UTM SSL-VPN: How to setup SSL-VPN feature (NetExtender Access) ...

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=646...
Question/Title
UTM SSL-VPN: How to setup SSL-VPN feature (NetExtender Access) on SonicOS Enhanced (SonicOS 5.6 and above)
Answer/Article
Article Applies To:
Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
TZ series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200W, TZ 210, TZ 210 W, TZ 215, TZ 215 W, TZ 105, TZ 105W, TZ 205, TZ 205W
Firmware versions: Gen5 devices with SonicOS Enhanced 5.2.x.x or higher.
Services: SSL-VPN configuration embedded in SonicOS Enhanced, NetExtender configuration.
Overview / Scenario:
This article provides information on how to configure the SSL VPN features on the SonicWALL security appliance. SonicWALL’s SSL VPN features provide
secure remote access to the network using the NetExtender client.
NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on
the company’s network. It uses Point-to-Point Protocol (PPP). NetExtender allows remote clients seamless access to resources on your local network. Users
can access NetExtender two ways:
• Logging in to the Virtual Office web portal provided by the SonicWALL security appliance and clicking on the NetExtender button.
• Launching the standalone NetExtender client.
The NetExtender standalone client is installed the first time you launch NetExtender. Thereafter, it can be accessed directly from the Start menu on Windows
systems, from the Application folder or dock on MacOS systems, or by the path name or from the shortcut bar on Linux systems.
For more information, refer to: UTM - FAQ: What are the basics of SSLVPN setup on Gen5 UTM appliances running SonicOS Enhanced 5.2?
Procedure:
Step 1. Log in to the SonicWALL UTM appliance and go to the SSL-VPN > Server Settings page, which allows the administrator to enable SSL VPN access on zones. From
SonicOS Enhanced 5.6.x.x onwards, the SSL-VPN feature on UTM devices uses port 4433.
Please Note:
In older firmware versions the SSL-VPN Zones settings are available under SSL-VPN > Client Settings page.
SSL-VPN can only be connected using interface IP addresses. By default SSL-VPN is enabled on the WAN zone and users can connect to it using the WAN interface IP address. The same
applies to other zones: if SSL-VPN is enabled on them, users can connect only by using the interface IP address.
The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office
portal is the website that users log in to in order to launch NetExtender.
1/12/2013 11:46 PM
Step 2. Configure the SSL VPN > Client Settings.
The SSL VPN > Client Settings page allows the administrator to configure the client address range information and NetExtender client settings.
The most important settings are where the SSL-VPN will terminate (e.g. on the LAN in this case) and which IPs will be given to connecting clients. Finally, select
the zone from which users should be able to log in (this will probably be the WAN, so just click on the WAN entry):
Note (New for SonicOS Enhanced 5.5 and above): NetExtender cannot be terminated on an interface that is paired to another interface using L2 Bridge
Mode. This includes interfaces bridged with a WLAN interface. Interfaces that are configured with L2 Bridge Mode are not listed in the "SSLVPN Client Address
Range" Interface drop-down menu. For NetExtender termination, an interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public,
or Wireless zone, and also configured with the IP Assignment of "Static".
Screenshot from SonicOS Enhanced 5.5
Screenshot from SonicOS Enhanced 5.6
Configuring NetExtender Client Settings:
Enable the option Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the
Domain name and optionally the username and password.
Step 3. The SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client
routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access via the SSL VPN
connection.
Note: All clients can see these routes. Also, here you may enable/disable “Tunnel All Mode” (this is the equivalent of “This gateway only” option while
configuring GroupVPN).
Step 4. Under Users > Local users, ensure that the relevant user or user group is a member of the “SSLVPN Services” group:
Groups Tab: To set up membership for individual users.
Members Tab: To set up membership for a local or LDAP user group, edit the SSLVPN Services user group and add the user group under the Members tab.
VPN Access Tab:
The VPN Access tab allows users to access networks using a VPN tunnel. Select one or more networks from the Networks list and click the arrow
button -> to move them to the Access List. To remove the user’s access to a network, select the network from the Access List, and click the left arrow
button <-.
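An added example, not part of the original article and not SonicWALL tooling: a Python audit that compares the global client routes from Step 3 with each user's VPN Access list from Step 4. The addresses and user names are constructed, and the model (a network is usable only when a client route carries it into the tunnel and the VPN Access list permits it, as on SonicOS Enhanced 5.6 and above) is an assumption.

```python
from ipaddress import ip_network

# Constructed sample data, not exported from a real appliance.
CLIENT_ROUTES = ["192.168.10.0/24", "10.20.0.0/16"]   # SSL VPN > Client Routes
VPN_ACCESS = {                                         # per-user VPN Access lists
    "alice": ["192.168.10.0/24", "10.20.0.0/16"],
    "bob":   ["192.168.10.0/24"],
    "carol": ["192.168.10.0/24", "172.16.5.0/24"],
}

def audit_sslvpn_access(client_routes, vpn_access, tunnel_all=False):
    """Report, per user, mismatches between pushed routes and VPN Access.

    exposed_routes:  routes every client sees that the user's VPN Access
                     list does not fully cover (topology disclosed without
                     a matching permission).
    unrouted_access: permitted networks that no client route carries into
                     the tunnel (permission that cannot be used in
                     split-tunnel mode).
    """
    routes = [ip_network(r) for r in client_routes]
    report = {}
    for user, nets in vpn_access.items():
        allowed = [ip_network(n) for n in nets]
        exposed = [str(r) for r in routes
                   if not any(r.subnet_of(a) for a in allowed)]
        if tunnel_all:
            # Tunnel All Mode sends all client traffic into the tunnel,
            # so no permitted network is left without a route.
            unrouted = []
        else:
            unrouted = [str(a) for a in allowed
                        if not any(a.subnet_of(r) for r in routes)]
        report[user] = {"exposed_routes": exposed,
                        "unrouted_access": unrouted}
    return report

if __name__ == "__main__":
    for user, findings in audit_sslvpn_access(CLIENT_ROUTES, VPN_ACCESS).items():
        print(user, findings)
```

A non-empty `exposed_routes` entry reflects the note in Step 3 that all clients can see the client routes, even for users whose VPN Access list is narrower.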
Step 5. Under Firewall > Access Rules, note the new SSLVPN zone:
Step 6. Firewall access rules are auto-created from and to the SSLVPN zone from other zones. Optionally, you can modify the auto-created SSLVPN to LAN
rule to allow access only to those users that are configured (a single rule with groups is recommended rather than multiple rules with individual
users). Ignore any warning that login needs to be enabled from the SSLVPN zone.
Please note: Prior to SonicOS Enhanced 5.6, the “VPN access list” that we normally use for GVC VPNs has no effect. You can control access using the firewall
rules:
Step 7. Go to the WAN interface and ensure HTTPS user login is enabled:
How to Test this Scenario:
1. Users can now go to the public IP of the SonicWALL. Notice the new “click here for SSL login” hyperlink:
2. Users can then log in and start NetExtender:
NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec
VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote
user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox.
On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install
and use the NetExtender client.
After installation, NetExtender automatically launches and connects a virtual adapter for secure
SSL-VPN point-to-point access to permitted hosts and subnets on the internal network.
See Also:
SSL-VPN: Installing NetExtender using Mozilla Firefox browser
SSL-VPN: Installing NetExtender using the Internet Explorer (IE) browser
SSL-VPN: Installing NetExtender on MacOS (Macintosh Computers)
SSL-VPN: Installing and Using NetExtender on Linux
Related Items
UTM - FAQ: What are the basics of SSLVPN setup on Gen5 UTM appliances running SonicOS Enhanced 5.2?
UTM SSL-VPN: How to create a profile for SSL-VPN clients and connect from the NetExtender Client automatically
UTM SSL-VPN: Unable to save username and password on UTM SSL VPN Netextender client
UTM and SMB SSL-VPN: How To Configure SSLVPN Enforcement
UTM SSL-VPN: Error "Server is busy, please try it later!" when downloading NetExtender
KBID: 6461
Date Modified: 5/9/2012
Date Created: 3/23/2009