Sonicwall AVENTAIL 10.5.1 GETTING STARTED GUIDE
10.5.1 Getting Started GuideSonicWALL / Aventail Secure Remote Access
Thank You
®
For Selecting SonicWALL
SonicWALL offers a wide range of high performance network securit y , content security
for Web and e-mail security, secure remote access, continuous data protection, and
management and reporting solutions. To take a deeper look at all the SonicWALL
solutions please visit http://www.sonicwall.com/products/. To ensure the optimal
performance and operation, visit https://www.mysonicwall.com to register your
appliance and download the latest firmware, product documentation, and release
notes.
Protection.
E-Class Support 24x7
In case you need assistance, contact our Global Support Center at the numbers listed
here: http://www.sonicwall.com/us/support/contact.html. Have the serial number of
your appliance available so that we can validate your contr act and begin resolving any
issues you may have.
If you are located in the Americas or Asia Pacific:
Call our toll-free Enterprise Support phone number at 1-866-360-1949 (your call will
be transferred to SonicWALL's E-Class Technical Support team), or contact us at
E-ClassSupport@SonicWALL.com.
If you are located in Europe, the Middle East, or Africa:
Call the phone number listed for your country, and then select the “Enterprise
Support” option when prompted so that your call is transferred to our Enterprise
Technical Support team.
SonicWALL Aventail E-Class SRA Getting Started Guide | i
Table of Contents
Registering and Licensing Your Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction to SonicWALL Aventail Secure Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Key SSL VPN Concepts and SonicWALL Aventail Features . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Communities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Access Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
End Point Control (EPC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
SSL and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Higher Availability and Capacity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Sharing Configuration Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Role-Based Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
System Monitoring and Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
SonicWALL Aventail Secure Remote Access Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Client Components and Access Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
End Point Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Virtual Assist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Administrator Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Chapter 2
Planning Your VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Who Will Access Your VPN? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
What Types of Resources Should Users Have Access To? . . . . . . . . . . . . . . . . . . . . . . . . . . .20
How Will Users Access Your Resources? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Security Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Defining Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Managing Access Control with an Access Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
End Point Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Advanced EPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Putting It All Together: Using Realms and Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Chapter 3
Preparing for Installation and Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Step 1: Make a note of your serial number and authentication code. . . . . . . . . . . . . . . . . 33
Step 2: Rack-mount the appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
ii | Table of Contents
Step 3: Connect the appliance and turn it on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Step 4: Enter basic network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Step 5: Run Setup Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Step 6: Connect to the Aventail Management Console (AMC) . . . . . . . . . . . . . . . . . . . . .36
Step 7: Create a MySonicWALL Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Verifying Your Firewall Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Deployment Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Deploying Aventail WorkPlace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Deploying the SonicWALL Aventail Access Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Deploying an End Point Control Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Chapter 4
Common VPN Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Deployment Scenario: Remote Access for Employees and Partners . . . . . . . . . . . . . . . . . . . .43
Establishing an Authentication Realm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Identifying Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Adding Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Creating Zones of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Customizing WorkPlace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Creating an Employee Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Creating a Partner Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Testing the Deployment Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Other Remote Access VPN Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Providing Access to Web Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Web-Based File Access to Entire Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Remote Access for Mobile Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Additional Partner VPN Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Access to a Specific Web Resource Using an Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Web-based Access to a Client/Server Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
End Point Control Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Quarantining Employees on Untrusted Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Secure Desktop Emulator for Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Denying Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Access Policy Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Application-Specific Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Providing Access to Outlook Web Access (OWA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Providing Access to Voice Over IP (VoIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Providing Access to Windows Terminal Services or Citrix Resources . . . . . . . . . . . . . . . . .68
Authentication Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Using Multiple Realms vs. a Single Real m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Access Component Provisioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Deploying the Same Agents to All Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Deploying Different Agents to Different Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
SonicWALL Aventail E-Class SRA Getting Started Guide | iii
Chapter 5
Safety and Regulatory Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Safety Information for E-Class SRA EX6000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Lithium Battery Warning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Sicherheit Information für das E-Class SRA EX6000 Gerät. . . . . . . . . . . . . . . . . . . . . . . . . . .73
Hinweis zur Lithiumbatterie. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Kabelverbindungen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Safety Information for E-Class SRA EX7000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Lithium Battery Warning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Sicherheit Information für das E-Class SRA EX7000 Gerät. . . . . . . . . . . . . . . . . . . . . . . . . . .77
Hinweis zur Lithiumbatterie. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Kabelverbindungen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
FCC Part 15 Class A Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
iv | Table of Contents SonicWALL Aventail E-Class SRA Getting Started Guide | v
Registering and Licensing Your Appliance
Before getting started with the installation of your SonicWALL Aventail
appliance, you must follow these steps, which are described in more detail
below:
z Create a MySonicWALL account, if you don't already have one. Y ou nee d
an account in order to register your SonicWALL Aventail E-Class SRA.
Note: MySonicWALL registration information is not sold or shared with
any other company.
z Register your device on MySonicWALL. Registration provides access to
essential resources, such as your license file, firmware updates,
documentation, and technical support information.
z Use your MySonicWALL account to retrieve the license file for your
SonicWALL Aventail E-Class SRA.
z Import your license file using the Aventail Management Console (AMC).
Creating a MySonicWALL Account
To create a MySonicWALL account, just complete the online registration:
1. In your Web browser, go to https://www.mysonicwall.com.
2. On the user login page, follow the link for users who are not yet
registered.
3. Enter your account information, personal information, and preferences,
and then click Submit. Be sure to use a valid email address.
4. Follow the prompts to finish creating your account. SonicWALL will send
a subscription code to the email address you entered in step 3.
5. When you return to the login screen, log in with your new username and
password.
6. Confirm your account by entering the subscription code you received by
email.
vi | Registering and Licensing Your Appliance
You have now created and logged into your MySonicWALL account. Your next
steps are to register your appliance and retrieve its lice nse file.
Appliance Registration for New Users
To register your appliance, log in to your MySonicWALL account:
1. In your Web browser, go to https://www.mysonicwall.com and log in
with your username and password.
2. Locate your software serial number and authentication code, which
you’ll find in one or both of these places, depending on your appliance
model:
{
Printed on your appliance label
{
Displayed on the General Settings page once you complete setup
and start the Aventail Management Console
3. Enter a friendly name for this appliance.
4. Click Register to continue and follow the online prompts to fill out the
survey and complete the registration process.
The serial number and authentication code are also displayed in the Aventail
Management Console (AMC) once you connect to your appliance. Click
General Settings in AMC, and then go to the Licensing area. Printed
instructions for getting connected and initial system configuration are
included in your product box.
Retrieving Your SonicWALL Aventail License
To retrieve the license file for your appliance, log in to your MySonicWALL
account:
1. In your Web browser, go to https://www.mysonicwall.com/, log in with
your username and password, and then click the link for the appliance
that requires a license.
2. On the Service Management page, follow the link for the license file.
3. Save the license file (.xml) to your computer. After you get your
appliance up and running you must import this license file using the
Aventail Management Console.
SonicWALL Aventail E-Class SRA Getting Started Guide | vii
Importing Your SonicWALL Aventail License
You can retrieve an initial user license from MySonicWALL that is valid for one
user (the administrator plus one end user) for an unlimited number of days.
To become familiar with the Aventail Management Console (AMC) and test it
in your environment with additional users, request a lab license.
After initial setup and testing, download your appliance license file from
https://www.mysonicwall.com and then import it to the appliance. The
number of concurrent users supported with your appliance license varies,
depending on the appliance model you have:
z SRA EX7000 and EX-2500—For up to 2,000 concurrent users; can be
used in an HA pair
z SRA EX6000 and EX-1600—For up to 250 users; can be used in an HA
pair
z SRA EX-750—For up to 50 users
The process for importing an appliance license file is described in detail in the
online help for the Aventail Management Console (AMC). Briefly, the steps
are as follows:
1. From the main navigation menu in AMC, click General Settings, and
then click the Edit link in the Licensing area. The Manage Licenses
page appears.
2. Click Import License.
3. In the License file box, type the path for the license file you retrieved
from your MySonicWALL account, or click Browse to locate it.
4. Click Upload, and then apply the change by clicking the Pending
changes link in the upper-right corner.
Note: When you upload a Spike License, the countdown of the number
of days it is valid begins once you activate it and apply the pending
change in AMC. Don't click the Activate link until you are ready to start
using it.
viii | Registering and Licensing Your Appliance
SonicWALL Aventail E-Class SRA Getting Started Guide | 1
Chapter 1
Introduction
This chapter provides a brief overview of the features of the SonicWALL
Aventail SSL VPN appliance and some of the key concepts associated with a
virtual private network. For detailed information and step-by-step
procedures describing how to install and configure the appliance, see the
separate Installation and Administration Guide or online help for the A ventail
Management Console (AMC).
Introduction to SonicWALL Aventail Secure Remote Access
The SonicWALL Aventail appliance provides secure remote access—to Web
applications, client/server applications, and file shares—to employees,
business partners, and customers. All traffic is encrypted using Secure
Sockets Layer (SSL) to protect it from unauthorized users.
The appliance makes applications available using different access methods
and devices on a wide range of platforms, including Windows, Macintosh, and
Linux. You might use the appliance to:
z Create a remote access VPN that gives remo te employees secu re access
to private company applications such as email.
z Create a business partner VPN that provides designated suppliers with
access to an internal supply chain application.
2 | Chapter 1 - Introduction
Aventail WorkPlace
Kiosk
users
Business
partners
Teleworkers
PDA
smartphone
users
Windows
servers
Windows
desktops
Branch office
applications
Wireless
LANs
Internal
users
IT-managed
devices
Windows Mobile-powered devices
Web-based
applications
File shares
Thin client/server
applications
Traditional client/
server applications
As the administrator , you determine the resources that users have access to,
and the SSL VPN transparently and dynamically uses the access methods
appropriate for those resources.
Key SSL VPN Concepts and SonicWALL Aventail Features
The appliance’s access control enables you to define policy and control access
in broad or very specific terms. To increase efficiency, the appliance is
managed from a Web-based management console. With the Aventail
Management Console (AMC), you can configure the appliance from a
standard Web browser, and centrally manage and distribute policy.
This section describes the essential concepts that you should become familiar
with before installing, configuring, and managing the SonicWALL Aventail
SRA appliance.
SonicWALL Aventail E-Class SRA Getting Started Guide | 3
Resources
The appliance manages a wide variety of corporate resources in three main
categories:
z Web resources—Applications or services that run over the HTTP or
HTTPS protocol, such as Microsoft Outlook Web Access
z Client/server resources—Ent erprise applications that run o ver TCP/IP,
such as Citrix, and Voice over Internet Protocol (VoIP) telephony
applications
z File shares—Network servers or computers containing shared folders
and files
When specifying a resource type, keep the intended audience in mind. For
example, you can give business partners narrow access to a Web application
by defining a URL as a resource (and even “alias” the host name for an extra
measure of security). To give remote employees broader access, you could
define the network segment in which the Web application is located as a
domain, IP range, or subnet resource. Employees would then have access to
all of the Web resources in that domain.
Users and Groups
A user is an individual who needs access to resources on your network, and
a group is a collection of users. After you’ve created users or user groups on
the appliance that are mapped to an external authentication server , you can
reference them in access control rules to permit or deny them access to
resources. You can even form dynamic groups if you want to reference a user
population that isn’t already defined in the external directory.
Authentication
Authentication is the process of verifying a user’s identity. To manage user
authentication with the appliance, use AMC to define one or more external
authentication servers (also known as dire ctory serv ers or use r stores) th at
contain the credentials for your user population. The actual management of
the user information is still done on your authentication servers; the
appliance simply makes use of that information to authenticate us ers.
Creating an authentication realm in AMC also involves specifying an
authentication method (username/password or one-time password, token or
smart card, or digital certificate).
4 | Chapter 1 - Introduction
The appliance supports the following directories and authentication me thods:
z LDAP with username/password
z Microsoft Active Directory with username/password, configured with
either a single root domain, or one or more subordinate (child) domains
z RADIUS with username/password or token-based authentication (such
as SecurID or SoftID)
z Public Key Infrastructure (PKI) with digital certificate
z RSA Authentication Manager server authentication using token-based
user credentials
z RSA ClearTrust with credentials
z Local users with username/password (used primarily for testing
purposes and not recommended in a production environment)
An authentication realm is what users log in to on the appliance to gain
access to your resources. If your organization has only one authentication
server, you would create one realm on the appliance. If you have several
authentication servers, you can create a realm for each of them, o r set up
pairs of servers for chained authentication. T o take a more granular approach
to deployment and security , you can further subdivide the user population of
a realm into communities.
Communities
Communities are a cornerstone of the appliance’s approach to deployment
and security. They are used to aggregate users and groups for the purpose
of deploying access agents and controlling the end point, and can also be
referenced in access control rules.
You can create communities for specific types of users, such as remote
employees or business partners, or take a more granular approach and
create communities of users in a particular department or location.
For example, employees who require broad access to resources and
applications on your network could be assigned to a community that offers
the network tunnel client as an access method. To make sure that they are
using laptops managed by your IT department, specify which End Point
Control zones are available to users in this community.
You may have another group of users who require only limited access to
resources because they’re logging in from public kiosks or other non-secure
locations. To give these two different groups access to your network
resources, you could create separ ate communities, each configured to deploy
the appropriate access agents, and (in the case of users with non-secure
devices) use End Point Control to prevent sensitive data from being left on
the device.
Access Policy
An access policy is a set of rules that defines the applications or network
resources that users or groups are given access to throug h the appliance.
Access to a resource can be based on several criteria. Most rules control
access based on who the user is—that is, the user’s name or group
membership—and the destination resource. You can use other criteria in
access control rules, such as the access method for a resource, the user’s
network address, the zone of trust, or the date and time of the connection
request.
The appliance gives you wide latitude in creating access control rules,
depending on whether your organization’s security policy is relatively
permissive or demands stringent control. For example, if your VPN is
accessed only by highly trusted employees who are using computers
managed by your IT department, you could create an open access policy that
defines your entire network domain as a resource and grants broad access
to your employees.
Conversely, if you are providing access to a diverse group of users with
varying degrees of access privileges, or who connect from less-secure
devices such as public kiosks, you might use an access policy that defines
individual resources and establishes more granular access requirements.
As the network changes over time, so should your access control rules.
SonicWALL Aventail E-Class SRA Getting Started Guide | 5
End Point Control (EPC)
Traditional VPN solutions typically provide access only from the relative
safety of an IT-managed device. In that environment, the major security
concern is unauthorized net work access. Because an SSL VPN enables access
from any Web-enabled system, it may bring the additional risk of computers
in untrusted environments, such as a kiosk at an airport or hotel, or an
employee-owned computer.
6 | Chapter 1 - Introduction
The appliance’s EPC configuration options give you granular control over VPN
access using device profiles and zones to protect sensitive data and ensure
that your network is not compromised:
z A device profile is a set of attributes that characterize the device
requesting the connection, such as a Windows domain name, the
presence of a certain software program, a registry entry , or other unique
characteristics.
z An End Point Control zone classifies a connection request based on the
presence or absence of a device profile. The zone in which a device is
then placed controls the provis ioning of data protection components and
can be used to determine which resources are available. A device can be
placed in a Standard zone, a Quarantine zone (with instructions on
installing the required security programs), or in a Deny zone, where the
user is denied access to the network.
SSL and Encryption
The SonicWALL Aventail appliance encrypts information using the Secure
Sockets Layer (SSL) protocol. SSL is an authentication and encryption
protocol that uses a key exchange method to establish a secure environment
in which all data exchanged is encrypted to protect it from eavesdropping
and alteration.
The appliance uses SSL certificates to validate the appliance’s identity to
connecting users, and to provide a public key to secure information that the
client computer sends to the server. The appliance requires a minimum of
two SSL certificates:
z The appliance services use a certificate to secure user traffic.
z The Aventail Management Console (AMC) uses a certificate to secure
management traffic.
There are two types of certificates: self-signed and commercial. With a selfsigned SSL certificate, the appliance identifies itself with a certificate that has
not been signed by a commercial CA, and the associated private key data is
encrypted using a password. AMC uses a self-signed certificate.
A self-signed certificate can also be a wildcard certificate, allowing it to be
used by multiple servers which share the same IP address and certificate, but
have different FQDNs. For example, a wildcard certificate such as
*.company.com could be used for iPhone acce ss at iphonemail.company.com
and for VPN access at vpn.company.com.
SonicWALL Aventail E-Class SRA Getting Started Guide | 7
You can al so configure an aut hentication s erver to tru st an intermediate CA.
For example, you could create a root certificate signing auth ority on a system
that is not connected to the corporate network. You can then issue a set of
trusted intermediate signing author it y certificates to be deployed in various
sectors of the network (often by department or organizational unit).
Although a self-signed SSL certificate is secure, you may want to secure user
traffic with a certificate from a commercial certificate authority (CA), such as
VeriSign.
When deciding which type of certificate to use for the servers, consider who
will be connecting to the appliance and how they will use resources on your
network:
z If business partners are connecting to Web resources through the
appliance, they will likely want some assurance of your identity before
performing a transaction or providing confidential information. In this
case, you would probably want to obtain a certi ficate from a commerci al
CA for the appliance.
z On the other hand, employees connecting to W eb resour ces may tr ust a
self-signed certificate. Even then, you may want to obtain a third-party
certificate so that users are not prompted to accept a self-signed
certificate each time they connect. Or, add the self-signed certificate to
the user’s list of Trusted Root Certificate Authorities in the Web browser.
Single Sign-On
Single sign-on (SSO) is an option that controls whether user credentials are
forwarded to back-end W eb resources. Configuring the appliance to use SSO
prevents the user from having to log in multiple times (once to get to the
appliance, and again to access an application resource).
The appliance supports several types of Web-based SSO:
z Basic authentication forwarding is a widely supported form of
authentication forwarding, but is not very secure because it sends
passwords in the clear across the network. The appliance can be
configured to send each user’s unique authentication credentials, or
“static” credentials (that is, the same credentials for all users). Basic
authentication forwarding is configured within a Web application profile,
which is assigned to one or more application resources in AMC.
z NTLM authentication forwarding provides a secure method for
sending Windows network credentials to a Microsoft IIS (Internet
Information Services) Web server. NTLM (Windows NT LAN Manager , also
known as Windows NT challenge/response authentication) uses a
8 | Chapter 1 - Introduction
challenge/response mechanism to securely authenticate users without
sending passwords in the clear across the network. NTLM authentication
forwarding passes a Windows domain name along with the user’s
authentication credentials.
z RSA ClearTrust is a third-party product that provides a centralized
mechanism for administering authentication and single sign-on. You can
configure the appliance to receive user authentication credentials and
forward them to any back-end Web resources it is protecting.
Higher Availability and Capacity
A high-availability cluster of SonicWALL Aventail appliances is designed to
prevent a single point of failure by providing integrated load balancing,
stateful user authentication failover, and centralized administration. The
cluster is administered from a single point and appears as a single appliance
to users, applications, and the network.
A two-node cluster supports an Active/Active configuration, meaning that
both nodes in the cluster are actively sharing the user load at any given time:
z The SonicWALL Aventail EX6000 or EX-1600 appliance supports a
two-node cluster for up to 250 users.
z In a similar two-node configuration with internal load-balancing, the
EX7000 or EX-2500 can handle up to 2,000 users.
To increase capacity and support more users, the SonicWALL Aventail
EX7000 and EX-2500 appliances support the clustering of up to eight
appliances using an external load balancer.
Sharing Configuration Data
To keep settings matched up, you can replicate and distribute configuration
data to a group of Aventail appliances. For example, you might have
appliances behind an external load-balancer supporting thousands of users,
or appliances in different locations that must share configurations. This is not
a merging of data: some of the settings on the receiving appliances are
overwritten (security policy and CA certificates, for example), and others are
not (network settings).
When you define a collection of appliances that will share settings, the nodes
in the collection communicate over the internal interface using SSL. They
operate in peer-to-peer mode: replication can be initiated from any system
that knows the shared secret for a collection. This is in contrast to the
synchronization that occurs in a high-availability cluster of Aventail
appliances, in which one node is designated the master.
SonicWALL Aventail E-Class SRA Getting Started Guide | 9
Role-Based Administration
Permission to manage the appliance and perform specific administration
functions using AMC is assigned in AMC. The primary administrator defines
the roles and identities of all secondary administrators, setting the
permission levels for each administrative role, and creating a passwordprotected account for each administrator.
System Monitoring and Logging
System monitoring and logging features allow administrators to view both
real-time and historical data about the performance of the appliance and its
access services, as well as user activity.
The AMC home page displays a graphical summary of the current number of
active users, network bandwidth, disk space usage, and CPU usage. More
detailed views of this graphical data are available in hourly , daily , weekly , and
monthly increments.
If a user is experiencing trouble—for example, he is logged in but cannot
establish a connection or is denied access to resources—you can view his
session details to diagnose the problem. You can quickly see why a user’s
device is classified into a particular zone, and what policy rules are applied,
editing them as needed.
If you have an SMTP (Simple Network Management Protocol) tool, you can
use it to monitor the appliance as an SNMP agent. The appliance provides a
variety of management data in MIB (Management Information Base) format.
The AMC log viewer provides a detailed view of appliance, user access, and
other activities contained in a series of log files. The viewer allows you to
customize the display of log message data using sorting, searching, and
filtering options. If you need to perform additional analysis of the log
message data, or display the data differently than how it appears in the log
viewer, you can export data to comma-separated values (.csv) files for use
by another application, such as Microsoft Excel.
SonicWALL Aventail Secure Remote Access Components
Your SonicWALL A ventail SRA appliance consists of several administrator and
client components. For Web-based access, when a user logs in to Aventail
WorkPlace for the firs t time, the appliance automatically provisions t he agent
that will provide the broadest range of access based on the user’s privileges,
10 | Chapter 1 - Introduction
operating system, browser configuration, and any other constraints on the
user’s system. Stand-alone clients, such as Connect Tunnel, can be
provisioned from the appliance or distributed manually.
Client Components and Access Methods
The appliance includes several components that provide users with access to
resources on your network.
Aventail WorkPlace
The Aventail W orkPlace portal provides your users with access to We b-based
resources. You can create customized WorkPlace sites, each with a unique
URL and appearance (colors, logo, and greeting text). This enables you to
configure and deploy unique portals for different audiences, such as partners
and employees.
For Windows users, Av e n tai l Acce ss M anage r takes care of installing agents
and clients through the browser, and client installation log files make the
process easy to troubleshoot. Once Access Manager is installed on a user
device, most users will be able to receive client updates without requiring
administrator privileges.
After a user logs in to WorkPlace, a Web page presents an administratordefined list of shortcuts. These shortcuts reference the Web-based
resources, Windows file system resources, and terminal servers to which the
user has access privileges. Users can also add their own WorkPlace
bookmarks to Web sites or network shares. The means of access to these
resources depends on the user’s browser:
z Web resources and file system resources can be accessed from any Web
browser that supports JavaScript and SSL. By default, the appliance is
configured to deploy a Microsoft ActiveX control (the Web proxy agent)
on Microsoft Windows systems running Internet Explorer. The Web proxy
agent proxies Web content directly through the appliance.
SonicWALL Aventail E-Class SRA Getting Started Guide | 11
z For users running other browsers, the appliance automatically provides
T ranslated W eb access. If you’d rather not install an agent or your users’
systems don’t support ActiveX, you can configure the appliance to
provide Translated Web access.
z As an alternative to Translated Web access, which may have limitations
with some Web applications such as AJAX, custom port mapping or
custom FQDN mapping can be used. These methods involve mappin g the
backend resource either to a port on the EX-Series appliance, or to an
external fully qualified domain name.
The appliance also supports Web-based access to Windows T erminal Services
(WTS) and Citrix hosts. These hosts are accessed by Web-based terminal
agents that use proprietary protocols to communicate with the terminal
server.
12 | Chapter 1 - Introduction
Network Explorer
Network Explorer is a Web-based extension, accessible from Aventail
WorkPlace, that provides access to any Windows file system resources that
the user has permission to use (even from desktop browsers on nonWindows platforms). These resources can include servers, computers,
workgroups, folders, and files.
Connect Tunnel Client
Connect Tunnel is an application that provides broad access to network
resources from devices running a Windows, Macintosh, or Linux operating
system. It provides access to any IP-based type of application protocol and
ICMP, and it will route VoIP (Voice Over Internet Protocol) over TCP/IP.
Connect Tunnel is initially installed from the WorkPlace portal or from a
separate installer package.
SonicWALL Aventail E-Class SRA Getting Started Guide | 13
OnDemand Tunnel Agent
The OnDemand Tunnel agent is lightweight, Web-based, and provides the
same broad access to applications and protocols as Connect Tunnel. It is
similar in all respects to Connect T unnel except that it is activated each time
a user logs in to the Aventail WorkPlace portal from an ActiveX or Javaenabled device.
Connect Mobile Client
The Connect Mobile client is a lightweight application for Windows Mobilepowered devices. It provides access to a broad range of resources, including
client/server applications, thin-client applications, file servers, and Web
resources. The Connect Mobile client is installed using a Windows setup
program that extracts the application files and then copies the files to the
user’s mobile device using ActiveSync.
Web Proxy Agent
The Web proxy agen t provides access through Avent ail WorkPlace to any W eb
resource, including Web-based applications, Web portals, and Web servers,
as well as Windows network shares. Web proxy access eliminates the need
for Web content translation and provides broad access to enterprise Web
applications for Microsoft Windows users who are running Internet Explorer
with ActiveX enabled.
Translated Web Access
Translated Web access provides access to Web resources and Windows
network shares. It is available from any Web browser that supports SSL and
has JavaScript enabled.
Custom Port Mapping
Custom port mapping provides Web-based access by mapping the backend
resource or server to a port number at the EX-Series appliance. Custom port
mapping does not require installation of a client agent, and works with any
Web browser.
14 | Chapter 1 - Introduction
Custom FQDN Mapping
Custom FQDN mapping provides Web-based access by mapping the backend
resource or server to an external fully qualified domain name (host and
domain). The FQDN name should be resolvable to an IP address in the public
domain. Custom FQDN mapping does not require installation of a client
agent, and works with any Web browser.
End Point Control
End Point Control (EPC) components ensure that your network is not
compromised when accessed from PCs in untrusted environments. As
devices attempt to connect to the appliance, EPC “interrogates” them to
determine whether they are running the programs that you require. You can
also use EPC to specify that a data protection agent—Aventail Cache
Control—automatically removes session data from the PC.
Advanced EPC provides an extended and detailed list of personal firewall,
antivirus, and spyware programs to check for in device profiles for clients
running on Microsoft Windows and Mac OS X. For clients running on Microsoft
Windows, it provides additional session-related security with OPSWAT Secure
Desktop Emulator. Advanced EPC is included with the EX7000 and EX-2500
appliances and licensed separately for all other appliance models.
Virtual Assist
SonicWALL Virtual Assist is a remote support tool that enables an
administrator or help desk technician to assume control of a user’s PC or
laptop in order to provide remote technical assistance. With the user’s
permission, the technician gains instant access to the computer using a Web
browser and can then diagnose and fix a problem remotely. It also gives
technicians the ability to transfer files from a user’s computer (such as log
files), and to chat online with the user.
Virtual Assist does not require the installation of any external software. For
computers that do not support Java, Virtual Assist can be manually installed
by downloading an executable file that is available in the SonicWALL Aventail
Management Console.
There are two sides to a Virtual Assist session: the client view and the
technician view. The client is the person requesting assistance on their
computer. The technician is the person providing assistance. Technicians
install the stand-alone Virtual Assist application from AMC.
SonicWALL Aventail E-Class SRA Getting Started Guide | 15
To initiate a Virtual Assist session, an end user can request assistance
directly by clicking the Assistance butt on at the top of the WorkPlace portal
and downloading and running a small client program. Or, a technician can
send email invitations to users that contain a direct URL link to initiate a
Virtual Assist session.
Administrator Components
This section highlights the key components that you’ll use to set up and
manage the SonicWALL Aventail appliance and services.
Setup Wizard
Setup Wizard streamlines the initial config uration of the appliance. It guides
you through the process of selecting basic network settings, configuring
appliance options, defining resources, creating a basic access policy, and
creating local users for testing purposes.
16 | Chapter 1 - Introduction
Aventail Management Console
AMC is a Web-based administrative tool for managing the appliance. It
provides centralized access for managing security policies, configuring the
system (including networking and certificate configuration), distributing
configuration data, monitoring, troubleshooting, and setting up
administrator accounts.
Aventail Access Services
The appliance uses various access services to manage the access clients and
agents that users employ to connect to your network resources:
z The network tunnel service is a network routing technology that
provides secure network tunnel access to a wide range of applications
and protocols, including non- TCP protocols such as VoIP (Voice o ver IP)
and ICMP, reverse-connection protocols like SMS, and bi-directional
protocols such as FTP. It works in conjunction with the Connect Tunnel
client and the OnDemand Tunnel agent to provide authenticated and
encrypted access.
SonicWALL Aventail E-Class SRA Getting Started Guide | 17
z The Web proxy service provides users with secure access to Web-
based applications and servers from a Web browser, or Web-based
applications and servers from a Windows Mobile-powered device using
the Connect Mobile client. The Web proxy service contains a secure HTTP
reverse proxy that brokers and encrypts access to W eb-based resources.
z The Aventail WorkPlace service controls access to WorkPlace
resources accessed from a Web browser . The Aventail W orkPlace service
communicates with Windows file servers and n etw ork sh are s (inc luding
Microsoft Distributed file system, or DFS, resources) using the Server
Message Block (SMB) file-sharing protocol.
18 | Chapter 1 - Introduction
Loading...