Secure Mobile Access 8.6 Admin Guide

Configuring Users & Logs

Users Configuration

This section provides information and configuration tasks specific to the Users pages on the Secure Mobile Access web-based management interface, including access policies and bookmarks for users and groups. Policies control access to the different levels of objects defined on your SMA/SRA appliance.

Users > Status

The Users > Status page provides information about users and administrators who are currently logged into the SMA/SRA appliance. This section provides general information about how the SMA/SRA appliance manages users through a set of hierarchical policies.

Users > Status Page

When Streaming Updates is set to ON, the Users > Status page content is automatically refreshed so that the page always displays current information. Toggle to OFF by clicking ON.

The Active User Sessions table displays the current users or administrators logged into the SMA/SRA appliance. Each entry displays the name of the user, the group to which the user belongs, the portal the user is logged into, the IP address of the user, a time stamp indicating when the user logged in, the duration of the session, and the cumulative idle time during the session. An administrator can terminate a user session and log the user out by clicking the Logout icon at the right of the user row. The Active User Sessions table includes the following information:

 

Active User Information

Name: A text string that indicates the ID of the user.
Group: The group to which the user belongs.
Portal: The name of the portal that the user is logged into.
IP Address: The IP address of the workstation from which the user is logged in.
Location: The geographical location of the source IP address for each user.
Login Time: The time when the user first established a connection with the SMA/SRA appliance, expressed as day, date, and time (HH:MM:SS).
Logged In: The amount of time since the user first established a connection with the SMA/SRA appliance, expressed as number of days and time (HH:MM:SS).
Idle Time: The amount of time the user has been in an inactive or idle state with the SMA/SRA appliance.
Logout: Displays an icon that enables the administrator to log the user out of the appliance.

Access Policies Concepts

The Secure Mobile Access web-based management interface provides granular control of access to the SMA/SRA appliance. Access policies provide different levels of access to the various network resources that are accessible using the SMA/SRA appliance. There are three levels of access policies: global, groups, and users. You can block and permit access by creating access policies for an IP address, an IP address range, all addresses, or a network object.

Access Policy Hierarchy

An administrator can define user, group, and global policies for predefined network objects, IP addresses, address ranges, or all IP addresses, and for different Secure Mobile Access services. Certain policies take precedence over others.

The Secure Mobile Access policy hierarchy is:

User policies take precedence over group policies
Group policies take precedence over global policies
If two or more user, group or global policies are configured, the most specific policy takes precedence

For example, a policy configured for a single IP address takes precedence over a policy configured for a range of addresses. A policy that applies to a range of IP addresses takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses.

Network objects are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network object.

For example:

Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 - 10.0.0.255
Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 - 10.0.1.10
Policy 3: A Permit rule has been configured to allow FTP access to the predefined network object, FTP Servers. The FTP Servers network object includes the following addresses: 10.0.0.5 - 10.0.0.20, and ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to access:

An FTP server at 10.0.0.1, the user would be blocked by Policy 1
An FTP server at 10.0.1.5, the user would be blocked by Policy 2
An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5 - 10.0.0.20 is more specific than the IP address range defined in Policy 1.
An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2.
NOTE: In this example, the user would not be able to access ftp.company.com using its IP address 10.0.1.3. The Secure Mobile Access policy engine does not perform reverse DNS lookups.

TIP: When using Citrix bookmarks, in order to restrict proxy access to a host, a Deny rule must be configured for both Citrix and HTTP services.
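The precedence rules above, worked through in Python as an added example (this is not SonicWall's policy engine): the three policies of the example are encoded, and resolve() picks the winner first by level (user, then group, then global) and then by the size of the matching address set, so that a host name or single address beats a range and a small range beats a large one, with no reverse DNS. Treating a policy's service as matching when it is the requested service or "all services", breaking ties by list order, and applying no default when nothing matches are assumptions, not statements from this guide.

```python
"""Model of the access-policy precedence described above (added example, not
SonicWall code).  Assumptions not stated on the page: a policy matches when the
destination lies in one of its address members and its service is the requested
service or ALL; specificity is the number of addresses the matching member
covers (a host name counts as one); ties go to the earlier policy in the list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_SERVICES = "ALL"                                # "block all services" in Policy 1
LEVEL_RANK = {"user": 0, "group": 1, "global": 2}   # user > group > global


@dataclass(frozen=True)
class Member:
    """One target entry: an inclusive IPv4 range (stored as ints) or a host name."""
    first: Optional[int] = None
    last: Optional[int] = None
    host: Optional[str] = None

    @staticmethod
    def ip_range(begin: str, end: str) -> "Member":
        a, b = int(ipaddress.IPv4Address(begin)), int(ipaddress.IPv4Address(end))
        return Member(first=min(a, b), last=max(a, b))

    @staticmethod
    def all_addresses() -> "Member":
        return Member(first=0, last=2**32 - 1)

    @staticmethod
    def hostname(name: str) -> "Member":
        return Member(host=name.lower())

    def matches(self, dest: str) -> bool:
        if self.host is not None:
            # Host names are compared literally; the engine does no reverse DNS,
            # so the resolved IP of ftp.company.com never matches this member.
            return dest.lower() == self.host
        try:
            d = int(ipaddress.IPv4Address(dest))
        except ipaddress.AddressValueError:
            return False                            # host-name destination vs. address range
        return self.first <= d <= self.last

    def specificity(self) -> int:
        """Number of addresses covered; smaller is more specific."""
        return 1 if self.host is not None else self.last - self.first + 1


@dataclass(frozen=True)
class Policy:
    name: str
    level: str                                      # "user", "group" or "global"
    action: str                                     # "Permit" or "Deny"
    service: str                                    # e.g. "FTP", or ALL_SERVICES
    members: Tuple[Member, ...]                     # a network object is several members

    def best_match(self, dest: str, service: str) -> Optional[int]:
        """Specificity of the narrowest matching member, or None if nothing matches."""
        if self.service not in (ALL_SERVICES, service):
            return None
        sizes = [m.specificity() for m in self.members if m.matches(dest)]
        return min(sizes) if sizes else None


def resolve(policies: List[Policy], dest: str,
            service: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, policy name) of the winning policy, or (None, None)."""
    ranked = []
    for p in policies:
        spec = p.best_match(dest, service)
        if spec is not None:
            ranked.append((LEVEL_RANK[p.level], spec, p))
    if not ranked:
        return None, None                           # page defines no default; none assumed
    # Lowest level rank first, then smallest address set; min() keeps the first on ties.
    _, _, winner = min(ranked, key=lambda r: (r[0], r[1]))
    return winner.action, winner.name


# The three global policies from the example above.
FTP_SERVERS = (Member.ip_range("10.0.0.5", "10.0.0.20"), Member.hostname("ftp.company.com"))
POLICIES = [
    Policy("Policy 1", "global", "Deny", ALL_SERVICES, (Member.ip_range("10.0.0.0", "10.0.0.255"),)),
    Policy("Policy 2", "global", "Deny", "FTP", (Member.ip_range("10.0.1.2", "10.0.1.10"),)),
    Policy("Policy 3", "global", "Permit", "FTP", FTP_SERVERS),
]

if __name__ == "__main__":
    for dest in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "ftp.company.com", "10.0.1.3"):
        print(dest, "->", resolve(POLICIES, dest, "FTP"))
```

Adding a user-level Permit for all addresses shows the level rule: it wins over the narrower global Deny, because level is compared before specificity.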

Users > Local Users

This section provides an overview of the Users > Local Users page and a description of the configuration tasks available on this page.

For global configuration settings, see Global Configuration.

Users > Local Users Overview

The Users > Local Users page allows the administrator to add and configure users.

Local Users

The Local Users section allows the administrator to add and configure users by specifying a user name, selecting a domain and group, creating and confirming password, and selecting user type (user, administrator, or read-only administrator).

NOTE: Users configured to use RADIUS, LDAP, or Active Directory authentication do not require passwords because the external authentication server validates user names and passwords.

TIP: When a user is authenticated using RADIUS and Active Directory, an External User is created within the Local User database; however, the administrator cannot change the group for this user. If you want to specify different policies for different user groups when using RADIUS or Active Directory, the administrator needs to create the user manually in the Local User database.

Removing a User

To remove a user, navigate to Users > Local Users and click the delete icon next to the name of the user that you wish to remove. Once deleted, the user no longer appears in the Local Users window.

Adding a Local User

To create a new local user:

1. Navigate to the Users > Local Users page and click Add User. The Add Local User window is displayed.
2. In the Add Local User window, enter the username for the user in the User Name field. This is the name the user enters in order to log in to the Secure Mobile Access user portal.
3. Select the name of the domain to which the user belongs in the Domain drop-down list.
4. Select the name of the group to which the user belongs in the Group drop-down list.
5. Type the user password in the Password field.
6. Retype the password in the Confirm Password field to verify the password.

NOTE: When logging into the portal, the user name is not case-sensitive, but the password and domain are case-sensitive.

7. Optionally, force a user in the Local User Database to change their password at set intervals or the next time they log in. To force a user to change their password at set intervals, type the expiration interval in the Passwords expire in x days field.
8. If you set a password expiration interval, type the number of days before expiration that users should receive notifications in the Show warning x days before password expiration field.

When configured and a password is expiring, a notification is displayed on the user’s Virtual Office page or the Administrator’s management console identifying the number of days before the password expires. Notifications also include a link to a screen where the password can be changed.

9. Optionally, use Require password change on next logon to force a user to change their password the next time they log in by selecting Use Domain Setting or Enabled. Selecting Use Domain Setting uses the setting configured on the Portals > Domains page.
10. With the Account expires end of setting, you can set an expiration date with a pull-down calendar. No setting indicates that the account never expires.
11. From the User Type drop-down list, select a user type. The available user types are User, Administrator, or Read-only Administrator.

TIP: If the selected group is in a domain that uses external authentication, such as Active Directory, RADIUS, or LDAP, then the Add User window closes and the new user is added to the Local Users list.

12. Click Accept to update the configuration. After the user has been added, the new user is displayed in the Local Users window.

NOTE: Entering RADIUS, LDAP, and Active Directory user names is only necessary if you wish to define specific policies or bookmarks per user. If users are not defined on the SMA/SRA appliance, then global policies and bookmarks apply to users authenticating to an external authentication server. When working with external (non-LocalDomain) users, a local user entity must exist so that any user-created (personal) bookmarks can be stored within the Secure Mobile Access configuration files. Bookmarks must be stored on the SMA/SRA appliance because LDAP and RADIUS external domains do not provide a direct facility to store such information as bookmarks. Rather than requiring administrators to manually create local users for external domain users wishing to use personal bookmarks, the SMA/SRA appliance automatically creates a corresponding local user entity when an external domain user creates a personal bookmark so that it can store the bookmark information.

Editing User Settings

To edit a user’s attributes, navigate to the Users > Local Users window and click the Configure icon next to the user whose settings you want to configure. The Edit User Settings window displays.

The Edit Local User page has several tabs as described in the following table:

 

Edit Local User page tabs

General: Enables you to create a password and an inactivity timeout, and specify Single Sign-On settings for automatic log in to bookmarks for this user.
Groups: Enables you to add a group membership, configure a primary group, and control whether groups are automatically assigned at login.
Portal: Enables you to enable, disable, or use group settings on this portal for NetExtender, File Shares, Virtual Assist, and Bookmark settings.
Nx Settings: Enables you to specify a NetExtender client address range, including for IPv6, and to configure client settings.
Nx Routes: Enables you to specify Tunnel All mode and NetExtender client routes.
Policies: Enables you to create access policies that control access to resources from user sessions on the appliance.
Bookmarks: Enables you to create user-level bookmarks for quick access to services.
Login Policies: Enables you to create user login policies, including policies for specific source IP addresses and policies for specific client browsers. You can disable the user’s login, require One Time Passwords, and specify client certificate enforcement.
EPC: Enables you to configure End Point Control profiles used by local groups.

If the user authenticates to an external authentication server, then the User Type and Password fields are not shown. The password field is not configurable because the authentication server validates the password. The user type is not configurable because the SMA/SRA appliance only allows users that authenticate to the internal user database to have administrative privileges. Also, the user type External is used to identify the local user instances that are auto-created to correspond to externally authenticating users.

See the following sections for a description of the configuration options on each tab of the Edit User Settings window:

Modifying General User Settings

The General tab provides configuration options for a user’s password, inactivity timeout value, and bookmark single sign-on (SSO) control. Application Support provides detailed information about application-specific support of SSO, global/group/user policies and bookmark policies.

Application Support

Application                              | Supports SSO | Global/Group/User Policies | Bookmark Policies
Terminal Services (RDP - Active X)       | Yes          | Yes                        | Yes
Terminal Services (RDP - Java)           | Yes          | Yes                        | Yes
Terminal Services (RDP - HTML5)          | Yes          | Yes                        | Yes
Virtual Network Computing (VNC - HTML5)  | Yes          | Yes                        | Yes
File Transfer Protocol (FTP)             | Yes          | Yes                        | Yes
Telnet                                   | No           | Yes                        | Yes
Telnet (HTML5)                           | Yes          | Yes                        | Yes
Secure Shell (SSH)                       | No           | Yes                        | Yes
Web (HTTP)                               | Yes          | Yes                        | Yes
Secure Web (HTTPS)                       | Yes          | Yes                        | Yes
File Shares (CIFS)                       | Yes          | Yes                        | Yes
Citrix Portal (Citrix)                   | No           | Yes                        | Yes

NOTE: SSO cannot be used in tandem with two-factor authentication methods.

To modify general user settings:

1. In the left column, navigate to Users > Local Users.
2. Click the configure icon next to the user you want to configure. The General tab of the Edit User Settings window displays. The General tab displays the following non-configurable fields: User Name, Primary Group, In Domain, and User Type. If information supplied in these fields needs to be modified, remove the user as described in Removing a User and add the user again.
3. To set or change the user password, type the password in the Password field. Re-type it in the Confirm Password field.
4. Optionally, force a user in the Local User Database to change their password at set intervals or the next time they log in. To force a user to change their password at set intervals, type the expiration interval in the Passwords expire in x days field. To force a user to change their password the next time they log in, check Change password at next logon.

NOTE: A specific local domain user can be forced to change their password. Use the General tab on the Users > Local Users > Edit page.

5. If you set a password expiration interval, type the number of days before expiration that users should receive notifications in the Show warning x days before password expiration field.

When configured and a password is expiring, a notification is displayed on the user’s Virtual Office page or the Administrator’s management console identifying the number of days before the password expires. Notifications also include a link to a screen where the password can be changed.

6. To set the inactivity timeout for the user, meaning that they are signed out of the Virtual Office after the specified time period, enter the number of minutes of inactivity to allow in the Inactivity Timeout field. The timeout value also controls the number of minutes that a one-time password remains valid, when One Time Passwords are configured for a user.

The inactivity timeout can be set at the user, group, and global level. If timeouts are configured at more than one level for an individual user, the user timeout setting takes precedence over the group timeout, and the group timeout takes precedence over the global timeout. Setting the global timeout to 0 disables the inactivity timeout for users that do not have a group or user timeout configured.

7. To allow users to edit or delete user-owned bookmarks, select Allow from the Allow user to edit/delete bookmarks drop-down menu. To prevent users from editing or deleting user-owned bookmarks, select Deny. To use the group policy, select Use group policy.

NOTE: Users cannot edit or delete group and global bookmarks.

8. To allow users to add new bookmarks, select Allow from the Allow user to add bookmarks drop-down menu. To prevent users from adding new bookmarks, select Deny. To use the group policy, select Use group policy.

Bookmark modification controls provide custom access to predetermined sources, and can prevent users from needing support.

9. Under Single Sign-On Settings, select one of the following options from the Automatically log into bookmarks drop-down menu:
   Use Group Setting: Select this option to use the group policy settings to control single sign-on (SSO) for bookmarks.
   User-controlled: Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks.
   Enabled: Select this option to enable single sign-on for bookmarks.
   Disabled: Select this option to disable single sign-on for bookmarks.

NOTE: SSO modification controls provide enhanced security and can prevent or allow users to utilize different login credentials. With SSO enabled, the user’s login name and password are supplied to the backend server for many of the services. For Fileshares, the domain name that the user belongs to on the device is passed to the server. For other services, the server might be expecting the username to be prefixed by the domain name. In this instance, SSO fails and the user has to log in with the domain-prefixed username. In some instances, a default domain name can be configured at the server to allow SSO to succeed.

10. Click Accept to save the configuration changes.

Modifying Group Settings

On the Groups tab, you can add a group membership for users, configure a primary group, and control whether groups are automatically assigned at user login.

Users logging into Active Directory, LDAP, and RADIUS domains are automatically assigned in real time to Secure Mobile Access groups based on their external AD group memberships, LDAP attributes, or RADIUS filter-IDs.

NOTE: If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.

To configure settings on the Groups tab:

1. To set a group as the primary group, click the “Set Primary Group” star corresponding to the group you wish to set as the primary.
2. To add a group membership for the user, click Add Group. The group must already be configured in Users > Local Groups.
3. Select the desired group from the drop-down list.
4. Select Make primary group to make this the primary group membership for the user.
5. Click Add Group to add the selected group to the Group Memberships list.
6. Under Group Settings, select one of the following from the Auto-assign groups at login drop-down list:
   Use group setting – Use the setting configured for the group.
   Enabled – Enable automatic assignment of users to groups upon login.
   Disabled – Disable automatic assignment of users to groups upon login.
7. Click Accept.

Modifying Portal Settings

The Portal tab provides configuration options for portal settings for this user.

To configure portal settings for this user:

1. On the Portal tab under Portal Settings, select one of the following portal settings for this user:
   Use group setting – The setting defined in the group to which this user belongs is used to determine whether the portal feature is enabled or disabled. Group settings are defined by configuring the group in the Users > Local Groups page.
   Enabled – Enable this portal feature for this user.
   Disabled – Disable this portal feature for this user.

   You can configure one of the previous settings for each of the following portal features:

   NetExtender – Because Mobile Connect acts as a NetExtender client when connecting to the appliance, this setting applies to both NetExtender and Mobile Connect.
   Launch NetExtender after login
   File Shares
   Virtual Assist Technician
   Virtual Assist Request Help
   Virtual Access Setup Link
   Allow User to Add Bookmarks
   Allow User to Edit/Delete Bookmarks – Applies to user-owned bookmarks only.
2. Click Accept.

Modifying User NetExtender Settings

This feature is for external users, who inherit the settings from their assigned group upon login. NetExtender client settings can be specified for the user, or the group settings can be used. For information about configuring group settings, see Editing Group Settings.

To enable NetExtender ranges and configure Static client settings for a user:

1. Navigate to Users > Local Users.
2. Click the configure icon next to the user you want to configure.
3. In the Edit Local User page, select the Nx Settings tab.
   a. Under Client Address Range, select Use Static Pool from the drop-down list.
   b. Supply a beginning client IPv4 address in the Client Address Range Begin field.
   c. Supply an ending client IPv4 address in the Client Address Range End field.
   d. Under Client IPv6 Address Range, optionally select Use Static Pool from the drop-down list.
   e. Supply a beginning client IPv6 address in the Client Address Range Begin field.
   f. If using IPv6, supply an ending client IPv6 address in the Client Address Range End field.
4. Under Client Settings, select one of the following from the Exit Client After Disconnect drop-down list:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Enabled - Enable this action for the user. Overrides the group setting.
   Disabled - Disable this action for all members of the group. Overrides the global setting.
5. In the Uninstall Client After Exit drop-down list, select one of the following:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Enabled - Enable this action for the user. Overrides the group setting.
   Disabled - Disable this action for all members of the group. Overrides the global setting.
6. In the Create Client Connection Profile drop-down list, select one of the following:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Enabled - Enable this action for the user. Overrides the group setting.
   Disabled - Disable this action for all members of the group. Overrides the global setting.
7. In the User Name & Password Caching drop-down list, select one of the following:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Allow saving of user name only - Allow caching of the user name. The user only needs to enter a password when starting NetExtender. Overrides the group setting.
   Allow saving of user name & password - Allow caching of the user name and password. The user is automatically logged in when starting NetExtender. Overrides the group setting.
   Prohibit saving of user name & password - Do not allow caching of the user name and password. The user is required to enter both user name and password when starting NetExtender. Overrides the group setting.
8. For Allow client to use Touch ID on iOS devices: when this option is disabled, the control only blocks future attempts to log in with fingerprint technology on iOS devices, because the server has no way to change the client settings until the client attempts a connection. So in some cases a client might not conform to the current policy for its initial connection. Configuration is allowed globally, by group, or per user.
9. For Allow client to use Fingerprint Authentication on Android devices: when this option is disabled, the control only blocks future attempts to log in with fingerprint technology on Android devices, because the server has no way to change the client settings until the client attempts a connection. So in some cases a client might not conform to the current policy for its initial connection. Configuration is allowed globally, by group, or per user.
10. In the Internal Proxy Settings section, select from the drop-down list to enable or disable the Internal Proxy feature. See NetExtender > Client Settings for more information.
11. Click Accept.

To enable NetExtender ranges and configure DHCP client settings for a user:

1. Navigate to Users > Local Users.
2. Click the configure icon next to the user you want to configure.
3. In the Edit Local User page, select the Nx Settings tab.
   a. Under NetExtender Client Address Range, select Use DHCP from the drop-down list.
   b. Under Select Interface, use the drop-down list to select the interface to use for DHCP.
   c. Supply the DHCP Server in the field provided.
   d. Under NetExtender Client IPv6 Address Range, optionally select Use DHCP from the drop-down list.
   e. Under Select Interface, use the drop-down list to select the interface to use for DHCPv6.
   f. Supply the DHCPv6 Server in the field provided.
4. Under NetExtender Client Settings, select one of the following from the Exit Client After Disconnect drop-down list:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Enabled - Enable this action for the user. Overrides the group setting.
   Disabled - Disable this action for all members of the group. Overrides the global setting.
5. In the Uninstall Client After Exit drop-down list, select one of the following:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Enabled - Enable this action for the user. Overrides the group setting.
   Disabled - Disable this action for all members of the group. Overrides the global setting.
6. In the Create Client Connection Profile drop-down list, select one of the following:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Enabled - Enable this action for the user. Overrides the group setting.
   Disabled - Disable this action for all members of the group. Overrides the global setting.
7. In the User Name & Password Caching drop-down list, select one of the following:
   Use group setting - Take the action specified by the group setting. See Editing Group Settings.
   Allow saving of user name only - Allow caching of the user name. The user only needs to enter a password when starting NetExtender. Overrides the group setting.
   Allow saving of user name & password - Allow caching of the user name and password. The user is automatically logged in when starting NetExtender. Overrides the group setting.
   Prohibit saving of user name & password - Do not allow caching of the user name and password. The user is required to enter both user name and password when starting NetExtender. Overrides the group setting.
8. In the Internal Proxy Settings section, select from the drop-down list to enable or disable the Internal Proxy feature. See NetExtender > Client Settings for more information.
9. Click Accept.

Modifying NetExtender Client Routes

The Nx Routes tab provides configuration options for NetExtender client routes. For procedures on modifying NetExtender client route settings, see NetExtender > Client Routes.

Adding User Policies

The Policies tab provides policy configuration options.

NOTE: User policies are the highest-priority type of policy, and are enforced before group policies or global policies.

To add a user access policy:

1. On the Policies tab, click Add Policy. The Add Policy window is displayed.
2. In the Apply Policy To drop-down list, select whether the policy is applied to an individual host, a range of addresses, all addresses, a network object, a server path, or a URL object. You can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy window changes depending on what type of object you select in the Apply Policy To drop-down list.

NOTE: These Secure Mobile Access policies apply to the destination address(es) of the SMA/SRA connection, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SMA/SRA gateway with a policy created on the Policies tab. However, it is possible to control source logins by IP address with a login policy created on the user's Login Policies tab. For more information, refer to Configuring Login Policies.

   IP Address - If your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field. See Adding a Policy for an IP Address.
   IP Address Range - If your policy applies to a range of addresses, enter the beginning IP address in the IP Network Address field and the subnet mask that defines the IP address range in the Subnet Mask field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field. See Adding a Policy for an IP Address Range.
   All Addresses - If your policy applies to all IPv4 addresses, you do not need to enter any IP address information. See Adding a Policy for All Addresses.
   Network Object - If your policy applies to a predefined network object, select the name of the object from the Network Object drop-down list. A port or port range can be specified when defining a Network Object. See Adding Network Objects.
   Server Path - If your policy applies to a server path, select one of the following radio buttons in the Resource field:
      Share (Server path) - When you select this option, type the path into the Server Path field.
      Network (Domain list)
      Servers (Computer list)
   See Setting File Shares Access Policies.
   URL Object - If your policy applies to a predefined URL object, type the URL into the URL field. See Adding a Policy for a URL Object.
   IPv6 Address - If your policy applies to a specific host, enter the IPv6 address of the local host machine in the IPv6 Address field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field. See Adding a Policy for an IPv6 Address.
   IPv6 Address Range - If your policy applies to a range of addresses, enter the beginning IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6 address range in the IPv6 Prefix field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field. See Adding a Policy for an IPv6 Address Range.
   All IPv6 Addresses - If your policy applies to all IPv6 addresses, you do not need to enter any IP address information. See Adding a Policy for All IPv6 Addresses.
3. Select the service type in the Service drop-down list. If you are applying a policy to a network object, the service type is defined in the network object.
4. Select Allow or Deny from the Status drop-down list to either permit or deny SMA/SRA connections for the specified service and host machine.

TIP: When using Citrix bookmarks, in order to restrict proxy access to a host, a Deny rule must be configured for both Citrix and HTTP services.

5. Click Accept to update the configuration. After the configuration has been updated, the new policy is displayed in the Edit Local User page.

The user policies are displayed in the Current User Policies table in the order of priority, from the highest priority policy to the lowest priority policy.

Adding a Policy for an IP Address

1. Navigate to Users > Local Users.
2. Click the configure icon next to the user you want to configure.
3. Select the Policies tab.
4. Click Add Policy...
5. In the Apply Policy to field, click the IP Address option.
6. Define a name for the policy in the Policy Name field.
7. Type an IP address in the IP Address field.
8. In the Port Range/Port Number field, optionally enter a port range or an individual port.
9. In the Service drop-down list, click on a service object.
10. In the Status drop-down list, click on an access action, either Allow or Deny.
11. Click Accept.

Adding a Policy for an IP Address Range

1. In the Apply Policy to field, click the IP Address Range option.
2. Define a name for the policy in the Policy Name field.
3. Type a starting IP address in the IP Network Address field.
4. Type a subnet mask value in the Subnet Mask field in the form 255.255.255.0.
5. In the Port Range/Port Number field, optionally enter a port range or an individual port.
6. In the Service drop-down list, click on a service option.
7. In the Status drop-down list, click on an access action, either Allow or Deny.
8. Click Accept.

Adding a Policy for All Addresses

1. In the Apply Policy to field, select the All Addresses option.
2. Define a name for the policy in the Policy Name field.
3. The IP Address Range field is read-only, specifying All IP Addresses.
4. In the Service drop-down list, click on a service option.
5. In the Status drop-down list, click on an access action, either Allow or Deny.
6. Click Accept.

Setting File Shares Access Policies
To set file share access policies:
1
Navigate to Users > Local Users.
2
Click the configure icon next to the user you want to configure.
3
Select the Policies tab.
4
Click Add Policy.
5
Select Server Path from the Apply Policy To drop-down list.

6
Type a name for the policy in the Policy Name field.
7
Select Share in the Resource field.
8
Type the server path in the Server Path field.
9
From the Status drop-down list, select Allow or Deny.
* 
NOTE: For information about editing policies for file shares, for example, to restrict server path access, refer to Adding a Policy for a File Share.
10
Click Accept.
Adding a Policy for a File Share
To add a file share access policy:
1
Navigate to Users > Local Users.
2
Click the configure icon next to the user you want to configure.
3
Select the Policies tab.
4
Click Add Policy...
5
Select Server Path from the Apply Policy To drop-down list.
6
Type a name for the policy in the Policy Name field.
7
In the Server Path field, enter the server path in the format servername/share/path or servername\share\path. The prefixes \\, //, \ and / are acceptable.
* 
NOTE: Share and path provide more granular control over a policy. Both are optional.
8
Select Allow or Deny from the Status drop-down list.
9
Click Accept.
Adding a Policy for a URL Object
To create object-based HTTP or HTTPS user policies:
1
Navigate to Users > Local Users.
2
Click the configure icon next to the user you want to configure.
3
Select the Policies tab.
4
Click Add Policy.
5
In the Apply Policy To drop-down menu, select the URL Object option.

6
Define a name for the policy in the Policy Name field.
7
In the Service drop-down list, choose either Web (HTTP) or Secure Web (HTTPS).
8
In the URL field, add the URL string to be enforced in this policy.
* 
NOTE: In addition to standard URL elements, the administrator can enter the port, path and wildcard elements to the URL field. For more information on using these additional elements, see Policy URL Object Field Elements.

If a path is specified, the URL policy is recursive and applies to all subdirectories. If, for example “www.mycompany.com/users/*” is specified, the user is permitted access to any folder or file under the “www.mycompany.com/users/” folder.

9
In the Status drop-down list, click on an access action, either Allow or Deny.
10
Click Accept.
Policy URL Object Field Elements

When creating an HTTP/HTTPS policy, the administrator must enter a valid host URL in the URL field. In addition, the administrator can enter the port, path and wildcard elements to this field. The following chart provides an overview of standard URL field elements:

 

Standard URL field elements

Host: Can be a hostname that should be resolved or an IP address. Host information has to be present.

Port: If port is not mentioned, then all ports for that host are matched. Specify a specific port or port range using digits [0-9], and/or wildcard elements. Zero “0” must not be used as the first digit in this field. The least possible number matching the wildcard expression should fall within the range of valid port numbers such as [1-65535].

Path: This is the file path of the URL along with the query string. A URL Path is made of parts delimited by the file path separator ‘/’. Each part might contain wildcard characters. The scope of the wildcard characters is limited only to the specific part contained between file path separators.

Usernames: %USERNAME% is a variable that matches the username appearing in a URL requested by a user with a valid session. Especially useful if the policy is a group or a global policy.

Wildcard Characters: The following wildcard characters are used to match one or more characters within a port or path specification.

* – Matches one or more characters in that position.
^ – Matches exactly one character in the position.
[!<character set>] – Matches any character in that position not listed in character set. For example [!acd], [!8a0]
[<range>] – Matches any character falling within the specified ASCII range. Can be an alphanumeric character. For example, [a-d], [3-5], [H-X]

* 
NOTE: Entries in the URL field cannot contain scheme elements (“http://”, “https://”). Entries also cannot contain fragment delimiters such as “#”.
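The matching rules of the table above, as an added example (not SonicWall code) with which an administrator can test what a URL entry will and will not match before saving it; the entry grammar host[:port][/path], the way %USERNAME% is substituted, and the prefix rule used for recursive paths are assumptions drawn from the table, and the sample hosts are constructed.

```python
"""Matcher for SMA URL-object policy entries (added example, not SonicWall code).

Re-implements the wildcard grammar of the "Standard URL field elements" table:
  *  one or more characters   ^  exactly one character
  [!set]  any character not in set   [range]  any character in an ASCII range
A wildcard never crosses '/', and an entry with a path is recursive.
Assumed entry grammar: host[:port][/path], no scheme, no '#'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

USERNAME_VAR = "%USERNAME%"


def _tokenize(spec: str):
    """Yield (regex_fragment, repeats) for each element of a port or path-part spec."""
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "*":                                  # one or more characters
            yield "[^/]", True
        elif c == "^":                                # exactly one character
            yield "[^/]", False
        elif c == "[":                                # [!set] or [range]
            j = spec.find("]", i + 1)
            if j < 0:
                raise ValueError(f"unterminated character set in {spec!r}")
            body = spec[i + 1:j].replace("\\", "\\\\")
            cls = "[^" + body[1:] + "]" if body.startswith("!") else "[" + body + "]"
            yield cls, False
            i = j
        else:
            yield re.escape(c), False
        i += 1


def _to_regex(spec: str, username: Optional[str]) -> str:
    """Compile one spec; %USERNAME% is replaced by the session user name, matched literally."""
    pieces = spec.split(USERNAME_VAR)
    if len(pieces) > 1 and username is None:
        raise ValueError("entry uses %USERNAME% but no session user name was given")
    compiled = ["".join(f + ("+" if r else "") for f, r in _tokenize(p)) for p in pieces]
    return re.escape(username or "").join(compiled)


def _check_port_spec(spec: str) -> None:
    """Port rules from the table: no leading zero; least matching number within 1-65535."""
    if spec.startswith("0"):
        raise ValueError("zero must not be the first digit of a port spec")
    digits = []
    for pos, (frag, _) in enumerate(_tokenize(spec)):
        candidates = "123456789" if pos == 0 else "0123456789"
        d = next((d for d in candidates if re.fullmatch(frag, d)), None)
        if d is None:
            raise ValueError(f"port spec {spec!r} cannot match a digit at position {pos}")
        digits.append(d)
    if not 1 <= int("".join(digits)) <= 65535:
        raise ValueError(f"least number matching {spec!r} is outside 1-65535")


@dataclass
class UrlPolicy:
    host: str
    status: str                               # "Allow" or "Deny"
    port: str = ""                            # empty: all ports of the host
    path_parts: List[str] = field(default_factory=list)

    @classmethod
    def parse(cls, entry: str, status: str) -> "UrlPolicy":
        if entry.lower().startswith(("http://", "https://")):
            raise ValueError("entry must not contain http:// or https://")
        if "#" in entry:
            raise ValueError("entry must not contain a fragment delimiter")
        host_port, _, path = entry.partition("/")
        host, _, port = host_port.partition(":")
        if not host:
            raise ValueError("host information has to be present")
        if port:
            _check_port_spec(port)
        return cls(host.lower(), status, port, [p for p in path.split("/") if p])

    def matches(self, url: str, username: Optional[str] = None) -> bool:
        """True if the requested URL falls under this entry (a path entry is recursive)."""
        u = urlsplit(url if "://" in url else "http://" + url)
        if (u.hostname or "").lower() != self.host:
            return False
        port = u.port or (443 if u.scheme == "https" else 80)
        if self.port and not re.fullmatch(_to_regex(self.port, username), str(port)):
            return False
        req_path = u.path + ("?" + u.query if u.query else "")
        req_parts = [p for p in req_path.split("/") if p]
        if len(req_parts) < len(self.path_parts):     # policy path must be a prefix
            return False
        return all(re.fullmatch(_to_regex(spec, username), part)
                   for spec, part in zip(self.path_parts, req_parts))


def evaluate(policies: List[UrlPolicy], url: str,
             username: Optional[str] = None) -> Optional[str]:
    """Status of the first matching policy in priority order, or None when none matches."""
    for policy in policies:
        if policy.matches(url, username):
            return policy.status
    return None
```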
Adding a Policy for an IPv6 Address
To add a policy for an IPv6 address:
1
Navigate to Users > Local Users.
2
Click the configure icon next to the user you want to configure.
3
Select the Policies tab.
4
Click Add Policy...
5
In the Apply Policy To field, click the IPv6 Address option.
6
Define a name for the policy in the Policy Name field.
7
Type an IPv6 address in the IPv6 Address field in the form 2001::1:2:3:4.
8
In the Port Range/Port Number field, optionally enter a port range or an individual port.
9
In the Service drop-down list, click on a service object.
10
In the Status drop-down list, click on an access action, either Allow or Deny.
11
Click Accept.
Adding a Policy for an IPv6 Address Range
To add a policy for an IPv6 address range:
1
In the Apply Policy To field, click the IPv6 Address Range option.
2
Define a name for the policy in the Policy Name field.
3
Type a starting IPv6 address in the IPv6 Network Address field.
4
Type a prefix value in the IPv6 Prefix field, such as 64 or 112.
5
In the Port Range/Port Number field, optionally enter a port range or an individual port.
6
In the Service drop-down list, click on a service option.
7
In the Status drop-down list, click on an access action, either Allow or Deny.
8
Click Accept.
Adding a Policy for All IPv6 Addresses
To add a policy for all IPv6 addresses:
1
In the Apply Policy To field, select the All IPv6 Address option.
2
Define a name for the policy in the Policy Name field.
3
The IPv6 Address Range field is read-only, specifying all IPv6 addresses.
4
In the Service drop-down list, click on a service option.
5
In the Status drop-down list, click on an access action, either Allow or Deny.
6
Click Accept.

Adding or Editing User Bookmarks

The Bookmarks tab provides configuration options to add and edit user bookmarks. In addition to the main procedure that follows, see the following:

To define user bookmarks:
1
In the Edit User Settings window, click the Bookmarks tab.
2
Click Add Bookmark. The Add Bookmark window displays.

When user bookmarks are defined, the user sees the defined bookmarks from the Secure Mobile Access Virtual Office home page.

1
Type a descriptive name for the bookmark in the Bookmark Name field.
2
Enter the fully qualified domain name (FQDN) or the IPv4 or IPv6 address of a host machine on the LAN in the Name or IP Address field. In some environments you can enter the host name only, such as when creating a VNC bookmark in a Windows local network.

If a Port number is included with an IPv6 address in the Name or IP Address field, the IPv6 address must be enclosed in square brackets, for example: [2008::1:2:3:4]:6818.

* 
NOTE: IPv6 is not supported by ActiveX or File Shares.

Some services can run on non-standard ports, and some expect a path when connecting. Depending on the choice in the Service field, format the Name or IP Address field like one of the examples shown in Bookmark Name or IP Address Formats by Service Type.

 

Bookmark Name or IP Address Formats by Service Type

Service Type: RDP - HTML5, RDP - Native
  Format                        Example for Name or IP Address Field
  IP Address                    10.20.30.4
  IPv6 Address                  2008::1:2:3:4
  IP:Port (non-standard)        10.20.30.4:6818
  FQDN                          JBJONES-PC.sv.us.sonicwall.com
  Host name                     JBJONES-PC

Service Type: VNC, VNC - HTML5
  Format                        Example for Name or IP Address Field
  IP Address                    10.20.30.4
  IPv6 Address                  2008::1:2:3:4
  IP:Port (mapped to session)   10.20.30.4:5901 (mapped to session 1)
  FQDN                          JBJONES-PC.sv.us.sonicwall.com
  Host name                     JBJONES-PC
  NOTE: Do not use the session or display number instead of the port; do not use 10.20.30.4:1.
  TIP: For a bookmark to a Linux server, see the Tip below this table.

Service Type: Citrix (Citrix Web Interface), Citrix - HTML5, Citrix - Native, Citrix - ActiveX
  Format                        Example for Name or IP Address Field
  IP Address                    172.55.44.3
  IPv6 Address                  2008::1:2:3:4
  IP:Port                       172.55.44.3:8080 or [2008::1:2:3:4]:8080
  IP:Path or File               172.55.44.3/folder/file.html
  IP:Port:Path or File          172.55.44.3:8080/report.pdf
  FQDN                          www.citrixhost.company.net
  URL:Path or File              www.citrixhost.net/folder/
  URL:Port                      www.citrixhost.company.com:8080
  URL:Port:Path or File         www.citrixhost.com:8080/folder/index.html
  NOTE: Port refers to the HTTP(S) port of the Citrix Web Interface, not to the Citrix client port.

Service Type: HTTP, HTTPS
  Format                        Example for Name or IP Address Field
  URL                           www.sonicwall.com
  IP Address of URL             204.212.170.11
  IPv6 Address                  2008::1:2:3:4
  URL:Path or File              www.sonicwall.com/index.html
  IP:Path or File               204.212.170.11/folder/
  URL:Port                      www.sonicwall.com:8080
  IP:Port                       204.212.170.11:8080 or [2008::1:2:3:4]:8080
  URL:Port:Path or File         www.sonicwall.com:8080/folder/index.html
  IP:Port:Path or File          204.212.170.11:8080/index.html

Service Type: File Shares (CIFS)
  Format                        Example for Name or IP Address Field
  Host\Folder\                  server-3\sharedfolder\
  Host\File                     server-3\inventory.xls
  FQDN\Folder                   server-3.company.net\sharedfolder\
  FQDN\File                     server-3.company.net\inventory.xls
  IP\Folder\                    10.20.30.4\sharedfolder\
  IP\File                       10.20.30.4\status.doc
  NOTE: Use backslashes even on Linux or Mac computers; these use the Windows API for file sharing.

Service Type: FTP
  Format                        Example for Name or IP Address Field
  IP Address                    10.20.30.4
  IPv6 Address                  2008::1:2:3:4
  IP:Port (non-standard)        10.20.30.4:6818 or [2008::1:2:3:4]:6818
  FQDN                          JBJONES-PC.sv.us.sonicwall.com
  Host name                     JBJONES-PC

Service Type: Telnet, Telnet - HTML5
  Format                        Example for Name or IP Address Field
  IP Address                    10.20.30.4
  IPv6 Address                  2008::1:2:3:4
  IP:Port (non-standard)        10.20.30.4:6818 or [2008::1:2:3:4]:6818
  FQDN                          JBJONES-PC.sv.us.sonicwall.com
  Host name                     JBJONES-PC

Service Type: SSHv2
  Format                        Example for Name or IP Address Field
  IP Address                    10.20.30.4
  IPv6 Address                  2008::1:2:3:4
  IP:Port (non-standard)        10.20.30.4:6818 or [2008::1:2:3:4]:6818
  FQDN                          JBJONES-PC.sv.us.sonicwall.com
  Host name                     JBJONES-PC

* 
TIP: When creating a Virtual Network Computing (VNC) bookmark to a Linux server, you must specify the port number and server number in addition to the Linux server IP address in the Name or IP Address field, in the form ipaddress:port:server. For example, if the Linux server IP address is 192.168.2.2, the port number is 5901, and the server number is 1, the value for the Name or IP Address field would be 192.168.2.2:5901:1.
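The formats in the table above and the Linux VNC tip, as an added validator (example code, not SonicWall's): it splits a Name or IP Address entry into host, port and VNC server number and rejects the forms the table warns against (an unbracketed IPv6 address with a port, a VNC display number in place of the port, IPv6 for File Shares or ActiveX). Service names, the host name pattern and the 5900 threshold used to spot a display number are assumptions.

```python
"""Validator for the bookmark Name or IP Address field (added example, not SonicWall code)."""
import ipaddress
import re
from typing import Optional, Tuple

VNC_SERVICES = {"VNC", "VNC - HTML5"}
# "IPv6 is not supported by ActiveX or File Shares"
NO_IPV6_SERVICES = {"File Shares (CIFS)", "Citrix - ActiveX"}
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)


def _split_host_port(text: str) -> Tuple[str, Optional[int]]:
    """Split host[:port]; an IPv6 literal may carry a port only when bracketed."""
    if text.startswith("["):
        end = text.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IPv6 address")
        host, rest = text[1:end], text[end + 1:]
        ipaddress.IPv6Address(host)                   # raises if not an IPv6 address
        if rest == "":
            return host, None
        if rest.startswith(":"):
            return host, _port(rest[1:])
        raise ValueError(f"unexpected text after IPv6 address: {rest!r}")
    if text.count(":") > 1:                           # unbracketed IPv6 literal?
        try:
            ipaddress.IPv6Address(text)
        except ValueError:
            raise ValueError("an IPv6 address with a port must be enclosed in square "
                             "brackets, for example [2008::1:2:3:4]:6818") from None
        return text, None
    host, _, port = text.partition(":")
    if not host:
        raise ValueError("host is required")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"{host!r} is neither an IP address nor a host name") from None
    return host, (_port(port) if port else None)


def parse_bookmark_target(service: str, entry: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Validate the entry for the service; return (host, port, vnc_server_number)."""
    text, vnc_server = entry.strip(), None
    if service == "File Shares (CIFS)":
        text = text.lstrip("\\").split("\\", 1)[0]    # Host\Folder\ -> Host
    elif service in VNC_SERVICES:
        # Linux VNC tip: ipaddress:port:server, for example 192.168.2.2:5901:1
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+):(\d+)", text)
        if m:
            text, vnc_server = f"{m.group(1)}:{m.group(2)}", int(m.group(3))
    host, port = _split_host_port(text)
    if ":" in host and service in NO_IPV6_SERVICES:
        raise ValueError(f"IPv6 is not supported by {service}")
    if service in VNC_SERVICES and port is not None and port < 5900:
        # VNC display N listens on TCP 5900+N (assumption), so a small value is a display number
        raise ValueError("use the port mapped to the session (e.g. 5901), not a display number")
    return host, port, vnc_server
```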
3
Optionally, you can enter a friendly description to be displayed in the bookmark table by filling in the Description field.
4
Optionally, you can enter a comma-separated list of tabs where this bookmark appears in the Tabs field. For example: Favorites, Tab1, Tab 2. Note that standard tabs, such as Desktop, Web, Terminal, or Mobile, do not need to be specified.
5
Set whether users can edit or delete bookmarks from the Virtual Office portal by making a selection for Allow user to edit/delete. You can select Allow, Deny, or Use the user policy setting.
6
Select one of the service types from the Service drop-down list.

For the specific service you select from the Service drop-down list, additional fields might appear. Use the following information for the chosen service to complete the building of the bookmark:

Terminal Services (RDP) or Terminal Services (RDP - HTML5)
* 
NOTE: HTML5 RDP bookmarks are only supported with Per User licensing on Terminal Server connections. These bookmarks do not work if the Terminal Server’s licensing mode is Per Device.
In the Screen Size drop-down list, select the default terminal services screen size to be used when users execute this bookmark. (Option available for all Terminal Services.)

Because different computers support different screen sizes, when you use a remote desktop application, you should select the size of the screen on the computer from which you are running a remote desktop session. Additionally, you might want to provide a path to where your application resides on your remote computer by typing the path in the Application Path field.

In the Colors drop-down list, select the default color depth for the terminal service screen when users execute this bookmark. (Option available for all Terminal Services.)
Select an Access Type Selection: Smart or Manual.
Smart: Allows the firmware to decide which mode to launch on the client.

When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark.

Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.

The launch sequence is as follows: HTML5 and Native. Selecting Manual allows you to change, enable, or disable the launch methods. If you select Native to launch the RDP bookmark, then the SMA Connect Agent launches the RDP Client on the local machine to do the RDP connection.

The up and down arrows are used to adjust the launch priority. Fork and tick are used to disable or enable the modes. Disabled modes are put at the bottom of the list with a gray font color.

The Choose during Launch option is not enabled by default under the Manual mode. In this setting, while launching the bookmark, the first available mode in the configured list is run at once after auto-detection.

After the Choose during Launch option is enabled, while launching the unified bookmark, if there are multiple modes available for the client, a menu is provided from which you can choose within a five second count-down. When only one mode is available, the bookmark is also run immediately.

If the Remember my choice option is selected during the launch time, the selected mode is remembered through a cookie.

This means that when the bookmark is next launched, the remembered mode is run directly within two seconds. Clicking anywhere in the HTML page 'forgets' the remembered mode so you can choose again.

Editing or deleting the bookmark in the same browser can also reset the remembered mode.

When no modes are able to run on the client with the configuration, the following notice appears.

Select Enable wake-on-LAN to enable waking up a computer over the network connection. Selecting this check box causes the following new fields to be displayed: (Options available for all Terminal Services.)
MAC/Ethernet Address – Enter one or more MAC addresses, separated by spaces, of target hosts to wake.
Wait time for boot-up (seconds) – Enter the number of seconds to wait for the target host to fully boot up before cancelling the WoL operation.
Send WOL packet to host name or IP address – Select this option to send the WoL packet to the host name or IP address of this bookmark; it can be applied in tandem with the MAC address of another machine to wake.
Optionally enter the local path for this application in the Application and Path field and specify the folder in the Start in the following folder field. The remote application feature displays a single application to the user. The value might also be the alias of the remote application.
Enter the Command-line Arguments for the RemoteApp. (Option available for ActiveX only.)
In the Start in the following folder field, optionally enter the local folder in which to execute application commands. (Option available for ActiveX only.)
Select Login as console/admin session to allow login as console or admin. Login as admin replaces login as console in RDC 6.1 and newer. (Option available for all Terminal Services.)
Select the Server is TS Farm if users are connecting to a TS Farm or Load Balanced server.

In Windows 2012, there is a new way to do the redirection (load balance). The RDP client can connect to the broker server directly, and then the broker server returns the redirection information to the client. The RDP client can connect to the RDP Host in the “Collection.”

When you access the Windows 2012 RD Web, download the RDP file by clicking the item on the page. The RDP file contains a line with the following string:

loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.<CollectionName>

The <CollectionName> is the collection name in the user’s farm. This line is the “Load Balance Information.” The broker server needs this information to do the load balancing (redirection).

Enter the Terminal Services Broker information in the Load Balance Info box, such as tsv://MS Terminal Services Plugin.1.SSLVPN. Maximum length is 1024 characters. For the bookmark with complex options (like RDP), options are mixed from all the modes and distinguished with tips like *non-html5, or *for html5.

By default, the bookmark only connects to the provided name and IP address. If you enable this feature, the SMA/SRA appliance obtains the redirected address and connects the user to the correct server. Note that Interactive Login might need to be disabled for this feature to work properly.

For RDP - HTML5, select the Default Language from the drop-down menu.
For Windows clients or on Mac clients running Mac OS X 10.5 or higher with RDC installed, expand Show advanced Windows options and select the check boxes to redirect the following features on the local network for use in this bookmark. For RDP - HTML5 or Native, the following Advanced Windows options are available:
Desktop background
Menu/window animation
Show window contents while dragging/resizing
Redirect clipboard
File Share

When you choose File Share, a new button for the feature appears on the HTML5 RDP menu when you click the Shield icon.

Click File Share; the File Share window opens. You can manipulate the folders and files in the window.

Redirect drives
Redirect SmartCards
Bitmap caching
Auto-reconnection
Visual styles
Remote copy
Redirect printers - See Printer redirection for more information on setting up Printer Redirection
Redirect ports
Display connection bar
Select the Remote Audio option from the drop-down list. Audio redirection enables the user to play an audio clip on the server, either remotely or locally. Valid selections are Play on this computer, Play on remote computer, or Do not play. Note that this feature is currently supported by Chrome, Firefox, and Safari.
* 
NOTE: Hover your mouse pointer over the Help icon next to certain options to display tooltips that indicate requirements.
If the client application is RDP6, you can select any of the following options: (Option available for all Terminal Services)
Font smoothing
Span monitors
Desktop composition
Dual monitors
Remote application
Select the Connection Speed from the drop-down list (low-speed broadband or high speed broadband) for optimized performance. (Option available for all Terminal Services.)
Select the action from the drop-down list that happens in the event that the Server Authentication fails. Server authentication verifies that you are connecting to the intended remote computer. The strength of the verification required to connect is determined by your system security policy. (Option available for all Terminal Services.)
Click Import RDP Options. When the RDP file finishes downloading, open it with a text editor (such as Notepad) and select the entire file content. Copy the content and paste the text into the text field in Import RDP Options. Click OK. The feature selects the supported options to import into the bookmark.

The following table lists the bookmark fields and the corresponding RDP file options.

Bookmark field                                         RDP option
Name or IP Address                                     full address:s:<value>
Screen Size                                            desktopheight:i:<value> and desktopwidth:i:<value>
Colors                                                 session bpp:i:<value>
Load Balance Info                                      loadbalanceinfo:s:<value>
Desktop Background                                     disable wallpaper:i:<value>
Auto-Reconnection                                      autoreconnection enabled:i:<value>
Menu/Window Animation                                  disable menu anims:i:<value>
Visual Styles                                          disable themes:i:<value>
Show Window contents while dragging/resizing           disable full window drag:i:<value>
Redirect clipboard & Remote Copy                       redirectclipboard:i:<value>
Redirect printers                                      redirectprinters:i:<value>
Redirect drives                                        redirectdrives:i:<value>
Redirect ports                                         redirectcomports:i:<value>
Redirect SmartCards                                    redirectsmartcards:i:<value>
Display connection bar                                 displayconnectionbar:i:<value>
Bitmap caching                                         bitmapcachepersistenable:i:<value>
Remote audio                                           audiomode:i:<value>
Font smoothing                                         allow font smoothing:i:<value>
Span monitors                                          span monitors:i:<value>
Dual monitors                                          use multimon:i:<value>
Desktop composition                                    allow desktop composition:i:<value>
Remote Application                                     remoteapplicationmode:i:<value>
Choose your connection speed to optimize performance   connection type:i:<value>
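The Import RDP Options step and the loadbalanceinfo line described above, as an added example (not SonicWall code): it parses the text of a downloaded .rdp file, maps its options onto the bookmark fields listed in the table, and extracts the <CollectionName>. The sample file and its host name are constructed, and the decoding of integer flags and of audiomode values follows the mstsc file format as an assumption, not an appliance rule.

```python
"""Import of RDP file options into bookmark fields (added example, not SonicWall code)."""
import re
from typing import Dict, List, Optional, Tuple

# RDP option key -> bookmark field, as listed in the table on this page.
RDP_OPTION_MAP: Dict[str, str] = {
    "full address": "Name or IP Address",
    "desktopheight": "Screen Size",
    "desktopwidth": "Screen Size",
    "session bpp": "Colors",
    "loadbalanceinfo": "Load Balance Info",
    "disable wallpaper": "Desktop Background",
    "autoreconnection enabled": "Auto-Reconnection",
    "disable menu anims": "Menu/Window Animation",
    "disable themes": "Visual Styles",
    "disable full window drag": "Show Window contents while dragging/resizing",
    "redirectclipboard": "Redirect clipboard & Remote Copy",
    "redirectprinters": "Redirect printers",
    "redirectdrives": "Redirect drives",
    "redirectcomports": "Redirect ports",
    "redirectsmartcards": "Redirect SmartCards",
    "displayconnectionbar": "Display connection bar",
    "bitmapcachepersistenable": "Bitmap caching",
    "audiomode": "Remote audio",
    "allow font smoothing": "Font smoothing",
    "span monitors": "Span monitors",
    "use multimon": "Dual monitors",
    "allow desktop composition": "Desktop composition",
    "remoteapplicationmode": "Remote Application",
    "connection type": "Choose your connection speed to optimize performance",
}
# Keys phrased as "disable ...": a file value of 1 means the bookmark check box is cleared.
NEGATED = {"disable wallpaper", "disable menu anims", "disable themes", "disable full window drag"}
# Integer options that carry a value rather than an on/off flag.
NUMERIC = {"desktopwidth", "desktopheight", "session bpp", "audiomode", "connection type"}
# mstsc audiomode values (assumption), mapped to the Remote Audio choices on this page.
AUDIO_MODE = {0: "Play on this computer", 1: "Play on remote computer", 2: "Do not play"}

LINE_RE = re.compile(r"^([^:]+):([is]):(.*)$")
LOAD_BALANCE_RE = re.compile(r"^tsv://MS Terminal Services Plugin\.1\.(.+)$")


def parse_rdp_file(text: str) -> Dict[str, Tuple[str, object]]:
    """Return {key: (type, value)} for each well-formed option line; others are skipped."""
    options: Dict[str, Tuple[str, object]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, typ, val = m.group(1).strip().lower(), m.group(2), m.group(3).strip()
        if typ == "i":
            if not re.fullmatch(r"-?\d+", val):
                continue                                   # malformed integer option
            options[key] = (typ, int(val))
        else:
            options[key] = (typ, val)
    return options


def import_rdp_options(text: str) -> Tuple[Dict[str, object], List[str]]:
    """Map supported options onto bookmark fields; return (fields, ignored option keys)."""
    options = parse_rdp_file(text)
    fields: Dict[str, object] = {}
    ignored: List[str] = []
    for key, (typ, val) in options.items():
        if key in ("desktopwidth", "desktopheight"):
            continue                                       # combined below
        bookmark_field = RDP_OPTION_MAP.get(key)
        if bookmark_field is None:
            ignored.append(key)
            continue
        if key == "audiomode":
            val = AUDIO_MODE.get(val, f"unknown ({val})")
        elif typ == "i" and key not in NUMERIC:
            val = bool(val) != (key in NEGATED)            # flag -> check box state
        fields[bookmark_field] = val
    if "desktopwidth" in options and "desktopheight" in options:
        fields["Screen Size"] = f"{options['desktopwidth'][1]}x{options['desktopheight'][1]}"
    return fields, ignored


def collection_name(load_balance_info: str) -> Optional[str]:
    """<CollectionName> from tsv://MS Terminal Services Plugin.1.<CollectionName>, else None."""
    m = LOAD_BALANCE_RE.match(load_balance_info.strip())
    return m.group(1) if m else None


# Constructed sample of a file downloaded from RD Web; the host name is a placeholder.
SAMPLE_RDP = """\
full address:s:rds-broker.example.net:3389
desktopwidth:i:1280
desktopheight:i:800
session bpp:i:24
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.SSLVPN
disable wallpaper:i:1
redirectclipboard:i:1
redirectdrives:i:0
audiomode:i:2
connection type:i:2
compression:i:1
"""
```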

Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the RDP server. Enable the Use Login Domain for SSO option to pass the user’s domain to the RDP server. Windows 2008 and newer servers might require this option to be enabled. (Option available for all Terminal Services.)

Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.

Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices. (Option available for all Terminal Services.)
* 
NOTE: RDP over HTML5 is supported using the default/standard browser in iOS or Android.

Limitations to Terminal Services Farm Bookmarks from Virtual Office

Verify that access and configuration are set up properly outside the remote access appliance first by connecting with NetExtender and then running your RDP client to connect as you would from inside your network. If NetExtender is unable to connect properly, there is likely another device or setting on the network that needs to be configured.

Refer to your server's guide or contact Microsoft for additional help regarding Terminal Server settings if the provided instructions do not work for you to change the settings.

Interactive Login might need to be disabled. The Windows logon notice prevents the proxy from obtaining the correct redirection server.
Run gpedit.msc and go to Computer Configuration > Windows Settings > Local Policies > Security Options, look for Interactive logon: Message title for users attempting to log on and Interactive logon: Message text for users attempting to log on, and ensure both are blank.
Multiple RDP Sessions might need to be disabled. Multiple RDP sessions might cause more than one redirection, preventing the bookmark proxy from connecting to the correct server. Restricting the user to one session in Group Policy prevents this from occurring.
Run gpedit.msc on the remote server, go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections, and set Restrict Remote Desktop Services users to a single Remote Desktop Services session to Enabled.
Note that we create a new session request when connecting to the RDP server and are unable to clear the old session through the bookmark. There might be some issues with your server setup depending on your available licenses and how disconnected sessions are handled.
Ensure SSO is correct if that option is enabled. Improper SSO credentials prevents the bookmark from accessing the server properly. If you are running into issues, try disabling SSO and ensuring the proper credentials are entered for connection.
HTML5 RDP Client is recommended for usage for users connecting from systems unable to take advantage of a native RDP client. Most modern browsers support the Web Sockets feature required for connection and should be available on the systems that do not have a native RDP client.
Virtual Network Computing (VNC)
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the RDP server. Enable the Use Login Domain for SSO option to pass the user’s domain to the RDP server.
In the Encoding drop-down list, select one of:
Raw – Pixel data is sent in left-to-right scanline order, and only rectangles with changes are sent after the original full screen has been transmitted.
RRE – Rise-and-Run-length-Encoding uses a sequence of identical pixels that are compressed to a single value and repeat count. This is an efficient encoding for large blocks of constant color.
CoRRE – A variation of RRE, using a maximum of 255x255 pixel rectangles, allowing for single-byte values to be used. More efficient than RRE except where very large regions are the same color.
Hextile – Rectangles are split up in to 16x16 tiles of raw or RRE data and sent in a predetermined order. Best used in high-speed network environments such as within the LAN.
Zlib – Simple encoding using the zlib library to compress raw pixel data, costing a lot of CPU time. Supported for compatibility with VNC servers that might not understand Tight encoding which is more efficient than Zlib in nearly all real-life situations.
Tight – The default and the best encoding to use with VNC over the Internet or other low-bandwidth network environments. Uses zlib library to compress pre-processed pixel data to maximize compression ratios and minimize CPU usage.
In the Compression Level drop-down list, select the level of compression as Default or from 1 to 9, where 1 is the lowest compression and 9 is the highest.
The JPEG Image Quality option is not editable and is set at 6.
In the Cursor Shape Updates drop-down list, select Enable, Ignore, or Disable. The default is Ignore.
Select Use CopyRect to gain efficiency when moving items on the screen.
Select Restricted Colors (256 Colors) for more efficiency with slightly less depth of color.
Select Reverse Mouse Buttons 2 and 3 to switch the right-click and left-click buttons.
Select View Only to disable keyboard and mouse events in the desktop window.
Select Share Desktop to allow multiple users to view and use the same VNC desktop.
Select Display Bookmark to Mobile Connect clients to enable bookmark viewing on Mobile Connect clients. Mobile Connect must be running version 2.0 or newer to view and access this bookmark.
* 
NOTE: Support varies by device and might require supported third-party applications to be installed.
Citrix Portal (Citrix)
In the Resource Window Size drop-down list, select the default Citrix portal screen size to be used when users execute this bookmark.
Select an Access Type Selection: Smart or Manual.
Smart: Allows the firmware to decide which mode to launch on the client.

When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark.

Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.

The launch sequence is as follows: HTML5, Native, and ActiveX. Selecting Manual allows you to change, enable, or disable the launch methods. If you select Native to launch the Citrix bookmark, then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix connection.

The up and down arrows are used to adjust the launch priority. Fork and tick are used to disable or enable the modes. Disabled modes are put at the bottom of the list with a gray font color.

The Choose during Launch option is not enabled by default under the Manual mode. In this setting, while launching the bookmark, the first available mode in the configured list is run at once after auto-detection.

After the Choose during Launch option is enabled, while launching the unified bookmark, if there are multiple modes available for the client, a menu is provided from which you can choose within a five second count-down. When only one mode is available, the bookmark is also run immediately.

If the Remember my choice option is selected during the launch time, the selected mode is remembered through a cookie.

This means that when the bookmark is next launched, the remembered mode is run directly within two seconds. Clicking anywhere in the HTML page 'forgets' the remembered mode so you can choose again.

Editing or deleting the bookmark in the same browser can also reset the remembered mode.

When no modes are able to run on the client with the configuration, the following notice appears.

Optionally select HTTPS Mode to use HTTPS to securely access the Citrix Portal.
Optionally, select Always use specified Citrix ICA Server and specify the IP address in the ICA Server Address field that appears. This setting allows you to specify the Citrix ICA Server address for the Citrix ICA session. By default, the bookmark uses the information provided in the ICA configuration on the Citrix server.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Web (HTTP)
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Select Forms-based Authentication to configure Single Sign-On for forms-based authentication. Configure the User Form Field to be the same as the 'name' and 'id' attribute of the HTML element representing User Name in the Login form, for example: <input type=text name='userid'>. Configure the Password Form Field to be the same as the 'name' or 'id' attribute of the HTML element representing Password in the Login form, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Secure Web (HTTPS)
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the secure Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Select Forms-based Authentication to configure Single Sign-On for forms-based authentication. Configure the User Form Field to be the same as the 'name' and 'id' attribute of the HTML element representing User Name in the Login form, for example: <input type=text name='userid'>. Configure the Password Form Field to be the same as the 'name' or 'id' attribute of the HTML element representing Password in the Login form, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
External Web Site
Select HTTPS Mode to use SSL to encrypt communications with this Web site.
Select Disable Security Warning if you do not want to see any security warnings when accessing this Web site. Security warnings are normally displayed when this bookmark refers to anything other than an Application Offloaded Web site.
Select Automatically log in to enable the virtual host domain SSO for this bookmark. If the host in the bookmark refers to a portal with the same shared domain as this portal, selecting this check box allows you to automatically be logged in with this portal’s credential.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Mobile Connect
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
* 
NOTE: Mobile Connect must be running version 2.0 or newer to view and access this Bookmark. Support varies by device and might require supported third-party applications to be installed.
File Shares (CIFS)
* 
NOTE: SMB2 and SMB3 protocols are currently not supported. Servers should be configured to allow communication from a Linux based client.
To restrict access on the client UI, select Set user to access the specific files/folders. To completely restrict access, navigate to the Services > Policies page to set a policy for access constraints. For more information, see Adding User Policies.
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the RDP server. Enable the Use Login Domain for SSO option to pass the user’s domain to the RDP server.

Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.

Enable Display Bookmark to Mobile Connect clients to send bookmark information to Mobile Connect clients.

When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so disables access to the DFS file shares from other domains. The SMA/SRA appliance is not a domain member and is not able to connect to the DFS shares.

DFS file shares on a stand-alone root are not affected by this Microsoft restriction.

File Transfer Protocol (FTP)
Expand Show advanced server configuration to select an alternate value in the Character Encoding drop-down list. The default is Standard (UTF-8).
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the FTP server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Enable Display Bookmark to Mobile Connect clients to send bookmark information to Mobile Connect clients.

When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so disables access to the DFS file shares from other domains. The SMA/SRA appliance is not a domain member and is not able to connect to the DFS shares.

DFS file shares on a stand-alone root are not affected by this Microsoft restriction.

SSH File Transfer Protocol (SFTP)
Expand Show advanced server configuration to select an alternate value in the Character Encoding drop-down list. The default is Standard (UTF-8).
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the FTP server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Enable Display Bookmark to Mobile Connect clients to send bookmark information to Mobile Connect clients.
Telnet
Single sign-on is supported for Telnet bookmarks. The bookmark must be configured with the Automatically log in option enabled in the bookmark settings. If the correct username and password are set, the session is logged in automatically.
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the secure Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Secure Shell Version 2 (SSHv2)
Single sign-on is supported for SSH bookmarks. The bookmark must be configured with the Automatically log in option enabled in the bookmark settings. If the correct username and password are set, the session is logged in automatically.
For the SSHv2 HTML5 bookmark, SSO is supported for both user name and password authentication. If SSO fails, a menu pops up that lets you decide whether to fill in the credentials manually or cancel the log in.

Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session for log in to the Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
2
Click Accept to update the configuration. After the configuration has been updated, the new user bookmark is displayed in the Edit Local User window.

Per device license support

When a Remote Desktop Session Host (RD Session Host) server is configured to use the Per-Device licensing mode, and a client computer or device connects to an RD Session Host server for the first time, the client computer or device is issued a temporary license by default. When a client computer or device connects to an RD Session Host server for the second time, if the Remote Desktop license server is activated and enough Remote Desktop Services (RDS) Per-Device Client Access Licenses (CALs) are available, the license server issues the client computer or device a permanent RDS Per-Device CAL. If the license server is not activated or does not have any RDS Per-Device CALs available, the device continues to use the temporary license. The temporary license is valid for 90 days.

A permanent RDS Per-Device CAL issued by a license server is configured to automatically expire after a random period between 52 and 89 days, at which time the RDS Per-Device CAL returns to the pool of available RDS Per-Device CALs on the license server.

Configuring a per-device license server

This section describes how to configure Per-Device licensing on Windows Server 2008 R2. Configuration details may vary for other server versions.

To add a license server:
1
In the Server Manager screen under Edit Settings, double-click Remote Desktop license servers.

2
In the Properties dialog that appears, on the Licensing tab, click Add.

3
The Add License Server dialog appears. Select the License server name or IP address field and click Add.

To configure a license server:
1
On the Server Manager screen, click Licensing Diagnosis in the left navigation pane.

2
In the middle pane under license server(s) specified, select the desired server name or IP address. The right pane displays additional actions.
3
In the right pane, click Start RD Licensing Manager.

4
The next screen lists the available licenses, shown as Temporary.

Manage your Per-Device license from this screen.

Every remote connection from different web browsers consumes a device license. You can revoke the licenses within the previous screen, but only a few times within a certain period.

To install a Remote Desktop Services client access license:
1
Right-click the server in the left pane under All servers and select install license, and then follow the wizard step by step. Make sure your Internet connection is available.

Creating a Citrix Bookmark for a Local User

Citrix bookmarks are supported on Windows, MacOS, and Linux. Citrix support requires Internet connectivity in order to download the ActiveX or Java client from the Citrix Web site. Citrix is accessed from Internet Explorer using ActiveX by default, or from other browsers using Java. Java can be used with IE by selecting an option in the Bookmark configuration. The server automatically decides which Citrix client version to use.

* 
NOTE: Citrix Java Bookmarks are no longer officially supported by SonicWall Inc. because Citrix has ended support for the Java Receiver. SonicWall Inc. recommends using HTML5, Native, or ActiveX access methods for Citrix Bookmarks.
To configure a Citrix bookmark for a user:
1
Navigate to Users > Local Users and click the configure icon next to the user.
2
In the Edit Local User page, select the Bookmarks tab.
3
Click Add Bookmark...
4
Enter a name for the bookmark in the Bookmark Name field.
5
Enter the name or IP address of the bookmark in the Name or IP Address field.
* 
NOTE: HTTPS, HTTP, Citrix, SSHv2, Telnet, and VNC all take a port option :portnum. HTTP, HTTPS, and Fileshares can also have the path specified to a directory or file.
6
Optionally enter a friendly Description to be displayed in the bookmark table.
7
Optionally enter a comma-separated list of Tabs where this bookmark should appear. Standard tabs (Desktop, Web, Files, Terminal, and Mobile) do not need to be specified. For example: Favorites, Tab 1, Tab 2.
8
From the Service drop-down list, select Citrix Portal (Citrix). The display changes.
9
Select a Resource Window Size selection from the drop-down list.
10
Select an Access Type: Smart or Manual.
Smart: Allows the firmware to decide which mode to launch on the client.

When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark.

Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.

The launch sequence is as follows: HTML5, Native, and ActiveX. Selecting Manual allows you to change, enable, or disable the launch methods. If you select Native to launch the Citrix bookmark, then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix connection.

The up and down arrows adjust the launch priority. The cross and tick icons disable or enable the modes. Disabled modes are moved to the bottom of the list and shown in a gray font.

The Choose during Launch option is not enabled by default under the Manual mode. In this setting, while launching the bookmark, the first available mode in the configured list is run at once after auto-detection.

After the Choose during Launch option is enabled, while launching the unified bookmark, if there are multiple modes available for the client, a menu is provided from which you can choose within a five second count-down. When only one mode is available, the bookmark is also run immediately.

If the Remember my choice option is selected during the launch time, the selected mode is remembered through a cookie.

That means, when next launching the bookmark, the remembered mode is run directly within two seconds. Clicking anywhere in the HTML can 'forget' the remembered mode so you can re-choose.

Editing or deleting the bookmark in the same browser can also reset the remembered mode.

When no modes are able to run on the client with the configuration, the following notice appears.

11
Select the box next to HTTPS Mode to securely access the Citrix portal.
12
Optionally, select Always use specified Citrix ICA Server and specify the IP address in the ICA Server Address field that appears. This setting allows you to specify the Citrix ICA Server address for the Citrix ICA session. By default, the bookmark uses the information provided in the ICA configuration on the Citrix server.
Windows - The SMA Connect Agent tries to open the ICA file to launch the Citrix Receiver. If the Citrix Receiver is not installed, the system pops up a message.
Macintosh - The SMA Connect Agent searches for the “Citrix Receiver” app to be sure you have installed it, and then launches Citrix Receiver to make the Citrix connection. If you have not yet installed the app, the SMA Connect Agent pops up an alert message for you to start the installation.
13
Click Accept.
Creating Bookmarks with Custom SSO Credentials

The administrator can configure custom Single Sign On (SSO) credentials for each user, group, or globally in HTTP(S), RDP (ActiveX, VNC), File Shares (CIFS), and FTP bookmarks. This feature is used to access resources such as HTTP, RDP and FTP servers that need a domain prefix for SSO authentication. Users can log in to the SMA/SRA appliance as username, and click a customized bookmark to access a server with domain\username. Either straight textual parameters or dynamic variables might be used for the Username and Domain. For the Password field, enter the custom password to be passed, or leave the field blank to pass the current user’s password to the bookmark.

To configure custom SSO credentials, and to configure Single Sign-On for Forms-based Authentication (FBA):
1
Create or edit a Citrix, HTTP(S), RDP, File Shares (CIFS), or FTP bookmark as described in Adding or Editing User Bookmarks.
2
For a Citrix bookmark, enable the Automatically log in option. Only Forms-based Authentication can be used for a Citrix SSO bookmark.

In the Bookmarks tab, select the Use Custom Credentials option.

3
In the Username and Domain fields, enter the custom text to be passed to the bookmark, or use dynamic variables, as follows:
 

Dynamic variables

Text Usage      Variable          Example Usage
Login Name      %USERNAME%        US\%USERNAME%
Domain Name     %USERDOMAIN%      %USERDOMAIN%\%USERNAME%
Group Name      %USERGROUP%       %USERGROUP%\%USERNAME%
IP Address      %IPADDR%          %IPADDR%\%USERNAME%

4
In the Password field, enter the custom password to be passed, or leave the field blank to pass the current user’s password to the bookmark.
5
Select Forms-based Authentication to configure Single Sign-On for Forms-based authentication.
User Form Field - This should be the same as the ‘name’ and ‘ID’ attribute of the HTML element representing the User Name in the login form, for example:

<input type=text name='userid'>

Password Form Field - This should be the same as the ‘name’ or the ‘ID’ attribute of the HTML element representing Password in the login form, for example:

<input type=password name='PASSWORD' id='PASSWORD' maxlength=128>

6
Check Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
7
Click Accept.

After launching the Citrix bookmark, you are automatically logged in to the Citrix StoreFront portal, as shown in the following image, and XenApp or XenDesktop is ready to use.
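Two parts of this procedure can be checked before a bookmark goes live: which 'name'/'id' values the back-end login form actually exposes (step 5), and what the dynamic variables in step 3 expand to for a given session. The Python below is an added example written for this guide; it is not SonicWall code and does not reproduce how the appliance submits the form. The sample login page and session values are constructed, and the shape of the posted form (domain\username in the user field, the password in the password field) is an assumption made for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a back-end login page (not taken from any real product).
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/login">
  Username: <input type=text name='userid'>
  Password: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
  <input type=hidden name='csrf' value='abc123'>
  <input type=submit value='Sign in'>
</form>
</body></html>
"""

# Constructed session of a user logged in to the appliance portal.
SESSION = {"username": "jdoe", "domain": "US", "group": "Sales",
           "ip": "10.202.4.33", "password": "s3cr3t"}


class _InputCollector(HTMLParser):
    """Collect the attributes of every <input> element on the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})


def discover_form_fields(html):
    """Return (user_field, password_field): the values to enter as User Form
    Field and Password Form Field. The first text-like input is taken as the
    user name field and the first type=password input as the password field;
    'name' is preferred over 'id', as the guide's examples do."""
    collector = _InputCollector()
    collector.feed(html)
    user_field = password_field = None
    for inp in collector.inputs:
        kind = inp.get("type", "text").lower()
        ident = inp.get("name") or inp.get("id")
        if not ident:
            continue
        if kind == "password" and password_field is None:
            password_field = ident
        elif kind in ("text", "email") and user_field is None:
            user_field = ident
    return user_field, password_field


# The four dynamic variables from the table, mapped to session keys.
_VARIABLES = {"%USERNAME%": "username", "%USERDOMAIN%": "domain",
              "%USERGROUP%": "group", "%IPADDR%": "ip"}


def expand_variables(template, session):
    """Replace the dynamic variables with session values. An unrecognised
    %TOKEN% is left as-is so a typo in a bookmark shows up in the resulting
    credential instead of silently becoming empty text."""
    def sub(match):
        key = _VARIABLES.get(match.group(0))
        return session[key] if key else match.group(0)
    return re.sub(r"%[A-Z]+%", sub, template)


def build_sso_credentials(session, username_tpl, domain_tpl, custom_password=""):
    """Custom SSO credentials for a bookmark: Username and Domain may be literal
    text or dynamic variables; a blank Password passes the session password."""
    return {"username": expand_variables(username_tpl, session),
            "domain": expand_variables(domain_tpl, session),
            "password": custom_password or session["password"]}


def build_fba_form(html, session, username_tpl, domain_tpl, custom_password=""):
    """Assumed shape of the forms-based login the bookmark would submit: the
    discovered user field receives domain\\username (just the username when no
    domain is configured) and the password field receives the password."""
    user_field, password_field = discover_form_fields(html)
    if not user_field or not password_field:
        raise ValueError("login form does not expose a user and a password field")
    creds = build_sso_credentials(session, username_tpl, domain_tpl, custom_password)
    login = f"{creds['domain']}\\{creds['username']}" if creds["domain"] else creds["username"]
    return {user_field: login, password_field: creds["password"]}
```

Running discover_form_fields against a saved copy of the real login page tells you whether the form uses 'name' or only 'id', which is exactly the detail the User Form Field and Password Form Field settings depend on.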

Configuring Login Policies

The Login Policies tab provides configuration options for policies that allow or deny users with specific IP addresses from having login privileges to the SMA/SRA appliance.

To allow or deny specific users from logging into the appliance:
1
Navigate to the Users > Local Users page.
2
Click the configure icon for the user you want to configure. The Edit Local User page is displayed.
3
Click the Login Policies tab. The Edit Local User - Login Policies tab is displayed.

4
To block the specified user or users from logging into the appliance, select Disable login.
5
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
Verify user name matches Common Name (CN) of client certificate - Select this check box to require that the user’s account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that matches the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
6
To require the use of one-time passwords for the specified user to log in to the appliance, select Require one-time passwords.
7
Enter the user’s email address into the E-mail address field to override any address provided by the domain. For more information about one-time passwords, see One Time Password Overview.
* 
NOTE: To configure email to external domains (for example, SMS addresses or external webmail addresses), you need to configure the SMTP server to allow relaying between the SMA/SRA appliance and that domain.
8
To apply the policy you selected to a source IP address, select an access policy (Allow or Deny) in the Login From Defined Addresses drop-down list under Login Policies by Source IP Address, and then click Add under the list box. The Define Address window is displayed.
9
In the Define Address window, select one of the source address type options from the Source Address Type drop-down list.
IP Address - Enables you to select a specific IP address.
IP Network - Enables you to select a range of IP addresses. If you select this option, a Network Address field and Subnet Mask field appear in the Define Address window.
IPv6 Address - This enables you to select a specific IPv6 address.
IPv6 Network - This enables you to select a range of IPv6 addresses. If you select this option, an IPv6 Network field and Prefix field appear in the Define Address window.
10
Provide appropriate IP address(es) for the source address type you selected.
IP Address - Type a single IP address in the IP Address field.
IP Network - Type an IP address in the Network Address field and then supply a subnet mask value that specifies a range of addresses in the Subnet Mask field.
IPv6 Address - Type an IPv6 address, such as 2007::1:2:3:4.
IPv6 Network - Type the IPv6 network address into the IPv6 Network field, in the form 2007:1:2::. Type a prefix into the Prefix field, such as 64.
11
Click Add. The address or address range is displayed in the Defined Addresses list in the Edit User Settings window. As an example, if you selected a range of addresses with 10.202.4.32 as the network address and 255.255.255.240 (28 bits) as the subnet mask value, the Defined Addresses list displays 10.202.4.32–10.202.4.47. In this case, 10.202.4.47 would be the broadcast address. Whatever login policy you selected is now applied to addresses in this range.
12
To apply the policy you selected to a client browser, select an access policy (Allow or Deny) in the Login From Defined Browsers drop-down list under Login Policies by Client Browser, and then click Add under the list. The Define Browser window is displayed.
13
In the Define Browser window, type a browser definition in the Client Browser field and then click Add. The browser name appears in the Defined Browsers list.
* 
NOTE: To obtain the browser definition string for Firefox and Internet Explorer, run javascript:document.writeln(navigator.userAgent) in the browser; the user agent string it displays is the browser definition.
14
Click Accept. The new login policy is saved.
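The three checks this procedure configures, source address, client browser and client certificate, can be modelled offline to confirm that a definition does what you expect before it locks anyone out. The Python below is an added example for this guide, not the appliance's implementation. The address and browser lists are constructed; the reading of Allow as "only listed sources/browsers may log in" and Deny as "listed ones may not", substring matching of browser definitions against the User-Agent string, and RDN-by-RDN matching of the partial DN with %WILDCARD% as a glob are all assumptions made for the example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed Define Address entries (kind, value, mask or prefix).
SOURCE_LIST = [
    ("IP Network", "10.202.4.32", "255.255.255.240"),  # the guide's own example range
    ("IPv6 Network", "2007:1:2::", 64),
    ("IP Address", "192.0.2.10", None),
]
# Constructed Define Browser entries: substrings of navigator.userAgent.
BROWSER_LIST = ["Firefox", "Trident"]


def defined_address(kind, value, mask_or_prefix=None):
    """Network object for one Define Address entry. kind is 'IP Address',
    'IP Network', 'IPv6 Address' or 'IPv6 Network'. Single addresses become
    /32 or /128; IPv4 networks take a dotted mask, IPv6 networks a prefix
    length. A network address with host bits set raises ValueError rather
    than being silently widened to the enclosing block."""
    if kind in ("IP Address", "IPv6 Address"):
        return ipaddress.ip_network(value)
    return ipaddress.ip_network(f"{value}/{mask_or_prefix}", strict=True)


def address_range(network):
    """First-last address, the way the Defined Addresses list shows a range."""
    return f"{network[0]}-{network[-1]}"


def login_allowed_by_source(source_ip, action, entries):
    """Assumed semantics of Login From Defined Addresses: Allow means only
    listed sources may log in; Deny means listed sources may not."""
    ip = ipaddress.ip_address(source_ip)
    listed = any(ip in defined_address(*entry) for entry in entries)
    return listed if action == "Allow" else not listed


def login_allowed_by_browser(user_agent, action, definitions):
    """Same Allow/Deny reading for Login From Defined Browsers. A definition
    matches when it occurs (case-insensitively) in the client's User-Agent;
    pasting the full navigator.userAgent value therefore matches exactly."""
    ua = user_agent.lower()
    listed = any(d.lower() in ua for d in definitions)
    return listed if action == "Allow" else not listed


def _rdns(dn):
    return [part.strip() for part in dn.split(",") if part.strip()]


def client_cert_ok(subject_dn, username, domain, ad_username,
                   verify_cn=True, partial_dn=None):
    """Client certificate enforcement: optionally require the subject CN to
    equal the account name, and optionally require every RDN of the partial
    DN (after substituting the four variables, %WILDCARD% becoming a glob) to
    be present in the certificate subject."""
    rdns = _rdns(subject_dn)
    if verify_cn:
        cn_values = [v.strip() for k, _, v in (r.partition("=") for r in rdns)
                     if k.strip().upper() == "CN"]
        if cn_values != [username]:
            return False
    if partial_dn:
        expanded = (partial_dn.replace("%USERNAME%", username)
                              .replace("%USERDOMAIN%", domain)
                              .replace("%ADUSERNAME%", ad_username)
                              .replace("%WILDCARD%", "*"))
        for wanted in _rdns(expanded):
            if not any(fnmatchcase(have, wanted) for have in rdns):
                return False
    return True
```

The strict=True in defined_address is deliberate: typing 10.202.4.33 with a /28 mask is almost always a mistake, and rejecting it is safer than quietly turning it into 10.202.4.32-10.202.4.47.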

Configuring End Point Control for Users

To configure the End Point Control profiles used by a local user:
1
Navigate to the Users > Local Users page.
2
Click the configure icon next to the user to be configured for EPC. The Edit Local User window is displayed.
3
Click the EPC tab. The EPC window is displayed.
4
Configure EPC user settings and add or remove device profiles.

Users > Local Groups

This section provides an overview of the Users > Local Groups page and a description of the configuration tasks available on this page.

For a description of global settings for local groups, see Global Configuration.

Users > Local Groups Overview

The Users > Local Groups page allows the administrator to add and configure groups for granular control of user access by specifying a group name and domain.

Note that a group is automatically created when you create a domain. You can create domains in the Portals > Domains page. You can also create a group directly from the Users > Local Groups page.

Users > Local Groups Page

Group memberships are split into two groups, ‘primary’ and ‘additional’.

Primary groups - Used to assign simple policies, such as timeouts and the ability to add/edit bookmarks. Advanced policies, such as URL or network object policies, might come from primary or additional groups.

Additional Groups - Multiple additional groups could be assigned, but in the case of conflicting policies, the primary group takes precedence over any additional groups.

Keep in mind that users can only belong to groups within a single domain.

Deleting a Group

To delete a group, click the delete icon in the row for the group that you wish to remove in the Local Groups table on the Users > Local Groups page. The deleted group no longer appears in the list of defined groups.

* 
NOTE: A group cannot be deleted if users have been added to the group or if the group is the default group created for an authentication domain. To delete a group that is the default group for an authentication domain, delete the corresponding domain (you cannot delete the group in the Edit Group Settings window). If the group is not the default group for an authentication domain, first delete all users in the group. Then you are able to delete the group on the Edit Group Settings page.

Adding a New Group

Note that a group is automatically created when you create a domain. You can create domains in the Portals > Domains page. You can also create a group directly from the Users > Local Groups page.

The Users > Local Groups window contains two default objects:

Global Policies - Contains access policies for all nodes in the organization.
LocalDomain - The LocalDomain group is automatically created to correspond to the default LocalDomain authentication domain. This is the default group to which local users are added, unless otherwise specified.
To create a new group:
1
Click Add Group. The Add Local Group window is displayed.
2
In the Add Local Group window, enter a descriptive name for the group in the Group Name field.
3
Select the appropriate domain from the Domain drop-down list. The domain is mapped to the group.
4
Click Accept to update the configuration. After the group has been added, the new group is added to the Local Groups window.

All of the configured groups are displayed in the Users > Local Groups page, listed in alphabetical order.

Editing Group Settings

To edit the settings for a group, click the configure icon in the row for the group that you wish to edit in the Local Groups table on the Users > Local Groups page. The Edit Group Settings window contains six tabs: General, Portal, NxSettings, NxRoutes, Policies, and Bookmarks.

See the following sections for information about configuring settings:

Editing General Group Settings

The General tab provides configuration options for a group’s inactivity timeout value and single sign-on settings.

To modify the general user settings:
1
In the left column, navigate to the Users > Local Groups.
2
Click the configure icon next to the group you want to configure. The General tab of the Edit Group Settings window displays. The General Group Settings section displays the following non-configurable fields: Group Name and Domain Name.

3
To set the inactivity timeout for the group, meaning that users are signed out of the Virtual Office after no activity on their computer for the specified time period, enter the number of minutes of inactivity to allow in the Inactivity Timeout field. Set to 0 to use the global timeout.
* 
NOTE: The inactivity timeout can be set at the user, group and global level. If one or more timeouts are configured for an individual user, the user timeout setting takes precedence over the group timeout and the group timeout takes precedence over the global timeout. Setting the global settings timeout to 0 disables the inactivity timeout for users that do not have a group or user timeout configured.
4
Under Single Sign-On Settings, select one of the following options from the Use SSL-VPN account credentials to log into bookmarks drop-down menu:
Use Global Policy: Select this option to use the global policy settings to control single sign-on (SSO) for bookmarks.
User-controlled (enabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks. This setting enables SSO by default for new users.
* 
NOTE: Single sign-on in the SMA/SRA appliance does not support two-factor authentication.
User-controlled (disabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks. This setting disables SSO by default for new users.
Enabled: Select this option to enable single sign-on for bookmarks.
Disabled: Select this option to disable single sign-on for bookmarks.
5
Click Accept to save the configuration changes.
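The NOTE under step 3 describes a three-level precedence in which 0 means two different things: "inherit" at the user and group levels, but "disabled" at the global level. The following Python is an added example for this guide, not appliance code; it resolves the timeout that would apply to one session so the asymmetry can be checked rather than remembered.

```python
def effective_inactivity_timeout(user_minutes, group_minutes, global_minutes):
    """Minutes of inactivity before the session is signed out, or None when
    the timeout is disabled. A user or group value of 0 inherits from the next
    level up; a global value of 0 disables the timeout entirely."""
    for level, minutes in (("user", user_minutes), ("group", group_minutes),
                           ("global", global_minutes)):
        if minutes < 0:
            raise ValueError(f"{level} timeout must not be negative")
    if user_minutes:
        return user_minutes          # user setting wins over group and global
    if group_minutes:
        return group_minutes         # group setting wins over global
    return global_minutes or None    # 0 here means no inactivity timeout
```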

Modifying Group Portal Settings

The Portal Settings section provides configuration options for portal settings for this group.

To configure portal settings for this group:
1
In the left column, navigate to the Users > Local Groups.
2
Click the configure icon next to the group you want to configure.
3
In the Edit Local Group page, click the Portal Settings section.

4
In the Portal Settings section, for NetExtender, Launch NetExtender after login, FileShares, Virtual Assist Technician, Virtual Assist Request Help, Virtual Access Setup Link, select one of the following portal settings for this group:
Use portal setting – The settings defined in the main portal settings are used to determine if the portal feature is enabled or disabled. The main portal settings are defined by configuring the portal in the Portals > Portals page, on the Home tab of the Edit Portal screen.
Enabled – Enable this portal feature for this group.
Disabled – Disable this portal feature for this group.

Because Mobile Connect acts as a NetExtender client when connecting to the appliance, the setting for NetExtender also controls access by Mobile Connect users.

5
To allow users in this group to add new bookmarks, select Allow from the Allow user to add bookmarks drop-down menu. To prevent users from adding new bookmarks, select Deny. To use the setting defined globally, select Use global setting. See Edit Global Settings for information about global settings.
6
To allow users to edit or delete user-owned bookmarks, select Allow from the Allow user to edit/delete bookmarks drop-down menu. To prevent users from editing or deleting user-owned bookmarks, select Deny. To use the setting defined globally, select Use global setting.
7
Click Accept.

Enabling Group NetExtender Settings

This feature is for external users, who inherit the settings from their assigned group upon login. NetExtender client settings can be specified for the group, or the global settings can be used. For information about configuring global settings, see Edit Global Settings.

To enable NetExtender ranges and configure DNS and client settings for a group:
1
Navigate to Users > Local Groups.
2
Click the configure icon next to the group you want to configure.
3
In the Edit Local Group page, select the Nx Settings tab.
4
Choose the Client address pool setting. Options include using the global settings, the DHCP settings, or a Static Pool.
5
Choose the IPv6 address pool setting. Options include using the global settings, the DHCPv6 settings, or a Static Pool.
6
Under DNS Settings, type the address of the primary DNS server in the Primary DNS Server field.
7
Optionally type the IP address of the secondary server in the Secondary DNS Server field.
8
In the DNS Search List field, type the DNS domain suffix and click Add. Next, use the up and down arrows to prioritize multiple DNS domains in the order they should be used.

For SMA/SRA appliances supporting connections from Apple iPhones, iPads, or other iOS devices using SonicWall Inc. Mobile Connect, use this DNS Search List. This DNS domain is set on the VPN interface of the iPhone/iPad after the device connects to the appliance. When the mobile device user accesses a URL, iOS determines whether the domain matches the VPN interface’s domain and, if so, uses the VPN interface’s DNS server to resolve the hostname. Otherwise, the Wi-Fi or 3G/4G DNS server is used, which cannot resolve hosts within the company intranet.

9
Under Client Settings, select one of the following from the Exit Client After Disconnect drop-down list:
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
Enabled - Enable this action for all members of the group. Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global setting.
10
In the Uninstall Client After Exit drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
Enabled - Enable this action for all members of the group. Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global setting.
11
In the Create Client Connection Profile drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
Enabled - Enable this action for all members of the group. Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global setting.
12
In the User Name & Password Caching drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
Allow saving of user name only - Allow caching of the user name for members of the group. Group members only need to enter their passwords when starting NetExtender. Overrides the global setting.
Allow saving of user name & password - Allow caching of the user name and password for members of the group. Group members are automatically logged in when starting NetExtender. Overrides the global setting.
Prohibit saving of user name & password - Do not allow caching of the user name and password for members of the group. Group members are required to enter both user name and password when starting NetExtender. Overrides the global setting.
13
Click Accept.

Enabling NetExtender Routes for Groups

The Nx Routes tab allows the administrator to add and configure client routes. IPv6 client routes are supported on SMA/SRA appliances.

To enable multiple NetExtender routes for a group:
1
Navigate to Users > Local Groups.
2
Click the configure icon next to the group you want to configure.
3
In the Edit Local Group page, go to the Client Routes section.

4
In the Tunnel All Mode drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
Enabled - Force all traffic for this user, including traffic destined to the remote users’ local network, over the Secure Mobile Access NetExtender tunnel. Affects all members of the group. Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global setting.
5
To add globally defined NetExtender client routes for members of this group, select Add Global NetExtender Client Routes.
6
To configure NetExtender client routes specifically for members of this group, click Add Client Route.
7
On the Add Client Route screen, enter a destination network in the Destination Network field. For example, enter the IPv4 network address 10.202.0.0. For IPv6, enter the IPv6 network address in the form 2007::1:2:3:0.
8
For an IPv4 destination network, type the subnet mask in the Subnet Mask/Prefix field using decimal format (255.0.0.0, 255.255.0.0, or 255.255.255.0). For an IPv6 destination network, type the prefix, such as 112.
9
On the Add Client Route screen, click Accept.
10
On the Edit Local Group page, click Accept.

Enabling Group NetExtender Client Routes

To enable global NetExtender client routes for groups that are already created:
1
Navigate to Users > Local Groups.
2
Click the configure icon next to the group you want to configure.
3
In the Client Routes section, select Add Global Client Routes.
4
Click Accept.

Enabling Tunnel All Mode for Local Groups

This feature is for external users, who inherit the settings from their assigned group upon login. Tunnel all mode ensures that all network communications are tunneled securely through the Secure Mobile Access tunnel.

To enable tunnel all mode:
1. Navigate to Users > Local Groups.
2. Click the configure icon next to the group you want to configure.
3. In the Edit Local Group section, select Enable from the Tunnel All Mode drop-down list.
4. Click Accept.

NOTE: You can optionally tunnel all Secure Mobile Access client traffic through the NetExtender connection by entering 0.0.0.0 for the Destination Network and Subnet Mask/Prefix in the Add Client Routes window.
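As an added illustration (not from the guide or the appliance), the following Python validates Client Route entries the way the Add Client Route form above expects them: a dotted-decimal mask for IPv4, a prefix length for IPv6, and the 0.0.0.0 / 0.0.0.0 tunnel-all entry; the function names and the sample entries are my own.

```python
import ipaddress


def _prefix_from_mask(mask: str) -> int:
    """Convert a dotted-decimal IPv4 mask (255.255.0.0) to a prefix length,
    rejecting non-contiguous masks and host masks such as 0.0.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"mask {mask!r} is not a contiguous subnet mask")
    return ones


def parse_client_route(destination: str, mask_or_prefix: str):
    """Validate one Add Client Route entry (Destination Network + Subnet Mask/Prefix).

    Returns (family, network, tunnel_all): family is 4 or 6, network is an
    ipaddress network object, and tunnel_all is True for the 0.0.0.0 / 0.0.0.0
    entry that sends all client traffic through NetExtender. Raises ValueError
    for anything the form should not accept.
    """
    dest = destination.strip()
    mp = mask_or_prefix.strip()
    if ":" in dest:
        # IPv6: the Subnet Mask/Prefix field holds a prefix length such as 112.
        if not mp.isdigit() or int(mp) > 128:
            raise ValueError(f"IPv6 route {dest} needs a prefix length 0-128, got {mp!r}")
        net = ipaddress.IPv6Network((dest, int(mp)), strict=True)
        return (6, net, False)
    # IPv4: the field holds a dotted-decimal mask, not a prefix length.
    prefix = _prefix_from_mask(mp)
    try:
        net = ipaddress.IPv4Network((dest, prefix), strict=True)
    except ValueError as exc:
        # strict=True refuses host bits, so 10.202.0.5 with 255.255.0.0 is
        # reported instead of being silently rewritten to 10.202.0.0.
        raise ValueError(f"{dest} is not the network address for mask {mp}: {exc}") from None
    tunnel_all = net.prefixlen == 0 and net.network_address == ipaddress.IPv4Address("0.0.0.0")
    return (4, net, tunnel_all)


def summarize_routes(entries):
    """Review a group's Client Routes list, given as (destination, mask_or_prefix)
    pairs. Returns one result line per entry plus a warning when a tunnel-all
    entry makes the specific IPv4 routes redundant."""
    results, tunnel_all_seen, specific_v4 = [], False, 0
    for dest, mp in entries:
        try:
            fam, net, tunnel_all = parse_client_route(dest, mp)
        except ValueError as exc:
            results.append(f"REJECT {dest} {mp}: {exc}")
            continue
        if tunnel_all:
            tunnel_all_seen = True
        elif fam == 4:
            specific_v4 += 1
        tag = "TUNNEL-ALL" if tunnel_all else f"IPv{fam}"
        results.append(f"OK {net.with_prefixlen} ({tag})")
    if tunnel_all_seen and specific_v4:
        results.append("WARN tunnel-all route present; the specific IPv4 routes above are redundant")
    return results


if __name__ == "__main__":
    # Constructed sample list mixing the guide's example values with bad entries.
    for line in summarize_routes([("10.202.0.0", "255.255.0.0"), ("2007::1:2:3:0", "112"),
                                  ("10.0.0.0", "0.0.0.255"), ("10.202.0.5", "255.255.0.0"),
                                  ("0.0.0.0", "0.0.0.0")]):
        print(line)
```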

Adding Group Policies

With group access policies, all traffic is allowed by default. Additional allow and deny policies can be created by destination address or address range and by service type.

The most specific policy takes precedence over less specific policies. For example, a policy that applies to only one IP address has priority over a policy that applies to a range of IP addresses. If there are two policies that apply to a single IP address, then a policy for a specific service (for example RDP) takes precedence over a policy that applies to all services.

User policies take precedence over group policies and group policies take precedence over global policies, regardless of the policy definition. A user policy that allows access to all IP addresses takes precedence over a group policy that denies access to a single IP address.

NOTE: Within the group policy scheme, the primary group policy is always enforced over any additional group policies.

To define group access policies:
1. Navigate to Users > Local Groups.
2. Click the configure icon next to the group you want to configure.
3. In the Edit Local Group page, select the Policies tab.
4. On the Policies tab, click Add Policy. The Add Policy screen is displayed.
5. Define a name for the policy in the Policy Name field.
6. In the Apply Policy To drop-down list, select whether the policy is applied to an individual host, a range of addresses, all addresses, a network object, a server path, or a URL object. You can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy window changes depending on what type of object you select in the Apply Policy To drop-down list.

NOTE: The Secure Mobile Access policies apply to the destination address(es) of the SMA/SRA connection, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SMA/SRA gateway through the policy engine. It is possible to control source logins by IP address from the user's Login Policies page. For more information, refer to Configuring Login Policies.

IP Address - If your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field. Optionally enter a port range (80-443) or a single port number into the Port Range/Port Number field.
IP Address Range - If your policy applies to a range of addresses, enter the beginning IP address in the IP Network Address field and the subnet mask that defines the IP address range in the Subnet Mask field. Optionally enter a port range (4100-4200) or a single port number into the Port Range/Port Number field.
Network Object - If your policy applies to a predefined network object, select the name of the object from the Network Object drop-down list. A port or port range can be specified when defining a Network Object. See Adding Network Objects.
Server Path - If your policy applies to a server path, select one of the following radio buttons in the Resource field:
Share (Server path) - When you select this option, type the path into the Server Path field.
Network (Domain list)
Servers (Computer list)
See Editing a Policy for a File Share.
URL Object - If your policy applies to a predefined URL object, type the URL into the URL field.
IPv6 Address - If your policy applies to a specific host, enter the IPv6 address of the local host machine in the IPv6 Address field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field.
IPv6 Address Range - If your policy applies to a range of addresses, enter the beginning IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6 address range in the IPv6 Prefix field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field.
All IPv6 Address - If your policy applies to all IPv6 addresses, you do not need to enter any IP address information.
7. Select the service type in the Service menu. If you are applying a policy to a network object, the service type is defined in the network object.
8. Select Allow or Deny from the Status drop-down list to either permit or deny SMA/SRA connections for the specified service and host machine.
9. Click Accept to update the configuration. After the configuration has been updated, the new group policy is displayed in the Edit Local Group window. The group policies are displayed in the Group Policies list in the order of priority, from the highest priority policy to the lowest priority policy.
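The precedence rules described above, modelled as an added Python example that is not part of the guide or the appliance: user policies beat group policies beat global policies, then the most specific address scope wins, then a named service beats All Services, and with no match traffic is allowed by default. The policy names and addresses are constructed, and the primary/additional group distinction is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Precedence between levels is fixed: user > group > global, regardless of how
# specific each individual policy is.
LEVEL_RANK = {"user": 0, "group": 1, "global": 2}
ALL_SERVICES = "All Services"


@dataclass(frozen=True)
class Policy:
    name: str
    level: str              # "user", "group" or "global"
    target: str             # "host" (IP Address), "range" (IP Address Range) or "all"
    address: Optional[str]  # host IP; network as CIDR or "net/mask" for a range; None for all
    service: str            # a specific service such as "RDP", or ALL_SERVICES
    status: str             # "Allow" or "Deny"

    def matches(self, ip, service: str) -> bool:
        """Does this policy apply to traffic for the given destination and service?"""
        if self.service != ALL_SERVICES and self.service != service:
            return False
        if self.target == "all":
            return True
        if self.target == "host":
            return ip == ipaddress.ip_address(self.address)
        # Mixed address families never match: an IPv6 address is not "in" an IPv4 range.
        return ip in ipaddress.ip_network(self.address, strict=False)

    def specificity(self):
        """Lower sorts first: a single host beats a range beats all addresses, and
        for the same address scope a named service beats All Services."""
        scope = {"host": 0, "range": 1, "all": 2}[self.target]
        return (scope, 0 if self.service != ALL_SERVICES else 1)


def resolve(policies, destination: str, service: str):
    """Return (status, winning_policy) for one connection.

    The highest-precedence level with any matching policy decides; inside that
    level the most specific matching policy wins. With no match at all the
    default applies and the traffic is allowed."""
    ip = ipaddress.ip_address(destination)
    matching = [p for p in policies if p.matches(ip, service)]
    if not matching:
        return ("Allow", None)
    best = min(matching, key=lambda p: (LEVEL_RANK[p.level], p.specificity()))
    return (best.status, best)


# Constructed sample policy set (hypothetical names and addresses).
GROUP_AND_GLOBAL = [
    Policy("deny-everything", "global", "all", None, ALL_SERVICES, "Deny"),
    Policy("lan-allow", "group", "range", "10.10.0.0/255.255.0.0", ALL_SERVICES, "Allow"),
    Policy("no-rdp-to-dc", "group", "host", "10.10.5.20", "RDP", "Deny"),
]
# A user policy allowing all addresses overrides a group policy that denies a
# single host, which is the precedence example the guide gives.
WITH_USER_POLICY = GROUP_AND_GLOBAL + [
    Policy("user-allow-all", "user", "all", None, ALL_SERVICES, "Allow"),
]

if __name__ == "__main__":
    for dest, svc in [("10.10.5.20", "RDP"), ("10.10.5.20", "SSH"), ("10.20.0.1", "RDP")]:
        status, pol = resolve(GROUP_AND_GLOBAL, dest, svc)
        print(f"{dest} {svc}: {status} via {pol.name if pol else 'default'}")
    print("with user policy:", resolve(WITH_USER_POLICY, "10.10.5.20", "RDP")[0])
```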

Editing a Policy for a File Share

To edit file share access policies:
1. Navigate to Users > Local Groups.
2. Click the configure icon next to the group you want to configure.
3. Select the Policies tab.
4. Click Add Policy...
5. Select Server Path from the Apply Policy To drop-down list.
6. Type a name for the policy in the Policy Name field.
7. For Resource, select Share (Server path) for the resource type.
8. In the Server Path field, enter the server path in the format servername/share/path or servername\share\path. The prefixes \\, //, \ and / are acceptable.

NOTE: Share and path provide more granular control over a policy. Both are optional.

9. Select Allow or Deny from the Status drop-down list.
10. Click Accept.
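To show what the Server Path format in step 8 accepts, here is an added Python example (my own, not the appliance's parser) that normalizes a value into server, share and path components and decides whether a Share (Server path) policy covers a requested resource. It also rejects ".." components, a check the guide does not mention, so a request cannot escape the policy's subtree.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SharePath:
    server: str                 # host name, lower-cased
    share: Optional[str]        # share name, lower-cased; None when the policy is server-wide
    path: Tuple[str, ...]       # folder components below the share, lower-cased


def parse_server_path(value: str) -> SharePath:
    """Normalize servername/share/path or servername\\share\\path, with an optional
    leading \\\\, //, \\ or / prefix. Share and path are optional, as the NOTE says.
    Comparison is case-insensitive, following Windows share semantics."""
    s = value.strip().replace("\\", "/").lstrip("/")
    parts = [p for p in s.split("/") if p]
    if not parts:
        raise ValueError("server name is required")
    if any(p == ".." for p in parts):
        # A '..' component would let a request climb out of the policed subtree.
        raise ValueError(f"parent-directory component not allowed in {value!r}")
    server = parts[0].lower()
    share = parts[1].lower() if len(parts) > 1 else None
    path = tuple(p.lower() for p in parts[2:])
    return SharePath(server, share, path)


def policy_covers(policy_value: str, requested: str) -> bool:
    """True when a policy written for policy_value applies to the requested resource:
    no share means the whole server, a share means that share and everything under it,
    and a path means that folder and its subtree."""
    pol = parse_server_path(policy_value)
    req = parse_server_path(requested)
    if pol.server != req.server:
        return False
    if pol.share is None:
        return True
    if pol.share != req.share:
        return False
    return req.path[:len(pol.path)] == pol.path


if __name__ == "__main__":
    # Constructed sample values; "fileserver" and the share names are hypothetical.
    print(parse_server_path("\\\\fileserver\\Finance\\Reports"))
    print(policy_covers("fileserver/finance/reports", "//fileserver/Finance/Reports/2016/q1.xlsx"))
    print(policy_covers("fileserver/finance", "\\\\fileserver\\hr"))
```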

Configuring Group Bookmarks

SMA/SRA appliance bookmarks provide a convenient way for Secure Mobile Access users to access computers on the local area network that they connect to frequently. Group bookmarks apply to all members of a specific group.

To define group bookmarks:
1. Navigate to the Users > Local Groups window.
2. Click the configure icon for the group for which you want to create a bookmark. The Edit Local Group page is displayed.
3. On the Bookmarks tab, click Add Bookmark. The Add Bookmark screen is displayed.

NOTE: When group bookmarks are defined, all group members see the defined bookmarks from the Secure Mobile Access user portal. Individual group members are not able to delete or modify group bookmarks.

4. Enter a string that is the name of the bookmark in the Bookmark Name field.
5. Enter the fully qualified domain name (FQDN) or the IPv4 or IPv6 address of a host machine on the LAN in the Name or IP Address field. In some environments you can enter the host name only, such as when creating a VNC bookmark in a Windows local network.

NOTE: If a Port number is included with an IPv6 address in the Name or IP Address field, the IPv6 address must be enclosed in square brackets, for example: [2008::1:2:3:4]:6818. IPv6 is not supported for File Shares or VNC bookmarks.

For HTTP and HTTPS, you can add a custom port and path, for example, servername:port/path. For VNC, Telnet, and SSH, you can add a custom port, for example, servername:port.

6. Enter a friendly description in the Description field to be displayed in the Bookmarks table.
7. Select one of the service types from the Service drop-down list. For the specific service you select from the Service drop-down list, additional fields might appear. Use the following information for the chosen service to complete the building of the bookmark:
Terminal Services (RDP), Terminal Services (RDP-HTML5), or Terminal Services (RDP-Native)
In the Screen Size drop-down menu, select the default terminal services screen size to be used when users execute this bookmark.

Because different computers support different screen sizes, when you use a remote desktop application, you should select the size of the screen on the computer from which you are running a remote desktop session. Additionally, you might want to provide a path to where your application resides on your remote computer by typing the path in the Application and Path field.

In the Colors drop-down list, select the default color depth for the terminal service screen when users execute this bookmark.
8. Select an Access Type Selection: Smart or Manual.
Smart: Allows the firmware to decide which mode to launch on the client.

When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark.

Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.

The launch sequence is as follows: HTML5 and Native. Selecting Manual allows you to change, enable, or disable the launch methods. If you select Native to launch the RDP bookmark, then the SMA Connect Agent launches the RDP Receiver on the local machine to do the RDP connection.

The up and down arrows are used to adjust the launch priority. Fork and tick are used to disable or enable the modes. Disabled modes are put at the bottom of the list with a gray font color.

The Choose during Launch option is not enabled by default under the Manual mode. In this setting, while launching the bookmark, the first available mode in the configured list is run at once after auto-detection.

After the Choose during Launch option is enabled, while launching the unified bookmark, if there are multiple modes available for the client, a menu is provided from which you can choose within a five second count-down. When only one mode is available, the bookmark is also run immediately.

If the Remember my choice option is selected during the launch time, the selected mode is remembered through a cookie.

That means, when next launching the bookmark, the remembered mode is run directly within two seconds. Clicking anywhere in the HTML can 'forget' the remembered mode so you can re-choose.

Editing or deleting the bookmark in the same browser can also reset the remembered mode.

When no modes are able to run on the client with the configuration, the following notice appears.

Optionally enter the local path for this application in the Application and Path field.
Select Enable wake-on-LAN to enable waking up a computer over the network connection. Selecting this check box causes the following new fields to be displayed:
MAC/Ethernet Address – Enter one or more MAC addresses, separated by spaces, of target hosts to wake.
Wait time for boot-up (seconds) – Enter the number of seconds to wait for the target host to fully boot up before cancelling the WoL operation.
Send WOL packet to host name or IP address – Select this option to send the WoL packet to the host name or IP address of this bookmark. It can be applied in tandem with a MAC address of another machine to wake.
In the Start in the following folder field, optionally enter the local folder in which to execute application commands.
Optionally enter the local path for this application in the Application and Path field and specify the folder in the Start in the following folder field. The remote application feature displays a single application to the user. The value can also be the alias of the remote application.
Enter the Command-line Arguments for the RemoteApp. (Option available for ActiveX or Java only.)
In the Start in the following folder field, optionally enter the local folder in which to execute application commands. (Option available for ActiveX or Java only.)
Select Login as console/admin session to allow login as console or admin. Login as admin replaces login as console in RDC 6.1 and newer. (Option available for all Terminal Services.)
Select Server is TS Farm if users are connecting to a TS Farm or Load Balanced server. Enter the Terminal Services Broker information in the Load Balance Info box, such as tsv://MS Terminal Services Plugin.1.CollectionName. Maximum length is 1024 characters. For a bookmark with complex options (like RDP), options are mixed from all the modes and distinguished with tips like *non-html5 or *for html5.

By default, the bookmark only connects to the provided name and IP address. If you enable this feature, the SMA/SRA appliance obtains the redirected address and connects the user to the correct server. Note that Interactive Login might need to be disabled for this feature to work properly.

NOTE: If this setting is enabled, set the correct SSO credentials to log in to the bookmark automatically. If this setting is not enabled, leave Automatically log in deselected.
For RDP - HTML5, select the Default Language from the drop-down menu.
For Windows clients or on Mac clients running Mac OS X 10.5 or higher with RDC installed, expand Show advanced Windows options and select the check boxes to redirect the following features on the local network for use in this bookmark:
Redirect Printers - See Printer redirection for more information on setting up Printer Redirection.
Redirect Ports
Redirect Clipboard
Redirect Drives
Redirect SmartCards
Redirect Plug and Play Devices

Select the check boxes for any of the following additional features for use in this bookmark session:

Display connection bar
Desktop background
Menu/window animation
Show window contents while dragging/resizing
Auto-reconnection
Bitmap caching
Visual styles
Select the Remote Audio option from the drop-down list. Audio redirection enables the user to play an audio clip on the server, either remotely or locally. Valid selections are Play on this computer, Play on remote computer, or Do not play. Note that this feature is currently supported by Chrome, Firefox, and Safari.
NOTE: Hover your mouse pointer over the Help icon next to certain options to display tooltips that indicate requirements.
For RDP - HTML5, the following Advanced Windows options are available:
Desktop background
Menu/window animation
Show window contents while dragging/resizing
Enable Compression
Visual Styles
Select the Remote Audio option from the drop-down list. Audio redirection enables the user to play an audio clip on the server, either remotely or locally. Valid selections are Play on this computer, Play on remote computer, or Do not play. Note that this feature is currently supported by Chrome, Firefox, and Safari.
If the client application is RDP6, you can select any of the following options: (Option available for all Terminal Services)
Font smoothing
Select the Connection Speed from the drop-down list for optimized performance. (Option available for all Terminal Services.)
Select the action from the drop-down list that happens in the event that the Server Authentication fails. Server authentication verifies that you are connecting to the intended remote computer. The strength of the verification required to connect is determined by your system security policy. (Option available for all Terminal Services.)
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current Secure Mobile Access session to log in to the RDP server. Enable the Use Login Domain for SSO option to pass the user’s domain to the RDP server. Windows 2008 and newer servers could require this option to be enabled. (Option available for all Terminal Services.)

Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.

Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices. (Option available for all Terminal Services.)
NOTE: RDP over HTML5 is supported using the default/standard browser in iOS or Android.
Virtual Network Computing (VNC)
In the Encoding drop-down list, select one of the following:
Raw – Pixel data is sent in left-to-right scanline order, and only rectangles with changes are sent after the original full screen has been transmitted.
RRE – Rise-and-Run-length-Encoding uses a sequence of identical pixels that are compressed to a single value and repeat count. This is an efficient encoding for large blocks of constant color.
CoRRE – A variation of RRE, using a maximum of 255x255 pixel rectangles, allowing for single-byte values to be used. More efficient than RRE except where very large regions are the same color.
Hextile – Rectangles are split up into 16x16 tiles of raw or RRE data and sent in a predetermined order. Best used in high-speed network environments such as within the LAN.
Zlib – Simple encoding using the zlib library to compress raw pixel data, costing a lot of CPU time. Supported for compatibility with VNC servers that might not understand Tight encoding which is more efficient than Zlib in nearly all real-life situations.
Tight – The default and the best encoding to use with VNC over the Internet or other low-bandwidth network environments. Uses zlib library to compress pre-processed pixel data to maximize compression ratios and minimize CPU usage.
In the Compression Level drop-down list, select the level of compression as Default or from 1 to 9, where 1 is the lowest compression and 9 is the highest.
The JPEG Image Quality option is not editable and is set at 6.
In the Cursor Shape Updates drop-down list, select Enable, Ignore, or Disable. The default is Ignore.
Select Use CopyRect to gain efficiency when moving items on the screen.
Select Restricted Colors (256 Colors) for more efficiency with slightly less depth of color.
Select Reverse Mouse Buttons 2 and 3 to switch the right-click and left-click buttons.
Select View Only if the user is not making any changes on the remote system.
Select Share Desktop to allow multiple users to view and use the same VNC desktop.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Citrix Portal (Citrix)
In the Resource Window Size drop-down list, select the default Citrix portal screen size to be used when users execute this bookmark.
9. Select an Access Type Selection: Smart or Manual.
Smart: Allows the firmware to decide which mode to launch on the client.

When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark.

Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.

The launch sequence is as follows: HTML5, Native, and ActiveX. Selecting Manual allows you to change, enable, or disable the launch methods. If you select Native to launch the Citrix bookmark, then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix connection. Native can provide advanced features when launched on Windows and OS X platforms after installing the SMA Connect Agent and Citrix Receiver.

The up and down arrows are used to adjust the launch priority. Fork and tick are used to disable or enable the modes. Disabled modes are put at the bottom of the list with a gray font color.

The Choose during Launch option is not enabled by default under the Manual mode. In this setting, while launching the bookmark, the first available mode in the configured list is run at once after auto-detection.

After the Choose during Launch option is enabled, while launching the unified bookmark, if there are multiple modes available for the client, a menu is provided from which you can choose within a five second count-down. When only one mode is available, the bookmark is also run immediately.

If the Remember my choice option is selected during the launch time, the selected mode is remembered through a cookie.

That means, when next launching the bookmark, the remembered mode is run directly within two seconds. Clicking anywhere in the HTML can 'forget' the remembered mode so you can re-choose.

Editing or deleting the bookmark in the same browser can also reset the remembered mode.

When no modes are able to run on the client with the configuration, the following notice appears.

Optionally select HTTPS Mode to use HTTPS to securely access the Citrix Portal.
Optionally, select Always use specified Citrix ICA Server and specify the IP address in the ICA Server Address field that appears. This setting allows you to specify the Citrix ICA Server address for the Citrix ICA session. By default, the bookmark uses the information provided in the ICA configuration on the Citrix server.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Web (HTTP)
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session to log in to the RDP server. Enable the Use Login Domain for SSO option to pass the user’s domain to the RDP server.

Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.

Select Forms-based Authentication to configure Single Sign-On for forms-based authentication. Configure the User Form Field to be the same as the 'name' and 'id' attribute of the HTML element representing User Name in the Login form, for example: <input type=text name='userid'>. Configure the Password Form Field to be the same as the 'name' or 'id' attribute of the HTML element representing Password in the Login form, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Secure Web (HTTPS)
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session to log in to the RDP server. Enable the Use Login Domain for SSO option to pass the user’s domain to the RDP server.

Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.

Select Forms-based Authentication to configure Single Sign-On for forms-based authentication. Configure the User Form Field to be the same as the 'name' and 'id' attribute of the HTML element representing User Name in the Login form, for example: <input type=text name='userid'>. Configure the Password Form Field to be the same as the 'name' or 'id' attribute of the HTML element representing Password in the Login form, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
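For the Forms-based Authentication settings above (the same for the Web (HTTP) and Secure Web (HTTPS) bookmark types), the following added Python example, which is not from the guide, parses a login page and checks that the configured User Form Field and Password Form Field each name exactly one input of the expected type. The sample form is constructed from the guide's two example inputs plus a hidden token field.

```python
from html.parser import HTMLParser


class _InputCollector(HTMLParser):
    """Collect every <input> on the login page with its type, name and id."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        self.inputs.append({
            "type": a.get("type", "text").lower(),  # HTML's default input type is text
            "name": a.get("name", ""),
            "id": a.get("id", ""),
        })


def collect_inputs(html: str):
    parser = _InputCollector()
    parser.feed(html)
    return parser.inputs


def check_sso_fields(html: str, user_form_field: str, password_form_field: str):
    """Compare the bookmark's User Form Field and Password Form Field values with
    the login form. Returns a list of findings; an empty list means each value
    names exactly one input of the right type (text for the user name,
    password for the password), so SSO will fill the intended fields."""
    inputs = collect_inputs(html)
    findings = []

    def check(value, expected_type, label):
        hits = [i for i in inputs if value and value in (i["name"], i["id"])]
        if not hits:
            findings.append(f"{label} {value!r} matches no input name or id in the form")
            return
        if len(hits) > 1:
            findings.append(f"{label} {value!r} is ambiguous: {len(hits)} inputs match")
        if hits[0]["type"] != expected_type:
            findings.append(f"{label} {value!r} is an input of type {hits[0]['type']}, "
                            f"expected {expected_type}")

    check(user_form_field, "text", "User Form Field")
    check(password_form_field, "password", "Password Form Field")
    return findings


# Constructed login page: the guide's two example inputs plus a hidden token
# field that must not be mistaken for either credential field.
SAMPLE_LOGIN_FORM = """
<form method=post action=/login>
  <input type=hidden name=csrf id=csrf value=abc123>
  <input type=text name='userid'>
  <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
  <input type=submit value=Login>
</form>
"""

if __name__ == "__main__":
    print(check_sso_fields(SAMPLE_LOGIN_FORM, "userid", "PASSWORD"))   # []
    print(check_sso_fields(SAMPLE_LOGIN_FORM, "username", "PASSWORD"))
    print(check_sso_fields(SAMPLE_LOGIN_FORM, "csrf", "PASSWORD"))
```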
External Web Site
Select HTTPS Mode to use SSL to encrypt communications with this Web site.
Select Disable Security Warning if you do not want to see any security warnings when accessing this Web site. Security warnings are normally displayed when this bookmark refers to anything other than an Application Offloaded Web site.
Select Automatically log in to enable the virtual host domain SSO for this bookmark. If the host in the bookmark refers to a portal with the same shared domain as this portal, selecting this check box allows you to automatically be logged in with this portal’s credential.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Mobile Connect
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
NOTE: Mobile Connect must be running version 2.0 or newer to view and access this Bookmark. Support varies by device and might require supported third-party applications to be installed.
File Shares (CIFS)
NOTE: SMB2 and SMB3 protocols are currently not supported. Servers should be configured to allow communication from a Linux based client.
To restrict access on the client UI, select Set user to access the specific files/folders. To completely restrict access, navigate to the Services > Policies page to set a policy for access constraints. For more information, see Adding User Policies.
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session to log in to the RDP server. Enable the Use Login Domain for SSO option to pass the user’s domain to the RDP server.

Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.

Enable Display Bookmark to Mobile Connect clients to send bookmark information to Mobile Connect clients.

When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so disables access to the DFS file shares from other domains. The SMA/SRA appliance is not a domain member and is not able to connect to the DFS shares.

DFS file shares on a stand-alone root are not affected by this Microsoft restriction.

File Transfer Protocol (FTP) and SSH File Transfer Protocol (SFTP)
Expand Show advanced server configuration to select an alternate value in the Character Encoding drop-down list. The default is Standard (UTF-8).
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session to log in to the FTP server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Telnet HTML5 Settings
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session to log in to the secure Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Secure Shell Version 2 (SSHv2) HTML5 Settings
Select the Default Font Size. Supported options range from 12 to 99 points.
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current Secure Mobile Access session to log in to the secure Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
SSHv2 Common Settings
Optionally select Automatically accept host key. This option allows the browser to keep the server’s public host key in local storage automatically.
Select Display Bookmark to Mobile Connect clients to display the bookmark on mobile devices.
Click Accept to update the configuration. After the configuration has been updated, the new group bookmark displays in the Edit Local Group page.

Configuring Group End Point Control

To configure the End Point Control profiles used by local groups:
1. Navigate to either the Users > Local Users or Users > Local Groups page.
2. Click the configure icon next to the group to be configured for EPC. The Edit Local Group window is displayed.
3. Click the EPC tab. The EPC window is displayed.
4. Configure EPC group settings and add or remove device profiles, as explained in Users > Local Groups.

Group Configuration for LDAP Authentication Domains

NOTE: The Microsoft Active Directory database uses an LDAP organization schema. The Active Directory database might be queried using Kerberos authentication (the standard authentication type; this is labeled “Active Directory” domain authentication in the Secure Mobile Access management interface), or using LDAP database queries. An LDAP domain configured in the Secure Mobile Access management interface can authenticate to an Active Directory server.

Lightweight Directory Access Protocol (LDAP) is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), the SMA/SRA appliance can query this information and provide specific group policies or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SMA/SRA appliance administrator can leverage the groups that have already been configured in an LDAP or Active Directory database, rather than needing to manually recreate the same groups in the SMA/SRA appliance.

After an LDAP authentication domain is created, a default LDAP group is created with the same name as the LDAP domain name. Although additional groups can be added or deleted from this domain, the default LDAP group cannot be deleted. If the user for which you created LDAP attributes enters the Virtual Office home page, the bookmark you created for the group the user is in displays in the Bookmarks Table.

For an LDAP group, you can define LDAP attributes. For example, you can specify that users in an LDAP group must be members of a certain group or organizational unit defined on the LDAP server. Or you can specify a unique LDAP distinguished name.

To add an LDAP attribute for a group so that a user has a bookmark assigned when entering the Virtual Office environment, complete the following steps:
1
Navigate to the Portals > Domains page and click Add Domain to display the Add New Domain window.
2
Select LDAP from the Authentication Type menu. The LDAP domain configuration fields are displayed.

3
Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users select in order to log in to the Secure Mobile Access user portal. It can be the same value as the Server address field.
4
Enter the IP address or domain name of the server in the Server address field.
5
Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search base string is CN=Users,DC=yourdomain,DC=com.
* 
TIP: It is possible for multiple OUs to be configured for a single domain by entering each OU on a separate line in the LDAP baseDN field. In addition, any sub-OUs is automatically included when parents are added to this field.
* 
NOTE: Do not include quotes (“”) in the LDAP BaseDN field.
6
Enter a Server address that has been delegated control of the container that server is in.
7
Enter the user name along with the corresponding password in the Login user name and Login password fields.
* 
NOTE: When entering Login user name and Login password, remember that the SMA/SRA appliance binds to the LDAP tree with these credentials and users can log in with their SMA AccountName.
8
Enter a Backup Server address.
9
Enter the backup user name along with the corresponding backup password in the Login user name and Login password fields
10
Select the name of the portal in the Portal name field. Additional layouts can be defined in the Portals > Portals page.
11
Select Allow password changes (if allowed by LDAP server) if you want to be able to change user’s passwords. The admin account must be used when changing user passwords.
12
Optionally select Use SSL/TLS. This option allows for the needed SSL/TLS encryption to be used for Active Directory password exchanges. This check box should be enabled when setting up a domain using Active Directory authentication.
13
Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:
Verify user name matches Common Name (CN) of client certificate - Select this check box to require that the user’s account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that matches the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
14
Select Delete external user accounts on logout to remove the local account that is created for an external (non-local-domain) user when that user logs out.
15
Select Only allow users listed locally to allow only users with a local record in the Active Directory to log in.
16
Select Auto-assign groups at login to assign users to a group when they log in.

Users logging into Active Directory domains are automatically assigned in real time to Secure Mobile Access groups based on their external AD group memberships. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.

17
Optionally, select One-time passwords to enable the One Time Password feature. A drop-down list appears, in which you can select if configured, required for all users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do not have a One Time Password email address configured are not allowed to log in.
using domain name - All users in the domain use the One Time Password feature. One Time Password emails for all users in the domain are sent to username@domain.com.
18
If you selected if configured or required for all users in the One-time passwords drop-down list, the Active Directory AD e-mail attribute drop-down list appears, in which you can select mail, mobile, pager, userPrincipalName, or custom. These are defined as:
mail - If your AD server is configured to store email addresses using the “mail” attribute, select mail.
mobile or pager - If your AD server is configured to store mobile or pager numbers using either of these attributes, select mobile or pager, respectively. Raw numbers cannot be used, however, SMS addresses can.
userPrincipalName - If your AD server is configured to store email addresses using the “userPrincipalName” attribute, select userPrincipalName.
custom - If your AD server is configured to store email addresses using a custom attribute, select custom. The Custom attribute field appears; type the name of the attribute that your AD server uses to store email addresses. If the specified attribute cannot be found for a user, the email address assigned in that user’s individual policy settings is used.

If you select using domain name, an E-mail domain field appears following the drop-down list. Type in the domain name where one-time password emails are sent (for example, abc.com).

19
If Technician Allowed is enabled, Secure Virtual Assist users can log in with the technician role in this domain.
20
Select the type of user from the User Type drop-down list. All users logging in through this domain are treated as this user type. The choices depend on user types defined already. Some possible choices are:
External User – Users logging into this domain are treated as normal users without administrative privileges.
External Administrator – Users logging into this domain are treated as administrators, with local Secure Mobile Access admin credentials. These users are presented with the admin login page.

This option allows the Secure Mobile Access administrator to configure a domain that allows Secure Mobile Access admin privileges to all users logging into that domain.

SonicWall Inc. recommends adding filters that allow administrative access only to those users who are in the correct group. You can do so by editing the domain on the Users > Local Groups page.

Read-only Administrator – Users logging into this domain are treated as read-only administrators and can view all information and settings, but cannot apply any changes to the configuration. These users are presented with the admin login page.
21
Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.
22
Navigate to the Users > Local Groups page and click the configure icon. The Edit Group Settings page is displayed, with fields for LDAP attributes on the General tab.

23
On the General tab, you can optionally fill out one or multiple LDAP Attribute fields with the appropriate names where name=value is the convention for adding a series of LDAP attributes. To see a full list of LDAP attributes, refer to the SonicWall Inc. LDAP Attribute document.

As a common example, fill out an attribute field with the memberOf= attribute which can bundle the following common variable types:

CN= - the common name.
DN= - the distinguished name.
DC= - the domain component.

Enclose the value you bundle in the memberOf line in double quotes, and separate the components with commas. An example of the syntax using the CN and DC components would be:

memberOf="CN=<string>, DC=<string>"

An example of a line you might enter into the LDAP Attribute field, using the CN and DC variables would be:

memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"

24
Type an inactivity timeout value (in minutes) in the Inactivity Timeout field. Enter 0 (zero) to use the global inactivity timeout setting.
25
Under Single Sign-On Settings, in the Automatically log into bookmarks list, select one of the following:
Use global policy – Use the global policy for using SSO to log in to bookmarks.
User-controlled (enabled by default for new users) – Enable SSO to log in to bookmarks for new users, and allow users to change this setting.
User-controlled (disabled by default for new users) – Disable SSO to log in to bookmarks for new users, and allow users to change this setting.
Enabled – Enable SSO to log in to bookmarks
Disabled – Disable SSO to log in to bookmarks
26
Click Accept when done.

LDAP Attribute Information

When configuring LDAP attributes, the following information could be helpful:

If multiple attributes are defined for a group, all attributes must be met by LDAP users.
LDAP authentication binds to the LDAP tree with the credentials configured in the domain’s Login user name and Login password fields. If those fields are left blank, the appliance binds as the user who is logging in, and against Active Directory this requires the user to log in with the value of the CN (common name) attribute, which is the full name, rather than the sAMAccountName (login name). For example, if your Active Directory login name is gkam and your full name is guitar kam, you would have to log in to the SMA/SRA appliance as guitar kam. If a login user name is supplied in the domain, that account is used to bind to the tree and users log in with their sAMAccountName (gkam).
If no attributes are defined, then any user authorized by the LDAP server can be a member of the group.
If multiple groups are defined and a user meets all the LDAP attributes for two groups, then the user is considered part of the group with the most LDAP attributes defined. If the matching LDAP groups have an equal number of attributes, then the user is considered a member of the group based on the alphabetical order of the groups.
If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SMA/SRA appliance, then the user is not able to log in to the portal. So the LDAP attributes feature not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to only allow certain LDAP users to log in to the portal.
Example of LDAP Users and Attributes

If a user is manually added to a LDAP group, then the user setting takes precedence over LDAP attributes.

For example, an LDAP attribute objectClass="Person" is defined for group Group1 and an LDAP attribute memberOf="CN=WINS Users,DC=sonicwall,DC=net" is defined for Group2.

If user Jane is defined by an LDAP server as a member of the Person object class, but is not a member of the WINS Users group, Jane is a member of SMA/SRA appliance Group1.

But if the administrator manually adds the user Jane to SMA/SRA appliance Group2, then the LDAP attributes are ignored and Jane is a member of Group2.

Sample LDAP Attributes

You can enter up to four LDAP attributes per group. The following are some example LDAP attributes of Active Directory LDAP users:

name="Administrator"
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
objectClass="user"
msNPAllowDialin="FALSE"

Querying an LDAP Server

If you would like to query your LDAP or Active Directory server to find out the LDAP attributes of your users, there are several different methods. From a machine with LDAP search tools (for example, a Linux machine with OpenLDAP installed) run the following command:

ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=sonicwall,dc=net" -w demo123 -b "dc=sonicwall,dc=net" > /tmp/file

Where:

10.0.0.5 is the IP address of the LDAP or Active Directory server
cn=demo,cn=users,dc=sonicwall,dc=net is the distinguished name of an LDAP user
demo123 is the password for the user demo
dc=sonicwall,dc=net is the base domain that you are querying
> /tmp/file is optional and defines the file where the LDAP query results are saved.

Giving the password with -w places it in your shell history and in the process list while the query runs; use -W instead to be prompted for it. As written, the command binds over plain LDAP; replace -h 10.0.0.5 with -H ldaps://10.0.0.5 to query over TLS.

For instructions on querying an LDAP server from a Windows server, refer to:

http://technet.microsoft.com/en-us/library/cc783845(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc731033(v=ws.10).aspx
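The following is an added example, not code from this guide or from the appliance: a Python model of the rules listed under LDAP Attribute Information, run over constructed ldapsearch (LDIF) output of the kind the command above produces. The users, DNs and the Group3 definition are assumptions made for the example, and so is the way attribute values are compared (case-insensitive, ignoring spaces after commas); the appliance’s exact comparison rules are not stated on this page.

```python
"""Added example (not SonicWall code): a model of the LDAP attribute group rules,
run over constructed ldapsearch (LDIF) output."""
from collections import defaultdict

# Constructed LDIF in the shape ldapsearch prints. The users, DNs and values are
# assumptions for this example; one memberOf value is folded onto a second line
# the way LDIF does for long values.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,CN=Users,DC=sonicwall,DC=net
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: jdoe
memberOf: CN=WINS Users,DC=sonicwall,DC=net
memberOf: CN=Terminal Server Computers,CN=Users,DC=sonicwall,
 DC=net

dn: CN=Bob Smith,CN=Users,DC=sonicwall,DC=net
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: bsmith
msNPAllowDialin: FALSE

dn: CN=Svc Backup,CN=Users,DC=sonicwall,DC=net
objectClass: top
objectClass: user
sAMAccountName: svcbackup
"""

# Group rules in the name="value" form used on the Edit Group Settings page
# (up to four per group). Group1 and Group2 follow the text; Group3 is an
# assumption added to show the "most attributes wins" rule.
GROUPS = {
    "Group1": ['objectClass="Person"'],
    "Group2": ['memberOf="CN=WINS Users,DC=sonicwall,DC=net"'],
    "Group3": ['objectClass="user"',
               'memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"'],
}


def parse_ldif(text):
    """Return one {attribute (lowercased): [values]} dict per LDIF entry."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():                      # a blank line ends the entry
            current, last_attr = None, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]    # LDIF line folding
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                # '::' marks base64; not needed here
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries.append(current)
        if current is not None:
            current[attr].append(value)
            last_attr = attr
    return entries


def _norm(value):
    """Assumption: compare case-insensitively and ignore spaces after commas in DNs."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def rule_matches(entry, rule):
    """True if the entry has attribute `name` with value `value` for a name="value" rule."""
    attr, _, wanted = rule.partition("=")
    wanted = wanted.strip().strip('"')
    return any(_norm(v) == _norm(wanted) for v in entry.get(attr.strip().lower(), []))


def assign_group(entry, groups, manual=None):
    """Rules from the text: a manually added user keeps that group; otherwise every
    attribute of a group must match; the group with the most attributes wins; ties
    go to the alphabetically first name; a group with no attributes accepts any
    authenticated user; a user matching no group is refused (None)."""
    user = entry.get("samaccountname", [""])[0]
    if manual and user in manual:
        return manual[user]
    matching = [g for g, rules in groups.items()
                if all(rule_matches(entry, r) for r in rules)]
    if not matching:
        return None
    return min(matching, key=lambda g: (-len(groups[g]), g))


def evaluate_logins(ldif_text, groups, manual=None):
    """Map each sAMAccountName in the LDIF to the SMA group it would land in."""
    return {e["samaccountname"][0]: assign_group(e, groups, manual)
            for e in parse_ldif(ldif_text) if "samaccountname" in e}


if __name__ == "__main__":
    for user, group in evaluate_logins(SAMPLE_LDIF, GROUPS, {"jdoe": "Group2"}).items():
        print(f"{user}: {group or 'login refused (no group matched)'}")
```

Feeding the model the real output of the ldapsearch command above (saved to /tmp/file) is a quick way to check, before enabling a domain, which users each rule set admits and, more importantly, which users it silently refuses.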

Group Configuration for Active Directory and RADIUS Domains

For authentication to RADIUS or Active Directory servers (using Kerberos), you can individually define AAA users and groups. This is not required, but it enables you to create separate policies or bookmarks for individual AAA users.

When a user logs in, the SMA/SRA appliance validates with the appropriate Active Directory or RADIUS server that the user is authorized to log in. If the user is authorized, the SMA/SRA appliance checks whether the user exists in the SMA/SRA appliance database of users and groups. If the user is defined, then the policies and bookmarks defined for the user apply.

For example, if you create a RADIUS domain in the SMA/SRA appliance called “Miami RADIUS server,” you can add users to groups that are members of the “Miami RADIUS server” domain. These user names must match the names configured in the RADIUS server. Then, when users log in to the portal, the policies, bookmarks and other user settings apply to those users. If the AAA user does not exist in the SMA/SRA appliance, then only the global settings, policies and bookmarks apply to the user.

This section contains the following subsections:

Bookmark Support for External (Non-Local) Users

The Virtual Office bookmark system allows bookmarks to be created at both the group and user levels. The administrator can create both group and user bookmarks which are propagated to applicable users, while individual users can create only personal bookmarks.

Because bookmarks are stored within the SMA/SRA appliance’s local configuration files, it is necessary for group and user bookmarks to be correlated to defined group and user entities. When working with local (LocalDomain) groups and users, this is automated since the administrator must manually define the groups and users on the appliance. Similarly, when working with external (non-LocalDomain, for example, RADIUS or LDAP) groups, the correlation is automated since creating an external domain creates a corresponding local group.

However, when working with external (non-LocalDomain) users, a local user entity must exist so that any user-created (personal) bookmarks can be stored within the Secure Mobile Access configuration files. The need to store bookmarks on the SMA/SRA appliance itself is because LDAP and RADIUS external domains do not provide a direct facility to store such information as bookmarks.

Rather than requiring administrators to manually create local users for external domain users to use personal bookmarks, the SMA/SRA appliance automatically creates a corresponding local user entity upon user login. Bookmarks can be added to the locally-created user.

For example, if a RADIUS domain called myRADIUS is created, and RADIUS user jdoe logs on to the SMA/SRA appliance, the moment jdoe adds a personal bookmark, a local user called jdoe is created on the SMA/SRA appliance as type External, and can then be managed like any other local user by the administrator. The external local user remains until deleted by the administrator.

Adding a RADIUS Group

* 
NOTE: Before configuring RADIUS groups, ensure that the RADIUS Filter-Id option is enabled for the RADIUS Domain to which your group is associated. This option is configured in the Portals > Domains page.

The RADIUS Groups tab allows the administrator to enable user access to the SMA/SRA appliance based on existing RADIUS group memberships. By adding one or more RADIUS groups to a Secure Mobile Access group, only users associated with the specified RADIUS group(s) are allowed to log in.

To add a RADIUS group:
1
In the Users > Local Groups page, click Configure for the RADIUS group you want to configure.
2
On the RADIUS Groups tab, click Add Group... The Add RADIUS Group page displays.
3
Enter the RADIUS Group name in the corresponding field. The group name must exactly match the value the RADIUS server returns in the Filter-Id attribute of its Access-Accept reply.
4
Click Accept. The group displays in the RADIUS Groups section.

Adding an Active Directory Group

The AD Groups tab allows the administrator to enable user access to the SMA/SRA appliance based on existing AD group memberships. By adding one or more AD groups to a Secure Mobile Access group, only users associated with the specified AD group(s) are allowed to log in.

* 
NOTE: Before configuring an Active Directory group, ensure that you have already created an Active Directory domain. This option is configured in the Portals > Domains page.
To add an AD group:
1
In the Users > Local Groups page, click Configure for the AD group you want to configure.
2
On the AD Groups tab, click Add Group... The Add Active Directory Group page displays.
3
Enter the Active Directory Group name in the corresponding field.
4
Optionally, select Associate with AD group if you wish to associate the Secure Mobile Access group with your AD group. This step can also be completed at a later time in the Edit Group page under the AD Groups tab.
5
Click Accept. The group displays in the Active Directory Groups section. The process of adding a group can take several moments. Do not click Add more than one time during this process.

Creating a Citrix Bookmark for a Local Group

To configure a Citrix bookmark for a local group:
1
Navigate to Users > Local Groups.
2
Click the configure icon next to the group you want to configure.
3
In the Edit Group Settings window, select the Bookmarks tab.
4
Click Add Bookmark...
5
Enter a name for the bookmark in the Bookmark Name field.
6
Enter the name or IP address of the bookmark in the Name or IP Address field.
7
From the Service drop-down list, select Citrix Portal (Citrix).
8
Select the Resource Window Size from the drop-down list.
9
Select an Access Type Selection: Smart or Manual.
Smart: Allows the firmware to decide which mode to launch on the client.

When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark.

Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.

The launch sequence is as follows: HTML5, Native, and ActiveX. Selecting Manual allows you to change, enable, or disable the launch methods. If you select Native to launch the Citrix bookmark, then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix connection.

The up and down arrows adjust the launch priority. The cross and tick icons disable or enable the modes. Disabled modes are put at the bottom of the list in a gray font.

The Choose during Launch option is not enabled by default under the Manual mode. In this setting, while launching the bookmark, the first available mode in the configured list is run at once after auto-detection.

After the Choose during Launch option is enabled, while launching the unified bookmark, if there are multiple modes available for the client, a menu is provided from which you can choose within a five second count-down. When only one mode is available, the bookmark is also run immediately.

If the Remember my choice option is selected during the launch time, the selected mode is remembered through a cookie.

That means, when next launching the bookmark, the remembered mode is run directly within two seconds. Clicking anywhere in the HTML can 'forget' the remembered mode so you can re-choose.

Editing or deleting the bookmark in the same browser can also reset the remembered mode.

When no mode is able to run on the client with the current configuration, a notice to that effect appears.

10
Optionally select HTTPS Mode to have the bookmark connect to the Citrix server over HTTPS.
11
Optionally, select Always use specified Citrix ICA Server and specify the IP address in the ICA Server Address field that appears. This setting allows you to specify the Citrix ICA Server address for the Citrix ICA session. By default, the bookmark uses the information provided in the ICA configuration on the Citrix server.
12
Click Accept.

Global Configuration

SMA/SRA appliance global configuration is defined from the Local Users or Local Groups environment. To view either, click the Users option in the left navigation menu, then click either the Local Users or Local Groups option. This section contains the following configuration tasks:

Edit Global Settings

To edit global settings:
1
Navigate to either the Users > Local Users or Users > Local Groups window.
2
Click the configure icon next to Global Policies. The Edit Global Settings window is displayed.

3
On the General tab, enter the number of minutes of inactivity to allow in the Inactivity Timeout field. This sets the inactivity timeout for all users and groups that do not have their own value; users are signed out of the Virtual Office after that period.
* 
NOTE: The inactivity timeout can be set at the user, group and global level. If one or more timeouts are configured for an individual user, the user timeout setting takes precedence over the group timeout and the group timeout takes precedence over the global timeout. Setting the global settings timeout to 0 disables the inactivity timeout for users that do not have a group or user timeout configured.
4
To allow users to add new bookmarks, select Allow from the Allow User to Add Bookmarks drop-down menu. To prevent users from adding new bookmarks, select Deny.
5
To allow users to edit or delete user-owned bookmarks, select Allow from the Allow User to Edit/Delete Bookmarks drop-down menu. To prevent users from editing or deleting user-owned bookmarks, select Deny.
* 
NOTE: Users cannot edit or delete group and global bookmarks.
6
In the Automatically log into bookmarks drop-down list, select one of the following options:
User-controlled (enabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) automatic login for bookmarks. This setting enables automatic login by default for new users.
User-controlled (disabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) automatic login for bookmarks. This setting disables automatic login by default for new users.
Enabled: Select this option to enable automatic login for bookmarks.
Disabled: Select this option to disable automatic login for bookmarks.
7
Click Accept to save the configuration changes.
8
Navigate to the Nx Settings tab.
9
To set a client address range, enter a beginning address in the Client Address Range Begin field and an ending address in the Client Address Range End field.
10
To set a client IPv6 address range, enter a beginning IPv6 address in the Client IPv6 Address Range Begin field and an ending IPv6 address in the Client IPv6 Address Range End field.
11
In the Exit Client After Disconnect drop-down list, select Enabled or Disabled.
12
In the Uninstall Client After Exit drop-down list, select Enabled or Disabled.
13
In the Create Client Connection Profile drop-down list, select Enabled or Disabled.
14
In the User Name & Password Caching drop-down list, select one of the following:
Allow saving of user name only - Allow caching of the user name on the client. Users only need to enter their password when starting NetExtender.
Allow saving of user name & password - Allow caching of the user name and password on the client. Users are automatically logged in when starting NetExtender, after the first login. Anyone with access to that client, for example on a lost or shared laptop, can then connect without being prompted for credentials.
Prohibit saving of user name & password - Do not allow caching of the user name and password on the client. Users are required to enter both user name and password when starting NetExtender.
15
Navigate to the Nx Routes tab.
16
In the Tunnel All Mode drop-down list, select Enabled to force all traffic for the user, including traffic destined to the remote user’s local network, over the Secure Mobile Access NetExtender tunnel. Tunnel All Mode is disabled by default.
17
To add a client route, click Add Client Route...
18
In the Add Client Route window, enter a destination network in the Destination Network field. For example, enter the IPv4 network address 10.202.0.0. For IPv6, enter the IPv6 network address in the form 2007::1:2:3:0.
19
For an IPv4 destination network, type the subnet mask in the Subnet Mask/Prefix field using decimal format (255.0.0.0, 255.255.0.0, or 255.255.255.0). For an IPv6 destination network, type the prefix, such as 112.
20
Click Add.
21
Click Accept to save the configuration changes.
22
Navigate to the Policies tab.
23
To add a policy, click Add Policy...
24
In the Apply Policy To drop-down list, select one of the following: IP Address, IP Address Range, All Addresses, Network Object, Server Path, URL Object, All IPv6 Address, IPv6 Address, or IPv6 Address Range.
25
Enter a name for the policy in the Policy Name field.
26
In the fields that appear based on your Apply Policy To settings, fill in the appropriate information. For example, if you select IP Address in the Apply Policy To drop-down list, you need to supply the IP Address in the IP Address field and the service in the Service drop-down list. If you select IPv6 Address Range, enter the beginning IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6 address range in the IPv6 Prefix field. Optionally enter a port range (80-443) or a single port number into the Port Range/Port Number field. This field is available when you select IP Address, IP Address Range, IPv6 Address, or IPv6 Address Range in the Apply Policy To drop-down list.
27
Click Accept to save the configuration changes.
28
Click the Bookmarks tab.
29
To add a bookmark, click Add Bookmark...
30
Enter a bookmark name in the Bookmark Name field.
31
Enter the bookmark name or IP address in the Name or IP Address field.
32
Select one of the following services from the Service drop-down list: Terminal Services (RDP), Virtual Network Computing (VNC), Citrix Portal (Citrix), Web (HTTP), Secure Web (HTTPS), File Shares (CIFS), File Transfer Protocol (FTP), SSH File Transfer Protocol (SFTP), Telnet, or Secure Shell Version 2 (SSHv2).
* 
NOTE: IPv6 is not supported on File Shares bookmarks.
33
In the fields that appear based on your Service settings, fill in the appropriate information. For example, if you select Terminal Services (RDP), you need to select the desired screen size from the Screen Size drop-down list.
34
Click Accept to save the configuration changes.

Edit Global Policies

To define global access policies:
1
Navigate to either the Users > Local Users or Users > Local Groups window.
2
Click the configure icon next to Global Policies. The Edit Global Settings window is displayed.

3
On the Policies tab, click Add Policy. The Add Policy window is displayed.
* 
NOTE: User and group access policies take precedence over global policies.
4
In the Apply Policy To drop-down list, select one of the following: IP Address, IP Address Range, All Addresses, Network Object, Server Path, URL Object, All IPv6 Address, IPv6 Address, or IPv6 Address Range.
5
Type a name for the policy in the Policy Name field.
* 
NOTE: SMA/SRA appliance policies apply to the destination address(es) of the SMA/SRA connection, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SMA/SRA appliance through the policy engine.
If your policy applies to a specific IPv4 host, select the IP Address option from the Apply Policy To drop-down list and enter the IPv4 address of the local host machine in the IP Address field.
If your policy applies to a range of IPv4 addresses, select the IP Address Range option from the Apply Policy To drop-down list and enter the IPv4 network address in the IP Network Address field and the subnet mask in the Subnet Mask field.
If your policy applies to a specific IPv6 host, select the IPv6 Address option from the Apply Policy To drop-down list and enter the IPv6 address of the local host machine in the IPv6 Address field.
If your policy applies to a range of IPv6 addresses, select the IPv6 Address Range option from the Apply Policy To drop-down list and enter the IPv6 network address in the IPv6 Network Address field and the IPv6 prefix in the IPv6 Prefix field.
6
Optionally enter a port range (80-443) or a single port number into the Port Range/Port Number field. This field is available when you select IP Address, IP Address Range, IPv6 Address, or IPv6 Address Range in the Apply Policy To drop-down list.
7
Select the service type in the Service drop-down list. If you are applying a policy to a network object, the service type is defined in the network object.
8
Select ALLOW or DENY from the Status drop-down list to either permit or deny SMA/SRA connections for the specified service and host machine.
9
Click Accept to update the configuration. After the configuration has been updated, the new policy is displayed in the Edit Global Settings window. The global policies are displayed in the policy list in the Edit Global Settings window in the order of priority, from the highest priority policy to the lowest priority policy.
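As an added example that is not part of this guide: a Python model of the policy evaluation described in the steps and notes above. The ordering (user policies before group policies, group before global, and each list in its displayed priority order) and the destination-only matching come from the text; the service labels, the sample policies and the ALLOW default when no policy matches are assumptions made for the example.

```python
"""Added example (not SonicWall code): a model of how destination-based access
policies are evaluated. Precedence and destination-only matching follow the guide;
the default when nothing matches, and the sample policies, are assumptions."""
import ipaddress


def policy(name, status, target="all", service="Any", ports=None):
    """One row of the Add Policy page. target: "all" (All Addresses), a single host
    ("10.202.1.10"), or a network in address/mask or prefix form
    ("10.202.0.0/255.255.0.0", "2001:db8:0:1::/112"). ports: None, 443, or "80-443"."""
    scope = None if target == "all" else ipaddress.ip_network(target, strict=False)
    if ports is None:
        lo = hi = None
    elif isinstance(ports, str) and "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return {"name": name, "status": status, "scope": scope,
            "service": service, "ports": (lo, hi)}


def matches(pol, dst_ip, dst_port, service):
    """A policy matches on destination address, service and port only."""
    if pol["scope"] is not None and ipaddress.ip_address(dst_ip) not in pol["scope"]:
        return False                 # also False when v4/v6 families differ
    if pol["service"] not in ("Any", service):
        return False
    lo, hi = pol["ports"]
    return lo is None or lo <= dst_port <= hi


def decide(dst_ip, dst_port, service, user=(), group=(), global_=(), default="ALLOW"):
    """Return (status, policy name). User policies are checked before group policies,
    group before global, and each list in its listed (priority) order. There is
    deliberately no source-address argument: the engine only looks at the destination.
    `default` (assumption) applies when no policy at any level matches."""
    for level in (user, group, global_):
        for pol in level:
            if matches(pol, dst_ip, dst_port, service):
                return pol["status"], pol["name"]
    return default, None


# Constructed policy sets for this example (names and addresses are assumptions).
GLOBAL = [
    policy("block-finance-subnet", "DENY", "10.202.0.0/255.255.0.0"),
    policy("block-v6-web", "DENY", "2001:db8:0:1::/112", ports="80-443"),
    policy("allow-rest", "ALLOW"),
]
GROUP_FINANCE = [policy("finance-web", "ALLOW", "10.202.1.10",
                        "Secure Web (HTTPS)", 443)]
USER_ALICE = [policy("alice-no-ssh", "DENY", "10.202.1.10",
                     "Secure Shell Version 2 (SSHv2)", 22)]


if __name__ == "__main__":
    # A finance-group member reaches the finance web server although the global
    # list denies the whole subnet; everyone else is stopped by the global DENY.
    print(decide("10.202.1.10", 443, "Secure Web (HTTPS)", USER_ALICE, GROUP_FINANCE, GLOBAL))
    print(decide("10.202.1.10", 443, "Secure Web (HTTPS)", (), (), GLOBAL))
```

The model makes the two points a practitioner most often gets wrong visible: a broad global DENY is overridden by a narrow group or user ALLOW, and swapping the order of the two global entries would make allow-rest shadow block-finance-subnet entirely.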

Edit a Policy for a File Share

To edit file share access policies:
1
Navigate to either the Users > Local Users or Users > Local Groups window.
2
Click the configure icon next to Global Policies. The Edit Global Settings window is displayed.
3
Select the Policies tab.
4
Click Add Policy.
5
Select Server Path from the Apply Policy To drop-down list.
6
Type a name for the policy in the Policy Name field.
7
In the Resource field, select one of the following radio buttons for the type of resource:
Share (Server path)
Network (Domain list)
Servers (Computer list)
8
In the Server Path field, enter the server path in the format servername/share/path or servername\share\path. The prefixes \\, //, \ and / are acceptable.
* 
NOTE: Share and path provide more granular control over a policy. Both are optional.
9
Select PERMIT or DENY from the Status drop-down list.
10
Click Accept.

Edit Global Bookmarks

To edit global bookmarks:
1
Navigate to either the Users > Local Users or Users > Local Groups page.
2
Click the configure icon next to Global Policies. The Edit Global Settings window is displayed.
3
Click Add Bookmark. An Add Bookmark window is displayed.
* 
NOTE: When global bookmarks are defined, all users see the defined bookmarks from the Secure Mobile Access user portal. Individual users are not able to delete or modify global bookmarks.
4
Enter a descriptive name in the Bookmark Name field.
5
Enter the domain name or the IP address of a host machine on the LAN in the Name or IP Address field.
6
Select the service type in the Service drop-down list.
7
Click Accept to update the configuration. After the configuration has been updated, the new global bookmark is displayed in the bookmarks list in the Edit Global Settings window.

Edit EPC Settings

To configure global End Point Control profiles for local groups or users:
1
Navigate to either the Users > Local Users or Users > Local Groups page.
2
Click the configure icon next to Global Policies. The Edit Global Settings window is displayed.
3
Click the EPC tab. The EPC window is displayed.
4
Configure EPC global settings and add or remove device profiles, as explained in Users > Local Users and Users > Local Groups.

Log Configuration

This section provides information and configuration tasks specific to the Log pages on the Secure Mobile Access web-based management interface.

Topics:

Log > View

The SMA/SRA appliance supports web-based logging, syslog logging and email alert messages. In addition, the SMA/SRA appliance can be configured to email the event log file to the Secure Mobile Access administrator before the log file is cleared.

This section provides an overview of the Log > View page and a description of the configuration tasks available on this page.

Log > View Overview

The Log > View page allows the administrator to view the Secure Mobile Access event log. The event log can also be automatically sent to an email address for convenience and archiving.

Log > View

The Log > View page displays log messages in a sortable, searchable table. The SMA/SRA appliance can store up to 1GB of log data in the log file system, with a limit of 50MB for each log file. Each log entry contains the date and time of the event and a brief message describing the event. After the log file reaches the log size limit, the log is cleared and optionally emailed to the Secure Mobile Access administrator.

The log table size can be specified on the System > Administration page under Default Table Size.

Column Views

Each log entry displays the following information:

 

Log View Columns 

Column

Description

Time

The time stamp displays the date and time of log events in the format YY/MM/DD/HH/MM/SS (Year/Month/Day/Hour/Minute/Second). Hours are displayed in 24-hour clock format. The date and time are based on the local time of the SMA/SRA gateway which is configured in the System > Time page.

Priority

The level of severity associated with the event. Severity levels can be Emergency, Alert, Critical, Error, Warning, Notice, Information, and Debug.

Category

The category of the event message. Categories include Authentication, Authorization & Access, GMS, NetExtender, System, Virtual Assist, and Web Application Firewall.

Source

The Source IP address shows the IP address of the machine of the user or administrator that generated the log event. The source IP address cannot be displayed for certain events, such as system errors.

Destination

The Destination IP address shows the name or IP address of the server or service associated with the event. For example, if a user accessed an intranet Web site through the Secure Mobile Access portal, the corresponding log entry would display the IP address or Fully Qualified Domain Name (FQDN) of the Web site accessed.

User

The name of the user who was logged into the appliance when the message was generated.

Location

The geographical location of the source IP for each event log message.

Message

The text of the log message.

Navigating and Sorting Log View Table Entries

The Log View page provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the facilities described in the following table:

Log Table Navigation Facilities

Find: Enables you to search for a log entry containing a specified value based on a criteria type you select in the criteria list. Criteria include Time, Priority, Source, Destination, and User. Search results are listed in various orders depending upon the criteria type.

Exclude: Enables you to display all log entries except the type specified in the criteria list.

Reset: Resets the listing of log entries to their default sequence after you have displayed them in an alternate way using the search buttons.

Log > View Buttons

The Log > View page also contains options that allow the administrator to send or save log files for external viewing or processing.

Log rendering options

Export Log: Exports the current log contents to a text-based file. Local log contents are cleared after an export log command.

Clear Log: Clears the current log contents.

E-Mail Log: Emails the current log contents to the address specified in the Log > Settings screen. Local log contents are cleared after an email log command.

Viewing Logs

The Log > View page allows the administrator to view the SMA event log. The SMA/SRA appliance maintains an event log for tracking system events, for example, unsuccessful login attempts, NetExtender sessions, and logout events. This log can be viewed in the Log > View page, or it can be automatically sent to an email address for convenience and archiving.

The SMA/SRA appliance can store up to 1GB of log data in the log file system. Logs are displayed in a sortable, searchable table. The appliance can alert you to events, such as a successful login or an exported configuration. Alerts can be emailed immediately upon generation, and the admin can choose the format of the logs included in the email: in-line text appearing within the email body, or a zipped attachment (default). Each log entry contains the date and time of the event and a brief message describing the event. After the log file reaches the 50 MB log size limit, the log is cleared and optionally emailed to the Secure Mobile Access administrator.

Each log entry displays the following information:

Log View Columns

Time: Displays the date and time of log events in the format YY/MM/DD/HH/MM/SS (Year/Month/Day/Hour/Minute/Second). Hours are displayed in 24-hour clock format. The date and time are based on the local time of the SMA/SRA gateway, which is configured in the System > Time page.

Priority: Displays the level of severity associated with the event. Severity levels can be Emergency, Alert, Critical, Error, Warning, Notice, Information, and Debug.

Category: The category of the event message.

Source: Displays the IP address of the user's or administrator's machine that generated the log event. The source IP address cannot be displayed for certain events, such as system errors.

Destination: Displays the name or IP address of the server or service associated with the event. For example, if a user accessed an Internet Web site through the Secure Mobile Access portal, the corresponding log entry would display the IP address or Fully Qualified Domain Name (FQDN) of the Web site accessed.

User: The name of the user who was logged into the appliance when the message was generated.

Message: The text of the log message.

Emailing Logs

The E-mail Log button allows the administrator to immediately send and receive a copy of the Secure Mobile Access event log. This feature is useful for archiving logs by email and for testing the email configuration and email filters of multiple SMA/SRA appliances.

To use the E-mail Log feature:
1. Navigate to Log > View.
2. Click E-mail Log.
3. The message Log has been successfully sent appears.

NOTE: If you receive an error message, verify that the administrator email and mail server information has been specified in the Email Logging and Alerts section of the Log > Settings page. For instructions on configuring the administrator email, refer to Configuring Log Settings.

Log > Settings

This section provides an overview of the Log > Settings page and a description of the configuration tasks available on this page.

Log > Settings Overview

The Log > Settings page allows the administrator to configure log alert and syslog server settings. Syslog is an industry-standard logging protocol that records system and networking activity. The syslog messages are sent in WELF (WebTrends Enhanced Log Format), so most standard firewalls and networking reporting products can accept and interpret the log files. The syslog service transmits syslog messages to external syslog server(s) listening on UDP port 514.

Log > Settings Page

Log & Alert Levels

The Log & Alert Levels section allows the administrator to select categories for Syslog, Event log, and Alerts. The categories are: emergency, alert, critical, error, warning, notice, info, and debug.

Syslog Settings

The Syslog Settings section allows the administrator to specify the primary and secondary Syslog servers.

Event Logging and Alerts

The Event Logging and Alerts section allows the administrator to configure email alerts by specifying the email address for logs to be sent to, the mail server, mail from address, and the frequency to send alert emails. You can schedule a day and hour at which to email the event log, or schedule a weekly email, or send the email when the log is full. You can enable SMTP authentication and configure the user name and password along with the SMTP port.

Configuring Log Settings

To configure log and alert settings, complete the following steps:
1. To begin configuring event log, syslog and alert settings, navigate to the Log > Settings page.
2. In the Log & Alert Levels section, define the severity level of log messages that are identified as log (event log), alert, or syslog messages. Log levels are organized from most to least critical. If a level is selected for a specific logging service, then that log level and more critical events are logged. For example, if the Error level is selected for the Log service, then all Emergency, Alert, Critical, and Error events are stored in the internal log file.
3. Enter the IP address or fully qualified domain name (FQDN) of your syslog server in the Primary Syslog Server field. Leave this field blank if you do not require syslog logging.
4. If you have a backup or second syslog server, enter the server's IP address or domain name in the Secondary Syslog Server field.
5. Designate when log files are cleared and emailed to an administrator in the Send Event Logs field. If the option When Full is selected, the event log is emailed when it reaches the maximum file size of 50MB. The log file is then cleared. If Daily is selected, select the hour at which to email the event log. If Weekly is selected, select the day of the week and the hour. If Daily or Weekly are chosen, the log file is still sent if the log file is full before the end of the period. In the Log > View page, you can click Clear Log to delete the current event log. The event log is not emailed in this case.
6. To receive event log files through email, enter your full email address (username@domain.com) in the Email Event Logs to field in the Event Logging and Alerts region. The event log file is emailed to the specified email address before the event log is cleared. If this field is left blank, log files are not emailed.
7. To receive alert messages through email, enter your full email address (username@domain.com) or an email pager address in the Email Alerts to field. An email is sent to the email address specified if an alert event occurs. If this field is left blank, alert messages are not emailed.

NOTE: Define the type of events that will generate alert messages on the Log > Categories page.

8. To email log files or alert messages, enter the domain name or IP address of your mail server in the Mail Server field. If this field is left blank, log files and alert messages are not emailed.
9. Specify a Mail From Address in the corresponding field. This address appears in the from field of all log and alert emails.
10. To use SMTP authentication when sending log files, select Enable SMTP Authentication. The display changes to expose related fields. Enter the user name, password, and the SMTP port to use. The default port is 25.
11. Click Accept to update your configuration settings.
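The two behaviours described above, the WELF key=value syslog records the appliance forwards to a collector and the "selected level and more critical" rule for log levels, are illustrated by the following added example. It is not code from the guide or from SonicWall; the sample records are constructed, and the assumption that the WELF "pri" field carries the syslog severity code (0 = Emergency through 7 = Debug) is labelled in the code.

```python
import shlex
from typing import Dict, List, Tuple

# Severity levels exactly as the Log > Settings page lists them, most to least
# critical. Assumption: the WELF "pri" field carries the syslog severity code
# (0 = Emergency ... 7 = Debug), so a lower number means more critical.
SEVERITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Information", "Debug"]

# Constructed sample records in WELF key=value form, as a collector listening
# on UDP 514 would see them after stripping the syslog <PRI> header.
# These are not real appliance output; addresses are documentation ranges.
SAMPLE_LINES = [
    'id=sma time="2024-05-01 09:15:02" fw=sma-gw pri=3 src=203.0.113.7 user=alice msg="Login failed"',
    'id=sma time="2024-05-01 09:15:09" fw=sma-gw pri=6 src=203.0.113.7 user=alice msg="Login succeeded"',
    'id=sma time="2024-05-01 09:16:30" fw=sma-gw pri=1 src=198.51.100.4 msg="Geo IP block: source country denied"',
    'id=sma time="2024-05-01 09:17:00" fw=sma-gw pri=7 msg="NetExtender keepalive"',
]

def parse_welf(line: str) -> Dict[str, str]:
    """Split one WELF record into a dict; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):        # shlex honours the double quotes
        key, sep, value = token.partition("=")
        if sep:                            # ignore bare tokens without '='
            fields[key] = value
    return fields

def severity_name(fields: Dict[str, str]) -> str:
    """Map the numeric pri code to the level name shown in the admin UI."""
    code = int(fields.get("pri", len(SEVERITY_ORDER) - 1))
    code = max(0, min(code, len(SEVERITY_ORDER) - 1))   # clamp malformed values
    return SEVERITY_ORDER[code]

def passes_threshold(fields: Dict[str, str], selected_level: str) -> bool:
    """True when the record is at the selected level or more critical, i.e.
    selecting Error keeps Emergency, Alert, Critical and Error records."""
    return SEVERITY_ORDER.index(severity_name(fields)) <= SEVERITY_ORDER.index(selected_level)

def filter_events(lines: List[str], selected_level: str) -> List[Tuple[str, str, str]]:
    """Return (level, user, msg) for every record that passes the threshold."""
    kept = []
    for line in lines:
        f = parse_welf(line)
        if passes_threshold(f, selected_level):
            kept.append((severity_name(f), f.get("user", "-"), f.get("msg", "")))
    return kept

if __name__ == "__main__":
    for row in filter_events(SAMPLE_LINES, "Error"):   # mirrors selecting Error
        print(row)
```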

Configuring the Mail Server

In order to receive notification email and to enable the One Time Password feature, you must configure the mail server on the Log > Settings page. If you do not configure your mail server before using the One Time Password feature, you will receive an error message.

For information about configuring the One Time Password feature, refer to One Time Password Overview.

To configure the mail server:
1. Log in to the Secure Mobile Access management interface using administrator credentials.
2. Navigate to Log > Settings.
3. Type the email address where you want logs sent in the Email Event Logs to field.
4. Type the email address where you want alerts sent in the Email Alerts to field.
5. Type the IP address of the mail server you are using in the Mail Server field.
6. Type the email address for outgoing mail from your SMA/SRA appliance in the Mail From Address field.
7. Click Accept in the upper right corner.

Log > Categories

This section provides an overview of the Log > Categories page and a description of the various categories of event messages that can be viewed in the log. This page allows for each category to be enabled or disabled by the administrator. This capability can be particularly helpful when used to filter the log during the debug process.

Administrators can enable or disable check boxes for each of the following log categories:

Authentication
Authorization & Access
GMS
NetExtender
System
Virtual Assist
Web Application Firewall
High Availability (SMA 400/200, SRA 4600)
Geo IP & Botnet Filter
End Point Security
Device Management
Reverse Proxy

After all selections have been made, click Accept in the upper right corner of the screen to finish configuring the desired categories.

Log > ViewPoint

This section provides an overview of the Log > ViewPoint page and a description of the configuration tasks available on this page.

Log > ViewPoint Overview

The Log > ViewPoint page allows the administrator to add the SMA/SRA appliance to a ViewPoint server for installations that have SonicWall Inc. ViewPoint available, or are managed by the SonicWall Inc. Global Management System (GMS) appliance management software. This feature requires a ViewPoint license key.

ViewPoint is an integrated appliance management solution that:

Creates dynamic, web-based reports of SMA/SRA appliance and remote access activity
Generates both real-time and historical reports to provide a complete view of activity through your SMA/SRA Appliance
Enables remote access monitoring
Enhances network security
Helps you to anticipate future bandwidth needs
TIP: For more information about monitoring your SonicWall Inc. appliances with ViewPoint, visit http://www.sonicwall.com/us/support/3887.html

Adding a ViewPoint Server

This feature requires a ViewPoint license key.

To add the SMA/SRA appliance to a ViewPoint server and enable ViewPoint reporting on your SMA/SRA appliance:
1. Navigate to the Log > ViewPoint page in the Secure Mobile Access web-based management interface.

NOTE: If you are using ViewPoint for the first time on this appliance or if you do not have a valid license, the page directs you to the System > Licenses page to activate your license.

2. In the ViewPoint Settings section, click Add. The Add ViewPoint Server screen displays.
3. In the Add ViewPoint Server screen, enter the Hostname or IP Address of your ViewPoint server.
4. Enter the Port on which your ViewPoint server communicates with managed devices.
5. Click Accept at the top of the page to add this server.
6. To start ViewPoint report logging for the server you just added, select Enable ViewPoint.

Log > Analyzer

This section provides an overview of the Log > Analyzer page and a description of the configuration tasks available on this page.

Log > Analyzer Overview

The Log > Analyzer page allows the administrator to add the SMA/SRA appliance to an Analyzer server for installations that have SonicWall Inc. Analyzer available, or are managed by the SonicWall Inc. Global Management System (GMS) version 7.0 or higher appliance management software. This feature requires an Analyzer license key.

SonicWall Inc. Analyzer is a software application that creates dynamic, web-based network reports. The Analyzer Reporting Module generates both real-time and historical reports to offer a complete view of all activity through SonicWall Inc. network security appliances. With Analyzer Reporting, you can monitor network access, enhance security, and anticipate future bandwidth needs. The Analyzer Reporting Module:

Displays bandwidth use by IP address and service
Identifies inappropriate Web use
Provides detailed reports of attacks
Collects and aggregates system and network errors
Shows VPN events and problems
Presents visitor traffic to your Web site
Provides detailed daily logs to analyze specific events.
TIP: For more information about monitoring your SonicWall Inc. appliances with Analyzer, visit http://www.sonicwall.com/us/support/6631.html

Adding an Analyzer Server

This feature requires an Analyzer license key.

To add the SMA/SRA appliance to an Analyzer server and enable Analyzer reporting on your SMA/SRA appliance:
1. Navigate to the Log > Analyzer page in the Secure Mobile Access web-based management interface.

NOTE: If you are using Analyzer for the first time on this appliance or if you do not have a valid license, the page provides a link to the System > Licenses page to activate your license.

2. In the Analyzer Settings section, click Add. The Add Analyzer Server screen displays.
3. In the Add Analyzer Server screen, enter the Hostname or IP Address of your Analyzer server.
4. Enter the Port on which your Analyzer server communicates with managed devices. The default is 514.
5. Click Accept at the top of the page to add this server.
6. To start Analyzer report logging for the server you just added, select Enable Analyzer.