SonicWALL SRA 1200-4200 User Manual

SonicWALL Secure Remote Access Appliances
SRA 1200/4200 Getting Started Guide
This Getting Started Guide contains installation procedures and configuration guidelines for deploying a SonicWALL SRA 1200/4200 appliance into an existing or new network. This document addresses the most common use-case scenarios and network topologies in which the SonicWALL SRA 1200/4200 appliance can be deployed.

Document Contents

This document contains the following sections:
Setting Up Your Network
Connecting Your Appliance
Registering Your Appliance
Network Configuration
Upgrading Your Appliance
Safety and Regulatory Information

Setting Up Your Network

This section provides pre-configuration information. Review this section before setting up your SonicWALL SRA 1200/4200 appliance.
In this Section:
SRA 1200 System Requirements
SRA 4200 System Requirements
Selecting a Deployment Scenario
Applying Power to the SonicWALL SRA

SRA 1200 System Requirements

Package Contents for the SonicWALL SRA 1200

Before you begin the setup process, verify that your package contains the following parts:
One SonicWALL SRA 1200 appliance
One SonicWALL SRA 1200/4200 Getting Started Guide
One straight-through Ethernet cable
One serial CLI cable
One rack-mount kit
One power cord*
A Web browser supporting JavaScript and HTTP uploads. Supported browsers include the following:
Supported Browsers     Browser Version Number
Internet Explorer      8.0 or higher
Firefox                4.0 or higher
Safari                 4.0 or higher for MacOS
Chrome                 11.0 or higher
*Power cord intended for use in North America only. For other areas, please refer to your product reseller.

Missing Items?

If any items are missing from your package, contact SonicWALL Support:
Web: http://www.sonicwall.com/us/Support.html
Email: customer_service@sonicwall.com

SRA 4200 System Requirements

Package Contents for the SonicWALL SRA 4200

Before you begin the setup process, verify that your package contains the following parts:
One SonicWALL SRA 4200 appliance
One SonicWALL SRA 1200/4200 Getting Started Guide
One straight-through Ethernet cable
One serial CLI cable
One rack-mount kit
One power cord*
A Web browser supporting JavaScript and HTTP uploads. Supported browsers include the following:
Supported Browsers     Browser Version Number
Internet Explorer      8.0 or higher
Firefox                4.0 or higher
Safari                 4.0 or higher for MacOS
Chrome                 11.0 or higher
*Power cord intended for use in North America only. For other areas, please refer to your product reseller.

Missing Items?

If any items are missing from your package, contact SonicWALL Support:
Web: http://www.sonicwall.com/us/Support.html
Email: customer_service@sonicwall.com

What You Need to Begin
Administrative access to the network gateway device
A Windows, Linux, or MacOS computer to use as a management station for initial configuration of the SonicWALL SRA 1200/4200
A Web browser supporting JavaScript and HTTP uploads (see the supported Web browsers listed above)
An Internet connection

Recording Configuration Information

Record the following setup information to use during the setup process and for future reference:
Registration Information
Serial Number: Record the serial number found on the bottom panel of your SonicWALL appliance.
Authentication Code: Record the authentication code found on the bottom panel of your SonicWALL appliance.
Administrator Information
Admin Name: Select an administrator account name. (default is admin)
Admin Password: Select an administrator password. (default is password)
Network Configuration Information
Collect the following information about your current network configuration:
Primary DNS:
Secondary DNS (optional):
DNS Domain:
WINS server(s) (optional):

Selecting a Deployment Scenario
The deployment scenarios described in this section are based on actual customer deployments and are SonicWALL-recommended deployment best practices for SRA appliances.
A SonicWALL SRA appliance is commonly deployed in “one-arm” mode over the DMZ or Opt interface on an accompanying gateway appliance, such as a SonicWALL NSA E7500. This method of deployment offers additional layers of security control, plus the ability to use SonicWALL’s UTM services, including Gateway Anti-Virus, Anti-Spyware, Content Filtering, Intrusion Prevention Service, and Comprehensive Anti-Spam Service, to scan all incoming and outgoing NetExtender traffic.
The primary interface (X0) on the SonicWALL SRA connects to an available segment on the gateway device. The encrypted user session is passed through the gateway to the SonicWALL SRA appliance. The SonicWALL SRA appliance decrypts the session and determines the requested resource.
The session traffic then traverses the gateway appliance to reach the internal network resources. The gateway appliance applies security services, such as Intrusion Prevention, Gateway Anti-Virus, and Anti-Spyware inspection as data traverses the gateway. The internal network resource then returns the requested content to the SonicWALL SRA appliance through the gateway, where it is encrypted and sent to the client.

Scenario Overviews

Scenario A: SRA on a New DMZ
Scenario B: SRA on an Existing DMZ
Scenario C: SRA on the LAN

SonicWALL SRA 1200/4200 Deployment Scenarios

Gateway Device: SonicOS Enhanced 3.1 or higher: TZ Series, PRO Series, NSA E-Class (SonicOS 5.0+), NSA Series (SonicOS 5.0+)
  Deployment Scenario: SRA on a New DMZ
    Conditions or Requirements: OPT or unused interface; New DMZ configured for NAT or Transparent Mode
  Deployment Scenario: SRA on Existing DMZ
    Conditions or Requirements: No unused interfaces; One dedicated interface in use as an existing DMZ
  Deployment Scenario: SRA on the LAN
    Conditions or Requirements: No unused interfaces; No dedicated interface for a DMZ
Gateway Device: SonicOS Standard 3.1 or higher: TZ Series, PRO Series
  Deployment Scenario: SRA on a New DMZ
    Conditions or Requirements: Open OPT or X2 interface; New DMZ configured for either NAT or Transparent Mode; Provide SonicWALL deep packet inspection security services (optional)
  Deployment Scenario: SRA on Existing DMZ
    Conditions or Requirements: OPT or X2 interface in use with an existing DMZ; Provide SonicWALL deep packet inspection security services (optional)
Gateway Device: SonicOS Standard 3.1 or higher: TZ Series, PRO Series; SonicWALLs with legacy firmware; Third-Party Gateway Device
  Deployment Scenario: SRA on the LAN
    Conditions or Requirements: Not planning to use SonicWALL deep packet inspection security services; Interoperability with a third-party gateway device

Applying Power to the SonicWALL SRA
1. Plug one end of the power cord into the SonicWALL SRA 1200/4200 and the other into an appropriate power outlet.
2. Turn on the power switch located on the rear of the appliance next to the power cord.
The 'Pwr' LED on the front panel lights up blue when the appliance is turned on. The 'Test' LED lights up yellow and may blink for up to a minute while the appliance performs a series of diagnostic tests. When the 'Test' LED is no longer lit, the SonicWALL SRA 1200/4200 is ready for configuration.
If the 'Test' or 'Alarm' LEDs remain lit, or if the 'Test' LED blinks red after the SonicWALL SRA 1200/4200 has booted, restart the appliance. For more troubleshooting information, refer to the SonicWALL SSL VPN Administrator’s Guide.

Accessing the Management Interface

To access the Web-based management interface of the SonicWALL SRA 1200/4200:
1. Connect one end of an Ethernet cable into the ‘X0’ port of your SonicWALL SRA 1200/4200. Connect the other end of the cable into the computer you are using to manage the SonicWALL SRA 1200/4200.
2. Set the computer you use to manage the SonicWALL SRA 1200/4200 to have a static IP address in the 192.168.200.x/24 subnet, such as 192.168.200.20. However, do not use 192.168.200.1, as this address will conflict with the appliance.
3. Open a Web browser, and enter http://192.168.200.1 (the default X0 management IP address) in the Location or Address field.
Note: A security warning may appear. Click Continue to this website or OK to accept the certificate and continue.
4. The ‘SonicWALL SRA Management Interface Login’ displays and prompts you to enter your user name and password. Enter “admin” in the User Name field, “password” in the Password field, select “LocalDomain” from the Domain drop-down list, and click the Login button.
You are now successfully connected to the SRA Management Interface.

Troubleshooting

If you cannot connect to the SonicWALL SRA 1200/4200, verify the following configurations:
Did you plug your management workstation into the interface X0 on the SonicWALL SRA appliance? Management can only be performed through X0.
Is the link light illuminated on both the management station and the SonicWALL SRA appliance?
Did you correctly enter the SonicWALL SRA 4200 management IP address in your Web browser?
Is your computer set to a static IP address of 192.168.200.20?
Is your Domain set to LocalDomain on the login screen?
If you are still unable to connect to the SonicWALL SRA appliance, contact SonicWALL Support:
Web: http://www.sonicwall.com/us/Support.html
Email: customer_service@sonicwall.com

Connecting Your Appliance

This section provides procedures for connecting your SonicWALL SRA 1200/4200 appliance.
In this Section:
Configuring Your SRA 1200/4200
Connecting Your SRA 1200/4200

Configuring Your SRA 1200/4200
Once your SonicWALL SRA 1200/4200 is connected to a computer through the management port (X0), it can be configured through the Web-based management interface.

Setting Your Administrator Password

1. From the management interface, select the Users > Local Users page.
2. Click the Configure button corresponding to the “admin” account.
3. Enter a password for the “admin” account in the Password field. Re-enter the password in the Confirm Password field.
4. Click OK to apply changes.
Note: Changing your password from the factory default is strongly recommended. If you change your password, be sure to keep it in a safe place. If you lose your password, you will have to reset the SonicWALL SRA to factory settings, losing your configuration.

Adding a Local User

1. Navigate to the Users > Local Users page.
2. Click the Add User button.
3. Enter a User Name.
4. Select LocalDomain from the Group/Domain drop-down menu.
5. Enter a Password for the user. Confirm the new password.
6. Select User from the User Type drop-down menu.
7. Click Add to finish adding a local user.

Setting the Time Zone

1. Navigate to the System > Time page.
2. Select the appropriate Time Zone from the drop-down menu.
3. Click Accept to save changes to the time settings.
Note: Setting the correct time is essential to operations of the SonicWALL SRA 1200/4200. Be sure to set the time zone correctly. Automatic synchronization with an NTP server (default setting) is encouraged for accuracy.

Configuring SRA Network Settings

You will now configure your SRA 1200/4200 network settings. Refer to the notes you took in “Recording Configuration Information” to complete this section.

Configuring DNS / WINS

1. Navigate to the Network > DNS page in the management interface.
2. Enter a unique name for your SonicWALL SRA in the SSL-VPN Gateway Hostname field.
3. Enter your Primary DNS Server information.
4. (Optional) Enter a secondary DNS server in the Secondary DNS Server field.
5. (Optional) Enter your DNS Domain.
6. (Optional) Enter your WINS servers in the Primary WINS Server and Secondary WINS Server fields.
7. Click Accept.

Configuring the X0 IP Address for Scenario B and Scenario C

If you are deploying the SRA in either Scenario B, SRA on an Existing DMZ, or Scenario C, SRA on the LAN, you need to reset the IP address of the X0 interface on the SRA to an address within the range of the existing DMZ or the existing LAN.
To configure the X0 IP address for either of these scenarios:
1. Navigate to the Network > Interfaces page.
2. Click the Configure icon for the X0 interface from the Interfaces table.
3. In the Interface Settings dialog box, set the IP address and subnet mask to:
If you are using scenario:     Set the X0 interface to:
B - SRA on an Existing DMZ     IP Address: An unused address within your DMZ subnet, for example: 10.1.1.240
                               Subnet Mask: Must match your DMZ subnet mask
C - SRA on the LAN             IP Address: An unused address within your LAN subnet, for example: 192.168.168.200
                               Subnet Mask: Must match your LAN subnet mask
4. Click OK. Note that you will lose connection to the SRA.
5. Reset the management computer to have a static IP address in the range you just set for the X0 interface, for example, 10.1.1.20 or 192.168.200.20.
6. Log into the SRA management interface again, using the IP address you just configured for the X0 interface. For example, point your browser to http://192.168.168.200.

Configuring a Default Route

Refer to the following table to correctly configure your default route. If you do not know your scenario, refer to “Selecting a Deployment Scenario”.
If you are using scenario:     Your upstream gateway device will be:
A - SRA on a New DMZ           The DMZ interface you will create
B - SRA on an Existing DMZ     The existing DMZ interface
C - SRA on the LAN             The LAN gateway
To configure a default route:
1. Navigate to the Network > Routes page.
2. Enter the IP address of your upstream gateway device in the Default Gateway field.
3. Select X0 in the Interfaces drop-down list.
4. Click Accept.

Adding a NetExtender Client Route

NetExtender allows remote clients to have seamless access to resources on your local network. You can also enable Tunnel All Mode so that, when NetExtender clients connect, all the traffic will be tunneled through the NetExtender connection.
To configure a NetExtender client route:
1. Navigate to the NetExtender > Client Routes page.
2. To force all SRA client traffic to pass through the NetExtender tunnel, select Enabled from the Tunnel All Mode drop-down list.
3. Click Add Client Route.
4. Enter the IP address of the trusted network to which you would like to provide access with NetExtender in the Destination Network field. For example, if you are connecting to an existing DMZ with the network 192.168.50.0/24 and you want to provide access to your LAN network 192.168.168.0/24, you would enter 192.168.168.0.
5. Enter your subnet mask in the Subnet Mask field.
6. Click Add to finish adding this client route.

Setting Your NetExtender Address Range

The NetExtender IP range defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support.
The range should fall within the same subnet as the interface to which the SonicWALL SRA appliance is connected, and in cases where there are other hosts on the same segment as the SonicWALL SRA appliance, it must not overlap or collide with any assigned addresses. You can determine the correct subnet based on your network scenario selection:
Scenario A: Use the default NetExtender range: 192.168.200.100 to 192.168.200.200
Scenario B: Select a range that falls within your existing DMZ subnet. For example, if your DMZ uses the 192.168.50.0/24 subnet, and you want to support up to 30 concurrent NetExtender sessions, you could use 192.168.50.220 to 192.168.50.249, providing they are not already in use.
Scenario C: Select a range that falls within your existing LAN subnet. For example, if your LAN uses the 192.168.168.0/24 subnet, and you want to support up to 10 concurrent NetExtender sessions, you could use 192.168.168.240 to 192.168.168.249, providing they are not already in use.
To set your NetExtender address range in the management interface:
1. Navigate to the NetExtender > Client Settings page.
2. Enter an address range for your clients in the Client Address Range Begin and Client Address Range End fields.
Scenario A: 192.168.200.100 to 192.168.200.200 (default range)
Scenario B: An unused range within your DMZ subnet
Scenario C: An unused range within your LAN subnet
If you do not have enough available addresses to support your desired number of concurrent NetExtender users, you may use a new subnet for NetExtender. This condition may occur if your existing DMZ or LAN is configured in NAT mode with a small subnet space, such as 255.255.255.224, or more commonly if your DMZ or LAN is configured in Transparent mode and you have a limited number of public addresses from your ISP. In either case, you may assign a new, unallocated IP range to NetExtender (such as 192.168.10.100 to 192.168.10.200) and configure a route to this range on your gateway appliance.
For example, if your current Transparent range is 67.115.118.75 through 67.115.118.80, and you wish to support 50 concurrent NetExtender clients, configure your SRA X0 interface with an available IP address in the Transparent range, such as 67.115.118.80, and configure your NetExtender range as 192.168.10.100 to 192.168.10.200. Then, on your gateway device, configure a static route to 192.168.10.0/255.255.255.0 using 67.115.118.80.
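The range rules above can be checked before the values are typed into the Client Settings page. The following Python script is an added example, not SonicWALL code: the function name, the in_use inventory, and the X0 addresses and masks in the sample calls that the guide does not state (192.168.50.10, the /24 mask on 67.115.118.80, the 10.1.1.x /27 case) are assumptions made for illustration.

```python
import ipaddress

def check_netextender_pool(x0_ip, x0_mask, begin, end, users, in_use=()):
    """Check a proposed NetExtender client address range (IPv4).

    Returns (findings, gateway_route). findings lists problems (empty means
    the pool is usable). gateway_route is None when the pool sits inside the
    X0 subnet; otherwise it is the (network, mask, next_hop) static route the
    gateway device needs in order to reach NetExtender clients.
    """
    x0 = ipaddress.ip_interface(f"{x0_ip}/{x0_mask}")
    first, last = ipaddress.ip_address(begin), ipaddress.ip_address(end)
    if first > last:
        return ["range begin is after range end"], None

    findings = []
    size = int(last) - int(first) + 1
    if size < users:
        findings.append(f"pool holds {size} addresses but {users} sessions are required")

    subnet = x0.network
    if first in subnet and last in subnet:
        # Pool shares the segment with X0: nothing in it may already be assigned.
        reserved = {subnet.network_address, subnet.broadcast_address, x0.ip}
        taken = reserved | {ipaddress.ip_address(a) for a in in_use}
        for addr in sorted(taken):
            if first <= addr <= last:
                findings.append(f"{addr} is reserved or already assigned")
        return findings, None
    if first in subnet or last in subnet:
        findings.append(f"range is only partly inside {subnet}")
        return findings, None

    # Separate NetExtender subnet: find the smallest network covering the
    # pool and route it on the gateway via the SRA's X0 address.
    pool_net = ipaddress.ip_network(f"{first}/32")
    while last not in pool_net:
        pool_net = pool_net.supernet()
    if pool_net.overlaps(subnet):
        findings.append(f"covering network {pool_net} overlaps {subnet}")
    route = (str(pool_net.network_address), str(pool_net.netmask), str(x0.ip))
    return findings, route

if __name__ == "__main__":
    # Sample inputs are constructed from the guide's examples.
    cases = {
        "Scenario B": ("192.168.50.10", "255.255.255.0",
                       "192.168.50.220", "192.168.50.249", 30, ["192.168.50.225"]),
        "Scenario C": ("192.168.168.200", "255.255.255.0",
                       "192.168.168.240", "192.168.168.249", 10, []),
        "Transparent": ("67.115.118.80", "255.255.255.0",
                        "192.168.10.100", "192.168.10.200", 50, []),
    }
    for name, args in cases.items():
        print(name, check_netextender_pool(*args))
```

A non-empty findings list means the range should be changed before it is applied; a returned route is the static route to add on the gateway device.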
Connecting Your SRA 1200/4200
Before continuing, reference the diagrams on the following pages to connect the SonicWALL SRA 1200/4200 to your network.
Refer to the options in “Selecting a Deployment Scenario” to determine the proper scenario for your network configuration:
Scenario A: Connecting Your Network Interfaces
Scenario B: Connecting Your Network Interfaces
Scenario C: Connecting Your Network Interfaces

Scenario A: Connecting Your Network Interfaces

Scenario A: SRA on a New DMZ
To connect the SonicWALL SRA 1200/4200 using Scenario A, perform the following steps:
1. Connect one end of an Ethernet cable to the OPT, X2, or other unused port on your existing SonicWALL security appliance.
2. Connect the other end of the Ethernet cable to the X0 port on the front of your SonicWALL SRA 1200/4200. The X0 Port LED lights up green indicating an active connection.
Continue to Chapter