Secure Mobile Access 12.4 Administration Guide

Technical Documentation> Administration> Security Administration> Access Control Rules> Configuring Access Control Rules> Adding a Pair of Access Control Rules for a Cross-Connection

Secure Mobile Access 12.4.3
Introduction
- About Secure Mobile Access
Installation
- Installation and Initial Setup
Management
- Working with Appliance Management Console
- User Management
Authentication
- Network and Authentication Configuration
Administration
- Security Administration
  - Creating and Managing Resources
    Resource Types
    Built-In Resources
    Secure Mobile Access WorkPlace (Resource Type: URL)
    Connect Tunnel (Resource Type: URL)
    Network Explorer (Resource Type: Network Share)
    Web Resources
    Client/Server Resources
    File Share Resources
    Resources and Resource Groups
    Viewing Resources and Resource Groups
    Adding Resources
    Example: Specifying a URL Alias
    Example: Blocking Email Attachments
    Example: Supporting Exchange on iPhones
    Example: Restricting Access to Sensitive Data
    Editing Resources
    Deleting Resources
    Configuring a Resource as a SharePoint Web Service
    Exclusions
    Using the Exclusions
    Using Variables in Resource and WorkPlace Shortcut Definitions
    Using Session Property Variables
    Using Query-Based Variables
    Creating a Resource Pointing to Users’ Remote Desktops
    Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
    Creating a Variable Containing a Variable
    Modifying Query Results
    Displaying a Series of Shortcuts Using a Single Definition
    Creating and Managing Resource Groups
    Adding Resource Groups
    Example: Working with a URL Redirect
    Editing, Deleting and Copying Resource Groups
    Web Application Profiles
    Viewing Web Application Profiles
    Adding Web Application Profiles
    Preconfigured Web Application Profiles
    Web Application Profile Examples
    How Requests for Web Resources are Evaluated
    Associating one profile with an entire domain
    Editing and Deleting Web Application Profiles
    Configuring a Single Sign-On Authentication Server
    Forms-Based Single Sign-On
    Basic Authentication Forwarding
    NTLM Authentication Forwarding
    Creating Forms-Based Dynamic Single Sign-On Profiles
    Dynamic SSO Profile for Microsoft RDWeb
    Configuring Microsoft RD Web Access in AMC
    Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
    Creating Web Application Profile
    Creating RDWeb URL resource with custom access
    Adding RDWeb in start page
    Dynamic SSO Profile for Citrix XenApp
    Configuring Citrix XenApp in AMC
    Creating Dynamic SSO Profile for Citrix XenApp
    Creating Web Application Profile
    Creating Citrix XenApp URL resource with custom access
    Adding Citrix Xenapp in start page
    Kerberos Constrained Delegation
    Configuring Kerberos Constrained Delegation
    Configuring SMA Support for Microsoft Outlook Anywhere
    Viewing User Sessions
  - Access Control Rules
    Configuring Access Control Rules
    Viewing Access Control Rules
    Access Control Rules for Bi-Directional Connections
    Requirements for Reverse and Cross-Connections
    Securing Application Ports for Reverse Connections
    Adding Access Control Rules for a Forward Connection
    Specifying Advanced Access Control Rule Attributes
    Adding Access Control Rules for a Reverse Connection
    Adding a Pair of Access Control Rules for a Cross-Connection
    Configuring Advanced Access Control Rule Attributes
    Access Methods and Advanced Options
    Adding Users and Resources From Within Access Control Rules
    Editing, Copying, and Deleting Access Control Rules
    Resolving Deny Rule Incompatibilities
    Resolving Invalid Destination Resources
    Invalid Resource Examples
- System Administration
End Point Control
Components
Mobile Connect
- Using SMA with Mobile Connect
Appendix
SonicWall Support
- About This Document

Adding a Pair of Access Control Rules for a Cross-Connection

Most of the steps involved in creating an access control rule for a cross-connection are the same as those for creating a rule for a forward connection or a reverse connection. However, there are some key differences and requirements.

For example, to permit your VPN users to call each other using a VoIP application, create one rule for your users to connect to an IP address pool on the appliance, and a second rule for the IP address pool to connect to the users.

You would also need to follow this procedure to create a pair of rules to permit bi-directional connections between an FTP server and users.

To add an access control rule for a cross-connection

Ensure that the requirements for configuring a reverse connection are met. For more information, see Requirements for Reverse and Cross-Connections.
In the AMC, navigate to Security Administration > Access Control.
Click the + (New) icon.

The Add Access Rule page displays.
Type a number in the Position field to specify the rule’s position in the access rule list. By default, new rules are added to the top of the list, but you can use this box to place the rule anywhere you want. For example, if you have four rules and you assign the number 3 to a new one, it is inserted before the current rule 3 (which will become rule 4). This field is required.
In the Description field, type a descriptive comment about the rule. This step is optional, but a description can be helpful when viewing your list of rules later. The description also appears in log files where it is useful when examining logs to determine why a connection did not match a specific rule. The ID is a unique identifier automatically assigned by AMC; it cannot be edited.

Since a cross-connection requires a pair of forward-connection and reverse-connection rules, you should assign similar names to the two rules to make it easy to locate them in the list of access control rules.
Use the Action buttons to specify whether the rule will be used to Permit or Deny access, or if the rule is Disabled.
Under Basic settings, use the User and Resource buttons to select forward-connection or reverse-connection rules.
- To create a forward-connection rule from the users to the IP address pool, click User.
- To create a reverse-connection rule from the IP address pool to the users, click Resource.
In the From field under Basic settings, specify the users or resources to which this rule applies:
- For a forward-connection rule, specify the users or user groups to whom the rule applies. Click Edit to select from a list of users or groups. The default value is Any user.
- For a reverse-connection rule, specify the address pool that will be used for the VoIP application. Click Edit to select the address pool from a list of resources. The default value is Any resource.
In the To box under Basic settings, specify the users or resources to which this rule applies:
- For a forward-connection rule, specify the address pool that will be used for the VoIP application. Click Edit to select the address pool from a list of resources. The default value is Any resource.
- For a reverse-connection rule, specify the users to whom the rule applies. Click Edit to select from a list of users or groups. The default value is Any user.
In the Access method restrictions area, select Any. This enables the appliance’s Smart Access feature to determine the appropriate access method for the users’ end point devices, which for a reverse connection is either the Connect Tunnel client or the OnDemand Tunnel agent. The other access methods do not support cross-connections or bi-directional connections and will be bypassed.
In the Access method restrictions area, select Any to automatically manage access to all resources in the rule regardless of the access method making the request. This ensures that either the Connect Tunnel client or the OnDemand Tunnel agent, which are required for reverse connections, are managed by the rule. The other access methods do not support reverse connections and will be bypassed.
Click Finish after you have created the first rule in the pair of cross-connection rule, and then create and save the second rule. (Alternatively, you can save the first rule in the pair, make a copy of it, and then reverse the user and resource settings.)

After you have configured the forward-connection rule and the reverse-connection rule that make up the cross-connection rule pair, you should position the two rules next to each other in the access control list. That will make it easier to identify them as related rules.

AMC displays an error message if you attempt to create a cross-connection rule with no IP address pools configured. For more information, see Access Control Rules for Bi-Directional Connections.

< Prev Section

Next Section >

Secure Mobile Access 12.4 Administration Guide

Table of Contents

Adding a Pair of Access Control Rules for a Cross-Connection