Configuring GroupVPN with IKE using 3rd Party Certificates

To configure GroupVPN with IKE using 3rd Party Certificates:
1. In the VPN > Settings page, click the edit icon under Configure. The VPN Policy dialog displays.

2. In the Security Policy section, select IKE using 3rd Party Certificates from the Authentication Method menu. The VPN policy name is GroupVPN by default and cannot be changed.
3
4.
E-Mail ID and Domain Name - The E-Mail ID and Domain Name types are based on the certificate's Subject Alternative Name field, which not all certificates contain by default. If the certificate does not contain a Subject Alternative Name field, this filter will not work. The E-Mail ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wildcard characters * (for more than 1 character) and ? (for a single character). For example, with E-Mail ID selected, the string *@SonicWall.com would allow anyone with an email address that ends in SonicWall.com to have access; with Domain Name selected, the string *sv.us.SonicWall.com would allow anyone with a domain name that ends in sv.us.SonicWall.com to have access.
Distinguished Name - Based on the certificate's Subject Distinguished Name field, which all certificates contain by default. The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), and Locality (L=), and they vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 certificate is a binary object that must be converted to a string for matching purposes. The fields are separated by the forward slash character (/), for example: /C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub

Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need a trailing semicolon. You must enter at least one entry, for example, c=us.
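The following Python is an added example, not SonicWall code: it models the Peer ID filter rules described above (case-insensitive matching, * for a run of characters, ? for one character, E-Mail ID and Domain Name evaluated only against Subject Alternative Name entries, and the semicolon-separated Distinguished Name form) so an administrator can check which certificate subjects a candidate filter string would accept before deploying it. The sample certificate values are constructed, and the rule that each DN entry must match at least one same-type attribute is an assumption where the text is silent.

```python
import re
from typing import List, Optional, Tuple

# Added example (not SonicWall code): models the Peer ID filter rules stated
# above: case-insensitive, * = any run of characters, ? = one character.
# Behaviour the text does not spell out (see match_dn) is an assumption.

# Constructed sample, not a real certificate: subject in the page's format
# plus two Subject Alternative Name entries.
SAMPLE_CERT = {"subject": "/C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub",
               "san": ["joe.pub@sonicwall.com", "laptop7.sv.us.sonicwall.com"]}

def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a filter string with * and ? into an anchored regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def match_san(filter_str: str, san_values: Optional[List[str]]) -> bool:
    """E-Mail ID / Domain Name filter: tested against SAN entries only.
    A certificate with no Subject Alternative Name can never match."""
    if not san_values:
        return False
    rx = _glob_to_regex(filter_str)
    return any(rx.match(v) for v in san_values)

def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split '/C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub' into
    (attribute, value) pairs, keeping repeated OUs in order."""
    pairs = []
    for field in re.split(r"/(?=[A-Za-z]+=)", subject.strip("/")):
        key, _, value = field.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def match_dn(filter_str: str, subject: str) -> bool:
    """Distinguished Name filter such as 'c=us;o=*;ou=*;cn=*'. Assumed rule:
    every entry must match at least one subject attribute of the same type;
    an empty filter is rejected because at least one entry is required."""
    entries = [e for e in filter_str.split(";") if e.strip()]
    if not entries:
        return False
    attrs = parse_subject(subject)
    for entry in entries:
        key, _, pattern = entry.partition("=")
        rx = _glob_to_regex(pattern.strip())
        if not any(k == key.strip().lower() and rx.match(v) for k, v in attrs):
            return False
    return True
```

Because a leading * matches any prefix, a Domain Name filter such as *sv.us.SonicWall.com also accepts names like hostsv.us.SonicWall.com; write *.sv.us.SonicWall.com when only subdomains should be accepted.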

5
6. Check Allow Only Peer Certificates Signed by Gateway Issuer to require that peer certificates be signed by the issuer specified in the Gateway Certificate menu.
7. Click the Proposals tab.
8. In the IKE (Phase 1) Proposal section, select the following settings:
Select 3DES, AES-128, or AES-256 from the Encryption menu.
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
9. In the IPsec (Phase 2) Proposal section, select the following settings:
Select 3DES, AES-128, or AES-256 from the Encryption menu.
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. Select Group 2 from the DH Group menu.
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
10. Click the Advanced tab and select any of the following optional settings that you want to apply to your GroupVPN Policy:
Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows Network Neighborhood.
Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
Permit Acceleration - Enables redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
Management via this SA - If using the VPN policy to manage the SonicWall security appliance, select the management method, either HTTP or HTTPS.
Default Gateway - Used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA check box. Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPsec packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL at which to check certificate status. See Using OCSP with SonicWall Security Appliances.
Require Authentication of VPN Clients via XAUTH - Requires that all inbound traffic on this VPN policy is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
User group for XAUTH users - Allows you to select a defined user group for authentication.
All Unauthenticated VPN Client Access - Allows you to specify network segments for unauthenticated Global VPN Client access.
11. Click the Client tab and select any of the following boxes that you want to apply to Global VPN Client provisioning:
Cache XAUTH User Name and Password - Allows the Global VPN Client to cache the user name and password. Select from:
Never - Global VPN Client is not allowed to cache username and password. The user will be prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey.
Single Session - The user will be prompted for username and password each time the connection is enabled and will be valid until the connection is disabled. This username and password is used through IKE phase 1 rekey.
Always - The user will be prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password.
Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) depends on a DHCP server, either the internal SonicOS server or a specified external DHCP server, to allocate addresses to the Virtual Adapter. Where predictable addressing is a requirement, it is necessary to obtain the MAC address of the Virtual Adapter and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, you can configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration. This feature requires GVC version 3.0 or later.
None - A Virtual Adapter will not be used by this GroupVPN connection.
DHCP Lease - The Virtual Adapter obtains its IP configuration from the DHCP server only, as configured on the VPN > DHCP over VPN page.
DHCP Lease or Manual Configuration - When the GVC connects to the SonicWall, the policy from the SonicWall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the SonicWall so that it can proxy ARP for the manually assigned IP address. By design, there are currently no limitations on IP address assignments for the Virtual Adapter. Only duplicate static addresses are not permitted.
Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, then the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
Split Tunnels - Allows the VPN user to have both local Internet connectivity and VPN connectivity.
Set Default Route as this Gateway - Enable this check box if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
Use Default Key for Simple Client Provisioning - Uses Aggressive mode for the initial exchange with the gateway, and VPN clients use a default Preshared Key for authentication.
12