Secure Mobile Access 12.4 Administration Guide
- Secure Mobile Access 12.4.3
- Introduction
- About Secure Mobile Access
- Secure Mobile Access on SMA Appliances
- About SMA Documentation
- What’s New in This Release
- Discontinued Features
- Deprecated Features
- Features of Your SMA Appliance
- Related Documentation
- System Requirements
- About Secure Mobile Access
- Installation
- Installation and Initial Setup
- Network Architecture
- Preparing for the Installation
- Installation and Deployment Process
- Specifications and Rack Installation
- Front Panel Controls and Indicators
- Connecting the Appliance
- Powering Up and Configuring Basic Network Settings
- Web-Based Configuration Using Setup Wizard
- Configuring the Appliance Using the Management Console
- Moving the Appliance into Production
- Powering Down and Restarting the Appliance
- Next Steps
- Installation and Initial Setup
- Management
- Working with Appliance Management Console
- Logging In to AMC
- Logging Out
- AMC Basics
- Administrator Accounts
- Managing Multiple Secure Mobile Access Appliances
- Working with Configuration Data
- Deleting Referenced Objects
- User Management
- Users, Groups, Communities, and Realms
- Using Realms and Communities
- Configuring Realms and Communities
- Creating Realms
- Adding Communities to a Realm
- Creating and Configuring Communities
- Assigning Members to a Community
- Selecting Tunnel Access Methods for a Community
- Selecting Browser Access Methods for a Community
- Using End Point Control Restrictions in a Community
- Configuring the Appearance of WorkPlace
- WorkPlace and Small Form Factor Devices
- About WorkPlace and Small Form Factor Devices
- Optimizing WorkPlace for Display on Small Form Factor Devices
- Creating or Editing a WorkPlace Style
- Creating or Editing a WorkPlace Layout
- Network Tunnel Client Configuration
- Using the Default Community
- Changing the Order of Communities Listed in a Realm
- Configuring RADIUS Accounting in a Realm
- Editing, Copying and Deleting Communities
- Managing Users and Groups
- Integrating an SMA Appliance with a SonicWall Firewall
- Working with Appliance Management Console
- Authentication
- Network and Authentication Configuration
- About Configuring the Network
- Configuring Basic Network Settings
- Configuring Routing
- Configuring Name Resolution
- Certificates
- Let's Encrypt
- Server Certificates
- CA Certificates
- About Intermediate Certificates
- Working with Certificates FAQs
- How do I Obtain a Certificate from a Non-Commercial CA?
- When do Certificates and CRLs Expire?
- Does Secure Mobile Access support SAN Certificates?
- Are Intermediate Certificates supported for End-User Certificate Verification?
- What Are the Different CA Certificates on the Appliance and How Are They Used?
- How many CA Certificates can be Stored on the Appliance?
- Can Private Keys or CSRs Generated from Other Tools be Imported to the Appliance?
- Where Is the AMC Certificate Stored?
- Should I Keep All CA Certificates on the Appliance or Just the Ones I Need?
- Managing User Authentication
- Configuring Authentication Servers
- Configuring Microsoft Active Directory Servers
- Configuring LDAP and LDAPS Authentication
- Configuring RADIUS Authentication
- Integration of SMA with Cisco Duo Security MFA Server
- User-Mapped Tunnel Addressing
- Integration of SMA1000 with RSA SecurID Authentication Manager
- Configuring a PKI Authentication Server
- Additional Field for Custom Certificates
- Configuring a SAML-Based Authentication Server
- One Identity Defender
- Configuring Local User Storage
- Testing AD,LDAP,RADIUS and One Defender Authentication Configurations
- Configuring Chained Authentication
- Enabling Group Affinity Checking in a Realm
- Using One-Time Passwords for Added Security
- Configuring Personal Device Authorization
- Using Your SMA Appliance as a SAML Identity Provider
- Biometric Identification
- Next Steps
- Network and Authentication Configuration
- Administration
- Security Administration
- Creating and Managing Resources
- Resource Types
- Resources and Resource Groups
- Using Variables in Resource and WorkPlace Shortcut Definitions
- Using Session Property Variables
- Using Query-Based Variables
- Creating a Resource Pointing to Users’ Remote Desktops
- Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
- Creating a Variable Containing a Variable
- Modifying Query Results
- Displaying a Series of Shortcuts Using a Single Definition
- Creating and Managing Resource Groups
- Web Application Profiles
- Configuring a Single Sign-On Authentication Server
- Creating Forms-Based Dynamic Single Sign-On Profiles
- Dynamic SSO Profile for Microsoft RDWeb
- Configuring Microsoft RD Web Access in AMC
- Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
- Creating Web Application Profile
- Creating RDWeb URL resource with custom access
- Adding RDWeb in start page
- Dynamic SSO Profile for Citrix XenApp
- Configuring Citrix XenApp in AMC
- Creating Dynamic SSO Profile for Citrix XenApp
- Creating Web Application Profile
- Creating Citrix XenApp URL resource with custom access
- Adding Citrix Xenapp in start page
- Kerberos Constrained Delegation
- Configuring SMA Support for Microsoft Outlook Anywhere
- Viewing User Sessions
- Access Control Rules
- Configuring Access Control Rules
- Viewing Access Control Rules
- Access Control Rules for Bi-Directional Connections
- Requirements for Reverse and Cross-Connections
- Securing Application Ports for Reverse Connections
- Adding Access Control Rules for a Forward Connection
- Specifying Advanced Access Control Rule Attributes
- Adding Access Control Rules for a Reverse Connection
- Adding a Pair of Access Control Rules for a Cross-Connection
- Configuring Advanced Access Control Rule Attributes
- Access Methods and Advanced Options
- Adding Users and Resources From Within Access Control Rules
- Editing, Copying, and Deleting Access Control Rules
- Resolving Deny Rule Incompatibilities
- Resolving Invalid Destination Resources
- Configuring Access Control Rules
- Creating and Managing Resources
- System Administration
- Optional Network Configuration
- System Logging and Monitoring
- Overview: System Logging and Monitoring
- Log Files
- Viewing Logs
- Sorting, Searching, and Filtering Log Messages
- Sorting
- Filtering
- Searching
- Exporting Log Files
- Configuring Log Settings
- System Message Log
- Management Message Log
- Management Audit Log
- Network Tunnel Audit Log
- Web Proxy Audit Log
- Client Installation Logs (Windows)
- Configuring the logging settings for managed appliances
- Setting Log Levels
- Configuring Access Request Logging
- Sending messages to a syslog server
- Splunk Integration
- Monitoring the Appliance
- SNMP Configuration
- Managing Configuration Data
- Upgrading, Rolling Back, or Resetting the System
- SSL Encryption
- FIPS Certification
- Software Licenses
- Using Global Overrides
- Security Administration
- End Point Control
- About End Point Control
- Managing EPC with Zones and Device Profiles
- Enabling and Disabling End Point Control
- Configuring and Using Zones and Device Profiles
- Viewing Zones
- Viewing Device Profiles
- Creating a Device Zone
- Creating a Deny Zone
- Creating a Quarantine Zone
- Verifying the URLs
- Configuring the Default Zone
- Defining Device Profiles for a Zone
- Device Profile Attributes
- Advanced EPC: Extended Lists of Security Programs
- Advanced EPC: Using Fallback Detection
- Advanced EPC: Using Preconfigured Device Profiles
- Using Comparison Operators with Device Profile Attributes
- Using End Point Control with the Connect Tunnel Client
- Performing Recurring EPC Checks: Example
- Microsoft Intune
- Creating Zones for Special Situations
- Using End Point Control Agents
- Capture Advanced Threat Protection
- Components
- The WorkPlace Portal
- User Access Components and Services
- About User Access Components and Services
- User Access Agents
- Client and Agent Provisioning (Windows)
- WorkPlace
- WorkPlace Sites
- Adding WorkPlace Sites
- Modifying the Appearance of WorkPlace
- About Custom WorkPlace Templates
- How Template Files are Matched
- Customizing WorkPlace Templates
- Working with WorkPlace Shortcuts
- Adding Web Shortcuts
- Viewing Shortcuts
- Editing Shortcuts
- Creating a Group of Shortcuts
- Adding Network Shortcuts
- Adding a Virtual Desktop Shortcut
- Web Shortcut Access
- Configuring WorkPlace General Settings
- Web Only Access
- Citrix Configuration
- Adding a Text Terminal Shortcut
- Fully Customizing WorkPlace Pages
- WorkPlace Style Customization: Manual Edits
- Network Explorer
- Tunnel Clients
- Web Access
- WorkPlace Lite
- Translated ActiveSync Web Access
- Custom Port Mapped Web Access
- Custom FQDN Mapped Web Access
- Notes for Custom Port Mapped or Custom FQDN Mapped Web Access
- Configuration Requirements
- Known Behavior
- Seamless Editing in SharePoint
- Enabling Storage of Persistent Session Information
- Modifying a Zone to Allow Storing of Persistent Session Information
- Exchange ActiveSync access
- Enabling Exchange ActiveSync access on the appliance
- Exchange ActiveSync sessions
- Notes for Exchange ActiveSync device profiles
- ActiveSync Resource Configuration with SAN Certificates
- Outlook Anywhere Web Access
- Client Installation Packages
- Network Tunnel Client Branding
- The OnDemand Proxy Agent
- Managing Access Services
- About Access Services
- Stopping and Starting the Secure Mobile Access Services
- Configuring the Network Tunnel Service
- Configuring IP Address Pools
- Address Pool Allocation Methods
- Translated Address Pools (Source NAT)
- Routed Address Pools (DHCP)
- RADIUS-Assigned Address Pools
- Static Address Pools
- Best Practices for Configuring IP Address Pools
- Adding Translated IP Address Pools
- Adding Dynamic IP Address Pools
- Adding a Dynamic, RADIUS-Assigned IP Address Pools
- Adding Static IP Address Pools
- Configuring Web Resource Filtering
- Secure Network Detection
- Configuring Custom Connections
- Configuring the Web Proxy Service
- Verifying the Web Proxy Security headers
- Terminal Server Access
- Secure Endpoint Manager (SEM)
- Mobile Connect
- Appendix
- Appliance Command-Line Tools
- Troubleshooting
- About Troubleshooting
- General Networking Issues
- Verify a Downloaded Upgrade File
- AMC Issues
- Authentication Issues
- Using Personal Firewalls with Agents
- Secure Mobile Access Services Issues
- Client Troubleshooting
- Troubleshooting Tools in AMC
- Best Practices for Securing the Appliance
- Network Configuration
- Configure the Appliance to Use Dual Interfaces
- Configure the Appliance to Use Dual Network Gateways
- Protect both Appliance Interfaces with Firewalls
- Enable Strict IP Address Restrictions for the SSH Service
- Enable Strict IP Address Restrictions for the SNMP Service
- Use a Secure Passphrase for the SNMP Community String
- Disable or Suppress ICMP Traffic
- Use an NTP Server
- Protect the Server Certificate that the Appliance is Configured to Use
- Appliance Configuration
- Appliance Sessions
- Administrator Accounts
- Access Policy
- Set Up Zones of Trust
- Setting security level
- Client Access
- Network Configuration
- Configuring the SAML Identity Provider Service
- Configuring External SAML Identity Providers
- Log File Output Formats
- Internationalization Support
- SonicWall Support
Web Proxy Audit Log
The Web proxy audit log provides detailed information about connection activity, including a list of users accessing your network and the amount of data transferred.
The /var/log/aventail/extraweb_access.log file messages are stored in the World Wide Web
Consortium (W3C) Common Log Format (CLF). See http://httpd.apache.org/docs/logs.html for more
information on CLF logs. The log message has these parameters:
[source-ip] [identity] [shortname@realm] [longname] [date/time] "[request]" [HTTP return code]
[bytes-sent] [imei]
The following is a sample network proxy/tunnel service audit log file entry:
192.168.200.162 - (extranetuser)@(Translation) (uid=extranetuser,ou=Users,dc=indigo,dc=com)
[31/Mar/2017:09:08:09 -0700] "GET http:/
/127.0.0.1:455/postauth/interrogator/AventailComponents.exe HTTP/1.1" 200 536016 "-"
The log entries contain the fields (separated by spaces) shown in the Web Proxy audit log fields table.
| Field | Description |
| source-IP |
IP address of the computer accessing the Web proxy service (this field may contain a translated address if NAT is in use). Example: |
| identity | This field is not used by the Web proxy service; it always contain a dash (-). |
| shortname@realm |
If the user has logged in, this field displays the user’s name and login realm in the form
( If a user has not yet authenticated or is accessing content that does not require authentication (such as the WorkPlace login page), this field contains a dash (-). In cases where no authentication is used (that is, the Authentication server for the realm in AMC is set to None), this field will contain anonymous-user. Example: |
| longname |
If the user has logged in, this field displays the user’s long name. LDAP and Active Directory usernames are displayed using a DN. Other usernames are display using a CN. If a user has not yet authenticated or is accessing content that does not require authentication (such as the WorkPlace login page), this field contains a dash (-). Example: |
| date/time |
The date and time at which the request was received by the appliance. Example: |
| request |
First line of the HTTP request, containing the HTTP command (such as Example: |
| HTTP-return-code |
The server responds with one of the following return codes:
For more information on these codes, see http://www.ietf.org/rfc/rfc2616.txt. |
| bytes-sent | Number of bytes sent in the body of the response (this does not include the size of the HTTP headers). |
| imei |
Every mobile phone is assigned a unique, 15-digit IMEI code that indicates information
like the manufacturer, model type, and country of approval. The IMEI can be displayed
on most phones by dialling Example: |
Examples
-
If an authentication attempt fails—for example, because the user enters an invalid username or password—a single message appears in the log with a return code of
200(OK), indicating the client request was understood). Notice that the source IP address in the message is the only way for you to identify who made the request:192.168.2.69 - - [26/Feb/2017:21:43:30 +0000] "POST /__extraweb__authen HTTP/1.1" 200 3610 352711-01-521146-5For a successful authentication, a similar message appears, but with a return code of
302(Found). It is immediately followed by another message that contains the user's authentication credentials and a return code of200:192.168.2.69 - - [26/Feb/2017:21:44:25 +0000] "POST /__extraweb__authen HTTP/1.1" 302 206 352711-01-521146-5192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:44:25 +0000] "GET /workplace/access/home HTTP/1.1" 200 15424 -
If a user successfully authenticates, but is denied access to a Web resource by an access rule, a message containing a return code of
403(Forbidden) is logged:192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:52:25 +0000] "GET /dukes HTTP/1.1" 403 3358 352711-01-521146-5 -
If a user successfully authenticates and is permitted to access a URL, a message appears that is identical to the one for a failed authentication (a return code of 200), except that this one includes the user’s credentials:
192.168.2.69 - (jdoe)@(AD) [26/Feb/2017:21:51:03 +0000] "GET /dukes HTTP/1.1" 200 262 352711-01-521146-5
Was This Article Helpful?
Help us to improve our support portal