SonicOS supports NetExtender connections for users with IPv6 addresses. On the SSLVPN > Client Settings page, first configure the traditional IPv4 address pool, and then configure an IPv6 IP Pool. Clients are assigned two internal addresses: one IPv4 and one IPv6.

Note IPv6 DNS/WINS servers are not supported.

On the SSLVPN > Client Routes page, users can select client routes from the drop-down list of all address objects, including all the pre-defined IPv6 address objects.

Note IPv6 FQDN is supported.

Configuring Security Attributes

1. Click on the Security Attributes tab.

2. In the Select Attribute(s) pulldown menu, select the appropriate type of attribute. The following sections describe how to configure the Security Attributes:

• Antivirus Program

• Antispyware program

• Application

• Client certificate

• Directory name

• Equipment ID

• File name

• Personal firewall program

• Windows domain

• Windows registry entry

• Windows version

3. Complete the attribute-specific configuration (described below) and click Add to current attributes.

4. Repeat as needed to configure multiple attributes. When more than one Security Attribute is configured, the device must match all of them in order for it to match the Device Profile.

5. When finished click the Client Routes tab and continue to Configuring Client Routes.

 

Antivirus Program

The Device Profile checks that the specified Antivirus program is installed.

The following information is used to define the Antivirus program attribute:

• Vendor – Select the vendor for the Antivirus program.

• Product name – Select the supported Antivirus programs.

• Product version – After you select an Antivirus program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.

Tip For all of these numeric searches in Security Attributes, you can specify one of five types of comparison operators in the pulldown menu: greater than (>), greater than or equal to (>=), equal to (=), less than (<), or less than or equal to (<=).

• Signature updated – Enter a value in days for how recently the client device has updated its Antivirus signature and select a comparison operator type.

• File system scanned – Enter a value in days for how recently the client device has been scanned by the Antivirus program and select a comparison operator type.

• Realtime protection required – Select this checkbox to require that realtime protection be enabled on the Antivirus program.

Antispyware program

The Device Profile checks that the specified Antispyware program is installed.

The following information is used to define the Antispyware program attribute:

• Vendor – Select the vendor for the Antispyware program.

• Product name – Select the supported Antispyware programs.

• Product version – After you select an Antispyware program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.

• Signature updated – Enter a value in days for how recently the client device has updated its Antispyware signature and select a comparison operator.

• File system scanned – Enter a value in days for how recently the client device has been scanned by the Antispyware program and select a comparison operator.

• Realtime protection required – Select this checkbox to require that realtime protection be enabled on the Antispyware program.

Application

The Device Profile checks that the specified application is installed.

Enter the file name of the application. Wildcard characters (* and ?) can be used, and the entry is not case sensitive.

Client certificate

The Device Profile checks that a Certificate Authority (CA) certificate is installed.

Select the certificate from the CA certificate pulldown menu. All of the certificates installed on the SonicWALL security appliance are displayed in the pulldown menu. In order for a client device to match this profile, the appliance must be configured with the root certificate for the CA that issued the client certificate to your users (intermediate certificates do not work).

Select the certificate store(s) you want searched:

• System store only – Searches HKLM\SOFTWARE\Microsoft\SystemCertificates.

• System store and user store – The system store directory is searched first, followed by the user store: HKCU\Software\Microsoft\SystemCertificates.

Directory name

The Device Profile checks that a specific directory is present on the device’s file system.

Enter the Directory name that must be present on the hard disk of the device. Directory names are not case-sensitive.

Equipment ID

The Device Profile verifies the Equipment ID, a unique hardware identifier, of the device.

Enter the Device identifier for the user’s device. Only one device will be able to match this Device Profile. The device identifier is usually an attribute in the authentication directory represented by a variable; for example, {unique_id}.

A hard disk utility program such as HD Tune can be used to determine the Device Identifier. In the following screenshot of HD Tune, the Device Identifier is listed as “Serial number.”

File name

The Device Profile checks that a specific file is installed.

The following information is used to define the file name attribute:

• File name – Enter the name of the file, including its extension and full path. File names are not case-sensitive. You can use wildcard characters (* and ?) or environment variables (such as %windir% or %userprofile%).

• File size – Enter the file size in bytes and select a comparison operator.

• Last modified – You can either select an absolute time by entering a date (in mm/dd/yyyy format), or a relative time by entering the number of days (and optionally hours, minutes and seconds) since the file was modified.

• Validate file integrity – Select this checkbox to validate the file using either an MD5 or SHA-1 hash, or a Windows catalog file.

Personal firewall program

The Device Profile checks that a personal firewall program is installed.

The following information is used to define the Personal firewall program attribute:

• Vendor – Select the vendor for the Personal firewall program.

• Product name – Select the supported Personal firewall programs.

• Product version – After you select a Personal firewall program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.

Windows domain

The Device Profile checks that the specified Windows domain is present.

In the Computer is a member of domain field, enter one or more domain names, without a DNS suffix. Multiple entries can be separated with semicolons. The domain can contain wildcard characters (* and ?).

Windows registry entry

The Device Profile checks that the specified Windows registry entry is present.

The following information is used to define the Windows registry entry attribute:

• Key name – Enter the Windows registry key.

• Value name – (Optional) Enter a specific value name for the registry entry.

• Registry entry – (Optional) Enter a numeric value for the registry entry and select a comparison operator.

Wildcards can be used for the Value name and Registry entry fields, but not for the key. To enter a special character (such as a wildcard or backslash), you must precede it with a backslash.

Windows version

The Device Profile checks the version of Windows that the device is running.

The following information is used to define the Windows version search:

• Operator – Select greater than (>), greater than or equal to (>=), equal to (=), less than (<), or less than or equal to (<=).

• Major – Enter the Windows major version number.

• Minor – Enter the Windows minor version number.

• Build – (Optional) Enter the Windows build version number.

• The recent Windows versions are defined with the following Major and Minor release numbers:

– Windows 2000 – Major: 5, Minor: 0

– Windows XP – Major: 5, Minor: 1

– Windows Vista – Major: 6, Minor: 0

– Windows 7 – Major: 6, Minor: 1

The comparison Operator applies to all three values.
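The matching rules described in the attribute sections above (case-insensitive * and ? wildcards, backslash escapes in the registry value fields, the five comparison operators, Major/Minor/Build version comparison, and the requirement that a device match every configured attribute) can be modelled in a few lines. The Python below is an added example and is not SonicOS or NetExtender code: the posture report in DEVICE, the hypothetical profile in evaluate_profile, and the choice to compare the Windows version as a (Major, Minor, Build) tuple truncated to the values the profile specifies are all assumptions.

```python
"""Model of how a Device Profile's Security Attributes are evaluated.

Added example, not SonicOS code: it reproduces the rules stated in the guide
(case-insensitive * and ? wildcards, backslash escapes in registry value
fields, five comparison operators, Major/Minor/Build version comparison,
and AND across all configured attributes) against a constructed posture.
"""
import hashlib
import operator
import re

# The five comparison operators offered in the Security Attributes pulldown.
OPERATORS = {">": operator.gt, ">=": operator.ge, "=": operator.eq,
             "<": operator.lt, "<=": operator.le}


def pattern_to_regex(pattern, backslash_escapes=False):
    """Translate a '*' / '?' wildcard pattern into a case-insensitive regex.

    With backslash_escapes=True (registry Value name / Registry entry fields)
    a backslash makes the next character literal, so r'\*' matches one star.
    Without it (file and directory names) backslashes are ordinary path
    separators.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def match_wildcard(pattern, value, backslash_escapes=False):
    return pattern_to_regex(pattern, backslash_escapes).match(value) is not None


def compare(op, actual, required):
    """Apply one of the pulldown operators: actual <op> required."""
    return OPERATORS[op](actual, required)


def windows_version_ok(op, device_version, required_version):
    """The operator applies to (Major, Minor[, Build]) as one tuple; if the
    profile omits Build, the device's build is ignored (assumption)."""
    n = len(required_version)
    return compare(op, tuple(device_version[:n]), tuple(required_version))


def domain_ok(allowed_domains, device_domain):
    """Semicolon-separated list of domain names (no DNS suffix), wildcards
    allowed; membership in any listed domain satisfies the attribute."""
    patterns = [p.strip() for p in allowed_domains.split(";") if p.strip()]
    return any(match_wildcard(p, device_domain) for p in patterns)


def file_hash_ok(file_bytes, expected_hex):
    """Validate file integrity against an MD5 (32 hex chars) or SHA-1 (40)
    digest, as the 'Validate file integrity' option allows."""
    algo = {32: "md5", 40: "sha1"}[len(expected_hex)]
    return hashlib.new(algo, file_bytes).hexdigest() == expected_hex.lower()


# Constructed posture report for one client; not a real NetExtender format.
DEVICE = {
    "windows": (6, 1, 7601),                       # Windows 7 SP1
    "domain": "CORP",
    "files": {r"C:\Program Files\Corp\agent.exe": b"agent-binary-v2"},
    "registry": {(r"HKLM\SOFTWARE\Corp\Agent", "Level"): 3},
    "av_signature_age_days": 2,
}


def evaluate_profile(device):
    """Hypothetical Device Profile with five attributes; every one must match."""
    agent_hash = hashlib.sha1(b"agent-binary-v2").hexdigest()
    checks = [
        windows_version_ok(">=", device["windows"], (6, 1)),          # Windows 7 or later
        domain_ok("corp;corp-*", device["domain"]),                    # Windows domain
        any(match_wildcard(r"c:\program files\corp\*.exe", path)      # File name + hash
            and file_hash_ok(data, agent_hash)
            for path, data in device["files"].items()),
        compare("<=", device["av_signature_age_days"], 7),            # Signature updated
        compare(">=", device["registry"].get(                          # Windows registry entry
            (r"HKLM\SOFTWARE\Corp\Agent", "Level"), 0), 2),
    ]
    return all(checks)


if __name__ == "__main__":
    print("profile matches:", evaluate_profile(DEVICE))
    print("after downgrade to XP:",
          evaluate_profile(dict(DEVICE, windows=(5, 1, 2600))))
```

Changing a single posture value (for instance the Windows version to 5.1, the XP numbers from the list above) makes the whole profile fail, which is the AND semantics the guide describes in step 4.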

When you have completed the Security Attributes configuration, click on the Client Routes tab.

Configuring Client Routes

The Client Routes tab is used to govern the network access that is granted to SSL VPN users.

Select Enabled from the Tunnel All Mode drop-down list to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
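The route table above is easier to reason about with a longest-prefix-match model. The Python below is an added example, not NetExtender code: it loads the three Tunnel All Mode routes from the table, adds the local-network route from the 10.0.67.64 example, and shows which interface a few destinations resolve to with Tunnel All Mode on and off. The interface names, the metrics (lower is preferred, the Windows convention) and the split-tunnel client route 192.168.100.0/24 are constructed values.

```python
"""Longest-prefix-match model of the NetExtender client route table.

Added example, not NetExtender code. It shows why the three Tunnel All Mode
routes (0.0.0.0/0.0.0.0, 0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) capture
all IPv4 traffic, and how the extra route for the client's own local network
wins over the adapter's on-link route. Interface names, metrics and the
split-tunnel client route are constructed values.
"""
import ipaddress

# Tunnel All Mode routes, taken from the guide's table (IP address / mask).
TUNNEL_ALL_ROUTES = ("0.0.0.0/0.0.0.0", "0.0.0.0/128.0.0.0", "128.0.0.0/128.0.0.0")


def build_routes(local_ip, local_mask, tunnel_all, client_routes=()):
    """Return [(network, interface, metric)] for a client on local_ip/local_mask.

    Lower metric is preferred (Windows convention; assumption). The routes
    NetExtender adds get a better metric than the adapter's own routes so the
    tunnel wins any tie on prefix length.
    """
    local_net = ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False)
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "lan-gateway", 25),  # pre-existing default
        (local_net, "lan", 25),                                  # pre-existing on-link
    ]
    if tunnel_all:
        for cidr in TUNNEL_ALL_ROUTES:
            routes.append((ipaddress.ip_network(cidr), "sslvpn", 1))
        # NetExtender also routes the client's own local network through the tunnel.
        routes.append((local_net, "sslvpn", 1))
    else:
        # Split tunnel: only the address objects added on the Client Routes tab.
        for cidr in client_routes:
            routes.append((ipaddress.ip_network(cidr), "sslvpn", 1))
    return routes


def lookup(routes, destination):
    """Most specific matching prefix wins; equal prefixes are decided by metric."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, iface, metric in routes:
        if dst in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, iface)
    return best[1] if best else None


def tunnel_all_covers_ipv4():
    """The two /1 routes together are exactly 0.0.0.0/0, yet each is more
    specific than the default route, so they win longest-prefix match."""
    halves = [ipaddress.ip_network(c) for c in TUNNEL_ALL_ROUTES[1:]]
    return list(ipaddress.collapse_addresses(halves)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    # The guide's example: client at 10.0.67.64 on a 10.0.*.* network.
    full = build_routes("10.0.67.64", "255.255.0.0", tunnel_all=True)
    split = build_routes("10.0.67.64", "255.255.0.0", tunnel_all=False,
                         client_routes=("192.168.100.0/24",))
    print("the two /1 routes cover all of IPv4:", tunnel_all_covers_ipv4())
    for dst in ("8.8.8.8", "10.0.12.5", "192.168.100.7"):
        print(dst, "tunnel-all ->", lookup(full, dst), "| split ->", lookup(split, dst))
```

The design point is that NetExtender does not have to remove or out-rank the existing default route: a /1 is always more specific than /0, so the two halves win on prefix length alone, while the copy of the local network route has to win on metric because its prefix length equals the adapter's own.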

Note In addition to configuring Tunnel All Mode, you must also configure the individual SSL VPN user accounts. See Configuring Users and Groups for Client Routes and Tunnel All Mode.

To configure client routes to grant SSL VPN users network access, perform the following steps:

1. Select the appropriate Address Object in the Networks list.

2. Click the -> button to add it to the Client Routes list.

3. Repeat for any additional Address Objects.

4. When finished, click on the Client Settings tab. When you are finished with configuring the Device Profile, see the following section on how to configure SSL VPN users and groups for SSL VPN access.

Configuring Users and Groups for Client Routes and Tunnel All Mode

Note After completing the Client Routes configuration in the Device Profile, you must also assign all SSL VPN users and groups access to these routes on the Users > Local Users or Users > Local Groups pages.

To configure SSL VPN NetExtender users and groups to access Client Routes, perform the following steps.

1. Navigate to the Users > Local Users or Users > Local Groups page.

2. Click on the Configure button for the SSL VPN NetExtender user or group.

3. Click on the VPN Access tab.

4. Select the address object for the Client Route, and click the right arrow (->) button.

5. Click OK.

6. Repeat steps 1 through 5 for all local users and groups that use SSL VPN NetExtender.

 

To configure SSL VPN users and groups for Tunnel All Mode, perform the following steps.

1. Navigate to the Users > Local Users or Users > Local Groups page.

2. Click on the Configure button for an SSL VPN NetExtender user or group.

3. Click on the VPN Access tab.

4. Select the WAN RemoteAccess Networks address object and click the right arrow (->) button.

5. Click OK.

6. Repeat steps 1 through 5 for all local users and groups that use SSL VPN NetExtender.

 

Configuring Client Settings

The Client Settings tab is used to configure the DNS settings for SSL VPN clients as well as several options for the NetExtender client.

To configure Client Settings, perform the following tasks:

1. Click Default DNS Settings to use the default DNS settings of the SonicWALL security appliance. The DNS and WINS configuration is propagated automatically.

2. Alternatively, configure the DNS information manually: in the DNS Server 1 field, enter the IP address of the primary DNS server.

3. (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.

4. DNS Search List

5. (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.

6. (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.

7. Configure the following NetExtender client settings to customize the behavior of NetExtender when users connect and disconnect:

• Enable Client Autoupdate – The NetExtender client checks for updates every time it is launched.

• Exit Client After Disconnect – The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN portal or launch NetExtender from their Programs menu.

• Uninstall Client After Disconnect – The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users will have to return to the SSL VPN portal.

• Create Client Connection Profile – The NetExtender client creates a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.

• User Name & Password Caching – Provides flexibility in allowing users to cache their usernames and passwords in the NetExtender client. The three options are Allow saving of user name only, Allow saving of user name & password, and Prohibit saving of user name & password. These options enable administrators to balance security needs against ease of use for users.

8. Click OK to complete the Device Profile configuration process.