Hardware FAQ

What are the hardware specs for the SRA 1600 and SRA 4600?

What are the hardware specs for the SRA 1200 and SRA 4200?

What are the SRA virtual appliance virtualized environment requirements?

Do the SRA appliances have hardware-based SSL acceleration onboard?

What operating system do the SRA appliances run?

Can I put multiple SRA appliances behind a load-balancer?

Digital Certificates and Certificate Authorities FAQ

What do I do if when I log in to the SRA appliance my browser gives me an error, or if my Java components give me an error?

I get this message below when I log into my SRA appliance – what do I do?

I get this message below when I log into my SRA appliance using Firefox 3.0 – what do I do?

I get the warning below when I log into my SRA using Firefox 3.5 – what do I do?

When I launch any of the Java components it gives me an error – what should I do?

Do I have to purchase an SSL certificate?

What format is used for the digital certificates?

Are wild card certificates supported?

What CA’s certificates can I use with the SRA appliance?

Does the SRA appliance support chained certificates?

Any other tips when I purchase the certificate for the SRA appliance?

Can I use certificates generated from a Microsoft Certificate Server?

Why can’t I import my new certificate and private key?

Why do I see the status “pending” after importing a new certificate and private key?

Can I have more than one certificate active if I have multiple virtual hosts?

I imported the CSR into my CA’s online registration site but it’s asking me to tell them what kind of Webserver it’s for. What do I do?

Can I store the key and certificate?

Are PKCS#7 (chained certs) or PKCS#12 (key and cert PFX container) supported on the SRA appliance?

Does the SRA appliance support client-side digital certificates?

When client authentication is required my clients cannot connect even though a CA certificate has been loaded. Why?

NetExtender FAQ

Does NetExtender work on other operating systems than Windows?

Which versions of Windows does NetExtender support?

I tried to run NetExtender but it says I must have admin rights – why?

Can I block communication between NetExtender clients?

Can NetExtender run as a Windows service?

What range do I use for NetExtender IP client address range?

What do I enter for NetExtender client routes?

What does the ‘Tunnel All Mode’ option do?

Is there any way to see what routes the SRA appliance is sending NetExtender?

Once I install the NetExtender is it uninstalled when I leave my session?

How do I get new versions of NetExtender?

How is NetExtender different from a traditional IPSec VPN client, such as Dell SonicWALL’s Global VPN Client (GVC)?

Is NetExtender encrypted?

Is there a way to secure clear text traffic between the SRA appliance and the server?

What is the PPP adapter that is installed when I use the NetExtender?

What are the advantages of using the NetExtender instead of a Proxy Application?

Does performance change when using NetExtender instead of proxy?

The SRA appliance is application dependent; how can I address non-standard applications?

What applications are supported using Application Offloading?

Speaking of SSH, is SSHv2 supported?

Why is it required that an ActiveX component be installed?

Does NetExtender support desktop security enforcement, such as AV signature file checking, or Windows registry checking?

Does NetExtender work with the 64-bit version of Microsoft Windows?

Does NetExtender work with the 32-bit and 64-bit versions of Microsoft Windows 7?

Does NetExtender support client-side certificates?

My firewall is dropping NetExtender connections from my SonicWALL SRA as being spoofs. Why?

General FAQ

Is the SRA appliance a true reverse proxy?

What browser and version do I need to successfully connect to the SRA appliance?

What needs to be activated on the browser for me to successfully connect to the SRA appliance?

What version of Java do I need?

What operating systems are supported?

Why does the ‘File Shares’ component not recognize my server names?

Does the SRA appliance have a SPI firewall?

Can I access the SRA appliance using HTTP?

What is the most common deployment of the SRA appliances?

Why is it recommended to install the SRA appliance in one-port mode with a Dell SonicWALL security appliance?

Is there an installation scenario where you would use more than one interface or install the appliance in two-port mode?

Can I cascade multiple SRA appliances to support more concurrent connections?

Why can’t I log into the management interface of the SRA appliance?

Can I create site-to-site VPN tunnels with the SRA appliance?

Can the Dell SonicWALL Global VPN Client (or any other third-party VPN client) connect to the SRA appliance?

Can I connect to the SRA appliance over a modem connection?

What SSL ciphers are supported by the SRA appliance?

Is AES supported in the SRA appliance?

Can I expect similar performance (speed, latency, and throughput) as my IPSec VPN?

Is Two-factor authentication (RSA SecurID, etc) supported?

Does the SRA appliance support VoIP?

Is Syslog supported?

Does NetExtender support multicast?

Are SNMP and Syslog supported?

Does the SRA appliance have a Command Line Interface (CLI)?

Can I Telnet or SSH into the SRA appliance?

When controlling user access, can I apply permissions on both a domain as well as a Forest basis?

What does the Web cache cleaner do?

Why didn’t the Web cache cleaner work when I exited the Web browser?

What does the ‘encrypt settings file’ check box do?

What does the ‘store settings’ button do?

What does the ‘create backup’ button do?

What is ‘SafeMode’?

How do I access the SafeMode menu?

Can I change the colors of the portal pages?

What authentication methods are supported?

I configured my SRA appliance to use Active Directory as the authentication method, but it fails with a very strange error message. Why?

My Windows XPSP2 system cannot use the RDP-based connectors. Why?

I created a FTP bookmark, but when I access it, the filenames are garbled – why?

Where can I get a VNC client?

Are the SRA 4600/4200/1600/1200 appliances fully supported by GMS or Analyzer?

Does the SRA appliance support printer mapping?

Can I integrate the SRA appliance with wireless?

Can I manage the appliance on any interface IP address of the SRA appliance?

Can I allow only certain Active Directory users access to log into the SRA appliance?

Does the HTTP(S) proxy support the full version of Outlook Web Access (OWA Premium)?

Why are my RDP sessions dropping frequently?

Can I create my own services for bookmarks rather than the services provided in the bookmarks section?

Why can’t I see all the servers on my network with the File Shares component?

What port is the SRA appliance using for the Radius traffic?

Do the SRA appliances support the ability for the same user account to login simultaneously?

Does the SRA appliance support NT LAN Manager (NTLM) Authentication?

I cannot connect to a web server when Windows Authentication is enabled. I get the following error message when I try that: ‘It appears that the target web server is using an unsupported HTTP(S) authentication scheme through the SRA, which currently supports only basic and digest authentication schemes. Please contact the administrator for further assistance.’ - why?

Why do Java Services, such as Telnet or SSH, not work through a proxy server?

Why won’t the SSH client connect to my SSH server?

How are the F1-F12 keys handled in the Java-based SSHv1 and Telnet proxies?

There is no port option for the service bookmarks – what if these are on a different port than the default?

What if I want a bookmark to point to a directory on a Web server?

What versions of Citrix are supported?

Hardware FAQ

1. What are the hardware specs for the SRA 1600 and SRA 4600?

Answer:

Interfaces

SRA 1600: (2) gigabit Ethernet, (2) USB, (1) console

SRA 4600: (4) gigabit Ethernet, (2) USB, (1) console

Processors

SRA 1600: 1.66 GHz Intel Atom Processor, x86

SRA 4600: 1.66 GHz Intel Atom Dual Core Processor, x86

Memory (RAM)

SRA 1600: 1 GB

SRA 4600: 2 GB

Flash Memory

SRA 1600: 1 GB

SRA 4600: 1 GB

Power Supply

SRA 1600: Internal, 100-240Vac, 50-60Mhz

SRA 4600: Internal, 100-240Vac, 50-60Mhz

Max Power Consumption

SRA 1600: 47 W

SRA 4600: 50 W

Total Heat Dissipation

SRA 1600: 158 BTU

SRA 4600: 171 BTU

Dimensions

SRA 1600: 17.00 x 10.13 x 1.75 in (43.18 x 25.73 x 4.45 cm)

SRA 4600: 17.00 x 10.13 x 1.75 in (43.18 x 25.73 x 4.45 cm)

Weight

SRA 1600: 9.5 lbs (4.3 kg)

SRA 4600: 9.5 lbs (4.3 kg)

Major Regulatory Compliance

SRA 1600/4600: FCC Class A, ICES Class A, CE, C-Tick, VCCI Class A, KCC, ANATEL, BSMI, NOM, UL, cUL, TUV/GS, CB

Environment:

Temperature:

SRA 1600/4600: 32-105° F, 0-40° C

Relative Humidity:

SRA 1600/4600: 5-95% RH non-condensing

MTBF

SRA 1600: 18.3 years

SRA 4600: 17.8 years

2. What are the hardware specs for the SRA 1200 and SRA 4200?

Answer:

Interfaces

SRA 1200: (2) 10/100/1000 Ethernet, (1) RJ-45 Serial port (115200 Baud)

SRA 4200: (4) 10/100/1000 Ethernet, (1) RJ-45 Serial port (115200 Baud)

Processors

SRA 1200: 1.5 GHz Via C7 x86 processor

SRA 4200: 1.8 GHz Via C7 x86 processor, cryptographic accelerator

Memory (RAM)

SRA 1200: 1 GB

SRA 4200: 2 GB

Flash Memory

SRA 1200: 1 GB

SRA 4200: 1 GB

Power Supply

SRA 1200: Internal

SRA 4200: Internal

Max Power Consumption

SRA 1200: 53 W

SRA 4200: 75 W

Total Heat Dissipation

SRA 1200: 181 BTU

SRA 4200: 256 BTU

Dimensions

SRA 1200: 17.00 x 10.125 x 1.75 in (43.18 x 25.70 x 4.45 cm)

SRA 4200: 17.00 x 10.125 x 1.75 in (43.18 x 25.70 x 4.45 cm)

Weight

SRA 1200: 8.7 lbs (3.95 kg)

SRA 4200: 9.5 lbs (4.31 kg)

Major Regulatory Compliance

SRA 1200/4200: FCC Class A, ICES Class A, CE, C-Tick, VCCI Class A, MIC, NOM, UL, cUL, TUV/GS, CB, WEEE, RoHS (Europe), RoHS (China)

FIPS: Mechanically Designed for FIPS 140-2 Level 2

Environment

Temperature:

SRA 1200/4200: 32-105° F, 0-40° C

Relative Humidity:

SRA 1200/4200: 5-95% non-condensing

MTBF

SRA 1200: 13 years

SRA 4200: 8.3 years

3. What are the SRA virtual appliance virtualized environment requirements?

Hypervisor: VMWare ESXi and ESX (version 4.0 and newer)

Appliance size (on disk): 2 GB

Allocated memory: 2 GB

4. Do the SRA appliances have hardware-based SSL acceleration onboard?

Answer: The SRA 4200 has a hardware-based SSL accelerator onboard. The SRA 1200 does not have a hardware-based SSL accelerator processor. The SRA 1600 and SRA 4600 do not have a hardware-based SSL accelerator processor.

5. What operating system do the SRA appliances run?

Answer: The appliance runs Dell SonicWALL’s own hardened Linux distribution.

6. Can I put multiple SRA appliances behind a load-balancer?

Answer: Yes, this should work fine as long as the load-balancer or content-switch is capable of tracking sessions based upon SSL Session ID persistence, or cookie-based persistence.

Table 31 SRA Max Count Table

| Type | Max Supported on 1200/1600 | Max Supported on 4200/4600 | Max Supported on Virtual Appliance |
|---|---|---|---|
| Portal entries | 32 | 64 | 64 |
| Domain entries | 32 | 64 | 64 |
| Group entries | 512 | 512 | 512 |
| User entries | 1,000 | 2,000 | 2,000 |
| NetExtender global client routes | 100 | 100 | 100 |
| NetExtender group client routes | 100 | 100 | 100 |
| NetExtender user client routes | 100 | 100 | 100 |
| Maximum concurrent users | 200 | 1024 | 1024 |
| Maximum concurrent Nx connections | 50 | 500 | 500 |
| Route entries | 32 | 32 | 32 |
| Host entries | 32 | 32 | 32 |
| Bookmark entries | 500 | 500 | 500 |
| User Policy entries | 64 | 64 | 64 |
| Group Policy entries | 64 | 64 | 64 |
| Global Policy entries | 64 | 64 | 64 |
| Policy address entries | 32 | 32 | 32 |
| Network Objects | 128 | 128 | 128 |
| ‘Address’ Network Objects | 32 | 32 | 32 |
| ‘Network’ Network Objects | 64 | 64 | 64 |
| ‘Service’ Network Objects | 64 | 64 | 64 |
| SMB shares | 1,024 | 1,024 | 1,024 |
| SMB nodes | 1,024 | 1,024 | 1,024 |
| SMB workgroups | 8 | 8 | 8 |
| Concurrent FTP sessions | 8 | 8 | 8 |
| Log size | 250 KB | 250 KB | 250 KB |

Digital Certificates and Certificate Authorities FAQ

1. What do I do if when I log in to the SRA appliance my browser gives me an error, or if my Java components give me an error?

Answer: These errors can be caused by any combination of the following three factors:

– The certificate in the SRA appliance is not trusted by the browser.

– The certificate in the SRA appliance may be expired.

– The site requested by the client Web browser does not match the site name embedded in the certificate.

Web browsers are programmed to issue a warning if the above three conditions are not met precisely. This security mechanism is intended to ensure end-to-end security, but often confuses people into thinking something is broken. If you are using the default self-signed certificate, this error will appear every time a Web browser connects to the SRA appliance. However, it is just a warning and can be safely ignored, as it does not affect the security negotiated during the SSL handshake. If you do not want this error to happen, you will need to purchase and install a trusted SSL certificate onto the SRA appliance.
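To find out which of the three conditions a given certificate fails, an administrator can test them one by one. The sketch below is an added example, not Dell SonicWALL code: it takes a decoded certificate in the dictionary layout of Python's `ssl.SSLSocket.getpeercert()`, models trust as membership in a set of trusted issuer names (a simplification; real clients verify the signature chain), and runs on constructed sample certificates that borrow the host names from item 15 of this FAQ.

```python
import ssl
from datetime import datetime, timezone


def dn(common_name):
    """Build a distinguished name in the nested-tuple layout getpeercert() uses."""
    return ((("commonName", common_name),),)


def cert_names(cert):
    """DNS names the certificate covers: subjectAltName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]


def host_matches(pattern, host):
    """Exact match, or a wildcard that stands for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    first_label, _, rest = host.partition(".")
    return bool(first_label) and rest == pattern[2:]


def diagnose(cert, requested_host, trusted_issuers, now):
    """Return (code, detail) pairs for each condition that would raise a warning."""
    findings = []
    # Condition 1: the issuer is not one the client trusts.
    if cert["issuer"] not in trusted_issuers:
        kind = "self-signed" if cert["issuer"] == cert["subject"] else "issued by an unknown CA"
        findings.append(("UNTRUSTED", f"certificate is {kind}"))
    # Condition 2: the current time is outside the validity window.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append(("NOT_YET_VALID", f"valid from {cert['notBefore']}"))
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append(("EXPIRED", f"expired {cert['notAfter']}"))
    # Condition 3: the requested site name is not a name in the certificate.
    names = cert_names(cert)
    if not any(host_matches(name, requested_host) for name in names):
        findings.append(("NAME_MISMATCH", f"{requested_host} not in {names}"))
    return findings


# Constructed sample data (not taken from a real appliance).
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc).timestamp()
TRUSTED = {dn("Constructed Test CA")}
SELF_SIGNED = {
    "subject": dn("appliance-default.example"),
    "issuer": dn("appliance-default.example"),
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 00:00:00 2023 GMT",
}
CA_ISSUED = {
    "subject": dn("sslvpn.test.sonicwall.com"),
    "issuer": dn("Constructed Test CA"),
    "subjectAltName": (("DNS", "sslvpn.test.sonicwall.com"),),
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 00:00:00 2015 GMT",
}
WILDCARD = dict(CA_ISSUED, subject=dn("*.test.sonicwall.com"),
                subjectAltName=(("DNS", "*.test.sonicwall.com"),))

if __name__ == "__main__":
    for label, cert, host in [
        ("default self-signed", SELF_SIGNED, "sslvpn.test.sonicwall.com"),
        ("CA-issued, matching portal", CA_ISSUED, "sslvpn.test.sonicwall.com"),
        ("CA-issued, second portal", CA_ISSUED, "virtualassist.test.sonicwall.com"),
        ("wildcard, second portal", WILDCARD, "virtualassist.test.sonicwall.com"),
    ]:
        print(label, "->", diagnose(cert, host, TRUSTED, NOW) or "no warning")
```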

[Image: cert_warning_IE6.jpg]

2. I get this message below when I log into my SRA appliance – what do I do?

[Image: cert_warning_IE7.jpg]

Answer: It’s the same problem as noted in the previous topic, but this is the new “improved” security warning screen in Microsoft Internet Explorer 8.0. Whereas before IE5.x and IE6.x presented a pop-up that listed the reasons why the certificate is not trusted, IE8.0 simply returns a generic error page which recommends that the user close the page. The user is not presented with a direct ‘Yes’ option to proceed, and instead has to click on the embedded Continue to this Website (not recommended) link. For these reasons, it is strongly recommended that all SRA appliances, going forward, have a trusted digital certificate installed.

3. I get this message below when I log into my SRA appliance using Firefox 3.0 – what do I do?

Answer: Much like the errors shown above for Internet Explorer, Firefox 3.0 has a unique error message when any certificate problem is detected. The conditions for this error are the same as for the above Internet Explorer errors.

[Image: cert_warning_FF3.jpg]

To get past this screen, click the Or you can add an exception link at the bottom, then click the Add Exception button that appears. In the Add Security Exception window that opens, click the Get Certificate button, ensure that Permanently store this exception is checked, and finally, click the Confirm Security Exception button. See below:

[Image: cert_warning_fix_FF3.jpg]

To avoid this inconvenience, it is strongly recommended that all SRA appliances, going forward, have a trusted digital certificate installed.

4. I get the warning below when I log into my SRA using Firefox 3.5 – what do I do?

Answer: This is the Firefox 3.5 warning message when any certificate problem is detected. The conditions for this error are the same as for the above Internet Explorer errors.

[Image: cert_warning1_FF3.jpg]

To get past this screen, click the arrow next to I Understand the Risks to expand the section, then click the Add Exception button that appears.

[Image: cert_warning2_FF3.jpg]

In the Add Security Exception window that opens, click the Get Certificate button, ensure that Permanently store this exception is checked, and finally, click the Confirm Security Exception button. See below:

[Image: cert_warning3_fix_FF3.jpg]

To avoid this inconvenience, it is strongly recommended that all SRA appliances, going forward, have a trusted digital certificate installed.

5. When I launch any of the Java components it gives me an error – what should I do?

Answer: See the previous section. This occurs when the certificate is not trusted by the Web browser, or the site name requested by the browser does not match the name embedded in the site certificate presented by the SRA appliance during the SSL handshake process. This error can be safely ignored.

[Image: Appendix_FAQ00044.jpg]

6. Do I have to purchase an SSL certificate?

Answer: No, you can simply ignore the security warnings, which are a message to users that the certificate is not trusted or contains mismatched information. Accepting a non-trusted certificate does not have anything to do with the level of encryption negotiated during the SSL handshake. However, Dell SonicWALL tested digital certificates from www.rapidssl.com, which are inexpensive, work fine in the SRA appliance, and do not require the background check that other Certificate Authorities require during the purchase process. You can find a white paper on how to purchase and install a certificate online at:
http://www.sonicwall.com/us/support/3165.html.

7. What format is used for the digital certificates?

Answer: X509v3.

8. Are wild card certificates supported?

Answer: Yes.

9. What CA’s certificates can I use with the SRA appliance?

Answer: Any CA certificate should work if the certificate is in X509v3 format, including Verisign, Thawte, Baltimore, RSA, etc.

10. Does the SRA appliance support chained certificates?

Answer: Yes, it does. On the System > Certificates page, do the following:

– Under “Server Certificates”, click Import Certificate and upload the SSL server certificate and key together in a .zip file. The certificate should be named ‘server.crt’. The private key should be named ‘server.key’.

– Under “Additional CA Certificates”, click the Import Certificate button and upload the intermediate CA certificate(s). The certificate should be PEM encoded in a text file.

After uploading any intermediate CA certificates, the system should be restarted. The web server needs to be restarted with the new certificate included in the CA certificate bundle.

11. Any other tips when I purchase the certificate for the SRA appliance?

Answer: We recommend you purchase a multi-year certificate to avoid the hassle of renewing each year (most people forget and when the certificate expires it can create an administrative nightmare). It is also good practice to have all users that will connect to the SRA appliance run Windows Update (also known as Microsoft Update) and install the ‘Root Certificates’ update.

12. Can I use certificates generated from a Microsoft Certificate Server?

Answer: Yes, but to avoid a browser warning, you will need to install the Microsoft CA’s root certificate into all Web browsers that will connect to the appliance.

13. Why can’t I import my new certificate and private key?

Answer: Be sure that you upload a .zip file containing the PEM formatted private key file named "server.key" and the PEM formatted certificate file named "server.crt". The .zip file must have a flat file structure (no directories) and contain only "server.key" and "server.crt" files. The key and the certificate must also match, otherwise the import will fail.
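The packaging rules in this answer can be checked before upload. The following is an added example, not Dell SonicWALL code: it verifies that the archive is flat, holds exactly `server.crt` and `server.key`, and that each file is PEM of the expected type. It does not verify that the key and certificate match, and the sample files are constructed stand-ins rather than real keys.

```python
import base64
import binascii
import io
import re
import zipfile

# Required member name -> suffix its PEM label must end with.
REQUIRED = {"server.crt": "CERTIFICATE", "server.key": "PRIVATE KEY"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_findings(name, data, label_suffix):
    """Check that a file is PEM text whose blocks carry the expected label."""
    if data[:2] == b"\x30\x82":  # DER SEQUENCE with a two-byte length
        return [("NOT_PEM", f"{name} is DER (binary) encoded")]
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if not blocks:
        return [("NOT_PEM", f"{name} contains no PEM block")]
    findings = []
    for label, body in blocks:
        if not label.endswith(label_suffix):
            # Catches swapped files and a CSR ("CERTIFICATE REQUEST") saved as server.crt.
            findings.append(("WRONG_PEM_TYPE", f"{name} holds a '{label}' block"))
            continue
        if ":" in body:
            # Legacy encrypted keys put Proc-Type/DEK-Info headers before a blank line.
            body = re.split(r"\r?\n\r?\n", body, maxsplit=1)[-1]
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            findings.append(("BAD_BASE64", f"{name} has a damaged '{label}' block"))
    return findings


def check_import_zip(zip_bytes):
    """Return (code, detail) pairs; an empty list means the package is well formed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("NOT_A_ZIP", "file is not a readable .zip archive")]
    findings = []
    with archive:
        names = archive.namelist()
        for name in names:
            if "/" in name or "\\" in name:
                findings.append(("NOT_FLAT", f"{name} sits inside a directory"))
            elif name not in REQUIRED:
                findings.append(("EXTRA_FILE", f"{name} must not be in the archive"))
        for name, suffix in REQUIRED.items():
            if name not in names:
                findings.append(("MISSING_FILE", f"{name} not found at the top level"))
            else:
                findings.extend(pem_findings(name, archive.read(name), suffix))
    return findings


def sample_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed stand-in: PEM armour around a tiny DER SEQUENCE, not a real key or cert."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()


def build_zip(files):
    """Build an in-memory .zip from a {member name: bytes} mapping (sample input helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    nested = build_zip({"certs/server.crt": sample_pem("CERTIFICATE"),
                        "certs/server.key": sample_pem("RSA PRIVATE KEY")})
    for code, detail in check_import_zip(nested):
        print(code, detail)
```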

14. Why do I see the status “pending” after importing a new certificate and private key?

Answer: Click the ‘configure’ icon next to the new certificate and enter the password you specified when creating the Certificate Signing Request (CSR) to finalize the import of the certificate. Once this is done, you can successfully activate the certificate on the SRA appliance.

15. Can I have more than one certificate active if I have multiple virtual hosts?

Answer: Prior to 2.5 firmware: No, only one can be active. Other virtual sites with names that do not match the name embedded in the SRA appliance’s certificate will show security warnings to any Web browser connecting to them.

With 2.5 firmware or later, it is possible to select a certificate for each Portal under the Portals > Portals: Edit Portal - Virtual Host tab. The portal Virtual Host Settings fields allow you to specify a separate IP address and certificate per portal. If the administrator has configured multiple portals, it is possible to associate a different certificate with each portal. For example, sslvpn.test.sonicwall.com might also be reached by pointing the browser to virtualassist.test.sonicwall.com. Each of those portal names can have its own certificate. This is useful to prevent the browser from displaying a certificate mismatch warning, such as “This server is abc, but the certificate is xyz, are you sure you want to continue?”.

16. I imported the CSR into my CA’s online registration site but it’s asking me to tell them what kind of Webserver it’s for. What do I do?

Answer: Select ‘Apache’.

17. Can I store the key and certificate?

Answer: Yes, the key is exported with the CSR during the CSR generation process. It’s strongly recommended that you keep this in a safe place with the certificate you receive from the CA. This way, if the SRA appliance ever needs replacement or suffers a failure, you can reload the key and cert. You can also always export your settings from the System > Settings page.

18. Are PKCS#7 (chained certs) or PKCS#12 (key and cert PFX container) supported on the SRA appliance?

Answer: No, neither one is currently supported. Dell SonicWALL is investigating supporting these in a future release.

19. Does the SRA appliance support client-side digital certificates?

Answer: Yes, client certificates are enforced per Domain or per User on the Users > Local Users: Edit User – Login Policies tab.

– Per Domain/Per User client certificate enforcement settings:

    – Option to verify that the user name matches the Common Name (CN) of the client certificate

    – Option to verify partial DN in the client certificate subject (optional). The following variables are supported:

        User name: %USERNAME%

        Domain name: %USERDOMAIN%

        Active Directory user name: %ADUSERNAME%

        Wildcard: %WILDCARD%

Note: Firmware prior to 3.5 required the client certificate CN field to be the username (CN=username) entered to log in to the appliance.

– Support for Microsoft CA Subject Names where CN=<Full user name>, e.g. CN=John Doe. Client certificate authentication attempts for users in Active Directory domains will have the CN compared against the user’s full name in AD.

– Detailed client certificate authentication failure messages and log messages are available in the Log > View page.

– Certificate Revocation List (CRL) Support. Each CA Certificate now supports an optional CRL via file import or periodic import via URL.

The client certificate must be loaded into the client’s browser. Also, remember that any certificates in the trust chain of the client certificates must be installed onto the SRA appliance.

20. When client authentication is required my clients cannot connect even though a CA certificate has been loaded. Why?

Answer: After a CA certificate has been loaded, the SRA appliance must be rebooted before it is used for client authentication. Failure to validate the client certificate will also cause the logon to fail. The most common causes are: certificate is not yet valid, certificate has expired, login name does not match the common name of the certificate, and certificate not sent.

NetExtender FAQ

1. Does NetExtender work on other operating systems than Windows?

Answer: Yes. Version 2.5 firmware added support for Mac and Linux platforms.

Mac Requirements:

– Mac OS X 10.6.8+

– Apple Java 1.6.0_10+ (can be installed/upgraded by going to Apple Menu > Software Update; should be pre-installed on OS X 10.6.8+)

Linux Requirements:

– i386-compatible distribution of Linux

– Sun Java 1.6.0_10+

– Fedora 14+

– Suse: Tested successfully on 10.3

– Ubuntu 11.04+

Separate NetExtender installation packages are also downloadable from mysonicwall.com for each release.

2. Which versions of Windows does NetExtender support?

Answer: NetExtender supports:

– Windows XP Service Pack 3 (SP3)

– Vista SP2

– Windows 7

3. I tried to run NetExtender but it says I must have admin rights – why?

Answer: If your SRA appliance is running 1.0 firmware, then on Windows 2000, XP, 2003, Vista, and Windows 7 systems the logged-in user must have administrative rights to be able to install ActiveX-based components such as NetExtender, and it will not be possible to run NetExtender on systems where you do not have administrative rights (this is often seen in kiosk or public computer environments, where the OS is locked down to prevent this sort of behavior). If your SRA appliance is running 1.5 firmware or newer, a user can run NetExtender provided that a user with administrative rights previously installed NetExtender onto the system.

4. Can I block communication between NetExtender clients?

Answer: Yes, this can be achieved with the User/Group/Global Policies by adding a ‘deny’ policy for the NetExtender IP range.

5. Can NetExtender run as a Windows service?

Answer: The Windows version of NetExtender found in the 1.5 firmware release and newer can be installed and configured to run as a Windows service, which will allow systems to login to domains across the NetExtender client.

6. What range do I use for NetExtender IP client address range?

Answer: This range is the pool that incoming NetExtender clients will be assigned – NetExtender clients actually appear as though they are on the internal network – much like the Virtual Adapter capability found in Dell SonicWALL’s Global VPN Client. You will need to dedicate one IP address for each active NetExtender session, so if you expect 20 simultaneous NetExtender sessions to be the maximum, create a range of 20 open IP addresses. Make sure that these IP addresses are open and are not used by other network appliances or contained within the scope of other DHCP servers. For example, if your SRA appliance is in one-port mode on the X0 interface using the default IP address of 192.168.200.1, create a pool of addresses from 192.168.200.151 to 192.168.200.171. In the 1.5 firmware release, you can create multiple unique pools on a per-group or per-user basis.

7. What do I enter for NetExtender client routes?

Answer: These are the networks that will be sent to remote NetExtender clients and should contain all networks that you wish to give your NetExtender clients access to. For example, if your SRA appliance was in one-port mode, attached to a Dell SonicWALL NSA 3500 appliance on a DMZ using 192.168.200.0/24 as the subnet for that DMZ, and the Dell SonicWALL NSA 3500 had two LAN subnets of 192.168.168.0/24 and 192.168.170.0/24, you would enter those two LAN subnets as the client routes to provide NetExtender clients access to network resources on both of those LAN subnets.
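The sizing and overlap rules from items 6 and 7 can be checked before the values are entered on the appliance. This is an added example, not Dell SonicWALL code: the function and finding names are hypothetical, the /24 mask on X0 is taken from the DMZ subnet in item 7, and the off-subnet finding reflects the firewall rule described in item 26 of this FAQ.

```python
import ipaddress

# NetExtender client route limit (global, group and user alike) from the max count table.
MAX_CLIENT_ROUTES = 100


def ip_range(start, end):
    """Parse an inclusive address range, rejecting reversed bounds."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        raise ValueError(f"range {start}-{end} is reversed")
    return lo, hi


def check_plan(x0, pool, expected_sessions, dhcp_scopes=(), static_hosts=(), client_routes=()):
    """Return (code, detail) findings for a NetExtender address plan; empty means consistent."""
    findings = []
    iface = ipaddress.ip_interface(x0)
    lo, hi = ip_range(*pool)

    # One address is consumed per active NetExtender session.
    size = int(hi) - int(lo) + 1
    if size < expected_sessions:
        findings.append(("POOL_TOO_SMALL", f"{size} addresses for {expected_sessions} sessions"))

    # A pool outside the X0 subnet needs a matching rule on the upstream firewall,
    # otherwise NetExtender traffic can be dropped as spoofed.
    if lo not in iface.network or hi not in iface.network:
        findings.append(("POOL_OFF_X0_SUBNET", f"pool is not inside {iface.network}"))

    reserved = (
        (iface.ip, "the X0 interface address"),
        (iface.network.network_address, "the subnet's network address"),
        (iface.network.broadcast_address, "the subnet's broadcast address"),
    )
    for addr, what in reserved:
        if lo <= addr <= hi:
            findings.append(("POOL_HAS_RESERVED_ADDRESS", f"pool includes {what} ({addr})"))

    # Pool addresses must be open: not inside a DHCP scope, not used by another device.
    for scope in dhcp_scopes:
        s_lo, s_hi = ip_range(*scope)
        if lo <= s_hi and s_lo <= hi:
            findings.append(("POOL_IN_DHCP_SCOPE", f"pool overlaps DHCP scope {s_lo}-{s_hi}"))
    for host in static_hosts:
        if lo <= ipaddress.ip_address(host) <= hi:
            findings.append(("POOL_ADDRESS_IN_USE", f"{host} is already assigned"))

    # Client routes are networks, so host bits must be zero (strict parsing).
    if len(client_routes) > MAX_CLIENT_ROUTES:
        findings.append(("TOO_MANY_ROUTES", f"{len(client_routes)} routes, limit {MAX_CLIENT_ROUTES}"))
    for route in client_routes:
        try:
            ipaddress.ip_network(route)
        except ValueError as exc:
            findings.append(("BAD_ROUTE", str(exc)))
    return findings


if __name__ == "__main__":
    # Values from the two answers above; the DHCP scope and static host are constructed.
    print(check_plan("192.168.200.1/24", ("192.168.200.151", "192.168.200.171"), 20,
                     client_routes=["192.168.168.0/24", "192.168.170.0/24"]))
    print(check_plan("192.168.200.1/24", ("192.168.200.151", "192.168.200.171"), 30,
                     dhcp_scopes=[("192.168.200.100", "192.168.200.160")],
                     static_hosts=["192.168.200.170"]))
```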

8. What does the ‘Tunnel All Mode’ option do?

Answer: Activating this feature will cause the SRA appliance to push down two default routes that tell the active NetExtender client to send all traffic through the SRA appliance. This feature is useful in environments where the SRA appliance is deployed in tandem with a Dell SonicWALL security appliance running all UTM services, as it will allow you to scan all incoming and outgoing NetExtender user traffic for viruses, spyware, intrusion attempts, and content filtering.

9. Is there any way to see what routes the SRA appliance is sending NetExtender?

Answer: Yes, right-click on the NetExtender icon in the taskbar and select route information. You can also get status and connection information from this same menu.

10. Once I install the NetExtender is it uninstalled when I leave my session?

Answer: By default, when NetExtender is installed for the first time it stays resident on the system, although this can be controlled by selecting the Uninstall On Browser Exit > Yes option from the NetExtender icon in the taskbar while it is running. If this option is checked, NetExtender will remove itself when it is closed. It can also be uninstalled from the “Add/Remove Program Files” in Control Panel. NetExtender remains on the system by default to speed up subsequent login times.

11. How do I get new versions of NetExtender?

Answer: New versions of NetExtender are included in each Dell SonicWALL SRA firmware release and have version control information contained within. If the SRA appliance has been upgraded with new software, and a connection is made from a system using a previous, older version of NetExtender, it will automatically be upgraded to the new version.

There is one exception to the automatic upgrading feature: it is not supported for the MSI version of NetExtender. If NetExtender was installed with the MSI package, it must be upgraded with a new MSI package. The MSI package is designed for the administrator to deploy NetExtender through Active Directory, allowing full version control through Active Directory.

12. How is NetExtender different from a traditional IPSec VPN client, such as Dell SonicWALL’s Global VPN Client (GVC)?

Answer: NetExtender is designed as an extremely lightweight client that is installed via a Web browser connection, and utilizes the security transforms of the browser to create a secure, encrypted tunnel between the client and the SRA appliance.

13. Is NetExtender encrypted?

Answer: Yes, it uses whatever cipher the NetExtender client and SRA appliance negotiate during the SSL connection.

14. Is there a way to secure clear text traffic between the SRA appliance and the server?

Answer: Yes, you can configure the Microsoft Terminal Server to use encrypted RDP-based sessions, and use HTTPS reverse proxy.

15. What is the PPP adapter that is installed when I use the NetExtender?

Answer: This is the transport method NetExtender uses. It also uses compression (MPPC). You can elect to have it removed during disconnection by selecting this from the NetExtender menu.

16. What are the advantages of using the NetExtender instead of a Proxy Application?

Answer: NetExtender allows full connectivity over an encrypted, compressed PPP connection, allowing the user to connect directly to internal network resources. For example, a remote user could launch NetExtender to directly connect to file shares on a corporate network.

17. Does performance change when using NetExtender instead of proxy?

Answer: Yes. NetExtender connections put minimal load on the SRA appliances, whereas many proxy-based connections may put substantial strain on the SRA appliance. Note that HTTP proxy connections use compression to reduce the load and increase performance. Content received by the SRA from the local Web server is compressed using gzip before sending it over the Internet to the remote client. Compressing content sent from the SRA saves bandwidth and results in higher throughput. Furthermore, only compressed content is cached, saving nearly 40-50% of the required memory. Note that gzip compression is not available on the local (clear text side) of the SRA appliance, or for HTTPS requests from the remote client.

18. The SRA appliance is application dependent; how can I address non-standard applications?

Answer: You can use NetExtender to provide access for any application that cannot be accessed using internal proxy mechanisms - HTTP, HTTPS, FTP, RDP4 (firmware 1.0 only), ActiveX-based RDP, Java-based RDP (firmware 1.5 and newer), Telnet, and SSHv1. With 3.5 firmware and later, Application Offloading can be used for web applications. In this way, the SRA appliance functions similarly to an SSL offloader and will proxy web application pages without the need for URL rewriting.

19. What applications are supported using Application Offloading?

Answer: Application Offloading should support any application using HTTP/HTTPS. SRA has limited support for applications using Web services and no support for non-HTTP protocols wrapped within HTTP.

One key aspect to consider when using Application Offloading is that the application should not contain hard-coded self-referencing URLs. If these are present, the Application Offloading proxy rewrites the URLs. Since Web site development does not usually conform to HTML standards, the proxy can only do a best-effort translation when rewriting these URLs. Specifying hard-coded, self-referencing URLs is not recommended when developing a Web site because content developers must modify the Web pages whenever the hosting server is moved to a different IP or hostname.

For example, if the backend application has a hard-coded IP and scheme within URLs as follows, then Application Offloading will need to rewrite this URL.

<a href="http://1.1.1.1/doAction.cgi?test=foo">

This can be done by enabling the Enable URL Rewriting for self-referenced URLs setting for the Application Offloading Portal, but not all URLs may be rewritten, depending on how the Web application has been developed. (This limitation is usually the same for other WAF/SRA vendors employing reverse proxy mode.)
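Before publishing an application through Application Offloading, you can audit its pages for the hard-coded self-referencing URLs described above. The following Python is an added example, not Dell SonicWALL code; the sample page, the host `intranet.example.local`, and the split between markup attributes and inline code are assumptions of this example, not a description of how the SRA rewriter works.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}
ABS_URL = re.compile(r"""https?://[^\s"'<>)\\]+""", re.IGNORECASE)

# Constructed sample page; 1.1.1.1 is the backend address from the FAQ example.
SAMPLE_PAGE = """<html><body>
<a href="http://1.1.1.1/doAction.cgi?test=foo">run</a>
<a href="/doAction.cgi?test=bar">relative link, portable</a>
<img src="https://cdn.example.net/logo.png">
<form action="http://intranet.example.local/login.cgi"></form>
<button onclick="location='http://1.1.1.1/next.cgi'">next</button>
<script>
var api = "http://1.1.1.1/api/status";
</script>
</body></html>"""


class SelfReferenceScanner(HTMLParser):  # records URLs that point at the backend itself
    def __init__(self, backend_hosts):
        super().__init__(convert_charrefs=True)
        self.backend_hosts = {h.lower() for h in backend_hosts}
        self.findings = []      # (line, location, url)
        self._raw_tag = None    # set while inside <script> or <style>

    def _is_self(self, url):
        try:
            parts = urlsplit(url.strip())
        except ValueError:      # malformed URL such as a broken IPv6 literal
            return False
        host = (parts.hostname or "").lower()
        return parts.scheme in ("http", "https") and host in self.backend_hosts

    def _scan_text(self, text, line, location):
        for match in ABS_URL.finditer(text):
            if self._is_self(match.group()):
                offset = text.count("\n", 0, match.start())
                self.findings.append((line + offset, location, match.group()))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        line = self.getpos()[0]
        for name, value in attrs:
            if value and name in URL_ATTRS and self._is_self(value):
                self.findings.append((line, f"{tag}@{name}", value))
            elif value and (name.startswith("on") or name == "style"):
                self._scan_text(value, line, f"{tag}@{name} (inline code)")

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        if self._raw_tag:
            self._scan_text(data, self.getpos()[0], f"<{self._raw_tag}> body")


def find_self_references(html, backend_hosts):
    scanner = SelfReferenceScanner(backend_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `find_self_references(SAMPLE_PAGE, {"1.1.1.1", "intranet.example.local"})` reports four locations; the relative link and the third-party image are not reported. URLs found in event handlers or script bodies are the ones to convert to relative form first, since they are not plain markup attributes.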

20. Speaking of SSH, is SSHv2 supported?

Answer: Yes, this is supported in firmware 2.0 and newer.

21. Why is it required that an ActiveX component be installed?

Answer: NetExtender is installed via an ActiveX-based plug-in from Internet Explorer. Users using Firefox browsers may install NetExtender via an XPI installer. NetExtender may also be installed via an MSI installer. Download the NetExtender MSI installer from mysonicwall.com.

22. Does NetExtender support desktop security enforcement, such as AV signature file checking, or Windows registry checking?

Answer: Not at present, although these sorts of features are planned for future releases of NetExtender.

23. Does NetExtender work with the 64-bit version of Microsoft Windows?

Answer: Yes, starting with 3.0 firmware, NetExtender supports 64-bit Windows 7, Vista and XP.

24. Does NetExtender work with the 32-bit and 64-bit versions of Microsoft Windows 7?

Answer: Yes, starting with 3.0.0.9-20sv and later firmware, NetExtender supports 32-bit and 64-bit Windows 7.

25. Does NetExtender support client-side certificates?

Answer: Yes, in 3.5 and up the Windows NetExtender client supports client certificate authentication from the stand-alone client. Users can also authenticate to the SRA portal and then launch NetExtender.

26. My firewall is dropping NetExtender connections from my SonicWALL SRA as being spoofs. Why?

Answer: If the NetExtender addresses are on a different subnet than the X0 interface, a rule needs to be created for the firewall to know that these addresses are coming from the SRA appliance.

General FAQ

1. Is the SRA appliance a true reverse proxy?

Answer: Yes. HTTP, HTTPS, CIFS, and FTP are Web-based proxies, where the native Web browser is the client. VNC, RDP - ActiveX, RDP - Java, SSHv1 and Telnet use browser-delivered Java or ActiveX clients. NetExtender on Windows uses a browser-delivered client.

2. What browser and version do I need to successfully connect to the SRA appliance?

Answer: Currently supported browsers and versions are listed in Browser Requirements for the SRA Administrator and Browser Requirements for the SRA End User.

3. What needs to be activated on the browser for me to successfully connect to the SRA appliance?

Answer:

– SSLv2, SSLv3, or TLS – recommend disabling SSLv2 if possible

– Enable cookies

– Enable pop-ups for the site

– Enable Java

– Enable JavaScript

– Enable ActiveX

4. What version of Java do I need?

Answer: You will need to install Sun’s JRE 1.6.0_10 or higher (available at http://www.java.com) to use some of the features on the SRA appliance. On Google Chrome, you will need Java 1.6.0 update 10 or higher.

5. What operating systems are supported?

Answer:

– Microsoft Windows 2000 Professional SP4 and newer

– Microsoft XP, SP2 and newer

– Microsoft Vista

– Microsoft Windows 7

– Apple OSX 10.6.8 and newer

– Linux kernel 2.4.x and newer

6. Why does the ‘File Shares’ component not recognize my server names?

Answer: If you cannot reach your server by its NetBIOS name, there might be a problem with name resolution. Check your DNS and WINS settings on the SRA appliance. You might also try manually specifying the NetBIOS name to IP mapping in the “Network > Host Resolution” section, or you could manually specify the IP address in the UNC path, e.g. \\192.168.100.100\sharefolder.

Also, if you get an authentication loop or an error, is this File Share a DFS server on a Windows domain root? When creating a File Share, do not configure a Distributed File System (DFS) server on a Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so will disable access to the DFS file shares from other domains. The SRA appliance is not a domain member and will not be able to connect to the DFS shares. DFS file shares on a stand-alone root are not affected by this Microsoft restriction.

7. Does the SRA appliance have a SPI firewall?

Answer: No. It must be combined with a Dell SonicWALL security appliance or other third-party firewall/VPN device.

8. Can I access the SRA appliance using HTTP?

Answer: No, it requires HTTPS. HTTP connections are immediately redirected to HTTPS. You may wish to open both 80 and 443, as many people forget to type https:// and instead type http://. If you block 80, it will not get redirected.

9. What is the most common deployment of the SRA appliances?

Answer: One-port mode, where only the X0 interface is utilized, and the appliance is placed in a separated, protected “DMZ” network/interface of a Dell SonicWALL security appliance, such as the Dell SonicWALL TZ 180, or the Dell SonicWALL NSA appliance.

10. Why is it recommended to install the SRA appliance in one-port mode with a Dell SonicWALL security appliance?

Answer: This method of deployment offers additional layers of security control plus the ability to use Dell SonicWALL’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic.

11. Is there an installation scenario where you would use more than one interface or install the appliance in two-port mode?

Answer: Yes, when it would be necessary to bypass a firewall/VPN device that may not have an available third interface, or a device where integrating the SRA appliance may be difficult or impossible.

12. Can I cascade multiple SRA appliances to support more concurrent connections?

Answer: No, this is not supported.

13. Why can’t I log into the management interface of the SRA appliance?

Answer: The default IP address of the appliance is 192.168.200.1 on the X0 interface. If you cannot reach the appliance, try cross-connecting a system to the X0 port, assigning it a temporary IP address of 192.168.200.100, and attempt to log into the SRA appliance at https://192.168.200.1. Then verify that you have correctly configured the DNS and default route settings on the Network pages.

14. Can I create site-to-site VPN tunnels with the SRA appliance?

Answer: No, it is only a client-access appliance. If you require this, you will need a Dell SonicWALL TZ series or NSA series security appliance.

15. Can the Dell SonicWALL Global VPN Client (or any other third-party VPN client) connect to the SRA appliance?

Answer: No, only NetExtender and proxy sessions are supported.

16. Can I connect to the SRA appliance over a modem connection?

Answer: Yes. Although performance will be slow, it is usable even over a 56K connection.

17. What SSL ciphers are supported by the SRA appliance?

Answer: Starting with 4.0 firmware, Dell SonicWALL only uses HIGH security ciphers with SSLv3 and TLSv1:

– AES256-SHA

– DES-CBC3-SHA

– DHE-RSA-AES256-SHA

– EDH-RSA-DES-CBC3-SHA

18. Is AES supported in the SRA appliance?

Answer: Yes, if your browser supports it.

19. Can I expect similar performance (speed, latency, and throughput) as my IPSec VPN?

Answer: Yes, actually you may see better performance as NetExtender uses multiplexed PPP connections and runs compression over the connections to improve performance.

20. Is Two-factor authentication (RSA SecurID, etc) supported?

Answer: Yes, this is supported in the 2.0 firmware release and newer.

21. Does the SRA appliance support VoIP?

Answer: Yes, over NetExtender connections.

22. Is Syslog supported?

Answer: Yes.

23. Does NetExtender support multicast?

Answer: Not at this time. Look for this in a future firmware release.

24. Are SNMP and Syslog supported?

Answer: Syslog forwarding to up to two external servers is supported in the current software release. SNMP is supported beginning in the 5.0 release. MIBs can be downloaded from MySonicWALL.

25. Does the SRA appliance have a Command Line Interface (CLI)?

Answer: Yes, the SRA 4600, 4200, 1600, and 1200 have a simple CLI when connected to the console port. The SRA Virtual Appliance is also configurable with the CLI. The Dell SonicWALL SRA 6.0 CLI allows configuration of only the X0 interface on the Dell SonicWALL SRA appliances or SRA Virtual Appliance.

26. Can I Telnet or SSH into the SRA appliance?

Answer: No, neither Telnet nor SSH is supported in the current release of the SRA appliance software as a means of management (this is not to be confused with the Telnet and SSH proxies, which the appliance does support).

27. When controlling user access, can I apply permissions on both a domain as well as a Forest basis?

Answer: Yes, using the LDAP connector.

28. What does the Web cache cleaner do?

Answer: The Web cache cleaner is an ActiveX-based applet that removes all temporary files generated during the session, removes any history bookmarks, and removes all cookies generated during the session. It will only run on Internet Explorer 8.0 or newer.

29. Why didn’t the Web cache cleaner work when I exited the Web browser?

Answer: In order for the Web cache cleaner to run, you must click on the Logout button. If you close the Web browser using any other means, the Web cache cleaner cannot run.

30. What does the ‘encrypt settings file’ check box do?

Answer: This setting will encrypt the settings file so that if it is exported it cannot be read by unauthorized sources. Although it is encrypted, it can be loaded back onto the SRA appliance (or a replacement appliance) and decrypted. If this box is not selected, the exported settings file is clear-text and can be read by anyone.

31. What does the ‘store settings’ button do?

Answer: By default, the settings are automatically stored on a SRA appliance any time a change to programming is made, but this can be shut off if desired. If this is disabled, all unsaved changes to the appliance will be lost. This feature is most useful when you are unsure of making a change that may result in the box locking up or dropping off the network. If the setting is not immediately saved, you can power-cycle the box and it will return to the previous state before the change was made.

32. What does the ‘create backup’ button do?

Answer: This feature allows you to create a backup snapshot of the firmware and settings into a special file that can be reverted to from the management interface or from SafeMode. Dell SonicWALL strongly recommends creating a system backup right before loading new software or making significant changes to the programming of the appliance.

33. What is ‘SafeMode’?

Answer: SafeMode is a feature of the SRA appliance that allows administrators to switch between software image builds and revert to older versions in case a new software image turns out to cause issues. In cases of software image corruption, the appliance will boot into a special interface mode that allows the administrator to choose which version to boot, or load a new version of the software image.

34. How do I access the SafeMode menu?

Answer: In emergency situations, you can access the SafeMode menu by holding in the Reset button on the SRA appliance (the small pinhole button located on the front of the SRA appliances) for 12-14 seconds until the ‘Test’ LED begins quickly flashing yellow. Once the SRA appliance has booted into the SafeMode menu, assign a workstation a temporary IP address in the 192.168.200.x subnet, such as 192.168.200.100, and attach it to the X0 interface on the SRA appliance. Then, using a modern Web browser (Microsoft IE6.x+, Mozilla 1.4+), access the special SafeMode GUI using the appliance’s default IP address of 192.168.200.1. You will be able to boot the appliance using a previously saved backup snapshot, or you can upload a new version of software with the Upload New Software image button.

35. Can I change the colors of the portal pages?

Answer: This is not supported in the current releases, but is planned for a future software release.

36. What authentication methods are supported?

Answer: Local database, RADIUS, Active Directory, NT4, and LDAP.

37. I configured my SRA appliance to use Active Directory as the authentication method, but it fails with a very strange error message. Why?

Answer: The appliances must be precisely time-synchronized with each other or the authentication process will fail. Ensure that the SRA appliance and the Active Directory server are both using NTP to keep their internal clocks synchronized.

38. My Windows XP SP2 system cannot use the RDP-based connectors. Why?

Answer: You will need to download and install a patch from Microsoft for this to work correctly. The patch can be found at the following site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=17d997d2-5034-4bbb-b74dad8430a1f7c8&DisplayLang=en.

You will need to reboot your system after installing the patch.

39. I created a FTP bookmark, but when I access it, the filenames are garbled – why?

Answer: If you are using a Windows-based FTP server, you will need to change the directory listing style to ‘UNIX’ instead of ‘MS-DOS’.

40. Where can I get a VNC client?

Answer: Dell SonicWALL has done extensive testing with RealVNC. It can be downloaded at:

http://www.realvnc.com/download.html

41. Are the SRA 4600/4200/1600/1200 appliances fully supported by GMS or Analyzer?

Answer: You need SonicOS SRA 1.5.0.3 or higher for basic management by Dell SonicWALL GMS; SonicOS SRA 2.1 or higher is required for SRA Reporting in Dell SonicWALL GMS or ViewPoint.

42. Does the SRA appliance support printer mapping?

Answer: Yes, this is supported with the ActiveX-based RDP client only. The Microsoft Terminal Server RDP connector must be enabled first for this to work. You may need to install the correct printer driver software on the Terminal Server you are accessing.

43. Can I integrate the SRA appliance with wireless?

Answer: Yes, refer to the Dell SonicWALL Secure Wireless Networks Integrated Solutions Guide, available through Elsevier, http://www.elsevierdirect.com/.

44. Can I manage the appliance on any interface IP address of the SRA appliance?

Answer: Prior to 2.5 firmware: No, the appliance can only be managed using the X0’s IP address. With 2.5 firmware and later, yes, you can manage on any of the interface IP addresses.

45. Can I allow only certain Active Directory users access to log into the SRA appliance?

Answer: Yes. On the Users > Local Groups page, edit a group belonging to the Active Directory domain used for authentication and add one or more AD Groups under the AD Groups tab.

46. Does the HTTP(S) proxy support the full version of Outlook Web Access (OWA Premium)?

Answer: Yes.

47. Why are my RDP sessions dropping frequently?

Answer: Try adjusting the session and connection timeouts on both the SRA appliance and any appliance that sits between the endpoint client and the destination server. If the SRA appliance is behind a firewall, adjust the TCP timeout upwards and enable fragmentation.

48. Can I create my own services for bookmarks rather than the services provided in the bookmarks section?

Answer: This is not supported in the current release of software but may be supported in a future software release.

49. Why can’t I see all the servers on my network with the File Shares component?

Answer: The CIFS browsing protocol is limited by the server's buffer size for browse lists. These browse lists contain the names of the hosts in a workgroup or the shares exported by a host. The buffer size depends on the server software. Windows personal firewall has been known to cause some issues with file sharing even when it is stated to allow such access. If possible, try disabling such software on either side and then test again.

50. What port is the SRA appliance using for RADIUS traffic?

Answer: It uses port 1812.

51. Do the SRA appliances support the ability for the same user account to login simultaneously?

Answer: Yes, this is supported on 1.5 and newer firmware releases. On the portal layout, you can enable or disable the ‘Enforce login uniqueness’ option. If this box is unchecked, users can log in simultaneously with the same username and password.

52. Does the SRA appliance support NT LAN Manager (NTLM) Authentication?

Answer: Yes, in SRA 5.0 and later releases, backend Web servers using NTLM or Windows Integrated Authentication are supported. Single Sign-On with NTLM is also supported. NTLM support is specific to Application Offloading and/or reverse-proxy bookmarks.

SRA 3.5 and earlier do not support NTLM authentication. As a workaround, the administrator can turn on basic or digest authentication. Basic authentication specifies the username and password in clear text, but the security outside the intranet is not compromised because the SRA uses HTTPS. However, the intranet is required to be “trusted”. Digest authentication works better in this case, because the password is not sent in clear text and only an MD5 checksum that incorporates the password is sent.

53. I cannot connect to a web server when Windows Authentication is enabled. I get the following error message when I try that: ‘It appears that the target web server is using an unsupported HTTP(S) authentication scheme through the SRA, which currently supports only basic and digest authentication schemes. Please contact the administrator for further assistance.’ - why?

Answer: In SRA 3.5 and earlier releases, the HTTP proxy does not support Windows Authentication (formerly called NTLM). Only anonymous or basic authentication is supported.

54. Why do Java Services, such as Telnet or SSH, not work through a proxy server?

Answer: When the Java Service is started it does not use the proxy server. Transactions are done directly to the SRA appliance.

55. Why won’t the SSH client connect to my SSH server?

Answer: Check the version of SSH you have enabled on your server, and check the firmware release on the SRA appliance. SSHv2 support was not added until firmware 2.0 and newer. It’s possible that there is a mismatch between the two.

56. How are the F1-F12 keys handled in the Java-based SSHv1 and Telnet proxies?

Answer: The Telnet server must support function keys. If it does, the keyboard used is relevant. Currently, the Telnet proxy uses vt320 and the SSHv1 proxy uses vt100 key codes. This is the default and the SRA appliance does not support other types such as SCO-ANSI yet. This may be supported in a future firmware release.

57. There is no port option for the service bookmarks – what if these are on a different port than the default?

Answer: You can specify in the IP address box an ‘IPaddress:portid’ pair for HTTP, HTTPS, Telnet, Java, and VNC.

58. What if I want a bookmark to point to a directory on a Web server?

Answer: Add the path in the IP address box: IP/mydirectory/.

59. When I access Microsoft Telnet Server using a telnet bookmark it does not allow me to enter a user name -- why?

Answer: This is not currently supported on the appliance.

60. What versions of Citrix are supported?

Answer: Citrix Portal Bookmarks have been tested and verified to support the following Citrix Application Virtualization platforms through the Citrix Web Interface:

Servers:

– Citrix XenApp 6.0

– XenApp 5.0

– XenApp 4.5

– XenApp Server 4.5

– Presentation Server 4.0

Clients:

– Receiver for Windows 3.0 client, for Citrix ActiveX bookmarks

– Receiver for Java 10.1 client for Citrix Java bookmarks

– XenApp Plugin version 12.0.3 or earlier

– Java client version 10 or earlier

For browsers requiring Java to run Citrix, you must have Sun Java 1.6.0_10 or above.