or part, without the written consent of the manufacturer, except in the normal use of the software to
make a backup copy. The same proprietary and copyright notices must be affixed to any permitted
copies as were affixed to the original. This exception does not allow copies to be made for others,
whether or not sold, but all of the material purchased (with all backup copies) can be sold, given,
or loaned to another person. Under the law, copying includes translating into another language or
format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Microsoft Windows 7, Windows Vista, Windows XP, Windows Server 2003, Windows 2000,
Windows NT, Internet Explorer, and Active Directory are trademarks or registered trademarks of
Microsoft Corporation.
Firefox is a trademark of the Mozilla Foundation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and
other countries. Netscape Navigator and Netscape Communicator are also trademarks of
Netscape Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe
Systems Incorporated in the U.S. and/or other countries.
Cisco Systems and Cisco PIX 515e and Linksys and Linksys Playtoy23 are either registered
trademarks or trademarks of Cisco Systems in the U.S. and/or other countries.
Watchguard and Watchguard Firebox X Edge are either registered trademarks or trademarks of
Watchguard Technologies Corporation in the U.S. and/or other countries.
NetGear, NetGear FVS318, and NetGear Wireless Router MR814 SSL are either registered
trademarks or trademarks of NetGear, Inc., in the U.S. and/or other countries.
Check Point and Check Point AIR 55 are either registered trademarks or trademarks of Check
Point Software Technologies, Ltd., in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered
trademarks of their respective companies and are the sole property of their respective
manufacturers.
SonicWALL SSL VPN 4.0 Administrator’s Guide
SonicWALL GPL Source Code
GNU General Public License (GPL)
SonicWALL will provide a machine-readable copy of the GPL open source on a CD. To obtain a
complete machine-readable copy, send your written request, along with a certified check or money
order in the amount of US $25.00 payable to "SonicWALL, Inc." to:
General Public License Source Code Request
SonicWALL, Inc. Attn: Jennifer Anderson
2001 Logic Drive
San Jose, CA 95124-3452
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case
commencing not more than ninety (90) days after the original shipment by SonicWALL), and
continuing for a period of twelve (12) months, that the product will be free from defects in materials
and workmanship under normal use. This Limited Warranty is not transferable and applies only to
the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's
sole and exclusive remedy under this limited warranty will be shipment of a replacement product.
At SonicWALL's discretion the replacement product may be of equal or greater functionality and
may be of either new or like-new quality. SonicWALL's obligations under this warranty are
contingent upon the return of the defective product according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress,
damaged by accident, abuse, misuse or misapplication, or has been modified without the written
permission of SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS
OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR
ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE
HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE
EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED
IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS
DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE
LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL
RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION
TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set
forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A
REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO
EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS,
BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS
ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL,
INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED
AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR
INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall
SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence),
or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the
above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR
JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR
INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at
<http://www.sonicwall.com/us/support.html>. Web-based resources are available to help you
resolve most technical issues or contact SonicWALL Technical Support.
To contact SonicWALL telephone support, see the telephone numbers listed below. See
<http://www.sonicwall.com/us/support/contact.html> for the latest technical support telephone
numbers.
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.3457.8971
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
More Information on SonicWALL Products
Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Check the SonicWALL documentation Web site for the latest versions
of this manual and all other SonicWALL product documentation.
http://www.sonicwall.com/us/support.html
About This Guide
The SonicWALL SSL VPN Administrator’s Guide provides network administrators with a high-level overview of SonicWALL SSL VPN technology, including activation, configuration, and
administration of the SonicWALL SSL VPN management interface and the SonicWALL
SSL-VPN appliance.
Note: Always check <http://www.sonicwall.com/support/documentation.html> for the latest
version of this guide as well as other SonicWALL products and services documentation.
Guide Conventions
The following conventions are used in this guide:
Convention - Use
Bold - Highlights dialog box, window, and screen names. Also highlights buttons and tabs. Also used for file names and text or values you are being instructed to type into the interface.
Italic - Indicates the name of a technical manual, emphasis on certain words in a sentence, or the first instance of a significant term or concept.
Menu Item > Menu Item - Indicates a multiple step Management Interface menu choice. For example, System > Status means select the Status page under the System menu.
Icons Used in this Manual
These special messages refer to noteworthy information, and include a symbol for quick
identification:
Tip - Useful information about security features and configurations on your SonicWALL.
Note - Important information on a feature that requires callout for special attention.
Timesaver - Useful tips about features that may save you time.
Indicates a feature that is supported only on the SSL-VPN 2000, 4000, and SRA 4200
platforms.
Indicates a client feature that is only supported on the Microsoft Windows platform.
Indicates a client feature that is supported on Microsoft Windows, Apple MacOS, and Linux
Organization of This Guide
The SonicWALL SSL VPN Administrator’s Guide is organized in chapters that follow the
SonicWALL SSL VPN Web-based management interface structure.
This section contains a description of the following chapters and appendices:
• “SSL VPN Overview”
• “System Configuration”
• “Network Configuration”
• “Portals Configuration”
• “NetExtender Configuration”
• “Virtual Assist Configuration”
• “Web Application Firewall Configuration”
• “Users Configuration”
• “Log Configuration”
• “Virtual Office Configuration”
• “Appendix A: Accessing Online Help”
• “Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway”
• “Appendix C: Use Cases”
• “Appendix D: NetExtender Troubleshooting”
• “Appendix E: FAQ”
• “Appendix F: Glossary”
• “Appendix G: SMS Email Formats”
SSL VPN Overview
“SSL VPN Overview” on page 7 provides an introduction to SSL VPN technology and an
overview of the SonicWALL SSL-VPN appliance and Web-based management interface
features. The SSL VPN Overview chapter includes SSL VPN concepts, a Web-based
management interface overview, and deployment guidelines.
System Configuration
“System Configuration” on page 63 provides instructions for configuring SonicWALL SSL VPN
options under System in the navigation bar of the management interface, including:
• Registering the SonicWALL appliance
• Setting the date and time
• Working with configuration files
• Managing firmware versions and preferences
• General appliance administration
• Certificate management
• Viewing SSL VPN monitoring reports
• Using diagnostic tools
Network Configuration
“Network Configuration” on page 95 provides instructions for configuring SonicWALL SSL VPN
options under Network in the navigation bar of the management interface, including:
• Configuring network interfaces
• Configuring DNS settings
• Setting network routes and static routes
• Configuring hostname and IP address information for internal name resolution
Portals Configuration
“Portals Configuration” on page 109 provides instructions for configuring SonicWALL SSL VPN
options under Portals in the navigation bar of the management interface, including portals,
domains (including RADIUS, NT, LDAP and Active Directory authentication), and custom logos.
NetExtender Configuration
“NetExtender Configuration” on page 163 provides instructions for configuring SonicWALL SSL
VPN options under NetExtender in the navigation bar of the management interface, including
NetExtender status, setting NetExtender address range, and configuring NetExtender routes.
Virtual Assist Configuration
“Virtual Assist Configuration” on page 175 provides instructions for configuring SonicWALL
SSL VPN options under Virtual Assist in the navigation bar of the management interface,
including Virtual Assist status, settings and licensing.
Web Application Firewall Configuration
“Web Application Firewall Configuration” on page 185 provides instructions for configuring
SonicWALL SSL VPN options under Web Application Firewall in the navigation bar of the
management interface, including Web Application Firewall status, settings, signatures, log, and
licensing.
Users Configuration
“Users Configuration” on page 207 provides instructions for configuring SonicWALL SSL VPN
options under Users in the navigation bar of the management interface, including:
• Access policy hierarchy overview
• Configuring local users and local user policies
• Configuring user groups and user group policies
• Global configuration
Log Configuration
“Log Configuration” on page 259 provides instructions for configuring SonicWALL SSL VPN
options under Log in the navigation bar of the management interface, including viewing and
configuring logs and creating alert categories.
Virtual Office Configuration
“Virtual Office Configuration” on page 269 provides a brief introduction to the Virtual Office, the
user portal feature of SonicWALL SSL VPN. The administrator can access the Virtual Office
user portal using Virtual Office in the navigation bar of the SonicWALL SSL VPN Web-based
management interface. Users access the Virtual Office using a Web browser. The SonicWALL SSL VPN User’s Guide provides detailed information about the Virtual Office.
Appendix A: Accessing Online Help
“Online Help” on page 273 provides a description of the help available from the Online Help
button in the upper right corner of the management interface. This appendix also includes an
overview of the context-sensitive help found on most pages of the SonicWALL SSL VPN
management interface.
Appendix B: Configuring SonicWALL SSL VPN with a Third-Party Gateway
“Configuring SonicWALL SSL VPN with a Third-Party Gateway” on page 275 provides
configuration instructions for configuring the SonicWALL SSL-VPN appliance to work with third-party gateways, including:
• Cisco PIX
• Linksys WRT54GS
• WatchGuard Firebox X Edge
• NetGear FVS318
• Netgear Wireless Router MR814
• Check Point AIR 55
• Microsoft ISA Server 2000
Appendix C: Use Cases
“Use Cases” on page 295 provides use cases for importing CA certificates and for configuring
group-based access policies for multiple Active Directory groups needing access to Outlook
Web Access and SSH.
Appendix D: NetExtender Troubleshooting
“NetExtender Troubleshooting” on page 313 provides troubleshooting support for the
SonicWALL SSL VPN NetExtender feature.
Appendix E: FAQ
“FAQs” on page 317 provides a list of frequently asked questions about the SonicWALL SSL
VPN Web-based management interface and SonicWALL SSL-VPN appliance.
Appendix F: Glossary
“Glossary” on page 341 provides a glossary of technical terms used in the
SonicWALL SSL VPN Administrator’s Guide.
Appendix G: SMS Email Formats
“SMS Email Formats” on page 343 provides a list of SMS email formats for selected worldwide
SonicWALL Technical Support
More Information on SonicWALL Products
About This Guide
Guide Conventions
Organization of This Guide
Table of Contents
System Configuration
System > Status
System > Status Overview
Registering Your SonicWALL SSL-VPN from System Status
Registering the SSL-VPN from System > Licenses
Activating or Upgrading Licenses
System > Support Services
System > Time
System > Time Overview
Setting the Time
Virtual Assist > Status
Virtual Assist > Status
Users > Local Users
Users > Local Users Overview
Adding a Local User
Removing a User
Editing User Settings
Users > Local Groups
Users > Local Groups Overview
Adding a New Group
Deleting a Group
Editing Group Settings
Group Configuration for LDAP Authentication Domains
Group Configuration for Active Directory, NT and RADIUS Domains
Creating a Citrix Bookmark for a Local Group
Global Configuration
Edit Global Settings
Edit Global Policies
Edit Global Bookmarks
Configuring the Mail Server
Using the Virtual Office
Online Help
Online Help
Using Context Sensitive Help
Configuring SonicWALL SSL VPN with a Third-Party Gateway
Before you Begin
Method One – SonicWALL SSL-VPN Appliance on LAN Interface
Method Two – SonicWALL SSL-VPN Appliance on DMZ Interface
Check Point AIR 55
Setting up a SonicWALL SSL-VPN with Check Point AIR 55
Microsoft ISA Server
Deploying a SonicWALL SSL-VPN Behind a Microsoft ISA Server
Configuring ISA
Use Cases
Importing CA Certificates on Windows
Importing a goDaddy Certificate on Windows
Importing a Server Certificate on Windows
Creating Unique Access Policies for AD Groups
Creating the Active Directory Domain
Adding a Global Deny All Policy
Creating Local Groups
Adding the SSHv2 PERMIT Policy
Adding the OWA PERMIT Policies
Verifying the Access Policy Configuration
This chapter provides an overview of the SonicWALL SSL VPN technology, concepts, basic
navigational elements and standard deployment guidelines. This chapter includes the following
sections:
• “Overview of SonicWALL SSL VPN”
• “Concepts for SonicWALL SSL VPN”
• “Navigating the SSL VPN Management Interface”
• “Deployment Guidelines”
Overview of SonicWALL SSL VPN
The SonicWALL SSL-VPN appliance provides organizations with a simple, secure and
clientless method of access to applications and network resources specifically for remote and
mobile employees. Organizations can use SonicWALL SSL VPN connections without the need
to have a pre-configured, large-installation host. Users can easily and securely access email
files, intranet sites, applications, and other resources on the corporate Local Area Network
(LAN) from any location by accessing a standard Web browser.
Organizations use Virtual Private Networks (VPNs) to establish secure, end-to-end private
network connections over a public networking infrastructure, allowing them to reduce their
communications expenses and to provide private, secure connections between a user and a
site in the organization. By offering Secure Socket Layer (SSL) VPN, without the expense of
special feature licensing, the SonicWALL SSL-VPN appliance provides customers with cost-effective alternatives to deploying parallel remote-access infrastructures. This section contains
the following subsections:
• “SSL for Virtual Private Networking (VPN)”
• “SSL VPN Software Components”
• “SSL-VPN Hardware Components”
SSL for Virtual Private Networking (VPN)
A Secure Socket Layer-based Virtual Private Network (SSL VPN) allows applications and
private network resources to be accessed remotely through a secure connection. Using SSL
VPN, mobile workers, business partners, and customers can access files or applications on a
company’s intranet or within a private local area network.
Although SSL VPN protocols are described as clientless, the typical SSL VPN portal combines
Web, Java, and ActiveX components that are downloaded from the SSL VPN portal
transparently, allowing users to connect to a remote network without needing to manually install
and configure a VPN client application. In addition, SSL VPN enables users to connect from a
variety of devices, including Windows, Macintosh, and Linux PCs. ActiveX components are only
supported on Windows platforms.
For administrators, the SonicWALL SSL VPN Web-based management interface provides an
end-to-end SSL VPN solution. This interface can configure SSL VPN users, access policies,
authentication methods, user bookmarks for network resources, and system settings.
For clients, Web-based SonicWALL SSL VPN customizable user portals enable users to
access, update, upload, and download files and use remote applications installed on desktop
machines or hosted on an application server. The platform also supports secure Web-based
FTP access, network neighborhood-like interface for file sharing, Secure Shell versions 1 and
2 (SSHv1 and SSHv2), Telnet emulation, VNC (Virtual Network Computing) and RDP (Remote
Desktop Protocol) support, Citrix Web access, bookmarks for offloaded portals (external Web
sites), and Web and HTTPS proxy forwarding.
The SonicWALL SSL VPN network extension client, NetExtender, is available through the SSL VPN
Web portal via an ActiveX control on Windows or using Java on MacOS or Linux systems. It is also
available through stand-alone applications for Windows, Linux, and MacOS platforms. The
NetExtender standalone applications are automatically installed on a client system the first time
the user clicks the NetExtender link in the Virtual Office portal. SonicWALL SSL VPN
NetExtender enables end users to connect to the remote network without needing to install and
configure complex software, providing a secure means to access any type of data on the
remote network. When used with a SonicWALL SSL-VPN 2000 or higher model, NetExtender
supports IPv6 client connections from Windows systems running Vista or newer, and from Linux
clients.
Note: The SSHv2 applet requires SUN JRE 1.6.0_10 or higher and can only connect to a server
that supports SSHv2. The RDP Java applet requires SUN JRE 1.6.0_10 or higher. Telnet,
SSHv1 and VNC applets support MS JVM in Internet Explorer, and run on other browsers
with SUN JRE 1.6.0_10 or higher.
SSL VPN Software Components
SonicWALL SSL VPN provides clientless identity-based secure remote access to the protected
internal network. Using the Virtual Office environment, SonicWALL SSL VPN can provide users
with secure remote access to your entire private network, or to individual components such as
File Shares, Web servers, FTP servers, remote desktops, or even individual applications
hosted on Microsoft Terminal Servers.
SSL-VPN Hardware Components
See the following sections for descriptions of the hardware components on SonicWALL
SSL-VPN appliances:
• “SRA 4200 Front and Back Panels Overview”
• “SSL-VPN 2000 and 4000 Front and Back Panels Overview”
SRA 4200 Front and Back Panels Overview
Figure 1: SonicWALL SRA 4200 Front and Back Panels
Table 1: SonicWALL SRA 4200 Front Panel Features
Front Panel Feature - Description
Console Port - RJ-45 port, provides access to console messages with serial connection (115200 Baud). Provides access to command line interface (for future use).
USB Ports - Provides access to USB interface (for future use).
Reset Button - Provides access to SafeMode.
Power LED - Indicates the SonicWALL SRA 4200 is powered on.
Test LED - Indicates the SonicWALL SRA 4200 is in test mode.
Alarm LED - Indicates a critical error or failure.
X3 - Provides access to the X3 interface and to SSL VPN resources.
X2 - Provides access to the X2 interface and to SSL VPN resources.
X1 - Provides access to the X1 interface and to SSL VPN resources.
X0 - Default management port. Provides connectivity between the SonicWALL SRA 4200 and your gateway.
Table 2: SonicWALL SRA 4200 Back Panel Features
Back Panel Feature - Description
Exhaust fans - Provides optimal cooling for the SonicWALL SRA 4200 appliance.
Power plug - Provides power connection using supplied power cord.
Power switch - Powers the SonicWALL SRA 4200 on and off.
SSL-VPN 2000 and 4000 Front and Back Panels Overview
Figure 2: SonicWALL SSL-VPN 2000 Front and Back Panels
Figure 3: SonicWALL SSL-VPN 4000 Front and Back Panels
Table 3: SonicWALL SSL-VPN 2000/4000 Front Panel Features
Front Panel Feature - Description
Console Port - Provides access to command-line interface.
Power LED - Indicates the SonicWALL SSL-VPN appliance is powered on.
Test LED - Indicates the SonicWALL SSL-VPN is in test mode.
Alarm LED - Indicates a critical error or failure.
X0 - Default management port. Provides connectivity between the SonicWALL SSL-VPN and your gateway.
X1 - Provides access to the X1 interface and to SSL VPN resources.
X2 - Provides access to the X2 interface and to SSL VPN resources.
X3 - Provides access to the X3 interface and to SSL VPN resources.
X4 (4000 only) - Provides access to the X4 interface and to SSL VPN resources.
X5 (4000 only) - Provides access to the X5 interface and to SSL VPN resources.
Table 4: SonicWALL SSL-VPN 2000/4000 Back Panel Features
Back Panel Feature - Description
Exhaust fans - Provides optimal cooling for the SonicWALL SSL-VPN appliance.
Power plug - Provides power connection using supplied power cord.
Power switch - Powers the SonicWALL SSL-VPN appliance on and off.
Concepts for SonicWALL SSL VPN
This section provides an overview of the following key concepts, with which the administrator
should be familiar when using the SonicWALL SSL-VPN appliance and Web-based
management interface:
• Encryption Overview
• SSL Handshake Procedure
• IPv6 Support Overview
• Browser Requirements for the SSL VPN Administrator
• Browser Requirements for the SSL VPN End User
• Portals Overview
• Domains Overview
• NetExtender Overview
• Network Resources Overview
• SNMP Overview
• DNS Overview
• Network Routes Overview
• Two-Factor Authentication Overview
• One Time Password Overview
• Virtual Assist Overview
• Web Application Firewall Overview
Encryption Overview
Encryption enables users to encode data, making it secure from unauthorized viewers.
Encryption provides a private and secure method of communication over the Internet.
A special type of encryption known as Public Key Encryption (PKE) comprises a public and a
private key for encrypting and decrypting data. With public key encryption, an entity, such as a
secure Web site, generates a public and a private key. A secure Web server sends a public key
to a user who accesses the Web site. The public key allows the user’s Web browser to decrypt
data that had been encrypted with the private key. The user’s Web browser can also
transparently encrypt data using the public key and this data can only be decrypted by the
secure Web server’s private key.
Public key encryption allows the user to confirm the identity of the Web site through an SSL
certificate. After a user contacts the SSL-VPN appliance, the appliance sends the user its own
encryption information, including an SSL certificate with a public encryption key.
SSL Handshake Procedure
The following procedure is an example of the standard steps required to establish an SSL
session between a user and an SSL VPN gateway using the SonicWALL SSL VPN Web-based
management interface:
Step 1: When a user attempts to connect to the SonicWALL SSL-VPN appliance, the user’s Web
browser sends information about the types of encryption supported by the browser to the
appliance.
Step 2: The appliance sends the user its own encryption information, including an SSL certificate with
a public encryption key.
Step 3: The Web browser validates the SSL certificate with the Certificate Authority identified by the
SSL certificate.
Step 4: The Web browser generates a pre-master encryption key, encrypts the pre-master key using
the public key included with the SSL certificate and sends the encrypted pre-master key to the
SSL VPN gateway.
Step 5: The SSL VPN gateway uses the pre-master key to create a master key and sends the new
master key to the user’s Web browser.
Step 6: The browser and the SSL VPN gateway use the master key and the agreed upon encryption
algorithm to establish an SSL connection. From this point on, the user and the SSL VPN
gateway will encrypt and decrypt data using the same encryption key. This is called symmetric
encryption.
Step 7: Once the SSL connection is established, the SSL VPN gateway will encrypt and send the Web
browser the SSL VPN gateway login page.
Step 8: The user submits his user name, password, and domain name.
Step 9: If the user’s domain name requires authentication through a RADIUS, LDAP, NT Domain, or
Active Directory Server, the SSL VPN gateway forwards the user’s information to the
appropriate server for authentication.
Step 10: Once authenticated, the user can access the SSL VPN portal.
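Steps 1 through 6 can be traced in a small model. This is an added example, not SonicWALL code and not a real SSL/TLS implementation: the toy RSA key (two Mersenne primes, no padding), the suite names, the hello random values and the HMAC-based derivation are assumptions chosen so that it runs with the Python standard library alone. In the model both ends compute the master key from the pre-master key and the exchanged random values, which is how SSL/TLS implementations arrive at the shared key.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair for the gateway: two Mersenne primes, textbook RSA
# without padding. Illustration only; real certificates use random primes and padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                  # public modulus, carried in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, never leaves the gateway

# Constructed preference list standing in for the gateway's configured suites.
GATEWAY_SUITES = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]

def choose_suite(browser_suites):
    """Steps 1-2: the gateway picks its most preferred suite that the browser offered."""
    for suite in GATEWAY_SUITES:
        if suite in browser_suites:
            return suite
    raise ValueError("no cipher suite in common")

def encrypt_pre_master(pre_master, e=E, n=N):
    """Step 4, browser side: encrypt the pre-master key with the certificate's public key."""
    return pow(int.from_bytes(pre_master, "big"), e, n)

def decrypt_pre_master(ciphertext, d=D, n=N):
    """Step 4, gateway side: only the holder of the private exponent recovers the key."""
    return pow(ciphertext, d, n).to_bytes(48, "big")

def derive_master(pre_master, client_random, server_random):
    """Step 5, simplified: HMAC-SHA256 stands in for the protocol's key derivation."""
    seed = b"master secret" + client_random + server_random
    return hmac.new(pre_master, seed, hashlib.sha256).digest()

def handshake(browser_suites):
    """Run steps 1-6 once and return what each side ends up holding."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    suite = choose_suite(browser_suites)
    pre_master = secrets.token_bytes(48)               # known to the browser only
    wire = encrypt_pre_master(pre_master)              # all that an observer sees
    browser_key = derive_master(pre_master, client_random, server_random)
    gateway_key = derive_master(decrypt_pre_master(wire), client_random, server_random)
    return suite, wire, pre_master, browser_key, gateway_key
```

The pre-master key crosses the network only in encrypted form, so the secrecy of the whole session rests on the gateway's private key and on the certificate check in Step 3.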
IPv6 Support Overview
Internet Protocol version 6 (IPv6) is a replacement for IPv4 that is becoming more frequently
used on networked devices. IPv6 is a suite of protocols and standards developed by the
Internet Engineering Task Force (IETF) that provides a larger address space than IPv4,
additional functionality and security, and resolves IPv4 design issues. You can use IPv6
without affecting IPv4 communications.
Supported on SonicWALL SSL-VPN models 2000 and higher, IPv6 supports stateful address
configuration, which is used with a DHCPv6 server, and stateless address configuration, where
hosts on a link automatically configure themselves with IPv6 addresses for the link, called link-local addresses.
In IPv6, source and destination addresses are 128 bits (16 bytes) in length. For reference, the
32-bit IPv4 address is represented in dotted-decimal format, divided by periods along 8-bit
boundaries. The 128-bit IPv6 address is divided by colons along 16-bit boundaries, where each
16-bit block is represented as a 4-digit hexadecimal number. This is called colon-hexadecimal.
The IPv6 address, 2008:0AB1:0000:1E2A:0123:0045:EE37:C9B4 can be simplified by
removing the leading zeros within each 16-bit block, as long as each block has at least one
digit. When suppressing leading zeros, the address representation becomes:
2008:AB1:0:1E2A:123:45:EE37:C9B4
When addresses contain contiguous sequences of 16-bit blocks set to zeros, the sequence can
be compressed to ::, a double-colon. For example, the link-local address of
2008:0:0:0:B67:89:ABCD:1234 can be compressed to 2008::B67:89:ABCD:1234. The
multicast address 2008:0:0:0:0:0:0:2 can be compressed to 2008::2.
The IPv6 prefix is the part of the address that indicates the bits of the subnet prefix. Prefixes
for IPv6 subnets, routes, and address ranges are written as address/prefix-length, or CIDR
notation. For example, 2008:AA::/48 and 2007:BB:0:89AB::/64 are IPv6 address prefixes.
SonicOS SSL VPN supports IPv6 in the following areas:
Services
• FTP Bookmark – Define an FTP bookmark using an IPv6 address.
• Telnet Bookmark – Define a Telnet bookmark using an IPv6 address.
• SSHv1 / SSHv2 Bookmark – Define an SSHv1 or SSHv2 bookmark using an IPv6 address.
• Reverse proxy for HTTP/HTTPS Bookmark – Define an HTTP or HTTPS bookmark using
an IPv6 address.
• Citrix Bookmark – Define a Citrix bookmark using an IPv6 address.
• RDP Bookmark – Define an RDP bookmark using an IPv6 address.
• VNC Bookmark – Define a VNC bookmark using an IPv6 address.
Note: IPv6 is not supported for File Shares.
Settings
• Interface Settings – Define an IPv6 address for the interface. The link-local address is
displayed in a tooltip on the Interfaces page.
• Route Settings – Define a static route with IPv6 destination network and gateway.
• Network Object – Define the network object using IPv6. An IPv6 address and IPv6 network
can be attached to this network object.
NetExtender
When a client connects to NetExtender, it can get an IPv6 address from the SSL-VPN appliance
if the client machine supports IPv6 and an IPv6 address pool is configured on the SSL-VPN.
NetExtender supports IPv6 client connections from Windows systems running Vista or newer,
and from Linux clients.
Virtual Assist
Users and Technicians can request and provide support when using IPv6 addresses.
Rules
• Policy rule – User or Group Policies. Three IPv6 options in the Apply Policy To drop-down
list:
  – IPv6 Address
  – IPv6 Address Range
  – All IPv6 Address
• Login rule – Use IPv6 for address fields:
  – Define Login From Defined Addresses using IPv6
  – Two IPv6 options in the Source Address drop-down list: IPv6 Address / IPv6 Network
Virtual Hosts
An administrator can assign an IPv6 address to a virtual host, and can use this address to
access the virtual host.
Application Offloading
An administrator can assign an IPv6 address to an application server used for application
offloading, and can use this address to access the server.
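Because the colon-hexadecimal rules in this section give one address several valid spellings, address, range and network rules should be compared numerically rather than as text. The following added example (not SonicWALL code) implements the notation rules and goes one step further to rule matching; the function names, the rule kinds and the first-last range syntax are assumptions made for illustration.

```python
import re

HEX_BLOCK = re.compile(r"[0-9A-Fa-f]{1,4}")

def expand(addr):
    """Parse colon-hexadecimal text into eight 16-bit blocks; one '::' is allowed."""
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:  # '::' stands for one or more zero blocks; a second '::' fails the check below
        left += ["0"] * max(8 - len(left) - len(right), 1)
    blocks = left + right
    if len(blocks) != 8 or not all(HEX_BLOCK.fullmatch(b) for b in blocks):
        raise ValueError(f"not an IPv6 address: {addr!r}")
    return [int(b, 16) for b in blocks]

def compress(blocks):
    """Suppress leading zeros, then replace the longest run of zero blocks with '::'."""
    text = [format(b, "X") for b in blocks]
    start, length, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > length:
            start, length = i, j - i
        i = max(j, i + 1)
    if length < 2:          # a lone zero block stays "0", as in 2008:AB1:0:1E2A:...
        return ":".join(text)
    return ":".join(text[:start]) + "::" + ":".join(text[start + length:])

def to_int(addr):
    """128-bit integer value of an address written in any valid spelling."""
    return int("".join(format(b, "04x") for b in expand(addr)), 16)

def rule_matches(source, kind, value):
    """Compare numerically so that every spelling of an address hits the same rule."""
    src = to_int(source)
    if kind == "address":
        return src == to_int(value)
    if kind == "range":                      # assumed syntax: first-last
        first, last = (to_int(v) for v in value.split("-"))
        return first <= src <= last
    if kind == "network":                    # address/prefix-length, as in 2008:AA::/48
        net, plen = value.split("/")
        shift = 128 - int(plen)
        if not 0 <= shift <= 128:
            raise ValueError("prefix length must be between 0 and 128")
        return src >> shift == to_int(net) >> shift
    raise ValueError(f"unknown rule kind: {kind!r}")
```

Addresses with an embedded IPv4 tail or a zone identifier are rejected rather than guessed at, so a malformed source address can never silently match a rule.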
Browser Requirements for the SSL VPN Administrator
The following Web browsers are supported for the SonicWALL SSL VPN Web-based
management interface and the user portal, Virtual Office. Java is only required for various
aspects of the SSL VPN Virtual Office, not the management interface.
• Internet Explorer 6.0+, 7.0+, 8.0+
• Firefox 2.0+
• Safari 2.0+
• Chrome 4.0+
The following table provides specific browser requirements.
[Table: SSL VPN Management Interface, Minimum Browser/Version Requirements. Rows: Windows XP, Windows Vista, Windows 7, Linux, MacOS X. The per-browser version cells are not recoverable.]
To configure the SonicWALL SSL-VPN appliance using the Web-based management interface, an
administrator must use a Web browser with Java, JavaScript, ActiveX, cookies, popups, and
SSLv3 or TLS 1.0 enabled.