en-US
search-icon

Secure Mobile Access 12.0 Deployment Planning Guide

About SonicWall SMA Connect Tunnel Service

About the SMA Appliance

The SonicWall SMA appliance provides secure remote access to:

Web applications, client/server applications, and file shares
Employees, business partners, and customers

All traffic is encrypted using Secure Sockets Layer (SSL) to protect it from unauthorized users.

This appliance makes applications available using different access methods and devices on a wide range of platforms, including Windows, Macintosh, and Linux.

The SMA appliance can be used to:

Create a remote access Virtual Private Network (VPN) that gives remote employees secure access to private company applications such as email.
Create a business partner VPN that provides designated suppliers with access to an internal supply chain application.

As the administrator, you determine the resources that users have access to. The SMA appliance transparently and dynamically uses the access methods appropriate for those resources.

Key SSL VPN Concepts and SMA Features

This section describes the essential concepts that you should become familiar with before installing, configuring, and managing the SonicWall SMA appliance.

Topics:  

Resources

The SonicWall SMA appliance manages a wide variety of corporate resources in three main categories:

Web resources—Applications or services that run over the HTTP or HTTPS protocol such as Microsoft Outlook Web Access
Client/server resources—Enterprise applications that run over TCP/IP, such as Citrix, and Voice over Internet Protocol (VoIP) telephony applications
File shares—Network servers or computers containing shared folders and files

When specifying a resource type, keep the intended audience in mind. For example, you can give business partners narrow access to a Web application by defining a URL as a resource (and even alias the host name for an extra measure of security).

To give remote employees broader access, you could define the network segment in which the Web application is located as a domain, IP range, or subnet resource. Employees would then have access to all of the Web resources in that domain.

Users and Groups

A user is an individual who needs access to resources on your network, and a group is a collection of users. After you’ve created users or user groups on the appliance that are mapped to an external authentication server, you can reference them in access control rules to permit or deny them access to resources. You can even form dynamic groups if you want to reference a user population that isn’t already defined in the external directory.

Authentication

Authentication is the process of verifying a user’s identity. To manage user authentication with the appliance, use AMC to define one or more external authentication servers (also known as directory servers or user stores) that contain the credentials for your user population. The actual management of the user information is still done on your authentication servers; the appliance makes use of that information to authenticate users.

Creating an authentication realm in AMC also involves specifying an authentication method (username/password or one-time password, token or smart card, or digital certificate).

The SMA appliance supports these directories and authentication methods:

LDAP with username/password supports LDAP Certificate
Dell Defender
SAML CA SiteMinder
RADIUS PhoneFactor with username/password or token-based authentication such as SecurID or SoftID
Microsoft Active Directory with username/password, configured with either a single root domain, or one or more subordinate (child) domains
Public Key Infrastructure (PKI) with digital certificate
RSA Authentication Manager server authentication using token-based user credentials
RSA ClearTrust with credentials
Local users with username/password (used primarily for testing purposes and not recommended in a production environment)

An authentication realm is what users log in to on the appliance to gain access to your resources. If your organization has only one authentication server, you would create one realm on the appliance. If you have several authentication servers, you can create a realm for each of them, or set up pairs of servers for chained authentication. To take a more granular approach to deployment and security, you can further subdivide the user population of a realm into communities.

Communities

Communities are a cornerstone of the appliance’s approach to deployment and security. They are used to aggregate users and groups for the purpose of deploying access agents and controlling the end point, and can also be referenced in access control rules.

You can create communities for specific types of users, such as remote employees or business partners, or take a more granular approach and create communities of users in a particular department or location.

For example, employees who require broad access to resources and applications on your network could be assigned to a community that offers the network tunnel client as an access method. To make sure that they are using laptops managed by your IT department, specify which End Point Control zones are available to users in this community.

You may have another group of users who require only limited access to resources because they’re logging in from public kiosks or other non-secure locations. To give these two different groups access to your network resources, you could create separate communities, each configured to deploy the appropriate access agents, and (in the case of users with non-secure devices) use End Point Control (EPC) to prevent sensitive data from being left on a device.

Access Policy

An access policy is a set of rules that defines the applications or network resources that users or groups are given access to through the appliance.

Access to a resource can be based on several criteria. Most rules control access based on who the user is—that is, the user’s name or group membership—and the destination resource. You can use other criteria in access control rules, such as the access method for a resource, the user’s network address, the zone of trust, or the date and time of the connection request.

The appliance gives you wide latitude in creating access control rules, depending on whether your organization’s security policy is relatively permissive or demands stringent control. For example, if your VPN is accessed only by highly trusted employees who are using computers managed by your IT department, you could create an open access policy that defines your entire network domain as a resource and grants broad access to your employees.

Conversely, if you are providing access to a diverse group of users with varying degrees of access privileges, or who connect from less-secure devices such as public kiosks, you might use an access policy that defines individual resources and establishes more granular access requirements.

As the network changes over time, so should your access control rules.

End Point Control (EPC)

Traditional VPN solutions typically provide access only from the relative safety of an IT-managed device. In that environment, the major security concern is unauthorized network access. Because an SSL VPN enables access from any Web-enabled system, it may bring the additional risk of computers in untrusted environments, such as a kiosk at an airport or hotel, or an employee-owned computer.

The appliance’s EPC configuration options give you granular control over VPN access using profiles and zones to protect sensitive data and ensure that your network is not compromised:

A device profile is a set of attributes that characterize the device requesting the connection, such as a Windows domain name, the presence of a certain software program, a registry entry, or other unique characteristics.
An application access zone is a set of attributes used to establish a trust relationship with a client iOS or Android device.
An End Point Control zone classifies a connection request based on the presence or absence of a device profile. The zone in which a device is then placed controls the provisioning of data protection components and can be used to determine which resources are available. A device can be placed in a Standard zone, a Quarantine zone (with instructions on installing the required security programs), or in a Deny zone, where the user is denied access to the network.

SSL and Encryption

The SonicWall SMA appliance encrypts information using the Secure Sockets Layer (SSL) protocol. SSL protocol is an authentication and encryption protocol that uses a key exchange method to establish a secure environment in which all data exchanged is encrypted to protect it from eavesdropping and alteration.

The appliance uses SSL certificates to validate the appliance’s identity to connecting users, and to provide a public key to secure information that the client computer sends to the server. The appliance requires a minimum of two SSL certificates:

The appliance services use a certificate to secure user traffic.
The Appliance Management Console (AMC) uses a certificate to secure management traffic.

There are two types of certificates: self-signed and commercial. With a self-signed SSL certificate, the appliance identifies itself with a certificate that has not been signed by a commercial CA, and the associated private key data is encrypted using a password. AMC uses a self-signed certificate.

A self-signed certificate can also be a wildcard certificate, allowing it to be used by multiple servers which share the same IP address and certificate, but have different FQDNs. For example, a wildcard certificate such as *.company.com could be used for iPhone access at and for VPN access at vpn.company.com.

You can also configure an authentication server to trust an intermediate CA. For example, you could create a root certificate signing authority on a system that is not connected to the corporate network. You can then issue a set of trusted intermediate signing authority certificates to be deployed in various sectors of the network (often by department or organizational unit).

Although a self-signed SSL certificate is secure, you may want to secure user traffic with a certificate from a commercial certificate authority (CA) such as VeriSign.

When deciding which type of certificate to use for the servers, consider who will be connecting to the appliance and how they will use resources on your network:

If business partners are connecting to Web resources through the appliance, they will likely want some assurance of your identity before performing a transaction or providing confidential information. In this case, you would probably want to obtain a certificate from a commercial CA for the appliance.
On the other hand, employees connecting to Web resources may trust a self-signed certificate. Even then, you may want to obtain a third-party certificate so that users are not prompted to accept a self-signed certificate each time they connect. Or, add the self-signed certificate to the user’s list of Trusted Root Certificate Authorities in the Web browser.

Single Sign-On

Single Sign-On (SSO) is an option that controls whether user credentials are forwarded to back-end Web resources. Configuring the appliance to use SSO prevents the user from having to log in multiple times (once to get to the appliance, and again to access an application resource). The appliance supports several types of Web-based SSO:

Basic authentication forwarding is a widely supported form of authentication forwarding, but is not very secure because it sends passwords in the clear across the network. The appliance can be configured to send each user’s unique authentication credentials, or static credentials (that is, the same credentials for all users). Basic authentication forwarding is configured within a Web application profile, which is assigned to one or more application resources in AMC.
Domain authentication forwarding provides a secure method for sending Windows network credentials to a Microsoft IIS (Internet Information Services) Web server. NTLM (Windows NT LAN Manager, also known as Windows NT challenge/response authentication) uses a challenge/response mechanism to securely authenticate users without sending passwords in the clear across the network. Domain authentication forwarding passes a Windows domain name along with the user’s authentication credentials.
RSA ClearTrust is a third-party product that provides a centralized mechanism for administering authentication and single sign-on. You can configure the appliance to receive user authentication credentials and forward them to any back-end Web resources it is protecting.

Sharing Configuration Data

To keep settings matched up, you can replicate and distribute configuration data to a group of SonicWall appliances. For example, you might have appliances behind an external load-balancer supporting thousands of users, or appliances in different locations that must share configurations. This is not a merging of data: some of the settings on the receiving appliances are overwritten (security policy and CA certificates, for example), and others are not (network settings).

When you define a collection of appliances that will share settings, the nodes in the collection communicate over the internal interface using SSL. They operate in peer-to-peer mode: replication can be initiated from any system that knows the shared secret for a collection. This is in contrast to the synchronization that occurs in a high-availability cluster of SonicWall appliances, in which one node is designated the master.

Role-based Administration

Permission to manage the appliance and perform specific administration functions using AMC is assigned in AMC. The primary administrator defines the roles and identities of all secondary administrators, setting the permission levels for each administrative role, and creating a password-protected account for each administrator.

System Monitoring and Logging

System monitoring and logging features allow administrators to view both real-time and historical data about the performance of the appliance and its access services, as well as user activity.

The AMC home page displays a graphical summary of the current number of active users, network bandwidth, disk space usage, and CPU usage. More detailed views of this graphical data are available in hourly, daily, weekly, and monthly increments.

If a user is experiencing trouble—for example, he is logged in but cannot establish a connection or is denied access to resources—you can view his session details to diagnose the problem. You can quickly see why a user’s device is classified into a particular zone, and what policy rules are applied, editing them as needed.

If you have an SNMP (Simple Network Management Protocol) tool, you can use it to monitor the appliance as an SNMP agent. The appliance provides a variety of management data in MIB (Management Information Base) format.

The AMC log viewer provides a detailed view of appliance, user access, and other activities contained in a series of log files. The viewer allows you to customize the display of log message data using sorting, searching, and filtering options. If you need to perform additional analysis of the log message data, or display the data differently than how it appears in the log viewer, you can export data to comma-separated values (.csv) files for use by another application such as Microsoft Excel.

SonicWall SMA Components

Your SonicWall SMA appliance consists of several administrator and client components. For Web-based access, when a user logs in to WorkPlace for the first time, the appliance automatically provisions the agent that will provide the broadest range of access based on the user’s privileges, operating system, browser configuration, and any other constraints on the user’s system. Stand-alone clients, such as Connect Tunnel, can be provisioned from the appliance or distributed manually.

Topics:  

Client Components and Access Methods

The SMA appliance includes several components that provide users with access to resources on your network.

WorkPlace

The WorkPlace portal provides your users with access to Web-based resources. You can create customized WorkPlace sites, each with a unique URL and appearance (colors, logo, and greeting text). This enables you to configure and deploy unique portals for different audiences such as partners and employees.

For Windows users, Access Manager takes care of installing agents and clients through the browser, and client installation log files make the process easy to troubleshoot. Once Access Manager is installed on a user device, most users will be able to receive client updates without requiring administrator privileges.

After a user logs in to WorkPlace, a Web page presents an administrator-defined list of shortcuts. These shortcuts reference the Web-based resources, Windows file system resources, and terminal servers to which the user has access privileges. Users can also add their own WorkPlace bookmarks to Web sites or network shares. The means of access to these resources depends on the user’s browser:

Web resources and file system resources can be accessed from any Web browser that supports JavaScript and SSL. By default, the appliance is configured to deploy a Microsoft ActiveX control (the Web proxy agent) on Microsoft Windows systems running Internet Explorer. The Web proxy agent proxies Web content directly through the appliance.
For users running other browsers, the appliance automatically provides Translated Web access. If you would rather not install an agent or your users’ systems don’t support ActiveX, you can configure the appliance to provide Translated Web access.
As an alternative to Translated Web access, which may have limitations with some Web applications such as AJAX, custom port mapping or custom FQDN mapping can be used. These methods involve mapping the backend resource either to a port on the EX-Series appliance, or to an external fully qualified domain name.

The SMA appliance also supports Web-based access to Windows Terminal Services (WTS) and Citrix hosts. These hosts are accessed by Web-based terminal agents that use proprietary protocols to communicate with the terminal server.

Topics:  

Network Explorer

Network Explorer is a Web-based extension, accessible from WorkPlace, that provides access to any Windows file system resources that the user has permission to use (even from desktop browsers on non-Windows platforms). These resources can include servers, computers, workgroups, folders, and files.

Connect Tunnel Client

Connect Tunnel is an application that provides broad access to network resources from devices running a Windows, Macintosh, or Linux operating system. It provides access to any IP-based type of application protocol and ICMP, and it will route VoIP (Voice Over Internet Protocol) over TCP/IP. Connect Tunnel is initially installed from the WorkPlace portal or from a separate installer package.

OnDemand Tunnel Agent

The OnDemand Tunnel agent is lightweight, Web-based, and provides the same broad access to applications and protocols as Connect Tunnel. It is similar in all respects to Connect Tunnel except that it is activated each time a user logs in to the WorkPlace portal from an ActiveX or Java-enabled device.

Mobile Connect App

SonicWall Mobile Connect provides fast, safe, easy-to-use secure mobile access to resources from a range of device platforms, including iOS, Android, Mac OS X, and Windows on both smart phones and tablets. Mobile Connect establishes encrypted SSL VPN connections to private networks that are protected by SonicWall SMA or other SonicWall security appliances. The Mobile Connect app is downloaded to a user's mobile device from the App Store, Google Play, Amazon Appstore, or Windows Store.

Web Proxy Agent

The Web proxy agent provides access through WorkPlace to any Web resource, including Web-based applications, Web portals, and Web servers. Web proxy access eliminates the need for Web content translation and provides broad access to enterprise Web applications for Microsoft Windows users who are running Internet Explorer with ActiveX enabled.

Translated Web Access

Translated Web access provides access to Web resources and Windows network shares. It is available from any Web browser that supports SSL and has JavaScript enabled.

Custom Port Mapping

Custom port mapping provides Web-based access by mapping the backend resource or server to a port number at the SonicWall SMA or EX-Series appliance. Custom port mapping does not require installation of a client agent, and works with any Web browser.

Custom FQDN Mapping

Custom FQDN mapping provides Web-based access by mapping the backend resource or server to an external fully qualified domain name (host and domain). The FQDN name should be resolvable to an IP address in the public domain. Custom FQDN mapping does not require installation of a client agent, and works with any Web browser.

End Point Control Components

End Point Control (EPC) components ensure that your network is not compromised when accessed from PCs in untrusted environments. As devices attempt to connect to the appliance, EPC interrogates them to determine whether they are running the programs that you require. You can also use EPC to specify that a data protection agent, such as Cache Cleaner, automatically removes session data from the PC.

Advanced EPC provides an extended and detailed list of personal firewall, antivirus, and spyware programs to check for in device profiles for clients running on Microsoft Windows and Mac OS X. Advanced EPC is included on the SMA 6200, SMA 7200, EX7000, and EX9000 appliance as well with the Virtual Appliance. The only optional purchases for these products are user licenses, support, AAR, and Virtual Assist.

Virtual Assist

SonicWall Virtual Assist is a remote support tool that enables an administrator or help desk technician to assume control of a user’s PC or laptop in order to provide remote technical assistance. With the user’s permission, the technician gains instant access to the computer using a Web browser and can then diagnose and fix a problem remotely. It also gives technicians the ability to transfer files from a user’s computer (such as log files), and to chat online with the user.

Virtual Assist does not require the installation of any external software. For computers that do not support Java, Virtual Assist can be manually installed by downloading an executable file that is available in the Appliance Management Console.

There are two sides to a Virtual Assist session: the client view and the technician view. The client is the person requesting assistance on their computer. The technician is the person providing assistance. Technicians install the stand-alone Virtual Assist application from AMC.

To initiate a Virtual Assist session, an end user can request assistance directly by clicking the Assistance button at the top of the WorkPlace portal and downloading and running a small client program. Or, a technician can send email invitations to users that contain a direct URL link to initiate a Virtual Assist session.

Administrator Components

This section highlights the key components that you’ll use to set up and manage the SMA appliance and services.

Topics:  
Setup Wizard

Setup Wizard streamlines the initial configuration of the appliance. It guides you through the process of selecting basic network settings, configuring appliance options, defining resources, creating local users for testing purposes.

Appliance Management Console (AMC)

The AMC is a Web-based administrative tool for managing the appliance. It provides centralized access for managing security policies, configuring the system (including networking and certificate configuration), distributing configuration data, monitoring, troubleshooting, and setting up administrator accounts.

Access Services

The appliance uses various access services to manage the access clients and agents that users employ to connect to your network resources:

The network tunnel service is a network routing technology that provides secure network tunnel access to a wide range of applications and protocols, including non-TCP protocols such as VoIP (Voice over IP) and ICMP, reverse-connection protocols like SMS, and bi-directional protocols such as FTP. It works in conjunction with the Connect Tunnel client and the OnDemand Tunnel agent to provide authenticated and encrypted access.
The Web proxy service provides users with secure access to Web-based applications and servers from a Web browser, or Web-based applications and servers from a Windows Mobile-powered device using the Mobile Connect client. The Web proxy service contains a secure HTTP reverse proxy that brokers and encrypts access to Web-based resources.
The WorkPlace service controls access to WorkPlace resources accessed from a Web browser. The WorkPlace service communicates with Windows file servers and network shares (including Microsoft Distributed file system, or DFS, resources) using the Server Message Block (SMB) file-sharing protocol.