Global VPN Client 4.10 Admin Guide

Adding VPN Connections

Understanding VPN Connections

The Global VPN Client allows multiple connections to be configured at the same time, whether they are provisioned from multiple gateways or imported from one or more files. Because connections may be provisioned from multiple gateways, each connection explicitly states allowed behavior in the presence of any connection policy conflicts. You may have VPN connections that don’t allow other VPN connections or Internet and network connections while the VPN policy is enabled.

The VPN connection policy includes all the parameters necessary to establish secure IPsec tunnels to the gateway. A connection policy includes Phase 1 and Phase 2 Security Associations (SA) parameters:

Encryption and authentication proposals
Phase 1 identity payload type
Phase 2 proxy IDs (traffic selectors)
Client Phase 1 credential
Allowed behavior of connection in presence of other active connections
Client caching behavior

Adding a new VPN connection is easy because SonicWall’s Client Policy Provisioning automatically provides all the necessary configuration information to make a secure connection to the local or remote network. The burden of configuring the VPN connection parameters is removed from the Global VPN Client user. VPN connections can be created using three methods:

Download the VPN policy from the SonicWall VPN Gateway to the Global VPN Client using the New Connection Wizard. This wizard walks you through the process of locating the source of your configuration information and automatically downloads the VPN configuration information over a secure IPsec VPN tunnel.
Import a VPN policy file into the SonicWall Global VPN Client. The VPN policy is sent to you as a .rcf file, which you install using the Import Connection dialog.
Install the default.rcf file as part of the Global VPN Client software installation or add it after installing the Global VPN Client. If the SonicWall VPN Gateway administrator included the default.rcf file as part of the Global VPN Client software, one or more preconfigured VPN connections are automatically created when the program is installed.
NOTE: Creating a default.rcf file and distributing it with the Global VPN Client software allows the SonicWall VPN Gateway administrator to streamline VPN client deployment and allows users to quickly establish VPN connections. If a default.rcf file is included with the downloaded Global VPN Client software, the VPN policy configured by the SonicWall VPN Gateway administrator is used to create a connection automatically when the client software is installed. For more information on creating the default.rcf file, see Using the default.rcf File.
NOTE: To facilitate the automatic provisioning of Global VPN Clients, your SonicWall appliance must be configured with GroupVPN. For instructions on configuring your appliance with GroupVPN, see the SonicOS Administration Guide.
NOTE: For instructions on importing a certificate into the Global VPN Client, see Using Certificates.

Creating a VPN Connection Using the New Connection Wizard

The following instructions explain how to use the New Connection Wizard to automatically download a VPN connection policy for the Global VPN Client from a local or remote SonicWall VPN gateway.

To use the New Connection Wizard:
Choose Start > Programs > Global VPN Client. The first time you open the SonicWall Global VPN Client, the New Connection Wizard launches automatically.

If the New Connection Wizard does not display, to launch it, click the New Connection button.
Click Next. The New Connection page displays.

Enter the IP address or FQDN of the gateway in the IP Address or Domain Name field. The information you type in the IP Address or Domain Name field appears in the Connection Name field.
Optionally, if you want a different name for your connection, type the new name for your VPN connection in the Connection Name field.
Click Next. The Completing the New Connection Wizard page displays.

Optionally, select either or both:
Create a desktop shortcut for this connection if you want to create a shortcut icon on your desktop for this VPN connection.
Enable this connection when the program is launched if you want to automatically establish this VPN connection when you launch the SonicWall Global VPN Client.
Click Finish. The new VPN connection appears in the Global VPN Client window.

Importing a VPN Configuration File

A VPN connection can be created as a file and sent to you by the SonicWall VPN gateway administrator. This VPN configuration file has the filename extension .rcf. If you received a VPN connection file from your administrator, you can install it using the Import Connection dialog.

The VPN policy file is in the XML format to provide more efficient encoding of policy information. Because the file can be encrypted, pre-shared keys can also be exported in the file. The encryption method is specified in the PKCS#5 Password-Based Cryptography Standard from RSA Laboratories and uses Triple-DES encryption and SHA-1 message digest algorithms.

NOTE: If the .rcf file exported from the SonicWall appliance is encrypted, you must have the password to import the configuration file into the Global VPN Client.
To add a VPN connection by importing a connection file provided by your gateway administrator:
Choose Start > Programs > Global VPN Client.
Select File > Import. The Import Connection dialog displays.

Type the file path for the configuration file in the Specify the name of the configuration file to import field.
Click the Browse button to locate the file.
If the file is encrypted, enter the password in the If the file is encrypted, specify the password field.
Click OK.
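The paragraph above states that an .rcf file is XML protected with PKCS#5 password-based encryption using Triple-DES and SHA-1, which is why pre-shared keys can be exported in it and why the import password is required. The following PowerShell illustration is an added example and is not SonicWall code: it shows that mechanism in general terms (PBKDF2-HMAC-SHA1 deriving a 3DES key from the password, the wrong password making the decrypt fail) using only .NET classes available in Windows PowerShell 5.1. The salt length, iteration count, IV derivation and salt-plus-ciphertext container layout are assumptions chosen for the demonstration; the guide does not document the actual .rcf container, and the XML fragment and pre-shared key below are constructed placeholders.

```powershell
# Added illustration, not SonicWall's .rcf implementation. Container layout, salt length,
# iteration count and IV derivation are assumptions for the demonstration only.
$script:SaltLength = 16
$script:Iterations = 10000   # assumption; PKCS#5 v2.0 only requires an iteration count of at least 1000

function New-PolicyCipher {
    # Derives the 3DES key and IV from the password and salt with PBKDF2-HMAC-SHA1
    # (Rfc2898DeriveBytes defaults to HMAC-SHA1, matching the SHA-1 named in the guide).
    param([string]$Password, [byte[]]$Salt)
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $Salt, $script:Iterations)
    $tdes = [System.Security.Cryptography.TripleDES]::Create()   # CBC mode, PKCS#7 padding by default
    $tdes.Key = $kdf.GetBytes(24)    # 168-bit Triple-DES key
    $tdes.IV  = $kdf.GetBytes(8)     # next 8 bytes of the PBKDF2 stream as IV (assumption)
    return $tdes
}

function Protect-PolicyXml {
    param([Parameter(Mandatory)][string]$Xml, [Parameter(Mandatory)][string]$Password)
    $salt = New-Object byte[] $script:SaltLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $tdes   = New-PolicyCipher -Password $Password -Salt $salt
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Xml)
    $cipher = $tdes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    # Assumed container: salt || ciphertext, Base64-encoded so it travels as text
    return [Convert]::ToBase64String([byte[]]($salt + $cipher))
}

function Unprotect-PolicyXml {
    param([Parameter(Mandatory)][string]$Blob, [Parameter(Mandatory)][string]$Password)
    $bytes  = [Convert]::FromBase64String($Blob)
    $last   = $script:SaltLength - 1
    $salt   = [byte[]]$bytes[0..$last]
    $cipher = [byte[]]$bytes[$script:SaltLength..($bytes.Length - 1)]
    $tdes   = New-PolicyCipher -Password $Password -Salt $salt
    try {
        $plain = $tdes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        $text  = [System.Text.Encoding]::UTF8.GetString($plain)
        # A wrong password almost always breaks the PKCS#7 padding; on the rare occasion it
        # does not, the result is garbage, so also require the plaintext to parse as XML.
        $null = [xml]$text
        return $text
    } catch {
        Write-Warning 'Decryption failed: wrong password or corrupted file; the policy cannot be imported.'
        return $null
    }
}

# Constructed sample policy fragment; the pre-shared key is a placeholder, not a real secret.
$sample = '<Connection><Name>Main Office</Name><Gateway>vpn.example.com</Gateway><PSK>PLACEHOLDER-PSK</PSK></Connection>'
$blob = Protect-PolicyXml -Xml $sample -Password 'correct horse battery'
Unprotect-PolicyXml -Blob $blob -Password 'correct horse battery'
Unprotect-PolicyXml -Blob $blob -Password 'wrong password'
```

With the matching password the second-to-last call returns the XML fragment; with the wrong one the last call warns and returns $null, which is the behaviour the NOTE above describes for the Import Connection dialog. Because the key is derived only from the password and the salt stored beside the ciphertext, the strength of an exported file that carries pre-shared keys rests entirely on the password the administrator chose.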

Using Global VPN Client from a Different Workstation

Using the SonicWall Global VPN Client to connect to a Microsoft Network has certain limitations. Typically, when a computer is attached to a Microsoft Network it has a persistent network connection to the domain controller that is used to verify the user credentials. When the user credentials have been verified by the domain controller, the computer then creates a locally cached profile that is used when the domain controller is not available. However, the SonicWall Global VPN Client provides an ad hoc secure network connection over the Internet back to the Microsoft Network containing the domain controller and thus is not a persistent connection. Since the remote computer cannot connect to the domain controller to verify the logon credentials until the connection is provided by the SonicWall Global VPN Client, the logon fails unless a locally cached profile is available.

The following steps illustrate the classic problem:

A Global VPN Client session must be established to communicate remotely with a Microsoft domain controller.
Global VPN Client can only be launched after you have logged on to the workstation. Because there is no way for the Global VPN Client to connect before you log on, you cannot use it for domain logon when initially logging on.
If you have logged on to the workstation before, there will be a locally cached profile that is used to log on.
You can then start the Global VPN Client, and a connection to the domain is established.
After connecting to the domain, you can run logon scripts, change password, access domain resources, etc.
When you log off, the Global VPN Client terminates, preventing domain communications.
If you have never logged on to the workstation before, there will not be a locally cached profile, so logon will not be possible.

Because logging off (Step c) terminates the SonicWall Global VPN Client, it has historically precluded a different user from logging on and creating a new locally cached profile. This has the undesirable effect that only a user with a pre-existing (locally cached) profile can log on over the Global VPN Client.

The standard workaround for this is to first connect locally to the domain controller and logon with each account expected to use the SonicWall Global VPN Client. This creates a locally cached profile for each account and enables client logon without connection to the Domain Controller.

The unfortunate result of this workaround is that a user without a cached profile on the computer cannot log on without a sojourn to the network containing the domain controller. This can be extremely cumbersome in certain situations such as being located in a distant satellite office and trying to get back to the main office.

Workaround — Forced Creation of a New Locally Cached Profile

The workaround is to create an induced local profile, and then log on to the Microsoft domain using the SonicWall Global VPN Client.

To create an induced local profile:
Log on to the workstation with any locally cached profile (for example, mydomain\user1 or a local machine account). The locally cached profiles are usually stored in the C:\Documents and Settings directory. You should see a folder, called user1, in this path, which contains user1’s profile.
Launch the SonicWall Global VPN Client.
After the SonicWall Global VPN Client establishes a connection and the workstation can communicate with the domain controller, you can create another locally cached profile. You can use the runas command to create a locally cached profile for a new user (for example, mydomain\user2) while using the Global VPN Client connection provided by user1.
From a command prompt, type runas /user:mydomain\user2 explorer.exe (substitute your actual domain for mydomain and actual username for user2). You can use notepad.exe instead of explorer.exe if you prefer.
At the prompt, enter the domain password for user2.
It will take anywhere from a few seconds to a few minutes to create the local profile for user2, and to launch the explorer.exe program. You may quit the explorer.exe program after it launches.
The C:\Documents and Settings directory should now contain a folder for user2.
Close the Global VPN Client.
Log off as user1 from the workstation. You will see the familiar Log On to Windows dialog.
Log on to the workstation as user2 using the newly created locally cached profile.
Launch the SonicWall Global VPN Client. The user2 profile will now provide the credentials for all domain access (including running logon scripts).
You can repeat this procedure as many times as necessary to create additional profiles.
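The following PowerShell functions are an added example, not part of the guide, that carry out and verify the induced-profile steps above: they confirm the domain controller is reachable over the Global VPN Client tunnel, run the guide's runas command for the new user, and then check that Windows has registered a locally cached profile for that user. The profile check reads the ProfileList registry key rather than a fixed folder, so it works whether the profile lives under C:\Documents and Settings or C:\Users. The domain and user names (mydomain, user2) are the guide's placeholders; runas prompts for the password itself, so the password never appears on the command line or in the script.

```powershell
# Added example (not from the SonicWall guide). Assumes Windows PowerShell 5.1 on a
# domain-joined workstation with a Global VPN Client connection already established.

function Get-CachedProfilePath {
    # Returns the profile folder(s) Windows has registered for $UserName. ProfileList is
    # the authoritative record of locally cached profiles, independent of the Windows version.
    param([Parameter(Mandatory)][string]$UserName)
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $profileList | ForEach-Object {
        $imagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        # A name collision gives the folder a suffix (for example user2.MYDOMAIN), so match on prefix
        if ($imagePath -and ((Split-Path -Path $imagePath -Leaf) -like "$UserName*")) { $imagePath }
    }
}

function Test-DomainReachable {
    # The induced profile can only be created while the workstation can talk to the DC,
    # that is, after the Global VPN Client tunnel is up. nltest queries the secure channel.
    param([Parameter(Mandatory)][string]$Domain)
    $null = nltest /sc_query:$Domain 2>$null
    return ($LASTEXITCODE -eq 0)
}

function New-InducedProfile {
    # Performs the guide's runas step for Domain\User and waits for the cached profile to appear.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User,
        [string]$Program = 'notepad.exe',      # the guide allows notepad.exe or explorer.exe
        [int]$TimeoutMinutes = 5                # profile creation takes seconds to minutes
    )
    $existing = Get-CachedProfilePath -UserName $User
    if ($existing) {
        Write-Host "A cached profile for $User already exists at $existing; nothing to do."
        return $existing
    }
    if (-not (Test-DomainReachable -Domain $Domain)) {
        Write-Warning "Domain $Domain is not reachable; connect the Global VPN Client first."
        return $null
    }
    # runas prompts for the domain password of the new user on the console
    & runas.exe "/user:$Domain\$User" $Program
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 5
        $path = Get-CachedProfilePath -UserName $User
    } until ($path -or ((Get-Date) -gt $deadline))
    if ($path) {
        Write-Host "Cached profile for $User created at $path; you can now close $Program, close the client, log off and log on as $User."
    } else {
        Write-Warning "No profile for $User appeared within $TimeoutMinutes minutes; check the password prompt and the tunnel."
    }
    return $path
}

# Usage, substituting your domain and the new user's name:
New-InducedProfile -Domain 'mydomain' -User 'user2'
```

Run it from the console session of the already cached user (user1 in the guide) with the Global VPN Client connected. Reading ProfileList needs no elevation, and the function only starts the program under the new account; the remaining steps (closing the client, logging off and logging on as the new user) are still performed interactively as the guide describes.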

It is also possible to change an expired user password with this procedure if you have another account available to make the Global VPN Client connection back to the domain controller. A simple way to change passwords is from the Windows Security dialog, accessed by:

Press Ctrl+Alt+Delete.
Select Change a password ….
Enter the old password.
Enter the new password.
Confirm the new password.
Click the Arrow button.