This section provides an overview to the NetExtender feature. This section contains the following subsections:
For information on using NetExtender, refer to the NetExtender > Status or refer to the Dell SonicWALL SRA User’s Guide.
Dell SonicWALL NetExtender is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.
In SRA 5.5 and higher, NetExtender capabilities include the Dell SonicWALL Mobile Connect app for Apple iPhone, iPad, and iPod Touch. Mobile Connect enables secure, mobile connections to private networks protected by Dell SonicWALL security appliances. For information about installing and using Dell SonicWALL Mobile Connect, see the Dell SonicWALL Mobile Connect User’s Guide.
NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox. On Linux or MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal.
The NetExtender Windows client also has a custom-dialer that allows it to be launched from the Windows Network Connections menu. This custom-dialer allows NetExtender to be connected before the Windows domain login. The NetExtender Windows client also supports a single active connection, and displays real-time throughput and data compression ratios in the client.
After installation, NetExtender automatically launches and connects a virtual adapter for SSL-secure NetExtender point-to-point access to permitted hosts and subnets on the internal network.
The following sections describe advanced NetExtender concepts:
SRA appliances provide a stand-alone NetExtender application. NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer will first uninstall the old NetExtender and install the new version.
Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots.
NetExtender can establish a VPN session before the user logs into the Windows domain. For Windows Vista or later, users can click Switch User on the Windows login screen and click the blue computer icon that appears at the right bottom of the screen to view the dialup connection list, and then can select NetExtender to connect.
Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.
NetExtender is compatible with the following Dell SonicWALL appliances:
NetExtender is also backward compatible with older SSL-VPN 2000/4000 appliances for connectivity.
NetExtender is officially supported on the following client platforms:
NetExtender may work properly on other Linux distributions, but they are not officially supported by Dell SonicWALL.
Multiple range and route support for NetExtender on SRA appliances enables network administrators to easily segment groups and users without the need to configure firewall rules to govern access. This user segmentation allows for granular control of access to the network—allowing users access to necessary resources while restricting access to sensitive resources to only those who require it.
For networks that do not require segmentation, client addresses and routes can be configured globally as in the SRA 1.0 version of NetExtender. The following sections describe the new multiple range and route enhancements:
Administrators can configure separate NetExtender IP address ranges for users and groups. These settings are configured on the Users > Local Users and Users > Local Groups pages, using the NetExtender tab in the Edit User and Edit Group windows.
When configuring multiple user and group NetExtender IP address ranges, it is important to know how the SRA appliance assigns IP addresses. When assigning an IP address to a NetExtender client, the SRA appliance uses the following hierarchy of ranges:
To reserve a single IP address for an individual user, the administrator can enter the same IP address in both the Client Address Range Begin and Client Address Range End fields on the NetExtender tab of the Edit Group window.
NetExtender client routes are used to allow and deny access to various network resources. Client routes can also be configured at the user and group level. NetExtender client routes are also configured on the Edit User and Edit Group windows. The segmentation of client routes is fully customizable, allowing the administrator to specify any possible permutation of user, group, and global routes (such as only group routes, only user routes, group and global routes, user, group, and global routes, etc.). This segmentation is controlled by the Add Global NetExtender Client routes and Add Group NetExtender Client routes check boxes.
Networks that use an external authentication server will not configure local usernames on the SRA appliance. In such cases, when a user is successfully authenticated, a local user account is created if the Add Global NetExtender Client routes and Add Group NetExtender Client routes settings are enabled.
In SRA, the PPP server IP address is 192.0.2.1 for all connecting clients. This IP address is transparent to both the remote users connecting to the internal network and to the internal network hosts communicating with remote NetExtender clients. Because the PPP server IP address is independent from the NetExtender address pool, all IP addresses in the global NetExtender address pool will be used for NetExtender clients.
SRA appliances provide users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.
Tunnel All mode routes all traffic to and from the remote user over the SRA NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SRA tunnel instead. For example, if a remote user is has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SRA tunnel.
Tunnel All mode can be configured at the global, group, and user levels.
SRA appliances support NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
|
•
|
Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD)), which can push the proxy settings script to the client automatically.
|
|
•
|
Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window will prompt you to enter them when you first connect.
|
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SRA server directly. The proxy server then forwards traffic to the SRA server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.
