Secure Mobile Access 12.4 Administration Guide

Technical Documentation> Administration> System Administration> SSL Encryption> Configuring SSL Encryption

Secure Mobile Access 12.4.3
Introduction
- About Secure Mobile Access
Installation
- Installation and Initial Setup
Management
- Working with Appliance Management Console
- User Management
Authentication
- Network and Authentication Configuration
Administration
- Security Administration
  - Creating and Managing Resources
    Resource Types
    Built-In Resources
    Secure Mobile Access WorkPlace (Resource Type: URL)
    Connect Tunnel (Resource Type: URL)
    Network Explorer (Resource Type: Network Share)
    Web Resources
    Client/Server Resources
    File Share Resources
    Resources and Resource Groups
    Viewing Resources and Resource Groups
    Adding Resources
    Example: Specifying a URL Alias
    Example: Blocking Email Attachments
    Example: Supporting Exchange on iPhones
    Example: Restricting Access to Sensitive Data
    Editing Resources
    Deleting Resources
    Configuring a Resource as a SharePoint Web Service
    Exclusions
    Using the Exclusions
    Using Variables in Resource and WorkPlace Shortcut Definitions
    Using Session Property Variables
    Using Query-Based Variables
    Creating a Resource Pointing to Users’ Remote Desktops
    Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
    Creating a Variable Containing a Variable
    Modifying Query Results
    Displaying a Series of Shortcuts Using a Single Definition
    Creating and Managing Resource Groups
    Adding Resource Groups
    Example: Working with a URL Redirect
    Editing, Deleting and Copying Resource Groups
    Web Application Profiles
    Viewing Web Application Profiles
    Adding Web Application Profiles
    Preconfigured Web Application Profiles
    Web Application Profile Examples
    How Requests for Web Resources are Evaluated
    Associating one profile with an entire domain
    Editing and Deleting Web Application Profiles
    Configuring a Single Sign-On Authentication Server
    Forms-Based Single Sign-On
    Basic Authentication Forwarding
    NTLM Authentication Forwarding
    Creating Forms-Based Dynamic Single Sign-On Profiles
    Dynamic SSO Profile for Microsoft RDWeb
    Configuring Microsoft RD Web Access in AMC
    Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
    Creating Web Application Profile
    Creating RDWeb URL resource with custom access
    Adding RDWeb in start page
    Dynamic SSO Profile for Citrix XenApp
    Configuring Citrix XenApp in AMC
    Creating Dynamic SSO Profile for Citrix XenApp
    Creating Web Application Profile
    Creating Citrix XenApp URL resource with custom access
    Adding Citrix Xenapp in start page
    Kerberos Constrained Delegation
    Configuring Kerberos Constrained Delegation
    Configuring SMA Support for Microsoft Outlook Anywhere
    Viewing User Sessions
  - Access Control Rules
    Configuring Access Control Rules
    Viewing Access Control Rules
    Access Control Rules for Bi-Directional Connections
    Requirements for Reverse and Cross-Connections
    Securing Application Ports for Reverse Connections
    Adding Access Control Rules for a Forward Connection
    Specifying Advanced Access Control Rule Attributes
    Adding Access Control Rules for a Reverse Connection
    Adding a Pair of Access Control Rules for a Cross-Connection
    Configuring Advanced Access Control Rule Attributes
    Access Methods and Advanced Options
    Adding Users and Resources From Within Access Control Rules
    Editing, Copying, and Deleting Access Control Rules
    Resolving Deny Rule Incompatibilities
    Resolving Invalid Destination Resources
    Invalid Resource Examples
- System Administration
End Point Control
Components
Mobile Connect
- Using SMA with Mobile Connect
Appendix
SonicWall Support
- About This Document

Configuring SSL Encryption

The appliance uses SSL encryption and other cryptographic algorithms-or ciphers-to secure data transfer. The default settings are typically sufficient for most deployments.

Secure Mobile Access has been enhanced to support TLS 1.3 for incoming and outgoing connections, which is the latest and more secure TLS version.

TLS 1.0 and TLS 1.1 are no longer supported for user sessions and supported only for outgoing connections to legacy internal resources.

If you have configured TLS transport protocol as “Any TLS version” or “TLS version 1.2 or 1.1” in prior version of SMA, upgrading to SMA 12.4 is prevented. To upgrade to SMA 12.4, select “TLS version 1.2 only” in AMC and proceed with the upgrade process.

To configure SSL encryption settings

In the AMC, navigate to System Configuration > SSL Settings.
Click the Edit link in the SSL Encryption section.

The SSL Encryption page displays.

All security levels use only US government-recommended (FIPS 140-2 compliant) encryption. FIPS is a government standard specifying best practices for implementing cryptographic software. This configures the appliance to use only the TLS protocol and enables only FIPS-compliant ciphers.
In the Security Level section, select the version of TLS transport protocol that the appliance will use.

By default, the TLS transport protocol is set as Secure.
1. Modern: Supports TLS 1.3 only. Provides the highest level of security without providing backward compatibility for older clients.
  - Modern TLS transport protocol supports the following ciphers/suites.
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
2. Secure: Supports only secure protocols (TLS 1.2 and higher) and ciphers. Recommended for most systems, provides the best balance of security and compatibility.
  - Secure TLS transport protocol supports the following ciphers/suites.
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
3. Legacy : Adds support for older ciphers that are no longer considered secure (TLS 1.2 and higher).
  
  The Legacy security level includes support for ciphers that are insecure, but are included only for compatibility with older browsers and clients.
  - Legacy TLS transport protocol supports the following ciphers/suites.
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_128_CBC_SHA
In case, if you want to use a different security level for connections to internal systems such as authentication servers (AD/LDAP), SMTP servers, and so on:
1. In the Advanced section, select Use a different security level for connections to internal systems check box.
2. In the Internal security level drop-down, select any one of the following:
  - Modern: Supports TLS 1.3 only. Provides the highest level of security without providing backward compatibility for older clients.
    - Modern TLS transport protocol supports the following ciphers/suites.
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
  - Secure: Supports only secure protocols (TLS 1.2 and higher) and ciphers. Recommended for most systems, provides the best balance of security and compatibility.
    - Secure TLS transport protocol supports the following ciphers/suites.
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - Legacy: Adds support for older ciphers that are no longer considered secure (TLS 1.2 and higher).
    The Legacy security level includes support for ciphers that are insecure, but are included only for compatibility with older browsers and clients.
    - Legacy TLS transport protocol supports the following ciphers/suites.
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_RSA_WITH_AES_256_CBC_SHA
      - TLS_RSA_WITH_AES_128_CBC_SHA
  - Obsolete: If your TLS version is 1.1 or 1.0, however it is not recommended to use TLS 1.0 and 1.1 version.
Select the ciphers that the access services (Web proxy, network proxy, and network tunnel) on the appliance will accept for SSL connections.
- Provide the highest level of security: Prefer 256-bit ciphers
- Allow the highest level of performance and capacity: Prefer 128-bit ciphers
Click Save.

< Prev Section

Next Section >

Secure Mobile Access 12.4 Administration Guide

Table of Contents

Configuring SSL Encryption