
Secure Mobile Access 8.6 Admin Guide

Configuring Secure Mobile Access

System Configuration

This section provides information and configuration tasks specific to the System pages in the Secure Mobile Access web-based management interface, including registering your SMA/SRA appliance, setting the date and time, configuring system settings, system administration and system certificates.


System > Status

This section provides an overview of the System > Status page and a description of the configuration tasks available on this page.

System > Status Overview

The System > Status page provides the administrator with current system status for the SMA/SRA appliance, including information and links to help manage the SMA/SRA appliance and SonicWall Inc. Security Services licenses. This section provides information about the page display and instructions to complete the configuration tasks on the System > Status page.

System > Status Page

Overviews of each area of the System > Status page are provided in the following sections:

System Messages

The System Messages section displays text about recent events and important system messages, such as system setting changes. For example, if you do not set an outbound SMTP server, you will see the message, “Log messages and one-time passwords cannot be sent because you have not specified an outbound SMTP server address.”

System Information

The System Information section displays details about your specific SMA/SRA appliance. The following information is displayed in this section:

Model - The type of SMA/SRA appliance.
Serial Number - The serial number or the MAC address of the SMA/SRA appliance.
Authentication Code - The alphanumeric code used to authenticate the SMA/SRA appliance on the registration database at https://www.MySonicWall.com.
Firmware Version - The firmware version loaded on the SMA/SRA appliance.
ROM Version - Indicates the ROM version. The ROM code controls low-level functionality of the appliance.
CPU (Utilization) - The type of the SMA/SRA appliance processor and the average CPU usage over the last 5 minutes.
Total Memory - The amount of RAM and Flash memory on the appliance.
System Time - The current date and time.
Up Time - The number of days, hours, minutes, and seconds that the SMA/SRA appliance has been active since its most recent restart.
Active Users - The number of users who are currently logged into the Secure Mobile Access management interface of the SMA/SRA appliance.

Latest Alerts

The Latest Alerts section displays text about recent invasive events, irregular system behavior, or errors. Latest Alerts includes information about the date and time of the event, the host of the user that generated the event and a brief description of the event.

Any messages relating to system events or errors are displayed in this section. Clicking the arrow button located in the upper right corner of this section displays the Log > Log View page.

Fields in the Latest Alerts section are:

Date/Time - The date and time when the message was generated.
User - The name of the user that generated the message.
Message - A message describing the error.

Licenses & Registration

The Licenses & Registration section indicates the user license allowance and registration status of your SMA/SRA appliance. The status of your Analyzer, ViewPoint, Secure Virtual Assist, Spike License, and Web Application Firewall licenses are also displayed here.

To register your appliance on MySonicWall and manually enter the registration code in the available field at the bottom of this section, see Registering Your SMA/SRA Appliance with System Status.

To register your appliance on MySonicWall from the System > Licenses page and allow the appliance to automatically synchronize registration and license status with the SonicWall Inc. server, see Registering the SMA/SRA Appliance with System > Licenses.

Network Interfaces

The Network Interfaces section provides the administrator with a list of SMA/SRA appliance interfaces by name. For each interface, the Network Interfaces tab provides the IP address that has been configured and the current link status.

For information about configuration tasks related to the Network Interfaces section, refer to Configuring Network Interfaces.

Registering Your SMA/SRA Appliance with System Status

Register with MySonicWall to get the most out of your SMA/SRA appliance. Complete the steps in the following sections to register.

Before You Register

Verify that the time, DNS, and default route settings on your SMA/SRA appliance are correct before you register your appliance. These settings are generally configured during the initial SMA/SRA appliance setup process. To verify or configure the time settings, navigate to the System > Time page. To verify or configure the DNS setting, navigate to the Network > DNS page. To verify or configure the default route, navigate to the Network > Routes page. For more information about time and DNS setting configuration, refer to Setting the Time, Configuring DNS Settings and Configuring a Default Route for the SMA/SRA Appliance.

NOTE: You need a MySonicWall account to register the SonicWall SMA/SRA appliance.
Creating a MySonicWall Account from System > Licenses

1. On the System > Licenses page, click Activate, Upgrade, or Renew services. The License Management page is displayed.
2. If you do not have a MySonicWall account or if you forgot your user name or password, click the https://www.MySonicWall.com link at the bottom of the page. The MySonicWall User Login page is displayed.

   Do one of the following:

   If you forgot your user name, click the Forgot Username? link.
   If you forgot your password, click the Forgot Password? link.
   If you do not have a MySonicWall account, click the Not a registered user? link.
3. Follow the instructions to activate your MySonicWall account.

Registering with MySonicWall

There are two ways to register your SMA/SRA appliance:

Log in to your MySonicWall account directly from a browser or click the SonicWall Inc. link on the System > Status page to access MySonicWall, enter the appliance serial number and other information there, and then enter the resulting registration code into the field on the System > Status page. This manual registration procedure is described in this section.
Use the link on the System > Licenses page to access MySonicWall, then enter the serial number and other information into MySonicWall. When finished, your view of the System > Licenses page shows that the appliance has been automatically synchronized with the licenses activated on MySonicWall. This procedure is described in Registering the SMA/SRA Appliance with System > Licenses.
To register your SMA/SRA appliance:

1. If you are not logged into the Secure Mobile Access management interface, log in with the username admin and the administrative password you set during initial setup of your SMA/SRA appliance (the default is password, which should be changed before the appliance is reachable from untrusted networks). For information about configuring the administrative password, refer to the Getting Started Guide for your appliance model.
2. If the System > Status page is not automatically displayed in the Secure Mobile Access management interface, click System in the left-navigation menu, and then click Status.
3. Record your Serial Number and Authentication Code from the Licenses & Registration section.
4. Do one of the following to access the MySonicWall Web page:
   Click the SonicWall Inc. link in the Licenses & Registration section.
   Type https://www.MySonicWall.com into the Address or Location field of your Web browser.

   The MySonicWall User Login page is displayed.
5. Enter your MySonicWall account user name and password.

   NOTE: If you are not a registered MySonicWall user, you must create an account before registering your SonicWall product. Click the Not a registered user? link at the bottom of the page to create your free MySonicWall account.
6. Navigate to Products in the left navigation bar.
7. Enter your Serial Number and Authentication Code in the appropriate fields.
8. Enter a descriptive name for your SMA/SRA appliance in the Friendly Name field.
9. Select the product group for this appliance, if any, from the Product Group drop-down list.
10. Click Register.
11. When the MySonicWall server has finished processing your registration, the Registration Code is displayed along with a statement that your appliance is registered. Click Continue.
12. On the System > Status page of the Secure Mobile Access management interface, enter the Registration Code into the field at the bottom of the Licenses & Registration section, and then click Update.

Configuring Network Interfaces

The IP settings and interface settings of the SMA/SRA appliance can be configured by clicking the blue arrow in the corner of the Network Interfaces section of the System > Status page. The link redirects you to the Network > Interfaces page, which can also be accessed from the navigation bar. From the Network > Interfaces page, an SMA/SRA appliance administrator can configure the IP address of the primary (X0) interface, and also optionally configure additional interfaces for operation.

For a port on your SMA/SRA appliance to communicate with a firewall or target device on the same network, you need to assign an IP address and a subnet mask to the interface.

For more information about configuring interfaces, refer to Network > Interfaces.

System > Licenses

This section provides an overview of the System > Licenses page and a description of the configuration tasks available on this page. See the following sections:

System > Licenses Overview

Services upgrade licensing and related functionality is provided by the License Manager that runs on the SMA/SRA appliance. The License Manager communicates periodically (hourly) with the SonicWall Inc. licensing server to verify the validity of licenses. The License Manager also allows the administrator to purchase licenses directly or turn on free trials to preview a product before buying.

NOTE: Initial registration of the unit is required for the License Manager to work.

The System > Licenses page provides a link to activate, upgrade, or renew SonicWall Inc. Security Services licenses. From this page in the Secure Mobile Access management interface, you can manage all the SonicWall Inc. Security Services licenses for your SMA/SRA appliance.

System > Licenses page

Security Services Summary

The Security Services Summary table lists the number of Nodes/Users licenses and the available and activated security services on the SMA/SRA appliance.

The Security Service column lists all the available SonicWall Inc. Security Services and upgrades available for the security appliance. The Status column indicates if the security service is activated (Licensed), available for activation (Not Licensed, or for Spike License, Inactive), or no longer active (Expired). ViewPoint, Secure Virtual Assist, Spike License, Stateful High Availability (only on SMA 400, SRA 4600), and Web Application Firewall are licensed separately as upgrades.

The number of nodes (computer or other device connected to your appliance with an IP address) or users allowed by the license is displayed in the Count column. This number refers to the maximum number of simultaneous connections to the SMA/SRA appliance.

The Expiration column displays the expiration date for any licensed service that is time-based. For a Spike License, the Expiration column shows the number of days that the Spike License can be active before it expires. The days do not have to be consecutive.

The information listed in the Security Services Summary table is updated from the SonicWall Inc. licensing server every time the SMA/SRA appliance automatically synchronizes with it (hourly), or you can click Synchronize to synchronize immediately.

NOTE: If the licenses do not update after a synchronize, you might need to restart your SMA/SRA appliance. DNS must be configured properly and the appliance should be able to reach the sonicwall.com domain.

Manage Security Services Online

You can log in to MySonicWall directly from the System > Licenses page by clicking the link Activate, Upgrade, or Renew services. You can click this link to register your appliance, to purchase additional licenses for upgrading or renewing services, or to activate free trials.

Registering the SMA/SRA Appliance with System > Licenses

On a new SMA/SRA appliance or after upgrading your firmware from an earlier release, you can register your appliance from the System > Licenses page.

To register your appliance from the System > Licenses page:

1. On the System > Licenses page, click Activate, Upgrade, or Renew services. Enter your MySonicWall user name and password into the fields and then click Submit.
2. The License Management page is displayed.
3. Click Activate, Upgrade, or Renew on your existing license.
4. Enter your license key in the spaces provided.
5. Click Submit.
6. The display changes to inform you that your SMA/SRA appliance is registered.
7. Click Continue.
8. In the License Management page, your latest license information is displayed.

NOTE: After registration, some network environments require the SMA/SRA appliance to be offline so that it is unable to connect to the SonicWall Inc. licensing server. In this mode, the appliance still honors the valid licenses; however, time-based licenses might not be valid.

Activating or Upgrading Licenses

After your SMA/SRA appliance is registered, you can activate licenses for Secure Virtual Assist (includes Secure Virtual Meeting), Analyzer/ViewPoint, End Point Control, Spike License, and Web Application Firewall on the System > Licenses page. Secure Virtual Assist, Analyzer/ViewPoint, and Web Application Firewall also offer a free trial. You can also upgrade a license from this page. For example, if your appliance is licensed for a single Virtual Assist technician, you can upgrade the license for multiple technicians.

You must purchase the license subscription on MySonicWall or from a reseller before you can activate or upgrade. You will receive an activation key to enter into the License Manager page.

NOTE: Services displayed on the System > Licenses page vary, depending on the appliance.

To activate or upgrade licenses or free trials on your appliance:

1. On the System > Licenses page, click Activate, Upgrade, or Renew services. The License Management page is displayed.
2. Enter your MySonicWall user name and password into the fields and then click Submit. The display changes to show the status of your licenses. The services can have a Try link, an Activate link, or an Upgrade link.
3. To activate a free trial, click Try next to the service that you want to try. The page explains that you will be guided through the setup of the service, and that you can purchase a SonicWall Inc. product subscription at any time during or after the trial. Click Continue, and follow the setup instructions.
4. To activate a new license which you have already purchased on MySonicWall or from your reseller, click Activate next to the service that you want to activate. Enter your license activation key into the <Product> Activation Key field, and then click Submit.
5. To upgrade an existing license with a new license that you have already purchased, click Upgrade next to the service that you want to upgrade. Type or paste one or more new activation keys into the New License Key # field(s), and then click Submit.
6. After completing the activation or upgrading process, click Synchronize to update the appliance license status from the SonicWall Inc. licensing server. Rebooting the appliance also updates the license status.

Using a Spike License

A Spike License enables you to temporarily increase the number of remote users your appliance or SMA 500v Virtual Appliance can support if there is a sudden spike in remote access needs, such as during a period of severe weather or during a business event for remote participants. Licensed separately, this feature helps you accommodate spikes in remote access traffic during planned or unplanned events.

When you buy a Spike License, it is valid for a given number of users and days. The user count is the total number of users supported while the Spike License is active, not a number added on top of your base license. You can suspend and resume the use of the license as needed.

More than one Spike License can be uploaded to your appliance, but only one can be active at a time.

An option is available to automatically enable and disable the license depending on the number of user connections. Select Automatically activate Spike License to enable it. If this option is enabled, the Spike License is automatically activated when the number of connected users exceeds your normal user license. The Spike License stays active until either the number of users decreases back to your normal licensed amount or the Spike License expires.

To activate or stop a Spike License:

1. Purchase your Spike License from MySonicWall and import it to the appliance, as described in Activating or Upgrading Licenses. After licensing, the status is updated to Licensed, and the total users supported and number of usage days remaining in the Spike License are shown on the System > Licenses page.
2. After reloading the page, the Spike License is listed as Off on the System > Licenses page.
3. When you need to accommodate more users, click Activate. The status changes to Active.
4. To stop an active Spike License, click Stop. The status goes back to Off, and the number of days remaining is updated.

NOTE: Whenever you activate and then stop a Spike License, the number of days for which it is valid decreases by one, even if fewer than 24 hours have elapsed. If it remains active for several days, a day is subtracted after each 24 hour period.

Manual Upgrade

To manually upgrade your Security Services, scroll down to the Manual Upgrade section of the System > Licenses page. You need the Keyset for the service(s) you want to upgrade. Enter the Keyset in the available field, then click Submit. Click Synchronize at the top of the page to refresh the Security Services Summary; the upgraded license should now appear there.

System > Time

This section provides an overview of the System > Time page and a description of the configuration tasks available on this page.

System > Time Overview

The System > Time page provides the administrator with controls to set the SMA/SRA appliance system time, date and time zone, and to set the SMA/SRA appliance to synchronize with one or more NTP servers.

System > Time Page

System Time

The System Time section allows the administrator to set the time (hh:mm:ss), date (mm:dd:yyyy) and time zone. It also allows the administrator to select automatic synchronization with the NTP (Network Time Protocol) server and to display UTC (Coordinated Universal Time) instead of local time in logs.

NTP Settings

The NTP Settings section allows the administrator to set an update interval (in seconds), an NTP server, and two additional (optional) NTP servers.

Setting the Time

To configure the time and date settings, navigate to the System > Time page. The appliance uses the time and date settings to timestamp log events and for other internal purposes. It is imperative that the system time be set accurately for optimal performance and proper registration.

NOTE: For optimal performance, the SMA/SRA appliance must have the correct time and date configured.

To configure the time and date settings:

1. Select your time zone in the Time Zone drop-down list.
2. The current time, in 24-hour time format, appears in the Time (hh:mm:ss) field and the current date appears in the Date (mm:dd:yyyy) field.
3. Alternately, you can manually enter the current time in the Time (hh:mm:ss) field and the current date in the Date (mm:dd:yyyy) field.

   NOTE: If the check box next to Automatically synchronize with an NTP server is selected, you cannot manually enter the time and date. To manually enter the time and date, clear the check box.
4. Click Accept to update the configuration.

Enabling Network Time Protocol

If you enable Network Time Protocol (NTP), the NTP time settings override the manually configured time settings. The NTP time settings are determined by the NTP server and the time zone that is selected in the Time Zone drop-down list.

To set the time and date for the appliance using the Network Time Protocol (NTP):

1. Navigate to the System > Time page.
2. Select Automatically synchronize with an NTP server.
3. In the NTP Settings section, enter the time interval in seconds to synchronize time settings with the NTP server in the Update Interval field. If no period is defined, the appliance selects the default update interval, 3600 seconds.
4. Enter the NTP server IP address or fully qualified domain name (FQDN) in the NTP Server 1 field.
5. For redundancy, enter a backup NTP server address in the NTP Server Address 2 (Optional) and NTP Server Address 3 (Optional) fields.
6. Click Accept to update the configuration.
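Before pointing the appliance at a new NTP server it is worth confirming from an admin workstation that the server answers and what offset it reports, since log timestamps, certificate validity checks and the registration described earlier all depend on the clock. The following Python script is an added example, not part of this guide or of SonicWall's software: it implements a minimal SNTP client that builds the 48-byte request, accepts only a server-mode reply whose originate timestamp matches the request it sent (so a stray or off-path injected reply is discarded), and computes the clock offset and round-trip delay. The server name in the usage line and the reply built by constructed_response() are assumptions for illustration.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
PACKET = "!BBBb11I"     # LI/VN/mode, stratum, poll, precision, then 11 big-endian 32-bit words


def unix_to_ntp(t):
    """Split a Unix time into the NTP (seconds, fraction) 64-bit timestamp pair."""
    secs = int(t) + NTP_DELTA
    frac = int((t - int(t)) * 2 ** 32)
    return secs, frac


def ntp_to_unix(secs, frac):
    return secs - NTP_DELTA + frac / 2 ** 32


def build_request(t1):
    """Client request: LI=0, version 4, mode 3; T1 goes in the transmit timestamp field."""
    secs, frac = unix_to_ntp(t1)
    return struct.pack(PACKET, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def parse_response(data, t1_sent, t4):
    """Validate a server reply and compute offset and delay (RFC 4330 arithmetic)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBBb", data[:4])
    words = struct.unpack("!11I", data[4:48])
    leap, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4:
        raise ValueError("not a server-mode reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("kiss-o'-death / unsynchronized server")
    if leap == 3:
        raise ValueError("server clock is not synchronized")
    # words: root delay, root dispersion, reference id, then four 64-bit timestamps
    originate = (words[5], words[6])
    if originate != unix_to_ntp(t1_sent):
        raise ValueError("originate timestamp does not match our request; ignoring reply")
    t1 = ntp_to_unix(*originate)
    t2 = ntp_to_unix(words[7], words[8])    # server receive time
    t3 = ntp_to_unix(words[9], words[10])   # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2    # how far our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)           # network round trip, excluding server processing
    return {"version": version, "stratum": stratum, "leap": leap,
            "offset": offset, "delay": delay}


def constructed_response(t1, t2, t3, stratum=1):
    """Pack a server reply (mode 4) the way a server would; constructed data for offline use."""
    vals = [0x24, stratum, 6, -20, 0, 0, 0x47505300]   # LI=0 VN=4 mode=4, ref id 'GPS\0'
    for t in (t2, t1, t2, t3):                        # reference, originate, receive, transmit
        vals.extend(unix_to_ntp(t))
    return struct.pack(PACKET, *vals)


def query(server, port=123, timeout=2.0):
    """Send one request over UDP and return the parsed result (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, port))
        data, _addr = sock.recvfrom(256)
        t4 = time.time()
    return parse_response(data, t1, t4)


if __name__ == "__main__":
    # Offline demonstration with a constructed reply: server is 2 s ahead, 0.5 s round trip.
    t1 = 1700000000.0
    reply = constructed_response(t1, t1 + 2.25, t1 + 2.5)
    print(parse_response(reply, t1, t1 + 0.75))
    # Live check against an assumed server name: print(query("ntp.example.com"))
```

Plain NTP is unauthenticated, so the originate-timestamp check only defends against off-path injection; an attacker on the path between the appliance and the server can still feed it a wrong time. Use servers you operate or reach over a trusted network, and keep the Update Interval short enough that a transient network problem does not let the clock drift far before the next query.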

System > Settings

This section provides an overview of the System > Settings page and a description of the configuration tasks available on this page.

System > Settings Overview

The System > Settings page allows the administrator to import and export the settings of the SMA/SRA appliance. It also includes options to automatically send your settings to an external FTP server after a firmware upgrade and whenever new settings are generated. SMA already performed a periodic backup of the appliance settings; these options provide an additional method for backup.

On a physical appliance, the System > Settings page provides a way to upload new firmware, and to boot either the current firmware, newly uploaded firmware, or backup firmware.

System > Settings Page - Physical Appliance

Configure the FTP server on the System > Administration page to automatically send new settings to the external FTP server. Refer to Configuring External FTP/TFTP Server Settings.

On an SMA 500v Virtual Appliance, the System > Settings page allows for settings management, but does not provide any firmware management, because the SMA 500v Virtual Appliance is itself a software image.

Settings

The Settings page provides buttons to import and export settings along with email settings, and allows the administrator to encrypt the settings files. There is also an option to be notified when new firmware becomes available.

Firmware Management

The Firmware Management section allows the administrator to control the firmware that is running on the SMA/SRA appliance. This section provides buttons for uploading new firmware, creating a backup of current firmware, downloading existing firmware to the management computer, rebooting the appliance with current or recently uploaded firmware, and rebooting the appliance with factory default settings.

Phone Home Settings

SONAR Enhanced Product Analytics, also known as “phone home,” uses the MSW (MySonicWall) backend server to collect phone home data from your appliance. The collected data is divided into two parts. The first part is the static license and configuration data that indicates configured numbers. The second part is the run-time data that indicates usage numbers. Based on this data and the analytics derived from it, feature usage can be tracked accurately so that features are improved or deprecated effectively.

You can enable or disable the Phone Home settings by accessing them on the System > Settings page and selecting or deselecting the Enable the phone home for product analytics option.

Managing Configuration Files

SMA/SRA appliances allow you to save and import file sets that hold the SMA/SRA configuration settings. These file sets can be saved and uploaded through the System > Settings page in the Secure Mobile Access management interface.

These tasks are described in the following sections:

Encrypting the Configuration File

For security purposes, you can encrypt the configuration files in the System > Settings page. However, if the configuration files are encrypted, they cannot be edited or reviewed for troubleshooting purposes.

To encrypt the configuration files, select Encrypt settings file in the System > Settings page.

Importing a Configuration File

You can import the configuration settings that you previously exported to a backup configuration file.

To import a configuration file:

1. Navigate to the System > Settings page.
2. To import a backup version of the configuration, click Import Settings. The Import Settings dialog box is displayed.

   NOTE: Because of feature differences between some platforms, importing settings from the SMA 200 to the SMA 400 and vice versa or the SRA 1600 to the SRA 4600 and vice versa is not fully supported. In addition, importing Virtual Machine settings to any other platform is not fully supported. If you import settings between these platforms, be sure to verify settings were imported correctly.
3. Click Browse to navigate to the location that contains the settings file you want to import. The file can have any name, but is named sslvpnSettings-serialnumber.zip by default.
4. Click Upload. Secure Mobile Access imports the settings from the file and configures the appliance with those settings.

   NOTE: Make sure you are ready to reconfigure your system. After you import the file, the system overwrites the existing settings immediately.
5. After the file has been imported, restart the appliance to make the changes permanent.

Exporting a Backup Configuration File

Exporting a backup configuration file saves a copy of your configuration settings on your local machine, so that you can import the saved configuration file at a later time, if necessary. The backup file is called sslvpnSettings-serialnumber.zip by default, and includes the contents shown in the following figure.

Backup Configuration Directory Structure in Zip File

The backup directory structure contains the following elements:

ca folder (not shown) – Contains CA certificates provided by a Certificate Authority.
cert folder – Contains the default folder with the default key/certificate pair. Also contains key/certificate pairs generated from Certificate Signing Requests (CSRs) on the System > Certificates page, if any.
uiaddon folder – Contains a folder for each portal. Each folder contains portal login messages, portal home page messages, and the default logo or the custom logo for that portal, if one was uploaded. VirtualOffice is the default portal.
firebase.conf file – Contains network, DNS and log settings.
settings.json file – Contains user, group, domain and portal settings.
fcrontab.config file – Only generated when Schedule TSR (scheduled Tech Support Report) is enabled.
To export a backup configuration file:

1. Navigate to the System > Settings page.
2. To save a backup version of the configuration, click Export Settings. The browser you are working in displays a pop-up asking you if you want to open the configuration file.
3. Select the option to Save the file.
4. Choose the location to save the configuration file. The file is named sslvpnSettings-serialnumber.zip by default, but it can be renamed.
5. Click Save to save the configuration file.
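The exported archive is the only portable copy of the appliance's configuration, and because the cert folder holds the appliance's private keys it has to be handled as secret material rather than as an ordinary settings file. The following Python script is an added example, not part of this guide or of SonicWall's software: it opens an exported sslvpnSettings-serialnumber.zip, checks that the elements listed above are present, lists the portals found under uiaddon, reports every entry that contains PEM private-key material, and confirms whether settings.json is still readable (an encrypted export, or a damaged one, fails that check). The file names below cert/default and uiaddon and the JSON body in constructed_backup() are assumptions used only to build a sample archive for offline use.

```python
import io
import json
import zipfile

# Top-level entries the guide lists for an exported sslvpnSettings-<serial>.zip.
REQUIRED = {"cert", "uiaddon", "firebase.conf", "settings.json"}
OPTIONAL = {"ca", "fcrontab.config"}      # ca: only if CA certs exist; fcrontab.config: only with Schedule TSR
KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----BEGIN EC PRIVATE KEY-----",
               b"-----BEGIN PRIVATE KEY-----")


def inspect_backup(zip_bytes):
    """Sanity-check an exported settings archive and flag the secret material inside it."""
    report = {"missing": [], "unexpected": [], "portals": [],
              "private_keys": [], "settings_readable": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        top = {n.split("/", 1)[0] for n in names}
        report["missing"] = sorted(REQUIRED - top)
        report["unexpected"] = sorted(top - REQUIRED - OPTIONAL)
        # one sub-folder per portal under uiaddon (VirtualOffice is the default portal)
        report["portals"] = sorted({n.split("/")[1] for n in names
                                    if n.startswith("uiaddon/") and n.count("/") >= 2})
        for name in names:
            if name.endswith("/"):                      # directory entry, nothing to read
                continue
            if any(marker in zf.read(name) for marker in KEY_MARKERS):
                report["private_keys"].append(name)     # the appliance's TLS private keys travel with the backup
        if "settings.json" in names:
            try:
                json.loads(zf.read("settings.json"))
                report["settings_readable"] = True
            except ValueError:                          # encrypted export, or a damaged file
                report["settings_readable"] = False
    return report


def constructed_backup(with_cert=True):
    """Build a small archive with the layout the guide describes. File names below cert/
    and uiaddon/ and the JSON body are placeholders, not the appliance's real contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_cert:
            zf.writestr("cert/default/server.crt",
                        "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
            zf.writestr("cert/default/server.key",
                        "-----BEGIN RSA PRIVATE KEY-----\nplaceholder, not a real key\n-----END RSA PRIVATE KEY-----\n")
        zf.writestr("uiaddon/VirtualOffice/login_message.txt", "Welcome to the Virtual Office")
        zf.writestr("firebase.conf", "hostname=sma-demo\n")
        zf.writestr("settings.json", json.dumps({"portals": ["VirtualOffice"], "domains": []}))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a real export on the command line, or run against the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_backup()
    for key, value in inspect_backup(data).items():
        print("%-18s %s" % (key, value))
```

Treat the archive like a key file: store it encrypted at rest and restrict who can read it, because anyone holding it can present the appliance's TLS identity. If you enable Encrypt settings file, settings_readable comes back False; how much of the rest of the layout remains visible depends on how the appliance encrypts the export.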

Emailing Configuration Settings

You can email the current settings, auto-generated settings on upgrade, and scheduled settings to an email address as another way to back up your system. Specify an email address in the Email Settings to field. Then, click Email Settings.

You can also have the email settings sent automatically upon every firmware upgrade. Select the Automatically email settings on firmware upgrade check box. The Mail Server and Mail From Address values must be configured for automated email delivery. See Log > Settings for more information.

Enabling Scheduled Backups

You can set scheduled backups for your current settings by selecting Enable scheduled settings backup. Then, specify the frequency of the scheduled backups: Daily, Weekly, Fortnightly, or Monthly.

Emailing New Settings

You can select Automatically email new settings upon generation to have emails sent to you of the newest settings after they are generated.

Managing Firmware

The Firmware Management section of System > Settings provides the administrator with the option to be notified when new firmware becomes available. It provides the configuration options for firmware images, including uploading new firmware and creating a backup.

These tasks are described in the following sections:

Setting Firmware Notification

The administrator can be notified by email when a new firmware build is available.

To be notified when new firmware is available, select Notify me when new firmware is available.

Creating a Backup

To create a system backup of the current firmware and settings, click Create Backup. The backup might take up to two minutes. When the backup is complete, the Status at the bottom of the screen displays the message, “System Backup Successful.”

Downloading Firmware

To download firmware, click the download icon next to the Firmware Image version you want to download.

Booting a Firmware Image

You can boot up (restart) the appliance with any firmware image that appears in the Firmware Management table on the System > Settings page. You have the choice of keeping current configuration settings or reverting to factory default settings.

To boot a firmware image:

1. Click the boot icon in the row for the Firmware Image version that you want to run on the SMA/SRA appliance.
2. To reboot the image with factory default settings, select Boot with factory default settings. If this option is not selected, current configuration settings are kept.
3. The pop-up message is displayed: Are you sure you wish to boot this firmware? Click OK.

Uploading New Firmware

To upload new firmware:

1. Log in to MySonicWall.
2. Download the latest Secure Mobile Access firmware version.
3. In the Secure Mobile Access management interface, navigate to the System > Settings page.
4. Click Upload New Firmware under the Firmware Management section.
5. Click Browse.
6. Select the downloaded Secure Mobile Access firmware. It should have a .sig file extension.
7. Click Open.
8. Click Accept. Wait for the firmware to upload and be written to the disk.
9. The System > Settings page displays the firmware table, with the uploaded firmware listed in it. Click the Boot icon in the Uploaded Firmware row to boot the new firmware with existing settings.

Managing Language Settings

SMA/SRA appliances allow you to import and apply new language packs to the firmware. The language packs are stored on the back end server. The Secure Mobile Access firmware is scheduled to check the back end server every hour for updates to existing or new language packs.

These tasks are described in the following sections:

Downloading a language pack

The Language Settings section displays the newest language pack(s) available. Log in to MySonicWall to download the language pack to your local system, or click the link for the language you want to download to be automatically directed to MySonicWall.

Importing a language pack

After you have downloaded a new language pack from MySonicWall, you can import it to your Secure Mobile Access firmware. Click Import. Then, click Choose File to select the language file to import. Click Open.

Selecting a language

The Select Language drop-down menu has the available languages downloaded to the back end server of the SMA/SRA appliance. The default language is English. Select the language from the drop-down menu, then click Apply. This process can take a few minutes.

Querying for new languages

To manually query available language packs on the back end server, click Query Now. If there are any new language packs available, they are listed under “Available New Language Packs.”

System > Administration

This section provides an overview of the System > Administration page and a description of the configuration tasks available on this page.

System > Administration Overview

This section provides the administrator with information about and instructions to complete the configuration tasks on the System > Administration page. The System > Administration page allows the administrator to configure login security, Web management settings, SNMP settings, and GMS settings.

See the following sections:

System > Administration page

Login Security

The Login Security section provides a way to configure administrator/user lockout for a set period of time (in minutes) after a set number of maximum login attempts per minute.

HTTP DOS Settings

The HTTP DOS Settings section is used to configure the maximum concurrent TCP connections (20-100, default 20) a client can open with the Secure Mobile Access web server.

Global SSL/TLS Settings

The Global SSL/TLS settings section allows the administrator to configure Secure Sockets Layer (SSL) and Transport Layer Security (TLS) settings globally from the System > Administration page.

Configure the following settings:

Enforce Forward Secrecy — Enable this option to require cipher suites that use ephemeral key exchange, so that recorded sessions cannot be decrypted later even if the appliance's private key is compromised in the future. Note that browsers that do not support Forward Secrecy might not be able to connect to the SMA/SRA appliance. The performance of this feature can decline depending on the ciphers that the client browser supports.
Verify Backend SSL Server Certificate for Proxy connections — When this option is enabled, the connection is dropped if the backend SSL/TLS server certificate is not trusted, that is, if it does not chain to a CA the appliance trusts. Chains up to 10 certificates deep are checked. Alert level log messages are also generated when this option is enabled.
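The following is an added example, not code from this guide or from SonicWall: run from an administrator's workstation, it connects to a portal, reads the negotiated cipher suite, and reports whether the key exchange is ephemeral, which is what Enforce Forward Secrecy is meant to guarantee. The host name is a placeholder. With verify=True the script also performs chain and host-name validation, the same kind of check the backend verification option applies to proxied connections.

```python
import socket
import ssl

# Added example, not part of the SonicWall guide. The host name below is a
# placeholder; replace it with the portal's name.

# OpenSSL-style suite names for TLS 1.2 and earlier put the key exchange first.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_")


def cipher_provides_forward_secrecy(cipher_name, protocol):
    """Return True if the negotiated suite uses an ephemeral (EC)DH key exchange.

    Every TLS 1.3 suite is ephemeral, so the protocol alone decides there.
    For TLS 1.2 and earlier, ECDHE-/DHE- suites are ephemeral; RSA key
    transport (for example AES256-SHA) is not, and lets whoever later obtains
    the server's private key decrypt traffic they recorded earlier.
    """
    if protocol == "TLSv1.3":
        return True
    return cipher_name.upper().startswith(EPHEMERAL_PREFIXES)


def probe_server(host, port=443, verify=True, timeout=5.0):
    """Open one TLS session to host:port and report what was negotiated.

    With verify=True the chain must validate against the local trust store and
    the host name must match the certificate, otherwise the handshake fails.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return {
                "protocol": protocol,
                "cipher": name,
                "forward_secrecy": cipher_provides_forward_secrecy(name, protocol),
            }


if __name__ == "__main__":
    # Hypothetical portal name.
    print(probe_server("sslvpn.example.com"))
```

A result with forward_secrecy False after enabling the option means the appliance still offered a non-ephemeral suite that the client preferred; a handshake failure with verify=True against a backend host is what the proxy option would do for that host.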

Capacity Matrix

The Secure Mobile Access Capacity Matrix Report is a downloadable .PDF file that allows you to view the total number of various connections, interfaces, portals, domains, groups, users, and so on, available for your specific SMA/SRA appliance model. Click Download to have the report downloaded to your local system.

Web Management Settings

The Web Management Settings section allows the administrator to set the default page size for paged tables and the streaming update interval for dynamically updated tables in the Secure Mobile Access management interface.

The following paged tables are affected by the Default Table Size setting:

Secure Virtual Assist > Log
Web Application Firewall > Log
Log > View

The minimum for the Default Table Size field is 10 rows, the default is 100, and the maximum is 99,999.

The following dynamically updated tables are affected by the Streaming Update Interval setting:

System > Monitoring
Network > Interfaces
NetExtender > Status
Users > Status

The minimum for the Streaming Update Interval field is one second, the default is 10 seconds, and the maximum is 99,999.

SNMP Settings

The SNMP Settings section allows the administrator to enable SNMP and specify SNMP settings for the appliance. A list of downloaded MIBs is displayed to the right of the fields. MIBs can be downloaded from MySonicWall.

GMS Settings

The GMS Settings section allows the administrator to enable GMS management, and specify the GMS host name or IP address, GMS Syslog server port and heartbeat interval (in seconds).

Configuring Login Security

SMA/SRA appliance login security provides an auto lockout feature to protect against unauthorized login attempts on the user portal. Complete the following steps to enable the auto lockout feature:

1
Navigate to System > Administration.
2
Select Enable Administrator/User Lockout.
3
In the Maximum Login Attempts Per Minute field, type the number of maximum login attempts allowed before a user is locked out. The default is five attempts. The maximum is 99 attempts.
4
In the Lockout Period (minutes) field, type a number of minutes to lockout a user that has exceeded the number of maximum login attempts. The default is five minutes. The maximum is 9999 minutes.
5
Click Accept to save your changes.
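The following added example is a model of the lockout policy described in the steps above, written for this page; it is not the appliance's implementation, and its counting rules are assumptions: failed attempts are counted per account in a sliding 60-second window, the attempt that exceeds the maximum triggers the lockout, attempts during a lockout are rejected without being counted, and a successful login clears the counter. It shows two things worth knowing before relying on the defaults: an attacker who paces attempts just below the per-minute limit is never locked out, and a lockout also blocks the legitimate account holder, so an attacker who knows an administrator name can keep that administrator out.

```python
from collections import defaultdict, deque

# Added example modelling the lockout policy; not SonicWall's code.
# Assumed semantics are described in the lead-in above.


class LoginLockout:
    def __init__(self, max_attempts_per_minute=5, lockout_minutes=5):
        self.max_attempts = max_attempts_per_minute
        self.lockout_seconds = lockout_minutes * 60
        self.failures = defaultdict(deque)   # account -> times of recent failures
        self.locked_until = {}               # account -> time the lockout expires

    def attempt(self, account, now, password_ok):
        """Process one login attempt at time `now` (seconds).

        Returns "locked", "ok" or "failed".
        """
        expiry = self.locked_until.get(account)
        if expiry is not None:
            if now < expiry:
                return "locked"          # correct password or not, nobody gets in
            del self.locked_until[account]
        window = self.failures[account]
        while window and window[0] <= now - 60:   # drop failures older than a minute
            window.popleft()
        if password_ok:
            window.clear()
            return "ok"
        window.append(now)
        if len(window) > self.max_attempts:
            self.locked_until[account] = now + self.lockout_seconds
            window.clear()
            return "locked"
        return "failed"


def simulate(policy, account, interval, count):
    """Fire `count` wrong-password attempts spaced `interval` seconds apart."""
    return [policy.attempt(account, i * interval, False) for i in range(count)]


if __name__ == "__main__":
    burst = simulate(LoginLockout(), "admin", interval=1, count=10)
    paced = simulate(LoginLockout(), "admin", interval=15, count=100)
    print("burst of 10 in 10 s:", burst)            # 5 failed, then locked
    print("100 attempts at 4/min, ever locked?", "locked" in paced)   # False
```

With the defaults (5 per minute, 5-minute lockout) a burst locks the account on the sixth failure, while 100 guesses at one every 15 seconds all go through unhindered; lockout limits the rate of online guessing, it does not stop it, so pair it with one-time passwords or client certificates where the portal is exposed.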

Configuring HTTP DOS Settings

The HTTP DOS setting is used to configure the maximum number of concurrent TCP connections per IP address. Complete the following steps to change the maximum number of connections at any one time:

1
Navigate to System > Administration.
2
In the Max Concurrent TCP connections Per IP field, type the maximum number of concurrent TCP connections a client can open with the Secure Mobile Access web server. The default is 20 and the maximum is 100 connections.

Configuring Web Management Settings

The Web Management Settings section allows the administrator to set the default page size for paged tables and the streaming update interval for dynamically updated tables in the Secure Mobile Access management interface.

To set the table page size and streaming update interval:
1
In the Default Table Size field, enter the number of rows per page for paged tables in the Secure Mobile Access management interface. The default is 100, the minimum is 10, and the maximum is 99,999.
2
In the Streaming Update Interval field, enter the number of seconds between updates for dynamically updated tables in the Secure Mobile Access management interface. The default is 10, the minimum is 1, and the maximum is 99,999.
3
Click Accept to save your changes.

Configuring SNMP Settings

To configure the SNMP Settings fields:
1
Navigate to System > Administration.
2
Select Enable SNMP.
3
Type the name (FQDN) of the system into the System Name field.
4
Type the email address of the system contact into the System Contact field.
5
Type the city or other identifying location of the system into the System Location field.
6
Type the asset number of the system into the Asset field. The asset number is defined by the administrator.
7
Type the community name into the Get Community Name field. This name is used in SNMP GET requests. Community-based SNMP (v1/v2c) sends the community name in cleartext in every packet, so treat it as a password: do not use the well-known value “public”, and allow only your monitoring hosts to reach the appliance on UDP port 161.
8
Click Accept to save your changes.

Enabling GMS Management

The SonicWall Inc. Global Management System (GMS) is a web-based application that can configure and manage thousands of SonicWall Inc. Internet Security appliances, including global administration of multiple site-to-site VPNs from a central location.

To enable GMS management of your SMA/SRA appliance, complete the following steps:
1
Navigate to System > Administration.
2
Select Enable GMS Management.
3
Type the host name or IP address of your GMS server in the GMS Host Name or IP Address field.
4
Type the port number of your GMS server in the GMS Syslog Server Port field. The default for communication with a GMS server is port 514.
5
Type the desired interval for sending heartbeats to the GMS server in the Heartbeat Interval (seconds) field. The maximum heartbeat interval is 86400 seconds (24 hours).
6
Click Accept to save your changes.

External FTP/TFTP Server

The External FTP/TFTP Server section allows you to configure an external FTP or TFTP server to which the appliance uploads settings backups and diagnostic data. Neither FTP nor TFTP encrypts the transfer, and FTP also sends the login credentials in cleartext, while the uploaded files contain the appliance configuration, so place the server on a trusted management network rather than reaching it across untrusted links.

Configuring External FTP/TFTP Server Settings

To configure the External FTP/TFTP Server field:
1
Navigate to System > Administration | External FTP/TFTP Server.

2
Type the FTP/TFTP server address, port, user name, and password into the corresponding fields.
3
Click Accept to save your changes.

System > Certificates

This section provides an overview of the System > Certificates page and a description of the configuration tasks available on this page.

System > Certificates Overview

The System > Certificates page allows the administrator to import server certificates and additional CA (Certificate Authority) certificates.

System > Certificates Page

See the following sections:

Server Certificates

The Server Certificates section allows the administrator to import and configure a server certificate, and to generate a CSR (certificate signing request).

A server certificate is used to verify the identity of the SMA/SRA appliance. The appliance presents its server certificate to the user’s browser when the user accesses the login page. Each server certificate contains the name of the server to which it belongs.

There is always one self-signed certificate (self-signed means that it is generated by the SMA/SRA appliance, not issued by a CA), and there could be multiple certificates imported by the administrator. If the administrator has configured multiple portals, it is possible to associate a different certificate with each portal. For example, sslvpn.test.sonicwall.com might also be reached by pointing the browser to virtualassist.test.sonicwall.com. Each of those portal names can have its own certificate. This is useful to prevent the browser from displaying a certificate mismatch warning, such as “This server is abc, but the certificate is xyz, are you sure you want to continue?”

A CSR is a certificate signing request. When preparing to get a certificate from a CA, you first generate a CSR with the details of the certificate. Then the CSR is sent to the CA with any required fees, and the CA sends back a valid signed certificate.

Additional CA Certificates

The Additional CA Certificates section allows the administrator to import additional certificates from a Certificate Authority server, either inside or outside of the local network. The certificates are in PEM encoded format for use with chained certificates, for example, when the issuing CA uses an intermediate (chained) signing certificate.

The imported additional certificates only take effect after restarting the SMA/SRA appliance.

Certificate Management

The SMA/SRA appliance comes with a pre-installed self-signed X509 certificate for SSL functions. Cryptographically, a self-signed certificate protects the session as well as one obtained through a well-known certificate authority (CA), but because it does not chain to a trusted root, browsers present an “untrusted root CA certificate” security warning until the self-signed certificate is imported into the user's trusted root store. Users can do this by clicking Import Certificate within the portal after authenticating. Users who import the certificate, or who learn to click through the warning, cannot distinguish the appliance from an impostor presenting its own self-signed certificate, so a CA-issued certificate is the better choice for production portals.

The alternative to using the self-signed certificate is to generate a certificate signing request (CSR) and to submit it to a well-known CA for valid certificate issuance. Well-known CAs include RapidSSL (www.rapidssl.com), Verisign (www.verisign.com), and Thawte (www.thawte.com).

Virtual Assist verifies the server certificate before connecting, which protects users against an impersonated appliance. If the certificate is not issued by a trusted CA, an alert message notifies the user of the risk and offers the following choices:

View - Click for detailed information about the server certificate. Information displays, as shown in the following image:

OK - Click to accept the certificate and launch the connection.

Cancel - Click to end the connection.

Generating a Certificate Signing Request

In order to get a valid certificate from a widely accepted CA such as RapidSSL, Verisign, or Thawte, you must generate a Certificate Signing Request (CSR) for your SMA/SRA appliance.

To generate a certificate signing request:
1
Navigate to the System > Certificates page.
2
Click Generate CSR to generate a CSR and Certificate Key. The Generate Certificate Signing Request dialog box is displayed.

3
Fill in the fields in the dialog box and click Accept.
NOTE: The Subject Alternative Name (SAN)/Unified Communications Certificate (UCC) can be included in the request.
4
If all information is entered correctly, a csr.zip file is created. Save this .zip file to disk. You need to provide the contents of the server.csr file, found within this zip file, to the CA.

Viewing and Editing Certificate Information

The Current Certificates table in System > Certificates lists the currently loaded SSL certificates.

To view certificate and issuer information and edit the Common Name in the certificate:
1
Click the configure icon for the certificate. The Edit Certificate window is displayed, showing issuer and certificate subject information.

2
From the Edit Certificate window, you can view the issuer and certificate subject information.
3
On self-signed certificates, type the Web server host name or IP address in the Common Name field. Current browsers match the host name against the Subject Alternative Name (SAN) extension, and some ignore the Common Name entirely, so a certificate whose Common Name matches but that carries no SAN can still produce a name-mismatch warning.
4
Click Accept to submit the changes.

You can also delete an expired or incorrect certificate. Delete the certificate by clicking Delete in the row for the certificate, on the System > Certificates page.

NOTE: A certificate that is currently active cannot be deleted. To delete a certificate, upload and enable another SSL certificate, then delete the inactive certificate on the System > Certificates page.

Importing a Certificate

When importing a certificate you must upload either a PKCS #12 (.p12 or .pfx) file containing the private key and certificate, or a zip file containing the PEM-formatted private key file named “server.key” and the PEM-formatted certificate file named “server.crt”. The .zip file must have a flat file structure (no directories) and contain only the server.key and server.crt files.

To import a certificate:
1
Navigate to the System > Certificates page.
2
Click Import Certificate. The Import Certificate dialog box is displayed.
3
Click Browse.
4
Locate the server certificate. If uploading from a PKCS #12 file, select the .p12 or .pfx file from your disk or network drive. If uploading a zipped file containing the private key and certificate select the .zip file from your disk or network drive. Any filename is accepted, but it must have the “.zip” extension. The zipped file should contain a certificate file named server.crt and a certificate key file named server.key. The key and certificate must be at the root of the zip, or the file is not uploaded.
5
Click Upload.

After the certificate has been uploaded, the certificate is displayed in the Certificates list in the System > Certificates page.

NOTE: Private keys might require a password.
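The following added example, written for this page rather than taken from SonicWall, is a pre-flight check for the zip form of the upload described in the steps above: it confirms the archive is flat, holds exactly server.key and server.crt, and that each member is a PEM block whose body decodes to DER, flagging an encrypted key so you know to expect the password prompt. The SAMPLE_KEY and SAMPLE_CRT values are constructed placeholders whose bodies decode to a five-byte DER SEQUENCE; they are not real keys or certificates, and the check does not verify that a real key matches its certificate.

```python
import base64
import binascii
import io
import re
import zipfile

# Added example, not from the SonicWall guide. SAMPLE_KEY / SAMPLE_CRT are
# constructed placeholders, not real cryptographic material.

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# Assumed: the appliance accepts the usual PEM private-key labels.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

FAKE_DER = "MAMCAQU="  # base64 of 30 03 02 01 05: SEQUENCE { INTEGER 5 }
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"
SAMPLE_CRT = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"


def pem_problems(text, want_cert):
    """Return problems found in one PEM file (an empty list means it looks usable)."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found (DER or PKCS #12 content is not accepted in the zip form)"]
    label, body = blocks[0]
    # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" headers before the base64.
    b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return [f"{label}: body is not valid base64"]
    problems = []
    if not der or der[0] != 0x30:
        problems.append(f"{label}: decoded body is not a DER SEQUENCE")
    if want_cert:
        if label != "CERTIFICATE":
            problems.append(f"server.crt: expected a CERTIFICATE block, found {label}")
        if len(blocks) > 1:
            problems.append("server.crt: holds several certificates; intermediates go under Additional CA Certificates")
    else:
        if label not in KEY_LABELS:
            problems.append(f"server.key: expected a private key block, found {label}")
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("server.key: private key is encrypted, the import will ask for its password")
    return problems


def validate_bundle(zip_bytes):
    """Check the archive layout the import requires, then each member's PEM content."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    names = zf.namelist()
    problems = [f"{n}: archive must be flat (no directories)" for n in names if "/" in n or "\\" in n]
    if sorted(names) != ["server.crt", "server.key"]:
        problems.append(f"archive must contain exactly server.key and server.crt, found {names}")
        return problems
    problems += pem_problems(zf.read("server.key").decode("ascii", "replace"), want_cert=False)
    problems += pem_problems(zf.read("server.crt").decode("ascii", "replace"), want_cert=True)
    return problems


def make_zip(entries):
    """Build an in-memory zip from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def make_bundle(key_pem, crt_pem):
    """The flat layout the appliance expects: server.key and server.crt at the root."""
    return make_zip({"server.key": key_pem, "server.crt": crt_pem})


if __name__ == "__main__":
    print(validate_bundle(make_bundle(SAMPLE_KEY, SAMPLE_CRT)))
    print(validate_bundle(make_zip({"certs/server.key": SAMPLE_KEY,
                                    "certs/server.crt": SAMPLE_CRT})))
```

Most failed zip imports come from archiving a folder (the members end up as certs/server.key) or from including a chain in server.crt; both show up here before the upload. To confirm that a real key belongs to the certificate, compare the public keys printed by openssl pkey -in server.key -pubout and openssl x509 -in server.crt -pubkey -noout.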

Adding Additional CA Certificates

You can import additional CA certificates for use with chained certificates, for example, when the issuing CA uses an intermediate (chained) signing certificate. To import a CA certificate file, upload a PEM-encoded, DER-encoded, or PKCS #7 (.p7b) file.

To add additional certificates in PEM format:
1
Navigate to the System > Certificates page.
2
Click Import CA Certificate in the Additional CA Certificates section. The Import Certificate dialog box is displayed.
3
Click Browse.
4
Locate the PEM-encoded, DER-encoded, or PKCS #7 CA certificate file on your disk or network drive and select it. Any filename is accepted.
5
Click Upload.

After the certificate has been uploaded, the CA certificate is displayed in the Additional CA Certificates list in the System > Certificates page.

6
To add the new CA certificate to the Web server’s active CA certificate list, the Web server must be restarted. Restart the SMA/SRA appliance to restart the Web server.

System > Monitoring

This section provides an overview of the System > Monitoring page and a description of the configuration tasks available on this page.

System > Monitoring Overview

The SMA/SRA appliance provides configurable monitoring tools that enable you to view usage and capacity data for your appliance. The System > Monitoring page provides the administrator with four monitoring graphs:

Active Concurrent Users
Bandwidth Usage
CPU Utilization (%)
Memory Utilization (%)

The administrator can configure the following monitoring periods: last 30 seconds, last 30 minutes, last 24 hours, last 30 days. For example, Last 24 Hours refers to the most recent 24 hour period.

The following Figure shows the System > Monitoring page.

System > Monitoring Page

Monitoring Graphs

The four monitoring graphs can be configured to display their respective data over a period of time ranging from the last 30 seconds to the last 30 days.

Monitoring Graph Types 

Graph

Description

Active Concurrent Users

The number of users who are logged into the appliance at the same time, measured over time by seconds, minutes, hours, or days. This figure is expressed as an integer, for example, 2, 3, or 5.

Bandwidth Usage (Kbps)

The amount of data per second being transmitted and received by the appliance, in Kbps, measured over time by seconds, minutes, hours, or days.

CPU Utilization (%)

The share of the appliance's processor capacity in use, measured over time by seconds, minutes, hours, or days. This figure is expressed as a percentage of total CPU capacity.

Memory Utilization (%)

The amount of memory in use on the appliance, measured over time by seconds, minutes, hours, or days. This graph displays memory utilization as a percentage of the total memory available.

Setting The Monitoring Period

To set the monitoring period, select one of the following options from the Monitor Period drop-down list in the System > Monitoring page:

Last 30 Seconds
Last 30 Minutes
Last 24 Hours
Last 30 Days

Refreshing the Monitors

To refresh the monitors, click Refresh at the top right corner of the System > Monitoring page.

System > Diagnostics

This section provides an overview of the System > Diagnostics page and a description of the configuration tasks available on this page.

System > Diagnostics Overview

The System > Diagnostics page allows the administrator to download or email a tech support report and complete basic network diagnostics.

System > Diagnostics Page

Options to automatically send the TSR to an external FTP server after a restart and upon generation are included. Configure the FTP server in the System > Administration page to automatically send the TSR to an external FTP server. See Configuring External FTP/TFTP Server Settings for more information.

Downloading & Generating the Tech Support Report

Downloading a Tech Support Report records system information and settings that are useful to SonicWall Inc. Technical Support when analyzing system behavior. The following options are available for Tech Support Reports:

Download Current Report—Clicking this button prompts a Windows pop-up to display confirming the download. Click Save to save the report. The Tech Support Report is saved as a .zip file, containing graphs, event logs and other technical information about your SMA/SRA appliance.
Email Current Report— Click to email the TSR to the address specified in the Email Reports to field.
Generate TSR on Restart—Enable this option by selecting the check box. When enabled, the SMA/SRA appliance generates a new TSR upon every restart of the appliance. The latest report generated from an appliance restart is available in the drop-down list, prefaced with “Restarted_TSR_.”
Download—This button allows you to download the latest Restarted Tech Support Report to your local system.
Delete—This button allows you to delete the latest Restarted Tech Support Report.
Email—Click this button to email the latest Restarted Tech Support Report to the values specified in the Mail Server field on the Log > Settings page.
Automatically email new reports upon generation—Select this check box to enable automatic emailing of the latest Restarted Tech Support Report. You must specify the Mail Server and Mail From Address fields on the Log > Settings page for automated email delivery.
Enable scheduled TSR generation—Click the check box to enable scheduled Tech Support Reports. After enabled, you can either have them generated Hourly or Daily. Note that a maximum of 12 TSRs are stored, with a total file size not exceeding 50 MB. Scheduled Tech Support Reports are mostly used for diagnostics or troubleshooting purposes by a SonicWall Inc. technician, if needed.
NOTE: Scheduled TSR is disabled by default. You must enable the feature on the <SSLVPN>/cgi-bin/diag page first.
Download—This button allows you to download the latest scheduled Tech Support Reports to your local system.
Delete—This button allows you to delete the latest scheduled Tech Support Reports.
Email—Click this button to email the latest scheduled Tech Support Reports to the values specified in the Mail Server field on the Log > Settings page.
Automatically email new reports upon generation—Select this check box to enable automatic emailing of the latest scheduled Tech Support Reports. You must specify the Mail Server and Mail From Address fields on the Log > Settings page for automated email delivery.

Performing Diagnostic Tests

Diagnostic tools allow the administrator to test SMA/SRA connectivity by performing a ping, TCP connection test, DNS lookup, or traceroute for a specific IP address or Web site. You can also run a bandwidth test between the SMA/SRA appliance and your local computer, or an SNMP query to display information about the appliance.

You can do standard network diagnostic tests on the SMA/SRA appliance in the System > Diagnostics page.

To run a diagnostic test:
1
Navigate to the System > Diagnostics page.
2
In the Diagnostic Tool drop-down list, select Bandwidth Test, TCP Connection Test, DNS Lookup, Ping, Ping6, Traceroute, Traceroute6, SNMP Query, or Botnet Test.

The following Table describes the diagnostic tools and functions.

 

Diagnostic tools and their functions 

Diagnostic Tool

Function

Bandwidth Test

Measures the upload and download speed of the network connection between your computer and the SMA/SRA appliance.

TCP Connection Test

Tests the connectivity of a port that is specified by appending a colon and port number to the host name or IP address (for example, 10.9.9.19:83 or www.myhost.com:83). If no port is specified, port 80 is tested.

DNS Lookup

Translates a DNS name to an IP address and vice versa.

Ping

Tests the connection to a host or IP address.

Ping6

Tests the connection to an IPv6 address or domain. Ping6 is meant for use with IPv6 addresses and networks.

Traceroute

Identifies the route and number of hops needed to connect to a host or IP address.

Traceroute6

Identifies the route and number of hops needed to connect to an IPv6 address or domain. Traceroute6 is meant for use with IPv6 addresses and networks.

SNMP Query

Looks up SNMP information from the selected MIB. SNMP must be enabled (System > Administration page) before a query can be completed. In the SNMP MIB drop-down list, select the MIB for which to display the values. The SNWL-SSLVPN-MIB is the Secure Mobile Access specific MIB that shows device statistics and licensing information. The SNWL-COMMON-MIB is a file common to all SonicWall Inc. products and shows product name, serial, firmware, ROM version, and asset number (user defined). The rest of the MIBs are standard SNMP MIBs including SNMPv2-MIB and All SNMP MIB-2, or you can select ALL MIBs.

Botnet Test

Identifies whether an IP address is a Botnet IP address.

3
If prompted for additional information like a Host or IP Address, type the requested information.
4
Click Enter.

The results display at the bottom of the page.

System > Restart

This section provides an overview of the System > Restart page and a description of the configuration tasks available on this page.

System > Restart Overview

The System > Restart page allows the administrator to restart the SMA/SRA appliance.

A warning is displayed that restarting takes one or two minutes and causes all current users to be disconnected.

Restarting the SMA/SRA Appliance

To restart the SMA/SRA appliance, complete the following steps:
1
Navigate to System > Restart.
2
Click Restart.
3
In the confirmation dialog box, click OK.
NOTE: Restarting takes approximately two minutes and causes all users to be disconnected.

System > About

The System > About page provides the End-User License Agreement for using the SMA/SRA appliance. Click Download for SonicWall Inc. copyright Information. For more information regarding the End-User License Agreement, refer to https://www.sonicwall.com/legal/.

Network Configuration

This section provides information and configuration tasks specific to the Network pages on the Secure Mobile Access web-based management interface. Network tasks for the SMA/SRA appliance include configuring network interfaces, DNS settings, routes, and host resolution.

Topics:

Network > Interfaces

This section provides an overview of the Network > Interfaces page and a description of the configuration tasks available on this page.

Network > Interfaces Overview

The Network > Interfaces page allows the administrator to configure the IP address, subnet mask and view the connection speed of physical network interface ports on the SMA/SRA appliance.

Network > Interfaces Page

Configuring Network Interfaces

The Network > Interfaces page allows the administrator to view and configure the IP address, subnet mask, speed, and management settings of the X0, X1, X2, X3, and where available, the X4 and X5 interfaces on the SMA/SRA appliance. For a port on your SMA/SRA appliance to communicate with a firewall or target device on the same network, you need to assign an IP address and a subnet mask to the interface.

NOTE: If the Secure Mobile Access management interface IP address changes, the Secure Mobile Access services are automatically restarted. This interrupts any existing user sessions, and users need to reconnect to continue using the SMA/SRA appliance.
To configure these settings for an interface on the SMA/SRA appliance:
1
Navigate to the Network > Interfaces page and click the configure icon next to the interface you want to configure.
2
In the Edit Interfaces dialog box on the SMA/SRA appliance, type an unused static IP address in the IP Address field. This IP address should reside within the local subnet to which your SMA/SRA appliance is connected.
3
Type the subnet mask in the Subnet Mask field.

4
In the IPv6 address/prefix field, optionally enter an IPv6 address for global scope. If you leave this field empty, IPv6-enabled devices can still automatically connect using a link-local address. The scope is indicated in a tooltip on the Network > Interfaces page.

5
In the Speed drop-down list, Auto Negotiate is selected by default to allow the SMA/SRA appliance to automatically negotiate the speed and duplex mode with the connected switch or other networking device. Ethernet connections are typically auto-negotiated. If you want to force a certain link speed and duplex mode, select one of the following options:
1000 Mbps - Full Duplex
100 Mbps - Full Duplex
100 Mbps - Half Duplex
10 Mbps - Full Duplex
10 Mbps - Half Duplex
NOTE: If you select a specific link speed and duplex mode, you must force the connection speed and duplex from the connected networking device to the SonicWall Inc. security appliance as well.
6
For the Management options, if you want to enable remote management of the SMA/SRA appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, and/or Ping. Enable management only on interfaces that face your management network, and prefer HTTPS: HTTP sends administrator credentials and session data in cleartext.
7
Click Accept.

Network > DNS

This section provides an overview of the Network > DNS page and a description of the configuration tasks available on this page.

Network > DNS Overview

The Network > DNS page allows the administrator to set the SMA/SRA appliance hostname, DNS settings and WINS settings.

Network > DNS Page

The hostname section allows the administrator to specify the SMA/SRA gateway hostname.

DNS Settings

The DNS settings section allows the administrator to specify a Primary DNS Server, Secondary DNS Server (optional) and DNS Domain (optional). The Primary DNS Server is required.

For SMA/SRA appliances supporting connections from Apple iPhones, iPads, or other iOS devices using SonicWall Inc. Mobile Connect, the DNS Domain is a required field. This DNS domain is set on the VPN interface of the iPhone/iPad after the device makes a connection to the appliance. When the mobile device user accesses a URL, iOS determines whether the domain matches the VPN interface's domain, and if so, uses the VPN interface's DNS server to resolve the hostname. Otherwise, the Wi-Fi or 3G/4G DNS server is used, which cannot resolve hosts within the company intranet.

WINS Settings

The WINS (Windows Internet Name Server) settings section allows the administrator to specify the primary WINS server and secondary WINS server (both optional).

Configuring Hostname Settings

To configure a hostname:
1
Navigate to the Network > DNS page.
2
In the Hostname region, type a hostname for the SMA/SRA appliance in the SMA Gateway Hostname field.
3
Click Accept.

Configuring DNS Settings

A Domain Name System (DNS) server is required to allow your SMA/SRA appliance to resolve host names and URLs to their corresponding IP addresses. This enables your SMA/SRA appliance to connect to hosts or sites using a Fully Qualified Domain Name (FQDN).

To configure a DNS server:
1
Navigate to the Network > DNS page.
2
In the DNS Settings region, type the address of the primary DNS server in the Primary DNS Server field.
3
An optional secondary address can be provided in the Secondary DNS Server (optional) field.
4
Optionally, use the DNS Search List field to create a pool of domain names:
a
Type the domain suffix in the Domain Search List and click Add. The suffix is appended with the host name to make a Fully Qualified Domain Name (FQDN) that is used in host resolution.
b
To remove a DNS suffix, select the domain suffix from the list and click Remove.
c
Use the up and down arrow keys to arrange the DNS domain suffixes in the order that is used to resolve host names.

For example, your host name is SonicPRS and the usa.n.sonicwall.com and rsc.sonicwall.com DNS suffixes are added to the search list. The first suffix is appended to SonicPRS to make the FQDN (SonicPRS.usa.n.sonicwall.com) that is used in name resolution. If the name is not resolved, the next suffix in the search list is used (SonicPRS.rsc.sonicwall.com). This process continues until the name is resolved or all suffixes have been tried.

5
Click Accept.
6
Restart the appliance to ensure new DNS settings take effect.

Configuring WINS Settings

WINS settings are optional. The SMA/SRA appliance can act as both a NetBIOS and WINS (Windows Internet Naming Service) client to learn local network host names and corresponding IP addresses.

To configure WINS settings:
1
Navigate to the Network > DNS page.
2
In the WINS Settings region, type a primary WINS address in the Primary WINS Server (optional) field.
3
In the WINS settings region, type a secondary WINS address in the Secondary WINS Server (optional) field.
4
Click Accept.

Network > Routes

This section provides an overview of the Network > Routes page and a description of the configuration tasks available on this page.

Network > Routes Overview

The Network > Routes page allows the administrator to assign a default gateway and interface, and to add and configure static routes. For more information on default or static routes, refer to the Getting Started Guide for your appliance model.

Network > Routes Page

Default Route

The default route section allows the administrator to define the default network route by setting the default IPv4 gateway and interface, and/or default IPv6 gateway and interface. A default network route is required for Internet access.

Static Routes

The static routes section allows the administrator to add and configure additional static routes by specifying a destination network, subnet mask, optional default gateway, and interface.

Configuring a Default Route for the SMA/SRA Appliance

You must configure a default gateway on your SMA/SRA appliance for it to be able to communicate with remote networks. A remote network is any IP subnet different from its own. In most cases, the default gateway is the LAN IP address of the firewall interface to which the SMA/SRA appliance is connected. This is the default route for the appliance.

To configure the default route:
1
Navigate to the Network > Routes page.
2
In the Default IPv4 Gateway field, type the IP address of the firewall or other gateway device through which the SMA/SRA appliance connects to the network. This address acts as the default route for the appliance.
3
In the Interface drop-down list, select the interface that serves as the IPv4 connecting interface to the network. In most cases, the interface is X0.
4
In the Default IPv6 Gateway field, type the IPv6 address of the firewall or other gateway device through which the SMA/SRA appliance connects to the network. This address acts as the default IPv6 route for the appliance.
5
In the Interface drop-down list, select the interface that serves as the IPv6 connecting interface to the network.
6
Click Accept.

Configuring Static Routes for the Appliance

Based on your network’s topology, you might find it necessary or preferable to configure static routes to certain subnets rather than attempting to reach them through the default gateway. While the default route is the default gateway for the device, static routes can be added as needed to make other networks reachable for the SMA/SRA appliance. For more details on routing or static routes, refer to a standard Linux reference guide.

To configure a static route to an explicit destination for the appliance, complete the following steps:
1
Navigate to the Network > Routes page and click Add Static Route...
2
In the Add Static Route dialog box, type the subnet or host to which the static route is directed into the Destination Network field (for example, 192.168.220.0 provides a route to the 192.168.220.X/24 subnet). You can enter an IPv6 subnet (for example, 2017:1:2::).

3
In the Subnet Mask/Prefix field, enter the subnet mask of the destination network, or the number of bits used for the prefix (for example, 24 for the 192.168.220.0 subnet above).
4
In the Default Gateway field, type the IP address of the gateway device that connects the appliance to the destination network. You can enter an IPv6 address. The gateway must be directly reachable on the interface you select in the next step.
5
In the Interface drop-down list, select the interface that connects the appliance to the desired destination network.
6
Click Accept.
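The appliance accepts whatever you type into the Add Static Route dialog, so the checks below are the ones worth running before you click Accept: the destination is a real network address (no host bits set), the gateway is the same IP version as the destination, and the gateway is on-link for the chosen interface. This is an added example written for this guide, not code from the appliance; the interface table INTERFACES is constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed interface table (an assumption of this example, not read from an appliance):
# interface name -> addresses configured on it, with prefix length.
INTERFACES: Dict[str, List[str]] = {
    "X0": ["192.168.200.10/24", "2001:db8:1::10/64"],
    "X1": ["10.0.0.10/24"],
}


def validate_static_route(destination: str, mask_or_prefix, gateway: Optional[str],
                          interface: str, interfaces: Dict[str, List[str]] = INTERFACES) -> List[str]:
    """Check a candidate static route before it is entered. Returns a list of problems (empty = OK).

    destination    -- Destination Network, e.g. "192.168.220.0" or "2017:1:2::"
    mask_or_prefix -- dotted IPv4 mask ("255.255.255.0") or prefix length (24, "48")
    gateway        -- Default Gateway (next hop), or None for a directly attached network
    interface      -- egress interface, e.g. "X0"
    """
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(f"{destination}/{mask_or_prefix}", strict=False)
    except ValueError as exc:
        return [f"destination/prefix is not a valid network: {exc}"]

    # Host bits set in the destination (192.168.220.5/24) almost always mean a typo.
    if ipaddress.ip_address(destination) != net.network_address:
        problems.append(f"destination {destination} has host bits set; network is {net.network_address}")

    if interface not in interfaces:
        problems.append(f"unknown interface {interface}")
        return problems
    same_family = [ipaddress.ip_interface(a) for a in interfaces[interface]
                   if ipaddress.ip_interface(a).version == net.version]
    if not same_family:
        problems.append(f"interface {interface} has no IPv{net.version} address")
        return problems

    if gateway:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:
            problems.append(f"gateway {gateway} is not a valid IP address")
            return problems
        if gw.version != net.version:
            problems.append("gateway and destination are different IP versions")
        elif not any(gw in i.network for i in same_family):
            # The next hop must be on-link: reachable without consulting another route.
            problems.append(f"gateway {gateway} is not on a subnet of interface {interface}")
    return problems
```

Run it against each route you intend to add; an empty list means the route is internally consistent with the interface it will leave through, which is the failure mode the dialog itself does not catch.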

Network > Host Resolution

This section provides an overview of the Network > Host Resolution page and a description of the configuration tasks available on this page.

Network > Host Resolution Overview

The Network > Host Resolution page allows the administrator to configure host names.

Network > Host Resolution Page

Host Name Settings

The host name settings section allows the administrator to add and configure a host name by specifying an IP address, host name (host or FQDN) and an optional alias.

Configuring Host Resolution

The Host Resolution page enables network administrators to configure or map host names or fully qualified domain names (FQDNs) to IP addresses.

* 
NOTE: A host resolution entry is automatically created for the SMA/SRA appliance itself. Do not delete it.

The SMA/SRA appliance can act as both a NetBIOS and WINS (Windows Internet Name Service) client to learn local network host names and corresponding IP addresses.

To resolve a host name to an IP address:
1
Navigate to the Network > Host Resolution page.
2
Click Add Host Name.
3
In the Add Host Name window, in the IP Address field, type the IP address that maps to the hostname.
4
In the Host Name field, type the hostname that you want to map to the specified IP address.
5
Optionally, in the Alias field, type a string that is the alias for the hostname.
6
Click Add. The Host Resolution page now displays the new host name.
7
Optionally select Configure auto-added hosts on the Network > Host Resolution page. If this option is selected, you can edit or delete automatically added Host entries (such as for IPv6). This option is not recommended, as host mis-configuration could lead to undesirable results.

Network > Network Objects

This section provides an overview of the Network > Network Objects page and a description of the configuration tasks available on this page.

Network > Network Objects Overview

The Network > Network Objects page allows the administrator to add and configure network resources, called objects. For convenience, you can create an entity that contains both a service and an IP address mapped to it. This entity is called a network object. This creates an easy way to specify a service to an explicit destination (the network object) when you are applying a policy, instead of having to specify both the service and the IP address.

You can create IPv6 network objects using IPv6 object types and addresses.

Network > Network Objects Page

Network objects are set up by specifying a name and selecting one of the following services:

Web (HTTP)
Secure Web (HTTPS)
NetExtender
Terminal Services (RDP)
Virtual Network Computing (VNC)
File Transfer Protocol (FTP)
Telnet, Secure Shell Version 2 (SSHv2)
File Shares (CIFS)
Citrix Portal (Web Access)

Port or port range settings are available for all services, allowing the administrator to configure a port range (such as 80-443) or a port number (80) for a Network Object. You can use this feature to create port-based policies. For example, you can create a Deny All policy and allow only HTTP traffic to reach port 80 of a Web server.

Adding Network Objects

To add a network object:
1
Navigate to the Network > Network Objects page.
2
Click Add Network Object... The Add Network Object screen is displayed.

3
Type a string in the Name field that is the name of the network object you are creating.
* 
NOTE: To edit an existing network object, select Configure next to the object you want to edit. A new network object with the same name as an existing network object does not replace or modify an existing network object.
4
Click on the Service list and select a service type: Web (HTTP), Secure Web (HTTPS), NetExtender, Terminal Services (RDP), Virtual Network Computing (HTML5), File Transfer Protocol, Telnet, Telnet (HTML5), Secure Shell Version 2 (SSHv2), File Shares (CIFS), or Citrix Portal.
5
Click Accept. The Edit Network Object screen is displayed, showing the network object name and the service associated with it. To complete the object by adding addresses mapped to the network object, see Editing Network Objects.

Editing Network Objects

To edit a network object, complete the following steps:
1
To edit an existing network object, navigate to the Network > Network Objects page and click the Configure icon or click the Incomplete link for the object you wish to edit. The Edit Network Object screen is displayed.

If you just created a network object, the Edit Network Object screen is displayed as soon as you clicked Accept.

The Edit Network Object shows the network object name and the service associated with it. It also contains an address list that displays existing addresses mapped to the network object.

2
To change the service, select the desired service from the Service drop-down list and then click Update Service. The Service column in the Network Objects table displays the new service, and the Edit Network Object dialog box remains open. You can click Done if finished.
3
To add or edit Type and Address values for this Network Object, click Add. The Define Object Address page is displayed.

4
When finished adding addresses, click Done in the Edit Network Object screen.
5
The Network > Network Objects page is displayed with the new network object in the Network Objects list.
6
If the object is not fully defined with at least one IP address or network range, the status Incomplete displays. Click the Incomplete link or the Configure icon to edit the network object again, and then click Add to add Type and Address values for this network object. The Define Object Address page is displayed.

* 
NOTE: Policies cannot be created for incomplete network objects.

Defining an Object Address

1
In the Define Object Address page, click on the Object Type drop-down list and select an object type. The four object types are:
IP Address - A single IP address.
Network Address - A range of IP addresses, defined by a starting address and a subnet mask.
IPV6 Address - A single IPv6 address.
IPV6 Network - A range of IPv6 addresses.

2
Type in the appropriate information pertaining to the object type you have selected.
For the IP Address object type, type an IP address in the IP Address field.
For the Network Address object type, in the Network Address field, type an IP address that resides in the desired network subnet and type a subnet mask in the Subnet Mask field. In the Port Range/Port Number field, optionally enter a port range in the format 80-443, or enter a single port number.
For the IPV6 Address object type, type an IP address in the IPv6 Address field.
For the IPV6 Network object type, in the IPv6 Network Address field, type an IPv6 address that resides in the desired network subnet and type the number of bits to use as a prefix in the Prefix field.

3
When finished adding addresses, click Done in the Edit Network Object dialog box.
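The procedure above defines a network object as a service plus one or more addresses, each optionally limited to a port or port range, and the overview gives the motivating case: a Deny All policy with an exception that lets only HTTP reach port 80 of one Web server. The following added example (written for this guide, not the appliance's own code) models the four object types, the Incomplete state, and that deny-all-with-exceptions evaluation. The first-match policy ordering and the object and address names are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ObjectAddress:
    """One row of the Define Object Address page."""
    obj_type: str                         # "IP Address", "Network Address", "IPV6 Address", "IPV6 Network"
    address: str                          # "10.1.2.3", "10.1.2.0" or "2001:db8::"
    mask_or_prefix: Optional[str] = None  # "255.255.255.0" (Network Address) or "64" (IPV6 Network)
    port_range: Optional[str] = None      # "80", "80-443", or None for any port

    def network(self):
        if self.obj_type in ("IP Address", "IPV6 Address"):
            return ipaddress.ip_network(self.address)          # a single host: /32 or /128
        return ipaddress.ip_network(f"{self.address}/{self.mask_or_prefix}", strict=False)

    def ports(self) -> Tuple[int, int]:
        if not self.port_range:
            return (1, 65535)
        lo, _, hi = self.port_range.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {self.port_range!r}")
        return (lo_i, hi_i)

    def matches(self, ip: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        net = self.network()
        if addr.version != net.version or addr not in net:
            return False
        lo, hi = self.ports()
        return lo <= port <= hi


@dataclass
class NetworkObject:
    name: str
    service: str
    addresses: List[ObjectAddress] = field(default_factory=list)

    def is_complete(self) -> bool:
        # The page shows "Incomplete" until at least one address is defined.
        return bool(self.addresses)

    def matches(self, ip: str, port: int) -> bool:
        return any(a.matches(ip, port) for a in self.addresses)


@dataclass
class Policy:
    name: str
    action: str                    # "allow" or "deny"
    obj: Optional[NetworkObject]   # None = any destination


def make_policy(name: str, action: str, obj: Optional[NetworkObject]) -> Policy:
    """Refuse to build a policy on an incomplete object, as the guide's NOTE requires."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    if obj is not None and not obj.is_complete():
        raise ValueError(f"network object {obj.name!r} is incomplete")
    return Policy(name, action, obj)


def evaluate(policies: List[Policy], ip: str, port: int) -> Tuple[str, str]:
    """First matching policy wins (assumed ordering); anything unmatched is denied."""
    for p in policies:
        if p.obj is None or p.obj.matches(ip, port):
            return p.action, p.name
    return "deny", "implicit default"


# Constructed example: allow only HTTP to port 80 of one Web server and HTTPS to a
# DMZ range, then deny everything else.
WEB_SERVER = NetworkObject("intranet-web", "Web (HTTP)", [
    ObjectAddress("IP Address", "10.1.2.3", port_range="80"),
])
DMZ = NetworkObject("dmz-https", "Secure Web (HTTPS)", [
    ObjectAddress("Network Address", "10.1.3.0", "255.255.255.0", "443"),
    ObjectAddress("IPV6 Network", "2001:db8:3::", "64", "443"),
])
POLICIES = [
    make_policy("allow-intranet-web", "allow", WEB_SERVER),
    make_policy("allow-dmz-https", "allow", DMZ),
    make_policy("deny-all", "deny", None),
]
```

Note the check in make_policy: an object that has a name and a service but no address matches nothing, so a policy built on it would silently be a no-op; rejecting it up front mirrors the appliance's refusal to create policies for incomplete objects.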

Portals Configuration

This section provides information and configuration tasks specific to the Portals pages on the Secure Mobile Access web-based management interface, including configuring portals, assigning portals, and defining authentication domains, such as RADIUS, LDAP, and Active Directory.

Topics:

Portals > Portals

This section provides an overview of the Portals > Portals page and a description of the configuration tasks available on this page.

For information about Application Offloading and Offload Web Application, see Portals > Application Offloading.

Portals > Portals Overview

The Portals > Portals page allows the administrator to configure a custom portal for the Secure Mobile Access portal login page as well as the portal home page.

Portals > Portals page

Portal Settings

The Portal Settings section allows the administrator to configure a custom portal by providing the portal name, portal site title, portal banner title, login message, virtual host/domain name and portal URL. This section also allows the administrator to configure custom login options for control over what is displayed/loaded on login and logout, HTTP meta tags for cache control, ActiveX Web cache cleaner, login uniqueness, and client source uniqueness.

Additional Information About the Portal Home Page

For most Secure Mobile Access administrators, a plain text home page message and a list of links to network resources is sufficient. For administrators who want to display additional content on the user portal, review the following information:

With the Tips/Help sidebar enabled, the width of the workspace is 561 pixels.
With the Tips/Help sidebar disabled, the width of the workspace is 712 pixels.
No IFRAME is used.
You can upload a custom HTML file, which is displayed after all other content on the home page. You can also add HTML tags and JavaScript to the Home Page Message field. Because this content is rendered in every user's authenticated portal session, restrict the ability to edit it to trusted administrators.
Because the uploaded HTML file is displayed after other content, do not include <head> or <body> tags in the file.

Adding Portals

The administrator can customize a portal that appears as a customized landing page to users when they are redirected to the SMA/SRA appliance for authentication.

The network administrator might define individual layouts for the portal. The layout configuration includes menu layout, portal pages to display, portal application icons to display, and Web cache control options.

The default portal is the Virtual Office portal. Additional portals can be added and modified.

To add a portal:
1
Navigate to the Portals > Portals window and click Add Portal. The Portal Settings window is displayed.

The following table describes the fields you can configure in the General section. Refer to Configuring General Portal Settings for the specific steps required to configure a custom portal.

 

General Section Fields 

Field

Description

Portal Name

The title used to refer to this portal. It is for internal reference only, and is not displayed to users.

Portal Site Title

The title that appears in the Web browser title bar of users accessing this portal.

Portal Banner Title

The welcome text that appears on top of the portal screen.

Login Message

Optional text that appears on the portal login page above the authentication area.

Portal URL

The URL that is used to access this specific portal.

Display custom login page

Displays the customized login page rather than the default login page for this portal.

Display login message on custom login page

Displays the text specified in the Login Message text box.

Hide Domain list on portal login page

If enabled, this option replaces the Domain list box on the login page with a text box into which the user types the domain name. This option applies only to portal login through a Web browser.

Enable HTTP meta tags for cache control

Enables HTTP meta tags in all HTTP/HTTPS pages served to remote users to prevent their browser from caching content.

Enable ActiveX Web cache cleaner

Loads an ActiveX control (browser support required) that cleans up all session content after the Secure Mobile Access session is closed.

Enforce login uniqueness

If enforced, login uniqueness restricts each account to one session at a time. Select to Automatically logout existing session or Confirm logout of existing session as the preferred Enforcement Method.
If not enforced, each account can have multiple simultaneous sessions.

Enforce client source uniqueness

If enforced, client source uniqueness prevents multiple connections from a user with the same client source address when connecting with a SonicWall Inc. client (NetExtender, Mobile Connect, Virtual Assist, and so on). This prevents a user from consuming multiple licenses when a user reconnects after an unexpected network interruption.

Small Logo

Specify the link for the small logo. The recommended size is 128 x 128.

Medium Logo

Specify the link for the medium logo. The recommended size is 270 x 270.

Wide Logo

Specify the link for the wide logo. The recommended size is 558 x 270.

Large Logo

Specify the link for the large logo. The recommended size is 558 x 558.

Background Color

Specify the background color for Live Tile. The default setting is #0085C3.

Site Name

Specify the display name for the bookmark. The default setting is your portal name.

Configuring General Portal Settings

There are two main options for configuring a portal:

Modify an existing layout.
Configure a new portal.
To configure the settings in the General section for a new portal:
1
Navigate to the Portals > Portals page.
2
Click Add Portal or Configure next to the portal you want to configure. The Add Portal or Edit Portal screen displays.
3
In the General section, enter a descriptive name for the portal in the Portal Name field. This name is part of the path of the Secure Mobile Access portal URL. For example, if your Secure Mobile Access portal is hosted at https://vpn.company.com, and you created a portal named “sales,” then users are able to access the sub-site at https://vpn.company.com/portal/sales.
* 
NOTE: Only alphanumeric characters, hyphen (-), and underscore (_) are accepted in the Portal Name field. If other types of characters or spaces are entered, the portal name is truncated before the first non-alphanumeric character.
4
Enter the title for the Web browser window in the Portal Site Title field.
5
To display a banner message to users before they log in to the portal, enter the banner title text in the Portal Banner Title field.
6
Enter an HTML-compliant message, or edit the default message, in the Login Message field. This message is shown to users on the custom login page.
7
The Portal URL field is automatically populated based on your SMA/SRA appliance network address and Portal Name.
8
To enable visibility of your custom logo, message, and title information on the login page, select Display custom login page.
* 
NOTE: Custom logos can only be added to existing portals. To add a custom logo to a new portal, first complete general portal configuration, then add a logo in Adding a Custom Portal Logo.
9
Select Enable HTTP meta tags for cache control to apply HTTP meta tag cache control directives to the portal. Cache control directives include:

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">

These directives help prevent client browsers from caching SMA portal pages and other Web content.

* 
NOTE: Enabling HTTP meta tags is strongly recommended for security reasons: it prevents out-of-date Web pages and session data from being stored in users' Web browser cache.
10
Select Enable ActiveX Web cache cleaner to load an ActiveX cache control when users log in to the SMA/SRA appliance. The Web cache cleaner prompts the user to delete all session temporary Internet files, cookies and browser history when the user logs out or closes the Web browser window. The ActiveX Web cache control is ignored by Web browsers that do not support ActiveX.
13
Specify the link(s) for the Small / Medium / Wide / Large Logo to be used with Live Tile.
14
Specify the Background Color for Live Tile. If no value is specified, the default color is #0085C3.
15
Specify the Site Name to be displayed for Live Tile. If no value is specified, the default is the Portal Name.
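Step 9 lists the three meta directives the portal emits when Enable HTTP meta tags for cache control is selected. After enabling the option it is worth confirming that a page fetched from the portal actually carries all three, and, because meta tags are seen only by the browser, that the HTTP response also carries a Cache-Control header for any proxy in the path. The following is an added example for this guide, not appliance code: the two sample pages are constructed, and the header criterion in response_header_cache_ok is this example's own, not a setting the guide describes.

```python
from html.parser import HTMLParser
from typing import Dict, Set, Tuple

# The three directives the guide lists for "Enable HTTP meta tags for cache control".
REQUIRED_META: Set[Tuple[str, str]] = {
    ("pragma", "no-cache"),
    ("cache-control", "no-cache"),
    ("cache-control", "must-revalidate"),
}


class _MetaCollector(HTMLParser):
    """Collects (http-equiv, directive) pairs from every <meta> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.found: Set[Tuple[str, str]] = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "http-equiv" not in a:
            return
        name = a["http-equiv"].strip().lower()
        for directive in a.get("content", "").split(","):
            self.found.add((name, directive.strip().lower()))


def missing_meta_directives(html: str) -> Set[Tuple[str, str]]:
    """Return the required cache-control meta directives the page lacks (empty set = all present)."""
    p = _MetaCollector()
    p.feed(html)
    p.close()
    return REQUIRED_META - p.found


def response_header_cache_ok(headers: Dict[str, str]) -> bool:
    """Meta tags only reach the browser; intermediate caches see the Cache-Control header.
    This example accepts 'no-store', or 'no-cache' together with 'must-revalidate'
    (an assumption of the example, not a guide setting)."""
    lower = {k.lower(): v for k, v in headers.items()}
    tokens = {t.strip().lower() for t in lower.get("cache-control", "").split(",")}
    return "no-store" in tokens or {"no-cache", "must-revalidate"} <= tokens


# Constructed sample pages (not captured from an appliance).
PAGE_WITH_META = """<html><head><title>Virtual Office</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
</head><body>Welcome</body></html>"""

PAGE_WITHOUT_META = """<html><head><title>Virtual Office</title>
<meta http-equiv="pragma" content="no-cache">
</head><body>Welcome</body></html>"""
```

To use it on a live portal, fetch the login page with a client that returns both the body and the response headers, pass the body to missing_meta_directives and the headers to response_header_cache_ok, and treat any missing directive or a False header result as the option not being in effect.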

Enforcing Login Uniqueness

Login uniqueness, when enforced, restricts each account to a single session at a time. When login uniqueness is not enforced, each account can have multiple, simultaneous, sessions.

To enforce login uniqueness:
1
Navigate to Portals > Portals.
2
For an existing portal, click the configure icon next to the portal you want to configure. Or, for a new portal, click Add Portal.
3
Select Enforce login uniqueness.
4
Click Accept.

Enforcing Client Source Uniqueness

Client source uniqueness, when enforced, prevents multiple connections from a user with the same client source address when connecting with a SonicWall Inc. client (NetExtender, Mobile Connect, Virtual Assist, and so on). This prevents a user from consuming multiple licenses when a user reconnects after an unexpected network interruption.

For example, a user on an unreliable network is disconnected because of a network issue. If client source uniqueness is NOT enforced, the user's session on the appliance stays active after this type of disconnect until the timeout value is reached. When the user reconnects, a second license is consumed, and further licenses can be consumed before the timeout releases the first session.

To enforce client source uniqueness:
1
Navigate to Portals > Portals.
2
For an existing portal, click the configure icon next to the portal you want to configure. Or, for a new portal, click Add Portal.
3
Select Enforce client source uniqueness.
4
Click Accept.
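The two preceding procedures describe related but distinct controls: login uniqueness limits an account to one session, with either automatic logout of the existing session or a confirmation prompt, while client source uniqueness collapses reconnects from the same source address by a SonicWall client so a dropped NetExtender link does not consume a second license. The toy session table below is an added example written for this guide, not the appliance's code; the session-ID format, the client names, and the order in which the two checks are applied are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    session_id: str
    user: str
    source_ip: str
    client: str     # "web", "NetExtender", "Mobile Connect", "Virtual Assist", ...


class PortalSessions:
    """Toy session table for one portal (an assumption of this example, not the appliance's code).

    login_uniqueness         -- None (not enforced), "auto_logout" or "confirm"
                                (the two Enforcement Method choices)
    client_source_uniqueness -- True to collapse reconnects from the same source address
    """
    SONICWALL_CLIENTS = {"NetExtender", "Mobile Connect", "Virtual Assist"}

    def __init__(self, login_uniqueness: Optional[str] = None,
                 client_source_uniqueness: bool = False) -> None:
        if login_uniqueness not in (None, "auto_logout", "confirm"):
            raise ValueError("login_uniqueness must be None, 'auto_logout' or 'confirm'")
        self.login_uniqueness = login_uniqueness
        self.client_source_uniqueness = client_source_uniqueness
        self.sessions: Dict[str, Session] = {}
        self._counter = 0

    def active(self, user: str) -> List[Session]:
        return [s for s in self.sessions.values() if s.user == user]

    def licenses_in_use(self) -> int:
        # One license per live session, which is what the uniqueness options protect.
        return len(self.sessions)

    def login(self, user: str, source_ip: str, client: str = "web",
              confirm_logout: bool = False) -> Tuple[str, Optional[str], List[str]]:
        """Returns (result, new_session_id, logged_out_session_ids).
        result is "ok" or "confirm_required" (the user must agree to end the other session)."""
        existing = self.active(user)
        replaced: List[Session] = []
        # Client source uniqueness: a SonicWall client reconnecting from the same address
        # (e.g. after a network drop) replaces its stale session rather than adding one.
        if self.client_source_uniqueness and client in self.SONICWALL_CLIENTS:
            replaced = [s for s in existing if s.source_ip == source_ip and s.client == client]
        others = [s for s in existing if s not in replaced]
        # Login uniqueness: at most one session per account, whatever the source.
        if self.login_uniqueness and others:
            if self.login_uniqueness == "confirm" and not confirm_logout:
                return ("confirm_required", None, [])
            replaced += others
        for s in replaced:
            del self.sessions[s.session_id]
        self._counter += 1
        sid = f"s{self._counter}"
        self.sessions[sid] = Session(sid, user, source_ip, client)
        return ("ok", sid, [s.session_id for s in replaced])
```

With neither option enforced, the reconnect scenario from the text leaves two live sessions and two licenses in use; with client source uniqueness on, the second NetExtender login from the same address returns the first session's ID in the logged-out list and the license count stays at one.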

Configuring Login Schedules

The login schedules section allows you to restrict access to a portal based on the time specified.

To enable login schedules:
1
Navigate to Portals > Portals.
2
Select the existing portal you want to configure.
3
Go to the Login Schedule section. The Login Schedule displays.

4
Click Enable Login Schedule.
5
Set the login schedule by clicking the time slot on the day you wish to permit or deny access. To select multiple items, hold the Ctrl key down. You can also click Day to select the whole day.
6
Click Accept to save changes made to the login schedule.
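The login schedule is a grid of day-by-hour slots, and the only subtle point is what an enabled schedule with no permitted slots means: no one can log in. The following added example (written for this guide, not appliance code) builds that grid from day ranges and hour ranges and evaluates a login attempt against it; the day abbreviations and the OFFICE_HOURS schedule are constructed for illustration.

```python
from datetime import datetime
from typing import List

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # matches datetime.weekday(): Mon = 0


def empty_schedule() -> List[List[bool]]:
    """7 x 24 grid of hour slots; False = login denied (a fresh schedule permits nothing)."""
    return [[False] * 24 for _ in DAYS]


def _day_indexes(day_spec: str) -> List[int]:
    """'Wed' -> [2]; 'Mon-Fri' -> [0..4]; 'Fri-Mon' wraps around the week."""
    if "-" in day_spec:
        first, last = (DAYS.index(d) for d in day_spec.split("-", 1))
        if first <= last:
            return list(range(first, last + 1))
        return list(range(first, 7)) + list(range(0, last + 1))
    return [DAYS.index(day_spec)]


def permit(schedule: List[List[bool]], day_spec: str,
           start_hour: int = 0, end_hour: int = 24) -> List[List[bool]]:
    """Permit logins in the hour slots [start_hour, end_hour) on the given days.
    The defaults select the whole day, like clicking Day in the interface."""
    if not 0 <= start_hour < end_hour <= 24:
        raise ValueError("hours must satisfy 0 <= start < end <= 24")
    for d in _day_indexes(day_spec):
        for h in range(start_hour, end_hour):
            schedule[d][h] = True
    return schedule


def login_allowed(schedule: List[List[bool]], when: datetime, enabled: bool = True) -> bool:
    """Decide a login attempt at appliance-local time 'when'.
    With the schedule disabled every slot is open; with it enabled only explicitly
    permitted slots are, so an enabled but empty schedule locks the portal."""
    if not enabled:
        return True
    return schedule[when.weekday()][when.hour]


# Constructed example: weekday office hours plus all of Saturday.
OFFICE_HOURS = permit(permit(empty_schedule(), "Mon-Fri", 8, 18), "Sat")
```

Evaluate with the appliance's own local time (the System > Time setting), since that is the clock the schedule is applied against, and remember that the hour slot 18 means 18:00 to 18:59, so an 08:00 to 18:00 window ends at the start of the 18 slot.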

Configuring the Home Page

The home page is an optional starting page for the Secure Mobile Access appliance portal. The home page enables you to create a custom page that mobile users see when they log in to the portal. Because the home page can be customized, it provides the ideal way to communicate remote access instructions, support information, technical contact information or Secure Mobile Access-related updates to remote users.

The home page is well-suited as a starting page for restricted users. If mobile users or business partners are only permitted to access a few files or Web URLs, the home page can be customized to show only those links.

You can edit the title of the page, create a home page message that is displayed at the top of the page, show all applicable bookmarks (user, group, and global) for each user, and optionally upload an HTML file.

See also:

To configure the home page:
1
Navigate to the Portals > Portals page.
2
Click Add Portal or Configure next to the portal you want to configure. The Add Portal or Edit Portal screen displays.
3
Go to the Home Page section.

The following table provides a description of the configurable options in the Home Page section.

 

Home Page Section Fields 

Field

Description

Display Home Page Message

Displays the customized home page message after a user successfully authenticates to the SMA/SRA appliance.

Allow NetExtender/Mobile Connect connections to this portal

If selected, activates the following two check box options. If not selected, NetExtender and Mobile Connect are not available on the portal.

Display NetExtender/Mobile Connect Icon

Displays the icon to NetExtender or Mobile Connect, allowing users to install and invoke the clientless NetExtender virtual adapter, or the Mobile Connect application for mobile devices.

Display Mobile Connect banner on login page for iOS devices

Displays the Mobile Connect banner on the login page for devices running iOS 6 or higher.

Launch NetExtender after login

Launches NetExtender automatically after a user successfully authenticates to the SMA/SRA appliance. See Enabling NetExtender to Launch Automatically in the User Portal.

Allow File Shares on this portal

If selected, activates the following two check box options. If not selected, File Shares are not accessible from the portal.

Display File Shares portal button

Provides a button linking to the File Shares (Windows CIFS/SMB) Web interface, subject to the user's domain permissions. See File Sharing Using “Applet as Default”.

Use Applet for portal button

Enables the Java File Shares Applet, giving users a simple yet powerful file browsing interface with drag-and-drop, multiple file selection and contextual click capabilities.

Default File Shares path

Specify the specific file share path when allowing file shares on the portal. If nothing is specified, the file share provides a link for the user to find all available domains. The file share also lists all available file share bookmarks for the user to launch.

Display Bookmark Table

If selected, activates the following two check box options. If not selected, Bookmarks are not available from the portal.

Show “All Bookmarks” tab

Displays the tab containing administrator-provided bookmarks and allows users to define their own bookmarks to network resources.

Show default tabs (Desktop, Web, Files, Terminal)

Displays the default bookmark tabs.

Display Import Certificate Button

Displays a button that allows users to permanently import the SSL security certificate.

Show SonicWall Inc. copyright footer

Displays SonicWall Inc. copyright footer on portal. If unchecked, the footer is not shown.

Show “Tips/Help” sidebar

Displays a sidebar in the portal with tips and help links. This option is not available when Legacy Look & Feel is selected on the General tab.

Show Help Button

Displays the Help button.

Help Page URL

Specify the URL for the Help Page. Leave this field blank to use the default SonicWall Inc. Help Page.

Show Options Button

If selected, displays the Options button.

Home Page Message

Optional text that can be displayed on the home page after successful user authentication.

 
* 
NOTE:  
When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so disables access to the DFS file shares from other domains. The SMA/SRA appliance is not a domain member and cannot connect to the DFS file shares. DFS file shares on a stand-alone root are not affected by this Microsoft restriction.
Some ActiveX applications, such as the ActiveX Terminal Services RDP client, only work when connecting to a server with a certificate from a trusted root authority. If you are using the test SSL certificate that is included with the SMA/SRA appliance, you can select Display Import self-signed certificate links to allow Windows users to easily import the self-signed certificate.
It is strongly recommended that you upload a valid SSL certificate from a trusted root authority such as Verisign or Thawte. If you have a valid SSL certificate, do not select Display Import self-signed certificate links.
4
Click Accept to update the home page content.

Enabling NetExtender to Launch Automatically in the User Portal

NetExtender can be configured to start automatically when a user logs into the user portal. You can also configure whether or not NetExtender is displayed on a Virtual Office portal.

To configure NetExtender portal options:
1
Navigate to Portals > Portals
2
Click Add Portal or Configure next to the portal you want to configure. The Add Portal or Edit Portal screen displays.
3
Click the Home Page section.
4
To prevent users from accessing NetExtender through this portal, clear Allow NetExtender connections to this portal. Because Mobile Connect acts as a NetExtender client when connecting, clearing this check box also prevents Mobile Connect users on this portal.
5
To launch NetExtender automatically when users log in to the portal, select Launch NetExtender after login.
6
Click Accept.

File Sharing Using “Applet as Default”

The Java File Shares Applet option provides users with additional functionality not available in standard HTML-based file sharing, including:

Overwriting of existing files
Uploading directories
Drag-and-drop capability
Multiple file selection
Contextual click capability
Sortable file listings
Ability to navigate directly to folders by entering path
Back and forward buttons with a drop-down history menu
Properties window displays folder size
To use the Java File Shares Applet on this portal:
1
Navigate to Portals > Portals.
2
Click Add Portal or Configure next to the portal you want to configure. The Add Portal or Edit Portal screen displays.
3
Click the Home Page section.
4
Select Display File Shares portal button.
5
Select Use Applet for portal button.
6
Click Accept to save changes.

Configuring Per-Portal Virtual Assist Settings

The administrator can enable Secure Virtual Assist on a per-portal basis.

The Virtual Assist section in the Add Portal screen provides almost the same configuration options for this portal as are offered by the global Secure Virtual Assist > Settings page.

To configure the Virtual Assist settings for a portal:
1
Navigate to Portals > Portals.
2
Click Add Portal or Configure next to the portal you want to configure. The Add Portal or Edit Portal screen displays.
3
Go to the Virtual Assist section.
4
To allow Virtual Assist on this portal, select Enable Virtual Assist for this Portal.
5
Select Display Technician Button. If this box is not selected, Virtual Assist is hidden and technicians are required to log in directly through a downloaded client.
6
Select Display Request Help Button to allow users to request assistance through the portal.
7
Select Enable Virtual Access Mode to allow Secure Virtual Access connections to be made to this portal. This must be enabled per-portal for Secure Virtual Access to function. If this box is selected, you can then select Display Virtual Access Setup Link to display the corresponding link on the portal. For more information on Secure Virtual Access functionality, see Enabling a System for Secure Virtual Access.
8
Use the Run Virtual Assist without installation feature to allow users to launch Virtual Assist without installing it on the client machine. This feature can be enabled globally or per portal. Select one of the following from the drop-down list:
Select Use Global Setting to apply the global setting to this portal.
Select Enable for this portal to launch Virtual Assist from the web without installing it, no matter what is selected for the global setting.
Select Disable for this portal to install Virtual Assist when accessing it from the web, no matter what is selected for the global setting.
9
Use the Wake customer on LAN feature to allow Technicians to wake a client running Virtual Assist on the LAN if both are in the same subnet. The client can be woken when powered off, in the Sleep state, or in the Hibernate state. This feature can be enabled globally or per portal.
Select Use Global Setting to apply the global setting to this portal.
Select Enable this feature, no matter what is selected for the global setting.
Select Disable this feature, no matter what is selected for the global setting.
* 
NOTE: To use Wake Client, this feature must be configured on the client machine, as explained in the Secure Mobile Access User Guide.
10
In the Limit Support Sessions field, enter the number of active support sessions allowed on this portal, or enter zero for no limitation.
11
Check Enable Assistance Code to require a user to enter the designated code before requesting assistance. Checking this check box displays an Assistance Code field, where you specify the code users must enter.
12
See Secure Virtual Assist > Settings for information about all other configuration settings in the Virtual Assist section.
13
Expand each section of the page to configure the related options.
14
Click Accept to save changes.

Configuring Virtual Meeting Settings

The Virtual Meeting section allows you to configure Virtual Meeting settings for the portal. There is a General Settings section and a Notification Settings section that can both be configured.

To configure Virtual Meeting Settings:
1
Navigate to Portals > Portals.
2
Click Add Portal or Configure next to the portal you want to configure. The Add Portal or Edit Portal screen displays.
3
Go to the Virtual Meeting section.

4
Navigate to the General Settings section.
5
To allow Virtual Meeting control for users logging in through this portal, select Enable Virtual Meeting for this Portal.

With Enable Virtual Meeting for this Portal selected, select Display Virtual Meeting Link to display the Virtual Meeting icon, which links to the download or installer.

6
To allow participants to join a meeting without an invite from the coordinator, select to Use Global Setting, Enable, or Disable in the Enable join without Invitation field. If this option is disabled, participants can only join a meeting by invite from a meeting creator.
7
To allow a participant to act as the meeting coordinator if the coordinator is not present at the beginning of a meeting, select to Use Global Setting, Enable, or Disable in the Allow starting meeting without meeting creator field.
8
Create a default message to display when the meeting has not started in the Meeting Waiting Message field. If this field is left blank, Virtual Meeting uses the global setting for this option.
9
Set the Allow joining before start time with a value in minutes. This is the time before a scheduled meeting start time that participants are allowed to join the meeting. After a participant is in the meeting lobby, a license is considered in use. Set this field to 0 to allow an unrestricted amount of time to join the meeting. If this field is left blank, Virtual Meeting uses the global setting for this option.
10
Set the maximum number of concurrent systems for a meeting in the Max Attendees per Meeting field. Set this field to 0 to allow an unrestricted amount of meeting attendees. If this field is left blank, Virtual Meeting uses the global setting for this option.
11
Set the maximum concurrent active meetings at a time for this appliance in the Max Concurrent Meeting Room field. Set this field to 0 to allow an unrestricted amount of meeting rooms. If this field is left blank, Virtual Meeting uses the global setting for this option.
12
Next, navigate to the Notification Settings section.
13
In the Subject of Invitation field, specify the subject for the email invitation to Virtual Meeting. The following variables can be used for this field:
%COORDINATOR% - Coordinator Name
%MEETINGNAME% - Meeting Name
%MEETINGCODE% - Meeting Code
%STARTTIME% - The start date and time of the meeting
%ENDTIME% - The end date and time of the meeting
%MEETINGDESCRIPTION% - A description of the meeting

Note that variables are case-sensitive. If this field is left blank, Virtual Meeting uses the global setting for this option.

14
In the Invitation Message field, specify the body of the invitation to Virtual Meeting. The following variables can be used for this field:
%COORDINATOR% - Coordinator Name
%MEETINGNAME% - Meeting Name
%MEETINGCODE% - Meeting Code
%STARTTIME% - The start date and time of the meeting
%ENDTIME% - The end date and time of the meeting
%MEETINGDESCRIPTION% - A description of the meeting

Note that variables are case-sensitive. If this field is left blank, Virtual Meeting uses the global setting for this option.

15
Click Accept to save changes.

Configuring Virtual Host Settings

Creating a virtual host allows users to log in using a different hostname than your default URL. For example, sales members can access https://sales.company.com instead of the default domain, https://vpn.company.com that you use for administration. The Portal URL (for example, https://vpn.company.com/portal/sales) still exists even if you define a virtual host name. Virtual host names enable administrators to give separate and distinct login URLs to different groups of users.

To create a Virtual Host Domain Name:
1
Navigate to Portals > Portals.
2
Click Add Portal or Configure next to the portal you want to configure. The Add Portal or Edit Portal screen displays.
3
Go to the Virtual Host section.

4
Enter a host name in the Virtual Host Domain Name field, for example, sales.company.com. This field is optional.

Apart from the dots that separate labels, only alphanumeric characters, hyphens (-) and underscores (_) are accepted in the Virtual Host Domain Name field.

5
Select a specific Virtual Host Interface for this portal if you are using IP-based virtual hosting.

If your virtual host implementation uses name-based virtual hosts, where more than one host name resides behind a single IP address, choose All Interfaces from the Virtual Host Interface list.

6
If you selected a specific Virtual Host Interface for this portal, enter the desired Virtual Host IP Address in the field provided. This is the IP address users connect to in order to access the Virtual Office portal.
* 
NOTE: Be sure to add an entry in your external DNS server to resolve the virtual hostname and domain name to the external IP address of your SMA/SRA appliance.
7
If you selected a specific Virtual Host Interface for this portal, you can specify an IPv6 address in the Virtual Host IPv6 Address field. Users can use this address to access the virtual host. Enter the IPv6 address in colon-separated hexadecimal notation, for example:

2001::A987:2:3:4321

8
If you plan to use a unique security certificate for this sub-domain, select the corresponding certificate from the Virtual Host Certificate list.

Unless you have a certificate for each virtual host domain name, or have purchased a *.domain wildcard SSL certificate, your users might see a certificate host name mismatch warning when they log in to the Secure Mobile Access Virtual Office portal. The mismatch affects the login page, NetExtender, and the Secure Virtual Access/Assist/Meeting clients; other Secure Mobile Access client applications are not affected. Note that a wildcard covers exactly one label: *.company.com matches sales.company.com but not owa.sales.company.com or the bare company.com.

To achieve a single point of access for users, configure External Website Bookmarks for application offloading portals by selecting Enable Virtual Host Domain SSO to enable cross domain Single Sign-On (SSO). Cross Domain SSO shares the credentials for all portals in the same shared domain. Enabling Virtual Host Domain SSO automatically sets the Shared Domain Name one level up from the Virtual Host Domain name and displays it in the Shared Domain Name field. For example, the Shared Domain Name is example.com if the Virtual Host Domain is webmail.example.com. Because the shared credentials are scoped to the whole shared domain, every host under that domain receives them; enable this only for a domain whose hosts you fully control.

* 
NOTE: In previous releases, users had to log in twice: once for the regular portal and once for the application offloading portal after External Website Bookmark redirection. With Cross Domain SSO, users who have logged in to the main portal are automatically logged in to application offloading portals or Web sites that share the same Virtual Host Domain.
9
Under the Advanced SSL/TLS settings section, set Enforce Forward Secrecy to Use Global Setting, Enable, or Disable. When enabled, only key exchanges that provide forward secrecy are negotiated, so recorded sessions cannot be decrypted later even if the appliance's private key is compromised in the future. Browsers that do not support forward-secret ciphers cannot connect to the SMA/SRA appliance while this option is enabled, and performance can vary depending on which of these ciphers the client browser supports.
10
Verify Backend SSL Server Certificate for Proxy connections: when this option is enabled, the connection is dropped if the backend SSL/TLS server certificate is not trusted. Certificate chains are verified to a depth of 10. Alert-level log messages are also generated when this option is enabled. Without this check the appliance accepts any certificate the backend presents, so anything sitting between the appliance and the backend could intercept the proxied traffic.
11
Enable Force SSL/TLS version for Proxy connections to force a specific SSL/TLS version on the connection between the Virtual Host and the backend server.
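The one-label rule for wildcard certificates is easy to get wrong once several virtual hosts share an appliance. The following Python script is an added example, not part of the appliance or its documentation: given the DNS Subject Alternative Names of an imported certificate and the Virtual Host Domain Names you plan to configure, it reports which hosts would trigger a host name mismatch warning. The certificate names and host list are constructed for illustration.

```python
"""Check which virtual host names a certificate's Subject Alternative Names cover.

Added example, not part of the SMA/SRA appliance or its documentation. The
certificate names and virtual host list below are constructed for illustration.
"""


def name_matches(san: str, hostname: str) -> bool:
    """Return True if a DNS SAN entry covers hostname.

    Matching follows the common browser rules: case-insensitive exact match,
    or a wildcard of the form *.example.com that covers exactly one label.
    A wildcard never covers the bare domain, a deeper sub-domain, or a
    single-label suffix such as *.com.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    suffix = san[1:]                      # ".company.com"
    if suffix.count(".") < 2:             # refuse *.com style wildcards
        return False
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label and "*" not in first_label


def uncovered_hosts(san_names, virtual_hosts):
    """Return the virtual host names that no SAN entry covers, in input order."""
    return [h for h in virtual_hosts if not any(name_matches(s, h) for s in san_names)]


# Constructed data: SANs of a wildcard certificate imported on the appliance,
# and the Virtual Host Domain Names configured across its portals.
CERT_SANS = ["vpn.company.com", "*.company.com"]
VIRTUAL_HOSTS = [
    "vpn.company.com",          # exact SAN match
    "sales.company.com",        # covered by *.company.com
    "owa.sales.company.com",    # two labels below the wildcard: not covered
    "company.com",              # bare domain: not covered by *.company.com
    "sales.partner.example",    # different domain: not covered
]

if __name__ == "__main__":
    for host in uncovered_hosts(CERT_SANS, VIRTUAL_HOSTS):
        print(f"{host}: no matching SAN, users will see a host name mismatch warning")
```

Feed it the SAN list from the certificate you intend to select in the Virtual Host Certificate list; any host it reports needs its own certificate or a Virtual Host Domain Name one label below the wildcard.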

Adding a Custom Portal Logo

The Custom Logo Settings section allows the administrator to upload a custom portal logo and to toggle between the default SonicWall Inc. logo and a custom uploaded logo. You can also upload a custom portal favicon in this section. You must add the portal before you can upload a custom logo or custom favicon. In the Add Portal screen, the Logo section does not have an option to upload a custom logo or custom favicon.

* 
NOTE: A Logo or Favicon can also be customized for OWA access.

To add a custom portal logo:
1
Navigate to Portals > Portals and click Configure next to the existing portal to which you want to add a custom logo. The Edit Portal screen displays.
2
Go to the Logo section.

3
Click Choose File by the Upload Logo field. The file browser window displays.
4
Select an appropriate-sized .gif format logo in the file browser and click Open.
* 
NOTE: The custom logo must be in GIF format. In a modern portal, there is a hard size limit of 155x68 pixels. Anything larger than this is cropped to fit the designated logo space on the page. In a legacy portal, for the best aesthetic results, import a logo with a transparent or light-colored background. The recommended, but not mandatory, size is 155x36 pixels.
5
Select Light or Dark from the Background drop-down list. Select a background shade that helps set off your logo from the rest of the portal page.
6
Click Update Logo to transfer the logo to the SMA/SRA appliance.
7
Click Default Logo to revert to the default SonicWall Inc. logo.
8
Click Accept to save changes.
To add a custom favicon:
1
Navigate to Portals > Portals and click Configure next to the existing portal to which you want to add a custom favicon. The Edit Portal screen displays.
2
Go to the Logo section and then to the Portal Favicon Settings section.
3
Click Choose File by the Upload Favicon field. The file browser window displays.

4
Select an appropriate-sized ICO format favicon in the file browser and click Open.
* 
NOTE: The custom favicon logo must be in ICO format. The custom favicon size must not be larger than 32x32 pixels.
5
Click Update Favicon to transfer the favicon to the SMA/SRA appliance.
6
Click Default Favicon to revert to the default SonicWall Inc. favicon.
7
If authentication control of the portal is disabled, Reuse Favicon to Offload Server is available. Enabling this option allows the favicon of the backend server to display in the client browser.
8
Click Accept to save changes.
* 
NOTE: Favicon behavior can differ in each browser, especially when the favicon is cached. Sometimes a refresh or cleaning of the cache is needed to display the favicon properly.

Portals > Application Offloading

The Portals > Application Offloading page in the Secure Mobile Access management interface provides an overview of the Application Offloading functionality available from the Portals > Portals page. No configuration is available on this page.

Click any of the screenshots on this page to go to the Portals > Portals page, where you can click Offload Web Application to configure an offloaded application.

See the following sections:

Application Offloading Overview

Application Offloading provides secure access to both internal and publicly hosted Web applications. An application offloading host is created as a special-purpose portal with an associated virtual host acting as a proxy for the backend Web application.

Unlike HTTP(S) bookmarks, access to offloaded applications is not limited to remote users. The administrator can enforce strong authentication and access policies for specific users or groups. For instance, in an organization certain guest users might need Two-factor or Client Certificate authentication to access Outlook Web Access (OWA), but are not allowed to access OWA public folders. If authentication is enabled, multiple layers of SonicWall Inc. advanced authentication features such as One Time Password, Two-factor Authentication, Client Certificate Authentication and Single Sign-On can be applied on top of each other for the offloaded host.

The portal must be configured as a virtual host with a suitable Secure Mobile Access domain. It is possible to disable authentication and access policy enforcement for such an offloaded host, in which case anyone who can reach the virtual host can reach the backend application.

Web transactions can be centrally monitored by viewing the logs. In addition, Web Application Firewall can protect these hosts from any unexpected intrusion, such as Cross-site scripting or SQL Injection.

Access to offloaded Web applications happens seamlessly as URLs in the proxied page are not rewritten in the manner used by HTTP or HTTPS bookmarks.

An offloaded Web application has the following advantages over configuring the Web application as an HTTP(S) bookmark in Secure Mobile Access:

No URL rewriting is necessary, which greatly improves throughput.
The functionality of the original Web application is retained almost completely, while an HTTP(S) bookmark is only a best-effort solution.
Application offloading extends Secure Mobile Access security features to publicly hosted Web sites.

Application offloading can be used in any of the following scenarios:

To function as an SSL offloader and add HTTPS support to the offloaded Web application, using the integrated SSL accelerator hardware of the SMA/SRA appliance.
In conjunction with the Web Application Firewall subscription service to provide the offloaded Web application continuous protection from malicious Web attacks.
To add strong or stacked authentication to the offloaded Web application, including Two-factor authentication, One Time Passwords and Client Certificate authentication.
To control granular access to the offloaded Web application using global, group or user based access policies.
To support Web applications not currently supported by HTTP/HTTPS bookmarks. Application Offloading does not require URL rewriting, thereby delivering complete application functionality without compromising throughput.
* 
NOTE:  
The maximum number of users supported is limited by the number of applications being accessed and the volume of application traffic being sent.
The Application Offloading feature does not work well when the application refers to resources within the same host using absolute URLs, because the browser then requests those resources from the backend host name directly rather than through the portal. In this case, you might need to convert the absolute URL references to their relative form.
Further information about configuring specific backend Web applications is available in the Secure Mobile Access Application Offloading and HTTP(S) Bookmarks feature module, available under Support on www.sonicwall.com.
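The absolute-URL problem in the NOTE above can be checked and, where you control the backend, corrected offline. The following Python script is an added example, not part of the appliance or its documentation: it rewrites href, src and action attributes that point at the backend's own host name to their relative form, leaving third-party URLs and non-default-port URLs alone. The backend host name and the sample page are constructed assumptions.

```python
"""Rewrite absolute same-host URLs in an offloaded page to relative form.

Added example, not part of the SMA/SRA appliance. The appliance proxies the
backend without rewriting URLs, so a page that references its own host by
absolute URL makes the browser fetch that resource from the backend host name
directly, bypassing the portal. The backend host name, the sample page and
the attribute set handled here are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Host names under which the backend refers to itself (assumption).
BACKEND_HOSTS = {"intranet.corp.example"}

# Quoted href/src/action attributes; URLs in CSS or JavaScript are not covered.
_ATTR_URL = re.compile(r'''(\b(?:href|src|action)\s*=\s*)(["'])([^"']*)\2''', re.IGNORECASE)


def to_relative(url: str, backend_hosts=BACKEND_HOSTS) -> str:
    """Strip scheme and host from a URL that points at the backend itself.

    Only http/https URLs on the default port for their scheme are rewritten;
    anything else (other hosts, other ports, mailto:, already-relative paths)
    is returned unchanged.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return url
    default_port = 443 if scheme == "https" else 80
    if parts.hostname.lower() not in backend_hosts or (parts.port or default_port) != default_port:
        return url
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


def rewrite_html(html: str, backend_hosts=BACKEND_HOSTS) -> str:
    """Apply to_relative to every quoted href/src/action attribute value."""
    return _ATTR_URL.sub(
        lambda m: m.group(1) + m.group(2) + to_relative(m.group(3), backend_hosts) + m.group(2),
        html,
    )


# Constructed sample page as served by the backend.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://intranet.corp.example/static/app.css">
<script src="http://intranet.corp.example:80/static/app.js"></script>
</head><body>
<a href="https://intranet.corp.example/reports/q1?year=2024#top">Q1 report</a>
<a href="https://cdn.example.net/lib.js">third-party, left alone</a>
<a href="https://intranet.corp.example:8443/admin">other port, left alone</a>
<img src="/images/logo.png" alt="already relative">
</body></html>"""

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_HTML))
```

The regular expression only handles quoted attribute values; absolute references inside stylesheets, scripts or JSON responses need the same treatment in the application itself, which is why the fix belongs on the backend rather than in the proxy path.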

Configuring an HTTP/HTTPS Application Offloading Portal

To offload a Web application and create a portal for it:
1
Navigate to Portals > Portals and, in the Add Portal or Edit Portal screen, go to the Virtual Host section. The Virtual Host Settings are displayed; these settings let users reach the portal directly by host name.

2
Enter a descriptive name in the Virtual Host Domain Name field.
3
On the Offloading tab, select Enable Load Balancing for load balancing among offloaded application servers.
4
Select one of the following from the Scheme drop-down list:
Web (HTTP) – access the Web application using HTTP (default scheme)
Secure Web (HTTPS) – access the Web application using HTTPS
Auto (HTTP/HTTPS) – the scheme the user typed to reach the offloading portal (http or https) is also used to talk to the backend server. Access is still under the control of the access policy.

When using the Auto scheme, users can type http://www.example.virtual.host.com or https://www.example.virtual.host.com in the browser's address bar to test this feature. Access through either scheme remains under the control of the access policy.

* 
CAUTION: It is the administrator's responsibility to configure the correct scheme used to talk to the backend server. The Auto (HTTP/HTTPS) scheme can operate only if HTTP access is enabled for the Virtual Host (under the Virtual Host tab) and authentication is disabled (under the Offloading tab), which can be insecure because requests made over http:// travel in cleartext between the browser and the appliance. Therefore, you are prompted to click OK to enable HTTP for the Virtual Host.
Generic (SSL Offloading) – use SSL offloading to access custom SSL applications (non-HTTP(S) applications)

For more information about the Generic (SSL Offloading) option, see Configuring with the Offloading Portal Wizard.

5
Enter the host name or private IP address of the backend host into the Application Server Host field.
6
Optionally enter the IPv6 address of the backend host into the Application Server IPv6 Address field.
7
In the Port Number (optional) field, optionally enter a custom port number to use for accessing the application.
8
In the Homepage URI (optional) field, optionally enter a URI to a specific resource on the Web server to which the user is forwarded the first time the user tries to access the Application Offloading Portal. This is a string in the form of: /exch/test.cgi?key1=value1&key2=value2

When this field is configured, it redirects the user to the Web site’s home page the first time the user accesses the portal. This happens only when the user is accessing the site with no URL path (that is, when accessing the root folder, for example: https://www.google.com/). This is not an alias for the root folder. The user can edit the URL to go back to the root folder.

The key=value pairs allow you to specify URL query parameters in the URL. You can use these for any Web site that does not have a default redirect from the root folder to the home page URL. Outlook Web Access is one example, but note that most public sites do have a default redirect.

a
Under Security Settings, select Enable Web Application Firewall to enable the feature.
b
Select Disable Authentication Controls, Access Policies, and CSRF Protection (if enabled) if you need no authentication, access policies, or CSRF protection enforced. This is useful for publicly hosted Web sites; anyone who can reach the virtual host can then reach the backend application.
c
To configure ActiveSync authentication, clear Disable Authentication Controls to display the authentication fields. Select Enable ActiveSync authentication and then type the default domain name. The default domain name is not used when the domain name is set in the email client's settings.
9
Select Automatically Login to configure Single Sign-On settings.

10
For automatic login using SSO, select one of the following radio buttons:
Use SSL-VPN account credentials – allow log in to the offloaded application using the credentials configured on the SMA/SRA appliance.
Use custom credentials – displays Username, Password, and Domain fields where you can enter the custom credentials for the application or use dynamic variables. For the Password field, enter the custom password to be passed, or leave the field blank to pass the current user’s password to the offloaded application portal. For the other fields, dynamic variables can be used, such as those shown in the following table:
 

Supported dynamic variables

Text Usage     Variable        Example Usage
Login Name     %USERNAME%      US\%USERNAME%
Domain Name    %USERDOMAIN%    %USERDOMAIN%\%USERNAME%
Group Name     %USERGROUP%     %USERGROUP%\%USERNAME%

11
If you selected Automatically Login, select Forms-based Authentication to configure Single Sign-On for forms-based authentication.
Configure the User Form Field to be the same as the 'name' and 'id' attribute of the HTML element representing the user name in the login form, for example:

<input type="text" name="userid" id="userid">

Configure the Password Form Field to be the same as the 'name' or 'id' attribute of the HTML element representing the password in the login form, for example:

<input type="password" name="PASSWORD" id="PASSWORD" maxlength="128">

12
In the Virtual Host section, set a host name for the application in the Virtual Host Domain Name field, and optionally enter a descriptive alias in the Virtual Host Alias field.

If you need to associate a certificate to this host, you should additionally set a virtual interface and import the relevant SSL certificate. You could avoid creating a virtual interface by importing a wildcard certificate for all virtual hosts on the SMA/SRA appliance.

See Configuring Virtual Host Settings for more instructions on configuring the fields in this section.

13
If authentication is disabled for this portal, you have the option to Enable HTTP access for this Application Offloaded Portal. This is useful for setting up offloading in trial deployments; because HTTP carries the application traffic in cleartext, disable it before the portal goes into production.

14
Click Accept. You are returned to the Portals > Portals page where you see the Web application listed as an Offloaded Web Application under Description.

15
If you have not disabled authentication, navigate to the Portals > Domains page and create a domain for this portal. See Portals > Domains for information about creating a domain.
16
Update your DNS server for this virtual host domain name and alias (if any).
* 
NOTE: In the future, without a WAF license, Anonymous Application Offloading access will not be supported. Activate a WAF subscription or use the trial version from the System > Licenses page.
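To fill in the User Form Field and Password Form Field of step 11 you need the 'name' and 'id' attributes from the backend's actual login page. The following Python script is an added example, not part of the appliance or its documentation: it parses a saved copy of the login page, reports the field names to configure, flags fields whose name and id differ (the appliance matches on both), and lists the hidden inputs the form also posts. The OWA-style sample page is constructed for illustration.

```python
"""Find the form field names to enter for forms-based Single Sign-On.

Added example, not part of the SMA/SRA appliance. It scans the backend
application's login page for the user name and password inputs whose 'name'
and 'id' attributes go into the User Form Field and Password Form Field
settings, and flags inputs whose name and id differ. The sample login page
below is constructed for illustration.
"""
from html.parser import HTMLParser


class LoginFormScanner(HTMLParser):
    """Collect every <form> and the <input> elements it contains, in order."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").upper(),
                          "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"type": (a.get("type") or "text").lower(),
                                         "name": a.get("name"),
                                         "id": a.get("id"),
                                         "value": a.get("value")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def login_form_fields(page_html: str):
    """Return the SSO-relevant details of the first form with a password input.

    The user name field is taken as the last text/email input that precedes
    the password input, which is how typical login forms are laid out.
    Returns None if no form carries a password input.
    """
    scanner = LoginFormScanner()
    scanner.feed(page_html)
    scanner.close()
    for form in scanner.forms:
        inputs = form["inputs"]
        pw_index = next((i for i, f in enumerate(inputs) if f["type"] == "password"), None)
        if pw_index is None:
            continue
        password = inputs[pw_index]
        candidates = [f for f in inputs[:pw_index] if f["type"] in ("text", "email") and f["name"]]
        user = candidates[-1] if candidates else None
        return {
            "action": form["action"],
            "method": form["method"],
            "user_field": user["name"] if user else None,
            "password_field": password["name"],
            # The appliance matches on name and id; a mismatch needs a closer look.
            "name_id_mismatch": [f["name"] for f in (user, password)
                                 if f and f["id"] and f["id"] != f["name"]],
            # Hidden inputs the form also posts, e.g. a destination or a token.
            "hidden": {f["name"]: f["value"] for f in inputs
                       if f["type"] == "hidden" and f["name"]},
        }
    return None


# Constructed sample: an OWA-style login page saved from the backend.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="/owa/auth.owa">
  <input type="hidden" name="destination" value="https://mail.corp.example/owa/">
  <input type="text" name="username" id="username" autocomplete="off">
  <input type="password" name="password" id="passwordInput" maxlength="128">
  <input type="submit" value="Sign in">
</form>
</body></html>"""

if __name__ == "__main__":
    print(login_form_fields(SAMPLE_LOGIN_PAGE))
```

Save the login page from a browser that reaches the backend directly (not through the appliance) so the scan sees the form the appliance will be posting to; a non-empty name_id_mismatch list, as for the password field in the sample, means you should check which attribute the form actually submits before entering it in the Password Form Field.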

Configuring with the Offloading Portal Wizard

To configure a portal with Offloading Portal Wizard:
1
Navigate to Portals > Portals and click Offload Web Application. The Offloading Portal Wizard opens.

2
Begin by selecting the Application Offloading Portal type. Options include:
General portal - Can be selected for most scenarios.
Load Balancing portal - This type of portal is used to setup a Load Balancing Offloading portal.
URL-based Aliasing portal - Use to setup a URL-based Aliasing Offloading portal. Select URL Based Aliasing if you want the ability to access several Web sites using one portal and domain name. If this option is enabled, the screen options will change.
Remote Desktop Web Access (RD Web Access) - The Remote Desktop (RD) Web Access page uses the SMA Agent to proxy the RDP connection to the private network, which makes the resource list on the RD Web site function more efficiently. Another advantage of the RD Web Access option is that it works in all browsers (Chrome, Firefox, and Internet Explorer).
3
Click This is an Exchange Portal which will be accessed by OWA, ActiveSync or Outlook Anywhere if using an Exchange portal.
4
Click Next.

General Server Settings

When General is selected on the initial page, the Server page appears as follows. The portal and application server settings can be set on this page.

1
In the Portal Name field, enter a unique name to identify different portals.
2
In the Portal Domain Name field, enter the domain name used to access the offloading portal.
3
In the Portal Interface field, select the network interface to which the portal is bound. If a specific network interface is selected, the portal needs its own IP address on that interface, entered in the next field.
4
In the Portal IP Address field, enter the IP address where the portal is located.
5
The Portal Certificate drop-down lists all certificates that have been imported.
6
The Application Server Address field accepts all settings relevant to the application server in a single value. This can simply be the IP address of the application server; the scheme defaults to HTTPS, and a port and default path can also be included, in the form scheme://address:port/path.

All these settings are verified instantly by the appliance when the mouse leaves an input field (green check). If validation fails, the reason is shown. Next becomes available only when all fields are valid.

Load Balancing Server Settings

When Load Balancing is selected on the initial page, the Server page appears as follows.

1
In the Portal Name field, enter a unique name to identify different portals.
2
In the Portal Domain Name field, enter the domain name used to access the offloading portal.
3
In the Portal Interface field, select the network interface to which the portal is bound. If a specific network interface is selected, the portal needs its own IP address on that interface, entered in the next field.
4
In the Portal IP Address field, enter the IP address where the portal is located.
5
The Portal Certificate drop-down lists all certificates that have been imported.
6
The Load Balancing Group field replaces the Application Server Address field and lists the existing Load Balancing Groups that you can assign to this portal. If no Load Balancing Group exists, you can create a new one by clicking "click here to create."

All these settings are verified instantly by the appliance when the mouse leaves an input field (green check). If validation fails, the reason is shown. Next becomes available only when all fields are valid.

URL-based Aliasing Server Settings

Select URL Based Aliasing on the initial page when you want to access several Web sites through one portal and domain name. When this option is selected, the screen options change and you select a URL Based Aliasing Group from the drop-down list. The Server step appears as follows:

1
In the Portal Name field, enter a unique name to identify different portals.
2
In the Portal Domain Name field, enter the domain name used to access the offloading portal.
3
In the Portal Interface field, select the network interface to which the portal is bound. If a specific network interface is selected, the portal needs its own IP address on that interface, entered in the next field.
4
The Portal IP Address field is not required if All Interfaces is selected in the Portal Interface field; if a specific interface (X0, X1, X2, or X3) is selected, you must enter the Portal IP Address.
5
The Portal Certificate drop-down lists all certificates that have been imported.
6
Any existing URL Based Aliasing Group(s) are listed in the drop-down and available to assign to this portal. If no URL Based Aliasing Group exists, you can create a new one by clicking the “click here to create” hyperlink.

All these settings are verified instantly by the appliance when the mouse leaves an input field (green check). If validation fails, the reason is shown. Next becomes available only when all fields are valid.

Remote Desktop Web Access Server Settings

Select Remote Desktop Web Access (RD Web Access) on the initial page when you want the SMA Agent to proxy the RDP connection to the private network, which makes the resource list on the RD Web site function more efficiently. When this option is selected, the screen options change. The Server step appears as follows.

1
In the Portal Name field, enter a unique name to identify different portals.
2
In the Portal Domain Name field, enter the domain name used to access the offloading portal.
3
In the Portal Interface field, select the network interface to which the portal is bound. If a specific network interface is selected, the portal needs its own IP address on that interface, entered in the next field.
4
The Portal IP Address field is not required if All Interfaces is selected in the Portal Interface field; if a specific interface (X0, X1, X2, or X3) is selected, you must enter the Portal IP Address.
5
The Portal Certificate drop-down lists all certificates that have been imported.
6
The Application Server Address field accepts all settings relevant to the application server in a single value. This can simply be the IP address of the application server; the scheme defaults to HTTPS, and a port and default path can also be included, in the form scheme://address:port/path.

All these settings are verified instantly by the appliance when the mouse leaves an input field (green check). If validation fails, the reason is shown. Next becomes available only when all fields are valid.

Configuring the Security Settings

The third step is for the Security settings, including Enable Web Application Firewall and Disable Authentication Controls. However, both options require a Web Application Firewall license.

Configuring the Miscellaneous Settings

The fourth and last step includes the general portal settings.

Portal Site Title, Portal Banner Title, and Login Message are set by default, but they can still be customized.

Restart Now - Gracefully restarts the appliance immediately after clicking Finish.

More advanced options can be fine-tuned by editing this portal after the wizard has finished. Changing the portal settings requires a web server restart that can disconnect active NetExtender connections and certain Bookmarks. To restart the web server so the settings take effect immediately, check Restart now. Otherwise, clear the check box to save the changes without restarting the web server; you can restart later from the System > Restart page.

The wizard ends when you click Finish. The page is locked while the Application Offloading portal is created, and you are then redirected to the portal list page.

Modifying the General Settings

To edit the General settings:
1
You can edit the Portal Name, Portal Site Title, the Portal Banner Title, and the Login Message as needed.

2
To enable visibility of your custom logo, message, and title information on the login page, select Display custom login page.
* 
NOTE: Custom logos can only be added to existing portals. To add a custom logo to a new portal, first complete general portal configuration, then add a logo.
3
Select Display login message on custom login page to display the login message (from the Login Message field) when users log in to the custom login page.
4
Select Hide Domain list on portal login page to replace the Domain list box on the login page with a text box in which users type the domain name. This keeps the configured domain names from being shown to anyone who can reach the login page.
5
Select Enable HttpOnly for SMA cookies to set the HttpOnly flag on SMA cookies, so that client-side script cannot read them and an injected script cannot steal the session.

Some client-side technologies such as Java applets do not have access to cookies marked HttpOnly. This can break access to the Web application when using an HTTP/HTTPS Bookmark or the App Offloading Portal. Disable this option only to restore compatibility for such Web applications.

6
Select Enable HTTP meta tags for cache control to apply HTTP meta tag cache control directives to the portal. Cache control directives include:

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">

These directives help prevent client browsers from caching the SMA/SRA appliance portal pages and other Web content.

* 
NOTE: Enabling HTTP meta tags is strongly recommended for security reasons and to prevent out-of-date Web pages and data being stored in a user Web browser cache.
7
Select Enforce login uniqueness (disabled by default) to restrict each account to a single session at a time. When login uniqueness is not enforced, ActiveSync or Outlook Anywhere client accounts can have multiple, simultaneous sessions.
8
Select the Enforcement method. Options include Automatically logout existing session and Confirm logout of existing session.
9
Select Enforce client source uniqueness to prevent multiple connections by a user with the same client source address when connecting with a SonicWall Inc. client (NetExtender, Mobile Connect, Virtual Assist etc.). This prevents a user from consuming multiple licenses when a user reconnects after an unexpected network interruption.

For example, a user on an unreliable network is disconnected due to a network issue. If this option is NOT enabled, the user's session on the appliance stays active after this type of disconnect until the timeout value is reached. The user reconnects and consumes a second license, potentially consuming more before the original connection times out.

10
Specify the link(s) for the Small / Medium / Wide / Large Logo to be used with Live Tile.
11
Specify the Background Color for Live Tile. If no value is specified, the default color is #0085C3.
12
Specify the Site Name to be displayed for Live Tile. If no value is specified, the default is the Portal Name.
13
Click Accept to preserve your settings.

Configuring the Offloading Settings

1
Navigate to Portals > Portals and click the Configure icon for the portal you would like to edit. The General tab of the Portal Settings screen opens.
2
Go to the Application Offloading Settings section.

3
On the Offloading tab, select Enable Load Balancing for load balancing among offloaded application servers.
4
Select Enable URL Based Aliasing. As a result, some fields become hidden and Enable URL Rewriting for self-referenced URLs is automatically selected.
5
Select the group you wish to add a portal for from the URL Based Aliasing Group drop down list.
6
If not using a URL Based Aliasing Group, select one of the following from the Scheme drop-down list:
Web (HTTP) – access the Web application using HTTP (default scheme)
Secure Web (HTTPS) – access the Web application using HTTPS
Auto (HTTP/HTTPS) – the scheme the user typed to reach the offloading portal (http or https) is also used to talk to the backend server. Access is still under the control of the access policy.

When using the Auto scheme, users can type http://www.example.virtual.host.com or https://www.example.virtual.host.com in the browser's address bar to test this feature. Access through either scheme remains under the control of the access policy.

* 
CAUTION: It is the administrator's responsibility to configure the correct scheme used to talk to the backend server. The Auto (HTTP/HTTPS) scheme can operate only if HTTP access is enabled for the Virtual Host (under the Virtual Host tab) and authentication is disabled (under the Offloading tab), which can be insecure because requests made over http:// travel in cleartext between the browser and the appliance. Therefore, you are prompted to click OK to enable HTTP for the Virtual Host.
7
Enter the host name or private IP address of the backend host into the Application Server Host field.
8
Optionally enter the IPv6 address of the backend host into the Application Server IPv6 Address field.
9
In the Port Number (optional) field, optionally enter a custom port number to use for accessing the application.
10
In the Homepage URI (optional) field, optionally enter a URI to a specific resource on the Web server to which the user will be forwarded the first time the user tries to access the Application Offloading Portal. This is a string in the form of: /exch/test.cgi?key1=value1&key2=value2

When this field is configured, it redirects the user to the Web site’s home page the first time the user accesses the portal. This happens only when the user is accessing the site with no URL path (that is, when accessing the root folder, for example: https://www.google.com/). This is not an alias for the root folder. The user can edit the URL to go back to the root folder.

The key=value pairs allow you to specify URL query parameters in the URL. You can use these for any Web site that does not have a default redirect from the root folder to the home page URL. Outlook Web Access is one example, but note that most public sites do have a default redirect.

11
Select a Proxy Host from the drop-down menu to choose which host name is sent to the backend server. Options include Inherited from client request, Virtual Hostname, and Application Server Host (backend). The default is Inherited from client request.

Security Settings

1
Under Security Settings, select Enable Web Application Firewall to enable the feature.
2
Select Disable Access Policies to prevent existing Access Policies from taking precedence.
3
Select Disable Authentication Controls, Access Policies, and CSRF Protection (if enabled) if you need no authentication, access policies, or CSRF protection enforced. This is useful for publicly hosted Web sites.
4
To configure ActiveSync authentication, clear the Disable Authentication Controls check box to display the authentication fields. Select Enable ActiveSync authentication and then type the default domain name. The default domain name will not be used when the domain name is set in the email client’s setting.
5
Select Automatically log in to configure Single Sign-On settings.

6
For Automatically log in using SSO, select one of the following radio buttons:
Use SSL-VPN account credentials – allow login to the offloaded application using the credentials configured on the SMA/SRA appliance
Use custom credentials – displays Username, Password, and Domain fields where you can enter the custom credentials for the application or use dynamic variables. For the Password field, enter the custom password to be passed, or leave the field blank to pass the current user’s password to the offloaded application portal. For the other fields, dynamic variables can be used, such as those shown below:

Supported dynamic variables

Text Usage      Variable        Example Usage
Login Name      %USERNAME%      US\%USERNAME%
Domain Name     %USERDOMAIN%    %USERDOMAIN%\%USERNAME%
Group Name      %USERGROUP%     %USERGROUP%\%USERNAME%

7
If you selected Automatically Log in, select Forms-based Authentication to configure Single Sign-On for forms-based authentication.
Configure User Form Field to be the same as the ‘name’ and ‘id’ attribute of the HTML element representing User Name in the Login form, for example:

<input type=text name='userid'>

Configure Password Form Field to be the same as the ‘name’ or ‘id’ attribute of the HTML element representing Password in the Login form, for example:

<input type=password name='PASSWORD' id='PASSWORD' maxlength=128>

8
Select Enable Email Clients Authentication to allow the Exchange portal to be accessed by Email clients, such as ActiveSync, Outlook, or OWA. When selected, specify a Default Domain Name from the drop-down list. The Default Domain Name is set automatically when creating or editing a Domain. The Domain Name is used as the default for SMA authentication if the domain name is not specified in the Email client.
* 
NOTE: This option is not necessary for OWA.
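The forms-based SSO step above requires the administrator to find the name and id attributes of the username and password inputs on the application’s own login page. The following added example (not from the guide or the product; the sample login page and the helper names are constructed for illustration) scans a login page with Python’s standard html.parser and reports the values to enter into User Form Field and Password Form Field, preferring name and falling back to id, and flags inputs whose name and id disagree, since the guide expects both to match:

```python
from html.parser import HTMLParser


class LoginFormScanner(HTMLParser):
    """Collect the attributes of every <input> element on a page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            # attrs is a list of (name, value); value is None for bare attributes
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})


def scan_inputs(html):
    scanner = LoginFormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.inputs


def find_sso_form_fields(html):
    """Return (user_field, password_field): the values to enter into
    User Form Field and Password Form Field. The 'name' attribute is
    preferred and 'id' is the fall-back, as the guide describes."""
    user_field = password_field = None
    for inp in scan_inputs(html):
        itype = inp.get("type", "text").lower()
        ident = inp.get("name") or inp.get("id")
        if not ident:
            continue
        if itype == "password" and password_field is None:
            password_field = ident
        elif itype in ("text", "email") and user_field is None:
            user_field = ident
    return user_field, password_field


def name_id_mismatches(html):
    """List inputs whose 'name' and 'id' differ. The guide expects the
    User Form Field to equal both, so such a form needs a closer look."""
    return [(inp["name"], inp["id"]) for inp in scan_inputs(html)
            if inp.get("name") and inp.get("id") and inp["name"] != inp["id"]]


# Constructed sample login page (not taken from any real product).
SAMPLE_LOGIN_PAGE = """
<form method="post" action="/login">
  <input type=hidden name='csrftoken' value='abc'>
  <input type=text name='userid' id='userid'>
  <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
  <input type=submit value='Log in'>
</form>
"""

# Constructed form where name and id disagree.
MISMATCH_PAGE = "<input type=text name='user' id='username'><input type=password name='pw'>"

if __name__ == "__main__":
    print(find_sso_form_fields(SAMPLE_LOGIN_PAGE))   # ('userid', 'PASSWORD')
    print(name_id_mismatches(MISMATCH_PAGE))         # [('user', 'username')]
```

Hidden and submit inputs are skipped, so a CSRF token field is never mistaken for the username field. Run it against a saved copy of the real login page rather than a live fetch, so the check works offline.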

If the Authentication Controls are already disabled (and WAF is not licensed) after upgrading to 8.5, an Action Required message appears on the Portal page. The Disable Authentication Controls option is also disabled. Click Save to finalize the Authentication Controls setting.

If you access the portal under these conditions, an error message displays.

A log message is generated at the Notice level that reads: Anonymous Offloaded Connection could not be processed because WAF is not licensed. Activate the WAF subscription service or Free Trial from the System > Licenses page.

The same is true for the Exchange portal access when the Authentication Controls are disabled.

The log message reads, Anonymous Exchange access could not be processed, please enable Authentication Controls for the portal.

Configuring an HTTP/HTTPS Application Offloading Portal

To offload a Web application and create a portal for it:
1
Navigate to Portals > Portals and scroll to the Virtual Host Settings section. This allows you to access the Portal directly.

2
Enter a descriptive name in the Virtual Host Domain Name field.
3
On the Virtual Host tab, set a host name for the application in the Virtual Host Domain Name field, and optionally enter a descriptive alias in the Virtual Host Alias field. The Virtual Host Alias is set to the Autodiscover address of ActiveSync if ActiveSync access has been enabled. The Autodiscover address is generated automatically from the Virtual Host Domain Name.

If you need to associate a certificate to this host, you should additionally set a virtual interface and import the relevant SSL certificate. You could avoid creating a virtual interface by importing a wildcard certificate for all virtual hosts on the SMA/SRA appliance.

4
If authentication is disabled for this portal, you have the option to Enable HTTP access for this Application Offloaded Portal. This feature is useful for setting up offloading in trial deployments.

5
Click Accept. You are returned to the Portals > Portals page where you will see the Web application listed as an Offloaded Web Application under Description.
6
If you have not disabled authentication, navigate to the Portals > Domains page and create a domain for this portal.
7
Update your DNS server for this virtual host domain name and alias (if any).

Using Offloaded Applications

An offloaded application has its own portal page on the SMA/SRA appliance. The portal can be accessed directly by entering the URL in a Web browser. You can also create an External Web site Bookmark on the SMA Virtual Office portal that takes you to the offloaded application portal.

To use an offloaded application:
1
For direct access, point your Web browser to the URL of the offloaded application portal.
2
For access through an External Web site Bookmark, log in to the SonicWall Inc. Virtual Office and then click on the bookmark.

A new window is launched in your default browser that connects to the offloaded application portal specified in the bookmark.

3
On the portal page, enter your login credentials to access the application if authentication is required.

Configuring Application Offloading with SharePoint 2013

When the SharePoint 2013 server is accessed through an offloaded portal, basic functionalities, such as adding, editing, or deleting documents, tasks, or calendar events, are supported. The client integration is supported whether the offloaded portal’s authentication controls are enabled or disabled. However, when the Authentication Controls are enabled, the client is only supported on Internet Explorer, subject to the following caveats:

The offloaded portal created for SharePoint must use a valid certificate.
The Scheme used by the offloaded portal and the back end SharePoint must be the same. If the back end SharePoint is running on HTTP, the offloaded portal must enable HTTP access and be accessed with HTTP.
The same Scheme between the offloaded portal and the back end SharePoint means that URL Rewriting for the offloaded portal does not need to be enabled.
The Share session with other local application option must be enabled. This check box is located on the Portals > Portals > Offloading tab.
The Restrict Request Headers option must be disabled. This check box is located on the Services > Settings page.
If using Windows Vista or Windows 7 with the client, the offloaded portal should be added as a “Trusted Site” on the Internet Explorer browser. To configure your trusted sites, navigate to Tools > Internet Options. On the Security tab, click the Trusted Sites icon.
The Share session with other local applications option must be enabled at login.

Microsoft Outlook Anywhere with Autodiscover Overview

The Outlook Anywhere with Autodiscover Application Offloading is a feature that provides the ability for clients using Outlook 2013, Outlook 2010, or Outlook 2007 to access the Outlook Exchange Server from the Internet. Autodiscover support provides a simple configuration of the user’s account by only requiring the user’s email address and password. Autodiscover also helps to update settings on the client side when Outlook Exchange server settings have changed.

Outlook Anywhere with Autodiscover is supported by the Application Offloading portal; both Access Policy and Authentication can be enforced.

* 
NOTE: If Authentication Control of the SMA/SRA appliance is enabled, only the Basic Authentication for Outlook Anywhere can be supported.

Configuring the Outlook Anywhere Portal

To configure the Outlook Anywhere Application Offloading portal:
1
Enable Outlook Anywhere on the Exchange Server. Verify that it is properly configured.
2
Create an Application Offloading portal based on the following settings:

Because Autodiscover uses a different URL for fetching configuration, set the Autodiscover URL as the Virtual Host Alias name. Verify that the Autodiscover URL is aligned with the Exchange Server settings.

3
Specify the Virtual Host Certificate. A wildcard certificate is preferred if Autodiscover is enabled.
4
Navigate to the Offloading tab.
5
Select Enable Email Clients Authentication.
6
Select the Default Domain Name from the drop-down list. This domain name is used as the default domain for Secure Mobile Access authentication if the domain name is not specified in Outlook.

7
Open Microsoft Outlook.
8
On the File > Info page, click Add Account. The Add New Account window displays.

You can select Auto Account Setup or Manually configure server settings or additional server types to configure the email account. If Autodiscover is configured, select Auto Account Setup. If Autodiscover is not enabled or does not function properly, select Manually configure server settings or additional server types to specify Outlook Anywhere settings manually. Then, click Next.

9
On the Microsoft Exchange Settings window, click More Settings.
10
Under the Connection tab, select Connect to Microsoft Exchange using HTTP under the Outlook Anywhere section.

11
Next, click Exchange Proxy Settings.
12
On the Microsoft Exchange Proxy Settings Screen, specify the host name of the Outlook Anywhere portal in the Use this URL to connect to my proxy server for Exchange field.
13
Next, select the proxy authentication setting from the drop-down list. If Secure Mobile Access authentication is enabled, select Basic Authentication.

14
Click OK to save the configuration, and then exit out of Microsoft Outlook.
15
Open Microsoft Outlook to start a new session. Log messages are generated when the Outlook Anywhere portal is accessed.
* 
NOTE: If Authentication Control of the Secure Mobile Access portal is enabled, only Basic Authentication can be supported. Be sure to select Basic Authentication on the Exchange server for Outlook Anywhere. If Authentication Control of Secure Mobile Access is disabled, other authentication methods are supported.
NOTE: To provide better protection for the Exchange Server, anonymous Outlook Anywhere access is not supported.

Portals > Domains

This section provides an overview of the Portals > Domains page and a description of the configuration tasks available on this page.

Portals > Domains Overview

The Portals > Domains page allows the administrator to add and configure a domain, including settings for:

Authentication type (local user database, Active Directory, LDAP, or RADIUS)
Domain name
Portal name
Group (AD, RADIUS) or multiple Organizational Unit (LDAP) support (optional)
Client digital certificate requirements (optional)
One-time passwords (optional)

Portals > Domains Page

Viewing the Domains Table

All of the configured domains are listed in the table in the Portals > Domains window. The domains are listed in the order in which they were created. You can reverse the order by clicking the up/down arrow next to the Domain Name column heading.

Removing a Domain

To delete a domain:
1
Navigate to Portals > Domains.
2
In the table, click the delete icon in the same row as the domain that you wish to delete.
3
Click OK in the confirmation dialog box.

After the SMA/SRA appliance has been updated, the deleted domain is no longer displayed in the table.

* 
NOTE: The default LocalDomain domain cannot be deleted.

Adding or Editing a Domain

You can add a new domain or edit an existing one from the Portals > Domains page. To add a domain, click Add Domain to display the Add Domain window.

To edit an existing domain, click the Configure icon to the right of the domain you wish to edit.

The interface provides the same fields for both adding and editing a domain, but the Authentication Type and Domain Name fields cannot be changed when editing an existing domain.

* 
NOTE: After adding a new portal domain, user group settings for that domain are configured on the Users > Local Groups page. Refer to Users > Local Groups for instructions on configuring groups.

In order to create access policies, you must first create authentication domains. By default, the LocalDomain authentication domain is already defined. The LocalDomain domain is the internal user database. Additional domains can be created that require authentication to remote authentication servers. The SMA/SRA appliance supports RADIUS, LDAP, Active Directory, and Digital Certificate authentication in addition to internal user database authentication.

* 
NOTE: To apply a portal to a domain, add a new domain and select the portal from the Portal Name drop-down list in the Add Domain window. The selected portal is applied to all users in the new domain. Domain choices are displayed in the login page of the Portal that was selected. Domains are case-sensitive when logging in.

You can create multiple domains that authenticate users with user names and passwords stored on the SMA/SRA appliance to display different portals (such as a Secure Mobile Access portal page) to different users.

For convenient configuration of SMA/SRA appliance administrator accounts, you can create a domain that provides administrator access for all users who log in to that domain. Either LDAP or Active Directory authentication is used for this type of domain.

Adding or Editing a Domain with Local User Authentication

To add or edit a domain for local database authentication:
1
Navigate to the Portals > Domains window and click Add Domain or the Configure icon for the domain to edit. The Add Domain or Edit Domain window is displayed.

2
If adding the domain, select Local User Database from the Authentication Type drop-down list.
3
If adding the domain, enter a descriptive name for the authentication domain in the Domain Name field (maximum 24 characters). This is the domain name users select to log in to the Secure Mobile Access portal.
4
Select the name of the layout in the Portal Name field. Additional layouts can be defined in the Portals > Portals page.
5
All newly created Local User Database domains should be given a default password expiration value and have the show expiration warning days option set to 15; you can change these values manually upon creation. Optionally, force all users in the Local User Database to change their password at set intervals or the next time they log in. To force users to change their password at set intervals, type the expiration interval in the Passwords expire in x days field. To force users to change their password the next time they log in, check Require password change on next logon.
* 
NOTE: A specific local domain user can be forced to change their password. Use the General tab on the Users > Local Users > Edit page.

If the domain is set with a concrete number of password expiration days, you should also set the user expiration to 0, which means the domain expiration setting is used. The domain setting is detected automatically when the add user request is submitted; you can also change it manually on creation.

The default password expiration value is two years (730 days).

On upgrade, the existing values for password expiration remain unchanged.

A notice is shown on the System > Status page recommending that the expiration be set for all local database domains. The notice lists up to five domains that still need the setting. Once you set the default password expiration for all the domains, the message is dismissed.

6
If you set a password expiration interval, type the number of days before expiration that users should receive notifications in the Show warning x days before password expiration field.

When configured and a password is expiring, a notification is displayed on the user’s Virtual Office page or the Administrator’s management console identifying the number of days before their password expires. Notifications also include a link to a screen where the password can be changed.

7
Optionally, in the Enforce password history, x passwords remembered field, enter the number of unique new passwords that must be used with an account before an old password can be re-used. The value must be between 0 and 10 passwords.
8
Optionally Enforce password minimum length by entering a value between 1 and 14 characters. This is the minimum number of characters accepted for a user password.
9
Optionally select Enforce password complexity. When this option is enforced, at least three of the four following parameters must be met when setting a password:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)
10
Optionally select Allow password changes. This allows users to change their own passwords after their account is set up.
11
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
Verify user name matches Common Name (CN) of client certificate - Select this check box to require that the user’s account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that matches the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
12
Optionally select One-time passwords to enable the One-time password feature. A drop-down list appears, in which you can select if configured, required for all users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do not have a One Time Password email address configured are not allowed to log in.
using domain name - Users in the domain use the One Time Password feature. One Time Password emails for all users in the domain are sent to username@domain.com.
If you select using domain name, an E-mail domain field appears following the drop-down list. Type in the domain name where one-time password emails are sent (for example, abc.com).
13
If Technician Allowed is enabled, Secure Virtual Assist can log in as a technician role in this domain.
14
Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.
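Steps 5 through 9 above describe the password rules a Local User Database domain can enforce: an expiration interval with a warning window, a history of remembered passwords (0 to 10), a minimum length (1 to 14) and the three-of-four complexity rule. The following added example (not from the guide or the appliance; the policy values, the function names and the use of SHA-256 as a history fingerprint are constructed for illustration) implements those rules as a reference, so an administrator can see which candidate passwords a given policy accepts or rejects and when the expiration warning would appear:

```python
import hashlib
from datetime import date, timedelta

# Constructed example settings mirroring the Add Domain fields for a
# Local User Database domain (values are illustrative).
EXAMPLE_POLICY = {
    "passwords_expire_in_days": 730,  # the guide's default: two years
    "show_warning_days": 15,
    "history_remembered": 5,          # allowed range 0..10
    "minimum_length": 8,              # allowed range 1..14
    "enforce_complexity": True,
}


def validate_policy(policy):
    """Return the range violations the Add Domain form would reject."""
    errors = []
    if not 0 <= policy["history_remembered"] <= 10:
        errors.append("history_remembered must be between 0 and 10")
    if not 1 <= policy["minimum_length"] <= 14:
        errors.append("minimum_length must be between 1 and 14")
    return errors


def complexity_classes(password):
    """Count how many of the four character classes the password uses."""
    has_upper = any("A" <= c <= "Z" for c in password)
    has_lower = any("a" <= c <= "z" for c in password)
    has_digit = any("0" <= c <= "9" for c in password)
    # The "non-alphabetic" class is counted as anything outside the three
    # classes above, so a digit is not counted twice.
    has_other = any(not (c.isascii() and c.isalnum()) for c in password)
    return sum((has_upper, has_lower, has_digit, has_other))


def password_fingerprint(password):
    """Fingerprint kept in the history list. A real credential store uses a
    salted, slow password hash; plain SHA-256 only keeps this example
    self-contained."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(password, history, policy):
    """Return the list of policy rules the candidate password violates.
    `history` holds fingerprints of previous passwords, newest first."""
    problems = []
    if len(password) < policy["minimum_length"]:
        problems.append("length")
    if policy["enforce_complexity"] and complexity_classes(password) < 3:
        problems.append("complexity")
    # Only the most recent N passwords are remembered; N = 0 allows reuse.
    remembered = history[: policy["history_remembered"]]
    if password_fingerprint(password) in remembered:
        problems.append("reuse")
    return problems


def expiry_status(last_changed_iso, today_iso, policy):
    """Classify a password as 'ok', 'warning' or 'expired' and return the
    days left, using the domain's expiry interval and warning window."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    expires_on = last_changed + timedelta(days=policy["passwords_expire_in_days"])
    days_left = (expires_on - today).days
    if days_left <= 0:
        return "expired", days_left
    if days_left <= policy["show_warning_days"]:
        return "warning", days_left
    return "ok", days_left


if __name__ == "__main__":
    print(check_new_password("password", [], EXAMPLE_POLICY))      # ['complexity']
    print(expiry_status("2024-01-01", "2025-12-20", EXAMPLE_POLICY))  # ('warning', 11)
```

With the 730-day default, a password set on 2024-01-01 expires on 2025-12-31, so the 15-day warning window opens on 2025-12-16. A history value of 0 means the previous password may be reused immediately, which is why the guide recommends setting the expiration and warning values explicitly on every local domain.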

Adding or Editing a Domain with Active Directory Authentication

To configure Windows Active Directory authentication:
1
Click Add Domain or the Configure icon for the domain to edit. The Add Domain or Edit Domain window is displayed.
* 
NOTE: Of all types of authentication, Active Directory authentication is most sensitive to clock skew, or variances in time between the SMA/SRA appliance and the Active Directory server against which it is authenticating. If you are unable to authenticate using Active Directory, refer to Active Directory Troubleshooting.
2
If adding the domain, select Active Directory from the Authentication type drop-down list. The Active Directory configuration fields are displayed.

3
If adding the domain, enter a descriptive name for the authentication domain in the Domain name field. This is the domain name users select in order to log in to the SMA/SRA appliance portal. It can be the same value as the Server address field or the Active Directory domain field, depending on your network configuration.
4
Enter the Active Directory domain name in the Active Directory domain field.
5
Enter the IP address or host and domain name of the Active Directory server in the Server address field.
6
Enter the IP address or host and domain name of the back up server in the Backup Server address field.
7
Enter the user name for login in the Login user name field.
8
Enter the password for login in the Login password field.
9
Enter the name of the layout in the Portal name field. Additional layouts can be defined in the Portals > Portals page.
10
Optionally select Allow password changes. Enabling this feature allows a user to change their password through the Virtual Office portal by selecting Options on the top of the portal page. Users must submit their old password, along with a new password and a re-verification of the newly selected password.
11
Optionally select Use SSL/TLS. This option allows for the needed SSL/TLS encryption to be used for Active Directory password exchanges. This check box should be enabled when setting up a domain using Active Directory authentication.
12
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
Verify user name matches Common Name (CN) of client certificate - Select this check box to require that the user’s account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that matches the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
13
Select Delete external user accounts on logout to delete users who are not logged into a domain account after they log out.
14
Select Only allow users listed locally to allow only users with a local record in the Active Directory to log in.
15
Select Auto-assign groups at login to assign users to a group when they log in.

Users logging into Active Directory domains are automatically assigned in real time to Secure Mobile Access groups based on their external AD group memberships. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.

16
Optionally, select One-time passwords to enable the One Time Password feature. A drop-down list appears, in which you can select if configured, required for all users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do not have a One Time Password email address configured are not allowed to log in.
using domain name - Users in the domain use the One Time Password feature. One Time Password emails for all users in the domain are sent to username@domain.com.
17
If you selected if configured or required for all users in the One-time passwords drop-down list, the Active Directory AD e-mail attribute drop-down list appears, in which you can select mail, mobile, pager, userPrincipalName, or custom. These are defined as:
mail - If your AD server is configured to store email addresses using the “mail” attribute, select mail.
mobile or pager - If your AD server is configured to store mobile or pager numbers using either of these attributes, select mobile or pager, respectively. Raw numbers cannot be used, but SMS addresses can.
userPrincipalName - If your AD server is configured to store email addresses using the “userPrincipalName” attribute, select userPrincipalName.
custom - If your AD server is configured to store email addresses using a custom attribute, select custom. The Custom attribute field appears; type the custom attribute that your AD server uses to store email addresses. If the specified attribute cannot be found for a user, the email address assigned in the individual user policy settings is used.

If you select using domain name, an E-mail domain field appears following the drop-down list. Type in the domain name where one-time password emails are sent (for example, abc.com).

18
If Technician Allowed is enabled, Secure Virtual Assist can log in as a technician role in this domain.
19
Select the type of user from the User Type drop-down list. All users logging in through this domain are treated as this user type. The choices depend on user types defined already. Some possible choices are:
External User – Users logging into this domain are treated as normal users without administrative privileges.
External Administrator – Users logging into this domain are treated as administrators, with local Secure Mobile Access admin credentials. These users are presented with the admin login page.

This option allows the Secure Mobile Access administrator to configure a domain that allows Secure Mobile Access admin privileges to all users logging into that domain.

SonicWall Inc. recommends adding filters that allow administrative access only to those users who are in the correct group. You can do so by editing the domain on the Users > Local Groups page.

Read-only Administrator – Users logging into this domain are treated as read-only administrators and can view all information and settings, but cannot apply any changes to the configuration. These users are presented with the admin login page.
20
Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.
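Steps 16 and 17 above, and the matching steps in the Local User Database and LDAP procedures, define how the appliance decides whether a login needs a one-time password and where the code is sent: the mode (if configured, required for all users, using domain name), the directory attribute holding the address, the custom-attribute fall-back to the individual user policy, and the rule that mobile or pager values must be SMS addresses rather than raw numbers. The following added example (not from the guide or the appliance; the directory records, the per-user policy addresses and the function name are constructed for illustration) models that decision so an administrator can predict which users would be denied under required for all users before switching the domain over:

```python
# Constructed directory records keyed by login name. Attribute names follow
# the AD e-mail attribute choices the guide lists (mail, mobile, pager,
# userPrincipalName, custom); 'otpMail' stands in for a custom attribute.
SAMPLE_DIRECTORY = {
    "alice": {"mail": "alice@example.com", "userPrincipalName": "alice@corp.example.com"},
    "bob":   {"mobile": "15551234567@sms.example.net"},
    "dave":  {"mobile": "15551234567"},   # raw number: not usable per the guide
    "carol": {},                          # nothing stored in the directory
}

# Addresses set per user in the individual user policy settings (constructed).
USER_POLICY_ADDRESS = {"carol": "carol.policy@example.com"}


def resolve_otp_delivery(username, mode, attribute=None, custom_attribute=None, email_domain=None):
    """Return (decision, address) where decision is one of
       'no-otp'  log in without a one-time password
       'otp'     send the one-time password to `address`
       'deny'    refuse the login (required mode, but no address available)
    """
    if mode == "off":
        return "no-otp", None
    if mode == "using domain name":
        if not email_domain:
            raise ValueError("E-mail domain is required for 'using domain name'")
        return "otp", f"{username}@{email_domain}"
    if mode not in ("if configured", "required for all users"):
        raise ValueError(f"unknown One-time passwords mode: {mode!r}")

    attr_name = custom_attribute if attribute == "custom" else attribute
    record = SAMPLE_DIRECTORY.get(username, {})
    address = record.get(attr_name) if attr_name else None

    # mobile/pager values must already be SMS e-mail addresses; a raw
    # number is treated as "not configured".
    if attribute in ("mobile", "pager") and address and "@" not in address:
        address = None

    # The guide documents the fall-back to the individual user policy
    # setting for the custom attribute, so it is applied only there.
    if not address and attribute == "custom":
        address = USER_POLICY_ADDRESS.get(username)

    if address:
        return "otp", address
    if mode == "required for all users":
        return "deny", None
    return "no-otp", None


if __name__ == "__main__":
    for user in SAMPLE_DIRECTORY:
        print(user, resolve_otp_delivery(user, "required for all users", "mail"))
```

Running the loop at the bottom against a full export of the directory is a cheap pre-flight check: every user that comes back as deny would be locked out the moment the domain is set to required for all users.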

Active Directory Troubleshooting

If your users are unable to connect using Active Directory, verify the following configurations:

The time settings on the Active Directory server and the SMA/SRA appliance must be synchronized. Kerberos authentication, used by Active Directory to authenticate clients, permits a maximum 15-minute time difference between the Windows server and the client (the SMA/SRA appliance). The easiest way to solve this issue is to configure Network Time Protocol on the System > Time page of the Secure Mobile Access web-based management interface and check that the Active Directory server has the correct time settings.
Confirm that your Windows server is configured for Active Directory authentication.
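The first check above hinges on the 15-minute Kerberos tolerance. The following added example (not from the guide or the appliance; the sample timestamps and the function names are constructed for illustration) compares a directory server’s clock, expressed in the LDAP GeneralizedTime form in which Active Directory publishes its rootDSE currentTime attribute, against the appliance’s clock given as an ISO 8601 timestamp, and reports whether the skew is inside the tolerance:

```python
from datetime import datetime, timedelta, timezone

# Kerberos' default tolerance, as stated in the guide.
MAX_KERBEROS_SKEW = timedelta(minutes=15)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20240312101500.0Z' (the form
    Active Directory uses for the rootDSE currentTime attribute)."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime values are handled here")
    body = value[:-1].split(".")[0]   # drop the fractional seconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def kerberos_skew_check(server_generalized_time, client_time_iso, max_skew=MAX_KERBEROS_SKEW):
    """Return (ok, skew_seconds) comparing the directory server's clock with
    the appliance's clock given as an ISO 8601 timestamp with UTC offset.
    A timestamp without an offset is assumed to be UTC."""
    server = parse_generalized_time(server_generalized_time)
    client = datetime.fromisoformat(client_time_iso)
    if client.tzinfo is None:
        client = client.replace(tzinfo=timezone.utc)
    skew = abs(server - client)
    return skew <= max_skew, int(skew.total_seconds())


if __name__ == "__main__":
    # Constructed sample: server is at 10:15:00Z, appliance believes it is 10:35:00Z.
    print(kerberos_skew_check("20240312101500.0Z", "2024-03-12T10:35:00+00:00"))  # (False, 1200)
```

A skew that is inside the tolerance but growing between two readings usually means one side has no working time source; enabling NTP on the System > Time page, as the guide recommends, fixes that rather than masking it.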

Adding or Editing a Domain with LDAP Authentication

To configure a domain with LDAP authentication:
1
Click Add Domain or the Configure icon for the domain to edit. The Add Domain or Edit Domain window is displayed.
2
If adding the domain, select LDAP from the Authentication Type menu. The LDAP domain configuration fields are displayed.

3
If adding the domain, enter a descriptive name for the authentication domain in the Domain name field. This is the domain name users select in order to log in to the SMA/SRA appliance user portal. It can be the same value as the Primary LDAP Server address field.
4
Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search base string is CN=Users,DC=yourdomain,DC=com.
* 
TIP: It is possible for multiple OUs to be configured for a single domain by entering each OU on a separate line in the LDAP baseDN field. In addition, any sub-OUs are automatically included when parents are added to this field.
* 
NOTE: Do not include quotes (“”) in the LDAP BaseDN field.
5
Enter the IP address or domain name of the Primary LDAP server in the Server Address field.
6
Enter the common name and password of a user that has been delegated control of the primary server in the Login Username and Login Password fields.
* 
NOTE: When entering Login Username and Login Password, remember that the SMA/SRA appliance binds to the LDAP tree with these credentials and users can log in with their sAMAccountName.
7
Optionally enter the IP address or domain name of a backup LDAP server in the Server Address field, under the Backup LDAP server section.
8
Optionally enter the common name and password of a user that has been delegated control of the backup server in the Login user name and Login password fields, under the Backup LDAP server section.
9
Enter the name of the layout in the Portal name field. Additional layouts can be defined in the Portals > Portals page.
10
Optionally select Allow password changes (if allowed by LDAP server). This option, if allowed by your LDAP server, enables users to change their LDAP password during a Secure Mobile Access session.
11
Optionally select Use SSL/TLS. This option allows for the SSL/TLS encryption to be used for LDAP password exchanges. This option is disabled by default as not all LDAP servers are configured for SSL/TLS.
12
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
Verify user name matches Common Name (CN) of client certificate - Select this check box to require that the user’s account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that matches the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
13
Select Auto-assign groups at login to assign users to a group when they log in.

Users logging into LDAP domains are automatically assigned in real time to Secure Mobile Access groups based on their external LDAP attributes. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.

14
Optionally select One-time passwords to enable the One Time Password feature. A drop-down list appears, in which you can select if configured, required for all users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do not have a One Time Password email address configured are not allowed to login.
using domain name - Users in the domain use the One Time Password feature. One Time Password emails for all users in the domain are sent to username@domain.com.

If you selected if configured or required for all users in the One-time passwords drop-down list, the LDAP e-mail attribute drop-down list appears, in which you can select mail, userPrincipalName, or custom. These are defined as:

mail - If your LDAP server is configured to store email addresses using the “mail” attribute, select mail.
mobile or pager - If your AD server is configured to store mobile or pager numbers using either of these attributes, select mobile or pager, respectively. Raw numbers cannot be used, however, SMS addresses can.
userPrincipalName - If your LDAP server is configured to store email addresses using the “userPrincipalName” attribute, select userPrincipalName.
custom - If your LDAP server is configured to store email addresses using a custom attribute, select custom. The Custom attribute field appears; type the custom attribute that your LDAP server uses to store email addresses. If the specified attribute cannot be found for a user, the email address assigned in the individual user policy settings is used.

If using domain name is selected in the One-time passwords drop-down list, the E-mail domain field appears instead of the LDAP e-mail attribute drop-down list. Type in the domain name where one-time password emails are sent (for example, abc.com).

15
Select the type of user from the User Type drop-down list. All users logging in through this domain are treated as this user type. The choices depend on the user types already defined. Some possible choices are:
External User – Users logging into this domain are treated as normal users without administrative privileges.
External Administrator – Users logging into this domain are treated as administrators, with local Secure Mobile Access admin credentials. These users are presented with the admin login page.

This option allows the Secure Mobile Access administrator to configure a domain that allows Secure Mobile Access admin privileges to all users logging into that domain.

SonicWall Inc. recommends adding filters that allow administrative access only to those users who are in the correct group. You can do so by editing the domain on the Users > Local Groups page.

Read-only Administrator – Users logging into this domain are treated as read-only administrators and can view all information and settings, but cannot apply any changes to the configuration. These users are presented with the admin login page.
16
Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.

Adding or Editing a Domain with RADIUS Authentication

To configure a domain with RADIUS authentication:
1
On the Portals > Domains page, click Add Domain or the Configure icon for the domain to edit. The Add Domain or Edit Domain window is displayed.
2
If adding the domain, select RADIUS from the Authentication type menu. The RADIUS configuration fields are displayed.

3
If adding the domain, enter a descriptive name for the authentication domain in the Domain name field. This is the domain name users select in order to log in to the Secure Mobile Access portal.
4
Select the proper Authentication Protocol for your RADIUS server. Choose from PAP, CHAP, MSCHAP, or MSCHAPV2.
5
Under Primary Radius server, enter the IP address or domain name of the RADIUS server in the RADIUS server address field.
6
Enter the RADIUS server port in the RADIUS server port field.
7
If required by your RADIUS configuration, enter an authentication secret in the Secret password field.
8
Enter a number (in seconds) for RADIUS timeout in the RADIUS Timeout (Seconds) field.
9
Enter the maximum number of retries in the Max Retries field.
10
Under Backup Radius Server, enter the IP address or domain name of the backup RADIUS server in the RADIUS server address field.
11
Enter the backup RADIUS server port in the RADIUS server port field.
12
If required by the backup RADIUS server, enter an authentication secret for the backup RADIUS server in the Secret password field.
13
Optionally, if using RADIUS for group-based access, select Use Filter-ID for RADIUS Groups.
14
Click the name of the layout in the Portal name drop-down list.
15
If you selected the Authentication Protocol for your RADIUS server as MSCHAP or MSCHAPV2, you have the option to select Allow password changes. Note that if you enable password changes, you must also deploy the LAN Manager authentication.
16
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
Verify user name matches Common Name (CN) of client certificate - Select this check box to require that the user’s account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that matches the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
17
Select Delete external user accounts on logout to delete users who are not logged into a domain account after they log out.
18
Select Auto-assign groups at login to assign users to a group when they log in.

Users logging into RADIUS domains are automatically assigned in real time to Secure Mobile Access groups based on their external RADIUS filter-IDs. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.

19
Optionally select One-time passwords to enable the One-time password feature. A drop-down list appears, in which you can select if configured, required for all users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do not have a One Time Password email address configured are not allowed to log in.
using domain name - Users in the domain use the One Time Password feature. One Time Password emails for all users in the domain are sent to username@domain.com.
20
If you select using domain name, an E-mail domain field appears following the drop-down list. Type in the domain name where one-time password emails are sent (for example, abc.com).
21
If you select Technician Allowed, Secure Virtual Assist can be used as a technician in this domain.
22
Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.
23
Click Configure next to the RADIUS domain you added. The Test tab of the Edit Domain page displays.

24
Enter your RADIUS user ID in the User ID field and your RADIUS password in the Password field.
25
Click Test. The SMA/SRA appliance connects to your RADIUS server.
26
If you receive the message Server not responding, check your user ID and password and click the General tab to verify your RADIUS settings. Try running the test again.
* 
NOTE: The SMA/SRA appliance attempts to authenticate against the specified RADIUS server using PAP authentication. It is generally required that the RADIUS server be configured to accept RADIUS client connections from the SMA/SRA appliance. Typically, these connections appear to come from the SMA/SRA appliance X0 interface IP address. Refer to your RADIUS server documentation for configuration instructions.
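The following Python is an added example, not code from this guide or from SonicWall. It shows what the Test tab exchange described in the note looks like on the wire: the appliance sends a RADIUS Access-Request whose User-Password attribute is obfuscated with the shared secret using PAP (RFC 2865), the server recovers the password with the same secret, and the reply carries a Response Authenticator that the client verifies before trusting it. It also extracts the Filter-Id attributes from an Access-Accept, which is what Use Filter-ID for RADIUS Groups (step 13) consumes. The shared secret, user name, NAS address and group names are constructed sample values; nothing is sent on the network.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def pap_encrypt(secret, request_auth, password):
    """Hide a PAP password as RFC 2865 section 5.2 describes: pad to 16-byte blocks,
    then XOR each block with MD5(secret + previous block); the 'previous block' for
    the first block is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def pap_decrypt(secret, request_auth, encrypted):
    """What the RADIUS server does with the same shared secret: reverse pap_encrypt."""
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value encoding of one attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, request_auth, identifier, username, password, nas_ip):
    """Access-Request of the kind the appliance sends from its X0 address during the test."""
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(secret, request_auth, password.encode()))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(secret, request_auth, identifier, code, attrs_list):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b"".join(attribute(t, v) for t, v in attrs_list)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret, request_auth, packet):
    """Client-side check that the reply was produced with the same secret for this
    request; a wrong secret or a reply to a different request fails."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def filter_ids(packet):
    """Group names read from Filter-Id attributes when Use Filter-ID for RADIUS Groups is on."""
    return [v.decode() for t, v in parse_attributes(packet) if t == FILTER_ID]


if __name__ == "__main__":
    # Constructed sample values; a real client draws a fresh random Request Authenticator.
    secret, request_auth = b"constructed-shared-secret", os.urandom(16)
    req = build_access_request(secret, request_auth, 7, "jdoe", "Passw0rd!", "10.0.0.5")
    accept = build_response(secret, request_auth, 7, ACCESS_ACCEPT, [(FILTER_ID, b"VPN-Admins")])
    print(verify_response(secret, request_auth, accept), filter_ids(accept))
```

Two things worth noticing from the code: the PAP protection is only as strong as the shared secret and the MD5-based masking, so the RADIUS path between the appliance's X0 interface and the server should be on a trusted network, and a Server not responding result can equally come from a server that silently drops requests from an unknown client address or secret, which is why the note asks you to register the appliance's X0 address on the RADIUS server.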

Adding or Editing a Domain with Digital Certificates

To add or edit a domain for digital certificate authentication:
1
Navigate to the Portals > Domains window and click Add Domain or Configure for the domain to edit. The Add Domain or Edit Domain window is displayed.
2
If adding the domain, select Digital Certificate from the Authentication Type menu. The Digital Certificate configuration field is displayed.

3
If adding the domain, enter a descriptive name for the authentication domain in the Domain name field. This is the domain name users select in order to log in to the Secure Mobile Access portal.
4
Select one or more certificates from the All CA certificates list to be added to the Trusted CA certificates list. The All CA certificates list displays all available certificates for the SMA/SRA appliance that were imported from the system certificate setting.
5
Enter the Username Attribute as CN. This uses the CN attribute of the client certificate as the login username.

6
Click Accept to save changes. Next, you need to import the client certificate to your Web browser.
To import the client certificate:
1
Navigate to the Certificate details in your Web browser’s settings.

2
Select the CA domain. A dialogue window displays. Choose a client certificate to authenticate. Click OK.

The authentication completes if the CA of the client certificate is on the Trusted CA certificates list. If the client certificate is not on the Trusted CA certificates list, the appliance blocks access and displays an error message.

3
Next, the client certificate user must be authorized.
To authorize the client certificate:
1
Navigate to the Portals > Domains window and click the Configure icon for the domain to edit.
2
Select Enable group affinity checking.
3
Select one of the available domains from the drop-down list to designate as the Server.

4
Click Accept.
* 
NOTE: Only Active Directory or LDAP servers and domains are supported.
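As an added example (not code from this guide or from SonicWall), the Python below models the two client certificate checks this chapter describes: using the certificate subject’s CN as the login name (the Username Attribute of a Digital Certificate domain) and verifying that the user name matches the CN, plus a partial DN match built from the %USERNAME%, %USERDOMAIN%, %ADUSERNAME% and %WILDCARD% variables listed under Enable client certificate enforcement. The guide does not spell out the matching rules, so the semantics here (case-insensitive comparison; every RDN in the template must be present in the subject; extra subject RDNs are ignored) are assumptions, and the subject DNs and user names are constructed samples.

```python
import re

WILDCARD = "%WILDCARD%"


def parse_dn(dn):
    """Split an RFC 4514 string such as 'CN=jdoe,OU=Sales,DC=example,DC=com' into
    ordered (attribute, value) pairs. Backslash-escaped commas stay inside values;
    multi-valued RDNs (a+b) are not handled by this small parser."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return rdns


def common_name(dn):
    """First CN value; a Digital Certificate domain with Username Attribute CN logs the user in as this."""
    return next((v for a, v in parse_dn(dn) if a == "CN"), None)


def username_matches_cn(username, dn):
    """'Verify user name matches Common Name (CN) of client certificate' (case-insensitive, assumed)."""
    cn = common_name(dn)
    return cn is not None and cn.lower() == username.lower()


def expand_template(template, username, domain, ad_username):
    """Substitute session values for the template variables; %WILDCARD% is left for matching.
    Commas in values are escaped so a user name cannot inject an extra RDN."""
    esc = lambda s: s.replace(",", "\\,")
    return (template.replace("%USERNAME%", esc(username))
                    .replace("%USERDOMAIN%", esc(domain))
                    .replace("%ADUSERNAME%", esc(ad_username)))


def partial_dn_matches(template, dn, username, domain, ad_username=None):
    """'Verify partial DN in subject': every RDN of the expanded template must appear in the
    certificate subject (attribute and value, case-insensitive); %WILDCARD% accepts any value
    for that attribute. Assumed semantics, not taken from the guide."""
    subject = parse_dn(dn)
    expanded = expand_template(template, username, domain, ad_username or username)
    for attr, value in parse_dn(expanded):
        if value == WILDCARD:
            present = any(a == attr for a, _ in subject)
        else:
            present = any(a == attr and v.lower() == value.lower() for a, v in subject)
        if not present:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample subject, not from a real certificate.
    subject = "CN=jdoe,OU=Sales,DC=example,DC=com"
    print(common_name(subject), username_matches_cn("jdoe", subject),
          partial_dn_matches("CN=%USERNAME%,OU=%WILDCARD%,DC=%USERDOMAIN%", subject, "jdoe", "example"))
```

The partial DN check is what ties a certificate to an organisational scope: a template such as CN=%USERNAME%,OU=%WILDCARD% still rejects a certificate from the trusted CA that carries a different CN, or one issued without any OU at all.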

Configuring Two-Factor Authentication

Two-factor authentication is an authentication method that requires two independent pieces of information to establish identity and privileges. Two-factor authentication is stronger and more rigorous than traditional password authentication that only requires one factor (the user’s password).

For more information on how two-factor authentication works see Two-Factor Authentication Overview.

SonicWall Inc.’s implementation of two-factor authentication either uses two separate RADIUS authentication servers, or partners with two of the leaders in advanced user authentication: RSA and VASCO. If you are using RSA, you must have the RSA Authentication Manager and RSA SecurID tokens. If you are using VASCO, you must have the VASCO IdentiKey and Digipass tokens.

To configure two-factor authentication, you must first configure a RADIUS domain. For information see Adding or Editing a Domain with RADIUS Authentication.

The following sections describe how to configure the supported third-party authentication servers:

Configuring the RSA Authentication Manager

The following sections describe how to configure the RSA Authentication Manager version 6.1 to do two-factor authentication with your SMA/SRA appliance:

* 
NOTE: This configuration procedure is specific to RSA Authentication Manager version 6.1. If you are using a different version of RSA Authentication Manager, the procedure is slightly different.

If you are using VASCO instead of RSA, see Configuring the VASCO IdentiKey Solution.

Adding an Agent Host Record for the SMA/SRA Appliance

To establish a connection between the SMA/SRA appliance and the RSA Authentication Manager, an Agent Host record must be added to the RSA Authentication Manager database. The Agent host record identifies the SMA/SRA appliance within its database and contains information about communication and encryption.

To create the Agent Host record for the SMA/SRA appliance:
1
Launch the RSA Authentication Manager.
2
On the Agent Host menu, select Add Agent Host. The Add Agent Host window displays.

3
Enter a hostname for the SMA/SRA appliance in the Name field.
4
Enter the IP address of the SMA/SRA appliance in the Network address field.
5
Select Communication Server in the Agent type window.
6
By default, the Enable Offline Authentication and Enable Windows Password Integration options are enabled. SonicWall Inc. recommends disabling all of these options except for Open to All Locally Known Users.
7
Click OK.
Adding the SMA/SRA Appliance as a RADIUS Client

After you have created the Agent Host record, you must add the SMA/SRA appliance to the RSA Authentication Manager as a RADIUS client.

To do so, complete the following steps:
1
In RSA Authentication Manager, go to the RADIUS menu and select Manage RADIUS Server. The RSA RADIUS Manager displays.
2
Expand the RSA RADIUS Server Administration tree and select RADIUS Clients.

3
Click Add. The Add RADIUS Client window displays.

4
Enter a descriptive name for the SMA/SRA appliance.
5
Enter the IP address of the SMA/SRA appliance in the IP Address field.
6
Enter the shared secret that is configured on the SMA/SRA appliance in the Shared secret field.
7
Click OK and close the RSA RADIUS Manager.
Setting the Time and Date

Because two-factor authentication depends on time synchronization, it is important that the internal clocks for the RSA Authentication Manager and the SMA/SRA appliance are set correctly.

Importing Tokens and Adding Users

After you have configured the RSA Authentication Manager to communicate with the SMA/SRA appliance, you must import tokens and add users to the RSA Authentication Manager.

To import tokens and add users:
1
To import the token file, select Token > Import Tokens.

2
When you purchase RSA SecurID tokens, they come with an XML file that contains information on the tokens. Navigate to the token XML file and click Open. The token file is imported.
3
The Import Status window displays information on the number of tokens imported to the RSA Authentication Manager.

4
To create a user on the RSA Authentication Manager, click on User > Add user.

5
Enter the user’s First and Last Name.
6
Enter the user’s username in the Default Login field.
7
Select either Allowed to Create a PIN or Required to Create a PIN. Allowed to Create a PIN gives users the option of either creating their own PIN or having the system generate a random PIN. Required to Create a PIN requires the user to create a PIN.
8
To assign a token to the user, click Assign Token. Click Yes on the confirmation window that displays. The Select Token window displays.

9
You can either manually select the token or automatically assign the token:
To manually select the token for the user, click Select Token from List. In the window that displays, select the serial number for the token and click OK.
To automatically assign the token, you can optionally select the method by which to sort the token: the token’s import date, serial number, or expiration date. Then click Unassigned Token and the RSA Authentication Manager assigns a token to the user. Click OK.
10
Click OK in the Edit User window. The user is added to the RSA Authentication Manager.
11
Give the user their RSA SecurID Authenticator and instructions on how to log in, create a PIN, and use the RSA SecurID Authenticator. See the Secure Mobile Access User Guide for more information.

Configuring the VASCO IdentiKey Solution

The VASCO IdentiKey solution works with Secure Mobile Access. The following sections describe how to configure two-factor authentication using VASCO’s IdentiKey version 3.2:

* 
NOTE: This configuration procedure is specific to VASCO IdentiKey version 3.2. If you are using a different version of VASCO IdentiKey, the procedure is slightly different.

If you are using RSA instead of VASCO, see Configuring the RSA Authentication Manager.

Setting the Time

The DIGIPASS token is based on time synchronization. Because the two-factor authentication depends on time synchronization, it is important that the internal clocks for the SMA/SRA appliance and the VASCO IdentiKey are set correctly.

Navigate to System > Time on the SMA/SRA appliance to select the correct time zone.

Setting DNS and the Default Route

The default route for the SMA/SRA appliance is an interface on the firewall that corresponds with the DMZ Zone. The IP address of this firewall DMZ interface needs to be configured as the default route for the SMA/SRA appliance.

To configure Domain Name Service and the default route:
1
On the Secure Mobile Access management interface, navigate to Network > DNS and set the correct DNS settings and/or WINS settings.
2
Navigate to Network > Routes and set the correct Default Route for the Secure Mobile Access X0 interface.
Setting NetExtender Client Address Range and Route
To configure the NetExtender client address range and route on the SMA/SRA appliance:
1
Navigate to NetExtender > Client Addresses to set the NetExtender Client Address Range.

Client Addresses are assigned in the same subnet of the SMA/SRA X0 interface. Exclude the SMA/SRA appliance X0 interface and the firewall DMZ interface IP address.

2
Navigate to NetExtender > Client Routes.

Click Add Client Route to select the correct Client Routes for the authenticated remote users accessing the private networks by way of the SMA/SRA connection.

The client route corresponds with the subnet connected to the X0 (LAN) interface of the SonicWall Inc. NSA, TZ, or SuperMassive 9000 series.

Creating a Portal Domain with RADIUS Authentication
To create a domain using RADIUS authentication on the SMA/SRA appliance:
1
Navigate to Portal > Domains and click Add Domain.
2
Select Radius from the Authentication Type drop-down list.
3
Enter the Domain Name that users use in order to log in to the Secure Mobile Access portal.
Configuring a Policy on VASCO IdentiKey
To add a new policy in the VASCO Identikey Web Administration interface:
1
Log in to the Vasco Identikey Web Administration window.
2
Click the Policies tab and select Create.
* 
NOTE: There are policies available by default, and you can also create new policies to suit your needs.
3
Fill in a policy name and choose the option most suitable in your situation. If you want the policy to inherit a setting from another policy, choose the inherit option. If you want to copy an existing policy, choose the copy option, and if you want to make a new policy, choose the create option.
* 
NOTE: Configure the policy properties to use the appropriate back-end server. This can be the same authentication service as previously used in the SMA/SRA appliance.

Use the following settings for the policy:

 

Policy settings
Local Auth – Default (DIGIPASS/Password)
Back-End Auth – Default (None)
Dynamic User Registration – Default (No)
Password Autolearn – Default (No)
Stored Password Proxy – Default (No)
Windows Group Check – Default (No Check)

Registering the SMA/SRA as a VASCO Client
To register the SMA/SRA appliance as a VASCO client:
1
In the Vasco Identikey Web Administration window, click the Clients Tab and choose Register.
2
Select RADIUS Client for Client Type.
3
Enter the IP address of the SMA/SRA appliance.
4
In the Policy ID field, select your new policy.
5
Fill in the Shared Secret you entered for the RADIUS server properties on the SMA/SRA appliance.
6
Click Create.
Configuring a VASCO IdentiKey User
To create a new user:
1
In the Vasco Identikey Web Administration window, click the Users tab and select Create.
2
Fill in the User ID field.
3
Select the Domain.
4
Select the Organizational Unit.
5
Click Create.

The user appears in the list of users in the Vasco Identikey Web Administration management interface.

Importing DIGIPASS
To import a DIGIPASS:
1
In the Vasco Identikey Web Administration window, click on the DIGIPASS tab and select Import.
2
Browse for the *.DPX file.
3
Enter the Transport Key.
4
Click UPLOAD.

A confirmation message pops up when the DIGIPASS is imported successfully.

Assigning a DIGIPASS to a User

There are two ways to assign a DIGIPASS to a user. You can search for a DIGIPASS and assign it to a user or search for a user and assign the user to a DIGIPASS.

1
Do one of the following:
On the Users tab, select the check box next to the user and then click Assign DIGIPASS.
On the DIGIPASS tab, select the check box next to the DIGIPASS and then click NEXT.
* 
NOTE: If the User ID is left blank, press Find and a list of all the available users in the same domain appears. If no users appear, make sure the domains of the DIGIPASS and the user match.

When a user is assigned to a DIGIPASS, a confirmation message pops up.

Verifying Two-Factor Authentication
To test the two-factor authentication SMA/SRA connectivity with VASCO IdentiKey:
1
Connect your PC to the WAN (X1) interface of the SMA/SRA by pointing your browser to its IP address.
2
Log in to the Local Domain as an Administrator.
3
Navigate to Portal > Domains and click Configure to test the RADIUS connectivity to VASCO IdentiKey.
4
If the RADIUS Authentication is successful, log out of the Administrator account and log in to the WAN (X1) interface of Secure Mobile Access with the User Name you created.

Portals > Custom Logos

Portal logos are no longer configured globally from the Portals > Custom Logo page. Custom logos are uploaded on a per-portal basis from the Logo tab in the Portal Logo Settings dialogue. For information related to Custom Portal Logos, refer to Adding a Custom Portal Logo.

Portals > Load Balancing

This section provides an overview of the Portals > Load Balancing page and a description of the configuration tasks available on this page.

Portals > Load Balancing Overview

The Portals > Load Balancing page allows the administrator to configure back end Web servers for a load balanced deployment. This default landing page for the load balancing feature allows the administrator to configure load balancing groups, and lists general properties of any existing load balancing groups.

* 
NOTE: This feature also requires a Load Balanced Portal with virtual host to be configured in the Portals > Portals page.

Portals > Load Balancing Page

Configuration Scenarios

Load Balancing for Secure Mobile Access is a robust feature that has multiple uses, including:

Balancing a Farm of Web Servers – This is useful when an SMA/SRA appliance with higher horsepower is offering protection and balancing the load of a relatively low-powered farm of Web servers. In this case, Web Application Firewall, URL rewriting and other CPU-intensive operations are enabled on the Load Balancer.

Balancing a Low-Powered Cluster – A relatively low powered SMA/SRA cluster can be balanced for improved scalability. In this case, Web Application Firewall, URL rewriting, and other scalable features are enabled on the low powered SMA/SRA appliances.

Load Balanced Pair – In this scenario, the Load Balancer can have one portal configured for the front-end, and another Application Offloading portal configured to act as a Virtual Backend Server. This Virtual Backend Server and the second SMA/SRA device are configured as the Load Balancing Members and also take up the load of the Security Services. The Load Balancer in the previous two scenarios is essentially a dummy proxy without the load of any Security Services to burden it.

Load Balancing Settings

The following table lists Portals > Load Balancing configuration options. Additional per-group configuration options are described in Configuring a Load Balancing Group.

 

Load balancing configuration options
Enable Load Balancing – Enables the load balancing feature across all currently active groups.
Enable Fail Over – Enables/disables all probing, monitoring, and failover features.
Probe Interval – Determines the frequency (in seconds) at which the load balancing feature checks the status of backend nodes.

Configuring a Load Balancing Group

This section provides configuration details for creating a new load balancing group and consists of the following sections:

Adding a New Load Balancing Group

1
In the Portals > Load Balancing page, click Add Group. The New Load Balancing Group configuration information displays.

2
Enter a friendly LB Group Name for this load balancing group.
3
Select a load balancing method from the LB Method drop-down list. Options include:
Weighted Requests – Keeps track of the number of incoming requests (including successfully completed requests) to decide which member should handle the next incoming request. The LB Ratio decides the percentage distribution.
Weighted Traffic – Keeps track of the number of bytes of inbound/outbound data to decide which member should handle the next incoming request.
Least Requests – Keeps track of the number of incoming requests (excluding successfully completed requests) that are currently being serviced to decide which Member should handle the next incoming request.
4
Select Enable Load Balancing to enable this group for load balancing.
5
The Enable Session Persistence option is automatically selected when the group is enabled. This option keeps user sessions continuous by forwarding all requests that belong to the same session to the same backend member.
6
Select Enable Failover to enable probing, monitoring, and failover features.
* 
NOTE: It is important to ensure that the same member receives all cookies to keep the user authenticated. However, for improved performance in certain situations, all backend members might be able to accept the session cookies of all users. In this case, the administrator can decide to turn off Session persistence. The Load Balancer then strictly adheres to the LB method and LB factors in distributing the load.
7
To add a new member to the group, see Adding New Members to a Load Balancing Group.
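The following Python is an added example, not code from this guide or from SonicWall. It simulates the three LB Method choices (Weighted Requests counting all requests, Weighted Traffic counting bytes, Least Requests counting only requests still being serviced) together with Session Persistence, so you can see how the counters drive member selection, how a pinned session overrides the LB method, and what happens to a pinned session when its member is deactivated by failover. Member names, LB Ratio values and the workload are constructed; tie-breaking on the first member in the list is an assumption, since the guide does not state it.

```python
class Member:
    """One backend member with the counters the three LB methods consult."""

    def __init__(self, name, ratio=1):
        self.name = name
        self.ratio = ratio          # LB Ratio: relative share for the weighted methods
        self.requests_total = 0     # every request ever assigned (Weighted Requests)
        self.bytes_total = 0        # inbound + outbound bytes (Weighted Traffic)
        self.in_flight = 0          # requests being serviced right now (Least Requests)
        self.active = True          # cleared by failover when probes fail


class LoadBalancer:
    METHODS = ("weighted_requests", "weighted_traffic", "least_requests")

    def __init__(self, members, method="weighted_requests", session_persistence=True):
        if method not in self.METHODS:
            raise ValueError("unknown LB method: %s" % method)
        self.members = list(members)
        self.method = method
        self.session_persistence = session_persistence
        self.sessions = {}          # session cookie -> member name it is pinned to

    def _active(self):
        return [m for m in self.members if m.active]

    def _pick(self):
        """Lowest load for the configured method; ties go to the first member listed (assumed)."""
        candidates = self._active()
        if not candidates:
            return None
        if self.method == "weighted_requests":
            key = lambda m: m.requests_total / m.ratio
        elif self.method == "weighted_traffic":
            key = lambda m: m.bytes_total / m.ratio
        else:
            key = lambda m: m.in_flight
        return min(candidates, key=key)

    def route(self, session_id=None):
        """Member name for a new request, or None when no member is available.
        With persistence, a known session stays on its member while that member is active;
        if the member has been deactivated the session is re-pinned to the new choice."""
        member = None
        if self.session_persistence and session_id in self.sessions:
            member = next((m for m in self._active() if m.name == self.sessions[session_id]), None)
        if member is None:
            member = self._pick()
            if member is None:
                return None
            if session_id is not None:
                self.sessions[session_id] = member.name
        member.requests_total += 1
        member.in_flight += 1
        return member.name

    def complete(self, name, bytes_transferred):
        """Called when a response has been delivered; feeds Weighted Traffic and Least Requests."""
        member = next(m for m in self.members if m.name == name)
        member.in_flight -= 1
        member.bytes_total += bytes_transferred


def distribution(lb, n):
    """Route n stateless requests (constructed workload) and count what each member received."""
    counts = {m.name: 0 for m in lb.members}
    for _ in range(n):
        name = lb.route()
        counts[name] += 1
        lb.complete(name, 1000)
    return counts


if __name__ == "__main__":
    lb = LoadBalancer([Member("web1", ratio=3), Member("web2", ratio=1)])
    print(distribution(lb, 8))   # a 3:1 LB Ratio yields 6 requests on web1 and 2 on web2
```

The persistence behaviour is the part that matters for authentication: without it, a Least Requests group would send a busy user's next request to the idle member, which does not hold that user's session cookie, so the note in step 6 about every cookie reaching the same member applies.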

Configuring Probe Settings

To configure probe settings for this load balancing group in the Probe Settings section of the Portals > Load Balancing screen:

1
Select a Probe Method from the drop-down list. Options include:
HTTP/HTTPS GET – The Load Balancer periodically (at the configured Probe Interval) sends an HTTP(S) GET request and treats the member as healthy only if the HTTP response status code is below 500, which rules out Web server errors. This is the most reliable method to determine if a Web server is alive. This method ignores SSL certificate warnings while probing.
TCP Connect – The Load Balancer completes a 3-way TCP handshake periodically to monitor the health of a backend node.
ICMP Ping – The Load Balancer sends a simple ICMP Ping request to monitor if a backend node is alive.
2
In the Deactivate Member after field, enter the number of missed intervals required to fail the node. The default value is 2.
3
In the Reactivate Member after field, enter the number of successful intervals required to reinstate the node as functional. The default value is 2.
4
In the Display error page when there is no resource available to fail over text box, enter a custom message or Web page to display in the event that all of the configured backend nodes have failed. HTML formatting is allowed in this field.
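As an added example (not code from this guide or from SonicWall), the Python below implements the failover state machine these four settings describe: an HTTP/HTTPS GET probe is healthy when the status code is below 500, a member is deactivated after Deactivate Member after consecutive missed intervals, reinstated after Reactivate Member after consecutive good intervals, and the custom error page is returned only when every member in the group has failed. Member names, the probe results and the error page text are constructed; the defaults of 2 and 2 are the guide's.

```python
class MemberHealth:
    """Per-member probe state used by the failover logic."""

    def __init__(self):
        self.active = True
        self.missed = 0         # consecutive failed intervals while active
        self.succeeded = 0      # consecutive successful intervals while deactivated


class ProbeMonitor:
    def __init__(self, members, deactivate_after=2, reactivate_after=2,
                 error_page="<h1>No backend available</h1>"):
        self.deactivate_after = deactivate_after    # Deactivate Member after (default 2)
        self.reactivate_after = reactivate_after    # Reactivate Member after (default 2)
        self.error_page = error_page                # Display error page when no resource is available
        self.health = {name: MemberHealth() for name in members}

    @staticmethod
    def http_probe_ok(status_code):
        """HTTP/HTTPS GET method: healthy unless the response status is 500 or above,
        so a 404 from the probe URL still counts as 'Web server alive'."""
        return status_code < 500

    def record(self, name, ok):
        """Feed one interval's probe result; returns the member's active flag afterwards.
        Counters are consecutive: a good probe resets the miss count and vice versa."""
        h = self.health[name]
        if ok:
            h.missed = 0
            if not h.active:
                h.succeeded += 1
                if h.succeeded >= self.reactivate_after:
                    h.active, h.succeeded = True, 0
        else:
            h.succeeded = 0
            if h.active:
                h.missed += 1
                if h.missed >= self.deactivate_after:
                    h.active, h.missed = False, 0
        return h.active

    def active_members(self):
        return [n for n, h in self.health.items() if h.active]

    def error_page_if_needed(self):
        """The configured error page when every member has failed, otherwise None."""
        return None if self.active_members() else self.error_page


def replay_http_probes(monitor, name, status_codes):
    """Apply a constructed series of HTTP probe results; returns the active flag after each."""
    return [monitor.record(name, ProbeMonitor.http_probe_ok(code)) for code in status_codes]


if __name__ == "__main__":
    mon = ProbeMonitor(["web1", "web2"])
    # Two consecutive 503s deactivate web1; two consecutive 200s bring it back.
    print(replay_http_probes(mon, "web1", [200, 503, 503, 200, 200]))
```

The consecutive-count design is why a single flapping response does not bounce a member out of rotation; with the defaults, a member is only removed once two probe intervals in a row fail, so the effective detection time is Probe Interval multiplied by Deactivate Member after.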

Adding New Members to a Load Balancing Group

* 
NOTE: You must create a Load Balancing group before you can begin adding members to the group.
To add members to a new or existing load balancing group:
1
When editing or adding a group from the Portals > Load Balancing page, click Add Member. The Load Balancing Member screen displays.

2
Enter a Member Name to uniquely identify this member within the Load Balancing Group.
3
Enter a friendly name or description in the Comment field to identify this member; it is shown when you mouse over the member on the group’s page.
4
Select a Scheme to connect to the backend server. Select one of the following options from the drop-down list: HTTP, HTTPS, or AUTO. The default value is HTTPS.

If AUTO is selected, specify two port numbers for HTTPS and HTTP.

* 
NOTE: To enable HTTP access for the App Offloading Portal, select Enable HTTP access, located on the Virtual Host tab of the portal.
5
Enter the back end HTTP(S) server IP address in the IPv4/IPv6 Address field.
6
Enter the Port for the backend server. The default value for an HTTPS connection is 443. For Auto schemes, enter the port numbers for HTTPS and HTTP.
7
Click Accept to add this member to the group.

Portals > URL Based Aliasing

This section provides an overview of the Portals > URL Based Aliasing page and a description of the configuration tasks available on this page.

URL Based Aliasing overview

URL Based Aliasing provides the ability to access several different Web sites through one portal using one domain name. This feature is designed to be consistent with the Load Balancing setting. Because URL Based Aliasing involves rewriting URLs found in the content served by the backend Web server, the backend Web application should be compatible with third-party proxies. If a Web application does not render properly using URL Based Aliasing, you might need to set up access to the application using App Offloading without URL rewriting or using NetExtender.

Adding a URL Based Aliasing group

To add a URL Based Aliasing group:
1
Navigate to the Portals > URL Based Aliasing page.

2
Under the URL Based Aliasing Groups section, click Add Group. The New URL Based Aliasing Group page displays.

3
Enter a Group Name in the field provided. Then, click Accept. The newly added group displays on the URL Based Aliasing Groups list.

Adding members

* 
NOTE: You must create a URL Based Aliasing group before you can begin adding members to the group.

URL Based Aliasing allows you to add up to 100 members to a group.

To add members to a URL Based Aliasing group:
1
Navigate to the Portals > URL Based Aliasing page.
2
Click the Configure icon of the group you want to modify. The Group URL Based Aliasing Settings page displays.
3
Click Add Member. The Add URL Based Aliasing Member page displays.

Configure the following fields:

URL — Enter the URL or name of the member.
Comments — Enter any additional information. Anything entered in this field displays on the Index page.
Scheme — Select from the drop-down list the scheme of the backend server. Select between HTTP, HTTPS, or AUTO.
Application Server Host — Enter a Hostname, IPv4 address, or IPv6 address of the host.
Port — Specify the port number. The default value is 443.
4
Click Accept to save changes and add a member to the group. The newly added member appears on the URL Based Aliasing Settings page.

Repeat steps 2 through 4 for each member you wish to add to the group.
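The following Python is an added example, not code from this guide or from SonicWall. It models a URL Based Aliasing group with the member fields above (URL, Scheme, Application Server Host, Port) and the 100-member limit, maps an incoming portal path to the backend it should be proxied to, and performs the kind of link rewriting the overview describes: root-relative links in the backend's HTML get the member prefix, and absolute links to that backend host are pointed back through the portal. It also shows why some applications break: links the rewriter cannot see (relative paths and URLs assembled by script) pass through untouched. Portal and backend names are constructed, the portal is assumed to be reached over HTTPS, and the AUTO scheme with two ports is not modelled.

```python
import re
from urllib.parse import urlsplit

MAX_MEMBERS = 100   # per-group limit stated in the guide


class AliasGroup:
    def __init__(self, portal_host):
        self.portal_host = portal_host     # the one domain name users type
        self.members = {}                  # alias (member URL) -> (scheme, host, port)

    def add_member(self, url, scheme, host, port=443):
        alias = url.strip("/")
        if not alias or "/" in alias:
            raise ValueError("member URL must be a single path segment")
        if scheme not in ("http", "https"):
            raise ValueError("scheme must be http or https")
        if len(self.members) >= MAX_MEMBERS:
            raise ValueError("group already has %d members" % MAX_MEMBERS)
        self.members[alias] = (scheme, host, port)

    def backend_for(self, request_path):
        """Map '/<alias>/rest?query' to (alias, backend URL); None means serve the index page."""
        alias, _, rest = request_path.lstrip("/").partition("/")
        if alias not in self.members:
            return None
        scheme, host, port = self.members[alias]
        return alias, "%s://%s:%d/%s" % (scheme, host, port, rest)

    def rewrite_html(self, html, alias):
        """Rewrite href/src/action attributes in content served by member `alias`.
        Root-relative links get the alias prefix; absolute links to that backend host are
        pointed back through the portal; relative links and foreign hosts are left alone."""
        scheme, host, port = self.members[alias]

        def fix(match):
            attr, quote, url = match.groups()
            parts = urlsplit(url)
            if parts.scheme in ("http", "https") and parts.hostname == host:
                new = "https://%s/%s%s" % (self.portal_host, alias, parts.path or "/")
                if parts.query:
                    new += "?" + parts.query
            elif url.startswith("/") and not url.startswith("//"):
                new = "/%s%s" % (alias, url)
            else:
                new = url
            return "%s=%s%s%s" % (attr, quote, new, quote)

        return re.sub(r'\b(href|src|action)=(["\'])([^"\']*)\2', fix, html)


if __name__ == "__main__":
    group = AliasGroup("portal.example.com")          # constructed portal name
    group.add_member("mail", "https", "mail.internal")
    print(group.backend_for("/mail/inbox?folder=1"))
    print(group.rewrite_html('<a href="/inbox">In</a>', "mail"))
```

Rewriting only touches what the proxy can parse out of the HTML; a script that computes `location.href` from `window.location.hostname`, or a cookie scoped to the backend's path, escapes the rewriter, which is the case the overview refers to when it suggests App Offloading without URL rewriting or NetExtender instead.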

Deleting a group

To delete a specific group:
1
Navigate to the Portal > URL Based Aliasing page.
2
Click the Delete icon of the group you wish to delete.
3
A confirmation for deleting the group appears. Click OK.

Deleting a member

To delete a specific member from a group:
1
Navigate to the URL Based Aliasing group settings page in which the member belongs.
2
Click the Delete icon of the member you wish to delete.
3
A confirmation for deleting the member appears. Click OK. Repeat these steps for each member you want to delete.

Default Site Settings

The Default Site Settings section provides the ability to set a default site when accessing the portal without any URL specified. The default value in the drop-down list is Index Page.

The Default Site Settings can be customized by editing the HTML, and then clicking Accept.

Click Preview... to view the Index Page. To modify how this page appears, edit the HTML in the Default Site Settings section and click Accept.

Click the Default Index Page to indicate the default page.
* 
NOTE: Use the URL webmail.sonicwall.com. You are directed to the Index page that has hyperlink access for configured sites.