Secure Mobile Access 12.0 Admin Guide

Introduction

 

About Secure Mobile Access

Secure Mobile Access on SMA Appliances

Welcome to the Secure Mobile Access 12.0 Administration Guide. This manual provides the information you need to successfully activate, configure, and administer Secure Mobile Access (SMA) on SonicWall SMA appliances.

SonicWall SMA appliances provide secure access—including clientless access to web applications, access to client/server applications, and file sharing—to employees, business partners, and customers. All traffic is encrypted using Secure Sockets Layer (SSL) to protect it from unauthorized users.

The appliance makes applications available from a range of access methods—including a standard Web browser, a Windows client, or a mobile device—on a wide range of platforms including Windows, Macintosh, and Linux.

You might use the appliance to create a:

Remote access VPN that enables remote employees to securely access private company applications such as email over the Internet.
Business partner VPN that provides designated suppliers with access to an internal supply chain application over the Internet.

The appliance’s granular access control lets you define policy and control access down to the user and resource level. Managing policy and configuring the appliance is quick and easy with the Web-based management console.

For an overview of planning your SonicWall Secure Mobile Access appliance configuration and deployment, see the SonicWall SMA Deployment Planning Guide.

About SMA Documentation

Your SonicWall SMA appliance also comes with a printed Getting Started Guide, and there is a SonicWall SMA Deployment Planning Guide that explains important VPN concepts and components and aids in deploying your VPN. For access to electronic copies of all product documentation, visit the SonicWall Support portal or log in to your MySonicWall account and register your appliance. See Registering Your SMA Appliance for more information.

Document Conventions

Throughout this document:

External refers to the network interface connected to the Internet.
Internal refers to the network interface connected to your internal corporate network.

This document uses the following typographical conventions:

Document conventions

Typographical convention | Usage
Bold | User interface components (such as UI pages, dialogs, text fields, or buttons).
Monospace font | Information you are supposed to type.
commandname -x [-y] | In command-line syntax, square brackets indicate optional parameters.

What’s New in This Release

SonicWall Secure Mobile Access (SMA) 12.0.1 includes these new features:

Biometric Identity Verification
Web-based RDP, VNC, SSH, and Telnet
Legacy and SAML SSO Support with CAM
Endpoint Security Integration SDK (OESIS) Version 4
Appliance Management Console (AMC) and WorkPlace management interface have a redesigned, easy-to-use page layout
Global High Availability (HA) with GTO
GTO support for Outlook Anywhere, Exchange ActiveSync, Custom FQDN, and Custom WorkPlace

Deprecated Features

These features have been deprecated on all SMA appliances in SMA 12.0.1:

 

GMS

GMS is not supported in SMA 12.0.1. For more information, refer to the SMA 12.0 Central Management Server with Global Traffic Optimization Administration Guide.

Secure Sockets Layer (SSL) Version 3.0

The Secure Sockets Layer (SSL) protocol has proven to be an inefficient and insecure protocol, and customers have been requesting its removal.

Secure Sockets Layer (SSL) Version 3.0 is being deprecated on all SMA 1000 series appliances in SMA 12.0.1. The option to enable SSLv3 is not available on the SSL configuration page.

The system disables SSLv3 automatically when upgrading to SMA 12.0.1 or when importing a configuration. This applies to standalone appliances and CMS installations. The SSLv3 protocol is not supported or negotiated for any connection in SMA 12.0.1. During a system upgrade or configuration import, if SSLv3 is enabled in the incoming configuration, it is removed from the new configuration and the upgrade or import process succeeds.

In the Management API, the enum value SSL_V3_AND_TLS_1_0_AND_HIGHER is no longer valid when configuring SSL encryption via the encryption resource.

Virtual Assist

When you attempt to upgrade to SMA 12.0.1 from an earlier release, or import an SMA 12.0.1 configuration, the system prevents the upgrade or import and notifies you with this message:

Virtual Assist is not available in SMA 12.0.1.

You must disable Virtual Assist before you can upgrade to SMA 12.0.1.

You can then disable Virtual Assist and start the upgrade process again. This time the upgrade will complete.

Replication

CMS provides High Availability (HA), which provides redundancy. Therefore, the Replication feature has been removed from SMA, and all references to the replication feature have been removed from the AMC. The Replicate section no longer appears on the Maintenance page, and the entire Configure Replication page, accessed via the Configure button, has been removed.

IMPORTANT: CMS Policy Synchronization is the equivalent of SMA Replication.

High Availability Pair

High Availability (HA) Pair is being deprecated on all SMA 1000 series appliances in SMA 12.0.1. GTO now provides those features more efficiently. All HA Pair connections must be disabled before you can upgrade to SMA 12.0.1. Attempting to upgrade a node in an HA Pair to SMA 12.0.1 will not succeed, but will generate this error message:

Except: Special CEM to allow upgrade that breaks node out of pair.

Importing a full SMA 12.0.1 configuration will not succeed, but importing a partial SMA 12.0.1 configuration will succeed. Central User licenses replace HA Pair licenses.

Virtual Host with IP Address

Virtual Host with IP address is being deprecated. This feature provided dedicated IP address usage for:

Workplace sites
Host-mapped URL resources
Activesync URL resources

This feature is not needed and has been hidden since the 10.7.0 release.

Upgrading to SMA 12.0.1 will not succeed if any virtual hosts with IP addresses are configured in the current configuration. Importing a full SMA 12.0.1 configuration will not succeed, but importing a partial SMA 12.0.1 configuration will succeed if the extra IP addresses are removed from the current configuration first.

Features of Your SMA Appliance


SonicWall SMA Appliance Models

SonicWall offers the following SMA and EX Series appliance models, all of which are documented in this manual.

In this document, the term SMA appliance refers to the appliances listed in SMA Appliance models. Except for the SMA 8200v Virtual Appliance, all SMA appliances provide for clustering two identical appliances behind one virtual IP address or up to eight appliances using an external load balancer.

SMA Appliance models

This appliance | Supports up to this many concurrent users
E-Class SMA EX9000 | 20,000
E-Class SMA EX7000 | 5,000
E-Class SMA EX6000 | 250
SMA 7200 | 10,000
SMA 6200 | 2,000
SMA 8200v Virtual Appliance | 250 users for Hyper-V and 5000 users for ESX

Administrator Components for Managing Appliances and Services

Appliance Management Console (AMC) is a Web-based administrative tool (see AMC Dashboard) that manages the appliance by providing centralized access for:
Managing security policies.
Configuring the system (including networking and certificate configuration).
Monitoring.

AMC is accessible from a Web browser.

AMC Dashboard

Web proxy service provides users with secure access to Web-based applications, Web servers, and network file servers from a Web browser. Web proxy service is a secure HTTP reverse proxy that brokers and encrypts access to Web-based resources.
Network tunnel service is a network routing technology that provides secure network tunnel access to a wide range of applications, including those that use
Non-TCP protocols such as Voice Over IP (VoIP) and ICMP.
Reverse-connection protocols.
Bi-directional protocols such as FTP.

Network tunnel service works in conjunction with the Connect Tunnel client and the OnDemand Tunnel agent to provide authenticated and encrypted access. It can traverse firewalls, NAT devices, and other proxy servers that can interfere with traditional VPN devices.

Management API Library provides URLs to view and modify appliance data in JSON format. The API is divided into two primary URLs that handle HTTP requests before and after the appliance has completed initial configuration:
During initial configuration: https://<AMC IP address>:8443/Setup
On configured appliance: https://<AMC IP address>:8443/Console

where <AMC IP address> is the IP address of your AMC appliance.

NOTE: When using a virtual machine, use the virtual machine port number instead of port 8443.

Browser-based documentation is available at:

https://<AMC IP address>:8443/Setup/UserGuide
https://<AMC IP address>:8443/Console/UserGuide

User Access Components

The SMA appliance includes several components that provide users with access to resources on your network:

WorkPlace

The WorkPlace portal provides users with quick access to resources on your network. It is accessible from any Web browser that supports SSL and has JavaScript enabled. WorkPlace provides a range of access methods for you to choose from:

Basic Web (HTTP) resources are accessible using the Web translation engine, a reverse proxy that provides single sign-on and fine-grained access control. The web translation engine has three modes of operation:
Alias-based translation appends a custom alias to the end of the URL that users access (also called URL re-writing). For example, if you specify http://hr.mycompany.com/ as a URL resource with an alias of hr, users would access it by clicking on a link in Workplace that looked like this: https://vpn.mycompany.com/hr/. This type of configuration is recommended for simple web applications that do not require advanced functionality, like Java applets or JavaScript (AJAX). SonicWall supports a limited number of applications in the alias-based translated web access method; see Web Application Services.
Host-mapped URL access changes the hostname that the resource is accessed on. For example, if http://hr.mycompany.com/ URL resource is configured with a custom hostname of hr.vpn.mycompany.com, users access the resource by clicking on a link that looks like this in Workplace: https://hr.vpn.mycompany.com/. Host mapped URL access is recommended for complex web applications that may use Java applets, advanced AJAX (and other advanced web technologies).
TIP: It is highly recommended to purchase either a wildcard SSL certificate, or a SAN certificate with wildcards in it, to make expansion of host-mapped URL resources easier.
Port-mapped URL access changes the port number that the resource is accessed on. For example, if http://hr.mycompany.com/ URL resource is configured with a custom port (8888) for access, users access the resource by clicking on a link that looks like this in Workplace: https://vpn.mycompany.com:8888/. One of the downsides of custom port URL access is that it does require you to open up a port for each web application that you want to configure to use the port mapped URL access.
TIP: Port-mapped URL resources are recommended for complex web applications that may use Java applets, advanced AJAX, and other advanced web technologies.
File system resources are accessible from the Web-based Network Explorer that is integrated in WorkPlace.
Client/server traffic (TCP/IP) is accessible using one of the network redirection clients, OnDemand Tunnel. The client is provisioned automatically or activated when the user logs in to WorkPlace.

The access method you choose will be based on several factors, including the network protocols used by your applications, your security requirements, end-user convenience, and the target platforms.
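To make the three modes concrete, here is a small added Python model (not SonicWall's code) of the WorkPlace link each mode produces, how an incoming request is matched back to a URL resource, and the link re-writing that only alias-based translation needs. It uses the page's hr.mycompany.com resource; the portal hostname vpn.mycompany.com, the alias hr, port 8888 and the sample HTML are constructed for illustration.

```python
"""Model of the Web translation engine's three URL resource modes (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit
import posixpath
import re

PORTAL_HOST = "vpn.mycompany.com"  # assumed WorkPlace hostname (constructed)


@dataclass(frozen=True)
class UrlResource:
    backend: str                        # internal resource, e.g. http://hr.mycompany.com/
    alias: Optional[str] = None         # alias-based:  https://<portal>/<alias>/
    custom_host: Optional[str] = None   # host-mapped:  https://<custom_host>/
    custom_port: Optional[int] = None   # port-mapped:  https://<portal>:<port>/

    def workplace_link(self) -> str:
        """The link WorkPlace shows the user for this resource."""
        if self.alias:
            return f"https://{PORTAL_HOST}/{self.alias}/"
        if self.custom_host:
            return f"https://{self.custom_host}/"
        if self.custom_port:
            return f"https://{PORTAL_HOST}:{self.custom_port}/"
        raise ValueError("no translation mode configured")


def resolve(resources: Iterable[UrlResource], host: str, port: int,
            path: str) -> Optional[Tuple[UrlResource, str]]:
    """Match an external request to (resource, path on the backend), or None."""
    # Collapse ".." and duplicate slashes first so an alias prefix check
    # cannot be sidestepped with /hr/../other/ style paths.
    path = posixpath.normpath("/" + path.lstrip("/"))
    for r in resources:
        if r.custom_host and host == r.custom_host and port == 443:
            return r, path                       # host-mapped: path unchanged
        if r.custom_port and host == PORTAL_HOST and port == r.custom_port:
            return r, path                       # port-mapped: path unchanged
        if r.alias and host == PORTAL_HOST and port == 443:
            prefix = "/" + r.alias               # alias-based: strip the alias
            if path == prefix or path.startswith(prefix + "/"):
                return r, path[len(prefix):] or "/"
    return None


def rewrite_links(resource: UrlResource, html: str) -> str:
    """Alias mode only: keep links in a backend response inside the alias.

    Host- and port-mapped resources return the body untouched, which is why
    they cope with applets/AJAX that alias re-writing can break.
    """
    if not resource.alias:
        return html
    b = urlsplit(resource.backend)
    origin = re.escape(f"{b.scheme}://{b.netloc}")
    alias_root = f"https://{PORTAL_HOST}/{resource.alias}"
    # 1. absolute URLs pointing at the backend origin
    html = re.sub(origin + r"(?=[/'\"\s])", alias_root, html)
    # 2. root-relative href/src/action ("/x"), but not protocol-relative "//x"
    return re.sub(r"\b(href|src|action)=([\"'])/(?!/)",
                  rf"\1=\2/{resource.alias}/", html)


# Constructed sample: the page's hr.mycompany.com resource in all three modes.
HR_ALIAS = UrlResource("http://hr.mycompany.com/", alias="hr")
HR_HOST = UrlResource("http://hr.mycompany.com/", custom_host="hr.vpn.mycompany.com")
HR_PORT = UrlResource("http://hr.mycompany.com/", custom_port=8888)
RESOURCES = [HR_ALIAS, HR_HOST, HR_PORT]
SAMPLE_HTML = ('<a href="http://hr.mycompany.com/payroll/">Payroll</a>'
               '<img src="/img/logo.png"><script src="//cdn.example/x.js"></script>')
```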

Connect and OnDemand Tunnel Clients

Tunnel clients provide network-level access to all resources, effectively making each user device a virtual node on your network.

The Connect Tunnel client provides full network and application access from a Web-deployed client for computers running Windows 7 SP1, Windows 10, Mac OS, or Linux. The client can be provisioned either transparently using a link from the WorkPlace portal or through an executable installation package. The Connect Tunnel client provides split-tunneling control, granular access controls, and automatic proxy detection and authentication.
The OnDemand Tunnel agent provides the same features as the Connect Tunnel, except that it can’t be used as a dial-up adapter for domain logins, and is integrated into WorkPlace. OnDemand can operate in either split-tunnel mode or redirect all traffic mode.

End Point Control (EPC)

EPC components ensure that your network is not compromised when accessed from PCs in untrusted environments by enabling you to interrogate devices to determine whether they are running the programs you require. Advanced EPC simplifies granular end point protection by allowing you to set up device profiles (for clients running on Microsoft Windows) using a comprehensive predefined checklist that includes security solutions from leading vendors like OPSWAT, McAfee, Computer Associates, Sophos, and Kaspersky. Advanced EPC is included with the SMA 6200, SMA 7200, EX9000, and EX7000 appliances and licensed separately for the other appliances in the EX Series.

ADA 508 Improvements

The Administrator (AMC) and User Access (WorkPlace and Connect Tunnel) components provided with your appliance have ADA 508 improvements for the operating systems shown in ADA 508 improvements.

ADA 508 improvements

Component | Windows | Mac OS X | Linux
AMC
WorkPlace
Connect Tunnel

ADA 508 improvements include the following features to improve keyboard usability and compatibility with assistive technologies:

Keyboard shortcuts and proper keyboard tab order.
Visual focus that identifies the user’s location on a page and allows them to use the Tab key to move between elements on a page. This is especially helpful for tabbed pages, radio buttons, checkboxes, push buttons, and other types of selection methods.
Meaningful popup captions on property windows, dialog boxes, and non-text elements.
Completion message when Connect Tunnel successfully completes installation.
User actions in the Configuration Wizard are more accessible.
Browser-based High Contrast theme, which makes text on the computer screen easier to see. This feature is available on Internet Explorer, Chrome, and Firefox browsers, but results vary based on the operating system and browser combination.

Login and runtime dialogs, session statistics, and status are rearranged to make them more accessible.

NOTE: SonicWall recommends using NonVisual Desktop Access (NVDA) or JAWS screen-reading software.

Related Documentation

Refer to these SonicWall SMA 12.0.1 documents for specific details about the various features and products of SMA 12.0.1:

SMA 12.0 CMS Administration Guide
SMA 12.0 WorkPlace User Guide
SMA 12.0 Upgrade Guide
SMA 12.0 Connect Tunnel Clients and Service User Guide
SMA 12 8200v Getting Started Guide

System Requirements

This section describes the system requirements for the client and administrator (server) components for Secure Mobile Access.

Support status is indicated by the font type for items listed in the tables:

Fully supported (normal font)
Compatible with, moving into support, issues addressed as needed (bold italics)
Compatible with, moving out of support (italics)

There are no known issues with “compatible with” configurations, but they have not been specifically tested in the current release. Therefore, SonicWall does not guarantee that significant issues will not occur, and there is no guarantee of support for such issues.

NOTE: Metro View is not supported in Microsoft Internet Explorer (IE) v10.

Client Components

The system requirements for client components are listed in the following tables:

NOTE: The tables that follow show the latest released versions of software available at the time of the corresponding SonicWall Secure Mobile Access (SMA) release.

WorkPlace Lite Access

WorkPlace Lite requirements

Operating system | Browser | Notes
Windows 10, Windows 10 Creators | IE (32 bit only), Firefox, Chrome, Edge | No access agent or EPC is required. The browser must support HTML5.
Windows 7 x86/x64 SP1 | IE (32 bit only), Firefox, Chrome
iPhone/iPad OS v9.0, v8.0, v7.0 | Safari
Android 6.x, 5.x, 4.x | Firefox, Chrome
ChromeOS
Windows Phone 10 | Edge
Mac OSX 10.12.X, 10.11.X, 10.10.X | Safari
Linux x86/x64 Kernel 4.X or later | Firefox

Supported HTML5 bookmarks:

RDP
Telnet
SSH
VNC
Citrix (through Storefront)
Network Explorer

Web-Based Clients

WorkPlace Portal, Translated Web, Network Explorer, Host/Port Mapping URL Access

Web-based client system requirements

Operating system | Browser | Notes
Windows 10 | N/A | N/A
Windows 7 x86/x64 SP1 | N/A | N/A
Mac OSX 10.12.X, 10.11.X, 10.10.X | Safari | Java
Linux x86/x64 Kernel 4.X or later | Firefox | Java

Web Application Services

Translated/Custom Port Mapped/Custom FQDN Mapped Web application service requirements

Operating system | Browser | Notes
Outlook Web Exchange 2016 | IE (32 bit only)
Outlook Web Access 2013 | IE (32 bit only), Firefox
Outlook Web Access 2010 | IE (32 bit only), Firefox
SharePoint 2013 | IE (32 bit only)
SharePoint 2010 | For Windows 8.1 use IE

Web Application: Generic (Simple)

Browser: Internet Explorer, Firefox, and Chrome

NOTE: Support of a given web application using alias-based translation depends on the compatibility and complexity of the underlying web application. Some web applications do not work with alias-based translation, in which case custom host or port mapping URL access should be used. SonicWall only supports and tests the specifically listed applications in this section for alias-based translation access. Supports NTLM, BASIC, and forms-based Single Sign-On (SSO).

Custom Port Mapped/Custom FQDN Mapped Web application service requirements

Operating system | Browser | Notes
Domino Web Access 9.0.1 | IE (9.0.1 only), Firefox, Chrome

Web Application: Generic (Advanced)

Browser: Internet Explorer, Firefox, and Chrome

NOTE: Recommended for advanced web applications that may use Java Applets, AJAX, or other advanced web technologies. Supports NTLM, BASIC, and forms-based Single Sign-On (SSO).

Tunnel Clients

Connect Tunnel client requirements

Operating system | Browser | Notes
Windows 10 | N/A | N/A
Windows 8.1 x86/x64 Update | N/A | N/A
Windows 7 x86 SP1/x64 | N/A | N/A
Mac OSX 10.11.X, 10.10.X | Safari | Java
Linux x86/x64 Kernel 4.X or later | Firefox | Java

Connect Tunnel service requirements

Operating system | Browser | Notes
Windows 2016 Server R2 | N/A
Windows 2012 Server R2 | N/A
Windows 2008 Server R2 x64 | N/A

OnDemand Tunnel agent requirements

Operating system | Browser | Notes
Windows 10 Threshold 2 (build 10586) x86/x64 | N/A | N/A
Windows 8.1 x86/x64 Update | N/A | N/A
Windows 7 x86 SP1/x64 | N/A | N/A
Mac OSX 10.11.X, 10.10.X | Safari | Java
Linux x86/x64 Kernel 3.X or later | Firefox | Java
TurboLinux v7 | Mozilla | Java

Proxy Clients

Web Proxy client requirements

Operating system | Browser | Notes
Windows 10 | IE (32 bit only) | Active X
Windows 8.1 x86/x64 Update | IE (32 bit only) | Active X
Windows 7 x86 SP1/x64 | IE (32 bit only) | Active X

OnDemand Proxy agent requirements (mapped mode)

Operating system | Browser | Notes
Windows 10 | IE (32 bit only), Firefox | Active X
Windows 8.1 x86/x64 Update | IE (32 bit only), Firefox | Active X
Windows 7 x86/x64 SP1 | IE (32 bit only), Firefox | Active X
Mac OSX 10.11.X, 10.10.X | Safari | Java
Linux x86/x64 Kernel 3.X or later | Firefox | Java

End Point Control

End Point Control (Interrogator and Installer) client system requirements

Operating system | Browser | Notes
Windows 10 | IE (32 bit only), Firefox, Chrome | Active X
Windows 8.1 x86/x64 Update | IE (32 bit only), Firefox, Chrome | Active X
Windows 7 x86 SP1/x64 | IE (32 bit only), Firefox, Chrome | Active X
Mac OSX 10.11.X, 10.10.X | Safari v9.x, Safari v8.x | Java
Linux x86, Linux x64 | Firefox | Java

Third Party Component (OESIS, Cache Cleaner) requirements

Operating system | Browser | Notes
Windows 10 | IE (32 bit only), Firefox | Active X
Windows 8.1 x86/x64 Update | IE (32 bit only), Firefox | Active X
Windows 7 x86 SP1/x64 | IE (32 bit only), Firefox | Active X
Mac OSX 10.11.X, 10.10.X | Safari | Java
Linux x86, Linux x64 | Firefox | Java
Cache Cleaner 3.6 | Windows, Mac | Java

GTO Clients

Only the clients running 11.4.0 and above listed in Supported GTO clients are able to connect to GTO-based appliances. Also supported are any upgrades from a previous version to a supported version.

Supported GTO clients

Client
Windows CT
MAC CT
Linux
Mobile Connect for Android
Mobile Connect for iOS
Mobile Connect for Mac
Mobile Connect for Windows 10

Server Components

The system requirements for the administrator components and authentication servers are listed in these tables.

System Administration

System requirements for management computer accessing AMC

Operating system | Browser | Notes
Appliance Management Console (AMC)
Windows 10 | IE (32 bit only), Firefox
Windows 8.1 x86/x64 Update | IE (32 bit only), Firefox
Windows 7 x86 SP1/x64 | IE (32 bit only), Firefox

Authentication Servers

Requirements

Operating system | Version | Notes

Microsoft | Windows 2012 Server R2 x64, Windows 2008 Server R2 SP1 x64 | Outlook Anywhere

LDAP servers
LDAP v3 compatible Servers | LDAP password change supported on IDS
IBM Tivoli Directory Server Enterprise Edition | V6.x | LDAP password change supported on IDS
Oracle Directory Server Enterprise Edition | V11
Novell eDirectory | V8.8 SP7

RADIUS Protocol
RSA Authentication Manager | v8.1, v7.x
General | Will support IP address assignment
Quest Defender | v5.81, v5.7

Single Sign-on Servers
RSA Federated Identity Manager (Clear Trust) | RSA Clear Trust Agent 5.5

SAML Servers/Providers
Office 365 | Azure AD or Azure AD sync with local AD
Workplace | SonicWall CAM
Google Apps/Email | Azure AD or Internal Shibboleth IdP
Azure AD or any other IdP
Box | Azure AD or any other IdP
AWS | Azure AD or any other IdP
Workplace | CA SiteMinder

ActiveSync Clients

Requirements

Servers | Version
Android Phone/Tablet | Android 6.x, Android 5.x, Android 4.x
iPhone/iPad | iPhone/iPad OS V9.x, v8.x, v7.x
Windows Phone | Windows Phone 10

ActiveSync Servers

Requirements

Servers | Version
Microsoft Exchange | Exchange 2016, Exchange 2013, Exchange 2010

Outlook Anywhere

Outlook Anywhere using MAPI over HTTP

Servers | Clients
Windows 10 Threshold 2 (build 10586) x86/x64 | Outlook 2016
Windows 8.1 x86/x64 Update | Outlook 2010 SP2
Windows 7 SP1 x86/x64 | Outlook 2013 SP1

Outlook Anywhere using RPC over HTTP

Servers | Clients
Windows 10 Threshold 2 (build 10586) x86/x64 | Outlook 2016
Windows 8.1 x86/x64 Update | Outlook 2010
Windows 7 SP1 x86/x64 | Outlook 2013

Citrix Server Farms

Requirements

Servers | Version
Citrix | Citrix XenApp 7.7, Citrix XenApp 7.6, Citrix XenDesktop v7.6, Citrix XenDesktop v7.7

Server Farms

Requirements

Servers | Version
vWorkspace | 8.6
VMware Horizon View | 6.X

Native Access Modules (NAMs)

The Secure Mobile Access appliance integrates with several popular third party agents. In some cases, the files necessary for integration are already on the appliance, and in other cases they must be copied to the appliance.

Requirements

Description | Notes

Terminal Services agent
Windows V4.x
Mac v12.x | Java
Linux v13.x | Java

Citrix Receiver
Windows v3.x
Mac v3.x
Linux v3.x

VMware View
Windows v3.x
Mac v3.x
Linux v3.x

vWorkspace
Windows - vWorkspace Connector 8.6
Mac OSX - vWorkspace Connector 8.6
Pre-installed Linux vWorkspace Connector 8.6

SMA 8200v and CMS Platforms

vWorkspace Server Farm requirements

Component | Version
VMWare | ESX/ESXi 6.0, 7.x
Microsoft Hyper-V | Windows Server 2012 R2

API Support

API Support

Component | Version
Management API | Ruby 1.9.3, Mechanize 2.7.4
Authentication API | Ruby 1.9.3, Mechanize 2.7.4