Dell SonicWALL Secure Mobile Access 8.5 Application Offloading and HTTP(S) Bookmarks Feature Guide


Copyright© 2016 Dell Inc. All rights reserved.

This product is protected by U.S. and international copyright and intellectual property laws. Dell™, the Dell logo, and SonicWALL™ are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

For more information, go to http://software.dell.com/legal/.

Dell SonicWALL Secure Mobile Access Application Offloading and HTTP(S) Bookmarks Feature Guide
Updated - June 2016
Software Version - 8.5
232-003316-00 Rev A

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.


Contents

• Document Scope
• Overview
    • What are HTTP(S) Bookmarks and Application Offloading?
    • Benefits of HTTP(S) Bookmarks
    • Benefits of Application Offloading
    • How Does Application Offloading Work?
    • Supported Platforms
    • Software Prerequisites
• Configuring and Using Offloaded Applications
    • Application Offloading Portal Settings
    • Configuring an Offloaded Application
        • Configuring with the Offloading Portal Wizard
        • General Server Settings
        • Load Balancing Server Settings
        • URL-based Aliasing Server Settings
        • Configuring the Security Settings
        • Configuring the Miscellaneous Settings
        • Editing the General Portal Settings
        • Configuring the Offloading Settings
        • Configuring Virtual Host Settings
        • Configuring an HTTP/HTTPS Application Offloading Portal
    • Using Offloaded Applications
• Configuring and Using HTTP(S) User Bookmarks
    • Configuring an HTTP(S) user bookmark
    • Using HTTP and HTTPS bookmarks
    • Using HTTP(S) bookmarks with SharePoint and Lotus Domino
        • Application configuration and considerations
        • SharePoint server 2007
        • SharePoint server 2010
        • SharePoint server 2013
        • Enabling basic authentication for SharePoint servers
        • Enabling basic authentication for a Web Application zone
        • Disabling client integration on a Web Application zone
        • Lotus Domino Web Access support
• Securing Microsoft Exchange Access Using Dell SonicWALL SMA
    • Securing Microsoft Exchange access with Application Offloading
        • Configuring the Application Offloading portal
        • Configuring and accessing with Outlook Anywhere
        • Configuring and accessing with ActiveSync clients
        • Accessing with OWA
    • OWA Bookmarks
        • Microsoft Outlook Web Access Premium
        • Application and Feature Support
        • Premium and Basic Modes
• Configuring URL Based Aliasing
    • URL Based Aliasing Overview
    • Adding a URL Based Aliasing Group
        • Adding a Member
        • Deleting a Group
        • Deleting a Member
• Creating Policies for URL Objects
    • Creating User/Group/Global Policies
    • Policy URL Object Field Elements
• Configuring Single Sign-On and Cross Domain Sign-On
    • Configuring Single Sign-On
    • Configuring Cross Domain Single Sign-On
• Glossary
• About Dell
    • Contacting Dell
    • Technical support resources


Document Scope

This document describes the implementation of HTTP(S) reverse proxy to provide access to offloaded Web-based applications and HTTP/HTTPS bookmark access to Microsoft SharePoint, Microsoft Outlook Web Access (OWA) Premium, and IBM Lotus Domino Web Access 8.0.1, 8.5.1, and 8.5.2 on Dell SonicWALL Secure Mobile Access (SMA)/SRA appliances running the latest firmware. This document contains the following sections:

• Overview on page 4

• What are HTTP(S) Bookmarks and Application Offloading? on page 4

• Benefits of HTTP(S) Bookmarks on page 5

• Benefits of Application Offloading on page 5

• How Does Application Offloading Work? on page 5

• Supported Platforms on page 6

• Software Prerequisites on page 8

• Configuring and Using Offloaded Applications on page 9

• Application Offloading Portal Settings on page 9

• Configuring an Offloaded Application on page 9

• Using Offloaded Applications on page 23

• Configuring and Using HTTP(S) User Bookmarks on page 24

• Configuring an HTTP(S) user bookmark on page 24

• Using HTTP and HTTPS bookmarks on page 26

• Using HTTP(S) bookmarks with SharePoint and Lotus Domino on page 26

• Securing Microsoft Exchange Access Using Dell SonicWALL SMA on page 35

• Securing Microsoft Exchange access with Application Offloading on page 35

• OWA Bookmarks on page 41

• Configuring URL Based Aliasing on page 45

• URL Based Aliasing Overview on page 45

• Adding a URL Based Aliasing Group on page 45

• Creating Policies for URL Objects on page 49

• Creating User/Group/Global Policies on page 49

• Policy URL Object Field Elements on page 50

• Configuring Single Sign-On and Cross Domain Sign-On on page 51

• Configuring Single Sign-On on page 51

• Configuring Cross Domain Single Sign-On on page 53

• Glossary on page 54

• About Dell on page 55


Overview

This section provides an introduction to application offloading and HTTP(S) bookmarks. This section contains the following subsections:

• What are HTTP(S) Bookmarks and Application Offloading? on page 4

• Benefits of HTTP(S) Bookmarks on page 5

• Benefits of Application Offloading on page 5

• How Does Application Offloading Work? on page 5

• Supported Platforms on page 6

• Software Prerequisites on page 8

What are HTTP(S) Bookmarks and Application Offloading?

Dell SonicWALL Secure Mobile Access uses HTTP(S) bookmarks and application offloading on Dell SonicWALL SMA/SRA appliances to provide access to Web-based applications running on servers within the intranet. This includes SharePoint 2007, SharePoint 2010, and the enhanced versions of commonly used Web mail interfaces, such as Microsoft OWA Premium and Lotus Domino Web Access. SharePoint 2010 is supported with application offloading.

Both application offloading and HTTP(S) bookmarks use an HTTP(S) reverse proxy. A reverse proxy is a proxy server that is deployed between a remote user outside an intranet and a target Web server within the intranet. The reverse proxy intercepts and forwards packets that originate from outside the intranet. An HTTP(S) reverse proxy specifically intercepts HTTP(S) requests and responses.

Application Offloading provides secure access to both internal and publicly hosted Web applications. An application offloading host is created as a special-purpose portal with an associated virtual host acting as a proxy for the backend Web application.

Unlike HTTP(S) bookmarks, access to offloaded applications is not limited to remote users. The administrator can enforce strong authentication and access policies for specific users or groups. For instance, in an organization certain guest users may need Two-factor or Client Certificate authentication to access Outlook Web Access (OWA), but are not allowed to access OWA public folders. If authentication is enabled, multiple layers of Dell SonicWALL advanced authentication features such as One Time Password, Two-factor Authentication, Client Certificate Authentication and Single Sign-On can be applied on top of each other for the offloaded host.

The offloaded application portal must be configured as a virtual host with a suitable Dell SonicWALL SMA domain. It is possible to disable authentication and access policy enforcement for such an offloaded host.

Web transactions can be centrally monitored by viewing the logs. In addition, Web Application Firewall can protect offloaded application hosts from any unexpected intrusion, such as Cross-site scripting or SQL Injection.

Access to offloaded Web applications happens seamlessly as URLs in the proxied page are not rewritten in the manner used by HTTP or HTTPS bookmarks.


Benefits of HTTP(S) Bookmarks

By using HTTP(S) bookmarks, users can access the full-featured versions of SharePoint 2007, SharePoint 2010, Microsoft OWA with Autodiscover, Microsoft OWA Premium, and Domino Web Access Web mail interfaces. These interfaces are easier to use and provide more enhanced features than their basic counterparts. For a full description of the application features supported using application offloading and HTTP(S) bookmarks, refer to the following sections:

• SharePoint server 2007 on page 28

• SharePoint server 2010 on page 29

• SharePoint server 2013 on page 29

• Lotus Domino Web Access support on page 31

Benefits of Application Offloading

An offloaded Web application has the following advantages over the Web application as an HTTP(S) bookmark in the Dell SonicWALL SMA/SRA appliance:

• No URL rewriting is necessary, thereby improving throughput significantly.

• The functionality of the original Web application is retained almost completely, while an HTTP(S) bookmark is a best-effort solution.

• Application offloading extends the Dell SonicWALL SMA/SRA appliance security features to publicly hosted Web sites.

Application offloading can be used in any of the following scenarios:

• To function as an SSL offloader to offload encryption operations for Web servers and add HTTPS support to the offloaded Web application, using the integrated SSL accelerator hardware of the Dell SonicWALL SMA/SRA appliances.

• In conjunction with the Web Application Firewall subscription service to provide the offloaded Web application continuous protection from malicious Web attacks.

• To add strong or stacked authentication to the offloaded Web application, including Two-factor authentication, One Time Passwords and Client Certificate authentication.

• To control granular access to the offloaded Web application using global, group or user based access policies.

• To control access to internal Web sites using host, URL, or port based access policies.

• As an SSL accelerator to enhance throughput over the Internet using caching, compression, connection persistence and multiplexing.

• To support Web applications not currently supported by HTTP/HTTPS bookmarks. Application Offloading does not require URL rewriting, thereby delivering complete application functionality without compromising throughput.

How Does Application Offloading Work?

For example, Application Offloading portals can be used for Web applications and sites that already exist and could be accessed directly, such as an internal Web application, a resource on the internal network, or a public site. When using Application Offloading portals, remote access to these sites or applications is controlled by the Dell SonicWALL SMA/SRA appliance and mapped to Application Offloading portals that are protected by other functions of the Dell SonicWALL SMA/SRA appliance, such as SSL encryption and Web Application Firewall.


The following diagram provides a high level view of these Application Offloading portal use cases.

[Diagram labels: External User, Employee Email User, SonicWALL SMA Appliance (Secure Mobile Access 400), Company Network/Servers, Exchange Server, E-Commerce Server.]

Virtual Hostnames for Application Offloading Portals:

GET /exchange/ Host: webmail.company.com
GET /orders/Billing.aspx Host: www.company.com
GET /view_employee.asp?id=123 Host: intranet.company.com

Mapped IPs of Actual Servers:

GET /exchange/ Host: 192.168.2.4
GET /orders/Billing.aspx Host: 10.50.50.12
GET /view_employee?id=123 Host: 192.168.2.5

Supported Platforms

Appliance Platforms

Application Offloading and HTTP(S) bookmarks are supported on the following Dell SonicWALL SMA/SRA appliances:

• SMA 400

• SMA 200

• SRA 4600

• SRA 1600

• SMA 500v Virtual Appliance

HTTP Versions

HTTP(S) bookmarks and application offloading portals support both HTTP/1.0 and HTTP/1.1.

Certain performance optimization features, such as caching, compression, SSL hardware acceleration, HTTP connection persistence, TCP connection multiplexing and transfer-chunk encoding for proxies are automatically enabled depending on the usage.


Applications

SharePoint 2010 is supported with application offloading, but not with HTTP(S) bookmarks. The following features have been tested and verified as working well on the indicated browsers:

SharePoint Features:

• Add Announcement
• Delete Announcement
• Download Document
• Add Document
• Delete Document
• Add New Item
• Delete Item

Browsers:

• Internet Explorer 10/11
• Firefox 32 or later
• Chrome 36 or later

The following Web applications have been tested and verified to work with HTTP(S) bookmarks and as offloaded applications on all Dell SonicWALL SMA/SRA platforms:

• Microsoft Outlook Web Access 2013 (Application Offloading only)
• Microsoft Outlook Web Access 2010 (Application Offloading only)
• Microsoft Outlook Web Access 2007
• Microsoft Outlook Anywhere
• Windows SharePoint 2013
• Windows SharePoint 2010
• Windows SharePoint 2007
• Windows SharePoint Services 3.0
• Lotus Domino Web Access 8.0.1
• Lotus Domino Web Access 8.5.1
• Lotus Domino Web Access 8.5.2
• Novell Groupwise Web Access 7.0
• ActiveSync with Microsoft Exchange 2010
• ActiveSync with Microsoft Exchange 2007
• ActiveSync with Microsoft Exchange 2003

Exchange ActiveSync is supported on the following:

• Apple iPhone
• Apple iPad
• Android 4.4x (KitKat) based phones
• Windows Mobile 8.0 based phones
• Windows Mobile 7.5 based phones


Authentication Schemes

The following authentication schemes are supported for use with application offloading and HTTP(S) bookmarks:

• Basic – Collects credentials in the form of a username and password.

• NTLM (Microsoft NT LAN Manager) – Provides automatic authentication between Active Directory aware applications.

• Forms-based authentication – Uses a Web form to collect credentials.

Software Prerequisites

The following end-user requirements must be met in order to access the complete set of application offloading and HTTP(S) bookmarks features:

• Internet Explorer 8.0 or later

• One of the following Windows operating systems:

• Windows 8.1

• Windows 8

• Windows 7

• Windows XP

• Windows Server 2003


Configuring and Using Offloaded Applications

The Dell SonicWALL SMA administrator can configure Web (HTTP) or Secure Web (HTTPS) offloaded applications or bookmarks to allow user access to Web-based resources and applications such as SharePoint 2007, Microsoft OWA Premium, or Domino Web Access. When user or group bookmarks are defined, the user or group member will see the defined bookmarks on the Dell SonicWALL SMA/SRA appliance Virtual Office home page.

This section contains the following subsections:

• Application Offloading Portal Settings on page 9

• Configuring an Offloaded Application on page 9

• Using Offloaded Applications on page 23

Application Offloading Portal Settings

The table below shows appropriate Application Offloading portal settings when the portal is providing Web Application Firewall protection to remotely accessed internal sites and to public sites:

| Application Offloading Portal Settings | For Remote Access to an Internal Site | For a Public Site |
| --- | --- | --- |
| DNS Configuration | Split DNS | Public DNS |
| Authentication | Enabled | Disabled (likely) |
| Access Policies | User/Group/Global | Global |
| SSL VPN Domains | Enabled | None |
| Login Customization | Optional | None |
| Custom Logo | Optional | None |

Dell SonicWALL recommends using the same FQDN for the Virtual Host Name and the application server site to avoid the need for URL rewriting.

Configuring an Offloaded Application

This section contains the following subsections:

• Configuring with the Offloading Portal Wizard on page 10

• General Server Settings on page 11

• Load Balancing Server Settings on page 12

• URL-based Aliasing Server Settings on page 12

• Configuring the Security Settings on page 14

• Configuring the Miscellaneous Settings on page 15

• Editing the General Portal Settings on page 16

• Configuring the Offloading Settings on page 17

• Configuring Virtual Host Settings on page 20

• Configuring an HTTP/HTTPS Application Offloading Portal on page 21

Configuring with the Offloading Portal Wizard

To configure a portal with Offloading Portal Wizard:

1 Navigate to Portals > Portals and click Offload Web Application. The Offloading Portal Wizard opens.

2 Begin by selecting the Application Offloading Portal type. Options include:

• General portal - Can be selected for most scenarios.

• Load Balancing portal - This type of portal is used to set up a Load Balancing Offloading portal.

• URL-based Aliasing portal - Use to set up a URL-based Aliasing Offloading portal. Select URL Based Aliasing if you want the ability to access several Web sites using one portal and domain name. If this option is enabled, the screen options will change.

NOTE: The Application Offloading feature does not work well if the application refers to resources within the same host using absolute URLs. In this case, you may need to convert an absolute URL reference to its relative form.


3 Click This is an Exchange Portal which will be accessed by OWA, ActiveSync or Outlook Anywhere if using an Exchange portal.

4 Click Next.
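The NOTE in step 2 says offloading breaks when the application refers to its own resources with absolute URLs, because the offloading portal does not rewrite them. The check below is an added example, not part of the Dell guide: it scans a page fetched from the backend for absolute references to the backend's own address and proposes the relative form. The sample page and the name intranet.internal.example are constructed; 192.168.2.5 is a mapped server IP from the diagram earlier in this guide.

```python
"""Find absolute self-references that an Application Offloading portal will not rewrite."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is a URL the browser will fetch or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}


class AbsoluteRefFinder(HTMLParser):
    """Collect URLs whose host is one of the backend's own names or addresses."""

    def __init__(self, backend_hosts):
        super().__init__(convert_charrefs=True)
        self.backend_hosts = {h.lower() for h in backend_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
            except ValueError:
                continue  # malformed URL (for example a broken IPv6 literal)
            # Relative URLs have no hostname and are left alone.
            host = (parts.hostname or "").lower()
            if host not in self.backend_hosts:
                continue
            # Rebuild the reference without scheme, host and port.
            relative = parts.path or "/"
            if parts.query:
                relative += "?" + parts.query
            if parts.fragment:
                relative += "#" + parts.fragment
            self.findings.append({
                "line": self.getpos()[0],
                "tag": tag,
                "attr": name,
                "url": value,
                "relative": relative,
            })


def find_absolute_self_refs(html, backend_hosts):
    """Return one finding per absolute reference to the backend itself."""
    finder = AbsoluteRefFinder(backend_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, as the backend would serve it before offloading.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://192.168.2.5/css/site.css">
<script src="/js/app.js"></script>
</head><body>
<a href="view_employee.asp?id=123">Employee 123</a>
<img src="//intranet.internal.example/img/logo.png">
<form action="http://192.168.2.5:8080/search.asp?scope=all#top" method="post"></form>
<a href="https://www.example.org/help">External help</a>
</body></html>"""

# Names and addresses by which the backend refers to itself (assumed values).
BACKEND_HOSTS = ["192.168.2.5", "intranet.internal.example"]

if __name__ == "__main__":
    for f in find_absolute_self_refs(SAMPLE_PAGE, BACKEND_HOSTS):
        print(f"line {f['line']}: <{f['tag']} {f['attr']}> {f['url']} -> {f['relative']}")
```

Relative links and links to third-party sites are not reported; only references that name the backend directly need converting before the application is offloaded.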

General Server Settings

When General is selected on the initial page, the Server page appears as follows. The portal and application server settings can be set on this page.

1 In the Portal Name field, enter a unique name to identify different portals.

2 In the Portal Domain Name field, enter the domain name used to access the offloading portal.

3 In the Portal Interface field, enter the network interface to which the portal is bound. If one specific network interface is selected, a new IP address is assigned to the portal.

4 The Portal Certificate drop-down lists all certificates that have been imported.

5 The Application Server Address field accepts settings relevant to the application server. This can simply be the IP address of the application server. The scheme of the address is “HTTPS” by default. The port and default path can also be set in this single field.

All these settings are verified instantly from the Appliance when the mouse leaves the input field (green check). If the input fails, the reason it failed is shown. You can click Next to go to the next tab only when all fields are satisfied.


Load Balancing Server Settings

When Load Balancing is selected on the initial page, the Server page appears as follows.

1 In the Portal Name field, enter a unique name to identify different portals.

2 In the Portal Domain Name field, enter the domain name used to access the offloading portal.

3 In the Portal Interface field, enter the network interface to which the portal is bound. If one specific network interface is selected, a new IP address is assigned to the portal.

4 The Portal Certificate drop-down lists all certificates that have been imported.

5 The Load Balancing Group field replaces the Application Server Address field to show the existing Load Balancing Group that you can assign to this portal. If no Load Balancing Group exists, you can create a new one by clicking “click here to create.”

All these settings are verified instantly from the Appliance when the mouse leaves the input field (green check). If the input fails, the reason it failed is shown. You can click Next to go to the next tab only when all fields are satisfied.

URL-based Aliasing Server Settings

Select URL Based Aliasing on the initial page when you want the ability to access several Web sites using one portal and domain name. When this option is enabled, the screen options change. You will need to select the URL Based Aliasing Group from the drop down list. When URL Based Aliasing is selected on the initial page, the Server step appears as follows.

1 In the Portal Name field, enter a unique name to identify different portals.

2 In the Portal Domain Name field, enter the domain name used to access the offloading portal.

3 In the Portal Interface field, enter the network interface to which the portal is bound. If one specific network interface is selected, a new IP address is assigned to the portal.

4 The Portal IP Address field is not required if All Interfaces is selected in the Portal Interface field, but you need to enter the Portal IP Address of specific X0, X1, X2, and X3 interfaces.

5 The Portal Certificate drop-down lists all certificates that have been imported.

6 Any existing URL Based Aliasing Group(s) are listed in the drop-down and available to assign to this portal. If no URL Based Aliasing Group exists, you can create a new one by clicking the “click here to create” hyperlink.

All these settings are verified instantly from the Appliance when the mouse leaves the input field (green check). If the input fails, the reason it failed is shown. You can click Next to go to the next tab only when all fields are satisfied.


Configuring the Security Settings

The third step is for the Security settings, including Enable Web Application Firewall and Disable Authentication Controls. However, both options require a Web Application Firewall license.


Configuring the Miscellaneous Settings

The fourth and last step includes the general portal settings.

1 Enter the title for the Web browser window in the Portal Site Title field.

2 To display a banner message to users before they log in to the portal, enter the banner title text in the Portal Banner Title field.

3 Enter an HTML compliant message, or edit the default message in the Login Message field. This message is shown to users on the custom login page.


Editing the General Portal Settings

1 Navigate to Portals > Portals and click the Configure icon for the portal you would like to edit. The General tab of the Portal Settings screen opens. This allows you to access the Portal directly.

2 You can edit the Portal Name, Portal Site Title, the Portal Banner Title, and the Login Message as needed.

3 To enable visibility of your custom logo, message, and title information on the login page, select the Display custom login page check box.

4 Select the Display login message on custom login page check box to display the login message (from the Login Message field) when users log into the custom login page.

5 Select the Hide Domain list on portal login page check box to replace the Domain list box displayed on the login page with a text box for you to type in the correct domain name.

6 Select Enable HttpOnly for SMA cookies to secure SMA cookies using the HTTPOnly flag.

Some client-side technologies such as Java applets do not have access to cookies marked HTTPOnly. This can break access to the web application when using an HTTP/HTTPS Bookmark or the App Offloading Portal. Disable this option to restore compatibility for these web applications.

7 Select the Enable HTTP meta tags for cache control check box to apply HTTP meta tag cache control directives to the portal. Cache control directives include:

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">

NOTE: Custom logos can only be added to existing portals. To add a custom logo to a new portal, first complete general portal configuration, then add a logo.


These directives help prevent client browsers from caching the Dell SonicWALL SMA/SRA appliance portal pages and other Web content.

8 Select the Enforce login uniqueness check box to restrict each account to a single session at a time. When login uniqueness is not enforced, each account can have multiple, simultaneous sessions.

9 Select the Enforcement method. Options include Automatically logout existing session and Confirm logout of existing session.

10 Select the Enforce client source uniqueness check box to prevent multiple connections by a user with the same client source address when connecting with a Dell SonicWALL client (NetExtender, Mobile Connect, Virtual Assist etc.). This prevents a user from consuming multiple licenses when a user reconnects after an unexpected network interruption.

For example, a user on an unreliable network is disconnected due to a network issue. If login uniqueness is NOT enabled, the user session on the appliance stays active for this type of disconnect until the timeout value is reached. The user reconnects and consumes a second license with the potential of consuming more licenses before the original connection timeout disconnects them.

11 Specify the link(s) for the Small / Medium / Wide / Large Logo to be used with Live Tile.

12 Specify the Background Color for Live Tile. If no value is specified, the default color is #0085C3.

13 Specify the Site Name to be displayed for Live Tile. If no value is specified, the default is the Portal Name.

14 Click Accept to preserve your settings.
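The effect of steps 6 and 7 can be confirmed from a saved portal response. The following is an added example, not code from the guide or from Dell SonicWALL: it checks a captured response for the HttpOnly cookie flag and for the three cache control meta tags listed in step 7. The cookie name portal_session and both sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

# The three directives the guide lists for "Enable HTTP meta tags for cache control".
REQUIRED_META = {
    ("pragma", "no-cache"),
    ("cache-control", "no-cache"),
    ("cache-control", "must-revalidate"),
}


class MetaCollector(HTMLParser):
    """Collects (http-equiv, directive) pairs from <meta> tags."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        equiv = attr.get("http-equiv", "").strip().lower()
        if not equiv:
            return
        # One tag may carry several comma-separated directives.
        for directive in attr.get("content", "").split(","):
            directive = directive.strip().lower()
            if directive:
                self.found.add((equiv, directive))


def split_response(raw):
    """Split a raw HTTP response into (lower-cased header pairs, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body


def cookies_without_httponly(headers):
    """Return the names of cookies set without the HttpOnly attribute."""
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        flags = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if "httponly" not in flags:
            missing.append(cookie_name)
    return missing


def audit_response(raw):
    """Return a list of findings; an empty list means both settings are visible."""
    headers, body = split_response(raw)
    findings = [f"cookie {c}: missing HttpOnly" for c in cookies_without_httponly(headers)]
    collector = MetaCollector()
    collector.feed(body)
    collector.close()
    for equiv, directive in sorted(REQUIRED_META - collector.found):
        findings.append(f"meta {equiv}: missing {directive}")
    return findings


# Constructed sample: both portal options enabled.
SAMPLE_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: portal_session=c0ffee; path=/; secure; HttpOnly\r\n"
    "\r\n"
    "<html><head><title>Virtual Office</title>\n"
    '<meta http-equiv="pragma" content="no-cache">\n'
    '<meta http-equiv="cache-control" content="no-cache">\n'
    '<meta http-equiv="cache-control" content="must-revalidate">\n'
    "</head><body>login form</body></html>"
)

# Constructed sample: HttpOnly disabled and only one meta directive present.
SAMPLE_DISABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: portal_session=c0ffee; path=/; secure\r\n"
    "\r\n"
    "<html><head><title>Virtual Office</title>\n"
    '<meta http-equiv="pragma" content="no-cache">\n'
    "</head><body>login form</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(label, audit_response(sample) or "no findings")
```

A cookie reported here is one that the Java applets mentioned in step 6 can still read, which is the compatibility trade-off that step describes.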

Configuring the Offloading Settings

1 Navigate to Portals > Portals and click the Configure icon for the portal you would like to edit. The General tab of the Portal Settings screen opens.

NOTE: Enabling HTTP meta tags is strongly recommended for security reasons and to prevent out-of-date Web pages and data being stored in a user Web browser cache.


2 Click the Offloading tab. The Application Offloader Settings screen appears.

3 On the Offloading tab, select the Enable Load Balancing check box for load balancing among offloaded application servers.

4 Select the Enable URL Based Aliasing check box. As a result, some fields become hidden and the Enable URL Rewriting for self-referenced URLs check box is automatically selected.

5 Select the group you wish to add a portal for from the URL Based Aliasing Group drop down list.

6 If not using a URL Based Aliasing Group, select one of the following from the Scheme drop-down list:

• Web (HTTP) – access the Web application using HTTP (default scheme)

• Secure Web (HTTPS) – access the Web application using HTTPS

• Auto (HTTP/HTTPS) – allows the user to determine the actual scheme used to talk to the backend server when accessing an offloading portal. Access is still under the control of the access policy.

When using the Auto scheme, users can type http://www.example.virtual.host.com or https://www.example.virtual.host.com in the browser’s address bar to test this feature. Even with the scheme set to Auto, access is still under the control of the access policy.

7 Enter the host name or private IP address of the backend host into the Application Server Host field.

8 Optionally enter the IPv6 address of the backend host into the Application Server IPv6 Address field.

9 In the Port Number (optional) field, optionally enter a custom port number to use for accessing the application.

CAUTION: It is the Administrator’s responsibility to configure the correct scheme used to talk to the backend server. Auto (HTTP/HTTPS) Scheme can operate only if HTTP access is enabled for the Virtual Host (under the Virtual Host tab) and authentication is disabled (under the Offloading tab), which may be insecure. Therefore, you will be prompted to click OK to enable HTTP for Virtual Host and enable Anonymous access.


10 In the Homepage URI (optional) field, optionally enter a URI to a specific resource on the Web server to which the user will be forwarded the first time the user tries to access the Application Offloading Portal. This is a string in the form of: /exch/test.cgi?key1=value1&key2=value2

When this field is configured, it redirects the user to the Web site’s home page the first time the user accesses the portal. This happens only when the user is accessing the site with no URL path (that is, when accessing the root folder, for example: https://www.google.com/). This is not an alias for the root folder. The user can edit the URL to go back to the root folder.

The key=value pairs allow you to specify URL query parameters in the URL. You can use these for any Web site that does not have a default redirect from the root folder to the home page URL. Outlook Web Access is one example, but note that most public sites do have a default redirect.

11 Select a Proxy Host from the drop-down menu. Options include Inherited from client request, Virtual Hostname, and Application Server Host (backend). The Inherited from client request option is the default value.

Security Settings

1 Under Security Settings, select the Enable Web Application Firewall button to enable the feature.

2 Select Disable Access Policies to prevent existing Access Policies from taking precedence.

3 Select the Disable Authentication Controls, Access Policies, and CSRF Protection (if enabled) check box if you need no authentication, access policies, or CSRF protection enforced. This is useful for publicly hosted Web sites.

4 To configure ActiveSync authentication, clear the Disable Authentication Controls check box to display the authentication fields. Select the Enable ActiveSync authentication check box and then type the default domain name. The default domain name will not be used when the domain name is set in the email client’s setting.

5 Select the Automatically Login check box to configure Single Sign-On settings.

6 For Automatically log in using SSO, select one of the following radio buttons:

• Use SSL-VPN account credentials – allow login to the offloaded application using the credentials configured on the Dell SonicWALL SMA/SRA appliance

• Use custom credentials – displays Username, Password, and Domain fields where you can enter the custom credentials for the application or use dynamic variables. For the Password field, enter the custom password to be passed, or leave the field blank to pass the current user’s password to the offloaded application portal. For the other fields, dynamic variables can be used, such as those shown below:

7 If you selected Automatically Log in, select the Forms-based Authentication check box to configure Single Sign-On for forms-based authentication.

Table 1. Supported dynamic variables

| Text Usage | Variable | Example Usage |
|---|---|---|
| Login Name | %USERNAME% | US\%USERNAME% |
| Domain Name | %USERDOMAIN% | %USERDOMAIN%\%USERNAME% |
| Group Name | %USERGROUP% | %USERGROUP%\%USERNAME% |


• Configure the User Form Field to be the same as the ‘name’ and ‘id’ attribute of the HTML element representing User Name in the Login form, for example:

<input type=text name='userid'>

• Configure the Password Form Field to be the same as the ‘name’ or ‘id’ attribute of the HTML element representing Password in the Login form, for example:

<input type=password name='PASSWORD' id='PASSWORD' maxlength=128>

8 Select the Enable Email Clients Authentication check box to allow the portal to be accessed by Email clients, such as ActiveSync or Outlook. Specify a Default Domain Name from the drop down list. The Domain Name is used as the default for Dell SonicWALL SMA authentication if the domain name is not specified in the Email client.

Configuring Virtual Host Settings

Creating a virtual host allows users to access the application using a different host name than your default URL. For example, sales members can access https://sales.company.com instead of the default domain, https://vpn.company.com, that you use for administration. The portal URL (for example, https://vpn.company.com/portal/sales) will still exist even if you define a virtual host name. Virtual host names enable administrators to give separate and distinct login URLs to different groups of users. URL rewriting should be enabled in this case.

To avoid the need for URL rewriting, use the same FQDN for the Virtual Host Name and the application server site.

To configure the settings on the Virtual Host tab for an offloaded application portal:

1 Enter a host name in the Virtual Host Domain Name field, for example, sales.company.com.

Only alphanumeric characters, hyphen (-) and underscore (_) are accepted in the Virtual Host Domain Name field.

2 Optionally enter a descriptive alias in the Virtual Host Alias field.

3 If you are using IP based virtual hosting, select a specific Virtual Host Interface for this portal. If using name based virtual hosts — where more than one hostname resides behind a single IP address — choose All Interfaces.

When selecting All Interfaces, you can import a wildcard certificate for all virtual hosts on the Dell SonicWALL SMA/SRA appliance. See Step 6.

4 If you selected a specific interface for this portal in the previous step, enter the desired Virtual Host IP Address in the field provided. This is the IP address users will access in order to access the portal.

5 If you selected a specific interface for this portal, you can specify an IPv6 address in the Virtual Host IPv6 Address field. You can use this address to access the virtual host. Enter the IPv6 address using decimal or hexadecimal numbers in the form:

2001::A987:2:3:4321

6 If you plan to use a unique security certificate for this sub-domain, select the corresponding port interface address from the Virtual Host Certificate list.

If you need to associate a certificate to this host, first import the relevant SSL certificate into the Dell SonicWALL SMA/SRA appliance:

• For name-based virtual hosting, you can import a wildcard certificate to use for all virtual hosts on the Dell SonicWALL SMA/SRA.

NOTE: This option is not necessary for OWA.

NOTE: For external access, be sure to add an entry in your external DNS server to resolve the virtual hostname and domain name to the external IP address of your Dell SonicWALL SMA/SRA appliance.


• For IP-based virtual hosting, import a regular SSL certificate. This type of certificate includes the hostname of the server.

7 Select the Enable Virtual Host Domain SSO check box to allow users logged into this portal to automatically log into other portals or Web sites that share the same Virtual Host Domain.

Configuring an HTTP/HTTPS Application Offloading Portal

To offload a Web application and create a portal for it:

1 Navigate to Portals > Portals and click the Virtual Host tab. The Virtual Host Settings screen opens. This allows you to access the Portal directly.

2 Enter a descriptive name in the Virtual Host Domain Name field.

3 On the Virtual Host tab, set a host name for the application in the Virtual Host Domain Name field, and optionally enter a descriptive alias in the Virtual Host Alias field.

If you need to associate a certificate to this host, you should additionally set a virtual interface and import the relevant SSL certificate. You could avoid creating a virtual interface by importing a wildcard certificate for all virtual hosts on the Dell SonicWALL SMA/SRA appliance.

NOTE: Unless you have a certificate for each virtual host domain name, or if you have purchased a *.domain SSL certificate, your users may see a Certificate host name mismatch warning when they log into the portal. The certificate hostname mismatch only affects the login page; the Dell SonicWALL SMA/SRA appliance client applications will not be affected by a hostname mismatch.

NOTE: Some ActiveSync clients do not work well with servers that have invalid SSL certificates.


4 If authentication is disabled for this portal, you have the option to Enable HTTP access for this Application Offloaded Portal. This feature is useful for setting up offloading in trial deployments.

5 Click Accept. You are returned to the Portals > Portals page where you will see the Web application listed as an Offloaded Web Application under Description.

6 If you have not disabled authentication, navigate to the Portals > Domains page and create a domain for this portal.

7 Update your DNS server for this virtual host domain name and alias (if any).
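The certificate host name mismatch described in the notes above can be predicted before a certificate is imported. The following is an added example, not code from the guide or from Dell SonicWALL: given the names on a certificate, it reports which virtual host names would not be covered. It assumes the common TLS matching rule that a wildcard covers exactly one left-most label; sales.company.com and vpn.company.com come from this guide, and the other host names are constructed.

```python
def _labels(name):
    """Normalise a DNS name and split it into labels."""
    return name.strip().lower().rstrip(".").split(".")


def name_matches(cert_name, host):
    """True if a certificate name (exact or '*.domain' wildcard) covers host.

    Assumption: a wildcard is honoured only as the whole left-most label,
    covers exactly one label, and needs at least two labels after it.
    Partial wildcards such as 's*.company.com' are treated as literals.
    """
    pattern, target = _labels(cert_name), _labels(host)
    if len(pattern) != len(target) or "" in target:
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and pattern[1:] == target[1:]
    return pattern == target


def coverage(cert_names, virtual_hosts):
    """Map each virtual host to the certificate name covering it, or None."""
    report = {}
    for host in virtual_hosts:
        report[host] = next((n for n in cert_names if name_matches(n, host)), None)
    return report


def mismatched_hosts(cert_names, virtual_hosts):
    """Virtual hosts whose login page would show a host name mismatch warning."""
    return [h for h, n in coverage(cert_names, virtual_hosts).items() if n is None]


# Names as they would appear on the certificate (constructed inputs).
WILDCARD_CERT = ["*.company.com"]    # name-based hosting, one wildcard certificate
REGULAR_CERT = ["vpn.company.com"]   # regular certificate carrying one host name

# Virtual Host Domain Names to check; the last two are constructed edge cases.
VIRTUAL_HOSTS = [
    "sales.company.com",
    "vpn.company.com",
    "company.com",            # bare domain: not covered by *.company.com
    "owa.mail.company.com",   # two labels deep: not covered by *.company.com
]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("regular", REGULAR_CERT)):
        print(label, "->", mismatched_hosts(names, VIRTUAL_HOSTS))
```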


Using Offloaded Applications

An offloaded application has its own portal page on the Dell SonicWALL SMA/SRA appliance. The portal can be accessed directly by entering the URL in a Web browser. You can also create an External Web site Bookmark on the Dell SonicWALL SMA Virtual Office portal that takes you to the offloaded application portal.

To use an offloaded application:

1 For direct access, point your Web browser to the URL of the offloaded application portal.

2 For access via an External Web site Bookmark, log into the Dell SonicWALL Virtual Office and then click on the bookmark.

A new window is launched in your default browser that connects to the offloaded application portal specified in the bookmark.

3 On the portal page, enter your login credentials to access the application if authentication is required.


4

Configuring and Using HTTP(S) User Bookmarks

Dell SonicWALL uses HTTP(S) bookmarks on Dell SonicWALL SMA/SRA appliances to provide access to Web-based applications running on SharePoint 2007 servers within the intranet.

This section contains the following subsections:

• Configuring an HTTP(S) user bookmark

• Using HTTP and HTTPS bookmarks

• Using HTTP(S) bookmarks with SharePoint and Lotus Domino

Configuring an HTTP(S) user bookmark

To create HTTP or HTTPS user bookmarks:

1 Log into your Dell SonicWALL SMA/SRA appliance.

2 From the Users tab, select either Local Users or Local Groups.

3 Click the Configure icon next to the user or group for which you want to create the bookmark.

4 Select the Bookmarks tab.


5 Click Add Bookmark. The Add Bookmark dialog box displays.

6 Use the Bookmark Owner drop-down menu to select whether the bookmark is owned as a Global Bookmark, a Local Domain group bookmark, or a bookmark assigned to an individual User.

7 Type the name of the bookmark in the Bookmark Name field.

8 Enter the HTTP or HTTP(S) address of your Web mail server in the Name or IP Address field. For example, webmail.company.com or company.notes.net/example/mail.

9 Optionally, type a brief description that will be used to identify the bookmark.

10 Optionally, in the Tabs field, identify a comma-separated list of tabs where the bookmark should appear. Standard tabs (Desktop, Web, Files, Terminal) include the bookmark by default and do not need to be specified.

11 If you are creating the bookmark for a Local User, you have the option to allow or deny users the ability to edit or delete this bookmark.

• Select Allow from the Allow user to edit/delete drop-down menu to allow them to edit or delete the bookmark.

• To prevent users from editing or deleting the bookmark, select Deny.

• To allow or deny based on the individual user policy, select Use user policy.

12 Select Web (HTTP) or Secure Web (HTTPS) as the service type in the Service pull-down menu.

NOTE: For HTTP and HTTPS bookmarks you can specify custom ports and paths, for example www.mycompany.com:8080.

NOTE: IPv6 is not supported for File Shares (CIFS) bookmarks.

NOTE: Only Local Users bookmarks have the option of allowing users edit/delete privileges. Bookmarks created in the Local Groups tab are permanently displayed on portals for all users in the group and can only be removed or edited by the administrator.


13 Select the Automatically Login check box to use Single Sign-On. See Configuring Single Sign-On and Cross Domain Sign-On on page 51 for information about configuring SSO options for a bookmark.

14 Click Add to add the bookmark. Once the configuration has been updated, the new user bookmark will be displayed in the Edit User Settings window as shown below:

Figure 1. User Bookmarks

Using HTTP and HTTPS bookmarks

HTTP or HTTPS bookmarks are accessed directly from the Virtual Office.

To use HTTP(S) bookmarks:

1 Log into the Dell SonicWALL Virtual Office.

2 Click on the Web (HTTP) or Secure Web (HTTPS) bookmark.

A new window is launched in your default browser that connects to the domain name or IP address specified in the bookmark.

Using HTTP(S) bookmarks with SharePoint and Lotus Domino

This section includes the following topics:

• Application configuration and considerations

• SharePoint server 2007

• SharePoint server 2010

• SharePoint server 2013

• Enabling basic authentication for SharePoint servers

• Enabling basic authentication for a Web Application zone

• Disabling client integration on a Web Application zone

• Lotus Domino Web Access support

NOTE: Microsoft OWA Premium and Lotus Domino Web Access are supported in Dell SonicWALL SMA. For information about non HTTP(s) bookmarks, refer to the Dell SonicWALL Secure Mobile Access 8.5 Administrator Guide.


Application configuration and considerations

SharePoint and Lotus Domino both have general considerations that apply when they are used with HTTP(S) bookmarks. This section includes details regarding configuration and deployment considerations.

Supported application deployment considerations

Be aware of these installation and general considerations when using application offloading and HTTP(S) bookmarks with the following software applications:

• SharePoint

    • Client integration is supported for SharePoint 2010 and 2013 while it is accessed through an offloaded portal.

    • Other authentication methods are supported when Application Offloading is used.

    • Single Sign-On (SSO) is supported only for basic authentication.

    • SharePoint 2010 is supported with application offloading, but not with HTTP(S) bookmarks.

• Domino Web Access

    • This technology uses ActiveX controls for access using Internet Explorer 6.0 and later. Single Sign-On is not supported for Domino Web Access 8.0.1, 8.5.1, and 8.5.2 through the reverse proxy.

SharePoint utilizes distributed authoring to make additions and edits easy. Users can collaboratively create Wiki-style entries including events, contact information, documents, and news groups. Customized views can also be set up for diverse teams requiring multiple views and secured access to information.

Supported SharePoint features

The following features are supported in the Dell SonicWALL SMA/SRA appliance reverse proxy feature:

• Using Site Templates to Collaborate or Manage Meetings - The site templates in the Collaboration group are designed to help teams within an organization work on projects and collaborate on documents. The templates in this group support everything from basic meetings to decision-focused meetings or even social events.

• Sharing Documents, Contacts, Tasks, and Calendars - Synchronize your Office SharePoint Server calendar with Office Outlook, enter all-day events and specify more types of repeating, or recurring events. Track team projects more effectively with visual day and month views.

• Brainstorm Easily with Wiki Sites - Collaborate on a team design, build an encyclopedia of knowledge, or just gather routine information in a format that is easy to create and modify. Your team members can contribute to wikis from their browsers — they don't need a word processor or special technical knowledge.

• Share Ideas with Blogs - With just a few clicks, easily publish customized short posts that are displayed in order, starting with the most recent post.

• Receive updates to lists and libraries with RSS - Automatically update members of your workgroup about changes to content using Really Simple Syndication (RSS) technology.

• Manage Projects - Create a Project Tasks list, which includes a Gantt chart for a visual overview of project tasks to monitor dates and progress of team tasks.

NOTE: The maximum number of users supported is limited by the number of applications being accessed and the volume of application traffic being sent.

NOTE: Feature support varies based on your hardware and installation, see the respective sections for more detailed information about specific application support.

TIP: If you are using the correct Web browser and operating system, and a supported application does not work, delete the browser session cookies, close and reopen all instances of your browser, clear the browser cache, and then try again.


• Get Mobile Access to Content - View portals, team sites, and lists on a mobile device to help you stay current on team projects and tasks when you are travelling.

• Store and Share Information on Your Own “My Site” - Each user can store content, links, and contacts on their personal My Site. Your My Site also serves as a point of contact for others to find information about you such as your skills and roles, your colleagues and managers, the groups and distribution lists that you belong to, and the documents that you are working on. Each site contains stringent privacy control and security mechanisms so that you can choose how much information to present and to whom.

• Search from the Search Center - A central location for initiating queries and browsing search results to locate users with specific skill sets, documents, information about projects, and even data in enterprise applications such as SAP and Siebel.

• Manage Documents in the Document Center - Create large-scale document management sites that support highly structured document management scenarios with strong content control: Check-out, major and minor version control, multiple content types, and auditing to track content changes over time.

• Manage Document Translation - Create, store, and manage translated documents to facilitate the manual document translation process.

• Web Content Management - Office SharePoint Server includes many features that are useful for designing, deploying, and managing enterprise intranet portals, corporate Internet presence Web sites, and divisional portal sites.

• Streamline Processes with Workflows - Collaborate on documents and manage project tasks by implementing specific business processes on documents and items on an Office SharePoint Server site.

• Store Reports in a Report Center - Link to business applications such as SAP, Siebel, and Microsoft SQL Server 2005 to easily publish reports, lists, and key performance indicators (KPIs). The Report Center site provides a central location for storing reports that are common to a group.

SharePoint server 2007

SharePoint is a Web portal management tool that lets users share information including spreadsheets, presentations, photographs, and more. SharePoint facilitates creating a site for each project and managing the relevant data, allowing management with nothing more than a browser.

Figure 2. SharePoint Web User Interface


SharePoint server 2010

SharePoint 2010 is supported with application offloading, but not with HTTP(S) bookmarks. The client integration is only supported on Internet Explorer under the following caveats:

• The offloaded portal created for SharePoint must use a valid certificate.

• The Scheme used by the offloaded portal and the back end SharePoint must be the same. If the back end SharePoint is running on HTTP, the offloaded portal must enable HTTP access and be accessed with HTTP.

• The same Scheme between the offloaded portal and the back end SharePoint means that URL Rewriting for the offloaded portal does not need to be enabled.

• The Share session with other local application option must be enabled. This check box is located on the Portals > Portals > Offloading tab.

• The Restrict Request Headers option must be disabled. This check box is located on the Services > Settings page.

• If using Windows Vista or Windows 7 with the client, the offloaded portal should be added as a “Trusted Site” on the Internet Explorer browser. To configure your trusted sites, navigate to Tools > Internet Options. On the Security tab, click the Trusted Sites icon.

• The Share session with other local applications option must be enabled at login.

SharePoint server 2013

When the SharePoint 2013 server is accessed through an offloaded portal, basic functionalities, such as adding, editing, or deleting documents, tasks, or calendar events, are supported. The client integration is supported if the offloaded portal’s authentication controls are enabled or disabled. However, when the Authentication Controls are enabled, the client integration is only supported on Internet Explorer under the following caveats:

• The offloaded portal created for SharePoint must use a valid certificate.

• The Scheme used by the offloaded portal and the back end SharePoint must be the same. If the back end SharePoint is running on HTTP, the offloaded portal must enable HTTP access and be accessed with HTTP.

• The same Scheme between the offloaded portal and the back end SharePoint means that URL Rewriting for the offloaded portal does not need to be enabled.

• The Share session with other local application option must be enabled. This check box is located on the Portals > Portals > Offloading tab.

• The Restrict Request Headers option must be disabled. This check box is located on the Services > Settings page.

• If using Windows Vista or Windows 7 with the client, the offloaded portal should be added as a “Trusted Site” on the Internet Explorer browser. To configure your trusted sites, navigate to Tools > Internet Options. On the Security tab, click the Trusted Sites icon.

• The Share session with other local applications option must be enabled at login.

NOTE: In the following cases, the Enable URL Rewriting for self-referenced URLs option should be enabled for the offloaded portal:

1 The SharePoint 2010 server is using HTTP schema, and the offloaded portal pointing to the SharePoint server is using HTTPS schema.

2 The SharePoint 2010 server is using HTTPS schema, and the offloaded portal pointing to the SharePoint server is using HTTP schema.


Enabling basic authentication for SharePoint servers

To enable basic authentication for a SharePoint server:

1 Navigate to the Administrative Tools panel and open the SharePoint Central Administration Web site application. The Central Administration home page displays.

2 Navigate to Application Management > Authentication Providers. The Authentication Providers page displays.

3 On the Authentication Providers page in the Site Actions section, select the application you want to configure by choosing Change Web Application from the Web Application drop-down list.

4 In the Select Web Application dialog box, choose the Web application that you want to configure.

5 On the Authentication Providers page, click the zone of the Web application on which you want to enable authentication. The zones that are configured for the selected Web application are listed on the Authentication Providers page.

6 On the Edit Authentication page, in the IIS Authentication section, clear the Integrated Windows authentication and Digest authentication check boxes.

7 Click Save to commit your changes.

Enabling basic authentication for a Web Application zone

To enable authentication for a zone of a Web application:

1 From Administrative Tools, open the SharePoint Central Administration Web site application.

2 On the Central Administration home page, click Application Management.

3 On the Application Management page, in the Application Security section, click Authentication Providers.

4 On the Authentication Providers page, make sure the Web application that is listed in the Web Application box (under Site Actions) is the one that you want to configure. If the listed Web application is not the one that you want to configure, click the drop-down arrow to the right of the Web Application drop-down list box and select Change Web Application.

5 In the Select Web Application dialog box, click the Web application that you want to configure.

6 On the Authentication Providers page, click the zone of the Web application on which you want to enable authentication. The zones that are configured for the selected Web application are listed on this page.

7 On the Edit Authentication page, in the IIS Authentication section, clear the Integrated Windows authentication and Digest authentication check boxes, and then click Save.

The reverse proxy does not support the client integration capability on Internet Explorer. Client integration is a set of features built into SharePoint that work exclusively on IE and not on other browsers.

NOTE: The SharePoint administrator should consider disabling client integration on the SharePoint server. Having these features appear on the UI and not supporting them through the HTTP bookmarks could confuse some users. Without client-integration, the SharePoint features look the same between IE and non-IE browsers.


Disabling client integration on a Web Application zone

Disabling client integration on the SharePoint server is an option to consider if users might be confused when client integration is not supported through HTTP bookmarks. Without client integration, the SharePoint features look the same between IE and non-IE browsers.

To disable Client Integration support on the SharePoint server:

1 From Administrative Tools, open the SharePoint Central Administration Web site application.

2 On the Central Administration home page, click Application Management.

3 On the Application Management page, in the Application Security section, click Authentication providers.

4 On the Authentication Providers page, make sure the Web application that is listed in the Web Application box (under Site Actions) is the one that you want to configure. If the listed Web application is not the one that you want to configure, click the drop-down arrow to the right of the Web Application drop-down list box and select Change Web Application.

5 In the Select Web Application dialog box, click the Web application that you want to configure.

6 On the Authentication Providers page, click the zone of the Web application on which you want to disable client integration. The zones that are configured for the selected Web application are listed on this page.

7 Clear all of the client integration check boxes, and then click Save.

Lotus Domino Web Access support

Lotus Domino Web Access 8.0.1, 8.5.1, and 8.5.2 is a Web client for IBM Lotus Domino server with an easy-to-use interface. It provides features such as advanced Web messaging and rich-text messages, scheduling meetings, managing tasks, collaboration, and managing personal information. Domino Web Access 8.0.1, 8.5.1, and 8.5.2 also provide increased server capability and reduced CPU usage to boost performance and response time. Figure 3 provides a view of the Lotus Domino Web Access 8.5.1 interface using the Dell SonicWALL SMA/SRA appliance HTTP(S) reverse proxy.


Figure 3. Lotus Domino Web Access 8.5.1

The Dell SonicWALL Secure Mobile Access/SRA appliance HTTP(S) reverse proxy application support for Domino Web Access 8.0.1, 8.5.1, and 8.5.2, using Internet Explorer 6.0 or higher, provides users with full functionality of the following features:

NOTE: Domino Web Access 8.0.1, 8.5.1, and 8.5.2 use ActiveX controls for access using Internet Explorer 7.0 and later.

Table 2. Domino Web Access: Supported features

| Mode | Domino Web Access 8.5.1 and 8.5.2 | Domino Web Access 8.0.1 |
|---|---|---|
| Full Mode | Email, Calendar, Contacts, To Do, Notebook | Email, Calendar, Contacts, To Do, Notebook |
| Lite Mode | Email, Calendar, Contacts | Email, Calendar |
| Ultra Lite Mode | Inbox, Sent, All Docs, Day At a Glance, Contacts, Trash | |


• Email

    • Send and receive email

    • Send and receive attachments

    • Delete messages

    • Open attachment from reading and preview panes

    • Spell check

    • Quick Flags and message flags

    • Set message importance

    • Send and receive HTML mail

    • Mark messages as read or unread

• Navigation

    • Navigate folder hierarchy in navigation pane

    • Sort message list by standard fields

    • Search capabilities

    • Logout

• Calendar

    • Calendar views of different time periods

    • Create a meeting

    • Check schedule

    • Use address book to pick attendees

    • Search for resource

    • Change invitee list

    • Delete meeting

• Folders and Storage

    • Create a folder

    • Move messages using drag and drop

    • Recover from trash

    • Empty trash

• Contacts

    • View by options

    • Add and edit contacts

    • Delete contact

• Tasks and Options

    • Create a to-do list

    • View to-do list

    • Use notebook to create a new note

    • Delegation

    • Change password

    • Display options

    • Change notes ID

    • Out of office settings

• Rules

    • Create new mail and quick rules

    • Delete rules

    • Test created rules

NOTE: Single sign-on is not supported for Domino Web Access 8.0.1, 8.5.1, and 8.5.2.


5

Securing Microsoft Exchange Access Using Dell SonicWALL SMA

This section provides information about configuring Microsoft Exchange access using Dell SonicWALL Secure Mobile Access. Outlook Anywhere, ActiveSync, and OWA are supported by the Application Offloading portal. OWA is also supported by HTTP(S) bookmarks. Authentication and Access Policy are enforced for access to these applications.

The Outlook Anywhere with Autodiscover Application Offloading is a feature that provides the ability for clients using Outlook 2013, Outlook 2010, or Outlook 2007 to access the Outlook Exchange Server from the Internet. Autodiscover support provides a simple configuration of the user’s account by only requiring the user’s email address and password. Autodiscover also updates the settings on the client side when the Outlook Exchange server settings have changed.

ActiveSync provides the ability for customers to use email clients on mobile phones to sync email messages.

This section contains the following subsections:

• Securing Microsoft Exchange access with Application Offloading

• OWA Bookmarks

Securing Microsoft Exchange access with Application Offloading

This section provides information about how Microsoft Exchange is accessed with the Application Offloading portal. Outlook Anywhere with Autodiscover, ActiveSync, and OWA can be supported with just one Application Offloading portal.

See the following topics for more information:

• Configuring the Application Offloading portal

• Configuring and accessing with Outlook Anywhere

• Configuring and accessing with ActiveSync clients

• Accessing with OWA

Configuring the Application Offloading portal

The following configuration procedures for the Application Offloading portal apply to all clients.

To configure the Application Offloading portal:

1 Navigate to the Portals > Offloading tab.

NOTE: If Authentication Control of the Dell SonicWALL SMA/SRA appliance is enabled, only the Basic Authentication for Outlook Anywhere can be supported.


2 Configure an Application Offloading portal as described in Configuring and Using Offloaded Applications on page 9 with the following settings:

• Set the Scheme to the Exchange Server setting.

• Set the Application Server Host to your Exchange Server.

3 Under the Security Settings section, leave the Disable Authentication Controls check box unselected if you want to enforce Authentication for Dell SonicWALL SMA.

4 Select the Enable Email Clients Authentication check box to allow the portal to be accessed by email clients, such as ActiveSync or Outlook. Specify a Default Domain Name from the drop-down list. The Domain Name is used as the default for Dell SonicWALL SMA authentication if the domain name is not specified in the email client.

NOTE: This option is not necessary for OWA.


5 Navigate to the Virtual Host tab.

6 Specify the Virtual Host Domain Name.

7 If Autodiscover is enabled, set the Virtual Host Alias as the Autodiscover URL.

8 If Autodiscover is enabled, specify the Virtual Host Certificate. A wildcard certificate is recommended in this case.

9 Click Accept to save and apply all settings.

Configuring and accessing with Outlook Anywhere

1 Open Microsoft Outlook.

2 On the File > Info page, click the Add Account button. The Add New Account window displays.

NOTE: Outlook Anywhere with Autodiscover uses a different URL for fetching configuration. Verify that the Autodiscover URL is aligned with the Exchange Server settings.


You can configure the email account automatically or manually. If Autodiscover is configured, select Auto Account Setup. If Autodiscover is not enabled or does not function properly, select the Manually configure server settings or additional server types check box to specify Outlook Anywhere settings manually. Then, click Next.

3 On the Microsoft Exchange Settings window, click the More Settings button.

4 Under the Connection tab, select the Connect to Microsoft Exchange using HTTP check box under the Outlook Anywhere section.

5 Next, click the Exchange Proxy Settings button.

6 On the Microsoft Exchange Proxy Settings Screen, specify the host name of the Outlook Anywhere portal in the Use this URL to connect to my proxy server for Exchange field.

7 Next, select the proxy authentication setting from the drop-down list. If Dell SonicWALL SMA authentication is enabled, select Basic Authentication.

8 Click OK to save the configuration, and then exit out of Microsoft Outlook.

9 Open Microsoft Outlook to start a new session. Log messages will generate when the Outlook Anywhere portal is accessed.


Configuring and accessing with ActiveSync clients

The following example shows how to set up ActiveSync to check Dell SonicWALL emails with an Android phone. Be sure to replace entries shown in this example with entries for your environment, and be careful to input the correct password. Otherwise, the account will be blocked.

1 If the virtual host name cannot be resolved by the DNS server, modify the hosts file on the Android phone.

2 Turn on the Android phone, open the Email application, and type your email address and password. Click Next.

3 Choose Exchange.

4 Input your Domain\Username, Password, and Server. No domain name is displayed, so use the default domain name specified in the offloading portal’s setting. Select Accept all SSL certificates and click Next.

5 If the AD authentication times out, the Setup could not finish message is displayed. Wait about 20 seconds and try again. You can also check the Dell SonicWALL SMA log described in ActiveSync Log Entries on page 41 to see if the user logged in successfully. You may not encounter this problem if the AD authentication is fast.


6 When the authentication finishes, a security warning appears. Click OK to continue, modify your account settings, and click Next.

7 Try to send and receive emails, and ensure that ActiveSync entries are included in the Dell SonicWALL SMA log, as shown in ActiveSync Log Entries on page 41.


ActiveSync Log Entries

Use the Log > View page to confirm that ActiveSync is working properly.

The Dell SonicWALL SMA log contains two ActiveSync entries (Android and Windows Mobile), each identifying when the client began to use ActiveSync through the offloading portal. The ActiveSync message identifies the device ID (ActiveSync: Device Id is…) for an ActiveSync request unless a client sets up the account and the request does not contain a device ID.

NOTE: The ActiveSync label is not used in log entries for anonymous users who use ActiveSync.

Accessing with OWA

Application Offloading is supported on Outlook Web Access (OWA). OWA is a Webmail service that is part of Microsoft Exchange Server and is supported with Dell SonicWALL SMA 8.5. OWA allows users to connect to their email accounts through a Web browser without requiring the installation of Microsoft Outlook. Features of the installed version of Microsoft Outlook, such as managing calendars, contacts, tasks, and documents, as well as other mailbox content, are also available for OWA users. OWA does require an Internet connection in order to sync with the Exchange Server.

OWA Bookmarks

The following section describes configuration information regarding Outlook Web Access and using it with the Dell SonicWALL SMA/SRA appliance. See the following topics for more details:

• Microsoft Outlook Web Access Premium

• Application and Feature Support

• Premium and Basic Modes

Microsoft Outlook Web Access Premium

Microsoft OWA Premium mode is a Web client for Microsoft Outlook 2003/2007 that simulates the Microsoft Outlook interface and provides more features than basic OWA. Microsoft OWA Premium includes features such as spell check, creation and modification of server-side rules, Web beacon blocking, support for tasks, auto-signature support, and address book enhancements.

Figure 4 provides a view of the Microsoft OWA Premium interface using the Dell SonicWALL SMA/SRA appliance HTTP(S) reverse proxy.

Figure 4. Microsoft OWA Premium

Application and Feature Support

The Dell SonicWALL SMA/SRA appliance HTTP(S) reverse proxy application support for Microsoft OWA Premium, using Internet Explorer 6.0 or higher, provides users with full functionality of the following features:

• Access to email, calendar, and tasks

• New Outlook look-and-feel, including right-click functionality

• Ability to mark an email as unread

• Server-side spelling checker (limited to six languages)

• Forms-based authentication (session time-out)

• S/MIME support

• Two-line view

• Context menus

• Improved keyboard shortcuts

• Ability to forward meeting requests

• Notifications on navigation pane

• Ability to add to contacts

• Ability to pick names from address book

• Ability to set maximum number of messages displayed in views

NOTE: S/MIME support for Microsoft OWA Premium is only available on Internet Explorer 6 SP1.


• Support for bi-directional layout for Arabic and Hebrew

• Option to set message status “mark as read” when using the reading pane

• Public folders display in their own browser window

• Access to GAL property sheets within an email message or meeting request

• Message sensitivity settings on information bar

• Attendee reminder option for meeting request

• Ability to launch the calendar in its own window

• User interface to set common server-side rules

• Outlook style Quick Flags

• Support for message signatures

• Search folders (must be created in Outlook online mode)

• Deferred search for new messages after delete

• Attachment blocking

• Web beacon blocking to make it more difficult for senders of spam to confirm email addresses

• Protection of private information when a user clicks a hyperlink in the body of an email message

Premium and Basic Modes

Microsoft Internet Explorer defaults to loading OWA Premium, but in some cases clients may prefer to run Microsoft OWA in Basic mode for speed and accessibility reasons. There are two solutions for users wishing to use OWA Basic:

1 Use a browser that is not Microsoft Internet Explorer. All browsers that are HTML 3.2 compliant (Mozilla Firefox, Apple Safari, and so on) are compatible with OWA, although they are forced to load in Basic mode.

2 Give your clients the option of loading Basic or Premium mode at the OWA login screen shown in Figure 5. Accomplish this by setting the Microsoft Exchange server to use forms-based Authentication (FBA).

NOTE: Bi-directional layout support for Arabic and Hebrew for Microsoft OWA Premium is only available on Internet Explorer 6 SP1.

TIP: For better performance, it is recommended that the Exchange administrator configure OWA to list at most 40 items on any page. This can be done in the Outlook Web Access Administration Web-based utility provided as part of the Exchange installation. Navigate to Server Settings > Administration > View Settings. On the View Settings page, the Maximum View Rows attribute defines the maximum row count of items visible in any view. From the drop-down menu, select 40 or less and click OK.

NOTE: GZip compression supported by Microsoft OWA Premium is not supported through the reverse proxy.


Figure 5. OWA login screen with Forms-Based Authentication enabled

Configuring Forms-Based Authentication in Exchange

To use the Exchange Management Console to configure forms-based authentication for Outlook Web Access:

1 In the Exchange Management Console, locate the virtual directory that you want to configure to use forms-based authentication by using the information in step 2 or step 3.

2 If you are running the Mailbox server role on the computer that is running the Client Access server role, do one of the following:

a To modify an Exchange 2007 virtual directory, select Server Configuration, select Client Access, and then click the Outlook Web Access tab. The default Exchange 2007 virtual directory is /owa.

b To modify a legacy virtual directory, select Server Configuration, select Mailbox, and then click the WebDAV tab. The default legacy virtual directories are as follows: /Public, /Exchweb, /Exchange, and /Exadmin.

3 If you are not running the Mailbox server role on the computer that is running the Client Access server role, select Server Configuration, select Client Access, and then click the Outlook Web Access tab.

4 In the work pane, select the virtual directory that you want to configure to use forms-based authentication, and then click Properties.

5 Click the Authentication tab.

6 Select Use forms-based authentication.

7 Select the logon format that you want to use.

NOTE: For more information about configuring FBA for Microsoft Exchange Server, visit the Microsoft TechNet Library at http://technet.microsoft.com/en-us/library/ and perform a search for “forms-based authentication”.


6

Configuring URL Based Aliasing

This section provides an overview of the Portals > URL Based Aliasing page and a description of the configuration tasks available on this page.

• URL Based Aliasing Overview

• Adding a URL Based Aliasing Group

URL Based Aliasing Overview

URL Based Aliasing provides the ability to access several different Web sites through one portal using one domain name. This feature is designed to be consistent with the Load Balancing setting. Because URL Based Aliasing involves rewriting URLs found in the content served by the backend Web server, the backend Web application should be compatible with third-party proxies. If a Web application does not render properly using URL Based Aliasing, you may need to set up access to the application using App Offloading without URL rewriting or using NetExtender.

Adding a URL Based Aliasing Group

To add a URL Based Aliasing group:

1 Navigate to the Portals > URL Based Aliasing page.


2 Under the URL Based Aliasing Groups section, click Add Group. The New URL Based Aliasing Group page displays.

3 Enter a Group Name in the field provided. Then, click Accept. The newly added group displays on the URL Based Aliasing Groups list.

Adding a Member

URL Based Aliasing allows you to add up to 100 members to a group.

To add members to a URL Based Aliasing group:

1 Navigate to the Portals > URL Based Aliasing page.

2 Click the Configure icon of the group you want to modify. The Group URL Based Aliasing Settings page displays.

NOTE: You must create a URL Based Aliasing group before you can begin adding members to the group.


3 Click Add Member. The Add URL Based Aliasing Member page displays.

Configure the following fields:

• URL — Enter the URL or name of the member.

• Comments — Enter any additional information. Anything entered in this field displays on the Index page.

• Scheme — Select from the dropdown list the scheme of the backend server. Select between HTTP, HTTPS, or AUTO.

• Application Server Host — Enter a Hostname, IPv4 address, or IPv6 address of the host.

• Port — Specify the port number. The default value is 443.

4 Click Accept to save changes and add a member to the group. The newly added member appears on the URL Based Aliasing Settings page.

Repeat steps 2 through 4 for each member you wish to add to the group.

Deleting a Group

To delete a specific group:

1 Navigate to the Portals > URL Based Aliasing page.

2 Click the Delete icon of the group you wish to delete.


3 A confirmation for deleting the group appears. Click OK.

Deleting a Member

To delete a specific member from a group:

1 Navigate to the URL Based Aliasing group settings page to which the member belongs.

2 Click the Delete icon of the member you wish to delete.

3 A confirmation for deleting the member appears. Click OK. Repeat these procedures for each group you want to delete.


7

Creating Policies for URL Objects

User policies control access to Web resources available at a specific location defined in a URL object. Policies apply to HTTP/HTTPS bookmarks and to offloaded application portals.

When an External Web site Bookmark is configured for an offloaded application portal, access to the bookmark is not controlled by policies. However, once the portal is reached through the bookmark, policies control further access. If the policy denies access, the user is denied access after attempting to log in.

This section includes the following subsections:

• Creating User/Group/Global Policies

• Policy URL Object Field Elements

Creating User/Group/Global Policies

To create object-based HTTP or HTTPS user policies:

1 Navigate to Users > Local Users.

2 Click the configure icon next to the user you want to configure.

3 Select the Policies tab.

4 Click Add Policy to display the Add Policy window.

5 In the Apply Policy To drop-down menu, select the URL Object option.

6 Type in a descriptive name for the policy in the Policy Name field.

7 In the Service drop-down menu, choose either Web (HTTP) or Web (HTTPS), or select the backend Web server for the offloaded application portal.

8 In the URL field, add the URL string to be enforced in this policy.

NOTE: In addition to standard URL elements, the administrator may enter port, path and wildcard elements to the URL field.

If a path is specified, the URL policy is recursive and applies to all subdirectories. If, for example “www.mycompany.com/users/*” is specified, the user is permitted access to any folder or file under the “www.mycompany.com/users/” folder.

For more information on using these additional elements, refer to Policy URL Object Field Elements on page 50.


9 In the Status pull-down menu, click on an access action, either Allow or Deny.

10 Click Accept.

Policy URL Object Field Elements

When creating an HTTP/HTTPS policy, the administrator must enter a valid host URL in the URL field. In addition, the administrator may enter port, path and wildcard elements to this field. The following chart provides an overview of standard URL field elements:

Table 3. Standard URL field elements

| Element | Usage |
|---|---|
| Host | Can be a hostname that should be resolved or an IP address. Host information has to be present. |
| Port | If port is not mentioned, then all ports for that host are matched. Specify a specific port or port range using digits [0-9], and/or wildcard elements. Zero “0” must not be used as the first digit in this field. The least possible number matching the wildcard expression should fall within the range of valid port numbers, i.e. [1-65535]. |
| Path | This is the file path of the URL along with the query string. A URL Path is made of parts delimited by the file path separator ‘/’. Each part may contain wildcard characters. The scope of the wildcard characters is limited only to the specific part contained between file path separators. |
| Usernames | %USERNAME% is a variable that matches the username appearing in a URL requested by a user with a valid session. Especially useful if the policy is a group or a global policy. |
| Wildcard Characters | The following wildcard characters are used to match one or more characters within a port or path specification. * matches one or more characters in that position. ^ matches exactly one character in the position. [!<character set>] matches any character in that position not listed in the character set, such as [!acd] or [!8a0]. [<range>] matches any character falling within the specified ASCII range and can be an alphanumeric character, for example [a-d], [3-5], [H-X]. |

NOTE: Entries in the URL field cannot contain (“http://”, “https://”) elements. Entries can also not contain fragment delimiters such as “#”.
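The matching rules in Table 3 can be checked against sample requests before a policy is saved. The following is an added example, not code from the appliance or from Dell SonicWALL: the function names are hypothetical, the host is compared as a literal string (no DNS resolution), and the "least possible number" port-range rule is not modeled.

```python
import re

def _part_regex(part, username=None):
    """Compile one '/'-delimited path part (or a port) of a URL-field entry."""
    out, i = [], 0
    while i < len(part):
        if part.startswith("%USERNAME%", i):
            # Variable: the session user's name; never matches without a session.
            out.append(re.escape(username) if username else "(?!)")
            i += len("%USERNAME%")
        elif part[i] == "*":            # one or more characters in this part
            out.append("[^/]+")
            i += 1
        elif part[i] == "^":            # exactly one character
            out.append("[^/]")
            i += 1
        elif part[i] == "[":            # [<range>] or [!<character set>]
            end = part.find("]", i)
            body = part[i + 1:end] if end != -1 else ""
            negate = body.startswith("!")
            chars = body[1:] if negate else body
            if not re.fullmatch(r"[A-Za-z0-9-]+", chars):
                raise ValueError("bad character set in %r" % part)
            out.append("[" + ("^/" if negate else "") + chars + "]")
            i = end + 1
        else:                           # literal character
            out.append(re.escape(part[i]))
            i += 1
    try:
        return re.compile("".join(out))
    except re.error as exc:
        raise ValueError("bad wildcard expression in %r" % part) from exc

def parse_policy_url(entry):
    """Split a URL-field entry into (host, port pattern or None, path parts)."""
    lowered = entry.lower()
    if "http://" in lowered or "https://" in lowered or "#" in entry:
        raise ValueError("entry must not contain a scheme or a fragment delimiter")
    hostport, _, path = entry.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("host information has to be present")
    if port.startswith("0"):
        raise ValueError("zero must not be the first digit of the port")
    if port and not re.fullmatch(r"[0-9*^\[\]!-]+", port):
        raise ValueError("port accepts digits and wildcard elements only")
    parts = path.split("/") if path else []
    if parts and parts[-1] == "":
        parts.pop()                     # "host/users/" names the folder itself
    return host.lower(), port or None, parts

def policy_matches(entry, host, port, path, username=None):
    """Return True if the request (host, port, path) falls under the entry."""
    p_host, p_port, p_parts = parse_policy_url(entry)
    if host.lower() != p_host or not 1 <= port <= 65535:
        return False
    # No port in the entry means all ports for that host are matched.
    if p_port and not _part_regex(p_port).fullmatch(str(port)):
        return False
    req_parts = path.lstrip("/").split("/")
    if len(req_parts) < len(p_parts):
        return False
    # A path is recursive: request parts beyond the entry's parts are accepted.
    # Each wildcard is confined to its own part, so zip() compares part by part.
    return all(_part_regex(p, username).fullmatch(r)
               for p, r in zip(p_parts, req_parts))

if __name__ == "__main__":
    # Constructed sample requests; hosts other than the guide's are placeholders.
    samples = [
        ("www.mycompany.com/users/*", "www.mycompany.com", 443, "/users/alice/docs/a.txt", None),
        ("intranet.example.com/app/*/reports", "intranet.example.com", 443, "/app/a/b/reports", None),
        ("intranet.example.com:80^^/app", "intranet.example.com", 8080, "/app/index.html", None),
        ("files.example.com/home/%USERNAME%", "files.example.com", 443, "/home/bob/notes.txt", "alice"),
    ]
    for entry, host, port, path, user in samples:
        print(entry, "->", host, port, path, policy_matches(entry, host, port, path, user))
```

Running candidate entries through such a model shows how broad an Allow policy is, for example that an entry without a port covers every port on the host.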


8

Configuring Single Sign-On and Cross Domain Sign-On

Single Sign-On (SSO) allows a user to log in one time to a Web site with SSO and then transparently access multiple Web sites that require authorization. Once SSO verifies the user's login, the user can visit any of the other Web sites that SSO manages without having to enter login information again.

Cross domain Single Sign-On uses external Web site bookmarks for application offloading portals to achieve a single point of access for users.

This section contains the following subsections:

• Configuring Single Sign-On

• Configuring Cross Domain Single Sign-On

Configuring Single Sign-On

The administrator can configure SSO for each user, each group, or globally for offloaded applications and HTTP or HTTPS bookmarks. Either straight textual parameters or variables may be used for login credentials.

You can configure SSO with the Use SSL-VPN account credentials option to use account information from the local Dell SonicWALL SMA/SRA appliance, or with the Use custom credentials option to enter the credentials here while configuring the offloaded application or bookmark. You can also select Forms-based Authentication to configure the appliance to display an HTML-based Web form to prompt the user for login credentials.

To configure Single Sign-On options:

1 Create or edit an offloaded application or a bookmark as described in Configuring and Using Offloaded Applications on page 9 and Configuring an HTTP(S) user bookmark on page 24.

2 Under Security Settings, select the Automatically log in check box to configure Single Sign-On settings. The SSO settings appear on the Offloading tab when configuring an offloaded application or on the Add Bookmark page when configuring an HTTP(S) bookmark.

3 Select one of the following radio buttons:

NOTE: When using forms-based authentication, application support may be limited based on the complexity of the login page.


• Use SSL-VPN account credentials – allow login to the offloaded application or bookmark using the local user credentials configured on the Dell SonicWALL SMA/SRA appliance

• Use custom credentials – allow login to the offloaded application or bookmark using the credentials you enter here; when selected, this option displays Username, Password, and Domain fields:

You can enter the custom credentials as text or use dynamic variables such as those listed in Table 4.

For the Password, either type in the custom password to pass to the offloaded application or bookmark, or leave the field blank to pass the current user’s password.

4 To configure forms-based authentication for Single Sign-On, select the Forms-based Authentication check box.

• Configure the User Form Field to be the same as the ‘name’ and ‘id’ attribute of the HTML element representing User Name in the Login form, for example: <input type=text name='userid'>

• Configure the Password Form Field to be the same as the ‘name’ or ‘id’ attribute of the HTML element representing Password in the Login form, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>

Table 4. Dynamic variables used for entering credentials

| Text Usage | Variable | Example Usage |
|---|---|---|
| Login Name | %USERNAME% | US\%USERNAME% |
| Domain Name | %USERDOMAIN% | %USERDOMAIN%\%USERNAME% |
| Group Name | %USERGROUP% | %USERGROUP%\%USERNAME% |

NOTE: If SSO is configured for an HTTP URL, the credentials entered for that user/group will also be used for HTTPS transactions within the specified site. However, the converse is not true. HTTPS credentials specified in SSO will not automatically be used for HTTP authentication.


The Dell SonicWALL SMA/SRA appliance supports SSO with forms-based authentication for both Outlook Web Access bookmarks and OWA offloaded application portals. Set the User Form Field to username (literally) and set the Password Form Field to password.
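One way to read the User Form Field and Password Form Field values off a login page before filling in step 4, as an added example that is not part of the guide or the appliance. The helper names and both sample forms are constructed here; a page without exactly one password input is rejected rather than guessed at, which is where the NOTE about login-page complexity applies.

```python
from html.parser import HTMLParser

class _Inputs(HTMLParser):
    """Collect (type, name-or-id) for every <input> in document order."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            kind = (a.get("type") or "text").lower()
            # Prefer the 'name' attribute and fall back to 'id'.
            self.found.append((kind, a.get("name") or a.get("id")))

def suggest_form_fields(html):
    """Return (user_form_field, password_form_field) for a simple login form."""
    parser = _Inputs()
    parser.feed(html)
    parser.close()
    pw_idx = [n for n, (kind, _) in enumerate(parser.found) if kind == "password"]
    if len(pw_idx) != 1:
        raise ValueError("expected exactly one password input, found %d" % len(pw_idx))
    # The user field is taken to be the last text-like input before the password.
    users = [ident for kind, ident in parser.found[:pw_idx[0]]
             if kind in ("text", "email") and ident]
    password = parser.found[pw_idx[0]][1]
    if not users or not password:
        raise ValueError("could not identify both fields; inspect the page by hand")
    return users[-1], password

# Constructed login form using the two <input> elements quoted in the guide.
GUIDE_FORM = """<form method=post action=/login>
<input type=hidden name='flags' value='0'>
<input type=text name='userid'>
<input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
<input type=submit value='Log in'></form>"""

# Constructed form with the field names the guide gives for Outlook Web Access.
OWA_STYLE_FORM = ('<form><input id="username" name="username" type="text">'
                  '<input id="password" name="password" type="password"></form>')

if __name__ == "__main__":
    print(suggest_form_fields(GUIDE_FORM))
    print(suggest_form_fields(OWA_STYLE_FORM))
```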

Configuring Cross Domain Single Sign-On

External Web site Bookmarks can be created for application offloading portals to achieve a single point of access for users. This allows users to automatically log into application offloading portals after logging into the main portal.

To use Cross Domain Single Sign-on (SSO):

1 Create two or more portals that need authentication and have the same shared domain (from virtual host domain name). One portal should be a regular portal. These portals must be in the same Dell SonicWALL SMA/SRA appliance’s domain so that users can log in to both of them with the same credentials. Instructions to create a portal are provided in Application Offloading Portal Settings on page 9.

The shared domain names do not need to be identical; a sub-domain also works. For example, one portal is a regular portal whose virtual host domain name is “www.example.com” and its shared domain name is “.example.com”. The other portal’s virtual host domain name is “intranet.eng.example.com” and the shared domain name is “.eng.example.com”. If a bookmark to xyz.eng.example.com is created in the www.example.com portal, Cross Domain SSO works because “.eng.example.com” is a sub-domain of “.example.com”.

2 Log into the portal and create a bookmark with the service set to External Web Site, as explained in Configuring an HTTP(S) user bookmark on page 24.

3 Enable Automatically log in for the bookmark to enable Cross Domain SSO for this bookmark.

4 Specify a Host, which is a portal with the same shared domain name.

5 Save the bookmark and launch it. The user is logged into the new portal automatically using credentials from the first portal.
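The sub-domain rule from step 1, as an added pre-deployment check (not SonicWALL code). It models only the case the guide describes, a target portal whose shared domain equals or is a sub-domain of the source portal's, and assumes names are compared label by label; the function names and the `PORTALS` list are constructed for illustration.

```python
def _labels(name):
    """Split a host or shared domain such as '.Eng.Example.com' into lowercase labels."""
    return [part for part in name.strip().lower().split(".") if part]

def within(name, shared_domain):
    """True if name equals shared_domain or sits under it, compared label by label."""
    n, d = _labels(name), _labels(shared_domain)
    return bool(d) and len(n) >= len(d) and n[-len(d):] == d

def sso_target_portal(source_shared, bookmark_host, portals):
    """Return the virtual host of the portal covering bookmark_host, else None.

    portals is a list of (virtual_host, shared_domain) pairs.
    """
    for vhost, shared in portals:
        # The target's shared domain must be the source's or a sub-domain of it,
        # and the bookmark host must fall inside the target's shared domain.
        if within(shared, source_shared) and within(bookmark_host, shared):
            return vhost
    return None

# Constructed from the example in step 1.
PORTALS = [("intranet.eng.example.com", ".eng.example.com")]

if __name__ == "__main__":
    print(sso_target_portal(".example.com", "xyz.eng.example.com", PORTALS))
    # A plain string suffix test would accept this lookalike; the label test does not.
    print("notexample.com".endswith("example.com"), within("notexample.com", ".example.com"))
```

Comparing whole labels is the point of the check: a broad shared domain covers every host beneath it, but it should not cover a different domain that merely ends in the same characters.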


Glossary

G

GAL

Global Address List maintained by MS Exchange server.

H

HTTP(S) Reverse Proxy

A reverse proxy that intercepts HTTP(S) requests and responses.

R

Reverse Proxy

A reverse proxy is a proxy server that is deployed between a remote user outside an intranet and a target Web server within the intranet. The reverse proxy intercepts and forwards packets that originate from outside the intranet.

W

Web beacon

A Web beacon is an often-transparent graphic image that is used to monitor the behavior of the user visiting the Web site or sending the email. It is used to send back information such as the IP address of the client, the browser type and any cookies that may have been set before.


About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.software.dell.com.

Contacting Dell

Technical support: Online support

Product questions and sales: (800) 306-9329

Email: [email protected]

Technical support resources

Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to https://support.software.dell.com/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the portal provides direct access to product support engineers through an online Service Request system.

The site enables you to:

• Create, update, and manage Service Requests (cases)

• View Knowledge Base articles

• Obtain product notifications

• Download software. For trial software, go to Trial Downloads.

• View how-to videos

• Engage in community discussions

• Chat with a support engineer
