SSL_VPN
SSL VPN
This chapter provides information on how to configure the SSL VPN features on the SonicWALL security appliance. SonicWALL’s SSL VPN features provide secure remote access to the network using the NetExtender client.
NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on the company’s network. It uses Point-to-Point Protocol (PPP). NetExtender allows remote clients seamless access to resources on your local network. Users can access NetExtender two ways:
The NetExtender standalone client is installed the first time you launch NetExtender. Thereafter, it can be accessed directly from the Start menu on Windows systems, from the Application folder or dock on MacOS systems, or by the path name or from the shortcut bar on Linux systems.
This chapter contains the following sections:
SSL VPN NetExtender Overview
This section provides an introduction to the SonicOS Enhanced SSL VPN NetExtender feature. This section contains the following subsections:
What is SSL VPN NetExtender?
SonicWALL’s SSL VPN NetExtender feature is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.
Benefits
NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox. On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install and use the NetExtender client.
After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL-VPN point-to-point access to permitted hosts and subnets on the internal network.
NetExtender Concepts
The following sections describe advanced NetExtender concepts:
Stand-Alone Client
NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer will first uninstall the old NetExtender and install the new version.
Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.
Client Routes
NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources.
Tunnel All Mode
Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:
|
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user is has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
Tunnel All mode is configured on the SSL VPN > Client Routes page.
Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.
Proxy Configuration
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SonicWALL security appliance. server directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.
Configuring Users for SSL VPN Access
In order for users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group. Users who attempt to login through the Virtual Office who do not belong to the SSLVPN Services group will be denied access. The following sections describe how to configure user accounts for SSL VPN access:
Configuring SSL VPN Access for Local Users
To configure users in the local user database for SSL VPN access, you must add the users to the SSLVPN Services user group. To do so, perform the following steps:
Note: The VPN access tab affects the ability of remote clients using GVC, NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the “allow” list on the VPN Access tab.
Note: The feature, One-Time Password, is a two-factor authentication scheme utilizing system-generated, random passwords, in addition to standard user name and password credentials, for users attempting to login through SSL VPN connections. For more information on configuring this feature, see “One-Time Password” section on page 807.
Configuring SSL VPN Access for RADIUS Users
To configure RADIUS users for SSL VPN access, you must add the users to the SSLVPN Services user group. To do so, perform the following steps:
Note: The VPN Access tab in the Edit User window is also another granular control on access for both Virtual Office Bookmarks and for NetExtender access.
Configuring SSL VPN Access for LDAP Users
To configure LDAP users for SSL VPN access, you must add the LDAP user groups to the SSLVPN Services user group. To do so, perform the following steps:
Note: The VPN Access tab n the Edit User window is also another granular control on access for both Virtual Office Bookmarks and for NetExtender access.
SSL VPN > Status
The SSL VPN > Status page displays a summary of active NetExtender sessions, including the name, the PPP IP address, the physical IP address, login time, length of time logged in and logout time.
The following table provides a description of the status items.
|
SSL VPN > Server Settings
The SSL VPN > Server Settings page is used to configure details of the SonicWALL security appliance’s behavior as an SSL VPN server.
The following options can be configured on the SSL VPN > Server Settings page.
Note: In LDAP, password updates can only be done when using either Novell eDirectory or Active Directory with TLS and binding to it using an administrative account. If LDAP is not configured as such, password updates for SSL VPN users will be performed using MSCHAP-mode RADIUS, after using LDAP to authenticate the user.
SSL VPN > Client Settings
Note: The SSL VPN > Client Settings page is moved to the SSL VPN > Remote Access EPC page. Client settings are now configured for each EPC profile.
If Remote Access EPC is not licensed or supported on your box, please click the Configure icon for the “Default Device Profile for Windows” to configure client settings for NetExtender users.
For more information, see SSL VPN > Remote Access EPC.
SSL VPN > Portal Settings
The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that uses log in to launch NetExtender. It can be customized to match any existing company website or design style.
The following settings configure the appearance of the Virtual Office portal:
The following options customize the functionality of the Virtual Office portal:
The Customized Logo field is used to display a logo other than the SonicWALL logo at the top of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo must be in GIF format of size 155 x 36, and a transparent or light background is recommended.