Secure Mobile Access 8.6 Admin Guide

Appendices

Using Online Help

This appendix describes how to use the Online Help on the Secure Mobile Access web-based management interface. This appendix also contains information about context-sensitive help.

Online Help Button

Online Help is located in upper right corner of the Secure Mobile Access management interface.

Online Help launches the online help in a separate Web browser. Online Help links to the main page of the online help document.

Using Context Sensitive Help

Context-sensitive help is available on most pages of the Secure Mobile Access web-based management interface. Click the context-sensitive help button in the top right corner of the page to get help that corresponds to the Secure Mobile Access management page you are using. Clicking the context-sensitive help button launches a separate browser window to the corresponding documentation.

The same help icon appears next to certain fields and check boxes throughout the Secure Mobile Access management interface. When you hover your mouse cursor over one of these help icons, a tooltip is displayed containing important information about configuring the associated option.

Configuring the SMA/SRA Appliance with a Third-Party Gateway

This appendix shows methods for configuring various third-party firewalls for deployment with a Secure Mobile Access (SMA) or Secure Remote Access (SRA) appliance.

Cisco PIX Configuration for SMA/SRA Appliance Deployment

Before you Begin

Make sure you have a management connection to the PIX’s console port, or the ability to Telnet/SSH into one of the PIX’s interfaces. You will need to know the PIX’s global and enable-level passwords in order to access the device and issue changes to the configuration. If you do not have these, contact your network administrator before continuing.

SonicWall Inc. recommends updating the PIX’s OS to the most recent version if your PIX can support it. This document was validated on a Cisco PIX 515e running PIX OS 6.3.5 and is the recommended version for interoperation with an SMA/SRA appliance. You need a valid Cisco SmartNET maintenance contract for your Cisco PIX and a CCO log in to obtain newer versions of the PIX OS.

NOTE: The WAN/DMZ/LAN IP addresses used in the deployment method examples that follow are not valid and need to be modified to reflect your networking environment.

Management Considerations for the Cisco Pix

Both deployment methods described in the sections that follow use the PIX’s WAN interface IP address as the means of external connectivity to the internal SMA/SRA appliance. The PIX can be managed through HTTP/S, but its default management ports (80, 443) cannot be reassigned in the recommended PIX OS version, so they would collide with the ports forwarded to the appliance. Because of this, the HTTP/S management interface must be deactivated. To deactivate the HTTP/S management interface, issue the command ‘clear http’.

NOTE: If you have a separate static WAN IP address to assign to the SMA/SRA appliance, you do not have to deactivate the HTTP/S management interface on the PIX.

Method One – SMA/SRA Appliance on LAN Interface

1. From a management system, log in to the SMA/SRA appliance’s Secure Mobile Access management interface. By default the management interface is X0 and the default IP address is 192.168.200.1.
2. Navigate to the Network > Interfaces page and click the configure icon for the X0 interface. In the pop-up that appears, change the X0 address to 192.168.100.2 with a mask of 255.255.255.0. When done, click OK to save and activate the change.
3. Navigate to the Network > Routes page and change the Default Gateway to 192.168.100.1. When done, click Accept in the upper-right corner to save and activate the change.
4. Navigate to the NetExtender > Client Addresses page. You need to enter a range of IP addresses in the 192.168.100.0/24 network that are not in use on your internal LAN; if your network has an existing DHCP server, or the PIX is running a DHCP server on its internal interface, make sure the range does not conflict with those addresses. For example, enter 192.168.100.201 in the field next to Client Address Range Begin: and 192.168.100.249 in the field next to Client Address Range End:. When done, click Accept in the upper-right corner to save and activate the change.
5. Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0. If there is an entry for 192.168.200.0, delete it.
6. Navigate to the Network > DNS page and enter your internal network’s DNS addresses, internal domain name, and WINS server addresses. These are critical for NetExtender to function correctly. When done, click Accept in the upper-right corner to save and activate the change.
7. Navigate to the System > Restart page and click Restart…
8. Install the SMA/SRA appliance’s X0 interface on the LAN network of the PIX. Do not hook up any of the appliance’s other interfaces.
9. Connect to the PIX’s management CLI by way of the console port, Telnet, or SSH and enter configure mode.
10. Issue the command ‘clear http’ to shut off the PIX’s HTTP/S management interface.
11. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq www’ (replace x.x.x.x with the WAN IP address of your PIX).
12. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq https’ (replace x.x.x.x with the WAN IP address of your PIX).
13. Issue the command ‘static (inside,outside) tcp x.x.x.x www 192.168.100.2 www netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX).
14. Issue the command ‘static (inside,outside) tcp x.x.x.x https 192.168.100.2 https netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX).
15. Issue the command ‘access-group sslvpn in interface outside’.
16. Exit config mode and issue the command ‘wr mem’ to save and activate the changes.
17. From an external system, attempt to connect to the SMA/SRA appliance using both HTTP and HTTPS. If you cannot access the SMA/SRA appliance, check all previous steps and test again.

Final Config Sample (the relevant programming is the access-list, static, and access-group lines added in the steps above):
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password SqjOo0II7Q4T90ap encrypted
passwd SqjOo0II7Q4T90ap encrypted
hostname tenaya
domain-name vpntestlab.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging history warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp 64.41.140.167 www 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.41.140.167 https 192.168.100.2 https netmask 255.255.255.255 0 0
access-group sslvpn in interface outside
route outside 0.0.0.0 0.0.0.0 64.41.140.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community SF*&^SDG
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 20
dhcpd address 192.168.100.101-192.168.100.199 inside
dhcpd dns 192.168.100.10
dhcpd lease 600
dhcpd ping_timeout 750
dhcpd domain vpntestlab.com
dhcpd enable inside
terminal width 80
banner motd Restricted Access. Please log in to continue.
Cryptochecksum:422aa5f321418858125b4896d1e51b89
: end
tenaya#

Method Two – SMA/SRA Appliance on DMZ Interface

This method is optional and requires that the PIX have an unused third interface, such as a PIX 515, PIX 525, or PIX 535. We are using the default numbering scheme of the SMA/SRA appliance.

1. From a management system, log in to the SMA/SRA appliance’s Secure Mobile Access management interface. By default the management interface is X0 and the default IP address is 192.168.200.1.
2. Navigate to the Network > Routes page and make sure the Default Gateway is set to 192.168.200.2. When done, click Accept in the upper-right corner to save and activate the change.
3. Navigate to the NetExtender > Client Addresses page. Enter 192.168.200.201 in the field next to Client Address Range Begin: and 192.168.200.249 in the field next to Client Address Range End:. When done, click Accept in the upper-right corner to save and activate the change.
4. Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0 and 192.168.200.0.
5. Navigate to the Network > DNS page and enter your internal network’s DNS addresses, internal domain name, and WINS server addresses. These are critical for NetExtender to function correctly. When done, click Accept in the upper-right corner to save and activate the change.
6. Navigate to the System > Restart page and click Restart…
7. Install the SMA/SRA appliance’s X0 interface on the unused DMZ network of the PIX. Do not hook up any of the appliance’s other interfaces.
8. Connect to the PIX’s management CLI by way of the console port, Telnet, or SSH and enter configure mode.
9. Issue the command ‘clear http’ to shut off the PIX’s HTTP/S management interface.
10. Issue the command ‘interface ethernet2 auto’ (or whatever interface you are using).
11. Issue the command ‘nameif ethernet2 dmz security4’ (or whatever interface you are using).
12. Issue the command ‘ip address dmz 192.168.200.2 255.255.255.0’.
13. Issue the command ‘nat (dmz) 1 192.168.200.0 255.255.255.0 0 0’.
14. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq www’ (replace x.x.x.x with the WAN IP address of your PIX).
15. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq https’ (replace x.x.x.x with the WAN IP address of your PIX).
16. Issue the command ‘access-list dmz-to-inside permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0’.
17. Issue the command ‘access-list dmz-to-inside permit ip host 192.168.200.1 any’.
18. Issue the command ‘static (dmz,outside) tcp x.x.x.x www 192.168.200.1 www netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX).
19. Issue the command ‘static (dmz,outside) tcp x.x.x.x https 192.168.200.1 https netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX).
20. Issue the command ‘static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0’.
21. Issue the command ‘access-group sslvpn in interface outside’.
22. Issue the command ‘access-group dmz-to-inside in interface dmz’.
23. Exit config mode and issue the command ‘wr mem’ to save and activate the changes.
24. From an external system, attempt to connect to the SMA/SRA appliance using both HTTP and HTTPS. If you cannot access the SMA/SRA appliance, check all previous steps and test again.

Final Config Sample (the relevant programming is the interface, nat, access-list, static, and access-group lines added in the steps above):
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password SqjOo0II7Q4T90ap encrypted
passwd SqjOo0II7Q4T90ap encrypted
hostname tenaya
domain-name vpntestlab.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
access-list dmz-to-inside permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz-to-inside permit ip host 192.168.200.1 any
pager lines 24
logging on
logging timestamp
logging buffered warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.200.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (dmz) 1 192.168.200.0 255.255.255.0 0 0
static (dmz,outside) tcp 64.41.140.167 www 192.168.200.1 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 64.41.140.167 https 192.168.200.1 https netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0
access-group sslvpn in interface outside
access-group dmz-to-inside in interface dmz
route outside 0.0.0.0 0.0.0.0 64.41.140.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 20
dhcpd address 192.168.100.101-192.168.100.199 inside
dhcpd dns 192.168.100.10
dhcpd lease 600
dhcpd ping_timeout 750
dhcpd domain vpntestlab.com
dhcpd enable inside
terminal width 80
banner motd Restricted Access. Please log in to continue.
Cryptochecksum:81330e717bdbfdc16a140402cb503a77
: end
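As an added check that is not part of this guide or SonicWall’s software, the following Python script parses a PIX 6.3 running configuration and verifies that the lines the two methods above add are present for a given appliance placement (inside for Method One, dmz for Method Two), that no HTTP/S management line survived ‘clear http’, and that the NetExtender client range does not collide with the PIX’s dhcpd pool (the conflict Method One, step 4 warns about). The sample configuration is a constructed excerpt modelled on the Method One sample.

```python
import ipaddress
import re

# Constructed excerpt modelled on the Method One sample configuration above:
# WAN 64.41.140.167, appliance X0 at 192.168.100.2 behind the "inside" interface.
SAMPLE_PIX_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp 64.41.140.167 www 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.41.140.167 https 192.168.100.2 https netmask 255.255.255.255 0 0
access-group sslvpn in interface outside
dhcpd address 192.168.100.101-192.168.100.199 inside
dhcpd enable inside
Cryptochecksum:00000000000000000000000000000000
: end
tenaya#
"""

ACL_RE = re.compile(
    r"^access-list sslvpn permit tcp any host (?P<wan>\S+) eq (?P<port>www|https)$")
STATIC_RE = re.compile(
    r"^static \((?P<src>[\w-]+),outside\) tcp (?P<wan>\S+) (?P<port>www|https) "
    r"(?P<real>\S+) (?P=port) netmask 255\.255\.255\.255 0 0$")
DHCPD_RE = re.compile(r"^dhcpd address (?P<lo>[\d.]+)-(?P<hi>[\d.]+) \S+$")


def parse_pix(config):
    """Return the configuration as stripped lines, dropping blanks, the
    checksum/end trailer and the CLI prompt that pasted 'show run' output carries."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":") or line.startswith("Cryptochecksum"):
            continue
        if line.endswith("#"):  # e.g. "tenaya#" prompt
            continue
        lines.append(line)
    return lines


def check_sslvpn_forwarding(config, wan_ip, appliance_ip, iface="inside"):
    """Return a list of findings; an empty list means the PIX carries every
    line the steps above add for an appliance behind `iface` (inside or dmz)."""
    lines = parse_pix(config)
    findings = []

    acl_ports = set()
    static_ports = set()
    for line in lines:
        m = ACL_RE.match(line)
        if m and m["wan"] == wan_ip:
            acl_ports.add(m["port"])
        m = STATIC_RE.match(line)
        if m and (m["src"], m["wan"], m["real"]) == (iface, wan_ip, appliance_ip):
            static_ports.add(m["port"])

    for port in ("www", "https"):
        if port not in acl_ports:
            findings.append(f"missing: access-list sslvpn permit tcp any host {wan_ip} eq {port}")
        if port not in static_ports:
            findings.append(f"missing: static ({iface},outside) tcp {wan_ip} {port} "
                            f"{appliance_ip} {port}")

    if "access-group sslvpn in interface outside" not in lines:
        findings.append("missing: access-group sslvpn in interface outside")
    if not any(line.startswith(f"nat ({iface}) 1 ") for line in lines):
        findings.append(f"missing: nat ({iface}) 1 <network> <mask> 0 0")

    # 'clear http' removes every http line; any survivor means the PIX still
    # answers on 80/443 at the WAN address, which the guide says must not happen.
    for line in lines:
        if line.startswith("http "):
            findings.append(f"HTTP/S management still enabled: {line}")
    return findings


def netextender_overlaps_dhcp(config, range_begin, range_end):
    """True if the NetExtender client range collides with a dhcpd pool on the PIX."""
    lo = ipaddress.ip_address(range_begin)
    hi = ipaddress.ip_address(range_end)
    for line in parse_pix(config):
        m = DHCPD_RE.match(line)
        if m:
            pool_lo = ipaddress.ip_address(m["lo"])
            pool_hi = ipaddress.ip_address(m["hi"])
            if lo <= pool_hi and pool_lo <= hi:
                return True
    return False


if __name__ == "__main__":
    print(check_sslvpn_forwarding(SAMPLE_PIX_CONFIG, "64.41.140.167", "192.168.100.2"))
    print(netextender_overlaps_dhcp(SAMPLE_PIX_CONFIG, "192.168.100.201", "192.168.100.249"))
```

Paste the output of ‘show run’ in place of the sample and pass iface="dmz" with the appliance at 192.168.200.1 to check a Method Two deployment.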

Linksys WRT54GS

The SMA/SRA appliance should be configured on the LAN switch of the Linksys wireless router. This guide assumes that your Linksys is assigned a single WAN IP, through DHCP by the cable ISP and is using the default LAN IP address scheme of 192.168.1.0/24.

NOTE: Version 2.07.1 firmware or newer is recommended for this setup.

To configure your Linksys for operation with the SMA/SRA appliance, you must forward the SSL (443) port to the IP address of the SMA/SRA appliance.

1. Log in to the Linksys device.
2. Navigate to the Applications & Gaming tab.
3. Enter the following information (Information to be added to Applications & Gaming tab):
   Application: SMA/SRA. The name for the port-forwarded application.
   Port Range Start: 443. The starting port number used by the application.
   Port Range End: 443. The ending port number used by the application.
   Protocol: TCP. The SMA/SRA application uses TCP.
   IP Address: 192.168.1.10. The IP address assigned to the SMA/SRA appliance.
   Enable: Checked. Select the check box to enable the SSL port forwarding.
4. With the configuration complete, click Save Settings at the bottom of the page.

The Linksys is now ready for operations with the SMA/SRA appliance.

WatchGuard Firebox X Edge

This guide assumes that your WatchGuard Firebox X Gateway is configured with an IP of 192.168.100.1 and your SMA/SRA appliance is configured with an IP of 192.168.100.2.

NOTE: The steps that follow are similar for the WatchGuard SOHO6 series firewall.

Before you get started, take note of which port the WatchGuard is using for management. If the WatchGuard is not being managed on HTTPS (443), perform the following steps. If the WatchGuard is being managed on HTTPS (443) you should first review the notes within this guide.

1. Open a browser and enter the IP address of the WatchGuard Firebox X Edge appliance (such as 192.168.100.1). When successful, you are brought to the “System Status” page (see the following).
2. If the WatchGuard’s management interface is already configured to accept HTTPS on port 443, you need to change the port in order to be able to manage both the SMA/SRA and WatchGuard appliances.
3. Navigate to Administration > System Security.

WatchGuard Administration > System Security Dialog Box

4. Clear Use non-secure HTTP instead of secure HTTPS for administrative Web site.
5. Change the HTTP Server Port to 444 and click Submit.

The WatchGuard is now managed from the WAN on port 444. It should be accessed as follows: https://<watchguard wan ip>:444

6. In the left navigation menu, navigate to Firewall > Incoming.
7. For the HTTPS Service, set Filter to Allow and enter the WAN IP of the SMA/SRA appliance (192.168.100.2) in the Service Host field.
8. Click Submit at the bottom of the page.

Your WatchGuard Firebox X Edge is now ready for operations with the SMA/SRA appliance.

NetGear FVS318

This guide assumes that your NetGear FVS318 Gateway is configured with an IP of 192.168.100.1 and your SMA/SRA appliance is configured with an IP of 192.168.100.2.

1. Click Remote Management in the left index of your NetGear management interface.

In order for the SMA/SRA appliance to function with your NetGear gateway device, you must verify that the NetGear’s management port does not conflict with the management port used by the SMA/SRA appliance.

2. Clear the Allow Remote Management box.
3. Click Accept to save changes.

NOTE: If Remote Management of the NetGear is desired, you must leave the box checked and change the default port (8080 is recommended).

4. Navigate to Add Service in the left navigation.
5. Click Add Custom Service.
6. To create a service definition, enter the following information:
   Name: HTTPS
   Type: TCP/UDP
   Start Port: 443
   Finish Port: 443
7. Navigate to Ports in the left navigation and click Add.
8. Select HTTPS from the Service Name drop-down list.
9. Select ALLOW always in the Action drop-down list.
10. Enter the WAN IP address of the SMA/SRA appliance (for example, 192.168.100.2) in the Local Server Address field.
11. Click Accept to save changes.

Your Netgear gateway device is now ready for operations with the SMA/SRA appliance.

Netgear Wireless Router MR814 SSL configuration

This guide assumes that your NetGear Wireless Router is configured with an IP of 192.168.100.1 and your SMA/SRA appliance is configured with an IP of 192.168.100.2.

1. Navigate to Advanced > Port Management in the left index of your NetGear management interface.
2. Click Add Custom Service in the middle of the page.
3. Enter a service name in the Service Name field (for example, SMA).
4. Enter 443 in the Starting Port field.
5. Enter 443 in the Ending Port field.
6. Enter the WAN IP address of the SMA/SRA appliance (for example, 192.168.100.2) in the Local Server Address field.
7. Click Accept.

Your Netgear wireless router is now ready for operations with the SMA/SRA appliance.

Check Point AIR 55

Setting up an SMA/SRA Appliance with Check Point AIR 55

The first step is to define a host-based network object. This is done from the “Manage” menu under “Network Objects.”

Check Point Host Node Object Dialog Box

NOTE: The object is defined as existing on the internal network. Should you decide to locate the SMA/SRA appliance on a secure segment (sometimes known as a demilitarized zone), then subsequent firewall rules have to pass the necessary traffic from the secure segment to the internal network.

Next, select the NAT tab for the object you have created.

Check Point NAT Properties Dialog Box

Here you should enter the external IP address (if it is not the existing external IP address of the firewall). The translation method to be selected is static. Clicking OK automatically creates the necessary NAT rule shown in the following section.

Check Point NAT Rule Window

Static Route

Most installations of Check Point AIR55 require a static route. This route sends all traffic from the public IP address for the SMA/SRA appliance to the internal IP address.

#route add 64.41.140.167 netmask 255.255.255.255 192.168.100.2

ARP

Check Point AIR55 contains a feature called auto-ARP creation. This feature automatically adds an ARP entry for a secondary external IP address (the public IP address of the SMA/SRA appliance). If running Check Point on a Nokia security platform, Nokia recommends that users disable this feature. As a result, the ARP entry for the external IP address must be added manually within the Nokia Voyager interface.

Finally, a traffic or policy rule is required for all traffic to flow from the Internet to the SMA/SRA appliance.

Check Point Policy Rule Window

Again, should the SMA/SRA appliance be located on a secure segment of the Check Point firewall, a second rule allowing the relevant traffic to flow from the SMA/SRA appliance to the internal network is necessary.

Printer redirection

This appendix provides information on installing a specific printer driver for redirection, the “MS Publisher Imagesetter.” HTML5 RDP supports this specific printer redirection if the Remote Desktop Session Host server has the driver installed. HTML5 RDP can redirect the printer to the client side. The user can select the redirection printer to print files to a PDF. After the PDF is created, a file pop-up viewer appears. You can “Print Preview” the PDF file or print the file directly.

To install the MS Publisher Imagesetter on Windows 7:

1. Go to Windows Control Panel and click Devices and Printers.
2. Click Add a printer.
3. Select Add a local printer.
4. Select Use an existing port and then FILE: (Print to File) in the drop-down box.
5. Click Next.
6. Select Generic from the Manufacturer list. Then select MS Publisher Imagesetter from the Printers list.
7. Click Next.
8. Select Use the driver that is currently installed.
9. Click Next.
10. Use the default settings for the Printer name, “MS Publisher Imagesetter.”
11. Click Next.
12. Select the option that best suits your sharing criteria.
13. Click Next.
14. Click Finish. You should find your new printer in the “Printers and Faxes” area.

Enable the Redirection Printers

1. Enable the Redirection Printers in the “Show Advanced Windows Options” of the bookmark. After the Redirection Printer is enabled, you can find the “SonicWall Secure RDP Printer” in the remote server’s printer list.
2. Select the printer to print the file. The browser might attempt to block the pop-up window. Select “Always allow pop-ups from https://...” (the server address).
3. You can now preview the file and print it on the local printer.

Time-zone redirection

HTML5 RDP can also redirect the local time-zone to the remote server. The remote server should enable this feature.

The following steps show how to enable time-zone redirection in Windows 2008 R2:

1. Open Local Group Policy Editor or Group Policy Management.
2. Use the following path:

Computer Configuration > (Policies) > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection > Allow time zone redirection.

3. Double-click the setting and select Enabled.
4. Click OK.

After enabling the setting on the remote server, you can see that the local time-zone is redirected to the remote server.

NOTE: Time zone redirection is possible only when connecting to at least a Windows Server 2003 terminal server with a client that is using RDP 5.1 or later.

Importing CA Certificates on Windows

Two certificates are imported in this use case, a goDaddy certificate and a server certificate. See the following sections:

Importing a goDaddy Certificate on Windows

In this use case, we format a goDaddy Root CA Certificate on a Windows system and then import it to our Secure Mobile Access (SMA) and Secure Remote Access (SRA) appliance.

1. Double-click the goDaddy.p7b file to open the Certificates window, and navigate to the goDaddy certificate. The .p7b format is a PKCS#7 format certificate file, a very common certificate format.
2. Double-click the certificate file and select the Details tab.
3. Click Copy to File. The Certificate Export Wizard launches.
4. In the Certificate Export Wizard, click Next.
5. Select Base-64 encoded X.509 (.CER) and then click Next.
6. In the File to Export screen, type the file name as goDaddy.cer and then click Next.
7. In the Completing the Certificate Export Wizard screen, verify the path and format and then click Finish.
8. Click OK in the confirmation dialog box.

The certificate is exported in base-64 encoded format. You can view it in a text editor.

9. In the Secure Mobile Access management interface, navigate to System > Certificates.
10. In the Additional CA Certificates section, click Import CA Certificate. The Import Certificate window appears.
11. In the Import Certificate window, click Browse, navigate to the goDaddy.cer file on your Windows system, and double-click it.
12. Click Upload. The certificate is listed in the Additional CA Certificates table.
13. Navigate to System > Restart and restart the SMA/SRA appliance for the CA certificate to take effect.

Importing a Server Certificate on Windows

In this use case, we import a Microsoft CA server certificate to a Windows system. In this case, the purpose is to use an SSL certificate for application offloading to a mail server.

The server certificate is mail.chaoslabs.nl. This certificate needs to be exported in base-64 format as the server.crt file that is put in a .zip file and uploaded as a Server Certificate.

The private key is not included in the .p7b file. The private key needs to be exported from wherever it is and saved in a base-64 format and included in a server.key file in the .zip file.

1. Double-click the mail.chaoslabs.nl.p7b file and navigate to the certificate.
2. Double-click the certificate file and select the Details tab.
3. Click Copy to File.
4. In the Certificate Export Wizard, select Base-64 encoded X.509 (.CER).
5. Click Next and save the file as server.crt on your Windows system.

The certificate is exported in base-64 encoded format.

6. Add the server.crt file to a .zip file.
7. Separately save the private key in base-64 format as server.key.
8. Add the server.key file to the .zip file that contains server.crt.
9. Upload the .zip file to the appliance as a Server Certificate.
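The packaging that steps 5 through 9 perform by hand, as an added Python example (my own, not SonicWall’s code): it checks that both files are base-64 (PEM) rather than the DER or .p7b forms the text says must be converted first, and writes them into a .zip as server.crt and server.key. The PEM bodies are constructed placeholders, not real key material.

```python
import base64
import io
import re
import zipfile

# A single PEM block: header, base-64 body, matching footer.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    rb"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    rb"-----END (?P=label)-----")


def pem_label(data):
    """Return the PEM label (e.g. 'CERTIFICATE') if data is a base-64 PEM
    block whose body decodes; None for DER/PKCS#7 (which begins with the
    0x30 SEQUENCE byte) or anything else."""
    m = PEM_RE.search(data)
    if not m:
        return None
    body = re.sub(rb"\s+", b"", m["body"])
    try:
        base64.b64decode(body, validate=True)
    except ValueError:
        return None
    return m["label"].decode()


def build_server_certificate_zip(crt_pem, key_pem):
    """Package the exported certificate and its private key exactly as the
    steps above require: server.crt and server.key, both base-64, in one .zip."""
    if pem_label(crt_pem) != "CERTIFICATE":
        raise ValueError("server.crt must be a Base-64 encoded X.509 certificate, "
                         "not DER or a .p7b bundle")
    key_label = pem_label(key_pem)
    if key_label is None or not key_label.endswith("PRIVATE KEY"):
        raise ValueError("server.key must be a base-64 (PEM) private key")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("server.crt", crt_pem)
        zf.writestr("server.key", key_pem)
    return buf.getvalue()


def zip_members(data):
    """Names stored in the archive, so the layout can be verified before upload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def _constructed_pem(label, payload):
    # Helper for the sample inputs below; wraps arbitrary bytes as PEM.
    body = base64.encodebytes(payload)
    return b"-----BEGIN " + label + b"-----\n" + body + b"-----END " + label + b"-----\n"


# Constructed samples: placeholder bytes, not a real certificate or key.
SAMPLE_CRT = _constructed_pem(b"CERTIFICATE", b"constructed: not a real certificate")
SAMPLE_KEY = _constructed_pem(b"RSA PRIVATE KEY", b"constructed: not a real private key")
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"\x00" * 16  # what the wizard's DER option would yield

if __name__ == "__main__":
    print(zip_members(build_server_certificate_zip(SAMPLE_CRT, SAMPLE_KEY)))
```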

Creating Unique Access Policies for AD Groups

In this use case, we add Outlook Web Access (OWA) resources to the SMA/SRA appliance, and need to configure the access policies for users in multiple Active Directory (AD) groups. We will create a local group for each AD group and apply separate access policies to each local group.

While Active Directory allows users to be members in multiple groups, the SMA/SRA appliance only allows each user to belong to a single group. It is this group that determines the access policies assigned to the user.

When importing a user from AD, the user is placed into the local Secure Mobile Access group with which they have the most AD groups in common. For example: Bob belongs to the Users, Administrators, and Engineering AD groups. If one Secure Mobile Access group is associated with Users, and another is associated with both Administrators and Engineering, Bob is assigned to the Secure Mobile Access group with both Administrators and Engineering because it matches more of his own AD groups.
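The group-matching rule just described, worked through in Python as an added example (not SonicWall’s code): the local group sharing the most AD groups with the user wins, and because each user lands in exactly one local group, only that group’s policies apply. The guide does not say how a tie is broken, so a tie is flagged rather than guessed. The local groups and resources are constructed from the Bob example and the use-case groups below.

```python
from collections import namedtuple

# Local Secure Mobile Access groups and the AD groups each is associated with
# (constructed from the Bob example above and the use-case groups below).
LOCAL_GROUPS = {
    "Users_Group": {"Users"},
    "AdminEng_Group": {"Administrators", "Engineering"},
    "Acme_Group": {"Acme Group"},
    "Mega_Group": {"Mega Group"},
    "IT_Group": {"IT Group"},
}

# Resources each local group's permit policies grant (the use case's intended result).
GROUP_RESOURCES = {
    "Acme_Group": {"ssh://10.200.1.102"},
    "Mega_Group": {"https://10.200.1.10/owa"},
    "IT_Group": {"ssh://10.200.1.102", "https://10.200.1.10/owa"},
}

Assignment = namedtuple("Assignment", "group overlap tied")


def assign_local_group(user_ad_groups, local_groups=LOCAL_GROUPS):
    """Pick the local group that shares the most AD groups with the user.
    Returns Assignment(group, overlap, tied); group is None when nothing
    matches or when two local groups tie, in which case `tied` lists them."""
    user = set(user_ad_groups)
    scores = {name: len(ad & user) for name, ad in local_groups.items()}
    best = max(scores.values())
    if best == 0:
        return Assignment(None, 0, ())
    winners = tuple(sorted(n for n, s in scores.items() if s == best))
    if len(winners) > 1:
        return Assignment(None, best, winners)
    return Assignment(winners[0], best, ())


def effective_resources(user_ad_groups, local_groups=LOCAL_GROUPS,
                        resources=GROUP_RESOURCES):
    """Resources the user can reach. Only the single assigned local group's
    policies apply, so membership in a second AD group grants nothing extra."""
    assigned = assign_local_group(user_ad_groups, local_groups)
    return set(resources.get(assigned.group, set()))


if __name__ == "__main__":
    print(assign_local_group({"Users", "Administrators", "Engineering"}))  # Bob
    print(assign_local_group({"Acme Group", "Mega Group"}))               # tie
    print(effective_resources({"IT Group"}))
```

A user who is in both Acme Group and Mega Group shows the limitation the text describes: the appliance places them in one local group only, so they never receive the union of the two groups’ policies.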

The goal of this use case is to show that Secure Mobile Access firmware supports group-based access policies by configuring the following:

Allow Acme Group in Active Directory to access the 10.200.1.102 server using SSH
Allow Mega Group in Active Directory to access Outlook Web Access (OWA) at 10.200.1.10
Allow IT Group in Active Directory to access both SSH and OWA resources defined previously
Deny access to these resources to all other groups

This example configuration is provided courtesy of Vincent Cai, June 2008.

Network Topology

Perform the tasks in order of the following sections:

Creating the Active Directory Domain

This section describes how to create the Secure Mobile Access Local Domain, SNWL_AD. SNWL_AD is associated with the Active Directory domain of the OWA server.

1. Log in to the Secure Mobile Access management interface and navigate to the Portals > Domains page.
2. Click Add Domain. The Add Domain window appears.
3. In the Authentication type drop-down list, select Active Directory.
4. In the Domain name field, type SNWL_AD.
5. In the Active Directory domain field, type the AD domain name, in.loraxmfg.com.
6. In the Server address field, type the IP address of the OWA server, 10.200.1.10.
7. Click Add.
8. View the new domain in the Portals > Domains page.

Adding a Global Deny All Policy

This procedure creates a policy that denies access to the OWA resources to all groups, except groups configured with an explicit Permit policy.

The Secure Mobile Access default policy is Allow All. In order to have more granular control, we add a Deny All policy here. Later, we can add Permit policies for each group, one at a time.

1. Navigate to the Users > Local Users page.
2. Click Configure in the Global Policies row. The Edit Global Policies window appears.
3. In the Edit Global Policies window, click the Policies tab.
4. Click Add Policy. The Add Policy window appears.
5. Select IP Network from the Apply Policy To drop-down list.
6. In the Policy Name field, type the descriptive name IP Network Deny All.
7. In the IP Network Address field, type the network address, 10.200.1.0.
8. In the Subnet Mask field, type the mask in decimal format, 255.255.255.0.
9. In the Service drop-down list, select All Services.
10. In the Status drop-down list, select Allow.
11. Click Add.
12. In the Edit Global Policies window, verify the Deny All policy settings and then click OK.

Creating Local Groups

This procedure creates Local Groups that belong to the SNWL_AD domain on the SMA/SRA appliance. We create one local group for each Active Directory group.

Adding the Local Groups

1. Navigate to the Users > Local Groups page and click Add Group. The Add Local Group window appears. We will add three local groups, corresponding to our Active Directory groups.
2. In the Add Local Group window, type Acme_Group into the Group Name field.
3. Select SNWL_AD from the Domain drop-down list.
4. Click Add.
5. On the Users > Local Groups page, click Add Group to add the second local group.
6. In the Add Local Group window, type Mega_Group into the Group Name field.
7. Select SNWL_AD from the Domain drop-down list.
8. Click Add.
9. On the Users > Local Groups page, click Add Group to add the third local group.
10. In the Add Local Group window, type IT_Group into the Group Name field.
11. Select SNWL_AD from the Domain drop-down list.
12. Click Add.
13. View the added groups on the Users > Local Groups page.

Configuring the Local Groups

In this procedure, we will edit each new local group and associate it with the corresponding Active Directory Group.

1. Click Configure in the Acme_Group row. The Edit Group Settings window appears.
2. In the Edit Group Settings window, click the AD Groups tab.
3. On the AD Groups tab, click Add Group.
4. In the Edit Active Directory Group window, select Acme Group from the Active Directory Group drop-down list.
5. Click Edit.

Acme Group is listed in the Active Directory Groups table on the AD Groups tab.

6. In the Edit Group Settings window, click OK.
7. On the Users > Local Groups page, click Configure in the Mega_Group row. The Edit Group Settings window appears.
8. In the Edit Group Settings window, click the AD Groups tab and then click Add Group.
9. In the Edit Active Directory Group window, select Mega Group from the Active Directory Group drop-down list and then click Edit.

Mega Group is listed in the Active Directory Groups table on the AD Groups tab.

10. In the Edit Group Settings window, click OK.
11. On the Users > Local Groups page, click Configure in the IT_Group row. The Edit Group Settings window appears.
12. In the Edit Group Settings window, click the AD Groups tab and then click Add Group.
13. In the Edit Active Directory Group window, select IT Group from the Active Directory Group drop-down list and then click Edit.

IT Group is listed in the Active Directory Groups table on the AD Groups tab.

14. In the Edit Group Settings window, click OK.

At this point, we have created the three Local Groups and associated each with its Active Directory Group.

Adding the SSHv2 PERMIT Policy

In this section, we will add the SSHv2 PERMIT policy for both Acme_Group and IT_Group to access the 10.200.1.102 server using SSH.

This procedure creates a policy for the Secure Mobile Access Local Group, Acme_Group, and results in SSH access for members of the Active Directory group, Acme Group.

Repeat this procedure for IT_Group to provide SSH access to the server for members of the Active Directory group, IT Group.

1
On the Users > Local Groups page, click Configure in the Acme_Group row. The Edit Group Settings window appears.
2
In the Edit Group Settings window, click the Policies tab.
3
On the Policies tab, click Add Policy.
4
In the Add Policy window, select IP Address in the Apply Policy To drop-down list.

5
In the Policy Name field, enter the descriptive name, Allow SSH.
6
In the IP Address field, enter the IP address of the target server, 10.202.1.102.
7
In the Services drop-down list, select Secure Shell Version 2 (SSHv2).
8
In the Status drop-down list, select ALLOW, and then click Accept.

Adding the OWA PERMIT Policies

In this section, we will add two OWA PERMIT policies for both Mega_Group and IT_Group to access the OWA service using Secure Web (HTTPS).

This procedure creates a policy for the Secure Mobile Access Local Group, Mega_Group, and results in OWA access for members of the Active Directory group, Mega Group.

To access the Exchange server, adding a PERMIT policy to the 10.200.1.10/exchange URL Object itself is not enough. Another URL Object policy is needed that permits access to 10.200.1.10/exchweb, because some OWA Web contents are located in the exchweb directory.

Repeat this procedure for IT_Group to provide OWA access for members of the Active Directory group, IT Group.

NOTE: In this configuration, members of IT_Group and Mega_Group are denied access to the https://owa-server/public folder, because these groups have access only to the /exchange and /exchweb subfolders.

The OWA policies are applied to Exchange server URL Objects rather than server IP addresses since OWA is a Web service.

1
On the Users > Local Groups page, click Configure in the Mega_Group row. We will create two PERMIT policies for Mega_Group to allow access to the OWA Exchange server.
2
In the Edit Group Settings window, click the Policies tab, and then click Add Policy.
3
In the Add Policy window, select URL Object in the Apply Policy To drop-down list.

4
In the Policy Name field, enter the descriptive name, OWA.
5
In the Service drop-down list, select Secure Web (HTTPS).
6
In the URL field, enter the URL of the target application, 10.200.1.10/exchange.
7
In the Status drop-down list, select ALLOW, and then click Accept.
8
In the Edit Group Settings window on the Policies tab, click Add Policy.
9
In the Add Policy window, select URL Object in the Apply Policy To drop-down list.

10
In the Policy Name field, enter the descriptive name, OWA exchweb.
11
In the Service drop-down list, select Secure Web (HTTPS).
12
In the URL field, enter the URL of the target application, 10.200.1.10/exchweb.
13
In the Status drop-down list, select ALLOW, and then click Accept.
14
We are finished with the policies for Mega_Group. Repeat this procedure for IT_Group to provide OWA access for members of the Active Directory group, IT Group.

Verifying the Access Policy Configuration

At this point:

Acme_Group users are allowed to access SSH to 10.200.1.102
Mega_Group users are allowed to access OWA at 10.200.1.10
IT_Group users are allowed to access both SSH and OWA, as defined previously

The configuration can be verified by logging in as different AD group members to the SNWL_AD domain on the SMA/SRA appliance, and attempting to access the resources.

Test Result: Try Acmeuser Access

Acmeuser logs into the SNWL_AD domain.

The Users > Status page shows that acmeuser is a member of the local group, Acme_Group.

Acmeuser can access SSH, as expected.

Acmeuser tries to access other resources, such as OWA at 10.200.1.10, but is denied, as expected.

Test Result: Try Megauser Access

Megauser logs into the SNWL_AD domain.

The Users > Status page shows that megauser is a member of the local group, Mega_Group.

Megauser can access OWA resources, as expected.

Megauser tries to access SSH, but is denied, as expected.

Test Result: Try Ituser Access

Ituser logs into the SNWL_AD domain. The Users > Status page shows that ituser is a member of the local group, IT_Group.

Ituser can access SSH to 10.200.1.102, as expected.

Ituser can access OWA resources, as expected.
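As an added example that is not part of this guide or of SonicWall's code, the following Python models the Local Group to Active Directory Group mapping and the PERMIT policies configured above, then evaluates the requests from the three test results. It assumes that a matching group PERMIT policy is checked before the global IP Network policy, that the global policy's status is DENY (its intended effect as the "Deny All" policy), that SSHv2 means TCP/22 and Secure Web (HTTPS) TCP/443, and the AD memberships are constructed sample data.

```python
"""Model of the access-policy configuration built in this appendix.

Added example, not SonicWall code. Assumptions: a group PERMIT that matches
wins; otherwise the global IP Network policy on 10.200.1.0/24 denies, and
anything else is denied implicitly. Service-to-port mapping is assumed.
"""
from dataclasses import dataclass
import ipaddress

# Service names as they appear in the Service drop-down, mapped to TCP ports (assumption).
SERVICES = {"Secure Shell Version 2 (SSHv2)": 22, "Secure Web (HTTPS)": 443}


@dataclass(frozen=True)
class Policy:
    name: str
    apply_to: str   # "IP Address", "IP Network" or "URL Object"
    target: str     # address, CIDR network, or host/path URL Object
    service: str    # key into SERVICES, or "All Services"
    status: str     # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Request:
    user: str
    host: str
    port: int
    path: str = "/"


# Local Groups on the SNWL_AD domain and the AD group each one is associated with.
LOCAL_TO_AD = {"Acme_Group": "Acme Group", "Mega_Group": "Mega Group", "IT_Group": "IT Group"}

# Constructed AD membership for the three test users of this appendix.
AD_MEMBERSHIP = {"acmeuser": {"Acme Group"}, "megauser": {"Mega Group"}, "ituser": {"IT Group"}}

SSH_POLICY = Policy("Allow SSH", "IP Address", "10.200.1.102",
                    "Secure Shell Version 2 (SSHv2)", "ALLOW")
OWA_POLICIES = (
    Policy("OWA", "URL Object", "10.200.1.10/exchange", "Secure Web (HTTPS)", "ALLOW"),
    Policy("OWA exchweb", "URL Object", "10.200.1.10/exchweb", "Secure Web (HTTPS)", "ALLOW"),
)
GROUP_POLICIES = {
    "Acme_Group": (SSH_POLICY,),
    "Mega_Group": OWA_POLICIES,
    "IT_Group": (SSH_POLICY,) + OWA_POLICIES,
}
# Global policy from the start of this appendix; DENY is assumed as its intended effect.
GLOBAL_POLICY = Policy("IP Network Deny All", "IP Network", "10.200.1.0/24", "All Services", "DENY")


def local_groups_for(user: str) -> set:
    """Resolve the Local Groups a user belongs to through AD group membership."""
    ad_groups = AD_MEMBERSHIP.get(user, set())
    return {lg for lg, ad in LOCAL_TO_AD.items() if ad in ad_groups}


def service_matches(policy: Policy, port: int) -> bool:
    return policy.service == "All Services" or SERVICES.get(policy.service) == port


def target_matches(policy: Policy, req: Request) -> bool:
    if policy.apply_to == "IP Address":
        return req.host == policy.target
    if policy.apply_to == "IP Network":
        return ipaddress.ip_address(req.host) in ipaddress.ip_network(policy.target)
    if policy.apply_to == "URL Object":
        host, _, prefix = policy.target.partition("/")
        # Compare on path segments so /exchange does not also permit /exchangefoo.
        segments = [s for s in req.path.split("/") if s]
        return req.host == host and bool(segments) and segments[0] == prefix
    return False


def evaluate(req: Request) -> str:
    """Return the decision and the policy that produced it, e.g. 'ALLOW (Allow SSH)'."""
    for group in sorted(local_groups_for(req.user)):
        for pol in GROUP_POLICIES.get(group, ()):
            if target_matches(pol, req) and service_matches(pol, req.port):
                return f"{pol.status} ({pol.name})"
    if target_matches(GLOBAL_POLICY, req) and service_matches(GLOBAL_POLICY, req.port):
        return f"{GLOBAL_POLICY.status} ({GLOBAL_POLICY.name})"
    return "DENY (implicit)"


if __name__ == "__main__":
    for r in (Request("acmeuser", "10.200.1.102", 22),
              Request("acmeuser", "10.200.1.10", 443, "/exchange/"),
              Request("megauser", "10.200.1.10", 443, "/exchange/inbox"),
              Request("megauser", "10.200.1.10", 443, "/public"),
              Request("megauser", "10.200.1.102", 22),
              Request("ituser", "10.200.1.10", 443, "/exchweb/img/logo.gif")):
        print(r.user, r.host, r.port, r.path, "->", evaluate(r))
```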

NetExtender Troubleshooting

The following tables contain troubleshooting information for the Secure Mobile Access (SMA) or Secure Remote Access (SRA) NetExtender utility.

 

NetExtender Cannot Be Installed

Problem: NetExtender cannot be installed.

Solution:

1
Check your OS version. NetExtender supports only Windows Vista or higher; Mac OS X 10.5 or higher with Apple Java 1.6.0_10 or higher; and Linux OpenSUSE, Fedora Core, and Ubuntu. An i386-compatible Linux distribution is required, along with Sun Java 1.6.0_10+.
2
Check that the user has administrator privileges. NetExtender can only be installed and run under a user account with administrator privileges.
3
Check whether ActiveX has been blocked by Internet Explorer or by third-party blockers.
4
If the problem still exists, obtain the following information and send it to support:
The version of the Secure Mobile Access NetExtender Adapter from Device Manager.
The log file located at C:\Program files\SonicWall\SMA\NetExtender.dbg.
The event logs in the Event Viewer, found under the Windows Control Panel Administrator Tools folder.

Select Applications and System events and use the Action /Save Log File as… menu to save the events in a log file.

 

NetExtender Connection Entry Cannot Be Created

Problem: The NetExtender connection entry cannot be created.

Solution:

1
Navigate to Device Manager and check whether the Secure Mobile Access NetExtender Adapter has been installed successfully. If not, delete the adapter from the device list, reboot the machine, and install NetExtender again.
2
Navigate to the Windows Service manager under Control Panel > Administrator Tools > Services. Look for the Remote Access Auto Connection Manager and Remote Access Connection Manager to see whether those two services have been started. If not, set them to automatic start, reboot the machine, and install NetExtender again.
3
Check whether there is another dial-up connection in use. If so, disconnect the connection, reboot the machine, and install NetExtender again.
4
If the problem still exists, obtain the following information and send it to support:
The version of the Secure Mobile Access NetExtender Adapter from Device Manager.
The log file located at C:\Program files\SonicWall\SMA\NetExtender.dbg.
The event logs in Control Panel > Administrator Tools > Event Viewer. Select Applications and System events and use the Action /Save Log File as… menu to save the events in a log file.
 

NetExtender Cannot Connect

Problem: NetExtender cannot connect.

Solution:

1
Navigate to Device Manager and check whether the Secure Mobile Access NetExtender Adapter has been installed successfully. If not, delete the adapter from the device list, reboot the machine, and install NetExtender again.
2
Navigate to Network connections to check whether the Secure Mobile Access NetExtender Dialup entry has been created. If not, reboot the machine and install NetExtender again.
3
Check whether there is another dial-up connection in use. If so, disconnect the connection, reboot the machine, and connect NetExtender again.
4
If the problem still exists, obtain the following information and send it to support:
The version of the Secure Mobile Access NetExtender Adapter from Device Manager.
The log file located at C:\Program files\SonicWall\SMA\NetExtender.dbg.
The event logs in Control Panel > Administrator Tools > Event Viewer. Select Applications and System events and use the Action /Save Log File as… menu to save the events in a log file.
 

NetExtender BSOD After Connecting

Problem: NetExtender causes a BSOD after connecting.

Solution:

1
Uninstall NetExtender, reboot the machine, and reinstall the latest version of NetExtender.
2
Obtain the following information and send it to support:
The version of the Secure Mobile Access NetExtender Adapter from Device Manager.
The log file located at C:\Program files\SonicWall\SMA\NetExtender.dbg.
The Windows memory dump file located at C:\Windows\MEMORY.DMP. If you cannot find this file, open System Properties, click Startup and Recovery Settings under the Advanced tab, and select Complete Memory Dump, Kernel Memory Dump, or Small Memory Dump in the Write Debugging Information drop-down list. You then need to reproduce the BSOD to generate the dump file.
The event logs in Control Panel > Administrator Tools > Event Viewer. Select Applications and System Events and use the Action /Save Log File as… menu to save the events in a log file.

Frequently Asked Questions

This appendix contains frequently asked questions (FAQs) about the Secure Mobile Access (SMA) or Secure Remote Access (SRA) appliance.

Hardware FAQ

1
What are the hardware specs for the SMA 400 and SMA 200?

Answer:

Interfaces

SMA 200: (2) gigabit Ethernet, (2) USB, (1) console

SMA 400: (4) gigabit Ethernet, (2) USB, (1) console

Processors

SMA 200: 1.74 GHz Intel Atom™ C2358 Dual Core Processor

SMA 400: 2.40 GHz Intel Atom™ C2358 Quad Core Processor

Memory (RAM)

SMA 200: 2 GB

SMA 400: 4 GB

Flash Memory

SMA 200: 2 GB (CFAST)

SMA 400: 2 GB (CFAST)

Power Supply

SMA 200: Fixed Internal, 60W adaptor

SMA 400: Fixed Internal, 60W adaptor

Max Power Consumption

SMA 200: 26.9 W

SMA 400: 31.9 W

Total Heat Dissipation

SMA 200: 92 BTU

SMA 400: 109 BTU

Dimensions

SMA 200: 17.00 x 10.13 x 1.75 in (43.18 x 25.73 x 4.45 cm)

SMA 400: 17.00 x 10.13 x 1.75 in (43.18 x 25.73 x 4.45 cm)

Weight

SMA 200: 11 lbs (5 kg)

SMA 400: 11 lbs (5 kg)

Major Regulatory Compliance

SMA 200/400:

FCC Class A, ICES Class A, CE, C-Tick, VCCI Class A, KCC, ANATEL, BSMI, NOM, UL, cUL, TUV/GS, CB

Environment:

Temperature:

SMA 200/400: 32-105° F, 0-40° C

Relative Humidity:

SMA 200/400: 5-95 percent RH non-condensing

MTBF

SMA 200: 7.060 years

SMA 400: 6.870 years

2
What are the hardware specs for the SRA 4600 and SRA 1600?

Answer:

Interfaces

SRA 1600: (2) gigabit Ethernet, (2) USB, (1) console

SRA 4600: (4) gigabit Ethernet, (2) USB, (1) console

Processors

SRA 1600: 1.66 GHz Intel Atom Processor, x86

SRA 4600: 1.66 GHz Intel Atom Dual Core Processor, x86

Memory (RAM)

SRA 1600: 1 GB

SRA 4600: 2 GB

Flash Memory

SRA 1600: 1 GB

SRA 4600: 1 GB

Power Supply

SRA 1600: Internal, 100-240Vac, 50-60Mhz

SRA 4600: Internal, 100-240Vac, 50-60Mhz

Max Power Consumption

SRA 1600: 47 W

SRA 4600: 50 W

Total Heat Dissipation

SRA 1600: 158 BTU

SRA 4600: 171 BTU

Dimensions

SRA 1600: 17.00 x 10.13 x 1.75 in (43.18 x 25.73 x 4.45 cm)

SRA 4600: 17.00 x 10.13 x 1.75 in (43.18 x 25.73 x 4.45 cm)

Weight

SRA 1600: 9.5 lbs (4.3 kg)

SRA 4600: 9.5 lbs (4.3 kg)

Major Regulatory Compliance

SRA 1600/4600:

FCC Class A, EMI/EMC, FCC, CE, VCCI Class A, UL, cUL, TUV/GS, CB

Environment:

Temperature:

SRA 1600/4600: 32-105° F, 0-40° C

Relative Humidity:

SRA 1600/4600: 5-95 percent RH non-condensing

MTBF

SRA 1600: 18.3 years

SRA 4600: 17.8 years

3
What are the SMA 500v Virtual Appliance virtualized environment requirements?

Answer:

Hypervisor: VMware ESXi (version 5.0 and newer)

Appliance size (on disk): 2 GB

Allocated memory: 2 GB

NOTE: The SMA 500v Virtual Appliance is not supported on VMware ESXi 4.0 and 4.1. If you deploy the Virtual Appliance on one of these ESXi versions, it should still work, but you might see some warning messages.

4
Do the SMA/SRA appliances have hardware-based SSL acceleration onboard?

Answer: The SRA 4600 and SRA 1600 do not have a hardware-based SSL accelerator processor; however, the SMA 400/200 processor includes AES-NI instructions that accelerate AES encryption.

5
What operating system do the SMA/SRA appliances run?

Answer: The appliance runs SonicWall Inc.’s own hardened Linux distribution.

6
Can I put multiple SMA/SRA appliances behind a load-balancer?

Answer: Yes, this should work fine as long as the load-balancer or content-switch is capable of tracking sessions based upon SSL Session ID persistence, or cookie-based persistence.

7
What is the maximum number of connections allowed on the different SMA/SRA appliances?

Reference the SMA/SRA Max Count Table:

 

SMA/SRA Max Count Table

Maximum supported per platform (SMA 500v is the SMA 500v Virtual Appliance):

Type                                 SMA 200   SMA 400   SRA 1600   SRA 4600   SMA 500v
Portal entries                       32        64        32         64         64
Domain entries                       32        64        32         64         64
Group entries                        512       512       512        512        512
User entries                         1,000     2,000     1,000      2,000      2,000
NetExtender global client routes     100       100       100        100        100
NetExtender group client routes      100       100       100        100        100
NetExtender user client routes       100       100       100        100        100
Maximum concurrent users             200       1024      200        1024       1024
Maximum concurrent Nx connections    50        500       100        500        500
Route entries                        32        32        32         32         32
Host entries                         32        32        32         32         32
Bookmark entries                     500       500       500        500        500
User Policy entries                  64        64        64         64         64
Group Policy entries                 64        64        64         64         64
Global Policy entries                64        64        64         64         64
Policy address entries               32        32        32         32         32
Network Objects                      128       128       128        128        128
‘Address’ Network Objects            32        32        32         32         32
‘Network’ Network Objects            64        64        64         64         64
‘Service’ Network Objects            64        64        64         64         64
SMB shares                           1,024     1,024     1,024      1,024      1,024
SMB nodes                            1,024     1,024     1,024      1,024      1,024
SMB workgroups                       8         8         8          8          8
Concurrent FTP sessions              8         8         8          8          8
Log size                             250 KB    250 KB    250 KB     250 KB     250 KB

Digital Certificates and Certificate Authorities FAQ

1
What do I do if, when I log in to the SMA/SRA appliance, my browser gives me an error, or my Java components give me an error?

Answer: These errors can be caused by any combination of the following three factors:

The certificate in the SMA/SRA appliance is not trusted by the browser.
The certificate in the SMA/SRA appliance has expired.
The site requested by the client Web browser does not match the site name embedded in the certificate.

Web browsers are programmed to issue a warning whenever any of the three conditions above applies. This security mechanism is intended to ensure end-to-end security, but often confuses people into thinking something is broken. If you are using the default self-signed certificate, this error appears every time a Web browser connects to the SMA/SRA appliance. However, it is just a warning and can be safely ignored, as it does not affect the security negotiated during the SSL handshake. If you do not want this error to happen, you should purchase and install a trusted SSL certificate onto the SMA/SRA appliance.

2
I get the following message when I log in to my SMA/SRA appliance – what do I do?

Answer: It’s the same problem as noted in the previous topic, but this is the new “improved” security warning screen in Microsoft Internet Explorer. Whereas IE5.x and IE6.x presented a pop-up that listed the reasons why the certificate is not trusted, newer versions of IE simply return a generic error page that recommends the user close the page. The user is not presented with a direct ‘Yes’ option to proceed, and instead has to click the embedded Continue to this Website (not recommended) link. For these reasons, it is strongly recommended that all SMA/SRA appliances, going forward, have a trusted digital certificate installed.

3
I get the following message when I log in to my SMA/SRA appliance using Firefox – what do I do?

Answer: Much like the errors shown previously for Internet Explorer, Firefox has a unique error message when any certificate problem is detected. The conditions for this error are the same as for the previous Internet Explorer errors.

To get past this screen, click the Or you can add an exception link at the bottom, then click Add Exception that appears. In the Add Security Exception window that opens, click Get Certificate, ensure that Permanently store this exception is checked, and finally, click Confirm Security Exception. See the following:

To avoid this inconvenience, it is strongly recommended that all SMA/SRA appliances, going forward, have a trusted digital certificate installed.

4
When I launch any of the Java components it gives me an error – what should I do?

Answer: See the previous section. This occurs when the certificate is not trusted by the Web browser, or the site name requested by the browser does not match the name embedded in the site certificate presented by the SMA/SRA appliance during the SSL handshake process. This error can be safely ignored.

5
Do I have to purchase an SSL certificate?

Answer: Although the level of encryption is not compromised, having users accept an untrusted certificate introduces the risk of Man-in-the-Middle attacks. SonicWall Inc. recommends installing only trusted certificates, or installing the default self-signed certificate in all the clients.

6
What format is used for the digital certificates?

Answer: X509v3.

7
Are wild card certificates supported?

Answer: Yes.

8
Which CAs’ certificates can I use with the SMA/SRA appliance?

Answer: Any CA certificate should work if the certificate is in X509v3 format, including Verisign, Thawte, Baltimore, RSA, and so on.

9
Does the SMA/SRA appliance support chained certificates?

Answer: Yes, it does. On the System > Certificates page, complete the following:

Under “Server Certificates,” click Import Certificate and upload the SSL server certificate and key together in a .zip file. The certificate should be named ‘server.crt’. The private key should be named ‘server.key’.
Under “Additional CA Certificates,” click Import Certificate and upload the intermediate CA certificate(s). The certificate should be PEM encoded in a text file.

After uploading any intermediate CA certificates, the system should be restarted. The web server needs to be restarted with the new certificate included in the CA certificate bundle.

10
Any other tips when I purchase the certificate for the SMA/SRA appliance?

Answer: We recommend you purchase a multi-year certificate to avoid the hassle of renewing each year (most people forget and when the certificate expires it can create an administrative nightmare). It is also good practice to have all users that connect to the SMA/SRA appliance run Windows Update (also known as Microsoft Update) and install the ‘Root Certificates’ update.

11
Can I use certificates generated from a Microsoft Certificate Server?

Answer: Yes, but to avoid a browser warning, you should install the Microsoft CA’s root certificate into all Web browsers that connect to the appliance.

12
Why can’t I import my new certificate and private key?

Answer: Be sure that you upload a .zip file containing the PEM formatted private key file named “server.key” and the PEM formatted certificate file named “server.crt.” The .zip file must have a flat file structure (no directories) and contain only “server.key” and “server.crt” files. The key and the certificate must also match, otherwise the import fails.

13
Why do I see the status “pending” after importing a new certificate and private key?

Answer: Click the ‘configure’ icon next to the new certificate and enter the password you specified when creating the Certificate Signing Request (CSR) to finalize the import of the certificate. After this is done, you can successfully activate the certificate on the SMA/SRA appliance.

14
Can I have more than one certificate active if I have multiple virtual hosts?

Answer: It is possible to select a certificate for each Portal under the Portals > Portals: Edit Portal - Virtual Host tab. The portal Virtual Host Settings fields allow you to specify a separate IP address and certificate for each portal. If the administrator has configured multiple portals, it is possible to associate a different certificate with each portal. For example, sslvpn.test.sonicwall.com might also be reached by pointing the browser to virtualassist.test.sonicwall.com. Each of those portal names can have its own certificate. This is useful to prevent the browser from displaying a certificate mismatch warning, such as “This server is abc, but the certificate is xyz, are you sure you want to continue?”

15
I imported the CSR into my CA’s online registration site but it’s asking me to tell them what kind of Webserver it’s for. What do I do?

Answer: Select ‘Apache’.

16
Can I store the key and certificate?

Answer: Yes, the key is exported with the CSR during the CSR generation process. It’s strongly recommended that you keep this in a safe place with the certificate you receive from the CA. This way, if the SMA/SRA appliance ever needs replacement or suffers a failure, you can reload the key and certificate. You can also always export your settings from the System > Settings page.

17
Does the SMA/SRA appliance support client-side digital certificates?

Answer: Yes, client certificates are enforced per Domain or per User on the Users > Local Users: Edit User – Login Policies tab.

Per Domain/Per User client certificate enforcement settings:
Option to Verify the user name matches the Common Name (CN) of the client certificate
Option to Verify partial DN in the client certificate subject (optional). The following variables are supported:

User name: %USERNAME%

Domain name: %USERDOMAIN%

Active Directory user name: %ADUSERNAME%

Wildcard: %WILDCARD%

Support for Microsoft CA Subject Names where CN=<Full user name>, for example CN=John Doe. Client certificate authentication attempts for users in Active Directory domains should have the CN compared against the user’s full name in AD.
Detailed client certificate authentication failure messages and log messages are available in the Log > View page.
Certificate Revocation List (CRL) Support. Each CA Certificate now supports an optional CRL through file import or periodic import through URL.

The client certificate must be loaded into the client’s browser. Also, remember that any certificates in the trust chain of the client certificates must be installed onto the SMA/SRA appliance.

18
When client authentication is required my clients cannot connect even though a CA certificate has been loaded. Why?

Answer: After a CA certificate has been loaded, the SMA/SRA appliance must be rebooted before it is used for client authentication. Failure to validate the client certificate also causes the logon to fail. Among the most common causes are: the certificate is not yet valid, the certificate has expired, the login name does not match the common name of the certificate, or no certificate was sent.
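The following Python is an added example, not SonicWall code, that models the client-certificate checks described in the two preceding answers: it parses a certificate subject DN, expands the %USERNAME%, %USERDOMAIN%, %ADUSERNAME% and %WILDCARD% variables of a partial DN template, compares the CN against the login name or the AD full name, and reports the failure reasons listed above. The appliance's exact matching rules are not given on this page, so the matching semantics, the helper names and the sample certificate are assumptions.

```python
"""Client-certificate login checks modelled on the Login Policies options in
this FAQ. Added example, not SonicWall code; matching semantics are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
import fnmatch
from typing import Optional


@dataclass(frozen=True)
class ClientCert:
    subject: str                # e.g. "CN=John Doe,OU=Staff,DC=snwl,DC=local"
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Session:
    username: str               # login name typed at the portal
    domain: str                 # portal domain, e.g. SNWL_AD
    ad_username: Optional[str] = None   # AD account name, if looked up
    ad_full_name: Optional[str] = None  # AD full name (what a Microsoft CA puts in CN)


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware instant; used for the validity checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_dn(dn: str) -> list:
    """Split 'CN=Doe\\, John,OU=Staff' into [('CN', 'Doe, John'), ('OU', 'Staff')]."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns


def expand_partial_dn(template: str, s: Session) -> str:
    """Substitute the variables the Login Policies tab supports; %WILDCARD% becomes a glob '*'."""
    return (template.replace("%USERNAME%", s.username)
                    .replace("%USERDOMAIN%", s.domain)
                    .replace("%ADUSERNAME%", s.ad_username or s.username)
                    .replace("%WILDCARD%", "*"))


def partial_dn_matches(template: str, cert: ClientCert, s: Session) -> bool:
    """Every RDN of the expanded template must be present in the subject (values may contain '*')."""
    subject = parse_dn(cert.subject)
    for key, pattern in parse_dn(expand_partial_dn(template, s)):
        if not any(key == k and fnmatch.fnmatchcase(v, pattern) for k, v in subject):
            return False
    return True


def check_client_cert(cert: Optional[ClientCert], s: Session, *, verify_cn: bool = True,
                      partial_dn: Optional[str] = None,
                      now: Optional[datetime] = None) -> Optional[str]:
    """Return None if the certificate passes, otherwise the failure reason to log."""
    if cert is None:
        return "certificate not sent"
    now = now or datetime.now(timezone.utc)
    if now < cert.not_before:
        return "certificate is not yet valid"
    if now > cert.not_after:
        return "certificate has expired"
    if verify_cn:
        # Accept the login name or, for AD accounts, the user's full name as the CN.
        accepted = {s.username.casefold()}
        if s.ad_full_name:
            accepted.add(s.ad_full_name.casefold())
        cns = [v for k, v in parse_dn(cert.subject) if k == "CN"]
        if not any(cn.casefold() in accepted for cn in cns):
            return "login name does not match common name of the certificate"
    if partial_dn and not partial_dn_matches(partial_dn, cert, s):
        return "client certificate subject does not match partial DN"
    return None


# Constructed sample data for a quick self-check (not a real certificate or account).
SAMPLE_CERT = ClientCert("CN=John Doe,OU=Staff,DC=snwl,DC=local", utc(2024, 1, 1), utc(2030, 1, 1))
SAMPLE_SESSION = Session("jdoe", "SNWL_AD", ad_username="jdoe", ad_full_name="John Doe")

if __name__ == "__main__":
    print(check_client_cert(SAMPLE_CERT, SAMPLE_SESSION, now=utc(2025, 6, 1)))
    print(check_client_cert(SAMPLE_CERT, SAMPLE_SESSION,
                            partial_dn="OU=%WILDCARD%,DC=snwl", now=utc(2025, 6, 1)))
    print(check_client_cert(None, SAMPLE_SESSION, now=utc(2025, 6, 1)))
```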

NetExtender FAQ

1
Does NetExtender work on operating systems other than Windows?

Answer: Yes. See the following supported platforms:

Mac Requirements:

Mac OS X 10.6.8+
Apple Java 1.6.0_10+ (can be installed/upgraded by going to Apple Menu > Software Update; should be pre-installed on OS X 10.6.8+)

Linux Requirements:

i386-compatible distribution of Linux
Sun Java 1.6.0_10+
Fedora 14+
Suse: Tested successfully on 10.3
Ubuntu 11.04+

Separate NetExtender installation packages are also downloadable from MySonicWall.com for each release.

2
Which versions of Windows does NetExtender support?

Answer: NetExtender supports:

Vista SP2
Windows 10
Windows 7

3
Can I block communication between NetExtender clients?

Answer: Yes, this can be achieved with the User/Group/Global Policies by adding a ‘deny’ policy for the NetExtender IP range.

4
Can NetExtender run as a Windows service?

Answer: NetExtender can be installed and configured to run as a Windows service that allows systems to log in to domains across the NetExtender client.

5
What range do I use for NetExtender IP client address range?

Answer: This range is the pool that incoming NetExtender clients are assigned – NetExtender clients actually appear as though they are on the internal network – much like the Virtual Adapter capability found in SonicWall Inc.’s Global VPN Client. You should dedicate one IP address for each active NetExtender session, so if you expect 20 simultaneous NetExtender sessions to be the maximum, create a range of 20 open IP addresses. Make sure that these IP addresses are open and are not used by other network appliances or contained within the scope of other DHCP servers. For example, if your SMA/SRA appliance is in one-port mode on the X0 interface using the default IP address of 192.168.200.1, create a pool of addresses from 192.168.200.151 to 192.168.200.171. You can also assign NetExtender IPs dynamically using the DHCP option.

6
What do I enter for NetExtender client routes?

Answer: These are the networks that are sent to remote NetExtender clients and should contain all networks that you wish to give your NetExtender clients access to. For example, if your SMA/SRA appliance was in one-port mode, attached to a SonicWall Inc. NSA 3500 appliance on a DMZ using 192.168.200.0/24 as the subnet for that DMZ, and the SonicWall Inc. NSA 3500 had two LAN subnets of 192.168.168.0/24 and 192.168.170.0/24, you would enter those two LAN subnets as the client routes to provide NetExtender clients access to network resources on both of those LAN subnets.

7
What does the ‘Tunnel All Mode’ option do?

Answer: Activating this feature causes the SMA/SRA appliance to push down two default routes that tell the active NetExtender client to send all traffic through the SMA/SRA appliance. This feature is useful in environments where the SMA/SRA appliance is deployed in tandem with a SonicWall Inc. security appliance running all UTM services, as it allows you to scan all incoming and outgoing NetExtender user traffic for viruses, spyware, intrusion attempts, and content filtering.

8
Is there any way to see what routes the SMA/SRA appliance is sending NetExtender?

Answer: Yes, right-click on the NetExtender icon in the taskbar and select route information. You can also get status and connection information from this same menu.

9
After I install the NetExtender is it uninstalled when I leave my session?

Answer: By default, when NetExtender is installed for the first time it stays resident on the system, although this can be controlled by selecting the Uninstall On Browser Exit > Yes option from the NetExtender icon in the taskbar while it is running. If this option is checked, NetExtender removes itself when it is closed. It can also be uninstalled from the “Add/Remove Program Files” in Control Panel. NetExtender remains on the system by default to speed up subsequent login times.

10
How do I get new versions of NetExtender?

Answer: New versions of NetExtender are included in each SonicWall Inc. Secure Mobile Access firmware release and have version control information contained within. If the SMA/SRA appliance has been upgraded with new software, and a connection is made from a system using a previous, older version of NetExtender, it is automatically upgraded to the new version.

There is one exception to the automatic upgrading feature: it is not supported for the MSI version of NetExtender. If NetExtender was installed with the MSI package, it must be upgraded with a new MSI package. The MSI package is designed for the administrator to deploy NetExtender through Active Directory, allowing full version control through Active Directory.

11
How is NetExtender different from a traditional IPSec VPN client, such as SonicWall Inc.’s Global VPN Client (GVC)?

Answer: NetExtender is designed as an extremely lightweight client that is installed through a Web browser connection, and utilizes the security transforms of the browser to create a secure, encrypted tunnel between the client and the SMA/SRA appliance.

12
Is NetExtender encrypted?

Answer: Yes, it uses whatever cipher the NetExtender client and SMA/SRA appliance negotiate during the SSL connection.

13
Is there a way to secure clear text traffic between the SMA/SRA appliance and the server?

Answer: Yes, you can configure the Microsoft Terminal Server to use encrypted RDP-based sessions, and use HTTPS reverse proxy.

14
What is the PPP adapter that is installed when I use the NetExtender?

Answer: This is the transport method NetExtender uses. It also uses compression (MPPC). You can elect to have it removed during disconnection by selecting this from the NetExtender menu.

15
What are the advantages of using the NetExtender instead of a Proxy Application?

Answer: NetExtender allows full connectivity over an encrypted, compressed PPP connection, allowing the user to connect directly to internal network resources. For example, a remote user could launch NetExtender to directly connect to file shares on a corporate network.

16
Does performance change when using NetExtender instead of proxy?

Answer: Yes. NetExtender connections put minimal load on the SMA/SRA appliances, whereas many proxy-based connections might put substantial strain on the SMA/SRA appliance. Note that HTTP proxy connections use compression to reduce the load and increase performance. Content received by Secure Mobile Access from the local Web server is compressed using gzip before sending it over the Internet to the remote client. Compressing content sent from the SMA/SRA saves bandwidth and results in higher throughput. Furthermore, only compressed content is cached, saving nearly 40-50 percent of the required memory. Note that gzip compression is not available on the local (clear text side) of the SMA/SRA appliance, or for HTTPS requests from the remote client.

17
The SMA/SRA appliance is application dependent; how can I address non-standard applications?

Answer: You can use NetExtender to provide access for any application that cannot be accessed using the internal proxy mechanisms - HTTP, HTTPS, FTP, RDP5, Telnet, and SSHv2. Application Offloading can also be used for Web applications. In this way, the SMA/SRA appliance functions similarly to an SSL offloader and proxies Web application pages without the need for URL rewriting.

18
Why is it required that an ActiveX component be installed?

Answer: NetExtender is installed through an ActiveX-based plug-in from Internet Explorer. Users using Firefox browsers can install NetExtender through an XPI installer. NetExtender can also be installed through an MSI installer. Download the NetExtender MSI installer from MySonicWall.com.

19
Does NetExtender support desktop security enforcement, such as AV signature file checking, or Windows registry checking?

Answer: Not at present, although these sorts of features are planned for future releases of NetExtender.

20
Does NetExtender work with the 64-bit version of Microsoft Windows?

Answer: Yes, NetExtender supports 64-bit Windows 7 and Vista.

21
Does NetExtender work 32-bit and 64-bit version of Microsoft Windows 7?

Answer: Yes, NetExtender supports 32-bit and 64-bit Windows 7.

22
Does NetExtender support client-side certificates?

Answer: Yes, the Windows NetExtender client supports client certificate authentication from the stand-alone client. Users can also authenticate to the Secure Mobile Access portal and then launch NetExtender.

23
My firewall is dropping NetExtender connections from my SonicWall SMA/SRA as being spoofs. Why?

Answer: NetExtender clients use addresses from the NetExtender client address pool, so their traffic reaches the firewall with a pool address as the source, arriving from the interface behind which the appliance's X0 sits. If the pool is on a different subnet than X0, the firewall's anti-spoofing check does not expect that subnet on that interface and drops the packets. Create a rule so the firewall knows that the NetExtender address range sits behind the SMA/SRA appliance; on most firewalls this also means a route for the pool subnet pointing at the appliance's X0 address, so that return traffic reaches the clients.

General FAQ

1
Is the SMA/SRA appliance a true reverse proxy?

Answer: Yes. HTTP, HTTPS, CIFS, and FTP are Web-based proxies, where the native Web browser is the client. VNC, RDP, Citrix, SSHv2, and Telnet use browser-delivered HTML5 clients. NetExtender on Windows uses a browser-delivered client.

2
What browser and version do I need to successfully connect to the SMA/SRA appliance?

Answer: Currently supported browsers and versions are listed in the Browser Requirements section of this document.

3
What needs to be activated on the browser for me to successfully connect to the SMA/SRA appliance?

Answer:

TLS
Enable cookies
Enable pop-ups for the site
Enable Java
Enable JavaScript
Enable ActiveX
4
What version of Java do I need?

Answer: You should install SUN’s JRE 1.6.0_10 or higher (available at http://www.java.com) to use some of the features on the SMA/SRA appliance. On Google Chrome, you need Java 1.6.0 update 10 or higher.

5
What operating systems are supported?

Answer:

Microsoft Vista
Microsoft Windows 7
Apple OSX 10.6.8 and newer
Linux kernel 2.6.x and newer
6
Why does the ‘File Shares’ component not recognize my server names?

Answer: If you cannot reach your server by its NetBIOS name, there might be a problem with name resolution. Check your DNS and WINS settings on the SMA/SRA appliance. You might also try manually specifying the NetBIOS name to IP mapping in the Network > Host Resolution section, or you could manually specify the IP address in the UNC path, for example \\192.168.100.100\sharefolder.

Also, if you get an authentication loop or an error, is this File Share a DFS server on a Windows domain root? When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so disables access to the DFS file shares from other domains. The SMA/SRA appliance is not a domain member and is not able to connect to the DFS shares. DFS file shares on a stand-alone root are not affected by this Microsoft restriction.

7
Does the SMA/SRA appliance have an SPI firewall?

Answer: No. It must be combined with a SonicWall Inc. security appliance or other third-party firewall/VPN device.

8
Can I access the SMA/SRA appliance using HTTP?

Answer: No, it requires HTTPS. HTTP connections are immediately redirected to HTTPS. You might wish to open both port 80 and port 443, as many people forget to type https:// and instead type http://. If you block port 80, the redirect cannot happen and the plain-HTTP connection simply fails.

9
What is the most common deployment of the SMA/SRA appliances?

Answer: One-port mode, where only the X0 interface is utilized, and the appliance is placed in a separated, protected “DMZ” network/interface of a SonicWall Inc. security appliance, such as a SonicWall Inc. TZ or NSA appliance.

10
Why is it recommended to install the SMA/SRA appliance in one-port mode with a SonicWall Inc. security appliance?

Answer: This method of deployment offers additional layers of security control plus the ability to use SonicWall Inc.’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic.

11
Is there an installation scenario where you would use more than one interface or install the appliance in two-port mode?

Answer: Yes, when it would be necessary to bypass a firewall/VPN device that might not have an available third interface, or a device where integrating the SMA/SRA appliance might be difficult or impossible.

12
Can I cascade multiple SMA/SRA appliances to support more concurrent connections?

Answer: No, this is not supported.

13
Why can’t I log in to the Secure Mobile Access management interface of the SMA/SRA appliance?

Answer: The default IP address of the appliance is 192.168.200.1 on the X0 interface. If you cannot reach the appliance, try cross-connecting a system to the X0 port, assigning it a temporary IP address of 192.168.200.100, and attempt to log in to the SMA/SRA appliance at https://192.168.200.1. Then verify that you have correctly configured the DNS and default route settings on the Network pages.

14
Can I create site-to-site VPN tunnels with the SMA/SRA appliance?

Answer: No, it is only a client-access appliance. If you require this, you need a SonicWall Inc. TZ, NSA, or SuperMassive series security appliance.

15
Can the SonicWall Inc. Global VPN Client (or any other third-party VPN client) connect to the SMA/SRA appliance?

Answer: No, only NetExtender and proxy sessions are supported.

16
Can I connect to the SMA/SRA appliance over a modem connection?

Answer: Yes, although performance is slow, even over a 56K connection it is usable.

17
What SSL ciphers are supported by the SMA/SRA appliance?

Answer: Starting with 7.5 firmware or newer, SonicWall Inc. only uses HIGH security ciphers with TLSv1, TLSv1.1, and TLSv1.2. In 8.0 firmware or newer, SSL Perfect Forward Secrecy (PFS) is supported.

18
Is AES supported in the SMA/SRA appliance?

Answer: Yes, if your browser supports it.

19
Can I expect similar performance (speed, latency, and throughput) as my IPSec VPN?

Answer: Yes, actually you might see better performance as NetExtender uses multiplexed PPP connections and runs compression over the connections to improve performance.

20
Is Two-factor authentication (RSA SecurID, etc) supported?

Answer: Yes, this is supported.

21
Does the SMA/SRA appliance support VoIP?

Answer: Yes, over NetExtender connections.

22
Is Syslog supported?

Answer: Yes.

23
Does NetExtender support multicast?

Answer: Not at this time. Look for this in a future firmware release.

24
Are SNMP and Syslog supported?

Answer: Syslog forwarding to up to two external servers is supported in the current software release. SNMP is supported beginning in the 5.0 release. MIBs can be downloaded from MySonicWall.

25
Does the SMA/SRA appliance have a Command Line Interface (CLI)?

Answer: Yes, the SMA/SRA appliances have a simple CLI when connected to the console port. The SMA 500v Virtual Appliance is also configurable with the CLI. The Secure Mobile Access CLI allows configuration of only the X0 interface on the SMA/SRA appliances or SMA 500v Virtual Appliance.

26
Can I Telnet or SSH into the SMA/SRA appliance?

Answer: No. Neither Telnet nor SSH is supported as a means of management in the current release of the SMA/SRA appliance software (this is not to be confused with the Telnet and SSH proxies that the appliance does support).

27
What does the Web cache cleaner do?

Answer: The Web cache cleaner is an ActiveX-based applet that removes all temporary files generated during the session, removes any history bookmarks, and removes all cookies generated during the session.

28
Why didn’t the Web cache cleaner work when I exited the Web browser?

Answer: In order for the Web cache cleaner to run, you must click Logout. If you close the Web browser using any other means, the Web cache cleaner cannot run.

29
What does the ‘encrypt settings file’ check box do?

Answer: This setting encrypts the settings file so that if it is exported it cannot be read by unauthorized sources. Although it is encrypted, it can be loaded back onto the SMA/SRA appliance (or a replacement appliance) and decrypted. If this box is not selected, the exported settings file is clear-text and can be read by anyone.

30
What does the ‘store settings’ button do?

Answer: By default, the settings are automatically stored on a SMA/SRA appliance any time a change to programming is made, but this can be shut off if desired. If this is disabled, all unsaved changes to the appliance are lost. This feature is most useful when you are unsure of making a change that could result in the box locking up or dropping off the network. If the setting is not immediately saved, you can power-cycle the box and it returns to the previous state before the change was made.

31
What does the ‘create backup’ button do?

Answer: This feature allows you to create a backup snapshot of the firmware and settings into a special file that can be reverted to from the management interface or from SafeMode. SonicWall Inc. strongly recommends creating system backup right before loading new software, or making significant changes to the programming of the appliance.

32
What is ‘SafeMode’?

Answer: SafeMode is a feature of the SMA/SRA appliance that allows administrators to switch between software image builds and revert to older versions in case a new software image turns out to cause issues. In cases of software image corruption, the appliance boots into a special interface mode that allows the administrator to choose which version to boot, or load a new version of the software image.

33
How do I access the SafeMode menu?

Answer: In emergency situations, you can access the SafeMode menu by holding in Reset on the SMA/SRA appliance (the small pinhole button located on the front of the SMA/SRA appliances) for 12-14 seconds until the ‘Test’ LED begins quickly flashing yellow. After the SMA/SRA appliance has booted into the SafeMode menu, assign a workstation a temporary IP address in the 192.168.200.x subnet, such as 192.168.200.100, and attach it to the X0 interface on the SMA/SRA appliance. Then, using a modern Web browser (Microsoft IE6.x+, Mozilla 1.4+), access the special SafeMode GUI using the appliance’s default IP address of 192.168.200.1. You are able to boot the appliance using a previously saved backup snapshot, or you can upload a new version of software with Upload New Software image.

34
Can I change the colors of the portal pages?

Answer: This is not supported in the current releases, but is planned for a future software release.

35
What authentication methods are supported?

Answer: Local database, RADIUS, Active Directory, and LDAP.

36
I configured my SMA/SRA appliance to use Active Directory as the authentication method, but it fails with a very strange error message. Why?

Answer: The SMA/SRA appliance and the Active Directory domain controller must have closely synchronized clocks, or authentication fails. Active Directory authentication is Kerberos-based, and Kerberos rejects requests whose timestamps differ from the domain controller's clock by more than the domain's allowed skew (five minutes by default). Ensure that both the appliance and the domain controller use NTP to keep their clocks synchronized.

37
I created a FTP bookmark, but when I access it, the filenames are garbled – why?

Answer: If you are using a Windows-based FTP server, you should change the directory listing style to ‘UNIX’ instead of ‘MS-DOS’.

38
Where can I get a VNC client?

Answer: SonicWall Inc. has done extensive testing with RealVNC. It can be downloaded at:

http://www.realvnc.com/download.html

39
Are the SRA 4600/1600 appliances fully supported by GMS or Analyzer?

Answer: Yes.

40
Does the SMA/SRA appliance support printer mapping?

Answer: Yes, this is supported with the ActiveX-based RDP client only. The Microsoft Terminal Server RDP connector must be enabled first for this to work. You might need to install the correct printer driver software on the Terminal Server you are accessing.

41
Can I integrate the SMA/SRA appliance with wireless?

Answer: Yes, refer to the SonicWall Inc. Secure Wireless Networks Integrated Solutions Guide, available through Elsevier, http://www.elsevierdirect.com/.

42
Can I manage the appliance on any interface IP address of the SMA/SRA appliance?

Answer: Yes, you can manage on any of the interface IP addresses.

43
Can I allow only certain Active Directory users access to log in to the SMA/SRA appliance?

Answer: Yes. On the Users > Local Groups page, edit a group belonging to the Active Directory domain used for authentication and add one or more AD Groups under the AD Groups tab.

44
Does the HTTP(S) proxy support the full version of Outlook Web Access (OWA Premium)?

Answer: Yes.

45
Why are my RDP sessions dropping frequently?

Answer: Try adjusting the session and connection timeouts on both the SMA/SRA appliance and any appliance that sits between the endpoint client and the destination server. If the SMA/SRA appliance is behind a firewall, adjust the TCP timeout upwards and enable fragmentation.

46
Can I create my own services for bookmarks rather than the services provided in the bookmarks section?

Answer: This is not supported in the current release of software but could be supported in a future software release.

47
Why can’t I see all the servers on my network with the File Shares component?

Answer: The CIFS browsing protocol is limited by the server's buffer size for browse lists. These browse lists contain the names of the hosts in a workgroup or the shares exported by a host. The buffer size depends on the server software. Windows personal firewall has been known to cause some issues with file sharing even when it is stated to allow such access. If possible, try disabling such software on either side and then test again.

48
What port is the SMA/SRA appliance using for the Radius traffic?

Answer: It uses UDP port 1812, the standard RADIUS authentication port. Any firewall between the appliance and the RADIUS server must allow UDP 1812 from the appliance to the server, and the replies back.

49
Do the SMA/SRA appliances support the ability for the same user account to login simultaneously?

Answer: Yes. On the portal layout, you can enable or disable ‘Enforce login uniqueness’ option. If this box is unchecked, users can log in simultaneously with the same username and password.

50
Does the SMA/SRA appliance support NT LAN Manager (NTLM) Authentication?

Answer: No.

51
I cannot connect to a web server when Windows Authentication is enabled. I get the following error message when I try that: ‘It appears that the target web server is using an unsupported HTTP(S) authentication scheme through the SMA/SRA that currently supports only basic and digest authentication schemes. Contact the administrator for further assistance.’ - why?

Answer: In SRA 3.5 and earlier releases, the HTTP proxy does not support Windows Authentication (formerly called NTLM). Only basic authentication is supported.

52
Why do Java Services, such as Telnet or SSH, not work through a proxy server?

Answer: When the Java Service is started it does not use the proxy server. Transactions are done directly to the SMA/SRA appliance.

53
There is no port option for the service bookmarks – what if these are on a different port than the default?

Answer: You can specify an ‘IPaddress:port’ pair in the IP address box for HTTP, HTTPS, Telnet, Java, and VNC bookmarks.

54
What if I want a bookmark to point to a directory on a Web server?

Answer: Add the path in the IP address box: IP/mydirectory/.

55
When I access Microsoft Telnet Server using a telnet bookmark it does not allow me to enter a user name -- why?

Answer: This is not currently supported on the appliance.

56
What versions of Citrix are supported?

Answer: Citrix Portal Bookmarks have been tested and verified to support the following Citrix Application Virtualization platforms through the Citrix Web Interface:

Servers:

XenApp 7.6 (HTML5 and ActiveX only)
XenApp 6.5
XenApp 6.0
XenApp 5.0

Clients:

Receiver for Windows 4.2, 4.1, or 4.0
Receiver for Java 10.1.006
XenApp Web Plugin version 14.2, 14.1, 14.0

For browsers requiring Java to run Citrix, you must have Sun Java 1.6.0_10 or higher.

57
What applications are supported using Application Offloading?

Answer: Application Offloading should support any application using HTTP/HTTPS. SMA/SRA has limited support for applications using Web services and no support for non-HTTP protocols wrapped within HTTP.

One key aspect to consider when using Application Offloading is that the application should not contain hard-coded self-referencing URLs. If these are present, the Application Offloading proxy rewrites the URLs. Because Web site development does not usually conform to HTML standards, the proxy can only do a best-effort translation when rewriting these URLs. Specifying hard-coded, self-referencing URLs is not recommended when developing a Web site because content developers must modify the Web pages whenever the hosting server is moved to a different IP or hostname.

For example, if the backend application has a hard-coded IP and scheme within URLs as follows, then Application Off-loading needs to rewrite this URL.

<a href="http://1.1.1.1/doAction.cgi?test=foo">

This is done by enabling the Enable URL Rewriting for self-referenced URLs setting for the Application Offloading portal, but, depending on how the Web application was developed, not every URL can be rewritten. (This limitation is generally shared by other WAF/SMA vendors that employ a reverse proxy mode.)
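The kind of best-effort rewriting described above, as an added example that is not SonicWall's implementation: a small Python rewriter swaps the backend origin for the portal origin in URL-bearing attributes and in whole-URL string literals, then lists the references it could not fix. The portal origin (https://portal.example.com), the sample page and the attribute list are assumptions for illustration; the backend origin is the one in the page's own example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The backend origin is the one in the page's example; the portal origin is assumed.
BACKEND_ORIGIN = "http://1.1.1.1"
PORTAL_ORIGIN = "https://portal.example.com"

# URL-bearing attributes a browser dereferences; a proxy can rewrite these reliably.
_ATTR_RE = re.compile(
    r'(?P<attr>\b(?:href|src|action|formaction)\s*=\s*)(?P<q>["\'])(?P<url>[^"\']*)(?P=q)',
    re.IGNORECASE,
)
# Quoted string literals (inline script, JSON) that hold one complete absolute URL.
_LITERAL_RE = re.compile(r'(?P<q>["\'])(?P<url>https?://[^"\']+)(?P=q)', re.IGNORECASE)


def rewrite_url(url, backend=BACKEND_ORIGIN, portal=PORTAL_ORIGIN):
    """Swap the backend scheme and host for the portal's; leave every other URL alone."""
    u, b = urlsplit(url), urlsplit(backend)
    if u.scheme.lower() != b.scheme.lower() or u.netloc.lower() != b.netloc.lower():
        return url
    p = urlsplit(portal)
    return urlunsplit((p.scheme, p.netloc, u.path, u.query, u.fragment))


def rewrite_html(html, backend=BACKEND_ORIGIN, portal=PORTAL_ORIGIN):
    """Best-effort rewrite, as a reverse proxy would apply it on the way out to the client:
    first URL-bearing attributes, then string literals that are a complete absolute URL."""
    def attr_sub(m):
        return (m.group("attr") + m.group("q")
                + rewrite_url(m.group("url"), backend, portal) + m.group("q"))

    def lit_sub(m):
        return m.group("q") + rewrite_url(m.group("url"), backend, portal) + m.group("q")

    return _LITERAL_RE.sub(lit_sub, _ATTR_RE.sub(attr_sub, html))


def leftover_backend_refs(html, backend=BACKEND_ORIGIN):
    """Lines that still name the backend host after rewriting: what the proxy could not fix,
    and what to search an application for before relying on Application Offloading."""
    host = urlsplit(backend).hostname
    return [line.strip() for line in html.splitlines() if host in line]


# Constructed sample page: the page's own hard-coded link, a form action, a relative image,
# and inline script that assembles a URL at runtime from a bare host string.
SAMPLE_PAGE = """\
<a href="http://1.1.1.1/doAction.cgi?test=foo">Run</a>
<form action="http://1.1.1.1/login" method="post"></form>
<img src="/static/logo.png">
<script>
  var api = "http://1.1.1.1/api/v1";
  var host = "1.1.1.1";
  var legacy = "http://" + host + "/doAction.cgi";
</script>
"""

if __name__ == "__main__":
    rewritten = rewrite_html(SAMPLE_PAGE)
    print(rewritten)
    # The URL assembled from "http://" + host is never seen whole, so it is missed.
    print("not rewritten:", leftover_backend_refs(rewritten))
```

The link, the form action and the whole-URL script literal are rewritten to the portal origin; the URL built at runtime from "http://" + host survives untouched, which is exactly the class of self-reference the FAQ warns about, and leftover_backend_refs is the grep a practitioner runs against the application before enabling offloading.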

58
Is SSHv2 supported?

Answer: Yes, this is supported.

59
Should I create a Global Deny ALL policy?

Answer: Yes, SonicWall Inc. recommends that administrators set up a Global Deny ALL policy that allows access to only trusted hosts. This prevents outbound requests to malicious hosts from Secure Mobile Access. For more information on how to set up a Global Deny ALL policy, see Adding a Policy.
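Why the catch-all deny matters, as an added illustration that is not the appliance's own policy engine: the Python model below evaluates a destination against a list of policies, with the most specific destination winning and an assumed implicit allow when nothing matches. The policy shape, the trusted networks and the evaluation order are assumptions for illustration only; consult Adding a Policy for how the appliance itself orders policies.

```python
import ipaddress


def make_policy(name, action, destination, ports=None):
    """Build one policy entry (assumed shape, for illustration). ports=None means any port."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    return {
        "name": name,
        "action": action,
        "net": ipaddress.ip_network(destination, strict=False),
        "ports": None if ports is None else frozenset(ports),
    }


# Explicit allows for trusted hosts only (constructed sample entries).
TRUSTED_ALLOWS = [
    make_policy("intranet-web", "allow", "10.10.20.0/24", (80, 443)),
    make_policy("file-server", "allow", "10.10.30.5", (445,)),
]

# The catch-all the FAQ recommends: it matches everything but is the least specific entry,
# so the explicit allows above still win for the hosts and ports they name.
GLOBAL_DENY_ALL = make_policy("global-deny-all", "deny", "0.0.0.0/0")


def decide(policies, dst_ip, dst_port, default="allow"):
    """Return (action, policy name). The most specific matching destination wins; on equal
    specificity deny beats allow. `default` models what happens when no policy matches
    at all, set to 'allow' here to show what the missing catch-all would let through."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for p in policies:
        if ip.version != p["net"].version or ip not in p["net"]:
            continue
        if p["ports"] is not None and dst_port not in p["ports"]:
            continue
        if best is None or p["net"].prefixlen > best["net"].prefixlen:
            best = p
        elif p["net"].prefixlen == best["net"].prefixlen and p["action"] == "deny":
            best = p
    if best is None:
        return default, "implicit-" + default
    return best["action"], best["name"]


if __name__ == "__main__":
    hardened = TRUSTED_ALLOWS + [GLOBAL_DENY_ALL]
    for ip, port in (("10.10.20.7", 443), ("10.10.20.7", 22), ("203.0.113.9", 443)):
        print(f"with deny-all    {ip}:{port} -> {decide(hardened, ip, port)}")
        print(f"without deny-all {ip}:{port} -> {decide(TRUSTED_ALLOWS, ip, port)}")
```

With the catch-all in place, a request to a trusted host on an allowed port is permitted, the same host on an unlisted port falls through to the deny, and an arbitrary outside address is denied; without it, anything the allow entries do not mention is decided by the implicit default, which is the gap the FAQ is warning about.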

Using the Command Line Interface

The Command Line Interface (CLI) is a text-only mechanism for interacting with a computer operating system or software by typing commands to complete specific tasks. It is a critical part of the deployment of the SMA 500v Virtual Appliance, where basic networking needs to be configured from the console. The CLI is also supported on the SRA 4600 and 1600 appliances.

While the SMA/SRA physical appliance products have a default IP address and network configuration that requires a client’s network settings to be reconfigured to connect, the network settings in an existing VMware virtual environment might conflict with the SMA/SRA appliance defaults. The CLI utility remedies this by allowing basic configuration of the network settings when deploying the Virtual Appliance.

NOTE: The SonicWall Inc. Secure Mobile Access CLI allows configuration of only the X0 interface on the SRA 4600/1600 or SMA 500v Virtual Appliance.
NOTE: To use the CLI on a serial connection or in an SSH management session, you need to use a terminal emulation application (such as Tera Term) or an SSH Client application (such as PuTTY). You can find suitable, free terminal emulators on the Internet.

For the SMA/SRA physical appliances, console access is achieved by connecting a computer to the serial port. Use the following settings:

Baud: 115200
Data Bits: 8
Parity: None
Stop Bits: 1
No flow control

For the Virtual Appliance, the following login prompt is displayed after the firmware has fully booted:

In the following examples, user input is highlighted in bold to indicate text entered by the user.

To access the CLI, log in as admin. The password is the same as the one configured for the admin account on the appliance; the factory default is password. Change that default before the appliance is reachable from any network you do not fully control, because the same credential also opens the Web management interface.

sslvpn login: admin
Password: password

If the incorrect password is entered, the login prompt is displayed again. If the correct password is entered, the CLI is launched.

For hardware and Virtual Appliances, basic system information and network settings are displayed along with the main menu, as in the following example:

You can press Ctrl-C at any time to log out and exit the CLI, returning to the login prompt.

The main menu has four selections:

1
Setup Wizard – This option launches a simple wizard to change the basic network settings, starting with the X0 IP Address, X0 subnet mask, default gateway, primary and secondary DNS, and the hostname. The following CLI output illustrates an example where each field is changed:

X0 IP Address (default 192.168.200.1): 192.168.200.201
X0 Subnet Mask (default 255.255.255.0): 255.255.0.0
Default Gateway (default 192.168.200.2): 192.168.200.1
Primary DNS: 10.50.128.52
Secondary DNS (optional, enter "none" to disable): 4.2.2.2
Hostname (default sslvpn): sslvpn

New Network Settings:
X0 IP Address: 192.168.200.201
X0 Subnet mask: 255.255.0.0
Default Gateway: 192.168.200.1
Primary DNS: 10.50.128.52
Secondary DNS: 4.2.2.2
Hostname: sslvpn

Would you like to save these changes (y/n)?

If a field is not filled out, the prior value is retained, allowing you to change only a single field. After each field has been prompted, the new network settings are shown and a confirmation message is given for the user to review and verify the changes before applying them. The following shows the result when you save the changes:

Would you like to save these changes (y/n)? y
Saving changes...please wait....
Changes saved!
Press <Enter> to continue...

After saving the changes, press Enter to return to the original display of the System Information and Network Settings and verify that the changes have taken effect:

If no changes are saved, the following message is displayed and pressing Enter returns to the initial display of the System Information and Network Settings:

No changes have been made.
Press <Enter> to continue...

NOTE: When applying settings that change the IP address, there might be a delay of up to five seconds as the interface settings are updated.
2
Reboot – Selecting this option displays a confirmation prompt and then reboots:

Reboot
Are you sure you want to reboot (y/n)?

3
Restart SSL-VPN Services – This option displays a confirmation prompt and then restarts the Web server and the related Secure Mobile Access daemon services. This command is equivalent to issuing the EasyAccessCtrl restart command.

Restart SSL-VPN Services
Are you sure you want to restart the SSL-VPN services (y/n)? y

Restarting SSL-VPN services...please wait.
Stopping SMM: [ OK ]
Stopping Firebase :[ OK ]
Stopping FTP Session:[ OK ]
Stopping HTTPD: [ OK ]
Cleaning Apache State: [ OK ]
Stopping Graphd :[ OK ]

Cleaning Temporary files........
Starting SMM: [ OK ]
Starting firebase: [ OK ]
Starting httpd: [ OK ]
Starting ftpsession: [ OK ]
Starting graphd: [ OK ]

Restart completed...returning to main menu...

4
Logout – The logout option ends the CLI session and returns to the login prompt.

SafeMode

SafeMode is a limited Web management interface that provides a way to upload firmware from your computer and reboot the appliance.

The SafeMode feature allows you to recover quickly from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.

You can get to the SafeMode CLI by pressing the SafeMode switch to reboot into SafeMode, and then logging in as admin. The password is the same as the password for the admin account that is configured on the appliance. The default is password.

sma400 login: admin
Password: password

When an incorrect password is entered, the login prompt is displayed again. When the correct password is entered, the SafeMode CLI is launched.

The numbered options explain themselves. Select the number of the option you would like to perform. For the first option, to Manage Firmware Images, press 1. The following screen appears with five additional options.

The five additional options explain themselves. Select the number of the option you would like to perform. For the first option, to Boot Current Firmware, press 1. The following screen appears with three additional options.

The three additional options explain themselves. Select the number of the option you would like to perform.

For more instructions on how to restart your appliance in SafeMode, refer to the Getting Started Guide for your particular appliance.

Using SMS Email Formats

This section provides a list of SMS (Short Message Service) formats for worldwide cellular carriers. Find the correct format for your carrier from the following list, using your own phone number before the @ sign.

NOTE: These SMS email formats are for reference only. These email formats are subject to change and can vary. You might need additional service or information from your provider before using SMS. Contact the SMS provider directly to verify these formats and for further information on SMS services, options, and capabilities.
 

SMS formats based on carrier 

Carrier

SMS Format

3River Wireless

4085551212@sms.3rivers.net

AirTel

4085551212@airtelmail.com

AT&T Wireless

4085551212@mobile.att.net

Andhra Pradesh Airtel

4085551212@airtelap.com

Andhra Pradesh Idea Cellular

4085551212@ideacellular.net

Alltel PC

4085551212@message.alltel.com

Alltel

4085551212@alltelmessage.com

Arch Wireless

4085551212@archwireless.net

BeeLine GSM

4085551212@sms.beemail.ru

BeeLine (Moscow)

4085551212@sms.gate.ru

Bell Canada

4085551212@txt.bellmobility.ca

Bell Canada

4085551212@bellmobility.ca

Bell Atlantic

4085551212@message.bam.com

Bell South

4085551212@sms.bellsouth.com

Bell South

4085551212@wireless.bellsouth.com

Bell South

4085551212@blsdcs.net

Bite GSM (Lithuania)

4085551212@sms.bite.lt

Bluegrass Cellular

4085551212@sms.bluecell.com

BPL mobile

4085551212@bplmobile.com

Celcom (Malaysia)

4085551212@sms.celcom.com.my

Cellular One

4085551212@mobile.celloneusa.com

Cellular One East Cost

4085551212@phone.cellone.net

Cellular One South West

4085551212@swmsg.com

Cellular One

4085551212@mobile.celloneusa.com

Cellular One

4085551212@cellularone.txtmsg.com

Cellular One

4085551212@cellularone.textmsg.com

Cellular South

4085551212@csouth1.com

CenturyTel

4085551212@messaging.centurytel.net

Cingular

4085551212@mobile.mycingular.net

Cingular Wireless

4085551212@mycingular.textmsg.com

Comcast

4085551212@comcastpcs.textmsg.com

CZECH EuroTel

4085551212@sms.eurotel.cz

CZECH Paegas

4085551212@sms.paegas.cz

Chennai Skycell / Airtel

4085551212@airtelchennai.com

Chennai RPG Cellular

4085551212@rpgmail.net

Comviq GSM Sweden

4085551212@sms.comviq.se

Corr Wireless Communications

4085551212@corrwireless.net

D1 De TeMobil

4085551212@t-d1-sms.de

D2 Mannesmann Mobilefunk

4085551212@d2-message.de

DT T-Mobile

4085551212@t-mobile-sms.de

Delhi Airtel

4085551212@airtelmail.com

Delhi Hutch

4085551212@delhi.hutch.co.in

Dobson-Cellular One

4085551212@mobile.cellularone.com

Dobson Cellular Systems

4085551212@mobile.dobson.net

Edge Wireless

4085551212@sms.edgewireless.com

E-Plus (Germany)

4085551212 @eplus.de

EMT

4085551212@sms.emt.ee

Eurotel (Czech Republic)

4085551212@sms.eurotel.cz

Europolitan Sweden

4085551212@europolitan.se

Escotel

4085551212@escotelmobile.com

Estonia EMT

4085551212@sms-m.emt.ee

Estonia RLE

4085551212@rle.ee

Estonia Q GSM

4085551212@qgsm.ee

Estonia Mobil Telephone

4085551212@sms.emt.ee

Fido

4085551212@fido.ca

Georgea geocell

4085551212@sms.ge

Goa BPLMobil

4085551212@bplmobile.com

Golden Telecom

4085551212@sms.goldentele.com

Golden Telecom (Kiev, Ukraine only)

4085551212@sms.gt.kiev.ua

GTE

4085551212@messagealert.com

GTE

4085551212@airmessage.net

Gujarat Idea

4085551212@ideacellular.net

Gujarat Airtel

4085551212@airtelmail.com

Gujarat Celforce / Fascel

4085551212@celforce.com

Goa Airtel

4085551212@airtelmail.com

Goa BPLMobil

4085551212@bplmobile.com

Goa Idea Cellular

4085551212@ideacellular.net

Haryana Airtel

4085551212@airtelmail.com

Haryana Escotel

4085551212@escotelmobile.com

Himachal Pradesh Airtel

4085551212@airtelmail.com

Houston Cellular

4085551212@text.houstoncellular.net

Hungary Pannon GSM

4085551212@sms.pgsm.hu

Idea Cellular

4085551212@ideacellular.net

Inland Cellular Telephone

4085551212@inlandlink.com

ISRAel Orange IL

4085551212- @shiny.co.il

Karnataka Airtel

4085551212@airtelkk.com

Kerala Airtel

4085551212@airtelmail.com

Kerala Escotel

4085551212@escotelmobile.com

Kerala BPL Mobile

4085551212@bplmobile.com

Kyivstar (Kiev Ukraine only)

4085551212@sms.kyivstar.net

Kyivstar

4085551212@smsmail.lmt.lv

Kolkata Airtel

4085551212@airtelkol.com

Latvia Baltcom GSM

4085551212@sms.baltcom.lv

Latvia TELE2

4085551212@sms.tele2.lv

LMT

4085551212@smsmail.lmt.lv

Madhya Pradesh Airtel

4085551212@airtelmail.com

Maharashtra Idea Cellular

4085551212@ideacellular.net

MCI Phone

408555121 @mci.com

Meteor

4085551212@mymeteor.ie

Metro PCS

4085551212@mymetropcs.com

Metro PCS

4085551212@metorpcs.sms.us

MiWorld

4085551212@m1.com.sg

Mobileone

4085551212@m1.com.sg

Mobilecomm

4085551212@mobilecomm.net

Mobtel

4085551212@mobtel.co.yu

Mobitel (Tanazania)

4085551212@sms.co.tz

Mobistar Belgium

4085551212@mobistar.be

Mobility Bermuda

4085551212@ml.bm

Movistar (Spain)

4085551212@correo.movistar.net

Maharashtra Airtel

4085551212@airtelmail.com

Maharashtra BPL Mobile

4085551212@bplmobile.com

Manitoba Telecom Systems

4085551212@text.mtsmobility.

Mumbai Orange

4085551212@orangemail.co.in

MTS (Russia)

4085551212@sms.mts.ru

MTC

4085551212@sms.mts.ru

Mumbai BPL Mobile

4085551212@bplmobile.com

MTN (South Africa only)

4085551212@sms.co.za

MiWorld (Singapore)

4085551212@m1.com.sg

NBTel

4085551212@wirefree.informe.ca

Netcom GSM (Norway)

4085551212@sms.netcom.no

Nextel

4085551212@messaging.nextel.com

Nextel

4085551212@nextel.com.br

NPI Wireless

4085551212@npiwireless.com

Ntelos

4085551212number@pcs.ntelos.com

One Connect Austria

4085551212@onemail.at

OnlineBeep

4085551212@onlinebeep.net

Omnipoint

4085551212@omnipointpcs.com

Optimus (Portugal)

4085551212@sms.optimus.pt

Orange - NL / Dutchtone

4085551212@sms.orange.nl

Orange

4085551212@orange.net

Oskar

4085551212@mujoskar.cz

Pacific Bell

4085551212@pacbellpcs.net

PCS One

4085551212@pcsone.net

Pioneer / Enid Cellular

4085551212@msg.pioneerenidcellular.com

PlusGSM (Poland only)

4085551212@text.plusgsm.pl

P&T Luxembourg

4085551212@sms.luxgsm.lu

Poland PLUS GSM

4085551212@text.plusgsm.pl

Primco

4085551212@primeco@textmsg.com

Primtel

4085551212@sms.primtel.ru

Public Service Cellular

4085551212@sms.pscel.com

Punjab Airtel

4085551212@airtelmail.com

Qwest

4085551212@qwestmp.com

Riga LMT

4085551212@smsmail.lmt.lv

Rogers AT&T Wireless

4085551212@pcs.rogers.com

Safaricom

4085551212@safaricomsms.com

Satelindo GSM

4085551212@satelindogsm.com

Simobile (Slovenia)

4085551212@simobil.net

Sunrise Mobile

4085551212@mysunrise.ch

Sunrise Mobile

4085551212@freesurf.ch

SFR France

4085551212@sfr.fr

SCS-900

4085551212@scs-900.ru

Southwestern Bell

4085551212@email.swbw.com

Sonofon Denmark

4085551212@note.sonofon.dk

Sprint PCS

4085551212@messaging.sprintpcs.com

Sprint

4085551212@sprintpaging.com

Swisscom

4085551212@bluewin.ch

Swisscom

4085551212@bluemail.ch

Telecom Italia Mobile (Italy)

4085551212@posta.tim.it

Telenor Mobil Norway

4085551212@mobilpost.com

Telecel (Portugal)

4085551212@sms.telecel.pt

Tele2

4085551212@sms.tele2.lv

Tele Danmark Mobil

4085551212@sms.tdk.dk

Telus

4085551212@msg.telus.com

Telenor

4085551212@mobilpost.no

Telia Denmark

4085551212@gsm1800.telia.dk

TIM

4085551212 @timnet.com

TMN (Portugal)

4085551212@mail.tmn.pt

T-Mobile Austria

4085551212@sms.t-mobile.at

T-Mobile Germany

4085551212@t-d1-sms.de

T-Mobile UK

4085551212@t-mobile.uk.net

T-Mobile USA

4085551212@tmomail.net

Triton

4085551212@tms.suncom.com

Tamil Nadu Aircel

4085551212@airsms.com

Tamil Nadu BPL Mobile

4085551212 @bplmobile.com

UMC GSM

4085551212@sms.umc.com.ua

Unicel

4085551212@utext.com

Uraltel

4085551212@sms.uraltel.ru

US Cellular

4085551212@email.uscc.net

US West

4085551212@uswestdatamail.com

Uttar Pradesh (West) Escotel

4085551212@escotelmobile.com

Verizon

4085551212@vtext.com

Verizon PCS

4085551212@myvzw.com

Virgin Mobile

4085551212@vmobl.com

Vodafone Omnitel (Italy)

4085551212@vizzavi.it

Vodafone Italy

4085551212@sms.vodafone.it

Vodafone Japan

4085551212@pc.vodafone.ne.jp

Vodafone Japan

4085551212@h.vodafone.ne.jp

Vodafone Japan

4085551212@t.vodafone.ne.jp

Vodafone Spain

4085551212@vodafone.es

Vodafone UK

4085551212@vodafone.net

West Central Wireless

4085551212@sms.wcc.net

Western Wireless

4085551212@cellularonewest.com
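The carrier table above is typed by hand into the appliance, so it is worth checking an entry before a user's number is sent to it. The following Python is an added example written for this page, not code from the guide or from SonicWall: it normalizes a table entry, rejects anything that is not "example-number@hostname" (which catches a doubled "@" such as the Primco entry printed above, or a top-level label cut short), and builds the email-to-SMS address for a subscriber number written with separators. The sample table is a constructed subset; the Vodafone Japan value in it is a constructed malformed entry, and the seven-digit minimum on subscriber numbers is an assumption of the example, not a rule from the guide.

```python
import re

# Constructed sample in the same two-column form as the carrier table on this
# page (example number 4085551212). The Primco value is copied as printed on
# the page; the Vodafone Japan value is a constructed example of a truncated
# top-level label; the TIM value carries stray whitespace to show normalization.
SAMPLE_GATEWAYS = {
    "T-Mobile USA": "4085551212@tmomail.net",
    "Verizon": "4085551212@vtext.com",
    "Vodafone UK": "4085551212@vodafone.net",
    "TIM": "4085551212 @timnet.com",
    "Primco": "4085551212@primeco@textmsg.com",
    "Vodafone Japan": "4085551212@pc.vodafone.ne.j",
}

EXAMPLE_NUMBER = "4085551212"

# Hostname syntax: dot-separated labels of letters, digits and hyphens, plus a
# top-level label of at least two letters. This is a syntax check only; it
# cannot tell whether a gateway still exists or still relays mail to SMS.
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE
)


def gateway_domain(entry):
    """Return the gateway domain from a table entry, or None if it is malformed.

    Whitespace inside the entry is treated as copy noise and removed; anything
    else that is not 'example-number@hostname' is rejected, which is what
    catches a doubled '@' or a truncated top-level label.
    """
    cleaned = "".join(entry.split())
    local, sep, domain = cleaned.partition("@")
    if not sep or local != EXAMPLE_NUMBER or not DOMAIN_RE.match(domain):
        return None
    return domain.lower()


def check_table(table):
    """Map each carrier whose entry fails validation to the offending entry."""
    return {carrier: entry for carrier, entry in table.items()
            if gateway_domain(entry) is None}


def sms_address(number, carrier, table=SAMPLE_GATEWAYS):
    """Build the email-to-SMS address for a subscriber number on a carrier.

    The number may be written with +, spaces, dashes or parentheses; only the
    digits are kept. Assumption (not from the guide): a usable subscriber
    number has at least 7 digits, so shorter input is refused instead of being
    mailed to a nonexistent gateway mailbox.
    """
    entry = table[carrier]
    domain = gateway_domain(entry)
    if domain is None:
        raise ValueError(f"gateway entry for {carrier!r} is malformed: {entry!r}")
    digits = re.sub(r"\D", "", number)
    if len(digits) < 7:
        raise ValueError(f"not a usable subscriber number: {number!r}")
    return f"{digits}@{domain}"


if __name__ == "__main__":
    for carrier, entry in check_table(SAMPLE_GATEWAYS).items():
        print(f"malformed entry for {carrier}: {entry!r}")
    print(sms_address("(408) 555-1212", "T-Mobile USA"))
```

Run against the sample, the checker reports Primco and Vodafone Japan and accepts TIM once the stray space is removed. A syntactically valid entry is still only as good as the carrier behind it: gateway domains are changed or retired by carriers without notice, so confirm the address with a test message before relying on it for delivery to users.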

Support Information

This appendix contains the following sections:

GNU General Public License (GPL) Source Code

SonicWall Inc. provides a machine-readable copy of the GPL-licensed open source code on a CD. To obtain a complete machine-readable copy, send your written request, along with a certified check or money order in the amount of US $25.00 payable to “SonicWall, Inc.” to:

General Public License Source Code Request
SonicWall, Inc. Attn: Jennifer Anderson

5455 Great America Parkway
Santa Clara, CA 95054

Limited Hardware Warranty

All SonicWall Inc. appliances come with a 1-year Limited Hardware Warranty which provides delivery of critical replacement parts for defective parts under warranty. Visit the Warranty Information page for details on your product’s warranty:
https://support.sonicwall.com/essentials/support-offerings

SonicWall Inc. warrants that, commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWall Inc.) and continuing for a period of twelve (12) months, the product is free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWall Inc. and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWall Inc.'s discretion, the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWall Inc.'s obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWall Inc.'s then-current Support Services policies.

This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWall Inc.

DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

DISCLAIMER OF LIABILITY. SonicWall's SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SonicWall OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SonicWall OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWall or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

End User License Agreement

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT. BY DOWNLOADING, INSTALLING OR USING THIS PRODUCT, YOU ACCEPT AND AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. FOR DELIVERIES OUTSIDE THE UNITED STATES OF AMERICA, PLEASE GO TO HTTPS://WWW.SONICWALL.COM/LEGAL/EUPA.ASPX TO VIEW THE APPLICABLE VERSION OF THIS AGREEMENT FOR YOUR REGION. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT OR THE APPLICABLE VERSION OF THIS AGREEMENT FOR YOUR REGION, DO NOT DOWNLOAD, INSTALL OR USE THIS PRODUCT.

This SonicWall End User Product Agreement (the Agreement) is made between you, the Customer (“Customer” or “You”) and the Provider, as defined below.

1
Definitions. Capitalized terms not defined in context shall have the meanings assigned to them below:
a
“Affiliate” means any legal entity controlling, controlled by, or under common control with a party to this Agreement, for so long as such control relationship exists.
b
“Appliance” means a computer hardware product upon which Software is pre-installed and delivered.
c
“Documentation” means the user manuals and documentation that Provider makes available for the Products, and all copies of the foregoing.
d
“Maintenance Services” means Provider’s maintenance and support offering for the Products as identified in the Maintenance Services Section below.
e
“Partner” means the reseller or distributor that is under contract with Provider or another Partner and is authorized via such contract to resell the Products and/or Maintenance Services.
f
“Provider” means, (i) for the US and Taiwan, SonicWall Inc., with its principal place of business located at 4 Polaris Way, Aliso Viejo, CA 92656 USA and (ii) for Europe, Middle East, Africa, and Asia (other than Taiwan) SonicWall International Ltd. City Gate Park Mahon, Cork, Ireland.
g
“Products” means the Software and Appliance(s) provided to Customer under this Agreement.
h
“Software” means the object code version of the software that is delivered on the Appliance and any other software that is later provided to Customer as well as any new versions and releases to such software that are made available to Customer pursuant to this Agreement, and all copies of the foregoing.
2
Software License.
a
General. Subject to the terms of this Agreement, Provider grants to Customer, and Customer accepts from Provider, a non-exclusive, non-transferable (except as otherwise set forth herein) and non-sublicensable license to access and use the quantities of each item of Software purchased from Provider or a Partner within the parameters of the license type (“License Type(s)”) described below in the quantities purchased (“License”). Except for MSP Licenses (as defined below), Customer shall only use the Software to support the internal business operations of itself and its worldwide Affiliates.
b
License Types. The License Type for the Software initially delivered on the Appliance is “per Appliance”. Software licensed per Appliance may be used only on the Appliance on which it is delivered, but without any other quantitative limitations. Software that is purchased on a subscription, or periodic basis is licensed by User or by Managed Node. A “User” is each person with a unique login identity to the Software. A “Managed Node” is any object managed by the Software including, but not limited to firewalls, devices, and other items sold by Provider.
c
Software as a Service. When Customer purchases a right to access and use Software installed on equipment operated by Provider or its suppliers (the “SaaS Software”), (i) the License for such SaaS Software shall be granted for the duration of the term stated in the order (the “SaaS Term”), as such SaaS Term may be extended by automatic or agreed upon renewals, and (ii) the terms set forth in the SaaS Provisions Section of this Agreement shall apply to all access to and use of such Software. If any item of Software to be installed on Customer’s equipment is provided in connection with SaaS Software, the License duration for such Software shall be for the corresponding SaaS Term, and Customer shall promptly install any updates to such Software as may be provided by Provider.
d
MSP License.

“Management Services” include, without limitation, application, operating system, and database implementation, performance tuning, and maintenance services provided by Customer to its customers (each, a “Client”) where Customer installs copies of the Software on its Clients’ equipment or provides its Clients access to the Products. Customer shall be granted a License to use the Software and the associated Documentation to provide Management Services (the “MSP License”). Each MSP License is governed by the terms of this Agreement and any additional terms agreed to by the parties.

If the Product is to be used by Customer as a managed service provider, then Customer shall ensure that (i) Customer makes no representations or warranties related to the Products in excess of SonicWall's representations or warranties contained in this Agreement, (ii) each Client only uses the Products and Documentation as part of the Management Services provided to it by Customer, (iii) such use is subject to the restrictions and limitations contained in this Agreement, including, but not limited to those in the Export Section of this Agreement, and (iv) each Client cooperates with Provider during any compliance review that may be conducted by Provider or its designated agent. At the conclusion of any Management Services engagement with a Client, Customer shall promptly remove any Appliance and Software installed on its Client’s computer equipment or require the Client to do the same. Customer agrees that it shall be jointly and severally liable to Provider for the acts and omissions of its Clients in connection with their use of the Software and Documentation and shall, at its expense, defend Provider against any action, suit, or claim brought against Provider by a Client in connection with or related to Customer’s Management Services and pay any final judgments or settlements as well as Provider’s expenses in connection with such action, suit, or claim.

e
Evaluation/Beta License. If Software is obtained from Provider for evaluation purposes or in beta form, Customer shall be granted a License to use such Software and the associated Documentation solely for Customer’s own non-production, internal evaluation purposes (an “Evaluation License”). Each Evaluation License shall be granted for an evaluation period of up to thirty (30) days beginning (i) five (5) days after the Appliance is shipped or (ii) from the date that access is granted to the beta Software or the SaaS Software, plus any extensions granted by Provider in writing (the “Evaluation Period”). There is no fee for an Evaluation License during the Evaluation Period, however, Customer is responsible for any applicable shipping charges or taxes which may be incurred, and any fees which may be associated with usage beyond the scope permitted herein. Beta Software licensed hereunder may include pre-release features and capabilities which may not be available in SonicWall’s generally available commercial versions of the Software. SonicWall retains the right during the term to modify, revise, or remove SonicWall beta software from Customer's premises. Customer acknowledges that SonicWall owns all modifications, derivative works, changes, expansions or improvements to beta software, as well as all reports, testing data or results, feedback, benchmarking or other analysis completed in whole or in part in conjunction with usage of beta software. 
NOTWITHSTANDING ANYTHING OTHERWISE SET FORTH IN THIS AGREEMENT, CUSTOMER UNDERSTANDS AND AGREES THAT EVALUATION AND BETA SOFTWARE IS PROVIDED “AS IS”, WHERE IS, WITH ALL FAULTS AND THAT SONICWALL DOES NOT PROVIDE A WARRANTY OR MAINTENANCE SERVICES FOR EVALUATION OR BETA LICENSES, AND SONICWALL BEARS NO LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES RESULTING FROM USE (OR ATTEMPTED USE) OF THE EVALUATION OR BETA SOFTWARE THROUGH AND AFTER THE EVALUATION PERIOD AND HAS NO DUTY TO PROVIDE SUPPORT TO CUSTOMER FOR SUCH SOFTWARE. BETA SOFTWARE MAY CONTAIN DEFECTS AND A PRIMARY PURPOSE OF LICENSING THE BETA SOFTWARE IS TO OBTAIN FEEDBACK ON THE SOFTWARE’S PERFORMANCE AND THE IDENTIFICATION OF DEFECTS. CUSTOMER IS ADVISED TO SAFEGUARD IMPORTANT DATA, TO USE CAUTION AND NOT TO RELY IN ANY WAY ON THE CORRECT FUNCTIONING OR PERFORMANCE OF THE BETA SOFTWARE AND/OR ACCOMPANYING MATERIALS.
f
Use by Third Parties. Customer may allow its services vendors and contractors (each, a “Third Party User”) to access and use the Products and Documentation provided to Customer hereunder solely for purposes of providing services to Customer, provided that Customer ensures that (i) the Third Party User’s access to or use of the Products and Documentation is subject to the restrictions and limitations contained in this Agreement, including, but not limited to those in the Export Section, (ii) the Third Party User cooperates with Provider during any compliance review that may be conducted by Provider or its designated agent, and (iii) each Third Party User promptly removes any Software installed on its computer equipment upon the completion of the Third Party User’s need to access or use the Products as permitted by this Section. Customer agrees that it shall be liable to Provider for those acts and omissions of its Third Party Users which, if done or not done by Customer, would be a breach of this Agreement.
3
Restrictions. Customer may not reverse engineer, decompile, disassemble, or attempt to discover or modify in any way the underlying source code of the Software, or any part thereof unless and to the extent (a) such restrictions are prohibited by applicable law and (b) Customer has requested interoperability information in writing from Provider and Provider has not provided such information in a timely manner. In addition, Customer may not (i) modify, translate, localize, adapt, rent, lease, loan, create or prepare derivative works of, or create a patent based on the Products, Documentation or any part thereof, (ii) resell, sublicense or distribute the Products or Documentation, (iii) provide, make available to, or permit use of the Products, in whole or in part, by any third party (except as expressly set forth herein), (iv) use the Products or Documentation to create or enhance a competitive offering or for any other purpose which is competitive to Provider, (v) remove Software that was delivered on an Appliance from the Appliance on which it was delivered and load such Software onto a different appliance without Provider’s prior written consent, or (vi) perform or fail to perform any other act which would result in a misappropriation or infringement of Provider’s intellectual property rights in the Products or Documentation. Each permitted copy of the Software and Documentation made by Customer hereunder must contain all titles, trademarks, copyrights and restricted rights notices as in the original. Customer understands and agrees that the Products may work in conjunction with third party products and Customer agrees to be responsible for ensuring that it is properly licensed to use such third party products. 
Notwithstanding anything otherwise set forth in this Agreement, the terms and restrictions set forth herein shall not prevent or restrict Customer from exercising additional or different rights to any open source software that may be contained in or provided with the Products in accordance with the applicable open source software licenses which shall be either included with the Products or made available to Customer upon request. Customer may not use any license keys or other license access devices not provided by Provider, including but not limited to “pirate keys”, to install or access the Software.
4
Proprietary Rights. Customer understands and agrees that (i) the Products are protected by copyright and other intellectual property laws and treaties, (ii) Provider, its Affiliates and/or its licensors own the copyright, and other intellectual property rights in the Products, (iii) the Software is licensed, and not sold, (iv) this Agreement does not grant Customer any rights to Provider’s trademarks or service marks, and (v) Provider reserves any and all rights, implied or otherwise, which are not expressly granted to Customer in this Agreement.
5
Title. Provider, its Affiliates and/or its licensors own the title to all Software.
6
Payment. Customer agrees to pay to Provider (or, if applicable, the Partner) the fees specified in each order, including any applicable shipping fees. Customer will be invoiced promptly following delivery of the Products or prior to the commencement of any Renewal Maintenance Period and Customer shall make all payments due to Provider in full within thirty (30) days from the date of each invoice or such other period (if any) stated in an order. Provider reserves the right to charge Customer a late penalty of 1.5% per month (or the maximum rate permitted by law, whichever is the lesser) for any amounts payable to Provider by Customer that are not subject to a good faith dispute and that remain unpaid after the due date until such amount is paid.
7
Taxes. The fees stated in an order from Provider or a Partner may not include taxes. If Provider is required to pay sales, use, property, value-added or other taxes based on the Products or Maintenance Services provided under this Agreement or on Customer’s use of Products or Maintenance Services, then such taxes shall be billed to and paid by Customer. This Section does not apply to taxes based on Provider’s or a Partner’s income.
8
Termination.
a
This Agreement or the Licenses granted hereunder may be terminated (i) by mutual written agreement of Provider and Customer or (ii) by either party for a breach of this Agreement by the other party (or a Third Party User) that the breaching party fails to cure to the non-breaching party’s reasonable satisfaction within thirty (30) days following its receipt of notice of the breach. Notwithstanding the foregoing, in the case of MSP Licenses, if Customer or its Client breaches this Agreement two (2) times in any twelve (12) consecutive month period, the breaching party shall not have a cure period for such breach and Provider may terminate this Agreement immediately upon providing written notice to the breaching party.
b
Upon termination of this Agreement or expiration or termination of a License for any reason, all rights granted to Customer for the applicable Software shall immediately cease and Customer shall immediately: (i) cease using the applicable Software and Documentation, (ii) remove all copies, installations, and instances of the applicable Software from all Appliances, Customer computers and any other devices on which the Software was installed, and ensure that all applicable Third Party Users and Clients do the same, (iii) return the applicable Software to Provider together with all Documentation and other materials associated with the Software and all copies of any of the foregoing, or destroy such items, (iv) cease using the Maintenance Services associated with the applicable Software, (v) pay Provider or the applicable Partner all amounts due and payable up to the date of termination, and (vi) give Provider a written certification, within ten (10) days, that Customer, Third Party Users, and Clients, if applicable, have complied with all of the foregoing obligations.
c
Any provision of this Agreement that requires or contemplates execution after (i) termination of this Agreement, (ii) a termination or expiration of a License, or (iii) the expiration of a SaaS Term, is enforceable against the other party and their respective successors and assignees notwithstanding such termination or expiration, including, without limitation, the Restrictions, Payment, Taxes, Termination, Survival, Warranty Disclaimer, Infringement Indemnity, Limitation of Liability, Confidential Information, Compliance Verification, and General Sections of this Agreement. Termination of this Agreement or a License shall be without prejudice to any other remedies that the terminating party or a Partner may have under law, subject to the limitations and exclusions set forth in this Agreement.
9
Export. Customer acknowledges that the Products and Maintenance Services are subject to the export control laws, rules, regulations, restrictions and national security controls of the United States and other applicable foreign agencies (the “Export Controls”) and agrees to abide by the Export Controls. Customer hereby agrees to use the Products and Maintenance Services in accordance with the Export Controls, and shall not export, re-export, sell, lease or otherwise transfer the Products or any copy, portion or direct product of the foregoing in violation of the Export Controls. Customer is solely responsible for obtaining all necessary licenses or authorizations relating to the export, re-export, sale, lease or transfer of the Products and for ensuring compliance with the requirements of such licenses or authorizations. Customer hereby (i) represents that Customer, and if Customer is providing services under the MSP License herein each of its Clients, is not an entity or person to which shipment of Products, or provision of Maintenance Services, is prohibited by the Export Controls; and (ii) agrees that it shall not export, re-export or otherwise transfer the Products to (a) any country subject to a United States trade embargo, (b) a national or resident of any country subject to a United States trade embargo, (c) any person or entity to which shipment of Products is prohibited by the Export Controls, or (d) anyone who is engaged in activities related to the design, development, production, or use of nuclear materials, nuclear facilities, nuclear weapons, missiles or chemical or biological weapons. 
Customer shall, at its expense, defend Provider and its Affiliates from any third party claim or action arising out of any inaccurate representation made by Customer regarding the existence of an export license, Customer’s failure to provide information to Provider to obtain an export license, or any allegation made against Provider due to Customer’s violation or alleged violation of the Export Controls (an “Export Claim”) and shall pay any judgments or settlements reached in connection with the Export Claim as well as Provider’s costs of responding to the Export Claim.
10
Maintenance Services.
a
Description. During any Maintenance Period, Provider shall:

(i) Make available to Customer new versions and releases of the Software, if and when Provider makes them generally available without charge as part of Maintenance Services.

(ii) Respond to communications from Customer that report Software failures not previously reported to Provider by Customer. Nothing in the foregoing shall operate to limit or restrict follow up communication by Customer regarding Software failures.

(iii) Respond to requests from Customer’s technical coordinators for assistance with the operational/technical aspects of the Software unrelated to a Software failure. Provider shall have the right to limit such responses if Provider reasonably determines that the volume of such non-error related requests for assistance is excessive or overly repetitive in nature.

(iv) Provide access to Provider’s software support web site at https://support.sonicwall.com (the “Support Site”).

(v) For Customers that have purchased Maintenance Services continuously since the purchase of such License, provide the repair and return program described on the Support Site for the Appliance on which the Software is delivered.

Maintenance Services are available during regional business support hours (“Business Hours”) as indicated on the Support Site, unless Customer has purchased 24x7 Support. The list of Software for which 24x7 Support is available and/or required is listed in the Global Support Guide on the Support Site.

The Maintenance Services for Software that Provider has obtained through an acquisition or merger may, for a period of time following the effective date of the acquisition or merger, be governed by terms other than those in this Section. The applicable different terms, if any, shall be stated on the Support Site.

b
Maintenance Period. The first period for which Customer is entitled to receive Maintenance Services begins on the date of the registration of the Product at Provider’s registration portal (the “Registration”) and ends twelve (12) months thereafter (the “Initial Maintenance Period”). Following the Initial Maintenance Period, Maintenance Services for the Product(s) may then be renewed for additional terms of twelve (12) or more months (each, a “Renewal Maintenance Period”). For purposes of this Agreement, the Initial Maintenance Period and each Renewal Maintenance Period shall be considered a “Maintenance Period.” For the avoidance of doubt, this Agreement shall apply to each Renewal Maintenance Period. Cancellation of Maintenance Services will not terminate Customer’s rights to continue to otherwise use the Products. Maintenance fees shall be due in advance of each Renewal Maintenance Period and shall be subject to the payment requirements set forth in this Agreement. The procedure for reinstating Maintenance Services for the Products after it has lapsed is posted at https://support.sonicwall.com/essentials/support-guide. Maintenance Services are optional and only provided if purchased separately.

For SaaS Software, the Maintenance Period is equal to the duration of the applicable SaaS Term. For non-perpetual Licenses or for non-perpetual MSP Licenses, the Maintenance Period is equal to the duration of the License.

11
Warranties and Remedies.
a
Software Warranties. Provider warrants that, during the applicable Warranty Period (as defined in subsection (c) below),

(i) the operation of the Software, as provided by Provider, will substantially conform to its Documentation (the “Operational Warranty”);

(ii) the Software, as provided by Provider, will not contain any viruses, worms, Trojan Horses, or other malicious or destructive code designed by Provider to allow unauthorized intrusion upon, disabling of, or erasure of the Software, except that the Software may contain a key limiting its use to the scope of the License granted, and license keys issued by Provider for temporary use are time-sensitive (the “Virus Warranty”);

(iii) it will make commercially reasonable efforts to make the SaaS Software available twenty-four hours a day, seven days a week except for scheduled maintenance, the installation of updates, those factors that are beyond the reasonable control of Provider, Customer’s failure to meet any minimum system requirements communicated to Customer by Provider, and any breach of this Agreement by Customer that impacts the availability of the SaaS Software (the “SaaS Availability Warranty”).

b
Appliance Warranties. Provider warrants that, during the applicable Warranty Period, the Appliance will operate in a manner which allows the Software to be used in substantial conformance with the Documentation (the “Appliance Warranty”).
c
Warranty Periods. The “Warranty Period” for each of the above warranties (except for E-class appliances, which do not include a Software warranty) shall be as follows: (i) for the Operational Warranty as it applies to Software and the Virus Warranty, ninety (90) days following the initial Registration of the Software; (ii) for the Operational Warranty as it applies to SaaS Software and the SaaS Availability Warranty, the duration of the SaaS Term; and (iii) for the Appliance Warranty, one (1) year following the date the Appliance is registered with Provider.
d
Remedies. Any breach of the foregoing warranties must be reported by Customer to Provider during the applicable Warranty Period. Customer’s sole and exclusive remedy and Provider’s sole obligation for any such breach shall be as follows:

(i) For a breach of the Operational Warranty that impacts the use of Software, Provider shall correct or provide a workaround for reproducible errors in the Software that caused the breach within a reasonable time considering the severity of the error and its effect on Customer or, at Provider’s option, refund the license fees paid for the nonconforming Software upon return of such Software to Provider and termination of the related License(s) hereunder.

(ii) For a breach of the Operational Warranty that impacts the use of SaaS Software, Provider shall correct or provide a workaround for reproducible errors in the Software that caused the breach and provide a credit or refund of the fees allocable to the period during which the Software was not operating in substantial conformance with the applicable Documentation.

(iii) For a breach of the Virus Warranty, Provider shall replace the Software with a copy that is in conformance with the Virus Warranty.

(iv) For a breach of the SaaS Availability Warranty, Provider shall provide a credit or refund of the fees allocable to the period during which the SaaS Software was not available for use.

e
Warranty Exclusions. The warranties set forth in this Section shall not apply to any non-conformance (i) that Provider cannot recreate after exercising commercially reasonable efforts to attempt to do so; (ii) caused by misuse of the applicable Product or by using the Product in a manner that is inconsistent with this Agreement or the Documentation; or (iii) arising from the modification of the Product by anyone other than Provider.
f
Third Party Products. Certain Software may contain features designed to interoperate with third-party products. If the third-party product is no longer made available by the applicable provider, Provider may discontinue the related product feature. Provider shall notify Customer of any such discontinuation, however Customer will not be entitled to any refund, credit or other compensation as a result of the discontinuation.
g
Warranty Disclaimer. THE EXPRESS WARRANTIES AND REMEDIES SET FORTH IN THIS SECTION ARE THE ONLY WARRANTIES AND REMEDIES PROVIDED BY PROVIDER HEREUNDER. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ALL OTHER WARRANTIES OR REMEDIES ARE EXCLUDED, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, AND ANY WARRANTIES ARISING FROM USAGE OF TRADE OR COURSE OF DEALING OR PERFORMANCE. PROVIDER DOES NOT WARRANT UNINTERRUPTED OR ERROR-FREE OPERATION OF THE PRODUCTS.
h
High-Risk Disclaimer. Customer understands and agrees that the Products are not fault-tolerant and are not designed or intended for use in any high-risk or hazardous environment, including without limitation, the operation of nuclear facilities, aircraft navigation, air traffic control, life support machines, weapons systems, or any other application where the failure or malfunction of any Product can reasonably be expected to result in death, personal injury, severe property damage or severe environmental harm (a “High Risk Environment”). Accordingly, (i) Customer should not use the Products in a High Risk Environment, (ii) any use of the Products by Customer in a High Risk Environment is at Customer’s own risk, (iii) Provider, its Affiliates and suppliers shall not be liable to Customer in any way for use of the Products in a High Risk Environment, and (iv) Provider makes no warranties or assurances, express or implied, regarding use of the Products in a High Risk Environment.
12. Infringement Indemnity. Provider shall indemnify Customer from and against any claim, suit, action, or proceeding brought against Customer by a third party to the extent it is based on an allegation that the Software directly infringes any patent, copyright, trademark, or other proprietary right enforceable in the country in which Provider has authorized Customer to use the Software, including, but not limited to the country to which the Software is delivered to Customer, or misappropriates a trade secret in such country (a “Claim”). Indemnification for a Claim shall consist of the following: Provider shall (a) defend or settle the Claim at its own expense, (b) pay any judgments finally awarded against Customer under a Claim or any amounts assessed against Customer in any settlements of a Claim, and (c) reimburse Customer for the reasonable administrative costs or expenses, including without limitation reasonable attorneys’ fees, it necessarily incurs in responding to the Claim. Provider’s obligations under this Infringement Indemnity Section are conditioned upon Customer (i) giving prompt written notice of the Claim to Provider, (ii) permitting Provider to retain sole control of the investigation, defense or settlement of the Claim, and (iii) providing Provider with cooperation and assistance as Provider may reasonably request in connection with the Claim.
Provider shall have no obligation hereunder to defend Customer against any Claim (a) resulting from use of the Software other than as authorized by this Agreement, (b) resulting from a modification of the Software other than by Provider, (c) based on Customer’s use of any release of the Software after Provider recommends discontinuation because of possible or actual infringement and has provided a non-infringing version at no charge, or (d) to the extent the Claim arises from or is based on the use of the Software with other products, services, or data not supplied by Provider if the infringement would not have occurred but for such use. If, as a result of a Claim or an injunction, Customer must stop using any Software (“Infringing Software”), Provider shall at its expense and option either (1) obtain for Customer the right to continue using the Infringing Software, (2) replace the Infringing Software with a functionally equivalent non-infringing product, (3) modify the Infringing Software so that it is non-infringing, or (4) terminate the License for the Infringing Software and (A) for non-SaaS Software, accept the return of the Infringing Software and refund the license fee paid for the Infringing Software, pro-rated over a sixty (60) month period from the date of initial delivery of such Software, or (B) for SaaS Software, discontinue Customer’s right to access and use the Infringing Software and refund the unused pro-rated portion of any license fees pre-paid by Customer for such Software. This Section states Provider’s entire liability and its sole and exclusive indemnification obligations with respect to a Claim and Infringing Software.
13. Limitation of Liability. EXCEPT FOR (A) ANY BREACH OF THE RESTRICTIONS OR CONFIDENTIAL INFORMATION SECTIONS OF THIS AGREEMENT, (B) AMOUNTS CONTAINED IN JUDGMENTS OR SETTLEMENTS WHICH PROVIDER OR CUSTOMER IS LIABLE TO PAY TO A THIRD PARTY UNDER THE INFRINGEMENT INDEMNITY SECTION OF THIS AGREEMENT AND CUSTOMER IS LIABLE TO PAY ON BEHALF OF OR TO PROVIDER UNDER THE CONDUCT, EXPORT, MSP LICENSE, AND USE BY THIRD PARTIES SECTIONS OF THIS AGREEMENT, OR (C) ANY LIABILITY TO THE EXTENT LIABILITY MAY NOT BE EXCLUDED OR LIMITED AS A MATTER OF APPLICABLE LAW, IN NO EVENT SHALL CUSTOMER OR ITS AFFILIATES, OR PROVIDER, ITS AFFILIATES OR SUPPLIERS BE LIABLE FOR (X) ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL LOSS OR DAMAGE OF ANY KIND OR (Y) LOSS OF REVENUE, LOSS OF ACTUAL OR ANTICIPATED PROFITS, LOSS OF BUSINESS, LOSS OF CONTRACTS, LOSS OF GOODWILL OR REPUTATION, LOSS OF ANTICIPATED SAVINGS, LOSS OF, DAMAGE TO OR CORRUPTION OF DATA, HOWSOEVER ARISING, WHETHER SUCH LOSS OR DAMAGE WAS FORESEEABLE OR IN THE CONTEMPLATION OF THE PARTIES AND WHETHER ARISING IN OR FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE.

EXCEPT FOR (A) ANY BREACH OF THE SOFTWARE LICENSE, RESTRICTIONS, OR CONFIDENTIAL INFORMATION SECTIONS OF THIS AGREEMENT, OR ANY OTHER VIOLATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS; (B) PROVIDER’S EXPRESS OBLIGATIONS UNDER THE INFRINGEMENT INDEMNITY SECTION OF THIS AGREEMENT AND CUSTOMER’S EXPRESS OBLIGATIONS UNDER THE CONDUCT, EXPORT, MSP LICENSE, AND USE BY THIRD PARTIES SECTIONS OF THIS AGREEMENT, (C) PROVIDER’S COSTS OF COLLECTING DELINQUENT AMOUNTS WHICH ARE NOT THE SUBJECT OF A GOOD FAITH DISPUTE; (D) A PREVAILING PARTY’S LEGAL FEES PURSUANT TO THE LEGAL FEES SECTION OF THIS AGREEMENT; OR (E) ANY LIABILITY TO THE EXTENT LIABILITY MAY NOT BE EXCLUDED OR LIMITED AS A MATTER OF APPLICABLE LAW, THE MAXIMUM AGGREGATE AND CUMULATIVE LIABILITY OF CUSTOMER AND ITS AFFILIATES, AND PROVIDER, ITS AFFILIATES AND SUPPLIERS, FOR DAMAGES UNDER THIS AGREEMENT, WHETHER ARISING IN OR FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, SHALL BE AN AMOUNT EQUAL TO (Y) THE GREATER OF THE FEES PAID AND/OR OWED (AS APPLICABLE) BY CUSTOMER OR ITS AFFILIATES FOR THE PRODUCTS THAT ARE THE SUBJECT OF THE BREACH OR FIVE HUNDRED DOLLARS ($500.00), EXCEPT FOR (Z) MAINTENANCE SERVICES OR A PRODUCT SUBJECT TO RECURRING FEES, FOR WHICH THE MAXIMUM AGGREGATE AND CUMULATIVE LIABILITY SHALL BE THE GREATER OF THE AMOUNT PAID AND/OR OWED (AS APPLICABLE) FOR SUCH MAINTENANCE SERVICE OR PRODUCT DURING THE TWELVE (12) MONTHS PRECEDING THE BREACH OR FIVE HUNDRED DOLLARS ($500.00). THE PARTIES AGREE THAT THESE LIMITATIONS OF LIABILITY ARE AGREED ALLOCATIONS OF RISK CONSTITUTING IN PART THE CONSIDERATION FOR PROVIDER PROVIDING PRODUCTS AND SERVICES TO CUSTOMER, AND SUCH LIMITATIONS WILL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY AND EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LIABILITIES OR FAILURES.

Provider’s Affiliates and suppliers and Customer’s Affiliates shall be beneficiaries of this Limitation of Liability Section and Customer’s Clients and Third Party Users are entitled to the rights granted under the MSP License and Use by Third Parties Sections of this Agreement; otherwise, no third party beneficiaries exist under this Agreement. Provider expressly excludes any and all liability to Third Party Users, Clients and to any other third party.

14. Confidential Information.
a. Definition. “Confidential Information” means information or materials disclosed by one party (the “Disclosing Party”) to the other party (the “Receiving Party”) that are not generally available to the public and which, due to their character and nature, a reasonable person under like circumstances would treat as confidential, including, without limitation, financial, marketing, and pricing information, trade secrets, know-how, proprietary tools, knowledge and methodologies, the Software (in source code and/or object code form), information or benchmark test results regarding the functionality and performance of the Software, any Software license keys provided to Customer, and the terms and conditions of this Agreement.

Confidential Information shall not include information or materials that (i) are generally known to the public, other than as a result of an unpermitted disclosure by the Receiving Party after the date that Customer accepts the Agreement (the “Effective Date”); (ii) were known to the Receiving Party without an obligation of confidentiality prior to receipt from the Disclosing Party; (iii) the Receiving Party lawfully received from a third party without that third party’s breach of agreement or obligation of trust; (iv) are protected by Provider in accordance with its obligations under the Protected Data Section below, or (v) are or were independently developed by the Receiving Party without access to or use of the Disclosing Party’s Confidential Information.

b. Obligations. The Receiving Party shall (i) not disclose the Disclosing Party’s Confidential Information to any third party, except as permitted in subsection (c) below and (ii) protect the Disclosing Party’s Confidential Information from unauthorized use or disclosure by exercising at least the same degree of care it uses to protect its own similar information, but in no event less than a reasonable degree of care. The Receiving Party shall promptly notify the Disclosing Party of any known unauthorized use or disclosure of the Disclosing Party’s Confidential Information and will cooperate with the Disclosing Party in any litigation brought by the Disclosing Party against third parties to protect its proprietary rights. For the avoidance of doubt, this Section shall apply to all disclosures of the parties’ Confidential Information as of the Effective Date, whether or not specifically arising from a party’s performance under this Agreement.
c. Permitted Disclosures. Notwithstanding the foregoing, the Receiving Party may disclose the Disclosing Party’s Confidential Information without the Disclosing Party’s prior written consent to any of its Affiliates, directors, officers, employees, consultants, contractors or representatives (collectively, the “Representatives”), but only to those Representatives that (i) have a “need to know” in order to carry out the purposes of this Agreement or to provide professional advice in connection with this Agreement, (ii) are legally bound to the Receiving Party to protect information such as the Confidential Information under terms at least as restrictive as those provided herein, and (iii) have been informed by the Receiving Party of the confidential nature of the Confidential Information and the requirements regarding restrictions on disclosure and use as set forth in this Section. The Receiving Party shall be liable to the Disclosing Party for the acts or omissions of any Representatives to which it discloses Confidential Information which, if done by the Receiving Party, would be a breach of this Agreement.

Additionally, it shall not be a breach of this Section for the Receiving Party to disclose the Disclosing Party’s Confidential Information as may be required by operation of law or legal process, provided that the Receiving Party provides prior notice of such disclosure to the Disclosing Party unless expressly prohibited from doing so by a court, arbitration panel or other legal authority of competent jurisdiction.

15. Protected Data. For purposes of this Section, “Protected Data” means any information or data that is provided by Customer to Provider during this Agreement that alone or together with any other information relates to an identified or identifiable natural person or data considered to be personal data as defined under Privacy Laws, and “Privacy Laws” means any applicable law, statute, directive or regulation regarding privacy, data protection, information security obligations and/or the processing of Protected Data.

Except as permitted herein or to the extent required by Privacy Laws or legal process, Provider shall implement reasonable technical and organizational measures to prevent unauthorized disclosure of or access to Protected Data by third parties, and shall only store and process Protected Data as may be required to fulfill its obligations under this Agreement. If Provider complies with Customer’s written instructions with respect to the Protected Data, Provider shall have no liability to Customer for any breach of this Section resulting from such compliance. Provider shall promptly notify Customer of any disclosure of or access to the Protected Data by a third party in breach of this Section and shall cooperate with Customer to reasonably remediate the effects of such disclosure or access. Provider further affirms to Customer that it has adequate agreements in place incorporating the EU standard contractual clauses for the transfer of Protected Data from the European Union (“EU”) to a country outside the EU.

Customer hereby (i) represents that it has the right to send the Protected Data to Provider, (ii) consents for Provider to store and use the Protected Data worldwide for the sole purpose of performing its obligations under this Agreement, (iii) agrees that the Protected Data may be accessed and used by Provider and its Representatives worldwide as may be needed to support Provider’s standard business operations, and (iv) agrees that Protected Data consisting of Customer contact information (e.g., email addresses, names) provided as part of Maintenance Services may be sent to Provider’s third party service providers as part of Provider’s services improvement processes.

16. Compliance Verification. Customer agrees to maintain and use systems and procedures to accurately track, document, and report its installations, acquisitions and usage of the Software. Such systems and procedures shall be sufficient to determine if Customer’s deployment of the Software or, if applicable, use of the SaaS Software is within the quantities, terms, and maintenance releases to which it is entitled. Provider or its designated auditing agent shall have the right to audit Customer's deployment of the Software or, if applicable, use of the SaaS Software for compliance with the terms and conditions of this Agreement. Any such audits shall be scheduled at least ten (10) days in advance and shall be conducted during normal business hours at Customer's facilities. Customer shall provide its full cooperation and assistance with such audit and provide access to the applicable records and computers. Without limiting the generality of the foregoing, as part of the audit, Provider may request, and Customer agrees to provide, a written report, signed by an authorized representative, listing Customer's then current deployment of the Software and/or the number of individuals that have accessed and used SaaS Software. If Customer's deployment of the Software or, if applicable, use of the SaaS Software is found to be greater than its purchased entitlement to such Software, Customer will be invoiced for the over-deployed quantities at Provider’s then current list price plus the applicable Maintenance Services and applicable over-deployment fees. All such amounts shall be payable in accordance with this Agreement. Additionally, if the unpaid fees exceed five percent (5%) of the fees paid for the applicable Software, then Customer shall also pay Provider's reasonable costs of conducting the audit. The requirements of this Section shall survive for two (2) years following the termination of the last License governed by this Agreement.
17. SaaS Provisions.
a. Data. Customer may store data on the systems to which it is provided access in connection with its use of the SaaS Software (the “SaaS Environment”). Provider may periodically make back-up copies of Customer data, however, such back-ups are not intended to replace Customer’s obligation to maintain regular data backups or redundant data archives. Customer is solely responsible for collecting, inputting and updating all Customer data stored in the SaaS Environment, and for ensuring that it does not (i) knowingly create and store data that actually or potentially infringes or misappropriates the copyright, trade secret, trademark or other intellectual property right of any third party, or (ii) use the SaaS Environment for purposes that would reasonably be seen as obscene, defamatory, harassing, offensive or malicious. Provider shall have the right to delete all Customer data stored in connection with the use of the SaaS Software thirty (30) days following any termination of this Agreement or any License to SaaS Software granted hereunder.

Customer represents and warrants that it has obtained all rights, permissions and consents necessary to use and transfer all Customer and/or third party data within and outside of the country in which Customer or the applicable Customer Affiliate is located (including providing adequate disclosures and obtaining legally sufficient consents from Customer’s employees, customers, agents, and contractors). If Customer transmits data to a third-party website or other provider that is linked to or made accessible by the SaaS Software, Customer will be deemed to have given its consent to Provider enabling such transmission and Provider shall have no liability to Customer in connection with any claims by a third party in connection with such transmission.

b. Conduct. In connection with the use of SaaS Software, Customer may not (i) attempt to use or gain unauthorized access to Provider’s or to any third-party's networks or equipment; (ii) permit other individuals or entities to copy the SaaS Software; (iii) provide unauthorized access to or use of any SaaS Software or the associated access credentials; (iv) attempt to probe, scan or test the vulnerability of the SaaS Software, the SaaS Environment, or a system, account or network of Provider or any of Provider’s customers or suppliers; (v) interfere or attempt to interfere with service to any user, host or network; (vi) engage in fraudulent, offensive or illegal activity of any nature or intentionally engage in any activity that infringes the intellectual property rights or privacy rights of any individual or third party; (vii) transmit unsolicited bulk or commercial messages; (viii) intentionally distribute worms, Trojan horses, viruses, corrupted files or any similar items; (ix) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the SaaS Software (except for tools with safety and security functions); or (x) restrict, inhibit, interfere with or otherwise disrupt or cause a performance degradation to any Provider (or Provider supplier) facilities used to provide the SaaS Environment. Customer shall cooperate with Provider’s reasonable investigation of SaaS Environment outages, security issues, and any suspected breach of this Section, and shall, at its expense, defend Provider and its Affiliates from any claim, suit, or action by a third party (a “Third Party Claim”) alleging harm to such third party caused by Customer’s breach of any of the provisions of this Section. Additionally, Customer shall pay any judgments or settlements reached in connection with the Third Party Claim as well as Provider’s costs of responding to the Third Party Claim.
c. Suspension. Provider may suspend Customer’s use of SaaS Software (a) if so required by law enforcement or legal process, (b) in the event of an imminent security risk to Provider or its customers, or (c) if continued use would subject Provider to material liability. Provider shall make commercially reasonable efforts under the circumstances to provide prior notice to Customer of any such suspension.
18. General.
a. Governing Law and Venue. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without giving effect to any conflict of laws principles that would require the application of laws of a different state. Any action seeking enforcement of this Agreement or any provision hereof shall be brought exclusively in the state or federal courts located in Santa Clara County, California. Each party hereby agrees to submit to the jurisdiction of such courts. The parties agree that neither the United Nations Convention on Contracts for the International Sale of Goods, nor the Uniform Computer Information Transaction Act (UCITA) shall apply to this Agreement, regardless of the states in which the parties do business or are incorporated.
b. Assignment. Except as otherwise set forth herein, Customer shall not, in whole or part, assign or transfer any part of this Agreement, the Licenses granted under this Agreement or any other rights, interest or obligations hereunder, whether voluntarily, by contract, by operation of law or by merger (whether that party is the surviving or disappearing entity), stock or asset sale, consolidation, dissolution, through government action or order, or otherwise without the prior written consent of Provider. Any attempted transfer or assignment by Customer that is not permitted by this Agreement shall be null and void.
c. Severability. If any provision of this Agreement shall be held by a court of competent jurisdiction to be contrary to law, such provision will be enforced to the maximum extent permissible by law to effect the intent of the parties and the remaining provisions of this Agreement will remain in full force and effect. Notwithstanding the foregoing, the terms of this Agreement that limit, disclaim, or exclude warranties, remedies or damages are intended by the parties to be independent and remain in effect despite the failure or unenforceability of an agreed remedy. The parties have relied on the limitations and exclusions set forth in this Agreement in determining whether to enter into it.
d. Use by U.S. Government. The Software is a “commercial item” under FAR 12.201. Consistent with FAR section 12.212 and DFARS section 227.7202, any use, modification, reproduction, release, performance, display, disclosure or distribution of the Software or Documentation by the U.S. government is prohibited except as expressly permitted by the terms of this Agreement. In addition, when Customer is a U.S. government entity, the language in Subsection (ii) of the Infringement Indemnity Section of this Agreement and the Injunctive Relief Section of this Agreement shall not be applicable.
e. Notices. All notices provided hereunder shall be in writing and may be delivered by email, in the case of Provider to legal@sonicwall.com and in the case of Customer to the email address Provider has on file for Customer. All notices, requests, demands or communications shall be deemed effective upon delivery in accordance with this paragraph.
f. Disclosure of Customer Status. Provider may include Customer in its listing of customers and, upon written consent by Customer, announce Customer's selection of Provider in its marketing communications.
g. Waiver. Performance of any obligation required by a party hereunder may be waived only by a written waiver signed by an authorized representative of the other party, which waiver shall be effective only with respect to the specific obligation described therein. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.
h. Injunctive Relief. Each party acknowledges and agrees that in the event of a material breach of this Agreement, including but not limited to a breach of the Software License, Restrictions or Confidential Information Sections of this Agreement, the non-breaching party shall be entitled to seek immediate injunctive relief, without limiting its other rights and remedies.
i. Force Majeure. Each party will be excused from performance for any period during which, and to the extent that, it is prevented from performing any obligation or service as a result of causes beyond its reasonable control, and without its fault or negligence, including without limitation, acts of God, strikes, lockouts, riots, acts of war, epidemics, communication line failures, and power failures. For added certainty, this Section shall not operate to change, delete, or modify any of the parties’ obligations under this Agreement (e.g., payment), but rather only to excuse a delay in the performance of such obligations.
j. Equal Opportunity. Provider is a federal contractor and Affirmative Action employer (M/F/D/V) as required by the Equal Opportunity clause C.F.R. § 60-741.5(a).
k. Headings. Headings in this Agreement are for convenience only and do not affect the meaning or interpretation of this Agreement. This Agreement will not be construed either in favor of or against one party or the other, but rather in accordance with its fair meaning. When the term “including” is used in this Agreement it will be construed in each case to mean “including, but not limited to.”
l. Legal Fees. If any legal action is brought to enforce any rights or obligations under this Agreement, the prevailing party shall be entitled to recover its reasonable attorneys’ fees, court costs and other collection expenses, in addition to any other relief it may be awarded.
m. Entire Agreement. This Agreement is intended by the parties as a final expression of their agreement with respect to the subject matter thereof and may not be contradicted by evidence of any prior or contemporaneous agreement unless such agreement is signed by both parties. In the absence of such an agreement, this Agreement shall constitute the complete and exclusive statement of the terms and conditions and no extrinsic evidence whatsoever may be introduced in any proceeding that may involve the Agreement. Each party acknowledges that in entering into the Agreement it has not relied on, and shall have no right or remedy in respect of, any statement, representation, assurance or warranty (whether made negligently or innocently) other than as expressly set out in the Agreement. In those jurisdictions where an original (non-faxed, non-electronic, or non-scanned) copy of an agreement or an original (non-electronic) signature on agreements such as this Agreement is required by law or regulation, the parties hereby agree that, notwithstanding any such law or regulation, a faxed, electronic, or scanned copy of and a certified electronic signature on this Agreement shall be sufficient to create an enforceable and valid agreement. This Agreement may only be modified or amended by a writing executed by a duly authorized representative of each party. No other act, document, usage or custom shall be deemed to amend or modify this Agreement.