Secure Mobile Access 12.0 Connect Tunnel User Guide

Connect Tunnel Client for Windows

About Connect Tunnel

The Connect Tunnel client is a Windows client component of the Connect Tunnel (SMA) solution, which enables secure, authorized access to Web-based client/server applications and Windows file shares.

The Connect Tunnel client enables you to connect to network resources that are protected by the SonicWall SMA 1000 Series appliances.

Connect Tunnel is supported on Windows 7 and above and Windows 10 Anniversary Update and above. Windows Vista is not supported.

Resources Available from Connect Tunnel

Connect Tunnel enables you to securely access the following types of resources:

 

Resource types

| Resource type | Description |
|---|---|
| Client/server resources | Client/server applications, thin client applications, and terminal services, such as Microsoft Outlook, Citrix, and Windows Terminal Services. |
| Web sites and applications | Web content and Web-based applications that can be accessed through a browser, such as Microsoft Outlook Web Access, Domino Web Access, and general Web sites (such as intranets). |
| Windows network shares | Shared Windows folders and files through Windows Network Neighborhood, and mapped drives. |

How to Tell if Connect Tunnel is Running

When Connect Tunnel is running and connected to the VPN, an icon may appear in the taskbar notification area. If you pause on the icon with your cursor, connection status information appears.

You can configure Connect Tunnel not to display this icon during active connections. For more information, see Configuring Connect Tunnel Settings.

You can also verify the state of the Connect Tunnel VPN connection in the Windows Network Connections window.

Viewing Connection Status Information

To view connection status information:
1. On the Start menu, click Control Panel. Continue with the following steps, depending on your operating system. To display all available wireless, wired, dial-up, and VPN connections:
   a. Click Network and Internet.
   b. Click Network and Sharing Center.
   c. Click the Connect to a network link.
2. On the View menu, click Details.
3. In the Dial-up section, view connection status information for the Connect Tunnel connection.

NOTE: Your administrator may have customized the name of this application.

If Connect Tunnel experiences a temporary network interruption, a red circle with an X appears on the Connect Tunnel icon in the taskbar notification area. If the network connection is reestablished, the red circle with the X disappears, and the Connect Tunnel icon returns to its normal state.

Running the Connect Tunnel Client


Downloading Connect Tunnel

Connect Tunnel can be downloaded from the WorkPlace menu. You must have administrator privileges to install the software.

To download Connect Tunnel:
1. Log in to WorkPlace.

   Depending on your configuration, your administrator might issue you a one-time password that allows you to download Connect Tunnel.

2. Enter the password that was sent to you. The WorkPlace application appears and allows you to download the software.
3. In WorkPlace, click the entry for Install Connect Tunnel.
4. Click Install. When the installation is complete, log out of WorkPlace.

Starting Connect Tunnel

To access network resources through Connect Tunnel, you must first verify your identity. This ensures that only authorized users can access protected network resources. The credentials used to verify your identity typically consist of a username and password (or passcode).

Depending on the resources, you may also need to enter a one-time password and/or accept an Acceptable Use Policy.

To start Connect Tunnel:
1. For Windows 7, click Start > All Programs > SonicWall Secure Mobile Access > SonicWall VPN Connection.

   For Windows 8.x and above:
   1) Click the Start button, then select either:
      - All Programs > SonicWall VPN Connection, point to Connections, select the Connect Tunnel connection you want to use.
      - Network > SonicWall VPN Connection.
      NOTE: Your administrator may have customized the name of this application.
   2) Click the Connect button.
2. You will see an initial login screen.
3. Enter your authentication credentials. Depending on how your administrator has configured Connect Tunnel, you may see a combination of these prompts:
   - Type your username in the Username field.
   - In the Password or Passcode field, type your password or passcode. (Passwords may be case-sensitive. Make sure the Caps Lock or Num Lock keys are not enabled.)
   - Enter a one-time password that was sent to you by your administrator.
   - If a client certificate is required for authentication, the Certificate list displays the ones on your device that match the certificate authority (CA) used by the authentication server. Often there will be only one listed.
4. If an Acceptable Use Policy is displayed, click Accept to accept it.
5. Click Connect.

The Connect Tunnel icon appears in the taskbar notification area, indicating that Connect Tunnel is running and connected to the VPN.

Your login may not be exactly the same as that shown above. Your administrator could send you a login that allows you to connect to a specific network.

 
NOTE: In the Connect Tunnel login dialog, you can click Properties to display the Connect Tunnel Properties dialog, where you can initiate a different connection or change program preferences. For more information, see Configuring Connect Tunnel Settings.

Specifying a Login Group

Connect Tunnel enables you to log in to different groups if necessary (for example, if you alternate between logging in to the Sales group and the Marketing group). You may need to provide different authentication credentials for each login group.

You must specify a login group each time you initiate a connection to your VPN. This option is available only when Connect Tunnel is offline (that is, when not connected to your VPN). You do not need administrative privileges to change a host name or login group.

To specify the login group:
1. In the Secure Mobile Access VPN Connection login dialog, click Properties.
2. To the right of the Login group field, click Change.

   The Secure Mobile Access VPN Connection Login Groups dialog appears and displays the current list of login groups.

3. In the Select or enter your login group field, select or type the name of the login group you want to log in to.

   If the correct login group does not appear in the list, click Refresh to update the list of available login groups.

   Depending on how your administrator configured Connect Tunnel, some login groups may not appear in the list; however, you can still log in to a “hidden” login group (if you are authorized to do so) by typing its name in the Select or enter your login group field.

4. Click OK.

Processing Server Certificates

Some VPN configurations require that you accept a server certificate before you can gain access to a protected network resource. A server certificate is a digitally signed credential that verifies a server’s identity.

If you access a network resource that uses a server certificate, Connect Tunnel may display the certificate. Connect Tunnel displays a certificate warning only if the VPN appliance certificate is not from a trusted source; otherwise, the login process continues without any prompt. When a warning appears, you must verify that the server certificate is from a trusted source before accepting it.

NOTE: During the login process, Connect Tunnel processes and warns about certificates of the VPN only, not certificates from resources. Applications used to access resources, such as Internet Explorer, should handle any certificates that are associated with resources.

Because anyone can issue a certificate, you should accept certificates only from trusted sources, as the information you receive may be invalid. You do not need Administrator privileges to process server certificates. If you have any concerns about whether to accept a certificate or not, check with your administrator.

To process a server certificate:
1. When a trusted certificate appears, verify that the certificate is associated with the correct server.
2. Accept or reject the certificate:
   - If you click Reject, your connection is not established.
   - If you click Accept, the certificate is accepted as valid, and the login process will continue.

Similarly, you may be asked to accept a license agreement or Acceptable Use Policy.

Quitting Connect Tunnel

Quitting Connect Tunnel ends your VPN session and disconnects you from the remote network.

To quit Connect Tunnel:
1. In the taskbar notification area, right-click the Connect Tunnel icon.
2. Click Disconnect.

Configuring Connect Tunnel Settings

This section describes how to view and configure the Connect Tunnel client settings. You must have administrator privileges on your computer to change any of these settings.


Viewing Current Connect Tunnel Settings

To view current Connect Tunnel settings:
1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system. To display all available wireless, wired, dial-up, and VPN connections:
   a. Click Network and Internet.
   b. Click Network and Sharing Center.
   c. Click the Connect to a network link.
2. In the Dial-up section, right-click the name of the Connect Tunnel connection (your administrator may have customized the name of this application), and then click Properties. The Connect Tunnel Properties dialog appears.
3. Review the information on the Connections and About tabs:
   - Click the Connections tab to view the current connection settings.
   - Click the About tab to view basic information about the application.
   - Click File Info on the About tab for more detailed information.

Configuring General Settings

This section describes how to configure general settings for Connect Tunnel.

To configure general Connect Tunnel settings:
1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system. To display all available wireless, wired, dial-up, and VPN connections:
   a. Click Network and Internet.
   b. Click Network and Sharing Center.
   c. Click the Connect to a network link.
2. In the Dial-up section, right-click the name of the Connect Tunnel connection.
   NOTE: Your administrator may have customized the name of this application.
3. Click Properties. The Connect Tunnel Properties dialog appears.
4. Click the Connections tab, and configure the Connection settings as necessary. To display:
   - A status bar during the connection process, select the Display progress while connecting checkbox.
   - The Connect Tunnel icon in the taskbar notification area during active connections, select the Show icon in notification area when connected checkbox.
   - A notification if the network connection is experiencing limited or no connectivity, select the Notify me when this connection has limited or no connectivity checkbox.
   - A prompt to establish a new connection if network connectivity is lost, select the Prompt to connect if connection is lost or dropped checkbox.
5. Click OK.

Connecting to a Different VPN

To specify the host name or IP address of the VPN:
1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system. To display all available wireless, wired, dial-up, and VPN connections:
   a. Click Network and Internet.
   b. Click Network and Sharing Center.
   c. Click the Connect to a network link.
2. In the Dial-up section, right-click the name of the Connect Tunnel connection.
   NOTE: Your administrator may have customized the name of this application.
3. Click Properties. The Connect Tunnel Properties dialog appears.
4. Click the Connections tab, and then, in the Host name or IP address of the VPN field, type the host name or the IP address of the VPN you want to connect to.
5. Click OK.

Configuring Connections

Clicking the Properties button on the login menu takes you to the Connections tab, which contains the list of connections and their associated properties, along with operations for modifying, adding, and deleting connections.

The Connections tab list shows all of the connections configured for the client machine. Selecting one item from the list populates all data fields under the Properties section for both the Connection and Logging tabs.

Default Connection is a connection you can use to modify and/or connect to an appliance to pull down the administrator-defined list of connections.

The Properties section is hidden for connections defined by the AMC administrator and visible for Default Connection.

The Connections tab contains general parameters for the selected connection.

Connection Name shows a user-friendly name for the connection, used in the connection display list. It is disabled for Default Connection.

Configuring a Default Connection

The login for your Connect Tunnel may have the option for default connections. In this case, Default Connection is available in the Connections list.

If Default Connection is selected, clicking the Properties button brings up the Connections Properties dialog.

The Connections tab displays information about the Host name and Login group (Realm). If you wish to change login groups, clicking Change will allow you to choose from a list of your current login groups. If no other groups are available, click Cancel to return to the Connection dialog.

The Network Conflict Resolution section allows you to choose what type of network conflict resolution should be performed. If Network Conflict Resolution is administrator controlled by community settings, this section is not available.

The First Connect section allows you to establish an Internet connection prior to establishing a VPN connection. This is most often used when establishing connections by running dialup over VPN. To use this option, select the Establish this connection from check box and then select from the drop-down list of connections.

Display progress while connecting is an option that controls whether or not to display the logon sequence messages while the connection is being established. This includes, but is not limited to: Authentication, EPC Checks and VPN Establishment.

Show icon in notification area is an option that lets you specify whether or not the Secure Mobile Access VPN Connection icon (Knight head) is displayed in the Windows system tray.

Notify me when this connection has limited or no connectivity is an option that lets you see messages about possible connection problems (slowness, packet loss, etc.) that may be incurred while Connect Tunnel is running.

Prompt to connect if connection is lost or dropped is an option that controls whether or not the Secure Mobile Access VPN Connection login dialog pops back up if the connection is dropped or lost for any reason.

When finished making your choices, click OK. Connect Tunnel saves the current configuration and closes the Connection Properties dialog.

Establishing an Initial Network Connection

In some cases, you may need to establish a network connection before you can connect to the VPN; this is usually necessary only if you use a dial-up connection to connect to the Internet.

This section describes how to configure a connection that must be established before you connect to the VPN.

To configure a first connection:
1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system. To display all available wireless, wired, dial-up, and VPN connections:
   a. Click Network and Internet.
   b. Click Network and Sharing Center.
   c. Click the Connect to a network link.
2. In the Dial-up section, right-click the name of the Connect Tunnel connection.
   NOTE: Your administrator may have customized the name of this application.
3. Click Properties. The Connect Tunnel Properties dialog appears.
4. Click the Connections tab and then, under First connect, select the Establish this connection first checkbox.
5. From the list, select the connection that must be established first, and then click OK.

Updating the Connect Tunnel Software

Your network administrator may issue software updates when a new version of the Connect Tunnel software becomes available, or when your network requirements change. Your administrator determines whether to make software updates available to you, and when.

If your administrator has enabled Connect Tunnel software updating, an alert appears during the login process whenever a Connect Tunnel update is ready for download.

To download and install a software update:
During login, if the Connect Tunnel Software Update dialog appears and indicates that a software update is available, the available options depend on how your administrator has configured software updating:
Click Update to immediately download and install the software update. If you select this option, the software update will be installed, and then the login process will continue.
Click Remind Me Later to postpone the software update and continue logging in. If you select this option, Connect Tunnel will reprompt you (once per day) until you download and install the update by clicking Update. Depending on how your administrator has configured Connect Tunnel, this option may be unavailable.
Click Cancel to cancel the software update and the login process.

Troubleshooting

This section describes how to troubleshoot basic Connect Tunnel client problems. If you are having trouble connecting to your VPN, or accessing local or remote network resources, see if your problem is addressed by the following. If the problem persists, contact your system administrator.


Unable to Connect

Here are a few items to check if you are having trouble connecting to your VPN:

Make sure that Connect Tunnel is running and actively connected to the network. For more information, see .
Verify in the Connect Tunnel Properties dialog that you are initiating a connection to the correct host name or IP address. For more information, see Connecting to a Different VPN.
Verify in the Connect Tunnel Properties dialog that you are initiating a connection to the correct login group. For more information, see Specifying a Login Group.
If you use a personal firewall, you may need to configure the firewall before you can access your VPN. To do this, configure the firewall to allow ngvpnmgr.exe traffic to access the Internet, and add the VPN’s host name or IP address as a trusted host or zone.
Authentication may require that you have a particular client certificate on your device. If you make changes to the certificates installed on your computer between logon attempts, update the list presented during login by clicking Refresh.

Unable to Access Resources or the Internet

Your device may have been classified into the wrong security zone:

Your administrator may ask you to confirm the security zone into which you have been classified. If security zones have been configured, you can view your current zone by pausing on the Connect Tunnel icon in the taskbar notification area with your cursor.

When the appliance receives requests for resources or Internet access from clients, it can handle them in a few different ways. Your administrator makes this configuration choice in AMC:

In split tunnel mode, only traffic destined for resources that have been specified in AMC is redirected to the appliance, and all other traffic is routed as normal. In other words, your administrator sets up a list of resources that are kept secure because they are accessible only through the appliance, but you have open access to anything that’s not spelled out in the resource list (for example, other Internet sites).
In redirect all mode, which is the more secure (and restrictive) approach, all traffic is redirected through the appliance: you are not allowed to access anything that is not in the list of allowed resources.
Your administrator can opt to give you access to local printers and file shares, regardless of the tunnel mode.

If you are having trouble accessing resources, your administrator may instruct you to make a change in the Secure Mobile Access VPN Connection Properties dialog, on the Connections tab. The Network conflict resolution options are available only when your administrator has configured you for split tunnel mode. If you need to make a configuration change, it must be done while the Connect Tunnel is disconnected.

For example, you have a host resource—a Web server—with an address of 192.168.230.1. You are on a business trip and the printer you want to use is on a local network at a conference center, and it uses that same address. You are using a realm that is configured for split tunnel mode, and your administrator has opted to give you access to local printers and file shares. To enable you to print at the conference center, your administrator may instruct you to open the Secure Mobile Access VPN Connection Properties dialog, click the Connections tab, and then click Prefer local network resource access for your session.
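
The routing behaviour described above, modelled as an added example (this is not SonicWall code and does not reflect how Connect Tunnel is implemented internally). The 10.20.0.0/16 resource, the conference-center LAN range 192.168.230.0/24, and the handling of address conflicts in redirect all mode are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TunnelPolicy:
    mode: str                   # "split" or "redirect_all", chosen by the administrator
    resources: List[str]        # addresses reachable only through the appliance
    local_networks: List[str]   # networks the client is directly attached to
    allow_local: bool = False   # admin grants local printers and file shares
    prefer_local: bool = False  # "Prefer local network resource access" (split only)


def _matches(dest: str, networks: List[str]) -> bool:
    ip = ipaddress.ip_address(dest)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def route(policy: TunnelPolicy, dest: str) -> str:
    """Return 'tunnel', 'local', 'direct' or 'blocked' for one destination."""
    if policy.mode not in ("split", "redirect_all"):
        raise ValueError("unknown tunnel mode: %r" % policy.mode)
    protected = _matches(dest, policy.resources)
    local = _matches(dest, policy.local_networks)
    if policy.mode == "redirect_all":
        if protected:
            return "tunnel"
        # Assumption: the local printer/share exception covers only addresses
        # that do not collide with a protected resource.
        return "local" if (local and policy.allow_local) else "blocked"
    if protected and local:  # address conflict: the user's setting decides
        return "local" if policy.prefer_local else "tunnel"
    if protected:
        return "tunnel"
    return "local" if local else "direct"


def conflicts(policy: TunnelPolicy) -> List[Tuple[str, str]]:
    """Pairs (resource, local network) whose address ranges overlap."""
    found = []
    for res in policy.resources:
        for net in policy.local_networks:
            a = ipaddress.ip_network(res, strict=False)
            b = ipaddress.ip_network(net, strict=False)
            if a.overlaps(b):
                found.append((res, net))
    return found


# Constructed sample data: the Web server from the example above, one more
# protected network, and a conference-center LAN that reuses the same range.
RESOURCES = ["192.168.230.1/32", "10.20.0.0/16"]
LAN = ["192.168.230.0/24"]
SPLIT_DEFAULT = TunnelPolicy("split", RESOURCES, LAN, allow_local=True)
SPLIT_PREFER_LOCAL = TunnelPolicy("split", RESOURCES, LAN, allow_local=True, prefer_local=True)
REDIRECT_ALL = TunnelPolicy("redirect_all", RESOURCES, LAN, allow_local=True)

if __name__ == "__main__":
    for name, pol in [("split", SPLIT_DEFAULT), ("split+prefer local", SPLIT_PREFER_LOCAL),
                      ("redirect all", REDIRECT_ALL)]:
        for dest in ("192.168.230.1", "192.168.230.50", "10.20.5.5", "203.0.113.10"):
            print(f"{name:20} {dest:16} -> {route(pol, dest)}")
    print("conflicts:", conflicts(SPLIT_DEFAULT))
```

In this model, a print job sent to 192.168.230.1 with the default setting goes through the tunnel to the Web server; with Prefer local network resource access selected, the same address reaches the conference-center printer and the protected Web server at that address is not reachable for the session.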

Working with Logs

You may need to respond to an administrator request to enable debug logs, to reproduce a problem, or download logs for another reason.

1. To enable logging, click the Properties button.
2. Click on the Logging tab.
3. Clear the existing log by clicking Clear Logs, then click Apply.
4. Select the checkbox for Enable Debug Logging and click OK. Let the log run for the specified time. The log will be named according to the formula:

   ngutil-YYYYMMDD_at_HHMMSS.txt

5. When you want to export the log, return to the Settings tab, click Export Logs, and then click OK.