Typical Deployment of SMA/SRA appliance
03/26/2020
The SMA and SRA appliances provide organizations with a simple, secure and clientless method of access to applications and network resources, specifically for remote and mobile employees. Organizations can use Secure Mobile Access connections without the need for a pre-configured, large-installation host. Users can easily and securely access email, files, intranet sites, applications, and other resources on the corporate Local Area Network (LAN) from any location using a standard Web browser.
The SMA/SRA appliance is commonly deployed in tandem in one-armed mode over the DMZ interface on an accompanying gateway appliance, for example, a SonicWall network security appliance.
This method of deployment offers additional layers of security control plus the ability to use SonicWall's Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic. SonicWall recommends one-armed mode deployments over two-armed mode for ease of deployment and for use in conjunction with UTM GAV/IPS for clean VPN.
As shown in the above figure, in one-armed mode the primary interface (X0) on the SMA/SRA appliance connects to an available segment on the gateway device. The encrypted user session is passed through the gateway to the SMA/SRA appliance. The SMA/SRA appliance decrypts the session and determines the requested resource. The Secure Mobile Access session traffic then traverses the gateway appliance to reach the internal network resources. While the traffic traverses the gateway, security services such as Intrusion Prevention, Gateway Anti-Virus and Anti-Spyware inspection can be applied by appropriately equipped gateway appliances. The internal network resource then returns the requested content to the SMA/SRA appliance through the gateway, where it is encrypted and returned to the client.
Both the NSA and the SMA/SRA appliance need to be configured in this deployment. In this case, an NSA 4600 and an SRA 4600 are used for demonstration.
On NSA appliance:
Web management HTTPS port
Navigate to System > Administration and, under the Web Management Settings section, change the HTTPS Port value from 443 (the default) to another port, for example 4333. This avoids a port conflict: the SSL VPN service port on the SRA is also 443 and cannot be changed, and inbound 443 on the NSA must be forwarded to the SRA.
Navigate to Network > Interfaces and edit the X2 interface as follows:
Navigate to Network > NAT Policies and click Add to create the pair of NAT policies as follows:
Navigate to Firewall > Access Rules, select Matrix and then DMZ to LAN, and click Add to create an allow entry as follows (the RDP service is used here for demonstration):
On SRA appliance:
Navigate to Network > Interface and configure the IP address for X0; here it is left at the default.
Navigate to Network > Routes and set the default gateway for the SRA as follows:
Navigate to NetExtender > Client Routes and click Add Client Route to add the destination network that the SSL VPN client is allowed to reach.
Navigate to Users > Local Users and click Add User to add a client user.
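As an added illustration (not SonicWall's code and not part of the original article), the following Python models the settings the NSA and SRA steps above touch and flags the misconfiguration each step prevents: the 443 port conflict, a NAT policy that does not point at the SRA's X0, a missing DMZ to LAN allow rule for the published service, a default gateway off the DMZ segment, and a client route that does not cover the RDP target. All addresses, subnets and rule tuples are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

SSLVPN_PORT = 443  # fixed on the SRA and cannot be changed, per the article


@dataclass
class NsaConfig:
    mgmt_https_port: int      # System > Administration > HTTPS Port
    nat_wan_port: int         # public port the inbound NAT policy accepts
    nat_dest: str             # address the NAT policy forwards to (SRA X0)
    access_rules: list        # (from_zone, to_zone, port) allow entries


@dataclass
class SraConfig:
    x0_address: str           # Network > Interface, X0
    default_gateway: str      # Network > Routes
    client_routes: list       # NetExtender > Client Routes, CIDR strings


def check_deployment(nsa, sra, dmz_subnet, rdp_target, rdp_port=3389):
    """Return a list of findings; an empty list means every step is present."""
    findings = []
    dmz = ipaddress.ip_network(dmz_subnet)
    # NSA management HTTPS must not collide with the 443 that NAT forwards to the SRA.
    if nsa.mgmt_https_port == SSLVPN_PORT and nsa.nat_wan_port == SSLVPN_PORT:
        findings.append("management HTTPS and SSL VPN NAT both use 443; move the management port")
    # The inbound NAT policy has to land on the SRA's X0 address.
    if nsa.nat_dest != sra.x0_address:
        findings.append(f"NAT forwards to {nsa.nat_dest} but SRA X0 is {sra.x0_address}")
    # Decrypted traffic re-enters the gateway from the DMZ, so an explicit allow rule is needed.
    if ("DMZ", "LAN", rdp_port) not in nsa.access_rules:
        findings.append(f"no DMZ to LAN allow rule for port {rdp_port}")
    # The SRA's only exit is the DMZ segment; its default gateway must be on it.
    if ipaddress.ip_address(sra.default_gateway) not in dmz:
        findings.append("SRA default gateway is not on the DMZ segment")
    # Without a covering client route, NetExtender never sends the RDP target into the tunnel.
    if not any(ipaddress.ip_address(rdp_target) in ipaddress.ip_network(r) for r in sra.client_routes):
        findings.append(f"no NetExtender client route covers {rdp_target}")
    return findings


def before_fix():  # constructed example: management port left at 443, rule and route missing
    nsa = NsaConfig(443, 443, "192.0.2.10", [])
    sra = SraConfig("192.0.2.10", "192.0.2.1", [])
    return check_deployment(nsa, sra, "192.0.2.0/24", "10.0.0.5")


def after_fix():  # constructed example following the steps in the article
    nsa = NsaConfig(4333, 443, "192.0.2.10", [("DMZ", "LAN", 3389)])
    sra = SraConfig("192.0.2.10", "192.0.2.1", ["10.0.0.0/24"])
    return check_deployment(nsa, sra, "192.0.2.0/24", "10.0.0.5")
```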
How to test
To test remote RDP access, configure NetExtender on the remote client as follows:
After the session is connected, open the RDP client, enter the IP address of the remote desktop and click Connect; the credentials window then appears.