SonicWALL SSL VPN 5.0 User Manual

COMPREHENSIVE INTERNET SECURITY

SonicWALL Secure Remote Access Appliances

SonicWALL SSL VPN 5.0

User’s Guide

Table of Contents

Using This Guide

About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Organization of this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Guide Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Icons Used in this Manual. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Current Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Important Information You Need . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Virtual Office Overview

Virtual Office Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Accessing Virtual Office Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Browser Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Web Management Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Using Virtual Office Features

Importing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Using Two-Factor Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

User Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

User Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Using One-Time Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

User Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

User Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Verifying User One-Time Password Configuration. . . . . . . . . . . . . . . . . . . . . . . 23

Troubleshooting Common Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Using NetExtender. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

User Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

User Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

SonicWALL SSL VPN 5.0 User Guide

iii

Installing NetExtender on Android Smartphones. . . . . . . . . . . . . . . . . . . . . . . . .59

Using NetExtender on Android Smartphones . . . . . . . . . . . . . . . . . . . . . . . . . . .62

Related Documents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

Using Virtual Assist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

Understanding Virtual Assist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

Installing and Launching Virtual Assist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

Configuring Virtual Assist Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Selecting a Virtual Assist Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

Launching a Virtual Assist Technician Session . . . . . . . . . . . . . . . . . . . . . . . . . . .83

Performing Virtual Assist Technician Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84

Using Virtual Assist from the Customer View . . . . . . . . . . . . . . . . . . . . . . . . . . .90

Using Virtual Assist in Unattended Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

Enabling a System for Virtual Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95

Using the Request Assistance Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Using File Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Using the File Shares Applet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Using HTML-Based File Shares. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

Managing Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114

Adding Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115

Editing Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120

Removing Bookmarks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121

Using Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121

Using Remote Desktop Bookmarks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121

Using VNC Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123

Using FTP Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

Using Telnet Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

Using SSHv1 Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

Using SSHv2 Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

Using HTTP and HTTPS Bookmarks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132

Using File Share Bookmarks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Using Citrix Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Global Bookmark Single Sign-On Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . .138

Per-Bookmark Single Sign-On Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

Logging Out of the Virtual Office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141

Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141

Limited Warranty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141

SonicWALL SSL VPN 5.0 User Guide

Using This Guide

About this Guide

Welcome to the SonicWALL SSL VPN User’s Guide. This manual is a user's guide. It provides information on using the SonicWALL SSL VPN user portal called Virtual Office that allows you to create bookmarks and run services over the SonicWALL SSL-VPN security appliance.

Note Always check http://www .sonicwall.com/us/Support.html for the latest version of this manual

as well as other SonicWALL products and services documentation.

Organization of this Guide

The SonicWALL SSL VPN User’s Guide organization is structured into the following parts:

Chapter 1 Virtual Office Overview

This chapter provides an overview of new SonicWALL SSL-VPN security appliance user features, NetExtender, File Shares, services, sessions, bookmarks, and service tray menu options.

Chapter 2 Using Virtual Office

This chapter provides procedures on how to install NetExtender, working with the NetExtender system tray, displaying the NetExtender log, configuring bookmarks, and using file shares.

Guide Conventions

The following conventions used in this guide are as follows:

Convention Use

Bold Highlights dialog box, window, and screen names. Also

Italic Indicates the name of a technical manual. Also indicates

highlights buttons. Also used for file names and text or values you are being instructed to type into the interface.

emphasis on certain words in a sentence. Also, sometimes indicates the first instance of a significant term or concept.

SonicWALL SSL VPN 5.0 User Guide

Guide Conventions

Icons Used in this Manual

These special messages refer to noteworthy information, and include a symbol for quick identification:

Tip Useful information about security features and configurations on your SonicWALL.

Note Important information on a feature that requires callout for special attention.

SonicWALL Technical Support

For timely resolution of technical support questions, visit SonicWALL on the Internet at

http://www.sonicwall.com/us/Support.html. Web-based resources are available to help you

resolve most technical issues or contact SonicWALL Technical Support. To contact SonicWALL telephone support, see the telephone numbers listed below:

North America Telephone Support

U.S./Canada - 888.777.1476 or +1.408.752.7819

International Telephone Support

Australia - + 1.800.35.1642 Austria - + 43(0)820.400.105 EMEA - +31(0)411.617.810 France - + 33(0)1.4933.7414 Germany - + 49(0)1805.0800.22 Hong Kong - + 1.800.93.0997 India - + 8026556828 Italy - +39(0)2.7541.9803 Japan - +81 (0) 3-3457-8971 New Zealand - + 0800.446489 Singapore - + 800.110.1441 Spain - + 34(0)9137.53035 Switzerland - +41(0)1.308.3.977 UK - +44(0)1344.668.484

Note Please visit http://www.sonicwall.com/us/support/contact.html for the latest technical

support telephone numbers.

SonicWALL SSL VPN 5.0 User Guide

Guide Conventions

More Information on SonicWALL Products

Contact SonicWALL, Inc. for information about SonicWALL products and services at:

Web: http://www.sonicwall.com Email: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408)745-9300

Current Documentation

Check the SonicWALL document ation Web site for the latest versions of all SonicW ALL product documentation at http://www.sonicwall.com/us/Support.html

Quick Access Work Sheet

This section should be completed by your network administrator to allow remote users SSL VPN access.

Important Information You Need

IP Address:___________________________________________________ User Name:___________________________________________________ Password:___________________________________________________ Domain:_____________________________________________________

SonicWALL SSL VPN 5.0 User Guide

Guide Conventions

SonicWALL SSL VPN 5.0 User Guide

Virtual Office Overview

This chapter provides an overview of the SonicWALL SSL VPN user portal. It also includes an introduction to the SSL-VPN and its features and applications. This chapter contains the following sections:

• “Virtual Office Overview” section on page 9

• “Browser Requirements” section on page 10

• “Web Management Interface Overview” section on page 12

Virtual Office Overview

SonicWALL SSL VPN Virtual Of fice provides secure remote access to network resources, such as applications, files, intranet Web sites, and email through Web access interface such as Microsoft Outlook Web Access (OWA). The underlying protocol used for these sessions is SSL.

With SSL VPN, mobile workers, telecommuters, partners, and customers can access information and applications on your intranet or extranet. What information should be accessible to the user is determined by access policies configured by the SonicWALL SSL VPN administrator.

Accessing Virtual Office Resources

Remote network resources can be accessed in the following ways:

• Using a standard Web browser - To access network resources, you must log into the SSL

VPN portal. Once authenticated, you may access intranet HTTP and HTTPS sites, offloaded portals, Web-based applications, and Web-based email. In addition, you may upload and download files using FTP or Windows Network File Sharing. All access is performed through a standard Web browser and does not require any client applications to be downloaded to remote users’ machines.

• Using Java thin-client access to corporate desktops and applications – The

SonicWALL SSL-VPN security appliance includes several Java or ActiveX thin-client programs that can be launched from within the SonicWALL SSL-VPN security appliance. Terminal Services and VNC Java clients allow remote users to access corporate servers and desktops, open files, edit and store data as if they were at the office. Terminal Services provides the ability to open individual applications and support remote sound and print services. In addition, users may access Telnet and SSH servers for SSH version 1 (SSHv1) and SSH version 2 (SSHv2), from the SSL VPN portal.

SonicWALL SSL VPN 5.0 User Guide

Browser Requirements

• Using the NetExtender SSL VPN client – The SonicWALL SSL VPN network extension

client, NetExtender, is available through the SSL VPN Virtual Office portal via an ActiveX control or through stand-alone applications for Windows, Linux, MacOS, Windows Mobile, and Android smartphone platforms. To connect using the SSL VPN client, log into the portal, download the installer application and then launch the NetExtender connector to establish the SSL VPN tunnel. The NetExtender Android client has a different installation process, described in this guide. Once you have set up the SSL VPN tunnel, you can access network resources as if you were on the local network.

The NetExtender standalone applications are automatically installed on a client system the first time you click on the NetExtender link in the Virtual Of fice portal. The st andalone client can be launched directly from users’ computers without requiring them to log in to the SSL VPN portal first.

For SSL VPN to work as described in this guide, the SonicWALL SSL-VPN security appliance must be installed and configured according to the directions provided in the SonicWALL SSL- VPN Getting Started Guide for your model.

Browser Requirements

The following Web browsers are supported for the SSL VPN Virtual Office portal:

• Internet Explorer 7.0+, 8.0+

• Firefox 3.0+

• Safari 5.0+

• Chrome 6.0+, 7.0+

For administrator management interface Web browser compatibility, refer to the SonicWALL SSL VPN Administrator’s Guide.

SonicWALL SSL VPN 5.0 User Guide

The following table provides specific browser requirements.

Browser Requirements

Application Proxy

Features and Browser

Requirements

NetExtender

RDP5 (ActiveX)

RDP5 (Java 1.6.0_10+)

VNC (Java 1.6.0_10+)

Telnet (Java 1.6.0_10+)

SSHv1, SSHv2(Java 1.6.0_10+)

Windows XP Windows Vista Windows 7 Linux MacOS X

browser independent

(Java 1.6.0_10+)

browser independent

(Java 1.6.0_10+)

How to read this table:

RDP5 (Java 1.6.0_10)

Feature

OS Platform

Minimum Recommended

Browser

Browser Versions:

736

HTTP, HTTPS, FTP (Browser)

File Sharing (Browser)

File Sharing (Java 1.6.0_10+)

Citrix (ActiveX)

Citrix (Java 1.6.0_10+)

Virtual Assist

(Java not required)

browser independent (Java 1.6.0_10+)

Notes:

1 MacOS supports Virtual Assist on the client-side only. Technician must be running a supported version of Windows operating system.

To configure SonicOS SSL VPN firmware, an administrator must use a Web browser with JavaScript, cookies, and SSL enabled.

SonicWALL SSL VPN 5.0 User Guide

Web Management Interface Overview

Virtual Assist is fully supported on Windows platforms. Virtual Assist is certified to work on Windows 7, Windows Vista and Windows XP. Limited functionality is supported on MAC OS where customers can request for assistance via web-requests.

Web Management Interface Overview

From your workstation at your remote location, launch an approved Web browser and browse to your SSL-VPN appliance at the URL provided to you by your network administrator.

Step 1 Open a Web browser and enter https://192.168.200.1 (the default LAN management IP

address) in the Location or Address field.

Step 2 A security warning may appear. Click the Yes button to continue.

Step 3 The SonicWALL SSL VPN Management Interface displays and prompts you to enter your

user name and password. As a default value, enter admin in the User Name field, password in the Password field, and select a domain from the Domain drop-down list and click the Login button. Only LocalDomain allows administrator privileges. Note that your administrator may have set up another login and password for you that has only user privileges.

The default page displayed is the Virtual Office home page. The default version of this page shows a SonicWALL logo, although your company’s system administrator may have customized this page to contain a logo and look and feel of your company. Go to the Virtual

Office Overview, page 9 to learn more about the Virtual Office home page.

SonicWALL SSL VPN 5.0 User Guide

Web Management Interface Overview

Note From the Virtual Office portal home page, you cannot navigate to the administrator’s

environment. If you have administrator’s privileges and want to enter the administrator environment, you need to go back to the login page and enter a username and password that have administrator privileges, and login again using the LocalDomain domain. Only the LocalDomain allows administrator access to the management interface. Also note that the domain is independent of the privileges set up for the user.

Logging in as a user takes you directly to Virtual Office. The Virtual Of fice Home p age displays as shown here.

Note The Virtual Office content will vary based on the configuration of your network administrator .

Some bookmarks and services described in the SonicWALL SSL VPN User’s Guide may not be displayed when you log into the SonicWALL SSL-VPN security appliance.

SonicWALL SSL VPN 5.0 User Guide

Web Management Interface Overview

The Virtual Office consists of the nodes described in the following table.

Node Description

File Shares Provides access to the File Shares utility, which gives remote

NetExtender Provides access to the NetExtender utility, a transparent SSL

Virtual Assist Provides access to Virtual Assist, an easy to use tool that

Virtual Access (if configured by administrator

Bookmarks Provides a list of available bookmarks which are objects that

Options Provides the option to change user password and use single

Online Help Launches online help for Virtual Office. Tips/Help Provides a short list of common questions and tips about the

Logout Logs you out of the Virtual Office environment.

users with a secure Web interface access to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft’s familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall.

VPN client for Windows, MacOS, Linux, Windows Mobile, or Android smartphone users that allows you to run any application securely on the remote network. It acts as an IPlevel mechanism provided by the virtual interface that negotiates the ActiveX component (on Windows with IE), using a Point-to-Point Protocol (PPP) adapter instance. On non-Windows platforms except Android, Java controls are used to automatically install NetExtender from the Virtual Office portal. After installation, NetExtender automatically launches and connects a virtual adapter for SSL secure NetExtender point-to-point access to permitted hosts and subnets on the internal network.

allows SonicWALL SSL VPN users to remotely support customers by taking control of their computers while the customer observes. Virtual Assist is a lightweight, thin client that installs automatically using Java from the SonicWALL SSL VPN Virtual Office without requiring the inst allation of any external software. For computers that do not support Java, Virtual Assist can be manually installed by downloading an executable file from the Virtual Office.

Virtual Access allows technicians to gain access to systems outside the LAN of the SRA appliance. After downloading and installing the thin client for Virtual Access mode, the system will appear only on that technician’s Virtual Assist support queue, within the SRA’s management interface.

enable you to connect to a location or application conveniently and quickly.

sign-on, if enabled by the administrator.

Virtual Office.

SonicWALL SSL VPN 5.0 User Guide

Web Management Interface Overview

The Home page provides customized content and links to network resources. The Home Page may contain support contact information, VPN instructions, company news, or technical updates.

Only a Web browser is required to access intranet Web sites, File Shares, and FTP sites. VNC, Telnet and SSHv1 require Java. SSHv2 provides stronger encryption than SSHv1, requires SUN JRE 1.4 or above and can only connect to servers that support SSHv2. T ermina l Services requires either Java or ActiveX on the client machine.

As examples of tasks you can perform and environments you can reach through V i rtual Of fice, you can connect to:

• Intranet Web or HTTPS sites – If your organization supports Web-based email, such as

Outlook Web Access, you can also access Web-based email

• The entire network by launching the NetExtender client

• FTP servers for uploading and downloading files

• The corporate network neighborhood for file sharing

• Telnet and SSH servers

• Desktops and desktop applications using Terminal Services or VNC.

• Email servers via the NetExtender client.

The administrator determines what resources are available to users from the SonicWALL SSL VPN Virtual Office. The administrator can create user, group, and global policies that disable access to certain machines or applications on the corporate network.

Certificates

The administrator may also define bookmarks, or preconfigured links, to Web sites or computers on the intranet. Additional bookmarks may be defined by the end user.

SonicWALL NetExtender is a software application that enables remote users to securely connect to the remote network. With NetExtender, remote users can virtually join the remote network. Users can mount network drives, upload and download files, and access resources in the same way as if they were on the local network.

If the SSL-VPN appliance uses a self-signed SSL certificate for HTTPS authentication, then it is recommended to install the certificate before establishing a NetExtender connection. If you are unsure whether the certificate is self-signed or generated by a trusted root Certificate Authority, SonicWALL recommends that you import the certificate. The easiest way to import the certificate is to click the Import Certificate button at the bottom of the Virtual Office home page.

SonicWALL SSL VPN 5.0 User Guide

Web Management Interface Overview

SonicWALL SSL VPN 5.0 User Guide

Using Virtual Office Features

This chapter provides details on how to use the features in the SonicWALL SSL VPN user portal, including NetExtender, configuring bookmarks, accessing services, and using file shares. This chapter contains the following sections:

• “Importing Certificates” section on page 17

• “Using Two-Factor Authentication” section on page 18

• “Using One-Time Passwords” section on page 21

• “Using NetExtender” section on page 23

• “Using Virtual Assist” section on page 77

• “Using File Shares” section on page 97

• “Managing Bookmarks” section on page 114

• “Using Bookmarks” section on page 121

• “Logging Out of the Virtual Office” section on page 141

Importing Certificates

If the SSL VPN gateway uses a self-signed SSL certificate for HTTPS authentication, then it is recommended to install the certificate before establishing a NetExtender connection. If you are unsure whether the certificate is self-signed or generated by a trusted root Certificate Authority , SonicWALL recommends that you import the certificate.

The easiest way to import the certificate is to click the Import Certificate button at the bottom of the Virtual Office home page. The following warning messages may be displayed:

Click Yes. The certificate will be imported.

SonicWALL SSL VPN 5.0 User Guide

Using Two-Factor Authentication

The following sections describe how to log in to the SSL VPN Virtual Office portal using twofactor authentication:

• “User Prerequisites” on page 18

• “User Configuration Tasks” on page 18

User Prerequisites

Before you can log in using two-factor authentication, you must meet the following prerequisites:

• Your administrator has created your user account.

• You have either an RSA SecurID token or a VASCO Digipass token.

User Configuration Tasks

The following sections describe how users log in to the SonicWALL SSL-VPN appliance using the two types of two-factor authentication:

• “RSA User Authentication Process” on page 18

• “VASCO User Authentication Process” on page 20

RSA User Authentication Process

The following sections describe user tasks when using RSA two-factor authentication to log in to the SonicWALL SSL VPN Virtual Office:

• “Logging into the SSL VPN Virtual Office Using RSA Two-Factor Authentication” on

page 18

• “Creating a New PIN” on page 19

• “Waiting for the Next Token Mode” on page 20

Logging into the SSL VPN Virtual Office Using RSA Two-Factor Authentication

To log in to the SonicWALL SSL VPN Virtual Office using RSA two-factor authentication, perform the following steps.

Step 1 Enter the IP address of the SSL-VPN appliance in your computers browser. The authentication

window is displayed.

SonicWALL SSL VPN 5.0 User Guide

Step 2 Enter your username in the Username field. Step 3 The first time you log in to the Virtual office, your entry in the password field depends on

Step 4 Select the appropriate Domain.

Note If manually entering the Domain, it is case-sensitive.

Step 5 Click Login.

Creating a New PIN

Using Two-Factor Authentication

whether you have been given a PIN or if you need to create the PIN.

–

If you already have a PIN, enter the passcode in the Password field. The passcode is

the user PIN and the SecurID token code. For example, if the user’s PIN is 8675 and

the token code is 30966673, then the passcode is 867530966673.

–

If you do not have a PIN, enter the SecurID token code in the Password field.

The RSA Authentication Manager automatically determines when users are required to create a new PIN. will determines that user associated with a particular token requires a new PIN. The SSL-VPN appliance prompts the user to enter new PIN.

Step 1 If the user is configured for the Allowed to Create a PIN option, users are first asked if they

want the system to generate a PIN. To have the system generate a PIN, type y and click OK. To create your own PIN, type n and click OK.

Step 2 The new PIN is displayed. To accept the PIN type y and click OK. To have the system generate

a different PIN, type n and click OK.

Step 3 If you declined to accept a system-generated PIN, or if your username is configured for

Required to Create a PIN, you are prompted to enter your new PIN. Enter the PIN in the New PIN field and again in the Confirm PIN field and click OK.

SonicWALL SSL VPN 5.0 User Guide

Using Two-Factor Authentication

Step 4 The RSA Authentication Manager verifies that the new PIN is an acceptable PIN. If the PIN is

accepted, the user is prompted to log in with the new passcode.

Waiting for the Next Token Mode

If user authentication fails three consecutive times, the RSA server requires the user to generate and enter a new token. To complete authentication, the user is prompted to wait for the token to change and enter the next token.

VASCO User Authentication Process

The following sections describe user tasks when using RSA two-factor authentication:

• “Logging into the SSL VPN Virtual Office Using VASCO Two-Factor Authentication” on

page 20

• “Creating a New PIN” on page 19

Logging into the SSL VPN Virtual Office Using VASCO Two-Factor Authentication

To log in to the SonicWALL SSL VPN Virtual Office using VASCO two-factor authentication, perform the following steps:

Step 1 Enter the IP address of the SSL-VPN appliance in your computers browser. The authentication

window is displayed.

Step 2 Enter your username in the Username field.

SonicWALL SSL VPN 5.0 User Guide

Step 3 Enter the passcode in the Password field. The passcode is the user PIN and the VASCO

Digipass token code. For example, if the users PIN is 8675 and the token code is 30966673, then the passcode is 867530966673.

Step 4 Select the appropriate Domain.

Note If manually entering the Domain, it is case-sensitive.

Step 5 Click Login.

Using One-Time Passwords

The following sections describe how to use one-time passwords:

• User Prerequisites, page 21

• User Configuration Tasks, page 21

• Verifying User One-Time Password Configuration, page 23

• Troubleshooting Common Errors, page 23

Using One-Time Passwords

User Prerequisites

Users must have a user account enabled in the SSL VPN management interface. Only users enabled by the administrator to use the One-Time Password feature will need to perform the following configuration tasks. The administrator must enable a correct email address that is accessible by the user. Users cann ot enable the One-T ime Password feature and they must be able to access the SSL VPN Virtual Office portal.

User Configuration Tasks

To use the One-Time Password feature, perform the following steps:

Step 1 If you are not logged into the SSL VPN Virtual Office user interface, open a Web browser and

type the Virtual Office interface URL in the Location or Address bar and press Enter. Type in your user name in the User Name field and your password in the Password field, then select the appropriate domain from the Domain pull-down. Click Login.

SonicWALL SSL VPN 5.0 User Guide

Using One-Time Passwords

Step 2 The prompt “A temporary password has been sent to user@email.com” will appear, displaying

your pre-configured email account.

Step 3 Login to your email account to retrieve the one-time password. Step 4 Type or p aste the one-time password into the Password: field where pr ompted and click Login. Step 5 You will be logged in to the Virtual Office.

Note One-time passwords are immediately deleted after a successful login, and cannot be used

again. Unused one-time passwords will expire according to each user’s timeout policy.

Configuring One-Time Passwords for SMS-Capable Phones

SonicWALL SSL VPN One-Time Passwords can be configured to be sent via email directly to SMS-capable phones. Contact your cell phone service provider for further information about enabling SMS.

Below is a list of SMS email formats for selected major carriers, where 4085551212 represents a 10-digit telephone number and area code.

Note These SMS email formats are for reference only. These email formats are subject to change

and may vary. You may need additional service or information from your provider before using SMS. Contact the SMS provider directly to verify these formats and for further information on SMS services, options, and capabilities.

• Verizon: 4085551212@vtext.com

• Sprint: 4085551212@messaging.sprintpcs.com

• AT&T: 4085551212@mobile.att.net

• Cingular: 4085551212@mobile.mycingular.com

• T-Mobile: 4085551212@tmomail.net

• Nextel: 4085551212@messaging.nextel.com

• Virgin Mobile: 4085551212@vmobl.com

• Qwest: 4085551212@qwestmp.com

For a more complete list, see the SonicWALL SSL VPN Administrator's Guide.

SonicWALL SSL VPN 5.0 User Guide

Verifying User One-Time Password Configuration

If you are successfully logged in to Virtual Office, you have correctly used the One-Time Password feature.

If you cannot login using the One-Time Password feature, verify the following:

• Are you able to login to the Virtual Office without being prompted to check your email for a

one-time password? You have not been enabled to use the One-Time Password feature. Contact your SSL VPN administrator.

• Is your email address correct? If your email address has been entered incorrectly, contact

your SSL VPN administrator to correct it.

• Is there no email with a one-time password? Wait a few minutes and refresh your email

inbox. Check your spam filter. If there is no email after several minutes, try to login again to generate a new one-time password.

• Have you accurately typed the one-time password in the correct field? Re-type or copy and

paste the one-time password.

Troubleshooting Common Errors

Using NetExtender

Symptom I see an error message indicating that an email configuration is invalid, and I have

verified that the One-Time Password feature is configured correctly.

Possible Cause The SonicWALL SSL VPN One-Time Password feature does not support

email servers that require passwords or other authentication. Your email server must allow anonymous access to allow the One-Time Password feature to successfully send a one-time password.

Using NetExtender

The following sections describe how to use NetExtender:

• “User Prerequisites” section on page 23

• “User Configuration Tasks” section on page 25

• “Verifying NetExtender Operation from the System Tray” section on page 46

User Prerequisites

Prerequisites for Windows Clients:

Windows clients must meet the following prerequisites in order to use NetExtender:

• One of the following platforms:

–

Windows 7

–

Windows Vista Service Pack 2 (32-bit & 64-bit)

–

Windows XP Home or Professional, Windows XP Service Pack 3

–

Windows 2000 Professional, Windows 2000 Server, Windows 2003 Server

SonicWALL SSL VPN 5.0 User Guide

Using NetExtender

• One of the following browsers:

–

Internet Explorer 7.0 and higher

–

Mozilla Firefox 3.0 and higher

–

Google Chrome 6.0 and higher

• To initially install the NetExtender client, the user must be logged in to the PC with

administrative privileges.

• Downloading and running scripted ActiveX files must be enabled on Internet Explorer.

• If the SSL VPN gateway uses a self-signed SSL certificate for HTTPS authentication, then

it is necessary to install the certificate before establishing a NetExtender connection. If you are unsure whether the certificate is self-signed or generated by a trusted root Certificate Authority, SonicWALL recommends that you import the certificate. The easiest way to import the certificate is to click the Import Certificate button at the bottom of the Virtual Office home page.

Prerequisites for Windows Mobile Clients

NetExtender supports the following Windows Mobile platforms:

• Windows Mobile 5 PocketPC version

• Windows Mobile 6 Professional/Classic version

Windows Mobile 5 Smart Phone version and Windows Mobile 6 Standard version are not currently supported.

Prerequisites for MacOS Clients:

MacOS clients meet the following prerequisites in order to use NetExtender:

• MacOS 10.5 and higher

• Java 1.5 and higher

• Both PowerPC and Intel Macs are supported.

Prerequisites for Linux Clients:

Linux 32-bit or 64-bit clients are supported for NetExtender when running one of the following distributions (32-bit or 64-bit):

• Linux Fedora Core 8 or higher, Ubuntu 7 or higher, or OpenSUSE 10.3 or higher

• Sun Java 1.4 and higher is required for using the NetExtender GUI.

The NetExtender client has been known to work on other distributions as well, but these are not officially supported.

Note Open source Java Virtual Machines (VMs) are not currently supported. If you do not have

Sun Java 1.5 or higher, you can use the command-line interface version of NetExtender.

Prerequisites for Android Smartphone Clients

The NetExtender Android client is supported on rooted smartphones running the following versions of the Android operating system:

• 1.6 or higher

The NetExtender Android client is compatible with any SonicWALL SSL VPN firmware version that supports the NetExtender Linux client, specifically:

• SSL VPN 4.0 and higher

SonicWALL SSL VPN 5.0 User Guide

Using NetExtender

As new features are added, users must install the updated client to access all the features supported by the new firmware. Likewise, if a new client is used with older firmware, some client features may not be functional. For best results, the latest firmware should always be used with the latest client.

Note Only rooted devices are supported for NetExtender Android in SonicWALL SSL VPN 5.0.

The rooting requirement is due to limitations and restrictions of the Android platform. A layer 3 VPN client like NetExtender requires root permission for certain necessary OS level operations. Until a future version of the Android OS provides a flexible API to do these operations without root access, the rooting requirement will remain.

Warning

Rooting your phone may void your warranty. Consult your contract or User’s Guide, or call your service provider for more information.

User Configuration Tasks

The following sections describe how to use NetExtender on the various supported platforms:

Windows Platform Installation

• “Installing NetExtender Using the Mozilla Firefox Browser” section on page 26

• “Installing NetExtender Using the Internet Explorer Browser” section on page 30

Windows Platform Usage

• “Launching NetExtender Directly from Your Computer” section on page 34

• “Configuring NetExtender Properties” section on page 35

• “Configuring NetExtender Connection Scripts” section on page 36

• “Configuring Proxy Settings” section on page 38

• “Configuring NetExtender Log Properties” section on page 40

• “Disconnecting NetExtender” section on page 44

• “Upgrading NetExtender” section on page 44

• “Authentication Methods” section on page 44

• “Verifying NetExtender Operation from the System Tray” section on page 46

• “Using the NetExtender Command Line Interface” section on page 46

MacOS Platform

• “Installing NetExtender on MacOS” section on page 48

• “Using NetExtender on MacOS” section on page 50

Linux Platform

• “Installing and Using NetExtender on Linux” section on page 52

SonicWALL SSL VPN 5.0 User Guide

Using NetExtender

Windows Mobile Platform

• “Installing and Using NetExtender for Windows Mobile” section on page 55

Android Smartphone Platform

• “Installing NetExtender on Android Smartphones” section on page 59

• “Using NetExtender on Android Smartphones” section on page 62

Installing NetExtender Using the Mozilla Firefox Browser

To use NetExtender for the first time using the Mozilla Firefox browser, perform the following:

Step 1 To launch NetExtender, first log in to the SSL VPN portal. Step 2 Click the NetExtender button.

Step 3 The first time you launch NetExtender, it will automatically install the NetExtender stand-alone

application on your computer. If a warning message is displayed in a yellow banner at the top of your Firefox banner, click the Edit Options... button.

SonicWALL SSL VPN 5.0 User Guide

Using NetExtender

Step 4 The Allowed Sites - Sof tware Inst allation window may appea r , with the address of the Vi rtual

Office server in the address window. Click Allow to allow Virtual Office to install NetExtender, and click Close.

Step 5 The Allowed Sites window displays. Click Allow to add the SSL-VPN appliance to the list of

allowed sites.

Step 6 Return to the Virtual Office window and click NetExtender again. Step 7 You may see a security warning. Click Install. Step 8 You may see a Web site certificate warning message. Select the Accept this certificate

permanently button and click OK.

SonicWALL SSL VPN 5.0 User Guide

Using NetExtender

Step 9 You may see a Security Error: Domain Name Mismatch warning. Click OK.

Step 10 The Software Installation window is displayed. After a five second countdown, the Install Now

Step 11 You may be prompted to re-start Firefox in order to inst all NetExtender. Click Restart FireFox.

button will become active. Click it.

Step 12 Firefox will restart and you will need to login again. NetExtender will then install as a Firefox

extension.

SonicWALL SSL VPN 5.0 User Guide

Using NetExtender

Step 13 When NetExtender completes installing, the NetExtender Status window displays, indicating

that NetExtender successfully connected.

Closing the windows (clicking on the x icon in the upper right corner of the window) will not close the NetExtender session, but will minimize it to the system tray for continued operation.

Step 14 Review the following table to understand the fields in the NetExtender Status window.

Field Description

Status Indicates what operating state the NetExtender client is in,

either Connected or Disconnected.

Server Indicates the name of the server to which the NetExtender

client is connected. Client IP Indicates the IP address assigned to the NetExtender client. Sent Indicates the amount of traffic the NetExtender client has

transmitted since initial connection. Received Indicates the amount of traffic the NetExtender client has

received since initial connection. Throughput Indicates the current NetExtender throughput rate.

Step 15 Additionally , a balloon icon in the system tray appears, indicating NetExtender has successfully

installed.

Step 16 The NetExtender icon is displayed in the task bar.

SonicWALL SSL VPN 5.0 User Guide

Using NetExtender

Installing NetExtender Using the Internet Explorer Browser

SonicWALL SSL VPN NetExtender is fully compatible with Microsoft Windows Vista 32-bit and 64-bit, and supports the same functionality as with other Windows operating systems.

Note It may be necessary to restart your computer when installing NetExtender on Windows V ista

or Windows 7.

Internet Explorer Prerequisites

It is recommended that you add the URL or domain name of your SSL VPN server to Internet Explorer’s trusted sites list. This will simplify the process of installing NetExtender and logging in, by reducing the number of security warnings you will receive. To add a site to Internet Explorer’s trusted sites list, complete the following procedure:

Step 1 In Internet Explorer, go to Tools > Internet Options. Step 2 Click on the Security tab. Step 3 Click on the Trusted Sites icon and click on the Sites... button to open the Trusted sites

window.

Step 4 Enter the URL or domain name of your SSL VPN server in the Add this Web site to the zone

field and click Add.

Step 5 Click Ok in the Trusted Sites and Internet Options windows.

Installing NetExtender from Internet Explorer

To install and launch NetExtender for the first time using the Internet Explorer browser , perform the following:

Step 1 Log in to the SSL VPN Virtual Office portal.

SonicWALL SSL VPN 5.0 User Guide

+ 113 hidden pages