• Logs > Debug Logging - Enables full debug log messages of Mobile Connect activity. Leave this setting disabled unless instructed to enable it by Dell SonicWALL Support staff.

• Logs > Clear Logs - Deletes all log files saved on the device.

The Support section of the Settings tab provides the following support information:

• User Guide - Displays the SonicWALL Mobile Connect User Guide.

• Device Information - Displays information about the device, Wi-Fi connection, Cellular connection, and DNS servers.

• Email Logs - Creates an email to send the Mobile Connect log to Dell SonicWALL Support staff. Tap Send to send the email.

E-Class SRA Settings

Connections to Dell SonicWALL E-Class SRA appliances have two additional options that are available on the Edit Connection window. To view this option, go to the Connection tab and tap and hold on the Connection line to bring up the Edit Connection window.

The following options can be configured:

• Remember Credentials - Enables saving of user authentication credentials for the VPN connection. This is enabled by default and can be controlled by the E-Series SRA server setting. This feature requires E-Class SRA 10.7.x firmware.

• Forget Selections - Mobile Connect remembers the Login Group that you specified when configuring the connections. To change to a different Login Group, tap Forget Selections. The next time you connect to the server, you will be prompted to select a new Login Group.

Note If this option is not displayed, you are connecting to either a Dell SonicWALL firewall or SRA appliance.

http://server/example%20file.html

mobileconnect://connect?callbackurl=http%3A%2F%2Fserver%2Fexample%2520file.html

Bookmarks

When there are more than five bookmarks, the bookmarks are replaced by a Filter screen that groups bookmarks by type. Select the type of bookmarks to display or select All Bookmarks to display all bookmarks.

When connected to an SMB SRA server, SRA 7.0 or higher is required for Bookmarks support.

Note When connected to a Dell Secure Mobile Access appliance with Application Access Control enabled, the Bookmarks list is replaced by a list of trusted apps that can access the corporate network.

Selecting a bookmark for an app that is not installed will prompt you to install the app. Apps referenced by bookmarks also can be installed at any time using the Settings > Bookmarks tab. In addition to installing apps for bookmarks, the Settings > Bookmarks tab is also used to select and install apps for bookmarks that support multiple third party apps. For example, you might select Chrome or Firefox for a Web bookmark.

Mobile Connect supports the following types of bookmarks and associated apps.

Desktop Bookmarks:

Portal name: Terminal Services (RDP – ActiveX), Terminal Services (RDP – Java) Internal type: RDP5ActiveX, RDP5Java

RDP bookmark types attempt to launch with the associated RDP application, as configured in the Settings tab.

Additional details such as screen resolution should be provided to the client. However, support for passing such parameters will vary based on the application. For example:

• Wyse PocketCloud Pro does not support the “connect to console” option

Portal name: Virtual Network Computing (VNC)
Internal type: VNC

VNC bookmark types attempt to launch with the associated VNC application as configured in the Settings tab.

Additional details such as screen resolution should be provided to the client. However, support for passing such parameters varies based on the application.

Portal name: Citrix Portal (Citrix)
Internal type: Citrix, Citrix_https

Citrix bookmark types will attempt to launch with the associated Citrix application.

Additional details such as screen resolution should be provided to the client. However, support for passing such parameters will very based on the application.

Web Bookmarks:

Portal name: Web (HTTP), Secure Web (HTTPS), External Web Site
Internal type: HTTP, HTTPS, URL, URL_https

These bookmarks will launch in an associated web browser and the provided ‘Name or IP Address’ (HostID) will be passed as the parameter to display in the browser.

Portal name: Mobile Connect
Internal type: MC

The Mobile Connect bookmark type will rely on the operating system to determine and launch the proper application. The bookmark is expected to be properly configured for launch. The Mobile Connect app will attempt to launch it as is. (for example, telnet://server)

Terminal Bookmarks:

Portal name: Telnet, Secure Shell Version 1 (SSHv1), Secure Shell Version 2 (SSHv2)
Internal type: Telnet, SSH, SSHv1

ConnectBot notes: Proper formatting is required for ConnectBot SSH (server bookmark field requires username@server).

Note Some supported third party apps may not yet be available in the Amazon Appstore.

Files Bookmarks

Mobile Connect 3.0 introduced secure mobile access to files through Files bookmarks. Files bookmarks are displayed after the VPN is connected in the table of bookmarks. Tapping a Files bookmark allows secure access to files by first checking and enforcing the server-configured file policy, and then securely downloading and displaying the file within the Mobile Connect app.

Granular policy controls can be configured to allow other Android apps to use each file. On Android, policies include control over whether a file may be opened in a third-party app or securely cached on the device. Files bookmarks can also be created to folders or file share root directories to allow directory navigation.

Note Beginning in Mobile Connect for Android 3.0, Files bookmarks are supported on the Dell SonicWALL SRA appliances starting with SRA 7.5 firmware. Support for Files bookmarks in Dell Secure Mobile Access and Next Generation Firewalls is expected in a future release.

When Files bookmarks are configured for the user on the server appliance, they appear in the list of bookmarks after the VPN is established and can be filtered by selecting the Showing: Files row that is displayed when there are more than five bookmarks.

Tapping a Files bookmark queries and enforces the server-configured file policy for that file bookmark. If the file is not already cached on the device, it securely downloads the file from the SRA appliance. Once the file is downloaded, it is opened in the Android default file viewer app for that file type.

Tapping a Files bookmark to a folder or directory allows for directory browsing and file download and viewing of any file in the folder. All attempts to browse a file folder or view a file query the server to enforce access policies. On Android, the default file viewer app is automatically launched after a file is downloaded.

Supported File Types

Mobile Connect supports all file types natively supported by Android, including the following:

Unsupported Files

If a file type is not supported, the user will be prompted that the file may not be viewable unless there is another app installed that can view the file. The user can tap ‘Try Anyway’ and if there is another app that is registered to handle that file type, the user will have the option to open the file in that app.

File Policies

On Android, server-configured policies control whether a file can be opened in a third-party app or securely cached on the device.

For example, if a file has the Allow Open In policy disabled, the file cannot be viewed on an Android device. Mobile Connect launches third-party apps to view all file types, so the Allow Open in policy must be enabled to view a file.

App Access Control

Mobile Connect 3.1 supports the Application Access Control feature in Dell Secure Mobile Access 11.0 and higher on E-Class SRA appliances. Application Access Control allows remote access administrators to control exactly which resources on the corporate network each application (app) can access. Meanwhile, the device owner can still use their personal Android device for their own activities such as personal email, financial data, pictures, music, accessing third party web sites, and so on.

If the E-Class SRA administrator has configured this feature, you will log in to a Login Group that allows a list of trusted apps to access corporate resources. The specific version of each app is included in the configuration. The Application Access Control rule list controls:

• Which applications can send data through the VPN tunnel

• Which destinations on the corporate network those applications are allowed to access

The first time you connect and log in, you must agree to the displayed terms and conditions.

Your device is then registered with the server, and will be recognized in later connections. If the policy or list of trusted apps changes, you will be asked to re-accept the terms and conditions.

Multiple personal devices can be authorized for a single user, and a single personal device may be registered by multiple users.

The list of trusted apps is displayed on your device after you agree to the above terms. You can block trusted apps from sending data to the corporate network by clearing the checkbox for them on your device. Typically, you would uncheck any application that is only being used for personal tasks or information, to prevent the app from sending any traffic to the corporate network. Tapping Accept continues with the connection.

The device is now fully connected to the E-Class SRA server.

To request that additional apps be added to the trusted apps list, contact the E-Class SRA appliance administrator.

If your device has an app installed that is not the same version as the one approved on the server, or if an approved app is not installed on your device, the app name is displayed without a check mark. Instead, a red circle “no” symbol is displayed next to it.

When connected to an E-Class SRA server running Dell Secure Mobile Access 11.0 or higher with Application Access Control configured, device traffic is handled in four ways:

1. For applications listed and selected in the application list, traffic destined for the corporate network from those applications is allowed to enter the VPN tunnel. The application ID and signature are used by the server to identify the application.

2. For applications that are on that list and are not selected (or any other application on the device), traffic destined for the corporate network is blocked and/or dropped by Mobile Connect and does NOT enter the tunnel.

3. All applications (regardless of whether or not they are on the application list) send traffic out the default interface of the device if the traffic is NOT destined for the corporate network.

4. The information status symbol “i” displays on applications that are “learned” by the appliance but still have at least one version pending approval.

About Learning Mode (Administrators Only)

Designated administrators can use Android devices as trusted learning devices when working with E-Class SRA appliances running SMA 11.0 and higher (with Application Access Control enabled). A trusted learning device is assigned special privileges to perform signature lookups as a part of learning application version information. When the trusted learning device is connected to the E-Class SRA server, apps that need versions to be learned are displayed. After launching the app, a Pending Approval icon displays next to the app name. The app can then be approved by the E-Class SRA administrator.

For more information about configuring Application Access Control on the E-Class SRA appliance running SMA 11.0 and higher, see the Dell Secure Mobile Access Application Access Control Feature Guide.

Client Certificates

Note Client certificate support is only available for connections to Dell SonicWALL E-Class SRA , Dell Secure Mobile Access, and SMB SRA appliances.

Configuring Client Certificates with E-Class SRA Appliances

If a client certificate is required during authentication, you are automatically prompted to select a client certificate from the Android device client certificate store.

Select the client certificate from the list of certificates and tap Allow.

By default a VPN configuration prompts you to select the client certificate during authentication. If you successfully authenticate with a client certificate, the VPN configuration profile is automatically updated to use the client certificate for each subsequent connection attempt. To reset the client certificate selection, edit the connection and tap the Forget Selections button.

Note If no client certificates are installed, an Android No certificates found dialog appears with an option to install a PKCS#12 file located in external storage.

Configuring Client Certificates with SMB SRA Appliances

On Dell SonicWALL SMB SRA appliances, client certificate authentication is available as a second factor authentication method in addition to standard user name and password authentication. If a client certificate is required during authentication, you are automatically prompted to select a client certificate from the Android device client certificate store.

Select the client certificate from the list of certificates and tap Allow.

By default the client certificate is set to Choose during login for a VPN configuration. If you successfully authenticate with a client certificate, the VPN configuration profile is automatically updated to set the client certificate to the one that was chosen. To reset the client certificate selection, edit the connection and set the Client Certificate field back to Choose during login.

Note If no client certificates are installed, an Android No certificates found dialog appears with an option to install a PKCS#12 file located in external storage.

Monitor Mobile Connect

The Monitor tab displays additional details about the connection, statistics on traffic transmitted, DNS information, and routes that have been installed. The compression ratio is shown when connected to an appliance running SRA 7.5 or higher with compression enabled. Traffic over the VPN tunnel is compressed using the LZ4 algorithm.

The About tab of SonicWALL Mobile Connect displays the version number and legal text.

When a Mobile Connect session is active, the Android System Notifications area includes an entry indicating that the VPN is connected.

Tapping on the SonicWALL Mobile Connect entry in the Android System Notifications area displays a summary of statistics on the VPN session. The statistics page displays the server name, duration of the session, and the amount of traffic that has been sent and received. Three buttons are also provided on this screen:

• Cancel – Closes the statistics screen.

• Disconnect – Disconnects the Mobile Connect session.

• Configure – Launches the SonicWALL Mobile Connect app.

Mobile Connect Widget

When the SonicWALL Mobile Connect app is installed, a widget for Android is also created in the widgets tab. It can then be dragged from the widgets tab to the home screen. This widget is used as follows:

• The widget shows the connection status (connected, disconnected, connecting, and so on.)

• Tap the icon to establish a tunnel when disconnected.

• Tap the icon to disconnect the tunnel when connected.

• Tap any other area of the widget to launch the Mobile Connect client.

Troubleshooting

This section describes some troubleshooting you can try if you are unable to connect to the Dell SonicWALL server.

Failed End Point Control Check

End Point Control can prevent the connection when the server is an E-Class SRA appliance or an SMB SRA appliance running SRA 7.5 (or higher). During the connection process, the connection status displays “EPC checking...” while the End Point Security policy checks are performed. If the device is not compliant because a security check failed, an error message is then displayed.

 

You can view the Mobile Connect log for more detailed information about which check failed. For example, you might see the following if an EPC policy was set up to restrict access to only a single device ID (EQUIPMENT ID).

2014-07-10 13:08:23:974 DEBUG Thread-142 - SraEpcManager - Allow Profile: {AndroidEPCExamplePolicy:[Literal=EQUIPMENTID,1,1234567890]}

2014-07-10 13:08:23:976 DEBUG Thread-142 - SraEpcManager - Deny Profile: {}

2014-07-10 13:08:23:977 DEBUG Thread-142 - SraEpcManager - Recurring Mode: 1

2014-07-10 13:08:23:978 DEBUG Thread-142 - SraEpcManager - Recurring Period: 1

2014-07-10 13:08:24:200 DEBUG Thread-142 - SraEvaluator - Evaluate literal: Literal=EQUIPMENTID,1,1234567890

2014-07-10 13:08:24:200 DEBUG Thread-142 - SraEvaluator - DeviceID<abcda50e-e13b-1234-b89d-b3da7384a2f5>, expect<1234567890>

2014-07-10 13:08:24:201 INFO Thread-142 - SraEpcManager - Failed allow profile:Literal=EQUIPMENTID,1,1234567890

When the server is either an E-Class SRA appliance or an SMB SRA appliance running SRA 7.5 (or higher), policies can be created to check different attributes of the Android device, including:

• Rooted or Not Rooted

• Client certificate installed

• Android OS version

• Device ID / Equipment ID

• Anti-Virus App

• Personal Firewall App

• Application

• Directory name

• File name

See the Administrator Guide for the server for complete information about End Point Control policy options.

General Troubleshooting

If you are unable to connect to the Dell SonicWALL server, perform the following steps to troubleshoot the connection.

1. Double check that you have entered the server name properly in the connection configuration.

2. Go to the web browser on your device and attempt to navigate to the SSL VPN appliance web portal.

3. If you are unable to load the web portal, the problem is with the Dell SonicWALL appliance. Contact your network administrator if the problem persists.

4. If the web portal loads successfully on the browser and you still cannot establish a Mobile Connect connection, notify Dell SonicWALL Support, as follows:

a. On the Settings tab, enable the Debug Logging option.

b. Attempt a connection to the server again to ensure that full debugging messages are logged for the attempt.

c. Then return to the Settings tab and tap the Email Logs button. An email will launch in your mail client with the Mobile Connect log attached. Address the email to Support@sonicwall.com. Add any additional comments to the email and tap Send. Dell SonicWALL Support staff will contact you after reviewing your case.