
SMA Deployment

Hello,

We are looking into SMA as we are trying to limit SSL VPN connections to only corporate devices.

Is it able to be deployed as portrayed in the attached image?


Any other advice on the topic would be appreciated. Thanks!

Category: Secure Mobile Access Appliances

Best Answer

  • BWC Cybersecurity Overlord ✭✭✭
    Answer ✓

    @SWuser_123 that is not the way to go; you usually put the SMA in a separate zone like the DMZ behind the Firewall. The traffic between LAN and DMZ is controlled by the TZ.

    On the SMA side you have to use Endpoint Control combined with a proper Authentication to grant access only to Users and Devices of your choice.

    --Michael@BWC

Answers

  • SWuser_123 Newbie ✭

    @BWC so there is no way to have it sitting on the edge of the network? I'm confused as to why it would need to be internal?

  • BWC Cybersecurity Overlord ✭✭✭

    @SWuser_123 the SMA has "no" routing and security capabilities like a Firewall, look at it more as a Webserver with some bells and whistles. You wouldn't install a Webserver in front of a Firewall, would you? :)

    Internal is "relative" in that situation, because it's isolated from the rest of the network by the Firewall in a separate Zone/Subnet.

    --Michael@BWC

  • SWuser_123 Newbie ✭

    @BWC Okay, so if I understand correctly, the traffic would flow from Outside -> TZ -> SMA -> TZ -> LAN ?

    Isolated, yes. But one misconfig or vulnerability away from access? Or am I overthinking it?

  • BWC Cybersecurity Overlord ✭✭✭

    @SWuser_123 yes, the traffic flow is correct.

    As always, Firewall configuration needs some caution but there is no alternative. Vulnerabilities with SMA are somewhat common, so always be on alert, but this counts for every externally exposed service to be fair.

    You need to be careful about what your SMA (or the NetExtender IP ranges) is allowed to access in your LAN.

    --Michael@BWC
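As an added illustration of that last point (this is not code from the thread or from SonicWall), here is a small first-match model of zone-based policy rules that evaluates what a DMZ-hosted SMA or its NetExtender client range can reach in the LAN and flags any DMZ-to-LAN allow rule with an "any" destination or service. Zone names, addresses, services and the rule set are all constructed for the example.

```python
# Added example, not from the thread or SonicWall. Models a zone-based
# first-match policy (default deny) and audits DMZ -> LAN rules for the
# SMA appliance and NetExtender client range. All values are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "allow" or "deny"


def _matches(net: str, addr: str) -> bool:
    """True when addr falls inside net, or net is the wildcard 'any'."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def decision(rules, src_zone, dst_zone, src_ip, dst_ip, service):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip) and r.service in ("any", service):
            return r.action
    return "deny"


def overly_broad(rules, src_zone="DMZ", dst_zone="LAN"):
    """Allow rules from the SMA zone into LAN that use 'any' destination or service."""
    return [r for r in rules
            if r.action == "allow" and (r.src_zone, r.dst_zone) == (src_zone, dst_zone)
            and (r.dst == "any" or r.service == "any")]


def tightened(rules):
    """The same policy with the broad DMZ -> LAN allows removed."""
    broad = set(overly_broad(rules))
    return [r for r in rules if r not in broad]


# Constructed policy: SMA at 192.0.2.10 in DMZ, NetExtender clients on 198.51.100.0/24.
POLICY = [
    Rule("WAN", "DMZ", "any", "192.0.2.10/32", "tcp/443", "allow"),               # portal from Internet
    Rule("DMZ", "LAN", "198.51.100.0/24", "10.0.0.5/32", "tcp/3389", "allow"),    # clients -> jump host only
    Rule("DMZ", "LAN", "192.0.2.10/32", "10.0.0.2/32", "tcp/636", "allow"),       # SMA -> LDAPS for auth
    Rule("DMZ", "LAN", "any", "any", "any", "allow"),                             # the rule to catch
]
```

Running `overly_broad(POLICY)` returns the catch-all rule, and `decision()` shows that with it in place a NetExtender client reaches SMB on an arbitrary LAN host, while `tightened(POLICY)` denies the same flow.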

  • SWuser_123 Newbie ✭

    @BWC very true. Thanks for the info!!
