Create a file in xHTML (for smart phones or PDAs) or cHTML (for WAP devices) format containing the desired layout, and add the WorkPlace-specific tags:

   Within the BODY tag, add a COMMENT tag containing the word EXTRAWEB:

   <!-- EXTRAWEB -->

   This tag is required: it determines where to place content dynamically generated by the appliance. Without it, the user trying to log in to WorkPlace will be repeatedly sent back to the beginning of the authentication process.

   To have your templates display any WorkPlace content (including the .css file or the custom logo you configured in AMC), modify your code to reference the /__extraweb__/images/ path. For example:

   <img src="/__extraweb__/images/mylogo.gif">

2. Save the file with the appropriate file name using a .tmpl file extension.
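Because a template that lacks the EXTRAWEB comment sends every user back to the start of authentication, it is worth checking a customized template before uploading it. The following script is an added example, not part of the guide or the appliance: it applies the requirements above (EXTRAWEB comment inside BODY, the /__extraweb__/template.js reference for desktop templates, images served from /__extraweb__/images/, the .tmpl extension, and the compact- or micro- prefix for small form factor files). The two templates embedded in it are constructed for the demonstration.

```python
"""Check a customized WorkPlace template for the tags this section requires.

Added example; not part of the SonicWall guide or appliance. It checks what the
text states: the EXTRAWEB comment must be inside BODY (without it, login loops
back to the start of authentication), the desktop template must reference
/__extraweb__/template.js, WorkPlace graphics must come from
/__extraweb__/images/, the file must use the .tmpl extension, and small form
factor templates must carry the compact- or micro- prefix. The templates below
are constructed for the check and are not product files.
"""
from html.parser import HTMLParser

REQUIRED_SCRIPT = "/__extraweb__/template.js"
IMAGES_PATH = "/__extraweb__/images/"
PREFIXES = {"desktop": "", "compact": "compact-", "micro": "micro-"}


class _TemplateScanner(HTMLParser):
    """Record whether the EXTRAWEB comment is inside BODY, plus script and image sources."""

    def __init__(self):
        super().__init__()
        self.in_body = False
        self.marker_in_body = False
        self.scripts = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            self.in_body = True
        elif tag == "script" and attrs.get("src"):
            self.scripts.append(attrs["src"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False

    def handle_comment(self, data):
        # "<!-- EXTRAWEB -->" arrives here as " EXTRAWEB "
        if "EXTRAWEB" in data.split() and self.in_body:
            self.marker_in_body = True


def check_template(file_name, html, device_class="desktop"):
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    prefix = PREFIXES[device_class]
    if not file_name.endswith(".tmpl"):
        problems.append("file name must use the .tmpl extension")
    if prefix and not file_name.startswith(prefix):
        problems.append(f"file name must start with {prefix} for {device_class} devices")
    scanner = _TemplateScanner()
    scanner.feed(html)
    scanner.close()
    if not scanner.marker_in_body:
        problems.append("<!-- EXTRAWEB --> missing from BODY: users would loop at login")
    # Only the desktop (HTML) template references the external script.
    if device_class == "desktop" and REQUIRED_SCRIPT not in scanner.scripts:
        problems.append(f"missing <script src=\"{REQUIRED_SCRIPT}\">")
    for src in scanner.images:
        if not src.startswith(IMAGES_PATH):
            problems.append(f"image {src} must be served from {IMAGES_PATH}")
    return problems


# Constructed templates used for the demonstration.
GOOD_TEMPLATE = """<html><head><title>Login</title>
<script language="javascript" src="/__extraweb__/template.js"></script>
</head><body>
<img src="/__extraweb__/images/mylogo.gif">
<!-- EXTRAWEB -->
</body></html>"""

# Comment placed in HEAD instead of BODY, no script, logo from the wrong path.
BAD_TEMPLATE = """<html><head><title>Login</title>
<!-- EXTRAWEB -->
</head><body>
<img src="/images/mylogo.gif">
</body></html>"""

if __name__ == "__main__":
    for name, html in (("login.tmpl", GOOD_TEMPLATE), ("login.html", BAD_TEMPLATE)):
        print(name, check_template(name, html) or "OK")
```

Run it against each .tmpl file before copying it to the appliance; a template that reports "missing from BODY" is the one that would loop users at login.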

Giving Users Access to WorkPlace

Because WorkPlace is a Web application, users can access it through a standard Web browser. You can also incorporate WorkPlace links into a Web page or a portal hosted on your own network.

You must tell users which URL to use to access WorkPlace. You can give users the default WorkPlace URL, or you can give them a URL for a customized WorkPlace site; see WorkPlace site types.

 

WorkPlace site types

| WorkPlace site type | URL | Description |
|---|---|---|
| Default WorkPlace site | https://<server_name> | <server_name> is the fully qualified domain name (FQDN) contained in the appliance’s SSL certificate. For more information, see Certificates. |
| Custom WorkPlace site | http://<custom_fqdn> | <custom_fqdn> is the external FQDN associated with the WorkPlace site. For more information, see WorkPlace Sites. |

If users will be accessing WorkPlace from a Web page or portal hosted on your network, you may want to provide a Log out button to preserve the security of user accounts. To do this, give users the following WorkPlace site URL:

https://<server_name>/__extraweb__logoff

The <server_name> is the actual FQDN from your appliance’s SSL certificate.

End Point Control and the User Experience

When Secure Mobile Access End Point Control components are enabled, the WorkPlace login process includes additional steps, which vary depending on whether Cache Cleaner is used. For more information, see About End Point Control.

How Cache Cleaner Works

With Cache Cleaner, the typical WorkPlace session looks like this:

1. In a Web browser, the user types the appropriate WorkPlace URL.
2. The user logs in to WorkPlace.
3. The user must accept any Secure Mobile Access security warnings that appear. The Cache Cleaner icon appears in the task bar notification area.
4. The user accesses network resources as needed.
5. When the user ends the Cache Cleaner session, Cache Cleaner deletes all data associated with the session. All browser windows are closed by Cache Cleaner upon logout. A dialog warns users that all browser windows will be closed on logout.

NOTE: Cache Cleaner closes all browser windows on logout, and can also be configured to close other browser windows at startup, so make sure your users are aware: if someone is filling out a form, for example, anything that isn’t submitted when the browser window closes will be lost.

User Access Components and Services

About User Access Components and Services

The SMA appliance includes several components that enable users to access resources on your network. This section describes each of the user access components and the services that control them.

Many of these components are provisioned or activated from the WorkPlace portal. For more information about WorkPlace, see The WorkPlace Portal.

User Access Agents

User access agents are deployed to client devices based on the community to which the user belongs. Most agents are deployed automatically when the user logs in to the WorkPlace portal using a browser. The installation package for these two access agents can also be made available for download from a file share on your network or deployed through applications such as Microsoft’s Systems Management Server (SMS) or IBM’s Tivoli. For more information, see Selecting Access Methods for a Community.

When deployed automatically—when a user logs in using a browser—the access agents are both deployed and activated on the first visit. This generally requires the user to accept a download for the Secure Endpoint Manager (SEM), which will in turn manage the access agent installation and future access agent updates. On subsequent visits to the WorkPlace portal from the same client device using the same browser, the access agents are automatically activated without user intervention. See Client and Agent Provisioning (Windows) for more information.

Access agent comparison compares the capabilities of access agents and lists their requirements. For other system-requirement information, see Client Components.

 

Access agent comparison

Column key: ODT = OnDemand Tunnel agent and CT = Connect Tunnel client (network tunnel access, IP protocol); ODMM = OnDemand Mapped Mode and WPA = Web Proxy Agent (proxy access, TCP protocol); Web = Translated, Custom Port mapped, Custom FQDN mapped Web access (Web access, HTTP protocol).

| | ODT | CT | ODMM | WPA | Web |
|---|---|---|---|---|---|
| Application support | | | | | |
| TCP-based client/server applications | x | x | x | | |
| TCP- or UDP-based client/server applications | x | x | | | |
| URLs and Web applications | x | x | x | x | x |
| Windows networking | | | | | |
| Web-based file access | x | | | x | x |
| Native Windows file access (Network Neighborhood) | x | x | | | |
| Mapped network drives | x | x | | | |
| Windows domain logon | | x | | | |
| Connection types | | | | | |
| Forward connections | x | x | x | x | x |
| Reverse connections (such as FTP or SMS) | x | x | | | |
| Cross-connections (such as VoIP) | x | x | | | |
| Operating systems | | | | | |
| Windows | x | x | x | x | x |
| Linux or Macintosh | x | x | x | | x |
| Windows Mobile | | | | | x |
| Administrator privileges required to install client/agent | x | x | | | |
| Deployment | | | | | |
| Auto-activated from WorkPlace | x | | x | x | x |
| Provisioned from WorkPlace | x | x | (1) | x | |
| Provisioned outside of WorkPlace | | x | | | |

(1) Port-mapped mode requires ActiveX or Java. For a user without administrator rights who can’t run ActiveX, the Java Runtime Environment (JRE) is used.

Client and Agent Provisioning (Windows)

Secure Endpoint Manager is a component that enables you to provision Windows users with EPC and access agents reliably when they log in to WorkPlace. It provides better application compatibility for applications that need an agent, and more reliable EPC interrogation; in addition, most client updates do not require administrator privileges. If something goes wrong during provisioning, the error is automatically recorded in a client installation log (identified by username) that you can view in AMC.

Installing Secure Endpoint Manager is a one-time step and does not require that the user have administrator privileges. The only other time users will be (briefly) aware of it once it’s installed is when an access agent or the Access Manager itself needs to be updated. Installing Secure Endpoint Manager is also not required, but users without it will have just Web-only access to resources in WorkPlace, or be forced to log out, depending on how you configure the community.

Secure Endpoint Manager

Secure Endpoint Manager (SEM) is a software component that is installed on a client device. It is installed when the SMA product is accessed from a Web browser. SEM enables a user on a client device to log in to an SMA appliance and perform tasks using a Web browser.

SEM provides the installation and activation of several client components, such as OnDemand Tunnel, End Point Control, OnDemand Mapped Mode, and Native Access Modules.

SMA provides an update policy for Secure Endpoint Manager (SEM) and its associated sub-components, such as Native Access Modules, End Point Control, OnDemand Tunnel, Web Proxy, and OnDemand Mapped Mode.

SEM installation and software update policies are supported on Windows, Mac OSX, and Linux client operating systems.

After the server-side firmware has been updated, SMA administrators can control and update specific user Groups and Communities individually, eliminating the need to update thousands of client devices simultaneously.

SEM software updates can be triggered using Web access or Tunnel access methods or using both methods.

Installing Secure Endpoint Manager

Users are normally required to install a Secure Mobile Access agent or client before they are granted access to network resources when they log in to WorkPlace. This is the recommended setting: it provides better compatibility for applications that need an agent, which means broader access for users and fewer Help Desk calls for you.

Users logging in to WorkPlace are offered these choices when this setting is enabled:

Install: Secure Endpoint Manager is installed on the user’s computer. Users will need to do this only once.
Logout: The user’s session is ended.

If you configure the community such that an agent or client is not required, users are offered these choices when they log in:

Install: Secure Endpoint Manager is installed on the user’s computer. Users will need to do this only once.

 
CAUTION: In this scenario (assuming EPC is enabled), the user is placed in either the Default zone or a Quarantine zone, depending on how the community is configured. A Quarantine zone may be too restrictive, and the Default zone probably needs to accommodate many other types of users. You might want to create a unique, Web-only zone for users who don’t require an agent. See Scenario 3: Employees Connecting from a Public Kiosk for ideas on how to set up this kind of zone.

Installing Secure Endpoint Manager on a Computer Running Vista

When users install Secure Endpoint Manager for the first time on a computer running the Microsoft Vista operating system, they see an additional consent dialog that is not seen by users of earlier Windows versions. Users should follow the on-screen instructions and select Do not show me the warning for this program again, and then click Allow.

Enabling Secure Endpoint Manager Software Update Policies

Software update policies for Secure Endpoint Manager (SEM) are enabled at the Community level.

To enable an automatic software update policy for Secure Endpoint Manager:

1. Log in to AMC.
2. Go to the Realms > {Your Realm} > Communities > {Your Community} > Access Methods page. The Secure Endpoint Manager (SEM) panel is near the bottom of the page.

There are three options that can be configured for the SEM Software Update Policy:

Update only when necessary – Select this option if you want the SEM to be updated on client devices according to the following criteria. An update is triggered:

When Personal Device Authorization is not enabled on any client version 11.4 and older. Clients running versions 12.X.X are not prompted for updates.
When Personal Device Authorization is enabled on any client version 11.4 and older.

When the Update only when necessary option is selected, updates and installations are performed whenever an update is required by the system or whenever an update is required by the administrator.

Always update – Select this option if you want the SEM to always be kept up-to-date on client devices. This includes differences in hotfix, maintenance, and major releases (any difference in those triggers an update).

When the Always update option is selected, a user who logs in is given a choice to update the SEM or log out.

Notify user – Select the Notify the user when installing or updating client software option if you want notifications to be sent to the user about the SEM during an installation or an update. This is controlled by the AMC administrator and applies to both installations and updates of the SEM.

The only case in which a user who does not reach WorkPlace receives no notification is when the AMC administrator has enabled notifications but the user has opted out by clicking Logout.

In cases where SEM is required, either Access Agents or EPC must be provisioned. Otherwise, the SEM installation or update will fail.

Automatic Installation of SEM Components

If SEM or any of its subcomponents are not present on a device, they will be installed during the update process, regardless of which option is selected in the SEM Software Update Policy. Access to WorkPlace resources cannot be guaranteed unless SEM and its subcomponents are installed properly.

If SEM is not installed, you are prompted to accept installation of the SEM components.
  If you select Yes, SEM is installed.
    If the SEM installation is successful, you can continue to land on WorkPlace.
    If the SEM installation fails, you are logged out.
  If you select No, you are logged out.
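The interaction between the three policy options and the mandatory installation of missing components is easiest to see as a decision function. The following Python model is an added example and not SonicWall code; the appliance's own version comparison is not documented on this page, so the tuple comparison below (and what happens to clients between 11.4 and 12.0) is an assumption. The rules it encodes are the ones stated above: a missing SEM is installed regardless of the option selected, "Update only when necessary" updates 11.4 and older clients and leaves 12.x clients alone whether or not Personal Device Authorization is enabled, "Always update" fires on any difference in hotfix, maintenance or major level, and the notify setting only controls whether the user is told.

```python
"""Model of the SEM Software Update Policy choices described above.

Added example, not SonicWall code; the appliance's own comparison logic is not
published on this page, so the version arithmetic is an assumption. Rules taken
from the text: SEM or a missing subcomponent is installed regardless of the
policy option; "Update only when necessary" updates clients 11.4 and older and
leaves 12.x clients alone (Personal Device Authorization on or off); "Always
update" fires on any difference in major, maintenance or hotfix level; the
notify setting only controls whether the user is told.
"""
from dataclasses import dataclass

UPDATE_WHEN_NECESSARY = "Update only when necessary"
ALWAYS_UPDATE = "Always update"


def parse_version(text):
    """'12.0.1' -> (12, 0, 1); missing trailing components count as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


@dataclass(frozen=True)
class Decision:
    action: str   # "install", "update" or "none"
    notify: bool  # the user is shown the install/update notification


def decide(policy, appliance_version, client_version=None, notify_user=False):
    """Return what happens to SEM on a client logging in under the given policy."""
    appliance = parse_version(appliance_version)
    if client_version is None:
        # Not present on the device: installed no matter which option is selected.
        return Decision("install", notify_user)
    client = parse_version(client_version)
    if policy == ALWAYS_UPDATE:
        # Any difference at major, maintenance or hotfix level triggers an update.
        needs_update = client != appliance
    elif policy == UPDATE_WHEN_NECESSARY:
        # 11.4 and older are updated; 12.x clients are not prompted.
        # Behaviour for versions between 11.4 and 12.0 is not stated (assumed: none).
        needs_update = client[:2] <= (11, 4)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return Decision("update" if needs_update else "none", notify_user and needs_update)


if __name__ == "__main__":
    for policy in (UPDATE_WHEN_NECESSARY, ALWAYS_UPDATE):
        for client in (None, "11.4", "12.0.0", "12.0.1"):
            print(f"{policy:27} client={client!s:7} -> {decide(policy, '12.0.1', client, True)}")
```

The difference between the two update options only shows for clients that are already on a 12.x release: a hotfix step such as 12.0.0 to 12.0.1 is ignored under "Update only when necessary" and forces an update-or-logout choice under "Always update".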

Provisioning and Personal Firewalls

Some third-party firewall products regulate outbound connections by process (in addition to port and protocol). These firewalls may raise a security alert dialog regarding Secure Endpoint Manager during the provisioning of agents or EPC components. In most cases, the user should be instructed to “unblock” or “permit” the outbound connection.

There are a few firewalls, such as one supplied by Trend Micro, that do not permit a user with restricted rights to override firewall settings. For corporate systems on which users have limited access rights, you may want to update the firewall settings before deploying the Secure Mobile Access VPN so that users won’t have to respond to these security dialog prompts. See Using Personal Firewalls with Agents for more information.

Client Installation Logs

If something goes wrong during client or agent installation on a computer running Windows, the error is recorded in a client installation log on the user’s local computer. These logs are automatically uploaded to the appliance and listed in AMC if the user has Secure Endpoint Manager installed. For more information, see Client Installation Logs (Windows).

WorkPlace

WorkPlace is a Web-based portal that provides dynamically personalized access to Web resources protected by the Web proxy service. After a user logs in to WorkPlace, a home page appears that contains an administrator-defined list of shortcuts. These shortcuts point to Web-based file shares, Web-based applications, and terminal server resources to which the user has access privileges.

All Secure Mobile Access user access components are provisioned or activated through the WorkPlace portal. WorkPlace is accessible from any standard Web browser. For more information, see The WorkPlace Portal.

Network Explorer

Network Explorer, available through WorkPlace, is a Web-based user interface that provides access to any shared Windows file system resources a user has permission to access (even from a computer that isn’t running Windows). These resources can include domains, servers, computers, workgroups, folders, and files.

Network Explorer is an optional component that can be controlled through policy or completely disabled. It is supported on any browser supported by WorkPlace. For more information, see The WorkPlace Portal.

Tunnel Clients

The Secure Mobile Access tunnel clients provide secure access for TCP and UDP traffic; bi-directional traffic, such as remote Help Desk applications; cross-connections, such as VoIP applications; and reverse connections, such as SMS. The clients all provide network-level access to all resources, effectively making the user’s computer a node on your network:

OnDemand Tunnel agent is a browser-based, Web-activated agent.
Connect Tunnel client is a Web-installed client. The tunnel clients are managed from AMC using the network tunnel service. Configuring this service to manage TCP/IP connections from the network tunnel clients requires setting up IP address pools that are used to allocate IP addresses to the clients.

OnDemand Tunnel Agent

The OnDemand Tunnel agent enables you to provide complete network and application access through a Web browser to resources protected by the network tunnel service. The OnDemand Tunnel agent is a lightweight agent that provides the same broad application and protocol access as the Connect Tunnel client, but it is integrated into the WorkPlace portal and automatically starts each time users log in to WorkPlace.

The OnDemand Tunnel agent is supported on Windows, Linux, and Macintosh, and requires Internet Explorer with ActiveX or Java enabled, or Mozilla Firefox or Safari with the Java Runtime Environment (JRE).

Connect Tunnel Client

The Connect Tunnel client provides full access to resources protected by the network tunnel service, and to any type of application, including those that use TCP, and non-TCP protocols such as VoIP and ICMP. Connect Tunnel also includes split-tunneling control, granular access controls, proxy detection, and authentication.

The Connect Tunnel client can be deployed in a number of ways (for more information, see Client Installation Packages):

Offer users a shortcut in WorkPlace for downloading and installing the client; the link points to the Connect Tunnel resource, described in Built-In Resources.
If you don’t want to require users to log in to WorkPlace, have them download and install the Connect Tunnel client components from a network location (such as a Web server, FTP server, or file server).
Distribute installation packages using an application such as SMS or Tivoli.
Create a master image of a Connect Tunnel install and copy it to user systems using a third-party disk-image copying utility such as Norton Ghost.

The Connect Tunnel client is supported on Windows, Linux, and Macintosh operating systems, and installation of the Connect Tunnel client requires users to have administrator privileges. All Connect Tunnel configuration and management is performed in AMC.

The Connect Tunnel client supports command-line utilities, such as ngdial, that can modify the normal run-time behavior of the client and enable you to perform troubleshooting and diagnostic tasks without using the standard graphical user interface. For more information, see Command Line Access to Connect Tunnel with NGDIAL.

When Connect Tunnel is active, a Connect Tunnel icon is displayed in the system task bar.

You can configure the Windows version of the Connect Tunnel client software to be automatically updated on users’ computers whenever a new version becomes available. For more information, see Windows Tunnel Client Automatic Client Updating.

NOTE: A user logged in as a guest on a computer running the Windows Vista operating system will not be able to run Connect Tunnel. A guest account is for users who don't have a permanent account on your computer or domain—it allows them to use your computer without giving them access to your personal files.

Support for Quest Desktop Workspace

Moka5 Suite is an enterprise desktop management platform that is used to create and administer layered virtual desktop images called LivePCs, which execute as guests on a Type-2 Hypervisor.

SonicWall provides a pre-installed SMA VPN client (Windows) on the virtual Windows OS image that is created using the Moka5 Creator.

The Windows SMA Connect Tunnel client can be integrated with the Moka5 Creator by making changes to the SMA Connect Tunnel client (Windows) as specified in the Moka5 Integration Guide.

The SMA Connect Tunnel client works well with the Quest KACE K1000 Management Appliance.

Web Access

This section provides an overview of the Web Proxy Agent and zero-client Web access methods such as translated Web access, custom port mapped Web access, and custom FQDN mapped Web access. A section describing Exchange ActiveSync Web access is also included.


Web Proxy Agent

The Web Proxy Agent provides access through the WorkPlace portal to any Web resource—including Web-based applications, Web portals, and Web servers—as well as Windows network shares. The Web Proxy Agent provides improved application compatibility over Translated Web access, but provisioning the Web Proxy Agent can take a little extra time when a user first logs in to WorkPlace. The Web Proxy Agent requires Internet Explorer with ActiveX enabled.

NOTE: The Web Proxy Agent is being deprecated.

In the absence of a Web Proxy agent, the administrator should select the Network tunnel client option on the User Access > Realms > Configure Community > Access Methods > Tunnel IP Protocol page, for a given user community. Unlike the Web Proxy Agent, which provides access only to Web-based resources, the Network tunnel client provides access to all types of resources.

NOTE: You must have Administrator privileges to install the Network tunnel client option. See Tunnel Clients.

Translated ActiveSync Web Access

By default, the appliance is configured to deploy a Microsoft ActiveX control (the Web Proxy Agent) on Microsoft Windows systems running Internet Explorer. If the Web Proxy Agent cannot run, Translated Web access can be used as a fallback. Translated Web provides basic access to Web resources, and enables you to create aliases that obscure internal host names. It proxies Web content directly through the appliance and provides access to any Web resource that is specifically configured to run with WorkPlace, as well as access to Windows network shares. Translated Web access works on any Web browser that supports SSL and has JavaScript enabled. It uses URL rewriting, which may have limitations with some Web applications, such as AJAX. Custom port mapping or custom FQDN mapping may be used as an alternative to URL translation.

Custom Port Mapped Web Access

Custom port mapping involves mapping the backend resource or server to a port number at the EX Series appliance. Apache listens on this port and all HTTPS traffic received on it is terminated at the appliance. A new HTTP request is made to retrieve the mapped backend resource. The HTTP reply is transmitted using plain text to facilitate translation of absolute URLs. URL rewriting is not used. When using custom port mapping, any firewalls in the network must be configured to keep the specific ports open. Custom port mapping does not require installation of a client agent, and works with any Web browser.

Custom FQDN Mapped Web Access

Custom FQDN mapping means that the backend resource or server is mapped to an external fully qualified domain name (host and domain). The resource should be accessed with the FQDN name rather than with the IP address. The FQDN name should be resolvable to an IP address in the public domain. Apache listens on port 443 at this IP address. All HTTPS traffic is terminated at this socket. A new HTTP request is made to retrieve the mapped backend resource. The HTTP reply is transmitted using plain text to facilitate translation of absolute URLs. URL rewriting is not used.

Notes for Custom Port Mapped or Custom FQDN Mapped Web Access

These access methods are ideal for well-written applications that predominantly use relative URLs. Ajax and Flash applications may also behave better with these access methods than with Translated Web access.

The following applications are recommended for Custom Port Mapped or Custom FQDN Mapped Web Access over Translated Web Access:

SharePoint 2010, SharePoint 2013
Outlook Web Access 2013
Domino Web Access
Complex web applications (Java applets/AJAX/Flash/other advanced web technologies)

Configuration Requirements

Each resource should be configured using only one of the access methods. Do not mix translated, custom port mapped and custom FQDN mapped modes.

Do not include a path in the URL. The resource URL should contain only the scheme, host name and optional port, in the form:

http(s)://backend_hostname(:portNumber)

To set the complete path on WorkPlace, specify the start page on the Edit WorkPlace ShortCuts > Advanced page, as explained in Adding Web Shortcuts.

Use of valid certificates is highly recommended.

Single sign-on for the appliance might not work with Internet Explorer when a custom FQDN mapped resource with an invalid certificate is accessed from WorkPlace. For example, this could happen when a user logs in to WorkPlace and clicks a custom FQDN mapped resource that has a self-signed certificate or otherwise does not have a valid certificate on the appliance. Internet Explorer shows the user a JavaScript certificate warning. After the user accepts the certificate, Internet Explorer does not transmit the “referrer” HTTP header to the initial page. This referrer value is required for single sign-on functionality. This issue does not occur when using browsers other than Internet Explorer, when there is no certificate warning, or when wildcard or SAN certificates are used.

This Internet Explorer issue is described at:

http://connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=379975

A custom port mapped resource may be redirected to the WorkPlace portal if a certificate warning occurs when it is accessed with Internet Explorer.

The resources should be configured and accessed using the host and domain name only, not via IP address.
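The practical difference between Translated Web access and the two mapped modes is whether the appliance has to rewrite content at all. The following Python sketch is an added example, not appliance code; the alias scheme, host names and ports in it are constructed. It rewrites absolute backend URLs found in markup attributes the way a translating proxy must, shows that a URL assembled inside script text is never seen by such a rewriter (the AJAX limitation noted above), shows that custom FQDN and custom port mapping select the backend from the Host header or the listening port and leave the body untouched, and applies the resource URL rules from Configuration Requirements (scheme and host only, no path, host name rather than IP address).

```python
"""Translated Web access (URL rewriting) versus custom FQDN / custom port mapping
(no rewriting), with the resource URL rules from Configuration Requirements.

Added example; the alias scheme, host names and ports are constructed and are
not the appliance's own. It shows why absolute backend URLs need rewriting in
translated mode, why URLs built inside JavaScript escape the rewriter (the
AJAX limitation noted in the guide), and why the mapped modes need no rewriting
because the Host header or listening port already selects the backend.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

APPLIANCE = "vpn.example.com"                                  # constructed

# Translated Web access: backend host -> alias path on the appliance.
TRANSLATION_ALIASES = {"intranet.corp.example": "/intranet"}  # constructed
# Custom FQDN mapping: external host name -> backend (selected by Host header).
FQDN_MAP = {"owa.example.com": "mail.corp.example"}           # constructed
# Custom port mapping: appliance port -> backend.
PORT_MAP = {8443: "sharepoint.corp.example"}                  # constructed

ATTR_URL = re.compile(r'((?:href|src|action)=")([^"]*)(")', re.IGNORECASE)


def translate_html(html):
    """Rewrite absolute URLs in href/src/action attributes that point at a translated backend."""
    def rewrite(match):
        prefix, url, suffix = match.groups()
        parts = urlsplit(url)
        alias = TRANSLATION_ALIASES.get(parts.hostname)
        if alias is None:              # relative URL, or a host not proxied here
            return match.group(0)
        new_url = f"https://{APPLIANCE}{alias}{parts.path or '/'}"
        if parts.query:
            new_url += "?" + parts.query
        return prefix + new_url + suffix
    # Only markup attributes are seen; a URL assembled in script text is never rewritten.
    return ATTR_URL.sub(rewrite, html)


def route_fqdn(host_header):
    """Custom FQDN mapping: the Host header alone picks the backend; content is untouched."""
    return FQDN_MAP.get(host_header.split(":")[0].lower())


def route_port(listen_port):
    """Custom port mapping: the appliance port alone picks the backend."""
    return PORT_MAP.get(listen_port)


def validate_resource_url(url):
    """Apply the rules above: scheme and host (optionally port) only, no path, no IP address."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("do not include a path; set the start page on the shortcut's Advanced page")
    host = parts.hostname or ""
    if not host:
        problems.append("host name missing")
    else:
        try:
            ip_address(host)
            problems.append("use the host and domain name, not an IP address")
        except ValueError:
            pass                       # a host name, as required
    return problems


# Constructed backend page as the proxy would fetch it.
SAMPLE_PAGE = """<a href="http://intranet.corp.example/hr/index.html">HR</a>
<img src="/images/logo.png">
<a href="https://intranet.corp.example/docs?id=7">Docs</a>
<a href="http://other.example/x">Elsewhere</a>
<script>var api = "http://intranet.corp.example/api/v1";</script>"""


def translated_sample():
    """The constructed page after translation; the script-built URL survives unrewritten."""
    return translate_html(SAMPLE_PAGE)


if __name__ == "__main__":
    print(translated_sample())
    print(route_fqdn("owa.example.com:443"), route_port(8443))
    for candidate in ("https://sharepoint.corp.example:8443",
                      "https://intranet.corp.example/sites/hr", "https://10.0.0.5"):
        print(candidate, validate_resource_url(candidate) or "OK")
```

The unrewritten `var api = "http://intranet.corp.example/api/v1"` line is exactly the kind of request that breaks under translation and works under FQDN or port mapping, where the browser already talks to a host name that resolves to the appliance and no rewriting is needed.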
Known Behavior

Logging out of applications like OWA, DWA and SharePoint from an Internet Explorer browser may log you out of WorkPlace.

NOTE: Logging out does not affect other active WorkPlace shortcut sessions. Only the browser is logged off, because the backend application clears all cookies (including appliance-specific cookies) on logoff.

Seamless Editing in SharePoint

The SonicWall Secure Mobile Access (SMA) platform supports Microsoft SharePoint access using reverse proxy, as well as seamless editing of Office documents while in SharePoint. SMA accomplishes this by allowing persistent cookie information to be stored on appropriate zones. Administrators can enable or disable persistent cookie information on the user’s system.

NOTE: Editing SharePoint documents from a zone that allows persistent session storage is available only for Microsoft Internet Explorer (IE).

NOTE: In cases where legal regulations require the consent of the user before storing persistent cookies, the Administrator can create an Acceptable Use Policy (AUP).

NOTE: Persistent cookies should not be enabled for zones that a user could reach from unsafe locations (such as kiosk mode zones).

Configuring seamless editing in SharePoint is done in three parts:

Enabling Storage of Persistent Session Information

To enable Persistent Cookie information on a user’s system:

1. Go to the End Point Control page.
2. In the Zones and Profiles panel, click Edit for Zones. The Zones page appears.
3. Select a zone or create a new zone as follows:
   a. If you want a new zone, see Creating a Device Zone.
   b. If you want to change one of the existing zones, click on that zone in the table.
   The Zone Definition - Device Zone page appears.
4. Scroll down to the Client Security panel and open it.
5. Under Persistent session information, select the Allow storage of persistence session information on client system checkbox.

Configuring a Resource as a SharePoint Web Service

To configure a resource as a SharePoint Web Service:

1. Go to the Security Administration > Resources page.
2. Click New, then select URL from the drop-down menu. The Add Resource - URL page appears.
3. Enter the Name and the URL for this resource.
4. If this resource is on the external network, select the checkbox for This destination is on the external network.
5. Scroll down to the Web proxy options panel and open it.
6. From the Web application profile drop-down menu, select SharePoint.
7. Select the Web service is Microsoft Sharepoint checkbox.
8. Select Access this resource using a custom FQDN.
9. In the Custom FQDN field, enter the FQDN.

Modifying a Zone to Allow Storing of Persistent Session Information

To modify a zone to allow storing of persistent session information on a client system:

1. Go to the User Sessions page.
2. Click on the User Session that you want. The Session Details page appears.
3. Click on the zone that you want. The Zone Details page appears.
4. Click Edit Zone. The Zone Definition - Device Zone page appears.
5. Scroll down to the Client Security panel and open it.
6. Under Persistent session information, select the Allow storage of persistence session information on client system checkbox.

Exchange ActiveSync Web Access

Secure Mobile Access supports Exchange ActiveSync for Apple iPhones/iPads and smart phones or tablets that run Android 2.1/2.2/2.3+ or the Symbian 9.x operating system.

Symbian is an open OS that acts as host to many devices. A few popular devices that run the latest Symbian OS versions and support Exchange ActiveSync (branded as “Mail for Exchange” on Nokia devices) are:

Symbian OS 9.1 – Nokia E65, N71
Symbian OS 9.3 – Nokia E72
Symbian OS 9.4 – Nokia X6, Samsung Omnia HD

After the administrator configures the SMA appliance, a user with a supported smart phone or tablet can configure the device to access email using Exchange ActiveSync.

To do this, the user enters an email account name, server, domain, user name and password. The user turns on ActiveSync for this account. The results are saved as a new email account on the device.

With ActiveSync turned on, the device gives the user notice when new mail arrives.

When the user syncs the iPhone or Symbian device to a computer that is connected to the Exchange server through the SMA appliance, the mail, contacts and calendar are updated. On Symbian, Tasks and Out Of Office settings are also supported.

Enabling Exchange ActiveSync access on the appliance

The administrator can enable Exchange ActiveSync access for a community of iPhone or Symbian device users. This involves the following tasks:

Create a realm that uses an Active Directory authentication server. Realms that use chained authentication are not supported for Exchange ActiveSync.
Create a resource for Exchange ActiveSync using the Exchange Server Options section of the Resources Add/Edit page for a URL resource.

The Exchange Server Options section allows the administrator to specify a custom FQDN, IP address, SSL certificate, and realm to use for providing Exchange ActiveSync access.

The custom FQDN, IP address, and SSL certificate options function in the same way as those for Workplace sites that use these options. The custom FQDN provides a host/domain name through which ActiveSync connections or sessions can be established.

The IP address is a virtual IP address hosted by the appliance, and must be on the same subnet as the external interface (or the internal if single-homed) of the SMA appliance so that it is reachable via the public interface of the appliance.

The SSL certificate can be a wildcard certificate or you can configure a server certificate that matches the host name.

The only realms that appear in the Realm drop-down menu are those that use an Active Directory authentication server. Realms that use chained authentication do not appear in the menu. A realm used for Exchange ActiveSync cannot be changed to provide chained authentication or to use an authentication server other than Active Directory.

Define a Device Profile for end point control of Exchange ActiveSync devices from the EPC page in AMC. You can select Exchange ActiveSync as the device profile type.

The only attribute that can be configured for this device profile is Equipment ID. The device serial number is used as the identifier. Equipment ID retrieval uses the underlying operating system hard disk drivers. All driver updates should be applied to ensure that Equipment ID retrieval works reliably.

The Exchange ActiveSync device profile can be included in any zone for evaluation.

NOTE: ActiveSync clients will not be able to connect on zones that have Device authorization enabled.

View the Network Settings page to see all custom IP addresses used for virtual hosting, the FQDNs that listen on these addresses, and the associated Resources or WorkPlace Sites.

The Resources and WorkPlace Site items are links to the configuration page for easy navigation and editing.

View the User Sessions page, which displays Exchange ActiveSync sessions as belonging to the Exchange ActiveSync Access Agent. Exchange ActiveSync is an option in the Agent list under Filters.

Exchange ActiveSync sessions

Initial connections to the Exchange ActiveSync server FQDN cause a username and password challenge by the appliance.

If the user authenticates successfully, the ActiveSync session is established with the Exchange server without further user interaction.

For users connecting to Exchange 2007, the device IMEI serial number is parsed out of the ActiveSync stream during session initialization. The administrator of the Exchange system might need to make configuration changes so that the device identifier is sent.

The appliance authenticates to the Exchange server using Basic authentication. Because Basic credentials are only base64-encoded, the connection from the appliance to the Exchange server should itself be protected with TLS.

Notes for Exchange ActiveSync device profiles
Device authorization is not supported by ActiveSync clients. ActiveSync clients will not be able to connect on zones that have Device authorization enabled.
The profiles only work with an ActiveSync stream because that is the only way to obtain the device value.
The profiles only work on ActiveSync streams that are interacting with Exchange 2007 servers.
Only ActiveSync for Exchange is supported in this release.

ActiveSync Resource Configuration with SAN Certificates

SAN certificates can be used for different host names on the same IP address. If you do not want to use a SAN certificate and instead want to continue configuring ActiveSync resources as in previous versions, set the CEM variable MGMT_ALLOW_LEGACY_VIRTUAL_HOSTS to TRUE.

To use a SAN certificate, configure the IP address on the Exchange Server options page.

Outlook Anywhere Web Access

SMA supports Outlook Anywhere for Microsoft Outlook clients on Windows. After the administrator configures the SMA appliance, a user can configure the Microsoft Outlook client to access email through Outlook Anywhere and can also use the Out-of-Office service.

Configuring Outlook Anywhere on the Appliance

You can enable Outlook Anywhere access for Microsoft Outlook Client users. This involves the following tasks:

Create a realm that uses an Active Directory authentication server. Realms that use chained authentication are not supported for Outlook Anywhere.
Create a resource for Outlook Anywhere using the Exchange Server Options section of the Resources Add/Edit page for a URL resource.

The Exchange Server Options section allows the administrator to specify the Exchange Server FQDN and the realm to use for providing Exchange access. The Exchange Server FQDN must be the same as the one configured on the Exchange server for Outlook Anywhere (RPC over HTTP or MAPI over HTTP) and must resolve to the public IP address of the SMA appliance.

The realms that appear in the Realm drop-down list are those that use an Active Directory authentication server. Realms that use chained authentication do not appear in the list. A realm used for Outlook Anywhere cannot be changed to provide chained authentication or to use an authentication server other than Active Directory.

Microsoft Outlook will try to connect to the Exchange Autodiscover FQDN when configuring the Email account. For example, the Email address, user@example.com, would have an Autodiscover FQDN of autodiscover.example.com. The name autodiscover.example.com must be configured in a public DNS server with the public IP address of the appliance.

The User Sessions page displays Exchange sessions as belonging to the Outlook Anywhere Access Agent.

Outlook Anywhere Session

When connecting to Outlook Anywhere, users must submit their username and password credentials to the appliance. If the user authenticates successfully, the OA session is established with the Exchange server.

The username and password are extracted from the Basic Authorization header sent by the client and authenticated against the Active Directory server to establish a session on the appliance. The connection to the Exchange server is then established after successful authentication. Basic credentials are only base64-encoded, not encrypted, so they are protected solely by the TLS session between the client and the appliance.

If the initial requests carry non-Basic authentication headers (for example, NTLM or Negotiate), the client is challenged again for Basic headers. The username and password are then extracted and authenticated against the Active Directory server, and once authentication succeeds the session is established with the Exchange server.
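The credential handling described above, as an added illustration that is not part of this guide or of the SMA product code: a Python front end that does what the appliance is described as doing with one inbound Outlook Anywhere or ActiveSync request. It challenges with 401 when the Authorization header is absent, malformed, or uses another scheme (NTLM, Negotiate), decodes Basic credentials, splits the DOMAIN\user and user@domain forms, and, for requests to the ActiveSync virtual directory, reads the Cmd, User, DeviceId and DeviceType query parameters that the MS-ASHTTP protocol carries in the request URL. The realm string, the sample requests and the assumption that the device identifier arrives as the DeviceId parameter are the example's own; it does not talk to Active Directory.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Realm string returned in the 401 challenge; an assumption for this example.
CHALLENGE_REALM = "SMA"

# Constructed sample requests (not captured traffic): (method, target, headers).
SAMPLE_REQUESTS = [
    ("OPTIONS", "/Microsoft-Server-ActiveSync", {}),
    ("RPC_IN_DATA", "/rpc/rpcproxy.dll", {"Authorization": "NTLM TlRMTVNTUAABAAAA"}),
    ("POST", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe&DeviceId=ABC123&DeviceType=iPhone",
     {"Authorization": "Basic " + base64.b64encode(b"EXAMPLE\\jdoe:p:ss").decode()}),
]


def basic_header(user, password):
    """Build the header a client sends; the credentials are only base64-encoded."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header_value):
    """Return (user, password) from 'Basic <b64>', or None if the header is
    missing, uses another scheme (NTLM, Negotiate, ...), or is malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        decoded = raw.decode("latin-1")   # RFC 7617 leaves the charset to the server
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None                       # no colon or empty user name: reject
    return user, password


def split_domain_user(user):
    """DOMAIN\\user or user@domain -> (domain, user); (None, user) otherwise."""
    if "\\" in user:
        domain, _, name = user.partition("\\")
        return domain, name
    if "@" in user:
        name, _, domain = user.partition("@")
        return domain, name
    return None, user


def activesync_params(target):
    """Cmd/User/DeviceId/DeviceType from an EAS request URL (MS-ASHTTP plain-text
    query form), or None if the target is not the ActiveSync virtual directory."""
    parts = urlsplit(target)
    if parts.path.lower() != "/microsoft-server-activesync":
        return None
    qs = parse_qs(parts.query)
    return {k: qs.get(k, [None])[0] for k in ("Cmd", "User", "DeviceId", "DeviceType")}


def handle_request(method, target, headers):
    """Decide what the front end does with one inbound request."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        # Absent, non-Basic or malformed: challenge the client for Basic credentials
        return {"action": "challenge", "status": 401,
                "www_authenticate": f'Basic realm="{CHALLENGE_REALM}"'}
    domain, user = split_domain_user(creds[0])
    result = {"action": "authenticate", "domain": domain, "user": user,
              "password": creds[1], "method": method}
    eas = activesync_params(target)
    if eas is not None:
        result["activesync"] = eas        # device identifier for the EPC device profile
    return result


if __name__ == "__main__":
    for method, target, headers in SAMPLE_REQUESTS:
        decision = handle_request(method, target, headers)
        shown = {k: v for k, v in decision.items() if k != "password"}  # never log secrets
        print(method, target.split("?")[0], "->", shown)
```

The decoded password must go to the authentication step and nowhere else; the demo loop strips it before printing for that reason. Because the whole scheme rests on base64, anything this function does is only as safe as the TLS session it runs behind.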

If Autodiscover is enabled, the Outlook Anywhere client will automatically update the server information using the Email ID. This may take some time while the server is updated.

Microsoft Outlook Client Configuration
Configuring a New Microsoft Outlook Client Account
To configure a new Microsoft Outlook client account:
1
Open Microsoft Outlook.
2
Go to the File > Info page.
3
Click the Add Account button. The Add New account page appears.

4
Enter Your Name, Email Address, and Password.

The client will automatically fetch the server information using Autodiscover and set up the account. Make sure the Autodiscover URL is configured properly both in AMC and on the Exchange server.

For RPC/HTTP you can manually configure the Outlook Anywhere settings at Microsoft Outlook client, though it automatically updates with the latest server information if autodiscover is enabled.

Configuring An Existing Microsoft Outlook Client Account
To configure an existing Microsoft Outlook client account:
1
Open Microsoft Outlook.
2
Click File > Info.

3
Click Account Settings.

The Account Settings dialog appears.

4
Click Change... The Change Account dialog appears.

5
Click the More Settings... button. The Microsoft Exchange dialog appears.

6
Select the Connection tab.
* 
NOTE: The Connection tab is not available for MAPI/HTTP. It gets the server information automatically.
7
Under Outlook Anywhere, select Connect to Microsoft Exchange using HTTP.
8
Click the Exchange Proxy Settings button. The Microsoft Exchange Proxy Settings dialog appears.

9
In the Use this URL to connect to my proxy server for Exchange field, enter the Outlook Anywhere FQDN.
10
Under Proxy authentication settings, from the drop-down menu, select Basic Authentication.
* 
NOTE: As Basic Authentication is supported only for RPC/HTTP in SMA, you must make sure that Basic Authentication is configured for Outlook Anywhere RPC/HTTP at the Exchange server.
11
Click OK to save the configuration.
12
Exit Microsoft Outlook.
13
Open Microsoft Outlook to start a new session.
Viewing Outlook Anywhere Sessions of the Outlook Anywhere Access Agent
To view the Outlook Anywhere sessions belonging to the Outlook Anywhere Access Agent:
1
Go to the Monitor > User Sessions page.
2
Under Filters, in the Agent list, select the Exchange option.

Client Installation Packages

You can make the Connect Tunnel client components available for users to download and install from another network location (such as a Web server, FTP server, or file server) without requiring them to log in to WorkPlace. You can also push the Connect Tunnel client installation package to users through an application such as Tivoli or SMS, or create a master image of a client install and copy it to user systems using a third-party disk-image copying utility.

The client setup packages are available for you to download from AMC. With the Windows-based packages (Connect Tunnel for Windows), you also have the option of configuring various client settings in an .ini configuration file before distributing the client to users.

* 
NOTE: The easiest way to ensure that users are running the latest version is to make client updates automatic; see Windows Tunnel Client Automatic Client Updating for more information.

Downloading the Secure Mobile Access Client Installation Packages

This section describes how to download the installation package for the Connect Tunnel client to your local workstation.

To download a client installation package:
1
From the main navigation menu, click Agent Configuration.
2
In the Secure Mobile Access access agents area, under Client installation packages, click Download. The Client Installation Packages page appears.
3
Select the language for the installation packages. Each package includes translated user interface elements and online help.

4
Download the client installation files for the platforms you plan to support (<xx> represents the language you selected):
 

Download links

Download link                               Installation package
Windows                                     ngsetup_<xx>.exe
Linux x86                                   SMA1000Connect-Linux.tar
Mac OS X 10.5.x                             SMA1000Connect-OSX.dmg
Windows Mobile                              cmsetup.exe
Windows service (Connect Tunnel Service)    ctssetup_<xx>.exe
5
The Download Client Package page appears, and a File Download dialog prompts you to save the file to your local computer.
6
Click Save, browse to the appropriate directory, and then click Save again.
7
Click OK on the Download Client Package page to return to the Client Installation Packages page.

Customizing the Configuration for the Connect Tunnel Client

The Connect Tunnel client setup package that you download from the appliance is not configured. You can customize the Connect Tunnel configuration file (an .ini file) before deploying the setup package to users. This allows you to speed things up for users by preconfiguring the client with the host name or IP address of the appliance, the realm name used during log in, and other client options. If you skip this step, the package uses the default appliance settings.

To customize the Connect Tunnel configuration file:
1
Download the Connect Tunnel installation file onto a Windows computer as described in Downloading the Secure Mobile Access Client Installation Packages.
2
Open a Windows command prompt by typing cmd in the Start > Run field.
3
Browse to the directory where you saved ngsetup_<xx>.exe, and then extract the installation files by typing the following command. The destination for the unpacked files will be the current working directory unless you specify a <path> with the expand parameter:
ngsetup_<xx>.exe -expand=<path>
4
Open the ngsetup.ini file in a text editor, and specify the appropriate configuration settings.
5
Save and then close the modified ngsetup.ini file. The .ini customizations you made will be incorporated during setup if the file is copied to the same directory in which you saved ngsetup_<xx>.exe. To specify a different location for the .ini file, use the following command:
ngsetup_<xx>.exe -f=<path>\<configuration file name>

You can also log installation data to a file named ngmsi.log in the %ALLUSERSPROFILE%\Application Data\SMA1000 folder (on Windows XP and Windows Server 2003 this is C:\Documents and Settings\All Users\Application Data\SMA1000). Type the following for a list of all the possible parameters:

ngsetup_<xx>.exe -?
6
The Configuration options table describes the configuration options and is followed by a sample .ini file. Some of these options are available only when Connect Tunnel is installed from WorkPlace. For any optional components that you do not specify, default values are used.
 

Configuration options

Option

Description

[Connectoid number] section

(Required) This controls the basic settings for accessing the appliance. To enable the user to access multiple appliances, copy this configuration block and increment the number ([Connectoid 1], [Connectoid 2], and so on).

ConnectionName=name

(Optional) The name for the connection as it will appear in the client user interface. If you do not specify a value, the default connection name is used (SMA1000 VPN Connection).

VpnServer=host name | IP address

(Optional) The host name or IP address of the appliance. If you do not specify a value, users must manually type the host name or IP address of the appliance.

StartMenuIcon=[0 | 1]

(Optional) Determines whether to add a shortcut named Secure Mobile Access VPN Connection to the Secure Mobile Access Start menu folder. The default value is 1 (add a shortcut).

DesktopIcon=[0 | 1]

(Optional) Determines whether to add a shortcut to the desktop. The default value is 1 (add a shortcut).

UserRealm=name

(Optional) Determines the default realm that users will log in to. Type the realm name exactly as it appears in AMC.

DefaultAuthType= [ADUNPW | LDAPUNPW | RADIUSUNPW | RADIUSCRAM | UNIX]

(Obsolete) This setting determines which type of user authentication to perform. It applies only when accessing an E-Class SMA appliance that predates v8.7.0.

StatusDlg=[0 | 1]

(Optional) Determines whether to display a status dialog box when connecting to the appliance. The default value is 1 (status display enabled).

Taskbar=[0 | 1]

(Optional) Determines whether to display an icon in the task bar notification area when connected to the appliance. The default value is 1 (icon display enabled).

RunAtStartup=[0 | 1]

(Optional) Determines whether to automatically start the connection at Windows startup. The default value is 1 (enable automatic startup).

[Install Settings] section

(Optional) This section contains information about the type of MSI installation to perform. Each .ini file can include only one [Install Settings] section.

UILevel=[FULL | REDUCED | BASIC | NONE]

(Optional) Determines the level of user interface to include during installation. The default value is NONE.

ProductCode=key
PackageCode=key
FileSize=bytecount
ProductVersion=x.yy.zzz

These settings are preconfigured and required. They should not be modified.

Sample ngsetup.ini file

[Install Settings]
UILevel=FULL
ProductCode={A814B50B-B392-458A-8C31-51697E1EBB7A}
PackageCode={A77CB50B-0384-5D8A-DE3D-61099E9EB37C}
Branding=C:\Users\Admin\AppData\Roaming\SMA1000\CustomBranding.zip
BrandingMD5=1fc1a7b361c3b7e81e29842372f5e875
* 
NOTE: The value of Branding should specify the absolute path of your Custom Branding file. The value of BrandingMD5 is the MD5 hash of that file and can be obtained using any MD5 tool. Keep the preconfigured ProductCode, PackageCode, FileSize, and ProductVersion values from the extracted file; they must not be modified.
[Connectoid 1]
ConnectionName="XYZ Company Network"
VpnServer=64.94.142.134
[Connectoid 2]
ConnectionName="Test Network"
VpnServer=64.94.142.134
StartMenuIcon=1
DesktopIcon=1
UserRealm="employees"
StatusDlg=1
Taskbar=1
RunAtStartup=1
* 
NOTE: On a computer running the Windows operating system, there is a registry key that enables you to launch programs once, after which the reference is deleted so that the program is not run again. After Connect Tunnel is installed, any program that is listed in:
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce

is executed.

* 
NOTE: The file cannot include certain items—such as authentication type and custom prompts—until a connection has been made to the VPN appliance. This means that first-time users are presented with dimmed authentication prompts. There are a few workarounds:
Have users install from WorkPlace.
Have users click Properties in the Connect dialog box and select a realm.
Refer to Customizing a Connect Tunnel Initialization File vs. Installing from WorkPlace (SW2831) for an explanation of how to obtain a complete configuration file from a WorkPlace installation and modify it for your users.
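The customization step described above, as an added example that is not part of this guide or of the Connect Tunnel installer: a Python helper that takes the ngsetup.ini unpacked by ngsetup_<xx>.exe -expand, leaves the preconfigured [Install Settings] keys untouched, replaces the [Connectoid n] sections with the ones you want to ship, fills in Branding and BrandingMD5 from the branding zip, and afterwards checks that none of the required preconfigured values changed. The extracted file, the GUIDs, the size, the version and the branding bytes are constructed placeholders, not real product values.

```python
import configparser
import hashlib
import io

# Constructed stand-in for the ngsetup.ini that "ngsetup_<xx>.exe -expand" unpacks.
# The GUIDs, size and version are placeholders, not real product values.
EXTRACTED_INI = """[Install Settings]
UILevel=NONE
ProductCode={00000000-0000-0000-0000-000000000001}
PackageCode={00000000-0000-0000-0000-000000000002}
FileSize=12345678
ProductVersion=1.00.000

[Connectoid 1]
ConnectionName=SMA1000 VPN Connection
"""

# Keys the guide says are preconfigured and must not be modified.
PRECONFIGURED = ("ProductCode", "PackageCode", "FileSize", "ProductVersion")
VALID_UI_LEVELS = ("FULL", "REDUCED", "BASIC", "NONE")


def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep the installer's mixed-case key names
    cp.read_string(text)
    return cp


def branding_md5(zip_bytes):
    """The BrandingMD5 value: MD5 of the branding zip's bytes. This is an
    integrity check only; anyone who can swap the zip can also rewrite the hash."""
    return hashlib.md5(zip_bytes).hexdigest()


def customize(extracted_text, connectoids, ui_level="NONE",
              branding_path=None, branding_zip=None):
    """Return a new ngsetup.ini: preconfigured keys untouched, [Connectoid n]
    sections replaced by the given list, optional custom branding added."""
    if ui_level not in VALID_UI_LEVELS:
        raise ValueError(f"UILevel must be one of {VALID_UI_LEVELS}")
    cp = load_ini(extracted_text)
    install = cp["Install Settings"]
    install["UILevel"] = ui_level
    if branding_path is not None:
        install["Branding"] = branding_path          # absolute path on the target PC
        install["BrandingMD5"] = branding_md5(branding_zip)
    for section in [s for s in cp.sections() if s.startswith("Connectoid ")]:
        cp.remove_section(section)
    for number, settings in enumerate(connectoids, start=1):
        name = f"Connectoid {number}"                # [Connectoid 1], [Connectoid 2], ...
        cp.add_section(name)
        for key, value in settings.items():
            cp[name][key] = str(value)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


def changed_preconfigured(extracted_text, customized_text):
    """Names of preconfigured keys whose value differs from the extracted file."""
    before = load_ini(extracted_text)["Install Settings"]
    after = load_ini(customized_text)["Install Settings"]
    return [k for k in PRECONFIGURED if before.get(k) != after.get(k)]


if __name__ == "__main__":
    zip_bytes = b"PK\x03\x04 constructed placeholder, not a real zip"
    ini = customize(
        EXTRACTED_INI,
        [{"ConnectionName": '"XYZ Company Network"', "VpnServer": "vpn.example.com",
          "UserRealm": '"employees"', "Taskbar": 0, "RunAtStartup": 1}],
        ui_level="FULL",
        branding_path=r"C:\ProgramData\SMA1000\CustomBranding.zip",
        branding_zip=zip_bytes,
    )
    assert changed_preconfigured(EXTRACTED_INI, ini) == []
    print(ini)
```

Run the check against the .ini you actually distribute, because a hand-edited file that drops or retypes one of the preconfigured keys breaks the MSI update path silently rather than at install time.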

Command Line Access to Connect Tunnel with NGDIAL

The NGDIAL command-line utility establishes a connection to a remote network using Connect Tunnel, much like the Windows RASDIAL utility does with other network connections.

The NGDIAL command-line utility can also create, delete, and modify network connection phone book entries. Issuing the NGDIAL command without any parameters will list all RAS connections.

Linux and Macintosh configurations support Connect Tunnel and the Connect Tunnel Extensibility Toolkit.

Command Syntax

Command syntax

Option

Description

<connection name>

The name of the network connection; if the name includes a space, enclose it in quotes.

<public>

The user’s public credential (username) for authentication; if the name includes a space, enclose it in quotes. For example:

ngdial report_server "Jen Bates"

The public and <private> portions of the credentials must correspond correctly with the authentication type specified by the authentication realm on the E-Class SMA appliance.

[<private>|* [<auth type>]]

The private credentials (password) and authentication type to be used when authenticating the user (the <auth type> parameter is required only for logging in to a pre-v8.7.0 appliance).

If the <private> portion of the credential is omitted or an asterisk (*) is specified, the NGDIAL command prompts the user to enter the password. Prompting is preferable to passing the password on the command line, where it is visible in process listings and command history.

If you do not specify an <auth type> when logging in to a pre-v8.7.0 appliance, the default authentication type for the realm is used. Values for <auth type> are:

NULL: No authentication required
LDAPUNPW: LDAP username/password credential
LDAPCERTIFICATE: LDAP certificate credential
RADIUSCRAM: RADIUS token/securID credential
RADIUSUNPW: RADIUS username/password credential
UNIX: UNIX username/password credential
TEAM: SMA TEAM credential
ADUNPW: Active Directory username/password credential

-create

Generates a new network connection, or updates an existing network connection, with the information passed on the command line.

-delete

Deletes the specified network connection entry from the specified phone book. You must have system administrator privileges to perform this operation.

[-connection=<connection name> | <connection list friendly name>]

Loads the connection entry to dial from the connection list.

-disconnect | -d

Causes the VPN to disconnect from the <connection name> remote network.

[-gui]

If additional information is necessary to establish the VPN network connection, use this parameter to allow RAS to prompt the user with a graphical user interface (GUI).

For example, the user could be prompted to accept the appliance's server certificate if there are any problems with the certificate, or the user might need to be notified regarding password expiration or required changes. If the -gui option is not specified in such a case, the NGDIAL utility fails and returns an error code to the caller.

-help | -?

Displays the command-line syntax for the NGDIAL command. When combined with the -gui option, displays the online Help.

[-icon[=enable|disable]]

Controls the display of an icon in the task bar notification area that allows the user to manage the VPN network connection and receive connection notifications. See Notes.

[-login=<login group>]

The name of the login group (authentication realm) used to authenticate the user. If a login is specified without specifying an <auth type> for the credentials (in a connection to a pre-v8.7.0 appliance), NGDIAL uses an <auth type> of ADUNPW.

[-phonebook=<phonebook>]

Specifies the file name of the phone book where the <connection name> is defined. The file name must include the fully qualified path to the phone book file. If a path is not specified, NGDIAL looks in the directory that contains the system phone book (rasphone.pbk) for the specified phone book file.

[-list=<connection name>]

Lists all connections when used without an argument; displays the details of the named connection when used with one.

-prompt

Causes the NGDIAL command to prompt the user to connect to the <connection name> remote network.

[-proxycredential=
<username> [,<password>|*]]

If a proxy server is required for access to the appliance, use this option to specify the username and password credentials for it.

If the password is omitted, or entered as an asterisk (*), the NGDIAL command prompts the user for a proxy password.

[-server=<server name>| <server IP>]

Specifies the appliance name or IP address. If a server is specified, and it is different from the server defined in the phone book entry, the server and login group (if specified) are saved to the phone book entry.

[-editserver=<server name>]

Edits the server name in the custom connection list.

[-editrealm=<realm name>]

Edits the realm name in the custom connection list.

[-status[=enable|disable]]

Controls the display of a connection status dialog box when the VPN network connection takes more than two seconds to connect.

[-nocerterrors]

Suppresses server certificate errors. This disables validation of the appliance's identity, so the connection could be intercepted by any host presenting a certificate; use it only for troubleshooting.

ngdial <connection name> <public> [<private>|* [<auth type>]]
    [-phonebook=<phonebook>]
    [-server=<server name>|<server IP>]
    [-login=<login group>]
    [-proxycredential=<username>[,<password>|*]]
    [-status[=enable|disable]] [-icon[=enable|disable]] [-gui]
ngdial <connection name> <public> [<private>|* [<auth type>]]
    [-phonebook=<phonebook>]
    [-connection=<connection name>|<connection list friendly name>]
    [-proxycredential=<username>[,<password>|*]]
    [-status[=enable|disable]] [-icon[=enable|disable]] [-gui]
    [-nocerterrors]
ngdial <connection name> -disconnect|-d
ngdial <connection name> -prompt
    [-phonebook=<phonebook>]
ngdial <connection name> [-list=<connection name>]
ngdial <connection name> [-editserver=<server name>]
ngdial <connection name> [-editrealm=<realm name>]
ngdial <connection name> -create
    [-phonebook=<phonebook>]
    [-server=<server name>|<server IP>]
    [-login=<login group>]
    [-status[=enable|disable]] [-icon[=enable|disable]]
ngdial -help | -?

Examples

NGDIAL "ACME Corp" -create -server=remote.acme.com -icon -status
NGDIAL "ACME Corp" "Jen Bates" * -login="Business Partners" -icon -gui
NGDIAL "ACME Corp" jdoe password
NGDIAL "ACME Corp" -disconnect
* 
NOTE: Although the ngdial -help usage statement indicates that the -icon=disable flag is an option without the -create flag, in some cases the -create flag is necessary to disable the icon.

To disable the icon so that it does not appear on the task bar, you can use either of the following two methods:

Set Taskbar=0 in the ngsetup.ini file, and then type a command such as:
ngdial "SMA VPN Connection" -server=<server IP address> -login="Realm name" username password -icon=disable -gui
Type a command using the -create option with the -icon=disable option to store the icon parameter, and then type the command to connect, such as:
ngdial "SMA VPN Connection" -create -server=<server IP address> -icon=disable -gui
ngdial "SMA VPN Connection" -server=<server IP address> -login="Realm name" username password -icon=disable -gui

Running Connect as a Service

The Connect Tunnel client is a Windows client component of Secure Mobile Access’s VPN solution that enables secure, authorized access to Web-based and client/server applications, and to Windows file shares.

In a server environment, you can install and configure an add-on component—Connect Tunnel Service—so that the VPN connection starts automatically without user intervention: no user login is required, and no user interface or icons are displayed. For example, you may want to synchronize data between a remote system in the field and a file server secured behind the VPN at corporate headquarters. On the remote system (running the Windows Server platform), Connect Tunnel Service is configured to run at a specific time, connect to the corporate file server, and synchronize its database with the master database at headquarters.

* 
NOTE: Connect Tunnel has the capability to establish a dial-up connection before it makes a connection to an E-Class SMA appliance. The Connect Tunnel Service, on the other hand, does not support this option; it requires an always-on, non-dialup network connection.

Installing Connect Tunnel Service

Using the Connect Tunnel Service involves installing both Connect Tunnel and Connect Tunnel Service.

To install and configure Connect Tunnel Service:
1
On the Client Installation Packages page in AMC (Agent Configuration > Download), select a language, and then download the installation packages for both the Connect Tunnel (ngsetup_<xx>.exe) and Connect Tunnel Service (ctssetup_<xx>.exe).
2
Install Connect Tunnel first (ngsetup_<xx>.exe). A shortcut named Secure Mobile Access VPN Connection is created on the desktop.
3
Install Connect Tunnel Service (ctssetup_<xx>.exe). A shortcut named Secure Mobile Access VPN Service Options is created on the desktop.
4
On the desktop, double-click the Secure Mobile Access VPN Service Options shortcut. Alternatively, double-click VPN Service Options in the Control Panel. The VPN Service Properties dialog appears.

5
On the VPN tab, configure these settings:
 

VPN tab settings

Setting

Description

VPN Connection Name

Type the name of the Connect client connection object exactly as it appears in the Windows Network Connections window (Start|Connect To|Show All Connections). By default, this is VPN Connection.

Hostname or IP address

Type the host name or IP address of the E-Class SMA appliance to log in to.

Login group

Type the name of the realm to log in to.

Username and Password

Type the credentials for a user in this Login group (realm).

6
On the Service tab, configure these settings:
 

Service tab settings

Setting

Description

Number of attempts to restart a failed connection

Specify how many times to attempt restarting if an initial connection attempt fails.

Time interval between restart attempts

Specify the amount of time (in minutes) to wait between restart attempts.

7
Click the Start and Stop buttons to control the service.

8
To verify that Connect Tunnel started, open the VPN Connection shortcut on the desktop. You should see the established connection. Alternatively, you can issue the ipconfig command on the command line to verify that you have a virtual IP address for the VPN connection.

Windows Services and Scripting Options

You can use Windows Services to manage Connect Tunnel Service on a local or remote computer.

How to use Windows Services to Configure and Run Connect Tunnel Service

To use Windows Services to configure and run Connect Tunnel Service:
1
On the computer running the Windows Server platform and Connect Tunnel Service, run Windows Services, and then open the VPN Service Properties dialog (Control Panel > Administrative Tools > Services > VPN Service).

2
Use these settings to control the service (start, stop, pause, resume, or disable it), set up recovery actions in case of service failure, or disable the service for a hardware profile.

Using a Command or Script to Run Connect Tunnel Service

You can use the Windows sc.exe utility to communicate with Service Controller (services.exe) from the command prompt or in a batch file. This enables you, for example, to automate the startup and shutdown of the VPN service. Or, in an environment where you want users to be able to start the VPN connection by clicking on a shortcut (and without being aware of the credentials), you could also create a shortcut on the desktop that launches a command or batch file.

For example, start and stop the service on a remote computer with the following commands:

sc \\SERVERNAME start ctssrv
sc \\SERVERNAME stop ctssrv

To start or stop the Connect Tunnel Service from the command line or a third-party application, invoke these commands:

%windir%\system32\sc.exe start ctssrv
%windir%\system32\sc.exe stop ctssrv

Troubleshooting

Use the Windows Event Viewer (Control Panel > Administrative Tools > Event Viewer> Application > CTS) to view any information, warning, or error messages related to running Connect Tunnel Service. For more detailed messages, look in the service log. The default location is:

%ALLUSERSPROFILE%\Application Data\SMA1000
* 
NOTE: If your environment includes an outbound HTTP proxy for access to the Internet, you must use one that does not require authentication; otherwise you will see this error message in the log file for Connect Tunnel Service (ctssrv.log): Direct internet access is not available. You must also configure Connect Tunnel Service to run under a Windows user account with administrative privileges.

Distributing Secure Mobile Access Client Setup Packages

You can deploy the Connect Tunnel client setup package to users from a network location (such as a Web server, FTP server, or file server) without requiring them to log in to WorkPlace.

For the Connect Tunnel client, you can also push an installation package to users through a configuration management application such as Microsoft Systems Management Server (SMS) or IBM Tivoli Configuration Manager, or distribute a disk image that includes a preconfigured Connect Tunnel installation.

If you configured the client’s .ini file, you should distribute it along with the setup program (if you distribute the setup program by itself the client will use the default settings).

Deploying Client Installation Packages for Connect Tunnel

The Connect Tunnel client can be installed as an .exe file, deployed using a Microsoft Installer (.msi) file, or distributed as part of a disk image.

Deploying as an .exe File
To deploy the Connect Tunnel client as an .exe file:

Distribute the ngsetup_<xx>.exe file to users (<xx> represents the language you selected). If you modified the ngsetup.ini file (as described in Customizing the Configuration for the Connect Tunnel Client), distribute this file as well. To invoke the .ini file, pass it as a command-line parameter to the setup program by typing the following command:

ngsetup_<xx>.exe -f=<path>\<configuration file name>

To simplify the user experience, you might write a batch file that calls the setup program with this parameter.

Deploying using an .msi File

If you install the Connect Tunnel client this way (rather than running ngsetup_<xx>.exe), you must set the Windows Installer to do a per-machine, rather than a per-user, installation; see Specifying a Per-Machine Installation to Support MSI Updates. (A per-user installation does not make the registry entries that are necessary for later updates.)

To deploy the Connect Tunnel client using an .msi file:
1
Set up your configuration management software program (such as Microsoft SMS or IBM Tivoli) to deploy the .msi installation package and the modified ngsetup.ini file (if you created one).
Specifying a Per-Machine Installation to Support MSI Updates
To specify a per-machine installation so that subsequent MSI updates will be supported:
1
Download ngsetup_<xx>.exe from the Client Installation Packages page in AMC, and then extract the installation files by typing the following command. The destination for the unpacked files will be the current working directory unless you specify a <path> with the expand parameter:
ngsetup_<xx>.exe -expand=<path>
2
Modify the ngsetup.ini file (as described in Customizing the Configuration for the Connect Tunnel Client) as needed.
3
To run Windows Installer, type the following:
msiexec.exe /i ngvpn.msi ALLUSERS=1 NGSETUP=1 CONFIGURATIONFILE=<path>\<.ini file name>
Deploying as a Disk Image

Disk cloning is a common method for distributing Windows operating systems and applications. If you decide to use this distribution method for Connect Tunnel, you must run the Windows System Preparation Tool (Sysprep.exe) to prepare the disk image for duplication. Without Sysprep, the computer’s security ID (SID) remains unchanged and Connect Tunnel’s unique identifier is then duplicated, resulting in IP address conflicts. Here is a broad outline of how to prepare and distribute disk images:

To deploy the Connect Tunnel client as a disk image:
1
Install Connect Tunnel for Windows on a reference system and configure it as needed.
2
Run the Windows System Preparation Tool and shut down the computer.
3
Duplicate the master disk using a third-party application or disk duplicator.
4
When the disk is inserted into the destination computers, Mini-Setup will prompt the user for information (for example, the computer name). You can automate this step by creating an “answer file” (sysprep.inf). For more information about using System Preparation Tool, refer to the Microsoft Web site: http://support.microsoft.com/kb/302577.

Network Tunnel Client Branding

Custom branding is available for the Connect Tunnel user interface. This feature allows companies to replace the SonicWall branding in Connect Tunnel windows with their own company names and logos. Connect Tunnel branding is available on Windows, Mac OS X, and Linux platforms and is done on a per-appliance basis.

To upload customized branding graphics and guidelines:
1. Under the main navigation menu, select Agent Configuration and then click Configure next to Network Tunnel client branding.
2. Click Download next to Default branding package and select the download location.
3. Click OK to return to the Configure custom branding package page.
4. Unzip the downloaded file, which contains a folder of branding files for each platform (Windows, Linux, and Mac). Using the README.txt file as a guide, replace the default files with custom branding files, and then zip the files.
5. On the Configure custom branding package page, click the Browse button and select the zip file containing the custom branding files.
6. After saving the file, click Save. All Connect Tunnel windows and icons are then updated with custom branding.

The OnDemand Proxy Agent

The OnDemand Proxy Agent is a secure, lightweight agent that provides access to TCP/IP resources. It uses local loopback proxying to redirect communication to protected network resources according to routing directives defined in AMC (it does not support UDP applications).

Note that the OnDemand Proxy Agent does not scale as effectively as the OnDemand Tunnel agent. The OnDemand Proxy Agent is not recommended for usage as a broad VPN agent, but instead should be targeted for access to specific applications through WorkPlace. In situations where you want to provide broad access to applications through the WorkPlace portal for more than 500 concurrent users at a time, we recommend that you deploy the OnDemand Tunnel agent instead. Note that you can use OnDemand Proxy as a fallback for OnDemand Tunnel in case OnDemand Tunnel cannot be installed (perhaps due to issues around administrative rights). In that scenario, you would configure both OnDemand Tunnel and OnDemand Proxy within a community.

This section provides an overview of OnDemand and describes how to configure and deploy it.

About OnDemand Proxy

OnDemand Proxy is a loopback-based proxy solution that secures communication between a client application and an application server. The OnDemand Proxy connection sequence figure illustrates the connection sequence.

OnDemand Proxy connection sequence

1. OnDemand starts automatically when the user logs in to WorkPlace.
2. OnDemand runs within the WorkPlace window.
3. OnDemand waits for application requests on the local loopback address (127.0.0.1) and redirects the traffic to the Web proxy service.
4. The Web proxy service proxies the traffic to an application server using the application’s required port(s).
5. The application server sends application traffic to the Web proxy service.
6. The Web proxy service sends the application traffic to OnDemand, which then passes it to the client application.

OnDemand supports TCP applications that use one or multiple ports, including applications that dynamically define ports (it does not support UDP-based applications). The Applications accessed using OnDemand table lists applications typically accessed using OnDemand.

 

Applications accessed using OnDemand

Application: Resident client/server (typically, these client applications are installed locally on the client computer)

Examples:
  Internet email applications: Microsoft Outlook, Outlook Express, Lotus Notes, Netscape Mail, Eudora
  Terminal emulation applications: WRQ Reflection, NetManage RUMBA PC-to-Host
  Remote office connectivity applications: Citrix ICA/Xenapp, Microsoft Windows Terminal Services

By default, OnDemand is configured to run automatically when the user connects to WorkPlace. For optimum performance, OnDemand is installed on the user’s computer the first time it is accessed, minimizing download time for returning users.

OnDemand Mapped Mode

By default, OnDemand starts automatically when users log in to WorkPlace. Mapped mode enables users to click a shortcut that is configured for a specific application. Optionally, you can configure OnDemand to automatically launch a specified Web URL when users click a shortcut. This is useful for starting an application (such as a thin-client application) when OnDemand runs. You must manually create any shortcuts to specific applications. Mapped mode is supported on Windows, Macintosh, and Linux platforms.

On Windows PCs, when a user logs in to WorkPlace for the first time, WorkPlace automatically downloads, installs, and launches OnDemand on the user’s computer (assuming the community the user belongs to is configured to do so). On subsequent WorkPlace logins, WorkPlace automatically starts OnDemand.

Activating OnDemand

By default, when OnDemand is enabled, it starts automatically when users log in to WorkPlace and runs within the WorkPlace window. Users must keep the WorkPlace window open while working with OnDemand in this embedded mode.

NOTE:
Users cannot start an application from the OnDemand window. Unless you configure a URL to launch automatically when users start OnDemand, users must manually start applications as they would normally.
Users may need to configure their personal firewalls to allow OnDemand traffic.

How OnDemand Redirects Network Traffic

OnDemand uses the local loopback address to redirect and secure traffic through the appliance. This section provides an overview of loopback proxying and describes the various redirection methods.

Overview: Loopback Proxying

OnDemand uses local loopback proxying to securely submit application traffic through the Web proxy service. For example, suppose a Windows user wants to connect to the appliance and run a Citrix application:

1. The user logs in to WorkPlace, and OnDemand automatically starts.
2. OnDemand dynamically maps the local loopback address to the host name for the Citrix server.
3. The user runs the Citrix application, which attempts to connect to citrix.example.com. OnDemand resolves the Citrix host name to 127.0.0.1 and routes the traffic to the Web proxy service.
4. OnDemand encrypts the Citrix traffic using SSL and securely routes it to the SMA appliance, which in turn forwards it to the Citrix server.
5. The Citrix server responds, sending data back through the SMA appliance.
6. The appliance forwards the response to OnDemand over SSL.
7. OnDemand forwards the information to the Citrix application.
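The loopback redirection in the sequence above, as an added example that is not part of this guide and not SonicWall's OnDemand code: a minimal Python forwarder listens on a 127/8 address and relays every application connection to the real upstream server. The echo server and the client round trip are constructed stand-ins for the Citrix server and the Citrix application; the SSL leg to the appliance (steps 4 and 6) is left out so the example runs offline, and the class and function names are the example's own.

```python
"""Minimal loopback TCP forwarder (added example, not OnDemand code)."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoopbackForwarder:
    """Listens on a 127/8 address and relays each accepted connection to `upstream`.

    The application keeps using its normal host name; a hosts-file entry (or the
    mapping configured in AMC) makes that name resolve to local_addr instead.
    """

    def __init__(self, upstream, local_host="127.0.0.1", local_port=0):
        self.upstream = upstream                    # (host, port) of the real server
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((local_host, local_port))
        self.listener.listen(8)
        self.local_addr = self.listener.getsockname()   # what the application connects to
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:                         # listener closed
                return
            try:
                up = socket.create_connection(self.upstream, timeout=5)
            except OSError:
                client.close()
                continue
            # One pump per direction: application -> server and server -> application
            threading.Thread(target=_pump, args=(client, up), daemon=True).start()
            threading.Thread(target=_pump, args=(up, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the destination server: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(payload):
    """Send payload through the loopback forwarder to the echo server; return the reply."""
    srv = start_echo_server()
    fwd = LoopbackForwarder(srv.getsockname())
    try:
        with socket.create_connection(fwd.local_addr, timeout=5) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)            # tell the far side we are done sending
            reply = b""
            while True:
                chunk = app.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        fwd.close()
        srv.close()


if __name__ == "__main__":
    print(round_trip(b"hello through the loopback proxy"))
```

Because the forwarder binds to an ephemeral port (local_port=0), the application has to be told the resulting address; in the real product that is what the Local host and local port fields in AMC fix in advance.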

Hosts File Redirection

To redirect traffic to destination servers, modify the hosts file on the user’s computer. This redirection method is supported on Windows, Macintosh, and Linux platforms, provided the user has administrator privileges on the local computer.

Modifying the hosts file on a user’s system maps a destination server to a local loopback address. When an application attempts to resolve a host name, traffic is redirected to the loopback address on which OnDemand is listening.

The Hosts files table shows a typical hosts file, with host names mapped to IP addresses, followed by a hosts file modified for use by OnDemand.

Hosts files

Typical Hosts File
192.168.1.135 telnet.example.com telnet
192.168.1.140 mailhost.example.com mail
192.168.1.143 citrix.example.com citrix

OnDemand Hosts File
127.0.0.1 telnet.example.com telnet
127.0.0.1 mailhost.example.com mail
127.0.0.1 citrix.example.com citrix

NOTE: The OnDemand host names are mapped to the local loopback address, not the host’s IP address. For application-specific configurations, these loopback addresses would match the addresses you specify when configuring OnDemand in AMC; for more information, see Configuring OnDemand to Access Specific Applications.

Configuring OnDemand to Access Specific Applications

If you are deploying OnDemand to users on non-Windows platforms, or want to automatically use the launch URL feature to start a thin-client application when users run OnDemand, you must define an application-specific configuration in AMC. This involves mapping the port numbers for the client and server, a process called port mapping.

About Port Mapping

To configure OnDemand to redirect traffic for a specific application, you need to know the port numbers the application uses for the client and server, and then map those ports in AMC. OnDemand listens for incoming requests on specific ports on the client and then proxies them to the appliance, which forwards the information to an IP address and port on the application server.

For example, you might map an IP address and port on the client (such as 127.0.1.1:23) to the host name or IP address and port on the destination server (such as telneta.example.com:23).

Some applications—such as email—use multiple ports for different protocols. In this case, you must configure OnDemand to listen on several different ports. This configuration can also be useful for configuring OnDemand to work with several different applications. The Example: OnDemand configuration figure shows OnDemand configured to work with three applications over five different ports.

Example: OnDemand configuration

In this example OnDemand is configured to listen on port 23 for telnet and port 1494 for Citrix. For email requests it is listening on port 25 (SMTP), port 110 (POP3), and port 143 (IMAP).
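Port mapping and hosts-file redirection together, as an added Python example written for this guide (not AMC or OnDemand code): the Mapping records model the five-port configuration above; validate() flags two services sharing one local ip:port (the conflict described in the configuration procedure), local hosts outside 127.x.y.z, and the MacOS 127.0.0.1 rule; ondemand_hosts_file() rewrites the typical hosts file from the Hosts files table into its OnDemand form; and loopback_entries() lists which names a client's hosts file already resolves to loopback, which is what an administrator checks when auditing a client. The sample mappings and hosts file are constructed, and telnet.example.com stands in for the text's telneta.example.com so that the same names appear in both.

```python
"""Model of OnDemand-style loopback port mapping (added example, not SonicWall code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LOOPBACK_NET = IPv4Network("127.0.0.0/8")   # the 127.x.y.z space the Local host field accepts


@dataclass(frozen=True)
class Mapping:
    """One service mapping (hypothetical model of a 'Current mapping' row in AMC)."""
    app: str          # application name shown in WorkPlace
    local_host: str   # loopback address OnDemand listens on
    local_port: int   # port OnDemand listens on
    dest_host: str    # destination host name (or IP) behind the appliance
    dest_port: int    # port on the destination server


# Constructed sample: three applications over five ports, as in the text's example
SAMPLE_MAPPINGS = [
    Mapping("telnet", "127.0.0.1", 23, "telnet.example.com", 23),
    Mapping("citrix", "127.0.0.1", 1494, "citrix.example.com", 1494),
    Mapping("email", "127.0.0.1", 25, "mailhost.example.com", 25),    # SMTP
    Mapping("email", "127.0.0.1", 110, "mailhost.example.com", 110),  # POP3
    Mapping("email", "127.0.0.1", 143, "mailhost.example.com", 143),  # IMAP
]

# Constructed sample hosts file matching the "Typical Hosts File" column
SAMPLE_HOSTS = """# constructed sample hosts file
192.168.1.135 telnet.example.com telnet
192.168.1.140 mailhost.example.com mail
192.168.1.143 citrix.example.com citrix
"""


def validate(mappings, platform="windows"):
    """Return a list of problems: local hosts outside 127/8, two services sharing the
    same local ip:port, and (on MacOS) any local host other than 127.0.0.1."""
    problems = []
    seen = {}                                   # (local_host, local_port) -> app
    for m in mappings:
        if IPv4Address(m.local_host) not in LOOPBACK_NET:
            problems.append(f"{m.app}: local host {m.local_host} is not in 127.0.0.0/8")
        if platform == "macos" and m.local_host != "127.0.0.1":
            problems.append(f"{m.app}: MacOS requires local host 127.0.0.1")
        key = (m.local_host, m.local_port)
        if key in seen:
            problems.append(f"{m.app}: {m.local_host}:{m.local_port} is already used by {seen[key]}")
        else:
            seen[key] = m.app
    return problems


def ondemand_hosts_file(typical_hosts, mappings):
    """Rewrite each entry whose name is a mapped destination so that it resolves to the
    loopback address OnDemand listens on; other entries and comment-only lines are kept."""
    loopback_for = {m.dest_host: m.local_host for m in mappings}
    out = []
    for line in typical_hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            out.append(line)                    # blank or comment-only line
            continue
        ip, names = fields[0], fields[1:]
        redirect = next((loopback_for[n] for n in names if n in loopback_for), None)
        out.append(" ".join([redirect or ip] + names))
    return "\n".join(out) + "\n"


def loopback_entries(hosts_text):
    """Names a hosts file resolves into 127/8: expected on an OnDemand client,
    and worth a look on any other machine."""
    names = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            if IPv4Address(fields[0]) in LOOPBACK_NET:
                names.extend(fields[1:])
        except ValueError:                      # IPv6 entries such as ::1, or malformed lines
            continue
    return names


if __name__ == "__main__":
    print(validate(SAMPLE_MAPPINGS))
    print(ondemand_hosts_file(SAMPLE_HOSTS, SAMPLE_MAPPINGS))
```

Moving a conflicting service to a different 127.x.y.z address (for example 127.0.1.1) clears the conflict on Windows and Linux but, as the note in the procedure says, not on MacOS, which is why validate() takes the platform into account.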

Configuring an Application for Use with OnDemand

To configure an application, you need to know the protocols it uses for each service and map the source address and ports on the client to those on the destination host. You also have the option of specifying a URL to open a Web page, which is useful for automatically starting an application, when the user runs OnDemand.

To configure an application for use with OnDemand:
1. On the main navigation menu of AMC, click Agent Configuration.
2. In the OnDemand area under Access agents, click Edit. The Configure OnDemand page appears.
3. In the Mapped mode area, click New.
4. In the Application name field, type the name to use for the application. This name is displayed to the user in WorkPlace. Use a short, descriptive name.
5. In the Description field, type a descriptive comment about the application.
6. Configure each service used by the application in the Add mapping area.
   a. Click the Edit button beside the Destination resource field, select the network resource you want to configure, and then click Save. Alternatively, you can create a new network resource by clicking the New Resource button in the Resources dialog.
   b. If the IP address/port combination of the service conflicts with that of another service, you can modify the IP address displayed in the Local host field, or you can map the ports as described below. You can change the Local host value to any IP address in the 127.x.y.z address space.
      NOTE: On MacOS, OnDemand works only when using IP address 127.0.0.1 for the local host.
   c. In the Service type drop-down menu, select the type of service used by the application. This populates the Destination/local ports fields with the well-known port for that service. If the service uses a destination port that differs from that of the local port, map the ports to each other by editing the information in the Destination/local ports boxes as needed.
   d. Click Add to Current Mapping. This adds the mapping to the Current mapping list.
7. If the application uses multiple services, repeat Step 6 to configure each one. Most applications use only one service, but some (like email) use multiple protocols, which requires multiple services.
8. Select the Create shortcut on WorkPlace checkbox.
   If you want OnDemand to open a Web page automatically (which is useful for automatically starting a thin-client application), type the URL of the appropriate page in the Start an application by launching this URL field. You must specify either an http:// or an https:// protocol identifier. The URL you specify automatically opens in a new browser window after OnDemand loads.
   In WorkPlace you can set up groups to organize resources for your users, or have shortcuts appear singly. In the Add this shortcut to group drop-down menu, select a new or existing group to which to add your shortcut, or select Standalone shortcuts if you want it to appear on its own. (The order in which shortcuts appear can be changed on the Configure WorkPlace Layout page; see Creating or Editing a WorkPlace Layout for more information.)
   NOTE: After you initially configure the Create shortcut on WorkPlace option, you can view its setting only on the Mapped Mode page; you cannot edit it on this page. After initially configuring this setting, shortcuts are managed from the Shortcuts page in AMC. For more information, see Working with WorkPlace Shortcuts.

Configuring Advanced OnDemand Options

This section describes how to access the appliance using its external IP address and add debug messages to the OnDemand logs.

Accessing the Appliance Using Its External IP Address

By default, OnDemand accesses the appliance using the FQDN contained in the appliance’s SSL certificate. This works in a production environment—where the FQDN is added to public DNS—but may be an issue in a test environment for one of two reasons:

You have not added the FQDN for the appliance to DNS.
The external IP address does not match the external network address on the appliance because your environment uses Network Address Translation (NAT).

In either case, you will need to configure OnDemand to use the IP address for the external network interface.

To configure OnDemand to use the appliance’s external IP address:
1. From the main navigation menu in AMC, click Agent Configuration.
2. In the Access agents area, to the right of OnDemand, click Edit. The Configure OnDemand page appears.
3. Click to expand the Advanced area and then, in the Appliance FQDN or IP address field, type the IP address for the external network interface.
   Before moving the appliance into production, make sure this value contains the FQDN from the appliance’s SSL certificate. Whenever you update the appliance’s SSL certificate, AMC automatically inserts the FQDN in this field (overwriting any value you’ve previously specified).

The first time a user starts OnDemand, the Web browser displays a security warning asking the user to grant permissions to run OnDemand. For information on configuring the browser, see Suppressing the Java Security Warning.

Adding Debug Messages to the OnDemand Logs

Normally, the OnDemand logs show just information and warning messages. You can also log debug messages, but this should be done only when you are troubleshooting (otherwise the log file becomes too large).

To add debug messages to the OnDemand logs:
1. From the main navigation menu in AMC, click Agent Configuration.
2. In the Access agents area, to the right of OnDemand, click Edit. The Configure OnDemand page appears.
3. Click to expand the Advanced area, and then select the Enable debug OnDemand log messages checkbox.

Client Configuration

This section explains client-side configuration that may be useful for working with OnDemand.

Suppressing the Java Security Warning

When OnDemand starts, the Web browser displays a security warning asking the user to grant permission to run OnDemand. This warning varies, depending on the operating system and browser. The user must accept this certificate to run OnDemand.

OnDemand includes a Java code-signing certificate that ensures the validity of the applet. For Windows and Mac OS X, the certificate includes a Class 3 Digital ID from Thawte, which is widely used by commercial software publishers.

To prevent the security prompt from appearing each time OnDemand is started, users can configure their systems to trust the Secure Mobile Access certificate. After this is done, the browser trusts all subsequent software downloads from Secure Mobile Access.

Configuring a Proxy Server in the Web Browser

When passing an outbound connection over a proxy server, OnDemand uses the Web browser’s settings to determine the proxy server address and port. This configuration requires the user to configure his or her Web browser, either by specifying the outbound proxy server address and port or by enabling automatic proxy detection.

If a user enables both automatic proxy detection and manual proxy identification, OnDemand checks for proxy server settings in this order:

1. If the Automatically detect settings option is enabled, OnDemand attempts to automatically detect the proxy server settings.
2. If OnDemand is unable to automatically detect the proxy server settings, it checks to see if the Use automatic configuration script option is enabled.
3. If OnDemand is unable to detect the proxy server settings through a configuration script, it uses the proxy server settings that the user manually specified.

To configure automatic proxy detection in Internet Explorer for Windows:
1. On the Tools menu, click Internet Options.
2. On the Connections tab, click LAN Settings.
3. Under Automatic Configuration, enable one or both of the options:
   To automatically detect proxy-server settings, select the Automatically detect settings checkbox. (This option is supported only for users running Internet Explorer with the Microsoft Virtual Machine.)
   To use configuration information contained in a configuration file, select the Use automatic configuration script checkbox and then, in the Address field, type the URL or path for the configuration file.

To manually specify proxy server settings in Internet Explorer for Windows:
1. On the Tools menu, click Internet Options.
2. On the Connections tab, click LAN Settings.
3. Under Proxy Server, select the Use a proxy server checkbox, and specify the IP address and port for it.
   If a different proxy server is used for different protocols, click Advanced and specify the necessary information; be sure to specify proxy servers for both HTTP and Secure.

CAUTION: Enabling either of the automatic settings in the LAN Settings dialog (Automatically detect settings or Use automatic configuration script) may override the proxy server settings; clear these two checkboxes to ensure that proxy detection works correctly.

Managing Access Services

This section provides an overview of the access services, and describes how to start, stop, and configure the services.

About Access Services

Users can access VPN resources secured by the SMA appliance using three primary methods, or access services. This section describes each of the access services and the types of resources they provide access to.

The network tunnel service is a network routing technology that provides secure network tunnel access to a wide range of client/server applications, including those that use non-TCP protocols such as VoIP and ICMP, reverse-connection protocols, and bi-directional protocols, such as those used by remote Help Desk applications. It works in conjunction with the Connect Tunnel client and the OnDemand Tunnel agent to provide authenticated and encrypted access. The network tunnel service can traverse firewalls, NAT devices, and other proxy servers that can interfere with traditional VPN devices.

When Web resource filtering is enabled for the network tunnel service, policies for tunnel sessions can use URL-based rules in addition to IP-based rules.

The WorkPlace service controls access to network file shares accessed from a Web browser. The WorkPlace service communicates with Windows file servers and network shares (including Microsoft Distributed file system, or Dfs, resources) using the Server Message Block (SMB) file-sharing protocol. For information about configuring the WorkPlace service, see Configuring WorkPlace General Settings.

The Relationships between SMA access services and user access components table illustrates the relationships between the Secure Mobile Access access services and the user access components that they control.

Relationships between SMA access services and user access components

Service: Network tunnel service
User access components: OnDemand Tunnel agent; Connect Tunnel client
Description:
  Manages TCP/IP and non-TCP (such as VoIP and ICMP) connections from the network tunnel clients.
  Provides network-level access to all resources, effectively making the user’s computer a node on your network.
  Includes support for mapped network drives, native email clients, and applications that make reverse connections, such as VoIP.

Service: Web proxy service
User access components: Web Proxy Agent; Translated Web access; Custom port mapped Web access; Custom FQDN mapped Web access
Description: Manages HTTP and TCP/IP connections from Web browsers.

Service: WorkPlace service
User access components: WorkPlace portal
Description:
  Provides a Web-based portal that is available from any Web browser.
  Provides access to file-system resources.
  Provisions and deploys all user access components.

Stopping and Starting the Secure Mobile Access Services

You may occasionally want to temporarily stop one of the Secure Mobile Access services.

CAUTION: SonicWall recommends stopping the services only during scheduled maintenance periods or during off hours. Also, you should give your users advance warning that the service will be going down.

To start or stop a service:
1. From the main navigation menu, click Services.
2. Under Access Services, click the appropriate link:
   Click Stop to stop the service. All existing user connections will be terminated.
   Click Start to start the service.

Configuring the Network Tunnel Service

The network tunnel service controls access from the Connect Tunnel client and the OnDemand Tunnel agent. In order to deploy the network tunnel clients to users, you must first make one or more IP address pools available to the community. Configuring the network tunnel service requires setting up IP address pools that are used to allocate IP addresses to the clients; these IP addresses become the clients’ end points on VPN connections.

Network tunnel service configuration also allows you to enable Web resource filtering so that you can enforce the same URL-based rules that administrators define for ExtraWeb in tunnel sessions. Web resource filtering also allows you to leverage single sign-on functionality when accessing Web applications.

You can add custom connections to configure Connect Tunnel to access a different default appliance or realm, or list other appliances and realms the client can connect to. By default, Connect Tunnel is configured to access the realm and appliance from which it was downloaded.

You can also set up fallback servers to give network tunnel clients a list of servers to contact in the event of a connection failure.

To configure the network tunnel service:
1. From the main navigation menu, click Services.
2. Under Access services, in the Network tunnel service area, click Configure. The Configure Network Tunnel Service page appears.
3. In the IP address pools area, create one or more IP address pools. For more information, see Configuring IP Address Pools.
4. To enable and configure Web resource filtering, click Edit in the Web resource filtering area. For more information, see Configuring Web Resource Filtering.
5. To configure a custom connection in which Connect Tunnel can access the current or a different default appliance or realm, or list other appliances and realms the client can connect to, click the New button in the Custom Connections area. For more information, see Configuring Custom Connections.
6. To configure fallback servers that network tunnel clients can contact in the event of a connection failure, click the New button in the Fallback servers area. For more information, see Configuring Fallback Servers.

Configuring IP Address Pools

IP address pools are used to allocate IP addresses to the network tunnel clients. When a user makes a connection using the Connect Tunnel client or the OnDemand Tunnel agent, the SMA appliance assigns the client an IP address from one of its configured address pools. Only pools allowed for the client’s community are considered. For more information about how IP addresses are allocated to a community, see IP Address Allocation.

For information about editing and deleting IP address pools, see Adding, Editing, Copying, and Deleting Objects in AMC.

Address Pool Allocation Methods

You can configure IP address allocation in the following ways:

Translated Address Pools (Source NAT)

With translated address pools, the appliance assigns non-routable IP addresses to clients and uses source network address translation (Source NAT) to translate them to a single address you configure for back-end traffic. The appliance uses the name servers you specify in AMC to define the DNS and WINS settings on the client. Source NAT translates the client’s non-routable source address to a single configured address from a fixed, non-routable sequence (2.0.0.2 through 2.255.254.254) on the internal network.

The advantages of using translated address pools are:

Source NAT address pools require only a single back-end address, which is shared by all remote connections.
Fewer IP addresses are required for the tunnel clients.

The constraints of this type of pool are:

All network activity must be initiated by the client; therefore, this method of IP address allocation does not support applications that make reverse connections or cross-connections (such as SMS, VoIP, or FTP).
Windows domain browsing is not supported; if users try to browse a Windows domain through Network Explorer or Network Neighborhood, an error message indicates that they are not authorized to access the resources.
Client-to-client cross-connections are not supported.

Routed Address Pools (DHCP)

With a routed address pool, IP addresses are dynamically allocated to the tunnel clients from a DHCP server. DHCP address pools have these characteristics:

They require an external server that has enough spare addressing capacity to support the new remote clients. These pools are easy to set up and maintain, and impose few restrictions on client activity.
Reverse connections and cross-connections are supported, but client IP addresses must be known. If necessary, you can associate a fixed DHCP address with a particular client by configuring the DHCP client ID on the DHCP server. Client IDs are generated during client configuration; consult the DHCP server logs to find particular IDs.

RADIUS-Assigned Address Pools

Some applications require a one-to-one relationship between an assigned IP address and a user. This is best supported by a RADIUS server, where IP address allocation happens during the authorization process, as part of authentication.

This strict one-to-one correlation may have some unintended consequences:

For example, if an employee is logged in to the appliance at work and forgets to log out, logging in from home will fail: the IP address is still attached to the original tunnel connection at the office. Optionally, you can configure the community and realm in AMC that is referencing the RADIUS server to use other IP address pools if the RADIUS pool is exhausted.
If you have two appliances authenticating against the same RADIUS server and both are using RADIUS pools, duplicate address assignments will be made, resulting in multiple network conflicts.

Static Address Pools

With static address pools, you specify one or more static IP address pools from which IP addresses will be allocated to the tunnel clients. You can configure static IP address pools as subnets or address ranges. Static address pools have these characteristics:

Static address pools require no configuration work outside of the appliance, and they support reverse connections and cross-connections.
Static pools require identification of one back-end address per simultaneous remote connection. If enough addresses are available to cover all possible remote clients (not just simultaneous connections) and no address conflicts occur, this method tends to be the most stable because the same address is typically assigned to the same client.
Static pools leave an IP address assigned as long as the tunnel remains up. If the tunnel goes down, there is a two-minute period during which the address is available, but only for reassignment to the same client. After that two-minute period expires, the address is available to any client; address reassignment is performed using an LRU (Least Recently Used) scheme.
Windows domain browsing is supported.

Best Practices for Configuring IP Address Pools

Here are some best practices to keep in mind when configuring IP address pools:

Don’t duplicate addresses:
When configuring static IP address pools, do not specify IP addresses that are already assigned to other network resources.
Be aware that any IP addresses you configure for use by the network tunnel clients may conflict with IP addresses already in use on the client networks. Whenever possible, avoid configuring IP addresses that you know to be in use on your users’ networks.
When configuring translated (Source NAT) IP address pools, be sure to specify an unused address on the subnet of the internal interface.
If you are using RADIUS pools on more than one appliance, and the appliances are authenticating against the same RADIUS server, duplicate address assignments will be made.
When configuring dynamic DHCP or static IP address pools, ensure that you have enough IP addresses to accommodate your maximum number of concurrent users. For example, if your maximum concurrent user count is 100, you should make at least 100 IP addresses available.
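The static-pool behaviour and the sizing rules above, as an added Python example (written for this guide, not appliance code): StaticPool keeps an address assigned while the tunnel is up, holds it for the same client for two minutes after the tunnel drops, then returns it to the free list where it is reused least-recently-used first; check_pool() applies two of the best practices, enough addresses for the maximum concurrent user count and no overlap with addresses already in use elsewhere. The pool, client identifiers and in-use addresses are constructed, and the `now` parameter lets the two-minute timer be driven by any clock.

```python
"""Static IP address pool allocator (added example modelled on the text, not appliance code)."""
import time
from collections import OrderedDict
from ipaddress import ip_address, ip_network

GRACE_SECONDS = 120   # the two-minute hold after a tunnel goes down


class StaticPool:
    """Hypothetical static address pool following the allocation rules the text describes."""

    def __init__(self, cidr, now=time.monotonic):
        self.now = now                                   # injectable clock, in seconds
        # Free addresses in hand-out order; re-freed addresses are appended, so the
        # front of the list is always the least recently used address.
        self.free = OrderedDict((str(h), None) for h in ip_network(cidr).hosts())
        self.active = {}                                 # address -> client id (tunnel up)
        self.held = {}                                   # address -> (client id, released at)

    def _expire_holds(self):
        """Move addresses whose two-minute hold has elapsed back onto the free list."""
        t = self.now()
        for addr, (_, released) in list(self.held.items()):
            if t - released >= GRACE_SECONDS:
                del self.held[addr]
                self.free[addr] = None                   # appended: most recently used

    def allocate(self, client_id):
        """Return an address for client_id, or None when the pool is exhausted."""
        self._expire_holds()
        # A client that reconnects within the hold period gets its previous address back
        reserved = next((a for a, (c, _) in self.held.items() if c == client_id), None)
        if reserved is not None:
            del self.held[reserved]
            self.active[reserved] = client_id
            return reserved
        if not self.free:
            return None
        addr, _ = self.free.popitem(last=False)          # least recently used first
        self.active[addr] = client_id
        return addr

    def release(self, addr):
        """Tunnel went down: keep the address for its client for GRACE_SECONDS."""
        client_id = self.active.pop(addr)
        self.held[addr] = (client_id, self.now())


def check_pool(cidr, max_concurrent_users, in_use):
    """Best-practice checks: enough addresses for the maximum concurrent user count,
    and no overlap with addresses already assigned to other network resources."""
    net = ip_network(cidr)
    usable = sum(1 for _ in net.hosts())
    problems = []
    if usable < max_concurrent_users:
        problems.append(f"{cidr} offers {usable} addresses but {max_concurrent_users} "
                        "concurrent users are expected")
    clashes = [a for a in in_use if ip_address(a) in net]
    if clashes:
        problems.append(f"{cidr} overlaps addresses already in use: {', '.join(clashes)}")
    return problems


if __name__ == "__main__":
    pool = StaticPool("10.10.0.0/29")                    # constructed /29: six usable addresses
    print(pool.allocate("laptop-A"), pool.allocate("laptop-B"))
    print(check_pool("10.10.0.0/29", 100, ["10.10.0.3"]))
```

Driving the clock by hand shows the three phases: while held, the address goes back only to its own client; once the hold expires, it joins the free list behind addresses that have never been used, so it is handed out again only after those.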

Adding Translated IP Address Pools

This section describes how to create a translated IP address pool using source network address translation (Source NAT).

To add a translated IP address pool:
1. From the main navigation menu, click Services.
2. Under Access services, in the Network tunnel service area, click Configure. The Configure Network Tunnel Service page appears.
3. In the IP address pools area, click New. The Configure IP Address Pool page appears.
4. In the Name field, type a name for the address pool.
5. In the Description field, type a descriptive comment about the address pool.
6. Click Translated address pool (Source NAT).
7. In the IP address field, type the Source NAT address that will appear to back-end servers as the source of all client traffic. Ensure that this IP address is not in use elsewhere.
8. Click Save.

Adding Dynamic IP Address Pools

To add a dynamic IP address pool:
1. From the main navigation menu, click Services.
2. Under Access services, in the Network tunnel service area, click Configure. The Configure Network Tunnel Service page appears.
3. In the IP address pools area, click New. The Configure IP Address Pool page appears.

4