SonicWall SSL VPN Administration Guide
SonicOS and SonicOSX 7
SSL VPN
Administration Guide
Contents
About SSL VPN 3
About NetExtender 7
Creating an Address Object for the NetExtender Range 7
Setting Up Access 8
Configuring Proxies 9
Installing the Stand-Alone Client 9
Configuring Users for SSL VPN Access 10
For Local Users 10
For RADIUS, LDAP and TACACS+ Users 11
For Tunnel All Mode Access 12
Biometric Authentication 13
Configuring SSL VPN Server Behavior 14
Server Settings page 14
SSL VPN Status on Zones 14
SSL VPN Server Settings 14
RADIUS User Settings 16
SSL VPN Client Download URL 16
Configuring SSL VPN Client 17
Configuring the Settings Options 18
Configuring the Client Routes 18
Configuring Client Settings 19
Configuring the SSL VPN Web Portal 21
Portal Settings 21
Portal Logo Settings 23
Viewing SSL VPN Sessions 24
Status Page 24
Bookmark Page 24
Configuring Virtual Office 25
Accessing the Virtual Office Portal 25
Using NetExtender 25
Configuring SSL VPN Bookmarks 26
Configuring Device Profile Settings for IPv6 29
SonicWall Support 30
About This Document 31
SonicOS/X 7 SSL VPN Administration Guide
Contents
2
About SSL VPN
NOTE: References to SonicOS/X indicate that the functionality is available in both SonicOS and
SonicOSX.
This section provides information on how to configure the SSL VPN features on the SonicWall network
security appliance. SonicWall’s SSL VPN features provide secure remote access to the network using the
NetExtender client.
NetExtender is an SSL VPN client for Windows, or Linux users that is downloaded transparently. It allows
you to run any application securely on the network and uses Point-to-Point Protocol (PPP). NetExtender
allows remote clients seamless access to resources on your local network. Users can access NetExtender
two ways:
l Logging in to the Virtual Office web portal provided by the SonicWall network security appliance
l Launching the standalone NetExtender client
3
Each SonicWall appliance supports a maximum number of concurrent remote users. Refer to the the
Maximum number of concurrent SSL VPN users for details.
MAXIMUM CONCURRENT USERS
(HARDWARE FIREWALLS)
SonicWall appliance
model
NSa 9650 3000
NSa 9450 3000
NSa 9250 3000
NSa 6650 2000
NSa 5650 1500
NSa 4650 1000
NSa 3650 500
NSa 2650 350
SM 9600 3000
SM 9400 3000
SM 9200 3000
NSA 6600 1500
NSA 5600 1000
Maximum concurrent
SSL VPN connections
SonicOS/X 7 SSL VPN Administration Guide
About SSL VPN
3
SonicWall appliance
model
Maximum concurrent
SSL VPN connections
NSA 4600 500
NSA 3600 350
NSA 2600 250
TZ600/TZ600P 200
TZ500/TZ500 W 150
TZ400/TZ400 W 100
TZ350/TZ350 W 75
TZ300/TZ300 W/TZ300P 50
SOHO 250/SOHO 250W 25
MAXIMUM CONCURRENT USERS (VMWARE)
VMware ESXi appliance
model
Maximum concurrent
SSL VPN connections
10 10
25 25
50 25
100 25
200 50
300 50
400 50
800 50
1600 50
MAXIMUM CONCURRENT USERS (AZURE)
Azure appliance model Maximum concurrent
SSL VPN connections
10 10
25 25
50 25
100 25
200 100
400 100
800 100
1600 100
SonicOS/X 7 SSL VPN Administration Guide
About SSL VPN
4
MAXIMUM CONCURRENT USERS (AWS)
AWS appliance model Maximum concurrent
SSL VPN connections
10 10
25 25
50 25
100 25
200 50
400 50
800 50
1600 50
MAXIMUM CONCURRENT USERS (AWS - PAYG)
AWS - PAYG appliance
model
Maximum concurrent
SSL VPN connections
200 50
400 50
800 50
1600 50
MAXIMUM CONCURRENT USERS (LINUX KVM)
Linux KVM appliance
model
Maximum concurrent
SSL VPN connections
10 10
25 25
50 25
100 25
200 50
300 50
400 50
800 50
1600 50
MAXIMUM CONCURRENT USERS (MICROSOFT
HYPER-V)
Microsoft Hyper-V
appliance model
Maximum concurrent
SSL VPN connections
10 10
25 25
50 25
SonicOS/X 7 SSL VPN Administration Guide
About SSL VPN
5
Microsoft Hyper-V
appliance model
Maximum concurrent
SSL VPN connections
100 25
200 50
300 50
400 50
800 50
1600 50
SonicOS/X supports NetExtender connections for users with IPv6 addresses. The address objects dropdown menu includes all the predefined IPv6 address objects.
NOTE: IPv6 Wins Server is not supported. IPv6 FQDN is supported.
NOTE: SSL VPN connectivity is available when Wireless Controller Mode on the DEVICE | System >
Administraton page in Wireless Controller, and is set to either Full-Feature-Gateway or Non-
Wireless. If Wireless-Controller-Only is enabled for Wireless Controller Mode, SSL VPN interfaces are
not available.
NETWORK|SSL VPN > Server Settings > SSL VPN SSL VPN Status on Zones displays inactive status for
all zones, and SSL VPN zones are not editable.
Topics:
l About NetExtender
l Configuring Users for SSL VPN Access
l Biometric Authentication
SonicOS/X 7 SSL VPN Administration Guide
About SSL VPN
6
About NetExtender
SonicWall’s SSL VPN NetExtender is a transparent software application for Windows, and Linux users that
enables remote users to securely connect to the company network. With NetExtender, remote users can
securely run any application on the company network. Users can upload and download files, mount network
drives, and access resources as if they were on the local network.
NetExtender provides remote users with full access to your protected internal network. The experience is
virtually identical to that of using a traditional IPsec VPN client. Linux systems can also install and use the
NetExtender client. Windows users need to download the client from the portal, and those with mobile
devices need to download Mobile Connect from the application store.
The NetExtender standalone client can be installed the first time the user launches NetExtender from the
portal. Thereafter, it can be accessed directly from the Start menu on Windows systems, or by he path name
or from the shortcut bar on Linux systems.
After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL VPN,
point-to-point access to permitted hosts and subnets on the internal network.
Topics:
l Creating an Address Object for the NetExtender Range
l Setting Up Access
l Configuring Proxies
l Installing the Stand-Alone Client
Creating an Address Object for the NetExtender Range
As a part of the NetExtender configuration, you need to create an address object for the NetExtender IP
address range. This address object is then used when configuring the Device Profiles.
You can create address objects for both an IPv4 address range and an IPv6 address range to be used in the
SSL VPN > Client Settings configuration. The address range configured in the address object defines the
IP address pool from which addresses are assigned to remote users during NetExtender sessions. The range
needs to be large enough to accommodate the maximum number of concurrent NetExtender users you
intend to support. You might want to allow for a few extra addresses for growth, but it is not required.
NOTE: In cases where other hosts are on the same segment as the appliance, the address range must
not overlap or collide with any assigned addresses.
SonicOS/X 7 SSL VPN Administration Guide
About SSL VPN
7
To create an address object for the NetExtender IP address range:
1.
Navigate to OBJECTS > Address Objects.
2.
Click Add.
3.
Type a descriptive name in the Name field.
4.
For Zone Assignment, select SSLVPN.
5.
For Type, select Range.
6.
In the Starting IP Address field, type in the lowest IP address in the range you want to use.
NOTE:The IP address range must be on the same subnet as the interface used for SSL VPN
services. Ensure that IPaddress range does not collide with other assigned ranges.
7.
In the Ending IP Address field, type in the highest IP address in the range you want to use.
8.
Click ADD.
9.
Click CLOSE.
Setting Up Access
NetExtender client routes are used to allow and deny access for SSL VPN users to various network
resources. Address objects are used to easily and dynamically configure access to network resources.
Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—
including traffic destined for the remote user’s local network. This is done by adding the following routes to
the remote client’s route table:
ROUTES TO BE ADDED TO REMOTE
CLIENT’S ROUTE TABLE
IP Address Subnet mask
0.0.0.0 0.0.0.0
0.0.0.0 128.0.0.0
128.0.0.0 128.0.0.0
SonicOS/X 7 SSL VPN Administration Guide
About SSL VPN
8
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are
configured with higher metrics than any existing routes to force traffic destined for the local network over the
SSL VPN tunnel instead. For example, if a remote user is has the IP address 10.0.67.64 on the 10.0.*.*
network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
NOTE: To configure Tunnel All mode, you must also configure an address object for 0.0.0.0, and assign
SSL VPN NetExtender users and groups to have access to this address object.
Administrators also have the ability to run batch file scripts when NetExtender connects and disconnects.
The scripts can be used to map or disconnect network drives and printers, launch applications, or open files
or Web sites. NetExtender Connection Scripts can support any valid batch file commands.
Configuring Proxies
SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy
is supported. The proxy settings can also be manually configured in the NetExtender client preferences.
NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto
Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
l Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto
Discovery Protocol), which can push the proxy settings script to the client automatically.
l Use automatic configuration script - If you know the location of the proxy settings script, you can
select this option and provide the URL of the script.
l Use proxy server - You can use this option to specify the IP address and port of the proxy server.
Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct
connections to those addresses and bypass the proxy server. If required, you can enter a user name
and password for the proxy server. If the proxy server requires a username and password, but you do
not specify them, a NetExtender pop-up window prompts you to enter them when you first connect.
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server
instead of connecting to the firewall server directly. The proxy server then forwards traffic to the SSL VPN
server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy
server has no knowledge. The connecting process is identical for proxy and non-proxy users.
Installing the Stand-Alone Client
The first time a user launches NetExtender, the installer can be downloaded and run on the user's system.
The installer creates a profile based on the user’s login information. The installer window then closes and
automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer
uninstalls or requests the user to uninstall the old NetExtender first and then can install the new version.
After the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from
their PC’s Start > Programs menu or system tray and can configure NetExtender to launch when Windows
boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock
for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This
can be dragged to the shortcut bar in environments like Gnome and KDE.
SonicOS/X 7 SSL VPN Administration Guide
About SSL VPN
9
NOTE: Complete instructions for installing NetExtender on a SonicWall appliance can be found in How
to setup SSL-VPN feature (NetExtender Access) on SonicOS 5.9 & above (SW10657) in the Knowledge
Base.
VIDEO: The video, How to configure SSL VPN, also explains the procedure for configuring NetExtender.
Configuring Users for SSL VPN Access
For users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group.
Users attempting to login through the Virtual Office and who do not belong to the SSLVPN Services group
are denied access.
Topics:
l For Local Users
l For RADIUS and LDAP Users
l For Tunnel All Mode Access
For Local Users
The following is a quick reference, listing the User settings needed to enable SSLVPN Services.
To configure SSL VPN access for local users:
1.
Navigate to MANAGE | System Setup | Users > Local Users & Groups.
2.
Click the Edit icon for the user you want to set up, or click Add User to create a new user.
3.
Select Groups.
SonicOS/X 7 SSL VPN Administration Guide
10
About SSL VPN
Loading...