Editing Group Settings

To edit the settings for a group, click the configure icon in the row for the group that you wish to edit in the Local Groups table on the Users > Local Groups page. The Edit Group Settings window contains the following tabs: General, Portal, NxSettings, NxRoutes, Policies, Bookmarks, and EPC.
See the following sections for information about configuring settings:
Editing General Group Settings
The General tab provides configuration options for a group’s inactivity timeout value and single sign-on settings. To modify the general user settings, perform the following steps:
-
In the left-hand column, navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure. The General tab of the Edit Group Settings window displays. The General tab displays the following non-configurable fields: Group Name and Domain Name.
-
To set the inactivity timeout for the group, meaning that users will be signed out of the Virtual Office after no activity on their computer for the specified time period, enter the number of minutes of inactivity to allow in the Inactivity Timeout field. Set to 0 to use the global timeout.
Note: The inactivity timeout can be set at the user, group and global level. If timeouts are configured at more than one level, the user timeout takes precedence over the group timeout, and the group timeout takes precedence over the global timeout. Setting the global timeout to 0 disables the inactivity timeout for users that do not have a group or user timeout configured.
-
Under Single Sign-On Settings, select one of the following options from the Use SSL-VPN account credentials to log into bookmarks drop-down menu:
-
Use Global Policy: Select this option to use the global policy settings to control single sign-on (SSO) for bookmarks.
-
User-controlled (enabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks. This setting enables SSO by default for new users.
Note: Single sign-on on the SRA appliance does not support two-factor authentication.
-
User-controlled (disabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks. This setting disables SSO by default for new users.
-
Enabled: Select this option to enable single sign-on for bookmarks.
-
Disabled: Select this option to disable single sign-on for bookmarks.
-
Click Accept to save the configuration changes.
Modifying Group Portal Settings
The Portal tab provides configuration options for portal settings for this group.
To configure portal settings for this group, perform the following steps:
-
In the left-hand column, navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure.
-
In the Edit Local Group page, click the Portal tab.
-
On the Portal tab, under Portal Settings, select one of the following values for each of the NetExtender, Launch NetExtender after login, FileShares, Virtual Assist Technician, Virtual Assist Request Help, and Virtual Access Setup Link settings:
-
Use portal setting – The setting defined in the main portal settings will be used to determine if the portal feature is enabled or disabled. The main portal settings are defined by configuring the portal in the Portals > Portals page, on the Home tab of the Edit Portal screen.
-
Enabled – Enable this portal feature for this group.
-
Disabled – Disable this portal feature for this group.
Because Mobile Connect acts as a NetExtender client when connecting to the appliance, the setting for NetExtender also controls access by Mobile Connect users.
-
To allow users in this group to add new bookmarks, select Allow from the Allow user to add bookmarks drop-down menu. To prevent users from adding new bookmarks, select Deny. To use the setting defined globally, select Use global setting. See Edit Global Settings for information about global settings.
-
To allow users to edit or delete user-owned bookmarks, select Allow from the Allow user to edit/delete bookmarks drop-down menu. To prevent users from editing or deleting user-owned bookmarks, select Deny. To use the setting defined globally, select Use global setting.
Note: The Allow user to edit/delete bookmarks setting applies to user-owned bookmarks only. Users cannot edit or delete group and global bookmarks.
-
Click Accept.
Enabling Group NetExtender Settings
This feature is for external users, who will inherit the settings from their assigned group upon login. NetExtender client settings can be specified for the group, or use the global settings. For information about configuring global settings, see Edit Global Settings.
To enable NetExtender ranges and configure DNS and client settings for a group, perform the following steps:
-
Navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure.
-
In the Edit Local Group page, select the NxSettings tab.
-
Enter a beginning IPv4 address in the Client Address Range Begin field.
-
Enter an ending IPv4 address in the Client Address Range End field.
-
Enter a beginning IPv6 address in the Client IPv6 Address Range Begin field.
-
Enter an ending IPv6 address in the Client IPv6 Address Range End field.
-
Under DNS Settings, type the address of the primary DNS server in the Primary DNS Server field.
-
Optionally type the IP address of the secondary server in the Secondary DNS Server field.
-
In the DNS Search List field, type the DNS domain suffix and click Add. Next, use the up and down arrows to prioritize multiple DNS domains in the order they should be used.
For SRA appliances supporting connections from Apple iPhones, iPads, or other iOS devices using Dell SonicWALL Mobile Connect, use this DNS Search List. This DNS domain is set on the VPN interface of the iPhone/iPad after the device makes a connection to the appliance. When the mobile device user accesses a URL, iOS determines if the domain matches the VPN interface’s domain, and if so, uses the VPN interface’s DNS server to resolve the hostname lookup. Otherwise, the Wi-Fi or 3G DNS server is used, which will not be able to resolve hosts within the company intranet.
-
Under Client Settings, select one of the following from the Exit Client After Disconnect drop-down list:
-
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
-
Enabled - Enable this action for all members of the group. Overrides the global setting.
-
Disabled - Disable this action for all members of the group. Overrides the global setting.
-
In the Uninstall Client After Exit drop-down list, select one of the following:
-
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
-
Enabled - Enable this action for all members of the group. Overrides the global setting.
-
Disabled - Disable this action for all members of the group. Overrides the global setting.
-
In the Create Client Connection Profile drop-down list, select one of the following:
-
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
-
Enabled - Enable this action for all members of the group. Overrides the global setting.
-
Disabled - Disable this action for all members of the group. Overrides the global setting.
-
In the User Name & Password Caching drop-down list, select one of the following:
-
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
-
Allow saving of user name only - Allow caching of the user name for members of the group. Group members will only need to enter their password when starting NetExtender. Overrides the global setting.
-
Allow saving of user name & password - Allow caching of the user name and password for members of the group. Group members will be automatically logged in when starting NetExtender. Overrides the global setting.
-
Prohibit saving of user name & password - Do not allow caching of the user name and password for members of the group. Group members will be required to enter both user name and password when starting NetExtender. Overrides the global setting.
-
Click Accept.
Enabling NetExtender Routes for Groups
The Nx Routes tab allows the administrator to add and configure client routes. IPv6 client routes are supported on SRA appliances.
To enable multiple NetExtender routes for a group, perform the following steps:
-
Navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure.
-
In the Edit Local Group page, select the Nx Routes tab.
-
In the Tunnel All Mode drop-down list, select one of the following:
-
Use global setting - Take the action specified by the global setting. See Edit Global Settings.
-
Enabled - Force all traffic for members of this group, including traffic destined to the remote user's local network, over the SRA NetExtender tunnel. Overrides the global setting.
-
Disabled - Disable this action for all members of the group. Overrides the global setting.
-
To add globally defined NetExtender client routes for members of this group, select the Add Global NetExtender Client Routes check box.
-
To configure NetExtender client routes specifically for members of this group, click Add Client Route.
-
On the Add Client Route screen, enter a destination network in the Destination Network field. For example, enter the IPv4 network address 10.202.0.0. For IPv6, enter the IPv6 network address in the form 2007::1:2:3:0.
-
For an IPv4 destination network, type the subnet mask in the Subnet Mask/Prefix field using decimal format (255.0.0.0, 255.255.0.0, or 255.255.255.0). For an IPv6 destination network, type the prefix, such as 112.
-
On the Add Client Route screen, click Accept.
-
On the Edit Local Group page, click Accept.
Enabling Group NetExtender Client Routes
To enable global NetExtender client routes for groups that are already created, perform the following steps:
-
Navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure.
-
In the Edit Local Group page, select the Nx Routes tab.
-
Select the Add Global NetExtender Client Routes check box.
-
Click Accept.
Enabling Tunnel All Mode for Local Groups
This feature is for external users, who will inherit the settings from their assigned group upon login. Tunnel all mode ensures that all network communications are tunneled securely through the SRA tunnel. To enable tunnel all mode, perform the following tasks:
-
Navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure.
-
In the Edit Local Group page, select the Nx Routes tab.
-
Select Enabled from the Tunnel All Mode drop-down list.
-
Click Accept.
Note: You can also tunnel all SRA client traffic through the NetExtender connection by entering 0.0.0.0 for both the Destination Network and the Subnet Mask/Prefix in the Add Client Route window.
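As an added example (not appliance code), the following Python models how the NxRoutes settings above combine into the route table a NetExtender client receives, and checks whether a given destination would go over the tunnel. Route and mask formats are the ones this page describes (dotted-decimal mask for IPv4, prefix length for IPv6). Two points are assumptions of the example rather than documented behaviour: Tunnel All Mode is modelled as a default route for both address families, and `vpn_dns_applies` models the iOS search-domain rule described under the NxSettings DNS Search List.

```python
import ipaddress


def parse_client_route(destination, mask_or_prefix):
    """Build a network from an Add Client Route entry.

    IPv4 routes take a dotted-decimal Subnet Mask (255.255.0.0); IPv6 routes
    take a prefix length (112). strict=True rejects a Destination Network with
    host bits set, so 10.202.0.1 with mask 255.255.0.0 raises ValueError.
    """
    return ipaddress.ip_network(f"{destination}/{mask_or_prefix}", strict=True)


def effective_routes(group_routes, global_routes, add_global_routes, tunnel_all):
    """Routes pushed to members of a group.

    group_routes / global_routes are lists of (destination, mask_or_prefix).
    add_global_routes mirrors the Add Global NetExtender Client Routes box and
    tunnel_all mirrors Tunnel All Mode = Enabled. Assumption of this example:
    tunnel-all is represented as a default route for IPv4 and IPv6.
    """
    routes = [parse_client_route(d, m) for d, m in group_routes]
    if add_global_routes:
        routes += [parse_client_route(d, m) for d, m in global_routes]
    if tunnel_all:
        routes += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return routes


def is_tunneled(destination_ip, routes):
    """True if traffic to destination_ip would be sent over the NetExtender tunnel."""
    ip = ipaddress.ip_address(destination_ip)
    return any(ip in net for net in routes if net.version == ip.version)


def vpn_dns_applies(hostname, search_list):
    """Model of the iOS rule: the VPN interface's DNS server is used only when
    the host name falls under one of the DNS Search List domains."""
    host = hostname.lower().rstrip(".")
    for domain in search_list:
        d = domain.lower().strip().rstrip(".")
        if d and (host == d or host.endswith("." + d)):
            return True
    return False


# Constructed sample configuration, not taken from a real appliance.
GROUP_ROUTES = [("10.202.0.0", "255.255.0.0"), ("2007::1:2:3:0", "112")]
GLOBAL_ROUTES = [("192.168.100.0", "255.255.255.0")]

if __name__ == "__main__":
    split = effective_routes(GROUP_ROUTES, GLOBAL_ROUTES, True, False)
    for dst in ("10.202.5.1", "192.168.100.7", "8.8.8.8", "2007::1:2:3:ffff"):
        print(dst, "tunneled" if is_tunneled(dst, split) else "direct")
    full = effective_routes(GROUP_ROUTES, GLOBAL_ROUTES, True, True)
    print("8.8.8.8 with Tunnel All Mode:", is_tunneled("8.8.8.8", full))
    print("intranet.example.com uses VPN DNS:",
          vpn_dns_applies("intranet.example.com", ["example.com"]))
```

Running it with Tunnel All Mode disabled shows 8.8.8.8 going direct while the two group networks and the global network are tunneled; a manual 0.0.0.0 / 0.0.0.0 client route produces the same result as Tunnel All Mode, which is the equivalence the note above describes.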
Adding Group Policies
With group access policies, all traffic is allowed by default. Additional allow and deny policies may be created by destination address or address range and by service type.
The most specific policy will take precedence over less specific policies. For example, a policy that applies to only one IP address will have priority over a policy that applies to a range of IP addresses. If there are two policies that apply to a single IP address, then a policy for a specific service (for example RDP) will take precedence over a policy that applies to all services.
User policies take precedence over group policies and group policies take precedence over global policies, regardless of the policy definition. A user policy that allows access to all IP addresses will take precedence over a group policy that denies access to a single IP address.
Note: Within the group policy scheme, the primary group policy is always enforced over any additional group policies.
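The precedence rules above can be checked against a small model. The Python below is added here as an illustration and is not the appliance's policy engine; it encodes only what this page states: user policies over group policies over global policies, the primary group consulted before additional groups, a single host more specific than a range and a range more specific than all addresses, a specific service more specific than All Services, and allow by default when nothing matches. The page does not say how two equally specific policies in one scope are ordered; the example assumes the first-listed one wins. The sample policies are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_SERVICES = "All Services"
ALLOW, DENY = "Allow", "Deny"


@dataclass(frozen=True)
class Policy:
    name: str
    target: Optional[str]          # "10.0.0.5", "10.0.0.0/24", or None for All Addresses
    service: str = ALL_SERVICES    # e.g. "RDP"
    status: str = DENY             # Allow or Deny
    ports: Optional[Tuple[int, int]] = None   # optional Port Range/Port Number

    def network(self):
        return None if self.target is None else ipaddress.ip_network(self.target, strict=False)

    def matches(self, dst_ip, service, port):
        # Policies apply to the destination of the SRA connection, never to its source.
        net = self.network()
        if net is not None and (net.version != dst_ip.version or dst_ip not in net):
            return False
        if self.service != ALL_SERVICES and self.service != service:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True

    def specificity(self):
        # Single host > address range > all addresses; then specific service > All Services.
        net = self.network()
        addr_rank = 0 if net is None else (2 if net.num_addresses == 1 else 1)
        return (addr_rank, 0 if self.service == ALL_SERVICES else 1)


def best_match(policies, dst_ip, service, port):
    """Most specific matching policy within one scope (first listed wins a tie)."""
    hits = [p for p in policies if p.matches(dst_ip, service, port)]
    return max(hits, key=lambda p: p.specificity()) if hits else None


def evaluate(dst, service, port, user_policies, group_policies, global_policies):
    """Return (status, policy). group_policies is a list of per-group policy lists
    with the primary group first, so its verdict is enforced over other groups'."""
    dst_ip = ipaddress.ip_address(dst)
    for scope in [user_policies, *group_policies, global_policies]:
        hit = best_match(scope, dst_ip, service, port)
        if hit is not None:
            return hit.status, hit
    return ALLOW, None   # all traffic is allowed by default


# Constructed sample policies (not from a real appliance).
GLOBAL = [Policy("deny-everything", None, ALL_SERVICES, DENY)]
ENGINEERING = [  # primary group
    Policy("eng-rdp-lab", "10.0.0.0/24", "RDP", ALLOW, (3389, 3389)),
    Policy("eng-no-jumphost", "10.0.0.5", ALL_SERVICES, DENY),
]
CONTRACTORS = [Policy("contractor-jumphost", "10.0.0.5", "RDP", ALLOW)]
ALICE = []                                          # no user policies
BOB = [Policy("bob-anything", None, ALL_SERVICES, ALLOW)]

if __name__ == "__main__":
    for who, user in (("alice", ALICE), ("bob", BOB)):
        for dst, svc, port in (("10.0.0.7", "RDP", 3389), ("10.0.0.5", "RDP", 3389), ("10.0.0.7", "SSH", 22)):
            status, pol = evaluate(dst, svc, port, user, [ENGINEERING, CONTRACTORS], GLOBAL)
            print(f"{who} -> {dst} {svc}/{port}: {status} ({pol.name if pol else 'default'})")
```

The interesting case is alice reaching 10.0.0.5 over RDP: the engineering range policy allows RDP, but the single-host deny in the same (primary) group is more specific and wins, and the contractors group's allow for that host never gets a vote. Swap the group order so contractors is primary and the same request is allowed, which is exactly the effect the note above warns about.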
To define group access policies, perform the following steps:
-
Navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure.
-
In the Edit Local Group page, select the Policies tab.
-
On the Policies tab, click Add Policy. The Add Policy screen is displayed.
-
Define a name for the policy in the Policy Name field.
-
In the Apply Policy To drop-down list, select whether the policy will be applied to an individual host, a range of addresses, all addresses, a network object, a server path, or a URL object. You can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy window changes depending on what type of object you select in the Apply Policy To drop-down list.
Note: SRA policies apply to the destination address(es) of the SRA connection, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SRA gateway through the policy engine. It is possible to control source logins by IP address from the user's Login Policies page. For more information, refer to Configuring Login Policies.
-
IP Address - If your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field. Optionally enter a port range (80-443) or a single port number into the Port Range/Port Number field.
-
IP Address Range - If your policy applies to a range of addresses, enter the beginning IP address in the IP Network Address field and the subnet mask that defines the IP address range in the Subnet Mask field. Optionally enter a port range (4100-4200) or a single port number into the Port Range/Port Number field.
-
Network Object - If your policy applies to a predefined network object, select the name of the object from the Network Object drop-down list. A port or port range can be specified when defining a Network Object. See Adding Network Objects.
-
Server Path - If your policy applies to a server path, select one of the following radio buttons in the Resource field:
-
Share (Server path) - When you select this option, type the path into the Server Path field.
-
Network (Domain list)
-
Servers (Computer list)
See Editing a Policy for a File Share.
-
URL Object - If your policy applies to a predefined URL object, type the URL into the URL field.
-
IPv6 Address - If your policy applies to a specific host, enter the IPv6 address of the local host machine in the IPv6 Address field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field.
-
IPv6 Address Range - If your policy applies to a range of addresses, enter the beginning IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6 address range in the IPv6 Prefix field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field.
-
All IPv6 Address - If your policy applies to all IPv6 addresses, you do not need to enter any IP address information.
-
Select the service type in the Service menu. If you are applying a policy to a network object, the service type is defined in the network object.
-
Select Allow or Deny from the Status drop-down list to either permit or deny SRA connections for the specified service and host machine.
-
Click Accept to update the configuration. Once the configuration has been updated, the new group policy will be displayed in the Edit Local Group window. The group policies are displayed in the Group Policies list in the order of priority, from the highest priority policy to the lowest priority policy.
Editing a Policy for a File Share
To edit file share access policies, perform the following steps:
-
Navigate to Users > Local Groups.
-
Click the configure icon next to the group you want to configure.
-
Select the Policies tab.
-
Click Add Policy...
-
Select Server Path from the Apply Policy To drop-down list.
-
Type a name for the policy in the Policy Name field.
-
For Resource, select Share (Server path) for the resource type.
-
In the Server Path field, enter the server path in the format servername/share/path or servername\share\path. The prefixes \\, //, \ and / are acceptable.
Note: Share and path provide more granular control over a policy. Both are optional.
-
Select Allow or Deny from the Status drop-down list.
-
Click Accept.
Configuring Group Bookmarks
SRA appliance bookmarks provide a convenient way for SRA users to access computers on the local area network that they will connect to frequently. Group bookmarks will apply to all members of a specific group. To define group bookmarks, perform the following steps:
-
Navigate to the Users > Local Groups window.
-
Click the configure icon for the group for which you want to create a bookmark. The Edit Local Group page is displayed.
-
On the Bookmarks tab, click Add Bookmark. The Add Bookmark screen is displayed.
Note: When group bookmarks are defined, all group members will see the defined bookmarks from the SRA user portal. Individual group members will not be able to delete or modify group bookmarks.
-
Enter a string that will be the name of the bookmark in the Bookmark Name field.
-
Enter the fully qualified domain name (FQDN) or the IPv4 or IPv6 address of a host machine on the LAN in the Name or IP Address field. In some environments you can enter the host name only, such as when creating a VNC bookmark in a Windows local network.
Note: If a port number is included with an IPv6 address in the Name or IP Address field, the IPv6 address must be enclosed in square brackets, for example: [2008::1:2:3:4]:6818. IPv6 is not supported for RDP - ActiveX, RDP - Java, File Shares, or VNC bookmarks.
For HTTP and HTTPS, you can add a custom port and path, for example, servername:port/path. For VNC, Telnet, and SSH, you can add a custom port, for example, servername:port.
-
Select one of the service types from the Service drop-down list. For the specific service you select from the Service drop-down list, additional fields may appear. Use the following information for the chosen service to complete the building of the bookmark:
Terminal Services (RDP - ActiveX) or Terminal Services (RDP - Java)
Note: If you create a bookmark using the Terminal Services (RDP - ActiveX) service type, then when you click on that bookmark while using a browser other than Internet Explorer, the service is automatically switched to Terminal Services (RDP - Java). A popup window notifies you of the switch.
-
In the Screen Size drop-down menu, select the default terminal services screen size to be used when users execute this bookmark.
Because different computers support different screen sizes, when you use a remote desktop application, you should select the size of the screen on the computer from which you are running a remote desktop session. Additionally, you may want to provide a path to where your application resides on your remote computer by typing the path in the Application Path field.
-
In the Colors drop-down list, select the default color depth for the terminal service screen when users execute this bookmark.
-
Optionally enter the local path for this application in the Application and Path (optional) field.
-
In the Start in the following folder field, optionally enter the local folder in which to execute application commands.
-
Select the Login as console/admin session check box to allow login as console or admin. Login as admin replaces login as console in RDC 6.1 and newer.
-
Select the Enable wake-on-LAN check box to enable waking up a computer over the network connection. Selecting this check box causes the following new fields to be displayed:
-
MAC/Ethernet Address – Enter one or more MAC addresses, separated by spaces, of target hosts to wake.
-
Wait time for boot-up (seconds) – Enter the number of seconds to wait for the target host to fully boot up before cancelling the WoL operation.
-
Send WOL packet to host name or IP address – To send the WoL packet to the hostname or IP of this bookmark, select the Send WOL packet to host name or IP address check box, which can be applied in tandem with a MAC address of another machine to wake.
-
For Terminal Server Farm or Load Balancing support with RDP - Java bookmarks, select the Server is TS Farm check box to enable a proper connection. Note that only the pure Java RDP client supports this feature and some advanced options will not be available in this mode.
-
For RDP - Java bookmarks, select the Force Java Client Usage check box to force the use of the Java RDP client rather than the locally installed RDP client if it exists. If this option is selected, no Windows Advanced options are supported.
-
For Windows clients, or Mac clients running Mac OS X 10.5 or above with RDC installed, expand Show advanced Windows options and select the check boxes for any of the following redirect options: Redirect Printers, Redirect Drives, Redirect Ports, Redirect SmartCards, Redirect clipboard, or Redirect plug and play devices to redirect those devices or features on the local network for use in this bookmark session. You can hover your mouse pointer over the Help icon next to certain options to display tooltips that indicate requirements.
To see local printers show up on your remote machine (Start > Settings > Control Panel > Printers and Faxes), select Redirect Ports as well as Redirect Printers.
Select the check boxes for any of the following additional features for use in this bookmark session: Display connection bar, Auto reconnection, Desktop background, Bitmap caching, Menu/window animation, Visual styles, or Show window contents while dragging/resizing.
In the Remote Audio drop-down list, select Play on this computer, Play on remote computer, or Do not play.
If the client application will be RDP 6 (Java), you can select any of the following options as well: Dual monitors, Font smoothing, Desktop composition, or Remote Application.
Remote Application monitors server and client connection activity; to use it, you need to register remote applications in the Windows 2008 RemoteApp list. If Remote Application is selected, the Java Console will display messages regarding connectivity with the Terminal Server.
-
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current SRA session for login to the RDP server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Virtual Network Computing (VNC)
-
In the Encoding drop-down list, select one of:
-
Raw – Pixel data is sent in left-to-right scanline order, and only rectangles with changes are sent after the original full screen has been transmitted.
-
RRE – Rise-and-Run-length-Encoding uses a sequence of identical pixels that are compressed to a single value and repeat count. This is an efficient encoding for large blocks of constant color.
-
CoRRE – A variation of RRE, using a maximum of 255x255 pixel rectangles, allowing for single-byte values to be used. More efficient than RRE except where very large regions are the same color.
-
Hextile – Rectangles are split up in to 16x16 tiles of raw or RRE data and sent in a predetermined order. Best used in high-speed network environments such as within the LAN.
-
Zlib – Simple encoding using the zlib library to compress raw pixel data, costing a lot of CPU time. Supported for compatibility with VNC servers that might not understand Tight encoding which is more efficient than Zlib in nearly all real-life situations.
-
Tight – The default and the best encoding to use with VNC over the Internet or other low-bandwidth network environments. Uses zlib library to compress pre-processed pixel data to maximize compression ratios and minimize CPU usage.
-
In the Compression Level drop-down list, select the level of compression as Default or from 1 to 9 where 1 is the lowest compression and 9 is highly compressed.
-
The JPEG Image Quality option is not editable and is set at 6.
-
In the Cursor Shape Updates drop-down list, select Enable, Ignore, or Disable. The default is Ignore.
-
Select Use CopyRect to gain efficiency when moving items on the screen.
-
Select Restricted Colors (256 Colors) for more efficiency with slightly less depth of color.
-
Select Reverse Mouse Buttons 2 and 3, to switch the right-click and left-click buttons.
-
Select View Only if the user will not be making any changes on the remote system.
-
Select Share Desktop to allow multiple users to view and use the same VNC desktop.
Citrix Portal (Citrix)
-
Optionally select HTTPS Mode to use HTTPS to securely access the Citrix Portal.
-
Optionally, select Always use Java in Internet Explorer to use Java to access the Citrix Portal when using Internet Explorer. Without this setting, a Citrix ActiveX client or plugin must be used with IE. This setting lets users avoid installing a Citrix client or plugin specifically for IE browsers. Java is used with Citrix by default on other browsers and also works with IE. Enabling this check box leverages this portability.
-
Optionally, select Always use specified Citrix ICA Server and specify the IP address in the ICA Server Address field that appears. This setting allows you to specify the Citrix ICA Server address for the Citrix ICA session. By default, the bookmark uses the information provided in the ICA configuration on the Citrix server.
Web (HTTP)
-
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current SRA session for login to the Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Select the Forms-based Authentication check box to configure Single Sign-On for forms-based authentication. Set the User Form Field to the value of both the 'name' and 'id' attributes of the HTML element representing the user name in the login form, for example: <input type=text name='userid'>. Set the Password Form Field to the 'name' or 'id' attribute of the HTML element representing the password, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>.
Secure Web (HTTPS)
-
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current SRA session for login to the secure Web server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Select the Forms-based Authentication check box to configure Single Sign-On for forms-based authentication. Set the User Form Field to the value of both the 'name' and 'id' attributes of the HTML element representing the user name in the login form, for example: <input type=text name='userid'>. Set the Password Form Field to the 'name' or 'id' attribute of the HTML element representing the password, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>.
External Web Site
-
Select the HTTPS Mode check box to use SSL to encrypt communications with this Web site.
-
Select the Disable Security Warning check box if you do not want to see any security warnings when accessing this Web site. Security warnings are normally displayed when this bookmark refers to anything other than an Application Offloaded Web site.
File Shares (CIFS)
-
To allow users to use a Java Applet for File Shares that mimics Windows functionality, select the Use File Shares Java Applet check box.
-
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current SRA session for login to the file server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so will disable access to the DFS file shares from other domains. The SRA appliance is not a domain member and will not be able to connect to the DFS shares.
DFS file shares on a stand-alone root are not affected by this Microsoft restriction.
File Transfer Protocol (FTP)
-
Expand Show advanced server configuration to select an alternate value in the Character Encoding drop-down list. The default is Standard (UTF-8).
-
Optionally select Automatically log in and select Use SSL-VPN account credentials to forward credentials from the current SRA session for login to the FTP server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Telnet
Secure Shell version 1 (SSHv1)
Secure Shell version 2 (SSHv2)
-
Optionally select the Automatically accept host key check box.
-
If using an SSHv2 server without authentication, such as a Dell SonicWALL firewall, you can select the Bypass username check box.
-
Check the Display Bookmark to Mobile Connect clients check box to display the bookmark on mobile devices.
-
Click Accept to update the configuration. Once the configuration has been updated, the new group bookmark will display in the Edit Local Group page.
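For the Web (HTTP) and Secure Web (HTTPS) bookmarks above, the User Form Field and Password Form Field must match the name/id attributes of the target application's login form. The Python below is an added example, not part of the appliance or this guide: it pulls those attributes out of a login page so the values can be copied into the bookmark, warns when the user input's name and id disagree (the page requires both to match), and lists the other submitted inputs so the administrator can see what the form carries besides the two credential fields. The sample form is constructed from the attribute examples in this section.

```python
from html.parser import HTMLParser


class _InputCollector(HTMLParser):
    """Collect every <input> element with its attributes (lower-cased keys)."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            self.inputs.append({k.lower(): (v if v is not None else "") for k, v in attrs})


def login_form_fields(html):
    """Derive the bookmark's forms-based SSO settings from a login page.

    Returns user_form_field, password_form_field, the names of the other
    submitted inputs (hidden fields etc.), and warnings for anything the two
    bookmark fields described on this page cannot express.
    """
    collector = _InputCollector()
    collector.feed(html)
    warnings, other = [], []
    user = password = None
    for inp in collector.inputs:
        kind = inp.get("type", "text").lower()
        name, ident = inp.get("name"), inp.get("id")
        if kind == "password" and password is None:
            password = name or ident      # name or id is acceptable for the password field
            if not password:
                warnings.append("password input has neither name nor id")
        elif kind in ("text", "email") and user is None:
            if name and ident and name != ident:
                warnings.append(f"user input name={name!r} and id={ident!r} differ; "
                                "the User Form Field must match both")
            user = name or ident
            if not user:
                warnings.append("user input has neither name nor id")
        elif kind not in ("submit", "button", "reset", "image") and name:
            other.append(name)
    if user is None:
        warnings.append("no user name input found")
    if password is None:
        warnings.append("no password input found")
    return {"user_form_field": user, "password_form_field": password,
            "other_fields": other, "warnings": warnings}


# Constructed sample login page, modelled on the attribute examples in this section.
SAMPLE_LOGIN_FORM = """
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="0123abcd">
  <input type=text name='userid' id='userid'>
  <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    for key, value in login_form_fields(SAMPLE_LOGIN_FORM).items():
        print(f"{key}: {value}")
```

For the sample form the result is User Form Field userid and Password Form Field PASSWORD, with csrf_token reported as an additional submitted field; whether the appliance's forms-based SSO preserves such extra fields is not stated on this page, so test the bookmark against the real application before rolling it out to a group.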
Configuring Group End Point Control
To configure the End Point Control profiles used by local groups, perform the following steps:
-
Navigate to the Users > Local Groups page.
-
Click the configure icon next to the group to be configured for EPC. The Edit Local Group window is displayed.
-
Click the EPC tab. The EPC window is displayed.
-
Configure EPC group settings and add or remove device profiles, as explained in the Users > Local Groups section.
Group Configuration for LDAP Authentication Domains
Note: The Microsoft Active Directory database uses an LDAP organization schema. The Active Directory database may be queried using Kerberos authentication (the standard authentication type; this is labeled "Active Directory" domain authentication in the Dell SonicWALL SRA management interface), NTLM authentication (labeled NT Domain authentication in the SRA management interface), or using LDAP database queries. An LDAP domain configured in the SRA management interface can authenticate to an Active Directory server.
LDAP (Lightweight Directory Access Protocol) is a standard for querying and updating a directory. Since LDAP supports a multilevel hierarchy (for example, groups or organizational units), the SRA appliance can query this information and provide specific group policies or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SRA appliance administrator can leverage the groups that have already been configured in an LDAP or Active Directory database, rather than needing to manually recreate the same groups in the SRA appliance.
Once an LDAP authentication domain is created, a default LDAP group will be created with the same name as the LDAP domain name. Although additional groups may be added or deleted from this domain, the default LDAP group may not be deleted. If the user for which you created LDAP attributes enters the Virtual Office home page, the bookmark you created for the group the user is in will display in the Bookmarks Table.
For an LDAP group, you may define LDAP attributes. For example, you can specify that users in an LDAP group must be members of a certain group or organizational unit defined on the LDAP server. Or you can specify a unique LDAP distinguished name.
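Two inputs in the domain procedure that follows deserve a worked check: the LDAP baseDN field (one search base per line, sub-OUs included, no quotes) and the lookup of a user by sAMAccountName that happens after the appliance binds with the Login user name. The Python below is an added illustration, not the appliance's code. The exact search filter the SRA sends is not documented on this page, so the `(&(objectClass=user)(sAMAccountName=...))` filter is an assumption; what the example does show is the RFC 4515 escaping that keeps a typed login name from changing the meaning of the query, and how a user DN under a sub-OU is covered by a parent base with subtree scope. The sample DNs use the yourdomain.com placeholder from this section.

```python
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_basedn_field(text):
    """Split the multi-line LDAP baseDN field into search bases.

    Mirrors the rules on this page: one DN per line, quotes are not allowed.
    The '=' check is a minimal sanity test of this example, not appliance validation.
    """
    bases = []
    for line in text.splitlines():
        dn = line.strip()
        if not dn:
            continue
        if '"' in dn:
            raise ValueError(f"quotes are not allowed in the LDAP baseDN field: {dn}")
        if "=" not in dn:
            raise ValueError(f"not a distinguished name: {dn}")
        bases.append(dn)
    if not bases:
        raise ValueError("LDAP baseDN field is empty")
    return bases


def user_search(base_dns, sam_account_name):
    """(base, scope, filter) triples that locate the user who typed sam_account_name.

    The filter shape is an assumption of this example, not documented appliance behaviour.
    """
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"
    return [(base, "subtree", flt) for base in base_dns]


def _rdns(dn):
    """Split a DN on unescaped commas; Active Directory DNs compare case-insensitively."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts if p]


def is_under_base(entry_dn, base_dn):
    """True when entry_dn sits in base_dn or in any sub-OU of it (subtree scope)."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    bases = parse_basedn_field("CN=Users,DC=yourdomain,DC=com\nOU=Eng,DC=yourdomain,DC=com\n")
    # A login name carrying filter metacharacters is escaped rather than interpreted.
    for base, scope, flt in user_search(bases, "j.doe*)(objectClass=*"):
        print(base, scope, flt)
    print(is_under_base("CN=alice,OU=Staff,OU=Eng,DC=yourdomain,DC=com", bases[1]))
```

The escaped form of the hostile login name becomes `j.doe\2a\29\28objectClass=\2a`, so the filter still searches for one literal sAMAccountName instead of being widened to every object; that is the property to verify on whatever actually builds the query.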
To add an LDAP attribute for a group so that a user will have a bookmark assigned when entering the Virtual Office environment, perform the following steps:
-
Navigate to the Portals > Domains page and click Add Domain to display the Add New Domain window.
-
Select LDAP from the Authentication Type menu. The LDAP domain configuration fields will be displayed.
-
Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SRA user portal. It can be the same value as the Server address field.
-
Enter the IP address or domain name of the server in the Server address field.
-
Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search base string is CN=Users,DC=yourdomain,DC=com.
Tip: It is possible for multiple OUs to be configured for a single domain by entering each OU on a separate line in the LDAP baseDN field. In addition, any sub-OUs will be automatically included when parents are added to this field.
Note: Do not include quotes (“”) in the LDAP BaseDN field.
-
Enter the common name of a user that has been delegated control of the container the users will be in, along with the corresponding password, in the Login user name and Login password fields.
Note: When entering Login user name and Login password, remember that the SRA appliance binds to the LDAP tree with these credentials, and users can log in with their sAMAccountName.
-
Enter the name of the portal in the Portal name field. Additional layouts may be defined in the Portals > Portals page.
-
Select the Allow password changes (if allowed by LDAP server) check box if you want to be able to change users' passwords. The admin account must be used when changing user passwords.
-
Select the Delete external user accounts on logout check box to delete users who are not logged into a domain account after they log out.
-
Optionally select the One-time passwords check box to enable the One-time password feature. A drop-down list will appear, in which you can select if configured, required for all users, or using domain name. These are defined as:
-
if configured - Only users who have a One Time Password email address configured will use the One Time Password feature.
-
required for all users - All users must use the One Time Password feature. Users who do not have a One Time Password email address configured will not be allowed to log in.
-
using domain name - Users in the domain will use the One Time Password feature. One Time Password emails for all users in the domain will be sent to username@domain.com.
-
If you select One-time passwords, an LDAP e-mail attribute drop-down list appears. Select one of the following:
-
mail - Select mail if this is the name of your LDAP email attribute.
-
userPrincipalName - Select userPrincipalName if this is the name of your LDAP email attribute.
-
custom - Select custom to enter any other LDAP email attribute. Enter the attribute name into the Custom attribute field that appears.
-
Navigate to the Users > Local Groups page and click the configure icon. The Edit Group Settings page is displayed, with fields for LDAP attributes on the General tab.
-
On the General tab, you may optionally fill out one or multiple LDAP Attribute fields with the appropriate names where name=value is the convention for adding a series of LDAP attributes. To see a full list of LDAP attributes, refer to the Dell SonicWALL LDAP Attribute document.
As a common example, fill out an attribute field with the memberOf= attribute which can bundle the following common variable types:
-
CN= - the common name.
-
DN= - the distinguished name.
-
DC= - the domain component.
Enclose the variables you bundle in the memberOf line in double quotes and separate them with commas. An example of the syntax using the CN and DC variables is:
memberOf="CN=<string>, DC=<string>"
An example of a line you might enter into the LDAP Attribute field, using the CN and DC variables, is:
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
-
Type an inactivity timeout value (in minutes) in the Inactivity Timeout field. Enter 0 (zero) to use the global inactivity timeout setting.
-
Under Single Sign-On Settings, in the Automatically log into bookmarks list, select one of the following:
-
Use global policy – Use the global policy for SSO when logging in to bookmarks.
-
User-controlled (enabled by default for new users) – Enable SSO for logging in to bookmarks for new users, and allow users to change this setting.
-
User-controlled (disabled by default for new users) – Disable SSO for logging in to bookmarks for new users, and allow users to change this setting.
-
Enabled – Enable SSO for logging in to bookmarks.
-
Disabled – Disable SSO for logging in to bookmarks.
-
Click Accept when done.
LDAP Attribute Information
When configuring LDAP attributes, the following information may be helpful:
-
If multiple attributes are defined for a group, all attributes must be met by LDAP users.
-
LDAP authentication binds to the LDAP tree using the same credentials that are supplied for authentication. When used against Active Directory, this requires that the login credentials provided match the CN (common name) attribute of the user rather than the sAMAccountName (login name). For example, if your NT/Active Directory login name is gkam and your full name is guitar kam, the username to provide when logging in to the SRA appliance with LDAP authentication depends on the Login user name field: if a login name is supplied there, that name is used to bind to the tree; if the field is blank, you need to log in with the full name (guitar kam); if the field is filled in with a full login name, users log in with the sAMAccountName (gkam).
-
If no attributes are defined, then any user authorized by the LDAP server can be a member of the group.
-
If multiple groups are defined and a user meets all the LDAP attributes for two groups, then the user will be considered part of the group with the most LDAP attributes defined. If the matching LDAP groups have an equal number of attributes, then the user will be considered a member of the group based on the alphabetical order of the groups.
-
If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SRA appliance, then the user will not be able to log in to the portal. So the LDAP attributes feature not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to restrict portal login to certain LDAP users.
Example of LDAP Users and Attributes
If a user is manually added to a LDAP group, then the user setting will take precedence over LDAP attributes.
For example, an LDAP attribute objectClass="Person" is defined for group Group1 and an LDAP attribute memberOf="CN=WINS Users,DC=sonicwall,DC=net" is defined for Group2.
If user Jane is defined by an LDAP server as a member of the Person object class, but is not a member of the WINS Users group, Jane will be a member of SRA appliance Group1.
But if the administrator manually adds the user Jane to SRA appliance Group2, then the LDAP attributes will be ignored and Jane will be a member of Group2.
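The group-selection rules from the LDAP Attribute Information list and the Group1/Group2 example above, worked through in code. This is an added example, not SonicWALL code; the group and user data are constructed, and case-insensitive matching of attribute names and values is an assumption.

```python
# Added example (not SonicWALL code): resolves which SRA group an LDAP user
# falls into per the precedence rules on this page. Data below is constructed.
def attr_matches(user_attrs, name, value):
    """True if the user's multi-valued LDAP attribute `name` carries `value`.
    Names and values are compared case-insensitively (assumption: AD treats
    objectClass values and distinguished names as case-insensitive)."""
    values = [v for k, vs in user_attrs.items() if k.lower() == name.lower() for v in vs]
    return any(v.lower() == value.lower() for v in values)

def resolve_group(username, user_attrs, groups, manual_members=None):
    """Return the SRA group name for the user, or None if no group admits them.
    groups:         {group name: [(attribute, required value), ...]}
    manual_members: {username: group name} for users added to a group by hand
    """
    manual_members = manual_members or {}
    # A user added to a group manually keeps that group; attributes are ignored.
    if username in manual_members:
        return manual_members[username]
    # Every attribute defined on a group must match. A group with no
    # attributes accepts any LDAP-authenticated user (all([]) is True).
    matching = [g for g, required in groups.items()
                if all(attr_matches(user_attrs, n, v) for n, v in required)]
    # Matching no group at all means the portal refuses the login.
    if not matching:
        return None
    # The group with the most attributes wins; ties go alphabetically.
    matching.sort(key=lambda g: (-len(groups[g]), g))
    return matching[0]

# Constructed groups mirroring the page's Group1/Group2 example, plus a third
# group with two attributes to show the "most attributes wins" rule.
GROUPS = {
    "Group1": [("objectClass", "Person")],
    "Group2": [("memberOf", "CN=WINS Users,DC=sonicwall,DC=net")],
    "Group3": [("objectClass", "Person"),
               ("memberOf", "CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net")],
}
# Constructed user entries in the shape ldapsearch would return them.
JANE = {"objectClass": ["top", "person", "organizationalPerson", "user"]}
ADMIN = {"objectClass": ["top", "person", "organizationalPerson", "user"],
         "memberOf": ["CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"]}
SVC = {"objectClass": ["top", "computer"]}

if __name__ == "__main__":
    print(resolve_group("jane", JANE, GROUPS))                      # Group1
    print(resolve_group("jane", JANE, GROUPS, {"jane": "Group2"}))  # Group2
    print(resolve_group("administrator", ADMIN, GROUPS))           # Group3
    print(resolve_group("svc", SVC, GROUPS))                       # None
```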
Sample LDAP Attributes
You may enter up to four LDAP attributes per group. The following are some example LDAP attributes of Active Directory LDAP users:
name="Administrator"
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
objectClass="user"
msNPAllowDialin="FALSE"
Querying an LDAP Server
If you would like to query your LDAP or Active Directory server to find out the LDAP attributes of your users, there are several different methods. From a machine with LDAP search tools (for example, a Linux machine with OpenLDAP installed), run the following command:
ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=sonicwall,dc=net" -w demo123 -b "dc=sonicwall,dc=net" > /tmp/file
Where:
-
10.0.0.5 is the IP address of the LDAP or Active Directory server
-
cn=demo,cn=users,dc=sonicwall,dc=net is the distinguished name of an LDAP user
-
demo123 is the password for the user demo
-
dc=sonicwall,dc=net is the base domain that you are querying
-
> /tmp/file is optional and defines the file where the LDAP query results will be saved.
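To get from the saved ldapsearch output to the name="value" lines the LDAP Attribute field expects, the LDIF in /tmp/file has to be unfolded and decoded first. The following is an added example, not SonicWALL code; the LDIF sample is constructed to show folded continuation lines and a base64 ("::") value, both of which real ldapsearch output contains.

```python
# Added example (not SonicWALL code): parse the LDIF that ldapsearch writes
# to /tmp/file and emit name="value" lines in the form the SRA LDAP Attribute
# field expects. The LDIF below is constructed to illustrate value folding
# (continuation lines) and base64 ("::") values, both common in real output.
import base64

SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=sonicwall,DC=net
objectClass: top
objectClass: person
objectClass: user
name: Administrator
memberOf: CN=Terminal Server Computers,CN=Users,DC=sonicwall,
 DC=net
memberOf: CN=Domain Admins,CN=Users,DC=sonicwall,DC=net
msNPAllowDialin: FALSE
description:: QSBiYXNlNjQgdmFsdWU=
"""

def parse_ldif_entry(text):
    """Return {attribute: [values]} for a single LDIF entry."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # unfold a continued value
        elif line and not line.startswith("#"):
            lines.append(line)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def sra_attribute_lines(entry, names=("name", "memberOf", "objectClass", "msNPAllowDialin")):
    """One SRA-style name="value" line per value of each selected attribute.
    Pick at most four of these per group when filling in the SRA form."""
    return [f'{n}="{v}"' for n in names for v in entry.get(n, [])]

if __name__ == "__main__":
    for line in sra_attribute_lines(parse_ldif_entry(SAMPLE_LDIF)):
        print(line)
```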
For instructions on querying an LDAP server from a Windows server, refer to:
Group Configuration for Active Directory, NT and RADIUS Domains
For authentication to RADIUS, Microsoft NT domain or Active Directory servers (using Kerberos), you can individually define AAA users and groups. This is not required, but it enables you to create separate policies or bookmarks for individual AAA users.
When a user logs in, the SRA appliance validates with the appropriate Active Directory, RADIUS, or NT server that the user is authorized to log in. If the user is authorized, the SRA appliance checks whether the user exists in the SRA appliance database of users and groups. If the user is defined, then the policies and bookmarks defined for the user apply.
For example, if you create a RADIUS domain in the SRA appliance called “Miami RADIUS server”, you can add users to groups that are members of the “Miami RADIUS server” domain. These user names must match the names configured in the RADIUS server. Then, when users log in to the portal, policies, bookmarks and other user settings apply to the users. If the AAA user does not exist in the SRA appliance, then only the global settings, policies and bookmarks apply to the user.
This section contains the following subsections:
Bookmark Support for External (Non-Local) Users
The Virtual Office bookmark system allows bookmarks to be created at both the group and user levels. The administrator can create both group and user bookmarks which will be propagated to applicable users, while individual users can create only personal bookmarks.
Since bookmarks are stored within the SRA appliance’s local configuration files, it is necessary for group and user bookmarks to be correlated to defined group and user entities. When working with local (LocalDomain) groups and users, this is automated since the administrator must manually define the groups and users on the appliance. Similarly, when working with external (non-LocalDomain, for example, RADIUS, NT, LDAP) groups, the correlation is automated since creating an external domain creates a corresponding local group.
However, when working with external (non-LocalDomain) users, a local user entity must exist so that any user-created (personal) bookmarks can be stored within the SRA configuration files. The need to store bookmarks on the SRA appliance itself is because LDAP, RADIUS, and NT Authentication external domains do not provide a direct facility to store such information as bookmarks.
Rather than requiring administrators to manually create local users for external domain users to use personal bookmarks, the SRA appliance automatically creates a corresponding local user entity upon user login. Bookmarks can be added to the locally-created user.
For example, if a RADIUS domain called myRADIUS is created, and RADIUS user jdoe logs on to the SRA appliance, the moment jdoe adds a personal bookmark, a local user called jdoe will be created on the SRA appliance as type External, and can then be managed like any other local user by the administrator. The external local user will remain until deleted by the administrator.