or part, without the written consent of the manufacturer, except in the normal use of th e software to
make a backup copy. The same proprietary and copyright notices mu st be affixed to any permitted
copies as were affixed to the original. This exception does not allo w copi es to be made fo r o ther s,
whether or not sold, but all of the material purchased (with all backup copies) can be sold, given,
or loaned to another person. Under the law, copying includes transla ting into another language or
format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 7, Windows Vista, Windows XP, Windows Server 2003, Windows 2000,
Windows NT, Internet Explorer, and Active Directory are trademarks or registered trademarks of
Microsoft Corporation.
Firefox is a trademark of the Mozilla Foundation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and
other countries. Netscape Navigator and Netscape Communicator are also trademarks of
Netscape Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe
Systems Incorporated in the U.S. and/or other countries.
Cisco Systems and Cisco PIX 515e and Linksys and Linksys Playtoy23 are either registered
trademarks or trademarks of Cisco Systems in the U.S. and /or other countries.
Watchguard and Watchguard Firebox X Edge are either registered trademarks or trademarks of
Watchguard Technologies Corporation in the U.S. and/or other countries.
NetGear, NetGear FVS318, and NetGear Wireless Router MR814 SSL are either registered
trademarks or trademarks of NetGear, Inc., in the U.S. and/or other countries.
Check Point and Check Point AIR 55 are either registered trademarks or trademarks of Check
Point Software Technologies, Ltd., in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered
trademarks of their respective companies and are the sole property of their respective
manufacturers.
ii
SonicWALL SSL VPN 5.0 Administrator’s Guide
SonicWALL GPL Source Code
GNU General Public License (GPL)
SonicWALL will provide a machine-readable copy of the GPL open source on a CD. To obtain a
complete machine-readable copy, send your written request, along with a certified check or m oney
order in the amount of US $25.00 payable to "SonicWALL, Inc." to:
General Public License Source Code Request
SonicWALL, Inc. Attn: Jennifer Anderson
2001 Logic Drive
San Jose, CA 95124-3452
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and
continuing for a period of twelve (12) months, that the product will be free from defects in materials
and workmanship under normal use. This Limited Warranty is not transferable and applies only to
the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's
sole and exclusive remedy under this limited warranty will be shipment of a replacement product.
At SonicWALL's discretion the replacement product may be of equal or greater functionality and
may be of either new or like-new quality. SonicWALL's obligations under this warranty are
contingent upon the return of the defective product according to the terms of SonicWALL's thencurrent Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress,
damaged by accident, abuse, misuse or misapplication, or has been modified without the written
permission of SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS
OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR
ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE
HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE
EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED
IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS
DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE
LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL
RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION
TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set
forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO
EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS,
BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS
ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL,
INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED
AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR
SonicWALL SSL VPN 5.0 Administrator’s Guide
iii
INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall
SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence),
or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the
above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
<http://www.sonicwall.com/us/support.html>. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below. See
<http://www.sonicwall.com/us/support/contact.html> for the latest technical support telephone
numbers.
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.3457.8971
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
iv
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
SonicWALL SSL VPN 5.0 Administrator’s Guide
More Information on SonicWALL Products
Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Check the SonicWALL documentation Web site for that latest versions
of this manual and all other SonicWALL product documentation.
http://www.sonicwall.com/us/support.html
SonicWALL SSL VPN 5.0 Administrator’s Guide
v
vi
SonicWALL SSL VPN 5.0 Administrator’s Guide
About This Guide
The SonicWALL SSL VPN Administrator’s Guide provides network administrators with a highlevel overview of SonicWALL SSL VPN technology, including activation, configuration, and
administration of the SonicWALL SSL VPN management interface and the SonicWALL
SSL-VPN appliance.
NoteAlways check <http://www.sonicwall.com/support/documentation.html> for the latest
version of this guide as well as other SonicWALL products and services documentation.
Guide Conventions
The following conventions used in this guide are as follows:
ConventionUse
BoldHighlights dialog box, window, and screen names. Also
About This Guide
highlights buttons and tabs. Also used for file names and
text or values you are being instructed to type into the interface.
ItalicIndicate s the name of a technica l manual, e mphasis on cer-
Menu Item > Menu ItemIndicates a multiple step Management Interface menu
Icons Used in this Manual
These special messages refer to noteworthy information, and include a symbol for quick
identification:
TipUseful information about security features and configurations on your SonicWALL.
NoteImportant information on a feature that requires callout for special attention.
Timesaver Useful tips about features that may save you time
tain words in a sentence, or the first instance of a significant
term or concept.
choice. For example, System > Status means select the
Status page under the System menu.
Indicates a client feature that is only supported on the Microsoft Windows platform.
Indicates a client feature that is supported on Microsoft Windows, Apple MacOS, and Linux
SonicWALL SSL VPN 5.0 Administrator’s Guide
vii
About This Guide
Organization of This Guide
The SonicWALL SSL VPN Administrator’s Guide is organized in chapters that follow the
SonicWALL SSL VPN Web-based management interface structure.
This section contains a description of the following chapters and appendices:
•“SSL VPN Overview” on page viii
•“System Configuration” on page viii
•“Network Configuration” on page ix
•“Portals Configuration” on page ix
•“NetExtender Configuration” on page ix
•“Virtual Assist Configuration” on page ix
•“Web Application Firewall Configuration” on page ix
•“Users Configuration” on page ix
•“Log Configuration” on page x
•“Virtual Office Configuration” on page x
•“Appendix A: Accessing Online Help” on page x
•“Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page x
•“Appendix C: Use Cases” on page x
•“Appendix D: NetExtender Troubleshooting” on page x
•“Appendix E: FAQ” on page x
•“Appendix F: Glossary” on page xi
•“Appendix G: SMS Email Formats” on page xi
SSL VPN Overview
“SSL VPN Overview” on page 7 provides an introduction to SSL VPN technology and an
overview of the SonicWALL SSL-VPN appliance and Web-based management interface
features. The SSL VPN Overview chapter includes SSL VPN concepts, a Web-based
management interface overview, and deployment guidelines.
System Configuration
“System Configuration” on page 59 provides instructions for configuring SonicWALL SSL VPN
options under System in the navigation bar of the management interface, including:
•Registering the SonicWALL appliance
•Setting the date and time
•Working with configuration files
•Managing firmware versions and preferences
•General appliance administration
•Certificate management
•Viewing SSL VPN monitoring reports
•Using diagnostic tools
viii
SonicWALL SSL VPN 5.0 Administrator’s Guide
Network Configuration
“Network Configuration” on page 91 provides instructions for configuring SonicWALL SSL VPN
options under Network in the navigation bar of the management interface, including:
•Configuring network interfaces
•Configuring DNS settings
•Setting network routes and static routes
•Configuring hostname and IP address information for internal name resolution
“Portals Configuration” on page 105 provides instructions for configuring SonicWALL SSL VPN
options under Portals in the navigation bar of the management interface, including portals,
domains (including RADIUS, NT , LDAP and Active Directory authentication), and custom logos.
NetExtender Configuration
“NetExtender Configuration” on page 167 provides instructions for configuring SonicWALL SSL
VPN options under NetExtender in the navigation bar of the management interface, including
NetExtender status, setting NetExtender address range, and configuring NetExtender routes.
About This Guide
Virtual Assist Configuration
“Virtual Assist Configuration” on page 177 provides instructions for configuring SonicWALL
SSL VPN options under Virtual Assist in the navigation bar of the management interface,
including Virtual Assist status, settings and licensing.
High Availability Configuration
“High Availability Configuration” on page 189 provides information and configuration tasks
specific to High Availability in the navigation bar of the management interface.
Web Application Firewall Configuration
“Web Application Firewall Configuration” on page 195 provides instructions for configuring
SonicWALL SSL VPN options under Web Application Firewall in the navigation bar of the
management interface, including Web Application Firewall status, settings, signatures, log, and
licensing.
Users Configuration
“Users Configuration” on page 237 provides instructions for configuring SonicWALL SSL VPN
options under Users in the navigation bar of the management interface, including:
•Access policy hierarchy overview
•Configuring local users and local user policies
•Configuring user groups and user group policies
•Global configuration
SonicWALL SSL VPN 5.0 Administrator’s Guide
ix
About This Guide
Log Configuration
“Log Configuration” on page 291 provides instructions for configuring SonicWALL SSL VPN
options under Log in the navigation bar of the management interface, including viewing and
configuring logs and creating alert categories.
Virtual Office Configuration
“Virtual Office Configuration” on p age 301 provides a brief introduction to the Virtual Office, the
user portal feature of SonicWALL SSL VPN. The administrator can access the Virtual Office
user portal using Virtual Office in the navigation bar of the SonicWALL SSL VPN Web-based
management interface. Users access the Virtual Office using a Web browser. The SonicWALL SSL VPN User’s Guide provides detailed information about the Virtual Office.
Appendix A: Accessing Online Help
“Online Help” on page 305 provides a description of the help available from the Online Help
button in the upper right corner of the management interface. This appendix also includes an
overview of the context-sensitive help found on most pages of the SonicWALL SSL VPN
management interface.
Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway
“Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page 307 provides
configuration instructions for configuring the SonicWALL SSL-VPN appliance to work with thirdparty gateways, including:
•Cisco PIX
•Linksys WRT54GS
•WatchGuard Firebox X Edge
•NetGear FVS318
•Netgear Wireless Router MR814
•Check Point AIR 55
•Microsoft ISA Server 2000
Appendix C: Use Cases
“Use Cases” on page 327 provides use cases for importing CA certificates and for configuring
group-based access policies for multiple Active Directory groups needing access to Outlook
Web Access and SSH.
Appendix D: NetExtender Troubleshooting
“NetExtender Troubleshooting” on page 345 provides troubleshooting support for the
SonicWALL SSL VPN NetExtender feature.
Appendix E: FAQ
“FAQs” on page 349 provides a list of frequently asked questions about the SonicWALL SSL
VPN Web-based management interface and SonicWALL SSL-VPN appliance.
x
SonicWALL SSL VPN 5.0 Administrator’s Guide
Appendix F: Glossary
“Glossary” on page 373 provides a glossary of technical terms used in the
SonicWALL SSL VPN Administrator’s Guide.
Appendix G: SMS Email Formats
“SMS Email Formats” on page 375 provides a list of SMS email formats for selected worldwide
SonicWALL Technical Support ......................... ......................... ......................... ............................................ iv
More Information on SonicWALL Products .................................................................................. .. ...............v
About This Guide .............................................................................................................................................. vii
Guide Conventions ................................................................................................................................... vii
Organization of This Guide ....................................................................................................................viii
Table of Contents ......................................................................................................1
System Configuration ............................................................................................59
System > Status .................................... ......................... ......................... ............................................................60
System > Status Overview ........ .......................................................... ... ............................. .. ....................60
Registering Your SonicWALL SSL-VPN from System Status ...........................................................62
Registering the SSL-VPN from System > Licenses .............................. .. ............................. .. ..............67
Activating or Upgrading Licenses ........................................... ......................... ......................... ..............69
System > Support Services ...............................................................................................................................70
System > Time .................................... ......................... ......................... ......................... .....................................71
System > Time Overview ....... .. ........................................................................................ .. ......................71
Setting the Time ........................................ ......................... ......................... ...............................................72
Virtual Assist > Status .....................................................................................................................................178
Virtual Assist > Status ...................................... ......................... ......................... .....................................178
Configuring High Availability ........................................................................................................................191
Users > Local Users ............ ......................... ......................... ......................... .................................................240
Users > Local Users Overview .......... .......................................................... .. .......................................240
Removing a User ..................................................................................................................................... 241
Adding a Local User ........................ ......................... ......................... ......................... ............................ 241
Editing User Settings .. ......................... ......................... ......................... ......................... ........................242
Users > Local Groups ................................... ......................... ......................... ............................................... 263
Users > Local Groups Overview ..... .. .. ............................................................ .. ................................... 263
Deleting a Group .....................................................................................................................................264
Adding a New Group .................... ......................... ......................... ........................ ...............................264
Editing Group Settings ......................................... ........................ ......................... .................................264
Group Configuration for LDAP Authentication Dom ains .......................................... .. .................. 276
Group Configuration for Active Directory, NT and RADIUS Domains .................. .................... 280
Creating a Citrix Bookmark for a Local Group .................................................................................. 282
Global Configuration ............................................... ......................... ......................... .....................................284
Edit Global Settings ........................... ......................... ......................... ......................... .......................... 284
Edit Global Policies .... ......................... ......................... ......................... ......................... ........................ 286
Edit Global Bookmarks ............... ......................... ........................ ......................... .................................288
Configuring the Mail Server .................. ......................... ......................... ......................... ...................... 298
Using the Virtual Office ........................................... ......................... ......................... ............................302
SonicWALL SSL VPN 5.0 Administrator’s Guide
5
Online Help ............................................................................................................305
Online Help .......................................................................................................................................................306
Using Context Sensitive Help ........................................................... ... ............................. .. ..................306
Configuring SonicWALL SSL VPN with a Third-Party Gateway .......................307
Before you Begin . ......................... ......................... ......................... ......................... .................................308
Method One – SonicWALL SSL-VPN Appliance on LAN Interface ................. .. .........................308
Method Two – SonicWALL SSL-VPN Appliance on DMZ Interface ................. ... .. ....................311
Check Point AIR 55 .........................................................................................................................................321
Setting up a SonicWALL SSL-VPN with Check Point AIR 55 ............................................... .. ......321
Microsoft ISA Server .......................................................................................................................................324
Deploying a SonicWALL SSL-VPN Behind a Microsoft ISA Server ......................... ....................324
Configuring ISA ................. ......................... ......................... ......................... ...........................................324
Use Cases ..............................................................................................................327
Importing CA Certificates on Windows ................ .. ............................. .. ............................. ... ......................327
Importing a goDaddy Certificate on Windows .................................................. .. ............................. ..327
Importing a Server Certificate on Windows .......................... .......................................................... ....330
Creating Unique Access Policies for AD Grou ps ........... ............................. .. ............................. .. ..............331
Creating the Active Directory Do main ....... ......................... ......................... ......................... ..............332
Adding a Global Deny All Policy ....................... ............................. .. .............................. .. ....................333
Creating Local Groups ............................................................................................................................334
Adding the SSHv2 PERMIT Policy ......................................................................................................336
Adding the OWA PERMIT Policies ....................................................................................................337
Verifying the Access Policy Configuration ..........................................................................................339
This chapter provides an overview of the SonicWALL SSL VPN technology, concepts, basic
navigational elements and standard deployment guidelines. This chapter includes the following
sections:
•“Overview of SonicWALL SSL VPN” section on page 8
•“Concepts for SonicWALL SSL VPN” section on page 11
•“Navigating the SSL VPN Management Interface” section on page 49
•“Deployment Guidelines” section on page 56
SonicWALL SSL VPN 5.0 Administrator’s Guide
7
Overview of SonicWALL SSL VPN
Overview of SonicWALL SSL VPN
The SonicWALL SSL-VPN appliance provides organizations with a simple, secure and
clientless method of access to applications and network resources specifically for remote and
mobile employees. Organizations can use SonicWALL SSL VPN connections without the need
to have a pre-configured, large-installation host. Users can easily and securely access email
files, intranet sites, applications, and other resources on the corporate Local Area Network
(LAN) from any location by accessing a standard Web browser.
Organizations use Virtual Private Networks (VPNs) to establish secure, end-to-end private
network connections over a public networking infrastructure, allowing them to reduce their
communications expenses and to provide private, secure connections between a user and a
site in the organization. By offering Secure Socket Layer (SSL) VPN, without the expense of
special feature licensing, the SonicWALL SSL-VPN appliance provides customers with costeffective alternatives to deploying parallel remote-access infrastructures. This section contains
the following subsections:
•“SSL for Virtual Private Networking (VPN)” section on page 8
•“SSL VPN Software Components” section on page 9
•“SSL-VPN Hardware Components” section on page 9
SSL for Virtual Private Networking (VPN)
A Secure Socket Layer-based Virtual Private Network (SSL VPN) allows applications and
private network resources to be accessed remotely through a secure connection. Using SSL
VPN, mobile workers, business partners, and customers can access files or applications on a
company’s intranet or within a private local area network.
Although SSL VPN protocols are described as clientless, the typical SSL VPN portal combines
Web, Java, and ActiveX components that are downloaded from the SSL VPN portal
transparently , allowing users to connect to a remote network without needing to manually inst all
and configure a VPN client application. In addition, SSL VPN enables users to connect from a
variety of devices, including Windows, Macintosh, and Linux PCs. ActiveX components are only
supported on Windows platforms.
For administrators, the SonicWALL SSL VPN Web-based management interface provides an
end-to-end SSL VPN solution. This interface can configure SSL VPN users, access policies,
authentication methods, user bookmarks for network resources, and system settings.
For clients, Web-based SonicWALL SSL VPN customizable user portals enable users to
access, update, upload, and download files and use remote applications installed on desktop
machines or hosted on an application server. The platform also supports secure Web-based
FTP access, network neighborhood-like interface for file sharing, Secure Shell versions 1 and
2 (SSHv1) and (SSHv2), Telnet emulation, VNC (Virt u a l Ne t wo r k Co m pu t i ng ) and RDP (Remote
Desktop Protocol) support, Citrix Web access, bookmarks for offloaded portals (external Web
sites), and Web and HTTPS proxy forwarding.
The SonicWALL SSL VPN network extension client, NetExtender , is available through the SSL VPN
Web portal via an ActiveX control on Windows or using Java on MacOS or Linux systems. It is also
available through stand-alone applications for Windows, Linux, and MacOS platforms. The
NetExtender standalone applications are automatically installed on a client system the first time
the user clicks the NetExtender link in the Virtual Office portal. SonicWALL SSL VPN
NetExtender enables end users to connect to the remote network without needing to install and
configure complex software, providing a secure means to access any type of data on the
remote network. When used with a SonicWALL SSL-VPN 2000 or higher model, NetExtender
supports IPv6 client connections from Windows systems running V ista or newer , and from Linux
clients.
8
SonicWALL SSL VPN 5.0 Administrator’s Guide
NoteThe SSHv2 applet requires SUN JRE 1.6.0_10 or higher and can only connect to a server
that supports SSHv2. The RDP Java applet requires SUN JRE 1.6.0_10 or higher. Telnet,
SSHv1 and VNC applets support MS JVM in Internet Explorer, and run on other browsers
with SUN JRE 1.6.0_10 or higher.
SSL VPN Software Components
SonicWALL SSL VPN provides clientless identity-based secure remote access to the protected
internal network. Using the Virtual Office environment, SonicW ALL SSL VPN can provide users
with secure remote access to your entire private network, or to individual components such as
File Shares, Web servers, FTP servers, remote desktops, or even individual applications
hosted on Microsoft Terminal Servers.
SSL-VPN Hardware Components
See the following sections for descriptions of the hardware components on SonicWALL
SSL-VPN appliances:
•“SRA 4200 Front and Back Panels Overview” on page 9
Overview of SonicWALL SSL VPN
SRA 4200 Front and Back Panels Overview
Figure 1SonicWALL SRA 4200 Front and Back Panels
SonicWALL SSL VPN 5.0 Administrator’s Guide
9
Overview of SonicWALL SSL VPN
Front Panel FeatureDescription
Console PortRJ-45 port, provides access to console messages with serial
USB PortsProvides access to USB interface (for future use).
Reset ButtonProvides access to SafeMode.
Power LEDIndicates the SonicWALL SRA 4200 is powered on.
Test LEDIndicates the SonicWALL SRA 4200 is in test mode.
Alarm LEDIndicates a critical error or failure.
X3Provides access to the X3 interface and to SSL VPN
X2Provides access to the X2 interface and to SSL VPN
X1Provides access to the X1 interface and to SSL VPN
X0Default management port. Provides connectivity between the
Table 1SonicWALL SRA 4200 Front Panel Features
connection (1 15200 Baud). Provides access to command line
interface (for future use).
resources.
resources.
resources.
SonicWALL SRA 4200 and your gateway.
Table 2SonicWALL SRA 4200 Back Panel Features
Back Panel FeatureDescription
Exhaust fansProvides optimal cooling for the SonicWALL SRA 4200
appliance.
Power plugProvides power connection using supplied power cord.
Power switchPowers the SonicWALL SRA 4200 on and off.
10
SonicWALL SSL VPN 5.0 Administrator’s Guide
Concepts for SonicWALL SSL VPN
This section provides an overview of the following key concepts, with which the administrator
should be familiar when using the SonicWALL SSL-VPN appliance and Web-based
management interface:
•“Encryption Overview” section on page 11
•“SSL Handshake Procedure” section on page 11
•“IPv6 Support Overview” section on page 12
•“Browser Requirements for the SSL VPN Administrator” section on page 14
•“Browser Requirements for the SSL VPN End User” section on page 15
•“Portals Overview” section on page 15
•“Domains Overview” section on page 16
•“NetExtender Overview” section on page 16
•“Network Resources Overview” section on page 20
•“SNMP Overview” section on page 26
•“DNS Overview” section on page 26
•“Network Routes Overview” section on page 26
•“Two-Factor Authentication Overview” section on page 26
•“One Time Password Overview” section on page 28
•“Virtual Assist Overview” section on page 30
•“Web Application Firewall Overview” section on page 42
Concepts for SonicWALL SSL VPN
Encryption Overview
Encryption enables users to encode data, making it secure from unauthorized viewers.
Encryption provides a private and secure method of communication over the Internet.
A special type of encryption known as Public Key Encryption (PKE) comprises a public and a
private key for encrypting and decrypting data. With public key encryption, an entity, such as a
secure Web site, generates a public and a private key . A secure W eb server sends a public key
to a user who accesses the Web site. The public key allows the user’s Web browser to decrypt
data that had been encrypted with the private key. The user ’s Web browser can also
transparently encrypt data using the public key and this data can only be decrypted by the
secure Web server’s private key.
Public key encryption allows the user to confirm the identity of the Web site through an SSL
certificate. After a user contacts the SSL-VPN appliance, the appliance sends the user it s own
encryption information, including an SSL certificate with a public encryption key.
SSL Handshake Procedure
The following procedure is an example of the standard steps required to establish an SSL
session between a user and an SSL VPN gateway using the SonicWALL SSL VPN Web-based
management interface:
Step 1When a user attempts to connect to the SonicWALL SSL-VPN appliance, the user’s Web
browser sends information about the types of encryption supported by the browser to the
appliance.
SonicWALL SSL VPN 5.0 Administrator’s Guide
11
Concepts for SonicWALL SSL VPN
Step 2The appliance sends the user its own encryption information, including an SSL certificate with
a public encryption key.
Step 3The Web browser validates the SSL certificate with the Certificate Authority identified by the
SSL certificate.
Step 4The Web browser generates a pre-master encryption key, encrypts the pre-master key using
the public key included with the SSL certificate and sends the encrypted pre-master key to the
SSL VPN gateway.
Step 5The SSL VPN gateway uses the pre-master key to create a master key and sends the new
master key to the user’s Web browser.
Step 6The browser and the SSL VPN gateway use the master key and the agreed upon encryption
algorithm to establish an SSL connection. From this point on, the user and the SSL VPN
gateway will encrypt and decrypt data using the same encryption key . This is called symmetric
encryption.
Step 7Once the SSL connection is established, the SSL VPN gateway will encrypt and send the Web
browser the SSL VPN gateway login page.
Step 8The user submits his user name, password, and domain name.
Step 9If the user’s domain name requires authentication through a RADIUS, LDAP, NT Domain, or
Active Directory Server, the SSL VPN gateway forwards the user’s information to the
appropriate server for authentication.
Step 10 Once authenticated, the user can access the SSL VPN portal.
IPv6 Support Overview
Internet Protocol version 6 (IPv6) is a replacement for IPv4 that is becoming more frequently
used on networked devices. IPv6 is a suite of protocols and standards developed by the
Internet Engineering Task Force (IETF) that provides a larger address space than IPv4,
additional functionality and security, and resolves IPv4 design issues. You can use IPv6
without affecting IPv4 communications.
Supported on SonicWALL SSL-VPN models 2000 and higher, IPv6 supports stateful address
configuration, which is used with a DHCPv6 server, and st ateless address configuration, where
hosts on a link automatically configure themselves with IPv6 addresses for the link, called link-local addresses.
In IPv6, source and destination addresses are 128 bits (16 bytes) in length. For reference, the
32-bit IPv4 address is represented in dotted-decimal format, divided by periods along 8-bit
boundaries. The 128-bit IPv6 address is divided by colons along 16-bit boundaries, where each
16-bit block is represented as a 4-digit hexadecimal number . This is called colon-hexadecimal.
The IPv6 address, 2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4 can be simplified by
removing the leading zeros within each 16-bit block, as long as each block has at least one
digit. When suppressing leading zeros, the address representation becomes:
2008:AB1:0:1E2A:123:45:EE37:C9B4
12
When addresses contain contiguous sequences of 16-bit blocks set to zeros, the sequence can
be compressed to ::, a double-colon. For example, the link-local address of
2008:0:0:0:B67:89:ABCD:1234 can be compressed to 2008::B67:89:ABCD:1234. The
multicast address 2008:0:0:0:0:0:0:2 can be compressed to 2008::2.
SonicWALL SSL VPN 5.0 Administrator’s Guide
The IPv6 prefix is the part of the address that indicates the bits of the subnet prefix. Prefixes
for IPv6 subnets, routes, and address ranges are written as address/prefix-length, or CIDR
notation. For example, 2008:AA::/48 and 2007:BB:0:89AB::/64 are IPv6 address prefixes.
SonicOS SSL VPN supports IPv6 in the following areas:
Services
•FTP Bookmark – Define a FTP bookmark using an IPv6 address.
•Telnet Bookmark – Define a Telnet bookmark using an IPv6 address.
•SSHv1 / SSHv2 Bookmark – Define an SSHv1 or SSHv2 bookmark using an IPv6 address.
•Reverse proxy for HTTP/HTTPS Bookmark – Define an HTTP or HTTPS bookmark using
an IPv6 address.
•Citrix Bookmark – Define a Citrix bookmark using an IPv6 address.
•RDP Bookmark - Define an RDP bookmark using an IPv6 address.
•VNC Bookmark - Define a VNC bookmark using an IPv6 address.
NoteIPv6 is not supported for File Shares.
Settings
•Interface Settings – Define an IPv6 address for the interface. The link-local address is
displayed in a tooltip on Interfaces page.
•Route Settings – Define a static route with IPv6 destination network and gateway.
•Network Object – Define the network object using IPv6. An IPv6 address and IPv6 network
can be attached to this network object.
Concepts for SonicWALL SSL VPN
NetExtender
When a client connects to NetExtender , it can get an IPv6 address from the SSL-VPN appliance
if the client machine supports IPv6 and an IPv6 address pool is configured on the SSL-VPN.
NetExtender supports IPv6 client connections from Windows systems running Vista or newer,
and from Linux clients.
SonicWALL SSL VPN 5.0 Administrator’s Guide
13
Concepts for SonicWALL SSL VPN
SSL VPN
Management
Interface
Minimum Browser/Version
Requirements
44444
22
2
2
222
6
78
Browser
Windows XP
Windows Vista
Windows 7Linux
MacOS X
Virtual Assist
Users and Technicians can request and provide support when using IPv6 addresses.
Rules
•Policy rule – User or Group Policies. Three IPv6 options in the Apply Policy To drop-down
list:
–
IPv6 Address
–
IPv6 Address Range
–
All IPv6 Address
•Login rule – Use IPv6 for address fields:
–
Define Login From Defined Addresses using IPv6
–
Two IPv6 options in the Source Address drop-down list: IPv6 Address / IPv6 Network
Virtual Hosts
An administrator can assign an IPv6 address to a virtual host, and can use this address to
access the virtual host.
Application Offloading
An administrator can assign an IPv6 address to an application server used for application
offloading, and can use this address to access the server.
Browser Requirements for the SSL VPN Administrator
The following Web browsers are supported for the SonicWALL SSL VPN Web-based
management interface and the user portal, Virtual Office. Java is only required for various
aspects of the SSL VPN Virtual Office, not the management interface.
•Internet Explorer 6.0+, 7.0+, 8.0+
•Firefox 2.0+
•Safari 2.0+
•Chrome 4.0+
The following table provides specific browser requirements.
14
To configure SonicWALL SSL-VPN appliance using the Web-based management interface, an
administrator must use a Web browser with Java, JavaScript, ActiveX, cookies, popups, and
SSLv3 or TLS 1.0 enabled.
SonicWALL SSL VPN 5.0 Administrator’s Guide
Concepts for SonicWALL SSL VPN
SSL VPN
Management
Interface
Minimum Browser/Version
Requirements
4444
2
2
222
6
78
Browser
Windows XP
Windows Vista
Windows 7Linux
Browser Requirements for the SSL VPN End User
The following is a list of Web browser and operating system support for various SSL VPN
protocols including NetExtender and various Application Proxy elements. Requirements are
shown for Windows, Windows Vista, Windows 7, Linux, and MacOS.
Portals Overview
File Shares
Custom Portals
The SonicWALL SSL-VPN appliance provides a mechanism called Virtual Office, which is a
Web-based portal interface that provides clients with easy access to internal resources in your
organization. Components such as NetExtender, Virtual Assist, and bookmarks to file shares
and other network resources are presented to users through the Virtual Office portal. For
organizations with multiple user types, the SSL-VPN allows for multiple customized portals,
each with its own set of shared resource bookmarks. Portals also allow for individual domain
and security certificates on a per-portal basis. The components in a port al are customized when
adding a portal.
File shares provide remote users with a secure Web interface to Microsoft File Shares using
the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using
a Web interface similar in style to Microsoft’ s familiar Network Neighborhood or My Network
Places, File Shares allow users with appropriate permissions to browse network shares,
rename, delete, retrieve, and upload files, and to create bookmarks for later recall. File
shares can be configured to allow restricted server path access.
SonicWALL SSL VPN enables you to configure multiple portals, each with its own title,
banner, login message, logo and set of available resources. Each portal also enables you
to set individual Virtual Hosts/Domain Names (on SonicWALL SSL-VPN models 2000 and
higher) to create a unique default portal URL. When a user logs into a port al, he or she sees
a set of pre-configured links and bookmarks that are specific to that portal. You can
SonicWALL SSL VPN 5.0 Administrator’s Guide
15
Concepts for SonicWALL SSL VPN
configure whether or not NetExtender is displayed on a Virtual Office portal, and if you want
NetExtender to automatically launch when users log in to the portal. The administrator
configures which elements each portal displays through the Portal Set tings dialog box. For
information on configuring portals, refer to the “Portals > Portals” section on page 106.
Domains Overview
A domain in the SonicWALL SSL VPN environment is a mechanism that enables authentication
of users attempting to access the network being serviced by the SSL-VPN appliance. Domain
types include the SSL VPN's internal LocalDomain, and the external platforms Microsoft Active
Directory, NT Authentication, LDAP, and RADIUS. Often, only one domain will suffice to provide
authentication to your organization, although a larger organization may require distributed
domains to handle multiple nodes or collections of users attempting to access applications
through the portal. For information about configuring domains, refer to the “Port als > Domains”
section on page 124.
NetExtender Overview
This section provides an overview to the NetExtender feature. This section contains the
following subsections:
•“What is NetExtender?” section on page 16
•“Benefits” section on page 16
•“NetExtender Concepts” section on page 17
For information on using NetExtender, refer to the “NetExtender > Status” section on page 168
or refer to the SonicWALL SSL VPN User’s Guide.
What is NetExtender?
SonicWALL NetExtender is a transparent software application for Windows, Mac, and Linux
users that enables remote users to securely connect to the remote network. With NetExtender ,
remote users can securely run any application on the remote network. Users can upload and
download files, mount network drives, and access resources as if they were on the local
network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.
Benefits
NetExtender provides remote users with full access to your protected internal network. The
experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender
does not require any manual client installation. Instead, the NetExtender Windows client is
automatically installed on a remote user’s PC by an ActiveX control when using the Internet
Explorer browser, or with the XPCOM plugin w hen using Firefox. On Linux or MacOS systems,
supported browsers use Java controls to automatically install NetExtender from the Virtual
Office portal.
The NetExtender Windows client also has a custom-dialer that allows it to be launched from the
Windows Network Connections menu. This custom-dialer allows NetExtender to be
connected before the Windows domain login. The NetExtender Windows client also supports a
single active connection, and displays real-time throughput and data compression ratios in the
client.
16
SonicWALL SSL VPN 5.0 Administrator’s Guide
After installation, NetExtender automatically launches and connects a virtual adapter for SSLsecure NetExtender point-to-point access to permitted hosts and subnets on the internal
network.
NetExtender Concepts
The following sections describe advanced NetExtender concepts:
•“Stand-Alone Client” section on page 17
•“Multiple Ranges and Routes” section on page 17
•“NetExtender with External Authentication Methods” section on page 18
•“Point to Point Server IP Address” section on page 18
•“Connection Scripts” section on page 18
•“Tunnel All Mode” section on page 19
•“Proxy Configuration” section on page 19
Stand-Alone Client
SonicWALL SSL VPN provides a stand-alone NetExtender application. NetExtender is a
browser-installed lightweight application that provides comprehensive remote access
without requiring users to manually download and install the application. The first time a user
launches NetExtender, the NetExtender stand-alone client is automatically installed on the
user’s PC or Mac. The installer creates a profile based on the user’s login information. The
installer window then closes and automatically launches NetExtender. If the user has a
legacy version of NetExtender installed, the installer will first uninstall the old NetExtender
and install the new version.
Concepts for SonicWALL SSL VPN
Once the NetExtender stand-alone client has been installed, Windows users can launch
NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch
when Windows boots. Mac users can launch NetExtender from their system Applications folder ,
or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop
shortcut in /usr/share/NetExtender. This can be dragg ed to the shortcut bar in environments like
Gnome and KDE.
Multiple Ranges and Routes
Multiple range and route support for NetExtender on SonicWALL SSL-VPN models 2000
and higher enables network administrators to easily segment groups and users without the
need to configure firewall rules to govern access. This user segmentation allows for granular
control of access to the network—allowing users access to necessary resources while
restricting access to sensitive resources to only those who require it.
For networks that do not require segmentation, client addresses and routes can be configured
globally as in the SSL VPN 1.0 version of NetExtender. The follo wing sections describe the new
multiple range and route enhancements:
•“IP Address User Segmentation” on page 18
•“Client Routes” on page 18
SonicWALL SSL VPN 5.0 Administrator’s Guide
17
Loading...
+ 364 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.