Step-1: Creating Address Object for SSLVPN IPv4 Address Range
Step-2: SSLVPN Configuration
Step-3: Adding Users to SSLVPN Services Group
Step-4: Checking Access Rule Information for SSLVPN Zone
Step-5: Enabling HTTPS User Login on WAN Interface

Step-1: Creating Address Object for SSLVPN IPv4 Address Range
Login to the SonicWALL UTM appliance.
1) Go to Network -> Address Objects and select the Custom Address Objects radio button at the top.
2) Click Add under Address Objects to open the Add Address Object window, and create an address object for the SSLVPN lease range:
- Name: SSL VPN Range (any friendly name; you will select this same object again when configuring the SSL-VPN client settings)
- Zone: SSLVPN
- Type: Range
- Starting IP Address: 192.168.168.100
- Ending IP Address: 192.168.168.110
Note: pick a range that no DHCP scope hands out and no host uses statically; an address leased to a NetExtender client that is also in use on the LAN causes an address conflict.
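The range above is also the pool handed to NetExtender clients in Step-2, so it is worth checking before it is committed. The following script is an added example, not SonicWALL code or part of the original page; it uses the Step-1 range but assumes a LAN layout that the page does not state (LAN subnet 192.168.168.0/24, interface IP 192.168.168.168, DHCP scope 192.168.168.20-99) and assumes the common layout in which the client pool is carved out of the terminating interface's subnet. Adjust the constants to your own network.

```python
"""Sanity-check an SSL-VPN client address range before committing it.

Added example, not SonicWALL code. The LAN subnet, interface IP and DHCP
scope below are assumptions, not values from the page.
"""
import ipaddress

# Constructed values: the Step-1 range plus an assumed LAN layout.
SSLVPN_RANGE = ("192.168.168.100", "192.168.168.110")   # from Step-1
LAN_SUBNET = ipaddress.ip_network("192.168.168.0/24")    # assumption
LAN_INTERFACE_IP = ipaddress.ip_address("192.168.168.168")  # assumption
DHCP_SCOPE = ("192.168.168.20", "192.168.168.99")        # assumption


def range_networks(start, end):
    """Return the CIDR blocks that exactly cover an inclusive IPv4 range."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError("range start is after range end")
    return list(ipaddress.summarize_address_range(first, last))


def range_size(start, end):
    """Number of leases available in an inclusive range."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return int(last) - int(first) + 1


def ranges_overlap(a, b):
    """True if two inclusive (start, end) ranges share at least one address."""
    a0, a1 = (int(ipaddress.ip_address(x)) for x in a)
    b0, b1 = (int(ipaddress.ip_address(x)) for x in b)
    return a0 <= b1 and b0 <= a1


def check_client_range(vpn_range, lan_subnet, lan_ip, dhcp_scope, expected_users):
    """Return a list of findings; an empty list means the range is usable."""
    findings = []
    start, end = vpn_range
    blocks = range_networks(start, end)
    # 1. Every address must sit inside the subnet of the terminating interface.
    if not all(block.subnet_of(lan_subnet) for block in blocks):
        findings.append("range is not inside the LAN subnet")
    # 2. The interface address itself must never be leased to a client.
    if ranges_overlap(vpn_range, (str(lan_ip), str(lan_ip))):
        findings.append("range includes the LAN interface IP")
    # 3. No overlap with the DHCP scope, or clients collide with LAN hosts.
    if ranges_overlap(vpn_range, dhcp_scope):
        findings.append("range overlaps the DHCP scope")
    # 4. Enough leases for the expected number of concurrent users.
    size = range_size(start, end)
    if size < expected_users:
        findings.append(f"only {size} leases for {expected_users} users")
    return findings


if __name__ == "__main__":
    problems = check_client_range(
        SSLVPN_RANGE, LAN_SUBNET, LAN_INTERFACE_IP, DHCP_SCOPE, expected_users=10
    )
    print("range OK" if not problems else "\n".join(problems))
```

Run it once with your real subnet, interface address and DHCP scope; any finding is a reason to pick a different range before creating the address object.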

Step-2: SSLVPN Configuration
>> Server Settings
Login to the SonicWALL UTM appliance.
1) Go to SSL-VPN > Server Settings. This page allows the administrator to enable SSL VPN access on zones. From SonicOS Enhanced 5.6.x.x onwards, the SSL-VPN feature on UTM devices listens on port 4433. Please note:
- In older firmware versions the SSL-VPN Zones settings are available under the SSL-VPN > Client Settings page.
- SSL-VPN can only be connected to using interface IP addresses. By default SSL-VPN is enabled on the WAN zone and users connect to it using the WAN interface IP address. Likewise, any other zone on which it is enabled can only be reached using that zone's interface IP address.
- From 5.9.x firmware, the User Domain for SSLVPN is set on the Server Settings tab. By default it is LocalDomain; it can be renamed to anything, but the same name must then be entered when connecting (note: the User Domain is case sensitive).

- From 6.2.x firmware, the Cipher options are removed from the Server Settings tab.

>> Client Settings
The SSL VPN -> Client Settings page allows the administrator to configure the client address range information and the NetExtender client settings.
The most important settings are where the SSL-VPN will terminate (on the LAN in this case) and which IPs will be given to connecting clients. Finally, select from where users should be able to login (this will probably be the WAN, so just click on the WAN entry).
Note (new for SonicOS Enhanced 5.5 and above): NetExtender cannot be terminated on an interface that is paired to another interface using L2 Bridge Mode. This includes interfaces bridged with a WLAN interface. Interfaces that are configured with L2 Bridge Mode are not listed in the "SSLVPN Client Address Range" Interface drop-down menu. For NetExtender termination, an interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public, or Wireless zone, and also configured with the IP Assignment of "Static".
Click the Configure button on the Client Settings page to open the SSL VPN client settings window.

- From 6.2.x firmware, the SonicPoint L3 Management Default Device Profile option is added under the Client Settings tab.

---->> Settings tab
-> Zone IPv4: select SSLVPN
-> Network Address IPv4: select the address object created in Step-1 (SSL VPN Range)

---->> Client Routes tab
The Client Routes tab allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client routes are pushed to all NetExtender clients and govern which private networks and resources a remote user can reach through the SSL VPN connection.
Note: all clients receive these routes. Here you can also enable or disable "Tunnel All Mode", which forces all of the client's traffic through the tunnel (the equivalent of the "This gateway only" option when configuring GroupVPN).

---->> Client Settings tab
Enable the option Create Client Connection Profile. The NetExtender client will then create a connection profile recording the SSL VPN server name, the domain name and, optionally, the username and password. Storing the password trades a login prompt for a credential saved on the endpoint; leave it out unless the device is managed.

>> Portal Settings
The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that users log in to in order to launch NetExtender.

Step-3: Adding Users to SSLVPN Services Group
Under Users > Local Users (or Local Groups), ensure that the relevant user or user group is a member of the "SSLVPN Services" group:
Groups tab: to set up membership for an individual user, edit the user and add SSLVPN Services under the Groups tab.

Members tab:
To set up membership for a local or LDAP user group, edit the SSLVPN Services user group and add the user group under the Members tab.

VPN Access tab:
The VPN Access tab controls which networks users may reach through a VPN tunnel. Select one or more networks from the Networks list and click the right arrow button (->) to move them to the Access List. To remove a user's access to a network, select the network in the Access List and click the left arrow button (<-).

Step-4: Checking Access Rule Information for SSLVPN Zone
Under Firewall > Access Rules, note the new SSLVPN zone:

Firewall access rules are auto-created between the SSLVPN zone and the other zones. Optionally, you can modify the auto-created SSLVPN to LAN rule so that it allows access only to the users or groups that need it (a single rule with groups is recommended over multiple rules with individual users). Ignore any warning that login needs to be enabled from the SSLVPN zone.

Please note: prior to SonicOS Enhanced 5.6, the "VPN Access" list that is normally used for GVC VPNs has no effect on SSL VPN users; control their access with firewall rules instead.
Step-5: Enabling HTTPS User Login on WAN Interface
Go to Network > Interfaces, edit the WAN interface and ensure HTTPS User Login is enabled. This is the User Login checkbox, not the HTTPS Management checkbox; management of the appliance itself does not need to be reachable from the WAN for SSL VPN users to log in.

How to test this scenario:
1. Users can now browse to the public IP of the SonicWALL. Notice the new "click here for SSL login" hyperlink:

2. Users can then log in and start NetExtender:
NetExtender provides remote users with access to the protected internal network, subject to the client routes and access rules configured above. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is installed automatically on the remote user's PC by an ActiveX control when using Internet Explorer, or by the XPCOM plugin when using Firefox.
On MacOS systems, supported browsers use Java controls to install NetExtender automatically from the Virtual Office portal. Linux systems can also install and use the NetExtender client.
After installation, NetExtender launches automatically and connects a virtual adapter for secure SSL-VPN point-to-point access to permitted hosts and subnets on the internal network.
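Before telling users to browse to the appliance, it is worth checking what the SSL-VPN listener on port 4433 actually presents, since a freshly configured appliance still carries its default self-signed certificate and users who are taught to click through that warning will click through a forged one too. The script below is an added example and not SonicWALL code or part of the original page. fetch_portal_cert() does a live, verified TLS handshake to the port the page names; assess_cert() is a pure function over the dictionary shape that ssl.getpeercert() returns, and the sample certificate, the hostname vpn.example.com and the dates are constructed values.

```python
"""Check the certificate the SSL-VPN portal presents on port 4433.

Added example, not SonicWALL code. fetch_portal_cert() needs network access
and is only called from the __main__ block; assess_cert() is pure and runs
against the constructed sample below.
"""
import socket
import ssl
import sys
import time

SSLVPN_PORT = 4433        # SSL-VPN listener on SonicOS Enhanced 5.6 and later
RENEW_WITHIN_DAYS = 30    # assumption: warn this far ahead of expiry


def fetch_portal_cert(host, port=SSLVPN_PORT, timeout=5):
    """Return (cert_dict, None) after a verified handshake, or (None, reason).

    A verified handshake is required because ssl.getpeercert() only fills in
    the dict for a validated chain; the appliance's default self-signed
    certificate therefore shows up here as a verification failure.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"chain not trusted (default or self-signed cert?): {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return None, f"no usable TLS service on {host}:{port}: {exc}"


def _san_matches(names, host):
    """Exact or single-label wildcard DNS match, as browsers apply it."""
    host = host.lower()
    for kind, value in names:
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and host.count(".") >= 2 \
                and host.split(".", 1)[1] == value[2:]:
            return True
    return False


def assess_cert(cert, host, now=None):
    """Return a list of findings for a getpeercert()-style dict."""
    now = time.time() if now is None else now
    findings = []
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if subject == issuer:
        findings.append("self-signed certificate: users will learn to click through warnings")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        findings.append("certificate has expired")
    elif not_after - now < RENEW_WITHIN_DAYS * 86400:
        findings.append(f"certificate expires within {RENEW_WITHIN_DAYS} days")
    if not _san_matches(cert.get("subjectAltName", ()), host):
        findings.append(f"certificate does not cover {host}")
    return findings


# Constructed sample in the shape ssl.getpeercert() returns; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "vpn.example.com"),),
}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # assumption
    cert, problem = fetch_portal_cert(host)
    lines = [problem] if problem else assess_cert(cert, host)
    print("\n".join(lines) if lines else "portal certificate looks fine")
```

Point it at the hostname users will type, not the bare WAN address: a certificate cannot cover an IP address in the way users expect, and the hostname check above is the part that catches a default certificate that has been replaced with one for the wrong name.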
Reader Comments
I've heard this means your mobile devices will all broadcast the SSID when they start. Can anyone verify this, or whether there is malware in the wild that leverages that to pose as your home router?
About the malware: These days, anything is possible. With malware coders getting more and more advanced, you just don't know what kind of malware you might encounter in the "wild."