
SonicOS 5.9 Admin Guide

SSL VPN

Configuring SSL VPN

SSL VPN

This chapter provides information on how to configure the SSL VPN features on the SonicWALL security appliance. SonicWALL’s SSL VPN features provide secure remote access to the network using the NetExtender client.

NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on the company’s network. It uses Point-to-Point Protocol (PPP). NetExtender allows remote clients seamless access to resources on your local network. Users can access NetExtender two ways:

Logging in to the Virtual Office web portal provided by the SonicWALL security appliance and clicking on the NetExtender button.
Launching the standalone NetExtender client.

The NetExtender standalone client is installed the first time you launch NetExtender. Thereafter, it can be accessed directly from the Start menu on Windows systems, from the Application folder or dock on MacOS systems, or by the path name or from the shortcut bar on Linux systems.


SSL VPN NetExtender Overview

This section provides an introduction to the SonicOS Enhanced SSL VPN NetExtender feature.


What is SSL VPN NetExtender?

SonicWALL’s SSL VPN NetExtender feature is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.

Benefits

NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPsec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox. On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install and use the NetExtender client.

After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL-VPN point-to-point access to permitted hosts and subnets on the internal network.

NetExtender Concepts

Stand-Alone Client

NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer will first uninstall the old NetExtender and install the new version.

Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.

Client Routes

NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources.

Tunnel All Mode

Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the routes in Routes to Be Added to Remote Client’s Route Table to the remote client’s route table:

 

Routes to Be Added to Remote Client’s Route Table

IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.

Tunnel All mode is configured on the SSL VPN > Client Routes page.
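
The following added example (not SonicWALL code) applies longest-prefix matching to the routes in the table above to show why the two entries with mask 128.0.0.0 take precedence over a client's existing default route, and reports any local route that would still carry traffic outside the tunnel. The interface names eth0 and nx0 and the sample route tables are constructed for illustration; an equal-length tie is resolved in favour of the tunnel route, following this section's statement that NetExtender sets its metrics for that purpose.

```python
import ipaddress

TUNNEL_IF = "nx0"  # hypothetical name for the NetExtender virtual adapter

# Constructed client route table before NetExtender connects:
# (destination, subnet mask, interface)
BEFORE = [
    ("0.0.0.0", "0.0.0.0", "eth0"),       # existing default route
    ("10.0.0.0", "255.255.0.0", "eth0"),  # client's local 10.0.*.* network
]
# The three Tunnel All routes from the table in this section.
TUNNEL_ALL = [
    ("0.0.0.0", "0.0.0.0", TUNNEL_IF),
    ("0.0.0.0", "128.0.0.0", TUNNEL_IF),
    ("128.0.0.0", "128.0.0.0", TUNNEL_IF),
]
# The extra route NetExtender adds for the client's local network.
LOCAL_NET = [("10.0.0.0", "255.255.0.0", TUNNEL_IF)]


def parse(table):
    """Convert (destination, mask, interface) rows to (network, interface)."""
    return [(ipaddress.ip_network(f"{dst}/{mask}"), ifc) for dst, mask, ifc in table]


def egress(table, dst, tunnel_if=TUNNEL_IF):
    """Interface chosen for dst by longest-prefix match.

    Assumption: on an equal-length tie the tunnel route wins, because the
    page states that NetExtender sets its metrics to force that outcome.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, ifc == tunnel_if, ifc)
               for net, ifc in parse(table) if addr in net]
    return max(matches)[2] if matches else None


def tunnel_all_in_effect(table, tunnel_if=TUNNEL_IF):
    """True when both half-space routes (mask 128.0.0.0) point at the tunnel.

    Together they cover all of IPv4 and are more specific than any default
    route (mask 0.0.0.0), so they win without deleting the existing default.
    """
    tunnel = {net for net, ifc in parse(table) if ifc == tunnel_if}
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return halves <= tunnel


def bypass_routes(table, tunnel_if=TUNNEL_IF):
    """Non-tunnel routes whose range is not fully covered by tunnel routes of
    equal or longer prefix, i.e. traffic that still leaves outside the tunnel."""
    routes = parse(table)
    tunnel = [net for net, ifc in routes if ifc == tunnel_if]
    leaks = []
    for net, ifc in routes:
        if ifc == tunnel_if:
            continue
        covering = [t for t in tunnel if t.subnet_of(net)]
        if list(ipaddress.collapse_addresses(covering)) != [net]:
            leaks.append(str(net))
    return leaks


if __name__ == "__main__":
    table = BEFORE + TUNNEL_ALL
    print("tunnel all:", tunnel_all_in_effect(table))
    print("203.0.113.10 ->", egress(table, "203.0.113.10"))
    print("bypass before local-net route:", bypass_routes(table))
    print("bypass after local-net route: ", bypass_routes(table + LOCAL_NET))
```

Run against a route table exported from a connected client, a non-empty result from bypass_routes lists the prefixes to examine when Tunnel All mode is expected to be enforced.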

Connection Scripts

SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.

Proxy Configuration

SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.

NetExtender provides three options for configuring proxy settings:

Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window will prompt you to enter them when you first connect.

When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SonicWALL security appliance directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.

SonicWALL Mobile Connect

SonicWALL Mobile Connect is an app for iPhone, iPad, and iPod Touch that enables secure, mobile connections to private networks protected by SonicWALL security appliances. The SonicWALL Mobile Connect app for iPhone and iPad provides secure, mobile access to sensitive network resources using the iPhone and iPad. SonicWALL Mobile Connect establishes a Secure Socket Layer Virtual Private Network (SSL VPN) connection to private networks that are protected by SonicWALL security appliances. All traffic to and from the private network is securely transmitted over the SSL VPN tunnel.

The process for using SonicWALL Mobile Connect is as follows:

1. Install SonicWALL Mobile Connect from the App Store.
2. Enter connection information (server name, username, password, etc.).
3. Initiate a connection to the network.
4. SonicWALL Mobile Connect establishes an SSL VPN tunnel to the SonicWALL security appliance.
5. You can now access resources on the private network. All traffic to and from the private network is securely transmitted over the SSL VPN tunnel.

From your perspective, SonicWALL Mobile Connect functions virtually the same as NetExtender. The configuration that is required:

Configure Users for NetExtender – For a user to be able to connect with SonicWALL Mobile Connect, their user account must be assigned to the SSLVPN Services group. See Configuring Users for SSL VPN Access for details.

Configuring Users for SSL VPN Access

NOTE: Complete instructions for installing NetExtender on a SonicWALL appliance can be found in How to setup SSL-VPN feature (NetExtender Access) on SonicOS 5.9 & above in the Knowledge Base.

For users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group. Users who attempt to log in through the Virtual Office and do not belong to the SSLVPN Services group are denied access.

The maximum number of SSL VPN concurrent users for each SonicWALL network security appliance model supported in Release 5.9 is shown in Maximum Number of SSL VPN Concurrent Users Based on Model:

 

Maximum Number of SSL VPN Concurrent Users Based on Model

SonicWALL Hardware Model    Maximum Concurrent SSL VPN Users
NSA E8510                   1500
NSA E8500                   1500
NSA E7500                   1000
NSA E6500                   750
NSA E5500                   500
NSA 5000                    350
NSA 4500                    350
NSA 3500                    250
NSA 2400 / 2400MX           125
NSA 250M / 250MW            50
NSA 240                     50
NSA 220 / 220W              50
TZ 215 / 215W               25
TZ 210 / 210W               25
TZ 205 / 205W               15
TZ 200 / 200W               10
TZ 105 / 105W               10
TZ 100 / 100W               5
SOHO                        15

These sections describe how to configure user accounts for SSL VPN access:

Configuring SSL VPN Access for Local Users

To configure users in the local user database for SSL VPN access, you must add the users to the SSLVPN Services user group.

To configure users in the local user database for SSL VPN access:
1. Navigate to the Users > Local Users page.
2. Click either the Configure icon for the user you want to edit or the Add User button to create a new user.

   The Edit User dialog is launched.

3. Click on the Groups tab.
4. In the User Groups column, click on SSLVPN Services.
5. Click the right arrow to move SSLVPN Services to the Member Of column.
6. Click on the VPN Access tab. The VPN Access tab configures which network resources VPN users (either GVC, NetExtender, or Virtual Office bookmarks) can access.
7. Select one or more network address objects or groups from the Networks list.
8. Click the Right Arrow button (->) to move the address(es) to the Access List column.

   To remove the user’s access to a network address object or group, select the network from the Access List, and click the left arrow button (<-).

   NOTE: The VPN access tab affects the ability of remote clients using GVC, NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the “allow” list on the VPN Access tab.
9. Click OK.

NOTE: The One-Time Password feature is a two-factor authentication scheme utilizing system-generated, random passwords in addition to standard user name and password credentials, for users attempting to log in through SSL VPN connections.

Configuring SSL VPN Access for RADIUS Users

To configure RADIUS users for SSL VPN access, you must add the users to the SSLVPN Services user group.

To configure RADIUS users for SSL VPN access:
1. Navigate to the Users > Settings page.
2. In the Authentication Method for login drop-down menu, select RADIUS or RADIUS + Local Users.
3. Click the Configure button for Authentication Method for login. The RADIUS Configuration dialog displays.
4. Click the RADIUS Users tab.
5. In the Default user group to which all RADIUS users belong drop-down menu, select SSLVPN Services.

   TIP: The VPN Access tab in the Edit User dialog is another granular control on access for both Virtual Office Bookmarks and for NetExtender access.
6. Click OK.

Configuring SSL VPN Access for LDAP Users

To configure LDAP users for SSL VPN access, you must add the LDAP user groups to the SSLVPN Services user group.

To configure LDAP users for SSL VPN access:
1. Navigate to the Users > Settings page.
2. Set the Authentication method for login to either LDAP or LDAP + Local Users.
3. Click the Configure button to launch the LDAP Configuration dialog.
4. Click on the LDAP Users tab.
5. In the Default LDAP User Group drop-down menu, select SSLVPN Services.

   TIP: The VPN Access tab in the Edit User dialog is another granular control on access for both Virtual Office Bookmarks and for NetExtender access.
6. Click OK.

 

Displaying SSL VPN Session Data

SSL VPN > Status

The SSL VPN > Status page displays a summary of active NetExtender sessions, including the name, the PPP IP address, the physical IP address, login time, length of time logged in and logout time.

SSL VPN Status Items describes the status items.

 

SSL VPN Status Items

Status Item          Description
User Name            The user name.
Client Virtual IP    The IP address assigned to the user from the client IP address
Client WAN IP        The physical IP address of the user.
Login Time           The amount of time since the user first established connection with the SonicWALL SSL VPN appliance expressed as number of days and time (HH:MM:SS).
Inactivity Time      Duration of time that the user has been inactive.
Logged In            The time when the user initially logged in.
Statistics Icon      Mousing over the statistics icon provides a summary of traffic statistics for the user.
Logout               Provides the ability to logout a NetExtender session.

 

Configuring SSL VPN Server Behavior

SSL VPN > Server Settings

The SSL VPN > Server Settings page configures details of the SonicWALL security appliance’s behavior as an SSL VPN server.

You configure the Virtual Office portal through settings as follows:

SSL VPN Status on Zones

This section displays the SSL VPN Access status on each zone:

Green indicates active SSL VPN status.
Red indicates inactive SSL VPN status.

To enable or disable SSL VPN access, click the zone name.

SSL VPN Server Settings

The following settings configure the SSL VPN server:

SSL VPN Port - Enter the SSL VPN port number in the field. The default is 4433.
Certificate Selection – From this drop-down menu, select the certificate to use to authenticate SSL VPN users. The default method is Use Selfsigned Certificate.
   NOTE: To manage certificates, go to the Network > Certificates page.
User Domain – Enter the user’s domain, which must match the domain field in the NetExtender client. The default is LocalDomain.
Enable Web Management over SSL VPN – To enable web management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.
Enable SSH Management over SSL VPN – To enable SSH management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.
Inactivity Timeout (minutes) – Enter the number of minutes of inactivity before logging out the user. The default is 10 minutes.
OTP Sending State Check Retry Times (sec) – Enter the number of seconds for OTP sending state check retries. The default is 10 seconds.

RADIUS User Settings

This section is available only when either RADIUS or LDAP is configured to authenticate SSL VPN users.

Use RADIUS in – Select this checkbox to have RADIUS use MSCHAP (or MSCHAPv2) mode. Enabling MSCHAP-mode RADIUS will allow users to change expired passwords at login time. Choose between these two modes:
MSCHAP
MSCHAPV2 mode (allows users to change expired passwords)

NOTE: In LDAP, password updates can only be done when using either Active Directory with TLS and binding to it using an administrative account or Novell eDirectory.

If this option is set when LDAP is selected as the authentication method of login on the Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for SSL VPN users are performed using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

SSL VPN Client Download URL

This section allows you to download client SSL VPN files to your HTTP server.

Click here to download the SSL VPN zip file which includes all SSL VPN client files – To download from the appliance, click the Click here link to display an Opening application.zip dialog:

Open and unzip the file, and then put the folder on your HTTP server.

Use customer’s HTTP server as downloading URL: (http://) – Select this checkbox to enter your SSL VPN client download URL in the supplied field.

For NetExtender and WXAC downloads to be successful when this option is enabled, you must configure the following directories on the Local HTTP server:

For NetExtender:

\\wwwroot\applications\netextender\windows\7.0.197\NXSetupU.exe

For WXAC:

\\wwwroot\applications\wxaclient\100\wxac_install_files

 

Configuring SSL VPN Client Settings

SSL VPN > Client Settings

The SSL VPN > Client Settings page allows you to edit the Default Device Profile to enable SSL VPN access on zones, configure client routes, and configure the client DNS and NetExtender settings. The SSL VPN > Client Settings page displays the configured IPv4 and IPv6 network addresses and zones that have SSL VPN access enabled.

You can also edit the SonicPoint Layer 3 Management Default Device Profile on this page.


Creating an Address Object for the NetExtender Range

You can create address objects for both an IPv4 address range and an IPv6 address range to be used in the SSL VPN > Client Settings configuration.

The address range configured in the address object defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support plus one (for example, the range for 15 users requires 16 addresses, such as 192.168.168.100 to 192.168.168.115).

NOTE: Where there are other hosts on the same segment as the SSL VPN appliance, the address range must not overlap or collide with any assigned addresses.

To create an address object for the NetExtender IP address range:
1. Navigate to the Network > Address Objects page.
2. Scroll to the Address Objects section.
3. Click the Add button. The Add Address Object dialog displays.
4. For Name, type in a descriptive name for the address object.
5. For Zone Assignment, select SSLVPN from the drop-down list.
6. For Type, select Range. The dialog changes.
7. In the Starting IP Address field, type in the lowest IP address in the range you want to use.

   NOTE: The IP address range must be on the same subnet as the interface used for SSL VPN services.
8. In the Ending IP Address field, type in the highest IP address in the range you want to use.
9. Click Add. When the address object has been added, a message displays.
10. Optionally, repeat Step 4 through Step 9 to create an address object for an IPv6 address range.
11. Click Close.
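
One way to check a planned NetExtender range against the three constraints in this section (one address more than the number of concurrent users, same subnet as the SSL VPN interface, no collision with assigned addresses); this is an added example, not SonicWALL code. The function name check_pool, the interface address 192.168.168.168/24 and the assigned host used in the sample run are assumptions made up for illustration.

```python
import ipaddress


def check_pool(start, end, max_users, interface, assigned=()):
    """Validate a NetExtender address range against the rules in this section.

    interface is the SSL VPN interface in CIDR form, e.g. "192.168.168.168/24".
    assigned lists addresses already in use on that segment; the interface's
    own address is always treated as assigned.
    Returns a list of problem strings; an empty list means the range passes.
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    iface = ipaddress.ip_interface(interface)
    if not (first.version == last.version == iface.version):
        return ["mixed: start, end and interface must all be IPv4 or all IPv6"]
    if first > last:
        return ["order: starting address is higher than ending address"]

    problems = []

    # Rule 1: the range must hold the maximum concurrent users plus one.
    size = int(last) - int(first) + 1
    needed = max_users + 1
    if size < needed:
        problems.append(
            f"too-small: {size} addresses, {needed} needed for {max_users} users")

    # Rule 2: the range must sit on the same subnet as the SSL VPN interface.
    if first not in iface.network or last not in iface.network:
        problems.append(f"off-subnet: range is not inside {iface.network}")

    # Rule 3: the range must not collide with addresses already assigned.
    in_use = {ipaddress.ip_address(a) for a in assigned} | {iface.ip}
    for addr in sorted(a for a in in_use
                       if a.version == first.version and first <= a <= last):
        problems.append(f"collision: {addr} is already assigned")
    return problems


if __name__ == "__main__":
    # The page's own sizing example: 15 users, 192.168.168.100 to .115.
    print(check_pool("192.168.168.100", "192.168.168.115", 15,
                     "192.168.168.168/24"))
    # Constructed failure: one address short and a host already at .110.
    print(check_pool("192.168.168.100", "192.168.168.114", 15,
                     "192.168.168.168/24", assigned=["192.168.168.110"]))
```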

Configuring the Default Device Profile

To configure general settings, client routes, and client settings for DNS or NetExtender, refer to the following:

Configuring Device Profile Settings

To configure the basic device profile settings:
1. On the SSL VPN > Client Settings page, click the Configure icon for Default Device Profile. The Edit Device Profile dialog displays.

   The Name and Description fields for the Default Device Profile cannot be modified, so they are dimmed.

2. Select the IPv4 Zone binding for this profile from the Zone IPv4 drop-down menu. For NetExtender, select SSLVPN.
3. Select the IP Pool and Zone binding for this profile from the Network Address IPv4 drop-down menu.

   NOTE: The NetExtender client gets an IP address from this address object if it matches this profile. Select the Address Object created for the SSLVPN range.
4. Optionally, select a Zone and Network Address from the Network Address IP V6 drop-down menu.

   NOTE: The NetExtender client gets an IP address from this address object if it matches this profile. Select the Address Object created for the SSLVPN range.
5. Do one of the following:
   - Click the Client Routes tab to proceed with the client settings configuration. See Configuring Client Routes.
   - To save the settings and close the dialog, click OK.

Configuring Client Routes

You control the network access allowed for SSL VPN users through settings on the Client Routes tab. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access via the SSL VPN connection.

To configure the Client Route settings:
1. Click the Client Routes tab of the Edit Device Profile dialog.
2. From the Tunnel All Mode drop-down menu, select Disabled or Enabled.

   NOTE: To pass the traffic from SSL VPN to WAN, an SSL VPN > WAN access rule is added automatically.
3. In the Networks list, select all networks and subnets to be used for client routes:
   - A single entry at a time, and then clicking the Right Arrow button for each entry.
   - Multiple entries by clicking an entry, pressing the Ctrl key, scrolling to another entry until all are selected, and then clicking the Right Arrow button.
   - A group of entries by clicking the first entry, pressing the Shift key, and clicking the last entry in the group and then clicking the Right Arrow button.
4. When all the desired networks and subnets are moved to the Client Routes list, do one of these:
   - Click the Client Routes tab to proceed with the client settings configuration. See Configuring Client Settings.
   - To save the settings and close the dialog, click OK.

Configuring Client Settings

NetExtender client settings are configured in the Edit Device Profile dialog.

To configure Client Settings:
1. Click the Client Settings tab on the Edit Device Profile dialog.
2. In the DNS Server 1 field, either:
   - Enter the IP address of the primary DNS server.
   - Click the Default DNS Settings button to use the default settings for both DNS Server 1 and DNS Server 2 fields.

   NOTE: Both IPv4 and IPv6 are supported.
3. (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.
4. (Optional) In the DNS Search List (in order) field:
   a. Enter the DNS address.
   b. Click the Add button. The DNS address is added to the list.
   c. Repeat Step a and Step b for each DNS to be added to the search list.
5. (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.

   NOTE: Only IPv4 is supported for WINS Server 1 and WINS Server 2.
6. (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.
7. In the NetExtender Client Settings section, select Enabled or Disabled (default) for the options you want:
   - Enable Client Autoupdate - The NetExtender client checks for updates every time it is launched.
   - Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users have to either return to the SSL VPN portal or launch NetExtender from their Programs menu.
   - Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users have to return to the SSL VPN portal.
   - Create Client Connection Profile - The NetExtender client creates a connection profile recording the SSL VPN Server name, the Domain name, and, optionally, the username and password.
8. From the User Name & Password Caching drop-down menu, select:
   - Allow saving of user name only (default)
   - Allow saving of user name & password
   - Prohibit saving of user name & password

   This option provides flexibility in allowing users to cache their user names and passwords in the NetExtender client and enables you to balance security needs against ease of use for users.

9. When finished on all tabs, click OK.

Configuring L3 SSL VPN for SonicPoint Layer 3 Management

Layer 3 management of SonicPoints requires SSL VPN. This section describes how to configure the Layer 3 settings in a SonicPoint device profile.

To configure the SonicPoint L3 Settings for the Default Device Profile:
1. Navigate to the SSL VPN > Client Settings page.
2. In the SonicPoint L3 Management Default Device Profile section, click the Configure icon. The Edit Device Profile dialog displays.

   The Name and Description fields for the Default Device Profile cannot be modified, so they are dimmed.

3. Configure the Settings and Client Routes options as described in Configuring Device Profile Settings and Configuring Client Routes respectively.
4. Click the SP L3 Settings tab.
5. From the WLAN Tunnel Interface drop-down menu, select the corresponding WLAN Tunnel interface for SonicPoint SSL VPN management.
6. Click OK.

 

Configuring the Virtual Office Web Portal

SSL VPN > Portal Settings

The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that users log in to in order to launch NetExtender. You can customize the Virtual Office web portal to match any existing company website or design style.


Configuring Portal Settings


Configuring the Virtual Office Login Portal

These options customize what the user sees when attempting to log in:

Portal Site Title - Enter the text displayed in the top title of the web browser in this field. The default is SonicWALL - Virtual Office.
Portal Banner Title - Enter the text displayed next to the logo at the top of the page in this field. The default is Virtual Office.
Home Page Message - Enter the HTML code that is displayed above the NetExtender icon.
   - To see how the message displays, click the Preview button to launch a pop-up window that displays the HTML code.
   - To revert to the default message, click the Example Template button to launch a pop-up dialog that displays the HTML code.
Login Message - Enter the HTML code that is displayed when users are prompted to log in to the Virtual Office.
   - To see how the message displays, click the Preview button to launch a pop-up dialog that displays the HTML code.
   - To revert to the default message, click the Example Template button.

Customizing Virtual Office Portal Functionality

The following options customize the functionality of the Virtual Office portal:

Launch NetExtender after login - Select to launch NetExtender automatically after a user logs in. This option is not selected by default.
Display Import Certificate Button - Select to display an Import Certificate button on the Virtual Office page. This initiates the process of importing the firewall’s self-signed certificate onto the web browser. This option is not selected by default.
   NOTE: This option only applies to the Internet Explorer browser on PCs running Windows when Use Selfsigned Certificate is selected from the Certificate Selection drop-down menu on the SSL VPN > Server Settings page.
Enable HTTP meta tags for cache control (recommended) - Select to insert into the browser HTTP tags that instruct the web browser not to cache the Virtual Office page. This option is not selected by default.
   NOTE: SonicWALL recommends enabling this option.
Display UTM management link on SSL VPN portal (not recommended) – Select to display the SonicWALL appliance’s management link on the SSL VPN portal. This option is not selected by default.
   IMPORTANT: SonicWALL does not recommend enabling this option.

Customizing the Virtual Office Portal Logo

This section allows you to customize the logo displayed at the top of the Virtual Office portal:

Default Portal Logo – Displays the default portal logo:

Use Default SonicWALL Logo – Select to use the SonicWALL logo supplied with the appliance. This option is not selected by default.
Customized Logo (Input URL of the Logo) – Enter in this field the URL of the logo, in GIF format, you want to display.
   TIP: The logo must be in GIF format of size 155 x 36; a transparent or light background is recommended.

 

Configuring Virtual Office

SSL VPN > Virtual Office

The SSL VPN > Virtual Office page displays the Virtual Office web portal inside of the SonicOS UI.


Accessing the SonicWall SSL VPN Portal

To view the SonicWall SSL VPN Virtual Office web portal, navigate to the IP address of the SonicWall security appliance. Click the link at the bottom of the Login page that says Click here for sslvpn login.

Using NetExtender


User Prerequisites

To use NetExtender, clients must meet the prerequisites described in the most recent version of the SonicWall SRA User Guide, available on http://www.sonicwall.com/us/en/support/3893.html.

User Configuration Tasks

SonicWall NetExtender is a software application that enables remote users to securely connect to the remote network. With NetExtender, remote users can virtually join the remote network. Users can mount network drives, upload and download files, and access resources in the same way as if they were on the local network.

 


Installing NetExtender Using the Mozilla Firefox Browser
To use NetExtender for the first time using the Mozilla Firefox browser:
1. Navigate to the IP address of the SonicWall security appliance.
2. Click the link at the bottom of the Login page that says Click here for sslvpn login.
3. Click the NetExtender button.
4. The first time you launch NetExtender, it installs the NetExtender stand-alone application automatically on your computer.
5. If a warning message is displayed in a yellow banner at the top of your Firefox browser, click the Edit Options... button.
6. The Allowed Sites - Software Installation dialog is displayed, with the address of the Virtual Office server in the Address of web site field.
7. Click Allow to allow Virtual Office to install NetExtender.
8. Click Close.
9. Return to the Virtual Office window.
10. Click NetExtender again.
11. The Software Installation dialog displays. After a five second countdown, the Install Now button becomes active. Click it.

    NetExtender is installed as a Firefox extension.

    When NetExtender completes installing, the NetExtender Status dialog displays, indicating that NetExtender connected successfully. The Status tab indicates the operating state of the NetExtender client.

    NOTE: Closing the dialog (clicking on the x icon in the upper right corner of the dialog) does not close the NetExtender session, but does minimize the dialog to the system tray for continued operation.
12. Review the following table to understand the Status tab in the NetExtender Status dialog.
 

NetExtender Status Dialog: Status Tab

Entry            Description
Server           Indicates the name of the server to which the NetExtender client is connected.
Client IP        Indicates the IP address assigned to the NetExtender client.
Sent             Indicates the amount of traffic the NetExtender client has transmitted since initial connection.
Received         Indicates the amount of traffic the NetExtender client has received since initial connection.
Duration         The amount of time the NetExtender has been connected, expressed as days, hours, minutes, and seconds.
Status button    Toggles the operating state of the NetExtender client: Connect or Disconnect.

When NetExtender successfully installs, the NetExtender icon displays in the task bar. Mousing over the icon displays a tool tip containing the same information (except for Duration) as the NetExtender dialog.

Installing NetExtender Using the Internet Explorer Browser

SonicWall SSL VPN NetExtender is fully compatible with Microsoft Windows Vista 32-bit and 64-bit, and supports the same functionality as with other Windows operating systems.

NOTE: It may be necessary to restart your computer when installing NetExtender on Windows Vista.

Internet Explorer Prerequisites

It is recommended that you add the URL or domain name of your SonicWall security appliance to Internet Explorer’s trusted sites list. This will simplify the process of installing NetExtender and logging in, by reducing the number of security warnings you will receive.

To add a site to Internet Explorer’s trusted sites list:
1
In Internet Explorer, go to Tools > Internet Options. The Internet Options dialog displays.

2
Click on the Security tab.
3
Click on the Trusted Sites icon.
4
Click on the Sites... button to open the Trusted sites dialog.

5
Enter the URL or domain name of your SonicWall security appliance in the Add this Web site to the zone field.
6
Click Add.
7
Click OK. The Internet Options dialog displays again.
8
Click OK.
Installing NetExtender from Internet Explorer
To install and launch NetExtender for the first time using the Internet Explorer browser:
1
Navigate to the IP address of the SonicWall security appliance.
2
Click the link at the bottom of the Login page that says Click here for sslvpn login.
3
Click the NetExtender button.

4
The first time you launch NetExtender, you must add the SSL VPN portal to your list of trusted sites. If you have not done so, this message displays:

5
Click Instructions to add SSL VPN server address into trusted sites for help. The instructions display.

6
In Internet Explorer, go to Tools > Internet Options. The Internet Options dialog displays.

7
Click on the Security tab.
8
Click on the Trusted Sites icon.
9
Click on the Sites... button to open the Trusted sites dialog.

10
Enter the URL or domain name of your SonicWall security appliance in the Add this Web site to the zone field.
11
Click Add.
12
Click OK. The Internet Options dialog displays again.
13
Click OK.
14
Return to the SSL VPN portal.
15
Click the NetExtender button. The portal installs the NetExtender stand-alone application automatically on your computer. The NetExtender installer dialog opens.

NOTE: If an older version of NetExtender is installed on the computer, the NetExtender launcher removes the old version and then installs the new version.
16
If a warning message that NetExtender has not passed Windows Logo testing is displayed, click Continue Anyway. SonicWall testing has verified that NetExtender is fully compatible with Windows Vista, XP, and higher.

When NetExtender completes installing, the NetExtender Status dialog displays, indicating that NetExtender connected successfully. For a description of the fields displayed, see NetExtender Status Dialog: Status Tab.

Installing NetExtender WAN Acceleration Client

The NetExtender WAN Acceleration Client (WXAC) is an addition to the NetExtender Client that accelerates traffic through the VPN connection.

To install the NetExtender WXAC:
1
Uninstall (if applicable) the existing NetExtender WXAC from your system.
2
Launch the NetExtender Client. The NetExtender Setup dialog displays.

3
Enter the following in the text-fields:
Server—the WAN IP address of the managing NSA/TZ appliance that is on the site where the WXA appliance and server are located. Enter a colon (:) after the WAN IP address, and then enter the server port number.
Username—the username created by the Administrator.
Password—the password created by the Administrator.
Domain—the domain name displayed in the SSL VPN > Server Settings page of the managing NSA/TZ appliance’s management interface.
4
Click the Connect button. The NetExtender Status dialog displays.
5
Click on the WXAC tab.

6
Click the Install WAN Acceleration Client link.
NOTE: The WXAC tab displays if the system is licensed for WXAC and a WXA appliance is attached/operational. If the WXAC tab is not displayed, refer to the WXA 1.2 User’s Guide for detailed information on how to configure the NetExtender WXAC.
7
After the NetExtender WXAC is installed, you need to disconnect and then reconnect to the NetExtender Client. Doing this reconnects you to the server, which is required for WAN Acceleration to become active.
Launching NetExtender Directly from Your Computer

After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the SSL VPN portal.

To launch NetExtender:
1
Navigate to Start > All Programs.
2
Select the SonicWall SSL VPN NetExtender folder.
3
Click on SonicWall SSL VPN NetExtender. The NetExtender login dialog displays.
4
The IP address of the last server you connected to is displayed in the SSL VPN Server field. To display a list of recent servers you have connected to, select it from the Server drop-down menu.

5
Enter your username and password.
6
The last domain you connected to is displayed in the Domain field.
7
The drop-down menu at the bottom of the dialog provides three options for remembering your username and password:
Save user name & password if server allows
Save user name only if server allows
Always ask for user name & password
TIP: Having NetExtender save your user name and password can be a security risk and should not be enabled if there is a chance that other people could use your computer to access sensitive information on the network.
Configuring NetExtender Preferences
To configure NetExtender preferences:
1
Right click on the NetExtender icon in the system tray.
2
Click on Preferences... The NetExtender Preferences dialog displays.

The Connection Profiles pane displays the SSL VPN connection profiles you have used, including the IP address of the server, the domain, and the username.

3
To delete a profile:
a
Click the profile.
b
Click the Remove button.

Click the Remove All button to delete all connection profiles.

4
To customize the behavior of NetExtender, click the Settings entry. The Settings pane displays.

5
To have NetExtender automatically connect when you start your computer:
a
Select the Automatically connect with Connection Profile checkbox.
b
Select the appropriate connection profile from the drop-down menu.
NOTE: Only connection profiles that allow you to save your username and password can be set to automatically connect.
6
To have NetExtender launch when you log in to your computer, check the Automatically start NetExtender UI checkbox. When NetExtender starts, it displays only in the system tray.
To have the NetExtender log-in window display, check the Display NetExtender UI checkbox.
7
To have the NetExtender icon display in the system tray, select Minimize to the tray icon when NetExtender window is closed. If this option is not checked, you can access the NetExtender UI only through the Windows Program menu.
8
To have NetExtender display tips when you mouse over the NetExtender icon, select Display Connect/Disconnect Tips from the System Tray.
9
To have NetExtender attempt to reconnect when it loses connection, select Automatically reconnect when the connection is terminated.
10
To have precise data displayed in the connection status, select Display precise number in connection status.
11
To have NetExtender uninstall every time you end a session, select Uninstall NetExtender automatically.
12
To have NetExtender log out of all of your SSL VPN sessions when you exit a NetExtender session, select Disconnect an active connection.
13
Click Apply.
Configuring NetExtender Connection Scripts

SonicWall SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or websites.

To configure NetExtender Connection Scripts:
1
Right click on the NetExtender icon in the task bar.
2
Click on Preferences... The NetExtender Preferences dialog displays.
3
Click on Connection Scripts. The Connection Scripts pane displays.

4
To enable the domain login script, select the Attempt to execute domain login script checkbox. When enabled, NetExtender attempts to contact the domain controller and execute the login script.
NOTE: Enabling this feature may cause connection delays while the remote client’s printers and drives are mapped. Ensure the domain controller and any machines in the logon script are accessible via NetExtender routes.
5
To enable the script that runs when NetExtender connects, select the Automatically execute the batch file “NxConnect.bat” check box.
6
To edit the NxConnect.bat file, click the Edit “NxConnect.bat” button. See Configuring Batch File Commands.
7
To enable the script that runs when NetExtender disconnects, select the Automatically execute the batch file “NxDisconnect.bat” check box.
8
To hide either of the console windows, select the appropriate Hide the console window check box. If this checkbox is not selected, the DOS console window remains open while the script runs.
9
Click Apply.
Configuring Batch File Commands

NetExtender Connection Scripts support any valid batch file commands. For more information on batch files, see the following Wikipedia entry: http://en.wikipedia.org/wiki/.bat. The NxDisconnect.bat File Examples table provides an introduction to some commonly used batch file commands.

To configure the script that runs when NetExtender:

Connects
Disconnects

Click the Edit “NxDisconnect.bat” button. The NxDisconnect.bat file displays. When you have finished editing the scripts, save the file and close it.

TIP: By default, the NxConnect.bat file contains examples of commands that can be configured, but no actual commands. To add commands, scroll to the bottom of the file.
 

NxDisconnect.bat File Examples

| To perform this task | Enter this command in the specified format |
| --- | --- |
| Map a network drive | net use drive-letter: \\server\share password /user:Domain\name |
| | For example, if the drive letter is z, the server name is engineering, the share is docs, the password is 1234, the user’s domain is eng and the username is admin, enter: |
| | net use z: \\engineering\docs 1234 /user:eng\admin |
| Disconnect a network drive | net use drive-letter: /delete |
| | For example, to disconnect network drive z, enter: |
| | net use z: /delete |
| Map a network printer | net use LPT1 \\ServerName\PrinterName /user:Domain\name |
| | For example, if the server name is engineering, the printer name is color-print1, the domain name is eng, and the username is admin, enter: |
| | net use LPT1 \\engineering\color-print1 /user:eng\admin |
| Disconnect a network printer | net use LPT1 /delete |
| Launch an application | C:\Path-to-Application\Application.exe |
| | For example, to launch Microsoft Outlook, enter: |
| | "C:\Program Files\Microsoft Office\OFFICE11\outlook.exe" |
| Open a website in your default browser | start http://www.website.com |
| Open a file on your computer | C:\Path-to-file\myFile.doc |
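
An added example, not part of the SonicWall guide: the drive-mapping format in the table above places the share password in the batch file in clear text, so this Python check scans connection-script text for net use lines that carry a password and proposes the same command with * in its place, which makes net use prompt for it. The sample script is constructed for illustration, and audit_script is a hypothetical helper name.

```python
import re

# A token is a run of non-space characters and/or "double-quoted strings".
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# Local device names net use accepts: a drive letter, an LPT port, or *.
DEVICE = re.compile(r'^(?:[A-Za-z]:|LPT\d+:?|\*)$', re.IGNORECASE)

# Constructed sample in the style of NxConnect.bat (not a real script).
SAMPLE_SCRIPT = r"""
@echo off
rem net use z: \\engineering\docs 1234 /user:eng\admin
net use z: \\engineering\docs 1234 /user:eng\admin
net use LPT1 \\engineering\color-print1 /user:eng\admin
NET USE y: \\engineering\builds * /user:eng\admin
net use x: "\\engineering\team share" "pass word" /user:eng\admin
net use z: /delete
start http://www.website.com
"""


def audit_script(text):
    """Return one finding per net use line that embeds a password.

    The password itself is never copied into the finding; the suggested
    line replaces it with * so the report does not leak the secret.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lstrip("@")
        # Skip blank lines and batch comments (rem ... and :: ...).
        if not line or line.startswith("::") or re.match(r"rem(\s|$)", line, re.IGNORECASE):
            continue
        tokens = TOKEN.findall(line)
        if (len(tokens) < 3 or tokens[0].lower() not in ("net", "net.exe")
                or tokens[1].lower() != "use"):
            continue
        # Positional arguments are everything that is not a /switch.
        pos = [i for i in range(2, len(tokens)) if not tokens[i].startswith("/")]
        if pos and DEVICE.match(tokens[pos[0]]):
            pos = pos[1:]  # drop the drive letter or printer port
        # What remains must start with the \\server\share path; otherwise
        # the line is a /delete or a listing and has no password slot.
        if not pos or not tokens[pos[0]].strip('"').startswith("\\\\"):
            continue
        # The positional argument after the share is the password slot.
        if len(pos) < 2 or tokens[pos[1]] == "*":
            continue
        user = next((t[6:] for t in tokens if t.lower().startswith("/user:")), None)
        suggested = " ".join("*" if i == pos[1] else t for i, t in enumerate(tokens))
        findings.append({
            "line": lineno,
            "share": tokens[pos[0]].strip('"'),
            "user": user,
            "suggested": suggested,
        })
    return findings


if __name__ == "__main__":
    for f in audit_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: password in script for {f['share']} "
              f"(user {f['user']}); use: {f['suggested']}")
```

With the * form, net use asks for the password in the console window, so leave Hide the console window unchecked for that script.
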
Configuring Proxy Settings

SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings.

To manually configure NetExtender proxy settings:
1
Right click the NetExtender icon in the task bar.
2
Click on Preferences... The NetExtender Preferences dialog displays.
3
Click on Proxy. The Proxy pane displays.

4
Check the Enable proxy settings box.
5
NetExtender provides three options for configuring proxy settings:
Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
Use automatic configuration script - If you know the location of the proxy settings script, select this option.
Enter the URL of the script in the Address field.
Use proxy server - Select this option to enter settings manually:
Enter the address of the proxy server in the Address field.
Enter the port of the proxy server in the Port field. The default port is 1080.
Optionally, to allow direct connections to those addresses that bypass the proxy server, you can enter an IP address or domain in the BypassProxy field.
If entering a user name and password is required for the proxy server, enter them in the User name and Password fields. If you do not specify them in the Preferences dialog, a NetExtender dialog prompts you to enter them when you first connect.

6
Click the Internet Explorer proxy settings button to open Internet Explorer’s proxy settings.
7
Configure the Internet Explorer proxy settings.
8
Click OK.
Viewing the NetExtender Log

The NetExtender log displays information on NetExtender session events. The log is a file named NetExtender.dbg and is stored in the directory: C:\Program Files\SonicWall\SSL VPN\NetExtender.

To view the NetExtender log:
1
Right click on the NetExtender icon in the system tray.
2
Click Log Viewer.

To view details of a log message:
1
Either:
Double-click on a log entry.
Go to View > Log Detail to open the Log Detail pane.
To save the log:
1
Either:
Click the Export icon.
Go to Log > Export.
To filter the log:
1
To display entries from a specific duration of time, go to the Filter menu and select the cutoff threshold.
2
To filter by type of entry, go to Filter > Level and select one of the level categories. The available options, in descending order of severity, are:
Fatal
Error
Warning
Info

The log displays all entries that match or exceed the severity level. For example, when selecting the Error level, the log displays all Error and Fatal entries, but not Warning or Info entries.

To view the Debug Log:
1
Either:
Click the Debug Log icon.
Go to Log > Debug Log.
NOTE: It may take several minutes for the Debug Log to load. During this time, the Log dialog is not accessible, although you can open a new Log window while the Debug Log is loading.

To clear the log:
1
Click on Log > Clear Log.
Disconnecting NetExtender
To disconnect NetExtender:
1
Right click on the NetExtender icon in the system tray to display the NetExtender icon menu.
2
Click Disconnect. Wait several seconds. The NetExtender session disconnects.

You can also disconnect by:

1
Double clicking on the NetExtender icon to open the NetExtender dialog.
2
Clicking the Disconnect button.

When NetExtender becomes disconnected, the NetExtender dialog displays to give you the option to either Reconnect or Close NetExtender.

Upgrading NetExtender

You can configure NetExtender to automatically notify users when an updated version of NetExtender is available. Users are prompted to click OK. NetExtender downloads and installs the update from the SonicWall security appliance.

If auto-update notification is not configured, users should periodically launch NetExtender from the Virtual Office to ensure they have the latest version. Check with your administrator to determine if you need to manually check for updates.

Uninstalling NetExtender

The NetExtender utility is automatically installed on your computer.

To remove NetExtender:
1
Click on Start > All Programs.
2
Click on SonicWall SSL VPN NetExtender.
3
Click on Uninstall.

You can also configure NetExtender to automatically uninstall when your session is disconnected.

To uninstall NetExtender automatically upon session disconnection:

1
Right click on the NetExtender icon in the system tray.
2
Click on Preferences... The NetExtender Preferences dialog displays.
3
Click the Settings tab.
4
Select Uninstall NetExtender automatically to have NetExtender uninstall every time you end a session.
5
Click OK.
Verifying NetExtender Operation from the System Tray

To view options in the NetExtender system tray, right click on the NetExtender icon in the system tray. The following are some tasks you can perform with the system tray.

Displaying Route Information

To display the routes that NetExtender has installed on your system, click the Route Information option in the system tray menu. The system tray menu displays the default route and the associated subnet mask.

Displaying Connection Information

You can display connection information by mousing over the NetExtender icon in the system tray.

Installing NetExtender on MacOS
To install NetExtender on your MacOS system:
1
Navigate to the IP address of the SonicWall security appliance.
2
Click the link at the bottom of the Login page that says Click here for sslvpn login.
3
Click the NetExtender button.
4
The Virtual Office displays the status of NetExtender installation. If a dialog appears, prompting you to accept a certificate, click Trust.

5
A second dialog may appear, prompting you to accept a certificate. Click Trust.

6
When NetExtender is successfully installed and connected, the NetExtender Status dialog displays.

Using NetExtender on MacOS
1
To launch NetExtender, go to the Applications folder in the Finder.
2
Double click on NetExtender.app. The SonicWall NetExtender dialog displays.

3
The first time you connect, you must enter the server name or IP address in the SSL VPN Server field.
4
Enter your username and password.
5
The first time you connect, you must enter the domain name.
6
Click Connect.
7
You can instruct NetExtender to remember your profile server name in the future. In the Save profile drop-down menu you can select:
Save name and password (if allowed)
Save username only (if allowed)
Do not save profile.
TIP: Having NetExtender save your user name and password can be a security risk and should not be enabled if there is a chance that other people could use your computer to access sensitive information on the network.
8
When NetExtender is connected, the NetExtender icon displays in the status bar at the top right of your display. Click on the NetExtender icon to display NetExtender options.

9
To display a summary of your NetExtender session, click Connection Status.
10
To view the routes that NetExtender has installed, go to the NetExtender menu.
11
Select Routes.

12
To view the NetExtender Log, go to Window > Log.

13
To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.

14
Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.
Installing and Using NetExtender on Linux
To install NetExtender on your Linux system:
1
Navigate to the IP address of the SonicWall security appliance.
2
Click the link at the bottom of the Login page that says Click here for sslvpn login.
3
Click the NetExtender button. A dialog indicates that you have chosen to open the NetExtender.tgz file.

4
Click OK to save it to your default download directory.
5
To install NetExtender from the CLI, navigate to the directory where you saved NetExtender.tgz.
6
Enter the tar -zxf NetExtender.tgz command.

7
Type the cd netExtenderClient command.
8
Type ./install to install NetExtender.
9
Launch the NetExtender.tgz file.
10
Follow the instructions in the NetExtender installer. The new netExtender directory contains a NetExtender shortcut that can be dragged to your desktop or toolbar.

11
The first time you connect, you must enter the server name or IP address in the SSL VPN Server field. NetExtender remembers the server name in the future.

12
Enter your username and password.
13
The first time you connect, you must enter the domain name. NetExtender remembers the domain name in the future.
NOTE: You must be logged in as root to install NetExtender, although many Linux systems allow the sudo ./install command to be used if you are not logged in as root.
14
To view the NetExtender routes:
a
Go to the NetExtender menu.
b
Select Routes.

15
To view the NetExtender Log, go to NetExtender > Log.

16
To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.

17
Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.

Configuring SSL VPN Bookmarks

When user bookmarks are defined, they are displayed on the SSL VPN > Virtual Office page. Users can modify or delete their own bookmarks, but cannot modify or delete bookmarks created by the administrator.

To configure an SSL VPN Bookmark:
1
Go to the SSL VPN > Virtual Office page.
2
Click Add Bookmark. The Add Portal Bookmark dialog displays.

3
In the Bookmark Name field, type a descriptive name for the bookmark.
4
In the Name or IP Address field, enter the fully qualified domain name (FQDN) or the IPv4 address of a host machine on the LAN.

Some services run on non-standard ports, and some services expect a path when connecting. The format for the Name or IP Address field is shown in Formats for the Name or IP Address Field and is listed by the service you select from the Service menu in Step 5.

 

Formats for the Name or IP Address Field

| Service | Format | Example |
| --- | --- | --- |
| Terminal Services (RDP5 - ActiveX), Terminal Services (RDP5 - Java) | IP Address | 10.20.30.4 |
| | IP:Port (non-standard) | 10.20.30.4:6818 |
| | FQDN | JBJONES-PC.sv.us.SonicWall.com |
| | Host name | JBJONES-PC |
| Virtual Network Computing (VNC) | IP Address | 10.20.30.4 |
| | IP:Port (mapped to session) | 10.20.30.4:5901 (mapped to session 1) |
| | FQDN | JBJONES-PC.sv.us.SonicWall.com |
| | Host name | JBJONES-PC |
| | NOTE: Do not use session or display number instead of port. | NOTE: Do not use 10.20.30.4:1 |
| | | TIP: For a bookmark to a Linux server, see the Tip below this table. |
| Telnet | IP Address | 10.20.30.4 |
| | IP:Port (non-standard) | 10.20.30.4:6818 |
| | FQDN | JBJONES-PC.sv.us.SonicWall.com |
| | Host name | JBJONES-PC |
| Secure Shell Version 1 (SSHv1), Secure Shell Version 2 (SSHv2) | IP Address | 10.20.30.4 |
| | IP:Port (non-standard) | 10.20.30.4:6818 |
| | FQDN | JBJONES-PC.sv.us.SonicWall.com |
| | Host name | JBJONES-PC |

5
In the Service menu, select the service that you want.
NOTE: Depending on the Service you select, different menus, input boxes, and options are displayed in the Add Portal Bookmark dialog.
TIP: In some environments, you can enter the host name only, such as a Virtual Network Computing (VNC) bookmark for a Windows local network. When creating a Virtual Network Computing (VNC) bookmark to a Linux server, in the Name or IP Address box, you must specify the Linux server IP address, the port number, and the server number, in the format ipaddress:port:server. For example, if the Linux server IP address is 192.168.2.2, the port number is 5901, and the server number is 1, you would enter 192.168.2.2:5901:1 in the Name or IP Address box.
NOTE: For additional information on configuring SSL VPN bookmarks, see Editing Local Users.

If you are using a browser other than Internet Explorer and you select Terminal Services (RDP5 - ActiveX), the selection is automatically switched to Terminal Services (RDP5 - Java), and a pop-up dialog notifies you of the switch.

6
If you select Terminal Services (RDP5 - ActiveX) or Terminal Services (RDP5 - Java) from the Service menu, configure the following fields:
a
From the Screen Size menu, select the default screen size to be used on the terminal service screen when users execute this bookmark.
b
From the Colors menu, select the default color depth for the terminal service screen when users execute this bookmark.
c
In the Application Path box, enter the path where the client application resides on the remote device. (Optional)
d
In the Start in the following folder box, enter the local folder in which to execute application commands.
e
If you want to use Windows advanced options, expand Show windows advanced options (only available in 32-bit Windows client) and select any of the following redirect options:

To redirect devices or features on a local network for use in a bookmark session, select any of the following options:
Redirect Printers
Redirect Drives
Redirect Ports
Redirect SmartCards
Redirect clipboard
Redirect plug and play devices
NOTE: To see local printers on your remote device, select both Redirect Printers and Redirect Ports.
To use other options in a bookmark session, select any of the following options:
Display connection bar
Auto reconnection
Desktop background
Window drag
Menu/window animation
Themes
Bitmap caching
If the client application is RDP 6 (Java), select any of the following options:
Dual monitors
Font smoothing
Desktop composition
Remote Application
NOTE: Remote Application enables you to monitor the server and client connection. You must register remote applications in the Windows 2008 RemoteApp list. If Remote Application is selected, the Java Console displays messages regarding connectivity with the terminal server.
f
To allow login as console, select the Login as console session option.
NOTE: In RDC 6.1 and newer, Login as console session is replaced by Login as admin session.
g
For Windows clients, if you selected Terminal Services (RDP5 - ActiveX), you can select Enable plugin DLLs and enter the name(s) of client DLLs, which must be accessed by the remote desktop or terminal service, in the PluginDLLs box.

Multiple entries in the PluginDLLs box must be separated by a comma with no spaces.

NOTE: The Enable plugin DLLs option is not available for Terminal Services (RDP5 - Java). Terminal Services (RDP5 - Java) on Windows is a native RDP client that supports Plugin DLLs by default. See Enabling Plugin DLLs.
h
For automatic login, select Automatically log in and select Use SSL VPN account credentials to forward the current SSL VPN session credentials to the RDP server.
i
To enter a custom username, password, and domain for this bookmark, select Use custom credentials. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
If you select Virtual Network Computing (VNC) from the Service drop-down menu, the dialog displays as follows with the fields shown.

If you select Telnet from the Service drop-down menu, the dialog displays as follows with the fields shown.

If you select Secure Shell version 1 (SSHv1) from the Service drop-down menu, the dialog displays as follows with the fields shown.

If you select Secure Shell version 2 (SSHv2) from the Service drop-down menu, the dialog displays as follows with the fields shown.

Select Automatically accept host key if you want it. (Optional)
If you are using an SSHv2 server without authentication, such as a SonicWall firewall, select the Bypass username option. (Optional)
Select Display Bookmark to Mobile Connect clients if you want it.
7
Click OK to update the configuration.
NOTE: On mobile devices, the user must install Mobile Connect which supports Mobile Connect Bookmark. The user must also install a mobile application for the bookmark service. For example, for RDP service, the user must install 2X Client RDP.

To install and launch Mobile Connect and Mobile Connect Bookmark, refer to the Mobile Connect documentation for your device. Go to https://support.sonicwall.com/ and select the Mobile Connect product. Then filter on device type.

When you launch Mobile Connect client on your mobile device, and it connects successfully, you should see the Mobile Connect Bookmark list.
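
An added example, not part of the SonicWall guide: a Python check for values destined for the Name or IP Address field in step 4 of the bookmark procedure above. It accepts the forms listed in Formats for the Name or IP Address Field plus the ipaddress:port:server form from the Tip, and rejects a VNC session or display number given in place of the port. The function names, the short service keys, the cut-off of 99 for what counts as a display number, and accepting a port after a host name are assumptions of this example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Short keys for the Service menu entries (hypothetical names for this example).
SERVICES = {"rdp", "vnc", "telnet", "ssh"}
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
VNC_BASE_PORT = 5900       # the table maps port 5901 to session 1
DISPLAY_NUMBER_MAX = 99    # assumption: smaller values are display numbers


class Target(NamedTuple):
    service: str
    kind: str              # "ip", "fqdn" or "hostname"
    host: str
    port: Optional[int]
    server: Optional[int]  # only for the VNC ipaddress:port:server form


def classify_host(host):
    """Return "ip", "fqdn" or "hostname", or raise ValueError."""
    try:
        ipaddress.IPv4Address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.split(".")
    # An all-numeric last label means a malformed IPv4 address, not a name.
    if labels[-1].isdigit() or not all(LABEL.match(label) for label in labels):
        raise ValueError(f"{host!r} is not an IPv4 address, FQDN or host name")
    return "fqdn" if len(labels) > 1 else "hostname"


def parse_port(text):
    if not (text.isascii() and text.isdigit()) or not 1 <= int(text) <= 65535:
        raise ValueError(f"{text!r} is not a TCP port (1-65535)")
    return int(text)


def parse_bookmark_target(service, value):
    """Parse a Name or IP Address value for the given service."""
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    parts = value.strip().split(":")
    if len(parts) > 3:
        raise ValueError("too many ':' separated fields")
    kind = classify_host(parts[0])
    port = parse_port(parts[1]) if len(parts) >= 2 else None
    server = None
    if len(parts) == 3:
        # ipaddress:port:server is described only for VNC to a Linux server.
        if service != "vnc" or kind != "ip":
            raise ValueError("ipaddress:port:server is only for VNC bookmarks "
                             "to a Linux server, given by IP address")
        if not (parts[2].isascii() and parts[2].isdigit()):
            raise ValueError(f"{parts[2]!r} is not a server number")
        server = int(parts[2])
    if service == "vnc" and port is not None and port <= DISPLAY_NUMBER_MAX:
        raise ValueError(f"{port} looks like a session or display number; "
                         f"use the port, e.g. {parts[0]}:{VNC_BASE_PORT + port}")
    return Target(service, kind, parts[0], port, server)


def validate(service, value):
    """Return None when the value is acceptable, else the reason as text."""
    try:
        parse_bookmark_target(service, value)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Values taken from the table and the Tip on this page.
    for svc, val in [("rdp", "10.20.30.4:6818"), ("vnc", "10.20.30.4:5901"),
                     ("vnc", "10.20.30.4:1"), ("vnc", "192.168.2.2:5901:1"),
                     ("ssh", "JBJONES-PC.sv.us.SonicWall.com")]:
        print(svc, val, "->", validate(svc, val) or "ok")
```
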

Enabling Plugin DLLs

The plugin DLLs feature is available for RDP (ActiveX or Java), and allows for the use of certain third party programs such as print drivers, on a remote machine. This feature requires RDP Client Control version 5 or higher.

NOTE: The RDP Java client on Windows is a native RDP client that supports Plugin DLLs by default. No action (or checkbox) is needed.
To enable plugin DLLs for the RDP ActiveX client:
1
Navigate to Users > Local Users.
2
Click the Configure icon corresponding to the user bookmark you wish to edit.
3
In the Bookmarks tab, click Add Bookmark.
4
Select Terminal Services (RDP5 - ActiveX) as the Service.
5
Configure the bookmark as described in the section Configuring SSL VPN Bookmarks.
6
Enter the name(s) of client DLLs which need to be accessed by the remote desktop or terminal service. Separate multiple entries by a comma with no spaces.
7
Ensure that any necessary DLLs are located on the individual client systems in %SYSTEMROOT% (for example: C:\Windows\system32).
NOTE: Ensure that your Windows system and RDP client are up to date prior to using the Plugin DLLs feature. This feature requires RDP 5 Client Control or higher.

Creating Bookmarks with Custom SSO Credentials

The administrator can configure custom Single Sign On (SSO) credentials for each user, group, or globally in RDP bookmarks. This feature is used to access resources that need a domain prefix for SSO authentication. Users can log into SonicWall SSL VPN as username, and click a customized bookmark to access a server with domain\username. Either straight textual parameters or variables may be used for login credentials.

To configure custom SSO credentials:
1
Create or edit an RDP bookmark as described in Configuring SSL VPN Bookmarks.
2
In the Bookmarks tab, select the Use Custom Credentials option.
3
Enter the appropriate username and password, or use dynamic variables; see Dynamic variables:
 

Dynamic variables

| Text Usage | Variable | Example Usage |
| --- | --- | --- |
| Login Name | %USERNAME% | US\%USERNAME% |
| Domain Name | %USERDOMAIN% | %USERDOMAIN%\%USERNAME% |
| Group Name | %USERGROUP% | %USERGROUP%\%USERNAME% |

4
Click Add.

Using SSL VPN Bookmarks


Using Remote Desktop Bookmarks

Remote Desktop Protocol (RDP) bookmarks enable you to establish remote connections with a specified desktop. SonicWall SSL VPN supports the RDP5 standard with both Java and ActiveX clients. RDP5 ActiveX can only be used through Internet Explorer, while RDP5 Java can be run on any platform and browser supported by the SonicWall SSL VPN. The basic functionality of the two clients is the same; however, the Java client is a native RDP client and supports the following features that the ActiveX client does not:

Redirect clipboard
Redirect plug and play devices
Display connection bar
Auto reconnection
Desktop background
Window drag
Menu/window animation
Themes
Bitmap caching

If the Java client application is RDP 6, it also supports:

Dual monitors
Font smoothing
Desktop composition
NOTE: RDP bookmarks can use a port designation if the service is not running on the default port.
TIP: To terminate your remote desktop session, be sure to log off from the Terminal Server session. If you wish to suspend the Terminal Server session (so that it can be resumed later) you may simply close the remote desktop window.
1
Click on the RDP bookmark.
2
Continue through any warning dialogs that display by clicking Yes or OK.

3
Enter your username and password at the login screen.
4
Select the proper domain name from the drop-down menu.
5
A dialog displays indicating that the Remote Desktop Client is loading. The remote desktop then loads in its own window. You can now access all of the applications and files on the remote computer.

Using VNC Bookmarks

1
Click the VNC bookmark. The following dialog is displayed while the VNC client is loading.
NOTE: VNC can have a port designation if the service is running on a different port.

2
When the VNC client has loaded, you are prompted to enter your password in the VNC Authentication dialog.

3
To configure VNC options, click the Options button. The Options dialog displays.

VNC Options describes the options that can be configured for VNC.

 

VNC Options

| Option | Default | Description of Options |
| --- | --- | --- |
| Encoding | Tight | Hextile is a good choice for fast networks, while Tight is better suited for low-bandwidth connections. On the other hand, the Tight decoder in the TightVNC Java viewer is more efficient than the Hextile decoder, so this default setting can also be acceptable for fast networks. |
| Compression Level | Default | Use the specified compression level for Tight and Zlib encodings. Level 1 uses a minimum of CPU time on the server but achieves weak compression ratios. Level 9 offers the best compression but may be slow in terms of CPU time consumption on the server side. Use high levels with very slow network connections, and low levels when working over higher-speed networks. The Default value means that the server's default compression level should be used. |
| JPEG image quality | 6 | This cannot be modified. |
| Cursor shape updates | Enable | Cursor shape updates is a protocol extension used to handle remote cursor movements locally on the client side, saving bandwidth and eliminating delays in mouse pointer movement. |
| | | NOTE: The current implementation of cursor shape updates does not allow a client to track the mouse cursor position at the server side. This means that clients would not see mouse cursor movements if the mouse was moved either locally on the server or by another remote VNC client. |
| | | Set this parameter to Disable if you always want to see the real cursor position on the remote side. Setting this option to Ignore is similar to Enable, but the remote cursor will not be visible at all. This can be a reasonable setting if you don't care about cursor shape and don't want to see two mouse cursors, one above another. |
| Use CopyRect | Yes | CopyRect saves bandwidth and drawing time when parts of the remote screen are moving around. Most likely, you don't want to change this setting. |
| Restricted colors | No | If set to No, then 24-bit color format is used to represent pixel data. If set to Yes, then only 8 bits are used to represent each pixel. 8-bit color format can save bandwidth, but colors may look very inaccurate. |
| Mouse buttons 2 and 3 | Normal | If set to Reversed, the right mouse button (button 2) acts as if it is the middle mouse button (button 3), and vice versa. |
| View only | No | If set to Yes, then all keyboard and mouse events in the desktop window are silently ignored and will not be passed to the remote side. |
| Share desktop | Yes | If set to Yes, then the desktop can be shared between clients. If this option is set to No, then an existing user session ends when a new user accesses the desktop. |

Using Telnet Bookmarks

1. Click on the Telnet bookmark.

NOTE: Telnet bookmarks can use a port designation for servers not running on the default port.

2. Click OK to any warning messages that are displayed. A Java-based Telnet dialog launches.

3. If the device you are Telnetting to is configured for authentication, enter your username and password.

Using SSHv1 Bookmarks

NOTE: SSH bookmarks can use a port designation for servers not running on the default port.

1. Click on the SSHv1 bookmark. A Java-based SSH window is launched.

2. Enter your username and password.

3. An SSH session is launched in the Java applet.

TIP: Some versions of the JRE may cause the SSH authentication window to pop up behind the SSH window.

Using SSHv2 Bookmarks

NOTE: SSH bookmarks can use a port designation for servers not running on the default port.

1. Click on the SSHv2 bookmark. A Java-based SSH dialog displays. Type your user name in the Username field and click Login.

2. A host key popup displays. Click Yes to accept and proceed with the login process.

3. Enter your password and click OK.

4. The SSH terminal launches in a new screen.

Configuring Device Profile Settings for IPv6

For complete information on the SonicOS implementation of IPv6, see About IPv6.

SonicOS supports NetExtender connections for users with IPv6 addresses. On the SSLVPN > Client Settings page, first configure the traditional IPv4 IP address pool, and then configure an IPv6 IP Pool. Clients will be assigned two internal addresses: one IPv4 and one IPv6.

NOTE: IPv6 DNS/WINS servers are not supported.

On the SSLVPN > Client Routes page, the user can select client routes from the drop-down list of all address objects, including all the pre-defined IPv6 address objects.

NOTE: IPv6 FQDN is supported.

Configuring Security Attributes

1. Click on the Security Attributes tab.

2. In the Select Attribute(s) drop-down menu, select the appropriate type of attribute. The sections that follow these steps describe how to configure each Security Attribute.

3. Complete the attribute-specific configuration (described below) and click Add to current attributes.

4. Repeat as needed to configure multiple attributes. When more than one Security Attribute is configured, the device must match all of them in order for it to match the Device Profile.

5. When finished, click the Client Routes tab and continue to Configuring Client Routes.

Antivirus Program

The Device Profile verifies the specified Antivirus program is installed.

The following information is used to define the Antivirus program attribute:

Vendor – Select the vendor for the Antivirus program.
Product name – Select the supported Antivirus programs.
Product version – After you select an Antivirus program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.
TIP: For all of these numeric searches in Security Attributes, you can specify one of five types of comparison operators in the drop-down menu: greater than (>), greater than or equal to (>=), equal to (=), less than (<), or less than or equal to (<=).
Signature updated – Enter a value in days for how recently the client device has updated its Antivirus signature and select a comparison operator type.
File system scanned – Enter a value in days for how recently the client device has been scanned by the Antivirus program and select a comparison operator type.
Realtime protection required – Select this check box to require that realtime protection be enabled on the Antivirus program.

Antispyware Program

The Device Profile verifies the specified Antispyware program is installed.

The following information is used to define the Antispyware program attribute:

Vendor – Select the vendor for the Antispyware program.
Product name – Select the supported Antispyware programs.
Product version – After you select an Antispyware program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.
Signature updated – Enter a value in days for how recently the client device has updated its Antispyware signature and select a comparison operator.
File system scanned – Enter a value in days for how recently the client device has been scanned by the Antispyware program and select a comparison operator.
Realtime protection required – Select this check box to require that realtime protection be enabled on the Antispyware program.

Application

The Device Profile verifies the specified application is installed.

Enter the file name of the application. Wildcard characters (* and ?) can be used, and the entry is not case sensitive.

Client Certificate

The Device Profile verifies a Certificate Authority (CA) certificate is installed.

Select the certificate from the CA certificate drop-down menu. All of the certificates installed on the SonicWall security appliance are displayed in the drop-down menu. For a client device to match this profile, the appliance must be configured with the root certificate for the CA that issued the client certificate to your users (intermediate certificates do not work).

Select the certificate store(s) you want searched:

System store only – Searches HKLM\SOFTWARE\Microsoft\SystemCertificates.
System store and user store – The system store directory is searched first, followed by the user store: HKCU\Software\Microsoft\SystemCertificates.

Directory Name

The Device Profile verifies a specific directory is present on the device’s file system.

Enter the Directory name that must be present on the hard disk of the device. Directory names are not case-sensitive.

Equipment ID

The Device Profile verifies the Equipment ID, a unique hardware identifier, of the device.

Enter the Device identifier for the user’s device. Only one device will be able to match this Device Profile. The device identifier is usually an attribute in the authentication directory represented by a variable; for example, {unique_id}.

A hard disk utility program, such as HD Tune, can be used to determine the Device Identifier. In the following figure of HD Tune, the Device Identifier is listed as Serial number.

File Name

The Device Profile verifies a specific file is installed.

The following information defines the file name attribute:

File name – Enter the name of the file, including its extension and full path. File names are not case-sensitive. You can use wildcard characters (* and ?) or environment variables (such as %windir% or %userprofile%).
File size – Enter the file size in bytes and select a comparison operator.
Last modified – You can either select an absolute time by entering a date (in mm/dd/yyyy format), or a relative time by entering the number of days (and optionally hours, minutes and seconds) since the file was modified.
Validate file integrity – Select this check box to validate the file using an MD5 hash, a SHA-1 hash, or a Windows catalog file.

Personal Firewall Program

The Device Profile verifies a personal firewall program is installed.

The following information defines the Personal firewall program attribute:

Vendor – Select the vendor for the Personal firewall program.
Product name – Select the supported Personal firewall programs.
Product version – After you select a Personal firewall program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.

Windows Domain

The Device Profile verifies the specified Windows domain is present.

In the Computer is a member of domain field, enter one or more domain names, without a DNS suffix. Multiple entries can be separated with semicolons. The domain can contain wildcard characters (* and ?).

Windows Registry Entry

The Device Profile verifies the specified Windows registry entry is present.

The following information is used to define the Windows registry entry attribute:

Key name – Enter the Windows registry entry.
Value name – (Optional) Enter a specific value for the registry entry.
Registry entry – (Optional) Enter a numeric value for the registry entry and select a comparison operator.

Wildcards can be used for the Value name and Registry entry fields, but not for the key. To enter a special character (such as a wildcard or backslash), you must precede it with a backslash.

Windows Version

The Device Profile verifies the version of Windows that the device is running.

The following information is used to define the Windows version search:

Operator – Select greater than (>), greater than or equal to (>=), equal to (=), less than (<), or less than or equal to (<=).
Major – Enter the Windows major version number.
Minor – Enter the Windows minor version number.
Build – (Optional) Enter the Windows build version number.
Recent Windows versions are identified by the following Major and Minor release numbers, for example:
Windows 2000 – Major: 5, Minor: 0
Windows XP – Major: 5, Minor: 1
Windows Vista – Major: 6, Minor: 0
Windows 7 – Major: 6, Minor: 1

The comparison Operator applies to all three values.
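The page states that the Operator applies to all three values but does not say how they are combined. This added example (not SonicWALL code) evaluates a Windows Version rule under two possible readings, as one ordered version or field by field, and lists the versions on which the readings disagree, which are the devices worth testing against the appliance before relying on a rule. The build numbers and the Windows 10 entry are not from the page.

```python
import operator

# The five comparison operators offered in the drop-down menu.
OPS = {">": operator.gt, ">=": operator.ge, "=": operator.eq,
       "<": operator.lt, "<=": operator.le}

# (Major, Minor, Build). Major/Minor for the first four come from the list above;
# builds and the Windows 10 row are added here for illustration.
DEVICES = {
    "Windows 2000": (5, 0, 2195),
    "Windows XP": (5, 1, 2600),
    "Windows Vista": (6, 0, 6000),
    "Windows 7": (6, 1, 7600),
    "Windows 10": (10, 0, 19045),
}

def ordered(op, device, rule):
    """Reading A: compare Major, Minor (and Build, if given) as one ordered version."""
    return OPS[op](tuple(device[:len(rule)]), tuple(rule))

def per_field(op, device, rule):
    """Reading B: the operator must hold for every field on its own."""
    return all(OPS[op](d, r) for d, r in zip(device, rule))

def divergent(op, rule, devices=DEVICES):
    """Names of devices for which the two readings give different answers."""
    return [name for name, ver in devices.items()
            if ordered(op, ver, rule) != per_field(op, ver, rule)]

if __name__ == "__main__":
    for op in (">=", "<", "="):
        print(f"rule: version {op} 6.1 ->", divergent(op, (6, 1)) or "readings agree")
```

A rule such as ">= 6.1" behaves the same under both readings for every version in the page's list; the readings only separate once a device has a higher Major and a lower Minor number.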

When you have completed the Security Attributes configuration, click on the Client Routes tab.

Configuring Client Routes

The Client Routes tab governs the network access granted to SSL VPN users.

Select Enabled from the Tunnel All Mode drop-down list to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

 

Routes Added to Remote Client’s Route Table

IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.

NOTE: In addition to configuring Tunnel All Mode, you must also configure the individual SSL VPN user accounts. See Configuring Users and Groups for Client Routes and Tunnel All Mode.
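The two routes with mask 128.0.0.0 are more specific than any existing default route, so longest-prefix matching prefers them for every IPv4 destination. This added example (not SonicWALL code) runs that match over a constructed client route table and reports any more-specific route that would still leave outside the tunnel. The interface labels and the 192.168.50.0 route are assumptions, and metric tie-breaking between equal-length prefixes is not modeled.

```python
import ipaddress

TUNNEL_IF = "NetExtender"   # assumed label for the SSL VPN adapter

def route(addr, mask, iface):
    """Build a route entry from the address/mask form used in the table above."""
    return {"net": ipaddress.ip_network(f"{addr}/{mask}"), "if": iface}

# Constructed client route table: the client's original default route, the three
# Tunnel All Mode routes, and one leftover static route on the local adapter.
ROUTES = [
    route("0.0.0.0", "0.0.0.0", "LAN"),              # pre-existing default gateway
    route("0.0.0.0", "0.0.0.0", TUNNEL_IF),
    route("0.0.0.0", "128.0.0.0", TUNNEL_IF),
    route("128.0.0.0", "128.0.0.0", TUNNEL_IF),
    route("192.168.50.0", "255.255.255.0", "LAN"),   # constructed stale static route
]

def best_route(table, dest):
    """Longest-prefix match: the most specific route containing dest, or None."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in table if ip in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None

def egress(table, dest):
    """Interface a packet to dest would leave on, or None if unroutable."""
    hit = best_route(table, dest)
    return hit["if"] if hit else None

def tunnel_all_in_place(table, iface):
    """True if both half-space routes (mask 128.0.0.0) point at the tunnel."""
    need = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return need <= {r["net"] for r in table if r["if"] == iface}

def bypass_routes(table, iface):
    """Routes more specific than the half-space routes that avoid the tunnel."""
    return [r for r in table if r["if"] != iface and r["net"].prefixlen > 1]

if __name__ == "__main__":
    for dest in ("8.8.8.8", "203.0.113.9", "192.168.50.10"):
        print(dest, "->", egress(ROUTES, dest))
    print("tunnel-all routes present:", tunnel_all_in_place(ROUTES, TUNNEL_IF))
    print("bypass:", [str(r["net"]) for r in bypass_routes(ROUTES, TUNNEL_IF)])
```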

Configuring Client Routes

To configure client routes to grant SSL VPN users network access:

1. Select the appropriate Address Object in the Networks list.

2. Click the Right Arrow button to add it to the Client Routes list.

3. Repeat for any additional Address Objects.

4. When finished, click on the Client Settings tab.

5. When you are finished with configuring the Device Profile, see Configuring Users and Groups for Client Routes and Tunnel All Mode for how to configure SSL VPN users and groups for SSL VPN access.

Configuring Users and Groups for Client Routes and Tunnel All Mode

NOTE: After completing the Client Routes configuration in the Device Profile, you must also assign all SSL VPN users and groups access to these routes on the Users > Local Users or Users > Local Groups pages.

Configuring Client Routes

To configure SSL VPN NetExtender users and groups to access Client Routes:

1. Navigate to the Users > Local Users or Users > Local Groups page.

2. Click on the Configure button for the SSL VPN NetExtender user or group.

3. Click on the VPN Access tab.

4. Select the address object for the Client Route, and click the Right Arrow (->) button.

5. Click OK.

6. Repeat Step 1 through Step 5 for all local users and groups that use SSL VPN NetExtender.

Configuring Tunnel All Mode

To configure SSL VPN users and groups for Tunnel All Mode:

1. Navigate to the Users > Local Users or Users > Local Groups page.

2. Click on the Configure button for an SSL VPN NetExtender user or group.

3. Click on the VPN Access tab.

4. Select the WAN RemoteAccess Networks address object.

5. Click the Right Arrow (->) button.

6. Click OK.

7. Repeat Step 1 through Step 6 for all local users and groups that use SSL VPN NetExtender.

Configuring Client Settings

The Client Settings tab configures the DNS settings for SSL VPN clients as well as several options for the NetExtender client.

To configure Client Settings:

1. Click the Default DNS Settings to use the default DNS settings of the SonicWall security appliance. The DNS and WINS configuration is auto-propagated.

2. To manually configure the DNS information, in the DNS Server 1 field:
Enter the IP address of the primary DNS server.
Click the Default DNS Settings to use the default settings.

NOTE: Both IPv4 and IPv6 are supported.

3. (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.

4. In the DNS Search List (in order) field, enter the IP addresses to be searched.

5. Click Add. The IP address appears in the list below the field.

Use the up and down arrow icons to order the addresses.

To remove an address, select it and then click Remove.

6. (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.

NOTE: Only IPv4 is supported.

7. (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.

8. Configure the following NetExtender client settings to customize the behavior of NetExtender when users connect and disconnect:
Enable Client Autoupdate - The NetExtender client checks for updates every time it is launched.
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users have to either return to the SSL VPN portal or launch NetExtender from their Programs menu.
Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users have to return to the SSL VPN portal.
Create Client Connection Profile - The NetExtender client creates a connection profile recording the SSL VPN Server name, the Domain name, and optionally the username and password.
User Name & Password Caching - To balance security needs against ease of use for users and provide flexibility in allowing users to cache their usernames and passwords in the NetExtender client, select one of these options:
Allow saving of user name only
Allow saving of user name & password
Prohibit saving of user name & password

TIP: Having NetExtender save your user name and password can be a security risk and should not be enabled if there is a chance that other people could use your computer to access sensitive information on the network.

9. Click OK to complete the Device Profile configuration process.