Dell SonicWALL Secure Mobile Access 8.5Administration Guide 390To enable tunnel all mode:1 Navigate to Users > Local Groups.2 Click the configure icon next to the group you want to configure.3 In the Edit Local Group page, select the Nx Routes tab.4 Select Enable from the Tunnel All Mode drop-down list.5 Click Accept.Adding Group PoliciesWith group access policies, all traffic is allowed by default. Additional allow and deny policies could be createdby destination address or address range and by service type.The most specific policy takes precedence over less specific policies. For example, a policy that applies to onlyone IP address has priority over a policy that applies to a range of IP addresses. If there are two policies thatapply to a single IP address, then a policy for a specific service (for example RDP) takes precedence over apolicy that applies to all services.User policies take precedence over group policies and group policies take precedence over global policies,regardless of the policy definition. A user policy that allows access to all IP addresses takes precedence over agroup policy that denies access to a single IP address.To define group access policies:1 Navigate to Users > Local Groups.2 Click the configure icon next to the group you want to configure.3 In the Edit Local Group page, select the Policies tab.4 On the Policies tab, click Add Policy. The Add Policy screen is displayed.5 Define a name for the policy in the Policy Name field.6 In the Apply Policy To drop-down list, select whether the policy is applied to an individual host, a rangeof addresses, all addresses, a network object, a server path, or a URL object. You can also select anindividual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy window changesdepending on what type of object you select in the Apply Policy To drop-down list.NOTE: You can optionally tunnel-all Secure Mobile Access client traffic through the NetExtenderconnection by entering 0.0.0.0 for the Destination Network and Subnet Mask/Prefix in the AddClient Routes window.NOTE: Within the group policy scheme, the primary group policy is always enforced over any additionalgroup policies.NOTE: The Secure Mobile Access policies apply to the destination address(es) of the SMA/SRAconnection, not the source address. You cannot permit or block a specific IP address on theInternet from authenticating to the SMA/SRA gateway through the policy engine. It is possible tocontrol source logins by IP address from the user's Login Policies page. For more information,refer to Configuring Login Policies on page 380.
