Secure Mobile Access 12.4 Administration Guide

Certificates

The SMA appliance uses SSL certificates to secure the information that client computers send to the server and to prove the appliance's identity to connecting users (see the Certificate usage figure below). It requires at least two SSL certificates:

  • The Secure Mobile Access services use a certificate to secure user traffic from a Web browser to WorkPlace, and from the Connect clients to the appliance. (If you want to provide several WorkPlace sites, you can use a wildcard certificate for multiple sites, or associate a different certificate with each one. In either case, the sites can have different host and domain names; for more information, see Adding WorkPlace Sites.)

  • AMC uses a separate certificate to secure management traffic. This is usually a self-signed certificate.

[Figure: Certificate usage]

Subject Alternative Name (SAN) certificates are supported for WorkPlace, WorkPlace sites, and Connect Tunnel. These certificates are used to encrypt the communication channels between a set of clients and multiple distinct SSL or TLS services.

SAN certificates simplify the IP address/hostname/certificate sets needed for a typical deployment. With a single SAN certificate, you can use one IP address for multiple distinct SSL- or TLS-protected web or client/server services without configuring additional IP addresses. SANs can also be used for different host names on the same IP address, removing the need for a one-to-one mapping of SSL certificate Common Names to FQDNs.

Only IPv4 addresses are supported in SAN certificates and Certificate Signing Requests (CSRs).

Improvements include:

  • SAN-related features can be generated in the AMC instead of through mechanisms external to the appliance:

    • CSR with SANs

    • Self-signed certificates with SAN entries

  • WorkPlace sites, custom FQDN URL resources, and ActiveSync resources can be created using existing SAN certificates.
  • The appliance seamlessly handles Web connections to WorkPlace sites that use any combination of IP address, FQDN, and SSL certificate, regardless of whether that WorkPlace site has its own dedicated IP address or shares one with the Default WorkPlace site.
  • When using Connect Tunnel or Mobile Connect connections to WorkPlace sites, ensure the WorkPlace sites are not defined with a dedicated IP address but share the Default WorkPlace site IP address. For example, if a Default WorkPlace site of vpn.mycompany.com is bound to 192.168.200.160 with an SSL certificate for *.mycompany.com, and you want to add a new WorkPlace site for contractors.mycompany.com, simply add the Fully Qualified Domain Name (FQDN) on the New WorkPlace Site configuration page and do not specify another IP address. This allows Web or Tunnel connections to either vpn.mycompany.com or contractors.mycompany.com with no further configuration needed on the appliance.

The Administrator can generate, import, process, and otherwise use a SAN certificate for WorkPlace, ActiveSync, Custom FQDN URL Mapping, or Tunnel-based access services.
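Before binding a certificate to a new WorkPlace site, it is worth checking which site names the certificate actually covers. The following is an added example, not code from the SMA guide or the appliance: a small matcher for the dNSName and iPAddress entries of a certificate's Subject Alternative Name extension, following the single-label wildcard rule of RFC 6125, applied to the vpn.mycompany.com / contractors.mycompany.com / 192.168.200.160 scenario above. The `Cert` class and all certificate contents are constructed for illustration; the function names are the example's own.

```python
"""Which WorkPlace site names does a certificate cover? (added example)"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal view of a server certificate: only the identifiers a client checks."""
    common_name: str
    san_dns: list = field(default_factory=list)  # dNSName SAN entries
    san_ip: list = field(default_factory=list)   # iPAddress SAN entries (IPv4 only on the appliance)


def dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (optionally a leftmost single-label wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard covers exactly one leftmost label (RFC 6125 s6.4.3):
    # *.mycompany.com matches vpn.mycompany.com, but neither mycompany.com
    # nor a.b.mycompany.com.
    suffix = pattern[1:]  # ".mycompany.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def covers(cert: Cert, target: str) -> bool:
    """True if the certificate is valid for a WorkPlace site reached as FQDN or IPv4 literal."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # A literal IP target is satisfied only by an exact iPAddress SAN entry,
        # never by the Common Name or by a wildcard dNSName.
        return any(ipaddress.ip_address(e) == addr for e in cert.san_ip)
    if cert.san_dns:
        # When dNSName SANs are present, clients must not fall back to the CN
        # (RFC 6125 s6.4.4), so a CN that is missing from the SAN list does not count.
        return any(dns_match(e, target) for e in cert.san_dns)
    return dns_match(cert.common_name, target)


def unsupported_san_ips(cert: Cert) -> list:
    """Return iPAddress entries the appliance would not accept (only IPv4 is supported)."""
    return [e for e in cert.san_ip if ipaddress.ip_address(e).version != 4]


def san_extension(cert: Cert) -> str:
    """Render the SAN list in the form openssl accepts for a CSR (req -addext)."""
    entries = [f"DNS:{d}" for d in cert.san_dns] + [f"IP:{i}" for i in cert.san_ip]
    return "subjectAltName=" + ",".join(entries)


if __name__ == "__main__":
    # Constructed certificates for the scenario in the guide.
    wildcard = Cert("*.mycompany.com")
    san = Cert("vpn.mycompany.com",
               san_dns=["vpn.mycompany.com", "contractors.mycompany.com"],
               san_ip=["192.168.200.160"])
    for cert in (wildcard, san):
        for site in ("vpn.mycompany.com", "contractors.mycompany.com",
                     "portal.contractors.mycompany.com", "192.168.200.160"):
            print(f"{cert.common_name:20} {site:36} {'covers' if covers(cert, site) else 'does NOT cover'}")
    print(san_extension(san))
```

Running the block prints a coverage table for both certificates: the wildcard covers both FQDNs but not a second-level name such as portal.contractors.mycompany.com and not the IP literal, while the SAN certificate covers exactly the names and IPv4 address listed. The `san_extension` output is the `subjectAltName=` line you would pass to `openssl req -addext` when producing a CSR with SANs outside the AMC.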

CA certificates are also used for securing connections to back-end servers and authentication using client certificates. See Importing CA Certificates for more details.
