Working with Appliance Management Console
This section introduces the Appliance Management Console (AMC), a Web-based interface for managing the appliance.
• Logging In to AMC
• AMC Basics
• Administrator Accounts
• Working with Configuration Data
• Deleting Referenced Objects
Logging In to AMC
Before logging in to AMC, you need the host name or IP address you typed for the internal interface during the initial setup with Setup Tool.
To log in to AMC
1. Start your Web browser and type the URL https://<ipaddress>:8443/console, where <ipaddress> matches the address you specified for the internal interface when you ran Setup Tool or Setup Wizard.
Enter admin in the Username text field.
3. Enter the root password you created using Setup Tool in the Password text field.
4. Select the Management Console in the Log in using drop-down list.
5. Click Login.
The AMC home page appears.
6. Review the system statistics and use the functions on the right to configure and maintain your system.
7. Click the Help Icon at the top for details about configuring your appliance.
For information on changing the AMC password, see Editing Administrator Accounts.
Note Avoid multiple administrators making changes to AMC simultaneously. For more information, see Avoiding Configuration File Conflicts with Multiple Administrators.
Logging Out
It is important to preserve the security of your AMC administrator account. When you’re finished working in AMC, click Log out in the upper-right portion of the screen. If you terminate a session by simply closing your Web browser, your session remains active until it times out (after 15 minutes of inactivity). There is an exception to this rule that you should be aware of; see Appliance Sessions for details.
AMC Basics
This section describes the basics of working with AMC. All configuration data is encrypted using SSL as it’s transferred between AMC and your browser, ensuring that it remains secure. To increase security, AMC should be used within a trusted network (on an internal network that is behind a firewall). See Certificate FAQ for more details.
• A Quick Tour of the AMC Interface
• Adding, Editing, Copying, and Deleting Objects in AMC
• Getting Help
A Quick Tour of the AMC Interface
The AMC interface will be familiar to anyone who has worked with similar Web-based security management applications. Here are some basic notes about working with AMC.
Summary pages
Several top-level pages in AMC are summary pages that provide quick access to subordinate configuration pages and display summaries of key configuration settings and other status information. These summary pages are:
• Agent Configuration
• General Settings
• Network Settings
• SSL Settings
• Authentication Servers
• Services
For example, the Agent Configuration page provides links to pages for configuring End Point Control, Secure Mobile Access access, and other agents. You can see right away on this summary page whether a specific agent is enabled or disabled.
Tables and tabs
Many AMC pages use a tabular layout to present the objects you’ll be managing. The tables include scroll bars, which make it easier for you to keep the main elements on the page (including the navigation bar, header, and footer) in view when working with long lists. You can also sort the data displayed in some tables by clicking the underlined column headings.
In some cases, you’ll use tabs to switch between modes. For example, you’ll use tabs to switch between managing resources, groups of resources, and variables used in defining resources.
Filters
On pages in AMC that contain a list of items that can grow to many pages in a large configuration, filtering is available to make it easier for you to find what you are looking for. Filters are available on the following pages in AMC:
• Resources
• Resource Groups
• Access Control
• Users
• Groups
• Shortcuts
• Shortcut Groups
• Browse for Users (creating an access rule)
• Browse for Resources (creating an access rule)
The exact filters vary slightly with each page, but the following functionality is consistent across all pages:
• There is a reset link that resets the filter fields to their default values.
• There is a red active indicator that indicates that the page was loaded using filters, meaning that the list may not be displaying all the configured items.
• There is a Refresh button that reloads the page with the specified filters applied.
• The filters are stored so that the next time you loads the page, it uses the same filters that were last applied. The filters are stored across sessions, so even if you log out and log back in, the same filters will be used.
• There is a footer at the bottom of the list that shows the number of items displayed and the total number of items in the list. If filtering is active, there is a (filtered) indicator and a Show all link that will reset the filters to the defaults and refresh the page to display all items in the list.
In general, the available filters map to the displayed columns in the list. In some cases, such as Resource Groups or Shortcut Groups, you can filter the list based on the members of the group, which is not a column in the list. As another example, on the Resources page you could filter the list based on something in the Value attribute, which is not a column but is visible when an item in the list is expanded.
One way that you could use this feature for custom filtering is to create your own “tags” by adding a custom string to the Description field of related items. For example, if a certain set of resources are all used by one department or for one customer, you could add a keyword or tag to the description of those resources, and then use the filtering capability to quickly display only the resources that contain the special keyword or tag.
Page links
To save space, some AMC pages use a multi-page format with links at the top of the pages to access the related configuration settings. The Configure Community page is an example of this:
Editing an object
In most of the tables used to display lists of objects, notice that the name field (or in the case of the Access Control page, the rule number) is hyperlinked. To edit an object, click its hyperlink.
Changing the page view
Some of the longer, more complex pages in AMC hide the edit controls used to configure advanced features. This makes it easier for you to focus on the most important configuration options. To view hidden options, click the down arrow button (click the up arrow to hide them again):
Expanded view of list details
AMC pages that display lists of objects, such as the Access Control page, let you view details about an object by clicking the plus sign (+) to the left of it. To return to the one-line view, click the minus sign (-).
Required fields and errors
Required fields are indicated in AMC with an asterisk. If you omit a value for a required field and click Save, a red message appears beneath the field indicating that it is required. A red message is also used to indicate an error (for example, if you type an invalid value).
Assigning names and descriptions
Most of your time in AMC will be spent managing three types of objects:
• Access control rules
• Resources
• Users and groups
When you create these objects, AMC requires that you type a name. AMC also has a space for you to type an optional description.
Although not required, meaningful descriptions can help you remember critical details about the objects you’re managing, such as the purpose of an access rule or what resources are in a subnet range. A good description is especially helpful when managing a group of objects; when you return to AMC later to manage a large group of network resources, for example, you’ll be glad to have a description reminding you of what’s in the group.
Saving changes on a page
On some AMC pages you can Save or Cancel the changes you make. If you click Cancel, or use the Back button in your browser, your changes are not saved.
The AMC status area
A status area just beneath the AMC header displays important information:
|
Status area link
|
Description
|
|
If your appliance license or a component license has expired, click License warning to review and manage software licenses.
|
|
If more than one administrator is logged into AMC, click Multiple administrators and check the list on the Administrator Sessions page.
|
|
If this appliance is configured to receive policy updates, click Configuration recipient to see the appliances with which it will be synchronized.
|
|
If you’ve made configuration changes but have not applied them, click Pending changes. On the Apply Changes page you can activate, schedule, or discard the pending changes.
|
|
If you want to immediately apply configuration changes that are scheduled for a later time, click Pending changes.
|
|
If you have pending scheduled configuration changes that you want to apply to other appliances, click Pending changes and select the appliances where you want to apply the changes.
|
|
The version number and product serial number
The version of the current system software and the product serial number are displayed at the bottom of the left-hand navigation bar on every page in AMC. If the appliance is configured to send or receive configuration data, its replication name is shown here.
In addition to the version number, the System Status and Maintenance pages display a list of any hot fixes that have been applied. The version number and hot fix information is useful for planning system updates, and you need to have it when contacting Dell Technical Support.
Adding, Editing, Copying, and Deleting Objects in AMC
AMC features a standardized user interface for managing most objects, such as resources, access control rules, users, communities, End Point Control zones and device profiles, and other items used to organize and operate your VPN.
Following are the basic procedures for adding, editing, copying, and deleting objects in AMC, although there may be some minor variations depending on the object and AMC page you’re working on. The examples provided here use the End Point Control Zones page.
To add a new object in AMC
1. Click New on the page listing the type of object you want to create, and then select the option you want to create.
This example uses Standard zone....
The Zone Definition - Standard Zone page appears.
2. Complete the relevant information for the object, and click Save at the bottom of the screen.
To edit an object in AMC
1. On the page that lists the object you want to edit, click the link for the name (or in some cases, the number) of the object you want to modify. For a quick description of the object, an expand (+) button is available on most lists.
2. Make any changes to the information for the object, and then click Save.
To copy an object in AMC
1. On the page that lists the object you want to copy, select the check box to the left of the object, and then click Copy.
2. Make any changes to the information about the source object, and be certain to assign the object a new name, and then click Save.
To delete an object in AMC
• On the page that lists the object you want to delete, select the check box to the left of the object, and then click Delete.
You cannot delete an object that is still associated with other objects. For information, see Deleting Referenced Objects.
Getting Help
Every AMC page includes a Help button (in the upper right portion of the screen) that displays context-sensitive online Help in a new browser window:
The Help window includes a navigation pane on the left and help content on the right. Click an item in the navigation pane to display help content for that item.
Administrator Accounts
This section describes how to manage AMC administrator accounts and how to avoid problems if more than one administrator is managing the appliance.
• Managing Administrator Accounts and Roles
• Avoiding Configuration File Conflicts with Multiple Administrators
Managing Administrator Accounts and Roles
AMC enables you to create multiple administrator accounts, each with a separate username and password. You can then assign roles to administrators, specifying which features in AMC they can use, and their levels of access.
By default, AMC is configured with a primary administrator role that has full access to all areas of AMC. Only the primary administrator can add, edit, or delete other administrator accounts.
• Adding Administrator Accounts
• Editing Administrator Accounts
• Defining Administrator Roles
• Editing Administrator Roles
Adding Administrator Accounts
You can create additional administrator accounts if more than one person is responsible for managing policy and you want each person to have individual login credentials. Only the “primary” administrator—whose default name of admin cannot be changed—can create, modify, and delete secondary administrator accounts.
To add an administrator account
1. From the main navigation menu, click General Settings.
2.
In the Administrator accounts area, click Edit.
The Manage Administrator Accounts page appears.
3.
Click New > Administrator....
The Add/Edit Administrator page appears.
4.
In the User drop-down, select a user.
5. In the Role drop-down, select an Administrator Role.
AMC provides the following preconfigured roles, which are defined on the Add/Edit Administrator Role page. You can modify these preconfigured roles, or create new roles (see Defining Administrator Roles):
|
Preconfigured role
|
Description
|
|
Super Admin
|
Has read/write access to all pages in AMC
|
|
Security Admin
|
Has read/write access to security administration and monitoring pages in AMC, and view access to system settings
|
|
System Admin
|
Has read/write access to system and monitoring pages, and view access to security pages
|
|
6. Click Save and then click Pending Changes at the top of the page.
7. Click Apply Changes.
Note For information on deleting administrator accounts, see Adding, Editing, Copying, and Deleting Objects in AMC.
By default, the preconfigured roles include the ability to view all forms of session data and to terminate sessions. See Viewing User Sessions and Ending User Sessions for more information.
Editing Administrator Accounts
To help keep your AMC password secure, you should change it from time to time. Each administrator can edit his or her own account to change the password or update the description. The primary AMC administrator (whose username is “admin”) can edit the account settings for any other administrator.
Your password must contain between eight and 20 characters, and is case-sensitive. A “strong” password—with a combination of uppercase and lowercase letters, and numbers—is recommended. You should also avoid using words found in a dictionary.
After you change your password, record it somewhere and keep it secure. If you change a secondary administrator’s password, be sure to share the password with the appropriate administrator.
To edit an administrator account
1. From the main navigation menu, click General Settings.
2.
On the General Settings page, in the Administrator accounts area, click Edit.
3.
In the Name column on the Manage Administrator Accounts page, click the name of the administrator that you want to edit.
4.
On the Add/Edit Administrator page, change the textual description, login password, or role.
Note The username and role of the primary or legacy local administrator cannot be changed.
If the password for the primary administrator (whose username is “admin”) is changed, the password for logging in to the appliance directly (as “root”) is also changed.
• Adding Administrator Accounts
• Editing Administrator Accounts
• Adding/Editing Legacy Local Administrator Accounts
• Defining Administrator Roles
• Editing Administrator Roles
Adding/Editing Legacy Local Administrator Accounts
You can create or modify legacy local administrator accounts, which are supported for backwards compatibility only. The recommended way to configure local administrators is to create users in a local authentication server and map them to administrative roles. In previous versions, administrators could only be defined locally on the appliance, rather than defined in an authentication server.
To add or edit a legacy local administrator account
1. From the main navigation menu, click General Settings.
2. In the Administrator accounts area, click Edit.
The Manage Administrator Accounts page appears.
3. To add a legacy local administrator account, click New > Legacy Local Administrator....
To edit an existing legacy local administrator account, click the name of the administrator that you want to edit. The Add/Edit Administrator page appears.
4. In the Username field, enter the legacy local administrator’s username.
5. In the Description field, enter a descriptive comment about the legacy local administrator account.
6. In the Password field, enter the legacy local administrator’s password.
7. In the Confirm password field, type in the legacy local administrator’s password again.
8. In the Role drop-down, select an Administrator Role.
AMC provides the following preconfigured roles, which are defined on the Add/Edit Administrator Role page. You can modify these preconfigured roles, or create new roles (see Defining Administrator Roles):
|
Preconfigured role
|
Description
|
|
Super Admin
|
Has read/write access to all pages in AMC
|
|
Security Admin
|
Has read/write access to security administration and monitoring pages in AMC, and view access to system settings
|
|
System Admin
|
Has read/write access to system and monitoring pages, and view access to security pages
|
|
9. Click Save and then click Pending Changes at the top of the page.
10. Click Apply Changes.
For information on deleting administrator accounts, see Adding, Editing, Copying, and Deleting Objects in AMC.
By default, the preconfigured roles include the ability to view all forms of session data and to terminate sessions. See Viewing User Sessions and Ending User Sessions for more information.
Defining Administrator Roles
Role-based administration enables the primary administrator to grant limited administrative control to secondary AMC administrators.
For defining administrator roles, the features in AMC are grouped into four categories. For each category, you must specify the permissions you want to grant a role. The four categories of administrator permissions in AMC are described in the following table:
|
Category
|
Administrator permissions
|
|
Security administration
|
Controls administrator access to pages for access control rules, resources, users and groups, WorkPlace, OnDemand, and End Point Control.
|
|
System configuration
|
Controls administrator access to pages for network settings, general appliance settings, SSL settings, access and network services, authentication servers, and realms.
|
|
System maintenance
|
Controls administrator permission to shut down or restart the appliance, update or roll back the system software, and import or export configuration data.
|
|
System monitoring
|
View access permits the administrator to view system logs and graphs, view active users, and run troubleshooting tools (such as starting, stopping, downloading, and deleting network traces). Modify provides additional permissions to terminate user sessions and modify log settings.
|
|
The permission level for each category can be set as follows:
|
Permission level
|
Description
|
|
Modify
|
Permits read/write access within a category.
|
|
View
|
Provides read-only access within a category.
|
|
None
|
Disables access to the relevant AMC pages within a category. When you select None as the permission level for a category, AMC will not display either the pages within that category, or the main navigation menu commands that lead to those pages.
|
|
To create an administrator role
1. From the main navigation menu, click General Settings.
2.
In the Administrators area, click Edit for the Administrator accounts.
The Manage Administrator Roles page appears and displays an overview of administrators’ roles and permission levels.
3.
Click the Roles tab.
4.
Click New.
The Add Administrator Role page appears.
In the Name text field, type the name for the administrator role.
6. Optional. In the Description text field, type a descriptive comment about the role.
7. In the Administrator permissions area, select one or more categories of permissions that will be granted to the role.
8. Click Save.
Adding Authentication Server
Secure Mobile Access allows you to choose the authentication server where your appliance administrators are defined. If you do not already have accounts defined in an external directory server, you can create a local authentication store and assign administrative roles to locally defined users and groups.
To add an authentication server
1. From the main navigation menu, click Authentication Servers.
2.
Click New....
The New Authentication Server page appears.S
3.
Enter your configuration settings, and then click Continue....
The Configure Authentication Server page appears.
4.
Enter your configuration settings, and then click Save.
5. Navigate to General Settings.
6.
In the Administrators area, click Edit for the Administrator accounts.
The Manage Administrator Roles page appears.
7.
Click the Authentication tab.
8.
In the Authentication server: drop-down, select the authentication server you added in step
9. Keep all other options as default.
10. Click Save.
11. Click Pending Changes in the upper-right of the page.
12. Click Apply Changes.
Editing Administrator Roles
The primary AMC administrator can modify any secondary administrator role to change permission levels, and can also delete secondary roles. For more information, see Defining Administrator Roles.
Avoiding Configuration File Conflicts with Multiple Administrators
If more than one administrator is managing your appliance, you should avoid working in AMC at the same time. If multiple administrators make changes to the same object, AMC saves the most recent one. This can cause unintentional results, and potentially cause security problems if conflicting changes are made to access control rules.
If more than one administrator is logged into AMC, you are alerted by a link in the upper-right corner of AMC:
To see a list of the user names and IP addresses of all administrators who are logged into AMC, click this link: the Administrator Sessions page appears in a separate window. If an administrator has multiple instances of the Web browser logged into AMC, the administrator’s user name and IP address is listed more than once.
You should contact the other administrators and coordinate your activities to avoid configuration file conflicts.
To view the complete list of AMC administrators
1. Click General Settings in the main AMC navigation menu.
2. Click Edit in the Administrator accounts area. The Manage Administrator Accounts page lists all administrators, and shows which ones are currently logged in.
The management console audit log tracks any AMC configuration changes made by administrators. See Management Audit Log.
To end an AMC session you must click Log Out; if you terminate a session by closing your Web browser, the session appears in the list of active sessions until it times out (by default, in 15 minutes).
Managing Multiple Dell Secure Mobile Access Devices
You can configure an E-Class SRA appliance to be managed by Global Management System (GMS), to be included in ViewPoint reports, or both.
• The Global Management System (GMS) gives you a single management interface for centrally managing and deploying E-Class SRA appliances and security policy configurations. GMS also provides centralized real-time monitoring, and policy and compliance reporting.
• The ViewPoint Reporting Module is a separate Web-based reporting tool that gives you detailed reports for individual E-Class SRA appliances. You can track network utilization, monitor critical network events and activity—such as security threats, inappropriate Web use, and bandwidth levels—using a customizable dashboard and a variety of historical reports.
To configure centralized management in AMC, you must specify the settings for these servers, such as the server address and port, and supply a password that will be used by GMS and the ViewPoint server to gain access to the SRA EX-Series appliance.
• Configuring an Appliance for GMS
• Configuring GMS for SNMP Monitoring of the Appliance
• Configuring an Appliance for ViewPoint
Configuring an Appliance for GMS
The Global Management System (GMS) gives you a single management interface for centrally managing and deploying E-Class SRA appliances and security policy configurations. GMS also provides centralized real-time monitoring, and policy and compliance reporting. You can schedule appliance reports to be automatically sent by e-mail on a regular basis. These reports currently contain the following:
• User authentication-related events: The user login report shows the user name, source host IP address, and time of login for users who have logged in to the appliance during the specified day; the failed login report shows unsuccessful login attempts, which is useful for identifying unauthorized access attempts and potentially malicious activity.
• Status information: The GMS can log in to the E-Class SRA appliance automatically and request its up/down status and appliance details, such as its model and serial numbers, language, up-time, and firmware version.
• Resource access events: The aggregated data on GMS is summarized by access method and user/realm name; you can also go into further detail and see individual access items. If a user has logged in to WorkPlace, for example, and clicked on various links, that information is relayed to GMS and can be viewed in summary or detailed reports.
You can also configure the E-Class SRA appliance to be included in ViewPoint reporting.
To configure your SRA EX-Series appliance for GMS or ViewPoint
1. Click General Settings in the main AMC navigation menu.
2. Click Edit in the Centralized management area.
3. Select the Enable GMS/ViewPoint check box, and then enter the host name or IP address of the GMS or ViewPoint server, and the port number.
4. In the Heartbeat interval text box, set the interval (in seconds) at which the appliance indicates its readiness to send a report on authentication-related events, in addition to status information (status.xml). An interval of 60 seconds is typical.
5. Select Send only heartbeat status messages check box if you want to only manage the appliance, and not generate any reports.
6. If needed, enable an additional server in the Additional ViewPoint server area.
7. In the GMS/ViewPoint credentials area, enter and confirm the password that will be used to add the SRA E-Class appliance. On the GMS/ViewPoint Add Unit screen, you will add this E-Class SRA appliance by entering GMS as the login name and the credentials you specified in the Password box.
8. Select Enable single sign-on for AMC configuration if you want to be able to open the Appliance Management Console and make changes to its configuration from within GMS. If this setting is cleared, you can still open AMC, but you must first enter your AMC login credentials; this is less convenient, but more secure.
9. Click Save.
Refer to the documentation for the Dell Global Management System on www.MySonicwall.com for further information.
Related Topics
• Configuring GMS for SNMP Monitoring of the Appliance
Configuring an Appliance for ViewPoint
The ViewPoint Reporting Module is a separate Web-based reporting tool that gives you detailed reports for individual E-Class SRA appliances. You can track network utilization, monitor critical network events and activity—such as security threats, inappropriate Web use, and bandwidth levels—using a customizable dashboard and a variety of historical reports. Information is sent from the appliance as a stream of syslog data and stored in the ViewPoint database or as files on the hard disk.
To configure your SRA EX-Series appliance for ViewPoint
1. Click General Settings in the main AMC navigation menu.
2. Click Edit in the Centralized management area.
3. Select the Enable GMS/ViewPoint check box, and then enter the host name or IP address of the ViewPoint server, and its port number.
4. In the GMS/ViewPoint credentials area, enter and confirm the password that will be used on the ViewPoint server to add the SRA E-Class appliance (the login name is GMS).
5. Select Enable single sign-on for AMC configuration if you want to be able to open the Appliance Management Console and make changes to its configuration from the ViewPoint server. If this setting is cleared, you can still open AMC, but you must first enter your AMC login credentials; this is less convenient, but more secure.
6. Click Save.
Working with Configuration Data
This section explains how to save and activate configuration changes in AMC.
• Saving Configuration Changes to Disk
• Applying Configuration Changes
• Discarding Pending Configuration Changes
• Scheduling Pending Changes
Saving Configuration Changes to Disk
When you’re finished making changes on a page in AMC and you click Save, your changes are saved to disk. If you click Cancel or use the Back button in your browser, your changes are not saved.
To save configuration changes to disk
1. Make any changes on a page in AMC.
2. Click Save at the bottom of the page.
Configuration changes are saved to disk, but are not applied to the active configuration. The status area in AMC changes to indicate that you have pending changes that need to be applied to the appliance.
See Applying Configuration Changes for more information.
There are several options for managing configuration data—exporting it or saving it on the appliance, or restoring it, for example. See Managing Configuration Data for more information.
Applying Configuration Changes
As you make configuration changes to the appliance, they are saved to disk but are not immediately applied. These changes can either be activated (described in this section) or discarded (see Discarding Pending Configuration Changes for more information).
To activate your changes, you must apply them. You can apply most changes without interrupting service to users, and new connections will use the new configuration. Low-level configuration changes (for example, an IP address change) are a bit more disruptive: network services are automatically restarted and user connections are terminated, forcing users to reauthenticate. If possible, you should apply these sorts of configuration changes during off-peak houwrs (perhaps during a maintenance window) and notify your users beforehand.
If you need to restart services manually, see Stopping and Starting the Secure Mobile Access Services.
To apply your changes
1. From the main navigation menu, click Maintenance.
2. On the Maintenance page, click Apply changes. (You can also click the Pending changes link in the upper-right corner of AMC.)
Assess the impact of applying your changes by looking at the message on the Apply Changes page:
|
Warning message
|
Description
|
|
• Applying changes will restart all services and terminate all user connections.
• Applying changes will terminate existing TCP/IP user connections.
• Applying changes will terminate existing HTTP user connections.
|
Applying any of these changes terminates existing user connections.
CAUTION: This requires users to reauthenticate, and may cause them to lose data.
|
|
Your changes will require AMC to restart, which will end your current administrative session. When the request is complete, open a new browser and log in to AMC again.
|
AMC will be unavailable after your current session ends. Close your browser and then log in to AMC again.
|
|
No authentication realms are enabled. This will prevent users from accessing any resources.
|
At least one authentication realm must be enabled for users to have access to resources. Otherwise, users cannot authenticate to the appliance.
|
|
4. Click Apply Changes to apply configuration changes.
When you apply configuration changes to WorkPlace, AMC performs a restart of the services. Users do not need to reauthenticate to WorkPlace, but if they provided Windows login credentials to access a network share, they are prompted to re-enter them when WorkPlace restarts.
Any connections that exist when you apply changes continue to use the old configuration until the connection terminates. Because Web connections are short-lived, most users accessing Web resources pick up configuration changes fairly quickly. On the other hand, client/server connections can survive for a long period of time.
If the new configuration fails to load, existing connections remain in effect but new connection attempts will fail. For details on what to do in this situation, see AMC Issues.
Related Topics
• Discarding Pending Configuration Changes
Discarding Pending Configuration Changes
Configuration changes you make in AMC are saved to disk, but they are not in effect until you apply them, as described in Applying Configuration Changes. You can use the AMC log file to find out what changes are pending, and go to the Apply changes page in AMC to discard them. Pending changes can only be discarded as a group: you cannot discard them selectively.
To discard pending changes
1. (Optional) You can review the list of pending changes in the management console audit log file.
a.From the main navigation menu, click Logging, and then select Management Console audit log in the Log file list.
b.Any Info level item added since the last Applied configuration changes message appears is a change that can be discarded.
See Management Audit Log for more information.
2. From the main navigation menu, click Maintenance, and then click Apply changes.
3. On the Apply Changes page, click Discard. The time- and date-stamp of the configuration that will be restored when you discard pending changes is displayed.
4. Click OK to confirm that you want to discard changes.
Scheduling Pending Changes
To schedule changes:
1. Either click the Pending changes link in the upper-right corner of AMC, or click the Apply changes button on the Maintenance page to display the Apply Pending Changes dialog:
2. Expand the Advanced section by clicking the 
down arrow icon to the right of the Advanced heading.
3. To schedule the pending changes to be applied at a later time, click the At radio button and select the desired time and date.
You also may apply the pending changes immediately by selecting the Now radio button or discard the pending changes by clicking Discard.
4. Click Apply Changes. Thereafter, clicking Pending Changes displays the scheduled actions.
A schedule can be changed or discarded at any time before the scheduled time using this same dialog.
Deleting Referenced Objects
You cannot delete an object (such as a resource or a user) if it is still referenced by another object (the check box next to it in AMC cannot be selected). In this example, the resource ahsiple cannot be deleted:
In order to delete an object that is in use by anther object—such as a Web shortcut, a WorkPlace layout, or an access rule—you must first out what objects are using it. To do this, expand the list item by clicking on the plus (+) sign next to it. In this example the resource is used by a WorkPlace shortcut named DFS; it can be deleted only after the WorkPlace shortcut is removed. (The resource is also part of a resource group named Default Resources, but it can be deleted if that is the only reference.)
The following table lists the object types that cannot be deleted if they are referenced by other objects.
|
This object type...
|
Can be referenced by this object type
|
|
Resource
|
Access control rules, resource groups, WorkPlace Web shortcuts
|
|
Resource groups
|
Access control rules
|
|
Users
|
Access control rules
|
|
User groups
|
Access control rules
|
|
Realms
|
Users, user groups
|
|
Authentication servers
|
Realms
|
|
Communities
|
Realms
|
|
Web application profiles
|
Resources
|
|
End Point Control zones
|
Access control rules, communities
|
|
Device profiles
|
End Point Control zones
|
|