A special type of encryption known as Public Key Encryption (PKE) comprises a public and a private key for encrypting and decrypting data. With public
key encryption, an entity, such as a secure Web site, generates a public and a private key. A secure Web server sends a public key to a user who accesses
the Web site. The public key allows the user’s Web browser to decrypt data that had been encrypted with the private key. The user’s Web browser can
also transparently encrypt data using the public key and this data can only be decrypted by the secure Web server’s private key.
Public key encryption allows the user to confirm the identity of the Web site through an SSL certificate. After a user contacts the SMA/SRA appliance, the
appliance sends the user its own encryption information, including an SSL certificate with a public encryption key.
SSL for Virtual Private Networking (VPN)
A Secure Socket Layer-based Virtual Private Network (SSL VPN) allows applications and private network resources to be accessed remotely through a
secure connection. Using SSL VPN, mobile workers, business partners, and customers can access files or applications on a company’s intranet or within a
private local area network.
Organizations use Virtual Private Networks (VPNs) to establish secure, end-to-end private network connections over a public networking infrastructure,
allowing them to reduce their communications expenses and to provide private, secure connections between a user and a site in the organization. By
offering Secure Socket Layer (SSL) VPN, without the expense of special feature licensing, the SMA/SRA appliance provides customers with cost-
effective alternatives to deploying parallel remote-access infrastructures.
SSL Handshake Procedure
The following procedure is an example of the standard steps required to establish an SSL session between a user and an SMA/SRA gateway using the
Secure Mobile Access web-based management interface:
1 When a user attempts to connect to the SMA/SRA appliance, the user’s Web browser sends information about the types of encryption supported
by the browser to the appliance.
2 The appliance sends the user its own encryption information, including an SSL certificate with a public encryption key.
3 The Web browser validates the SSL certificate with the Certificate Authority identified by the SSL certificate.
4 The Web browser generates a pre-master encryption key, encrypts the pre-master key using the public key included with the SSL certificate and
sends the encrypted pre-master key to the SMA/SRA gateway.
5 The SMA/SRA gateway uses the pre-master key to create a master key and sends the new master key to the user’s Web browser.
6 The browser and the SMA/SRA gateway use the master key and the agreed upon encryption algorithm to establish an SSL connection. From this
point on, the user and the SMA/SRA gateway encrypts and decrypts data using the same encryption key. This is called symmetric encryption.
7 After the SSL connection is established, the SMA/SRA gateway encrypts and sends the Web browser the SMA/SRA gateway login page.
8 The user submits their user name, password, and domain name.
9 If the user’s domain name requires authentication through a RADIUS, LDAP, or Active Directory Server, the SMA/SRA gateway forwards the
user’s information to the appropriate server for authentication.
10 After being authenticated, the user can access the Secure Mobile Access portal.
IPv6 Support Overview
Internet Protocol version 6 (IPv6) is a replacement for IPv4 that is becoming more frequently used on networked devices. IPv6 is a suite of protocols and
standards developed by the Internet Engineering Task Force (IETF) that provides a larger address space than IPv4, additional functionality and security,
and resolves IPv4 design issues. You can use IPv6 without affecting IPv4 communications.
IPv6 supports stateful address configuration that is used with a DHCPv6 server, and stateless address configuration, where hosts on a link automatically
configure themselves with IPv6 addresses for the link, called link-local addresses.
In IPv6, source and destination addresses are 128 bits (16 bytes) in length. For reference, the 32-bit IPv4 address is represented in dotted-decimal
format, divided by periods along 8-bit boundaries. The 128-bit IPv6 address is divided by colons along 16-bit boundaries, where each 16-bit block is
represented as a 4-digit hexadecimal number. This is called colon-hexadecimal.
The IPv6 address, 2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4 can be simplified by removing the leading zeros within each 16-bit block, as long as
each block has at least one digit. When suppressing leading zeros, the address representation becomes: 2008:AB1:0:1E2A:123:45:EE37:C9B4
When addresses contain contiguous sequences of 16-bit blocks set to zeros, the sequence can be compressed to :: , a double-colon. For example, the link-
local address of 2008:0:0:0:B67:89:ABCD:1234 can be compressed to 2008::B67:89:ABCD:1234. The multicast address 2008:0:0:0:0:0:0:2 can be
compressed to 2008::2.
The IPv6 prefix is the part of the address that indicates the bits of the subnet prefix. Prefixes for IPv6 subnets, routes, and address ranges are written as
address/prefix-length, or CIDR notation. For example, 2008:AA::/48 and 2007:BB:0:89AB::/64 are IPv6 address prefixes.
Secure Mobile Access supports IPv6 in the following areas:
Services
• FTP Bookmark – Define a FTP bookmark using an IPv6 address.
• Telnet Bookmark – Define a Telnet bookmark using an IPv6 address.
• SSHv2 Bookmark – Define an SSHv2 bookmark using an IPv6 address.
• Reverse proxy for HTTP/HTTPS Bookmark – Define an HTTP or HTTPS bookmark using an IPv6 address.
• Citrix Bookmark – Define a Citrix bookmark using an IPv6 address.
• RDP Bookmark - Define an RDP bookmark using an IPv6 address.
• VNC Bookmark - Define a VNC bookmark using an IPv6 address.
NOTE: IPv6 is not supported for File Shares (CIFS).