This chapter provides information on how to configure the SSL VPN features on the SonicWALL
security appliance. SonicWALL’s SSL VPN features provide secure remote access to the network using the NetExtender client.
NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded
transparently and that allows you to run any application securely on the company’s network. It uses Point-to-Point Protocol (PPP). NetExtender allows remote clients seamless access to resources on your local network. Users can access NetExtender two ways:
The NetExtender standalone client is installed the first time you launch NetExtender.
Thereafter, it can be accessed directly from the Start menu on Windows systems, from the Application folder or dock on MacOS systems, or by the path name or from the shortcut bar on Linux systems.
This chapter contains the following sections:
This section provides an introduction to the SonicOS Enhanced SSL VPN NetExtender feature.
This section contains the following subsections:
SonicWALL’s SSL VPN NetExtender feature is a transparent software application for Windows,
Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.
NetExtender provides remote users with full access to your protected internal network. The
experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox. On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install and use the NetExtender client.
After installation, NetExtender automatically launches and connects a virtual adapter for secure
SSL-VPN point-to-point access to permitted hosts and subnets on the internal network.
The following sections describe advanced NetExtender concepts:
NetExtender is a browser-installed lightweight application that provides comprehensive
remote access without requiring users to manually download and install the application. The
first time a user launches NetExtender, the NetExtender stand-alone client is automatically
installed on the user’s PC or Mac. The installer creates a profile based on the user’s login
information. The installer window then closes and automatically launches NetExtender. If
the user has a legacy version of NetExtender installed, the installer will first uninstall the old
NetExtender and install the new version.
Once the NetExtender stand-alone client has been installed, Windows users can launch
NetExtender from their PC’s Start > Programs
menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender
. This can be dragged to the shortcut bar in environments like Gnome and KDE.
NetExtender client routes are used to allow and deny access for SSL VPN users to various
network resources. Address objects are used to easily and dynamically configure access to network resources.
Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender
tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:
NetExtender also adds routes for the local networks of all connected Network Connections.
These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user is has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
Tunnel All mode is configured on the
SSL VPN > Client Routes
page.
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently,
only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
|
|
•
|
Automatically detect settings
- To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD)), which can push the proxy settings script to the client automatically.
|
|
|
•
|
Use proxy server
- You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy
field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window will prompt you to enter them when you first connect.
|
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the
proxy server instead of connecting to the SonicWALL security appliance. server directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.
SonicWALL Mobile Connect is an app for iPhone, iPad, and iPod Touch that enables secure,
mobile connections to private networks protected by SonicWALL security appliances. The SonicWALL Mobile Connect app for iPhone and iPad provides secure, mobile access to sensitive network resources using the iPhone and iPad. SonicWALL Mobile Connect establishes a Secure Socket Layer Virtual Private Network (SSL VPN) connection to private networks that are protected by SonicWALL security appliances. All traffic to and from the private network is securely transmitted over the SSL VPN tunnel.
The process for using SonicWALL Mobile Connect is as follows:
From the administrator’s perspective, SonicWALL Mobile Connect functions virtually the same
as NetExtender. Two administrator configurations are required
For more information on SonicWALL Mobile Connect:
In order for users to be able to access SSL VPN services, they must be assigned to the
SSLVPN Services
group. Users who attempt to login through the Virtual Office who do not belong to the SSLVPN Services
group will be denied access. The following sections describe how to configure user accounts for SSL VPN access:
To configure users in the local user database for SSL VPN access, you must add the users to
the SSLVPN Services
user group. To do so, perform the following steps:
|
Step 4
|
In the
User Groups
column, click on SSLVPN Services
and click the right arrow to move it to the Member Of
column.
|
|
Step 5
|
Click on the
VPN Access
tab. The VPN Access
tab configures which network resources VPN users (either GVC, NetExtender, or Virtual Office bookmarks) can access. Select one or more network address objects or groups from the Networks
list and click the right arrow button (->
) to move them to the Access List
column. To remove the user’s access to a network address objects or groups, select the network from the Access List
, and click the left arrow button (<-
).
|
|
|
Note
|
The
VPN access
tab affects the ability of remote clients using GVC, NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the “allow” list on the VPN Access
tab.
|
To configure RADIUS users for SSL VPN access, you must add the users to the
SSLVPN
Services
user group. To do so, perform the following steps:
|
Step 2
|
In the
Authentication Method for login
pulldown menu, select RADIUS
or RADIUS + Local
Users
.
|
|
Step 3
|
Click the
Configure
button for Authentication Method for login
. The RADIUS Configuration window displays.
|
|
Step 5
|
In the
Default user group to which all RADIUS users belong
pulldown menu, select SSLVPN
Services
.
|
|
|
Note
|
The
VPN Access
tab in the Edit User
window is also another granular control on access for both Virtual Office Bookmarks and for NetExtender access.
|
To configure LDAP users for SSL VPN access, you must add the LDAP user groups to the
SSLVPN Services
user group. To do so, perform the following steps:
|
Step 2
|
Set the
Authentication method for login
to either LDAP
or LDAP + Local Users
.
|
|
Step 3
|
Click the
Configure
button to launch the LDAP Configuration
window.
|
|
Step 5
|
In the
Default LDAP User Group
pulldown menu, select SSLVPN Services
.
|
|
|
Note
|
The
VPN Access
tab n the Edit User
window is also another granular control on access for both Virtual Office Bookmarks and for NetExtender access.
|
for the user you want to edit, or click the
Add User
button to create a new user. The Edit User
window is launched.