SonicWALL Aventail E-Class SRA EX-Series v10.0.2
Available download: SonicWALL Aventail E-Class SRA EX-Series v10.0.2 - Upgrade Guide (English), size: 80 KB
Documents

Preparing for the Installation
Before beginning the installation, you need to gather information about your networking environment and verify that your firewalls are properly configured to permit traffic to and from the appliance.
Gathering Information
Before configuring the appliance, you need to gather the following information. You are prompted for some of this information when running Setup Wizard (see Web-Based Configuration Using Setup Wizard on page 32) or Setup Tool (see Configuring a New Appliance Using Setup Tool on page 400), but most of it will be used when you configure the appliance in AMC (see Network and Authentication Configuration on page 55). If you are installing a cluster, you need some additional information. See Installing and Configuring a Cluster on page 390 and Configuring a High-Capacity Cluster on page 453.
Settings required in order to start Aventail Management Console:
- The root password for administering the appliance
- The name for the appliance (because this name is used only in log files, you don't need to add it to DNS)
- The internal IP address and, optionally, an external IP address
- The routing mode, and the IP addresses of the network gateways to the Internet and to your corporate network
Certificate information. Several pieces of information are used to generate the server and AMC certificates:
- A fully qualified domain name (FQDN) for the appliance and for any WorkPlace sites that use a unique name. These names should be added to your public DNS; they are also visible to users when they connect to Web-based resources.
- An FQDN for the Aventail Management Console (AMC) server. The AMC server name is used to access AMC, which is a Web-based tool for administering the appliance.
Name lookup information:
- The internal DNS domain name of the network to which the appliance is connected
- The primary internal DNS server address (additional DNS servers are optional)
- The IP address of an internal WINS server and the name of your Windows domain (required to browse files on a Windows network using WorkPlace, but otherwise optional)
Authentication information:
- The server name and login information for your authentication servers (LDAP, Active Directory, or RADIUS)
Configuring Local User Storage
You can create local user accounts in AMC and then map them to a local authentication repository. The appliance checks username and password credentials against users stored locally in /etc/passwd. For information on creating local user accounts, see Managing Local User Accounts on page 191. Local user authentication is intended for testing purposes and is not recommended in a production environment. Only one local user store can be created on the appliance.
To configure local user authentication:
1. From the main navigation menu in AMC, click Authentication Servers, and then click New.
2. Under Local user storage, click Local users (if a local store already exists, this option is dimmed).
4. In the Name box, type a name for the authentication server.
5. To change the prompts and other text that Windows users see when they log in, select the Customize authentication server prompts check box. The page title, message, and login prompts can all be customized. For example, if an employee ID number is used to identify a user, you could change the text for the Identity prompt from Username: to Employee ID:. Because this configuration is normally used for testing, a customized Message could point to test procedures or other instructions.
6. Click Save.
Testing LDAP and AD Authentication Configurations
To help you validate your authentication configuration settings, the AMC pages used to configure Microsoft Active Directory and LDAP servers include a Test Connection button. Clicking this button establishes a connection with your external user repository and provides status information.
If you have correctly configured the appliance, a message reading Valid connection! appears. If there is an error in the configuration settings, the message provides a description of the problem.
Notes: The test connection feature is intended only for testing whether the appliance can bind to an external directory. If you enter login credentials, the appliance will use them; otherwise it attempts to bind to the directory anonymously. Because it does not actually search the directory, testing a connection will not validate that your login credentials provide access to the configured domain: a successful test proves reachability and (if credentials were entered) that the bind succeeded, not that the account can read the users and groups you intend to reference.
Configuring Chained Authentication
For increased security, you can require users to authenticate to a single realm using two different authentication methods. For example, you could set up RADIUS or a digital certificate as the first authentication method, and LDAP or Active Directory as the second one. You can require that the user names are the same on the primary and secondary authentication servers. To make the login experience for your users a one-step process, you can configure AMC so that users see only one set of prompts.
To configure chained authentication:
1. From the main navigation menu in AMC, click Realms.
2. Click the name of the realm you want to modify, or click New and then select an entry in the Authentication server drop-down list. This is your primary authentication server. If one of your credential types for chained authentication is a digital certificate, the corresponding authentication server must be the primary one: you can't configure a PKI server as your secondary authentication server.
3. Click Advanced, and then select a Secondary authentication server (if none is defined, click New; see Configuring Authentication Servers on page 81 for the steps involved in setting up an authentication server).
4. The remaining (optional) settings can provide more security, help with troubleshooting, and simplify the login process:
- Audit username from this server: Show the username from the secondary server in the audit and accounting logs (instead of the username from the primary authentication server).
The SonicWALL appliance provides access to a wide variety of corporate resources, which fall into three categories: Web, client/server, and file share resources.
Built-In Resources
There are several resources that are built into your appliance to help you get a WorkPlace portal set up quickly. These built-in resources cannot be deleted; access to some of them is granted through WorkPlace shortcuts:
Aventail WorkPlace (Resource Type: URL)
The WorkPlace portal gives users access to Web-based resources. This particular resource is used by another built-in item, which you can modify: an access permit all rule that allows any user from any zone to have access to the default WorkPlace portal. Value: http://127.0.0.1:8085/workplace/
Connect Tunnel (Resource Type: URL)
Connect Tunnel is an application that provides broad access to network resources. You determine how users access the Connect Tunnel client:
- Allow users to download the Connect Tunnel client and activate it from a link (shortcut) in WorkPlace. Keep in mind that when you give users access to this resource, you allow them to both install and use the client: a user without access to this resource cannot use Connect Tunnel for access to network resources. The WorkPlace shortcut for this resource (Install Connect Tunnel) can be modified or deleted; the resource itself cannot.
- Deploy the Connect Tunnel client setup package without requiring users to log in to Aventail WorkPlace.
Value: http://127.0.0.1:8085/ctdownload/
Network Explorer (Resource Type: Network Share)
Network Explorer is a Web-based extension, accessible from WorkPlace, that provides access to any Windows file system resources that the user has permission to use (even from desktop browsers on non-Windows platforms). These resources can include servers, computers, workgroups, folders, and files. The WorkPlace shortcut for this resource (Network Explorer) can be modified or deleted; the resource itself cannot. Value: smb://127.0.0.1/networkexplorer/
Web Resources
Web resources include Web-based applications or services that are accessed using HTTP or HTTPS. Examples include Microsoft Outlook Web Access and other Web-based email programs, Web portals, corporate intranets, and standard Web servers. Web traffic is proxied through the Web proxy service, a secure gateway through which users can access private Web resources from the Internet. When you define a Web resource as a destination in an access control rule, make sure that Web browser is among the client software agents available for the rule. For more information, see Resolving Invalid Destination Resources on page 157.
A Web resource can be defined in various ways:
- Standard URL: http://host.example.com/index.html
- Standard URL with port number: http://host.example.com:8445/index.html
- URL for a secure site: https://host.example.com/index.html
- URL containing an IP address: http://192.0.34.0/index.html
- Matching URL: use wildcards to refer to a group of Web resources, for example http://mailserver*.company.com/
- URL with path and query string matching: block email attachments, or prevent a Web-based application from displaying restricted data, by matching a path element or query string value to a particular URL, for example http://www.patient-records.com/reports.aspx?last_name=
Notes: Some Web-based applications use Java applets or other browser extensions that use protocols other than HTTP. Although these applications are accessed using a Web browser, they must be defined as client/server resources (not Web resources), and they must be accessed using either a network tunnel client or the client/server proxy agent. Examples of such applications include Citrix NFuse, Oracle J-Initiator, and certain versions of SAP and PeopleSoft.
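The URL forms in the list above map naturally onto a small matcher, and seeing one run makes the ordering question concrete: a deny rule for the query-string form has to sit before the broader permit for the same site, or it never fires. The following is an added example and not the appliance's Web proxy code. Its matching rules (a '*' in the host matches any characters, a definition that ends in '/' covers everything beneath that path, a query key with no value such as last_name= matches any value for that key, case-insensitive scheme and host, default ports 80/443), the first-match evaluation order and the sample rule list are all assumptions made for the example rather than documented AMC behaviour.

```python
"""Matcher for Web resource definitions of the kinds listed above.

Added example, not the appliance's own code. Matching semantics and the
sample policy are this example's assumptions.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, parse_qsl

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split a URL into comparable pieces: scheme, host, port, path, query."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(),
            p.port or DEFAULT_PORTS.get(scheme),
            p.path or "/", p.query)


def matches(pattern, url):
    """True if `url` falls under the resource definition `pattern`."""
    ps, ph, pp, ppath, pq = _parts(pattern)
    us, uh, up, upath, uq = _parts(url)
    if ps != us or pp != up:          # scheme and port must agree exactly
        return False
    if not fnmatchcase(uh, ph):       # '*' in the defined host is a wildcard
        return False
    if ppath.endswith("/"):           # directory-style definition: prefix match
        if not upath.startswith(ppath):
            return False
    elif upath != ppath:              # file-style definition: exact match
        return False
    if pq:
        # Every key in the definition must be present in the request; a key
        # given without a value (last_name=) matches any value for that key.
        want = dict(parse_qsl(pq, keep_blank_values=True))
        have = dict(parse_qsl(uq, keep_blank_values=True))
        for key, value in want.items():
            if key not in have or (value and have[key] != value):
                return False
    return True


def evaluate(rules, url):
    """Walk an ordered list of (definition, action); first match wins.
    Anything that matches no rule is denied."""
    for pattern, action in rules:
        if matches(pattern, url):
            return action
    return "deny"


# Constructed sample policy: the most specific rule first, so the report
# page with a query string is blocked while the rest of the site is allowed.
RULES = [
    ("http://www.patient-records.com/reports.aspx?last_name=", "deny"),
    ("http://www.patient-records.com/", "permit"),
    ("http://mailserver*.company.com/", "permit"),
    ("https://host.example.com/index.html", "permit"),
]

if __name__ == "__main__":
    for u in ("http://www.patient-records.com/reports.aspx?last_name=smith",
              "http://www.patient-records.com/reports.aspx",
              "http://mailserver2.company.com/owa/",
              "http://mailserver.evil.com/"):
        print(u, "->", evaluate(RULES, u))
```

Swap the first two rules and the query-string deny becomes unreachable, which is the usual way such a rule silently stops working. A production proxy would also normalize the path (dot segments, percent-encoding) before comparing; this example compares the path as given.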
Resources in this list can also contain variables; see Using Variables in Resource and WorkPlace Shortcut Definitions on page 130 for more information.
4. Click OK after each addition to the Exclusion list.
5. Click Save.
Notes:
- To see which resources are configured to be redirected through the appliance, click the Show network redirection list link. This displays the Redirection List page.
- To delete a resource from the exclusion list, select its check box and then click Delete.
- If you exclude a resource by specifying its fully qualified domain name (FQDN), users who connect to WorkPlace from a realm that provides access using translated Web mode can still access the resource if they type its unqualified domain name in the WorkPlace Intranet Address box.
CAUTION If you create a Domain resource in AMC (for example, win.yourcompany.com), and you exclude a resource from that domain using its IP address (10.20.30.40), the resource can still be accessed using its FQDN (server.win.yourcompany.com). This note of caution applies only to agents that use the Web proxy service, not the tunnel clients.
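The two notes above (an FQDN exclusion bypassed by the unqualified name, and an IP exclusion bypassed by the FQDN) are the same defect seen twice: the exclusion list compares the destination as typed, not the host it resolves to. The following added example models that, and contrasts it with a variant that compares all forms of a host; it is not the appliance's code. The DNS map, the search suffix win.yourcompany.com as a suffix applied to unqualified names, and the function names are constructed for the example; the domain and addresses come from the caution above.

```python
"""Exclusion-list matching: literal comparison versus comparing every
name/address form of the same host.

Added example, not the appliance's code. The DNS view below is
constructed; the domain and addresses are the ones used in the caution.
"""
import ipaddress

# Constructed internal DNS view.
DNS = {
    "server.win.yourcompany.com": "10.20.30.40",
    "intranet.win.yourcompany.com": "10.20.30.41",
}
SEARCH_SUFFIX = "win.yourcompany.com"   # appended to unqualified names


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def canonical_forms(dest):
    """All forms (as typed, FQDN, IP) by which `dest` reaches one host."""
    dest = dest.lower().rstrip(".")
    forms = {dest}
    if _is_ip(dest):
        forms.update(name for name, addr in DNS.items() if addr == dest)
        return forms
    if "." not in dest:                       # unqualified name
        dest = "%s.%s" % (dest, SEARCH_SUFFIX)
        forms.add(dest)
    if dest in DNS:
        forms.add(DNS[dest])
    return forms


def in_domain(name, domain):
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def excluded_literal(dest, exclusions):
    """How the notes describe the Web proxy: compare the typed string only."""
    return dest.lower().rstrip(".") in {e.lower().rstrip(".") for e in exclusions}


def excluded_normalized(dest, exclusions):
    """Treat an entry as excluding every form of the host it names."""
    wanted = canonical_forms(dest)
    return any(canonical_forms(e) & wanted for e in exclusions)


def redirected(dest, domain_resources, exclusions, excluded=excluded_literal):
    """Is this destination sent through the Web proxy? True when it lies in
    a Domain resource and the exclusion check does not catch it."""
    names = [f for f in canonical_forms(dest) if not _is_ip(f)]
    in_scope = any(in_domain(n, d) for n in names for d in domain_resources)
    return in_scope and not excluded(dest, exclusions)


DOMAINS = ["win.yourcompany.com"]        # the Domain resource from the caution
EXCLUSIONS = ["10.20.30.40"]             # the IP-only exclusion from the caution

if __name__ == "__main__":
    for d in ("10.20.30.40", "server.win.yourcompany.com", "server"):
        print(d, "literal:", redirected(d, DOMAINS, EXCLUSIONS),
              "normalized:", redirected(d, DOMAINS, EXCLUSIONS, excluded_normalized))
```

The practical consequence for the Web proxy agents is that an exclusion must list every form a user could type (FQDN, short name and IP address), because nothing resolves them for you; the normalizing variant only helps when the resolver view used for the comparison is the same one the client will use.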
Using Variables in Resource and WorkPlace Shortcut Definitions
Using variables, you can define a single resource or WorkPlace shortcut that derives its value from a property that is unique for each user. Variables can be defined by a property associated with the session a user has started (the user name, for example, or the name of the zone to which he or she has been assigned), or by querying an external LDAP store for a specific set of attributes, such as a group or computer name.
Notes:
- Variables can be used for all resource types except IP range and Subnet.
- If a variable resolves to nothing, any configuration item using it will be undefined. For example, you might query an LDAP store for a user's IMEI number (the built-in ID number on a mobile device). In the case of a user who does not have an IMEI number, the variable would not resolve to anything during that user's session. A WorkPlace shortcut that uses the variable would not be displayed, for example, and a policy rule that uses it will also fail.
Using Session Property Variables
Once a user has started a WorkPlace session by logging in, several session properties are known, such as the name of the community to which the user has been assigned. You can use these properties to create dynamic resources. For example, you might want mobile users to have access to a different network share than users with desktop computers. Roughly, you would do this as follows:
- Define two communities (Mobile and Desktop).
- Set up two file shares on your network, for example \\company\Mobile and \\company\Desktop.
- Define a resource for WorkPlace: \\company\{Session.communityName}.
A single resource can in this manner present both kinds of users with the link that is appropriate for their devices.
Built-in variables:
- {Session.activeDirectoryDomain}: The FQDN or IP address of the AD domain to use as a search base.
- {Session.activeDirectoryDomain2}: The FQDN or IP address of a second AD domain to use as a search base (if you're using chained authentication).
- {Session.communityName}: The name of the community to which the user was assigned when he or she logged in. The community controls which access agents are available and which End Point Control restrictions apply.
The variable names for the remaining rows of this table are not preserved in this excerpt; their descriptions are:
- The login domain. For example, server3 in this FQDN: server3.uk.company.com.
- The password from the first authentication method.
- The password from the second authentication method, if used.
- For your primary (or only) authentication method, the fully qualified user name (username@userdomain.company.com).
- For your secondary authentication method, the fully qualified user name.
- The name of the realm the user is logged in to.
- The IP address of the user's host as seen by the appliance.
- The short name for the user from the first authentication method. The short name is usually used for both the user's email address and home folder.
- The user's short name from the second authentication method, if used.
- The name of the zone to which the user has been assigned, based on the profile of his or her device.
7. The test results will indicate what character (for example, a comma or a semicolon) you should enter in the Delimiter box.
8. Click Save. The new variable ({User_workstations}) appears in the list and can now be used to define or describe other variables, resources, or WorkPlace shortcuts.
B: Create a host resource that points to the {User_workstations} variable
1. From the main navigation menu in AMC, click Resources.
2. Click New, and then select Host Name or IP Address.
3. Enter Workstation_list as the resource name.
4. In the Host name or IP address box, click {variable}, and then select {User_workstations}, the variable you created in step A.
5. Click Insert, and then click {variable} again to close the list.
6. Edit the entry for Host name or IP address to add the portion of the address that the computers on your network share. The completed entry might look something like this: {User_workstations}.dept.company.com
C: Create a WorkPlace shortcut that points to the Workstation_list resource
1. From the main navigation menu, click Aventail WorkPlace.
2. On the Shortcuts page, click New, and then select Graphical terminal shortcut from the list. The General tab of the Add Graphical Terminal Shortcut page appears.
3. In the Position box, specify the shortcut's position in the list. (It's possible to change its position later in your WorkPlace layout.)
4. In the Resource list, select the resource to which this shortcut will be linked: Workstation_list.
5. In the Link text box, type the first part of the hyperlink users will see. For example, enter My workstation(s): followed by a space.
6. Using a variable, you can have the link end in each succeeding value for Workstation_list; if there is more than one value, more than one shortcut will be displayed in WorkPlace. Click {variable}, and then select {URL_REF_VALUE} from the list. Click Insert to add the variable to the link text, and then close the list by clicking {variable} again. The entry for Link now looks like this: My workstation(s): {URL_REF_VALUE}
7. Click Finish to save the shortcut. (For a description of the settings on the Advanced page, see Adding Graphical Terminal Shortcuts to Individual Hosts on page 362.)
it, AMC automatically assigns the global Default community to the realm. For more information, see Using the Default Community on page 179. Notes For information on how to edit, copy, and delete communities, see Adding, Editing, Copying, and Deleting Objects in AMC on page 43.
Adding Communities to a Realm
After you create a realm, the next step is to configure one or more communities that belong to it. If all of the users in a realm should be treated the same, then only a single community needs to be defined. Create additional communities if you want to subdivide users; you might want to give remote employees, for example, access methods and End Point Control restrictions that differ from those for local employees. Each community defines the following:
- A subset of users within a realm
- Which access methods are available to those users when they log in to a realm
- What restrictions (if any) are placed on their end point devices
Each realm on the appliance must reference at least one community. Using multiple communities can be an efficient way of segmenting your user population in order to provide specific access agents to certain users, or to place End Point Control restrictions on certain types of devices used by community members. You can either use the preconfigured Default community (see Using the Default Community on page 179), or add other communities to the realm. As your user access or security policy requirements change over time, you can add additional communities to a realm, modify the user communities referenced by a realm, or delete them.
To add a community to a realm:
1. After creating a realm on the General tab of the Configure Realm page, go to the Communities page. The Configure Realm - <name> page appears with the Communities tab highlighted.
2. If you want to use an existing community as is (without changing it), you may need to change the order in which the communities are listed. See Changing the Order of Communities Listed in a Realm on page 179. 3. To create a new community for the realm, click New, and to edit an existing community, click its link: the Configure Community page appears. Follow the steps described in Creating and Configuring Communities on page 166.
Creating and Configuring Communities
Creating a community involves these basic steps:
- Assign members to the community
- Select access methods for the community
- Optionally, specify End Point Control restrictions for the community
- Specify a style and layout for the WorkPlace portal
Assigning Members to a Community
The first step in creating a community involves specifying which users will be members. By default a community is configured to include all users from the authentication realm to which it is assigned. However, you can configure a community to permit access to only a subset of users or user groups in a realm. This is useful, for example, if you want to segment a realm into one community for employees and another community for business partners. You can then provide each community with the appropriate access agents, or impose End Point Control restrictions if users are logging in from nonsecure computers. Communities can also be referenced in access control rules in order to permit or deny access to your resources.
To assign members to an existing community:
1. From the main navigation menu, click Realms.
2. Within the realm, click the link for the community you want to configure. The Configure Community page appears with the Members tab displayed.
3. The Members box specifies which users or groups belong to this community. Click Edit to select from a list of users and groups. If no users or groups are specified, the default value of this field is Any, meaning that any user from the authentication realm that references this community belongs to this community.
4. In the Maximum active sessions box you can limit the number of sessions each member of this community is allowed to have active at one time. For mobile users, for example, you may want to restrict the number of sessions to 1; each session consumes one user license, and it's impractical for a mobile user to have more than one active session. With other communities, such as employees who alternate between working from home and in the office, the number of allowed sessions should probably be higher. See How Licenses Are Calculated on page 244 for more information.
5. To select which access methods will be available to members of the community, click the Access Methods tab. See Selecting Access Methods for a Community on page 166 for more information.
6. To restrict user access based on the security of client devices, click the End Point Control restrictions tab and specify which zones are available to users in this community. See Using End Point Control Restrictions in a Community on page 168.
7. Click Save.
Session Persistence
The tunnel clients and Connect Mobile automatically handle the sorts of connection interruptions that users (and especially mobile users) are familiar with, like undocking a laptop and taking it into a meeting, or crossing cellular network boundaries while on the road. Users can experience these temporary interruptions and then resume their sessions without having to reauthenticate. To allow sessions to be reestablished automatically when a user's IP address changes (for example, when moving from the office to home), select the Allow user to resume session from multiple IP addresses check box when you set up EPC zones. See the steps described in Creating a Standard Zone on page 259 or Configuring the Default Zone on page 264 for more information. Reauthentication is, however, required if this setting is disabled, or if any of the following is true:
- The user's session on the appliance has expired
- The credentials provided (such as a SmartCard) do not persist during suspend/resume
Redirection Modes
When configuring the network tunnel clients, you must specify a redirection mode, which determines how client traffic is redirected to the appliance. The network tunnel service supports the following redirection modes:
Split Tunnel Modes
In Split tunnel mode, traffic bound for resources defined in AMC is redirected through the tunnel, and all other traffic is routed as normal. This is less secure than Redirect all mode, but more convenient for users because it doesn't interfere with Internet access. While the tunnel is up, the user's computer is reachable from the Internet and from the corporate network at the same time, so anyone who gains access to it over the Internet connection could potentially reach network resources by re-routing through the split tunnel; to guard against this, consider using End Point Control restrictions to require that users' computers are running personal firewalls or antivirus protection. To also give users access to local printers and file shares, select Split tunnel, with access to local network.
When the appliance is configured for one of the split tunnel modes, you can allow users to decide whether to give preference to local or remote network access. For example, suppose you have a host resource, a Web server, with an address of 192.168.230.1. A user goes on a business trip, and the printer he or she wants to use, on the local network at a conference center, uses that same address. If you have selected the Allow users to indicate which split tunnel redirection mode to use on the client option in AMC, the traveler can indicate a preference for local resources (in this case, the printer) when there is an address conflict. The choice is made on the client in the Connect Tunnel Properties dialog box, on the Advanced tab.
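The redirection decision described above, written out per destination, makes the printer conflict and the difference between the two modes explicit. The following is an added example and not Connect Tunnel's own routing logic. The mode names, the resource list (the Web server address from the text plus a constructed corporate range), the constructed conference-center network, and the prefer_local switch standing in for the user-side preference are all assumptions made for the example; exactly how the real client treats local-network traffic in plain Split tunnel mode (as opposed to Split tunnel, with access to local network) is not modelled.

```python
"""Per-destination redirection decision for the tunnel client's modes.

Added example, not Connect Tunnel's code. Mode names, the resource list,
the local network and the prefer_local switch are this example's
stand-ins for the corresponding AMC and client settings.
"""
import ipaddress


def redirect_decision(dst, mode, resources, local_nets, prefer_local=False):
    """Return 'tunnel' or 'direct' for one destination address.

    mode:         'redirect_all' or 'split'
    resources:    networks/hosts defined as resources in AMC (redirected)
    local_nets:   networks the client is directly attached to right now
    prefer_local: in split mode, the user's choice when an address is both
                  a defined resource and on the local network
    """
    ip = ipaddress.ip_address(dst)
    if mode == "redirect_all":
        return "tunnel"                      # everything goes to the appliance
    if mode != "split":
        raise ValueError("unknown redirection mode: %s" % mode)
    is_resource = any(ip in net for net in resources)
    is_local = any(ip in net for net in local_nets)
    if is_resource and is_local:             # the conference-center printer case
        return "direct" if prefer_local else "tunnel"
    return "tunnel" if is_resource else "direct"


# Constructed policy: the Web server from the text plus a corporate range.
RESOURCES = [ipaddress.ip_network("192.168.230.1/32"),
             ipaddress.ip_network("10.0.0.0/8")]
# Constructed local network at the conference center, which happens to
# use the same address range as the Web server.
LOCAL = [ipaddress.ip_network("192.168.230.0/24")]


def route_table(dsts, mode, prefer_local=False):
    """Decide a batch of destinations against the constructed policy."""
    return {d: redirect_decision(d, mode, RESOURCES, LOCAL, prefer_local)
            for d in dsts}


if __name__ == "__main__":
    sample = ["192.168.230.1", "192.168.230.7", "10.1.2.3", "8.8.8.8"]
    for flag in (False, True):
        print("split, prefer_local=%s:" % flag, route_table(sample, "split", flag))
    print("redirect_all:", route_table(sample, "redirect_all"))
```

With prefer_local set, 192.168.230.1 is the printer and the corporate Web server is unreachable for the duration of the trip; without it, the printer is unreachable. Neither setting is wrong, which is why the text leaves the choice to the user, but the decision is made on the client and is therefore something the appliance cannot enforce.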
Editing, Copying and Deleting Communities
For information on how to edit, copy, and delete communities, see Adding, Editing, Copying, and Deleting Objects in AMC on page 43.
Managing Users and Groups
User and group management is an ongoing job. Although most user management is done through external user repositories (users and groups are not stored directly on the appliance, but are instead referenced), keeping the AMC list current is essential for delivering reliable access. The users and groups defined in AMC are associated with any directories currently configured on the appliance.
Viewing Users and Groups
Users and groups configured in AMC are displayed on the Groups, Users, and Local Accounts pages. To view users and groups 1. On the main navigation menu, click Users & Groups.
2. Select the tab for the user object you want to view:
- Groups: Manage groups of users that are mapped to group information stored on an external authentication server, or create new groups based on directory information.
- Users: Manage individual users mapped to group information stored on an external authentication server.
- Local Accounts: Manage users that are stored in a local repository on the appliance.
3. Optionally use the Filters settings to display only the objects you are interested in. For information about using filters, see the Filters section under A Quick Tour of the AMC Interface on page 38.
4. Review the data shown in the list of groups, users, or local accounts:
- The check-box column is used to select one or more list items to delete.
- The plus sign (+) column expands the display of user, group, or local account information.
- The Name column displays the name you assigned when creating a user, group, or local user account.
- The Description column shows the text you entered when creating an account.
- The Realm column displays the realm with which a user, group, or local user account is associated.
5. Click a column heading to sort the list by that column.
Managing Users and Groups Mapped to External Repositories
Users and groups are not stored directly on the appliance, but are instead referenced from external user directories. In most cases, you manage individual users in AMC only when you need to assign them permissions that are different from those that their group membership allows. There are two ways to form groups of users in AMC using information stored in external directories:
- Use the same group names as the external directory. In most directories, similar user accounts are grouped together so they can be granted similar rights and permissions. Assuming that your directory is organized in this way, your user management on the appliance is usually centered around groups, not users. Set up the appliance to reference user groups stored in your directory, and then reference those groups in access control rules.
- Query the external directory using common attributes. The results can be used to create a new group (one that is not referenced in the external directory) that can be used in access control rules. You might create a new group named Local employees by querying the directory for all employees living within a given set of zip codes.
For Microsoft Active Directory and LDAP directories, there are several ways to add groups (this feature is not available for adding users referenced by a RADIUS realm or in the local user store):
- Manually type a distinguished name (DN)
- Search the contents of the directory and select groups from a list
- Build a dynamic group expression
For testing and evaluation purposes, you can also create local users on the appliance. See Managing Local User Accounts on page 191.
Defining Device Profiles for a Zone
A device profile establishes a trust relationship with a client device by looking for one or more attributes, such as an antivirus program, application, or Windows registry entry. Device profiles can be referenced by one or more zones. A device profile can be defined to detect only one attribute on a client computer, or it can require multiple attributes. When a device profile references multiple attributes, each of those attributes must be present on a client computer in order for there to be a match. In addition to supporting Microsoft Windows, Apple Macintosh, Linux operating systems, and Windows Mobile-powered devices, profiles can also be used for other mobile devices such as PDAs and smartphones. To define a device profile for a zone 1. From the main navigation menu in AMC, click End Point Control.
2. Click the Device Profiles tab, click New, and then select one of the following platforms: Microsoft Windows, Mac OS X, Linux, Windows Mobile, or Other mobile device.
3. On the Device Profile Definition page, type a meaningful name for the device profile in the Name text box. 4. (Optional) In the Description box, type a descriptive comment about the device profile.
5. Select attributes for the device profile. After selecting each attribute, click Add to Current Attributes. The attribute is added to the Current attributes list at the bottom of the AMC page. The available attributes depend on the device profile you selected; Client certificate, for example, is not available as an attribute in a Linux profile, and Antispyware program is available only for users who have Advanced EPC. Where multiple entries are allowed for an attribute, note whether a device profile must match all (and) or match any (or) of the items on the device. Detailed descriptions of the attributes and the platforms on which they are available are in Device Profile Attributes on page 267.
6. Click Save.
Notes: For information on how to copy or delete a device profile, see Adding, Editing, Copying, and Deleting Objects in AMC on page 43.
Collecting Equipment IDs from Unregistered Devices
Every Windows desktop and mobile device has a unique identifier, and you can use this identity in a device profile to ensure that only certain devices have access to protected resources. But before you can add equipment ID data to your directory server as a user attribute, you must first collect the data. You can do this in several ways:

- By creating device profiles for unregistered devices and having users log in: the device ID is collected in the Unregistered device log. See Creating Device Profiles that Allow Unregistered Devices on page 278.
- By creating a device profile that uses a device identity, but does not have the Match Profile if user has no registered devices option enabled. See Disabling Match Profile if user has no registered devices in the Device Profile on page 279.
- By creating a quarantine zone associated with a device profile that matches users who log in using an unregistered device. See Quarantining Unregistered Devices on page 279.
- By creating a deny zone associated with a device profile that matches users who log in using an unregistered device. See Locking Out Unregistered Devices on page 280.
- By exporting the log messages for login attempts by unregistered devices to an external machine, where an IT administrator can view the list and register the devices, or they can be registered automatically. See Exporting the Unregistered Device Log for External Processing on page 280.

Note about Match profile if user has no registered devices: When selected, the Match profile if user has no registered devices check box applies only when the user has no devices registered in the back-end AD or LDAP server and there are no hard-coded devices in the device profile. For example, consider the case where two attributes have been created for user 'test' in the AD/LDAP server, and these attributes are mapped to two policy variables. A device profile is created containing these two variables and the equipment ID "4JV5DQH1". The check box is selected. This device profile is part of a zone called 'std_desc'. Unlike user 'test', user 'test1' has no representation in the back-end LDAP/AD server. User 'test' logs in with a device that is registered in the back-end server; the zone classification is std_desc. However, user 'test1' logs in with the same device and is classified into the default zone. The check box does not apply to user 'test1' in this case, because the device profile still contains a hard-coded device ID.

However, if you remove the device ID '4JV5DQH1' from the device profile, leaving just the two policy variables, you will see a different zone classification for user 'test1'. In this case, user 'test' logs in with a registered device and is classified into the std_desc zone. User 'test1' logs in and is also classified into the std_desc zone. The check box applies in this case because user 'test1' has no registered devices, the two policy variables in the zone's device profile resolve to NULL values, and there is no third, hard-coded device in the device profile.

If you are using mobile devices, you may already have the device identities entered in your database. In this case, you can simply refer to them in a profile. Users logging in from one of these devices will match this profile and qualify for the associated zone. The device identifier is usually an attribute in the authentication directory represented by a variable; for example, {device_identity}. The format of the identifier differs, depending on the kind of device used:

- For a Microsoft Windows device, the identifier is a unique string, stored in the hardware; for example, WD-WMAM9SK79685.
- For a mobile device, this is the unique 15-digit IMEI (International Mobile Equipment Identity) code for the device; for example, 350077-52-323751-3.
- A device that supports Microsoft Exchange ActiveSync reports its device ID. In the case of the Apple iPhone, for example, the device prepends Appl to its device ID/serial number when it communicates with Exchange servers. For example: Appl828315FLY7H.

To get the correct device ID for a smartphone, you can view the POST message in the AMC log after the phone attempts to connect to the appliance. Navigate to the Logging page, and
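The zone classification rules described above (exact equipment ID comparison, policy variables that resolve to NULL for users absent from the directory, and the condition under which Match profile if user has no registered devices applies) are easier to reason about as code. The following Python model is an added example, not code from the SonicWALL documentation or the appliance; the directory contents, the users 'test' and 'test1', the second variable name {device_identity2}, and the equipment IDs it uses are constructed for illustration. It reproduces both 'test'/'test1' scenarios from the note and also shows why a directory value that omits the ActiveSync Appl prefix leaves the device in the default zone.

```python
"""Zone classification by device profile (added example, not SonicWALL code).

Models the rules for the device-identity attribute of a device profile:
  * policy variables resolve to the user's directory attributes (NULL when the
    user has no such attribute, for example when the user is not in AD/LDAP);
  * hard-coded equipment IDs are part of the profile itself;
  * the device matches when the ID it reports equals any resolved or
    hard-coded ID, compared exactly (so an ActiveSync "Appl..." prefix must be
    stored in the directory exactly as the phone sends it);
  * "Match profile if user has no registered devices" applies only when every
    policy variable resolves to NULL and the profile has no hard-coded IDs.
The directory contents, user names and equipment IDs below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_ZONE = "default"


@dataclass
class DeviceProfile:
    zone: str                       # zone that references this profile
    policy_variables: List[str]     # e.g. "{device_identity}", mapped to directory attributes
    hardcoded_ids: List[str] = field(default_factory=list)
    match_if_no_registered_devices: bool = False


def resolve_variables(profile: DeviceProfile, user_attrs: Dict[str, str]) -> List[Optional[str]]:
    """Resolve each policy variable against the user's directory attributes (None = NULL)."""
    return [user_attrs.get(var) for var in profile.policy_variables]


def profile_matches(profile: DeviceProfile, user_attrs: Dict[str, str], reported_id: str) -> bool:
    resolved = resolve_variables(profile, user_attrs)
    registered = [v for v in resolved if v is not None]
    # Exact comparison: no prefix stripping, no case folding.
    if reported_id in registered or reported_id in profile.hardcoded_ids:
        return True
    # The check box applies only when the user has no registered devices AND
    # the profile carries no hard-coded device.
    return (profile.match_if_no_registered_devices
            and not registered
            and not profile.hardcoded_ids)


def classify_zone(profiles: List[DeviceProfile], user_attrs: Dict[str, str], reported_id: str) -> str:
    """First matching profile wins; otherwise the session lands in the default zone."""
    for profile in profiles:
        if profile_matches(profile, user_attrs, reported_id):
            return profile.zone
    return DEFAULT_ZONE


# Constructed directory: 'test' has two device attributes, 'test1' has no entry at all.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "test": {"{device_identity}": "WD-WMAM9SK79685",
             "{device_identity2}": "350077-52-323751-3"},
    "test1": {},
}
VARS = ["{device_identity}", "{device_identity2}"]


def scenario_with_hardcoded_id():
    """Profile holds the two variables plus '4JV5DQH1'; check box selected."""
    profile = DeviceProfile("std_desc", VARS, hardcoded_ids=["4JV5DQH1"],
                            match_if_no_registered_devices=True)
    return (classify_zone([profile], DIRECTORY["test"], "WD-WMAM9SK79685"),
            classify_zone([profile], DIRECTORY["test1"], "WD-WMAM9SK79685"))


def scenario_without_hardcoded_id():
    """Same profile with the hard-coded ID removed: the check box now applies to 'test1'."""
    profile = DeviceProfile("std_desc", VARS, match_if_no_registered_devices=True)
    return (classify_zone([profile], DIRECTORY["test"], "WD-WMAM9SK79685"),
            classify_zone([profile], DIRECTORY["test1"], "WD-WMAM9SK79685"))


def activesync_prefix_scenario():
    """An iPhone posts 'Appl828315FLY7H'; the directory value must carry the prefix."""
    profile = DeviceProfile("std_desc", ["{device_identity}"])
    without_prefix = {"{device_identity}": "828315FLY7H"}
    with_prefix = {"{device_identity}": "Appl828315FLY7H"}
    return (classify_zone([profile], without_prefix, "Appl828315FLY7H"),
            classify_zone([profile], with_prefix, "Appl828315FLY7H"))


if __name__ == "__main__":
    print(scenario_with_hardcoded_id())      # ('std_desc', 'default')
    print(scenario_without_hardcoded_id())   # ('std_desc', 'std_desc')
    print(activesync_prefix_scenario())      # ('default', 'std_desc')
```

The model deliberately treats a NULL variable as "no candidate" rather than as a wildcard: that is what makes the check box the only path into the zone for a user with no directory entry, and why leaving a hard-coded ID in the profile closes that path.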
Creating or Editing a WorkPlace Style
To create a new WorkPlace style

1. On the main navigation menu, click Aventail WorkPlace, and then click the Appearance tab.
2. In the Styles area, choose an existing style to base your new one on (select its check box, and then click Copy), or click New.
3. In the Name box, type a unique name for the WorkPlace style.
4. (Optional) In the Description box, type a descriptive comment about the style.
5. In the Font family list, select the type of font you want to use (Serif or Sans-serif).
6. In the Color scheme list, click the name of the color scheme you want to use. If you select Custom, you can set custom colors for the WorkPlace Page background, Subheadings, and Main heading. Specify color settings by typing the applicable hexadecimal RGB value, or by clicking a color swatch and then selecting a color from the Please choose a color dialog box.
7. To replace the SonicWALL Aventail logo that is displayed in WorkPlace with a different image, use the Replace with box to enter or browse for the .gif or .jpg file you want to use. For best results, the image should not exceed 200 pixels wide by 50 pixels high.
8. When Display gradient background behind logo is selected, the accent color of your Color scheme is displayed at the top of each WorkPlace page, gradually going from dark (at the top of the page) to light. Any heading that you have appears in white.
9. On small form factor devices, the logo specified in the Images area is resized by default, but for best results you may want to specify an alternate image that does not exceed 40 pixels by 100 pixels. Type the path of the image file, or click the Browse button to select the image file you want to use. The logo is automatically omitted from WAP and i-mode devices, so this setting does not affect the display on those devices.
10. In the Title box, type the text that will appear as the title on the page and in the browser's title bar. The title must be no longer than 25 characters.
11. In the Greeting box, type the introductory text that should appear below the title. The greeting must not exceed 250 characters, but you may want to use a shorter one, especially if you want it to appear on small form factor devices.
12. To further assist the user, you can specify a custom Help file that provides more detailed information about the resources available on your VPN, or describes how to get technical support. Click Browse to specify a well-formed HTML file that contains custom Help information. Your custom Help content is integrated with the default WorkPlace Help system. To make changes to your custom Help content, edit the file locally and upload it to the appliance again.
13. Click Save to save your WorkPlace site settings, or click Reset Defaults to restore the factory-default settings.
Overview: Browser Profiles
The appliance is preconfigured to recognize most popular desktop browsers and many common small form factor devices. When a user connects to WorkPlace, it uses this profile information to classify the device into one of several categories. This in turn determines how WorkPlace appears, which shortcuts are visible on the device, and how the device is classified for use with EPC. The browser profile is determined by examining a variety of information sent from the client, including the Web browser's user-agent string and HTTP headers. The classification details are as follows:

WorkPlace classification: client device examples
- Desktop (JavaScript enabled): Windows, Mac, or Linux
- Desktop (JavaScript disabled): Apple iPhone. Because JavaScript is disabled, the appliance cannot interrogate the iPhone to determine which EPC zone it belongs in.
- Advanced mobile (touch screen and JavaScript enabled): Windows Pocket PCs; Windows Smartphone Professional; many Windows CE devices; many Palm OS devices
- Standard mobile (JavaScript enabled): Windows Smartphone Standard
- Standard mobile (no JavaScript): any Smartphone without JavaScript; some Palm OS devices
- WAP Phone v2.0: any WAP 2.0-compliant phone (includes many Symbian-based phones)
- i-mode phone (cHTML): mobile browser using cHTML (no cookie support)

The market for mobile phones and handheld devices is evolving rapidly, and you may need to modify the default appliance settings. For example, you might need to configure the appliance to support a new type of smartphone purchased by your sales organization. Or you might want to override the appliance's default profile to accommodate a PDA vendor whose user-agent string has changed. Any browser profiles you define take precedence over the built-in profiles configured on the appliance.

AMC's browser profiles enable you to configure the appliance to support the latest small form factor devices. A browser profile maps a particular user-agent string to a device type. As mentioned in Overview: WorkPlace and Small Form Factor Devices on page 305, the profile is used to determine three things:

Feature specified in browser profile: for more information
- How WorkPlace is rendered on the device: see Overview: WorkPlace and Small Form Factor Devices on page 305.
- Which links appear on WorkPlace: see Adding Web Shortcuts on page 294.
- How the device is classified into an End Point Control zone: see How the Appliance Uses Zones and Device Profiles for End Point Control on page 250.
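Because the browser profile feeds the End Point Control zone decision, the order in which profiles are consulted matters: an administrator-defined profile is checked before any built-in one, and the first match wins. The following Python model is an added example, not the appliance's profile database or code; its regular expressions, its User-Agent samples, and the hypothetical "ExamplePDA" vendor string are all constructed for illustration, and the classification names are the WorkPlace classifications from the table above.

```python
"""Browser-profile lookup model (added example, not SonicWALL code).

Administrator-defined browser profiles are consulted before the built-in
ones, so a custom profile always takes precedence. Built-in profiles are
first-match regular expressions over the User-Agent header; the patterns and
sample User-Agent strings here are constructed for illustration and are not
the appliance's actual profile database.
"""
import re
from typing import List, Optional, Tuple

Profile = Tuple[str, str]  # (regex over User-Agent, WorkPlace classification)

# Constructed built-in profiles, most specific first, because lookup stops at
# the first match: "Windows CE" must be tested before the generic desktop rule.
BUILTIN_PROFILES: List[Profile] = [
    (r"iPhone", "Desktop (JavaScript disabled)"),
    (r"Windows CE.*(PPC|Pocket PC)|PalmOS|PalmSource",
     "Advanced mobile (touch screen and JavaScript enabled)"),
    (r"Windows CE.*Smartphone", "Standard mobile (JavaScript enabled)"),
    (r"DoCoMo", "i-mode phone (cHTML)"),
    (r"SymbianOS|WAP", "WAP Phone v2.0"),
    (r"Windows NT|Macintosh|X11", "Desktop (JavaScript enabled)"),
]


def match_profile(user_agent: str, custom_profiles: List[Profile]):
    """Return (classification, source) for the first matching profile, or (None, None).

    source is 'custom' or 'builtin', so an administrator can see which rule
    decided the classification when troubleshooting an unexpected EPC zone.
    """
    for source, table in (("custom", custom_profiles), ("builtin", BUILTIN_PROFILES)):
        for pattern, classification in table:
            if re.search(pattern, user_agent):
                return classification, source
    return None, None


def classify(user_agent: str, custom_profiles: List[Profile] = ()) -> Optional[str]:
    """Classification only; None when no profile recognizes the User-Agent."""
    return match_profile(user_agent, list(custom_profiles))[0]


# Constructed User-Agent samples.
UA_DESKTOP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
UA_IPHONE = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X) AppleWebKit/528.18"
UA_POCKETPC = "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) PPC"
UA_NEW_PDA = "ExampleVendorBrowser/2.0 (ExamplePDA; rev2)"  # hypothetical vendor string


def demo_precedence():
    """A custom profile for the new PDA fires before any built-in one."""
    custom = [(r"ExamplePDA", "Standard mobile (JavaScript enabled)")]
    return (classify(UA_NEW_PDA),               # no built-in rule knows it -> None
            classify(UA_NEW_PDA, custom),       # custom rule classifies it
            match_profile(UA_IPHONE, custom))   # built-ins still apply to others


if __name__ == "__main__":
    for ua in (UA_DESKTOP, UA_IPHONE, UA_POCKETPC, UA_NEW_PDA):
        print(ua[:40], "->", classify(ua))
    print(demo_precedence())
```

A custom profile that matches too broadly (for example a bare "Mozilla" pattern) would shadow every built-in rule and change which EPC zone ordinary desktops land in, so custom patterns should be as specific as the vendor's string allows.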
The Connect Tunnel client supports command-line utilities such as ngdial that can modify the normal run-time behavior of the client and enable you to perform troubleshooting and diagnostic tasks without using the standard graphical user interface. For more information, see Command Line Access to Connect Tunnel with NGDIAL on page 330. You can configure the Windows version of the Connect Tunnel client software to be automatically updated on users' computers whenever a new version becomes available. For more information, see Windows Tunnel Client Automatic Client Updating on page 173.

Notes: A user logged in as a guest on a computer running the Windows Vista operating system will not be able to run Connect Tunnel. A guest account is for users who don't have a permanent account on your computer or domain; it allows them to use your computer without giving them access to your personal files.
The Proxy Clients
This section provides an overview of the Connect Mobile client.
Connect Mobile Client
The Connect Mobile client is a lightweight application for Windows Mobile-powered devices. It provides access to a broad range of resources (including traditional client/server applications, thin-client applications, and Web resources) protected by the Web proxy service. The Connect Mobile client is installed using a Windows setup program that extracts the application files and then copies them to the user's device using Microsoft ActiveSync. For information about deploying the setup files to users, see Client Installation Packages on page 326.

Some legacy devices may display the Windows Mobile branding, but are in fact powered by an older version of the operating system. For example, the Connect Mobile client does not support the following Smartphone 2003 devices:

- Audiovox SMT5600
- Motorola MPx220
- Sierra Wireless Voq
- Samsung i600
- iMate SP2

But these small form factor devices, along with other Web-enabled devices, can use the Aventail WorkPlace portal for Web-based access to the SonicWALL SSL VPN appliance. See WorkPlace and Small Form Factor Devices on page 305 for more information.
Release Notes
Secure Remote Access SonicWALL Aventail E-Class SRA EX-Series 10.5.2
Platform Compatibility
The SonicWALL Aventail E-Class SRA EX-Series 10.5.2 release is supported on the following SonicWALL appliances:

- SonicWALL Aventail E-Class SRA EX7000
- SonicWALL Aventail E-Class SRA EX6000
- SonicWALL Aventail E-Class SRA EX-2500
- SonicWALL Aventail E-Class SRA EX-1600
- SonicWALL Aventail E-Class SRA EX-750

On 64-bit Windows Vista and Windows 7 systems, this release has been tested on and supports 32-bit Internet Explorer 7 and 8. On Windows 7 SP1 (32-bit and 64-bit), this release has been tested on and supports Safari 5.0.x.
Upgrading from Earlier Versions
If you are upgrading a SonicWALL Aventail E-Class SRA EX-Series appliance to version 10.5.2 from an earlier release, be sure to consult the upgrade instructions in the SonicWALL Aventail Upgrade Guide for detailed information. You'll find a copy of this document on the MySonicWALL Web site (www.mysonicwall.com).
Release Caveats
1. The OPSWAT Secure Desktop Emulator is currently provided as a beta-quality release and has a number of known issues. Details about this feature are provided in the next section.
2. The 10.5.X release series will be the last release with support for OnDemand Dynamic Mode, which is a proxy-based agent deployed through the WorkPlace portal. Note that the OnDemand Proxy Agent has two configurations: Dynamic Mode and Mapped Mode. The Mapped Mode use case is still supported; only Dynamic Mode support is being removed. We recommend that customers who still have OnDemand Dynamic Mode configured through the WorkPlace portal consider the OnDemand Tunnel agent as an alternative. The OnDemand Tunnel agent offers superior performance and platform coverage over OnDemand Dynamic Mode, with identical installation requirements.
What's New in This Release?
This version of the Aventail SonicWALL E-Class SRA EX-Series software includes the following new and enhanced features:

Virtual Assist
Provides administrators and helpdesk technicians with the capability to assist remote employees and users with technical issues. Technicians are able to control a user's desktop and system at a distance, which provides an efficient and economical method of delivering targeted technical support. Users can also request Virtual Assist sessions through the WorkPlace portal.

Web Policy and SSO Tunnel Support
This tunnel URL filtering feature enforces URL-based rules within VPN tunnel sessions. This feature not only provides more effective security, but also allows the use of Single Sign-On (SSO) for Web applications accessed via a tunnel.
SonicWALL Aventail E-Class SRA EX-Series 10.5.2 Release Notes
232-001932-00 Rev A
iPhone, iPad, Android and Symbian Support (ActiveSync for Exchange)
Extends SonicWALL's clientless ActiveSync support for Exchange email to mobile devices that are becoming popular choices for corporate mail. This feature also leverages the device's ID capability to link the device to a single user, providing a first layer of end-point control.

Password Management for Sun and Novell Directory Servers
Provides support for Novell and Sun LDAP servers for improved password management. This new feature calls upon the Policy server to probe and predetermine the directory server and the applicable version. End users will be able to enter LDAP credentials and be notified through the appliance when their password needs to be changed due to expiration or back-end policies, and are then allowed to change the password. The following server versions are supported:
- Sun Java System Directory Server Enterprise Edition (DSEE) 7.0
- Novell eDirectory 8.8 SP5

Extension Configurations in Management UI
A new page has been added to the Maintenance section of the AMC management interface to allow simple configurations to be completed for extensions. This new feature assists administrators in making configuration adjustments that appear in maintenance releases or hotfixes, and allows for the configuration of arbitrary key-value pairs.

OPSWAT Secure Desktop Emulator (SDE)
Provides VPN administrators with an additional end-point data protection tool that prevents end users from copying or moving data from an end-point system to other locations that have not been qualified for security clearance. When a client device is classified into a zone that requires the desktop emulator, the emulator will automatically deploy for the user. The Secure Desktop Emulator is available as a beta-quality feature for the following platforms:
- Windows XP SP3 or later
- Windows Vista SP2 or later (32-bit, 64-bit)
- Windows 7 (32-bit, 64-bit)
- Windows 7 SP1 (32-bit, 64-bit)
- Windows 2008 Server
Note: SonicWALL recommends using Java with Internet Explorer when using SDE.

Cache Cleaner (also known as OPSWAT CC)
Provides VPN administrators with an end-point data protection tool to ensure that data downloaded or accessed during a session is functionally wiped from the user's system. This feature removes Web browser information, such as cookies, browsing history, and stored passwords, upon termination of the session. The Cache Cleaner (OPSWAT) is supported on the following platforms:
- Windows XP SP3 or later
- Windows Vista SP2 or later (32-bit, 64-bit)
- Windows 7 (32-bit, 64-bit)
- Windows 2008 Server
- Mac OS X 10.5 (Leopard)
- Mac OS X 10.6 (Snow Leopard) (32-bit, 64-bit)
The tray icon for Cache Cleaner is not displayed on the client system.
Cache Cleaner is slow to release memory and exit after user logout.
Cache Cleaner Comparison

This table lists differences in behavior between the OPSWAT Cache Cleaner and the Symantec Cache Cleaner that was included in previous releases. (The original is a three-column table: Feature, Symantec (Sygate) Cache Cleaner, OPSWAT Cache Cleaner.)

1. Supported platforms
   Symantec (Sygate) Cache Cleaner: Windows XP SP2 (32 bit); Windows 2000, 2003; Macintosh 10.3.9 and 10.4.9
   OPSWAT Cache Cleaner: Windows XP SP3 (32 bit); Vista SP2 (32/64); Windows 7 (32/64); Windows 2003, 2008 (32/64); Macintosh 10.x
2. Supported browsers
   Symantec: Internet Explorer (IE) 6 and 7; Firefox (FF) 1.5 and 2.0; Safari 1.2 and 2.0 (Mac)
   OPSWAT: Internet Explorer 6, 7 and 8; FF 2, 3.0 and 3.5; Safari 3.0 and 4.0 (Mac)
3. Clearing browser data: form data
   Symantec: Yes
   OPSWAT: No
4. Clearing browser data: download history
   Symantec: Yes
   OPSWAT: Not supported in Safari (Mac)
5. Session scope support
   Symantec: Yes
   OPSWAT: Yes (mostly). Instead of clearing session-specific typed URLs and cookies, all of the typed URLs and cookies are wiped.
6. Close all browser windows at startup
   Symantec: (blank in the source text)
   OPSWAT: No. This feature has been removed. Instead, when the user chooses to log out from WorkPlace, a prompt states that all browser windows will close.
7. Post-timeout interval
   Symantec: The client closes browsers and then initiates a complete wipe and terminates.
   OPSWAT: The client initiates a wipe but continues to run until the browser windows are closed explicitly.
8. Wipe scope
   Symantec: Data in the context of the provisioning browser is wiped. For example, if the Cache Cleaner is loaded within Internet Explorer (IE), then at the end CC only wipes data specific to IE; data in another supported browser (Firefox) is unmodified.
   OPSWAT: OPSWAT provides system-wide DPA. OPSWAT monitors and wipes data in all supported browsers (Internet Explorer and Firefox), not only that of the provisioning browser.
OPSWAT Cache Cleaner Deployment Issues

The following tables contain known issues and deployment results provided by OPSWAT for the Cache Cleaner when using Internet Explorer in certain environments. Key to abbreviations: IE = Internet Explorer; PM = Protected Mode; JRE = Java Runtime Environment. In the original, each result cell is color coded: RED = failed to wipe, GREEN = successful wipe.

Launching via Applet: this table outlines the issues that the Cache Cleaner encounters in different environments. Its rows are IE 7 with PM on, IE 7 with PM off, IE 8 with PM on, and IE 8 with PM off. Its column groups are JRE earlier than JRE 6 update 10 and JRE 6 update 10 or later, each split into PM on data and PM off data, and each covering Cache, Cookies, History, Typed Addresses, and Passwords. The color-coded results do not survive in this text version.

Launching via ActiveX: this table outlines the issues that the Cache Cleaner encounters in different environment setups on Windows Vista. Its rows begin with IE 7 with PM on; its column groups are PM on data and PM off data, each covering Cache, Cookies, History, Typed Addresses, and Passwords. The color-coded results do not survive in this text version.
Symptom: A misleading error message is displayed: "VPN Connection Failed. Access denied. The required system capabilities are not present, enabled, or current."

Symptom: Local resources are sometimes directed through an internal proxy server.

Symptom: Tunnel clients are unable to reconnect over an access point that requires authentication.

Symptom: In Redirect All mode, the Internet is accessible if proxy settings are configured on browsers.

Symptom: The desktop icon for Connect Tunnel in WorkPlace is not present for all Linux users.

Symptom: When using dial-up and a remote proxy for the connection to the Internet, Internet browsing might not traverse the remote proxy.
Condition / Workaround: Occurs when you use a dial-up connection to the Internet, and the community to which you are assigned is configured for a remote proxy. This applies regardless of whether the remote proxy was configured manually or using a .pac file. Workaround: In Connect Tunnel, make sure the dial-up connection is specified on the Properties page. Select the 'Establish this connection first' check box and specify a connection in the drop-down list. (If you use OnDemand Tunnel, there is no equivalent way to specify the connection properties.)

Symptom: Cannot access the appliance if the specified proxy server is unavailable.
Condition / Workaround: Occurs when Internet Explorer is configured to use an outbound HTTP proxy server and Connect Tunnel attempts to access the appliance using that proxy server. If the proxy is available, the client connection will succeed. However, if the proxy server is unavailable, the client will not fall back to sending traffic through the default route, causing the connection to the appliance to fail. Workaround: Remove the proxy setting from the browser.

Symptom: Cannot access the appliance using the FQDN/VIP for a WorkPlace site. The Connect Tunnel client displays the message, "The device is not in a valid state to perform this request."
Condition / Workaround: Occurs when the Connect Tunnel client is configured (by an administrator or user) to access the appliance using the FQDN or virtual IP address for a custom WorkPlace site. Workaround: Configure the client to access the appliance using the FQDN or IP address contained in the appliance's main certificate.
End Point Control
Symptom: Smartphone ActiveSync users are classified to the default or quarantine zone even when the smartphone device ID or serial number is configured as a user attribute in the Active Directory server.
Condition / Workaround: Occurs when the device ID in the user attribute does not include the specific prefix, such as Appl or droid, that is sent in the POST message when the smartphone connects to the appliance. Workaround: View the POST message in the appliance log, and use the device ID value shown there for the AD user attribute.

Symptom: Zone classification fails when a device profile combines values and the Match profile if user has no registered devices check box is selected.

Symptom: Zone classification fails with a certificate device profile on Linux and Mac machines. The client is relegated to the default zone rather than the intended zone.

Symptom: Zone classification fails for a user who does not have Windows administrator rights. The user is classified to the default or quarantine zone.

Additional conditions from this table whose symptom entries are not shown:
- Occurs when a user launches a Secure Desktop Emulator session through the Firefox Web browser. The browser window displays a "waiting" message, even once the SDE session has begun.
- Occurs when a user successfully removes the Secure Desktop Emulator plug-in using the Internet Explorer browser tools options.

Issue: 93443
ExtraWeb
Symptom: The Safari browser stops responding when accessing Web sites that use applets.
Condition / Workaround: Occurs after logging in to the appliance in a Safari 4.0.5 browser on a machine running Mac OS X 10.5.8, and accepting the certificate prompts. The certificate prompts show header values instead of strings, which appears to be a browser issue. This issue can occur on all Web sites that use applets.
Issue: 89190
OnDemand Proxy
Symptom: The first time a user installs OnDemand Proxy, OnDemand Proxy might not redirect all connections.
Condition / Workaround: Occurs for connections to unqualified names that are fewer than 16 characters in length, which are not redirected if DNS cannot resolve them. This can happen if no DNS suffix is configured on the system. Workaround: Reboot the system. When DNS fails, WINS or WINS Broadcast is used, but WINS cannot perform name resolution until the system has been rebooted.
Issue: 60633
OnDemand Tunnel
Symptom: OnDemand Tunnel upgrade appears to work using two different appliances, but activation fails with an error that there is no phonebook.
Condition / Workaround: Occurs when a non-administrator installs OnDemand Tunnel on a Windows system, and when subsequent upgrades are performed using different appliances. Workaround: Install OnDemand Tunnel when logged in as an administrator. Upgrade from the same appliance, as administrator or non-administrator.
Issue: 71411
OPSWAT Secure Desktop Emulator (SDE)
Symptom: Web resources are not accessible using the Web Proxy Client (EWPCA) and OnDemand Proxy in the Secure Desktop Emulator.
Condition / Workaround: Occurs when there is already a proxy (.pac file or auto configuration) defined in the Internet Explorer or Firefox browser and the user attempts to modify the preset proxy settings in the secure desktop. Workaround: Use the OnDemand Tunnel agent or use a manual proxy. Access Web resources using an alias or a custom access option such as a host name or port mapped URL.

Symptom: Secure Desktop Emulator does not remove installed applications when it terminates. The application can still be used on the computer, outside of SDE.

Symptom: OnDemand Tunnel activation fails with Secure Desktop Emulator when using ActiveX.

Symptom: Secure Desktop Emulator does not exit upon logging out of WorkPlace, and clicking Logout in WorkPlace displays an error dialog.

Symptom: Users cannot print from Notepad on Windows 7 and an error message is displayed.

Additional condition from this table whose symptom entry is not shown: Occurs when using a 32-bit Windows 7 machine with Internet Explorer 8 and Java, either when starting it in IE8 with no other browsers running, or when IE8 is running and then Firefox is launched and the user attempts to start Secure Desktop Emulator in Firefox. Workaround: Press the F5 key to refresh the browser, and then SDE starts.

Issues: 91956, 91954, 91946, 91942
Platform/Operating System
Symptom: In split tunnel mode, file shares are not always redirected to the appliance. Traffic bound for resources defined on the appliance is redirected through the tunnel, and all other traffic is routed as normal.
Condition / Workaround: Occurs when using Connect Tunnel on a Vista computer and an appliance in split tunnel mode. File share access (which uses the SMB protocol) may not be redirected properly if there is a conflicting resource on both the remote and local networks. For example, if Connect Tunnel is started on a network at 192.168.144.0/24 and there is a resource at 192.168.144.100, a user who is trying to access a share on a remote network at 192.168.144.100 may get connected to 192.168.144.100 on the local network instead. On the Vista operating system, SMB does not use the appliance's routing table directly, but issues connects on different interfaces simultaneously: whichever connection succeeds first is the one that is subsequently used (even if the routing table on the appliance prescribes something else). In this example, if the 192.168.144.0/24 interface connects first, then access to the resource at 192.168.144.100 will not be redirected.

Symptom: The Access Manager component fails to properly install on Windows 7 platform clients, causing a dialog box prompt to display a request for the insertion of a smart card.
Condition / Workaround: Occurs because the certificate is not being properly imported in Internet Explorer on Windows 7 systems. Workaround: Mark certificate keys as exportable.

Symptom: SonicWALL Aventail EX7000 and EX6000 appliances refuse to boot during re-imaging.
Condition / Workaround: Occurs when a USB device is inserted into the appliance. During the re-imaging process, appliances boot from the internal hard drive instead of a compact flash card. Workaround: Before rebooting an EX7000 or EX6000 appliance, remove any USB devices.

Issue: 63383
Policy Server
Symptom: Group affinity checking is not successfully completed with certain authentication scheme combinations.
Condition / Workaround: Occurs when PKI is configured as the primary authentication scheme, and Active Directory, LDAP, or RADIUS is configured as the secondary authentication. Workaround: Remove the secondary authentication.
Issue: 90434
Virtual Assist
Symptom: The Help button incorrectly displays Windows help.
Condition / Workaround: Occurs on Mac OS X when the Help button is clicked.

Symptom: The Virtual Assist session sometimes stops responding.
Condition / Workaround: Occurs on Mac OS X when closing the browser window where the initial Virtual Assist session was launched.

Symptom: The technician application stops responding in certain conditions.
Condition / Workaround: Occurs on Mac OS X after an ungraceful exit if the browser is closed before the application exits. Workaround: Exit the application first, then close the browser.

Symptom: The technician application sometimes stops responding.
Condition / Workaround: Occurs on Mac OS X when the technician application shows the last screen of the Mac system even after ending support.

Symptom: The customer system reboots and then displays an error message about incorrect parameters. The technician cannot reconnect with the customer.
Condition / Workaround: Occurs when the technician PC is running Windows Vista SP2 with Internet Explorer 8, the customer PC is running Windows XP SP3 with Internet Explorer 8, the technician clicks Reboot Customer PC, and the customer provides their credentials. Workaround: The customer logs back into the wait queue on a new ticket, either by entering the authentication code or by responding to an invitation sent when the technician creates a new ticket.

Symptom: The Safari browser stops responding after a technician attempts to service a re-queued Windows customer.
Condition / Workaround: Occurs when a technician has both a Windows-client customer and a Mac-client customer waiting for service in the Virtual Assist queue, and the technician services the Windows customer and then attempts to service the same Windows customer again after a re-queue.

Symptom: The technician cannot start the service for the customer again after re-queue.
Condition / Workaround: Occurs on Mac OS X when the client application is not terminated when the technician re-queues the customer.

Symptom: Cannot use the same user name to log in as a technician for approximately six minutes.
Condition / Workaround: Occurs on Mac OS X when the technician selects the option to end support (Stop or Remove).

Symptom: A customer cannot use an invitation link to join the queue until after six minutes.
Condition / Workaround: Occurs when a customer accepts an invitation to join the Virtual Assist queue for service when it is full, which prompts to try back later, and then tries to use the same invitation link to join the queue after a space opens up.

Symptom: The technician's screen may momentarily go blank the first time the technician attempts to view the customer screen.
Condition / Workaround: Occurs when a technician initiates a Virtual Assist session with a customer, and selects the full-screen mode option to view the client's screen. Workaround: The technician and user should each move their mouse to refresh the VNC connection.

Symptom: During a Virtual Assist support session, Virtual Assist may stop responding while transferring files.
Condition / Workaround: Occurs when the client or customer attempts to send numerous files to the technician's system at one time, using the file transfer tool.

Issues: 94630, 94629, 90510, 89674
Web Translation
Symptom: Edited layout is not reflected on the Domino Web Access home page after saving the selected layout.
Condition / Workaround: Occurs when using port mapped or host name mapped access for Domino Web Access, and the user edits the layout of the page. Workaround: Click the Refresh button to display the new layout.

Symptom: Using the Windows Explorer style view on SharePoint causes a long delay and then fails.
Condition / Workaround: Occurs when Explorer View is clicked to view a document library on a back-end SharePoint server (2003/2007) while logged in through the EX-Series appliance. This is a known limitation due to SharePoint's use of built-in URLs with proprietary components. Workaround: Use other views that provide tables and columns.

Issue: 83358
WorkPlace
Symptom: Clicking OK on a File Size Exceeded window closes the window without returning to the folder.
Condition / Workaround: Occurs when a user is logged into WorkPlace using Internet Explorer 8 and attempts to upload a file exceeding the size limit. When the user clicks OK, the warning window sometimes closes without returning the user to the folder containing the file to upload. Workaround: Use another type of browser or a different version of Internet Explorer.

Symptom: Cannot cancel installation of Aventail Access Manager.
Condition / Workaround: Occurs when a file download dialog opens during installation of Aventail Access Manager (the provisioning and EPC component for Windows). If the user clicks Cancel in this dialog box, the Aventail Access Manager Web page does not display any navigation buttons. Workaround: Refresh the browser, and the buttons used to select the installation options will display.

Symptom: Certificate authentication process stalls during login to WorkPlace.
Condition / Workaround: Occurs when you attempt to log in to a realm that requires a client certificate when connecting to WorkPlace using Internet Explorer on a PDA that is running Windows Mobile 5. Workaround: Click the Next button.

Issue: 83150
Resolved Issues
This section describes resolved issues for this release. The five-digit numbers in brackets are internal tracking IDs. The issues are organized into the following categories:
AMC Configuration
Authentication
Cache Cleaner (OPSWAT CC)
Certificates
Connect Tunnel (CT)
End Point Control (EPC)
ExtraWeb
Logging
OnDemand Proxy
OPSWAT Secure Desktop Emulator (SDE)
Platform/Operating System
Policy Server
Provisioning
WorkPlace
AMC Configuration

Symptom: AMC displays Unknown for some entries in the unregistered devices log table.
Condition / Workaround: Occurs because the activeSyncMobile enumeration is missing from the platform row in the MySQL database equipmentIdentifier table.

Issue: 93530
Authentication
Symptom: After authentication, a message is displayed which says "Your password will expire in -24626 days" (the numbers appear randomly generated).
Condition / Workaround: Occurs when Active Directory is misconfigured and is giving incorrect timestamps.

Symptom: Users not in Active Directory are incorrectly granted access for a rule with a Dynamic Group Expression.
Condition / Workaround: Occurs when using RADIUS as primary authentication with the Active Directory group affinity check enabled.

Symptom: One Time Password user login session does not time out after 15 minutes.
Condition / Workaround: Occurs when the user is inactive for 15 minutes or more.

Issue: 93749
Cache Cleaner (OPSWAT CC)

Symptom: Cache Cleaner cannot be disabled on a Mac OS X 10.6 machine.
Condition / Workaround: Occurs when the CC system tray icon is right-clicked and the Disable option is selected. Upon exit, CC still removes all session-related information. This occurs when logged into WorkPlace on a Mac OS X Snow Leopard system with a Safari 4.0 browser.

Issue: 88991

Symptom: Cache Cleaner is not provisioned on some platforms when Secure Desktop Emulator is configured.
Condition / Workaround: Occurs on non-Windows client machines when Secure Desktop Emulator (SDE) has been enabled in the appliance configuration. SDE is not supported on non-Windows platforms, so to maintain legacy support, CC needs to be provisioned.
Certificates
Symptom: PKI authentication through Connect Tunnel with a chained certificate fails and displays an Access Denied message.
Condition / Workaround: Occurs when the PKI server is configured with the primary CA, the sec1 intermediate CA (which is issued by the primary CA) is installed in the client machine browser, and then Connect Tunnel is installed and a login is attempted with a secondary user certificate issued by the sec1 CA.

Symptom: Only one certificate is displayed when a user is prompted to choose among multiple certificates.
Condition / Workaround: Occurs when using multiple certificates and the common name (cn) field is identical.

Issue: 93921
Connect Tunnel (CT)
Symptom: Remote Internet Proxy does not always work.
Condition / Workaround: Occurs when the PAC file is sent as a chunk-encoded stream.

Symptom: The Connect Tunnel client picks the wrong one among multiple client certificates with the same common name, and eventually authentication fails.
Condition / Workaround: Occurs when multiple valid certificates are imported into the client machine's browser in such a way that two client certificates have the same common name but are issued by different CAs.

Symptom: The Connect Tunnel system tray icon takes a couple of minutes to respond soon after Connect Tunnel connects.
Condition / Workaround: Occurs when an internal recurring EPC request times out, causing the delay.

Symptom: Authentication fields are grayed out on Windows 7 after installing Connect Tunnel with the ngsetup.ini file.
Condition / Workaround: Occurs when logged into Windows 7 as a non-administrator, after installing Connect Tunnel while logged in as an administrator and then logging out.

Symptom: Connect Tunnel Windows 7 users cannot get to any destination without a route, although other clients can.
Symptom: Connect Tunnel retains the fallback connection profile after disconnecting, instead of reverting to the primary appliance connection profile.
Condition / Workaround: Occurs when using split tunnels.

Issue: 92559, 92005
ExtraWeb

Symptom: Accessing an Outlook Web Access 2010 resource displays the login page, but then reports that the credentials are invalid.
Condition / Workaround: Occurs when the OWA resource is accessed in Translated mode. When the OWA resource is configured on the appliance, an alias name is configured. Users log in to WorkPlace to access the OWA resource.
Logging
Symptom: Rebooting an appliance with a very large troubleshooting database takes a long time.
Condition / Workaround: Occurs when the MySQL database size is well over 1 gigabyte.

Symptom: The Logserver process consumes too much memory.
Condition / Workaround: Occurs due to a memory leak.

Issue: 93933, 91698
OnDemand Proxy

Symptom: OnDemand proxy users can see an error when they try to access WorkPlace.
Condition / Workaround: Occurs after upgrading the client system from Vista to Vista SP1. Workaround: Uninstall OnDemand proxy either before or after the upgrade to Vista SP1, and reinstall OnDemand after the upgrade.

Issue: 68628
OPSWAT Secure Desktop Emulator (SDE)

Symptom: Secure Desktop Emulator leaves the client system in a state in which no desktop icons appear, the browser does not open, and other problems occur.
Condition / Workaround: Occurs when Secure Desktop Emulator exits due to an inactivity timeout while the computer is locked, and then the user unlocks the computer and attempts to use it. Workaround: Reboot the client computer.

Symptom: Explorer.exe in Secure Desktop Emulator stops responding.
Condition / Workaround: Occurs when trying to copy a file from a network share to the secure desktop on a Windows XP SP3 machine with Internet Explorer 8.

Symptom: The background image for the secure desktop disappears.
Condition / Workaround: Occurs when the browser instance created in the secure desktop is minimized. The browser instance is created in the secure desktop when WorkPlace is launched in a browser to access a realm with translated mode and Secure Desktop Emulator enabled. This issue occurs on a 64-bit machine running Windows Vista and using Internet Explorer 8. Workaround: Switch to the normal desktop and then switch back to the secure desktop.

Issue: 91941

Symptom: Firefox becomes unresponsive and a dialog box in the secure desktop displays the message: "Firefox is already running but is not responding. To open a new window, you must first close the existing Firefox process or restart your system." Clicking OK has no effect. Attempting to open another Firefox browser in the same session causes the same message.
Condition / Workaround: Occurs when using a Firefox 3.5.9 browser to launch WorkPlace to access a realm with translated mode and Secure Desktop Emulator enabled. This occurs on a 64-bit machine running Windows Vista SP2 when logged in as the administrator.

Symptom: With a proxy configured, the Secure Desktop Emulator loads very slowly and all the operations within the secure desktop slow down further.
Condition / Workaround: Occurs when using Windows XP SP3 with Firefox or Internet Explorer 8, with a proxy configured (manual proxy, Proxy Auto-Config (PAC) file, or auto-proxy).

Symptom: The right-click menu is slow to display in the Secure Desktop Emulator. It does not appear for approximately 30 seconds when using Internet Explorer, and approximately 45 seconds when using Firefox.
Condition / Workaround: Occurs when you right-click in the secure desktop.

Symptom: A dialog box with the message "Your session has been terminated because of a change in your system status. Please contact the administrator for more information." can be displayed in the normal desktop, and the user in SDE will not be aware of it. If the user clicks on any link in WorkPlace, the SDE session will end.
Condition / Workaround: Occurs when there is a change in the device profile and recurring EPC is enabled.

Symptom: Within Secure Desktop Emulator, created files or folders display lock icons.
Condition / Workaround: Occurs when a Windows 7 user creates any files or folders under any of the drives, such as C:\ or D:\, and views them as a list.

Symptom: In Secure Desktop Emulator, folders with lock icons in the root drive are displayed in all other drives.
Condition / Workaround: Occurs when folders are displayed with lock icons in the C:\ drive (which is the root drive), and then the D:\, E:\, or other drives are viewed, including the window that is displayed after inserting a USB flash drive. This occurs on Windows 7.

Symptom: Some folders under the root drive are displayed with lock icons in the secure desktop.
Condition / Workaround: Occurs when the contents of the C:\ drive (on which the OS is installed) are viewed as a list in the Secure Desktop Emulator virtual desktop. This includes the Users, Windows, Program Data, and other folders. This occurs on Windows 7.
Platform/Operating System

Symptom: New users cannot connect after memory and swap space utilization reaches 90% or above.
Condition / Workaround: Occurs on a cluster when hundreds of users are using RDP access via WorkPlace.

Symptom: Appliance reboots every 4 to 5 hours as the user load increases.
Condition / Workaround: Occurs after upgrading to version 10.0.4 and installing the pform-hotfix-005 on 13 appliances that are deployed behind a load balancer, with around 9000 resources defined.

Issue: 93091, 92625

Symptom: Memory utilization increases until the appliance stops accepting new connections and eventually generates core files. Connect Tunnel users who are connected will not be able to access various resources at the backend.
Condition / Workaround: Occurs when memory utilization reaches 60% to 70% due to excessive memory usage or leaking by the policy server in relation to LDAP.

Symptom: The user sees a script error and cannot access WorkPlace through Internet Explorer.
Condition / Workaround: Occurs when Java is installed on a client computer running Vista, but ActiveX and Java are disabled. This causes Internet Explorer 7 to fail to use Translated Web access. Workaround: Enable Java or ActiveX. Works with IE8.

Symptom: Users cannot type in a new mail window to compose a message in Outlook Web Access.
Condition / Workaround: Occurs when using Windows Internet Explorer 7.0 and Microsoft OWA Exchange 2003 on a client computer running Vista. Workaround: Refer to the following Microsoft knowledge base article for instructions on installing a patch on your Microsoft Exchange Server 2003 that addresses this issue: http://support.microsoft.com/?kbid=924334 This is fixed in Exchange 2007.
Policy Server

Symptom: LDAP users are unable to change passwords from WorkPlace.
Condition / Workaround: Occurs after upgrading the appliance to version 10.0.4 from 10.0.2, without the LDAP over SSL option enabled.

Symptom: A DNS query is sent by the appliance to the primary DNS server whenever there is an AMC change, and causes errors for WINS in the logs.
Condition / Workaround: Occurs when the query is made with a comma separating the WINS server IP addresses, which is an invalid format. This is an issue in the WorkPlace Network mapping service. When AMC is configured with both primary and backup WINS servers, WorkPlace fails to parse the backup WINS server from the properties and instead broadcasts NetBIOS queries on "<primary>,<backup>" for enumerating the network.

Symptom: Connect Tunnel authentication outage on the primary node of an HA pair, and the policy server and Apache generate core files.
Condition / Workaround: Occurs due to memory leaks in the policy server.

Issue: 92056

Symptom: Deny rule based on group blocks all users.
Condition / Workaround: Occurs when using LDAP/AD group affinity with RSA as the primary authentication type.
Provisioning
Symptom: ActiveX Control format string overflow allows remote exploitation in which an attacker can execute arbitrary code within the security context of the targeted user.
Condition / Workaround: Occurs when logging input data like a team or configuration string.

Issue: 91522
WorkPlace

Symptom: Bookmarks saved by anonymous users are not displayed in WorkPlace.
Condition / Workaround: Occurs when users are logged in to WorkPlace using the NULL authentication realm. Any bookmarks that they create and save will not display on the WorkPlace home page.

Symptom: Users must enable a module extension mechanism for protection against Slowloris HTTP Denial of Service attacks.
Condition / Workaround: Occurs when protection is needed against Slowloris attacks. Slowloris can cause a Denial of Service (DoS) by sending partial HTTP requests to Web servers. These partial requests consume unusual amounts of resources (in the form of open connections), which cause Apache, and other Web servers, to be monopolized quickly. Workaround: Users can enable a configuration extension mechanism, "mod_qos". This module does provide Quality-of-Service for web applications running on Apache servers, and may affect performance in some cases. Users must enable this module extension mechanism, as it is not implemented by default in version 10.5.2.

Symptom: OnDemand access agent and other programs that connect to IP addresses that are in the loopback address range (127.0.0.x) to redirect and secure traffic through the appliance may display an error message that says that you cannot establish a connection.
Condition / Workaround: Occurs on a computer that is running Microsoft Windows XP SP2. Workaround: Install the KB884020 update patch from the Microsoft site: http://support.microsoft.com/kb/884020/

Issue: 91903, 90819
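As an added illustration of the mod_qos workaround for Slowloris described above (this is not the appliance's own configuration, which the release notes do not show), the following fragment shows the mod_qos directives that limit how long a slow, partial request can hold an Apache httpd worker; the threshold values are assumed for illustration and must be tuned to measured traffic.

```apache
# Added example, not the appliance's configuration: cap the per-connection
# resource hold that Slowloris-style partial requests rely on.
# Threshold values are illustrative assumptions; tune them to real traffic.
LoadModule qos_module modules/mod_qos.so

<IfModule mod_qos.c>
    # Stop honouring keep-alive once more than 180 connections are busy,
    # so idle slots return to the pool instead of staying held.
    QS_SrvMaxConnClose 180

    # No single client address may hold more than 50 concurrent connections,
    # which bounds what one host can monopolize.
    QS_SrvMaxConnPerIP 50

    # A connection must sustain at least 120 bytes/s when the server is idle,
    # rising to 1500 bytes/s as it gets busier; slower partial requests are
    # closed instead of staying open for the whole request timeout.
    QS_SrvMinDataRate 120 1500
</IfModule>
```

Verify the syntax with `apachectl configtest` before reloading, and watch the error log for mod_qos messages that identify which limit is being hit, since too low a data rate will also cut off legitimate clients on slow links.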
Technical Documentation and the Knowledge Portal
Check the SonicWALL Customer Support Knowledge Portal, available when you log in to MySonicWALL, for information and hotfixes that are relevant to your appliance. Technical documentation is available on the SonicWALL Technical Documentation Online Library: http://www.sonicwall.com/us/Support.html
Last updated: 10/7/2010