Secure Mobile Access 12.0 Connect Tunnel User Guide

Connect Tunnel Service

About Connect Tunnel Service

The Connect Tunnel Service client is a Windows server component of the SonicWall Secure Mobile Access (SMA 1000) solution that enables secure, authorized access to Web-based and client/server applications and Windows file shares.

In a server environment, you can install and configure an add-on component—CTS—so that the VPN connection starts automatically without user intervention: no user login is required and no user interface or icons are displayed.

For example, you may want to synchronize data between a remote system in the field and a file server secured behind the VPN at corporate headquarters. On the remote system—running the Windows Server platform—CTS is configured to run at a specific time, connect to the corporate file server, and synchronize its database with the master database at headquarters.

CTS is supported on Windows Server 2008 R2 and above.

Installing Connect Tunnel Service

Using Connect Tunnel Service involves installing both Connect Tunnel (CT) and Connect Tunnel Service (CTS).

To install and configure Connect Tunnel Service:
Log into the Appliance Management Console (AMC) on your SonicWall SMA 1000 Series appliance.
Navigate to the Agent Configuration > Download page.
Under Client Installation Packages, download the 32-bit or 64-bit installation packages for both Connect Tunnel and Connect Tunnel Service.
Install Connect Tunnel first (ngsetup_<xx>.exe or ngsetup64_<xx>.exe). A shortcut named SonicWall VPN Connection is created on the desktop.
Install Connect Tunnel Service (ctssetup_<xx>.exe or ctssetup64_<xx>.exe). A shortcut named SonicWall VPN Service Options is created on the desktop.

On the desktop, double-click the SonicWall VPN Service Options shortcut. Alternatively, double-click SonicWall VPN Service Options in the Control Panel. The SonicWall VPN Service Properties dialog appears.

On the VPN tab, configure these settings:

VPN Connection Name

Type the name of the SonicWall Connect Client connection object exactly as it appears in the Windows Network Connections window (Start|Connect To|Show All Connections). By default, this is SonicWall VPN Connection.

Hostname or IP address

Type the host name or IP address of the SonicWall SMA 1000 Series appliance.

Login group

Type the name of the realm used by users in this login group.

Username and Password

Type the credentials for a user in this login group. You must enter a username and password or a certificate CN. In some cases of chained authentication, both a username and a certificate are required.

Certificate CN

A certificate's common name (CN) identifies its owner. Specify the CN for the certificate associated with this realm.

On the Service tab, configure the following settings:

Number of attempts to restart a failed connection

Specify how many times to attempt restarting if an initial connection attempt fails.

Endless Retries

Select this check box to continuously keep trying to connect until connected successfully.

Time interval between restart attempts

Specify the amount of time (in minutes) to wait between restart attempts.

Click the Start button. The Start and Stop buttons are used to control the service.

To verify that Connect Tunnel started, open the SonicWall VPN Connection shortcut on the desktop. You should see the established connection.

Alternatively, you can issue the ipconfig command on the command line to verify that you have a virtual IP address for the SonicWall VPN Connection.

Importing the Client Certificate

The certificate specified for CTS must be located in the Local Computer certificate store of the device; certificates in a user's store are not available to the service, because the service does not run in that user's context. The Microsoft Management Console (MMC) is the tool used to manage the Local Computer store through its Certificates snap-in.

To import a certificate into the device's Local Computer store:
To open the Microsoft Management Console, click the Windows start button and type mmc in the text field.
Press Enter.
In the File menu, choose the option for adding a snap-in.
To add a standalone snap-in, select Certificates, and then click the Add > button. Snap-ins can manage certificates for different accounts.
Select Computer account.
Click Next.
Select Local computer.
Click Finish.

You should now see Certificates (Local Computer) in the list of selected snap-ins. The certificate must now be copied to a certificate store.

In the Microsoft Management Console, right-click Personal > Certificates in the left navigation pane, and then select All Tasks > Import.
Specify the certificate file you want to import, along with its password.
Place the certificate in your Personal store.
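The same import and a check that the certificate is where CTS expects it, scripted in PowerShell. This is an added example, not SonicWall's own tooling; the PFX path and CN are placeholders, it assumes an elevated prompt, and Import-PfxCertificate needs the PKI module (Windows Server 2012 or later).

```powershell
# Added example (not SonicWall's own code): import the client certificate into the
# Local Computer Personal store and confirm it is visible there by CN.
# Assumptions: PFX path and CN are placeholders; run from an elevated prompt.
param(
    [string]$PfxPath    = 'C:\certs\cts-client.pfx',    # placeholder
    [string]$ExpectedCN = 'cts-client.example.com'      # placeholder; must match "Certificate CN" on the VPN tab
)

$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Cert:\LocalMachine\My is "Certificates (Local Computer) > Personal" in the MMC snap-in.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $password

# CTS runs as a service, so a copy in the current user's store is not visible to it.
$inUserStore = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if ($inUserStore) {
    Write-Warning 'A copy also exists in the current user store; CTS does not use that one.'
}

# Look the certificate up the way the service does: by its common name.
$match = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -match "(^|, )CN=$([regex]::Escape($ExpectedCN))(,|$)" } |
    Select-Object -First 1
if (-not $match) {
    throw "No certificate with CN=$ExpectedCN in the Local Computer Personal store"
}
if (-not $match.HasPrivateKey) { throw 'Certificate was imported without its private key' }
if ($match.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($match.NotAfter)" }
Write-Host "OK: $($match.Subject) (thumbprint $($match.Thumbprint)) is available to CTS"
```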

Using Windows Services to run CTS

You can use Windows Services to manage CTS on a local or remote computer.

How to use Windows Services to configure and run CTS:
On the Windows Server platform running Connect Tunnel Service, run Windows Services.
Open the SonicWall VPN Service Properties dialog (Control Panel > Administrative Tools > Services > SonicWall SMA VPN Service).

Use these settings to control the service (start, stop, pause, resume, or disable), set up recovery actions in case of service failure, or disable the service for a particular hardware profile.
Click OK.

Using a Command or Script to run CTS

You can use the Windows sc.exe utility to communicate with Service Controller (services.exe) from the command prompt or in a batch file. This enables you to automate the startup and shutdown of the SonicWall VPN service.

In an environment where you want users to be able to start the VPN connection by clicking on a shortcut (and without being aware of the credentials), you could also create a shortcut on the desktop that launches a command or batch file. For example:

To start and stop Connect Tunnel Service on a remote computer, use the following commands:

sc \\SERVERNAME start ctssrv
sc \\SERVERNAME stop ctssrv

To start or stop the Connect Tunnel Service from the command line or a third-party application, invoke these commands:

%windir%\system32\sc.exe start ctssrv
%windir%\system32\sc.exe stop ctssrv
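A script that wraps these commands, applies the retry behaviour of the Service tab, and performs the ipconfig verification described earlier. This is an added example, not SonicWall's own code; the service name ctssrv and adapter name SonicWall VPN Connection come from this guide, and the attempt and interval values are placeholders.

```powershell
# Added example (not SonicWall's own code): start CTS, wait for the tunnel adapter
# to receive a virtual IP, retry as configured, and surface CTS events on failure.
# Assumptions: service ctssrv and adapter "SonicWall VPN Connection" as in the guide;
# attempt/interval values are placeholders mirroring the Service tab settings.
param(
    [string]$ServiceName     = 'ctssrv',
    [string]$AdapterName     = 'SonicWall VPN Connection',
    [int]   $Attempts        = 3,   # "Number of attempts to restart a failed connection"
    [int]   $IntervalMinutes = 1    # "Time interval between restart attempts"
)

$sc = "$env:windir\system32\sc.exe"

function Get-TunnelAddress {
    # Same verification the guide describes: parse ipconfig for the adapter's IPv4 address.
    $sections = ((ipconfig) -join "`n") -split 'adapter '
    $block = $sections | Where-Object { $_ -like "$AdapterName*" } | Select-Object -First 1
    if ($block -and $block -match 'IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)') { return $Matches[1] }
    return $null
}

for ($i = 1; $i -le $Attempts; $i++) {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        & $sc start $ServiceName | Out-Null        # the same command shown above
    }
    # Give the tunnel up to one retry interval to come up, polling every 10 seconds.
    $deadline = (Get-Date).AddMinutes($IntervalMinutes)
    do {
        Start-Sleep -Seconds 10
        $ip = Get-TunnelAddress
    } until ($ip -or (Get-Date) -gt $deadline)

    if ($ip) { Write-Host "Tunnel up on attempt ${i}: $AdapterName has $ip"; exit 0 }
    Write-Warning "Attempt $i of $Attempts failed; stopping the service before retrying"
    & $sc stop $ServiceName | Out-Null
}

# All attempts failed: show the latest messages CTS wrote to the Application log.
Get-EventLog -LogName Application -Source CTS -Newest 5 -ErrorAction SilentlyContinue |
    Format-Table TimeGenerated, EntryType, Message -AutoSize -Wrap
exit 1
```

If the log shows "Direct internet access is not available", check the outbound proxy requirement in the note below before retrying.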


Use the Windows Event Viewer (Control Panel > Administrative Tools > Event Viewer > Application, where the Source is CTS) to view any information, warning, or error messages related to running Connect Tunnel Service.

For more detailed messages, look in the service log; the default location is %ALLUSERSPROFILE%\Application Data\SonicWall.

NOTE: If your environment includes an outbound HTTP proxy for access to the Internet, you must use one that does not require authentication; otherwise, you will see the following error message in the log file for CTS (CTSsrv.log): Direct internet access is not available.
NOTE: You must also configure CTS to run under a Windows user account with administrative privileges.