SMA (Secure Mobile Access) 11.3 - Web Only Access - WorkPlace Lite access
03/26/2020 
4 
10860
DESCRIPTION:
Basics
Web only access (more commonly referred to as Reverse Proxy access) allows a user to perform a task in a working browser without any Access agents, End Point Control agents, or other agents pushed down to the client device.
RESOLUTION:
Although this feature has been a mainstay of Secure Mobile Access products, in 11.3, the AMC Administrator can either give the end-user the option to enable WorkPlace Lite access mode access, force them to use WorkPlace Lite access, or disable WorkPlace Lite access entirely. This allows the AMC Administrator enough flexibility to setup a deployment where end-users can enable a checkbox or go to a specific WorkPlace site for Lite access. If the user checks "WorkPlace Lite mode", then the system allows access to browser based graphical and text-terminal shortcuts as well as Web URL and HTML fileshare shortcuts.
NOTE: Mobile Devices will always be logged in with WorkPlace Lite mode enabled.
This feature can be combined with SMA-172 (Persistent Cookie) to allow (or disallow) seamless access to SharePoint documents, should the AMC Administrator desire that type of access for their users.
Configuration
To configure Workplace Lite mode, in the AMC, browse to WorkPlace > WorkPlace Sites > Your WorkPlace Site > Advanced.
The administrator has the following options to choose from:
Automatic: The user-selection checkbox for WorkPlace Lite mode on WorkPlace is not visible and WorkPlace Lite access will be enabled for mobile devices only. This is the default for upgrades from previous firmware versions and new installations. Label and Help text controls are disabled.
Always: The user-selection checkbox for WorkPlace Lite mode on WorkPlace is not visible, but WorkPlace Lite access is always enabled when the user logs in to this WorkPlace site. Label and Help text controls are disabled.
Let user choose: The checkbox on WorkPlace for enabling or disabling WorkPlace Lite access is visible, along with the label text and help text.
The AMC Administrator can modify or adjust the label text and help text as needed
In AMC, this is what the User Sessions page looks like for WorkPlace Lite sessions:
In Automatic or Always, the user is not presented any additional options on WorkPlace for Lite mode, but can verify if WorkPlace was loaded in Lite mode by clicking on Details in the upper right-hand corner
When Let user choose is selected, the end-user is presented a checkbox to enable (or disable) WorkPlace Lite access for that specific session.
When using a mobile device, the system will hide the WorkPlace Lite checkbox, and automatically enable Lite mode.
Caveats
- Access to the Connect Tunnel installation link will be governed by existing AMC policy (ACLs or WP Layouts). If it's showing up where it shouldn't, adjust your policy.
- Realms that have PKI Authentication enabled only will not work with the WorkPlace Lite option "Let user choose".
- When Lite mode is enabled, end-user can only access the following.
- Web URL links
- Native Access Modules (NAMs) that support HTML5 (browser based) access only
- Graphical terminal
- Text terminal
- Virtual desktop
- HTML fileshare shortcuts (no Java or ActiveX)
- Works on standard devices, as well as mobile device (tablets and phones).
- When Zone Classification occurs for WorkPlace Lite mode sessions, only EPC Zones with no Device Profiles or the Default zone will match.
- Personal Device Authorization (PDA) will not work with WorkPlace Lite mode.
- In AMC, if Personal Device Authorization (PDA) is enabled, we will show a message to the administrator in the User Session details about why that particular user did not classify in to the zone.
- In the access_servers.log, the following log message will be emitted for WP Lite user sessions that cannot classify in to an EPC Zone due to Personal Device Authorization being enabled (where {user} is replaced with the username for the active user, and {zone} is replaced with the EPC Zone that was tried).
Workplace Lite Mode is active for user '{user}', this connection will not classify into zone '{zone}' because Personal Device Authorization is enabled for this zone.
- Some browser profiles (3 below) have been migrated out of the configuration as a result of WorkPlace Lite mode. Browsers that do not support JavaScript (or do not have JavaScript enabled) will be unable to establish a session to WorkPlace. Any device connecting to SMA WorkPlace that would match these profiles will instead behave like a Standard Mobile Device that has JavaScript enabled (which is now the default / fallback).
- Standard mobile (No JavaScript)
- WAP 2.0 mobile
- i-Mode (cHTML browser)
FAQs
Will file share short-cuts work on Mobile Devices?
Yes, the HTML version of Network Explorer on all mobile devices including iOS devices is allowed. Users can manage files (upload/download) with restricted file types supported on that mobile platform.
With HTML5 clients, is it possible to obtain user credentials by running a capture on the client device? Are the credentials stored in the browser somewhere that they could be accessed?
For RDP with SSO enabled, WorkPlace would send the encrypted password to HTML5 RDP client. The HTML5 client would decrypt and forward the credentials to RDP server over RDP/WS protocol.
For RDP without SSO and for other clients, when user enters the password, it's captured by the HTML5 client (JavaScript) and is forwarded to the backend server. In other words, the credentials aren't stored anywhere in the browser.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
