SonicWALL SSL-VPN 2000 User Manual

Secure Remote Access Solutions
APPLIANCES
SonicWALL SSL-VPN Series
SSL-VPN 2000 Getting Started Guide
SonicWALL SSL-VPN 2000 Appliance
Getting Started Guide
The SonicWALL SSL-VPN 2000 appliance provides organizations of all sizes with an affordable, simple and secure remote network and application access solution that requires no pre-installed client software. Utilizing only a standard Web browser, users can easily and securely access email, files, intranets, applications and other resources on the corporate LAN from any location.
Note: To ensure optimal performance, please visit <https://www.mysonicwall.com> to register your new appliance, download the latest version of SonicOS SSL-VPN firmware, and view complete product documentation.
This Getting Started Guide contains installation procedures and configuration guidelines for deploying a SonicWALL SSL-VPN 2000 appliance into an existing or new network. This document addresses the most common use-case scenarios and network topologies in which the SonicWALL SSL-VPN 2000 appliance can be deployed.
For complete documentation, refer to the SonicWALL SSL-VPN Administrator’s Guide at:
<http://www.sonicwall.com/us/Support.html>.

SonicWALL SSL-VPN 2000 Configuration Steps

“Selecting a SonicWALL Recommended Deployment Scenario”
“Applying Power to the SonicWALL SSL-VPN 2000”
“Accessing the Management Interface”
“Configuring Your SonicWALL SSL-VPN 2000”
“Connecting the SonicWALL SSL-VPN 2000”
“Configuring Your Gateway Device”
“Testing Your SSL-VPN Connection”
“Registering Your SonicWALL SSL-VPN 2000”
“Mounting Guidelines”
SonicWALL SSL-VPN 2000 Getting Started Guide Page 1

Before You Begin

Check Package Contents

One SonicWALL SSL-VPN 2000 appliance
One SonicWALL SSL-VPN 2000 Getting Started Guide
One SonicWALL SSL-VPN Release Notes
One straight-through Ethernet cable
One rack-mount kit
One power cord*
* A power cord is included only with units shipped to North America.

Any Items Missing?

If any items are missing from your package, contact:
SonicWALL Support
Web: http://www.sonicwall.com/us/Support.html
Email: customer_service@sonicwall.com

What You Need to Begin

Administrative access to your network’s gateway device, such as your SonicWALL Unified Threat Management (UTM) appliance, or your perimeter firewall
A Windows, Linux, or MacOS computer to use as a management station for initial configuration of the SonicWALL SSL-VPN 2000
A Web browser supporting Java (version 1.4 or higher), and HTTP uploads, such as Internet Explorer 6.5 or higher, Firefox 1.0 or higher, Opera 7.0 or higher, or Safari 1.2 or higher is recommended**
An Internet connection
** While these browsers are acceptable for use in configuring your SonicWALL SSL-VPN 2000, end users will need to use IE 6.5 or higher, Firefox 1.5 or higher, Opera 9.0 or higher, or Safari 2.0 or higher for supporting JavaScript, Java, cookies, SSL and ActiveX in order to take advantage of the full suite of applications.

Network Configuration Information

Collect the following information about your current network configuration:
Primary DNS:
Secondary DNS (optional):
DNS Domain:
WINS server(s) (optional):

Other Information

These are the default settings for accessing your SonicWALL SSL-VPN management interface:
User Name: admin
Password: (default: password)

Selecting a SonicWALL Recommended Deployment Scenario

The deployment scenarios described in this section are based on actual customer deployments and are SonicWALL-recommended deployment best practices. This section describes three common deployments of the SonicWALL SSL-VPN 2000. In Table 1, select the scenario that most closely matches your deployment.
[Figure: network diagrams for Scenario A (SSL-VPN on a New DMZ), Scenario B (SSL-VPN on an Existing DMZ), and Scenario C (SSL-VPN on the LAN)]

Table 1: SonicWALL SSL-VPN 2000 Deployment Scenarios

Gateway Device: SonicOS Enhanced 3.1 or higher: TZ 170 Series, TZ 180 Series, TZ 190 Series, PRO Series, NSA E-Class (SonicOS 5.0+), NSA Series (SonicOS 5.0+)
SonicWALL Recommended Deployment Scenarios and Conditions or Requirements:
Scenario A: SSL-VPN on a New DMZ
OPT or unused interface
A new DMZ configured for either NAT or Transparent Mode operation.
Scenario B: SSL-VPN on Existing DMZ
No unused interfaces
One dedicated interface in use as an existing DMZ
Scenario C: SSL-VPN on the LAN
No unused interfaces
No dedicated interface for a DMZ

Gateway Device: SonicOS Standard 3.1 or higher: TZ 170, TZ 180 Series, PRO 1260, PRO 2040, PRO 3060
SonicWALL Recommended Deployment Scenarios and Conditions or Requirements:
Scenario A: SSL-VPN on a New DMZ
OPT or X2 interface is unused
A new DMZ configured for either NAT or Transparent Mode operation.
(Optional) Plan to provide SonicWALL deep packet inspection security services such as GAV, IPS, and Anti-Spyware.
Scenario B: SSL-VPN on Existing DMZ
OPT or X2 interface is in use with an existing DMZ
(Optional) Plan to provide SonicWALL deep packet inspection security services such as GAV, IPS, and Anti-Spyware.

Gateway Device: SonicOS Standard 3.1 or higher: TZ 150 Series, TZ 170 Wireless, TZ 170 SP, TZ 180 Series, PRO 1260 / 2040 / 3060; SonicWALLs with legacy firmware; Third-Party Gateway Device
SonicWALL Recommended Deployment Scenarios and Conditions or Requirements:
Scenario C: SSL-VPN on the LAN
Not planning to use SonicWALL deep packet inspection security services such as GAV, IPS, and Anti-Spyware.
Interoperability with a third-party gateway device

Applying Power to the SonicWALL SSL-VPN 2000

1. Plug the power cord into the SonicWALL SSL-VPN 2000 and into an appropriate power outlet.
2. Turn on the power switch on the rear of the appliance next to the power cord.
[Figure: front and rear panels of the SonicWALL SSL-VPN 2000]
Console Port: Provides access to command line interface (for future use).
X0: Default management port. Provides connectivity between the SSL-VPN and your gateway.
X1, X2, X3: 10/100 Ethernet
Front panel indicators: Power LED, Test LED, Alarm LED
Rear panel: exhaust fans, power plug, power switch
The Power LED on the front panel lights up green when you turn on the SonicWALL SSL-VPN 2000. The Test LED lights up yellow and may blink for up to a minute while the appliance performs a series of diagnostic tests. When the Test light is no longer lit, the SonicWALL SSL-VPN 2000 is ready for configuration.
If the Test or Alarm LEDs remain lit or if the Test LED blinks red after the SonicWALL SSL-VPN 2000 has booted, restart the SonicWALL SSL-VPN 2000. For more troubleshooting information, refer to the SonicWALL SSL-VPN Administrator’s Guide.

Accessing the Management Interface

To access the Web-based management interface of the SonicWALL SSL-VPN 2000:
1. Connect one end of an Ethernet cable into the X0 port of your SonicWALL SSL-VPN 2000. Connect the other end of the cable into the computer you are using to manage the SonicWALL SSL-VPN 2000.
[Figure: Management Station connected to the X0 port of the SonicWALL SSL-VPN 2000]
2. Set the computer you use to manage the SonicWALL SSL-VPN 2000 to have a static IP address in the 192.168.200.x/24 subnet, such as 192.168.200.20. For help with setting up a static IP address on your computer, refer to “Configuring a Static IP Address” on page 62.
Alert: A Web browser supporting Java and HTTP uploads, such as Internet Explorer 6.5 or higher, Firefox 1.0 or higher, Opera 7.0 or higher, or Safari 1.2 or higher is recommended.*
3. Open a Web browser and enter http://192.168.200.1 (the default X0 management IP address) in the Location or Address field.
4. A security warning may appear. Click Continue to this website or the OK button to accept the certificate and continue.
5. The SonicWALL SSL-VPN management interface displays and prompts you to enter your user name and password. Enter “admin” in the User Name field, “password” in the Password field, select LocalDomain from the Domain drop-down list and click the Login button.
* While these browsers are acceptable for use in configuring your SonicWALL SSL-VPN 2000, end users will need to use IE 6.5 or higher, Firefox 1.5 or higher, Opera 9.0 or higher, or Safari 2.0 or higher in order to take advantage of the full suite of applications.

If You Cannot Login to the SSL-VPN

If you cannot connect to the SonicWALL SSL-VPN 2000, verify the following configurations:
Did you plug your management workstation into the interface X0 on the SonicWALL SSL-VPN appliance? Management can only be performed through X0.
Is the link light lit on both the management station and the SonicWALL SSL-VPN appliance?
Did you correctly enter the SonicWALL SSL-VPN 2000 management IP address in your Web browser?
Is your computer set to a static IP address of 192.168.200.20? Refer to “Configuring a Static IP Address” on page 62 for instructions on setting your IP address.
Is your Domain set to LocalDomain on the login screen?

Configuring Your SonicWALL SSL-VPN 2000

Once your SonicWALL SSL-VPN 2000 is connected to a computer through the management port (X0), it can be configured through the Web-based management interface.
This section includes the following subsections:
“Setting Your Administrator Password”
“Adding a Local User”
“Setting Time Zone”
“Configuring SSL-VPN Network Settings”
“Configuring DNS / WINS”
“Configuring the X0 IP address for Scenario B and Scenario C”
“Configuring a Default Route”
“Adding a NetExtender Client Route”

Setting Your Administrator Password

1. Navigate to the Users > Local Users page.
2. Click the Configure button corresponding to the “admin” account.
Note: Changing your password from the factory default is optional but strongly recommended. If you do change your password, be sure to keep it in a safe place. If you lose your password, you will have to reset the SonicWALL SSL-VPN 2000 to factory settings, losing your configuration.
3. Enter a password for the “admin” account in the Password field. Re-enter the password in the Confirm Password field.
4. Click the OK button to apply changes.

Adding a Local User

1. Navigate to the Users > Local Users page.
2. Click the Add User button.
3. Enter the desired user name in the User Name field.
4. Select LocalDomain from the GroupDomain drop-down menu.
5. Supply a password for the user in the Password field. Confirm the new password.
6. Select User from the User Type drop-down menu.
7. Click the Add button.

Setting Time Zone

1. Navigate to the System > Time page.
2. Select the appropriate time zone from the drop-down menu.
3. Click the Accept button.
Note: Setting the time correctly is essential to many of the operations of the SonicWALL SSL-VPN 2000. Be sure to set the time-zone correctly. Automatic synchronization with an NTP server (default setting) is encouraged to ensure accuracy.

Configuring SSL-VPN Network Settings

You will now configure your SSL-VPN 2000 network settings. Refer to the notes you took in “Network Configuration Information” on page 2 to complete this section.

Configuring DNS / WINS

1. Navigate to the Network > DNS page.
2. Enter a unique name for your SonicWALL SSL-VPN 2000 in the SSL-VPN Gateway Hostname field.
3. Enter your primary DNS server information in the Primary DNS Server field.
4. (Optional) Enter a secondary DNS server in the Secondary DNS Server field.
5. (Optional) Enter your DNS Domain in the DNS Domain Field.
6. (Optional) Enter your WINS servers in the Primary WINS Server and Secondary WINS Server fields.
7. Click the Accept button.

Configuring the X0 IP address for Scenario B and Scenario C

If you are deploying the SSL-VPN in either Scenario B, SSL-VPN on an Existing DMZ or Scenario C, SSL-VPN on the LAN, you need to reset the IP address of the X0 interface on the SSL-VPN to an address within the range of the existing DMZ or the existing LAN.
1. Navigate to the Network > Interfaces page.
2. In the Interfaces table, click the Configure icon for the X0 interface.
3. In the Interface Settings dialog box, set the IP address and netmask to:
If you are using scenario B - SSL-VPN on an Existing DMZ, set the X0 interface to:
IP Address: An unused address within your DMZ subnet, for example: 10.1.1.240.
Subnet Mask: Must match your DMZ subnet mask.
If you are using scenario C - SSL-VPN on the LAN, set the X0 interface to:
IP Address: An unused address within your LAN subnet, for example: 192.168.168.200.
Subnet Mask: Must match your LAN subnet mask.
4. Click OK. When you click OK, you will lose your connection to the SSL-VPN.
5. Reset the computer you use to manage the SonicWALL SSL-VPN 2000 to have a static IP address in the range you just set for the X0 interface, for example, 10.1.1.20 or 192.168.200.20.
For help with setting up a static IP address on your computer, refer to “Configuring a Static IP Address” on page 62.
6. Log into the SSL-VPN management interface again, using the IP address you just configured for the X0 interface. For example, point your browser to http://192.168.168.200.

Configuring a Default Route

Refer to the following table to correctly configure your default route. If you do not know your scenario, refer to “Selecting a SonicWALL Recommended Deployment Scenario” on page 3.
If you are using scenario: Your upstream gateway device will be:
A - SSL-VPN on a New DMZ: The DMZ you will create (for example, 192.168.200.2).
B - SSL-VPN on an Existing DMZ: Your existing DMZ interface.
C - SSL-VPN on the LAN: Your LAN gateway.
1. Navigate to the Network > Routes page.
2. Enter the IP address of your upstream gateway device in the Default Gateway field.
3. Select X0 in the Interfaces drop down list.
4. Click the Accept button.

Adding a NetExtender Client Route

NetExtender allows remote clients to have seamless access to resources on your local network.
1. Navigate to the NetExtender > Client Routes page.
2. Click the Add Client Route button.
3. Enter the IP address of the trusted network to which you would like to provide access with NetExtender in the Destination Network field. (For example, if you are connecting to an existing DMZ with the network 192.168.50.0/24 and you want to provide access to your LAN network 192.168.168.0/24, you would enter 192.168.168.0).
Note: You can optionally tunnel-all SSL-VPN client traffic through the NetExtender connection by entering 0.0.0.0 for the Destination Network and Subnet Mask. Some operating systems or system environments do not correctly apply the 0.0.0.0 default route. If this is the case, you may also specify tunnel-all operation by using two more specific routes as follows:
Route 1
Destination Network: 0.0.0.0
Subnet Mask: 128.0.0.0
Route 2
Destination Network: 128.0.0.0
Subnet Mask: 128.0.0.0
4. Enter your subnet mask in the Subnet Mask field.
5. Click the Add button to add this client route.
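Why the two 128.0.0.0-mask routes in the note under step 3 amount to tunnel-all can be checked with a short script. This is an added example, not part of the SonicWALL guide; the client's pre-existing default route and the "local-gateway" and "netextender" labels are constructed for illustration.

```python
import ipaddress

# Constructed for illustration: the default route a remote client already
# has before NetExtender connects.
LOCAL_DEFAULT = (ipaddress.ip_network("0.0.0.0/0"), "local-gateway")


def client_route(dest, mask):
    """Destination Network / Subnet Mask pair, as typed on the Client Routes page."""
    return ipaddress.ip_network(f"{dest}/{mask}")


def is_tunnel_all(routes):
    """True when the client routes together cover the entire IPv4 space."""
    whole = ipaddress.ip_network("0.0.0.0/0")
    return list(ipaddress.collapse_addresses(routes)) == [whole]


def egress(dst, routes):
    """Longest-prefix match over the local default plus the pushed client routes."""
    table = [LOCAL_DEFAULT] + [(net, "netextender") for net in routes]
    addr = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in table if addr in net]
    # The most specific (longest prefix) matching route wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Split tunnel: only the LAN from the step 3 example is routed to the appliance.
SPLIT = [client_route("192.168.168.0", "255.255.255.0")]
# Tunnel-all written as the two more specific routes from the note.
HALVES = [
    client_route("0.0.0.0", "128.0.0.0"),
    client_route("128.0.0.0", "128.0.0.0"),
]

if __name__ == "__main__":
    for name, routes in (("split", SPLIT), ("halves", HALVES)):
        print(name, "tunnel-all:", is_tunnel_all(routes))
        for dst in ("192.168.168.10", "10.9.8.7", "203.0.113.5"):
            print("  ", dst, "->", egress(dst, routes))
```

Each half is a /1 prefix, so it is more specific than any /0 default already on the client, and between them the halves leave no address outside the tunnel.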

Setting your NetExtender Address Range

The NetExtender IP range defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support.
The range should fall within the same subnet as the interface to which the SonicWALL SSL-VPN appliance is connected, and in cases where there are other hosts on the same segment as the SonicWALL SSL-VPN appliance, it must not overlap or collide with any assigned addresses. You can determine the correct subnet based on your network scenario selection:
Scenario A: Use the default NetExtender range: 192.168.200.100 to 192.168.200.200
Scenario B: Select a range that falls within your existing DMZ subnet. For example, if your DMZ uses the 192.168.50.0/24 subnet, and you want to support up to 30 concurrent NetExtender sessions, you could use 192.168.50.220 to 192.168.50.249, providing they are not already in use.
Scenario C: Select a range that falls within your existing LAN subnet. For example, if your LAN uses the 192.168.168.0/24 subnet, and you want to support up to 10 concurrent NetExtender sessions, you could use 192.168.168.240 to 192.168.168.249, providing they are not already in use.
To set your NetExtender address range, perform the following steps:
1. Navigate to the NetExtender > Client Settings page.
2. Enter an address range for your clients in the Client Address Range Begin and Client Address Range End fields.
Scenario A: 192.168.200.100 to 192.168.200.200 (default range)
Scenario B: An unused range within your DMZ subnet.
Scenario C: An unused range within your LAN subnet.
If you have too few available addresses to support your desired number of concurrent NetExtender users you may use a new subnet for NetExtender. This condition might occur if your existing DMZ or LAN is configured in NAT mode with a small subnet space, such as 255.255.255.224, or more commonly if your DMZ or LAN is configured in Transparent mode and you have a limited number of public addresses from your ISP.
In either case, you may assign a new, unallocated IP range to NetExtender (such as 192.168.10.100 to 192.168.10.200) and configure a route to this range on your gateway appliance. For example, if your current Transparent range is 67.115.118.75 through 67.115.118.80, and you wish to support 50 concurrent NetExtender clients, configure your SSL-VPN X0 interface with an available IP address in the Transparent range, such as 67.115.118.80, and configure your NetExtender range as 192.168.10.100 to 192.168.10.200. Then, on your gateway device, configure a static route to 192.168.10.0/255.255.255.0 using 67.115.118.80.
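The range rules in this section (large enough, inside the X0 subnet, no collision with assigned addresses, or else a separate subnet plus a gateway route) can be checked before the range is entered. The script below is an added example, not SonicWALL code; the function names, the finding codes, the X0 address 192.168.50.2 and the 255.255.255.224 mask on the Transparent range are assumptions made for the illustration.

```python
import ipaddress


def covering_network(first, last):
    """Smallest single network that contains both ends of the range."""
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def check_pool(x0_ip, mask, begin, end, sessions, in_use=()):
    """Return a list of (code, detail) findings; empty means usable as entered."""
    x0 = ipaddress.ip_address(x0_ip)
    subnet = ipaddress.ip_network(f"{x0_ip}/{mask}", strict=False)
    first, last = ipaddress.ip_address(begin), ipaddress.ip_address(end)
    if last < first:
        return [("BAD_RANGE", f"{end} is below {begin}")]
    findings = []
    size = int(last) - int(first) + 1
    if size < sessions:
        findings.append(("TOO_SMALL", f"{size} addresses for {sessions} sessions"))
    inside = first in subnet and last in subnet
    overlaps = first <= subnet.broadcast_address and last >= subnet.network_address
    if inside:
        # Addresses that can never be handed to a client, plus known hosts.
        taken = {x0, subnet.network_address, subnet.broadcast_address}
        taken |= {ipaddress.ip_address(a) for a in in_use}
        for addr in sorted(a for a in taken if first <= a <= last):
            findings.append(("IN_USE", str(addr)))
    elif overlaps:
        findings.append(("STRADDLES", f"range crosses the edge of {subnet}"))
    else:
        # Separate NetExtender subnet: the gateway needs a static route to it.
        net = covering_network(first, last)
        findings.append(
            ("NEEDS_ROUTE", f"{net.network_address}/{net.netmask} via {x0_ip}")
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs built from the examples in this section.
    cases = [
        ("192.168.200.1", "255.255.255.0", "192.168.200.100", "192.168.200.200", 25, ()),
        ("192.168.50.2", "255.255.255.0", "192.168.50.220", "192.168.50.249", 30,
         ("192.168.50.230",)),
        ("67.115.118.80", "255.255.255.224", "192.168.10.100", "192.168.10.200", 50, ()),
    ]
    for case in cases:
        print(case[2], "-", case[3], "=>", check_pool(*case) or "ok")
```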

Connecting the SonicWALL SSL-VPN 2000

Before continuing, reference the diagrams on the following pages to connect the SonicWALL SSL-VPN 2000 to your network. Refer to the table in “Selecting a SonicWALL Recommended Deployment Scenario” on page 3 to determine the proper scenario for your network configuration.
“Scenario A: Connecting the SonicWALL SSL-VPN 2000”
“Scenario B: Configuring Your Network Interface”
“Scenario B: Connecting the SonicWALL SSL-VPN 2000”
“Scenario C: Configuring Your Network Interface”
“Scenario C: Connecting the SonicWALL SSL-VPN 2000”

Scenario A: Connecting the SonicWALL SSL-VPN 2000

To connect the SonicWALL SSL-VPN 2000 using Scenario A, perform the following steps:
1. Connect one end of an Ethernet cable to the OPT, X2, or other unused port on your existing SonicWALL UTM appliance.
[Figure: Scenario A: SSL-VPN on a New DMZ]
2. Connect the other end of the Ethernet cable to the X0 port on the front of your SonicWALL SSL-VPN 2000. The X0 Port LED lights up green indicating an active connection.

Scenario B: Configuring Your Network Interface

Configure your SonicWALL SSL-VPN 2000 to connect with your SonicWALL UTM appliance under network configurations given in Scenario B.
On your SonicWALL SSL-VPN 2000:
1. Navigate to the Network > Interfaces page.
2. Click the Configure button for the X0 port.
3. If configuring with Scenario B, enter an unused IP address in your DMZ subnet in the IP Address field.
4. Enter your subnet mask in the Subnet Mask field.
5. Click the OK button to apply changes.

Scenario B: Connecting the SonicWALL SSL-VPN 2000

To connect the SonicWALL SSL-VPN 2000 using Scenario B, perform the following steps:
1. Connect one end of an Ethernet cable to an unused port on your DMZ, either directly to the OPT or X2 on your existing SonicWALL UTM appliance or to a hub or switch on your DMZ.
[Figure: Scenario B: SSL-VPN on an Existing DMZ]
2. Connect the other end of the Ethernet cable to the X0 port on the front of your SonicWALL SSL-VPN 2000. The X0 Port LED lights up green indicating an active connection.

Scenario C: Configuring Your Network Interface

Configure your SonicWALL SSL-VPN 2000 to connect to your SonicWALL UTM appliance under network configurations given in Scenario C.
On the SonicWALL SSL-VPN 2000:
1. Navigate to the Network > Interfaces page.
2. Click the Configure button for the X0 port.
3. Enter an unused IP address in your LAN in the IP Address field.
4. Enter your subnet mask in the Subnet Mask field.
5. Click the OK button to apply changes.

Scenario C: Connecting the SonicWALL SSL-VPN 2000

To connect the SonicWALL SSL-VPN 2000 using Scenario C, perform the following steps:
1. Connect one end of an Ethernet cable to an unused port on your LAN hub or switch.
[Figure: Scenario C: SSL-VPN on the LAN]
2. Connect the other end of the Ethernet cable to the X0 port on the front of your SonicWALL SSL-VPN 2000. The X0 Port LED lights up green indicating an active connection.

Configuring Your Gateway Device

Now that you have set up your SonicWALL SSL-VPN 2000, you need to configure your gateway device to work with the SonicWALL SSL-VPN 2000. Refer to the table in “Selecting a SonicWALL Recommended Deployment Scenario” on page 3 to determine the proper scenario for your network configuration.
This section contains the following subsections:
“Scenario A: SSL-VPN on a New DMZ”
“Scenario B: SSL-VPN on Existing DMZ”
“Scenario C: SSL-VPN on the LAN”

Scenario A: SSL-VPN on a New DMZ

This section provides procedures to configure your gateway appliance based on Scenario A. This section contains the following subsections:
“Scenario A: Connecting to the SonicWALL UTM Appliance”
“Scenario A: Configuring a DMZ or OPT Port in SonicOS Standard”
“Scenario A: Allowing WAN -> DMZ Connection in SonicOS Standard”
“Scenario A: Allowing DMZ -> LAN Connection in SonicOS Standard”
“Scenario A: Adding a New SSL-VPN Custom Zone in SonicOS Enhanced”
“Scenario A: Allowing WAN -> SSL-VPN Connection in SonicOS Enhanced”
“Scenario A: Allowing SSL-VPN -> LAN Connection in SonicOS Enhanced”

Scenario A: Connecting to the SonicWALL UTM Appliance

1. Using a computer connected to your LAN, launch your Web browser and enter the IP address of your existing SonicWALL UTM appliance in the Location or Address field.
2. When the management interface displays, enter your user name and password in the appropriate fields and press the Login button.
Note: Remember that you are logging into your SonicWALL UTM appliance, not the SonicWALL SSL-VPN 2000. Your user name and password combination may be different from the user name and password you recorded for your SonicWALL SSL-VPN 2000.

Scenario A: Configuring a DMZ or OPT Port in SonicOS Standard

1. Navigate to the Network > Settings page.
2. Click the Configure button for the DMZ or OPT interface.
3. Select the DMZ in NAT Mode radio button.
4. Enter 192.168.200.2 in the DMZ Private Address field.
5. Enter 255.255.255.0 in the DMZ Subnet Mask field.
6. Click the OK button.

Scenario A: Allowing WAN -> DMZ Connection in SonicOS Standard

Follow this procedure if you are connecting the SonicWALL SSL-VPN 2000 to a SonicWALL UTM appliance running SonicOS Standard. If your SonicWALL UTM appliance is running SonicOS Enhanced, skip to “Scenario A: Allowing WAN -> SSL-VPN Connection in SonicOS Enhanced” on page 28.
Tip: Leave the default rule to deny any access from WAN to DMZ in place, and use the Public Server Rule Wizard to create an access rule to allow HTTP and HTTPS specifically to the SonicWALL SSL-VPN appliance. As you add different servers to the DMZ, you can use the wizard to create access to the new servers while still restricting all other traffic.
Note: If you are allowing HTTP access to your SonicWALL SSL-VPN appliance as well as HTTPS access, you need to run the wizard twice to create public server access rules for both HTTP and HTTPS.
Create a public server access rule for HTTPS traffic:
1. Navigate to the Firewall > Access Rules page.
2. Click .
3. In the Welcome to the SonicWALL Network Access Rules Wizard page, click Next.
4. In the Step 1: Access Rule Type page, select Public Server Rule and then click Next.
5. In the Step 2: Public Server page, perform the following selections and then click Next:
Service: HTTPS
Server IP Address: The X0 IP address of the SonicWALL SSL-VPN appliance, 192.168.200.1 by default
Destination Interface: DMZ
6. In the Congratulations page, click Apply to create the rules and allow access from the WAN to the SonicWALL SSL-VPN appliance on the DMZ.
If you are allowing HTTP access to the SonicWALL SSL-VPN appliance, create a public server access rule for HTTP:
1. In the Firewall > Access Rules page, click .
2. In the Welcome to the Network Access Rules Wizard page, click Next.
3. In the Step 1: Access Rule Type page, select Public Server Rule. Click Next.
4. In the Step 2: Public Server page, perform the following selections and click Next:
Service: Web (HTTP)
Server IP Address: The X0 IP address of the SonicWALL SSL-VPN appliance, 192.168.200.1 by default
Destination Interface: DMZ
5. In the Congratulations page, click Apply to create the rules and allow access from the WAN to the SonicWALL SSL-VPN appliance on the DMZ.

Scenario A: Allowing DMZ -> LAN Connection in SonicOS Standard

When users have connected to the SSL-VPN, they need to be able to connect to resources on the LAN. You need to create two rules--one to allow traffic from the SonicWALL SSL-VPN appliance's X0 interface to your LAN, and one to allow traffic from NetExtender to your LAN.
Note: This procedure uses the Access Rule Wizard to create the rules. You can add the rules manually by clicking Add at the bottom of the Firewall > Access Rules page.
Create access to the LAN for the SSL-VPN X0 interface:
1. In the Firewall > Access Rules page, click .
2. In the Welcome to the SonicWALL Network Access Rules Wizard page, click Next.
3. In the Step 1: Access Rule Type page, select General Rule. Click Next.
4. In the Step 2: Access Rule Service page, select Any. Click Next.
5. In the Step 3: Access Rule Action page configure the following:
Select Action for this Rule: Allow
TCP Connection Inactivity Timeout: 30 minutes
6. Click Next.
7. In the Step 4: Access Rule Source Interface and Address page, perform the following selections and then click Next:
Interface: DMZ
IP Address Begin: The X0 IP address of the SonicWALL SSL-VPN appliance, 192.168.200.1 by default
IP Address End: The X0 IP address of the SonicWALL SSL-VPN appliance, 192.168.200.1 by default
8. In the Step 5: Access Rule Destination Interface and Address page, perform the following selections and then click Next:
Interface: LAN
IP Address Begin: *
IP Address End: Leave blank
9. In the Step 6: Access Rule Time page, leave Time Active set to Always Active unless you want to limit when you want SSL-VPN clients to have access to the LAN.
10. In the Congratulations page, click Apply to create the access rule.