Italic Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence. Sometimes indicates the first instance of a significant term or concept. SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview 2 8 Virtual Office Overview
c Select your platform for manual download and click Save File. The file is saved in your folder. NOTE: If the SMA Connect Agent is already installed, ...
SonicWall Secure Mobile Access 10.0 User Guide SMA 200/400 SMA 210/410 SMA 500v for ESXi SMA 500v for Hyper-V
SonicWall® Secure Mobile Access 10.0
User Guide
SMA 200/400 SMA 210/410 SMA 500v for ESXi SMA 500v for Hyper-V
Contents
1
Part 1. Introduction
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Organization of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Guide Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Virtual Office Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 About Virtual Office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Accessing Virtual Office Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Browser Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 About Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 About the Virtual Office Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Logging Out of the Virtual Office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Part 2. Using Secure Remote Access Features
Using Secure Mobile Access Connect Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 What is the Secure Mobile Access Connect Agent? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Supported Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Downloading and Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Setting Up the SMA Connect Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Proxy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Browser Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 End Point Control (EPC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 PDA (Personal Device Authorization) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 SonicWall Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Using Virtual Office Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Importing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Using Two-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
User Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 RSA Two-Factor User Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 VASCO Two-Factor User Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Using One-Time Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 User Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Logging In with an Email One-Time Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Logging In with a Mobile App Time-based One-Time Password . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Logging In with an SMS One-Time Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Generating Backup Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Configuring One-Time Password Settings for E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Configuring One-Time Password Settings for Mobile App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Configuring One-Time Passwords for SMS-Capable Phones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Configuring One-Time Password Settings for SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
SonicWall Secure Mobile Access 10.0 User Guide Contents
2
Verifying User One-Time Password Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Using NetExtender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 User Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 User Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Installing NetExtender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Launching NetExtender Directly from Your Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Pre-Filling the Key Fields While Installing with Microsoft Installer . . . . . . . . . . . . . . . . . . . . . . . . . 46 Configuring NetExtender Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Configuring NetExtender Connection Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Configuring Batch File Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Configuring Proxy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Configuring NetExtender Log Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Configuring NetExtender Advanced Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Configuring NetExtender Acceleration Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Configuring NetExtender Packet Capture Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Configuring Language Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Viewing the NetExtender Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Disconnecting NetExtender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Upgrading NetExtender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Changing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Uninstalling NetExtender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Verifying NetExtender Operation from the System Tray . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Displaying Route Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Using the NetExtender Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Installing NetExtender on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Using NetExtender on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Using Mobile Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Using File Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Using HTML-based File Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Downloading Files and Folders using HTML5 File Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Managing Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Adding Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
RDP Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 VNC Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Citrix Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Web Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Mobile Connect Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 FTP Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 SSHv2 Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Editing Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Removing Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Using Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Using Remote Desktop Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Using VNC Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
SonicWall Secure Mobile Access 10.0 User Guide Contents
3
Using Citrix Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Using Web Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Using Mobile Connect Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Using File Share Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Using FTP Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Using Telnet Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Using SSHv2 Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Global Bookmark Single Sign-On Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Per-Bookmark Single Sign-On Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Part 3. Appendixes
Warranty and License Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 GNU General Public License (GPL) Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Limited Hardware Warranty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 End User License Agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
SonicWall Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
SonicWall Secure Mobile Access 10.0 User Guide Contents
4
· About This Guide · Virtual Office Overview
Part 1
Introduction
SonicWall Secure Mobile Access 10.0 User Guide Introduction
5
1
About This Guide
Welcome to the SonicWall® Secure Mobile Access (SMA) 10.0 User Guide. This guide provides information on using the Secure Mobile Access user portal called Virtual Office that allows you to create bookmarks and run services over the SMA appliance. The SMA Release Notes can be accessed and downloaded from www.mysonicwall.com.
Organization of This Guide
The SonicWall Secure Mobile Access User Guide is structured as shown here: · Introduction
· About This Guide This section provides helpful information for using this guide. It includes conventions used in this guide, information on how to obtain additional product information, and a Quick Access Worksheet that you should complete before using the SMA appliance.
· Virtual Office Overview This section provides an overview of SMA appliance user features, NetExtender, File Shares, services, sessions, bookmarks, and service tray menu options.
· Using Secure Remote Access Features · Using Secure Mobile Access Connect Agent This section provides procedures on downloading, installing, and configuring the SMA Connect Agent. It includes overviews of the End Point Control (EPC), Personal Device Authorization, and supported SonicWall applications. · Using Virtual Office Authentication This section provides details on how to use the authentication features of the SonicWall Secure Mobile Access (SMA) Virtual Office portal. It includes importing certificates, using Two-Factor authentication, and using One-Time Passwords. · Using NetExtender This section provides procedures on installing, configuring, and using NetExtender. · Using File Shares This section provides procedures on using file shares. · Managing Bookmarks This section provides procedures on configuring bookmarks.
SonicWall Secure Mobile Access 10.0 User Guide About This Guide
6
· Appendixes · Warranty and License Agreements This section provides the Limited Hardware Warranty and End User Licensing Agreement, and SonicWall Support contact information. · SonicWall Support This section provides SonicWall Support contact information.
Guide Conventions
The conventions used in this guide are as follows:
Guide Conventions
Convention Bold
Italic
Use
Highlights dialog box, window, and screen names. Also highlights buttons. Also used for file names and text or values you are being instructed to type into the interface.
Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence. Sometimes indicates the first instance of a significant term or concept.
SonicWall Secure Mobile Access 10.0 User Guide About This Guide
7
2
Virtual Office Overview
This section provides an overview of the SonicWall Secure Mobile Access (SMA) user portal, the Virtual Office. It also includes information about supported browsers and associated requirements.
Topics:
· About Virtual Office on page 8 · Browser Requirements on page 9 · About Certificates on page 10 · About the Virtual Office Web Interface on page 11 · Logging Out of the Virtual Office on page 14
About Virtual Office
Secure Mobile Access Virtual Office provides secure remote access to network resources, such as applications, files, intranet web sites, and email through web access interfaces such as Microsoft Outlook Web Access (OWA). The underlying protocol used for these sessions is SSL.
With Secure Mobile Access, mobile workers, telecommuters, partners, and customers can access information and applications on your intranet or extranet. What information should be accessible to the user is determined by access policies configured by the Secure Mobile Access administrator.
Accessing Virtual Office Resources
Remote network resources can be accessed in the following ways:
· Using a standard Web browser - To access network resources, you must log in to the Secure Mobile Access portal. After authenticated, you might access intranet HTTP and HTTPS sites, offloaded portals, Web-based applications, and Web-based email. In addition, you might upload and download files using FTP or Windows Network File Sharing. All access is done through a standard Web browser and does not require any client applications to be downloaded to remote users' machines.
· Using the NetExtender Secure Mobile Access client The SonicWall Secure Mobile Access network extension client, NetExtender, is available through the Secure Mobile Access Virtual Office portal through an ActiveX control or through standalone applications for Windows, Linux, and Mac OS X platforms. To connect using the SMA client, log in to the portal, download the installer application and then launch the NetExtender connector to establish the SSL VPN tunnel. About the Virtual Office Web Interface on page 11. After you have set up the SSL VPN tunnel, you can access network resources as if you were on the local network.
The NetExtender standalone applications are automatically installed on a client system the first time you click the NetExtender link in the Virtual Office portal. The standalone client can be launched directly from users' computers without requiring them to log in to the Secure Mobile Access portal first.
SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview
8
· Using the SonicWall Mobile Connect app SonicWall Mobile Connect is an app for iOS, Android, Mac OS X, Windows Phone, Windows 10, and ChromeOS that, like NetExtender, uses SSL VPN to enable secure, mobile connections to private networks protected by SonicWall security appliances. For information about installing and using SonicWall Mobile Connect, see the SonicWall Mobile Connect User documentation available at the Technical Documentation portal: https://www.sonicwall.com/support/technical-documentation/.
For secure remote access to work as described in this guide, the SonicWall SMA security appliance must be installed and configured according to the directions provided in the Getting Started Guide for your model.
NOTE: If your Administrator has Remediation enabled, the warning message "Access is denied by Geo IP & Botnet Filter" displays when attempting to accessing remote network resources. A browser window is automatically opened to display a CAPTCHA picture and entry field. You must complete remediation within the specified time limit before you can login. Refer to the SonicWall Secure Mobile Access Administration documentation for details.
Browser Requirements
Browser Versions Per Client Operating Systems provides information about the browsers supported on various client operating systems.
Browser Versions Per Client Operating Systems
Browser Mozilla Firefox (latest version)
Google Chrome (latest version)
Apple Safari (latest version)
Operating System Windows 7 Windows 10 Windows 7 Windows 10 Mac OS X
Linux Mac OS X Linux Mac OS X
For Administrator management interface browser compatibility, refer to the SonicWall Secure Mobile Access Administration documentation.
Below, Browser Support for Virtual Office Features provides browser requirements for specific features of Virtual Office.
Browser Support for Virtual Office Features
Application Proxy
Features & Browser Requirements NetExtender
Windows 7
Windows 10
Linux
Mac OS X
Browser Independent
RDP5
SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview
9
Browser Support for Virtual Office Features
Application Proxy
Features & Browser Requirements
VNC
Windows 7
Windows 10
Linux
Mac OS X
Telnet
SSHv2
HTTP, HTTPS, FTP (Browser)
File Sharing (Browser)
File Sharing Citrix HTML5
NOTE: Plug-ins might not be supported in Firefox or Chrome browsers, because of the removal of NPAPI support. To launch clients such as NetExtender, download and open the files manually.
About Certificates
If the SMA appliance uses a self-signed SSL certificate for HTTPS authentication, then it is recommended to install the certificate before establishing a NetExtender connection. If you are unsure whether the certificate is self-signed or generated by a trusted root Certificate Authority, SonicWall recommends that you import the
SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview
10
certificate. The easiest way to import the certificate is to click Import Certificate on the System > Certificates page. If the certificate is not issued by an authorized organization, a message is displayed warning users of the risk. A user can then view detailed information and choose to continue or end the connection. When using the network logon method from the Windows login screen, NetExtender uses System Store for certificate-based authentication. When the user is already logged in to Windows, NetExtender uses the User Store for certificate-based authentication. A user who wants to use the network logon method when certificate authentication is also enabled should import his user certificate into the System Store as well as into the User Store.
About the Virtual Office Web Interface
You can access the Virtual Office portal at the URL provided to you by your network administrator.
To log in to Virtual Office:
1 On your workstation at your remote location, launch an approved browser and enter the IP address of the Virtual Office portal in the Location or Address field. By default, this is the default LAN IP address of the SMA appliance, for example, https://192.168.200.1.
2 A security warning may appear. Click Advanced and click Proceed to <IP Address> (unsafe) to continue.
NOTE: The action you should take to continue to the portal depends on your browser. For example, in Firefox, you need to click Advanced, and select Accept the risk and continue.
SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview
11
3 The SonicWall Secure Mobile Access login page displays and prompts you to choose the appropriate domain from the Domain drop-down list.
4 Enter user name in the UserID field and password in the Password field, and click LOGIN. NOTE: Your Administrator should have set up login and password for you that has only user privileges.
To log in using the default administrator credentials, select LocalDomain from the Domain drop-down list and click NEXT. Enter admin in the UserID field, password in the Password field, and click LOGIN.
The default page displayed is the Virtual Office home page. The default version of this page shows a SonicWall logo, although your company's system Administrator might have customized this page to contain a logo and look and feel of your company. Go to the About Virtual Office on page 8 to learn more about the Virtual Office home page.
From the Virtual Office portal home page, you cannot navigate to the Administrator's environment. If you have Administrator's privileges and want to enter the Administrator environment, you need to go back to the login page and enter a username and password that have Administrator privileges, and log in again using the LocalDomain domain. Only the LocalDomain allows Administrator access to the management interface. Also note that the domain is independent of the privileges set up for the user.
SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview
12
Logging in as a user takes you directly to Virtual Office. The Virtual Office Home page displays as shown here.
The Virtual Office content varies based on the configuration of your network administrator. Some bookmarks and services described in the SonicWall Secure Mobile Access User documentation might not be displayed when you log in to the SMA appliance.
The Virtual Office can contain any of the nodes described in Virtual Office Node Descriptions.
Virtual Office Node Descriptions
Node File Shares
NetExtender
Classic Mode/Contemporary Mode ALERT Help
Description Provides access to the File Shares utility that gives remote users with a secure Web interface access to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft's familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall. Provides access to the NetExtender utility, a transparent SSL VPN client for Windows or Linux users that allows you to run any application securely on the remote network. On Windows, NetExtender is downloaded and installed using the SMA ConnectAgent. On Linux, NetExtender is downloaded and installed manually. After installation, NetExtender automatically launches and connects a virtual adapter for SSL secure NetExtender point-to-point access to permitted hosts and subnets on the internal network. Allows you to toggle between the Contemporary and the Classic modes.
Displays the notifications.
Provides a short list of common questions and tips about Virtual Office.
SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview
13
Virtual Office Node Descriptions
Node Online help
User icon Virtual Office Downloads Settings
Log Out
Description Launches the online help document. Displays the status of the user. Green indicates active; Yellow indicates idle. Click the <user icon> to access other options.
Allows you to access the Virtual Office home page from any page you are on. Provides a list of downloadable clients and applications. Provides the option to change user password and use single sign-on, if enabled by the Administrator. Logs you out of the Virtual Office environment.
The Home page provides customized content and links to network resources. The Home Page might contain support contact information, VPN instructions, company news, or technical updates.
Only a Web browser is required to access intranet web sites, File Shares, and FTP sites. SSHv2 provide strong encryption, requires Oracle JRE 1.4 or above and can only connect to servers that support SSHv2.
As examples of tasks you can do and environments you can reach through Virtual Office, you can connect to:
· Intranet Web or HTTPS sites If your organization supports Web-based email, such as Outlook Web Access, you can also access Web-based email
· The entire network by launching the NetExtender client
· FTP servers for uploading and downloading files
· The corporate network neighborhood for file sharing
· Telnet and SSH servers
· Desktops and desktop applications using Terminal Services or VNC.
· Email servers through the NetExtender client.
The Administrator determines what resources are available to users from the SonicWall Secure Mobile Access Virtual Office. The Administrator can create user, group, and global policies that disable access to certain machines or applications on the corporate network.
The Administrator might also define bookmarks, or preconfigured links, to Web sites or computers on the intranet. Additional bookmarks might be defined by the end user.
SonicWall NetExtender is a software application that enables remote users to securely connect to the remote network. With NetExtender, remote users can virtually join the remote network. Users can mount network drives, upload and download files, and access resources in the same way as if they were on the local network.
Logging Out of the Virtual Office
To end your session, click the <user icon> at the upper-right corner, and click Log Out from any page you are on within the portal.
When using the Virtual Office with the admin username, the Log Out option is not displayed. This is a security measure to ensure that Administrators log out of the administrative interface, and not the Virtual Office.
SonicWall Secure Mobile Access 10.0 User Guide Virtual Office Overview
14
Part 2
Using Secure Remote Access Features
· Using Secure Mobile Access Connect Agent · Using Virtual Office Authentication · Using NetExtender · Using File Shares · Managing Bookmarks
SonicWall Secure Mobile Access 10.0 User Guide Using Secure Remote Access Features
15
3
Using Secure Mobile Access Connect Agent
This section provides details on how to use the features of the SonicWall Secure Mobile Access (SMA) Connect Agents portal.
Topics:
· What is the Secure Mobile Access Connect Agent? on page 16 · Supported Operating Systems on page 16 · Downloading and Installation on page 17 · Setting Up the SMA Connect Agent on page 17 · End Point Control (EPC) on page 19 · PDA (Personal Device Authorization) on page 20
What is the Secure Mobile Access Connect Agent?
The Browser Plug-ins (NPAPI and ActiveX) are used to launch native applications such as NetExtender, EPC and so on. For security reasons, popular browsers block theses Plug-ins. The Chrome browser, for example, has disabled all NPAPI Plug-ins, and the newest Microsoft Edge browser does not support ActiveX. As such, the ease-of-use ability of launching directly from the browser is no longer functional, and a new method for seamless launching is necessary. There is another application to launch that opens a specific Scheme URL. There are some Schemes already defined in the Windows/OS X, such as mailto. The SMA Connect Agent uses the Scheme URL to replace the Browser Plug-ins. The SMA Connect Agent is like a bridge that receives the Scheme URL requests and launches the specific native application. To launch the Citrix Receiver through a Citrix bookmark, you must first install the SMA Connect Agent.
Supported Operating Systems
The SMA Connect Agent supports Windows (7, 8, and 10) as well as the Macintosh (OS X) operating systems.
SonicWall Secure Mobile Access 10.0 User Guide Using Secure Mobile Access Connect Agent
16
Downloading and Installation
After you enter your login credentials in the login page and click LOGIN, you will see the below prompt if the administrator has enabled the EPC check for your user account.
After you enter your login credentials in the login page and click LOGIN, you will see the below prompt if the administrator has enabled Enforce Device Register under Device Management settings for your user account.
On the Portal page, the download and install notification displays when the user attempts to launch Net-Extender, RDP Bookmark (Native), or Citrix Bookmark (Native):
· Download - Click Download to download and install SMA Connect Agent. After that, users can click Installed to tell the browser to 'remember' that the SMA Connect Agent has been installed, or click Continue just to bypass the page and log in to the StoreFront.
· Installed - the notification does not appear again. · Continue - closes the notification and continues the action. After the download is complete, install the SMA Connect Agent. The Windows installer is SMAConnectAgent.msi, the Macintosh installer is SMAConnectAgent.dmg. The Windows installer needs your permission to install, the Macintosh installer guides you to put the SMA Connect Agent in the /Application directory.
Setting Up the SMA Connect Agent
Topics: · Proxy Configuration on page 18 · Logs on page 18 · Browser Warning on page 18
SonicWall Secure Mobile Access 10.0 User Guide Using Secure Mobile Access Connect Agent
17
Proxy Configuration
SMA supports proxy deployment, where all client browsers are configured to redirect to a proxy server, but an appliance sits between the client browsers and the proxy server. All SMA features are supported in this scenario, including supporting domain exclusions when the domain is part of a virtual hosting server, or in some cloud deployments, wherein the same server IP can be used by multiple domains.
Additionally, typical data center server farms are fronted with a load balancer and/or reverse SSL Proxy to offload SSL processing on the servers. For a load balancer fronting the servers and doing decryption, the appliance usually only sees the IP of the load balancer, and the load balancer decrypts the content and determines the specific server to assign this connection to. DPI-SSL now has a global policy option to disable an IP-based exclusion cache. The exclusions continue to work even when the IP-based exclusion cache is off. The SMA Connect Agent can setup the proxy by user.
The connect agent will add an icon to the system tray if you run it manually. To access Proxy Configuration, double-click the tray icon.
There are four options to setup the proxy configuration:
· No Proxy - When no proxy server is configured, IPv6 attributes are discarded.
· Use system proxy settings -
· Manual proxy configuration -
· Automatic proxy configuration URL -
Logs
There is a Log tray on the system tool bar. You can right-click the tray and select the popup menu to view the logs.
Browser Warning
The Connect Agent will be launched by some actions such as NetExtender Connection, RDP-Native Bookmark launch, and Citrix bookmarks launch. When the Scheme URL tries to launch the SMA Connect
SonicWall Secure Mobile Access 10.0 User Guide Using Secure Mobile Access Connect Agent
18
Agent, some browsers may show an alert to confirm that you want to run the Connect Agent. Click Allow/Open link/Launch Application button to launch the Connect Agent. Chrome warning window In a Chrome warning window, click Open SonicWall SMA Connect Agent to launch the SMA Connect Agent.
Firefox warning window With a Firefox warning window, press Open link to launch the SMA Connect Agent.
End Point Control (EPC)
If the administrator has enabled the EPC check for your user account, the SMA Connect Agent supports doing an EPC check from the browser. In the login page, when you enter user credentials and click LOGIN, the browser launches the specific Scheme URL requesting the SMA Connect Agent to do the EPC check.
The SMA Connect Agent checks the EPC Service on the machine. If the EPC Service is not on the local machine or if there is a newer version on the Appliance, the SMA Connect Agent downloads/Installs or upgrades the EPC Service. After installing or upgrading, the SMA Connect Agent does the EPC check.
The EPC check is authenticated if the endpoint configuration matches the EPC device profile configuration, and you are denied or approved to access the Virtual Office according to the EPC device profile configuration set by your administrator. If the EPC check authentication fails, EPC check failed dialog box appears.
SonicWall Secure Mobile Access 10.0 User Guide Using Secure Mobile Access Connect Agent
19
· If the administrator has enabled Show EPC failed message in detail at client side option, the SMA Connect Agent records the detailed fail message in the log. Then, you can view the tray Log.
· You will receive a custom message when EPC check fails at the client side, if configured by the administrator.
PDA (Personal Device Authorization)
If the administrator has enabled the Enforce Device Register under Device Management settings, the SMA Connect Agent supports doing PDA authentication from the browser. In the login page, when you enter user credentials and click LOGIN, the SMA Connect Agent gets the information of the local machine and sends the information to the appliance. Click Accept in the security warning prompt to agree and proceed.
SonicWall Application
On the portal page, there are buttons you can click to launch supported SonicWall applications such as NetExtender.
SonicWall Secure Mobile Access 10.0 User Guide Using Secure Mobile Access Connect Agent
20
Using Virtual Office Authentication
This section provides details on how to use the authentication features of the SonicWall Secure Mobile Access (SMA) Virtual Office portal.
Topics:
· Importing Certificates on page 21 · Using Two-Factor Authentication on page 21 · Using One-Time Passwords on page 26
Importing Certificates
If the SMA appliance uses a self-signed SSL certificate for HTTPS authentication, then it is recommended to install the certificate before establishing a NetExtender connection. If you are unsure whether the certificate is self-signed or generated by a trusted root Certificate Authority, SonicWall recommends that you import the certificate.
NOTE: Certificates for browsers such as Chrome or Firefox must be imported manually.
When using the network logon method from the Windows login screen, NetExtender uses System Store for certificate-based authentication. When the user is already logged in to Windows, NetExtender uses the User Store for certificate-based authentication. A user who wants to use the network logon method when certificate authentication is also enabled should import his user certificate into the System Store as well as into the User Store.
Using Two-Factor Authentication
The following sections describe how to log in to the Secure Mobile Access Virtual Office portal using two-factor authentication:
· User Prerequisites on page 22 · RSA Two-Factor User Authentication Process on page 22 · VASCO Two-Factor User Authentication Process on page 24
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
21
User Prerequisites
Before you can log in using two-factor authentication, you must meet the following prerequisites: · Your Administrator has created your user account. · You have an account with a two-factor authentication server that conforms to the RFC standard.
RSA Two-Factor User Authentication Process
The following sections describe user tasks when using RSA two-factor authentication to log in to the Secure Mobile Access Virtual Office:
· Logging into Virtual Office Using RSA Two-Factor Authentication on page 22 · Creating a New PIN on page 23 · Waiting for the Next Token on page 24
Logging into Virtual Office Using RSA Two-Factor Authentication
To log in to the SonicWall Secure Mobile Access Virtual Office using RSA two-factor authentication:
1 Enter the IP address of the SMA appliance in your browser and press Enter. 2 Select the appropriate domain from the Domain drop-down list and click NEXT.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
22
3 Type in your user name in the UserID field.
4 The first time you log in to the Virtual Office, your entry in the password field depends on whether your system requires a PIN: · If you already have a PIN, enter the passcode in the Password field. The passcode is the user PIN and the SecurID token code. For example, if the user's PIN is 8675 and the token code is 30966673, then the passcode is 867530966673. · If a PIN is required, but you do not yet have a PIN, enter the SecurID token code in the Password field. You are prompted to create a PIN. · If the RSA server does not require a PIN, simply enter the SecurID token code.
NOTE: Consult with your network administrator to determine if your configuration requires a PIN.
5 Click LOGIN.
Creating a New PIN
The RSA Authentication Manager automatically determines when users are required to create a new PIN. The SMA appliance prompts the user to enter new PIN.
To create a new PIN:
1 Enter the PIN in the New PIN field and again in the Confirm PIN field and then click OK. The PIN must be between four and eight characters long.
2 The RSA Authentication Manager verifies that the new PIN is acceptable. If the PIN is accepted, you are prompted to log in with the new passcode.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
23
Waiting for the Next Token
If user authentication fails three consecutive times, the RSA server requires the user to enter a new token. To complete authentication, the user is prompted to wait for the token to change and enter the new token.
VASCO Two-Factor User Authentication Process
The following sections describe user tasks when using RSA two-factor authentication: · Logging into Virtual Office Using VASCO Two-Factor Authentication on page 24 · Other RADIUS Server Two-Factor User Authentication Process on page 25
Logging into Virtual Office Using VASCO Two-Factor Authentication
To log in to the Secure Mobile Access Virtual Office using VASCO two-factor authentication:
1 Enter the IP address of the SMA appliance in your browser and press Enter. 2 Select the appropriate domain from the Domain drop-down list and click NEXT.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
24
3 Type in your user name in the UserID field.
4 Enter the passcode in the Password field. Your entry in the password field depends on whether your system requires a PIN: · If you already have a PIN, enter the passcode in the Password field. The passcode is the user PIN and the VASCO Digipass token code. For example, if the user's PIN is 8675 and the token code is 30966673, then the passcode is 867530966673. · If a PIN is required, but you do not yet have a PIN, enter the VASCO Digipass code in the Password field. You are prompted to create a PIN. · If the VASCO server does not require a PIN, simply enter the VASCO Digipass code. NOTE: Consult with your network Administrator to determine if your configuration requires a PIN.
5 Click LOGIN.
Other RADIUS Server Two-Factor User Authentication Process
To log in to the Virtual Office using another type of RADIUS server for two-factor authentication:
1 Enter the IP address of the SMA appliance in your browser and press Enter. 2 Select the appropriate domain from the Domain drop-down list and click NEXT.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
25
3 Type in your user name in the UserID field.
4 Enter your password in the Password field.
5 Click LOGIN.
6 You are prompted to enter additional information, the details of which depends on the type of RADIUS server used. The example below shows an M.ID RADIUS server that first prompts you to "Please enter the M.ID PIN." Enter the PIN in the Challenge field and then click OK.
7 You are then prompted to "Please enter the M.ID Passcode." Enter the passcode received through email or text message in the Challenge field and then click OK.
Using One-Time Passwords
The following sections describe how to use one-time passwords: · User Prerequisites on page 27 · Logging In with an Email One-Time Password on page 27 · Logging In with a Mobile App Time-based One-Time Password on page 29 · Logging In with an SMS One-Time Password on page 31 · Configuring One-Time Password Settings for E-mail on page 34 · Configuring One-Time Password Settings for Mobile App on page 35
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
26
· Configuring One-Time Password Settings for SMS on page 37 · Verifying User One-Time Password Configuration on page 39
User Prerequisites
Users must have a user account enabled in the Secure Mobile Access management interface. Only users enabled by the Administrator to use the One-Time Password feature needs to use the following procedure to log in. The Administrator must enable the One-Time Password feature and select from the following authentication methods:
· User discretion - Enables the user to select any one or all of the one-time password authentication methods enabled by the administrator. The user-discretion options are: E-mail, Mobile App, and Short Message.
· Use Email - Enables the user to use a code delivered in an email for one-time password authentication. · Use Mobile App - Enables the user to use a third-party mobile app code for one-time password
authentication.
NOTE: The user must download a compliant two-factor authentication app, such as Google Authenticator or Duo Mobile.
· Short Message - Enables the user to use an SMS code for one-time password authentication.
NOTE: In some countries, translation of mail to a Short Message Service (SMS) text is not supported; SMA must integrate with third-party SMS gateway providers such as Twilio, Nexmo, and Clickatell through their REST APIs to send outgoing SMA messages from one mobile number to others around the globe.
Logging In with an Email One-Time Password
To use the Email one-time password feature:
1 If you are not logged into the Secure Mobile Access Virtual Office user interface, open a web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
2 Select the appropriate domain from the Domain drop-down list.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
27
3 Type in your user name in the UserID field and your password in the Password field, and then Click LOGIN.
The below prompt appears.
4 You can use either email OTP or backup code to log in to the Virtual Office. · To complete authentication using an email OTP: 1) Log in to your email account to retrieve the one-time password. 2) Type or paste the one-time password into the Password field where prompted and then click VERIFY. You are logged in to the Virtual Office.
NOTE: One-time passwords are immediately deleted after a successful login, and cannot be used again. Unused one-time passwords expire according to each user's time-out policy.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
28
· To complete authentication using a personally generated backup code: 1) Click BACKUP CODE.
2) Open the backup code file to retrieve one of the backup codes. For information on generating backup codes, see Generating Backup Codes on page 33.
3) Type or paste the backup code into the Code field where prompted and then click VERIFY. NOTE: You can use each backup code only once.
You are logged in to the Virtual Office.
Logging In with a Mobile App Time-based One-Time Password
To use the mobile app time-based one-time password feature:
1 If you are not logged into the Secure Mobile Access Virtual Office user interface, open a web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
2 Select the appropriate domain from the Domain drop-down list.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
29
3 Type in your user name in the UserID field and your password in the Password field, and then click LOGIN.
The below prompt appears.
4 You can use either mobile application OTP or backup code to log in to the Virtual Office. · To complete authentication using mobile application OTP: 1) Open the selected two-factor authentication app and retrieve the verification code. 2) Type or paste the one-time password into the CODE field where prompted and then click VERIFY.
NOTE: One-time passwords are immediately deleted after a successful login, and cannot be used again. Unused one-time passwords expire according to each user's time-out policy.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
30
· To complete authentication using a personally generated backup code: 1) Click BACKUP CODE.
2) Open the backup code file to retrieve one of the backup codes. For information on generating backup codes, see Generating Backup Codes on page 33.
3) Type or paste the backup code into the Code field where prompted and then click VERIFY. NOTE: You can use each backup code only once.
You are logged in to the Virtual Office.
Logging In with an SMS One-Time Password
To use the SMS one-time password feature:
1 If you are not logged into the Secure Mobile Access Virtual Office user interface, open a web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
2 Select the appropriate domain from the Domain drop-down list.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
31
3 Type in your user name in the UserID field and your password in the Password field, and then click LOGIN.
4 You can use either an SMS OTP or backup code to log in to the Virtual Office. · To complete authentication using an SMS OTP: 1) Open the Messaging app and retrieve the verification code.
NOTE: If OTP is not sent to your mobile, you will see a notification saying the SMS delivery to your mobile is failed.
2) Type or paste the one-time password into the Code field where prompted and then click VERIFY.
NOTE: One-time passwords are immediately deleted after a successful login, and cannot be used again. Unused one-time passwords expire according to each user's time-out policy.
You are logged in to the Virtual Office. · To complete authentication using a personally generated backup code:
1) Click BACKUP CODE. 2) Open the backup code file to retrieve one of the backup codes. For information on
generating backup codes, Generating Backup Codes on page 33. 3) Type or paste the backup code into the Code field where prompted and then click VERIFY.
NOTE: You can use each backup code only once.
You are logged in to the Virtual Office.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
32
Generating Backup Codes
To generate backup codes:
1 If you are not logged into the Secure Mobile Access Virtual Office user interface, open a web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
2 Select the appropriate domain from the Domain drop-down menu. 3 Type in your user name in the UserID field and your password in the Password field, and then Click
LOGIN. 4 Complete the authentication if prompted.
The Virtual Office home page is displayed. 5 Click the user icon in the upper-right corner of the page and then click Settings.
6 In the ONE TIME PASSWORD SETTINGS section, click Generate Backup Code tab.
7 Click OK to save the file to your system. A file with backup codes is saved to your system. You can use each backup code only once.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
33
Configuring One-Time Password Settings for E-mail
NOTE: You can configure one-time password settings for Email only if the administrator has selected Email as one of the user-discretion options for login OTP authentication.
To configure One-Time Password settings for E-mail:
1 If you are not logged into the Secure Mobile Access Virtual Office user interface, open a web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
2 Select the appropriate domain from the Domain drop-down list. 3 Type in your user name in the User Name field and your password in the Password field, and then click
Login. 4 Click the user icon in the upper-right corner of the page and then click Settings.
5 In the one time password settings section:
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
34
a Enable One-Time Password. b Enable Use E-mail. c Enter your E-mail address in the E-mail domain box. d Click Accept.
The update successful message is displayed. 6 Optionally, select GENERATE BACKUP CODE to download a generated list of backup codes to use backup
code as an authentication mode to log in to Virtual Office.
Configuring One-Time Password Settings for Mobile App
NOTE: You can configure one-time password settings for mobile app only when the administrator has selected Mobile App as the login OTP authentication method.
To configure One-Time Password settings for Mobile App:
1 If you are not logged into the Secure Mobile Access Virtual Office user interface, open a web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
2 Select the appropriate domain from the Domain drop-down list. 3 Type in your user name in the User Name field and your password in the Password field, and then click
Login. 4 Click the user icon in the upper-right corner of the page and then click Settings.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
35
5 In the one time password settings section:
a Enable One-Time Password. b Enable Use Mobile App. c Click Bind Mobile APP. 6 In the MOBILE APP BINDING window, do the following to bind the mobile app to your user account:
d Install Google Authenticator, Duo, or Microsoft Authenticator on your phone. e Scan the QR code with the app or enter the text code that is displayed when you click text code to
your app to generate the OTP. f Enter the 6-digit OTP from the app in the Code field. g Click VERIFY. You will receive a message indicating the bind is successful.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
36
7 Click Accept. 8 Optionally, select GENERATE BACKUP CODE to download a generated list of backup codes to use backup
code as an authentication mode to log in to Virtual Office.
Configuring One-Time Passwords for SMS-Capable Phones
One-Time Passwords can be configured to be sent through email directly to SMS-capable phones. Contact your cell phone service provider for further information about enabling SMS. Below is a list of SMS email formats for selected major carriers, where 4085551212 represents a 10-digit telephone number and area code.
NOTE: These SMS email formats are for reference only. These email formats are subject to change and can vary. You might need additional service or information from your provider before using SMS. Contact the SMS provider directly to verify these formats and for further information on SMS services, options, and capabilities.
· Verizon: 4085551212@vtext.com · Sprint: 4085551212@messaging.sprintpcs.com · AT&T: 4085551212@mobile.att.net · Cingular: 4085551212@mobile.mycingular.com · T-Mobile: 4085551212@tmomail.net · Nextel: 4085551212@messaging.nextel.com · Virgin Mobile: 4085551212@vmobl.com · Qwest: 4085551212@qwestmp.com For a more complete list, see the SonicWall Secure Mobile Access Administration documentation.
Configuring One-Time Password Settings for SMS
NOTE: You can configure one-time password settings for SMS only when the administrator has selected Short Message as the login OTP authentication method.
To configure One-Time Password settings for Mobile App:
1 If you are not logged into the Secure Mobile Access Virtual Office user interface, open a web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
2 Select the appropriate domain from the Domain drop-down list. 3 Type in your user name in the UserID field and your password in the Password field, and then click
LOGIN.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
37
4 Click the user icon in the upper-right corner of the page and then click Settings. 5 In the one time password settings section:
a Enable One-Time Password.
b Enable Short Message.
c Select a template from the Template drop-down list.
d Enter your phone number registered with the cell phone service provider in the Phone Number box.
e Click Accept.
6 Optionally, select GENERATE BACKUP CODE to download a generated list of backup codes to use backup code as an authentication mode to log in to Virtual Office.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
38
Verifying User One-Time Password Configuration
If you are successfully logged in to Virtual Office, you have correctly used the One-Time Password feature.
If you cannot log in using the One-Time Password feature, verify the following:
· Are you able to log in to the Virtual Office without being prompted to check your email for a one-time password? If so, you have not been enabled to use the One-Time Password feature. Contact your Secure Mobile Access Administrator if you believe this is an error.
· Is your email address correct? If your email address has been entered incorrectly, contact your Secure Mobile Access Administrator to correct it.
· Is there no email with a one-time password? Wait a few minutes and refresh your email inbox. Check your spam filter. If there is no email after several minutes, try to log in again to generate a new one-time password.
· Have you accurately typed the one-time password in the correct field? Re-type or copy and paste the one-time password.
· Are you able to scan the QRCode? Have you downloaded an Authentication app? Download an Authentication app such as Google Authenticator or Duo Mobile.
· Did you bind the authentication app with mobile device? Contact you administrator if you are having trouble binding the authentication app with your mobile device.
· Did your one-time password expire? If your password is not accepted, open the authentication app and verify password is current. A new password will show, when the old password expires.
SonicWall Secure Mobile Access 10.0 User Guide Using Virtual Office Authentication
39
5
Using NetExtender
This section explains how to configure and use SonicWall NetExtender. Information about using Mobile Connect is also provided. Topics:
· User Prerequisites on page 40 · User Configuration Tasks on page 41
User Prerequisites
Prerequisites for Windows Clients
Windows clients must meet the following prerequisites to use NetExtender:
· One of the following platforms:
· Windows 10, Windows 7, Windows 2012, Windows Server 2008 R2
· One of the following browsers:
· Mozilla Firefox 16.0 and higher
· Google Chrome 22.0 and higher
· To initially install the NetExtender client, the user must be logged into the PC with administrative privileges.
· If the SMA gateway uses a self-signed SSL certificate for HTTPS authentication, it is necessary to install the certificate before establishing a NetExtender connection. If you are unsure if the certificate is self-signed or generated by a trusted root Certificate Authority, SonicWall recommends that you import the certificate. The easiest way to import the certificate is to click Import Certificate on the Virtual Office home page.
When using the network logon method from the Windows login screen, NetExtender uses System Store for certificate-based authentication. When the user is already logged in to Windows, NetExtender uses the User Store for certificate-based authentication. A user who wants to use the network logon method when certificate authentication is also enabled should import his user certificate into the System Store as well as into the User Store.
Prerequisites for Linux Clients
Linux 32-bit or 64-bit clients are supported for NetExtender when running one of the following distributions (32-bit or 64-bit):
· Linux Fedora Core 20 or higher, Ubuntu 12.04, 13.10, or higher, or OpenSUSE 10.3 or higher
The NetExtender client has been known to work on other distributions as well, but these are not officially supported.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
40
User Configuration Tasks
SonicWall NetExtender is a software application that enables remote users to securely connect to the remote network. With NetExtender, remote users can virtually join the remote network. Users can mount network drives, upload and download files, and access resources in the same way as if they were on the local network. The following sections describe how to use NetExtender on the various supported platforms:
Windows Platform Installation
· Installing NetExtender on page 41
Windows Platform Usage
· Launching NetExtender Directly from Your Computer on page 45 · Configuring NetExtender Properties on page 47 · Configuring NetExtender Connection Scripts on page 49 · Configuring Batch File Commands on page 50 · Configuring Proxy Settings on page 51 · Configuring NetExtender Log Properties on page 53 · Configuring NetExtender Advanced Properties on page 54 · Configuring NetExtender Acceleration Properties on page 54 · Configuring NetExtender Packet Capture Properties on page 55 · Configuring Language Properties on page 56 · Viewing the NetExtender Log on page 57 · Disconnecting NetExtender on page 57 · Upgrading NetExtender on page 58 · Changing Passwords on page 58 · Authentication Methods on page 58 · Uninstalling NetExtender on page 59 · Verifying NetExtender Operation from the System Tray on page 59 · Using the NetExtender Command Line Interface on page 60
Linux Platform
· Installing NetExtender on Linux on page 61 · Using NetExtender on Linux on page 63
Installing NetExtender
NOTE: The procedure for installing NetExtender is same for all supported browsers on Windows platform.
To install and launch NetExtender for the first time:
1 Log in to the Secure Mobile Access Virtual Office portal.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
41
2 Click NetExtender.
3 If you haven't installed the SMA Connect agent, you will see a prompt asking you to download the SMA Connect Agent. Download and install the SMA Connect Agent; allow SMA Connect agent to launch NetExtender from your browser. For detailed information, see Downloading and Installation on page 17 and Setting Up the SMA Connect Agent on page 17. NOTE: If the SMA Connect Agent is already installed, you may still see the prompt. Click Installed to ensure that you don't see the prompt again or click Continue to skip the prompt.
4 The NetExtender is downloaded automatically and the NetExtender installer launches. In the User Account Control prompt, click Yes to run the NetExtender installer. NetExtender is connected. You may see an error connecting to NetExtender, click Reconnect, and skip to step 17. NOTE: If you don't see the prompt, the NexEtender client hasn't downloaded automatically. Continue executing the next steps to download and install the NetExtender manually.
5 To download the NetExtender client manually: a Click <user icon> at the upper-right corner of the page. b Click Downloads. c Select your platform for manual download and click Save File. The file is saved in your Downloads folder.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
42
6 Navigate to your Downloads folder and double-click NXSetupU.exe to run the installer.
7 The User Account Control dialog displays. Click Yes in answer to the question, "Do you want to allow the following program to make changes to this computer?"
8 The SonicWall NetExtender Setup wizard is launched. The Welcome screen recommends that you close all other applications before starting the setup to avoid the need to restart your computer after the installation. When ready to proceed, click Next.
9 In the License Agreement screen, read the agreement, select I accept the terms of the License Agreement and then click Next.
10 In the Choose Install Location screen, optionally change the Destination Folder field by using Browse. Click Next.
11 In the Shortcuts screen, the following shortcut options are selected by default:
· Create a shortcut on StartMenu.
· Create a shortcut on QuickLaunch bar.
· Create a shortcut on Desktop
Clear the check boxes for any of these shortcut options that you do not want.
12 Click Install.
13 If a Windows Security dialog box asks, "Would you like to install this device software?", click Install.
14 In the Completing the SonicWall NetExtender Setup Wizard screen, leave the Run SonicWall NetExtender check box selected to launch NetExtender immediately, or clear the check box to complete the installation without launching NetExtender.
15 Click Finish.
16 If NetExtender is launched, type the IP address or FQDN of the SMA appliance into the Server field. This is the same server that you point your browser to when accessing the portal page to download NetExtender.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
43
17 In the Username field, type in your user name.
18 In the Password field, type in your password.
19 In the Domain field, type in the domain. This is the same domain shown in the Domain field of the login page when you access the portal in your browser.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
44
20 Click Connect. NetExtender takes a few seconds to connect to the server and verify your credentials. The NetExtender status window displays, indicating that NetExtender successfully connected. The
NetExtender icon
is displayed in the task bar.
The Status tab provides the following information:
Status tab field descriptions
Field Server
Client IP Sent
Received
Throughput
Description
Indicates the name of the server to which the NetExtender client is connected.
Indicates the IP address assigned to the NetExtender client.
Indicates the amount of traffic the NetExtender client has transmitted since initial connection.
Indicates the amount of traffic the NetExtender client has received since initial connection.
Indicates the current NetExtender throughput rate.
TIP: Closing the window (clicking the x icon in the upper right corner of the window) does not close the NetExtender session, but minimizes it to the system tray for continued operation.
21 To disconnect NetExtender, click Disconnect.
Launching NetExtender Directly from Your Computer
After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the Secure Mobile Access portal.
To launch NetExtender:
1 Navigate to Start > All Programs. 2 Select the SonicWall NetExtender folder, and then click SonicWall NetExtender. The NetExtender login
window is displayed.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
45
3 The IP address of the last SMA server you connected to is displayed in the Server field. To display a list of recent SMA servers you have connected to, click the arrow.
4 Enter your username and password.
5 The last domain you connected to is displayed in the Domain field.
NOTE: The NetExtender client reports an error message if the provided domain is invalid when you attempt to connect. Note that the domain names are case-sensitive.
6 The drop-down menu at the bottom of the window provides three options for remembering your username and password:
· Save user name & password if server allows
· Save user name only if server allows
· Always ask for user name & password
TIP: Having NetExtender save your user name and password can be a security risk and should not be enabled if there is a chance that other people could use your computer to access sensitive information on the network.
Pre-Filling the Key Fields While Installing with Microsoft Installer
Installing NetExtender through Microsoft Installer (MSI) now supports the use of default profile settings during the installation process where the default server and default domain can be pre-filled along with additional options that control whether the server and domain fields can be edited by a standard user. This feature is designed specifically for administrators who want their default servers and domains pre-set during the installation process.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
46
To set the default server and domain during the NetExtender Installation with Microsoft Installer,
1 On the Default Profile Setting page, enter the IP address of the Default Server in the appropriate field and the location of the Default Domain in the second field.
2 Disable Allow connections to other profiles to prevent users from connecting to other profiles. This setting disables the Server and Domain fields for editing on the login page of NetExtender.
3 Enable this option to allow those connections. If this option is not enabled, users are not able to add or delete profiles on the NetExtender properties page.
Configuring NetExtender Properties
To configure NetExtender properties:
1 Right click the icon displayed.
in the system tray and click Properties... The NetExtender Properties window is
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
47
Connection Profiles tab
The Connection Profiles tab displays the Secure Mobile Access connection profiles you have used, including the IP address of the SMA server, the domain, and the username.
2 To create a shortcut on your desktop that launches NetExtender with the specified profile, highlight the profile and click Create Shortcut.
3 To delete a profile, highlight it by clicking on it and then click Remove. Click Remove All to delete all connection profiles.
4 Click Apply to save your changes.
Settings Tab
The Settings tab allows you to customize the behavior of NetExtender.
5 To have NetExtender connect to a specific profile when starting up your computer, select Automatically connect with profile and select the profile from the drop-down list.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
48
6 To have NetExtender launch when you log in to your computer, select the Automatically start NetExtender UI. NetExtender starts, but is only displayed in the system tray. To have the NetExtender login window display, select Display NetExtender UI.
7 Select Minimize to the tray icon when NetExtender window is closed to have the NetExtender icon display in the system tray. If this option is not selected, you are only able to access the NetExtender UI through Window's program menu.
8 Select Minimize to the tray icon when NetExtender connected to have the NetExtender icon display in the system tray when you are connected.
9 Select Display Connect/Disconnect Tips from the System Tray to have NetExtender display tips when you mouse over the NetExtender icon.
10 Select Automatically reconnect when the connection is terminated to have NetExtender attempt to reconnect when it loses connection.
11 Select Automatically reconnect when computer resumed to have NetExtender reconnect when the computer resumes from a sleep or a locked mode.
12 Select Display precise number in connection status to display precise byte value information in the connection status.
13 Select Enable UI animations to enable the sliding animation effects in the UI.
14 Select Uninstall NetExtender automatically to have NetExtender uninstall every time you end a session.
15 Select Disconnect an active connection to have NetExtender log out of all of your SSL VPN sessions when you exit a NetExtender session.
16 Select Uninstall EPC Agent automatically to have the Endpoint Control Agent uninstalled when NetExtender is uninstalled from the system.
17 Click OK to save your changes.
Configuring NetExtender Connection Scripts
Secure Mobile Access provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or web sites.
To configure NetExtender Connection Scripts:
1 Right click the icon displayed.
in the task bar and click Properties... The NetExtender Preferences window is
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
49
2 Click Connection Scripts.
3 To enable the domain login script, select the Attempt to execute domain logon script check box. When enabled, NetExtender attempts to contact the domain controller and execute the login script. Optionally, you might now also select to Hide the console window. If this check box is not selected, the DOS console window remains open while the script runs.
NOTE: Enabling this feature might cause connection delays while remote client's printers and drives are mapped. Make sure the domain controller and any machines in the logon script are accessible through NetExtender routes.
4 To enable the script that runs when NetExtender connects, select the Automatically execute the batch file "NxConnect.bat" check box. Optionally, you can now also select to Hide the console window. If this check box is not selected, the DOS console window remains open while the script runs.
5 To enable the script that runs when NetExtender disconnects, select Automatically execute the batch file "NxDisconnect.bat."
6 Click Apply to save your changes.
Configuring Batch File Commands
NetExtender Connection Scripts can support any valid batch file commands. For more information on batch files, see the following Wikipedia entry: http://en.wikipedia.org/wiki/.bat. The following tasks provide an introduction to some commonly used batch file commands.
1 To configure the script that runs when NetExtender connects, click Edit "NxConnect.bat." The NxConnect.bat file is displayed.
2 To configure the script that runs when NetExtender disconnects, click Edit "NxDisconnect.bat." The NxConnect.bat file is displayed.
3 By default, the NxConnect.bat file contains examples of commands that can be configured, but no actual commands. Too add commands, scroll to the bottom of the file.
4 To map a network drive, enter a command in the following format:
net use drive-letter\\server\share password /user:Domain\name
For example to if the drive letter is z, the server name is engineering, the share is docs, the password is 1234, the user's domain is eng and the username is admin, the command would be the following:
net use z\\engineering\docs 1234 /user:eng\admin
5 To disconnect a network drive, enter a command in the following format:
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
50
net use drive-letter: /delete For example, to disconnect network drive z, enter the following command: net use z: /delete 6 To map a network printer, enter a command in the following format: net use LPT1 \\ServerName\PrinterName /user:Domain\name For example, if the server name is engineering, the printer name is color-print1, the domain name is eng, and the username is admin, the command would be the following: net use LPT1 \\engineering\color-print1 /user:eng\admin 7 To disconnect a network printer, enter a command in the following format: net use LPT1 /delete 8 To launch an application enter a command in the following format: C:\Path-to-Application\Application.exe 9 For example, to launch Microsoft Outlook, enter the following command: C:\Program Files\Microsoft Office\OFFICE11\outlook.exe 10 To open a Web site in your default browser, enter a command in the following format: start http://www.website.com 11 To open a file on your computer, enter a command in the following format: C:\Path-to-file\myFile.doc 12 When you have finished editing the scripts, save the file and close it.
Configuring Proxy Settings
Secure Mobile Access supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings.
To manually configure NetExtender proxy settings:
1 Right click the icon displayed.
in the task bar and click Preferences... The NetExtender Preferences window is
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
51
2 Click Proxy.
3 Select Enable proxy settings.
4 NetExtender provides three options for configuring proxy settings:
· Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD)) that can push the proxy settings script to the client automatically.
· Use automatic configuration script - If you know the location of the proxy settings script, select this option and enter the URL of the scrip in the Address field.
· Use proxy server - Select this option to enter the Address and Port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses that bypass the proxy server. If required, enter a User name and Password for the proxy server. If the proxy server requires a username and password, but you do not specify them in the Properties window, a NetExtender pop-up window prompts you to enter them when you first connect.
5 Click Apply to save your changes.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
52
Configuring NetExtender Log Properties
Within the NetExtender Properties dialog box, click the Log heading in the menu on the left panel. The available options provide basic control over the NetExtender Log and Debug Log.
1 To establish the size of the NetExtender Log, select either Unlimited log file size or Set maximum log file size to. If you choose to set a maximum size, use the adjoining arrows. To clear the NetExtender Log, select Clear NetExtender Log.
2 To Enable the NetExtender Debug Log, select the corresponding check box. To clear the debug log, select Clear Debug Log.
3 Click Log Viewer... to view the current NetExtender log. 4 Click Apply to save your changes.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
53
Configuring NetExtender Advanced Properties
Within the NetExtender Properties dialog box, click the Advanced heading in the menu on the left panel. The available options allow you to adjust advanced settings on NetExtender network properties and protocols.
NetExtender allows users to customize the link speed that the NetExtender adapter reports to the operating system.
1 To select a virtual link speed to report, select either Report the underlying network speed to OS, or select Report a fixed speed and designate a speed. NOTE: Users can click Advanced Network Properties to make adjustments. However, modifying these settings could impact NetExtender performance and/or functionality. It is recommended to only make changes here if advised to do so by SonicWall support.
2 Click OK to save your changes.
Configuring NetExtender Acceleration Properties
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
54
Configuring NetExtender Packet Capture Properties
Within the NetExtender Properties dialog box, click the Packet Capture heading in the menu on the left panel. The available options allow you to enable and disable packet capture and data compression on NetExtender.
NOTE: You must have Administrator privileges to change packet capture settings.
To configure packet capture, complete the following steps:
1 To enable packet capture, select Enable NetExtender packet capture.
2 If packet capture is enabled, clear all captured packet data when NetExtender exits by selecting Clear the capture when NetExtender exits. To disable packet capture, clear this check box.
3 If packet capture is enabled, clear all captured packet data when NetExtender exits by selecting Clear the capture when NetExtender exits. To retain packet data, clear this check box.
4 To enable data compression of captured packets, select Enable data compression. To disable data compression the next time NetExtender is connected, clear this box. If packet capture is enabled when NetExtender connects and you want to disable data compression immediately (instead of waiting until the next time NetExtender is connected), select Attempt to disable data compression during packet capture.
5 Click Apply to save your changes.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
55
Configuring Language Properties
Within the NetExtender Properties dialog box, click the Languages heading in the menu on the left panel. The available options allow you to select your language settings or import other language packs on NetExtender.
To configure language properties, complete the following steps:
1 The Language drop-down list allows you to select the available languages on NetExtender. The default language is English. After you select a language from the drop-down list, click OK. Restart NetExtender for the new language to be applied.
2 Import allows you to upload a new language pack to NetExtender. Click Import. Select the language pack you want to import. Click Open. NOTE: Language packs must be in .ZIP format. After the import, the language displays in the Language drop-down list.
3 Click Apply to save your changes.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
56
Viewing the NetExtender Log
The NetExtender log displays information on NetExtender session events. The log is a file named NetExtender.dbg. It is stored in the directory: C:\Program Files\SonicWall\SSL VPN\NetExtender. To view the NetExtender log, right click the NetExtender icon in the system tray, and click View Log, click the Log icon on the main status page.
To view details of a log message, double-click a log entry, or go to View > Log Detail to open the Log Detail pane. To save the log, either click the Export icon or go to Log > Export. To filter the log to display entries from a specific duration of time, go to the Filter menu and select the cutoff threshold. To filter the log by type of entry, go to Filter > Level and select one of the level categories. The available options are Fatal, Error, Warning, and Info, in descending order of severity. The log displays all entries that match or exceed the severity level. For example, when selecting the Error level, the log displays all Error and Fatal entries, but not Warning or Info entries. To view the Debug Log, either click the Debug Log icon or go to Log > Debug Log.
NOTE: It could take several minutes for the Debug Log to load. During this time, the Log window is not accessible, although you can open a new Log window while the Debug Log is loading.
To clear the log, click Log > Clear Log.
Disconnecting NetExtender
To disconnect NetExtender:
1 Right click the NetExtender icon in the system tray to display the NetExtender icon menu and click Disconnect.
2 The NetExtender session disconnects after few seconds. You can also disconnect by double-clicking on the NetExtender icon to open the NetExtender window and then clicking Disconnect. When NetExtender is disconnected, the NetExtender window displays and gives you the option to either Reconnect or Close NetExtender.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
57
Upgrading NetExtender
NetExtender automatically notifies users when an updated version of NetExtender is available. Users are prompted to click OK and NetExtender downloads and installs the update from the SMA security appliance.
Changing Passwords
Before connecting to the new version of NetExtender, users might be required to reset their password by suppling their old password, along with providing and re-verifying a new one.
Authentication Methods
NetExtender supports various two factor authentication methods, including one-time password, RSA, and Vasco. If an Administrator has configured one-time passwords to be required to connect through NetExtender, you are asked to provide this information before connecting.
If an Administrator has configured RSA pin-mode authentication to be required to connect through NetExtender, users are asked whether they want to create their own pin, or receive one that is system-generated.
After the pin has been accepted, you must wait for the token to change before logging in to NetExtender with the new passcode.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
58
During authentication, the SMA server can be configured by the Administrator to request a client certificate. In this case, users must select a client certificate to use when connecting.
Uninstalling NetExtender
The NetExtender utility is automatically installed on your computer. To remove NetExtender, click Start > All Programs, click SonicWall NetExtender, and then click Uninstall. You can also configure NetExtender to automatically uninstall when your session is disconnected.
To configure NetExtender to automatically uninstall when your session is disconnected:
1 Right click the NetExtender icon Properties window is displayed.
in the system tray and click Properties... The NetExtender
2 Click the Settings tab.
3 Select Uninstall NetExtender automatically to have NetExtender uninstall every time you end a session.
4 Click Apply.
Verifying NetExtender Operation from the System Tray
To view options in the NetExtender system tray, right-click the NetExtender icon in the system tray. The following are some tasks you can complete with the system tray.
Displaying Route Information
To display the routes that NetExtender has installed on your system, click the Route Information option in the system tray menu. The system tray menu displays the default route and the associated subnet mask.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
59
Displaying Connection Information
You can display connection information by mousing over the NetExtender icon in the system tray.
Using the NetExtender Command Line Interface
NOTE: The NetExtender command line interface is only available on Windows platforms.
To launch the NetExtender CLI:
1 Launch the Windows Command Prompt by going to the Start menu, select Run, enter cmd, and click OK.
2 Change directory to where NetExtender is installed. To do this, you first must move up to the root drive by entering the cd .. command. Repeat this command until you are at the root drive. Then enter cd Program Files\SonicWall\SSL-VPN\NetExtender.
NOTE: The specific command directory could be different on your computer. Use Windows Explorer to find the directory path where NetExtender is located.
Below, NetExtender CLI commands and options describes the commands available in the NetExtender CLI and their options.
NetExtender CLI commands and options
Command NECLI addprofile NECLI connect
NECLI deleteprofile
Option
Description
Creates a NetExtender profile
-s server
The IP address or hostname of the SMA server.
-u user-name
The username for the account.
-p password
The password for the account.
-d domain-name
The domain to connect to.
Initiates a NetExtender session.
-s server
The IP address or hostname of the SMA server.
-u user-name
The username for the account.
-p password
The password for the account.
-d domain-name
The domain to connect to.
- clientcertificatethumb thumb
The SSL Client Certificate thumbprint value.
- clientcertificatename name The SSL Client Certificate name.
Deletes a saved NetExtender profile.
-s server
The IP address or hostname of the SMA server.
-u user-name
The username for the account.
-d domain-name
The domain to connect to.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
60
NetExtender CLI commands and options (Continued)
Command NECLI disconnect
Option timeout
NECLI displayprofile
-s server
-u user-name
-d domain-name
NECLI queryproxy NECLI reconnect NECLI showstatus
NECLI setproxy
-t [0 |1 | 2 | 3]
NECLI viewlog
-s proxy address -o port -u user name -p password -b bypass-proxy -save
Description Disconnects (Optional) Timeout duration, after which the session is disconnected. Displays all NetExtender profiles. (Optional) Displays only the profiles that are saved for the specified server. (Optional) Displays only the profiles that are saved for the specified user name. (Optional) Displays only the profiles that are saved for the specified domain name. Checks the connect to the proxy server. Attempts to reconnect to the server. Displays the status of the current NetExtender session. Configures proxy settings for NetExtender. There are three options for setting proxy settings: 0 - Disable proxy. 1 - Automatically detects proxy settings. The proxy server must support Web Proxy Auto Discovery Protocol (WPAD). 2 - Uses a proxy configuration script. 3 - Manually configure the proxy server. The address of the proxy script or proxy server. The port number. The user name for the proxy server. The password name for the proxy server. Bypasses the previously configured proxy settings. Saves the proxy settings. Displays the NetExtender log.
Installing NetExtender on Linux
Secure Mobile Access supports NetExtender on Linux. To use NetExtender on your Linux system, your system must meet the following prerequisites:
· i386-compatible distribution of Linux · Linux Fedora Core 15 or higher, Ubuntu 11.10 or higher, or OpenSUSE 10.3 or higher
To install NetExtender on your Linux system:
1 Log in to the SonicWall Virtual Office.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
61
2 Click NetExtender. A pop-up window indicates that you have chosen to open a .tgz file. Click OK to save it to your default download directory.
NOTE: You must be logged in as root to install NetExtender, although many Linux systems allows the sudo ./install command to be used if you are not logged in as root.
3 To install NetExtender from the CLI, navigate to the directory where you saved the .tgz file and enter the tar -zxf NetExtender.tgz command.
4 Enter the cd netExtenderClient/ command.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
62
5 Enter su -C " ./install" to install NetExtender.
6 Enter your system password. 7 The installer asks if you want non-root users to be able to run NetExtender. Enter either y for yes or n for
no.
NOTE: To allow non-root users to run NetExtender, the installer sets PPPD to run as root. This could be considered a security risk.
Using NetExtender on Linux
To use NetExtender on a Linux computer:
1 After NetExtender is installed, there are two methods to launch it: · Click the NetExtender icon in the Applications menu, under either the Internet or Network category. · Enter the netExtenderGui command.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
63
2 The first time you connect, you must enter the SMA server name in the Server field. NetExtender remembers the server name.
3 Enter your username and password. 4 The first time you connect, you must enter the domain name. The domain name is case-sensitive.
NetExtender remembers the domain name in the future. 5 To view the NetExtender routes, select the Routes tab in the main NetExtender window.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
64
6 To view the NetExtender DNS server information, select the DNS tab in the main NetExtender window. 7 To configure NetExtender Preferences, select NetExtender > Preferences.
8 The following NetExtender settings can be configured: · Automatically reconnect when the connection is terminated · Uninstall NetExtender automatically when exiting the application · DNS server options: · Try remote DNS servers first, then try local DNS servers · Only use remote DNS servers · Only use local DNS servers
9 The Advanced tab of the NetExtender Preferences window provides two additional options: · MTU - Sets the Maximum Transmission Unit (MTU) size that is the largest packet size that a router can forward without needing to fragment the packet.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
65
· PPP Sync Mode - Specifies synchronous PPP. By default, this option is disabled and asynchronous PPP is used.
10 To view the NetExtender Log, go to NetExtender > Log.
11 To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
12 Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.
SonicWall Secure Mobile Access 10.0 User Guide Using NetExtender
66
6
Using Mobile Connect
SonicWall Mobile Connect serves the same function as NetExtender on iOS, Android, Mac OS X, Windows Phone, Windows 10, and ChromeOS. Mobile Connect is an app that, like NetExtender, uses SSL VPN to enable secure, mobile connections to private networks protected by SonicWall security appliances. For information about installing and using SonicWall Mobile Connect, see the SonicWall Mobile Connect User documentation for your device at: https://www.sonicwall.com/support/technical-documentation/. Mobile Connect is compatible with Secure Mobile Access and is a free download from the app store for the type of device. Mobile Connect acts as a NetExtender client when connecting to Secure Mobile Access. For Mobile Connect access to succeed, the portal must be set to allow NetExtender connections and the user account and group must be authorized to use NetExtender.
Prerequisites for Apple iOS Clients
SonicWall Mobile Connect 5.0 is supported on Apple iPhone, iPad, and iPod Touch devices running Apple iOS. For a list of specific supported devices, see the SonicWall Mobile Connect iOS User documentation. To use SonicWall Mobile Connect, iOS 10.0 or higher is required on the device.
Prerequisites for Android Smartphone Clients
SonicWall Mobile Connect 5.0 is supported on smartphones running Android. To use SonicWall Mobile Connect, Android 4.1 or higher is required on the device.
SonicWall Secure Mobile Access 10.0 User Guide Using Mobile Connect
67
Using File Shares
File shares provide remote users with a secure HTML-based interface to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft's familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall.
Topics:
· Using HTML-based File Shares on page 68 · Downloading Files and Folders using HTML5 File Share on page 70
Using HTML-based File Shares
File shares provide remote users with a secure Web interface to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft's familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall.
NOTE: The server can be specified either by name or by IP address, for example, \\moosedc or \\10.50.165.2. For names to work, it is necessary that DNS and/or WINS be properly configured by the Administrator on the SMA appliance to be able to resolve host names.
To create a file share:
1 Click File Shares. Virtual Office displays a dialog box that provides a hot link to a login prompt.
NOTE: Pop-up window blockers might prevent File Shares from functioning properly. Configure your browser to allow pop-up windows on the Secure Mobile Access portal site.
SonicWall Secure Mobile Access 10.0 User Guide Using File Shares
68
2 To specify a new share path (as an example, \\moosedc) in the Address field. You need to precede the share name with two back slashes. For example: \\file-directory01.example.com.
3 To connect to a pre-existing file share, click the Login to Server link next to the file share name. 4 Click the go prompt to display the Enter Network Password dialog box. 5 Type a valid username in the User Name field and a valid password in the Password field and click Login.
6 Virtual Office displays the home File Share screen that you have specified, displaying folders on the network to which you can navigate.
Below, File Share Controls describes the controls at the top of the File Share window.
File Share Controls
Button Reload New
Description Reloads the current folder to display any changes. Creates new folder at the specified location.
SonicWall Secure Mobile Access 10.0 User Guide Using File Shares
69
File Share Controls Button Delete
Rename
Upload Download Bookmark Logout Bookmarks
Description
Deletes the selected folder or folders. Note that only empty folders can be deleted. If there are files in the folder, an error message is displayed. Delete all files out of the folder and then delete the folder.
Renames a selected folder or file. After you rename a file or folder, click <right mark> to save it or <wrong mark> to discard the changes. Uploads selected files or folders to the specified folder.
Downloads selected files and folders.
Creates a new bookmark to the current File Share location. Logs out of the File Share service.
Lists the bookmarks.
7 You can now navigate the folders and files in the File Share as you would through Windows Explorer or other file management systems.
8 To add a new folder in the current File Share location, type the name of the folder in the Add New Folder Name field and click OK.
9 To add files in the current File Share location, click Upload. In the Upload dialog box, click Choose Files to navigate to the location of the file on your computer, select the files and click Open.
Downloading Files and Folders using HTML5 File Share
You can download multiple files and folders in one tarball, or download them one-by-one. 1 In the File Share screen, select the files for download. 2 Click Download at the top of the page.
SonicWall Secure Mobile Access 10.0 User Guide Using File Shares
70
3 In the prompt that appears, select:
· Tar Download--to download multiple files/folder in a tar file. · Download--to download files one-by-one.
SonicWall Secure Mobile Access 10.0 User Guide Using File Shares
71
8
Managing Bookmarks
Bookmarks are objects that enable you to connect to a location or application conveniently and quickly. The Virtual Office Bookmark system allows bookmarks to be created at the group and user levels. The Administrator can create both group and user bookmarks which applies to applicable users while individual users can create only personal (user-level) bookmarks. Because bookmarks are stored within the security appliance's local configuration files, it is necessary for group and user bookmarks to be correlated to defined group and user entities. When working with local groups and users (LocalDomain), this is automated since the Administrator must manually define the groups and users on the device. Similarly, when working with external groups (not LocalDomain), the correlation is automated since creating an external domain creates a corresponding local group. However, when working with external users, a local user entity must exist so that any user-created (personal) bookmarks can be stored within the SMA appliance's configuration files. The need to store bookmarks on the SMA appliance itself is because LDAP, RADIUS, and NT authentication external domains do not provide a direct facility to store such information as bookmarks. Rather than requiring Administrators to manually create local users for external domain users wishing to use personal bookmarks, Secure Mobile Access automatically creates a corresponding local user entity when an external domain user logs in to the Virtual Office. The following sections describe basic bookmark tasks:
· Adding Bookmarks on page 72 · Editing Bookmarks on page 85 · Removing Bookmarks on page 85 · Using Bookmarks on page 85
Adding Bookmarks
Bookmarks provide a convenient way for you to access Web, FTP, or other services on the remote network that you connect to frequently.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
72
To define bookmarks:
1 In the Virtual Office window at the top of the bookmarks table, click +.
2 In the Add Bookmark screen, enter a name in the Bookmark Name field.
3 Enter the domain name, IP address, or IPv6 address of a host machine on the LAN in the Name or IP Address field. IPv6 addresses should be enclosed in brackets (meaning the [ and ] symbols). You can also enter the wildcard variable %USERNAME% to display the current user name. Variables are case-sensitive.
4 In the Description field, optionally enter a friendly description to be displayed in the bookmark table.
5 In the Categories field, optionally enter a comma-separated list of tabs where this bookmark should appear. Standard tabs (Desktop, Web, Files, Terminal, and Mobile) do not need to be specified. For example, Favorites, Tab 1, Tab 2.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
73
6 Select the service type in the Service drop-down list. You can select from the following services: Desktop · Terminal Services (RDP) · Virtual Network Computing (VNC) · Citrix Portal (Citrix) Web · Web (HTTP) · Secure Web (HTTPS) · External Web Site · Mobile Connect Files · File Shares (CIFS) · File Transfer Protocol (FTP) · SSH File Transfer Protocol (SFTP) Terminal · Telnet · Secure Shell version 2 (SSHv2)
7 Enable Automatic log in to configure automatic login credentials. The options are: · Use SSL VPN account credentials (default) · Use custom credentials
8 To display bookmarks in Mobile Client Connect, enable Display Bookmark in Mobile Connect clients. The options to configure are: · Launch in Mobile Connect Secure Web Browser (selected by default) · Allow Edit URL in Secure Web Browser
9 Click ACCEPT to create the new bookmark. The following sections provide additional details about adding the different types of bookmarks:
· RDP Bookmarks on page 75 · VNC Bookmarks on page 79 · Citrix Bookmarks on page 81 · Web Bookmarks on page 84 · Mobile Connect Bookmarks on page 84 · FTP Bookmarks on page 84 · SSHv2 Bookmarks on page 84 After the configuration has been updated, the new bookmark is displayed in the Virtual Office Bookmarks table. Click a bookmark description to go to the bookmark location that you have defined.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
74
RDP Bookmarks
RDP bookmarks offer several features that are not available in other bookmarks.
For information about configuring the remote computer to allow RDP access, see: · Determining the Remote Computer's Full Name or IP Address on page 79 · Configuring Remote Desktop Access on the Remote Computer on page 79
To create an RDP bookmark:
1 Enter the desired Bookmark Name. 2 Enter the Name or IP Address of the resource you are trying to reach. You can also use an IPv6 address. 3 In the Description field, type a brief description of the bookmark. 4 In the Categories field, create a comma-separate list of categories showing where the bookmark should
be displayed. 5 Select Terminal Services (RDP) from the Service drop-down list.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
75
6 Continue to configure the RDP Bookmark. RDP Bookmark Options provides information about the settings.
RDP Bookmark Options Option Screen Size
Colors
Usage
Select the default screen size to be used when users execute this bookmark. It is advised that you select a size equal to or smaller than your current desktop screen size. RDP bookmarks also have a full-screen option that displays the RDP window in full screen mode. To toggle from the RDP window back to your desktop, press Alt-Tab.
Select the default color depth to be used when users execute this bookmark.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
76
RDP Bookmark Options (Continued)
Option
Usage
Access Type Selection
· Smart: Allows the firmware to decide which mode to launch on the client.
When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark.
· Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.
Enable wake-on-LAN
Select this option to send WoL packets to the host. This option also allows entering one or more Mac/Ethernet Addresses (separated by spaces) for the machines to wake and the desired Wait time for boot-up before canceling the WoL operation. To send the WoL packet to the hostname or IP of this bookmark, select the Send WOL packet to bookmark host Name or IP address check box, this option can be applied in tandem with a Mac address.
Application and Path
To have the RDP session launch an application when the bookmark is initiated, enter the path to the application in the Application and Path (optional): field. For example, C:\Program Files\Example\app.exe (optional).
Start in the following folder Enter the local folder to execute application commands in (optional).
Command-line arguments
Type any command-line arguments required to access the remote application.
Client computer name
Type the client computer name.
Login as console/admin session Select this option to enable console and admin commands on login.
Server is TS Farm
Select this option if users connect to a TS Farm or load balanced server. You might need to disable interactive login for this option to work properly.
Load Balance Info:
Enter the Terminal Services Broker information in the Load Balance Info box, such as tsv://MS Terminal Services Plugin.1.SSLVPN. Maximum length is 1024 characters. For the bookmark with complex options (like RDP), options are mixed from all the modes and distinguished with tips like *non-html5, or *for html5.
Default keyboard layout
For RDP - HTML5, select the Default Language from the drop-down menu.
Show advanced Windows options
Expand Show windows advanced options and select any of the redirect check boxes, as well as any of the additional listed features for use in this bookmark session.
You can select any of the following options as well: Font smoothing, Span monitors, Dual monitors, Desktop composition, and Remote Application.
Desktop background
Menu/window animation
Show window contents while dragging/resizing
Note: This option is available in Windows client and Mac client running Mac os10.5 or above, with RDP installed.
Select this option to view or hide the desktop wallpaper on the remote machine.
Select this option to enable or disable menu/windows animation on the remote machine.
Select this option to enable or disable show windows contents while dragging or resizing.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
77
RDP Bookmark Options (Continued)
Option Redirect clipboard
Usage Select this option to save text to the clipboard for use on the desktop.
File Share (HTML5 only)
Redirect ports (non-HTML5)
Display connection bar (non-HTML5) Redirect printers
Note: HTML5 only supports copy/paste text on desktop. This option is not available on mobile devices.
Select this option to enable file share between the local and the remote machines.
Select this option to copy/paste text between the local and remote machine. When this option is not selected, the copy/paste option is only available on the remote machine.
Select this option to show or hide the connection bar on the remote machine.
Select this option to enable redirect Microsoft Print to PDF printer driver. Available drivers include MS Publisher Imagesetter and Microsoft Print to PDF.
Auto-reconnection Visual styles
Note: Microsoft Print to PDF driver option is only available on Windows 10 and Windows Server 2016.
Select this option to enable auto-reconnection when a session is disconnected.
Select this option to get better view quality. This setting is recommended for large bandwidth networks.
Remote copy (HTML5 only)
Redirect drives (non-HTML5) Redirect SmartCards Bitmap caching (non-HTML5) Automatically log in
Display Bookmark to Mobile Connect clients
Launch in Mobile
Note: This setting impacts performance.
Select this option to enable copy text between the local and remote machines.
Select this option to redirect drives.
Select this option to redirect SmartCards.
Select this option to enable bitmap caching.
Select this option and select Use SSL VPN account credentials to forward credentials from the current SSL VPN session. Select Use custom credentials to enter a custom username, password, and domain for this bookmark.
Select this option to display bookmarks to Mobile Connect clients running Mobile Connect 2.0 or higher. Some devices might require supported third-party applications for this feature to work properly.
Select this option to launch this bookmark in a Mobile Connect Secure Web Browser instead of the configured third party web browser. Enabling this option overrides the Mobile Connect client bookmark setting for web bookmarks.
Allow Edit URL in Secure Web Browser
Note: Option only available on Mobile Connect running version 5.0 or newer.
Select this option to enable the user to edit the bookmark URL in a Secure Web Browser.
7 When you are finished. Click Add to add this bookmark to your Virtual Office list.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
78
Determining the Remote Computer's Full Name or IP Address
To determine the full name of the computer to which the RDP bookmark is pointing:
1 Right click the My Computer icon on the desktop of the remote computer, and select Properties. 2 Click the Remote tab. 3 The full computer name is listed under Remote Desktop.
To determine the IP address of your computer.
1 In the Windows Start menu on the remote computer, navigate to Run... 2 Type cmd to open the command interpreter and click OK. 3 Type ipconfig. The IP address of your computer is displayed.
Configuring Remote Desktop Access on the Remote Computer
To allow remote desktop access to the computer that is the target of the RDP bookmark:
1 Right-click the My Computer icon on the desktop, and select Properties. 2 Click the Remote tab. 3 Under Remote Desktop, select the check box for Allow connections from computers running any
version of Remote Desktop (less secure). By default, RDP has Transport Layer Security (TLS) enabled. To use Network Level Authentication (NLA), which is a security enhancement for computers using RDP bookmarks, click the check box for Allow connections only from computer running Remote Desktop with Network Level Authentication (more secure). 4 Click OK.
VNC Bookmarks
For VNC bookmarks, you can select the following options:
To create a VNC bookmark, do the following:
1 Enter the desired Bookmark Name. 2 Enter the Name or IP Address of the resource you are trying to reach. You can also use a hostname or an
IPv6 address. 3 In the Description field, enter a friendly description to be displayed in the bookmark table. 4 In the Categories field, create a comma-separate list of categories showing where the bookmark should
be displayed. Standard categories (Desktop, Web, Files, Terminal, Mobile) do not need to be included.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
79
5 In the Services field, select Virtual Network Computing (VNC) from the drop-down menu. The VNC HTML5 Options and VNC Common Options menus appear.
6 For VNC HTML5 Bookmark Options, you can select the following options: · For automatic login, select Automatically log in and then select from the following credentials: · Use SSL VPN account credentials to login with user credentials. · Use customer credentials allows you to select a unique password for login.
7 Continue to configure the VNC Common Bookmark Options. The VNC Common Options table provides information about the settings.
VNC Common Options Option Encoding Compression Level
JPEG Image Quality
Default Tight Default
6
Description of Options
Hextile is a good choice for fast networks, while Tight is better suited for low-bandwidth connections.
Use specified compression level for Tight and Zlib encodings. Level 1 uses minimum of CPU time on the server but achieves weak compression ratios. Level 9 offers best compression but might be slow in terms of CPU time consumption on the server side. Use high levels with very slow network connections, and low levels when working over higher-speed networks. The Default value means that the server's default compression level should be used.
Choose a value between 0-9, with 0 being the lowest quality value and 9 as the highest image quality value.
If set to JPEG off, then no JPEG format is used for images.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
80
VNC Common Options (Continued)
Option Cursor Shape Updates
Default Enable
Remote Paste Keys Use CopyRect
Ctrl + V Yes
Restricted Colors
No
View Only
No
Share Desktop
Yes
Remote Copy
Yes
Display Bookmark to
Yes
Mobile Connect clients
Description of Options
Cursor shape updates is a protocol extension used to handle remote cursor movements locally on the client side, saving bandwidth and eliminating delays in mouse pointer movement. Note that current implementation of cursor shape updates does not allow a client to track mouse cursor position at the server side. This means that clients would not see mouse cursor movements if the mouse was moved either locally on the server, or by another remote VNC client.
Set this parameter to Disable if you always want to see real cursor position on the remote side. Setting this option to Ignore is similar to Enable but the remote cursor is not visible at all. This can be a reasonable setting if you don't care about cursor shape and don't want to see two mouse cursors, one above another.
Select remote paste shortcut key combinations. Options include setting this option to Alt + V, Ctrl + V, and Meta + V
CopyRect saves bandwidth and drawing time when parts of the remote screen are moving around. Most likely, you don't want to change this setting.
If set to No, then 24-bit color format is used to represent pixel data. If set to Yes, then only 8 bits are used to represent each pixel. 8-bit color format can save bandwidth, but colors might look very inaccurate.
If set to Yes, then all keyboard and mouse events in the desktop window is silently ignored and is not passed to the remote side.
If set to Yes, then the desktop can be shared between clients. If this option is set to No then an existing user session ends when a new user accesses the desktop.
If set to Yes, then the user can copy text between the VNC client and the server.
Select the Display Bookmark to Mobile Connect clients check box to enable bookmark viewing on Mobile Connect clients. Mobile Connect must be running version 2.0 or newer to view and access this bookmark.
8 Click Ok. The bookmark is added to the available bookmarks listed on the Virtual Office home page.
Citrix Bookmarks
For Citrix bookmarks, you can select the following options:
· Disable client detection by Citrix server check box is selected by default. Clear the selection of Disable client detection by Citrix server to enable client detection when using Citrix Bookmarks. Note that this feature is compatible with Citrix XenAPP 5.0 or later.
· Select the HTTPS Mode check box to use a secure Citrix connection.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
81
· Select Always use specified Citrix ICA Server to explicitly specify the Citrix ICA Server Address for the Citrix ICA Session. By default, the Bookmark uses the information provided in the ICA configuration on the Citrix server. · Smart: Allows the firmware to decide which mode to launch on the client.
When creating a new unified bookmark, Smart is selected by default. Auto-detection is processed using bookmark-specific default modes while launching the bookmark. · Manual: Provides options to configure the modes, their priorities, and the choose method. At least one mode should be enabled in the selection box.
The launch sequence is as follows: HTML5 and Native. Selecting Manual allows you to change, enable, or disable the launch methods. If you select Native to launch the Citrix bookmark, then the SMA Connect Agent launches the Citrix Receiver on the local machine to do the Citrix connection. Both should be installed before choosing Native. If you choose to run as HTML5, the Citrix HTML5 client is used to view the Citrix3 backend host. The up and down arrows are used to adjust the launch priority. Fork and tick are used to disable or enable the modes. Disabled modes are put at the bottom of the list with a gray font color. The Choose during Launch option is not enabled by default under the Manual mode. In this setting, while launching the bookmark, the first available mode in the configured list is run at once after auto-detection. After the Choose during Launch option is enabled, while launching the unified bookmark, if there are multiple modes available for the client, a menu is provided from which you can choose within a five second count-down. When only one mode is available, the bookmark is also run immediately.
If the Remember my choice option is selected during the launch time, the selected mode is remembered through a cookie.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
82
That means, when launching the bookmark thereafter, the remembered mode is run directly within two seconds. Clicking anywhere in the HTML can 'forget' the remembered mode so you can re-choose.
Editing or deleting the bookmark in the same browser can also reset the remembered mode. When no modes are able to run on the client with the configuration, the following notice appears.
· Optionally select HTTPS Mode to use HTTPS to securely access the Citrix Portal. · Select Always use specified Citrix ICA Server to explicitly specify the Citrix ICA Server Address for the
Citrix ICA Session. By default, the Bookmark uses the information provided in the ICA configuration on the Citrix server.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
83
Web Bookmarks
For HTTP(S) bookmarks, you can select Use SSL-VPN account credentials to log in or configure custom credentials for use with Single Sign-On. Select the Forms-based Authentication check box to use this method, and then fill in the following fields that are exposed:
· Configure the User Form Field to be the same as the `name' or `id' attribute of the HTML element representing User Name in the Login form, for example:
<input type=text name='userid'>
· Configure the Password Form Field to be the same as the `name' or `id' attribute of the HTML element representing Password in the Login form, for example:
<input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
For External Web Site bookmarks, select HTTPS Mode to encrypt Web communication with SSL. External Web Site bookmarks are used to access an offloaded Web site or portal using a bookmark. Select Disable security warning if you do not want a security warning dialog box to be displayed when a user clicks this bookmark. If left cleared, the warning dialog allows the user to select a "Do not show this warning again" option if the user has permissions to edit this bookmark (set above).
For more information about offloaded applications, see the Application Offloading section in the SonicWall Secure Mobile Access Administration documentation.
Mobile Connect Bookmarks
The Mobile Connect bookmark allows a custom bookmark to be defined for display in Mobile Connect after the user is connected. This bookmark is meant to support any third-party app, whether an in-house app or a public app in the App Store or Google Play. The bookmark also enables calling third-party apps that have defined a custom URL scheme, for example `comgoogleearth://' for Google Earth. The Mobile Connect bookmark is only available for edit from normal browsers and is intended for use only on mobile devices.
NOTE: The Mobile Connect bookmark might also be used for `http://' or `https://' URL schemes, however, SonicWall recommends using HTTP or HTTPS bookmarks for these schemes.
FTP Bookmarks
For FTP bookmarks, click Show advance server configuration to select the Character Encoding. You can also select Use SSL-VPN account credentials to log in or configure custom credentials for use with Single Sign-On. To disable the use of SSO, clear the Automatically log in check box.
SSHv2 Bookmarks
For SSHv2 bookmarks, you must have SUN JRE 1.6.0_10 or higher and must be connecting to a server that supports SSHv2. The Default Font Size option is configurable with the default value set as 15. The Automatically log in options let users select either Use SSL VPN account credentials or Use custom credentials.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
84
There are also options to Automatically accept host key, Display Bookmark in Mobile Connect clients which varies by platform and may require installation of a third-party app, Launch in Mobile Connect Secure Web Browser (requires Mobile Connect 5.0 or newer), and Allow Edit URL in Secure Web Browser (requires Mobile Connect 5.0 or newer).
Editing Bookmarks
You can change the IP address, domain name, or IPv6 address as well as the service and other settings associated with an existing bookmark.
NOTE: Only user-created Bookmarks can be edited or deleted by the user. Global or Group Bookmarks pre-defined by the Administrator cannot be edited or deleted.
To edit a bookmark to change its name or associated IP address:
1 Identify a bookmark in the Virtual Office Bookmarks list for which you want to change an IP address or domain name or other settings.
2 In the Virtual Office Bookmarks list, click the Configure icon for an existing bookmark. The Edit Bookmark dialog box displays.
3 To change the bookmark name, domain name or IP address of the bookmark, edit the names in the Bookmark Name or Name or IP Address fields.
4 To change the service, select a new Service from the drop-down menu. 5 Optionally change other settings specific to the Service type. 6 Optionally enable or disable the Automatically log in setting, or change the credentials selection. 7 Click ACCEPT. The Virtual Office home page displays with the new IP address or domain name.
Removing Bookmarks
To remove a bookmark:
1 Identify a bookmark in the Virtual Office Bookmarks list that you want to remove.
2 In the Virtual Office Bookmarks list, click the delete icon bookmark disappears from the list.
for the bookmark you want to remove. The
Using Bookmarks
The following sections describe how to use the various types of bookmarks: · Using Remote Desktop Bookmarks on page 86 · Using VNC Bookmarks on page 87 · Using Citrix Bookmarks on page 89 · Using Web Bookmarks on page 89 · Using Mobile Connect Bookmarks on page 90 · Using File Share Bookmarks on page 91
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
85
· Using FTP Bookmarks on page 92 · Using Telnet Bookmarks on page 94 · Using SSHv2 Bookmarks on page 95 · Global Bookmark Single Sign-On Options on page 96 · Per-Bookmark Single Sign-On Options on page 97
Using Remote Desktop Bookmarks
Remote Desktop Protocol (RDP) bookmarks enable you to establish remote connections with a specified desktop. Secure Mobile Access supports the RDP5 standard with HTML5. HTML5 is a Clientless browser-based method; Native client uses the SMA Connect Agent to invoke native RDP Client from the OS. If the HTML5 client application is RDP 6, it also supports:
· Dual monitors · Span monitors · Font smoothing · Desktop composition · Remote Application
NOTE: RDP bookmarks can use a port designation if the service is not running on the default port.
TIP: To terminate your remote desktop session, be sure to log off from the Terminal Server session. If you wish to suspend the Terminal Server session (so that it can be resumed later) you might simply close the remote desktop window.
To access a system with an RDP bookmark:
1 Click the RDP bookmark. Continue through any warning screens that display by clicking Yes or Ok. 2 Enter your username and password at the login screen and press Enter.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
86
3 The remote desktop loads in its own windows. You can now access all of the applications and files on the remote computer.
For information on configuring options for RDP bookmarks, see Web Bookmarks on page 84.
Using VNC Bookmarks
To use a VNC bookmark:
1 Click the VNC bookmark. The following window is displayed while the VNC client is loading. NOTE: VNC can have a port designation if the service is running on a different port.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
87
2 When the VNC client has loaded, you are prompted to enter your password in the VNC Authentication window.
3 VNC options must be configured by the administrator. Contact your administrator if you do not have permission to edit the bookmark options.
Below, VNC Options describes the options that the administrator can configure for VNC.
VNC Options
Option Encoding Compression Level
JPEG Image Quality
Default Tight Default
6
Description of Options
Hextile is a good choice for fast networks, while Tight is better suited for low-bandwidth connections.
Use specified compression level for Tight and Zlib encodings. Level 1 uses minimum of CPU time on the server but achieves weak compression ratios. Level 9 offers best compression but might be slow in terms of CPU time consumption on the server side. Use high levels with very slow network connections, and low levels when working over higher-speed networks. The Default value means that the server's default compression level should be used.
This cannot be modified.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
88
VNC Options (Continued)
Option Cursor Shape Updates
Default Enable
Remote Paste Keys Use CopyRect
Ctrl + V Yes
Restricted Colors
No
View Only
No
Share Desktop
Yes
Remote Copy
Yes
Display Bookmark in
No
Mobile Connect clients
Description of Options
Cursor shape updates is a protocol extension used to handle remote cursor movements locally on the client side, saving bandwidth and eliminating delays in mouse pointer movement. Note that current implementation of cursor shape updates does not allow a client to track mouse cursor position at the server side. This means that clients would not see mouse cursor movements if the mouse was moved either locally on the server, or by another remote VNC client.
Set this parameter to Disable if you always want to see real cursor position on the remote side. Setting this option to Ignore is similar to Enable but the remote cursor is not visible at all. This can be a reasonable setting if you don't care about cursor shape and don't want to see two mouse cursors, one above another.
Select remote paste shortcut key combinations. Options include setting this option to Alt + V, Ctrl + V, and Meta + V
CopyRect saves bandwidth and drawing time when parts of the remote screen are moving around. Most likely, you don't want to change this setting.
If set to No, then 24-bit color format is used to represent pixel data. If set to Yes, then only 8 bits are used to represent each pixel. 8-bit color format can save bandwidth, but colors might look very inaccurate.
If set to Yes, then all keyboard and mouse events in the desktop window is silently ignored and is not passed to the remote side.
If set to Yes, then the desktop can be shared between clients. If this option is set to No then an existing user session ends when a new user accesses the desktop.
If set to Yes, then the user can copy text between the VNC client and the server.
Select the Display Bookmark to Mobile Connect clients check box to enable bookmark viewing on Mobile Connect clients. Mobile Connect must be running version 2.0 or newer to view and access this bookmark.
Using Citrix Bookmarks
Citrix is a remote access, application sharing service, similar to RDP. It enables users to remotely access files and applications on a central computer over a secure connection. There are two types of Citrix bookmarks:
· Native · HTML5
Using Web Bookmarks
Web bookmarks are also known as HTTP or HTTPS bookmarks. HTTP & HTTPS Bookmarks have been tested and verified to support the following web applications:
· Microsoft Outlook Web Access 2013, Outlook Web Access 2010, and Outlook Web Access 2007 · Windows SharePoint 2007, and Windows SharePoint Services 3.0
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
89
NOTE: The client integrated features of SharePoint are not supported.
· Lotus Domino Web Access 8.0.1, 8.5.1 and 8.5.2 · Novell Groupwise Web Access 7.0 Other applications might work, but there might be problems accessing pages that are malformed, have advanced HTML features, use an unsupported authentication method (for example, Windows Integrated Authentication) and URLs that are embedded in Macromedia Flash or ActiveX. If a web application does not work with a HTTP or HTTPS Bookmark, contact your Administrator.
To use a web bookmark:
1 Click the HTTP or HTTPS bookmark. NOTE: HTTP bookmarks can have a port designation and a path.
2 A new window is launched in your default browser that connects to the domain name or IP address specified in the bookmark.
Using Mobile Connect Bookmarks
To use a Mobile Connect bookmark:
1 Click the Mobile Connect bookmark. 2 Enter the Bookmark Name and the Name or IP Address. The Name or IP Address field is the custom URL
scheme. 3 Click ACCEPT.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
90
After the Mobile Connect bookmark on the Secure Mobile Access is successfully configured, the bookmark displays on your mobile device:
Using File Share Bookmarks
For information on using File Share (CIFS) bookmarks, see Using HTML-based File Shares on page 68.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
91
Using FTP Bookmarks
FTP bookmarks can use a port designation if the service is not running on the default port.
To use an FTP bookmark:
1 Click the FTP bookmark. The FTP Session dialog box displays.
2 If the server name or IP address is not displayed, enter it in the Server Name/Address field.
3 Enter your username and password. If you want to use your Virtual Office username and password, simply leave the fields blank.
4 Optionally expand Show advanced server configuration and select the desired settings.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
92
5 Click OK. An FTP session displays.
6 Use the buttons across the top of the page to complete actions on the FTP site: · To reload the page, click Reload. · To add a file or folder, click Add. You can also drag and drop files onto the page. · To delete a file or folder, select it and then click Delete. · To rename a file or folder, select it and then click Rename. Edit the name and then click the green checkmark.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
93
· To upload a file, click Upload. Click Browse to locate the file and select it.
· To Download a file, click Download and then click the name of the file. If a File Download Security Warning displays, click Run to launch the file or click Save to save it to your computer.
· To initiate another FTP session, click Session. · To log out of the FTP session, click Logout. · To move between multiple FTP sessions, click FtpSessions.
Using Telnet Bookmarks
To use a Telnet bookmark:
1 Click the Telnet bookmark. Telnet bookmarks can use a port designation for servers not running on the default port.
2 Click OK to any warning messages that are displayed. 3 If the device you are Telnetting to is configured for authentication, enter your username and password in
the custom credentials fields.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
94
Using SSHv2 Bookmarks
SSHv2 bookmarks can use a port designation for servers not running on the default port.
To use an SSHv2 bookmark:
1 Click the SSHv2 bookmark. To Use custom credentials, type your user name and password in the Username and Password field and click OK.
2 A hostkey popup displays. Click Yes to accept and proceed with the login process. 3 Enter your password and click OK.
4 The SSH terminal launches in a new screen.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
95
Global Bookmark Single Sign-On Options
SSO settings are enabled only if the Administrator has configured user- controlled single sign-on (SSO).
To configure SSO bookmark options:
1 Click <user icon> at the upper-right corner of the Virtual Office homepage and click Settings.
2 Under Single Sign-On Settings, select Use SSL VPN account credentials to log in to bookmarks to enable SSO for bookmarks. Leave the box cleared if you do not want to use SSO for bookmarks.
3 Click Save to save your changes.
Fileshares are used to configure domain name of which the user is a member to supply to the backend server. HTTP, HTTPS, FTP, RDP supplies the username and password that were used to login. If the server is expecting a domain-prefixed username, SSO fails. In some cases, a default domain can be specified at the server to allow SSO to succeed.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
96
Per-Bookmark Single Sign-On Options
Secure Mobile Access supports per-bookmark single sign-on for the following bookmark services: · Terminal Services (RDP) · Web (HTTP) · Secure Web (HTTPS) · File Shares (CIFS) · File Transfer Protocol (FTP)
Per-Bookmark SSO allows users to enable or disable SSO for individual bookmarks. This flexibility in specifying login credentials is useful in the following cases:
· Users who use multiple accounts to access a variety of resources. · Users who use two-factor authentication to log in to the Secure Mobile Access Virtual Office, but use a
static password to access other resources. · Users who need to access servers that require a domain prefix.
To configure per-bookmark SSO:
1 Before enabling SSO on an individual bookmark, you must first enable SSO globally as described in Global Bookmark Single Sign-On Options on page 96.
2 On the Virtual Office page, click +.
3 Select one of the service types that supports per-bookmark SSO: Terminal Services (RDP), Secure Web (HTTPS), File Shares (CIFS), or File Transfer Protocol (FTP).
4 To disable SSO for the bookmark, clear the Automatically log in check box.
5 To use SSO for the bookmark, select the Automatically log in check box and then select one of the following radio buttons:
· Use SSL-VPN account credentials allow login to the bookmark using the local user credentials configured on the SMA appliance.
· Use custom credentials allow login to the bookmark using the credentials you enter here; when selected, this option displays Username, Password, and Domain fields. Enter the custom credentials into the Username, Password, and Domain fields that are displayed.
You can enter the custom credentials as text or use dynamic variables such as those shown in SSO Credentials: Dynamic Variables:
SSO Credentials: Dynamic Variables
Text Usage Login Name Domain Name Group Name
Variable %USERNAME% %USERDOMAIN% %USERGROUP%
Example Usage US\%USERNAME% %USERDOMAIN\%USERNAME% %USERGROUP%\%USERNAME%
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
97
6 For Web (HTTP) and Secure Web (HTTPS) bookmarks, select the Forms-based Authentication check box to use this method for SSO, and then fill in the following fields that are exposed:
· Configure the User Form Field to be the same as the `name' or `id' attribute of the HTML element representing User Name in the Login form, for example:
<input type=text name='userid'>
· Configure the Password Form Field to be the same as the `name' or `id' attribute of the HTML element representing Password in the Login form, for example:
<input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
7 Enter the User name and password for the service.
8 Click ACCEPT.
SonicWall Secure Mobile Access 10.0 User Guide Managing Bookmarks
98
· Warranty and License Agreements · SonicWall Support
Part 3
Appendixes
SonicWall Secure Mobile Access 10.0 User Guide Appendixes
99
A
Warranty and License Agreements
This appendix contains the following sections: · GNU General Public License (GPL) Source Code on page 100 · Limited Hardware Warranty on page 100 · End User License Agreement on page 101
GNU General Public License (GPL) Source Code
SonicWall provides a machine-readable copy of the GPL open source on a CD. To obtain a complete machine-readable copy, send your written request, along with a certified check or money order in the amount of US $25.00 payable to "SonicWall, Inc." to: General Public License Source Code Request SonicWall, Inc. Attn: Jennifer Anderson 1033 McCarthy Blvd Milpitas, CA 95035
Limited Hardware Warranty
All SonicWall appliances come with a 1-year Limited Hardware Warranty which provides delivery of critical replacement parts for defective parts under warranty. Visit the Warranty Information page for details on your product's warranty: https://support.sonicwall.com/essentials/support-offerings SonicWall, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWall), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWall and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWall's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWall's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWall's then-current Support Services policies. This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWall.
SonicWall Secure Mobile Access 10.0 User Guide Warranty and License Agreements
100
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWall or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
End User License Agreement
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT. BY DOWNLOADING, INSTALLING OR USING THIS PRODUCT, YOU ACCEPT AND AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. FOR DELIVERIES OUTSIDE THE UNITED STATES OF AMERICA, PLEASE GO TO HTTPS://WWW.SONICWALL.COM/LEGAL/EUPA.ASPX TO VIEW THE APPLICABLE VERSION OF THIS AGREEMENT FOR YOUR REGION. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT OR THE APPLICABLE VERSION OF THIS AGREEMENT FOR YOUR REGION, DO NOT DOWNLOAD, INSTALL OR USE THIS PRODUCT. This SonicWall End User Product Agreement (the "Agreement") is made between you, the Customer ("Customer" or "You") and the Provider, as defined below. 1.Definitions. Capitalized terms not defined in context shall have the meanings assigned to them below: (a)"Affiliate" means any legal entity controlling, controlled by, or under common control with a party to this Agreement, for so long as such control relationship exists. (b)"Appliance" means a computer hardware product upon which Software is pre-installed and delivered. (c)"Documentation" means the user manuals and documentation that Provider makes available for the Products, and all copies of the foregoing. (d) "Maintenance Services" means Provider's maintenance and support offering for the Products as identified in the Maintenance Services Section below. (e)"Partner" means the reseller or distributor that is under contract with Provider or another Partner and is authorized via such contract to resell the Products and/or Maintenance Services. (f)"Provider" means, (i) for the US, Europe, Middle East, Africa, Latin America, and Taiwan, SonicWall Inc., with its principal place of business located at 4 Polaris Way, Aliso Viejo, CA 92656 USA and (ii) for Asia (other than Taiwan) SonicWall International Ltd. City Gate Park Mahon, Cork, Ireland. (g)"Products" means the Software and Appliance(s) provided to Customer under this Agreement. (h)"Software" means the object code version of the software that is delivered on the Appliance and any other software that is later provided to Customer as well as any new versions and releases to such software that are made available to Customer pursuant to this Agreement, and all copies of the foregoing. 2.Software License. (a)General. Subject to the terms of this Agreement, Provider grants to Customer, and Customer accepts from Provider, a non-exclusive, non-transferable (except as otherwise set forth herein) and non-sublicensable license to access and use the quantities of each item of Software purchased from Provider or a Partner within the parameters of the license type ("License Type(s)") described below in the quantities purchased ("License"). Except for MSP Licenses (as defined below), Customer shall only use the Software to support the internal business operations of itself and its worldwide Affiliates. (b) License Types. The License Type for the Software initially delivered on the Appliance is "per Appliance." Software licensed per Appliance may be used only on the Appliance on which it is delivered, but without any other quantitative limitations. Software that is purchased on a subscription, or periodic basis is licensed by User or by Managed Node. A "User" is each person with a unique login identity to the Software. A "Managed Node" is any object managed by the Software including, but not limited to firewalls, devices, and other items sold by Provider. (c)Software as a Service. When Customer purchases a right to access and use Software installed on equipment operated by Provider or its suppliers (the "SaaS Software"), (i) the License for such SaaS Software shall be granted for the duration of the term stated in the order (the "SaaS Term"), as such SaaS Term may be extended by automatic or agreed upon renewals, and (ii) the terms set forth in the SaaS Provisions Section of this Agreement shall apply to all access to and use of such Software. If any item of Software to be installed on Customer's equipment is provided in connection with SaaS Software, the License duration for such Software shall be for the corresponding SaaS Term, and Customer shall promptly install any updates to such Software as may be provided by Provider.
SonicWall Secure Mobile Access 10.0 User Guide Warranty and License Agreements
101
(d)MSP License. "Management Services" include, without limitation, application, operating system, and database implementation, performance tuning, and maintenance services provided by Customer to its customers (each, a "Client") where Customer installs copies of the Software on its Clients' equipment or provides its Clients access to the Products. Customer shall be granted a License to use the Software and the associated Documentation to provide Management Services (the "MSP License"). Each MSP License is governed by the terms of this Agreement and any additional terms agreed to by the parties. If the Product is to be used by Customer as a managed service provider, then Customer shall ensure that (i) Customer makes no representations or warranties related to the Products in excess of SonicWall's representations or warranties contained in this Agreement, (ii) each Client only uses the Products and Documentation as part of the Management Services provided to it by Customer, (iii) such use is subject to the restrictions and limitations contained in this Agreement, including, but not limited to those in the Export Section of this Agreement, and (iv) each Client cooperates with Provider during any compliance review that may be conducted by Provider or its designated agent. At the conclusion of any Management Services engagement with a Client, Customer shall promptly remove any Appliance and Software installed on its Client's computer equipment or require the Client to do the same. Customer agrees that it shall be jointly and severally liable to Provider for the acts and omissions of its Clients in connection with their use of the Software and Documentation and shall, at its expense, defend Provider against any action, suit, or claim brought against Provider by a Client in connection with or related to Customer's Management Services and pay any final judgments or settlements as well as Provider's expenses in connection with such action, suit, or claim. (e)Evaluation/Beta License. If Software is obtained from Provider for evaluation purposes or in beta form, Customer shall be granted a License to use such Software and the associated Documentation solely for Customer's own non-production, internal evaluation purposes (an "Evaluation License"). Each Evaluation License shall be granted for an evaluation period of up to thirty (30) days beginning (i) five (5) days after the Appliance is shipped or (ii) from the date that access is granted to the beta Software or the SaaS Software, plus any extensions granted by Provider in writing (the "Evaluation Period"). There is no fee for an Evaluation License during the Evaluation Period, however, Customer is responsible for any applicable shipping charges or taxes which may be incurred, and any fees which may be associated with usage beyond the scope permitted herein. Beta Software licensed hereunder may include pre-release features and capabilities which may not be available in SonicWall's generally available commercial versions of the Software. SonicWall retains the right during the term of the Evaluation License to modify, revise, or remove SonicWall beta software from Customer's premises. Customer acknowledges that SonicWall owns all modifications, derivative works, changes, expansions or improvements to beta software, as well as all reports, testing data or results, feedback, benchmarking or other analysis completed in whole or in part in conjunction with usage of beta software. NOTWITHSTANDING ANYTHING OTHERWISE SET FORTH IN THIS AGREEMENT, CUSTOMER UNDERSTANDS AND AGREES THAT EVALUATION AND BETA SOFTWARE IS PROVIDED "AS IS," WHERE IS, WITH ALL FAULTS AND THAT SONICWALL DOES NOT PROVIDE A WARRANTY OR MAINTENANCE SERVICES FOR EVALUATION OR BETA LICENSES, AND SONICWALL BEARS NO LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES RESULTING FROM USE (OR ATTEMPTED USE) OF THE EVALUATION OR BETA SOFTWARE THROUGH AND AFTER THE EVALUATION PERIOD AND HAS NO DUTY TO PROVIDE SUPPORT TO CUSTOMER FOR SUCH SOFTWARE. BETA SOFTWARE MAY CONTAIN DEFECTS AND A PRIMARY PURPOSE OF LICENSING THE BETA SOFTWARE IS TO OBTAIN FEEDBACK ON THE BETA SOFTWARE'S PERFORMANCE AND THE IDENTIFICATION OF DEFECTS. CUSTOMER IS ADVISED TO SAFEGUARD IMPORTANT DATA, TO USE CAUTION AND NOT TO RELY IN ANY WAY ON THE CORRECT FUNCTIONING OR PERFORMANCE OF THE BETA SOFTWARE AND/OR ACCOMPANYING MATERIALS. (f)Use by Third Parties. Customer may allow its services vendors and contractors (each, a "Third Party User") to access and use the Products and Documentation provided to Customer hereunder solely for purposes of providing services to Customer, provided that Customer ensures that (i) the Third Party User's access to or use of the Products and Documentation is subject to the restrictions and limitations contained in this Agreement, including, but not limited to those in the Export Section, (ii) the Third Party User cooperates with Provider during any compliance review that may be conducted by Provider or its designated agent, and (iii) the Third Party Users promptly removes any Software installed on its computer equipment upon the completion of the Third Party's need to access or use the Products as permitted by this Section. Customer agrees that it shall be liable to Provider for those acts and omissions of its Third Party Users which, if done or not done by Customer, would be a breach of this Agreement. 3. Restrictions. Customer may not reverse engineer, decompile, disassemble, or attempt to discover or modify in any way the underlying source code of the Software, or any part thereof unless and to the extent (a) such restrictions are prohibited by applicable law and (b) Customer has requested interoperability information in writing from Provider and Provider has not provided such information in a timely manner. In addition, Customer may not (i) modify, translate, localize, adapt, rent, lease, loan, create or prepare derivative works of, or create a patent based on the Products, Documentation or any part thereof, (ii) resell, sublicense or distribute the Products or Documentation, (iii) provide, make available to, or permit use of the Products, in whole or in part, by any third party (except as expressly set forth herein), (iv) use the Products or Documentation to create or enhance a competitive offering or for any other purpose which is competitive to Provider, (v) remove Software that was delivered on an Appliance from the Appliance on which it was delivered and load such Software onto a different appliance without Provider's prior written consent, or (vi) perform or fail to perform any other act which would result in a misappropriation or infringement of Provider's intellectual property rights in the Products or Documentation. Each permitted copy of the Software and Documentation made by Customer hereunder must contain all titles, trademarks, copyrights and restricted rights notices as in the original. Customer understands and agrees that the Products may work in conjunction with third party products and Customer agrees to be responsible for ensuring that it is properly licensed to use such third party products. Notwithstanding anything otherwise set forth in this Agreement, the terms and restrictions set forth herein shall not prevent or restrict Customer from exercising additional or different rights to any open source software that may be contained in or provided with the Products in accordance with the applicable open source software licenses which shall be either included with the Products or made available to Customer upon request. Customer may not use any license keys or other license access devices not provided by Provider, including but not limited to "pirate keys," to install or access the Software. 4.Proprietary Rights. Customer understands and agrees that (i) the Products are protected by copyright and other intellectual property laws and treaties, (ii) Provider, its Affiliates and/or its licensors own the copyright, and other intellectual property rights in the Products, (iii) the Software is licensed, and not sold, (iv) this Agreement does not grant Customer any rights to Provider's trademarks or service marks, and (v) Provider reserves any and all rights, implied or otherwise, which are not expressly granted to Customer in this Agreement. 5. Title. Provider, its Affiliates and/or its licensors own the title to all Software. 6. Payment. Customer agrees to pay to Provider (or, if applicable, the Partner) the fees specified in each order, including any applicable shipping fees. Customer will be invoiced promptly following delivery of the Products or prior to the commencement of any Renewal Maintenance Period and Customer shall make all payments due to Provider in full within thirty (30) days from the date of each invoice or such other period (if any) stated in an order. Provider reserves the right to charge Customer a late penalty of 1.5% per month (or the maximum rate permitted by law, whichever is the lesser) for any amounts payable to Provider by Customer that are not subject to a good faith dispute and that remain unpaid after the due date until such amount is paid. 7.Taxes. The fees stated in an order from Provider or a Partner may not include taxes. If Provider is required to pay sales, use, property, value-added or other taxes based on the Products or Maintenance Services provided under this Agreement or on Customer's use of Products or Maintenance Services, then such taxes shall be billed to and paid by Customer. This Section does not apply to taxes based on Provider's or a Partner's income. 8. Termination. (a)This Agreement or the Licenses granted hereunder may be terminated (i) by mutual written agreement of Provider and Customer or (ii) by either party for a breach of this Agreement by the other party (or a Third Party User) that the breaching party fails to cure to the non-breaching party's reasonable satisfaction within thirty (30) days following its receipt of notice of the breach. Notwithstanding the foregoing, in the case of MSP Licenses, if Customer or its Client breaches this Agreement two (2) times in any twelve (12) consecutive month period, the breaching party shall not have a cure period for such breach and Provider may terminate this Agreement immediately upon providing written notice to the breaching party. (b)Upon termination of this Agreement or expiration or termination of a License for any reason, all rights granted to Customer for the applicable Software shall immediately cease and Customer shall immediately: (i) cease using the applicable Software and Documentation, (ii) remove all copies, installations, and instances of the applicable Software from all Appliances, Customer computers and any other devices on which the Software was installed, and ensure that all applicable Third Party Users and Clients do the same, (iii) return the applicable Software to Provider together with all Documentation and other materials associated with the Software and all copies of any of the
SonicWall Secure Mobile Access 10.0 User Guide Warranty and License Agreements
102
foregoing, or destroy such items, (iv) cease using the Maintenance Services associated with the applicable Software, (v) pay Provider or the applicable Partner all amounts due and payable up to the date of termination, and (vi) give Provider a written certification, within ten (10) days, that Customer, Third Party Users, and Clients, as applicable, have complied with all of the foregoing obligations. (c)Any provision of this Agreement that requires or contemplates execution after (i) termination of this Agreement, (ii) a termination or expiration of a License, or (iii) the expiration of a SaaS Term, is enforceable against the other party and their respective successors and assignees notwithstanding such termination or expiration, including, without limitation, the Restrictions, Payment, Taxes, Termination, Survival, Warranty Disclaimer, Infringement Indemnity, Limitation of Liability, Confidential Information, Compliance Verification, and General Sections of this Agreement. Termination of this Agreement or a License shall be without prejudice to any other remedies that the terminating party or a Partner may have under law, subject to the limitations and exclusions set forth in this Agreement. 9. Export. Customer acknowledges that the Products and Maintenance Services are subject to the export control laws, rules, regulations, restrictions and national security controls of the United States and other applicable foreign agencies (the "Export Controls") and agrees to abide by the Export Controls. Customer hereby agrees to use the Products and Maintenance Services in accordance with the Export Controls, and shall not export, re-export, sell, lease or otherwise transfer the Products or any copy, portion or direct product of the foregoing in violation of the Export Controls. Customer is solely responsible for obtaining all necessary licenses or authorizations relating to the export, re-export, sale, lease or transfer of the Products and for ensuring compliance with the requirements of such licenses or authorizations. Customer hereby (i) represents that Customer, and if Customer is providing services under the MSP License herein each of its Clients, is not an entity or person to which shipment of Products, or provision of Maintenance Services, is prohibited by the Export Controls; and (ii) agrees that it shall not export, re-export or otherwise transfer the Products to (a) any country subject to a United States trade embargo, (b) a national or resident of any country subject to a United States trade embargo, (c) any person or entity to which shipment of Products is prohibited by the Export Controls, or (d) anyone who is engaged in activities related to the design, development, production, or use of nuclear materials, nuclear facilities, nuclear weapons, missiles or chemical or biological weapons. Customer shall, at its expense, defend Provider and its Affiliates from any third party claim or action arising out of any inaccurate representation made by Customer regarding the existence of an export license, Customer's failure to provide information to Provider to obtain an export license, or any allegation made against Provider due to Customer's violation or alleged violation of the Export Controls (an "Export Claim") and shall pay any judgments or settlements reached in connection with the Export Claim as well as Provider's costs of responding to the Export Claim. 10. Maintenance Services. (a) Description. During any Maintenance Period, Provider shall: (i)Make available to Customer new versions and releases of the Software, if and when Provider makes them generally available without charge as part of Maintenance Services. (ii)Respond to communications from Customer that report Software failures not previously reported to Provider by Customer. Nothing in the foregoing shall operate to limit or restrict follow up communication by Customer regarding Software failures. (iii)Respond to requests from Customer's technical coordinators for assistance with the operational/technical aspects of the Software unrelated to a Software failure. Provider shall have the right to limit such responses if Provider reasonably determines that the volume of such non-error related requests for assistance is excessive or overly repetitive in nature. (iv)Provide access to Provider's software support web site at https://support.sonicwall.com (the "Support Site"). (v) For Customers that have purchased Maintenance Services continuously since the purchase of such License, provide the repair and return program described on the Support Site for the Appliance on which the Software is delivered. Maintenance Services are available during regional business support hours ("Business Hours") as indicated on the Support Site, unless Customer has purchased 24x7 Support. The list of Software for which 24x7 Support is available and/or required is listed in the Global Support Guide on the Support Site. The Maintenance Services for Software that Provider has obtained through an acquisition or merger may, for a period of time following the effective date of the acquisition or merger, be governed by terms other than those in this Section. The applicable different terms, if any, shall be stated on the Support Site. (b)Maintenance Period. The first period for which Customer is entitled to receive Maintenance Services begins on the date of the registration of the Product at Provider's registration portal (the "Registration") and ends twelve (12) months thereafter (the "Initial Maintenance Period"). Following the Initial Maintenance Period, Maintenance Services for the Product(s) may then be renewed for additional terms of twelve (12) or more months (each, a "Renewal Maintenance Period") For purposes of this Agreement, the Initial Maintenance Period and each Renewal Maintenance Period shall be considered a "Maintenance Period." For the avoidance of doubt, this Agreement shall apply to each Renewal Maintenance Period. Cancellation of Maintenance Services will not terminate Customer's rights to continue to otherwise use the Products. Maintenance fees shall be due in advance of each Renewal Maintenance Period and shall be subject to the payment requirements set forth in this Agreement. The procedure for reinstating Maintenance Services for the Products after it has lapsed is posted at https://support.sonicwall.com/essentials/support-guide. Maintenance Services are optional and only provided if purchased separately. For SaaS Software, the Maintenance Period is equal to the duration of the applicable SaaS Term. For non-perpetual Licenses or for non-perpetual MSP Licenses, the Maintenance Period is equal to the duration of the License. 11. Warranties and Remedies. (a)Software Warranties. Provider warrants that, during the applicable Warranty Period (as defined in subsection (c) below), (i) the operation of the Software, as provided by Provider, will substantially conform to its Documentation (the "Operational Warranty"); (ii) the Software, as provided by Provider, will not contain any viruses, worms, Trojan Horses, or other malicious or destructive code designed by Provider to allow unauthorized intrusion upon, disabling of, or erasure of the Software, except that the Software may contain a key limiting its use to the scope of the License granted, and license keys issued by Provider for temporary use are time-sensitive (the "Virus Warranty"); (iii)it will make commercially reasonable efforts to make the SaaS Software available twenty-four hours a day, seven days a week except for scheduled maintenance, the installation of updates, those factors that are beyond the reasonable control of Provider, Customer's failure to meet any minimum system requirements communicated to Customer by Provider, and any breach of this Agreement by Customer that impacts the availability of the SaaS Software (the "SaaS Availability Warranty"). (b)Appliance Warranties. Provider warrants that, during the applicable Warranty Period, the Appliance will operate in a manner which allows the SNWL Software, respectively, to be used in substantial conformance with the Documentation (the "Appliance Warranty"). (c)Warranty Periods. The "Warranty Period" for each of the above warranties (except for E-class appliances which do not include a Software warranty, shall be as follows: (i) for the Operational Warranty as it applies to Software and the Virus Warranty, ninety (90) days following the initial Registration of the Software; (ii) for the Operational Warranty as it applies to SaaS Software and the SaaS Availability Warranty, the duration of the SaaS Term; and (iv) for the Appliance Warranty, one (1) year following the date the Appliance is registered with Provider. (d)Remedies. Any breach of the foregoing warranties must be reported by Customer to Provider during the applicable Warranty Period. Customer's sole and exclusive remedy and Provider's sole obligation for any such breach shall be as follows: (i)For a breach of the Operational Warranty that impacts the use of Software, Provider shall correct or provide a workaround for reproducible errors in the Software that caused the breach within a reasonable time considering the severity of the error and its effect on Customer or, at Provider's option, refund the license fees paid for the nonconforming Software upon return of such Software to Provider and termination of the related License(s) hereunder. (ii)For a breach of the Operational Warranty that impacts the use of SaaS Software, Provider shall correct or provide a workaround for reproducible errors in the Software that caused the breach and provide a credit or refund of the fees allocable to the period during which the Software was not operating in substantial conformance with the applicable Documentation. (iii)For a breach of the Virus Warranty, Provider shall replace the Software with a copy that is in conformance with the Virus Warranty.
SonicWall Secure Mobile Access 10.0 User Guide Warranty and License Agreements
103
(v)For a breach of the SaaS Availability Warranty, Provider shall provide a credit or refund of the fees allocable to the period during which the SaaS Software was not available for use. (e)Warranty Exclusions. The warranties set forth in this Section shall not apply to any non-conformance (i) that Provider cannot recreate after exercising commercially reasonable efforts to attempt to do so; (ii) caused by misuse of the applicable Product or by using the Product in a manner that is inconsistent with this Agreement or the Documentation; or (iii) arising from the modification of the Product by anyone other than Provider. (f)Third Party Products. Certain Software may contain features designed to interoperate with third-party products. If the third-party product is no longer made available by the applicable provider, Provider may discontinue the related product feature. Provider shall notify Customer of any such discontinuation, however Customer will not be entitled to any refund, credit or other compensation as a result of the discontinuation. (g)Warranty Disclaimer. THE EXPRESS WARRANTIES AND REMEDIES SET FORTH IN THIS SECTION ARE THE ONLY WARRANTIES AND REMEDIES PROVIDED BY PROVIDER HEREUNDER. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ALL OTHER WARRANTIES OR REMEDIES ARE EXCLUDED, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, AND ANY WARRANTIES ARISING FROM USAGE OF TRADE OR COURSE OF DEALING OR PERFORMANCE. PROVIDER DOES NOT WARRANT UNINTERRUPTED OR ERROR-FREE OPERATION OF THE PRODUCTS. (h)High-Risk Disclaimer. CUSTOMER UNDERSTANDS AND AGREES THAT THE PRODUCTS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HIGH-RISK OR HAZARDOUS ENVIRONMENT, INCLUDING WITHOUT LIMITATION, THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION, AIR TRAFFIC CONTROL, LIFE SUPPORT MACHINES, WEAPONS SYSTEMS, OR ANY OTHER APPLICATION WHERE THE FAILURE OR MALFUNCTION OF ANY PRODUCT CAN REASONABLY BE EXPECTED TO RESULT IN DEATH, PERSONAL INJURY, SEVERE PROPERTY DAMAGE OR SEVERE ENVIRONMENTAL HARM (A "HIGH RISK ENVIRONMENT"). ACCORDINGLY, (I) CUSTOMER SHOULD NOT USE THE PRODUCTS IN A HIGH RISK ENVIRONMENT, (II) ANY USE OF THE PRODUCTS BY CUSTOMER IN A HIGH RISK ENVIRONMENT IS AT CUSTOMER'S OWN RISK, (III) PROVIDER, ITS AFFILIATES AND SUPPLIERS SHALL NOT BE LIABLE TO CUSTOMER IN ANY WAY FOR USE OF THE PRODUCTS IN A HIGH RISK ENVIRONMENT, AND (IV) PROVIDER MAKES NO WARRANTIES OR ASSURANCES, EXPRESS OR IMPLIED, REGARDING USE OF THE PRODUCTS IN A HIGH RISK ENVIRONMENT. 12.Infringement Indemnity. Provider shall indemnify Customer from and against any claim, suit, action, or proceeding brought against Customer by a third party to the extent it is based on an allegation that the Software directly infringes any patent, copyright, trademark, or other proprietary right enforceable in the country in which Provider has authorized Customer to use the Software, including, but not limited to the country to which the Software is delivered to Customer, or misappropriates a trade secret in such country (a "Claim"). Indemnification for a Claim shall consist of the following: Provider shall (a) defend or settle the Claim at its own expense, (b) pay any judgments finally awarded against Customer under a Claim or any amounts assessed against Customer in any settlements of a Claim, and (c) reimburse Customer for the reasonable administrative costs or expenses, including without limitation reasonable attorneys' fees, it necessarily incurs in responding to the Claim. Provider's obligations under this Infringement Indemnity Section are conditioned upon Customer (i) giving prompt written notice of the Claim to Provider, (ii) permitting Provider to retain sole control of the investigation, defense or settlement of the Claim, and (iii) providing Provider with cooperation and assistance as Provider may reasonably request in connection with the Claim. Provider shall have no obligation hereunder to defend Customer against any Claim (a) resulting from use of the Software other than as authorized by this Agreement, (b) resulting from a modification of the Software other than by Provider, (c) based on Customer's use of any release of the Software after Provider recommends discontinuation because of possible or actual infringement and has provided a non-infringing version at no charge, or (d) to the extent the Claim arises from or is based on the use of the Software with other products, services, or data not supplied by Provider if the infringement would not have occurred but for such use. If, as a result of a Claim or an injunction, Customer must stop using any Software ("Infringing Software"), Provider shall at its expense and option either (1) obtain for Customer the right to continue using the Infringing Software, (2) replace the Infringing Software with a functionally equivalent non-infringing product, (3) modify the Infringing Software so that it is non-infringing, or (4) terminate the License for the Infringing Software and (A) for non-SaaS Software, accept the return of the Infringing Software and refund the license fee paid for the Infringing Software, pro-rated over a sixty (60) month period from the date of initial delivery of such Software, or (B) for SaaS Software, discontinue Customer's right to access and use the Infringing Software and refund the unused pro-rated portion of any license fees pre-paid by Customer for such Software. This Section states Provider's entire liability and its sole and exclusive indemnification obligations with respect to a Claim and Infringing Software. 13.Limitation of Liability. EXCEPT FOR (A) ANY BREACH OF THE RESTRICTIONS OR CONFIDENTIAL INFORMATION SECTIONS OF THIS AGREEMENT, (B) AMOUNTS CONTAINED IN JUDGMENTS OR SETTLEMENTS WHICH PROVIDER OR CUSTOMER IS LIABLE TO PAY TO A THIRD PARTY UNDER THE INFRINGEMENT INDEMNITY SECTION OF THIS AGREEMENT AND CUSTOMER IS LIABLE TO PAY ON BEHALF OF OR TO PROVIDER UNDER THE CONDUCT, EXPORT, MSP LICENSE, AND USE BY THIRD PARTIES SECTIONS OF THIS AGREEMENT, OR (C) ANY LIABILITY TO THE EXTENT LIABILITY MAY NOT BE EXCLUDED OR LIMITED AS A MATTER OF APPLICABLE LAW, IN NO EVENT SHALL CUSTOMER OR ITS AFFILIATES, OR PROVIDER, ITS AFFILIATES OR SUPPLIERS BE LIABLE FOR (X) ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL LOSS OR DAMAGE OF ANY KIND OR (Y) LOSS OF REVENUE, LOSS OF ACTUAL OR ANTICIPATED PROFITS, LOSS OF BUSINESS, LOSS OF CONTRACTS, LOSS OF GOODWILL OR REPUTATION, LOSS OF ANTICIPATED SAVINGS, LOSS OF, DAMAGE TO OR CORRUPTION OF DATA, HOWSOEVER ARISING, WHETHER SUCH LOSS OR DAMAGE WAS FORESEEABLE OR IN THE CONTEMPLATION OF THE PARTIES AND WHETHER ARISING IN OR FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE. EXCEPT FOR (A) ANY BREACH OF THE SOFTWARE LICENSE, RESTRICTIONS, OR CONFIDENTIAL INFORMATION SECTIONS OF THIS AGREEMENT, OR ANY OTHER VIOLATION OF THE OTHER PARTY'S INTELLECTUAL PROPERTY RIGHTS; (B) PROVIDER'S EXPRESS OBLIGATIONS UNDER THE INFRINGEMENT INDEMNITY SECTION OF THIS AGREEMENT AND CUSTOMER'S EXPRESS OBLIGATIONS UNDER THE CONDUCT, EXPORT, MSP LICENSE, AND USE BY THIRD PARTIES SECTIONS OF THIS AGREEMENT, (C) PROVIDER'S COSTS OF COLLECTING DELINQUENT AMOUNTS WHICH ARE NOT THE SUBJECT OF A GOOD FAITH DISPUTE; (D) A PREVAILING PARTY'S LEGAL FEES PURSUANT TO THE LEGAL FEES SECTION OF THIS AGREEMENT; OR (E) ANY LIABILITY TO THE EXTENT LIABILITY MAY NOT BE EXCLUDED OR LIMITED AS A MATTER OF APPLICABLE LAW, THE MAXIMUM AGGREGATE AND CUMULATIVE LIABILITY OF CUSTOMER AND ITS AFFILIATES, AND PROVIDER, ITS AFFILIATES AND SUPPLIERS, FOR DAMAGES UNDER THIS AGREEMENT, WHETHER ARISING IN OR FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, SHALL BE AN AMOUNT EQUAL TO (Y) THE GREATER OF THE FEES PAID AND/OR OWED (AS APPLICABLE) BY CUSTOMER OR ITS AFFILIATES FOR THE PRODUCTS THAT ARE THE SUBJECT OF THE BREACH OR FIVE HUNDRED DOLLARS ($500.00),EXCEPT FOR (Z) MAINTENANCE SERVICES OR A PRODUCT SUBJECT TO RECURRING FEES, FOR WHICH THE MAXIMUM AGGREGATE AND CUMULATIVE LIABILITY SHALL BE THE GREATER OF THE AMOUNT PAID AND/OR OWED (AS APPLICABLE) FOR SUCH MAINTENANCE SERVICE OR PRODUCT DURING THE TWELVE (12) MONTHS PRECEDING THE BREACH OR FIVE HUNDRED DOLLARS ($500.00). THE PARTIES AGREE THAT THESE LIMITATIONS OF LIABILITY ARE AGREED ALLOCATIONS OF RISK CONSTITUTING IN PART THE CONSIDERATION FOR PROVIDER PROVIDING PRODUCTS AND SERVICES TO CUSTOMER, AND SUCH LIMITATIONS WILL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY AND EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LIABILITIES OR FAILURES. Provider's Affiliates and suppliers and Customer's Affiliates shall be beneficiaries of this Limitation of Liability Section and Customer's Clients and Third Party Users are entitled to the rights granted under the MSP License and Use by Third Parties Sections of this Agreement; otherwise, no third party beneficiaries exist under this Agreement. Provider expressly excludes any and all liability to Third Party Users, Clients and to any other third party. 14.Confidential Information. (a)Definition. "Confidential Information" means information or materials disclosed by one party (the "Disclosing Party") to the other party (the "Receiving Party") that are not generally available to the public and which, due to their character and nature, a reasonable person under like circumstances would treat as confidential, including, without limitation, financial, marketing, and pricing information, trade secrets, know-how, proprietary tools, knowledge and methodologies, the Software (in source code and/or object code form), information or benchmark test results regarding the functionality and performance of the Software, any Software license keys provided to Customer, and the terms and conditions of this Agreement. Confidential Information shall not include information or materials that (i) are generally known to the public, other than as a result of an unpermitted disclosure by the Receiving Party after the date that Customer accepts the Agreement (the "Effective Date"); (ii) were known to the Receiving Party without an obligation of confidentiality prior to receipt from the Disclosing Party; (iii) the Receiving Party lawfully
SonicWall Secure Mobile Access 10.0 User Guide Warranty and License Agreements
104
received from a third party without that third party's breach of agreement or obligation of trust; (iv) are protected by Provider in accordance with its obligations under the Protected Data Section below, or (v) are or were independently developed by the Receiving Party without access to or use of the Disclosing Party's Confidential Information. (b)Obligations. The Receiving Party shall (i) not disclose the Disclosing Party's Confidential Information to any third party, except as permitted in subsection (c) below and (ii) protect the Disclosing Party's Confidential Information from unauthorized use or disclosure by exercising at least the same degree of care it uses to protect its own similar information, but in no event less than a reasonable degree of care. The Receiving Party shall promptly notify the Disclosing Party of any known unauthorized use or disclosure of the Disclosing Party's Confidential Information and will cooperate with the Disclosing Party in any litigation brought by the Disclosing Party against third parties to protect its proprietary rights. For the avoidance of doubt, this Section shall apply to all disclosures of the parties' Confidential Information as of the Effective Date, whether or not specifically arising from a party's performance under this Agreement. (c)Permitted Disclosures. Notwithstanding the foregoing, the Receiving Party may disclose the Disclosing Party's Confidential Information without the Disclosing Party's prior written consent to any of its Affiliates, directors, officers, employees, consultants, contractors or representatives (collectively, the "Representatives"), but only to those Representatives that (i) have a "need to know" in order to carry out the purposes of this Agreement or to provide professional advice in connection with this Agreement, (ii) are legally bound to the Receiving Party to protect information such as the Confidential Information under terms at least as restrictive as those provided herein, and (iii) have been informed by the Receiving Party of the confidential nature of the Confidential Information and the requirements regarding restrictions on disclosure and use as set forth in this Section. The Receiving Party shall be liable to the Disclosing Party for the acts or omissions of any Representatives to which it discloses Confidential Information which, if done by the Receiving Party, would be a breach of this Agreement. Additionally, it shall not be a breach of this Section for the Receiving Party to disclose the Disclosing Party's Confidential Information as may be required by operation of law or legal process, provided that the Receiving Party provides prior notice of such disclosure to the Disclosing Party unless expressly prohibited from doing so by a court, arbitration panel or other legal authority of competent jurisdiction. 15.Protected Data. For purposes of this Section, "Protected Data" means any information or data that is provided by Customer to Provider during this Agreement that alone or together with any other information relates to an identified or identifiable natural person or data considered to be personal data as defined under Privacy Laws, and "Privacy Laws" means any applicable law, statute, directive or regulation regarding privacy, data protection, information security obligations and/or the processing of Protected Data. Except as permitted herein or to the extent required by Privacy Laws or legal process, Provider shall implement reasonable technical and organizational measures to prevent unauthorized disclosure of or access to Protected Data by third parties, and shall only store and process Protected Data as may be required to fulfill its obligations under this Agreement. If Provider complies with Customer's written instructions with respect to the Protected Data, Provider shall have no liability to Customer for any breach of this Section resulting from such compliance. Provider shall promptly notify Customer of any disclosure of or access to the Protected Data by a third party in breach of this Section and shall cooperate with Customer to reasonably remediate the effects of such disclosure or access. Provider further affirms to Customer that it has adequate agreements in place incorporating the EU standard contractual clauses for the transfer of Protected Data from the European Union ("EU") to a country outside the EU. Customer hereby (i) represents that it has the right to send the Protected Data to Provider, (ii) consents for Provider to store and use the Protected Data worldwide for the sole purpose of performing its obligations under this Agreement, (iii) agrees that the Protected Data may be accessed and used by Provider and its Representatives worldwide as may be needed to support Provider's standard business operations, and (iv) agrees that Protected Data consisting of Customer contact information (e.g., email addresses, names) provided as part of Maintenance Services may be sent to Provider's third party service providers as part of Provider's services improvement processes. 16.Compliance Verification. Customer agrees to maintain and use systems and procedures to accurately track, document, and report its installations, acquisitions and usage of the Software. Such systems and procedures shall be sufficient to determine if Customer's deployment of the Software or, if applicable, use of the SaaS Software is within the quantities, terms, and maintenance releases to which it is entitled. Provider or its designated auditing agent shall have the right to audit Customer's deployment of the Software or, if applicable, use of the SaaS Software for compliance with the terms and conditions of this Agreement. Any such audits shall be scheduled at least ten (10) days in advance and shall be conducted during normal business hours at Customer's facilities. Customer shall provide its full cooperation and assistance with such audit and provide access to the applicable records and computers. Without limiting the generality of the foregoing, as part of the audit, Provider may request, and Customer agrees to provide, a written report, signed by an authorized representative, listing Customer's then current deployment of the Software and/or the number of individuals that have accessed and used SaaS Software. If Customer's deployment of the Software or, if applicable, use of the SaaS Software is found to be greater than its purchased entitlement to such Software, Customer will be invoiced for the over-deployed quantities at Provider's then current list price plus the applicable Maintenance Services and applicable over-deployment fees. All such amounts shall be payable in accordance with this Agreement. Additionally, if the unpaid fees exceed five percent (5%) of the fees paid for the applicable Software, then Customer shall also pay Provider's reasonable costs of conducting the audit. The requirements of this Section shall survive for two (2) years following the termination of the last License governed by this Agreement. 17.SaaS Provisions. (a)Data. Customer may store data on the systems to which it is provided access in connection with its use of the SaaS Software (the "SaaS Environment"). Provider may periodically make back-up copies of Customer data, however, such back-ups are not intended to replace Customer's obligation to maintain regular data backups or redundant data archives. Customer is solely responsible for collecting, inputting and updating all Customer data stored in the SaaS Environment, and for ensuring that it does not (i) knowingly create and store data that actually or potentially infringes or misappropriates the copyright, trade secret, trademark or other intellectual property right of any third party, or (ii) use the SaaS Environment for purposes that would reasonably be seen as obscene, defamatory, harassing, offensive or malicious. Provider shall have the right to delete all Customer data stored in connection with the use of the SaaS Software thirty (30) days following any termination of this Agreement or any License to SaaS Software granted hereunder. Customer represents and warrants that it has obtained all rights, permissions and consents necessary to use and transfer all Customer and/or third party data within and outside of the country in which Customer or the applicable Customer Affiliate is located (including providing adequate disclosures and obtaining legally sufficient consents from Customer's employees, customers, agents, and contractors). If Customer transmits data to a third-party website or other provider that is linked to or made accessible by the SaaS Software, Customer will be deemed to have given its consent to Provider enabling such transmission and Provider shall have no liability to Customer in connection with any claims by a third party in connection with such transmission. (b)Conduct. In connection with the use of SaaS Software, Customer may not (i) attempt to use or gain unauthorized access to Provider's or to any third-party's networks or equipment; (ii) permit other individuals or entities to copy the SaaS Software; (iii) provide unauthorized access to or use of any SaaS Software or the associated access credentials; (iv) attempt to probe, scan or test the vulnerability of the SaaS Software, the SaaS Environment, or a system, account or network of Provider or any of Provider's customers or suppliers; (v) interfere or attempt to interfere with service to any user, host or network; (vi) engage in fraudulent, offensive or illegal activity of any nature or intentionally engage in any activity that infringes the intellectual property rights or privacy rights of any individual or third party; (vii) transmit unsolicited bulk or commercial messages; (viii) intentionally distribute worms, Trojan horses, viruses, corrupted files or any similar items; (ix) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the SaaS Software (except for tools with safety and security functions); or (x) restrict, inhibit, interfere with or otherwise disrupt or cause a performance degradation to any Provider (or Provider supplier) facilities used to provide the SaaS Environment. Customer shall cooperate with Provider's reasonable investigation of SaaS Environment outages, security issues, and any suspected breach of this Section, and shall, at its expense, defend Provider and its Affiliates from any claim, suit, or action by a third party (a "Third Party Claim") alleging harm to such third party caused by Customer's breach of any of the provisions of this Section. Additionally, Customer shall pay any judgments or settlements reached in connection with the Third Party Claim as well as Provider's costs of responding to the Third Party Claim. (c)Suspension. Provider may suspend Customer's use of SaaS Software (a) if so required by law enforcement or legal process, (b) in the event of an imminent security risk to Provider or its customers, or (c) if continued use would subject Provider to material liability. Provider shall make commercially reasonable efforts under the circumstances to provide prior notice to Customer of any such suspension.
SonicWall Secure Mobile Access 10.0 User Guide Warranty and License Agreements
105
18.General. (a)Governing Law and Venue. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without giving effect to any conflict of laws principles that would require the application of laws of a different state. Any action seeking enforcement of this Agreement or any provision hereof shall be brought exclusively in the state or federal courts located in the Santa Clara County, California. Each party hereby agrees to submit to the jurisdiction of such courts. The parties agree that neither the United Nations Convention on Contracts for the International Sale of Goods, nor the Uniform Computer Information Transaction Act (UCITA) shall apply to this Agreement, regardless of the states in which the parties do business or are incorporated. (b)Assignment. Except as otherwise set forth herein, Customer shall not, in whole or part, assign or transfer any part of this Agreement, the Licenses granted under this Agreement or any other rights, interest or obligations hereunder, whether voluntarily, by contract, by operation of law or by merger (whether that party is the surviving or disappearing entity), stock or asset sale, consolidation, dissolution, through government action or order, or otherwise without the prior written consent of Provider. Any attempted transfer or assignment by Customer that is not permitted by this Agreement shall be null and void. (c)Severability. If any provision of this Agreement shall be held by a court of competent jurisdiction to be contrary to law, such provision will be enforced to the maximum extent permissible by law to effect the intent of the parties and the remaining provisions of this Agreement will remain in full force and effect. Notwithstanding the foregoing, the terms of this Agreement that limit, disclaim, or exclude warranties, remedies or damages are intended by the parties to be independent and remain in effect despite the failure or unenforceability of an agreed remedy. The parties have relied on the limitations and exclusions set forth in this Agreement in determining whether to enter into it. (d)Use by U.S. Government. The Software is a "commercial item" under FAR 12.201. Consistent with FAR section 12.212 and DFARS section 227.7202, any use, modification, reproduction, release, performance, display, disclosure or distribution of the Software or Documentation by the U.S. government is prohibited except as expressly permitted by the terms of this Agreement. In addition, when Customer is a U.S. government entity, the language in Subsection (ii) of the Infringement Indemnity Section of this Agreement and the Injunctive Relief Section of this Agreement shall not be applicable. (e)Notices. All notices provided hereunder shall be in writing and may be delivered by email, in the case of Provider to legal@sonicwall.com and in the case of Customer to the email address Provider has on file for Customer. All notices, requests, demands or communications shall be deemed effective upon delivery in accordance with this paragraph. (f)Disclosure of Customer Status. Provider may include Customer in its listing of customers and, upon written consent by Customer, announce Customer's selection of Provider in its marketing communications. (g)Waiver. Performance of any obligation required by a party hereunder may be waived only by a written waiver signed by an authorized representative of the other party, which waiver shall be effective only with respect to the specific obligation described therein. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. (h)Injunctive Relief. Each party acknowledges and agrees that in the event of a material breach of this Agreement, including but not limited to a breach of the Software License, Restrictions or Confidential Information Sections of this Agreement, the non-breaching party shall be entitled to seek immediate injunctive relief, without limiting its other rights and remedies. (i)Force Majeure. Each party will be excused from performance for any period during which, and to the extent that, it is prevented from performing any obligation or service as a result of causes beyond its reasonable control, and without its fault or negligence, including without limitation, acts of God, strikes, lockouts, riots, acts of war, epidemics, communication line failures, and power failures. For added certainty, this Section shall not operate to change, delete, or modify any of the parties' obligations under this Agreement (e.g., payment), but rather only to excuse a delay in the performance of such obligations. (j)Equal Opportunity. Provider is a federal contractor and Affirmative Action employer (M/F/D/V) as required by the Equal Opportunity clause C.F.R. § 60-741.5(a). (k)Headings. Headings in this Agreement are for convenience only and do not affect the meaning or interpretation of this Agreement. This Agreement will not be construed either in favor of or against one party or the other, but rather in accordance with its fair meaning. When the term "including" is used in this Agreement it will be construed in each case to mean "including, but not limited to." (l) Legal Fees. If any legal action is brought to enforce any rights or obligations under this Agreement, the prevailing party shall be entitled to recover its reasonable attorneys' fees, court costs and other collection expenses, in addition to any other relief it may be awarded. (m)Entire Agreement. This Agreement is intended by the parties as a final expression of their agreement with respect to the subject matter thereof and may not be contradicted by evidence of any prior or contemporaneous agreement unless such agreement is signed by both parties. In the absence of such an agreement, this Agreement shall constitute the complete and exclusive statement of the terms and conditions and no extrinsic evidence whatsoever may be introduced in any proceeding that may involve the Agreement. Each party acknowledges that in entering into the Agreement it has not relied on, and shall have no right or remedy in respect of, any statement, representation, assurance or warranty (whether made negligently or innocently) other than as expressly set out in the Agreement. In those jurisdictions where an original (non-faxed, non-electronic, or non-scanned) copy of an agreement or an original (non-electronic) signature on agreements such as this Agreement is required by law or regulation, the parties hereby agree that, notwithstanding any such law or regulation, a faxed, electronic, or scanned copy of and a certified electronic signature on this Agreement shall be sufficient to create an enforceable and valid agreement. This Agreement, may only be modified or amended t by a writing executed by a duly authorized representative of each party. No other act, document, usage or custom shall be deemed to amend or modify this Agreement.
SonicWall Secure Mobile Access 10.0 User Guide Warranty and License Agreements
106
B
SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support. The Support Portal enables you to:
· View knowledge base articles and technical documentation · View video tutorials · Access MySonicWall · Learn about SonicWall professional services · Review SonicWall Support services and warranty information · Register for training and certification · Request technical support or customer service To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.
SonicWall Secure Mobile Access 10.0 User Guide SonicWall Support
107
About This Document
Legend
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
SMA User Guide Updated - July 2019 Software Version - 10.0 232-004891-00 Rev B
Copyright © 2019 SonicWall Inc. All rights reserved.
SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners The information in this document is provided in connection with SonicWall Inc. and/or its affiliates' products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document. For more information, visit https://www.sonicwall.com/legal. End User Product Agreement To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements. Open Source Code SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to "SonicWall Inc.", to:
General Public License Source Code Request SonicWall Inc. Attn: Jennifer Anderson 1033 McCarthy Blvd Milpitas, CA 95035
SonicWall Secure Mobile Access 10.0 User Guide SonicWall Support
108
Acrobat Elements 15.0 (Windows)