Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SMAConnectAgent - admin permissions needed

BWCBWC Cybersecurity Overlord ✭✭✭


how do you handle that the SMAConnectAgent needs administrative rights to be installed?

Having Device Management enabled on the SMA needs the SMAConnectAgent to be deployed, but it's usual that on employer-provided systems the user does not have any admin permissions.

With the firmware update from to the user got prompted to install a newer version, but can't install because of the missing rights. The prompt can be canceled, but causes confusion on the user side. The endpoints (Notebooks) are located in Home-Offices and will probably not return into the HQ for a while to get refueled via GPO etc. The Home-Offices just connect to the browser-based VirtualOffice, no VPN.

Any help highly appreciated.


Category: Secure Mobile Access Appliances


  • Hi,

    once connect agent is installed and when they upgrade to but it should work fine, if GPO is not causing here..

    Admin rights are needed for NX for first time and subsequent upgrades not needed.

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Vijay_Kumar_KV

    if I get you right, you're saying admin rights are not needed for upgrades? This does not seem to be the case, after logging into the SMA I'am greeted with an option to upgrade the SMAConnectAgent because there is a newer version available, when I'am hitting yes to upgrade I'am asked for Admin credentials.

    That was the point of my initial question, is this a bug and admin rights shouldn't be needed for upgrades like you elaborated?


  • @BWC .

    Admin rights needed while we install SMAConnectAgent is required to upgrade, admin permission will be required again because we need to update registry settings each installation. so admin is needed for every time..

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • admin permission is needed for every time..

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • BWCBWC Cybersecurity Overlord ✭✭✭

    I need to come back about this, actually in retrospect, my question isn't answered. The question was: "How do you handle that the SMAConnectAgent needs administrative rights to be installed?"

    What I mean here, how should we upgrade the SMAConnectAgent in the field on machines where the enduser does not have administrative rights? Should the SMAConnectAgent pre-deployed with some form of software-distribution (GPO, etc.) prior to an upgrade of the SMA to avoid this confusing upgrade messages, which cannot be fullfilled without the admin rights anyhow?

    Whats a common way?


  • I got it, but since this needs to registered in Registry so admin nights are needed, I agree with your points for subsequent upgrades I don't think we need admin rights..we'll check with engineering and if possible to do without rights.

    We can file an RFE?

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Vijay_Kumar_KV

    the problem could be solved if upgrades would not need admin rights, but I'am not sure if this is technically possible.

    For some "HTML Portal-only" deployments I don't even have a chance to deploy the newer Agent manually, because of the lack of a VPN connection. The whole process needs to be as simple as possible, because there a mainly no IT-people sitting in the Home-Offices at the moment.


  • @BWC I got it, we'll check on ourside how to fix this going forward.

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • This is also an issue for many of our clients. As a best practice, users are not given local admin rights. After upgrading SMA firmware, we receive several calls from clients that can’t connect due to not having local admin rights to update the SMA Connect Agent, NetExtender, EPC software, etc. Can you provide an update on this?
  • ThKThK Cybersecurity Overlord ✭✭✭
    edited February 2021

    @BWC @Arthur @Vijay_Kumar_KV

    got this issue that the EPC should be updated after the Patch Clicked download in the Window and then it failed with an notification in the Browserwindow.

    I tried to download the agent from the download section under the User Icon in the upper right corner. But there is no EPC agent available. (Netextender is available.)

    Checked this on other SMAs and finally found one where I could download the agent from. No change to find it in MYSWL.

    Installed it on the client and login was ok for now.

    Did you see this "lost" agent in your instances too?


  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @ThK

    I checked on my SMA 500v and I was able to download them via VirtualOffice.

    You having problems on SMA 2x0/4x0 or 500v? On hardware appliance there seems to be a case a while back:


  • ThKThK Cybersecurity Overlord ✭✭✭

    @BWC all are 500v. the post exatly describes what i have.

    and it does not depend on user. so same as admin or user and LocalDomain or Portal

  • BWCBWC Cybersecurity Overlord ✭✭✭

    I double checked, SMA 500v deployed from OVA and SMA 500v updated to via .sig both having the Files downloadable via VirtualOffice.

    Is it a VMware or Hyper-V deployment, maybe thats the difference? Mine are on ESXi.


  • ThKThK Cybersecurity Overlord ✭✭✭

    @BWC yes on ESXi.

  • ArthurArthur Newbie
    edited March 2021
    We upgraded our SMA 410 to this evening and had the same issue with SMA Connect Agent and NetExtender saying Not Available in the SMA downloads. The files finally became available after 45 minutes. TSR clientdownload log file had the following errors.

    Mon Mar 1 20:45:57 2021 target file(/usr/src/EasyAccess/www/htdocs/NXSetupU.exe) doesn't exist
    -Mon Mar 1 20:45:57 2021 backup file(/usr/src/EasyAccess/var/clients/NXSetupU-10.2.309.exe) doesn't exist

    Local admin rights are still required to update SMA Connect Agent, EPC/NAC Agent, etc. This is a nightmare for most environments as users don’t have local admin rights. At the very least, SMA Connect Agent and EPC/NAC Agent need to be made available for download on to allow apps to be deployed/updated via RMM or other means prior to upgrading SMA firmware. EPC/NAC Agent cannot be downloaded manually on SMA as well, only SMA Connect Agent and NetExtender.
  • I too have been unable to find anywhere to download the EPC Agent so even though we were able to download the SMA agent and push it out via Labtech as soon as the EPC check tries to run the first time they are prompted for admin creds. Nothing like going live with 5 SMAs and waking up to 90 end user tickets. I opened a ticket with Sonicwall to see about getting a MSI that we can push.

  • MartyBMartyB Newbie ✭

    I have the same issue. I want to deploy the SMAConnect using the MSI which works by using our Batchpatch software but the NACAgent still needs admin rights the first time it makes changes to the system.

  • Sonicwall, please advise.
  • EnaEna SonicWall Employee

    Hi @Arthur

    Thanks for following up. I'll will look into this and get back to you.

  • ArthurArthur Newbie
    edited December 2021
    A new issue that needs to be addressed. NetExtender auto upgrade is failing on all endpoints with the following error. The issue started with the NetExtender version included with SMA firmware NetExtender has been installed using the exe file in the SMA virtual office. Subsequence NetExtender upgrades from any newer versions yields the same result. I opened a support case in June and was told the Engineering team would resolve this in the backend. This is extremely frustrating as our users and clients don’t have admin rights on their machines.

    An error occurs in the installation process.

    Another version of SonicWall Netextender has been detected on your system, please uninstall it before running this installation.
  • User316831User316831 Newbie ✭

    Years later, and still not fixed - any SonicWall folk care to explain? @Arthur have you heard anything on the status of this from your ticket?

    We don't give users admin rights, and we have folks connect at all hours of the day/night, so our process following a SMAConnect update that a user has to log a ticket in our helpdesk, who contacts the user to arrange for them to be online so we can use a third party tool to control their machine to login (with assistance from the user to complete mfa login), and finally get SMAConnect updated. Our helpdesk team rather hates SMA updates because of this issue.

    Has anyone found a solution to push SMAConnect updates to clients out of band? I know no product is perfect, but it seems keeping a sonicwall SMA running smoothly requires a set of auxiliary tools and effort (something we'll keep in mind as we face some SMA EOL and replacements within a year).

  • ktdt00ktdt00 Newbie ✭

    I know this is an old thread but it still comes up near the top in search engines. It's fairly obvious and documented above that you can get the SMA Agent from within the portal's download section. I just wanted to add that, at least on current versions, you can download the NAC/EPC agent from the appliance. There are a couple Sonicwall support articles that reference https://x.x.x.x/NACAgent.exe. They don't really tell you this but x.x.x.x is the IP or URL of your appliance. The filename is also case sensitive. So if you want to distribute these out of band you can.

Sign In or Register to comment.