- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Typical Deployment of SMA/SRA appliance
03/26/2020 
112 People found this article helpful
50,920 Views
Description
The SMA and SRA appliances provide organizations with a simple, secure and clientless method of access to applications and network resources specifically for remote and mobile employees. Organizations can use Secure Mobile Access connections without the need to have a pre-configured, large-installation host. Users can easily and securely access email files, intranet sites, applications, and other resources on the corporate Local Area Network (LAN) from any location by accessing a standard Web browser.
The SMA/SRA appliance is commonly deployed in tandem in one-armed mode over the DMZ interface on an accompanying gateway appliance, for example, a SonicWall network security appliance.
This method of deployment offers additional layers of security control plus the ability to use SonicWall’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic. SonicWall recommends one-armed mode deployments over two-armed for the ease-of-deployment and for use in conjunction with UTM GAV/IPS for clean VPN.
Resolution
Deployment
As shown in the above figure, in one-armed mode the primary interface (X0) on the SMA/SRA appliance connects to an available segment on the gateway device. The encrypted user session is passed through the gateway to the SMA/SRA appliance. The SMA/SRA appliance decrypts the session and determines the requested resource. The Secure Mobile Access session traffic then traverses the gateway appliance to reach the internal network resources. While traversing the gateway, security services, such as Intrusion Prevention, Gateway Anti-Virus and Anti-Spyware inspection can be applied by appropriately equipped gateway appliances. The internal network resource then returns the requested content to the SMA/SRA appliance through the gateway where it is encrypted and returned to the client.
Configuration
Both NSA and SMA/SRA appliances need to be configured in the deployment. In this case NSA 4600 and SRA 4600 are used for demonstration.
On NSA appliance:
Web management HTTPS port
Navigate to System > Administration, under Web Management Settings section, change the HTTPS Port value from 443(default value) to 4333 for example. This is to avoid port conflict because SSL VPN service port on SRA is 443 too and cannot be changed.
Interface
Navigate to Network > Interfaces, edit X2 interface as following:
NAT Policies
Navigate to Network > NAT Polices, click Add to create the NAT couple as following:
Access Rules
Navigate to Firewall > Access Rules, select Matrix and then DMZ to LAN, click Add to create an allow entry as following(RDP service used here for demonstration):
On SRA appliance:
Network
Navigate to Network > Interface, configure the IP address for X0, here just leave it as default.
Navigate to Network > Routes, set the default gateway for SRA as following:
NetExtender
Navigate to NetExtender > Client Routes, click Add Client Route to add the destination network that the SSL VPN client can access.
Users
Navigate to Users > Local Users, click Add User to add a client user.
How to test
To test the remote RDP access, configure the NetExtender on the remote client as following:
After the session connected, open the RDP service and input the IP of the remote desktop, click connect and then you will get the credentials window.
Related Articles
- How to secure Virtual Office portal from all external access
- NetExtender users fail to get connected throwing an Error Failed to get vpn protocol on firmware 10.2.1.2 or above due to misconfigured protocol
- Is SRA/SMA appliance vulnerable to CVE-2016-2183 and CVE-2016-5915?
YES
NO