Sonicwall Cloud Edge Secure Access User Manual
Cloud Edge Secure Access
Advanced Settings
Contents
Networks 4
Private DNS 4
Selecting a Private DNS 4
DNS Filtering 5
Understanding DNS Filtering 5
Activating DNS Filtering 6
Routes 6
Split Tunneling 8
The Default Configuration is Automatic (Full Tunnel) 8
Split tunneling: Automatic Configuration 8
Split Tunneling: Manual Configuration 9
Site-to-Site Interconnectivity 9
IPSec based connections 9
WireGuard based connections 10
Multi-Tunneling 11
Whitelisting Resources 12
Benefits of Whitelisting 12
Microsoft Azure 12
SalesForce 13
AWS Management Console 14
Google Cloud Platform 17
Client-Based Access 19
Manual VPN Keys 19
App Deploy Using an MDM Solution 20
Deploy SonicWall Cloud Edge Windows App Using Central Desktop Management Tools 20
Manage Engine 20
System Center Configuration Manager (SCCM) 21
Automatic Wi-Fi Security 21
How to activate Automatic Wi-Fi Security 21
Enable or Disable Automatic Wi-Fi Security and Manage Trusted Networks 22
Native OS Client 23
MacOS 23
Manual Configuration for Windows 28
Manual Configuration for Chromebook 31
Manual Configuration for iOS 32
Public Servers DNS / Hostname List 35
Android 36
Cloud Edge Advanced Settings
Contents
2
Client-less Access (Zero Trust Applications) 40
URL Aliasing 40
Upload domain SSL certificates 40
Creating a URL alias for your application 42
SonicWall Support 43
About This Document 44
Cloud Edge Advanced Settings
Contents
3
Topics:
l Private DNS
l DNS Filtering
l Routes
l Split Tunneling
l Site-to-Site Interconnectivity
l Multi-Tunneling
l Whitelisting Resources
1
Networks
Private DNS
This article describes how to configure a private DNS.
Private DNS will enable you to reach an internal resource by its hostname (as published by your local DNS
server). This can ease your workflow, as you will now longer need to specify the resource's IP address.
NOTE: Do not configure a public DNS server, as by default your traffic will be routed through one, in
case the private DNS server are not able to resolve the address).
Selecting a Private DNS
You can assign a Private DNS to the selected Network (the default is Automatic). This will allow you to utilize
your organization’s DNS servers, as well as local domain names. You can choose to either obtain a DNS
server address automatically or select a primary and secondary DNS address manually.
Cloud Edge Advanced Settings
Networks
4
After defining the custom primary and secondary DNS addresses, this information will be highlighted on the
Networkspage.
NOTE: If your DNS server does not have a public IP address, set up a site-to-site connection to the
network containing the server, and enter its internal address.
DNS Filtering
This article describes how you can add many powerful security features to your networks such as DNS
Filtering to further limit exposure on your network.
Understanding DNS Filtering
DNS filtering allows you to block users in your network from navigating to webpage URLs with their internet
browser. Its ability to filter out bad websites and allow access to approved ones is accomplished with
blacklisting and whitelisting tools, respectively, and URLs can be blocked on an individual basis or by
category (gambling, social networks, etc.). When you blacklist a URL with our DNS filtering feature, you are
telling the DNS Resolver not to resolve the website associated with its unique IP address. Instead, it will
display a custom message notifying users that their access to the page is restricted. Accordingly, DNS
filtering is crucial for productivity and protection as well.
Cloud Edge Advanced Settings
Networks
5
Activating DNS Filtering
1.
Open Networksfrom the Management Platform and navigate to the network on which you'd like to
configure DNS filtering. Select the three-dotted icon on the right side, then select DNS Filtering.
2.
Fill in the following information:
l Enable DNS Filtering.
l URL Blacklist Categories: Block access to websites by content category (select none, one or
more).
l Whitelisted/Blacklisted URLs: Manually enter one or more specific URL(s) you'd like to make sure
stay unblocked/blocked, or upload a .CSV file containing the addresses. Make sure that the .CSV file
contains only one column, and that every cell contains one URL (as shown in the attached example).
The file must contain no more than 1000 addresses. Each address must follow the form domain.com
(that is, without www/http/https prefixes).
3.
Select Apply.
4.
A successful message appears. Once it has been closed the new settings will be applied the next
time a user connects to the network.
Routes
The article describes how to use routes. In most cases, once you set up the tunnel, you can specify remote
subnets to be automatically added as propagated Routes. However, if you defined the Remote Gateway
Proposal Subnets parameter as 0.0.0.0/0 (any), it is still possible to add manual routes and associate them
with the corresponding tunnel as the exit point.
Please follow the steps below:
Cloud Edge Advanced Settings
Networks
6
1.
Go to the Networkstab and select the network to which you'd like to add a route. Select the threedotted icon (...), then Routes Table.
The following window displays:
2.
Select Add Route and choose the relevant tunnel.
3.
Insert the desired range for the route then select Add Route.
4.
The route will be added to the table.
5.
Select Apply Configuration.
Cloud Edge Advanced Settings
Networks
7
Split Tunneling
This article describes how to incorporate split tunneling into your network. If you would like to select specific
network subnets to go through from the client to the SonicWall network, instead of full tunnel mode (where
all the traffic is encrypted and proxied through the SonicWallnetwork), you will need to manually specify
which subnets you’d like to include through the tunnel.
The Default Configuration is Automatic (Full Tunnel)
Split tunneling: Automatic Configuration
Cloud Edge Advanced Settings
Networks
8
Split Tunneling: Manual Configuration
After defining the split tunneling subnets, this information will be available on the Networkspage.
Site-to-Site Interconnectivity
This article describes how to ensure that two sites are connected securely using the SonicWall Platform.
If the two sites are both tunneled to your SonicWallnetwork, you can enable the two to communicate,
regardless of their location or dependency so that both sites will have a full and secure line between them.
Please follow the steps below:
IPSec based connections
1.
Ensure both tunnels are route-based tunnels; that is, they do not depend on a specific internal subnet
to create a handshake between the sites, but a route is configured on each device’s separate Route
Table indicating which subnets to forward into the tunnel.
2.
On the Management Platform, set both tunnel’s “Gateway Proposal Subnets” and “Remote
gateway Proposal Subnets” to ANY (0.0.0.0/0).
This may make the tunnel go down! Please make sure the device you are using supports route-based
VPN. This means the tunnel is set up to 0.0.0.0/0 and a route is added separately.
3.
Make sure the Routes Table on the SonicWallside has all of the routes of all of the sites configured
(Network/ Route Tables) so in case you had them defined within the tunnel module, instead you need
to add them here.
Cloud Edge Advanced Settings
Networks
9
4.
Click Add Route and add the routing to the internal LAN subnets that are behind each tunnel.
5.
After you are done, click Apply Configuration.
6.
Go to the first site's (labeled Site1) routing table, and in addition to the route that indicates all
subnets (usually 10.255.0.0/16) to go through the Site to site tunnel, add a route dictating all traffic
that goes to the second site's LAN subnet as well.
7.
Go to the second site's (labeled Site2) routing table, and set up a static route indicating both the LAN
subnet and Site1’s LAN subnet to go through the IPSEC Site-2-Site tunnel.
WireGuard based connections
1.
In order to establish a connection from one resource to another, you'll need to reinstall the connector,
as the default installation (Accessor mode) does not allow it.
Uninstall Commands
l Ubuntu
# Locate the WireGuard packages (the output of this command is the full
package name)
dpkg -l | grep wireguard
Cloud Edge Advanced Settings
Networks
10
# Delete all packages found that are associated with WireGuard (replace
pkg with the output from the previous command)
apt-get remove --purge pkg
l CentOS
# Locate the WireGuard packages (the output of this command is the full
package name)
yum list installed | grep wireguard
# Delete all packages found that are associated with WireGuard (replace
pkg with the output from the previous command)
yum remove pkg
2.
Once you successfully removed the files mentioned in the commands above, reboot the machine and
execute the connector installation script (the curl command that you copied from the Management
Platform).
3.
When you reach the 4th step, choose NO (n), which will prevent accessor mode installation.
4.
Proceed with the installation. Make sure to select YES (y) for both IP Forwarding and Routing all
traffic.
5.
Open the route table of the network in which the WireGuard connector is installed (usually your router
or firewall).
6.
Configure a static route dictating all traffic from your SonicWall LAN subnet (10.XXX.0.0/16) to go
through the IP of the machine that hosts the connector.
7.
Open the terminal of the machine that hosts the connector and execute the following command:
Shell
# Temporarily shut the connector down
wg-quick down wg0
# Open the connector's route table.
vi /etc/wireguard/wg0.conf
# Enter the subnets of the resources you'd like to communicate with each
other
set AllowedIPs = <SonicWall Subnet>, <Site1 Subnet>,< Site 2 Subnet>
# Turn the connector up
wg-quick up wg0
# Make sure that the desired change has taken place
wg show
Multi-Tunneling
SonicWall Cloud Edge does not limit the number of tunnels that can be connected to a single gateway, so in
case you only have one gateway in a particular network, but your company's infrastructure consists of a
hybrid environment (a mixture of different on-prem and cloud-based resources) you don't need to worry.
Cloud Edge Advanced Settings
Networks
11
IMPORTANT: Before you configure a second tunnel, make sure that the remote network's subnet does
not overlap with the existing network's subnet.
Once the two tunnels are up and running, you'll be able to set up a communication line between the two (see
Interconnectivity).
Whitelisting Resources
Topics:
l Benefits of Whitelisting
l Microsoft Azure
l SalesForce
l AWS Management Console
l Google Cloud Platform
Benefits of Whitelisting
This article describes what whitelisting is. Whitelisting is the practice of explicitly allowing some identified
entities access to a particular privilege, service, mobility, access, or recognition.
While IP whitelisting does not encrypt your data the way a site-to-site connection does, it can come in handy
if you'd like to save time and avoid the trouble to set one up, as it still limits access to your resources - an
entire network or a specific machine or application. Once whitelisting your gateway IP, the resource will be
accessible only for devices using this particular IP, that is, connected to the SonicWall.
Microsoft Azure
This article describes how to whitelistyour SonicWall Cloud Edge Gateway at the Microsoft Azure Portal,
which allows you to restrict access to a certain resource within an Azure Virtual Network to users connected
to the secure SonicWall Cloud Edgegateway only. While this method needs to be applied to every particular
resource, it is a good alternative for those who'd like to avoid setting up a Site-to-Site connection to a VNet.
1.
Open the Azure Portal and select the resource which you'd like to restrict access to.
2.
Navigate to the Networking tab and select Add inbound port rule.
3.
Fill in the following information:
Cloud Edge Advanced Settings
Networks
12
l Source: IP Addresses
l Source IP addresses/CIDR ranges: Insert your Gateway IP
l Source port ranges:(all)
l Destination: Any
l Destination port ranges: (all)
l Protocol: Any
l Action: Allow
l Priority:Leave default value
l Name:Connector
l Description:Optional
4.
Select Add rule.
SalesForce
This article describes how to whitelistSalesForce for your network. Trusted IP ranges in Salesforce block
unauthorized access as there are no location restrictions with the platform’s default settings. After specifying
a Trusted IP range, only authorized SonicWall users from your Private Server will have access to Salesforce
resources.
Cloud Edge Advanced Settings
Networks
13
Setting up SalesForce
1.
Navigate to the Setup section of Salesforce and in the Quick Find search box type "Network
Access".
2.
Select New and then fill in the Private Server IP address, entering both the start and end of the IP
range and adding a description.
3.
Select Save.
AWS Management Console
This article describes how to whitelist your SonicWall Cloud Edge Gateway at the AWS Management
Console, which will allow you to restrict the access to a certain resource within a VPC to users connected to
the secure SonicWall Cloud Edge gateway only. While this method needs to be applied to every particular
resource, it is a good alternative for those who'd like to avoid setting up a Site-to-Site connection to a VPC.
l Create a security group
l Attach resources to the security group
Please follow the steps below:
Create a security group
1.
Open the AWS Management Console EC2 dashboard.
2.
Navigate to Security Groups.
Cloud Edge Advanced Settings
Networks
14
Loading...