
SonicWall Management Services SSL VPN Setup Administration

Contents

About SSL VPN
    About SSL VPN NetExtender
        What is SSL VPN NetExtender?
        Benefits of SSL VPN NetExtender
        NetExtender Concepts
    Configuring Users for SSL VPN Access
        Configuring SSL VPN Access for Local Users
Configuring SSL VPN Server Behavior
    SSL VPN Status on Zones
    SSL VPN Server Settings
        About Suite B Cryptography
        Configuring the SSL VPN Server
    RADIUS User Settings
    SSL VPN Client Download URL
Configuring the Virtual Office Web Portal
    Portal Settings
    Portal Logo Settings
Configuring SSL VPN Client Settings
    Biometric Authentication
    Configuring Client Settings
        Creating an Address Object for the NetExtender Range
        Configuring the Default Device Profile
        Configuring the SonicPoint L3 Management Default Device Profile
Configuring SSL VPN Client Routes
    Configuring Tunnel All Mode
    Adding Client Routes
Configuring Virtual Office
    Enabling Plugin DLLs
    Creating Bookmarks with Custom SSO Credentials
    Using Remote Desktop Bookmarks
SonicWall Support
    About This Document

1 About SSL VPN

This section provides information on how to configure the SSL VPN features on the SonicWall network security appliance. SonicWall’s SSL VPN features provide secure remote access to the network using the NetExtender client.

NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on the company’s network. It uses Point-to-Point Protocol (PPP). NetExtender allows remote clients seamless access to resources on your local network. Users can access NetExtender two ways:

• Logging in to the Virtual Office web portal provided by the SonicWall network security appliance and clicking on the NetExtender button.
• Launching the standalone NetExtender client.

The NetExtender standalone client is installed the first time you launch NetExtender. Thereafter, it can be accessed directly from the Start menu on Windows systems, from the Application folder or dock on MacOS systems, or by the path name or from the shortcut bar on Linux systems.

Topics:
• About SSL VPN NetExtender
• Configuring Users for SSL VPN Access

About SSL VPN NetExtender

This section provides an introduction to the SSL VPN NetExtender feature as managed within the SonicWall Management Service.

Topics:
• What is SSL VPN NetExtender?
• Benefits of SSL VPN NetExtender
• NetExtender Concepts

What is SSL VPN NetExtender?

SonicWall’s SSL VPN NetExtender feature is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.

Benefits of SSL VPN NetExtender

NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plug-in when using Firefox. On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install and use the NetExtender client.

After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL VPN point-to-point access to permitted hosts and subnets on the internal network.

NetExtender Concepts

The following sections describe advanced NetExtender concepts:
• Stand-Alone Client
• Client Routes
• Tunnel All Mode
• Connection Scripts
• Proxy Configuration

Stand-Alone Client

NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer first uninstalls the old NetExtender and installs the new version.

After the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.

Client Routes

NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources.

Tunnel All Mode

Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Tunnel All Mode Routes
IP Address    Subnet .0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.

Tunnel All mode is configured on the SSL VPN Client Routes page.

Connection Scripts

SonicWall SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.

Proxy Configuration

SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.

NetExtender provides three options for configuring proxy settings:
• Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD) that can push the proxy settings script to the client automatically.
• Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
• Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window prompts you to enter them when you first connect.

When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SonicWall security appliance directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.

Configuring Users for SSL VPN Access

For users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group. Users who attempt to log in through the Virtual Office who do not belong to the SSLVPN Services group are denied access.

NOTE: Complete instructions for installing NetExtender on a SonicWall appliance can be found in How to setup SSL-VPN feature (NetExtender Access) on SonicOS 5.9 & above (SW10657) in the Knowledge Base.

VIDEO: The video, How to configure SSL VPN, also explains the procedure for configuring NetExtender.

The maximum number of SSL VPN concurrent users for each SonicWall network security appliance model supported is shown in Maximum number of concurrent SSL VPN users.

Maximum Number of Concurrent SSL VPN Users

SonicWall appliance model    Maximum concurrent SSL VPN connections
SM 9800                      3000
SM 9600                      3000
SM 9400                      3000
SM 9200                      3000
NSA 6600                     1500
NSA 5600                     1000
NSA 4600                     500
NSA 3600                     350
NSA 2600                     250
TZ600                        200
TZ500/TZ500 W                150
TZ400/TZ400 W                100
TZ300/TZ300 W                50
SOHO W                       50

Configuring SSL VPN Access for Local Users

To configure users in the local user database for SSL VPN access, you must add the users to the SSLVPN Services user group.

To configure SSL VPN access for local users:
1 Navigate to the Users > Local Users page.
2 Click the Configure icon for the user you want to edit, or click Add User to create a new user. The Edit User or Add User dialog displays.
3 Click the Groups tab.
4 In the User Groups column, click on SSLVPN Services.
5 Click the Right Arrow button to move it to the Member Of column.
6 Click the VPN Access tab. The VPN Access tab configures which network resources VPN users (GVC, NetExtender, or Virtual Office bookmarks) can access.
  NOTE: The VPN Access tab affects the ability of remote clients using GVC, NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the Access List on the VPN Access tab.
7 Select one or more network address objects or groups from the Networks list and click the Right Arrow button to move them to the Access List column.
  To remove the user’s access to network address objects or groups, select the network from the Access List, and click the Left Arrow button.
8 Click OK.

2 Configuring SSL VPN Server Behavior

The SSL VPN Server Settings page is used to configure details of the SonicWall security appliance’s behavior as an SSL VPN server.

The server settings are configurable with IPv4 and IPv6 addresses. The configurations for both are nearly identical.

Topics:
• SSL VPN Status on Zones
• SSL VPN Server Settings
• RADIUS User Settings
• SSL VPN Client Download URL

SSL VPN Status on Zones

This section displays the SSL VPN Access status on each zone:
• Green indicates active SSL VPN status.
• Red indicates inactive SSL VPN status.

To enable or disable SSL VPN access on a zone, click on the Network > Zones link to jump to the Edit Zone window.

SSL VPN Server Settings

Topics:
• About Suite B Cryptography
• Configuring the SSL VPN Server

About Suite B Cryptography

The Management Service supports Suite B cryptography, which is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It serves as an interoperable cryptographic base for both classified and unclassified information. Suite B cryptography is approved by National Institute of Standards and Technology (NIST) for use by the U.S. Government.

NOTE: There is also a Suite A that is defined by the NSA, but is used primarily in applications where Suite B is not appropriate.

Most of the Suite B components are adopted from the FIPS standard:
• Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits (provides adequate protection for classified information up to the SECRET level).
• Elliptic Curve Digital Signature Algorithm (ECDSA) - digital signatures (provides adequate protection for classified information up to the SECRET level).
• Elliptic Curve Diffie-Hellman (ECDH) - key agreement (provides adequate protection for classified information up to the SECRET level).
• Secure Hash Algorithm 2 (SHA-256 and SHA-384) - message digest (provides adequate protection for classified information up to the TOP SECRET level).

Configuring the SSL VPN Server

The following settings configure the SSL VPN server:
• SSL VPN Port - Enter the SSL VPN port number in the field. The default is 4433.
• Certificate Selection – From this drop-down menu, select the certificate that will be used to authenticate SSL VPN users. The default method is Use Self signed Certificate.
  To manage certificates, go to the System > Certificates page.
  NOTE: On NSA 2600 and above appliances, you can configure Suite B mode and specify cipher preferences in the following two settings.
• User Domain – Enter the user’s domain, which must match the domain field in the NetExtender client. The default is LocalDomain.
• Enable Web Management over SSL VPN – To enable web management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.
• Enable SSH Management over SSL VPN – To enable SSH management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.
• Inactivity Timeout (minutes) – Enter the number of minutes of inactivity before logging out the user. The default is 10 minutes.

RADIUS User Settings

NOTE: This option is only available when either RADIUS or LDAP is configured to authenticate SSL VPN users.

Select the Use RADIUS in checkbox to have RADIUS use MSCHAP (or MSCHAPv2) mode. Enabling MSCHAP mode RADIUS allows users to change expired passwords at login time. Choose between these two modes:
• MSCHAP
• MSCHAPv2

NOTE: In LDAP, password updates can only be done when using either Active Directory with TLS and binding to it using an administrative account or Novell eDirectory.

If this option is set when is selected as the authentication method of log in on the Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for SSL VPN users are performed using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

SSL VPN Client Download URL

This section allows you to download client SSL VPN files to your HTTP server.

Select the Use customer’s HTTP server as downloading URL: (http://) checkbox to enter your SSL VPN client download URL in the supplied field.

3 Configuring the Virtual Office Web Portal

The SSL VPN Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that users log in to in order to launch NetExtender. It can be customized to match any existing company website or design style.

IPv4 and IPv6 IP addresses are accepted/displayed in the Portal Settings screen.

Topics:
• Portal Settings
• Portal Logo Settings

Portal Settings

These options customize what the user sees when attempting to log in:
• Portal Site Title - Enter the text displayed in the top title of the web browser in this field. The default is SonicWall - Virtual Office.
• Portal Banner Title - Enter the text displayed next to the logo at the top of the page in this field. The default is Virtual Office.
• Home Page Message - Enter the HTML code that is displayed above the NetExtender icon. To:
  • See how the message displays, click the Preview button to launch a pop-up window that displays the HTML code.
  • Revert to the default message, click the Example Template button to launch a pop-up window that displays the HTML code.
• Login Message - The HTML code that is displayed when users are prompted to log in to the Virtual Office. To:
  • See how the message displays, click the Preview button to launch a pop-up window that displays the HTML code.
  • Revert to the default message, click the Example Template button to launch a pop-up window that displays the HTML code.

The following options customize the functionality of the Virtual Office portal:
• Launch NetExtender after login - Select to launch NetExtender automatically after a user logs in. This option is not selected by default.

• Display Import Certificate Button - Select to display an Import Certificate button on the Virtual Office page. This initiates the process of importing the firewall’s self-signed certificate onto the web browser. This option is not selected by default.
  NOTE: This option only applies to the Internet Explorer browser on PCs running Windows when Use Selfsigned Certificate is selected from the Certificate Selection drop-down menu on the SSL VPN Server Settings page.
• Enable HTTP meta tags for cache control (recommended) - Select to insert into the browser HTTP tags that instruct the web browser not to cache the Virtual Office page. This option is not selected by default.
  NOTE: SonicWall recommends enabling this option.
• Display UTM management link on SSL VPN portal (not recommended) – Select to display the SonicWall appliance’s management link on the SSL VPN portal. This option is not selected by default.
  NOTE: SonicWall does not recommend enabling this option.
• Example Template - Resets the Home Page Message and Login Message fields to the default example template.
• Preview - Launch a pop-up window that displays the HTML code.

Portal Logo Settings

This section allows you to customize the logo displayed at the top of the Virtual Office portal:
• Default Portal Logo – Displays the default portal logo.
• Use Default SonicWall Logo – Select to use the SonicWall logo supplied with the appliance. This option is not selected by default.
• Customized Logo (Input URL of the Logo) — The Customized Logo field is used to display a logo other than the SonicWall logo at the top of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo must be in GIF format of size 155 x 36, and a transparent or light background is recommended.
  TIP: The logo must be in GIF format of size 155 x 36; a transparent or light background is recommended.

4 Configuring SSL VPN Client Settings

The SSL VPN Client Settings page allows you to edit the Default Device Profile to enable SSL VPN access on zones, configure client routes, and configure the client DNS and NetExtender settings. The SSL VPN Client Settings page displays the configured IPv4 and IPv6 network addresses and zones that have SSL VPN access enabled.

You can also edit the SonicPoint Layer 3 Management Default Device Profile on this page.

NetExtender IP address ranges are configured by first creating an address object for the NetExtender IP address range, and then using this address object when configuring one of the Device Profiles. See Creating an Address Object for the NetExtender Range.

Topics:
• Biometric Authentication
• Configuring Client Settings

Biometric Authentication

IMPORTANT: To use this feature, ensure that Mobile Connect 4.0 or higher is installed on the mobile device, and configure it to connect with the firewall.

The Management Service introduces support for biometric authentication in conjunction with SonicWall Mobile Connect. Mobile Connect is an app that allows users to securely access private networks from a mobile device. Mobile Connect 4.0 supports using finger touch for authentication as a substitute for username and password.

The Management Service provides configuration settings on the SSL VPN Client Settings page to allow this method of authentication when using Mobile Connect to connect to the firewall.

After configuring biometric authentication on the SSL VPN Client Settings page, on the client smart phone or other mobile device, enable Touch ID (iOS) or Fingerprint Authentication (Android).

Configuring Client Settings

The following tasks are configured on the SSL VPN Client Settings page:
• Creating an Address Object for the NetExtender Range
• Configuring the Default Device Profile

NOTE: For how to configure SSL VPN settings for SonicPoint management over SSL VPN, see Configuring SonicPoint Management over SSL VPN.

Creating an Address Object for the NetExtender Range

You can create address objects for both an IPv4 address range and an IPv6 address range to be used in the SSL VPN Client Settings configuration.

The address range configured in the address object defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support plus one (for example, the range for 15 users requires 16 addresses, such as 192.168.168.100 to 192.168.168.115).

NOTE: In cases where there are other hosts on the same segment as the SSL VPN appliance, the address range must not overlap or collide with any assigned addresses.

To create an address object for the NetExtender IP address range:
1 Navigate to the Firewall > Address Objects page.
2 Click Add New Address Object. The Add Address Object dialog displays.
3 For Name, type in a descriptive name for the address object.
4 For Zone Assignment, select SSLVPN from the drop-down list.
5 For Type, select Range. The dialog changes, adding starting and ending IP addresses.
6 In the Starting IP Address field, type in the lowest IP address in the range you want to use.
  NOTE: The IP address range must be on the same subnet as the interface used for SSL VPN services.
7 In the Ending IP Address field, type in the highest IP address in the range you want to use.
8 Click Add. When the address object has been added, a message displays.
9 Optionally, repeat Step 3 through Step 8 to create an address object for an IPv6 address range.
10 Click Close.

Configuring the Default Device Profile

Edit the Default Device Profile to select the zones and NetExtender address objects, configure client routes, and configure the client DNS and NetExtender settings.

SSL VPN access must be enabled on a zone before users can access the Virtual Office web portal. SSL VPN Access can be configured on the Network > Zones page by clicking the Configure icon for the zone.

NOTE: For the Management Service to terminate SSL VPN sessions, HTTPS for Management or User Login must be enabled on the Network > Interfaces page, in the Edit Interface dialog for the WAN interface.

Topics:
• Configuring the Settings tab
• Configuring the Client Routes Tab
• Configuring the Client Settings tab
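
The three rules given under Creating an Address Object for the NetExtender Range (maximum users plus one, same subnet as the SSL VPN interface, no overlap with assigned addresses) can be checked before the address object is created. The following is an added example, not part of the SonicWall guide; the function names are hypothetical, and the interface address 192.168.168.1/24 and the host at 192.168.168.110 are constructed for illustration.

```python
import ipaddress


def required_end(start, max_users):
    """Last address of the smallest range that holds max_users plus one."""
    return str(ipaddress.ip_address(start) + max_users)


def check_pool(start, end, max_users, interface, assigned=()):
    """Check a NetExtender range against the guide's three rules.

    start, end  -- Starting IP Address and Ending IP Address of the range
    max_users   -- maximum concurrent NetExtender users to support
    interface   -- address/prefix of the interface used for SSL VPN services
    assigned    -- addresses already in use on that segment
    Returns a list of (code, detail) tuples; an empty list means no problem.
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    iface = ipaddress.ip_interface(interface)
    if not (first.version == last.version == iface.version):
        return [("version", "start, end and interface must share one IP version")]
    if last < first:
        return [("order", f"ending IP {last} is below starting IP {first}")]

    problems = []

    # Rule 1: the range must hold the maximum concurrent users plus one.
    size = int(last) - int(first) + 1
    needed = max_users + 1
    if size < needed:
        problems.append(("too-small",
                         f"{size} addresses, {needed} needed; "
                         f"end at {required_end(start, max_users)} or later"))

    # Rule 2: the range must be on the same subnet as the SSL VPN interface.
    net = iface.network
    if first not in net or last not in net:
        problems.append(("subnet", f"{first}-{last} is not inside {net}"))

    # Rule 3: no overlap with assigned addresses. The interface's own address
    # always counts; on IPv4 the network and broadcast addresses do as well.
    taken = {ipaddress.ip_address(a) for a in assigned}
    taken.add(iface.ip)
    if net.version == 4 and net.prefixlen < 31:
        taken.update({net.network_address, net.broadcast_address})
    hits = sorted(a for a in taken
                  if a.version == first.version and first <= a <= last)
    if hits:
        problems.append(("overlap", ", ".join(str(a) for a in hits)))
    return problems


if __name__ == "__main__":
    iface = "192.168.168.1/24"  # constructed interface address
    cases = [
        # The guide's own example: 15 users, 16 addresses.
        ("192.168.168.100", "192.168.168.115", 15, ()),
        # One more user than the range can hold.
        ("192.168.168.100", "192.168.168.115", 16, ()),
        # A constructed host already assigned inside the range.
        ("192.168.168.100", "192.168.168.115", 15, ("192.168.168.110",)),
    ]
    for start, end, users, used in cases:
        result = check_pool(start, end, users, iface, used)
        print(start, end, users, result or "OK")
```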

Configuring the Settings tab

To configure the Settings tab of the Default Device Profile:
1 Navigate to the Default Device Profile section of the SSL VPN Client Settings page.
2 Click the Configure button for the Default Device Profile. The Edit Device Profile dialog displays.
  NOTE: The Name and Description of the Default Device Profile cannot be changed.
3 For the zone binding for this profile, on the Settings tab, select SSLVPN or a custom zone from the Zone IPV4 drop-down menu.
4 From the Network Address IP V4 drop-down menu, select the IPv4 NetExtender address object that you created. See Creating an Address Object for the NetExtender Range for instructions. This setting selects the IP Pool and zone binding for this profile. The NetExtender client gets the IP address from this address object if it matches this profile.
5 Select SSLVPN or a custom zone from the Zone IP V6 drop-down menu. This is the zone binding for this profile.
6 From the Network Address IP V6 drop-down menu, select the IPv6 NetExtender address object that you created.
7 Click the Client Routes tab to proceed with the client settings configuration. See Configuring the Client Routes Tab.
8 To save settings and close the dialog, click OK.

Configuring the Client Routes Tab

The Client Routes tab allows you to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access via the SSL VPN connection.

The following tasks are configured on the Client Routes tab:
• Configuring Tunnel All Mode
• Adding Client Routes

Configuring Tunnel All Mode

Select Enabled from the Tunnel All Mode drop-down menu to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Routes to be Added to Client’s Route Table
IP Address    Subnet .0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.

NOTE: To configure Tunnel All Mode, you must also configure an address object for 0.0.0.0, and assign SSL VPN NetExtender users and groups to have access to this address object.

To configure SSL VPN NetExtender users and groups for Tunnel All Mode:
1 Navigate to the Users > Local Users or Users > Local
