
Secure Mobile Access 12.0 Admin Guide

Installation

 

Installation and Initial Setup

Network Architecture

This section shows where the appliance fits into your network environment, provides installation and cabling instructions, and explains how to use the Web-based Setup Wizard (or alternatively use the command-line Setup Tool) to perform basic network configuration.

All SonicWall SMA appliances can be set up in either a dual interface or single interface configuration:

NOTE: The SMA 7200, SMA 6200, EX9000, EX7000, and EX6000 appliances include physical network interfaces that can be set up to use an external load balancer.

Dual-homed Configuration (Internal and External Interfaces – see Dual-homed interface configuration) — One network interface is used for external traffic (that is, to and from the Internet), and the other interface is used for internal traffic (to and from your corporate network).

Dual-homed interface configuration

Single-homed interface configuration (internal interface – see Single-homed interface configuration) — A single network interface is used for both internal and external traffic. The appliance is usually installed in the demilitarized zone (or DMZ, also known as a perimeter network).

Single-homed interface configuration

In both configurations, incoming requests to the Secure Mobile Access services—including HTTP/S traffic for the Web proxy service—are sent over port 80 (HTTP) and port 443 (HTTPS). Traffic from the OnDemand agent is always sent over port 443. Because most networks are configured to enable traffic over these ports, you shouldn’t need to reconfigure firewalls on your network.

You should install the appliance in a location where it can connect to resources on your network, including:

Application servers and file servers, including Web servers, client/server applications, and Windows file servers.
External authentication repositories (such as an LDAP, Microsoft Active Directory, or RADIUS server).
One or more Domain Name System (DNS) servers.
Optionally, a Windows Internet Name Service (WINS) server. This is required for browsing Windows networks using WorkPlace.
 
CAUTION: The SonicWall SMA appliance does not provide full firewall capabilities and should be secured behind a firewall. Running without a firewall makes the appliance vulnerable to attacks that can compromise security and degrade performance.

Although not required, enabling the appliance to communicate with these additional resources provides greater functionality and ease of use:

Network Time Protocol (NTP) server for synchronizing the time on the appliance.
External server for storing syslog output.
Administrator’s workstation for secure shell (SSH) access.

You can configure the appliance to use a self-signed server certificate, or, for enhanced security, you can obtain a certificate from a commercial certificate authority (CA). For more information, see Obtaining a Certificate from a Commercial CA.

Preparing for the Installation

Before beginning the installation, you need to gather information about your networking environment and verify that your firewalls are properly configured to permit traffic to and from the appliance.

Gathering Information

Before configuring the appliance, you need to gather the following information. You are prompted for some of this information when running Setup Wizard (see Web-Based Configuration Using Setup Wizard) or Setup Tool (see Configuring a New Appliance Using Setup Tool), but most of it will be used when you configure the appliance in AMC (see Network and Authentication Configuration).

Settings Required to Start the Appliance Management Console

The root password for administering the appliance
The name for the appliance (because this name is used only in log files, you don’t need to add it to DNS)
The internal IP address and, optionally, an external IP address
A routing mode, and the IP addresses of the network gateways to the Internet and to your corporate network

Certificate Information

Several pieces of information are used to generate the server and AMC certificates:

A fully qualified domain name (FQDN) for the appliance and for any WorkPlace sites that use a unique name. These names should be added to your public DNS; they are also visible to users when they connect to Web-based resources.
A FQDN for the Appliance Management Console (AMC) server. The AMC server name is used to access AMC, which is a Web-based tool for managing the appliance.

Name Lookup Information

Internal DNS domain name of the network to which the appliance is connected
Primary internal DNS server address (additional DNS servers are optional)
IP address of an internal WINS server and the name of your Windows domain (required to browse files on a Windows network using WorkPlace, but otherwise optional)

Authentication Information

Server name and login information for your authentication servers (LDAP, Active Directory, or RADIUS)

Virtual Address Pool Information

If you are planning to deploy either network tunnel client (Connect Tunnel or OnDemand Tunnel), you must allocate IP addresses for one or more address pools. For more information, see Configuring IP Address Pools.

Optional Configuration Information

To enable SSH access from a remote machine, you need to know the remote host’s IP address.
To synchronize with an NTP server, you need to know the IP addresses for one or more NTP servers.
To send data to a syslog server, you need to know the IP address and port number for one or more syslog servers.

Verifying Your Firewall Policies

For the appliance to function correctly, you must open ports on your external (Internet-facing) and internal firewalls.

External Firewall

For secure access to the appliance from a Web browser or OnDemand, you must make sure that ports 80 and 443 are open on firewalls at your site; see Traffic types and ports used by SMA on external network. Opening your firewall to permit SSH access is optional, but can be useful for performing administrative tasks from a remote system.

 

Traffic types and ports used by SMA on external network

Traffic type | Port/protocol | Usage                                              | Required?
HTTP         | 80/tcp        | Unencrypted network access                         | Y
HTTPS        | 443/tcp       | Encrypted network access                           | Y
SSH          | 22/tcp        | Administrative access to the appliance             |
ESP          | 4500/UDP      | Enable ESP encapsulation of tunnel network traffic |

 

Internal Firewall

If you have a firewall on the internal network, you may need to adjust its policy to open ports for back-end applications with which the appliance must communicate. In addition to opening ports for standard network services such as DNS and email, you may need to modify your firewall policy before the appliance can access the services shown in Traffic types and ports used by SMA on internal network.

 

Traffic types and ports used by SMA on internal network

Traffic type              | Port/protocol                                                         | Usage
Microsoft networking      | 138/tcp and 138/udp, 137/tcp and 137/udp, 139/udp, 162/snmp, 445/smb | Used by WorkPlace to perform WINS name resolution, browse requests, and access file shares
LDAP (unencrypted)        | 389/tcp                                                               | Communicate with an LDAP directory or Microsoft Active Directory
LDAP over SSL (encrypted) | 636/tcp                                                               | Communicate with an LDAP directory or Microsoft Active Directory over SSL
RADIUS                    | 1645/udp or 1812/udp                                                  | Communicate with a RADIUS authentication server
NTP                       | 123/udp                                                               | Synchronize the appliance clock with an NTP server
Syslog                    | 514/tcp                                                               | Send system log information to a syslog server
SNMP                      | 161/udp                                                               | Monitor the appliance from an SNMP management tool
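As an added example (not from the SonicWall guide), the following Python encodes the two port tables above and turns them into a least-privilege nftables allowlist: the external chain opens only 80 and 443 to any source, SSH only from a named administrator workstation, and the internal chain only to the back-end servers you actually configure. The appliance and server addresses, the service names, and the 162/udp and 445/tcp encodings of the "162/snmp" and "445/smb" rows are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str      # "tcp" or "udp"
    required: bool  # True where the external table marks the row Required = Y


# External (Internet-facing) firewall: inbound traffic to the appliance.
EXTERNAL = [
    Service("http", 80, "tcp", True),
    Service("https", 443, "tcp", True),
    Service("ssh", 22, "tcp", False),        # optional: administrative access only
    Service("esp-udp", 4500, "udp", False),  # ESP encapsulation of tunnel traffic
]

# Internal firewall: traffic from the appliance to back-end services.
# The guide lists "162/snmp" and "445/smb"; they are encoded here as
# 162/udp (SNMP trap) and 445/tcp (SMB), which is an assumption.
INTERNAL = [
    Service("netbios", 137, "tcp", False),
    Service("netbios", 137, "udp", False),
    Service("netbios", 138, "tcp", False),
    Service("netbios", 138, "udp", False),
    Service("netbios", 139, "udp", False),
    Service("snmp-trap", 162, "udp", False),
    Service("smb", 445, "tcp", False),
    Service("ldap", 389, "tcp", False),
    Service("ldaps", 636, "tcp", False),
    Service("radius", 1645, "udp", False),
    Service("radius", 1812, "udp", False),
    Service("ntp", 123, "udp", False),
    Service("syslog", 514, "tcp", False),
    Service("snmp", 161, "udp", False),
]


def external_rules(appliance_ip: str, admin_ip: Optional[str] = None,
                   tunnel_esp: bool = False) -> List[str]:
    """Inbound allow rules for the external firewall.

    Required services (80/tcp, 443/tcp) are opened from any source. SSH is
    opened only when an administrator workstation address is supplied, and
    only from that address; 4500/udp only when the tunnel clients use ESP.
    """
    rules: List[str] = []
    for svc in EXTERNAL:
        if svc.required:
            rules.append(f"ip daddr {appliance_ip} {svc.proto} dport {svc.port} "
                         f"accept comment \"{svc.name}\"")
        elif svc.name == "ssh" and admin_ip:
            rules.append(f"ip saddr {admin_ip} ip daddr {appliance_ip} tcp dport 22 "
                         f"accept comment \"ssh from admin workstation\"")
        elif svc.name == "esp-udp" and tunnel_esp:
            rules.append(f"ip daddr {appliance_ip} udp dport 4500 "
                         f"accept comment \"esp-in-udp tunnel\"")
    return rules


def internal_rules(appliance_ip: str, backends: Dict[str, List[str]]) -> List[str]:
    """Allow rules from the appliance to each configured back-end server.

    backends maps a service name from INTERNAL to the server addresses that
    provide it. A service with no configured server gets no rule at all.
    """
    rules: List[str] = []
    for svc in INTERNAL:
        for server in backends.get(svc.name, []):
            rules.append(f"ip saddr {appliance_ip} ip daddr {server} "
                         f"{svc.proto} dport {svc.port} accept comment \"{svc.name}\"")
    return rules


def render_nft(table: str, rules: List[str]) -> str:
    """Wrap rules in an nftables forward chain with a default drop policy."""
    body = "\n".join(f"        {rule}" for rule in rules)
    return (f"table inet {table} {{\n"
            f"    chain forward {{\n"
            f"        type filter hook forward priority 0; policy drop;\n"
            f"        ct state established,related accept\n"
            f"{body}\n"
            f"    }}\n}}\n")


if __name__ == "__main__":
    # Constructed placeholder addresses (RFC 5737 documentation ranges).
    print(render_nft("sma_external",
                     external_rules("203.0.113.10", admin_ip="198.51.100.5")))
    print(render_nft("sma_internal",
                     internal_rules("192.0.2.10", {"ldaps": ["192.0.2.20"],
                                                   "ntp": ["192.0.2.30"],
                                                   "syslog": ["192.0.2.40"]})))
```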

Helpful Management Tools

To manage the appliance from a remote system running Microsoft Windows, you may find the following management tools useful. Both of these tools use encryption to protect information from eavesdropping, unlike standard FTP or Telnet utilities:

A Secure Shell (SSH) client enables you to securely log in to the appliance and configure it from the command line. This is useful for backing up the system, viewing log files, and configuring advanced network settings. A popular SSH client for Windows is VanDyke Software’s SecureCRT. A trial download is available at http://www.vandyke.com/products/securecrt/. Another popular client is PuTTY, a free implementation of Telnet and SSH for Windows platforms. PuTTY is recommended by Cisco.

To connect to the appliance using SSH, you type root as the username and type the password you created using Setup Wizard.

A Secure Copy (SCP) client makes it easy to securely transfer files from a PC running Windows to the appliance. This is useful for copying certificates and other data to the appliance. A popular Windows client is WinSCP, available at http://winscp.sourceforge.net/eng/.

Most of the configuration management tasks that you need to perform—backing up and restoring your appliance configuration, applying upgrades, and so on—can be done on the Maintenance page in AMC, as described in Managing Configuration Data. If you prefer to handle these tasks on the command line, see Saving and Restoring Configuration Data.

Installation and Deployment Process

This section outlines the process of installing, configuring, and testing the appliance, and then deploying it in a production environment. See Installation steps for an overview.

 

Installation steps

Installation step

Description

Make a note of your appliance serial number and authentication code

You will need this information when you register your product on MySonicWall. The serial number and authentication code are printed on your appliance label; they are also displayed on the General Settings page in AMC.

Rack-mount the appliance and connect the cables

See Specifications and Rack Installation and Connecting the Appliance.

Turn on the appliance and begin configuration

To connect to your appliance on your internal network you must specify an internal IP address, the subnet mask, and indicate whether your appliance is part of a cluster. Use the controls on the front of the appliance. See Powering Up and Configuring Basic Network Settings.

Run Setup Wizard

The wizard guides you through the process of initial setup for your SMA appliance. See Web-Based Configuration Using Setup Wizard.

Register your appliance on MySonicWall

Register your appliance on MySonicWall. Product registration gives you access to essential resources, such as your license file and updates. To register, you need both the serial number for your appliance and its authentication code.

The SMA appliance uses a few different types of licenses. All license files must be retrieved from MySonicWall and imported to the appliance. See Software Licenses.

If you choose the Free Evaluation license on MySonicWall, you get 24/7 support for 30 days.

If you install the CMS virtual machine and do not register it with MySonicWall, you get these licenses:

15 Central user licenses for 3 days
3 managed appliances for 3 days

Both the Setup Wizard and AMC are Web-based applications for configuring the appliance. PCs running these applications must have JavaScript enabled. JavaScript must also be enabled on the browsers used for accessing WorkPlace.

Specifications and Rack Installation

After you’ve unpacked the appliance, you’re ready to install and configure it on your network. The appliances are designed to fit on a standard, 19-inch telecom rack. Before connecting the appliance, make sure that you have sufficient space and adequate power. The specifications for each appliance model are:

SonicWall SMA 7200 and SMA 6200 Hardware

The SMA 7200 and SMA 6200 include:

Rails (in kit, not attached)
Standard IEC 60320 C13 to NEMA 15 USA only power cord(s)
6 1Gb Ethernet ports
2 10Gb SFP+ ports (on SMA 7200)
2 USB ports
1 DIAG port
2 500 GB SATA hard drives
 

Specifications

                         | SMA 7200                          | SMA 6200
Regulatory Model/Type    | 1RK30-0AF                         | 1RK31-0B0
CPU                      | E3-1275 3.5GHz                    | I5-4570S 2.9GHz
RAM                      | 4 x 16GB DDR3 1600MHz ECC         | 4 x 8GB DDR3 1600MHz ECC
Network ports            | 8 (6-port 1GE + 2-port 10Gb SFP+) | 6 (6-port 1GE)
Power supply             | Dual hot swappable                | Fixed
Front panel illustration | See SMA 6200/7200 Front Panels    | See SMA 6200/7200 Front Panels

SonicWall E-Class SMA EX9000 Hardware

The SonicWall E-Class SMA EX9000 includes:

Rails (in kit, not attached)
Standard IEC 60320 C13 to NEMA 15 USA only power cords
1 GB Ethernet ports
10 GB Ethernet ports
2 USB ports
1 DIAG port
2 80 GB SATA hard drives
Serial connection to appliance (115,200 baud)

SonicWall E-Class SMA EX7000 and EX6000 Hardware

The SonicWall E-Class SMA EX7000 and EX6000 include:

Rails (in kit, not attached)
Standard IEC 60320 C13 to NEMA 15 USA only power cords
1 GB Ethernet ports
2 USB ports
80 GB SATA hard drive
Serial connection to appliance (115,200 baud)

The models differ from each other most in terms of processor power, RAM, network ports, and power supply:

 

Hardware specifications

                          | SMA EX9000                                | SMA EX7000                                | SMA EX6000
Regulatory Model/Type     | 2RK03-092                                 | 1RK15-059                                 | 1RK20-05A
Intel processor           |                                           | Core2 Duo 2.1GHz CPU                      | Celeron 2.0GHz CPU
RAM                       | 32 GB                                     | 2 GB DDR533                               | 1 GB DDR533
PCIe Gig network ports    | 12 (8-port 1GE + 4-port 10GE)             | 6 (HA Pair is not supported)              | 4 (HA Pair is not supported)
Power supply              | Dual hot swappable                        | Dual hot swappable                        | Fixed
Front panel (illustration)| See EX9000 Appliance Front Panel Controls | See EX7000 Appliance Front Panel Controls | See EX6000 Appliance Front Panel Controls

Front Panel Controls and Indicators

Before powering up the appliance, you should familiarize yourself with the front panel controls:

SMA 6200/7200 Front Panels

The power button is in the bottom right corner of the front panel.

Front panels of the SMA 6200 and SMA 7200

 

Controls and indicators on the front panels

Item

Description

Hard Drive modules

Dual hard drives.

LCD display screen and controls

Displays status and configuration information about the appliance. Keypad buttons are used to display appliance status and configure initial settings:

For more information on displaying appliance status and using the keypad to shut down or reboot the appliance, see LCD Controls for the SMA 7200, SMA 6200, EX9000, EX7000, and EX6000.
For information on using the LCD controls during initial configuration (so that you can run Setup Wizard), see Configuring an SMA 7200, SMA 6200, EX9000, EX7000, or EX6000 Appliance.

Console port

Connects the appliance to a personal computer with an Ethernet cable.

USB ports

There are two USB ports.

LED indicators

From top to bottom, the LED indicators are:

Hard disk drive activity
Alarm
Test
Power 1 and 2:
Blue: operating correctly
Yellow: Unconnected power supply or failure

DIAG port

Diagnostics port.

X0: Internal network

Connects the appliance to your internal network.

X1: External network

Connects the appliance to your external network.

X2: Cluster interface

In SMA 12, the X2 interface is no longer supported for clustering. See Deprecated Features.

X3-X5

Not used.

X6 SFP+: Internal network

Connects the appliance to your internal 10Gb network.

X7 SFP+: External network

Connects the appliance to your external 10Gb network.

EX9000 Appliance Front Panel Controls

The power switch is located on the rear panel.

Front panels of the EX9000

 

Controls and indicators on the EX9000 front panel

Item

Description

Hard Drive modules

Dual hard drives.

LCD display screen and controls

Displays status and configuration information about the appliance. Keypad buttons are used to display appliance status and configure initial settings:

For more information on displaying appliance status and using the keypad to shut down or reboot the appliance, see LCD Controls for the SMA 7200, SMA 6200, EX9000, EX7000, and EX6000.
For information on using the LCD controls during initial configuration (so that you can run Setup Wizard), see Configuring an SMA 7200, SMA 6200, EX9000, EX7000, or EX6000 Appliance.

Console port

Connects the appliance to a personal computer with a DB-9 serial cable.

USB ports

There are two USB ports.

LED indicators

From top to bottom, the LED indicators are:

HDD Hard disk drive—red indicates disk activity.
Alarm
Test
Power 2 and 1
Blue: operating correctly
Yellow: Unconnected power supply or failure

DIAG port

Diagnostics port.

X8: 10GigE network

Connects the appliance to your internal 10GigE network.

X9: 10GigE network

Connects the appliance to your external 10GigE network.

X10: 10GigE network

In SMA 12, the X2 interface is no longer supported for clustering. See Deprecated Features.

X11

Not used.

X0: Internal network

Connects the appliance to your internal network.

X1: External network

Connects the appliance to your external network.

X2: Cluster interface

In SMA 12, the X2 interface is no longer supported for clustering. See Deprecated Features.

X3-X7

Not used.

EX7000 Appliance Front Panel Controls

The power switch is located on the rear panel.

Front panels of the EX7000

 

Controls and indicators on the EX7000 front panel

Item

Description

LCD display screen and controls

Displays status and configuration information about the appliance. Keypad buttons are used to display appliance status and configure initial settings:

For more information on displaying appliance status and using the keypad to shut down or reboot the appliance, see LCD Controls for the SMA 7200, SMA 6200, EX9000, EX7000, and EX6000.
For information on using the LCD controls during initial configuration (so that you can run Setup Wizard), see Configuring an SMA 7200, SMA 6200, EX9000, EX7000, or EX6000 Appliance.

Console

Connects the appliance to a personal computer with a DB-9 serial cable.

USB ports

There are two USB ports.

LED indicators

From left to right, the LED indicators are:

Power 1 and 2
Test
Alarm
Hard disk drive—red indicates disk activity.

X0: Internal network

Connects the appliance to your internal network.

X1: External network

Connects the appliance to your external network.

X2: Cluster interface

In SMA 12, the X2 interface is no longer supported for clustering. See Deprecated Features.

X3-X5

Not used.

EX6000 Appliance Front Panel Controls

The power switch is located on the rear panel.

Front panels of the EX6000

 

Controls and indicators on the EX6000 front panel

Item

Description

LCD display screen and controls

Displays status and configuration information about the appliance. Keypad buttons are used to display appliance status and configure initial settings:

For more information on displaying appliance status and using the keypad to shut down or reboot the appliance, see LCD Controls for the SMA 7200, SMA 6200, EX9000, EX7000, and EX6000.
For information on using the LCD controls during initial configuration (so that you can run Setup Wizard), see Configuring an SMA 7200, SMA 6200, EX9000, EX7000, or EX6000 Appliance.

Console

Connects the appliance to a personal computer with a DB-9 serial cable.

USB ports

There are two USB ports.

LED indicators

From left to right, the LED indicators are:

Power
Test
Alarm
Hard disk drive

X0: Internal network

Connects the appliance to your internal network.

X1: External network

Connects the appliance to your external network.

X2: Cluster interface

In SMA 12, the X2 interface is no longer supported for clustering. See Deprecated Features.

X3

Not used.

LCD Controls for the SMA 7200, SMA 6200, EX9000, EX7000, and EX6000

Use the four-button keypad to the right of the LCD display on the SMA and EX Series appliances to:

Display status and configuration information about the appliance.
Shut down or reboot the appliance.
 
CAUTION: SMA 6200, SMA 7200, EX9000, EX7000, and EX6000 appliances: Remove any USB devices from the appliance before you reboot it. If a USB device is plugged in to your appliance when it is rebooted, the appliance tries to use it as a boot device. As a result, the boot information stored in the BIOS on the appliance is overwritten, and the device becomes unusable.
 

LCD keypad functions

Keypad Function

Description

Left button

Press the Left button once to reboot the appliance. This prompt is displayed:

Restart appliance?
<Yes No>

Press the Left button again to reboot the appliance, or press the Right button to cancel the reboot.

Up button

Press the Up button once to display the configuration of the appliance’s network settings. Each time you press it, the display shows another network setting:

Internal address
External address
Default gateway
Host name
Domain name
IP address
Netmask

Right button

Press the Right button once to shut down the appliance. This prompt is displayed:

Shut down now?
<Yes No>

Press the Left button again to shut down the appliance, or press the Right button to cancel the shutdown.

Down button

To return to the default view at any time, or to refresh the display, press the Down button once.

Connecting the Appliance

Follow the appropriate instructions for your appliance model to connect the appliance to your network:

Connecting the SMA 6200 or SMA 7200 Appliance

For a diagram of the appliances, see SMA 6200/7200 Front Panels.

To connect the SMA 6200/7200 appliance:
1. Connect a network cable from your internal network to the internal interface on the appliance (X0 for 1Gb, X6 for 10Gb).
2. Optionally, connect a cable from your external network to the external interface on the appliance (X1 for 1Gb, X7 for 10Gb).
3. Connect the supplied power cord(s) to the appliance power supply and to an AC outlet.

Connecting the EX9000 Appliance

For a diagram of the appliance, see EX9000 Appliance Front Panel Controls.

To connect the EX9000 appliance:
1. Connect a network cable from your internal network to the internal interface on the appliance (X0).
2. Optionally, connect a cable from your external network to the external interface on the appliance (X1).
3. Connect a standard AC power cord to the power supply.

Connecting the EX7000 Appliance

For a diagram of the appliance, see EX7000 Appliance Front Panel Controls.

To connect the EX7000 appliance:
1. Connect a network cable from your internal network to the internal interface on the appliance (X0).
2. Optionally, connect a cable from your external network to the external interface on the appliance (X1).
3. Connect a standard AC power cord to the power supply.

Connecting the EX6000 Appliance

For a diagram of the appliance, see EX6000 Appliance Front Panel Controls.

To connect the EX6000 appliance:
1. Connect a network cable from your internal network to the internal interface on the appliance (X0).
2. Optionally, connect a cable from your external network to the external interface on the appliance (X1).
3. Connect a standard AC power cord to the power supply.

Powering Up and Configuring Basic Network Settings

After you’ve connected the appliance, you are ready to power up for the first time and begin the configuration process. You use a Web-based Setup Wizard to configure the settings needed to get the appliance up and running quickly, but to start the wizard you must first enter information that enables a Web browser to connect to your appliance.

After your appliance is configured, you can control its configuration and operation from AMC, the Appliance Management Console. On the LCD screen of the appliance you can also see basic information about the appliance (its name and internal address, for example) or restart it, which is useful if your appliance is not in the same area as the browser you use to run AMC.

 
NOTE: You cannot run Setup Wizard on an appliance that has already been configured unless you first restore the appliance’s factory default configuration settings. This applies whether you initially configured the appliance using Setup Wizard, or by running setup_tool from the command line. See Configuring the Appliance Using the Management Console.

Configuring Basic Network Settings

To start Setup Wizard you must first enter information that enables a Web browser to connect to your appliance. The recommended procedure for initial setup is to use the LCD controls (to the right of the LCD screen on the front of your appliance) to enter minimal settings and then run Setup Wizard. Alternatively, you have the option of using Setup Tool on the command-line. Both procedures are outlined below.

After your basic settings are entered you will be able to run the Web-based Setup Wizard, as described in Web-Based Configuration Using Setup Wizard.

Configuring an SMA 7200, SMA 6200, EX9000, EX7000, or EX6000 Appliance

To the right of the LCD screen on the front of your appliance are four buttons you'll use to enter your settings.

Configuring Basic Network Settings using the LCD Controls

To configure with LCD controls:
1. Press the Up and Down controls to read the welcome screen.
2. Press Right to continue past it.
3. Set the IP address for your internal interface. To change the IP address that appears:
   a. Use the Left and Right buttons to position your cursor over the number you want to change.
   b. Use Up and Down to change the number.
   c. Press Right to continue to the next screen.
4. Enter your subnet mask:
   a. Use the four buttons to change the value displayed on the LCD screen.
   b. Press Right to continue to the next screen.
5. Review your settings and confirm them. In a few moments your settings are saved, and you will see instructions on browsing to a URL on your desktop computer. This is the URL for continuing your appliance configuration with Setup Wizard. For instance, the LCD display might read as follows:
   Please browse to: https://172.31.0.140:8443

For a description of configuring your appliance using Setup Wizard, see Web-Based Configuration Using Setup Wizard.

Configuring an Appliance Using Setup Tool on the Command Line

To set the minimum configuration items necessary for running Setup Wizard, you must use Setup Tool. Below is an overview of your steps; see Configuring a New Appliance Using Setup Tool for detailed instructions.

To configure basic network settings using Setup Tool:
1. Use a terminal emulation program to establish a serial connection with the appliance from a laptop computer or terminal.
2. Turn the appliance on. The first time you start the system from a serial connection, Setup Tool automatically runs. When prompted to log in, type root for the username.
3. To configure the appliance, you are prompted to provide this information:
   - IP address and subnet mask for the internal interface
   - Default gateway used to access the internal interface (optional)

For a description of configuring your appliance using Setup Wizard, see Web-Based Configuration Using Setup Wizard.

Web-Based Configuration Using Setup Wizard

Setup Wizard guides you through a series of required and optional steps for configuring the appliance. The AMC home page includes a Setup Checklist that indicates which items you have completed.

Running Setup Wizard requires the same system configuration as AMC (see System Requirements for details); in addition, JavaScript must be enabled in the browser.

To configure settings:
1. License agreement: Read the terms of the End User License Agreement.
2. Basic Settings:
   - Specify the password you will use to access the AMC. Your password must be at least eight characters long, but no longer than 20 characters.
   - (Optional) Select a time zone, and then click Change to set the current time. You can synchronize the time with an NTP server later in the AMC. For more information, see Configuring Time Settings. It is important to ensure that the appliance’s date and time settings are correct for your time zone before you import your license file.
3. Network Settings:
   - Enter a name for the appliance (the default is SMA1000SSLVPN).
     TIP: Because this name is used only in log files, you don’t need to add it to DNS.
   - The IP address and subnet mask for the internal interface (connected to your private network) are shown. For a dual-homed configuration, enter the IP address and subnet mask for the external interface.
4. Routing: To leverage an existing router, select the dual gateway option to reach your resources. To restrict incoming appliance traffic to just a few routes or subnets, select the single gateway option and enter the routes or subnets as static routes later in the AMC.

   If the appliance is on a different network than the computer you will use to access AMC, you must set up routing to maintain access to AMC.

5. Name Resolution: The appliance must be able to perform name resolution to reach resources on your internal network. Enter a default domain, which is the domain in which the appliance is located (such as yourcompany.com).
6. User access: You can give users full network access by provisioning the OnDemand Tunnel access agent. If you do, you also need to specify the Source NAT address that appears to back-end servers as the source of client traffic. This must be an IP address that is on the same subnet as the internal interface, and is not in use elsewhere.

   Decide on an initial access policy for users (you can refine it later in AMC). This can be completely permissive (granting access to the entire network protected by the SSL VPN), very strict (deny all access), or in-between (give users access to all resources as you define them in AMC).

The end of the Setup Wizard process displays your settings. Proceed to AMC, the management console, for the last steps in the configuration process. See Configuring the Appliance Using the Management Console for details.

Configuring the Appliance Using the Management Console

The final installation and deployment settings are done in AMC.

To configure the appliance in the AMC:

1. Log in to AMC.

   Log in to AMC, the Web-based application used to administer the appliance, and look at the setup checklist on the right.

2. Register the appliance on MySonicWall and retrieve your license file.

   When you register your appliance, you must enter both your serial number and your authentication code, which is the hardware identifier for the appliance you purchased:

   - The serial number is printed on a label on the outside of your appliance.
   - The authentication code is displayed in AMC: click General Settings from the main navigation menu, and then look in the Licensing area.

   When you receive your SMA appliance there is a single user license on it, valid for an unlimited number of days. To become familiar with the AMC and test it in your environment with additional users, request a lab license. After initial setup and testing, download your license file from MySonicWall and then import it to the appliance.

   See Managing Licenses.

3. Define one or more authentication servers.

   Authentication is used to verify the identity of users. When configuring an authentication server, you are prompted to specify a directory type (LDAP, Microsoft Active Directory, RADIUS, or local users) and a credential type (username/password, token, or digital certificate).

   See Managing User Authentication.

4. Configure a server certificate.

   The appliance encrypts information using the Secure Sockets Layer (SSL) protocol. You can create a self-signed certificate using AMC, or optionally obtain a certificate from a commercial certificate authority (CA).

   See Certificates.

5. Define application resources and groups.

   Application resources include TCP/IP-based resources (such as client/server applications, file servers, or databases), Web-based resources (including Web applications or Web sites) that run over HTTP, and Windows network share resources (to be accessed in WorkPlace). Resource definitions can include variables, so that a single resource can, for example, derive its network name or address based on each user.

   See Creating and Managing Resources.

6. Define users and groups.

   User and group definitions are used in access control rules to control access to application resources.

   See Managing Users and Groups.

7. Define realms and communities.

   Realms enable the appliance to directly integrate with authentication servers, eliminating the need to create and manage accounts for each user who needs access to your network. Communities aggregate users with similar access needs and End Point Control requirements.

   See Managing User Authentication.

8. Create access control rules.

   Access control rules determine what resources are available to users and groups.

   See Access Control Rules.

9. Configure shortcuts for WorkPlace.

   To provide your users with easy access to a Web, file system, or graphical terminal resource from within WorkPlace, you may want to create shortcuts in WorkPlace.

   See Working with WorkPlace Shortcuts.

10. (Optional) Configure the network tunnel service.

    If you plan to deploy the network tunnel clients, you must configure the network tunnel service and allocate IP address pools for the clients.

    See Configuring the Network Tunnel Service.

11. (Optional) Enable and configure End Point Control.

    End Point Control optionally deploys data protection components designed to safeguard sensitive data and ensure that your network is not compromised when accessed from PCs in untrusted environments. End Point Control is deployed through communities.

    See End Point Control and Using End Point Control Restrictions in a Community.

12. Apply your changes.

    To activate your configuration changes, you must apply them.

    See Applying Configuration Changes.

13. Test system accessibility.

    Verify that the appliance can access your external user repositories, and ensure that the resources on your network are accessible.

    See Troubleshooting.

Moving the Appliance into Production

After you have tested the appliance sufficiently in your network environment and determined how you want it to work, you’re ready to move it into its permanent home. This section describes steps you may need to perform when moving the appliance into production.

To move the appliance into production:
1
Reconfigure the appliance with new address information.

If the network environment changed when you moved the appliance into production, you must reconfigure the basic network settings and adjust any of the following values if they have changed:

IP addresses for the internal and external interfaces
Default gateway IP addresses
Static routes
Default DNS domain and DNS server IP address
2
Register the appliance with DNS.

If you haven’t already registered the appliance with your company’s DNS, do this now. This ensures that external users can access your network resources using a fully qualified domain name instead of an IP address. Edit your DNS server’s database to include the fully qualified domain name contained in the appliance’s certificate and any WorkPlace sites.

3
Obtain a commercial SSL certificate.

You may want to obtain a commercial certificate for the appliance to assure users of its identity. (Generally, a self-signed certificate is adequate for AMC.)

For more information on generating server certificates, see Obtaining a Certificate from a Commercial CA.

4
Adjust your firewall policies.

If you have an Internet-facing firewall, you may need to adjust its policy to open the ports required by the appliance. By default, the Web proxy service listens on port 443/tcp for HTTPS and port 80/tcp for HTTP. If you want to use SSH to connect to the appliance from outside the network, you'll also need to open port 22/tcp; because this exposes an administrative service to the Internet, leave it closed unless you have a specific need for it and restrict the source addresses that may reach it.

If you have a firewall that faces the internal network, you may need to adjust its policy to open ports for any back-end applications with which the appliance must communicate (if these ports are not already open). For instance, if you use an LDAP or Microsoft Active Directory server for authentication, you must open port 389/tcp on your internal firewall (or 636/tcp if the appliance connects to the directory over SSL). For RADIUS, open ports 1645/udp and 1812/udp.

If you’re using WorkPlace to access Windows network shares, you must also open the Windows networking ports on your internal firewall so that WorkPlace can perform name resolution, make browse requests, and connect to file shares.

For more information, see Gathering Information.
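The DNS, certificate, and firewall steps above can be verified together before the appliance is exposed to users. The following script is an added example, not part of the SonicWall guide: run from an administrator's Windows workstation, it checks that the appliance FQDN and WorkPlace site names resolve, that the server certificate presented on port 443 covers each of those names and is not self-signed or about to expire, that only the expected ports answer from the Internet side (22/tcp should normally be closed), and that the directory servers are reachable from the appliance's internal segment. All host names, and the list of ports expected to be open or closed, are assumptions to replace with your own values.

```powershell
# Added example (not from the SonicWall guide): pre-production checks for an SMA appliance.
# Host names and expected-port lists below are assumptions; adjust them to your environment.

$ApplianceFqdn  = 'vpn.example.com'            # assumed: FQDN in the appliance certificate
$WorkPlaceSites = @('workplace.example.com')   # assumed: additional WorkPlace site names
$DirectoryHosts = @('dc1.example.com')         # assumed: internal LDAP / Active Directory servers

function Test-TcpPort {
    # Returns $true when a TCP connection to ComputerName:Port succeeds within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-TlsServerCertificate {
    # Opens a TLS session and returns the server certificate, the DNS names it covers
    # (subjectAltName entries plus the subject CN) and the negotiated protocol version.
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any certificate here: the point is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($san) {
            # Format() output is localized; the 'DNS Name=' label is what English Windows prints.
            $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                     ForEach-Object { $_.Groups[1].Value }
        }
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        [pscustomobject]@{ Certificate = $cert; Names = @($names) + $cn; Protocol = $ssl.SslProtocol }
    } finally { $client.Close() }
}

$allNames = @($ApplianceFqdn) + $WorkPlaceSites

# 1. DNS (step 2): every name users will type must resolve to the appliance.
foreach ($name in $allNames) {
    $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    if ($records) { "OK    $name -> $($records.IPAddress -join ', ')" } else { "FAIL  $name does not resolve" }
}

# 2. Certificate (step 3): each name must be covered, and users should not see a self-signed cert.
$tls = Get-TlsServerCertificate -ComputerName $ApplianceFqdn
foreach ($name in $allNames) {
    if ($tls.Names -contains $name) { "OK    certificate covers $name" } else { "FAIL  certificate does not cover $name" }
}
if ($tls.Certificate.Subject -eq $tls.Certificate.Issuer) { "WARN  certificate is self-signed; browsers will warn users" }
if ($tls.Certificate.NotAfter -lt (Get-Date).AddDays(30)) { "WARN  certificate expires $($tls.Certificate.NotAfter)" }
"INFO  negotiated $($tls.Protocol) with $ApplianceFqdn"

# 3. External firewall (step 4): 443 and 80 answer; SSH stays closed unless you opened it deliberately.
$external = @{ 443 = $true; 80 = $true; 22 = $false }     # assumed expectations
foreach ($port in $external.Keys) {
    $open   = Test-TcpPort -ComputerName $ApplianceFqdn -Port $port
    $status = if ($open -eq $external[$port]) { 'OK  ' } else { 'FAIL' }
    "$status external port $port/tcp open=$open expected=$($external[$port])"
}

# 4. Internal firewall (step 4): run this part from a host on the appliance's internal segment.
#    389/tcp is cleartext LDAP, 636/tcp is LDAP over SSL; only the one you configured needs to be open.
foreach ($dc in $DirectoryHosts) {
    foreach ($port in 389, 636) {
        "INFO  ${dc}:$port/tcp reachable=$(Test-TcpPort -ComputerName $dc -Port $port)"
    }
}
# RADIUS (1812/udp, legacy 1645/udp) cannot be probed with a TCP connect; use the
# authentication server test in AMC to confirm it.
```

Run the external checks from a host outside your perimeter and the directory checks from inside it; a FAIL on the certificate coverage lines usually means a WorkPlace site name was added to DNS but not to the certificate request.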

5
Create shortcuts and deploy WorkPlace.

If you use WorkPlace as an interface to Web-based resources and to provide Web-based access to Windows network share and graphical terminal resources, you must create shortcuts (see Working with WorkPlace Shortcuts). You should also publish the WorkPlace URLs so your users know how to access resources through your VPN.

You may want to customize the appearance of WorkPlace for your environment. See Configuring WorkPlace General Settings for more information.

Powering Down and Restarting the Appliance

When it’s time to power down or restart the appliance, be sure to follow the proper procedure. The appliance stores important data in memory while it is running. That data must be written to the hard disk before you turn off the power.

CAUTION: Powering down the appliance improperly can result in loss of data and leave the system’s files in an inconsistent state. For EX9000, EX7000, EX6000, SMA 7200, and SMA 6200 appliances: Remove any USB devices from the appliance before you reboot it. If a USB device is plugged in to your appliance when it is rebooted, the appliance tries to use it as a boot device. As a result, the boot information stored in the BIOS on the appliance is overwritten, and the device becomes unusable.
To power down or restart the appliance in AMC
1
From the main navigation menu, click Maintenance. The Maintenance page displays.

2
Click the appropriate button:
To restart the appliance, click Restart. AMC stops responding. After the appliance restarts, you can log in to AMC again.
To shut down the appliance, click Shutdown. AMC stops responding and the appliance powers down. You do not need to press the power button on the front panel.

All appliance models can also be shut down or restarted at the appliance itself, using the front-panel LCD keypad:

a
On the front of the appliance, press the Down button on the four-button keypad to get to the main LCD menu.
b
Scroll down until you reach the option you want, Restart or Shutdown.
c
Both options display a confirmation message; press the Left button to continue.
d
The results are the same as restarting or shutting down in AMC:
AMC stops responding; after the appliance restarts, you can log in to AMC again.
AMC stops responding and the appliance automatically powers down. You do not need to press the power button on the front panel.

Hyper-V for the SMA 8200v

Microsoft Hyper-V in Windows Server 2012 R2 is supported as a host platform for both the Central Management Server (CMS) and Secure Mobile Access (SMA) appliances. Customers using a Microsoft Hyper-V-based virtualization/private cloud infrastructure can host SMA appliances and CMS.

Configuring Hyper-V for SMA 8200v

NOTE: Hyper-V is supported only on Windows Server 2012 R2 and later.
To create a new SMA 8200v on a Hyper-V host:
1
Copy the SMA ISO file to a location that can be accessed by the Hyper-V Manager.
2
Create a Generation 1 virtual machine with 2 processors and 2GB of memory.
3
Create a new 64 GB dynamically expanding hard drive with a .vhdx suffix (not a .vhd suffix).
4
Add the hard drive to the virtual machine on IDE Controller 0.
5
Create a second network adapter.
NOTE: The virtual machine is created with just one network adapter.
6
The virtual machine gets created with a DVD:
Specify the media for the DVD to be the SMA ISO file.
Change the virtual machine BIOS boot order so that the DVD is first.
7
Start the virtual machine. It boots from the DVD.
8
After a successful boot, an SMA appliance is created, and the virtual machine is automatically stopped.
9
Remove the SMA ISO from the virtual DVD drive, as it is no longer needed.
10
Change the BIOS boot order so that the hard drive is higher than the DVD.
11
Connect the network adapters to the appropriate virtual switch in the Hyper-V environment.

The next time the virtual machine is started, it boots from the hard drive and you can configure the SMA 8200v from the console.
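The procedure above can be carried out with the Hyper-V PowerShell module instead of Hyper-V Manager, which is convenient when several SMA 8200v instances have to be built identically. The script below is an added example, not part of the SonicWall guide or the SMA product; it follows the numbered steps in order. The VM name, paths, ISO location, and virtual switch names are assumptions, and it must run in an elevated session on the Hyper-V host.

```powershell
# Added example (not from the SonicWall guide): the SMA 8200v Hyper-V procedure, scripted.
# VM name, paths, ISO location and switch names are assumptions; run elevated on the Hyper-V host.
$VmName         = 'SMA8200v'                 # assumed
$VmPath         = 'D:\Hyper-V'               # assumed
$IsoPath        = 'D:\ISO\sma-8200v.iso'     # assumed: the SMA ISO copied to the host (step 1)
$InternalSwitch = 'Internal-vSwitch'         # assumed: switch on the corporate network side
$ExternalSwitch = 'External-vSwitch'         # assumed: switch on the Internet-facing side

# Step 2: Generation 1 VM with 2 processors and 2 GB of memory.
# -NoVHD so the disk can be created below as a .vhdx rather than the default .vhd.
New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 2GB -NoVHD -Path $VmPath | Out-Null
Set-VMProcessor -VMName $VmName -Count 2

# Steps 3 and 4: 64 GB dynamically expanding .vhdx attached to IDE controller 0.
$vhdx = Join-Path $VmPath "$VmName.vhdx"
New-VHD -Path $vhdx -SizeBytes 64GB -Dynamic | Out-Null
Add-VMHardDiskDrive -VMName $VmName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 -Path $vhdx

# Step 5: a second network adapter (New-VM creates only one, named 'Network Adapter').
# Naming the adapters now keeps internal and external from being swapped in step 11.
Rename-VMNetworkAdapter -VMName $VmName -Name 'Network Adapter' -NewName 'Internal'
Add-VMNetworkAdapter -VMName $VmName -Name 'External'

# Step 6: mount the ISO in the DVD drive the VM was created with, and boot from the DVD first.
Set-VMDvdDrive -VMName $VmName -Path $IsoPath
Set-VMBios -VMName $VmName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Steps 7 and 8: boot from the ISO; the installer creates the appliance on disk and stops the VM.
Start-VM -Name $VmName
while ((Get-VM -Name $VmName).State -ne 'Off') { Start-Sleep -Seconds 15 }

# Steps 9 and 10: eject the ISO and put the hard drive ahead of the DVD in the boot order.
Set-VMDvdDrive -VMName $VmName -Path $null
Set-VMBios -VMName $VmName -StartupOrder @('IDE', 'CD', 'LegacyNetworkAdapter', 'Floppy')

# Step 11: connect each adapter to its virtual switch.
Connect-VMNetworkAdapter -VMName $VmName -Name 'Internal' -SwitchName $InternalSwitch
Connect-VMNetworkAdapter -VMName $VmName -Name 'External' -SwitchName $ExternalSwitch

# The next start boots the appliance from the hard drive; complete setup from the VM console.
Start-VM -Name $VmName
```

Leaving the boot order at CD first after installation would re-run the installer if an ISO were ever mounted again, so the reorder in step 10 is not optional; the wait loop relies on the installer powering the VM off when it finishes, as the guide describes.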

The maximum concurrent user count for the Hyper-V platform is 250 CCU.

For more details about configuring Hyper-V, see the Secure Mobile Access Virtual Appliance Hyper-V Deployment Guide.

Next Steps

After you have completed the initial network setup, use AMC to continue configuring the appliance. AMC is accessible using a Web browser.

TIP: If you’re new to AMC, you might want to read Working with Appliance Management Console.

If you’re ready to continue configuring the appliance, see Network and Authentication Configuration.