Secure Mobile Access 12.0 Connect Tunnel User Guide

Connect Tunnel Client for Mac/Linux

About Connect Tunnel

SonicWall Secure Mobile Access Connect Tunnel with Smart Tunneling is a client component of the Secure Mobile Access virtual private network (VPN) solution, which enables secure, authorized access to Web-based and client/server applications and file shares. This section describes Connect Tunnel for the MacOS and Linux operating systems.

With Connect Tunnel, you can connect to network resources that are protected by the Secure Mobile Access VPN and access the following types of resources:

Client/server resources: Client/server applications, thin client applications, and terminal services.
Web sites and applications: Web content and Web-based applications that can be accessed through a browser.
Network shares: Shared folders and files, and mapped drives.

Connect Tunnel on MacOS and Linux platforms supports IPv6, which is preferred if both IPv4 and IPv6 are available.

System Requirements

This client application requires JVM (Java Virtual Machine) and is intended for use on 32-bit and 64-bit Linux computers and Apple Macintosh-based PPC/IA-32 and PPC/IA-64 computers.

Starting Connect Tunnel

To access network resources through Connect Tunnel, your identity must first be verified. This ensures that only authorized users can access protected network resources. The credentials used to verify your identity typically consist of a username and password or passcode.

Connect Tunnel on MacOS

To start Connect Tunnel on MacOS:
1. In the Finder, double-click Applications, and then double-click the Connect Tunnel icon. The Connect Tunnel login dialog appears.
2. In the Configuration list, select a VPN configuration and click Connect.

   If there are no saved configurations, you must create one; see Editing Connect Tunnel Settings for more information.

3. If you access a network resource that uses a self-signed or invalid server certificate, Connect Tunnel will display the certificate. Verify that the server certificate is from a trusted source before accepting it.

   NOTE: As anyone can issue a certificate, you should accept certificates only from trusted sources as the information you receive may be invalid. If you have any concerns about whether or not to accept a certificate, check with your administrator.

4. In the Login Group selection, choose your Login Group and then click OK.
5. In the Username field, type your username.
6. In the Password or Passcode field, type your password or passcode. (Passwords may be case-sensitive: make sure the Caps Lock and Num Lock keys are not enabled.)
7. Click OK. A message in the login dialog indicates the status of the VPN connection.

TIP: In the Connect Tunnel login dialog, you can initiate a connection to a different VPN or login group by choosing a different configuration from the Configuration list.

TIP: From the Applications directory, you can drag the Connect Tunnel icon to the dock for easier access.

Connect Tunnel on Linux

To start Connect Tunnel on the Linux platform:
1. After Connect Tunnel is installed, you can run startctui from any location. You can also start Connect Tunnel by double-clicking the Connect Tunnel icon on the desktop. The Connect Tunnel login dialog appears.
2. In the Configuration list, select a VPN configuration and click Connect. If there are no saved configurations, you must create one; see Creating a New Configuration for more information.
3. If you access a network resource that uses a self-signed or invalid server certificate, Connect Tunnel will display the certificate. Verify that the server certificate is from a trusted source before accepting it. Because anyone can issue a certificate, you should accept certificates only from trusted sources. Otherwise, the information you receive may be invalid. If you have any concerns about whether to accept a certificate, check with your administrator.
4. In the Login Group selection, choose your Login Group and click OK.
5. In the Username field, type your username.
6. In the Password or Passcode field, type your password or passcode. (Passwords may be case-sensitive: make sure the Caps Lock and Num Lock keys are not enabled.)
7. Click OK. A message in the login dialog indicates the status of the VPN connection.

TIP: In the Connect Tunnel login dialog, you can initiate a connection to a different VPN or login group by choosing a different configuration from the Configuration list.

Specifying a Login Group

Connect Tunnel enables you to log in to different login groups; for example, you can alternate between logging in to the Sales and Marketing groups. You may need to provide different authentication credentials for each login group.

You must specify a login group each time you initiate a connection to your VPN. This option is available only when Connect Tunnel is offline; that is, when not connected to your VPN.

To specify the login group:
1. In the Connect Tunnel login dialog box, choose a Configuration and click Edit.
2. In the Edit Configuration dialog, click Forget Selection and choose Save.
3. Choose the saved Configuration and click Connect.
4. Select the new Login Group and click OK.

Connecting to a Different VPN

To specify a different VPN to connect to, Connect Tunnel must be offline (that is, not connected to your VPN - Status: Disconnected).

To specify the host name or IP address of the VPN:
1. In the Connect Tunnel login dialog box, click Add Configuration.
2. Enter a name for the configuration in the Name field.
3. In the Server field, type the host name or the IP address of the VPN you want to connect to.
4. Click OK. The login dialog appears.

How to Tell if Connect Tunnel is Running

When Connect Tunnel is running and connected to the VPN, a connection status dialog appears. This dialog contains basic connection information, including the name of the configuration you are currently using and the host name or IP address of the VPN you are connected to. You can minimize this dialog on Linux systems; however, closing this dialog will end your network connection and close Connect Tunnel.

Quitting Connect Tunnel

To end your VPN session and disconnect from the remote network, click Disconnect in the Connect Tunnel login dialog.

Managing Configurations

To simplify the login process, you can set up one or more VPN configurations. If, for example, you sometimes connect to a different login group or a different VPN, you can save these settings under different names.

Viewing Connect Tunnel Settings

NOTE: Connect Tunnel must be offline; that is, not connected to your VPN (Status: Disconnected).

To view your settings:
1. In the Connect Tunnel login dialog, select the configuration from the Configuration list.
2. Click Edit. From here you can view your previously made configuration settings after selecting the desired configuration.

Editing Connect Tunnel Settings

NOTE: Connect Tunnel must be offline; that is, not connected to your VPN (Status: Disconnected).

To edit your settings:
1. In the Connect Tunnel login dialog, select the configuration from the Configuration drop-down menu.
2. Click Edit to edit the configuration. The Edit Configuration dialog appears.
3. Make edits to the Name or Server field as necessary.
4. Click Save to save your changes.

Deleting a Configuration

NOTE: Connect Tunnel must be offline; that is, not connected to your VPN (Status: Disconnected).

To delete a configuration:
1. In the Connect Tunnel login dialog, select the configuration from the Configuration list and click Edit.
2. Click Delete to delete the configuration.

Creating a New Configuration

NOTE: Connect Tunnel must be offline; that is, not connected to your VPN (Status: Disconnected).

To create a new configuration:
1. In the Connect Tunnel login dialog, select Add Configuration from the Configuration list.
2. Assign a name to the new configuration (for example, Connect from home).

   This is the name that you will see in the Configuration list when you log in, so specify one that best describes its function.

3. In the Server field, enter the host name or IP address for the VPN.
4. Click Save to save your changes.

Selecting the Advanced Button

NOTE: Connect Tunnel must be offline; that is, not connected to your VPN (Status: Disconnected).

These tabs appear upon clicking Advanced: General, Certificate Manager, Proxy, and About.

Advanced Options

When requests for resources or Internet access are received from clients by the appliance, they can be handled a few different ways. Your administrator makes this configuration choice in Appliance Management Console (AMC).

In split tunnel mode, only traffic destined for resources that have been specified in AMC is redirected to the appliance. All other traffic is routed as normal.

In other words, your administrator sets up a list of resources that are kept secure because they are accessible only through the appliance, but you have open access to anything not spelled out in the resource list (for example, other Internet sites).

In redirect all mode, which is the more secure (and restrictive) approach, all traffic is redirected through the appliance. You are not allowed to access anything that is not in the list of allowed resources.

Your administrator can opt to give you access to local printers and file shares, regardless of the tunnel mode.

If you are having trouble accessing resources, your administrator may instruct you to make a change in the Advanced settings. The Network conflict resolution options are available only when your administrator has configured you for split tunnel mode for this particular VPN configuration. If you need to make a configuration change, it must be done while Connect Tunnel is disconnected.

For example, let’s say you have a host resource—a Web server—with an address of 192.168.230.1. You are on a business trip and the printer you want to use is on a local network at a conference center and uses that same address. You are using a realm that is configured for split tunnel mode, and your administrator has opted to give you access to local printers and file shares. To enable you to print at the conference center, your administrator may instruct you to open the Advanced settings, click Prefer local network resource access, and then click Update.

Credential Caching/Secure Network Detection

If your administrator has allowed the Credential Caching policy, you can enable or disable it via the Remember Credential checkbox on the Connect Tunnel Options dialog. If enabled (checked) on Linux, the policy works while Connect Tunnel is running. On MacOS, however, the information is stored in the keychain and persists across reboots.

If Secure Network Detection is enabled, Connect Tunnel is put into one of three states when connecting to an appliance for the first time:

Connected: The machine is not in a secure location and requires a VPN connection to access resources.
Idle: The machine is in a secure network and does not need the VPN connection to access resources.
Disconnect/Error: The connection is dropped and disconnected due to external network events (for example, network change, dropped wifi signal).

Processing Server Certificates

Some VPN configurations require that you accept a server certificate before you can gain access to a protected network resource. A server certificate is a digitally signed document that identifies the server, so that the client can verify which server it is connecting to.

If you access a network resource that uses a server certificate, Connect Tunnel may display the certificate. Verify that the server certificate is from a trusted source before accepting it.

NOTE: As anyone can issue a certificate, you should accept certificates only from trusted sources as the information you receive may be invalid. If you have any concerns about whether or not to accept a certificate, check with your administrator.
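
One way to carry out the "verify before accepting" check from the certificate steps above and from this section, as an added example that is not part of the original guide or SonicWall's code: compare the SHA-256 fingerprint of the certificate the server presents with the fingerprint your administrator gave you through a trusted channel. The function names, the sample bytes, and the host vpn.example.com are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import ssl


def normalize_fingerprint(text: str) -> str:
    """Accept 'sha256 Fingerprint=AB:CD:...', 'ab cd ...' or bare hex."""
    value = text.split("=")[-1]                  # drop an optional label
    value = re.sub(r"[\s:]", "", value).lower()  # drop separators
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return value


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()


def matches_trusted(der: bytes, trusted: str) -> bool:
    """True only if the presented certificate is the one the admin published."""
    return hmac.compare_digest(cert_fingerprint(der),
                               normalize_fingerprint(trusted))


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    """Fetch what the server presents without validating or trusting it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-in bytes (not a real certificate) so the demo runs offline.
SAMPLE_DER = bytes.fromhex("3082010a0201") + b"constructed-example-certificate"
# Constructed "other" certificate: the same bytes with the last byte changed.
OTHER_DER = SAMPLE_DER[:-1] + b"X"


def colon_hex(fp: str) -> str:
    """Format a hex digest as colon-separated uppercase byte pairs."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()


if __name__ == "__main__":
    # Stand-in for the value the administrator gave you out of band.
    published = "sha256 Fingerprint=" + colon_hex(cert_fingerprint(SAMPLE_DER))
    print("expected cert :", matches_trusted(SAMPLE_DER, published))
    print("different cert:", matches_trusted(OTHER_DER, published))
    # Live use (hypothetical host): fetch_presented_cert("vpn.example.com")
```

A mismatch means the certificate on screen is not the one your administrator published; do not accept it, and check with your administrator.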

Configuring Proxy Server Settings (Linux Only)

For Linux users, some network resources may require traffic to pass through an Internet proxy server, which provides access from your local network to the Internet. Your administrator determines whether a proxy server is required, but you may occasionally be required to specify settings for it.

In many cases, Connect Tunnel can automatically detect your Internet proxy server settings. However, if the settings cannot be automatically detected, you must manually specify them.

This section describes how to specify outbound proxy server settings. This option is available only when Connect Tunnel is offline (that is, when not connected to your VPN), and only in the Linux version of the program.

To configure outbound proxy server settings (Linux):
1. In the Connect Tunnel login dialog, click Advanced.
2. Click the Proxy tab.
3. Click one of the following options:
   a. Direct Connection to the Internet: Enables a direct connection to the Internet, with no outbound proxy server redirection.
   b. Automatically detect proxy settings: Configures the client to detect and use the outbound proxy server settings as defined on your remote network.
   c. Manual proxy configuration: Enables you to manually specify proxy server settings. In the SSL field, type the host name or IP address of the Internet proxy server. In the Port field, type the number of the port on which the server is listening. Select Use the same proxy server for all protocols to use the specified SSL server for all traffic, or specify different proxy servers and their port numbers for HTTP, FTP, or SOCKS traffic. Optionally, in the No proxy for field, you can specify host names or IP addresses that you do not want redirected through a proxy server.
   d. Automatic proxy configuration URL: Configures the client to retrieve a proxy auto-configuration (.pac) file that specifies proxy-server settings. In the field, type the URL of the server that hosts the .pac file.
4. Click OK. The login dialog appears.

Troubleshooting

This section describes how to troubleshoot basic Connect Tunnel client problems. If you are having trouble connecting to your VPN, or accessing local or remote network resources, see if your problem is addressed by the following. If the problem persists, contact your system administrator.

Unable to Connect

Here are a few items to check if you are having trouble connecting to your VPN:

Make sure that Connect Tunnel is running and actively connected to the network. For more information, see How to Tell if Connect Tunnel is Running.
Verify in the Connect Tunnel Properties dialog that you are initiating a connection to the correct host name or IP address. For more information, see Starting Connect Tunnel.
Verify in the Connect Tunnel Properties dialog that you are initiating a connection to the correct login group. For more information, see How to Tell if Connect Tunnel is Running.
If you use a personal firewall, you may need to configure it before you can access your VPN. To do this, configure the firewall to enable traffic to the VPN host name or IP address over port 443.

Unable to Access Resources or the Internet

Your device may have been classified into the wrong security zone.
Your administrator may ask you to confirm the security zone into which you have been classified. If security zones have been configured, you can view your current zone by pausing on the Connect Tunnel icon in the taskbar notification area with your cursor.
When requests for resources or Internet access are received from clients by the appliance, they can be handled a few different ways. Your administrator makes this configuration choice in AMC:
In split tunnel mode, only traffic destined for resources that have been specified in AMC is redirected to the appliance, and all other traffic is routed as normal. In other words, your administrator sets up a list of resources that are kept secure because they are accessible only through the appliance, but you have open access to anything not spelled out in the resource list (for example, other Internet sites).
In redirect all mode, which is the more secure (and restrictive) approach, all traffic is redirected through the appliance: you are not allowed to access anything that is not in the list of allowed resources.
Your administrator can opt to give you access to local printers and file shares, regardless of the tunnel mode.

If you are having trouble accessing resources, your administrator may instruct you to make a change in the Connect Tunnel Properties dialog, on the Advanced tab. The Network conflict resolution options are available only when your administrator has configured you for split tunnel mode. If you need to make a configuration change, it must be done while the Connect Tunnel is disconnected.

For example, you have a host resource—a Web server—with an address of 192.168.230.1. You are on a business trip and the printer you want to use is on a local network at a conference center and uses that same address. You are using a realm that is configured for split tunnel mode, and your administrator has opted to give you access to local printers and file shares. To enable you to print at the conference center, your administrator may instruct you to open the Connect Tunnel Properties dialog, click the Advanced tab, and then click Prefer local network resource access for your session.
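
The tunnel modes and the address conflict described here and under Advanced Options, as an added example that is not part of the original guide and not Connect Tunnel's implementation: a simplified model of where traffic goes in each mode, and of what Prefer local network resource access changes for 192.168.230.1. The function names, the 10.20.0.0/16 resource, the /24 local network, and the rule that the tunnel wins a conflict by default are assumptions of this model.

```python
import ipaddress

# Constructed sample data built around the guide's 192.168.230.1 example.
RESOURCES = ["192.168.230.1/32", "10.20.0.0/16"]   # resource list set by the admin
LOCAL_NETS = ["192.168.230.0/24"]                  # conference-center LAN


def _in_any(addr, networks):
    return any(addr in ipaddress.ip_network(n) for n in networks)


def find_conflicts(resources, local_nets):
    """(resource, local network) pairs whose address ranges overlap."""
    return [(r, n) for r in resources for n in local_nets
            if ipaddress.ip_network(r).overlaps(ipaddress.ip_network(n))]


def route(dest, resources, local_nets, mode="split",
          local_access=False, prefer_local=False):
    """Return 'tunnel', 'local', 'internet' or 'blocked' for one destination."""
    addr = ipaddress.ip_address(dest)
    is_resource = _in_any(addr, resources)
    is_local = _in_any(addr, local_nets)
    if mode == "split":
        if is_resource and is_local:
            # Address conflict. Assumption of this model: the tunnel wins unless
            # local access is allowed and the user chose "prefer local".
            return "local" if local_access and prefer_local else "tunnel"
        if is_resource:
            return "tunnel"
        return "local" if is_local else "internet"
    if mode == "redirect_all":
        if is_resource:
            return "tunnel"
        # Only the optional local printer/file-share access bypasses the tunnel.
        return "local" if is_local and local_access else "blocked"
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    print(find_conflicts(RESOURCES, LOCAL_NETS))
    for kwargs in ({}, {"local_access": True, "prefer_local": True}):
        print(kwargs, route("192.168.230.1", RESOURCES, LOCAL_NETS, **kwargs))
    print(route("203.0.113.10", RESOURCES, LOCAL_NETS, mode="redirect_all"))
```

In this model, while prefer_local is on, anything addressed to 192.168.230.1 reaches the device on the local network rather than the protected Web server.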