Sonicwall SRA SSL VPN 5.0 ADMINISTRATORS GUIDE

COMPREHENSIVE INTERNET SECURITY
SonicWALL SRA SSL VPN 5.0
Administrator’s Guide
SonicWALL Secure Remote Access Appliances


2001 Logic Drive San Jose, CA 95124-3452
Phone: +1.408.745.9600 Fax: +1.408.745.9300 E-mail: info@sonicwall.com
SonicWALL SSL VPN 5.0 Administrator’s Guide
i

Copyright Notice

© 2010 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, cannot be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.

Trademarks

SonicWALL is a registered trademark of SonicWALL, Inc. Microsoft Windows 7, Windows Vista, Windows XP, Windows Server 2003, Windows 2000,
Windows NT, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
Firefox is a trademark of the Mozilla Foundation. Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and
other countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.
Cisco Systems and Cisco PIX 515e and Linksys and Linksys Playtoy23 are either registered trademarks or trademarks of Cisco Systems in the U.S. and/or other countries.
Watchguard and Watchguard Firebox X Edge are either registered trademarks or trademarks of Watchguard Technologies Corporation in the U.S. and/or other countries.
NetGear, NetGear FVS318, and NetGear Wireless Router MR814 SSL are either registered trademarks or trademarks of NetGear, Inc., in the U.S. and/or other countries.
Check Point and Check Point AIR 55 are either registered trademarks or trademarks of Check Point Software Technologies, Ltd., in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

SonicWALL GPL Source Code

GNU General Public License (GPL)

SonicWALL will provide a machine-readable copy of the GPL open source on a CD. To obtain a complete machine-readable copy, send your written request, along with a certified check or money order in the amount of US $25.00 payable to "SonicWALL, Inc." to:
General Public License Source Code Request
SonicWALL, Inc.
Attn: Jennifer Anderson
2001 Logic Drive
San Jose, CA 95124-3452

Limited Warranty

SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

SonicWALL Technical Support

For timely resolution of technical support questions, visit SonicWALL on the Internet at
<http://www.sonicwall.com/us/support.html>. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support. To contact SonicWALL telephone support, see the telephone numbers listed below. See
<http://www.sonicwall.com/us/support/contact.html> for the latest technical support telephone
numbers.

North America Telephone Support

U.S./Canada - 888.777.1476 or +1 408.752.7819

International Telephone Support

Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.3457.8971
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484

More Information on SonicWALL Products

Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Web: http://www.sonicwall.com E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300
Current Documentation
Check the SonicWALL documentation Web site for the latest versions of this manual and all other SonicWALL product documentation.
http://www.sonicwall.com/us/support.html

About This Guide

The SonicWALL SSL VPN Administrator’s Guide provides network administrators with a high-level overview of SonicWALL SSL VPN technology, including activation, configuration, and administration of the SonicWALL SSL VPN management interface and the SonicWALL SSL-VPN appliance.
Note Always check <http://www.sonicwall.com/support/documentation.html> for the latest
version of this guide as well as other SonicWALL products and services documentation.

Guide Conventions

The following conventions are used in this guide:

Convention: Use
Bold: Highlights dialog box, window, and screen names. Also highlights buttons and tabs. Also used for file names and text or values you are being instructed to type into the interface.
Italic: Indicates the name of a technical manual, emphasis on certain words in a sentence, or the first instance of a significant term or concept.
Menu Item > Menu Item: Indicates a multiple step Management Interface menu choice. For example, System > Status means select the Status page under the System menu.

Icons Used in this Manual

These special messages refer to noteworthy information, and include a symbol for quick identification:
Tip: Useful information about security features and configurations on your SonicWALL.
Note: Important information on a feature that requires callout for special attention.
Timesaver: Useful tips about features that may save you time.
Indicates a client feature that is only supported on the Microsoft Windows platform.
Indicates a client feature that is supported on Microsoft Windows, Apple MacOS, and Linux.

Organization of This Guide

The SonicWALL SSL VPN Administrator’s Guide is organized in chapters that follow the SonicWALL SSL VPN Web-based management interface structure.
This section contains a description of the following chapters and appendices:
“SSL VPN Overview” on page viii
“System Configuration” on page viii
“Network Configuration” on page ix
“Portals Configuration” on page ix
“NetExtender Configuration” on page ix
“Virtual Assist Configuration” on page ix
“Web Application Firewall Configuration” on page ix
“Users Configuration” on page ix
“Log Configuration” on page x
“Virtual Office Configuration” on page x
“Appendix A: Accessing Online Help” on page x
“Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page x
“Appendix C: Use Cases” on page x
“Appendix D: NetExtender Troubleshooting” on page x
“Appendix E: FAQ” on page x
“Appendix F: Glossary” on page xi
“Appendix G: SMS Email Formats” on page xi
SSL VPN Overview
“SSL VPN Overview” on page 7 provides an introduction to SSL VPN technology and an
overview of the SonicWALL SSL-VPN appliance and Web-based management interface features. The SSL VPN Overview chapter includes SSL VPN concepts, a Web-based management interface overview, and deployment guidelines.
System Configuration
“System Configuration” on page 59 provides instructions for configuring SonicWALL SSL VPN
options under System in the navigation bar of the management interface, including:
Registering the SonicWALL appliance
Setting the date and time
Working with configuration files
Managing firmware versions and preferences
General appliance administration
Certificate management
Viewing SSL VPN monitoring reports
Using diagnostic tools
Network Configuration
“Network Configuration” on page 91 provides instructions for configuring SonicWALL SSL VPN
options under Network in the navigation bar of the management interface, including:
Configuring network interfaces
Configuring DNS settings
Setting network routes and static routes
Configuring hostname and IP address information for internal name resolution
Creating reusable network objects representing network resources like FTP, HTTP, RDP,
SSH and File Shares
Portals Configuration
“Portals Configuration” on page 105 provides instructions for configuring SonicWALL SSL VPN
options under Portals in the navigation bar of the management interface, including portals, domains (including RADIUS, NT, LDAP and Active Directory authentication), and custom logos.
NetExtender Configuration
“NetExtender Configuration” on page 167 provides instructions for configuring SonicWALL SSL
VPN options under NetExtender in the navigation bar of the management interface, including NetExtender status, setting NetExtender address range, and configuring NetExtender routes.
Virtual Assist Configuration
“Virtual Assist Configuration” on page 177 provides instructions for configuring SonicWALL
SSL VPN options under Virtual Assist in the navigation bar of the management interface, including Virtual Assist status, settings and licensing.
High Availability Configuration
“High Availability Configuration” on page 189 provides information and configuration tasks
specific to High Availability in the navigation bar of the management interface.
Web Application Firewall Configuration
“Web Application Firewall Configuration” on page 195 provides instructions for configuring
SonicWALL SSL VPN options under Web Application Firewall in the navigation bar of the management interface, including Web Application Firewall status, settings, signatures, log, and licensing.
Users Configuration
“Users Configuration” on page 237 provides instructions for configuring SonicWALL SSL VPN
options under Users in the navigation bar of the management interface, including:
Access policy hierarchy overview
Configuring local users and local user policies
Configuring user groups and user group policies
Global configuration
Log Configuration
“Log Configuration” on page 291 provides instructions for configuring SonicWALL SSL VPN
options under Log in the navigation bar of the management interface, including viewing and configuring logs and creating alert categories.
Virtual Office Configuration
“Virtual Office Configuration” on page 301 provides a brief introduction to the Virtual Office, the
user portal feature of SonicWALL SSL VPN. The administrator can access the Virtual Office user portal using Virtual Office in the navigation bar of the SonicWALL SSL VPN Web-based management interface. Users access the Virtual Office using a Web browser. The SonicWALL SSL VPN User’s Guide provides detailed information about the Virtual Office.
Appendix A: Accessing Online Help
“Online Help” on page 305 provides a description of the help available from the Online Help
button in the upper right corner of the management interface. This appendix also includes an overview of the context-sensitive help found on most pages of the SonicWALL SSL VPN management interface.
Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway
“Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page 307 provides
configuration instructions for configuring the SonicWALL SSL-VPN appliance to work with third-party gateways, including:
Cisco PIX
Linksys WRT54GS
WatchGuard Firebox X Edge
NetGear FVS318
Netgear Wireless Router MR814
Check Point AIR 55
Microsoft ISA Server 2000
Appendix C: Use Cases
“Use Cases” on page 327 provides use cases for importing CA certificates and for configuring
group-based access policies for multiple Active Directory groups needing access to Outlook Web Access and SSH.
Appendix D: NetExtender Troubleshooting
“NetExtender Troubleshooting” on page 345 provides troubleshooting support for the
SonicWALL SSL VPN NetExtender feature.
Appendix E: FAQ
“FAQs” on page 349 provides a list of frequently asked questions about the SonicWALL SSL
VPN Web-based management interface and SonicWALL SSL-VPN appliance.
Appendix F: Glossary
“Glossary” on page 373 provides a glossary of technical terms used in the
SonicWALL SSL VPN Administrator’s Guide.
Appendix G: SMS Email Formats
“SMS Email Formats” on page 375 provides a list of SMS email formats for selected worldwide
cellular carriers.

Table of Contents

SonicWALL SRA SSL VPN 5.0 Administrator’s Guide ..... i
  Copyright Notice ..... ii
  Trademarks ..... ii
  SonicWALL GPL Source Code ..... iii
    GNU General Public License (GPL) ..... iii
  Limited Warranty ..... iii
  SonicWALL Technical Support ..... iv
  More Information on SonicWALL Products ..... v
About This Guide ..... vii
  Guide Conventions ..... vii
  Organization of This Guide ..... viii
Table of Contents ..... 1
SSL VPN Overview ..... 7
  Overview of SonicWALL SSL VPN ..... 8
    SSL for Virtual Private Networking (VPN) ..... 8
    SSL VPN Software Components ..... 9
    SSL-VPN Hardware Components ..... 9
  Concepts for SonicWALL SSL VPN ..... 11
    Encryption Overview ..... 11
    SSL Handshake Procedure ..... 11
    IPv6 Support Overview ..... 12
    Browser Requirements for the SSL VPN Administrator ..... 14
    Browser Requirements for the SSL VPN End User ..... 15
    Portals Overview ..... 15
    Domains Overview ..... 16
    NetExtender Overview ..... 16
    Network Resources Overview ..... 20
    SNMP Overview ..... 26
    DNS Overview ..... 26
    Network Routes Overview ..... 26
    Two-Factor Authentication Overview ..... 26
    One Time Password Overview ..... 28
    Virtual Assist Overview ..... 30
    Web Application Firewall Overview ..... 42
      What is Web Application Firewall? ..... 42
      Benefits of Web Application Firewall ..... 44
      How Does Web Application Firewall Work? ..... 44
  Navigating the SSL VPN Management Interface ..... 49
    Management Interface Introduction ..... 49
    Navigating the Management Interface ..... 51
    Navigation Bar ..... 54
  Deployment Guidelines ..... 56
    Support for Numbers of User Connections ..... 56
    Resource Type Support ..... 57
    Integration with SonicWALL Products ..... 57
    Typical Deployment ..... 57
System Configuration ..... 59
  System > Status ..... 60
    System > Status Overview ..... 60
    Registering Your SonicWALL SSL-VPN from System Status ..... 62
    Configuring Network Interfaces ..... 64
  System > Licenses ..... 64
    System > Licenses Overview ..... 64
    Registering the SSL-VPN from System > Licenses ..... 67
    Activating or Upgrading Licenses ..... 69
  System > Support Services ..... 70
  System > Time ..... 71
    System > Time Overview ..... 71
    Setting the Time ..... 72
    Enabling Network Time Protocol ..... 72
  System > Settings ..... 73
    System > Settings Overview ..... 73
    Managing Configuration Files ..... 74
    Managing Firmware ..... 76
  System > Administration ..... 78
    System > Administration Overview ..... 78
    Configuring Login Security ..... 80
    Enabling GMS Management ..... 80
    Configuring Web Management Settings ..... 81
    Configuring the Management Interface Language ..... 81
  System > Certificates ..... 81
    System > Certificates Overview ..... 82
    Certificate Management ..... 83
    Generating a Certificate Signing Request ..... 83
    Viewing and Editing Certificate Information ..... 84
    Importing a Certificate ..... 84
    Adding Additional CA Certificates ..... 85
  System > Monitoring ..... 85
    System > Monitoring Overview ..... 85
    Setting The Monitoring Period ..... 87
    Refreshing the Monitors ..... 87
  System > Diagnostics ..... 88
    System > Diagnostics Overview ..... 88
    Downloading the Tech Support Report ..... 89
    Performing Diagnostic Tests ..... 89
  System > Restart ..... 90
    System > Restart Overview ..... 90
    Restarting the SonicWALL SSL-VPN ..... 90
Network Configuration ..... 91
  Network > Interfaces ..... 92
    Network > Interfaces Overview ..... 92
    Configuring Network Interfaces ..... 92
  Network > DNS ..... 94
    Network > DNS Overview ..... 94
    Configuring Hostname Settings ..... 95
    Configuring DNS Settings ..... 95
    Configuring WINS Settings ..... 95
  Network > Routes ..... 96
    Network > Routes Overview ..... 96
    Configuring a Default Route for the SSL-VPN Appliance ..... 97
    Configuring Static Routes for the Appliance ..... 97
  Network > Host Resolution ..... 99
    Network > Host Resolution Overview ..... 99
    Configuring Host Resolution ..... 99
  Network > Network Objects ..... 100
    Network > Network Objects Overview ..... 100
    Adding Network Objects ..... 101
    Editing Network Objects ..... 101
Portals Configuration ..... 105
  Portals > Portals ..... 106
    Portals > Portals Overview ..... 106
    Adding Portals ..... 107
    Configuring General Portal Settings ..... 109
    Configuring the Home Page ..... 110
    Configuring Per-Portal Virtual Assist Settings ..... 114
    Configuring Virtual Host Settings ..... 115
    Adding a Custom Portal Logo ..... 116
  Portals > Application Offloading ..... 118
    Application Offloading Overview ..... 118
    Configuring an Offloaded Application with HTTP/HTTPS ..... 119
    Configuring Generic SSL Offloading ..... 122
Portals > Domains ................ ......................... ......................... ......................... ...............................................124
Portals > Domains Overview ...................................... .. ............................. .. ......................................... 124
Viewing the Domains Table ..................................................................................................................125
Removing a Domain ............................................................................................................................... 125
Adding or Editing a Domain .............. .......................................................... .. ....................................... 125
Adding or Editing a Domain with Local User Authentication .............................. .. .. ...................... 127
Adding or Editing a Domain with Active Directory Authenticat ion .................... .......................... 128
Adding or Editing a Domain with LDAP Authentication ................................ .............................. . 130
Adding or Editing a Domain with NT Domain Authentication .. ............................. .. .................... 132
Adding or Editing a Domain with RADIUS Authentication ........ ............................. .. .................... 133
Configuring Two-Factor Authentication ................................. .. .............................. .. ..........................136
Portals > Custom Logo .................................................. ......................... ........................ ...............................146
Portals > Load Balancing ........................ ......................... ......................... ......................... ............................147
Portals > Load Balancing Overview .......................... .. ............................. .. ............................. .. ..........147
Configuring a Load Balancing Group ............................................................... .. ................................. 148
Services Configuration .... 153
Services > Settings .... 154
Services > Bookmarks .... 157
Services > Policies .... 164
NetExtender Configuration .... 167
NetExtender > Status .... 168
NetExtender > Status Overview .... 168
Viewing NetExtender Status .... 168
NetExtender > Client Settings .... 169
NetExtender > Client Settings Overview .... 169
Configuring the Global NetExtender IP Address Range .... 169
Configuring Global NetExtender Settings .... 170
NetExtender > Client Routes .... 171
NetExtender > Client Routes Overview .... 171
Adding NetExtender Client Routes .... 171
NetExtender User and Group Settings .... 172
Configuring User-Level NetExtender Settings .... 172
Configuring Group-Level NetExtender Settings .... 175
Virtual Assist Configuration .... 177
Virtual Assist > Status .... 178
Virtual Assist > Status .... 178
Virtual Assist > Settings .... 179
General Settings .... 179
Request Settings .... 180
Notification Settings .... 181
Customer Portal Settings .... 182
Restriction Settings .... 183
Virtual Assist > Log .... 184
Virtual Assist > Licensing .... 186
Virtual Assist > Licensing Overview .... 186
Enabling Virtual Assist .... 186
High Availability Configuration .... 189
High Availability Overview .... 190
Stateful High Availability Support .... 190
Supported Platforms .... 190
Configuring High Availability .... 191
Physical Connectivity .... 191
Configuring a High Availability Pair .... 191
Technical FAQ .... 193
Web Application Firewall Configuration .... 195
Licensing Web Application Firewall .... 196
Configuring Web Application Firewall .... 199
Viewing and Updating Web Application Firewall Status .... 199
Configuring Web Application Firewall Settings .... 200
Configuring Web Application Firewall Signature Actions .... 205
Determining the Host Entry for Exclusions .... 209
Configuring Web Application Firewall Custom Rules .... 212
Using Web Application Firewall Monitoring .... 226
Using Web Application Firewall Logs .... 231
Verifying and Troubleshooting Web Application Firewall .... 234
Users Configuration .... 237
Users > Status .... 238
Access Policies Concepts .... 239
Access Policy Hierarchy .... 239
Users > Local Users .... 240
Users > Local Users Overview .... 240
Removing a User .... 241
Adding a Local User .... 241
Editing User Settings .... 242
Users > Local Groups .... 263
Users > Local Groups Overview .... 263
Deleting a Group .... 264
Adding a New Group .... 264
Editing Group Settings .... 264
Group Configuration for LDAP Authentication Domains .... 276
Group Configuration for Active Directory, NT and RADIUS Domains .... 280
Creating a Citrix Bookmark for a Local Group .... 282
Global Configuration .... 284
Edit Global Settings .... 284
Edit Global Policies .... 286
Edit Global Bookmarks .... 288
Log Configuration .... 291
Log > View .... 292
Log > View Overview .... 292
Viewing Logs .... 294
Emailing Logs .... 295
Log > Settings .... 296
Log > Settings Overview .... 296
Configuring Log Settings .... 297
Configuring the Mail Server .... 298
Log > Categories .... 299
Log > ViewPoint .... 300
Log > ViewPoint Overview .... 300
Adding a ViewPoint Server .... 300
Virtual Office Configuration .... 301
Virtual Office .... 301
Virtual Office Overview .... 302
Using the Virtual Office .... 302
Online Help .... 305
Online Help .... 306
Using Context Sensitive Help .... 306
Configuring SonicWALL SSL VPN with a Third-Party Gateway .... 307
Cisco PIX Configuration for SonicWALL SSL-VPN Appliance Deployment .... 308
Before you Begin .... 308
Method One – SonicWALL SSL-VPN Appliance on LAN Interface .... 308
Method Two – SonicWALL SSL-VPN Appliance on DMZ Interface .... 311
Linksys WRT54GS .... 315
WatchGuard Firebox X Edge .... 316
NetGear FVS318 .... 318
Netgear Wireless Router MR814 SSL configuration .... 320
Check Point AIR 55 .... 321
Setting up a SonicWALL SSL-VPN with Check Point AIR 55 .... 321
Static Route .... 322
ARP .... 322
Microsoft ISA Server .... 324
Deploying a SonicWALL SSL-VPN Behind a Microsoft ISA Server .... 324
Configuring ISA .... 324
Use Cases .... 327
Importing CA Certificates on Windows .... 327
Importing a goDaddy Certificate on Windows .... 327
Importing a Server Certificate on Windows .... 330
Creating Unique Access Policies for AD Groups .... 331
Creating the Active Directory Domain .... 332
Adding a Global Deny All Policy .... 333
Creating Local Groups .... 334
Adding the SSHv2 PERMIT Policy .... 336
Adding the OWA PERMIT Policies .... 337
Verifying the Access Policy Configuration .... 339
NetExtender Troubleshooting .... 345
FAQs .... 349
Hardware FAQ .... 352
Digital Certificates and Certificate Authorities FAQ .... 357
NetExtender FAQ .... 363
General FAQ .... 366
Glossary .... 373
SMS Email Formats .... 375

Chapter 1: SSL VPN Overview

This chapter provides an overview of the SonicWALL SSL VPN technology, concepts, basic navigational elements and standard deployment guidelines. This chapter includes the following sections:
“Overview of SonicWALL SSL VPN” section on page 8
“Concepts for SonicWALL SSL VPN” section on page 11
“Navigating the SSL VPN Management Interface” section on page 49
“Deployment Guidelines” section on page 56


Overview of SonicWALL SSL VPN
The SonicWALL SSL-VPN appliance provides organizations with a simple, secure and clientless method of access to applications and network resources, specifically for remote and mobile employees. Organizations can use SonicWALL SSL VPN connections without the need to have a pre-configured, large-installation host. Users can easily and securely access email, files, intranet sites, applications, and other resources on the corporate Local Area Network (LAN) from any location using a standard Web browser.
Organizations use Virtual Private Networks (VPNs) to establish secure, end-to-end private network connections over a public networking infrastructure, allowing them to reduce their communications expenses and to provide private, secure connections between a user and a site in the organization. By offering Secure Socket Layer (SSL) VPN without the expense of special feature licensing, the SonicWALL SSL-VPN appliance provides customers with a cost-effective alternative to deploying parallel remote-access infrastructures. This section contains the following subsections:
“SSL for Virtual Private Networking (VPN)” section on page 8
“SSL VPN Software Components” section on page 9
“SSL-VPN Hardware Components” section on page 9

SSL for Virtual Private Networking (VPN)

A Secure Socket Layer-based Virtual Private Network (SSL VPN) allows applications and private network resources to be accessed remotely through a secure connection. Using SSL VPN, mobile workers, business partners, and customers can access files or applications on a company’s intranet or within a private local area network.
Although SSL VPN protocols are described as clientless, the typical SSL VPN portal combines Web, Java, and ActiveX components that are downloaded from the SSL VPN portal transparently, allowing users to connect to a remote network without needing to manually install and configure a VPN client application. In addition, SSL VPN enables users to connect from a variety of devices, including Windows, Macintosh, and Linux PCs. ActiveX components are only supported on Windows platforms.
For administrators, the SonicWALL SSL VPN Web-based management interface provides an end-to-end SSL VPN solution. Through this interface the administrator configures SSL VPN users, access policies, authentication methods, user bookmarks for network resources, and system settings.
For clients, Web-based SonicWALL SSL VPN customizable user portals enable users to access, update, upload, and download files and use remote applications installed on desktop machines or hosted on an application server. The platform also supports secure Web-based FTP access, a network neighborhood-like interface for file sharing, Secure Shell versions 1 and 2 (SSHv1 and SSHv2), Telnet emulation, VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol) support, Citrix Web access, bookmarks for offloaded portals (external Web sites), and Web and HTTPS proxy forwarding.
The SonicWALL SSL VPN network extension client, NetExtender, is available through the SSL VPN Web portal via an ActiveX control on Windows or using Java on MacOS or Linux systems. It is also available through stand-alone applications for Windows, Linux, and MacOS platforms. The NetExtender standalone applications are automatically installed on a client system the first time the user clicks the NetExtender link in the Virtual Office portal. SonicWALL SSL VPN NetExtender enables end users to connect to the remote network without needing to install and configure complex software, providing a secure means to access any type of data on the remote network. When used with a SonicWALL SSL-VPN 2000 or higher model, NetExtender supports IPv6 client connections from Windows systems running Vista or newer, and from Linux clients.
Note The SSHv2 applet requires SUN JRE 1.6.0_10 or higher and can only connect to a server that supports SSHv2. The RDP Java applet requires SUN JRE 1.6.0_10 or higher. Telnet, SSHv1 and VNC applets support MS JVM in Internet Explorer, and run on other browsers with SUN JRE 1.6.0_10 or higher.

SSL VPN Software Components

SonicWALL SSL VPN provides clientless identity-based secure remote access to the protected internal network. Using the Virtual Office environment, SonicWALL SSL VPN can provide users with secure remote access to your entire private network, or to individual components such as File Shares, Web servers, FTP servers, remote desktops, or even individual applications hosted on Microsoft Terminal Servers.

SSL-VPN Hardware Components

See the following sections for descriptions of the hardware components on SonicWALL SSL-VPN appliances:
“SRA 4200 Front and Back Panels Overview” on page 9
SRA 4200 Front and Back Panels Overview
Figure 1 SonicWALL SRA 4200 Front and Back Panels
Table 1 SonicWALL SRA 4200 Front Panel Features
Front Panel Feature: Description
Console Port: RJ-45 port, provides access to console messages with serial connection (115200 Baud). Provides access to command line interface (for future use).
USB Ports: Provides access to USB interface (for future use).
Reset Button: Provides access to SafeMode.
Power LED: Indicates the SonicWALL SRA 4200 is powered on.
Test LED: Indicates the SonicWALL SRA 4200 is in test mode.
Alarm LED: Indicates a critical error or failure.
X3: Provides access to the X3 interface and to SSL VPN resources.
X2: Provides access to the X2 interface and to SSL VPN resources.
X1: Provides access to the X1 interface and to SSL VPN resources.
X0: Default management port. Provides connectivity between the SonicWALL SRA 4200 and your gateway.

Table 2 SonicWALL SRA 4200 Back Panel Features
Back Panel Feature: Description
Exhaust fans: Provides optimal cooling for the SonicWALL SRA 4200 appliance.
Power plug: Provides power connection using supplied power cord.
Power switch: Powers the SonicWALL SRA 4200 on and off.

Concepts for SonicWALL SSL VPN

This section provides an overview of the following key concepts, with which the administrator should be familiar when using the SonicWALL SSL-VPN appliance and Web-based management interface:
“Encryption Overview” section on page 11
“SSL Handshake Procedure” section on page 11
“IPv6 Support Overview” section on page 12
“Browser Requirements for the SSL VPN Administrator” section on page 14
“Browser Requirements for the SSL VPN End User” section on page 15
“Portals Overview” section on page 15
“Domains Overview” section on page 16
“NetExtender Overview” section on page 16
“Network Resources Overview” section on page 20
“SNMP Overview” section on page 26
“DNS Overview” section on page 26
“Network Routes Overview” section on page 26
“Two-Factor Authentication Overview” section on page 26
“One Time Password Overview” section on page 28
“Virtual Assist Overview” section on page 30
“Web Application Firewall Overview” section on page 42

Encryption Overview

Encryption enables users to encode data, making it secure from unauthorized viewers. Encryption provides a private and secure method of communication over the Internet.
A special type of encryption known as Public Key Encryption (PKE) comprises a public and a private key for encrypting and decrypting data. With public key encryption, an entity, such as a secure Web site, generates a public and a private key. A secure Web server sends a public key to a user who accesses the Web site. The public key allows the user’s Web browser to decrypt data that had been encrypted with the private key. The user’s Web browser can also transparently encrypt data using the public key, and this data can only be decrypted by the secure Web server’s private key.
Public key encryption allows the user to confirm the identity of the Web site through an SSL certificate. After a user contacts the SSL-VPN appliance, the appliance sends the user its own encryption information, including an SSL certificate with a public encryption key.

SSL Handshake Procedure

The following procedure is an example of the standard steps required to establish an SSL session between a user and an SSL VPN gateway using the SonicWALL SSL VPN Web-based management interface:
Step 1 When a user attempts to connect to the SonicWALL SSL-VPN appliance, the user’s Web browser sends information about the types of encryption supported by the browser to the appliance.
Step 2 The appliance sends the user its own encryption information, including an SSL certificate with
a public encryption key.
Step 3 The Web browser validates the SSL certificate with the Certificate Authority identified by the
SSL certificate.
Step 4 The Web browser generates a pre-master encryption key, encrypts the pre-master key using
the public key included with the SSL certificate and sends the encrypted pre-master key to the SSL VPN gateway.
Step 5 The SSL VPN gateway uses the pre-master key to create a master key and sends the new
master key to the user’s Web browser.
Step 6 The browser and the SSL VPN gateway use the master key and the agreed upon encryption
algorithm to establish an SSL connection. From this point on, the user and the SSL VPN gateway will encrypt and decrypt data using the same encryption key . This is called symmetric encryption.
Step 7 Once the SSL connection is established, the SSL VPN gateway will encrypt and send the Web
browser the SSL VPN gateway login page.
Step 8 The user submits his user name, password, and domain name. Step 9 If the user’s domain name requires authentication through a RADIUS, LDAP, NT Domain, or
Active Directory Server, the SSL VPN gateway forwards the user’s information to the appropriate server for authentication.
Step 10 Once authenticated, the user can access the SSL VPN portal.
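Steps 4 to 6 above, as an added worked example that is not from the SonicWALL guide or its software: the TLS 1.2 key derivation of RFC 5246 implemented with Python’s standard library. In the standardized protocol both endpoints compute the master secret independently from the pre-master secret and the two hello nonces, so the master secret itself never crosses the wire; the block shows the browser side and the gateway side arriving at identical symmetric keys. The certificate check (step 3) and the RSA encryption of the pre-master secret (step 4) are outside the block, and the nonces and pre-master secret are constructed sample values; all function names are mine.

```python
import hashlib
import hmac
import os


def p_hash(secret, seed, length):
    """P_SHA256 data-expansion function (RFC 5246 section 5): HMAC chained over A(i)."""
    output = b""
    a = seed  # A(0) = seed
    while len(output) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()               # A(i) = HMAC(secret, A(i-1))
        output += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return output[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(pre_master, client_random, server_random):
    """RFC 5246 section 8.1: 48-byte master secret from the pre-master secret and both nonces."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master, client_random, server_random, length):
    """RFC 5246 section 6.3: key material; the nonce order is server_random + client_random here."""
    return prf(master, b"key expansion", server_random + client_random, length)


def split_key_block(key_block, mac_len=32, key_len=16, iv_len=16):
    """Partition the key block in RFC 5246 order (sizes here fit AES-128-CBC with HMAC-SHA256)."""
    names = ["client_write_mac", "server_write_mac", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = key_block[offset:offset + size]
        offset += size
    return keys


def simulate_key_agreement(client_random=None, server_random=None, pre_master=None):
    """Run the derivation on both sides and return (browser_keys, gateway_keys).

    Sample values are generated when not supplied (constructed, not captured traffic).
    Step 4 of the guide: the browser makes the 48-byte pre-master secret (for RSA key
    exchange it starts with the offered version, 0x0303 for TLS 1.2) and sends it to the
    gateway encrypted under the certificate's public key; that RSA step is omitted here.
    """
    client_random = client_random or os.urandom(32)
    server_random = server_random or os.urandom(32)
    pre_master = pre_master or (b"\x03\x03" + os.urandom(46))
    total = 2 * 32 + 2 * 16 + 2 * 16

    # Browser side: it knows pre_master because it generated it.
    browser_master = derive_master_secret(pre_master, client_random, server_random)
    browser_keys = split_key_block(derive_key_block(browser_master, client_random, server_random, total))

    # Gateway side: it knows pre_master after decrypting it with the certificate's private key.
    gateway_master = derive_master_secret(pre_master, client_random, server_random)
    gateway_keys = split_key_block(derive_key_block(gateway_master, client_random, server_random, total))

    return browser_keys, gateway_keys


if __name__ == "__main__":
    browser, gateway = simulate_key_agreement()
    print("symmetric keys agree:", browser == gateway)
    print("client_write_key:", browser["client_write_key"].hex())
```

Anyone who can recover the pre-master secret (for example by obtaining the gateway’s private key and recording the handshake) can rerun exactly this derivation, which is why the certificate’s private key on the appliance needs the same protection as the sessions it secures.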

IPv6 Support Overview

Internet Protocol version 6 (IPv6) is a replacement for IPv4 that is becoming more frequently used on networked devices. IPv6 is a suite of protocols and standards developed by the Internet Engineering Task Force (IETF) that provides a larger address space than IPv4, additional functionality and security, and resolves IPv4 design issues. You can use IPv6 without affecting IPv4 communications.
Supported on SonicWALL SSL-VPN models 2000 and higher, IPv6 supports stateful address configuration, which is used with a DHCPv6 server, and stateless address configuration, where hosts on a link automatically configure themselves with IPv6 addresses for the link, called link-local addresses.
In IPv6, source and destination addresses are 128 bits (16 bytes) in length. For reference, the 32-bit IPv4 address is represented in dotted-decimal format, divided by periods along 8-bit boundaries. The 128-bit IPv6 address is divided by colons along 16-bit boundaries, where each 16-bit block is represented as a 4-digit hexadecimal number. This is called colon-hexadecimal.
The IPv6 address 2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4 can be simplified by removing the leading zeros within each 16-bit block, as long as each block has at least one digit. When suppressing leading zeros, the address representation becomes: 2008:AB1:0:1E2A:123:45:EE37:C9B4
When addresses contain contiguous sequences of 16-bit blocks set to zeros, the sequence can be compressed to ::, a double-colon. For example, the link-local address of 2008:0:0:0:B67:89:ABCD:1234 can be compressed to 2008::B67:89:ABCD:1234. The multicast address 2008:0:0:0:0:0:0:2 can be compressed to 2008::2.
The IPv6 prefix is the part of the address that indicates the bits of the subnet prefix. Prefixes for IPv6 subnets, routes, and address ranges are written as address/prefix-length, or CIDR notation. For example, 2008:AA::/48 and 2007:BB:0:89AB::/64 are IPv6 address prefixes.
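The notation rules in the preceding paragraphs, as an added example that is not from the SonicWALL guide: a small Python parser that expands any textual IPv6 address to its eight 16-bit blocks, produces the canonical compressed form of RFC 5952 (leading zeros dropped, the longest run of two or more zero blocks replaced by ::, the leftmost run on a tie, lowercase hex digits), and parses address/prefix-length notation while rejecting a prefix whose host bits are not zero. It goes slightly beyond the guide by covering the tie and single-zero-block cases the text does not mention. The function names are mine; the standard library’s ipaddress module is used only to cross-check the result.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdef")


def expand_ipv6(text):
    """Expand any textual IPv6 address to eight 4-digit lowercase hex blocks."""
    text = text.strip().lower()
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has eight 16-bit blocks")
    for block in blocks:
        if not 1 <= len(block) <= 4 or not set(block) <= HEX_DIGITS:
            raise ValueError("bad 16-bit block %r" % block)
    return ":".join(block.zfill(4) for block in blocks)


def compress_ipv6(text):
    """RFC 5952 canonical form: strip leading zeros, collapse the longest run of >= 2 zero blocks."""
    blocks = [block.lstrip("0") or "0" for block in expand_ipv6(text).split(":")]
    best_start, best_len, run_start = -1, 0, -1
    for i, block in enumerate(blocks + ["end"]):  # sentinel closes a trailing run
        if block == "0":
            if run_start < 0:
                run_start = i
        elif run_start >= 0:
            if i - run_start > best_len:  # strictly longer, so the leftmost run wins ties
                best_start, best_len = run_start, i - run_start
            run_start = -1
    if best_len < 2:  # a single zero block is written as 0, never as ::
        return ":".join(blocks)
    return ":".join(blocks[:best_start]) + "::" + ":".join(blocks[best_start + best_len:])


def parse_prefix(text):
    """Parse address/prefix-length (CIDR) into (canonical address, length); host bits must be zero."""
    address, _, length = text.partition("/")
    if not length.isdigit() or not 0 <= int(length) <= 128:
        raise ValueError("prefix length must be 0-128")
    length = int(length)
    value = int(expand_ipv6(address).replace(":", ""), 16)
    host_mask = (1 << (128 - length)) - 1
    if value & host_mask:
        raise ValueError("host bits set in prefix %s" % text)
    return compress_ipv6(address), length


def stdlib_canonical(text):
    """Cross-check: the standard library's RFC 5952 compressed form."""
    return ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    for sample in ["2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4", "2008:0:0:0:B67:89:ABCD:1234", "2008:0:0:0:0:0:0:2"]:
        print(sample, "->", compress_ipv6(sample))
    print(parse_prefix("2008:AA::/48"), parse_prefix("2007:BB:0:89AB::/64"))
```

Normalizing addresses this way before comparing them matters for policy rules: an address written with leading zeros or a different choice of :: placement must match the same rule as its canonical form.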
SonicOS SSL VPN supports IPv6 in the following areas:
Services
FTP Bookmark – Define an FTP bookmark using an IPv6 address.
Telnet Bookmark – Define a Telnet bookmark using an IPv6 address.
SSHv1 / SSHv2 Bookmark – Define an SSHv1 or SSHv2 bookmark using an IPv6 address.
Reverse proxy for HTTP/HTTPS Bookmark – Define an HTTP or HTTPS bookmark using an IPv6 address.
Citrix Bookmark – Define a Citrix bookmark using an IPv6 address.
RDP Bookmark – Define an RDP bookmark using an IPv6 address.
VNC Bookmark – Define a VNC bookmark using an IPv6 address.
Note IPv6 is not supported for File Shares.
Settings
Interface Settings – Define an IPv6 address for the interface. The link-local address is displayed in a tooltip on the Interfaces page.
Route Settings – Define a static route with an IPv6 destination network and gateway.
Network Object – Define the network object using IPv6. An IPv6 address and IPv6 network can be attached to this network object.
NetExtender
When a client connects to NetExtender, it can get an IPv6 address from the SSL-VPN appliance if the client machine supports IPv6 and an IPv6 address pool is configured on the SSL-VPN. NetExtender supports IPv6 client connections from Windows systems running Vista or newer, and from Linux clients.
Virtual Assist
Users and Technicians can request and provide support when using IPv6 addresses.
Rules
Policy rule – User or Group Policies. Three IPv6 options in the Apply Policy To drop-down list:
IPv6 Address
IPv6 Address Range
All IPv6 Address
Login rule – Use IPv6 for address fields:
Define Login From Defined Addresses using IPv6
Two IPv6 options in the Source Address drop-down list: IPv6 Address / IPv6 Network
Virtual Hosts
An administrator can assign an IPv6 address to a virtual host, and can use this address to access the virtual host.
Application Offloading
An administrator can assign an IPv6 address to an application server used for application offloading, and can use this address to access the server.

Browser Requirements for the SSL VPN Administrator

The following Web browsers are supported for the SonicWALL SSL VPN Web-based management interface and the user portal, Virtual Office. Java is only required for various aspects of the SSL VPN Virtual Office, not the management interface.
Internet Explorer 6.0+, 7.0+, 8.0+
Firefox 2.0+
Safari 2.0+
Chrome 4.0+
To configure the SonicWALL SSL-VPN appliance using the Web-based management interface, an administrator must use a Web browser with Java, JavaScript, ActiveX, cookies, popups, and SSLv3 or TLS 1.0 enabled.
The following table provides specific browser requirements.
[Table: SSL VPN Management Interface Minimum Browser/Version Requirements; columns: Browser, Windows XP, Windows Vista, Windows 7, Linux, MacOS X; the per-browser version cells are not recoverable]

Browser Requirements for the SSL VPN End User

The following is a list of Web browser and operating system support for various SSL VPN protocols including NetExtender and various Application Proxy elements. Requirements are shown for Windows, Windows Vista, Windows 7, Linux, and MacOS.

Portals Overview

The SonicWALL SSL-VPN appliance provides a mechanism called Virtual Office, which is a Web-based portal interface that provides clients with easy access to internal resources in your organization. Components such as NetExtender, Virtual Assist, and bookmarks to file shares and other network resources are presented to users through the Virtual Office portal. For organizations with multiple user types, the SSL-VPN allows for multiple customized portals, each with its own set of shared resource bookmarks. Portals also allow for individual domain and security certificates on a per-portal basis. The components in a portal are customized when adding a portal.
File Shares
File shares provide remote users with a secure Web interface to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft’s familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall. File shares can be configured to allow restricted server path access.
Custom Portals
SonicWALL SSL VPN enables you to configure multiple portals, each with its own title, banner, login message, logo and set of available resources. Each portal also enables you to set individual Virtual Hosts/Domain Names (on SonicWALL SSL-VPN models 2000 and higher) to create a unique default portal URL. When a user logs into a portal, he or she sees a set of pre-configured links and bookmarks that are specific to that portal. You can configure whether or not NetExtender is displayed on a Virtual Office portal, and whether you want NetExtender to automatically launch when users log in to the portal. The administrator configures which elements each portal displays through the Portal Settings dialog box. For information on configuring portals, refer to the “Portals > Portals” section on page 106.

Domains Overview

A domain in the SonicWALL SSL VPN environment is a mechanism that enables authentication of users attempting to access the network being serviced by the SSL-VPN appliance. Domain types include the SSL VPN’s internal LocalDomain, and the external platforms Microsoft Active Directory, NT Authentication, LDAP, and RADIUS. Often, only one domain will suffice to provide authentication to your organization, although a larger organization may require distributed domains to handle multiple nodes or collections of users attempting to access applications through the portal. For information about configuring domains, refer to the “Portals > Domains” section on page 124.

NetExtender Overview

This section provides an overview to the NetExtender feature. This section contains the following subsections:
“What is NetExtender?” section on page 16
“Benefits” section on page 16
“NetExtender Concepts” section on page 17
For information on using NetExtender, refer to the “NetExtender > Status” section on page 168 or refer to the SonicWALL SSL VPN User’s Guide.
What is NetExtender?
SonicWALL NetExtender is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.
Benefits
NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox. On Linux or MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal.
The NetExtender Windows client also has a custom dialer that allows it to be launched from the Windows Network Connections menu. This custom dialer allows NetExtender to be connected before the Windows domain login. The NetExtender Windows client also supports a single active connection, and displays real-time throughput and data compression ratios in the client.
After installation, NetExtender automatically launches and connects a virtual adapter for SSL-secure NetExtender point-to-point access to permitted hosts and subnets on the internal network.
NetExtender Concepts
The following sections describe advanced NetExtender concepts:
“Stand-Alone Client” section on page 17
“Multiple Ranges and Routes” section on page 17
“NetExtender with External Authentication Methods” section on page 18
“Point to Point Server IP Address” section on page 18
“Connection Scripts” section on page 18
“Tunnel All Mode” section on page 19
“Proxy Configuration” section on page 19
Stand-Alone Client
SonicWALL SSL VPN provides a stand-alone NetExtender application. NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer will first uninstall the old NetExtender and install the new version.
Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.
Multiple Ranges and Routes
Multiple range and route support for NetExtender on SonicWALL SSL-VPN models 2000 and higher enables network administrators to easily segment groups and users without the need to configure firewall rules to govern access. This user segmentation allows for granular control of access to the network—allowing users access to necessary resources while restricting access to sensitive resources to only those who require it.
For networks that do not require segmentation, client addresses and routes can be configured globally as in the SSL VPN 1.0 version of NetExtender. The following sections describe the new multiple range and route enhancements:
“IP Address User Segmentation” on page 18
“Client Routes” on page 18
IP Address User Segmentation
Administrators can configure separate NetExtender IP address ranges for users and groups. These settings are configured on the Users > Local Users and Users > Local Groups pages, using the NetExtender tab in the Edit User and Edit Group windows.
When configuring multiple user and group NetExtender IP address ranges, it is important to know how the SonicWALL SSL-VPN appliance assigns IP addresses. When assigning an IP address to a NetExtender client, the SonicWALL SSL-VPN appliance uses the following hierarchy of ranges:
1. An IP address from the range defined in the user’s local profile.
2. An IP address from the range defined in the group profile to which the user belongs.
3. An IP address from the global NetExtender range.
To reserve a single IP address for an individual user, the administrator can enter the same IP address in both the Client Address Range Begin and Client Address Range End fields on the NetExtender tab of the Edit Group window.
Client Routes
NetExtender client routes are used to allow and deny access to various network resources. Client routes can also be configured at the user and group level. NetExtender client routes are also configured on the Edit User and Edit Group windows. The segmentation of client routes is fully customizable, allowing the administrator to specify any possible permutation of user, group, and global routes (such as only group routes, only user routes, group and global routes, user, group, and global routes, etc.). This segmentation is controlled by the Add Global NetExtender Client routes and Add Group NetExtender Client routes checkboxes.
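The address hierarchy under IP Address User Segmentation and the route checkboxes described under Client Routes, as an added example that is not from the SonicWALL guide or the appliance’s software: a Python model that picks a user’s NetExtender address range (user profile first, then group, then global), leases the lowest free address from it, and builds the client route set. The class and field names are mine, and the reading of the checkboxes (group routes are merged in when Add Group NetExtender Client routes is on, global routes when Add Global NetExtender Client routes is on, user routes always) is my interpretation of the text above. All ranges and routes are constructed sample values.

```python
import ipaddress


class NetExtenderPolicy:
    """Model of NetExtender address assignment and client-route segmentation (assumed data model)."""

    def __init__(self, global_range, global_routes=()):
        self.global_range = global_range          # (begin, end) IPv4 address strings
        self.global_routes = set(global_routes)   # CIDR strings
        self.groups = {}
        self.users = {}
        self.leases = {}                          # assigned address -> user

    def add_group(self, name, address_range=None, routes=()):
        self.groups[name] = {"range": address_range, "routes": set(routes)}

    def add_user(self, name, group, address_range=None, routes=(),
                 add_group_routes=True, add_global_routes=True):
        if group not in self.groups:
            raise KeyError("unknown group %s" % group)
        self.users[name] = {"group": group, "range": address_range, "routes": set(routes),
                            "add_group": add_group_routes, "add_global": add_global_routes}

    def address_range(self, user):
        """Hierarchy from the guide: user profile range, then group range, then global range."""
        u = self.users[user]
        if u["range"]:
            return u["range"]
        g = self.groups[u["group"]]
        if g["range"]:
            return g["range"]
        return self.global_range

    def assign_address(self, user):
        """Lease the lowest free address in the effective range; begin == end reserves one address."""
        begin, end = (ipaddress.IPv4Address(a) for a in self.address_range(user))
        if end < begin:
            raise ValueError("range end precedes range begin")
        ip = begin
        while ip <= end:
            if str(ip) not in self.leases:
                self.leases[str(ip)] = user
                return str(ip)
            ip += 1
        raise RuntimeError("no free address in %s-%s for %s" % (begin, end, user))

    def release(self, user):
        """Return every address leased to the user to the pool."""
        for ip in [k for k, v in self.leases.items() if v == user]:
            del self.leases[ip]

    def client_routes(self, user):
        """User routes, plus group and/or global routes depending on the two checkboxes."""
        u = self.users[user]
        routes = set(u["routes"])
        if u["add_group"]:
            routes |= self.groups[u["group"]]["routes"]
        if u["add_global"]:
            routes |= self.global_routes
        return sorted(routes)


def demo_policy():
    """Constructed sample configuration: a global pool, two groups and three users."""
    p = NetExtenderPolicy(("10.10.0.10", "10.10.0.20"), ["10.10.0.0/16"])
    p.add_group("engineering", ("10.20.0.10", "10.20.0.12"), ["10.20.0.0/16"])
    p.add_group("sales")
    # alice: a single reserved address and only user + group routes
    p.add_user("alice", "engineering", ("10.30.0.5", "10.30.0.5"), ["10.30.1.0/24"],
               add_group_routes=True, add_global_routes=False)
    p.add_user("bob", "engineering")                       # inherits the group range
    p.add_user("carol", "sales", add_group_routes=False)   # falls through to the global range
    return p


if __name__ == "__main__":
    p = demo_policy()
    for user in ["alice", "bob", "carol"]:
        print(user, p.assign_address(user), p.client_routes(user))
```

Because the assigned address and the route set together decide what a connected client can reach, the model makes it easy to review, per user, which of the three levels is actually in effect before the configuration is applied.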
NetExtender with External Authentication Methods
Networks that use an external authentication server will not configure local usernames on the SonicWALL SSL-VPN appliance. In such cases, when a user is successfully authenticated, a local user account is created if the Add Global NetExtender Client routes and Add Group NetExtender Client routes settings are enabled.
Point to Point Server IP Address
In SonicWALL SSL VPN, the PPP server IP address is 192.0.2.1 for all connecting clients. This IP address is transparent to both the remote users connecting to the internal network and to the internal network hosts communicating with remote NetExtender clients. Because the PPP server IP address is independent from the NetExtender address pool, all IP addresses in the global NetExtender address pool will be used for NetExtender clients.
Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.
Tunnel All Mode
Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:
IP Address Subnet mask
0.0.0.0 0.0.0.0
0.0.0.0 128.0.0.0
128.0.0.0 128.0.0.0
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
Tunnel All mode can be configured at the global, group, and user levels.
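The route entries listed above, as an added example that is not from the SonicWALL guide or the NetExtender client: a Python model of a client routing table that applies longest-prefix match and, on equal prefix length, prefers the lower metric (the tie-break Windows and Linux use, assumed here). Running it shows why the two /1 routes capture all Internet-bound traffic regardless of the metric on the existing default route, and why the tunnel’s copy of the local 10.0.0.0/255.255.0.0 route only wins if it carries the preferred metric. Interface names, metrics and the sample laptop table are constructed.

```python
import ipaddress


class ClientRouteTable:
    """Minimal host routing table: longest prefix match, then lowest metric on ties."""

    def __init__(self):
        self.routes = []  # (IPv4Network, interface, metric)

    def add(self, destination, netmask, interface, metric):
        net = ipaddress.IPv4Network("%s/%s" % (destination, netmask), strict=False)
        self.routes.append((net, interface, metric))

    def lookup(self, address):
        """Return the interface that would carry traffic to `address`, or None."""
        addr = ipaddress.IPv4Address(address)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        net, interface, metric = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
        return interface


def laptop_table():
    """Constructed sample: a remote user at 10.0.67.64/16 with a LAN default gateway."""
    rt = ClientRouteTable()
    rt.add("0.0.0.0", "0.0.0.0", "lan", 25)          # existing default route
    rt.add("10.0.0.0", "255.255.0.0", "lan", 25)     # the user's local network
    return rt


def enable_tunnel_all(rt, local_networks=(("10.0.0.0", "255.255.0.0"),), metric=1):
    """Install the routes the guide lists for Tunnel All mode, plus a tunnel route for
    each local network. metric=1 models the preferred (lower) metric the tunnel needs."""
    for dest, mask in [("0.0.0.0", "0.0.0.0"), ("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")]:
        rt.add(dest, mask, "netextender", metric)
    for dest, mask in local_networks:
        rt.add(dest, mask, "netextender", metric)
    return rt


def covers_all_ipv4(rt, interface):
    """True when the /1 pair on `interface` partitions the whole IPv4 space."""
    halves = [r[0] for r in rt.routes if r[1] == interface and r[0].prefixlen == 1]
    return sorted(str(n) for n in halves) == ["0.0.0.0/1", "128.0.0.0/1"]


if __name__ == "__main__":
    rt = enable_tunnel_all(laptop_table())
    for dst in ["8.8.8.8", "192.168.1.5", "10.0.5.5"]:
        print(dst, "->", rt.lookup(dst))
```

A quick way to verify Tunnel All on a real client is to check that lookups for an Internet address, an address in the upper half of the space, and an address on the local LAN all resolve to the tunnel adapter; the third check is the one that fails when only the metric is wrong.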
Proxy Configuration
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
Automatically detect settings - To use this setting, the proxy server must support the Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window will prompt you to enter them when you first connect.
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SSL VPN server directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.

Network Resources Overview

Network Resources are the granular components of a trusted network that can be accessed using SonicWALL SSL VPN. Network Resources can be pre-defined by the administrator and assigned to users or groups as bookmarks, or users can define and bookmark their own Network Resources.
The following sections describe types of network resources supported by SonicWALL SSL VPN:
“HTTP (Web) and Secure HTTPS (Web)” section on page 20
“Telnet (Java)” section on page 21
“SSHv1 and SSHv2 (Java)” section on page 21
“FTP (Web)” section on page 21
“File Shares (CIFS)” section on page 21
“Remote Desktop Protocols and Virtual Network Computing” section on page 22
“Application Protocols Using RDP” section on page 23
“Microsoft Outlook Web Access” section on page 23
“Windows Sharepoint Services” section on page 25
“Lotus Domino Web Access 7” section on page 25
“Citrix Portal” section on page 26
HTTP (Web) and Secure HTTPS (Web)
The SonicWALL SSL-VPN appliance provides proxy access to an HTTP or HTTPS server on the internal network, Internet, or any other network segment that can be reached by the appliance. The remote user communicates with the SonicWALL SSL-VPN appliance using HTTPS and requests a URL. The URL is then retrieved over HTTP by the SonicWALL SSL-VPN. The URL is transformed as needed, and returned encrypted to the remote user.
The SSL VPN administrator can configure Web (HTTP) or Secure Web (HTTPS) bookmarks to allow user access to Web-based resources and applications such as Microsoft OWA Premium, Windows Sharepoint 2007, Novell Groupwise Web Access 7.0, or Domino Web Access 7 with HTTP(S) reverse proxy support. Reverse-proxy bookmarks also support the HTTP 1.1 protocol and connection persistence.
HTTPS bookmarks on SRA 4200 appliances support keys of up to 2048 bits.
HTTP(S) caching is supported on the SSL-VPN appliance for use when it is acting as a proxy Web server deployed between a remote user and a local Web server. The proxy is allowed to cache HTTP(S) content on the SSL-VPN appliance which the internal Web server deems cacheable based on the HTTP(S) protocol specifications. For subsequent requests, the cached content is returned only after ensuring that the user is authenticated with the SSL-VPN device and is cleared for access by the access policies. In addition, SSL VPN 5.0 optimizes traffic to the backend Web server by using TCP connection multiplexing, where a single TCP connection is used for multiple user sessions to the same Web server. Caching is predominantly used for static Web content like JavaScript files, stylesheets, and images. The proxy can parse HTML/JavaScript/CSS documents of indefinite length. The administrator can enable or disable caching, flush cached content, and set the maximum size for the cache.
Content received by the SonicWALL SSL-VPN appliance from the local Web server is compressed using gzip before sending it over the Internet to the remote client. Compressing content sent from the SSL-VPN saves bandwidth and results in higher throughput. Furthermore, only compressed content is cached, saving nearly 40-50% of the required memory. Note that gzip compression is not available on the local (clear text) side of the SSL-VPN appliance, or for HTTPS requests from the remote client.
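The caching and compression behaviour described in the two paragraphs above, as an added example that is not from the SonicWALL guide or the appliance’s own code: a small Python reverse-proxy model in which the user’s access policy is evaluated before any cache lookup (so content cached on behalf of one user is never served to another who is not cleared for it), only origin responses that are explicitly cacheable are stored, stored bodies are kept gzip-compressed, and the cache has a size cap with eviction and a flush operation. The origin server, the per-user policy table and the URLs are constructed sample data; all names are mine.

```python
import gzip
import re
import time

MAX_AGE = re.compile(r"max-age=(\d+)")


def cache_ttl(status, headers):
    """Seconds a shared cache may keep the response, or None if it must not be stored.
    Conservative subset of the HTTP caching rules: 200 only, an explicit max-age required,
    never no-store or private, never a response that sets a cookie (likely per-user)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "").lower()
    if status != 200 or "no-store" in cc or "private" in cc or "set-cookie" in h:
        return None
    m = MAX_AGE.search(cc)
    return int(m.group(1)) if m else None


class ProxyCache:
    """Bounded in-memory cache of gzip-compressed bodies keyed by URL."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.entries = {}  # url -> (expires_at, gzipped_body, origin_headers)
        self.size = 0

    def store(self, url, body, headers, ttl, now):
        blob = gzip.compress(body)  # only compressed content is kept
        if len(blob) > self.max_bytes:
            return False
        self.drop(url)
        while self.size + len(blob) > self.max_bytes:  # evict the soonest-expiring entry
            self.drop(min(self.entries, key=lambda u: self.entries[u][0]))
        self.entries[url] = (now + ttl, blob, dict(headers))
        self.size += len(blob)
        return True

    def get(self, url, now):
        entry = self.entries.get(url)
        if entry is None:
            return None
        if now >= entry[0]:  # expired
            self.drop(url)
            return None
        return entry[1], entry[2]

    def drop(self, url):
        entry = self.entries.pop(url, None)
        if entry:
            self.size -= len(entry[1])

    def flush(self):
        self.entries.clear()
        self.size = 0


class ReverseProxy:
    def __init__(self, origin, policy, max_cache_bytes=1 << 20):
        self.origin = origin      # callable(url) -> (status, headers, body)
        self.policy = policy      # callable(user, url) -> bool
        self.cache = ProxyCache(max_cache_bytes)
        self.origin_hits = 0      # how often the backend was actually contacted

    def handle(self, user, url, now=None):
        """Return (status, headers, gzipped body). Authentication and the access policy come first."""
        now = time.time() if now is None else now
        if user is None:
            return 401, {}, b""
        if not self.policy(user, url):  # the policy decides before the cache is consulted
            return 403, {}, b""
        hit = self.cache.get(url, now)
        if hit is not None:
            blob, headers = hit
            return 200, {**headers, "Content-Encoding": "gzip", "X-Cache": "HIT"}, blob
        self.origin_hits += 1
        status, headers, body = self.origin(url)
        ttl = cache_ttl(status, headers)
        if ttl:
            self.cache.store(url, body, headers, ttl, now)
        return status, {**headers, "Content-Encoding": "gzip", "X-Cache": "MISS"}, gzip.compress(body)


def decode_body(blob):
    """Inflate a proxy response body as the browser would."""
    return gzip.decompress(blob)


def demo_proxy():
    """Constructed sample origin (one static asset, one private mailbox page) and path policy."""
    pages = {
        "/static/app.js": (200, {"Content-Type": "application/javascript",
                                 "Cache-Control": "public, max-age=600"}, b"console.log('hi');"),
        "/owa/inbox": (200, {"Content-Type": "text/html",
                             "Cache-Control": "private, no-store"}, b"<html>alice's mailbox</html>"),
    }
    allowed = {"alice": ("/static/", "/owa/"), "bob": ("/static/",)}
    origin = lambda url: pages.get(url, (404, {}, b"not found"))
    policy = lambda user, url: any(url.startswith(p) for p in allowed.get(user, ()))
    return ReverseProxy(origin, policy)
```

The ordering in handle() is the security point: a cache consulted before the policy check would turn a shared static-content optimization into a way to read pages the policy denies, and honouring private and no-store keeps per-user responses out of the shared store in the first place.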
Telnet (Java)
A Java-based Telnet client delivered through the remote user’s Web browser. The remote user can specify the IP address of any accessible Telnet server and SonicWALL SSL VPN will make a connection to the server. Communication between the user over SSL and the server is proxied using native Telnet. The Telnet applet supports MS JVM (Microsoft Java Virtual Machine) in Internet Explorer, and requires Sun Java Runtime Environment (JRE) 1.1 or higher for other browsers.
SSHv1 and SSHv2 (Java)
Java-based SSH clients delivered through the remote user’s Web browser. The remote user can specify the IP address of any accessible SSH server and SonicWALL SSL VPN will make a connection to the server. Communication between the user over SSL and the server is proxied using natively encrypted SSH. The SSHv1 applet supports MS JVM in Internet Explorer, and requires SUN JRE 1.1 for other browsers. SSHv2 provides stronger encryption and has other advanced features, and can only connect to a server that supports SSHv2. SSHv2 support sets the terminal type to VT100. SSHv2 requires JRE 1.6.0_10 or higher, available from http://java.sun.com.
FTP (Web)
Proxy access to an FTP server on the internal network, the Internet, or any other network segment that can be reached by the SSL-VPN appliance. The remote user communicates with the SSL-VPN appliance by HTTPS and requests a URL that is retrieved over HTTP by SonicWALL SSL VPN, transformed as needed, and returned encrypted to the remote user. FTP supports 25 character sets, including four Japanese sets, two Chinese sets, and two Korean sets. The client browser and operating system must support the desired character set, and language packs may be required.
File Shares (CIFS)
File Shares provide remote users with a secure Web interface to Microsoft File Shares using the CIFS (Common Internet File System) or the older SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft’s familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall. File shares can be configured to allow restricted server path access.
Remote Desktop Protocols and Virtual Network Computing
RDP Java and VNC are supported on Windows, Linux, and Mac operating systems, while RDP ActiveX is supported only on Windows. Most Microsoft workstations and servers have RDP server capabilities that can be enabled for remote access, and there are a number of freely available VNC servers that can be downloaded and installed on most operating systems. The RDP and VNC clients are automatically delivered to authorized remote users through their Web browser in the following formats:
RDP Java – RDP Java is a Microsoft Remote Desktop Protocol client that has the advantage of broad platform compatibility because it is provided as a Java client. The RDP Java client runs on Windows, Linux, and Mac computers, and supports full-screen mode. On Windows clients, SonicWALL SSL VPN supports many advanced options. On Mac OS X 10.5 or above, RDP Java supports the Mac native RDC client.
RDP ActiveX – RDP ActiveX is also a Microsoft Remote Desktop Protocol client. The RDP ActiveX client only runs on Windows, and is not supported on Mac or Linux computers. Four advanced options are supported by SonicWALL SSL VPN for RDP ActiveX.
VNC (Java) – VNC was originally developed by AT&T, but is today widely available as open source software. Any one of the many variants of VNC servers available can be installed on most any workstation or server for remote access. The VNC client to connect to those servers is delivered to remote users through the Web browser as a Java client.
RDP 6 Support
The SonicWALL SSL-VPN appliance supports connections with RDP 6 clients, and supports the RDP 5 feature set plus four RDP 6 features.
The SonicWALL SSL-VPN appliance supports connections with RDP 6.1 clients. RDC 6.1 is included with the following operating systems:
Windows Server 2008
Windows Vista Service Pack 1 (SP1)
Windows XP Service Pack 3 (SP3)
RDC 6.1 incorporates the following functionality in Windows Server 2008:
Terminal Services RemoteApp
Terminal Services EasyPrint driver
Single Sign-On
For more information, see the “Adding or Editing User Bookmarks” section on page 251.
RDP 7 Support
The SonicWALL SSL VPN appliance supports connections with RDP 7 clients and supports the RDP 7 feature set. RDC 7 is available on the following operating systems:
Windows XP SP3
Windows Vista SP1
Windows Vista SP2
Application Protocols Using RDP
Applications protocols are RDP sessions that provide access to a specific application rather than to an entire desktop. This allows defined access to an individual application, such as CRM or accounting software. When the application is closed, the session closes. The following RDP formats can be used as applications protocols:
RDP Java – Uses the Java-based RDP client to connect to the terminal server, and to automatically invoke an application at the specified path (for example, C:\programfiles\microsoft office\office11\winword.exe).
RDP ActiveX – Uses the ActiveX-based RDP client to connect to the terminal server, and to automatically invoke an application at the specified path (for example, C:\programfiles\wireshark\wireshark.exe).
Application Support for SSO, User Policies, Bookmarks
Table 3 provides a list of application-specific support for Single Sign-On (SSO), global/group/user policies, and bookmark Single Sign-On control policies.
Table 3 Application Support
Application                        Supports SSO   Global/Group/User Policies   Bookmark Policies
Terminal Services (RDP - ActiveX)  Yes            Yes                          Yes
Terminal Services (RDP - Java)     Yes            Yes                          Yes
Virtual Network Computing (VNC)    No             No                           No
File Transfer Protocol (FTP)       Yes            Yes                          Yes
Telnet                             No             No                           No
Secure Shell (SSH)                 No             No                           No
Web (HTTP)                         Yes            No                           No
Secure Web (HTTPS)                 Yes            No                           No
File Shares (CIFS)                 Yes            Yes                          Yes
Citrix Portal (Citrix)             No             Yes                          No
Microsoft Outlook Web Access
SonicWALL SSL-VPN models 2000 and higher include reverse proxy application support for all versions of OWA 2010, 2007, and 2003.
Note SonicWALL SSL-VPN 200 supports OWA 2007 light version only.
Microsoft OWA Premium mode is a Web client for Microsoft Outlook 2003/2007/2010 that simulates the Microsoft Outlook interface and provides more features than basic OWA. Microsoft OWA Premium includes features such as spell check, creation and modification of server-side rules, Web beacon blocking, support for tasks, auto-signature support, and address book enhancements. SonicWALL SSL VPN HTTP(S) reverse proxy functionality supports Microsoft OWA Premium.
Microsoft OWA Premium includes the following features:
Access to email, calendar, and tasks
New Outlook look-and-feel, including right-click functionality
Ability to mark an email as unread
Server-side spelling checker (limited to six languages)
Forms-based authentication (session time-out)
S/MIME support
Note S/MIME support for Microsoft OWA Premium is only available on Internet Explorer 6 SP1 or higher.
Two-line view
Context menus
Improved keyboard shortcuts
Ability to forward meeting requests
Notifications on navigation pane
Ability to add to contacts
Ability to pick names from address book
Ability to set maximum number of messages displayed in views
Support for bi-directional layout for Arabic and Hebrew
Note Bi-directional layout support for Arabic and Hebrew for Microsoft OWA Premium is only available on Internet Explorer 6 SP1 or higher.
Option to set message status “mark as read” when using the reading pane
Public folders display in their own browser window
Access to GAL property sheets within an email message or meeting request
Message sensitivity settings on information bar
Attendee reminder option for meeting request
Ability to launch the calendar in its own window
User interface to set common server-side rules
Outlook style Quick Flags
Support for message signatures
Search folders (must be created in Outlook online mode)
Deferred search for new messages after delete
Attachment blocking
Web beacon blocking to make it more difficult for senders of spam to confirm email addresses
Protection of private information when a user clicks a hyperlink in the body of an email message
See “Creating Unique Access Policies for AD Groups” on page 331 for a use case involving configuring group-based access policies for multiple Active Directory groups needing access to Outlook Web Access.
Windows Sharepoint Services
SonicWALL SSL VPN reverse proxy application support for Windows Sharepoint 2007, Windows Sharepoint Services 3.0, and Windows Sharepoint Services 2.0 is supported on SonicWALL SSL-VPN models 2000 and higher, and includes the following features:
Site Templates
Wiki Sites
Blogs
RSS Feeds
Project Manager
Mobile Access to Content
My Site
Search Center
Document Center
Document Translation Management
Web Content Management
Workflows
Report Center
Note For features that rely on Windows Sharepoint Services-compatible client programs, SSL VPN 5.0 Reverse Proxy does not support the client integration capabilities of Sharepoint. Single sign-on is supported only for basic authentication. Only forms-based authentication and basic authentication schemes are supported.
Lotus Domino Web Access 7
SonicWALL SSL VPN reverse proxy support for Domino Web Access 7 is available on SonicWALL SSL-VPN models 2000 and higher, and includes the following features:
Email
Navigation
Calendar
Folders and storage
Contacts
Tasks and notes
Rules
Options and preferences
Help
Follow-up reminders
Citrix Portal
Citrix is a remote access and application delivery technology, similar in role to RDP: it lets users reach files and applications on a central server over a secure connection. The Citrix applet requires Sun JRE 1.6.0_10 or higher.
The Citrix ICA Client has been renamed the Citrix XenApp plugin. SonicWALL SSL-VPN models 2000 and higher support client computers running Citrix XenApp plugin version 12.0.3 or earlier (including earlier versions of the ICA Client) and Citrix Java client version 10.0 or earlier. The minimum working version of the Citrix ICA Client for Vista is 10.0.
SonicOS SSL VPN 5.0 supports Citrix XenApp Server 6.0, XenApp Server 5.0, XenApp Server 4.5, Presentation Server 4.0, and MetaFrame XP Feature Release 3.

SNMP Overview

SonicWALL SSL VPN devices running SSL VPN 5.0 or higher support Simple Network Management Protocol (SNMP), which reports remote access statistics. SNMP support facilitates network management for administrators, allowing them to leverage standardized reporting tools.

DNS Overview

The administrator can configure DNS on the SonicWALL SSL-VPN appliance to enable it to resolve hostnames to IP addresses. The SonicWALL SSL VPN Web-based management interface allows the administrator to configure a hostname, DNS server addresses, and WINS server addresses.

Network Routes Overview

Configuring a default network route allows your SSL-VPN appliance to reach remote IP networks through the designated default gateway. The gateway will typically be the upstream firewall to which the SSL-VPN appliance is connected. In addition to the default route, it is also possible to configure specific static routes to hosts and networks as a preferred path, rather than using the default gateway.

Two-Factor Authentication Overview

Two-factor authentication is an authentication method that requires two independent pieces of evidence of different kinds, typically something the user knows (a PIN or password) and something the user has (a token), to establish identity and privileges. It is stronger than traditional password authentication, which relies on a single factor (the user's password): an attacker who learns the password still cannot log in without the token.
SonicWALL’s implementation of two-factor authentication partners with two of the leaders in advanced user authentication: RSA and VASCO.
Note Single sign-on (SSO) in SonicWALL SSL VPN does not support two-factor authentication.
See the following sections:
“Benefits of Two-Factor Authentication” section on page 27
“How Does Two-Factor Authentication Work?” section on page 27
“Supported Two-Factor Authentication Providers” section on page 27
Benefits of Two-Factor Authentication
Two-factor authentication offers the following benefits:
Greatly enhances security by requiring two independent pieces of information for authentication.
Reduces the risk posed by weak user passwords that are easily cracked.
Minimizes the time administrators spend training and supporting users by providing a strong authentication process that is simple, intuitive, and automated.
How Does Two-Factor Authentication Work?
Two-factor authentication requires the use of a third-party authentication service. The authentication service consists of two components:
An authentication server on which the administrator configures user names, assigns tokens, and manages authentication-related tasks.
Tokens that the administrator gives to users, which display temporary token codes.
With two-factor authentication, users must enter a valid temporary passcode to gain access. A passcode consists of the following:
The user’s personal identification number (PIN)
A temporary token code
Users read the temporary token codes from their RSA or VASCO tokens, which display a new code every minute. The token code is derived from a secret seed held by both the token and the authentication server together with the current time, so when the RSA or VASCO server authenticates the user it recomputes the code for the current time window and verifies that the submitted code is current, not one captured from an earlier window. If the PIN is correct and the token code is correct and current, the user is authenticated.
Because authentication requires both factors, the RSA SecurID and VASCO Digipass solutions offer stronger security than traditional passwords (single-factor authentication): a captured passcode is useless once its time window has passed, and a stolen token is useless without the PIN.
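The check described above, worked through in code. This is an added example, not SonicWALL, RSA or VASCO code: SecurID and Digipass tokens use their vendors' own code-generation algorithms, so the block uses the public RFC 6238 TOTP construction (HMAC-SHA1 over a 60-second time step) to stand in for the token, and the user name, PIN and seed are constructed. What it demonstrates is the server side the text describes: split the passcode into PIN and token code, accept the code only if it matches the current time window (with a small, assumed clock-skew allowance), and refuse a code that has already been accepted so a captured passcode cannot be replayed within its minute.

```python
"""PIN + time-based token-code verification, as a server would check it.

Added illustration, not SonicWALL, RSA or VASCO code. Real SecurID and
Digipass tokens use their vendors' own algorithms and seed formats; the
RFC 6238 TOTP construction is used here only to model the checks the text
describes. User names, PINs and seeds are constructed sample data.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # the text: the token displays a new code every minute
CODE_DIGITS = 6        # assumed code length
ALLOWED_DRIFT = 1      # assumed: tolerate one step of clock skew either way

# Constructed enrolment records: user -> PIN and the seed shared with the token.
USERS = {
    "alice": {"pin": "4821", "seed": b"constructed-seed-for-alice-token"},
}
# Highest time step already accepted per user; used to reject replay.
_last_accepted_step = {}


def token_code(seed: bytes, step: int) -> str:
    """Code the token shows for time step `step` (HOTP dynamic truncation)."""
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def display_code(seed: bytes, now: int) -> str:
    """What the user reads off the token at Unix time `now`."""
    return token_code(seed, now // STEP_SECONDS)


def verify_passcode(user: str, passcode: str, now: int) -> bool:
    """Accept only if the PIN matches AND the token code is current and unused."""
    rec = USERS.get(user)
    if rec is None or len(passcode) != len(rec["pin"]) + CODE_DIGITS:
        return False
    pin_len = len(rec["pin"])
    pin_part, code_part = passcode[:pin_len], passcode[pin_len:]
    pin_ok = hmac.compare_digest(pin_part.encode(), rec["pin"].encode())

    # Recompute the code for each step in the accepted window and compare.
    # Steps at or below the last accepted one are skipped: a code that has
    # already been used is not valid again even though its minute is current.
    current = now // STEP_SECONDS
    matched_step = None
    for step in range(current - ALLOWED_DRIFT, current + ALLOWED_DRIFT + 1):
        if step <= _last_accepted_step.get(user, -1):
            continue
        expected = token_code(rec["seed"], step).encode()
        if hmac.compare_digest(expected, code_part.encode()):
            matched_step = step

    if pin_ok and matched_step is not None:
        _last_accepted_step[user] = matched_step
        return True
    return False
```

A wrong PIN with a correct code does not consume the code, so the user can retry without waiting for the next minute; a correct passcode is consumed on acceptance, which is why the replay of an intercepted passcode fails even inside its window.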
Supported Two-Factor Authentication Providers
RSA
RSA is a vendor of user authentication products (the name is shared with the RSA public-key algorithm, but SecurID token authentication is a separate mechanism). RSA SecurID tokens authenticate through an RSA Authentication Manager server. RSA SecurID is not supported on all hardware platforms and is supported via RADIUS only.
VASCO
VASCO is a public company that provides user authentication products. VASCO utilizes Digipass tokens to authenticate through a VACMAN Middleware server. VASCO is supported on all SonicWALL SSL-VPN platforms.

One Time Password Overview

This section provides an introduction to the One Time Password feature. This section contains the following topics:
“What is One Time Password?” section on page 28
“Benefits of One Time Passwords” section on page 28
“How Does the SSL VPN One Time Password Feature Work?” section on page 28
“Configuring One Time Passwords for SMS-Capable Phones” section on page 29
“Verifying Administrator One Time Password Configuration” section on page 30
What is One Time Password?
The SonicWALL SSL VPN One Time Password feature adds a second layer of login security to the standard username and password. A one-time password is a randomly generated, single-use password. The SonicWALL SSL VPN One Time Password feature is a two-factor authentication scheme that utilizes one-time passwords in addition to standard user name and password credentials, providing additional security for SonicWALL SSL VPN users.
The SonicWALL SSL VPN One Time Password feature requires users to first submit the correct SonicWALL SSL VPN login credentials. After following the standard login procedure, the SSL VPN generates a one-time password, which is sent to the user at a pre-defined email address. The user must log in to that email account to retrieve the one-time password and type it into the SSL VPN login screen when prompted, before the one-time password expires.
Benefits of One Time Passwords
The SonicWALL SSL VPN One Time Password feature provides more security than single, static passwords alone. Using a one-time password in addition to regular login credentials effectively adds a second layer of authentication. Users must be able to access the email address defined by the SSL VPN administrator before completing the SSL VPN One Time Password login process. Each one-time password is single-use and expires after a set time period, requiring that a new one-time password be generated after each successful login, cancelled or failed login attempt, or login attempt that has timed out, thus reducing the likelihood of a one-time password being compromised.
How Does the SSL VPN One Time Password Feature Work?
The SSL VPN administrator can enable the One Time Password feature on a per-user or per-domain basis. To enable the One Time Password feature on a per-user basis, the administrator must edit the user settings in the SSL VPN management interface. The administrator must also enter an external email address for each user who is enabled for One Time Passwords. For users of Active Directory and LDAP, the administrator can enable the One Time Password feature on a per-domain basis.
Note Enabling the One Time Password feature on a per-domain basis overrides individual "enabled" or "disabled" One Time Password settings. Enabling the One Time Password feature for domains does not override manually entered email addresses, which take precedence over those auto-configured by a domain policy and over AD/LDAP settings.
In order to use the SSL VPN One Time Password feature, the administrator must configure valid mail server settings in the Log > Settings page of the SSL VPN management interface. The administrator can configure the One Time Password feature on a per-user or per-domain basis, and can configure timeout policies for users.
If the email addresses to which you want to deliver your SSL VPN One Time Passwords are in an external domain (such as SMS addresses or external webmail addresses), you will need to configure your SMTP server to allow relaying from the SSL-VPN appliance to the external domain. Scope that relay permission to the appliance's IP address rather than permitting relaying in general, so the mail server does not become an open relay.
For information about how to configure Microsoft Exchange to support SSL VPN One Time Password, see the SonicWALL SSL VPN One Time Password Feature Module, available online at:
http://www.sonicwall.com/us/Support.html
For users enabled for the One Time Password feature either on a per-user or per-domain basis, the login process begins with entering standard user name and password credentials in the SSL VPN interface. After login, users receive a message that a temporary password will be sent to a pre-defined email account. The user must login to the external email account and retrieve the one-time password, then type or paste it into the appropriate field in the SSL VPN login interface. Any user requests prior to entering the correct one-time password will re-direct the user to the login page.
The one-time password is automatically deleted after a successful login and can also be deleted by the user by clicking the Cancel button in the SSL VPN interface, or will be automatically deleted if the user fails to login within that user’s timeout policy period.
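The lifecycle described in this section, modelled in code. This is an added example, not SonicWALL code; the 8-digit format, the 300-second timeout and the outbox list that stands in for the SMTP hand-off are assumptions, and the user and SMS address are constructed. It shows the rules the text states: an OTP is issued only after the primary login, every verification attempt consumes it (success, wrong entry or expiry alike), Cancel deletes it, and requests are refused until the OTP has been accepted, so each new login needs a freshly generated password.

```python
"""Server-side lifecycle of an e-mailed one-time password.

Added illustration, not SonicWALL code. The OTP length, the timeout value
and the outbox stand-in for the SMTP hand-off are assumptions.
"""
import hmac
import secrets

OTP_DIGITS = 8                  # assumed OTP format
DEFAULT_TIMEOUT_SECONDS = 300   # assumed per-user timeout policy


class OtpGate:
    """Tracks one outstanding OTP per user and who has completed login."""

    def __init__(self, timeout_seconds: int = DEFAULT_TIMEOUT_SECONDS):
        self.timeout = timeout_seconds
        self.pending = {}        # user -> (otp, issued_at)
        self.authenticated = set()
        self.outbox = []         # (email_address, otp) that would be mailed

    def issue(self, user: str, email: str, now: int) -> str:
        """Generate and 'send' an OTP; call only after username/password passed."""
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[user] = (otp, now)   # replaces any earlier unused OTP
        self.authenticated.discard(user)  # a new login starts unauthenticated
        self.outbox.append((email, otp))
        return otp

    def cancel(self, user: str) -> None:
        """User clicked Cancel: the outstanding OTP is deleted."""
        self.pending.pop(user, None)

    def verify(self, user: str, entered: str, now: int) -> str:
        """Return 'ok', 'expired', 'invalid' or 'no_pending'.

        The stored OTP is removed on every outcome except 'no_pending', so a
        wrong or late entry forces the user back through login for a new OTP.
        """
        if user not in self.pending:
            return "no_pending"
        otp, issued_at = self.pending.pop(user)
        if now - issued_at > self.timeout:
            return "expired"
        if not hmac.compare_digest(otp.encode(), entered.encode()):
            return "invalid"
        self.authenticated.add(user)
        return "ok"

    def request_allowed(self, user: str) -> bool:
        """Requests made before the OTP is accepted are redirected to login."""
        return user in self.authenticated
```

Popping the pending entry before comparing is deliberate: it makes the single-use and "failed attempt discards it" rules hold even if the comparison raises, and it keeps an attacker from guessing against the same OTP more than once.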
Configuring One Time Passwords for SMS-Capable Phones
SonicWALL SSL VPN One Time Passwords can be configured to be sent via email directly to SMS-capable phones. Contact your cell phone service provider for further information about enabling SMS (Short Message Service).
Below is a list of SMS email formats for selected major carriers, where 4085551212 represents a 10-digit telephone number and area code.
Verizon: 4085551212@vtext.com
Sprint: 4085551212@messaging.sprintpcs.com
AT&T PCS: 4085551212@mobile.att.net
Cingular: 4085551212@mobile.mycingular.com
T-Mobile: 4085551212@tmomail.net
Nextel: 4085551212@messaging.nextel.com
Virgin Mobile: 4085551212@vmobl.com
Qwest: 4085551212@qwestmp.com
Tip Refer to the "SMS Email Formats" section on page 375 for a more detailed list of SMS email formats.
Note These SMS email formats are for reference only. These email formats are subject to change and may vary. You may need additional service or information from your provider before using SMS. Contact the SMS provider directly to verify these formats and for further information on SMS services, options, and capabilities.
To configure the SonicWALL SSL-VPN appliance to send one-time passwords to an SMS email address, follow the procedure described in the “Editing User Settings” section on page 242, and enter the user’s SMS address in the E-mail address field.
Verifying Administrator One Time Password Configuration
To verify that an individual user account has been enabled to use the One Time Password feature, log in to the SonicWALL SSL VPN Virtual Office user interface using the credentials for that account.
If you are able to successfully login to Virtual Office, you have correctly used the One Time Password feature.
If you cannot login using One Time Password, verify the following:
Were you able to log in without being prompted to check your email for a one-time password? If so, the user account has not been enabled for the One Time Password feature.
Is the email address correct? If the email address for the user account was entered incorrectly, log in to the management interface and correct it.
Has no email with a one-time password arrived? Wait a few minutes and refresh your inbox. Check your spam filter. If there is still no email after several minutes, try to log in again to generate a new one-time password.
Did you type the one-time password accurately in the correct field? Re-type or copy and paste the one-time password within the time allotted by the user's timeout policy, as set in the Log > Settings page.

Virtual Assist Overview

This section provides an introduction to the Virtual Assist feature. This section contains the following topics:
“What is Virtual Assist?” on page 31
“Benefits of Virtual Assist” on page 31
“How Does Virtual Assist Work?” on page 31
“Launching a Virtual Assist Technician Session” on page 33
“Performing Virtual Assist Technician Tasks” on page 35
“Enabling a System for Virtual Access” on page 40
What is Virtual Assist?
Virtual Assist is an easy to use tool that allows SonicWALL SSL VPN users to remotely support customers by taking control of their computers while the customer observes. Providing support to customers is traditionally a costly and time consuming aspect of business. Virtual Assist creates a simple to deploy, easy to use remote support solution.
Benefits of Virtual Assist
Virtual Assist provides the following benefits:
Simplified and effective customer support - Support staff can use Virtual Assist to directly access customers' computers to troubleshoot and fix problems. This eliminates the need for customers to try to explain their problems and their computer's behavior over the phone.
Time and cost savings - Virtual Assist eliminates the need for support staff to visit customers to troubleshoot problems and reduces the average time-to-resolution of support calls.
Educational tool - Trainers and support staff can use Virtual Assist to remotely show customers how to use programs and tools.
Seamless integration with existing authentication system - Ensures that customers are who they say they are. Alternatively, the local database of the SSL-VPN appliance and tokenless two-factor authentication can be used.
Secure connections - The SSL-VPN appliance encrypts session data with 256-bit AES inside SSL, providing a secure environment for the data and assisting in efforts to comply with regulations such as Sarbanes-Oxley and HIPAA.
Greater flexibility for remote access - Using the Virtual Access functionality, support staff can access their personal systems located outside the LAN of the SRA appliance.
How Does Virtual Assist Work?
The following sections describe how the Virtual Assist feature works:
“Basic Operation” on page 31
“Remote File Transfer” on page 32
“Chat Feature” on page 32
“Email Invitation” on page 32
“Virtual Access” on page 32
Basic Operation
Virtual Assist is a lightweight, thin client that installs automatically using Java from the SonicWALL SSL VPN Virtual Office without requiring the installation of any external software. For computers that do not support Java, Virtual Assist can be manually installed by downloading an executable file from the Virtual Office.
Note When a user requests service as a customer, Virtual Assist should not be run while connected to the system via RDP on Windows 7 and Windows Vista platforms. Virtual Assist runs as a service for proper access to the customer's system, so correct permissions cannot be set if it is run from an RDP connection.
There are two sides to a Virtual Assist session: the customer view and the technician view. The customer is the person requesting assistance on their computer. The technician is the person providing assistance. A Virtual Assist session consists of the following sequence of events:
1. The technician launches Virtual Assist from the SonicWALL SSL VPN Virtual Office.
2. The technician monitors the Assistance Queue for customers requesting assistance.
3. The customer requests assistance by one of the following methods:
Logs into the SonicWALL SSL VPN Virtual Office and clicks on the Virtual Assist link.
Receives an email invitation from the technician and clicks on the link to launch Virtual Assist.
Navigates directly to the URL of the Virtual Assist home page provided by the technician.
4. The Virtual Assist application installs and runs in the customer's browser.
5. The customer appears in the Virtual Assist Assistance Queue.
6. The technician clicks on the customer's name and launches a Virtual Assist session.
7. The customer clicks on a warning pop-up window that gives the technician control over the customer's computer.
8. The technician's Virtual Assist window now displays the customer's entire display. The technician has complete control of the customer computer's mouse and keyboard. The customer sees all of the actions that the technician performs.
9. If at any time the customer wants to end the session, they can take control and click on the End Virtual Assist button in the bottom right corner of the screen.
10. When the session ends, the customer resumes sole control of the computer.
Remote File Transfer
Virtual Assist includes a Remote File Transfer feature that enables the technician to transfer files directly to and from the customer’s computer. The technician launches the File Transfer process by clicking a button in the Virtual Assist taskbar in the top left corner of the Virtual Assist window. The File Transfer feature supports the upload and download of multiple files.
Chat Feature
Virtual Assist includes a chat feature that allows the technician and customer to communicate using an instant message-style chat function. Either the technician or the customer can initiate a chat session by clicking on the Chat button in the Virtual Assist taskbar.
Email Invitation
From the technician view of Virtual Assist, technicians can send email invitations to customers that contain a direct URL link to initiate a Virtual Assist session. The technician can optionally include a unique message to the customer. When the customer clicks on the email link to Virtual Assist, only the technician who sent the invitation can assist that customer.
Virtual Access
Virtual Access, as part of the larger Virtual Assist feature, allows technicians to gain access to their personal systems outside the LAN of the SRA appliance. After downloading and installing a client from the portal page for Virtual Access mode, the personal system will appear only on that technician's Virtual Assist support queue, within the SRA's management interface. While Virtual Access must be enabled per-portal, this functionality provides greater remote access flexibility for support technicians.
Launching a Virtual Assist Technician Session
To launch a Virtual Assist session as a technician, perform the following steps.
Step 1 Log in to the SonicWALL SSL-VPN security appliance Virtual Office. If you are already logged in to the SonicWALL SSL VPN customer interface, click on the Virtual Office button.
Step 2 Click on the Virtual Assist button.
Step 3 The File Download window displays, and Virtual Assist attempts to automatically install. Click Run to launch the program directly, or click Save to save the installer file to your computer, and then manually launch it.
When downloading through IPv6, the File Download window displays IPv6 information.
Step 4 When you launch the installer, you may see an additional warning message. Click Run.
Step 5 A pop-up window asks if you would like to install Virtual Assist as a standalone client. Click Yes to save the application. A shortcut will be added to your desktop and a link to the application will be added to the program list on your Start Menu. Click No to launch Virtual Assist without saving the application for future use.
Step 6 If you clicked Yes to save the application, you will be prompted to select a location to save the file. Select an appropriate location, such as C:\Program Files\SonicWALL.
Step 7 When Virtual Assist launches for the first time, you may see a security warning pop-up window. De-select the Always ask before opening this file checkbox to avoid this window in the future. Click Run.
Step 8 The Virtual Assist standalone application launches.
Step 9 The technician is now ready to assist customers.
Performing Virtual Assist Technician Tasks
To get started, the technician logs into the SonicWALL SSL-VPN appliance and launches the Virtual Assist application.
Note Each technician can only assist one customer at a time.
Once the technician has launched the Virtual Assist application, the technician can assist customers by performing the following tasks:
“Inviting Customers by Email” on page 36
“Assisting Customers” on page 36
“Using the Virtual Assist Taskbar” on page 37
“Controlling the Virtual Assist Display” on page 38
“Using the Virtual Assist File Transfer” on page 39
Inviting Customers by Email
Step 1 To invite a customer to Virtual Assist, use the email invitation form on the left of the Virtual Assist window.
Note Customers who launch Virtual Assist from an email invitation can only be assisted by the technician who sent the invitation. Customers who manually launch Virtual Assist can be assisted by any technician.
Step 2 Enter the customer's email address in the Customer E-mail field.
Step 3 Optionally, enter Technician E-mail to use a different return email address than the default technician email.
Step 4 Optionally, enter an Additional Message to the customer.
Step 5 Click Invite. The customer will receive an email with an HTML link to launch Virtual Assist.
Step 6 Customers requesting assistance will appear in the Assistance Queue, and the duration of time they have been waiting will be displayed.
Assisting Customers
Step 1 A pop-up window in the lower right task bar alerts the technician when a customer is in the assistance queue.
Step 2 Double-click on a customer's user name to begin assisting the customer.
Step 3 The customer's entire desktop is displayed in the bottom right window of the Virtual Assist application.
The technician now has complete control of the customer’s keyboard and mouse. The customer can see all of the actions that the technician performs.
During a Virtual Assist session, the customer is not locked out of their computer. Both the technician and customer can control the computer, although this may cause confusion and consternation if they both attempt “to drive” at the same time.
The customer has a small tool bar in the bottom right of their screen, with three options. The customer has the following options during a Virtual Assist session, each enabled after clicking the corresponding button.
Active - Toggles to the View Only mode, where the technician can view the customer's computer but cannot control the computer.
Chat - Initiates a chat window with the technician.
End Virtual Assist - Terminates the session.
Using the Virtual Assist Taskbar
The Technician's view of Virtual Assist includes a taskbar with a number of options.
Refresh - Refreshes the display of the customer's computer.
File Transfer - Launches a window to transfer files to and from the customer's computer. See the "Using the Virtual Assist File Transfer" section on page 39 for more information.
Chat - Launches the chat window to communicate with the customer. The technician can also use the dedicated chat window in the bottom left window of the Virtual Assist application.
System Info - Displays detailed information about the customer's computer.
Reboot Customer - Reboots the customer's computer. Unless you have Requested Full Control, the customer will be warned about and given the opportunity to deny the reboot.
Switch Screen - Switches to a second monitor if the customer's computer has more than one monitor configured.
Controlling the Virtual Assist Display
Full Screen - Hides all of the Virtual Assist toolbars and displays the customer's desktop on the technician's entire screen with the Virtual Assist taskbar in the top left corner. If the Virtual Assist taskbar doesn't display, move your mouse to the top middle of the screen. Right-click on the taskbar and click Restore to exit full-screen mode.
Auto Scaling - Zooms the display to fill the entire Virtual Assist window.
Zoom - Zooms the display to one of several presets or allows you to enter a specific value.
True Size - Zooms to 100%.
Side Bar - Toggles the display of the side bar with the email invitation and chat windows.
Top Bar - Toggles the display of the top bar with the customer queue and toolbar.
All Bars - Displays both the side bar and top bar.
No Bar - Hides both the side bar and top bar.
Note A number of these options can be configured from the pull-down menus at the top of the Virtual Assist application.
Request Full Control
Technicians can request full control of a customer’s desktop, allowing them to reboot the system, delete files, or over-write files on the customer’s computer without the customer being repeatedly prompted for permission. Select Request Full Control under the Commands menu to issue a request that will appear on the customer’s desktop.
Using the Virtual Assist File Transfer
The File Transfer window is used to transfer files to and from the customer's computer. The file directory of the technician's computer is shown on the left and the customer's computer on the right.
The File Transfer window functions in much the same manner as Windows Explorer or an FTP program. Navigate the File Transfer window by double-clicking on folders and selecting files. The File Transfer window includes the following controls:
Desktop jumps to the desktop of the technician's or customer's computer.
Up navigates up one directory on either the technician's or customer's computer.
Download transfers the selected file or files from the technician's computer to the customer's computer.
Upload transfers the selected file or files from the customer's computer to the technician's computer.
Delete deletes the selected file or files.
Note When deleting or over-writing files, the customer is warned and must give the technician permission unless the technician has selected Request Full Control and the customer has confirmed.
New folder creates a new folder in the selected directory.
Rename renames the selected file or directory.
When a file is transferring, the transfer progress is displayed at the bottom of the File Transfer window. Click the Exit button to cancel a transfer in progress.
Note File Transfer supports the transfer of single or multiple files. It does not currently support the transfer of directories. To select multiple files, hold down the Ctrl key while clicking on the files.
Enabling a System for Virtual Access
If Virtual Access has been enabled on the Virtual Assist tab on the Portals > Portals page of the management interface, users should see a link on the portal to set up a system for Virtual Access. To enable Virtual Access within the SRA management interface, see "Configuring Per-Portal Virtual Assist Settings" on page 114. The following process allows Virtual Access to be set up on a system.
Step 1 Log in to the portal from the system you wish to set up for Virtual Access and click the Virtual Access link.
Step 2 A file should download with parameters to install the VASAC.exe file that provides the needed client for Virtual Access mode. Save and run the file.
Note Running the file directly from this dialog box may not work on some systems. Save the file to the system and then run the application.
Step 3 Fill in the necessary information in the provided fields to set up the system in Virtual Access mode and click OK.
Server: The host name or IP address of the appliance through which the technician normally reaches the Virtual Office from outside (do not include "https://").
Portal: The name of the portal the technician would normally log in to.
Computer Name: An identifier for the system to help differentiate it from other systems that may be waiting for support in the queue.
Password: A password the technician must enter before accessing the system through the support queue. Choose a strong one; once a technician is in the support queue, this password is what gates control of the system.
Step 4 After installation, the VASAC client should be left running in the system tray.
This system's identifier name should now appear in the technician's support queue displayed on the Virtual Assist > Status page within the management interface. Upon double-clicking the system listing, the technician will be prompted to provide the password established during system set-up to gain Virtual Access to the system.
Ending Virtual Access Mode
Disconnecting from a Virtual Access session will place the system back in the support queue for later access by the technician. From the personal system-side, the user/technician may uninstall or terminate the application from the tray option icons.
An administrator can forcibly remove a system from the queue. If this occurs, the Virtual Access system should no longer attempt to connect to the support queue and should display an error message.
Note For tasks and information on using Virtual Assist as an end-user, refer to the SonicWALL SSL VPN User's Guide.

Web Application Firewall Overview

This section provides an introduction to the Web Application Firewall feature. This section contains the following topics:
“What is Web Application Firewall?” section on page 42
“Benefits of Web Application Firewall” section on page 44
“How Does Web Application Firewall Work?” section on page 44

What is Web Application Firewall?

Web Application Firewall is subscription-based software that runs on the SonicWALL SSL-VPN appliance and protects Web applications running on servers behind the SSL-VPN. Web Application Firewall also provides real-time protection for resources such as HTTP(S) bookmarks, Citrix bookmarks, offloaded Web applications, and the SSL-VPN management interface and user portal that run on the SonicWALL SSL-VPN appliance itself.
Web Application Firewall provides real-time protection against a whole suite of Web attacks such as Cross-site scripting, SQL Injection, OS Command Injection, and many more. The top ten vulnerabilities for Web applications are tracked by OWASP, an open community that focuses its efforts on improving the security of Web applications. SonicOS SSL VPN Web Application Firewall protects against these top ten, defined in 2007 as follows:
Table 4 OWASP Top Ten Vulnerabilities
A1 - Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a Web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface Web sites, and possibly introduce worms.
A2 - Injection Flaws: Injection flaws, particularly SQL injection, are common in Web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 - Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable Web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the Web application that it attacks.
A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
Slowloris Protection
In addition to the top ten threats listed above, Web Application Firewall protects against Slowloris HTTP Denial of Service attacks. This means that Web Application Firewall also protects all the backend Web servers against this attack. Many Web servers, including Apache, are vulnerable to Slowloris. Slowloris is especially effective against Web servers that use threaded processes and limit the amount of threading allowed.
Slowloris is a stealthy, slow-acting attack that sends partial HTTP requests at regular intervals to hold connections open to the Web server. It gradually ties up all the sockets, consuming sockets as they are freed up when other connections are closed. Slowloris can send different host headers, and can send GET, HEAD, and POST requests. The string of partial requests makes Slowloris comparable to a SYN flood, except that it uses HTTP rather than TCP. Only the targeted Web server is affected, while other services and ports on the same server are still available. When the attack is terminated, the Web server can return to normal within as little as 5 seconds, making Slowloris useful for causing a brief downtime or distraction while other attacks are initiated. Once the attack stops or the session is closed, the Web server logs may show several hundred 400 errors.
For more information about how Web Application Firewall protects against the OWASP top ten and Slowloris types of attacks, see the “How Does Web Application Firewall Work?” section on page 44.
Offloaded Web Application Protection
Web Application Firewall can also protect an offloaded Web application, which is a special purpose portal created to provide seamless access to a Web application running on a server behind the SSL-VPN appliance. The portal must be configured as a virtual host. It is possible to disable authentication and access policy enforcement for such an offloaded host. If authentication is enabled, a suitable domain needs to be associated with this portal and all SonicWALL advanced authentication features such as One Time Password, Two-factor Authentication, and Single Sign-On apply to the offloaded host.

Benefits of Web Application Firewall

Web Application Firewall is secure and can be used in various areas, including financial services, healthcare, application service providers, and e-commerce. SonicOS SSLVPN uses SSL encryption to encrypt data between the Web Application Firewall and the client. SonicOS SSL VPN also satisfies OWASP cryptographic storage requirements by encrypting keys and passwords wherever necessary.
Companies using Web Application Firewall can reduce the development cost required to create secure applications and also cut out the huge turnaround time involved in deploying a newly found vulnerability fix in every Web application by signing up for Web Application Firewall signature updates.
Resources accessed over Application Offloaded portals and HTTP(S) bookmarks can be vulnerable due to a variety of reasons ranging from badly designed architecture to programming errors. Web Application Firewall provides an effective way to prevent a hacker from exploiting these vulnerabilities by providing real-time protection to Web applications deployed behind the SonicWALL SSL-VPN appliance.
Deploying Web Application Firewall at the SSL-VPN appliance lets network administrators use application offloading even when it exposes Web applications needing security to internal and remote users. Application offloading avoids URL rewriting, which improves the proxy performance and functionality.
There are several benefits of integrating Web Application Firewall with SonicWALL SSL-VPN appliances. Firstly, identity-based policy controls are core to Web Application Firewall and this is easily achievable using SSL VPN technology. Secondly, there are lower latencies due to the existing hardware-based SSL offloading. Most importantly, SSL-VPN appliances run Web applications and must be protected from such attacks.
As small businesses adopt hosted services to facilitate supplier collaboration, inventory management, online sales, and customer account management, they face the same strict compliance requirements as large enterprises. Web Application Firewall on a SonicWALL SSL-VPN appliance provides a convenient, cost-effective solution.
Web Application Firewall is easy to configure in the SonicWALL SSL-VPN management interface. The administrator can configure Web Application Firewall settings globally, by attack priority, and on a per-signature basis. Once custom configuration settings or exclusions are in place, you can disable Web Application Firewall without losing the configuration, allowing you to perform maintenance or testing and then easily re-enable it.

How Does Web Application Firewall Work?

To use the Web Application Firewall feature, the administrator must first license the software or start a free trial. Web Application Firewall must then be enabled on the Web Application Firewall > Settings page of the SonicWALL SSL-VPN management interface. Web Application Firewall can be configured to log or block detected attacks arriving from the Internet.
The following sections describe how Web Application Firewall and SonicOS SSL VPN prevent attacks such as those listed in the OWASP top ten:
“How are Signatures Used to Prevent Attacks?” on page 45
“How is Cross-Site Request Forgery Prevented?” on page 47
“How is Information Disclosure Prevented?” on page 47
“How are Broken Authentication Attacks Prevented?” on page 48
“How are Insecure Storage and Communications Prevented?” on page 48
“How is Access to Restricted URLs Prevented?” on page 48
“How are Slowloris Attacks Prevented?” on page 48
How are Signatures Used to Prevent Attacks?
For Cross Site Scripting, Injection Flaws, Malicious File Execution, and Insecure Direct Object Reference vulnerabilities, the Web Application Firewall feature uses a black list of signatures that are known to make Web applications vulnerable. New updates to these signatures are periodically downloaded from a SonicWALL signature database server, providing protection from recently introduced attacks.
When input arrives from the Internet, Web Application Firewall inspects HTTP/HTTPS request headers, cookies, POST data, query strings, response headers, and content. It compares the input to both a black list and a white list of signatures. If pattern matching succeeds for any signature, the event is logged and/or the input is blocked, depending on configuration. If blocked, an error page is returned to the client and access to the resource is prevented. The threat details are not exposed in the URL of the error page. If configured for detection only, the attack is logged but the client can still access the resource. If no signature is matched, the request is forwarded to the Web server for handling.
The Web Application Firewall process is outlined in the following flowchart.
In the case of a blocked request, the following error page is returned to the client:
This page is customizable under Web Application Firewall > Settings in the SSL-VPN management interface. Some administrators may want to customize the HTML contents of this page. Others may not want to present a user friendly page for security reasons. Instead, they may prefer the option to present an HTTP error code such as 404 (Not found) or 403 (Access Denied).
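The inspection flow described above (every request element matched against a signature list, a log-only or block decision, an error page that carries no threat details) and the response-side check of administrator-configured confidential strings described later under “How is Information Disclosure Prevented?” can be modelled in a few dozen lines. The following is an added example written for this guide, not SonicWALL code; the signature patterns, the `HttpRequest` and `Verdict` types, the `excluded` tuple that stands in for per-signature exclusions and the `[removed]` mask are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative signature set standing in for a downloaded signature
# database. These are NOT SonicWALL's signatures. Each entry: name, priority,
# compiled pattern applied to every inspected request element.
SIGNATURES: List[Tuple[str, str, "re.Pattern"]] = [
    ("Cross Site Scripting (script tag)", "high", re.compile(r"<\s*script\b", re.I)),
    ("Cross Site Scripting (event handler)", "high", re.compile(r"\bon(load|error|click)\s*=", re.I)),
    ("SQL Injection (tautology)", "high", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("SQL Injection (UNION SELECT)", "high", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("OS Command Injection", "high", re.compile(r"[;&|`]\s*(cat|ls|id|wget|curl)\b", re.I)),
    ("Remote File Inclusion", "medium", re.compile(r"^\s*(https?|ftp)://", re.I)),
    ("Directory Traversal", "medium", re.compile(r"(\.\./){2,}")),
]


@dataclass
class HttpRequest:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    post_data: Dict[str, str] = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                      # "forward", "log" or "block"
    threat: Optional[str] = None     # signature name that matched
    priority: Optional[str] = None
    location: Optional[str] = None   # which request element matched


def inspect_request(req: HttpRequest, mode: str = "prevent",
                    excluded: Tuple[str, ...] = ()) -> Verdict:
    """Match every inspected request element against the signature list.
    mode="prevent" blocks on the first match, mode="detect" only logs it;
    names in `excluded` model per-signature exclusions (constructed)."""
    elements = [("path", req.path)]
    elements += [(f"query:{k}", v) for k, v in req.query.items()]
    elements += [(f"header:{k}", v) for k, v in req.headers.items()]
    elements += [(f"cookie:{k}", v) for k, v in req.cookies.items()]
    elements += [(f"post:{k}", v) for k, v in req.post_data.items()]
    for name, prio, pattern in SIGNATURES:
        if name in excluded:
            continue
        for location, value in elements:
            if pattern.search(value):
                action = "block" if mode == "prevent" else "log"
                return Verdict(action, name, prio, location)
    return Verdict("forward")


def scrub_response(body: str, sensitive: List[str],
                   mask: str = "[removed]") -> Tuple[str, bool]:
    """Response side: replace administrator-configured confidential strings so
    that no site behind the firewall reveals them. Returns the rewritten body
    and whether anything was removed (the event would be logged)."""
    hit = False
    for s in sensitive:
        if s and s in body:
            body = body.replace(s, mask)
            hit = True
    return body, hit


def error_response(style: str = "page") -> Tuple[int, str]:
    """What the client receives for a blocked request. The threat name and the
    matched element stay in the log, never in the URL or the page body."""
    if style == "404":
        return 404, "Not Found"
    if style == "403":
        return 403, "Access Denied"
    return 403, "<html><body><h1>Request blocked by the Web Application Firewall</h1></body></html>"


if __name__ == "__main__":
    # Constructed sample request carrying a script tag in a query parameter.
    sample = HttpRequest("GET", "/search", query={"q": "<script>alert(1)</script>"})
    print(inspect_request(sample))                    # block, XSS, query:q
    print(inspect_request(sample, mode="detect"))     # log only
    print(scrub_response("db host 10.0.0.5", ["10.0.0.5"]))
```

Two points the code makes explicit: the verdict is taken per element, so the log can name which cookie or parameter matched without that detail ever reaching the client, and the detect/prevent switch changes only the action, not what is inspected, which is why a detect-only rollout shows the same events a blocking one would.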
How is Cross-Site Request Forgery Prevented?
CSRF attacks are not detected with signature matching. Using this vulnerability, a hacker disguised as the victim can gain unauthorized access to the application even without stealing the session cookie of a user. While a victim user is authenticated to a Web site under attack, the user may unwittingly load a malicious Web page from a different site within the same browser process context, for instance, by opening it in a new tab of the same browser window. If this malicious page makes a hidden request to the victim Web server, the session cookies in the browser memory are made part of this request, making it an authenticated request. The Web server serves the requested Web page because it assumes that the request was the result of a user action on its site. To maximize the benefit, hackers typically target actionable requests, such as data updates, to carry out this attack.
To prevent CSRF attacks, every HTTP request within a browser session needs to carry a token based on the user session. To ensure that every request carries this token, the Web Application Firewall feature rewrites all URLs contained in a Web page similarly to how they are rewritten by the Reverse Proxy for HTTP(S) Bookmarks feature. If CSRF protection is enabled, this is also performed for Application Offloading.
CSRF protection is provided for anonymous mode as well. If CSRF protection is enabled, then an idle timeout set to the global idle timeout is enforced for anonymous access. If the session times out, an error message is displayed, forcing the user to revisit the site in a new window. If authentication is enforced for the portal, then the user is redirected to the login page for the portal.
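The token scheme described above (a per-session token that every same-site URL in a served page is rewritten to carry, and that the proxy checks on each incoming request) can be shown end to end. This is an added example for this guide, not SonicWALL's implementation: the HMAC derivation, the `csrf_token` parameter name, the `href`/`action`/`src` rewriting rule and the constructed sample page are all assumptions made here.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter name carried by rewritten URLs (not SonicWALL's).
TOKEN_PARAM = "csrf_token"


def make_csrf_token(session_id: str, server_key: bytes) -> str:
    """Derive the session's token as HMAC-SHA256(server_key, session_id).
    A page on another site can make the browser send the session cookie, but
    it cannot compute this value without the server-side key."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def add_token(url: str, token: str) -> str:
    """Append (or refresh) the token as a query parameter of one URL."""
    parts = urlsplit(url)
    q = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
         if k != TOKEN_PARAM]
    q.append((TOKEN_PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(q)))


# Attributes whose values are rewritten on the way out; constructed rule.
LINK_RE = re.compile(r'(href|action|src)=(["\'])([^"\']*)\2', re.I)


def rewrite_links(html: str, token: str, own_host: str) -> str:
    """Rewrite every same-site link and form target in a served page so the
    browser carries the token on its next request. Off-site links are left
    alone: a foreign site must not learn the token."""
    def repl(m: "re.Match") -> str:
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        host = urlsplit(url).netloc
        if host and host.lower() != own_host.lower():
            return m.group(0)
        return f"{attr}={quote}{add_token(url, token)}{quote}"
    return LINK_RE.sub(repl, html)


def request_allowed(url: str, session_id: str, server_key: bytes) -> bool:
    """Inbound check: the token in the URL must match the one derived from the
    session identified by the cookie. Constant-time compare avoids leaking
    how many leading characters were right."""
    presented = dict(parse_qsl(urlsplit(url).query)).get(TOKEN_PARAM, "")
    expected = make_csrf_token(session_id, server_key)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    key = b"constructed-server-secret"
    tok = make_csrf_token("sess-123", key)
    page = '<a href="/account/update?x=1">u</a><form action="https://app.example.com/transfer"></form>'
    print(rewrite_links(page, tok, "app.example.com"))
    print(request_allowed("/account/update?x=1", "sess-123", key))   # False
```

The check in `request_allowed` is what defeats the hidden cross-site request from the paragraph above: the attacker's page can trigger a request that carries the cookie, but it never saw a page rewritten with the token, so the request arrives without it and is rejected before reaching the Web server.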
How is Information Disclosure Prevented?
Web Application Firewall prevents Information Disclosure and Improper Error Handling by providing a way for the administrator to configure text containing confidential and sensitive information so that no Web site accessed through the Web Application Firewall reveals this text. These text strings are entered on the Web Application Firewall > Settings page.
Besides the ability to pattern match custom text, signatures pertaining to information disclosure are also used to prevent these types of attacks.
The Web Application Firewall > Settings page also allows the administrator to configure the global idle session timeout. It is highly recommended that this timeout value is kept as low as possible.
How are Broken Authentication Attacks Prevented?
Addressing Broken Authentication and Session Management requires Web Application Firewall to support strong session management to enhance the authorization requirements for Web sites. SonicOS SSLVPN already has strong authentication capabilities with the ability to support One Time Password, Two-factor Authentication, Single Sign-On, and client certificate authentication.
For Session Management, Web Application Firewall pops up a session logout dialog box when the user portal is launched or when a user logs into an application offloaded portal. This feature is enabled by default when Web Application Firewall is licensed and can be disabled from the Web Application Firewall > Settings page.
How are Insecure Storage and Communications Prevented?
Insecure Cryptographic Storage and Insecure Communications are prevented by encrypting keys and passwords wherever necessary, and by using SSL encryption to encrypt data between the Web Application Firewall and the client. SonicOS SSL VPN also supports HTTPS with the backend Web server.
How is Access to Restricted URLs Prevented?
SonicOS SSL VPN supports access policies based on host, subnet, protocol, URL path, and port to allow or deny access to Web sites. These policies can be configured globally or for users and groups.
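To make the policy model above concrete (rules keyed on host or subnet, protocol, URL path and port, each allowing or denying), here is an added evaluator written for this guide, not the appliance's own policy engine. The `AccessPolicy` type, the first-match-wins ordering, the default deny when nothing matches, and the sample rule set are all assumptions of this example; how global, group and user policies are combined on the appliance is not stated here, so the caller supplies one ordered list in whatever precedence the deployment uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccessPolicy:
    """One allow/deny rule (constructed representation). Any field left as
    None is a wildcard. `host` may be a host name or a CIDR network."""
    action: str                      # "allow" or "deny"
    host: Optional[str] = None
    protocol: Optional[str] = None   # e.g. "http", "https"
    port: Optional[int] = None
    path_prefix: Optional[str] = None

    def matches(self, host: str, protocol: str, port: int, path: str) -> bool:
        if self.protocol is not None and self.protocol.lower() != protocol.lower():
            return False
        if self.port is not None and self.port != port:
            return False
        if self.path_prefix is not None and not path.startswith(self.path_prefix):
            return False
        if self.host is not None and not _host_matches(self.host, host):
            return False
        return True


def _host_matches(rule_host: str, host: str) -> bool:
    """Subnet match when both sides parse as IP data, else exact name match."""
    try:
        net = ipaddress.ip_network(rule_host, strict=False)
        return ipaddress.ip_address(host) in net
    except ValueError:
        return rule_host.lower() == host.lower()


def evaluate(policies: List[AccessPolicy], host: str, protocol: str,
             port: int, path: str) -> str:
    """First matching policy wins; with no match the request is denied
    (default deny is this example's choice, not a documented appliance rule)."""
    for p in policies:
        if p.matches(host, protocol, port, path):
            return p.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample rule set: block the admin path on the server subnet,
    # allow HTTPS to that subnet, allow a named intranet host on any port.
    rules = [
        AccessPolicy("deny", host="10.1.0.0/16", path_prefix="/admin"),
        AccessPolicy("allow", host="10.1.0.0/16", protocol="https", port=443),
        AccessPolicy("allow", host="intranet.example.com"),
    ]
    print(evaluate(rules, "10.1.4.20", "https", 443, "/admin/users"))  # deny
    print(evaluate(rules, "10.1.4.20", "https", 443, "/app/"))         # allow
```

Ordering matters: the specific deny for `/admin` sits before the broader allow for the subnet, which is the usual way to express "everything on this subnet except the administrative path" with first-match semantics.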
How are Slowloris Attacks Prevented?
Slowloris attacks can be prevented if there is an upstream device, such as a SonicWALL SSL-VPN security appliance, that limits, buffers, or proxies HTTP requests. Web Application Firewall uses a rate-limiter to thwart Slowloris HTTP Denial of Service attacks.
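The defence the paragraph above names, an upstream proxy that buffers and rate-limits partial requests, rests on two controls that are easy to see in code: a cap on how many unfinished requests one source may hold open, and a bound on the total time a request may take to finish its headers (a bound on idle time alone does not help, because Slowloris sends a few bytes just often enough to reset it). The following is an added example written for this guide, not SonicWALL's rate-limiter; the `SlowlorisGuard` class, the 10-second header deadline, the per-source limit of 8 and the simulated connection events are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed policy values for this example, not appliance defaults.
HEADER_DEADLINE = 10.0      # seconds a client may take to finish its headers
MAX_INCOMPLETE_PER_IP = 8   # unfinished requests one source may hold open

ConnKey = Tuple[str, int]   # (client IP, connection id)


@dataclass
class PendingRequest:
    started: float           # when the first byte arrived
    last_byte: float         # when the most recent byte arrived (idle timers use this)
    buffer: bytes = b""


@dataclass
class SlowlorisGuard:
    """Tracks requests whose headers have not yet been fully received and
    refuses to let a single source keep many of them open for long."""
    pending: Dict[ConnKey, PendingRequest] = field(default_factory=dict)
    dropped: List[Tuple[str, int, str]] = field(default_factory=list)
    completed: List[ConnKey] = field(default_factory=list)

    def on_data(self, ip: str, conn_id: int, data: bytes, now: float) -> str:
        """Feed bytes from a connection. Returns "forward" once the header
        block is complete, "wait" while still buffering, "drop" if refused."""
        key = (ip, conn_id)
        pr = self.pending.get(key)
        if pr is None:
            open_from_ip = sum(1 for (i, _) in self.pending if i == ip)
            if open_from_ip >= MAX_INCOMPLETE_PER_IP:
                self.dropped.append((ip, conn_id, "too many incomplete requests"))
                return "drop"
            pr = self.pending[key] = PendingRequest(started=now, last_byte=now)
        pr.buffer += data
        pr.last_byte = now
        if b"\r\n\r\n" in pr.buffer:          # end of the header block
            del self.pending[key]
            self.completed.append(key)
            return "forward"
        return "wait"

    def on_close(self, ip: str, conn_id: int) -> None:
        """Client closed before finishing; free the slot."""
        self.pending.pop((ip, conn_id), None)

    def sweep(self, now: float) -> int:
        """Run periodically: drop every request older than HEADER_DEADLINE,
        measured from its first byte, however recently it last sent data."""
        expired = [k for k, pr in self.pending.items()
                   if now - pr.started > HEADER_DEADLINE]
        for k in expired:
            del self.pending[k]
            self.dropped.append((k[0], k[1], "header deadline exceeded"))
        return len(expired)


if __name__ == "__main__":
    # Constructed simulation: one source opens ten connections and trickles
    # one header line every five seconds without ever ending the headers.
    g = SlowlorisGuard()
    for i in range(10):
        print(i, g.on_data("203.0.113.5", i, b"GET / HTTP/1.1\r\nHost: app\r\n", 0.0))
    for i in range(8):
        g.on_data("203.0.113.5", i, b"X-a: b\r\n", 5.0)
    print("expired at t=11:", g.sweep(11.0))
```

The `last_byte` field is kept only to make the contrast visible: a server whose only protection is an idle timeout keyed on that value never fires against this traffic, while `sweep` keyed on `started` clears the whole batch at the deadline. Because the unfinished requests are held on the proxy, the backend Web server threads described earlier are never tied up.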

Navigating the SSL VPN Management Interface

[Figure: a Management Computer connected by cable to the X0 (LAN) port of a SonicWALL SSL-VPN 2000 Secure Remote Access appliance]
The following sections describe how to navigate the SSL VPN management interface:
“Management Interface Introduction” section on page 49
“Navigating the Management Interface” section on page 51
“Navigation Bar” section on page 54

Management Interface Introduction

The following is an overview of basic setup tasks that connect you to the Web-based management interface of the SonicWALL SSL-VPN appliance. For more detailed information on establishing a management session and basic setup tasks, refer to the SonicWALL SSL VPN Getting Started Guide. To access the Web-based management interface of the SonicWALL SSL VPN:
Step 1 Connect one end of a CAT-5 cable into the X0 port of your SonicWALL SSL-VPN appliance. Connect the other end of the cable into the computer you are using to manage the SonicWALL SSL-VPN appliance.
Step 2 Set the computer you use to manage your SonicWALL SSL-VPN appliance to have a static IP address in the 192.168.200.x/24 subnet, such as 192.168.200.20. For help with setting up a static IP address on your computer, refer to the SonicWALL SSL VPN Getting Started Guide for your model.
Note For configuring the SonicWALL SSL VPN using the Web-based management interface, a Web browser supporting Java and HTTP uploads, such as Internet Explorer 5.5 or higher, Netscape Navigator 4.7 or higher, Mozilla 1.7 or higher, or Firefox is recommended. Users will need to use IE 5.0.1 or higher, supporting JavaScript, Java, cookies, SSL and ActiveX in order to take advantage of the full suite of SonicWALL SSL VPN applications.
Step 3 Open a Web browser and enter https://192.168.200.1 (the default LAN management IP address) in the Location or Address field.
Step 4 A security warning may appear. Click the Yes button to continue.
Step 5 The SonicWALL SSL VPN Management Interface is displayed and prompts you to enter your user name and password. Enter admin in the User Name field, password in the Password field, select LocalDomain from the Domain drop-down list and click the Login button.
Note The number and duration of login attempts can be controlled by the use of the SonicWALL SSL VPN auto-lockout feature. For information on configuring the auto-lockout feature, refer to the “Configuring Login Security” section on page 80.
When you have successfully logged in, you will see the default page, System > Status.
Note If the default page after logging in is the Virtual Office user portal, you have selected a domain with user-only privileges. Administration can only be performed from the LocalDomain authentication domain. If you wish to log in as an administrator, make sure you select LocalDomain from the Domain drop-down list in the Login screen.
The System, Network, Portals, NetExtender, Virtual Assist, Web Application Firewall, Users and Log menu headings on the left side of the browser window configure administrative settings. When you click one of the headings, its submenu options are displayed below it. Click on submenu links to view the corresponding management pages.
The Virtual Office option in the navigation menu opens a separate browser window that displays the login page for the user portal, Virtual Office.
The Help button in the upper right corner of the management interface opens a separate browser window that displays SonicWALL SSL VPN help.
The Logout button in the upper right corner of the management interface terminates the management session and closes the browser window.

Navigating the Management Interface

[Figure 2 callouts: Navigation Bar, Status Bar, Location, Main Window, Field Name, Check Box, Section Title, Button, Fill-in Field, Pull-down Menu]
The SonicWALL SSL VPN Web-based management interface allows the administrator to configure the SonicWALL SSL-VPN appliance. The management interface contains two main types of objects:
Windows - Displays information in a read-only format.
Dialog boxes - Enables administrator interaction to add and change values that
characterize objects. For example, IP addresses, names, and authentication types.
Figure 2 is a sample window in the Web-based management interface. Note the various elements of a standard SonicWALL interface window.
Figure 2 System > Status Page
The following is a sample dialog box:
For descriptions of the elements in the management interface, see the following sections:
“Status Bar” section on page 52
“Accepting Changes” section on page 52
“Navigating Tables” section on page 52
“Restarting” section on page 53
“Common Icons in the Management Interface” section on page 53
“Tooltips in the Management Interface” section on page 54
“Getting Help” section on page 54
“Logging Out” section on page 54
Status Bar
The Status bar at the bottom of the management interface window displays the status of actions executed in the SonicWALL management interface.
Accepting Changes
Click the Accept button at the top right corner of the main window to save any configuration changes you made on the page.
If the settings are contained in a secondary window or dialog box within the management interface, the settings are automatically applied to the SonicWALL SSL-VPN appliance when you click OK.
Navigating Tables
Navigating tables with a large number of entries is simplified by navigation buttons located on the upper right corner of the table. For example, the Log > View page contains an elaborate bank of navigation buttons:
Figure 3 Log > View
Table 5 Navigation Buttons in the Log View Page
Find - Allows the administrator to search for a log entry containing the content specified in the Search field. The search is applied to the element of the log entry specified by the selection in the drop-down list. The selections in the drop-down list correspond to the elements of a log entry as designated by the column headings of the Log > View table. You can search in the Time, Priority, Source, Destination, User, and Message elements of log entries.
Exclude - Allows the administrator to display log entries excluding the type specified in the drop-down list.
Reset - Resets the listing of log entries to their default sequence.
Export Log - Allows the administrator to export a log.
Clear Log - Allows the administrator to clear the log entries.
Restarting
The System > Restart page provides a Restart button for restarting the SonicWALL SSL-VPN appliance.
Note Restarting takes approximately 2 minutes and causes all users to be disconnected.
Common Icons in the Management Interface
The following icons are used throughout the SonicWALL management interface:
Configure icon - Clicking on the configure icon displays a window for editing the settings.
Delete icon - Clicking on the delete icon deletes a table entry.
Comment icon - Moving the pointer over the comment icon displays text from a Comment field entry.
Tooltips in the Management Interface
Many pages throughout the management interface display popup tooltips with configuration information when the mouse cursor hovers over a checkbox, text field, or radio button. Some fields have a Help icon that provides a tooltip stating related requirements.
Getting Help
The Help button in the upper right corner of the management interface opens a separate Web browser that displays the main SonicWALL SSL VPN help.
SonicWALL SSL VPN also includes online context-sensitive help, available from the management interface by clicking the question mark button on the top-right corner of most pages. Clicking on the question mark button opens a new browser window that displays management page or feature-specific help.
Note Accessing the SonicWALL SSL-VPN appliance online help requires an active Internet connection.
Logging Out
The Logout button in the upper right corner of the management interface terminates the management session.
When you click the Logout button, you are logged out of the SonicWALL SSL VPN management interface and the Web browser is closed.

Navigation Bar

The SonicWALL navigation bar is located on the left side of the SonicWALL SSL VPN management interface and is comprised of a hierarchy of menu headings. Most menu headings expand to a submenu of related management functions, and the first submenu item page is automatically displayed. For example, when you click the System heading, the System > Status page is displayed. The navigation menu headings are: System, Network, Portals, NetExtender, Virtual Assist, Web Application Firewall, Users, Log, and Virtual Office.
The submenus of each heading on the navigation bar are described briefly in Table 6.
Table 6 SonicWALL SSL VPN Navigation Bar Layout
Tab: System
  Status - View status of the appliance.
  Licenses - View, activate, and synchronize licenses with the SonicWALL licensing server for Nodes and Users, Virtual Assist, and ViewPoint.
  Time - Configure time parameters.
  Settings - Import, export, and store settings.
  Administration - Configure login security and GMS settings.
  Certificates - Import or generate a certificate.
  Monitoring - View graphs of bandwidth usage, active concurrent users, CPU utilization, and memory utilization.
  Diagnostics - Run diagnostics sessions.
  Restart - Restart the system.
Tab: Network
  Interfaces - Configure interfaces on the appliance.
  DNS - Configure the appliance to resolve domain names.
  Routes - Set default and static routes.
  Host Resolution - Configure network host name settings.
  Network Objects - Create reusable entities that bind IP addresses to services.
Tab: Portals
  Portals - Create a customized landing page to your users when they are redirected to the SonicWALL SSL VPN for authentication.
  Application Offloading - This page provides information about offloading a Web application.
  Domains - Create authentication domains that enable you to create access policies.
  Custom Logos - This page informs you that Custom Logos may now be uploaded per portal on the Portals > Portals page, by editing a Portal and selecting the Logo tab.
Tab: NetExtender
  Status - View active NetExtender sessions.
  Client Settings - Create client addresses for use with the NetExtender application.
  Client Routes - Create client routes for use with the NetExtender application.
Tab: Virtual Assist
  Status - View active Virtual Assist customer requests.
  Settings - Configure Virtual Assist email, ticket, and queue options, and Assistance code settings.
  Log - View log entries for technician and customer actions, and export, email, or clear the log.
  Licensing - View and configure current Virtual Assist license information.
Tab: Web Application Firewall
  Status - View status of the Web Application Firewall license and signature database. View a clickable list of threats that were detected or prevented.
  Settings - Enable Web Application Firewall, configure global settings for different priority attacks, global exclusions, per-signature protection levels, and per-signature exclusions.
  Log - View log entries for detected or prevented attacks. Click on a log instance to display additional information about the signature match, signature id, threat name, and other information.
  Licensing - View and configure current Web Application Firewall license information.
Tab: Users
  Status - View status of users and groups.
  Local Users - Configure local users.
  Local Groups - Configure local groups.
Tab: Log
  View - View syslog entries that have been generated by the appliance. Export, email, or clear the log.
  Settings - Configure settings for the log environment.
  ViewPoint - Configure SonicWALL ViewPoint server for reporting.
Tab: Virtual Office
  N/A - Access the Virtual Office portal home page.
Deployment Guidelines
This section provides information about deployment guidelines for the SonicWALL SSL-VPN appliance. This section contains the following subsections:
“Support for Numbers of User Connections” section on page 56
“Resource Type Support” section on page 57
“Integration with SonicWALL Products” section on page 57
“Typical Deployment” section on page 57

Support for Numbers of User Connections

The following table lists the maximum and recommended numbers of concurrent tunnels supported for each appliance.
Appliance Model - Maximum Concurrent Tunnels Supported - Recommended Number of Concurrent Tunnels
SRA 4200 - 500 - 50
SRA 2400 - 50 - 20
Factors such as the complexity of applications in use and the sharing of large files can impact performance.

Resource Type Support

The following table describes the types of applications or resources you can access for each method of connecting to the SonicWALL SSL-VPN appliance.
Access Mechanism - Access Types
Standard Web browser:
  Files and file systems, including support for FTP and Windows Network File Sharing
  Web-based applications
  Microsoft Outlook Web Access and other Web-enabled applications
  HTTP and HTTPS intranets
SonicWALL NetExtender:
  Any TCP/IP based application including:
    Email access through native clients residing on the user’s laptop (Microsoft Outlook, Lotus Notes, etc.)
    Commercial and home-grown applications
    Flexible network access as granted by the network administrator
Downloadable ActiveX or Java Client:
  An application installed on desktop machines or hosted on an application server, remote control of remote desktop or server platforms
  Terminal services, RDP, VNC, Telnet, SSH, and Citrix

Integration with SonicWALL Products

The SonicWALL SSL-VPN appliance integrates with other SonicWALL products, complementing the SonicWALL NSA, PRO and TZ Series product lines. Incoming HTTPS traffic is redirected by a SonicWALL firewall appliance to the SonicWALL SSL-VPN appliance. The SonicWALL SSL-VPN appliance then decrypts and passes the traffic back to the firewall where it can be inspected on its way to internal network resources.

Typical Deployment

The SonicWALL SSL-VPN is commonly deployed in tandem in “one-arm” mode over the DMZ or Opt interface on an accompanying gateway appliance, for example, a SonicWALL UTM (Unified Threat Management) appliance, such as a SonicWALL NSA 4500.
This method of deployment offers additional layers of security control plus the ability to use SonicWALL’s Unified Threat Management (UTM) services, including Gateway Anti-Virus, Anti­Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing NetExtender traffic.
The primary interface (X0) on the SonicWALL SSL-VPN connects to an available segment on the gateway device. The encrypted user session is passed through the gateway to the SonicWALL SSL-VPN appliance (step 1). SonicWALL SSL VPN decrypts the session and determines the requested resource. The SonicWALL SSL VPN session traffic then traverses the gateway appliance (step 2) to reach the internal network resources. While traversing the gateway, security services, such as Intrusion Prevention, Gateway Anti-Virus and Anti-Spyware inspection can be applied by appropriately equipped gateway appliances. The internal network resource then returns the requested content to the SonicWALL SSL-VPN appliance through the gateway (step 3) where it is encrypted and returned to the client.
Figure 4 Sequence of Events in Initial Connection
[Figure: Remote Users on the Internet reach the SonicWALL UTM Security Appliance (Internet Zone); the SonicWALL SSL VPN 4000 sits on the DMZ; Network Nodes are on the LAN]
Step 1 X0 interface connects to available segment on gateway. Encrypted session passes to SSL VPN appliance.
Step 2 SSL VPN traffic traverses the gateway to reach internal network resources.
Step 3 The internal network resource returns content to the SSL VPN appliance through the gateway.
The SonicWALL SSL-VPN and SRA 4200 appliances also support “two-arm” deployment scenarios, using one external (DMZ or WAN side) interface and one internal (LAN) interface. However, two-arm mode introduces a lot of routing issues that need to be considered before deployment. SonicWALL does not recommend this type of deployment, because it introduces a number of potential security issues and creates an additional breakpoint in the network since the appliance is essentially a packet filter and is not stateful.
For information about configuring the SonicWALL SSL-VPN to work with third-party gateways, refer to “Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page 307.

Chapter 2: System Configuration

This chapter provides information and configuration tasks specific to the System pages on the SonicWALL SSL VPN Web-based management interface, including registering your SonicWALL SSL-VPN appliance, setting the date and time, configuring system settings, system administration and system certificates.
This chapter contains the following sections:
“System > Status” section on page 60
“System > Licenses” section on page 64
“System > Support Services” section on page 70
“System > Time” section on page 71
“System > Settings” section on page 73
“System > Administration” section on page 78
“System > Certificates” section on page 81
“System > Monitoring” section on page 85
“System > Diagnostics” section on page 88
“System > Restart” section on page 90

System > Status

This section provides an overview of the System > Status page and a description of the configuration tasks available on this page.
“System > Status Overview” section on page 60
“Registering Your SonicWALL SSL-VPN from System Status” section on page 62
“Configuring Network Interfaces” section on page 64

System > Status Overview

The System > Status page provides the administrator with current system status for the SonicWALL SSL-VPN appliance, including information and links to help manage the SonicWALL SSL-VPN appliance and SonicWALL Security Services licenses. This section provides information about the page display and instructions to perform the configuration tasks on the System > Status page.
Figure 5 System > Status Page
Overviews of each area of the System > Status page are provided in the following sections:
“System Messages” section on page 61
“System Information” section on page 61
“Latest Alerts” section on page 61
“Licenses & Registration” section on page 62
“Network Interfaces” section on page 62
System Messages
The System Messages section displays text about recent events and important system messages, such as system setting changes. For example, if you do not set an outbound SMTP server, you will see the message, “Log messages and one-time passwords cannot be sent because you have not specified an outbound SMTP server address.”
System Information
The System Information section displays details about your specific SonicWALL SSL-VPN appliance. The following information is displayed in this section:
Table 7 System Information
Field – Description
Model – The type of SonicWALL SSL-VPN appliance.
Serial Number – The serial number or the MAC address of the SonicWALL appliance.
Authentication Code – The alphanumeric code used to authenticate the SonicWALL appliance on the registration database at <https://www.mysonicwall.com>.
Firmware Version – The firmware version loaded on the SonicWALL appliance.
ROM Version – Indicates the ROM version. The ROM code controls low-level functionality of the appliance.
CPU – The type of the SonicWALL appliance processor and the average CPU usage over the last 5 minutes.
System Time – The current date and time.
Up Time – The number of days, hours, minutes, and seconds that the SonicWALL SSL-VPN appliance has been active since its most recent restart.
Active Users – The number of users who are currently logged into the management interface of the SonicWALL SSL-VPN appliance.
Latest Alerts
The Latest Alerts section displays text about recent invasive events, irregular system behavior, or errors. Latest Alerts includes information about the date and time of the event, the host of the user that generated the event and a brief description of the event.
Any messages relating to system events or errors are displayed in this section. Clicking the arrow button located in upper right corner of this section displays the Log > Log View page.
Fields in the Latest Alerts section are:
Date/Time - The date and time when the message was generated.
User - The name of the user that generated the message.
Message - A message describing the error.
Licenses & Registration
The Licenses & Registration section indicates the user license allowance and registration status of your SonicWALL SSL-VPN appliance. The status of your ViewPoint, Virtual Assist, and Web Application Firewall licenses are also displayed here.
To register your appliance on MySonicWALL and manually enter the registration code in the available field at the bottom of this section, see the “Registering Your SonicWALL SSL-VPN from System Status” section on page 62.
To register your appliance on MySonicWALL from the System > Licenses page and allow the appliance to automatically synchronize registration and license status with the SonicWALL server, see the “Registering the SSL-VPN from System > Licenses” section on page 67.
Network Interfaces
The Network Interfaces section provides the administrator with a list of SonicWALL SSL-VPN interfaces by name. For each interface, the Network Interfaces tab provides the IP address that has been configured and the current link status.
For information about configuration tasks related to the Network Interfaces section, refer to the “Configuring Network Interfaces” section on page 64.

Registering Your SonicWALL SSL-VPN from System Status

Register with MySonicWALL to get the most out of your SonicWALL SSL-VPN. Complete the steps in the following sections to register.
Before You Register
Verify that the time, DNS, and default route settings on your SonicWALL SSL VPN are correct before you register your appliance. These settings are generally configured during the initial SonicWALL SSL VPN setup process. To verify or configure the time settings, navigate to the System > Time page. To verify or configure the DNS setting, navigate to the Network > DNS page. To verify or configure the default route, navigate to the Network > Routes page. For more information about time and DNS setting configuration, refer to the “Setting the Time” section on page 72, the “Configuring DNS Settings” section on page 95 and the “Configuring a Default Route for the SSL-VPN Appliance” section on page 97.
Note You need a MySonicWALL account to register the SonicWALL SSL VPN.
Registering with MySonicWALL
There are two ways to register your SonicWALL SSL-VPN appliance:
Log into your MySonicWALL account directly from a browser or click the SonicWALL link on the System > Status page to access MySonicWALL, enter the appliance serial number and other information there, and then enter the resulting registration code into the field on the System > Status page. This manual registration procedure is described in this section.
Use the link on the System > Licenses page to access MySonicWALL, then enter the serial number and other information into MySonicWALL. When finished, your view of the System > Licenses page shows that the appliance has been automatically synchronized with the licenses activated on MySonicWALL. This procedure is described in the “Registering the SSL-VPN from System > Licenses” section on page 67.
Step 1 If you are not logged into the SonicWALL SSL VPN management interface, log in with the username admin and the administrative password you set during initial setup of your SonicWALL SSL-VPN (the default is password). For information about configuring the administrative password, refer to the SonicWALL SSL VPN Getting Started Guide.
Step 2 If the System > Status page is not automatically displayed in the management interface, click System in the left-navigation menu, and then click Status.
Step 3 Record your Serial Number and Authentication Code from the Licenses & Registration section.
Step 4 Do one of the following to access the MySonicWALL Web page:
Click the SonicWALL link in the Licenses & Registration section.
Type http://www.mysonicwall.com into the Address or Location field of your Web browser.
The MySonicWALL User Login page is displayed.
Step 5 Enter your MySonicWALL account user name and password.
Note If you are not a registered MySonicWALL user, you must create an account before registering your SonicWALL product. Click the Not a registered user? link at the bottom of the page to create your free MySonicWALL account.
Step 6 Navigate to Products in the left hand navigation bar.
Step 7 Enter your Serial Number and Authentication Code in the appropriate fields.
Step 8 Enter a descriptive name for your SonicWALL SSL-VPN in the Friendly Name field.
Step 9 Select the product group for this appliance, if any, from the Product Group drop-down list.
Step 10 Click the Register button.
Step 11 When the MySonicWALL server has finished processing your registration, the Registration Code is displayed along with a statement that your appliance is registered. Click Continue.
Step 12 On the System > Status page of the SonicWALL SSL VPN management interface, enter the Registration Code into the field at the bottom of the Licenses & Registration section, and then click Update.
Configuring Network Interfaces

The IP settings and interface settings of the SonicWALL SSL-VPN appliance may be configured by clicking on the blue arrow in the corner of the Network Interfaces section of the System > Status page. The link redirects you to the Network > Interfaces page, which can also be accessed from the navigation bar. From the Network > Interfaces page, a SonicWALL SSL-VPN appliance administrator can configure the IP address of the primary (X0) interface, and also optionally configure additional interfaces for operation.
For a port on your SonicWALL SSL-VPN appliance to communicate with a firewall or target device on the same network, you need to assign an IP address and a subnet mask to the interface.
For more information about configuring interfaces, refer to the “Network > Interfaces” section on page 92.
System > Licenses
This section provides an overview of the System > Licenses page and a description of the configuration tasks available on this page. See the following sections:
“System > Licenses Overview” section on page 64
“Registering the SSL-VPN from System > Licenses” section on page 67
“Activating or Upgrading Licenses” section on page 69

System > Licenses Overview

Services upgrade licensing and related functionality is provided by the SonicWALL License Manager, which runs on the SonicWALL SSL-VPN appliance. The License Manager communicates periodically (hourly) with the SonicWALL licensing server to verify the validity of licenses. The License Manager also allows the administrator to purchase licenses directly or turn on free trials to preview a product before buying.
Note Initial registration of the unit is required for the License Manager to work.
The System > Licenses page provides a link to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licenses for your SonicWALL SSL-VPN appliance. The information listed in the Security Services Summary table is updated periodically from your MySonicWALL account.
Figure 6 System > Licenses Page
Security Services Summary
The Security Services Summary table lists the number of Nodes/Users licenses and the available and activated security services on the SonicWALL SSL-VPN appliance.
The Security Service column lists all the available SonicWALL Security Services and upgrades available for the SonicWALL security appliance. The Status column indicates if the security service is activated (Licensed), available for activation (Not Licensed), or no longer active (Expired). ViewPoint and Virtual Assist services are licensed separately as upgrades.
The number of nodes/users allowed by the license is displayed in the Users column. A node is a computer or other device connected to your SonicWALL SSL-VPN appliance with an IP address. This number refers to the maximum number of simultaneous connections to the SonicWALL SSL-VPN appliance.
The Expiration column displays the expiration date for any licensed service that is time-based. The information listed in the Security Services Summary table is updated from the SonicWALL licensing server every time the SonicWALL SSL-VPN appliance automatically synchronizes with it (hourly), or you can click the Synchronize button to synchronize immediately.
Note If the licenses do not update after a synchronize, you may need to restart your SSL-VPN appliance. DNS must be configured properly and the appliance should be able to reach the sonicwall.com domain.
Manage Security Services Online
You can log in to MySonicWALL directly from the System > Licenses page by clicking the link Activate, Upgrade, or Renew services. You can click this link to register your appliance, to purchase additional licenses for upgrading or renewing services, or to activate free trials.
Before You Register
Verify that the time, DNS, and default route settings on your SonicWALL SSL VPN are correct before you register your appliance. These settings are generally configured during the initial SonicWALL SSL VPN setup process. To verify or configure the time settings, navigate to the System > Time page. To verify or configure the DNS setting, navigate to the Network > DNS page. To verify or configure the default route, navigate to the Network > Routes page. For more information about time and DNS setting configuration, refer to the “Setting the Time” section on page 72, the “Configuring DNS Settings” section on page 95 and the “Configuring a Default Route for the SSL-VPN Appliance” section on page 97.
Note You need a MySonicWALL account to register the SonicWALL SSL VPN.
Creating a MySonicWALL Account from System > Licenses
Step 1 On the System > Licenses page, click Activate, Upgrade, or Renew services. The License Management page is displayed.
Step 2 If you do not have a MySonicWALL account or if you forgot your user name or password, click the https://www.mysonicwall.com link at the bottom of the page. The MySonicWALL User Login page is displayed.
Do one of the following:
If you forgot your user name, click the Forgot Username? link.
If you forgot your password, click the Forgot Password? link.
If you do not have a MySonicWALL account, click the Not a registered user? link.
Step 3 Follow the instructions to activate your MySonicWALL account.

Registering the SSL-VPN from System > Licenses

On a new SonicWALL SSL-VPN appliance or after upgrading to SonicWALL SSL VPN 3.0 firmware from an earlier release, you can register your appliance from the System > Licenses page.
To register your appliance from the System > Licenses page:
Step 1 On the System > Licenses page, click Activate, Upgrade, or Renew services. The License Management page is displayed.
Step 2 Enter your MySonicWALL user name and password into the fields and then click Submit. The display changes.
Step 3 Enter a descriptive name for your SonicWALL SSL-VPN in the Friendly Name field.
Step 4 Under Product Survey, fill in the requested information and then click Submit. The display changes to inform you that your SonicWALL SSL VPN is registered.
Step 5 Click Continue.
Step 6 In the License Management page, your latest license information is displayed.
Note After registration, some network environments require the SSL-VPN appliance to be offline so that it is unable to connect to the SonicWALL licensing server. In this mode, the appliance will still honor the valid licenses; however, time-based licenses may not be valid.

Activating or Upgrading Licenses

After your SonicWALL SSL-VPN appliance is registered, you can activate licenses or free trials for Virtual Assist and ViewPoint on the System > Licenses page. You can also upgrade a license. For example, if your appliance is licensed for a single Virtual Assist technician, you can upgrade the license for multiple technicians.
You must purchase the license subscription on MySonicWALL or from your reseller before you can activate or upgrade. You will receive an activation key to enter into the License Manager page.
To activate or upgrade licenses or free trials on your appliance:
Step 1 On the System > Licenses page, click Activate, Upgrade, or Renew services. The License Management page is displayed.
Step 2 Enter your MySonicWALL user name and password into the fields and then click Submit. The display changes to show the status of your licenses. Each service can have a Try link, an Activate link, or an Upgrade link.
Step 3 To activate a free 30-day trial, click Try next to the service that you want to try. The page explains that you will be guided through the setup of the service, and that you can purchase a SonicWALL product subscription at any time during or after the trial. Click Continue, and follow the setup instructions.
Step 4 To activate a new license which you have already purchased on MySonicWALL or from your reseller, click Activate next to the service that you want to activate. Enter your license activation key into the <Product> Activation Key field, and then click Submit.
Step 5 To upgrade an existing license with a new license that you have already purchased, click Upgrade next to the service that you want to upgrade. Type or paste one or more new activation keys into the New License Key # field(s), and then click Submit.
Step 6 After completing the activation or upgrading process, click Synchronize to update the appliance license status from the SonicWALL licensing server. Rebooting the appliance will also update the license status.

System > Support Services

The System > Support Services page displays the support service status for the appliance, including support and warranty information. The information is retrieved from the SonicWALL licensing server, and displays the most current settings.

System > Time

This section provides an overview of the System > Time page and a description of the configuration tasks available on this page.
“System > Time Overview” section on page 71
“Setting the Time” section on page 72
“Enabling Network Time Protocol” section on page 72

System > Time Overview

The System > Time page provides the administrator with controls to set the SonicWALL SSL-VPN system time, date and time zone, and to set the SonicWALL SSL-VPN appliance to synchronize with one or more NTP servers.
Figure 7 System > Time Page
System Time
The System Time section allows the administrator to set the time (hh:mm:ss), date (mm:dd:yyyy) and time zone. It also allows the administrator to select automatic synchronization with the NTP (Network Time Protocol) server and to display UTC (Coordinated Universal Time) instead of local time in logs.
NTP Settings
The NTP Settings section allows the administrator to set an update interval (in seconds), an NTP server, and two additional (optional) NTP servers.

Setting the Time

To configure the time and date settings, navigate to the System > Time page. The appliance uses the time and date settings to timestamp log events and for other internal purposes. It is imperative that the system time be set accurately for optimal performance and proper registration.
Note For optimal performance, the SonicWALL SSL-VPN appliance must have the correct time and date configured.
To configure the time and date settings, perform the following steps:
Step 1 Select your time zone in the Time Zone drop-down list.
Step 2 The current time, in 24-hour time format, will appear in the Time (hh:mm:ss) field and the current date will appear in the Date (mm:dd:yyyy) field.
Step 3 Alternately, you can manually enter the current time in the Time (hh:mm:ss) field and the current date in the Date (mm:dd:yyyy) field.
Note If the checkbox next to Automatically synchronize with an NTP server is selected, you will not be able to manually enter the time and date. To manually enter the time and date, clear the checkbox.
Step 4 Click Accept to update the configuration.

Enabling Network Time Protocol

If you enable Network Time Protocol (NTP), then the NTP time settings will override the manually configured time settings. The NTP time settings will be determined by the NTP server and the time zone that is selected in the Time Zone drop-down list.
To set the time and date for the appliance using the Network Time Protocol (NTP), perform the following steps:
Step 1 Navigate to the System > Time page.
Step 2 Select the Automatically synchronize with an NTP server checkbox.
Step 3 In the NTP Settings section, enter the time interval in seconds to synchronize time settings with the NTP server in the Update Interval field. If no period is defined, the appliance will select the default update interval, 64 seconds.
Step 4 Enter the NTP server IP address or fully qualified domain name (FQDN) in the NTP Server 1 field.
Step 5 For redundancy, enter a backup NTP server address in the NTP Server Address 2 (Optional) and NTP Server Address 3 (Optional) fields.
Step 6 Click Accept to update the configuration.

System > Settings

This section provides an overview of the System > Settings page and a description of the configuration tasks available on this page.
“System > Settings Overview” section on page 73
“Managing Configuration Files” section on page 74
“Managing Firmware” section on page 76

System > Settings Overview

The System > Settings page allows the administrator to manage the firmware and related settings of the SonicWALL SSL-VPN appliance:
Figure 8 System > Settings Page
Settings
The Settings section allows the administrator to automatically store settings after changes and to encrypt the settings file. This section also provides buttons to import settings, export settings, and store settings.
Firmware Management
The Firmware Management section allows the administrator to control the firmware that is running on the SSL-VPN appliance. This section provides buttons for uploading new firmware, creating a backup of current firmware, downloading existing firmware to the management computer, rebooting the appliance with current or recently uploaded firmware, and rebooting the appliance with factory default settings. There is also an option to be notified when new firmware becomes available.

Managing Configuration Files

SonicWALL allows you to save and import file sets that hold the SSL VPN configuration settings. These file sets can be saved and uploaded through the System > Settings page in the SSL VPN management interface.
These tasks are described in the following sections:
“Exporting a Backup Configuration File” section on page 74
“Importing a Configuration File” section on page 75
“Storing Settings” section on page 75
“Automatically Storing Settings After Changes” section on page 76
“Encrypting the Configuration File” section on page 76
Exporting a Backup Configuration File
Exporting a backup configuration file allows you to save a copy of your configuration settings on your local machine. You may then save the configuration settings or export them to a backup file and import the saved configuration file at a later time, if necessary. The backup file is called sslvpnSettings-serialnumber.zip by default, and includes the contents in Figure 9.
Figure 9 Backup Configuration Directory Structure in Zip File
The backup directory structure contains the following elements:
ca folder (not shown) – Contains CA certificates provided by a Certificate Authority.
cert folder – Contains the default folder with the default key/certification pair. Also contains key/certification pairs generated by Certificate Signing Requests (CSRs) from the System > Certificates page, if any.
uiaddon folder – Contains a folder for each portal. Each folder contains portal login messages, portal home page messages, and the default logo or the custom logo for that portal, if one was uploaded. VirtualOffice is the default portal.
firebase.conf file – Contains network, DNS and log settings.
smm.conf file – Contains user, group, domain and portal settings.
To export a backup configuration file, perform the following steps:
Step 1 Navigate to the System > Settings page.
Step 2 To save a backup version of the configuration, click Export Settings. The browser you are working in displays a pop-up asking you if you want to open the configuration file.
Step 3 Select the option to Save the file.
Step 4 Choose the location to save the configuration file. The file is named sslvpnSettings-serialnumber.zip by default, but it can be renamed.
Step 5 Click Save to save the configuration file.
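As an added example (Python, not SonicWALL's code), the following checker validates an exported, unencrypted backup archive against the folder and file layout listed above and reports any private keys it finds in the cert folder, since an export that carries the appliance's key material has to be stored with the same care as the appliance itself. The file names inside the cert and uiaddon folders and the sample archive contents are constructed for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

# Archive layout as described under "Exporting a Backup Configuration File".
EXPECTED_FILES = {"firebase.conf", "smm.conf"}
EXPECTED_DIRS = {"cert", "uiaddon"}
OPTIONAL_DIRS = {"ca"}          # present only when CA certificates were added
DEFAULT_PORTAL = "VirtualOffice"


@dataclass
class BackupReport:
    missing: List[str] = field(default_factory=list)       # expected entries not found
    unexpected: List[str] = field(default_factory=list)    # top-level entries the guide does not list
    portals: List[str] = field(default_factory=list)       # portal folders under uiaddon/
    private_keys: List[str] = field(default_factory=list)  # cert/ members holding PEM private keys

    @property
    def ok(self) -> bool:
        return not self.missing and DEFAULT_PORTAL in self.portals


def inspect_backup(archive: bytes) -> BackupReport:
    """Check an unencrypted sslvpnSettings-<serial>.zip against the documented layout.

    Private keys under cert/ are listed so the operator knows the export holds
    secret material and must be protected (or exported with encryption enabled).
    """
    report = BackupReport()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        top_level = {n.split("/", 1)[0] for n in members}
        report.missing = sorted(EXPECTED_FILES - top_level) + sorted(
            d + "/" for d in EXPECTED_DIRS - top_level)
        report.unexpected = sorted(top_level - EXPECTED_FILES - EXPECTED_DIRS - OPTIONAL_DIRS)
        for name in members:
            parts = name.split("/")
            if parts[0] == "uiaddon" and len(parts) > 2 and parts[1] not in report.portals:
                report.portals.append(parts[1])
            # Content check rather than a file-name check: the guide does not name the key files.
            if parts[0] == "cert" and b"PRIVATE KEY" in zf.read(name):
                report.private_keys.append(name)
    report.portals.sort()
    report.private_keys.sort()
    return report


def build_sample_backup(include_smm: bool = True) -> bytes:
    """Constructed sample archive for the demo; member names inside the folders are assumptions."""
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"(constructed placeholder, not a real key)\n"
                b"-----END RSA PRIVATE KEY-----\n")
    fake_cert = b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cert/default/server.key", fake_key)
        zf.writestr("cert/default/server.crt", fake_cert)
        zf.writestr("uiaddon/VirtualOffice/login.msg", b"Welcome to the Virtual Office")
        zf.writestr("uiaddon/VirtualOffice/logo.gif", b"GIF89a")
        zf.writestr("firebase.conf", b"# constructed: network, DNS and log settings\n")
        if include_smm:
            zf.writestr("smm.conf", b"# constructed: user, group, domain and portal settings\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_backup(build_sample_backup())
    print("layout ok:", report.ok)
    print("portals:", report.portals)
    print("private keys in export:", report.private_keys)
```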
Importing a Configuration File
You may import the configuration settings that you previously exported to a backup configuration file. To import a configuration file, perform the following steps:
Step 1 Navigate to the System > Settings page.
Step 2 To import a backup version of the configuration, click Import Settings. The Import Settings dialog box is displayed.
Step 3 Click Browse to navigate to a location that contains the file (that includes settings) you want to import. The file can be any name, but is named sslvpnSettings-serialnumber.zip by default.
Step 4 Click Upload. SonicOS SSL VPN imports the settings from the file and configures the appliance with those settings.
Note Make sure you are ready to reconfigure your system. Once you import the file, the system overwrites the existing settings immediately.
Step 5 Once the file has been imported, restart the appliance to make the changes permanent.
Storing Settings
To store settings you created in your recent configuration session, click the Store Settings button under the Settings section in the System > Settings page.
Automatically Storing Settings After Changes
The System > Settings page provides a way to save the current configuration to flash memory. To automatically store settings after changes, select the Automatically store settings after changes checkbox. The system will automatically store configuration to a file in flash memory so that if it is rebooted, the latest configuration will be reloaded. If you do not enable this checkbox, the system will prompt you to save settings every time you attempt to reboot the SonicWALL SSL-VPN appliance.
Encrypting the Configuration File
For security purposes, you can encrypt the configuration files in the System > Settings page. However, if the configuration files are encrypted, they cannot be edited or reviewed for troubleshooting purposes.
To encrypt the configuration files, select the Encrypt settings file checkbox in the System > Settings page.

Managing Firmware

The Firmware Management section of System > Settings provides the administrator with the option to be notified when new firmware becomes available. It provides the configuration options for firmware images, including uploading new firmware and creating a backup.
These tasks are described in the following sections:
“Setting Firmware Notification” section on page 76
“Creating a Backup” section on page 76
“Downloading Firmware” section on page 76
“Booting a Firmware Image” section on page 77
“Uploading New Firmware” section on page 77
Setting Firmware Notification
The administrator can be notified by email when a new firmware build is available. To be notified when new firmware is available, select the Notify me when new firmware is available checkbox.
Creating a Backup
To create a system backup of the current firmware and settings, click the Create Backup button. The backup may take up to two minutes. When the backup is complete, the Status at the bottom of the screen will display the message “System Backup Successful.”
Downloading Firmware
To download firmware, click the download icon next to the Firmware Image version you want to download.
Booting a Firmware Image
To boot a firmware image, perform the following steps:
Step 1 Click the boot icon next to the Firmware Image version that you want to run on the SonicWALL SSL-VPN appliance.
Step 2 The pop-up message is displayed: Are you sure you wish to boot this firmware? Click OK.
Uploading New Firmware
To upload new firmware, perform the following steps:
Step 1 Log in to MySonicWALL.
Step 2 Download the latest SonicWALL SSL VPN firmware version.
Step 3 In the SonicWALL SSL VPN management interface, navigate to the System > Settings page.
Step 4 Click the Upload New Firmware button under the Firmware Management section.
Step 5 Click Browse.
Step 6 Select the downloaded SonicWALL SSL VPN firmware. It should have a .sig file extension.
Step 7 Click Open.
Step 8 Click Upload.
Step 9 The SonicWALL SSL-VPN appliance will automatically reboot when the new firmware has been uploaded.
System > Administration

This section provides an overview of the System > Administration page and a description of the configuration tasks available on this page.
“System > Administration Overview” section on page 78
“Configuring Login Security” section on page 80
“Enabling GMS Management” section on page 80
“Configuring Web Management Settings” section on page 81
“Configuring the Management Interface Language” section on page 81

System > Administration Overview

This section provides the administrator with information about and instructions to perform the configuration tasks on the System > Administration page. The System > Administration page allows the administrator to configure login security, GMS settings, and to select the interface language.
See the following sections:
“Login Security” section on page 79
“GMS Settings” section on page 79
“Web Management Settings” section on page 80
“Language” section on page 80
Figure 10 System > Administration Page
Login Security
The Login Security section provides a way to configure administrator/user lockout for a set period of time (in minutes) after a set number of maximum login attempts per minute.
GMS Settings
Note GMS 5.0 (or higher) is required to remotely manage SSL-VPN appliances.
The GMS Settings section allows the administrator to enable GMS management, and specify the GMS host name or IP address, GMS Syslog server port and heartbeat interval (in seconds).
Web Management Settings
The Web Management Settings section allows the administrator to set the default page size for paged tables and the streaming update interval for dynamically updated tables in the management interface.
The following paged tables are affected by the Default Table Size setting:
Virtual Assist > Log
Web Application Firewall > Log
Log > View
The minimum for the Default Table Size field is 10 rows, the default is 100, and the maximum is 99,999.
The following dynamically updated tables are affected by the Streaming Update Interval setting:
System > Monitoring
Network > Interfaces
NetExtender > Status
Users > Status
The minimum for the Streaming Update Interval field is 1 second, the default is 10 seconds, and the maximum is 99,999.
Language
The Language section allows the administrator to select which language pack is currently in use. After making a selection and clicking Accept at the top of the page, the management interface is displayed in the selected language.

Configuring Login Security

SonicWALL SSL VPN login security provides an auto lockout feature to protect against unauthorized login attempts on the user portal. Complete the following steps to enable the auto lockout feature:
Step 1 Navigate to System > Administration.
Step 2 Select the Enable Administrator/User Lockout checkbox.
Step 3 In the Maximum Login Attempts Per Minute field, type the number of maximum login attempts allowed before a user will be locked out. The default is 5 attempts. The maximum is 99 attempts.
Step 4 In the Lockout Period (minutes) field, type a number of minutes to lock out a user that has exceeded the number of maximum login attempts. The default is 55 minutes. The maximum is 9999 minutes.
Step 5 Click the Accept button to save your changes.
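The following model of the lockout policy is an added example, not SonicWALL code, and it does not read the appliance's configuration. It reproduces the two settings from the procedure above (a per-minute attempt counter and a lockout period that starts when the counter reaches Maximum Login Attempts Per Minute) so that you can see how the values interact. Two points are assumptions, because the page does not state them: only failed attempts count, and the counter is keyed by an opaque "principal" string (the appliance may key it by account name, source address or both).

```python
"""Model of the System > Administration login lockout policy.

Added example; this is not SonicWALL code and does not read appliance
configuration. ASSUMPTIONS: only failed attempts count towards the limit,
and the counter is keyed by an opaque "principal" string.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # "per minute" in the Maximum Login Attempts Per Minute field


class LoginLockout:
    def __init__(self, max_attempts_per_minute=5, lockout_minutes=55):
        # Defaults mirror the values documented for the appliance.
        self.max_attempts = max_attempts_per_minute
        self.lockout_seconds = lockout_minutes * 60
        self._failures = defaultdict(deque)  # principal -> failure timestamps (seconds)
        self._locked_until = {}              # principal -> time the lockout expires

    def is_locked(self, principal, now):
        """True while 'principal' is inside its lockout period; clears it once it has elapsed."""
        until = self._locked_until.get(principal)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[principal]
        self._failures[principal].clear()
        return False

    def attempt(self, principal, now, password_ok):
        """Record one login attempt at time 'now' (seconds).

        Returns "locked" (rejected because of the lockout, even with the right
        password), "ok" (accepted) or "failed" (wrong password, not yet locked).
        """
        if self.is_locked(principal, now):
            return "locked"
        if password_ok:
            self._failures[principal].clear()
            return "ok"
        window = self._failures[principal]
        window.append(now)
        # Keep only failures inside the sliding one-minute window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= self.max_attempts:
            self._locked_until[principal] = now + self.lockout_seconds
            return "locked"
        return "failed"


def demo():
    """Five wrong passwords within a minute lock the principal; the right password
    is refused until the 55-minute period ends. Returns the sequence of outcomes."""
    policy = LoginLockout()
    out = [policy.attempt("admin", t, password_ok=False) for t in (0, 5, 10, 15, 20)]
    out.append(policy.attempt("admin", 30, password_ok=True))            # still locked
    out.append(policy.attempt("admin", 30 + 55 * 60, password_ok=True))  # lockout expired
    return out


if __name__ == "__main__":
    print(demo())
```

The model makes one consequence of the setting visible: while a principal is locked, a correct password is rejected too. If the appliance keys the counter by account name, anyone who can reach the login page can keep that account locked for the whole Lockout Period by sending wrong passwords, so weigh a long period for administrator accounts against the availability of the management interface and consider restricting where it can be reached from.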

Enabling GMS Management

The SonicWALL Global Management System (SonicWALL GMS) is a Web-based application that can configure and manage thousands of SonicWALL Internet security appliances, including global administration of multiple site-to-site VPNs from a central location.
Complete the following steps to enable SonicWALL GMS management of your SonicWALL SSL-VPN appliance:
Step 1 Navigate to System > Administration.
Step 2 Select the Enable GMS Management checkbox.
Step 3 Type the host name or IP address of your GMS server in the GMS Host Name or IP Address field.
Step 4 Type the port number of your GMS server in the GMS Syslog Server Port field. The default for communication with a GMS server is port 514, the standard syslog port.
Step 5 Type the desired interval for sending heartbeats to the GMS server in the Heartbeat Interval (seconds) field. The maximum heartbeat interval is 86400 seconds (24 hours).
Step 6 Click the Accept button to save your changes.

Configuring Web Management Settings

The Web Management Settings section allows the administrator to set the default page size for paged tables and the streaming update interval for dynamically updated tables in the management interface.
To set the table page size and streaming update interval, perform the following steps:
Step 1 In the Default Table Size field, enter the number of rows per page for paged tables in the management interface. The default is 100, the minimum is 10, and the maximum is 99,999.
Step 2 In the Streaming Update Interval field, enter the number of seconds between updates for dynamically updated tables in the management interface. The default is 10, the minimum is 1, and the maximum is 99,999.

Configuring the Management Interface Language

To change the management interface to another language, perform the following steps:
Step 1 Select an option from the Language drop-down list.
Step 2 Click the Accept button to change the display.
System > Certificates
This section provides an overview of the System > Certificates page and a description of the configuration tasks available on this page.
“System > Certificates Overview” section on page 82
“Certificate Management” section on page 83
“Generating a Certificate Signing Request” section on page 83
“Viewing and Editing Certificate Information” section on page 84
“Importing a Certificate” section on page 84
“Adding Additional CA Certificates” section on page 85

System > Certificates Overview

The System > Certificates page allows the administrator to import server certificates and additional CA (Certificate Authority) certificates.
Figure 11 System > Certificates Page
Server Certificates
The Server Certificates section allows the administrator to import and configure a server certificate, and to generate a CSR (certificate signing request).
A server certificate is used to verify the identity of the SonicWALL SSL-VPN appliance. The SSL-VPN presents its server certificate to the user's browser when the user accesses the login page. Each server certificate contains the host name of the server it belongs to, and the browser compares that name with the name the user typed into the address bar.
There is always one self-signed certificate (self-signed means that it is generated by the SonicWALL SSL-VPN appliance itself, not by a real CA), and there may be multiple certificates imported by the administrator. If the administrator has configured multiple portals, it is possible to associate a different certificate with each portal. For example, the same appliance might be reached as sslvpn.test.sonicwall.com for one portal and as virtualassist.test.sonicwall.com for another. Each of those portal names can have its own certificate whose name matches it. This prevents the browser from displaying a certificate name-mismatch warning of the form "This server is abc, but the certificate is xyz, are you sure you want to continue?".
A CSR is a certificate signing request. When preparing to get a certificate from a CA, you first generate a CSR containing the details of the certificate (the subject name and the public key); the matching private key stays on the appliance and is never sent anywhere. The CSR is then sent to the CA with any required fees, and the CA returns a signed certificate.
Additional CA Certificates
The Additional CA Certificates section allows the administrator to import additional certificates from a Certificate Authority, either inside or outside of the local network. The certificates can be uploaded in PEM, DER or PKCS #7 format and are used to complete chained certificates, for example, when the issuing CA signs the server certificate with an intermediate (chained) signing certificate rather than with its root.
The imported additional certificates only take effect after restarting the SonicWALL SSL-VPN appliance.

Certificate Management

The SonicWALL SSL-VPN comes with a pre-installed self-signed X.509 certificate for SSL functions. A self-signed certificate provides the same encryption as a certificate obtained through a well-known certificate authority (CA), but it gives users no independent assurance of the appliance's identity: browsers present an "untrusted root CA certificate" security warning until the self-signed certificate is imported into their trusted root store, and users who become used to clicking through that warning cannot tell the appliance's certificate from one presented by an interposed host. This import procedure can be performed by the user by clicking the Import Certificate button within the portal after authenticating.
The alternative to using the self-signed certificate is to generate a certificate signing request (CSR) and to submit it to a well-known CA for valid certificate issuance. Well-known CAs include RapidSSL (www.rapidssl.com), Verisign (www.verisign.com), and Thawte (www.thawte.com).

Generating a Certificate Signing Request

In order to get a valid certificate from a widely accepted CA such as RapidSSL, Verisign, or Thawte, you must generate a Certificate Signing Request (CSR) for your SonicWAL L SSL-VPN appliance. To generate a certificate signing request, perform the following steps:
Step 1 Navigate to the System > Certificates page.
Step 2 Click Generate CSR to generate a CSR and certificate key. The Generate Certificate Signing Request dialog box is displayed.
Step 3 Fill in the fields in the dialog box and click Submit.
Step 4 If all information is entered correctly, a csr.zip file will be created. Save this .zip file to disk. You will need to provide the contents of the CSR file found within this zip file to the CA. Send only the CSR; the private key must never leave your control.

Viewing and Editing Certificate Information

The Current Certificates table in System > Certificates lists the currently loaded SSL certificates.
To view certificate and issuer information and edit the Common Name in the certificate, perform the following steps:
Step 1 Click the configure icon for the certificate. The Edit Certificate window is displayed, showing issuer and certificate subject information.
Step 2 From the Edit Certificate window, you may view the issuer and certificate subject information.
Step 3 On self-signed certificates, type the Web server host name or IP address in the Common Name field. Use the exact name users enter in the browser; otherwise the browser reports a name mismatch.
Step 4 Click Submit to submit the changes.
You may also delete an expired or incorrect certificate. Delete the certificate by clicking the Delete button in the row for the certificate, on the System > Certificates page.
Note A certificate that is currently active cannot be deleted. To delete a certificate, upload and enable another SSL certificate, then delete the inactive certificate on the System > Certificates page.

Importing a Certificate

When importing a certificate you must upload either a PKCS #12 (.p12 or .pfx) file containing the private key and certificate, or a zip file containing the PEM-formatted private key file named server.key and the PEM-formatted certificate file named server.crt. The .zip file must have a flat file structure (no directories) and contain only the server.key and server.crt files.
To import a certificate, perform the following steps:
Step 1 Navigate to the System > Certificates page.
Step 2 Click Import Certificate. The Import Certificate dialog box is displayed.
Step 3 Click Browse.
Step 4 Locate the zipped file that contains the private key and certificate on your disk or network drive and select it. Any filename will be accepted, but it must have the ".zip" extension. The zipped file must contain a certificate file named server.crt and a private key file named server.key. The key and certificate must be at the root of the zip, or the file will not be uploaded.
Step 5 Click Upload.
Once the certificate has been uploaded, the certificate will be displayed in the Certificates list in the System > Certificates page.
Note Private keys may require a password.
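The following pre-upload check is an added example, not SonicWALL code, and it never talks to the appliance. It verifies on the administrator's workstation the two constraints the import dialog enforces (a flat zip holding exactly server.key and server.crt, both in PEM form) and, using only the Python standard library, that the private key actually belongs to the certificate, which the appliance can only tell you after the upload. It also refuses to proceed with an encrypted key unless the password is supplied, the case the note above refers to. The function names and the sample bundle are constructed for illustration; the sample's PEM bodies are placeholders, so the key/certificate check is expected to reject it.

```python
"""Pre-upload checks for a server certificate bundle destined for System > Certificates.

Added example; not SonicWALL code. Uses only the standard library. The sample
bundle at the bottom is constructed and deliberately contains placeholder PEM
bodies rather than a real key pair.
"""
import io
import os
import ssl
import tempfile
import zipfile

REQUIRED = {"server.key", "server.crt"}  # the only two names the import accepts


def build_zip(entries):
    """Create an in-memory zip from {name: bytes}; used to construct sample bundles."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_layout(zip_bytes):
    """Return the list of layout problems; an empty list means the zip is acceptable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a zip file"]
    problems = []
    names = set(zf.namelist())
    for name in sorted(names):
        if "/" in name or "\\" in name:
            problems.append(f"{name}: not at the zip root (directories are rejected)")
        elif name not in REQUIRED:
            problems.append(f"{name}: unexpected file (only server.key and server.crt allowed)")
    for name in sorted(REQUIRED - names):
        problems.append(f"{name}: missing")
    if not problems:
        if b"-----BEGIN CERTIFICATE-----" not in zf.read("server.crt"):
            problems.append("server.crt: not a PEM certificate")
        if b"PRIVATE KEY-----" not in zf.read("server.key"):
            problems.append("server.key: not a PEM private key")
    return problems


def key_is_encrypted(key_pem):
    """PKCS#8 'ENCRYPTED PRIVATE KEY' and legacy 'Proc-Type: 4,ENCRYPTED' keys need a password."""
    return b"ENCRYPTED" in key_pem


def key_matches_cert(zip_bytes, password=None):
    """Load the pair the way a TLS server would; OpenSSL rejects a key that does not
    match the certificate. Returns (True, "") or (False, reason). An encrypted key
    without a password is refused up front so OpenSSL never falls back to a terminal prompt."""
    if check_layout(zip_bytes):
        return False, "fix the layout problems first"
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    key = zf.read("server.key")
    if key_is_encrypted(key) and password is None:
        return False, "server.key is encrypted; the import needs its password"
    with tempfile.TemporaryDirectory() as tmp:
        crt_path = os.path.join(tmp, "server.crt")
        key_path = os.path.join(tmp, "server.key")
        with open(crt_path, "wb") as f:
            f.write(zf.read("server.crt"))
        with open(key_path, "wb") as f:
            f.write(key)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(crt_path, key_path, password=password)
        except (ssl.SSLError, OSError, ValueError) as exc:
            return False, f"key/certificate pair rejected: {exc}"
    return True, ""


# Constructed sample: correct layout, placeholder PEM bodies (not a real key pair).
SAMPLE_BUNDLE = build_zip({
    "server.key": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "server.crt": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
})

if __name__ == "__main__":
    print(check_layout(SAMPLE_BUNDLE))
    print(key_matches_cert(SAMPLE_BUNDLE))
```

Run check_layout() and key_matches_cert() on the zip you are about to upload; a real server.key/server.crt pair issued for the appliance returns (True, ""), while the wrong key, a key for a different certificate, or a zip that was built with a containing directory is reported before the appliance ever sees it.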

Adding Additional CA Certificates

You can import additional CA certificates for use with chained certificates, for example, when the issuing CA uses an intermediate (chained) signing certificate. To import a CA certificate file, upload a PEM-encoded, DER-encoded, or PKCS #7 (.p7b) file.
To add additional certificates in PEM format, perform the following steps:
Step 1 Navigate to the System > Certificates page.
Step 2 Click Import CA Certificate in the Additional CA Certificates section. The Import Certificate dialog box is displayed.
Step 3 Click Browse.
Step 4 Locate the PEM-encoded, DER-encoded, or PKCS #7 CA certificate file on your disk or network drive and select it. Any filename will be accepted.
Step 5 Click Upload.
Once the certificate has been uploaded, the CA certificate will be displayed in the Additional CA Certificates list in the System > Certificates page.
Step 6 To add the new CA certificate to the Web server's active CA certificate list, the Web server must be restarted. Restart the SonicWALL SSL-VPN appliance to restart the Web server.
System > Monitoring
This section provides an overview of the System > Monitoring page and a description of the configuration tasks available on this page.
“System > Monitoring Overview” section on page 85
“Setting The Monitoring Period” section on page 87
“Refreshing the Monitors” section on page 87

System > Monitoring Overview

The SonicWALL SSL-VPN appliance provides configurable monitoring tools that enable you to view usage and capacity data for your appliance. The System > Monitoring page provides the administrator with four monitoring graphs:
Active Concurrent Users
Bandwidth Usage
CPU Utilization (%)
Memory Utilization (%)
The administrator can configure the following monitoring periods: last 30 seconds, last 30 minutes, last 24 hours, last 30 days. For example, Last 24 Hours refers to the most recent 24 hour period.
Figure 12 System > Monitoring Page
Monitoring Graphs
The four monitoring graphs can be configured to display their respective data over a period of time ranging from the last 30 seconds to the last 30 days.
Table 8 Monitoring Graph Types
Graph: Description
Active Concurrent Users: The number of users who are logged into the appliance at the same time, measured over time by seconds, minutes, hours, or days. This figure is expressed as an integer, for example, 2, 3, or 5.
Bandwidth Usage (Kbps): The amount of data per second being transmitted and received by the appliance in Kbps, measured over time by seconds, minutes, hours, or days.
CPU Utilization (%): The amount of capacity on the appliance processor being used, measured over time by seconds, minutes, hours, or days. This figure is expressed as a percentage of the total capacity of the CPU.
Memory Utilization (%): The amount of memory being used by the appliance, measured over time by seconds, minutes, hours, or days. This monitoring graph displays memory utilization as a percentage of the total memory available.

Setting The Monitoring Period

To set the monitoring period, select one of the following options from the Monitor Period drop-down list in the System > Monitoring page:
Last 30 Seconds
Last 30 Minutes
Last 24 Hours
Last 30 Days

Refreshing the Monitors

To refresh the monitors, click the Refresh button at the top right corner of the System > Monitoring page.