SMB SSL-VPN (SMA 100 Series): General FAQ
04/29/2020
Article Applies To:
SonicWall SMB SSL-VPN (SMA 100 Series) Appliances: SMA 200, SMA 400, SMA 500v.
1. What are the key enhancements in the latest SMA 100 Series updates?
For SMA 100 Series running firmware v184.108.40.206+/v10.0.0.5+/v10.2.0.1+, improvements include:
• Expanded capacity
o SMA 210 maximum concurrent user support increased to 200 users from 50 users
o SMA 410 maximum concurrent user support increased to 400 users from 250 users
For SMA100 series running firmware v10.2.0.1+, additional enhancements include:
• SMA on AWS and Azure - Customers can benefit from the economic and operational advantages of launching their virtual appliances on public clouds such as AWS or Microsoft Azure, in addition to the existing support for private clouds such as VMware ESXi or Microsoft Hyper-V.
• Support for TLS 1.3, SAML IdP Support and Let’s Encrypt service
2. Does the capacity expansion extend to SMA 210 and SMA 410 running firmware v220.127.116.11/v10.0.0.4/v10.2.0.0 or earlier?
Answer: No. SMA 210 and SMA 410 running SMA 100 Series firmware v18.104.22.168/v10.0.0.4/v10.2.0.0 or earlier will continue to support a maximum of 50 and 250 concurrent users, respectively.
3. Is there any support SKU up to 400 users for SMA 100 series?
Answer: No. Stack existing User License SKUs to reach the desired user count.
4. Will the utilization become a performance issue with the increase of users?
Answer: Currently, there are no changes to the published SMA 100 Series performance specifications on the datasheet.
5. Are the SSL-VPN throughputs also increased for SMA 100 Series?
Answer: Currently, there are no changes to the published SMA 100 Series performance specifications on the datasheet.
6. What reporting capability is there in the SMA 100 Series?
Answer: SMA 100 Series reporting is currently supported using SonicWall Global Management System (GMS) version 9.2.
7. Is there any capacity increase on the SMA 500v?
Answer: No. The capacity expansion applies only to the SMA 210 and SMA 410.
8. Is the SonicWall SMA 100 series appliance a true reverse proxy?
Answer: Yes. The HTTP, HTTPS, CIFS and FTP services are Web-based proxies, where the native Web browser is the client. VNC, SSHv2 and Telnet use HTML5. RDP uses both HTML5 and a browser-delivered ActiveX client. NetExtender on Windows uses a browser-delivered client.
9. What browser and version do I need to successfully connect to the SonicWall SMA 100 Series appliance?
• Microsoft Internet Explorer 9 and newer
• Mozilla Firefox (latest version)
• Google Chrome
• Apple Safari (latest version)
10. What needs to be activated on the browser for me to successfully connect to the SonicWall SMA appliance?
• TLS 1.0, TLS 1.1 and TLS 1.2 (disabling TLS 1.0 is recommended if possible)
• Enable cookies
• Enable pop-ups for the site
• Enable Java
• Enable ActiveX
11. What operating systems are supported?
• Microsoft Windows 7
• Microsoft Windows 10
• Microsoft Vista
• iOS & Android OS
• Linux kernel 2.4.x and newer
• MacOS X
12. There is no port option for the service bookmarks - what if these are on a different port than the default?
Answer: You can specify in the IP address box an 'IPaddress:port' pair for HTTP, HTTPS, Telnet and VNC.
13. Why does the ‘File Shares’ component not recognize my server names?
Answer: If you cannot reach your server by its NetBIOS name, there might be a problem with name resolution. Check your DNS and WINS settings on the SonicWall SMA appliance. You might also try manually specifying the NetBIOS name to IP mapping in the “Network > Host Resolution” section, or you could manually specify the IP address in the UNC path.
Also, if you get an authentication loop or an error, is this File Share a DFS server on a Windows domain root? When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so will disable access to the DFS file shares from other domains. The SonicWall SMA is not a domain member and will not be able to connect to the DFS shares. DFS file shares on a stand-alone root are not affected by this Microsoft restriction.
14. Does the SonicWall SMA appliance have a SPI firewall?
Answer: No. It must be combined with a SonicWall security appliance or other third-party firewall/VPN device.
15. Can I access the SonicWall SMA appliance using HTTP?
Answer: No, it requires HTTPS. HTTP connections are immediately redirected to HTTPS. You may wish to open both 80 and 443, as many people forget to type https:// and instead type http://. If you block 80, it will not get redirected.
16. What if I want a bookmark to point to a directory on a Web Server?
Answer: Add the path in the IP address box: IP/mydirectory/
17. Why is it recommended to install the SonicWall SMA appliance in one-port mode with a SonicWall security appliance?
Answer: This method of deployment offers additional layers of security control plus the ability to use SonicWall’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic.
18. Is there an installation scenario where you would use more than one interface or install the appliance in two-port mode?
Answer: Yes, when it would be necessary to bypass a firewall/VPN device that may not have an available third interface, or a device where integrating the SonicWall SSL-VPN appliance may be difficult or impossible. However, two-armed mode introduces routing issues that need to be considered before deployment. The SMA appliance does not route packets across interfaces, as there are IP tables rules preventing that, and therefore cannot be used as a router or default gateway.
19. Can I cascade multiple SonicWall SMA appliances to support more concurrent connections?
Answer: No, this is not supported.
20. What versions of Citrix are supported?
Answer: Citrix Portal Bookmarks have been tested and verified to support the following Citrix Application Virtualization platforms through the Citrix StoreFront:
- XenApp 7.6 (HTML5 and ActiveX only)
- XenApp 6.5
- XenApp 6.0
- XenApp 5.0
- Receiver for Windows 4.4, 4.2, 4.1 or 4.0
Citrix Native Bookmark supports Advanced features and can be launched on Windows and OS X platforms after installing SMA Connect Agent and the Citrix Receiver.
21. Can I create site-to-site VPN tunnels with the SonicWall SMA appliance?
Answer: No, it is only a client-access appliance. If you require this, you will need a SonicWall TZ-series or NSA security appliance.
22. Can the SonicWall Global VPN Client (or any other third-party VPN client) connect to the SonicWall SMA appliance?
Answer: No, only NetExtender and proxy sessions are supported.
23. Can I connect to the SonicWall SMA appliance over a modem connection?
Answer: Yes, although performance will be slow, even over a 56K connection it is usable.
24. What SSL ciphers are supported by the SMA appliance?
Answer: Starting with 7.5 firmware, SonicWall only uses HIGH security ciphers with TLSv1, TLSv1.1 and TLSv1.2. In 8.0 firmware or newer, SSL Perfect Forward Secrecy (PFS) is supported.
25. Is AES supported in SonicWall SMA appliance?
Answer: Yes, if your browser supports it.
26. What applications are supported using Application Offloading?
Answer: Application Offloading should support any application using HTTP / HTTPS. SMA has limited support for applications using Web Services and no support for non-HTTP protocols wrapped within HTTP. One key aspect to consider when using Application Offloading is that the application should not contain hard-coded self-referencing URLs. If these are present, the Application Offloading proxy rewrites the URLs. Because Web site development does not usually conform to HTML standards, the proxy can only do a best-effort translation when rewriting these URLs.
Specifying hard-coded, self-referencing URLs is not recommended when developing a Web site because content developers must modify the Web pages whenever the hosting server is moved to a different IP or hostname.
For example, if the backend application has a hard-coded IP and scheme within URLs as follows, then Application Offloading needs to rewrite this URL.
This can be done by enabling the Enable URL Rewriting for self-referenced URLs setting for the Application Offloading portal, but all the URLs might not be rewritten, depending on how the Web application has been developed (This limitation is usually the same for SMA / WAF vendors employing reverse proxy mode).
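As an added illustration of the hard-coded, self-referencing URL problem described in question 26 (this is example code written for this page, not SonicWall code, and it does not reproduce the appliance's rewriting logic), the following Python audit lists the absolute URLs in a page that point back at the backend server. It separates URLs in ordinary HTML attributes from URLs embedded in script text or inline event handlers; treating the second group as the one a best-effort rewriter is more likely to miss is an assumption. The names `SelfRefAudit` and `audit`, the address 10.1.1.20 and the sample page are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
URL_ATTRS = {"href", "src", "action", "formaction"}
ABS_URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)

class SelfRefAudit(HTMLParser):
    """Find absolute URLs that point back at the backend server itself."""
    def __init__(self, backend_hosts):
        super().__init__()
        self.backend = {h.lower() for h in backend_hosts}
        self.in_attrs = []  # URL attributes: the easy case for a rewriting proxy
        self.in_code = []   # script text and on* handlers: assumed easy to miss
        self.in_script = False

    def _is_self(self, url):
        try:
            return (urlsplit(url).hostname or "").lower() in self.backend
        except ValueError:  # malformed authority part
            return False

    def _scan_code(self, where, text):
        for url in filter(self._is_self, ABS_URL.findall(text)):
            self.in_code.append((where, url))

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:
            if value and name in URL_ATTRS and self._is_self(value):
                self.in_attrs.append((f"{tag}[{name}]", value))
            elif value and name.startswith("on"):
                self._scan_code(f"{tag}[{name}]", value)

    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self._scan_code("script", data)

def audit(html, backend_hosts):
    parser = SelfRefAudit(backend_hosts)
    parser.feed(html)
    parser.close()
    return parser.in_attrs, parser.in_code  # (attribute hits, code hits)

# Constructed sample page; 10.1.1.20 is a made-up backend address.
SAMPLE = ('<a href="http://10.1.1.20/reports/">Reports</a><a href="https://www.example.org/help">Help</a>'
          '<script>var api = "http://10.1.1.20:8080/api";</script>'
          '<button onclick="location=\'http://10.1.1.20/admin\'">Admin</button>')
print(audit(SAMPLE, ["10.1.1.20"]))
```

Any hit in the second list is a candidate for replacing the hard-coded URL with a relative one in the application itself, which removes the dependency on proxy rewriting.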
27. Is 2-factor authentication (RSA SecurID, etc) supported?
Answer: Yes, this is supported.
28. Does the SonicWall SMA appliance support VoIP?
Answer: Yes, over NetExtender connections.
29. Are Syslog and SNMP supported?
- Yes. Syslog forwarding to up to two external servers is supported in the current software release.
- Yes. SNMP MIBs can be downloaded from MySonicWall.
30. Does NetExtender support multicast?
Answer: Not at this time. Look for this in a future firmware release.
31. Should I create a Global Deny All policy?
Answer: Yes. We recommend that administrators set up a Global Deny All policy and allow access only to trusted hosts. This prevents outbound requests from the SMA to malicious hosts.
32. Does the SonicWall SMA appliance have a Command Line Interface (CLI)?
Answer: Yes, the SMA appliance has a simple CLI when connected to the console port. The SMA 500v Virtual Appliance is also configurable with the CLI. The SMA CLI allows configuration of only the X0 interface on the SMA appliances.
33. Can I Telnet or SSH into the SMA appliance?
Answer: No, neither Telnet nor SSH is supported in the current release of the SMA appliance software as a means of management (this is not to be confused with the Telnet and SSH proxies, which the appliance does support).
34. When controlling user access, can I apply permissions on both a domain as well as a Forest basis?
Answer: Yes, using the LDAP connector.
35. Can the Portal login message be customized?
Answer: Yes, the portal login message can be customized.
36. Why isn’t the customized login message displayed in the portal?
Answer: In order for the customized login message to be displayed in the portal, "Display custom login page" and "Display login message on custom login page" must be enabled in the portal.
37. What does the ‘encrypt settings file’ checkbox do?
Answer: This setting will encrypt the settings file so that if it is exported it cannot be read by unauthorized sources. Although it is encrypted, it can be loaded back onto the SonicWall SMA appliance (or a replacement appliance) and decrypted. If this box is not selected, the exported settings file is clear-text and can be read by anyone.
38. Can the appliance be booted to Safe Mode from GUI?
Answer: Yes, the appliance can be booted to Safe mode from the GUI diag page. This is an internal setting, to be used only at the direction of Technical Support. It is advised to export your settings before booting to Safe mode.
39. What does the ‘create backup’ button do?
Answer: This feature allows you to create a backup snapshot of the firmware and settings into a special file that can be reverted to from the management interface or from SafeMode. SonicWall strongly recommends creating a system backup right before loading new software or making significant changes to the programming of the appliance.
40. What is ‘SafeMode’?
Answer: SafeMode is a feature of the SonicWall SMA appliance that allows administrators to switch between software image builds and revert to older versions in case a new software image turns out to cause issues. In cases of software image corruption, the appliance will boot into a special interface mode that allows the administrator to choose which version to boot, or load a new version of the software image.
41. How do I access the SafeMode menu?
Answer: In emergency situations, you can access the SafeMode menu by holding in the Reset button on the SMA appliance (the small pinhole button located on the front of the SMA appliance) for 12-14 seconds until the ‘Test’ light begins quickly flashing yellow. Once the SonicWall has booted into the SafeMode menu, assign a workstation a temporary IP address of 192.168.200.100 and attach it to the X0 interface on the SSL-VPN appliance. Then, using a modern Web browser, access the special SafeMode GUI using the appliance’s default IP address of 192.168.200.1. Safe mode listens on HTTP only. You will be able to boot the appliance using a previously saved backup snapshot, or you can upload a new version of software with the Upload New Software image button.
42. Can I change the colors of the portal pages?
Answer: Only the background color can be changed.
43. What authentication methods are supported?
Answer: Local database, RADIUS, Active Directory, Digital Certificate and LDAP.
44. I configured my SonicWall SMA appliance to use Active Directory as the authentication method, but it fails with a very strange error message. Why?
Answer: The appliances must be precisely time-synchronized with each other or the authentication process will fail. Ensure that the SonicWall SMA appliance and the Active Directory server are both using NTP to keep their internal clocks synchronized.
45. Can a domain be mapped to multiple portals?
Answer: Yes, once a portal is created it must be mapped to a domain. The same domain can be mapped to multiple portals.
46. I created a FTP bookmark, but when I access it, the filenames are garbled – why?
Answer: If you are using a Windows-based FTP server, you will need to change the directory listing style to ‘UNIX’ instead of ‘MS-DOS’.
47. Where can I get a VNC client?
48. Are the SMA appliances fully supported by GMS / Analyzer?
Answer: Yes, you can configure it to send heartbeat and syslog messages to a designated SonicWall Global Management System / Analyzer. GMS 4.0 or later is required to remotely manage the SMA appliances.
49. Does the SonicWall SMA appliance support printer mapping?
Answer: Yes, this is supported with the ActiveX-based RDP client and HTML5 only. MS Publisher ImageSetter and Microsoft Print to PDF are the supported printer drivers. Microsoft Print to PDF is supported on only Windows 10 and Windows Server 2016.
50. Can I integrate SonicWall SMA with wireless?
Answer: Yes, refer to the SonicWall Inc. Secure Wireless Networks Integrated Solutions Guide, available through Elsevier, http://www.elsevierdirect.com/
51. Can I manage the appliance on any interface IP address of the SonicWall SMA appliance?
Answer: Yes, you can manage on any of the interface IP addresses.
52. Can I allow only certain Active Directory users access to log into the SonicWall SMA appliance?
Answer: Yes. On the Users > Local Groups page, edit a group belonging to the Active Directory domain used for authentication and add one or more AD Groups under the AD Groups tab.
53. Does the HTTP(S) proxy support the full version of Outlook Web Access (OWA Premium)?
54. Why are my RDP sessions dropping frequently?
Answer: Try adjusting the session and connection timeouts on both the SMA appliance and any appliance that sits between the endpoint client and the destination server. If the SMA appliance is behind a firewall, adjust the TCP timeout upwards and enable fragmentation.
55. Can I create my own services for bookmarks rather than the services provided in the bookmarks section?
Answer: This is not supported in the current release of software but may be supported in a future software release.
56. Why can’t I see all the servers on my network with the File Shares component?
Answer: The CIFS browsing protocol is limited by the server's buffer size for browse lists. These browse lists contain the names of the hosts in a workgroup or the shares exported by a host. The buffer size depends on the server software. Windows personal firewall has been known to cause some issues with file sharing even when it is stated to allow such access. If possible, try disabling such software on either side and then test again.
57. What port is the SMA appliance using for the Radius traffic?
Answer: It uses port 1812.
58. Do the SonicWall SMA appliances support the ability for the same user account to login simultaneously?
Answer: Yes. On the portal layout, you can enable or disable the ‘Enforce login uniqueness’ option. If this box is unchecked, users can log in simultaneously with the same username and password.
59. Does the SMA appliance support NT LAN Manager (NTLM) Authentication?
Answer: No, it does not support NTLM authentication. Only Basic authentication is supported.