Sonicwall SRA SSL VPN 5.0 ADMINISTRATORS GUIDE

COMPREHENSIVE INTERNET SECURITY

SonicWALL SRA SSL VPN 5.0

Administrator’s Guide

SonicWALL Secure Remote Access Appliances

SonicWALL SRA SSL VPN 5.0 Administrator’s Guide

SonicWALL, Inc.

2001 Logic Drive San Jose, CA 95124-3452

Phone: +1.408.745.9600 Fax: +1.408.745.9300 E-mail: info@sonicwall.com

SonicWALL SSL VPN 5.0 Administrator’s Guide

Copyright Notice

or part, without the written consent of the manufacturer, except in the normal use of th e software to make a backup copy. The same proprietary and copyright notices mu st be affixed to any permitted copies as were affixed to the original. This exception does not allo w copi es to be made fo r o ther s, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes transla ting into another language or format.

Specifications and descriptions subject to change without notice.

Trademarks

SonicWALL is a registered trademark of SonicWALL, Inc. Microsoft Windows 7, Windows Vista, Windows XP, Windows Server 2003, Windows 2000,

Windows NT, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.

Firefox is a trademark of the Mozilla Foundation. Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and

other countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be registered outside the U.S.

Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Cisco Systems and Cisco PIX 515e and Linksys and Linksys Playtoy23 are either registered trademarks or trademarks of Cisco Systems in the U.S. and /or other countries.

Watchguard and Watchguard Firebox X Edge are either registered trademarks or trademarks of Watchguard Technologies Corporation in the U.S. and/or other countries.

NetGear, NetGear FVS318, and NetGear Wireless Router MR814 SSL are either registered trademarks or trademarks of NetGear, Inc., in the U.S. and/or other countries.

Check Point and Check Point AIR 55 are either registered trademarks or trademarks of Check Point Software Technologies, Ltd., in the U.S. and/or other countries.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

SonicWALL SSL VPN 5.0 Administrator’s Guide

SonicWALL GPL Source Code

GNU General Public License (GPL)

SonicWALL will provide a machine-readable copy of the GPL open source on a CD. To obtain a complete machine-readable copy, send your written request, along with a certified check or m oney order in the amount of US $25.00 payable to "SonicWALL, Inc." to: General Public License Source Code Request SonicWALL, Inc. Attn: Jennifer Anderson 2001 Logic Drive San Jose, CA 95124-3452

Limited Warranty

SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWALL's thencurrent Support Services policies.

This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWALL.

DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR

SonicWALL SSL VPN 5.0 Administrator’s Guide

iii

INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

SonicWALL Technical Support

For timely resolution of technical support questions, visit SonicWALL on the Internet at

<http://www.sonicwall.com/us/support.html>. Web-based resources are available to help you

resolve most technical issues or contact SonicWALL Technical Support. To contact SonicWALL telephone support, see the telephone numbers listed below. See

<http://www.sonicwall.com/us/support/contact.html> for the latest technical support telephone

numbers.

North America Telephone Support

U.S./Canada - 888.777.1476 or +1 408.752.7819

International Telephone Support

Australia - + 1800.35.1642 Austria - + 43(0)820.400.105 EMEA - +31(0)411.617.810 France - + 33(0)1.4933.7414 Germany - + 49(0)1805.0800.22 Hong Kong - + 1.800.93.0997 India - + 8026556828 Italy - +39.02.7541.9803 Japan - + 81(0)3.3457.8971 New Zealand - + 0800.446489 Singapore - + 800.110.1441 Spain - + 34(0)9137.53035

Switzerland - +41.1.308.3.977 UK - +44(0)1344.668.484

SonicWALL SSL VPN 5.0 Administrator’s Guide

More Information on SonicWALL Products

Contact SonicWALL, Inc. for information about SonicWALL products and services at:

Web: http://www.sonicwall.com E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300

Current Documentation

Check the SonicWALL documentation Web site for that latest versions of this manual and all other SonicWALL product documentation.

http://www.sonicwall.com/us/support.html

SonicWALL SSL VPN 5.0 Administrator’s Guide

About This Guide

The SonicWALL SSL VPN Administrator’s Guide provides network administrators with a highlevel overview of SonicWALL SSL VPN technology, including activation, configuration, and administration of the SonicWALL SSL VPN management interface and the SonicWALL SSL-VPN appliance.

Note Always check <http://www.sonicwall.com/support/documentation.html> for the latest

version of this guide as well as other SonicWALL products and services documentation.

Guide Conventions

The following conventions used in this guide are as follows:

Convention Use Bold Highlights dialog box, window, and screen names. Also

About This Guide

highlights buttons and tabs. Also used for file names and text or values you are being instructed to type into the interface.

Italic Indicate s the name of a technica l manual, e mphasis on cer-

Menu Item > Menu Item Indicates a multiple step Management Interface menu

Icons Used in this Manual

These special messages refer to noteworthy information, and include a symbol for quick identification:

Tip Useful information about security features and configurations on your SonicWALL.

Note Important information on a feature that requires callout for special attention.

Timesaver Useful tips about features that may save you time

tain words in a sentence, or the first instance of a significant term or concept.

choice. For example, System > Status means select the Status page under the System menu.

Indicates a client feature that is only supported on the Microsoft Windows platform.

Indicates a client feature that is supported on Microsoft Windows, Apple MacOS, and Linux

SonicWALL SSL VPN 5.0 Administrator’s Guide

vii

About This Guide

Organization of This Guide

The SonicWALL SSL VPN Administrator’s Guide is organized in chapters that follow the SonicWALL SSL VPN Web-based management interface structure.

This section contains a description of the following chapters and appendices:

• “SSL VPN Overview” on page viii

• “System Configuration” on page viii

• “Network Configuration” on page ix

• “Portals Configuration” on page ix

• “NetExtender Configuration” on page ix

• “Virtual Assist Configuration” on page ix

• “Web Application Firewall Configuration” on page ix

• “Users Configuration” on page ix

• “Log Configuration” on page x

• “Virtual Office Configuration” on page x

• “Appendix A: Accessing Online Help” on page x

• “Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page x

• “Appendix C: Use Cases” on page x

• “Appendix D: NetExtender Troubleshooting” on page x

• “Appendix E: FAQ” on page x

• “Appendix F: Glossary” on page xi

• “Appendix G: SMS Email Formats” on page xi

SSL VPN Overview

“SSL VPN Overview” on page 7 provides an introduction to SSL VPN technology and an

overview of the SonicWALL SSL-VPN appliance and Web-based management interface features. The SSL VPN Overview chapter includes SSL VPN concepts, a Web-based management interface overview, and deployment guidelines.

System Configuration

“System Configuration” on page 59 provides instructions for configuring SonicWALL SSL VPN

options under System in the navigation bar of the management interface, including:

• Registering the SonicWALL appliance

• Setting the date and time

• Working with configuration files

• Managing firmware versions and preferences

• General appliance administration

• Certificate management

• Viewing SSL VPN monitoring reports

• Using diagnostic tools

viii

SonicWALL SSL VPN 5.0 Administrator’s Guide

Network Configuration

“Network Configuration” on page 91 provides instructions for configuring SonicWALL SSL VPN

options under Network in the navigation bar of the management interface, including:

• Configuring network interfaces

• Configuring DNS settings

• Setting network routes and static routes

• Configuring hostname and IP address information for internal name resolution

• Creating reusable network objects representing network resources like FTP, HTTP, RDP,

SSH and File Shares

Portals Configuration

“Portals Configuration” on page 105 provides instructions for configuring SonicWALL SSL VPN

options under Portals in the navigation bar of the management interface, including portals, domains (including RADIUS, NT , LDAP and Active Directory authentication), and custom logos.

NetExtender Configuration

“NetExtender Configuration” on page 167 provides instructions for configuring SonicWALL SSL

VPN options under NetExtender in the navigation bar of the management interface, including NetExtender status, setting NetExtender address range, and configuring NetExtender routes.

About This Guide

Virtual Assist Configuration

“Virtual Assist Configuration” on page 177 provides instructions for configuring SonicWALL

SSL VPN options under Virtual Assist in the navigation bar of the management interface, including Virtual Assist status, settings and licensing.

High Availability Configuration

“High Availability Configuration” on page 189 provides information and configuration tasks

specific to High Availability in the navigation bar of the management interface.

Web Application Firewall Configuration

“Web Application Firewall Configuration” on page 195 provides instructions for configuring

SonicWALL SSL VPN options under Web Application Firewall in the navigation bar of the management interface, including Web Application Firewall status, settings, signatures, log, and licensing.

Users Configuration

“Users Configuration” on page 237 provides instructions for configuring SonicWALL SSL VPN

options under Users in the navigation bar of the management interface, including:

• Access policy hierarchy overview

• Configuring local users and local user policies

• Configuring user groups and user group policies

• Global configuration

SonicWALL SSL VPN 5.0 Administrator’s Guide

About This Guide

Log Configuration

“Log Configuration” on page 291 provides instructions for configuring SonicWALL SSL VPN

options under Log in the navigation bar of the management interface, including viewing and configuring logs and creating alert categories.

Virtual Office Configuration

“Virtual Office Configuration” on p age 301 provides a brief introduction to the Virtual Office, the

user portal feature of SonicWALL SSL VPN. The administrator can access the Virtual Office user portal using Virtual Office in the navigation bar of the SonicWALL SSL VPN Web-based management interface. Users access the Virtual Office using a Web browser. The SonicWALL SSL VPN User’s Guide provides detailed information about the Virtual Office.

Appendix A: Accessing Online Help

“Online Help” on page 305 provides a description of the help available from the Online Help

button in the upper right corner of the management interface. This appendix also includes an overview of the context-sensitive help found on most pages of the SonicWALL SSL VPN management interface.

Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway

“Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page 307 provides

configuration instructions for configuring the SonicWALL SSL-VPN appliance to work with thirdparty gateways, including:

• Cisco PIX

• Linksys WRT54GS

• WatchGuard Firebox X Edge

• NetGear FVS318

• Netgear Wireless Router MR814

• Check Point AIR 55

• Microsoft ISA Server 2000

Appendix C: Use Cases

“Use Cases” on page 327 provides use cases for importing CA certificates and for configuring

group-based access policies for multiple Active Directory groups needing access to Outlook Web Access and SSH.

Appendix D: NetExtender Troubleshooting

“NetExtender Troubleshooting” on page 345 provides troubleshooting support for the

SonicWALL SSL VPN NetExtender feature.

Appendix E: FAQ

“FAQs” on page 349 provides a list of frequently asked questions about the SonicWALL SSL

VPN Web-based management interface and SonicWALL SSL-VPN appliance.

SonicWALL SSL VPN 5.0 Administrator’s Guide

Appendix F: Glossary

“Glossary” on page 373 provides a glossary of technical terms used in the

SonicWALL SSL VPN Administrator’s Guide.

Appendix G: SMS Email Formats

“SMS Email Formats” on page 375 provides a list of SMS email formats for selected worldwide

cellular carriers.

About This Guide

SonicWALL SSL VPN 5.0 Administrator’s Guide

About This Guide

xii

SonicWALL SSL VPN 5.0 Administrator’s Guide

SonicWALL SRA SSL VPN 5.0

Administrator’s Guide ...............................................................................................i

Copyright Notice ..................................................................................................................................................ii

Trademarks ............... ......................................... ........................................ ............................................................ii

SonicWALL GPL Source Code .................................................. ......................... ......................... ....................iii

GNU General Public License (GPL) .......................................................................................................iii

Limited Warranty ............................. ......................... ......................... ......................... .........................................iii

SonicWALL Technical Support ......................... ......................... ......................... ............................................ iv

More Information on SonicWALL Products .................................................................................. .. ...............v

About This Guide .............................................................................................................................................. vii

Guide Conventions ................................................................................................................................... vii

Organization of This Guide ....................................................................................................................viii

Table of Contents ......................................................................................................1

SSL VPN Overview ....................................................................................................7

Overview of SonicWALL SSL VPN ..................................................... .. ............................. .. ...........................8

SSL for Virtual Private Networking (VPN) .............................................................................................8

SSL VPN Software Components ...............................................................................................................9

SSL-VPN Hardware Components .............................................................................................................9

Concepts for SonicWALL SSL VPN .............................................................................................................11

Encryption Overview ...................... ......................... ......................... ......................... .............................. 11

SSL Handshake Procedure ....................................................................................................................... 11

IPv6 Support Overview ............................................................................................................................ 12

Browser Requirements for the SSL VPN Administr at o r ............................... ..................................... 14

Browser Requirements for the SSL VPN End User ............................................................................ 15

Portals Overview ............... ......................... ......................... ......................... .............................................15

Domains Overview ............. ......................... ......................... ......................... ...........................................16

NetExtender Overview ....................... ......................... ......................... ......................... .......................... 16

Network Resources Overview ........ .. ............................. .. ............................. .. ............................ ............. 20

SNMP Overview ....................................................................................................................................... 26

DNS Overview ................................... ......................... ......................... ......................... ............................ 26

Network Routes Overview .................................. ........................ ......................... ...................................26

Two-Factor Authentication Overview .. ......................... ......................... ......................... ...................... 26

One Time Password Overview ................................... ......................... ......................... ..........................28

Virtual Assist Overview .......................................... ......................... ........................ .................................30

Web Application Firewall Overview ...................................................................................................... 42

What is Web Application Firewall? ........................ ............................. .. ............................. .. ..................42

Benefits of Web Application Firewall ................................................... .. ............................. .. ................ 44

How Does Web Application Firewall Work? ... .. ............................. .. ............................. .. .................... 44

Navigating the SSL VPN Management Interface ......... ............................. .. ............................. .. .................. 49

Management Interface Introduct ion ............................ .. ............................. .. ............................. .. .......... 49

Navigating the Management Interface ................................................................................................... 51

Navigation Bar .............................................. ......................... ......................... ........................................... 54

SonicWALL SSL VPN 5.0 Administrator’s Guide

Deployment Guidelines ....................................................................................................................................56

Support for Numbers of User Connections ..........................................................................................56

Resource Type Support .............................................................................................................................57

Integration with SonicWALL Products ..................................................................................................57

Typical Deployment ........................... ......................... ........................ ......................... .............................57

System Configuration ............................................................................................59

System > Status .................................... ......................... ......................... ............................................................60

System > Status Overview ........ .......................................................... ... ............................. .. ....................60

Registering Your SonicWALL SSL-VPN from System Status ...........................................................62

Configuring Network Interfaces .............................................. ......................... .......................................64

System > Licenses ................ ......................... ......................... ......................... ...................................................64

System > Licenses Overview ................ .. ............................. .. ............................. .. ...................................64

Registering the SSL-VPN from System > Licenses .............................. .. ............................. .. ..............67

Activating or Upgrading Licenses ........................................... ......................... ......................... ..............69

System > Support Services ...............................................................................................................................70

System > Time .................................... ......................... ......................... ......................... .....................................71

System > Time Overview ....... .. ........................................................................................ .. ......................71

Setting the Time ........................................ ......................... ......................... ...............................................72

Enabling Network Time Protocol .......................... ... ............................. .. ............................. .. ................72

System > Settings .. ......................... ......................... ......................... ......................... .........................................73

System > Settings Overview ......................................................................................... ... ........................73

Managing Configuration Files ................................................ ......................... .........................................74

Managing Firmware ............................................ ......................... ......................... .....................................76

System > Administration ................ ......................... ......................... ......................... .......................................78

System > Administration Overview ........................................... .. ............................. .. ...........................78

Configuring Login Security ............. ........................ ......................... ......................... ...............................80

Enabling GMS Management ....................................................................................................................80

Configuring Web Management Setting s ............................... ......................... ......................... ................81

Configuring the Management Interface Language ...............................................................................81

System > Certificates ......................... ......................... ......................... ......................... .....................................81

System > Certificates Overview ........................................................................................ .. ....................82

Certificate Management .................................................... ......................... ......................... ......................83

Generating a Certificate Signing Reque st ................................................ ......................... ......................83

Viewing and Editing Certificate Information ........................................................................................84

Importing a Certificate ............................................. ......................... ......................... ...............................84

Adding Additional CA Certificates .........................................................................................................85

System > Monitoring ................. ......................... ......................... ......................... .............................................85

System > Monitoring Overview ................................................ .. ............................. .. .............................85

Setting The Monitoring Period ................... ......................... ......................... ......................... ..................87

Refreshing the Monitors ...........................................................................................................................87

System > Diagnostics .................. .. ......................... ......................... ......................... .........................................88

System > Diagnostics Overview .................. ............................. .. ............................. .. .............................88

Downloading the Tech Support Report .................................................................................................89

Performing Diagnostic Tests ...................... ............................. .. ............................. .. ...............................89

System > Restart . ......................... ......................... ......................... ......................... ...........................................90

System > Restart Overview ............................................................................... .. .....................................90

Restarting the SonicWALL SSL-VPN . ......................... ......................... ......................... ........................90

SonicWALL SSL VPN 5.0 Administrator’s Guide

Network Configuration ...........................................................................................91

Network > Interfaces ................... ......................... ......................... ......................... .........................................92

Network > Interfaces Overview ........ .. ............................. .. ............................. .. ..................................... 92

Configuring Network Interfaces ........................................... ......................... ......................... ................ 92

Network > DNS ...................... ......................... ......................... ......................... ............................................... 94

Network > DNS Overview .................. ......................... ......................... ......................... ........................94

Configuring Hostname Settings ............... ......................... ......................... ......................... ....................95

Configuring DNS Settings ........ ........................ ......................... ......................... .....................................95

Configuring WINS Settings ......................................... ......................... ......................... .......................... 95

Network > Routes ........................... ......................... ......................... ......................... .......................................96

Network > Routes Overview ........................... ........................................................... .. .......................... 96

Configuring a Default Route for the SSL-VPN Appliance ........... ............................. .. ...................... 97

Configuring Static Routes for the Appliance ................................................................ .. ...................... 97

Network > Host Resolution ................................. .. ............................. ... ............................. .. ..........................99

Network > Host Resolution Overview ............................. .. ............................. .. ............................. . ..... 99

Configuring Host Resolution ......................... .. .............................. .. ............................. .. ........................99

Network > Network Objects ........................................................................................................................100

Network > Network Objects Overview .............................................................................................. 100

Adding Network Objects .............................. .......................................................... ... ............................101

Editing Network Objects ................................................... ......................... ......................... ..................101

Portals Configuration ...........................................................................................105

Portals > Portals ........................................... ......................... ......................... ................................................. 106

Portals > Portals Overview ........... ......................... ......................... ........................ ............................... 106

Adding Portals ......................... ......................... ......................... ......................... .....................................107

Configuring General Portal Settings ..................... ......................... ........................ ............................... 109

Configuring the Home Page ..................................................................................................................110

Configuring Per-Portal Virtual Assist Settings ................................................................................... 114

Configuring Virtual Host Settings .......................... .......................................................... .. ..................115

Adding a Custom Portal Logo ....................................................... .. ............................. .. ......................116

Portals > Application Offloading .................................................................. .. .............................................118

Application Offloading Overview ........................................................................................................118

Configuring an Offloaded Application with HTTP/HTTPS .............................................. .. .......... 119

Configuring Generic SSL Offloading .. .......................................................... .. ............................. ........122

Portals > Domains ................ ......................... ......................... ......................... ...............................................124

Portals > Domains Overview ...................................... .. ............................. .. ......................................... 124

Viewing the Domains Table ..................................................................................................................125

Removing a Domain ............................................................................................................................... 125

Adding or Editing a Domain .............. .......................................................... .. ....................................... 125

Adding or Editing a Domain with Local User Authentication .............................. .. .. ...................... 127

Adding or Editing a Domain with Active Directory Authenticat ion .................... .......................... 128

Adding or Editing a Domain with LDAP Authentication ................................ .............................. . 130

Adding or Editing a Domain with NT Domain Authentication .. ............................. .. .................... 132

Adding or Editing a Domain with RADIUS Authentication ........ ............................. .. .................... 133

Configuring Two-Factor Authentication ................................. .. .............................. .. ..........................136

Portals > Custom Logo .................................................. ......................... ........................ ...............................146

Portals > Load Balancing ........................ ......................... ......................... ......................... ............................147

Portals > Load Balancing Overview .......................... .. ............................. .. ............................. .. ..........147

Configuring a Load Balancing Group ............................................................... .. ................................. 148

SonicWALL SSL VPN 5.0 Administrator’s Guide

Services Configuration ........................................................................................153

Services > Settings ...........................................................................................................................................154

Services > Bookmarks .....................................................................................................................................157

Services > Policies ............................................................................................................................................164

NetExtender Configuration ..................................................................................167

NetExtender > Status ...................... ......................... ......................... ......................... .....................................168

NetExtender > Status Overview ........................................... ......................... ......................... ..............168

Viewing NetExtender Status ....................... ......................... ......................... ......................... ................168

NetExtender > Client Settings ...................................... ......................... ......................... ...............................169

NetExtender > Client Settings Overview ............................................... .. ............................. .. ............169

Configuring the Global NetExtender IP Address Range ..................................................................169

Configuring Global NetExtender Se ttings ................................. ......................... ......................... ........170

NetExtender > Client Routes ...... ......................... ......................... ......................... .......................................171

NetExtender > Client Routes Overview .......................... .. ............................. .. ............................. ......171

Adding NetExtender Client Routes ........................................................................................ .. ............171

NetExtender User and Group Settings .................................................. ............................. ... ......................172

Configuring User-Level NetExten der Settings .. ............................. ... ............................. .. ..................172

Configuring Group-Level NetExtender Settings ................................................................................175

Virtual Assist Configuration ................................................................................177

Virtual Assist > Status .....................................................................................................................................178

Virtual Assist > Status ...................................... ......................... ......................... .....................................178

Virtual Assist > Settings ..................................................................................................................................179

General Settings ........................... ......................... ......................... ......................... .................................179

Request Settings .......................................................................................................................................180

Notification Settings ................................................................................................................................181

Customer Portal Settings ........................... ......................... ......................... ...........................................182

Restriction Settings ..................................................................................................................................183

Virtual Assist > Log .........................................................................................................................................184

Virtual Assist > Licensing ...............................................................................................................................186

Virtual Assist > Licensing Overview ..................... ... ............................. .. ............................. .. ..............186

Enabling Virtual Assist ............................................................................................................................186

High Availability Configuration ...........................................................................189

High Availability Overview ....... ......................... ......................... ......................... ...........................................190

Stateful High Availability Support .........................................................................................................190

Supported Platforms ................................................................................................................................190

Configuring High Availability ........................................................................................................................191

Physical Connectivity ................................ ......................... ......................... .............................................191

Configuring a High Availability Pa ir .... ......................... ......................... ......................... ......................191

Technical FAQ ................................... ......................... ......................... ......................... ...................................193

Web Application Firewall Configuration .............................................................195

Licensing Web Application Firewall .............................................................................................................196

SonicWALL SSL VPN 5.0 Administrator’s Guide

Configuring Web Application Firewall ...................... .......................................................... .. ...................... 199

Viewing and Updating Web Application Firewall Status ...... .. .............................. .. .......................... 199

Configuring Web Application Firewall Settings ... .. .. ................................. ............................. .. .......... 200

Configuring Web Application Firewall Signature Act ions ................................. ... ............................ 205

Determining the Host Entry for Exclusions ....................... ............................. .. ............................. ....209

Configuring Web Application Firewall Custom Rules ............................. .. ............................. .. ........212

Using Web Application Firewall Monitoring ............................... .......................................................226

Using Web Application Firewall Logs .................................................... .. ............................. .. ............ 231

Verifying and Troubleshooting Web Application Firewall ....................................................................... 234

Users Configuration .............................................................................................237

Users > Status .................. ......................... ......................... ......................... ..................................................... 238

Access Policies Concepts .......................................................................................................................239

Access Policy Hierarchy ......................................................................................................................... 239

Users > Local Users ............ ......................... ......................... ......................... .................................................240

Users > Local Users Overview .......... .......................................................... .. .......................................240

Removing a User ..................................................................................................................................... 241

Adding a Local User ........................ ......................... ......................... ......................... ............................ 241

Editing User Settings .. ......................... ......................... ......................... ......................... ........................242

Users > Local Groups ................................... ......................... ......................... ............................................... 263

Users > Local Groups Overview ..... .. .. ............................................................ .. ................................... 263

Deleting a Group .....................................................................................................................................264

Adding a New Group .................... ......................... ......................... ........................ ...............................264

Editing Group Settings ......................................... ........................ ......................... .................................264

Group Configuration for LDAP Authentication Dom ains .......................................... .. .................. 276

Group Configuration for Active Directory, NT and RADIUS Domains .................. .................... 280

Creating a Citrix Bookmark for a Local Group .................................................................................. 282

Global Configuration ............................................... ......................... ......................... .....................................284

Edit Global Settings ........................... ......................... ......................... ......................... .......................... 284

Edit Global Policies .... ......................... ......................... ......................... ......................... ........................ 286

Edit Global Bookmarks ............... ......................... ........................ ......................... .................................288

Log Configuration .................................................................................................291

Log > View .......................................................................................................................................................292

Log > View Overview ............................................................................................................................292

Viewing Logs ................................... ......................... ......................... ........................ ............................... 294

Emailing Logs .............. ......................... ......................... ......................... .................................................295

Log > Settings .................................................................................................................................................. 296

Log > Settings Overview ....................................................................................................................... 296

Configuring Log Settings ................ ......................... ......................... ......................... ............................297

Configuring the Mail Server .................. ......................... ......................... ......................... ...................... 298

Log > Categories ............................................................................................................................................. 299

Log > ViewPoint .............................................................................................................................................300

Log > ViewPoint Overview ..................................................................................................................300

Adding a ViewPoint Server .............................................. ......................... ......................... ....................300

Virtual Office Configuration .................................................................................301

Virtual Office .............................................. ......................... ......................... ................................................... 301

Virtual Office Overview ......... ......................... ......................... ......................... .....................................302

Using the Virtual Office ........................................... ......................... ......................... ............................302

SonicWALL SSL VPN 5.0 Administrator’s Guide

Online Help ............................................................................................................305

Online Help .......................................................................................................................................................306

Using Context Sensitive Help ........................................................... ... ............................. .. ..................306

Configuring SonicWALL SSL VPN with a Third-Party Gateway .......................307

Cisco PIX Configuration for SonicWALL SSL-VPN Appliance Depl oyment ........... ...........................308

Before you Begin . ......................... ......................... ......................... ......................... .................................308

Method One – SonicWALL SSL-VPN Appliance on LAN Interface ................. .. .........................308

Method Two – SonicWALL SSL-VPN Appliance on DMZ Interface ................. ... .. ....................311

Linksys WRT54GS ..........................................................................................................................................315

WatchGuard Firebox X Edge ........ ......................... ......................... ......................... .....................................316

NetGear FVS318 ......................................... ......................... ........................ ....................................................318

Netgear Wireless Router MR814 SSL configuration ..................................................................................320

Check Point AIR 55 .........................................................................................................................................321

Setting up a SonicWALL SSL-VPN with Check Point AIR 55 ............................................... .. ......321

Static Route .. ......................... ......................... ......................... ......................... .........................................322

ARP ................... .................................... ................................. ....................................................................322

Microsoft ISA Server .......................................................................................................................................324

Deploying a SonicWALL SSL-VPN Behind a Microsoft ISA Server ......................... ....................324

Configuring ISA ................. ......................... ......................... ......................... ...........................................324

Use Cases ..............................................................................................................327

Importing CA Certificates on Windows ................ .. ............................. .. ............................. ... ......................327

Importing a goDaddy Certificate on Windows .................................................. .. ............................. ..327

Importing a Server Certificate on Windows .......................... .......................................................... ....330

Creating Unique Access Policies for AD Grou ps ........... ............................. .. ............................. .. ..............331

Creating the Active Directory Do main ....... ......................... ......................... ......................... ..............332

Adding a Global Deny All Policy ....................... ............................. .. .............................. .. ....................333

Creating Local Groups ............................................................................................................................334

Adding the SSHv2 PERMIT Policy ......................................................................................................336

Adding the OWA PERMIT Policies ....................................................................................................337

Verifying the Access Policy Configuration ..........................................................................................339

NetExtender Troubleshooting .............................................................................345

FAQs ......................................................................................................................349

Hardware FAQ ...... ......................... ......................... ......................... ......................... .......................................352

Digital Certificates and Certificate Authorities FAQ ..................................................................................357

NetExtender FAQ ............................. ......................... ......................... ......................... ...................................363

General FAQ ................................ ......................... ......................... ......................... .........................................366

Glossary ................................................................................................................373

SMS Email Formats ..............................................................................................375

SonicWALL SSL VPN 5.0 Administrator’s Guide

Chapter 1: SSL VPN Overview

This chapter provides an overview of the SonicWALL SSL VPN technology, concepts, basic navigational elements and standard deployment guidelines. This chapter includes the following sections:

• “Overview of SonicWALL SSL VPN” section on page 8

• “Concepts for SonicWALL SSL VPN” section on page 11

• “Navigating the SSL VPN Management Interface” section on page 49

• “Deployment Guidelines” section on page 56

SonicWALL SSL VPN 5.0 Administrator’s Guide

Overview of SonicWALL SSL VPN

The SonicWALL SSL-VPN appliance provides organizations with a simple, secure and clientless method of access to applications and network resources specifically for remote and mobile employees. Organizations can use SonicWALL SSL VPN connections without the need to have a pre-configured, large-installation host. Users can easily and securely access email files, intranet sites, applications, and other resources on the corporate Local Area Network (LAN) from any location by accessing a standard Web browser.

Organizations use Virtual Private Networks (VPNs) to establish secure, end-to-end private network connections over a public networking infrastructure, allowing them to reduce their communications expenses and to provide private, secure connections between a user and a site in the organization. By offering Secure Socket Layer (SSL) VPN, without the expense of special feature licensing, the SonicWALL SSL-VPN appliance provides customers with costeffective alternatives to deploying parallel remote-access infrastructures. This section contains the following subsections:

• “SSL for Virtual Private Networking (VPN)” section on page 8

• “SSL VPN Software Components” section on page 9

• “SSL-VPN Hardware Components” section on page 9

SSL for Virtual Private Networking (VPN)

A Secure Socket Layer-based Virtual Private Network (SSL VPN) allows applications and private network resources to be accessed remotely through a secure connection. Using SSL VPN, mobile workers, business partners, and customers can access files or applications on a company’s intranet or within a private local area network.

Although SSL VPN protocols are described as clientless, the typical SSL VPN portal combines Web, Java, and ActiveX components that are downloaded from the SSL VPN portal transparently , allowing users to connect to a remote network without needing to manually inst all and configure a VPN client application. In addition, SSL VPN enables users to connect from a variety of devices, including Windows, Macintosh, and Linux PCs. ActiveX components are only supported on Windows platforms.

For administrators, the SonicWALL SSL VPN Web-based management interface provides an end-to-end SSL VPN solution. This interface can configure SSL VPN users, access policies, authentication methods, user bookmarks for network resources, and system settings.

For clients, Web-based SonicWALL SSL VPN customizable user portals enable users to access, update, upload, and download files and use remote applications installed on desktop machines or hosted on an application server. The platform also supports secure Web-based FTP access, network neighborhood-like interface for file sharing, Secure Shell versions 1 and 2 (SSHv1) and (SSHv2), Telnet emulation, VNC (Virt u a l Ne t wo r k Co m pu t i ng ) and RDP (Remote Desktop Protocol) support, Citrix Web access, bookmarks for offloaded portals (external Web sites), and Web and HTTPS proxy forwarding.

The SonicWALL SSL VPN network extension client, NetExtender , is available through the SSL VPN Web portal via an ActiveX control on Windows or using Java on MacOS or Linux systems. It is also available through stand-alone applications for Windows, Linux, and MacOS platforms. The NetExtender standalone applications are automatically installed on a client system the first time the user clicks the NetExtender link in the Virtual Office portal. SonicWALL SSL VPN NetExtender enables end users to connect to the remote network without needing to install and configure complex software, providing a secure means to access any type of data on the remote network. When used with a SonicWALL SSL-VPN 2000 or higher model, NetExtender supports IPv6 client connections from Windows systems running V ista or newer , and from Linux clients.

SonicWALL SSL VPN 5.0 Administrator’s Guide

Note The SSHv2 applet requires SUN JRE 1.6.0_10 or higher and can only connect to a server

that supports SSHv2. The RDP Java applet requires SUN JRE 1.6.0_10 or higher. Telnet, SSHv1 and VNC applets support MS JVM in Internet Explorer, and run on other browsers with SUN JRE 1.6.0_10 or higher.

SSL VPN Software Components

SonicWALL SSL VPN provides clientless identity-based secure remote access to the protected internal network. Using the Virtual Office environment, SonicW ALL SSL VPN can provide users with secure remote access to your entire private network, or to individual components such as File Shares, Web servers, FTP servers, remote desktops, or even individual applications hosted on Microsoft Terminal Servers.

SSL-VPN Hardware Components

See the following sections for descriptions of the hardware components on SonicWALL SSL-VPN appliances:

• “SRA 4200 Front and Back Panels Overview” on page 9

Overview of SonicWALL SSL VPN

SRA 4200 Front and Back Panels Overview

Figure 1 SonicWALL SRA 4200 Front and Back Panels

SonicWALL SSL VPN 5.0 Administrator’s Guide

Overview of SonicWALL SSL VPN

Front Panel Feature Description

Console Port RJ-45 port, provides access to console messages with serial

USB Ports Provides access to USB interface (for future use). Reset Button Provides access to SafeMode. Power LED Indicates the SonicWALL SRA 4200 is powered on. Test LED Indicates the SonicWALL SRA 4200 is in test mode. Alarm LED Indicates a critical error or failure. X3 Provides access to the X3 interface and to SSL VPN

X2 Provides access to the X2 interface and to SSL VPN

X1 Provides access to the X1 interface and to SSL VPN

X0 Default management port. Provides connectivity between the

Table 1 SonicWALL SRA 4200 Front Panel Features

connection (1 15200 Baud). Provides access to command line interface (for future use).

resources.

SonicWALL SRA 4200 and your gateway.

Table 2 SonicWALL SRA 4200 Back Panel Features

Back Panel Feature Description

Exhaust fans Provides optimal cooling for the SonicWALL SRA 4200

appliance. Power plug Provides power connection using supplied power cord. Power switch Powers the SonicWALL SRA 4200 on and off.

SonicWALL SSL VPN 5.0 Administrator’s Guide

Concepts for SonicWALL SSL VPN

This section provides an overview of the following key concepts, with which the administrator should be familiar when using the SonicWALL SSL-VPN appliance and Web-based management interface:

• “Encryption Overview” section on page 11

• “SSL Handshake Procedure” section on page 11

• “IPv6 Support Overview” section on page 12

• “Browser Requirements for the SSL VPN Administrator” section on page 14

• “Browser Requirements for the SSL VPN End User” section on page 15

• “Portals Overview” section on page 15

• “Domains Overview” section on page 16

• “NetExtender Overview” section on page 16

• “Network Resources Overview” section on page 20

• “SNMP Overview” section on page 26

• “DNS Overview” section on page 26

• “Network Routes Overview” section on page 26

• “Two-Factor Authentication Overview” section on page 26

• “One Time Password Overview” section on page 28

• “Virtual Assist Overview” section on page 30

• “Web Application Firewall Overview” section on page 42

Concepts for SonicWALL SSL VPN

Encryption Overview

Encryption enables users to encode data, making it secure from unauthorized viewers. Encryption provides a private and secure method of communication over the Internet.

A special type of encryption known as Public Key Encryption (PKE) comprises a public and a private key for encrypting and decrypting data. With public key encryption, an entity, such as a secure Web site, generates a public and a private key . A secure W eb server sends a public key to a user who accesses the Web site. The public key allows the user’s Web browser to decrypt data that had been encrypted with the private key. The user ’s Web browser can also transparently encrypt data using the public key and this data can only be decrypted by the secure Web server’s private key.

Public key encryption allows the user to confirm the identity of the Web site through an SSL certificate. After a user contacts the SSL-VPN appliance, the appliance sends the user it s own encryption information, including an SSL certificate with a public encryption key.

SSL Handshake Procedure

The following procedure is an example of the standard steps required to establish an SSL session between a user and an SSL VPN gateway using the SonicWALL SSL VPN Web-based management interface:

Step 1 When a user attempts to connect to the SonicWALL SSL-VPN appliance, the user’s Web

browser sends information about the types of encryption supported by the browser to the appliance.

SonicWALL SSL VPN 5.0 Administrator’s Guide

Concepts for SonicWALL SSL VPN

Step 2 The appliance sends the user its own encryption information, including an SSL certificate with

a public encryption key.

Step 3 The Web browser validates the SSL certificate with the Certificate Authority identified by the

SSL certificate.

Step 4 The Web browser generates a pre-master encryption key, encrypts the pre-master key using

the public key included with the SSL certificate and sends the encrypted pre-master key to the SSL VPN gateway.

Step 5 The SSL VPN gateway uses the pre-master key to create a master key and sends the new

master key to the user’s Web browser.

Step 6 The browser and the SSL VPN gateway use the master key and the agreed upon encryption

algorithm to establish an SSL connection. From this point on, the user and the SSL VPN gateway will encrypt and decrypt data using the same encryption key . This is called symmetric encryption.

Step 7 Once the SSL connection is established, the SSL VPN gateway will encrypt and send the Web

browser the SSL VPN gateway login page.

Step 8 The user submits his user name, password, and domain name. Step 9 If the user’s domain name requires authentication through a RADIUS, LDAP, NT Domain, or

Active Directory Server, the SSL VPN gateway forwards the user’s information to the appropriate server for authentication.

Step 10 Once authenticated, the user can access the SSL VPN portal.

IPv6 Support Overview

Internet Protocol version 6 (IPv6) is a replacement for IPv4 that is becoming more frequently used on networked devices. IPv6 is a suite of protocols and standards developed by the Internet Engineering Task Force (IETF) that provides a larger address space than IPv4, additional functionality and security, and resolves IPv4 design issues. You can use IPv6 without affecting IPv4 communications.

Supported on SonicWALL SSL-VPN models 2000 and higher, IPv6 supports stateful address configuration, which is used with a DHCPv6 server, and st ateless address configuration, where hosts on a link automatically configure themselves with IPv6 addresses for the link, called link- local addresses.

In IPv6, source and destination addresses are 128 bits (16 bytes) in length. For reference, the 32-bit IPv4 address is represented in dotted-decimal format, divided by periods along 8-bit boundaries. The 128-bit IPv6 address is divided by colons along 16-bit boundaries, where each 16-bit block is represented as a 4-digit hexadecimal number . This is called colon-hexadecimal.

The IPv6 address, 2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4 can be simplified by removing the leading zeros within each 16-bit block, as long as each block has at least one digit. When suppressing leading zeros, the address representation becomes: 2008:AB1:0:1E2A:123:45:EE37:C9B4

When addresses contain contiguous sequences of 16-bit blocks set to zeros, the sequence can be compressed to ::, a double-colon. For example, the link-local address of 2008:0:0:0:B67:89:ABCD:1234 can be compressed to 2008::B67:89:ABCD:1234. The multicast address 2008:0:0:0:0:0:0:2 can be compressed to 2008::2.

SonicWALL SSL VPN 5.0 Administrator’s Guide

The IPv6 prefix is the part of the address that indicates the bits of the subnet prefix. Prefixes for IPv6 subnets, routes, and address ranges are written as address/prefix-length, or CIDR notation. For example, 2008:AA::/48 and 2007:BB:0:89AB::/64 are IPv6 address prefixes.

SonicOS SSL VPN supports IPv6 in the following areas:

Services

• FTP Bookmark – Define a FTP bookmark using an IPv6 address.

• Telnet Bookmark – Define a Telnet bookmark using an IPv6 address.

• SSHv1 / SSHv2 Bookmark – Define an SSHv1 or SSHv2 bookmark using an IPv6 address.

• Reverse proxy for HTTP/HTTPS Bookmark – Define an HTTP or HTTPS bookmark using

an IPv6 address.

• Citrix Bookmark – Define a Citrix bookmark using an IPv6 address.

• RDP Bookmark - Define an RDP bookmark using an IPv6 address.

• VNC Bookmark - Define a VNC bookmark using an IPv6 address.

Note IPv6 is not supported for File Shares.

Settings

• Interface Settings – Define an IPv6 address for the interface. The link-local address is

displayed in a tooltip on Interfaces page.

• Route Settings – Define a static route with IPv6 destination network and gateway.

• Network Object – Define the network object using IPv6. An IPv6 address and IPv6 network

can be attached to this network object.

Concepts for SonicWALL SSL VPN

NetExtender

When a client connects to NetExtender , it can get an IPv6 address from the SSL-VPN appliance if the client machine supports IPv6 and an IPv6 address pool is configured on the SSL-VPN. NetExtender supports IPv6 client connections from Windows systems running Vista or newer, and from Linux clients.

SonicWALL SSL VPN 5.0 Administrator’s Guide

Concepts for SonicWALL SSL VPN

SSL VPN

Management

Interface

Minimum Browser/Version

Requirements

44444

222

Browser

Windows XP

Windows Vista

Windows 7 Linux

MacOS X

Virtual Assist

Users and Technicians can request and provide support when using IPv6 addresses.

Rules

• Policy rule – User or Group Policies. Three IPv6 options in the Apply Policy To drop-down

list:

–

IPv6 Address

–

IPv6 Address Range

–

All IPv6 Address

• Login rule – Use IPv6 for address fields:

–

Define Login From Defined Addresses using IPv6

–

Two IPv6 options in the Source Address drop-down list: IPv6 Address / IPv6 Network

Virtual Hosts

An administrator can assign an IPv6 address to a virtual host, and can use this address to access the virtual host.

Application Offloading

An administrator can assign an IPv6 address to an application server used for application offloading, and can use this address to access the server.

Browser Requirements for the SSL VPN Administrator

The following Web browsers are supported for the SonicWALL SSL VPN Web-based management interface and the user portal, Virtual Office. Java is only required for various aspects of the SSL VPN Virtual Office, not the management interface.

• Internet Explorer 6.0+, 7.0+, 8.0+

• Firefox 2.0+

• Safari 2.0+

• Chrome 4.0+

The following table provides specific browser requirements.

To configure SonicWALL SSL-VPN appliance using the Web-based management interface, an administrator must use a Web browser with Java, JavaScript, ActiveX, cookies, popups, and SSLv3 or TLS 1.0 enabled.

SonicWALL SSL VPN 5.0 Administrator’s Guide

Concepts for SonicWALL SSL VPN

SSL VPN

Management

Interface

Minimum Browser/Version

Requirements

4444

222

Browser

Windows XP

Windows Vista

Windows 7 Linux

Browser Requirements for the SSL VPN End User

The following is a list of Web browser and operating system support for various SSL VPN protocols including NetExtender and various Application Proxy elements. Requirements are shown for Windows, Windows Vista, Windows 7, Linux, and MacOS.

Portals Overview

File Shares

Custom Portals

The SonicWALL SSL-VPN appliance provides a mechanism called Virtual Office, which is a Web-based portal interface that provides clients with easy access to internal resources in your organization. Components such as NetExtender, Virtual Assist, and bookmarks to file shares and other network resources are presented to users through the Virtual Office portal. For organizations with multiple user types, the SSL-VPN allows for multiple customized portals, each with its own set of shared resource bookmarks. Portals also allow for individual domain and security certificates on a per-portal basis. The components in a port al are customized when adding a portal.

File shares provide remote users with a secure Web interface to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft’ s familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall. File shares can be configured to allow restricted server path access.

SonicWALL SSL VPN enables you to configure multiple portals, each with its own title, banner, login message, logo and set of available resources. Each portal also enables you to set individual Virtual Hosts/Domain Names (on SonicWALL SSL-VPN models 2000 and higher) to create a unique default portal URL. When a user logs into a port al, he or she sees a set of pre-configured links and bookmarks that are specific to that portal. You can

SonicWALL SSL VPN 5.0 Administrator’s Guide

Concepts for SonicWALL SSL VPN

configure whether or not NetExtender is displayed on a Virtual Office portal, and if you want NetExtender to automatically launch when users log in to the portal. The administrator configures which elements each portal displays through the Portal Set tings dialog box. For information on configuring portals, refer to the “Portals > Portals” section on page 106.

Domains Overview

A domain in the SonicWALL SSL VPN environment is a mechanism that enables authentication of users attempting to access the network being serviced by the SSL-VPN appliance. Domain types include the SSL VPN's internal LocalDomain, and the external platforms Microsoft Active Directory, NT Authentication, LDAP, and RADIUS. Often, only one domain will suffice to provide authentication to your organization, although a larger organization may require distributed domains to handle multiple nodes or collections of users attempting to access applications through the portal. For information about configuring domains, refer to the “Port als > Domains”

section on page 124.

NetExtender Overview

This section provides an overview to the NetExtender feature. This section contains the following subsections:

• “What is NetExtender?” section on page 16

• “Benefits” section on page 16

• “NetExtender Concepts” section on page 17

For information on using NetExtender, refer to the “NetExtender > Status” section on page 168 or refer to the SonicWALL SSL VPN User’s Guide.

What is NetExtender?

SonicWALL NetExtender is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender , remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.

Benefits

NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin w hen using Firefox. On Linux or MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal.

The NetExtender Windows client also has a custom-dialer that allows it to be launched from the Windows Network Connections menu. This custom-dialer allows NetExtender to be connected before the Windows domain login. The NetExtender Windows client also supports a single active connection, and displays real-time throughput and data compression ratios in the client.

SonicWALL SSL VPN 5.0 Administrator’s Guide

After installation, NetExtender automatically launches and connects a virtual adapter for SSLsecure NetExtender point-to-point access to permitted hosts and subnets on the internal network.

NetExtender Concepts

The following sections describe advanced NetExtender concepts:

• “Stand-Alone Client” section on page 17

• “Multiple Ranges and Routes” section on page 17

• “NetExtender with External Authentication Methods” section on page 18

• “Point to Point Server IP Address” section on page 18

• “Connection Scripts” section on page 18

• “Tunnel All Mode” section on page 19

• “Proxy Configuration” section on page 19

Stand-Alone Client

SonicWALL SSL VPN provides a stand-alone NetExtender application. NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer will first uninstall the old NetExtender and install the new version.

Concepts for SonicWALL SSL VPN

Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder , or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragg ed to the shortcut bar in environments like Gnome and KDE.

Multiple Ranges and Routes

Multiple range and route support for NetExtender on SonicWALL SSL-VPN models 2000 and higher enables network administrators to easily segment groups and users without the need to configure firewall rules to govern access. This user segmentation allows for granular control of access to the network—allowing users access to necessary resources while restricting access to sensitive resources to only those who require it.

For networks that do not require segmentation, client addresses and routes can be configured globally as in the SSL VPN 1.0 version of NetExtender. The follo wing sections describe the new multiple range and route enhancements:

• “IP Address User Segmentation” on page 18

• “Client Routes” on page 18

SonicWALL SSL VPN 5.0 Administrator’s Guide

+ 364 hidden pages

Sonicwall SRA SSL VPN 5.0 ADMINISTRATORS GUIDE

Specifications and Main Features

Frequently Asked Questions

User Manual

SonicWALL SRA SSL VPN 5.0 Administrator’s Guide

Copyright Notice

Trademarks

SonicWALL GPL Source Code

GNU General Public License (GPL)

Limited Warranty

SonicWALL Technical Support

North America Telephone Support

International Telephone Support

More Information on SonicWALL Products

About This Guide

Guide Conventions

Icons Used in this Manual

Organization of This Guide

SSL VPN Overview

System Configuration

Network Configuration

Portals Configuration

NetExtender Configuration

Virtual Assist Configuration

High Availability Configuration

Web Application Firewall Configuration

Users Configuration

Log Configuration

Virtual Office Configuration

Appendix A: Accessing Online Help

Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway

Appendix C: Use Cases

Appendix D: NetExtender Troubleshooting

Appendix E: FAQ

Appendix F: Glossary

Appendix G: SMS Email Formats

Table of Contents

Chapter 1: SSL VPN Overview

Overview of SonicWALL SSL VPN

SSL for Virtual Private Networking (VPN)

SSL VPN Software Components

SSL-VPN Hardware Components

SRA 4200 Front and Back Panels Overview

Concepts for SonicWALL SSL VPN

Encryption Overview

SSL Handshake Procedure

IPv6 Support Overview

Browser Requirements for the SSL VPN Administrator

Browser Requirements for the SSL VPN End User

Portals Overview

File Shares

Custom Portals

Domains Overview

NetExtender Overview

What is NetExtender?

Benefits

NetExtender Concepts

Stand-Alone Client

Multiple Ranges and Routes