SonicOS 6.2 Admin Guide

SSL VPN

Configuring SSL VPN

About SSL VPN

This section provides information on how to configure the SSL VPN features on the SonicWall network security appliance. SonicWall’s SSL VPN features provide secure remote access to the network using the NetExtender client.

NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on the company’s network. It uses Point-to-Point Protocol (PPP). NetExtender allows remote clients seamless access to resources on your local network. Users can access NetExtender two ways:

Logging in to the Virtual Office web portal provided by the SonicWall network security appliance and clicking on the NetExtender button.
Launching the standalone NetExtender client.

The NetExtender standalone client is installed the first time you launch NetExtender. Thereafter, it can be accessed directly from the Start menu on Windows systems, from the Application folder or dock on MacOS systems, or by the path name or from the shortcut bar on Linux systems.

About SSL VPN NetExtender

What is SSL VPN NetExtender?

SonicWall’s SSL VPN NetExtender feature is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.

Benefits

NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox. On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install and use the NetExtender client.

After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL-VPN point-to-point access to permitted hosts and subnets on the internal network.

NetExtender Concepts

Stand-Alone Client

NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer will first uninstall the old NetExtender and install the new version.

Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.

Client Routes

NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources.

Tunnel All Mode

Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Routes to be added to the remote client’s route table

IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.

Connection Scripts

SonicWall SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.

Proxy Configuration

SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.

NetExtender provides three options for configuring proxy settings:

Automatically detect settings - To use this setting, the proxy server must support the Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window will prompt you to enter them when you first connect.

When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the firewall server directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.
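The proxy path described above (the client opens an HTTPS connection to the proxy, the proxy forwards to the SSL VPN server, the Bypass Proxy field lets some hosts go direct, and the proxy may demand a user name and password) as an added example in Python. This is not SonicWall or NetExtender code. It assumes the proxy hop is an HTTP CONNECT tunnel with Basic proxy authentication, and that a domain entry in the bypass list also matches its subdomains; vpn.example.com, proxy.corp.example, the credentials and the proxy replies are constructed for the example.

```python
import base64
import ipaddress

# Constructed values for this example; 4433 is the page's default SSL VPN port.
SSLVPN_HOST = "vpn.example.com"
SSLVPN_PORT = 4433


def should_bypass(host, bypass_list):
    """True when host matches an entry of the 'Bypass Proxy' field.

    Assumed matching rule: an entry that is an IP address matches only that
    address; a domain entry matches the domain itself and its subdomains.
    """
    host = host.strip().lower().rstrip(".")
    for entry in bypass_list:
        entry = entry.strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            # Both sides parse as IP addresses: compare as addresses rather than
            # strings so that IPv6 spellings such as ::1 and 0:0:0:0:0:0:0:1 match.
            if ipaddress.ip_address(host) == ipaddress.ip_address(entry):
                return True
            continue
        except ValueError:
            pass  # at least one side is a domain name
        if host == entry or host.endswith("." + entry):
            return True
    return False


def build_connect_request(vpn_host, vpn_port, username=None, password=None):
    """Build the HTTP CONNECT request sent to an HTTPS proxy.

    Assumption: the 'HTTPS connection to the proxy server' on the page is an
    HTTP CONNECT tunnel. The proxy only learns host:port; the TLS session with
    the firewall is negotiated inside the tunnel afterwards, so the proxy never
    sees the certificate or the tunnelled traffic.
    """
    target = "%s:%d" % (vpn_host, vpn_port)
    lines = ["CONNECT %s HTTP/1.1" % target, "Host: %s" % target]
    if username is not None:
        # Basic scheme assumed for the proxy user name / password the page mentions.
        raw = ("%s:%s" % (username, password or "")).encode("utf-8")
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(raw).decode("ascii"))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_response(raw):
    """Return (status, reason) from the proxy's reply to CONNECT.

    200 means the tunnel is open; 407 means the proxy wants credentials, the
    case in which the page says a NetExtender pop-up prompts for them.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def plan_connection(vpn_host, vpn_port, proxy=None, bypass_list=(), username=None, password=None):
    """Decide whether the client goes direct or through the proxy.

    Returns ("direct", "host:port") or ("proxy", "proxyhost:port", request_bytes).
    """
    if proxy is None or should_bypass(vpn_host, bypass_list):
        return ("direct", "%s:%d" % (vpn_host, vpn_port))
    return ("proxy", proxy, build_connect_request(vpn_host, vpn_port, username, password))


if __name__ == "__main__":
    kind, where, request = plan_connection(
        SSLVPN_HOST, SSLVPN_PORT, proxy="proxy.corp.example:3128",
        bypass_list=["intranet.example.com", "10.0.0.1"],
        username="alice", password="s3cret")
    print(kind, where)
    print(request.decode("ascii"))
    # Constructed reply, as the client would receive it from the proxy.
    print(parse_proxy_response(b"HTTP/1.1 200 Connection established\r\n\r\n"))
```

The point a reviewer of a proxy setup should take from the exchange: everything after the 200 reply is TLS negotiated end-to-end with the firewall, so a proxy that logs CONNECT targets sees only vpn.example.com:4433, never the user's credentials or tunnelled data.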

Configuring Users for SSL VPN Access

For users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group. Users who attempt to log in through the Virtual Office who do not belong to the SSLVPN Services group are denied access.

NOTE: Complete instructions for installing NetExtender on a SonicWall appliance can be found in How to setup SSL-VPN feature (NetExtender Access) on SonicOS 5.9 & above (SW10657) in the Knowledge Base.

VIDEO: The video, How to configure SSL VPN, also explains the procedure for configuring NetExtender.

The maximum number of SSL VPN concurrent users for each SonicWall network security appliance model supported is shown in Maximum number of concurrent SSL VPN users.

 

Maximum number of concurrent SSL VPN users

SonicWall appliance model    Maximum concurrent SSL VPN connections
SM 9800                      3000
SM 9600                      3000
SM 9400                      3000
SM 9200                      3000
NSA 6600                     1500
NSA 5600                     1000
NSA 4600                     500
NSA 3600                     350
NSA 2600                     250
TZ600                        200
TZ500/TZ500 W                150
TZ400/TZ400 W                100
TZ300/TZ300 W                50
SOHO W                       50

Configuring SSL VPN Access for Local Users

To configure users in the local user database for SSL VPN access, you must add the users to the SSLVPN Services user group.

To configure SSL VPN access for local users:
1. Navigate to the Users > Local Users page.
2. Click on the Configure icon for the user you want to edit, or click the Add User button to create a new user. The Edit User or Add User dialog displays.
3. Click on the Groups tab.
4. In the User Groups column, click on SSLVPN Services.
5. Click the Right Arrow button to move it to the Member Of column.
6. Click on the VPN Access tab. The VPN Access tab configures which network resources VPN users (GVC, NetExtender, or Virtual Office bookmarks) can access.

NOTE: The VPN Access tab affects the ability of remote clients using GVC, NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the Access List on the VPN Access tab.

7. Select one or more network address objects or groups from the Networks list and click the Right Arrow button to move them to the Access List column.

To remove the user’s access to network address objects or groups, select the network from the Access List, and click the Left Arrow button.

8. Click OK.

Configuring SSL VPN Access for RADIUS Users

To configure RADIUS users for SSL VPN access, you must add the users to the SSLVPN Services user group.

To configure SSL VPN access for RADIUS users:
1. Navigate to the Users > Settings page.
2. In the Authentication Method for login drop-down menu, select RADIUS or RADIUS + Local Users. The options change slightly.
3. Click the Configure RADIUS button. The RADIUS Configuration dialog displays.
4. Click the RADIUS Users tab.
5. In the Default user group to which all RADIUS users belong drop-down menu, select SSLVPN Services.

NOTE: The VPN Access tab in the Edit User dialog is another granular control on access for both Virtual Office Bookmarks and NetExtender access.

6. Click OK.

Configuring SSL VPN Access for LDAP Users

To configure LDAP users for SSL VPN access, you must add the LDAP user groups to the SSLVPN Services user group.

To configure SSL VPN access for LDAP users:
1. Navigate to the Users > Settings page.
2. From the User authentication method drop-down menu, select either LDAP or LDAP + Local Users. The options change slightly.
3. Click the Configure LDAP button to launch the LDAP Configuration dialog.
4. Click on the Users & Groups tab.
5. From the Default LDAP User Group drop-down menu, select SSLVPN Services.

NOTE: The VPN Access tab in the Edit User dialog is another granular control on access for both Virtual Office Bookmarks and NetExtender access.

6. Click OK.

Displaying SSL VPN Session Data

SSL VPN > Status

The SSL VPN > Status page displays a summary of active NetExtender sessions, including the name, the PPP IP address, the physical IP address, login time, length of time logged in and logout time.

SSL VPN status items provides a description of the status items.

 

SSL VPN status items

Status Item          Description
User Name            The user name.
Client Virtual IP    The IP address assigned to the user from the client IP address pool.
Client WAN IP        The physical IP address of the user.
Login Time           The amount of time since the user first established a connection with the SSL VPN appliance, expressed as a number of days and a time (HH:MM:SS).
Inactivity Time      Duration of time the user has been inactive.
Logged In            The time when the user initially logged in.
Logout               Provides the ability to log out a NetExtender session.

 

Configuring SSL VPN Server Behavior

SSL VPN > Server Settings

The SSL VPN > Server Settings page configures details of the firewall’s behavior as an SSL VPN server.

SSL VPN Status on Zones

This section displays the SSL VPN Access status on each zone:

Green indicates active SSL VPN status.
Red indicates inactive SSL VPN status.

To enable or disable SSL VPN access, click the zone name.

SSL VPN Server Settings

About Suite B Cryptography

SonicOS supports Suite B cryptography, which is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It serves as an interoperable cryptographic base for both classified and unclassified information. Suite B cryptography is approved by National Institute of Standards and Technology (NIST) for use by the U.S. Government.

NOTE: There is also a Suite A that is defined by the NSA, but it is used primarily in applications where Suite B is not appropriate.

Most of the Suite B components are adopted from the FIPS standard:

Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits (provides adequate protection for classified information up to the SECRET level).
Elliptic Curve Digital Signature Algorithm (ECDSA) - digital signatures (provides adequate protection for classified information up to the SECRET level).
Elliptic Curve Diffie-Hellman (ECDH) - key agreement (provides adequate protection for classified information up to the SECRET level).
Secure Hash Algorithm 2 (SHA-256 and SHA-384) - message digest (provides adequate protection for classified information up to the TOP SECRET level).

Configuring the SSL VPN Server

The following settings configure the SSL VPN server:

SSL VPN Port - Enter the SSL VPN port number in the field. The default is 4433.
Certificate Selection – From this drop-down menu, select the certificate that will be used to authenticate SSL VPN users. The default method is Use Selfsigned Certificate.

To manage certificates, go to the System > Certificates page.

NOTE: On NSA 2600 and above appliances, you can configure Suite B mode and specify cipher preferences in the following two settings.
Enable SuiteB Mode in SSL VPN – Select this checkbox to enable SSL VPN Suite B mode. This option is not selected by default.
Enable Server Cipher Preference – Select this checkbox to configure a preferred cipher method. This option is not selected by default.
Select a cipher from the Cipher Methods drop-down menu:
RC4_MD5 (default)
3DES_SHA1
AES256_SHA1
User Domain – Enter the user’s domain, which must match the domain field in the NetExtender client. The default is LocalDomain.
Enable Web Management over SSL VPN – To enable web management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.
Enable SSH Management over SSL VPN – To enable SSH management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.
Inactivity Timeout (minutes) – Enter the number of minutes of inactivity before logging out the user. The default is 10 minutes.

RADIUS User Settings

This section is available only when either RADIUS or LDAP is configured to authenticate SSL VPN users.

Use RADIUS in – Select this checkbox to have RADIUS use MSCHAP (or MSCHAPv2) mode. Enabling MSCHAP-mode RADIUS allows users to change expired passwords at login time. Choose between these two modes:

MSCHAP
MSCHAPV2 mode (allows users to change expired passwords)

NOTE: In LDAP, password updates can only be done when using either Active Directory with TLS and binding to it using an administrative account, or Novell eDirectory.

If this option is set when LDAP is selected as the authentication method for login on the Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for SSL VPN users are performed using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

SSL VPN Client Download URL

This section allows you to download client SSL VPN files to your HTTP server.

Click here to download the SSL VPN zip file which includes all SSL VPN client files – To download from the appliance, click the Click here link to display an Opening application.zip dialog. Open and unzip the file, and then put the folder on your HTTP server.

Use customer’s HTTP server as downloading URL: (http://) – Select this checkbox to enter your SSL VPN client download URL in the supplied field.

Configuring SSL VPN Client Settings

SSL VPN > Client Settings

The SSL VPN > Client Settings page allows you to edit the Default Device Profile to enable SSL VPN access on zones, configure client routes, and configure the client DNS and NetExtender settings. The SSL VPN > Client Settings page displays the configured IPv4 and IPv6 network addresses and zones that have SSL VPN access enabled.

You can also edit the SonicPoint Layer 3 Management Default Device Profile on this page.

In SonicOS 6.2.2.x and later releases, NetExtender IP address ranges are configured by first creating an address object for the NetExtender IP address range, and then using this address object when configuring one of the Device Profiles. See Creating an Address Object for the NetExtender Range.

Biometric Authentication

IMPORTANT: To use this feature, ensure that Mobile Connect 4.0 or higher is installed on the mobile device, and configure it to connect with the firewall.

SonicOS 6.2.7 introduces support for biometric authentication in conjunction with SonicWall Mobile Connect. Mobile Connect is an app that allows users to securely access private networks from a mobile device. Mobile Connect 4.0 supports using finger touch for authentication as a substitute for username and password.

SonicOS 6.2.7 provides configuration settings on the SSL VPN > Client Settings page to allow this method of authentication when using Mobile Connect to connect to the firewall.

After configuring biometric authentication on the SSL VPN > Client Settings page, on the client smart phone or other mobile device, enable Touch ID (iOS) or Fingerprint Authentication (Android).

Configuring Client Settings

The following tasks are configured on the SSL VPN > Client Settings page:

NOTE: For how to configure SSL VPN settings for SonicPoint management over SSL VPN, see Configuring SonicPoint Management over SSL VPN.

Creating an Address Object for the NetExtender Range

You can create address objects for both an IPv4 address range and an IPv6 address range to be used in the SSL VPN > Client Settings configuration.

The address range configured in the address object defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support plus one (for example, the range for 15 users requires 16 addresses, such as 192.168.168.100 to 192.168.168.115).

NOTE: In cases where there are other hosts on the same segment as the SSL VPN appliance, the address range must not overlap or collide with any assigned addresses.

To create an address object for the NetExtender IP address range:
1. Navigate to the Network > Address Objects page.
2. Click the Add button. The Add Address Object dialog displays.
3. For Name, type in a descriptive name for the address object.
4. For Zone Assignment, select SSLVPN from the drop-down list.
5. For Type, select Range. The dialog changes.
6. In the Starting IP Address field, type in the lowest IP address in the range you want to use.

NOTE: The IP address range must be on the same subnet as the interface used for SSL VPN services.

7. In the Ending IP Address field, type in the highest IP address in the range you want to use.
8. Click Add. When the address object has been added, a message displays.
9. Optionally, repeat Step 3 through Step 8 to create an address object for an IPv6 address range.
10. Click Close.
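An added check, written in Python for this guide and not SonicWall code, for the three rules the section above places on the NetExtender range: it must hold the maximum number of concurrent users plus one address, it must lie on the subnet of the interface used for SSL VPN services, and it must not collide with addresses already assigned on that segment. It uses the page's own sizing example (192.168.168.100 to 192.168.168.115 for 15 users); the interface address 192.168.168.1/24 and the assigned hosts are constructed. It also accepts IPv6 ranges, which the page says are configured the same way.

```python
import ipaddress


def required_pool_size(max_concurrent_users):
    """Addresses a NetExtender pool needs: one per concurrent user plus one,
    as the page states (15 users -> 16 addresses)."""
    return max_concurrent_users + 1


def check_netextender_range(start, end, interface, max_concurrent_users, assigned_hosts=()):
    """Validate a proposed NetExtender address-object range.

    start, end           first and last address of the range (IPv4 or IPv6)
    interface            SSL VPN interface address in CIDR form, e.g. "192.168.168.1/24"
    assigned_hosts       other addresses already in use on that segment
    Returns a list of problem strings; an empty list means the range passes.
    """
    lo = ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end)
    iface = ipaddress.ip_interface(interface)
    problems = []

    if lo.version != hi.version or lo.version != iface.version:
        return ["start, end and interface must all be IPv4 or all be IPv6"]
    if hi < lo:
        return ["ending address %s is below starting address %s" % (hi, lo)]

    # Rule 1: size is max concurrent users + 1.
    size = int(hi) - int(lo) + 1
    need = required_pool_size(max_concurrent_users)
    if size < need:
        problems.append("range holds %d addresses but %d users need %d"
                        % (size, max_concurrent_users, need))

    # Rule 2: same subnet as the SSL VPN interface (NOTE under step 6).
    if lo not in iface.network or hi not in iface.network:
        problems.append("range is not within the interface subnet %s" % iface.network)

    # Rule 3: no collision with the interface's own address or any other
    # assigned host on the segment (NOTE above the procedure).
    for host in (str(iface.ip),) + tuple(assigned_hosts):
        h = ipaddress.ip_address(host)
        if h.version == lo.version and lo <= h <= hi:
            problems.append("range collides with assigned address %s" % h)
    return problems


if __name__ == "__main__":
    # The page's own sizing example: 15 users, 192.168.168.100 to .115.
    print(check_netextender_range("192.168.168.100", "192.168.168.115",
                                  "192.168.168.1/24", 15))
    # Constructed failing case: a host already sits inside the range.
    print(check_netextender_range("192.168.168.100", "192.168.168.115",
                                  "192.168.168.1/24", 15,
                                  assigned_hosts=["192.168.168.110"]))
```

Run it against a candidate range before creating the address object; an empty list is a pass, and each string names the rule that failed so the range can be adjusted before NetExtender users start being assigned addresses from it.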

Configuring the Default Device Profile

Edit the Default Device Profile to select the zones and NetExtender address objects, configure client routes, and configure the client DNS and NetExtender settings.

SSL VPN access must be enabled on a zone before users can access the Virtual Office web portal. SSL VPN Access can be configured on the Network > Zones page by clicking the Configure icon for the zone.

NOTE: For SonicOS to terminate SSL VPN sessions, HTTPS for Management or User Login must be enabled on the Network > Interfaces page, in the Edit Interface dialog for the WAN interface.

Configuring the Settings tab

To configure the Settings tab of the Default Device Profile:
1. Navigate to the Default Device Profile section of the SSL VPN > Client Settings page.
2. Click the Configure button for the Default Device Profile. The Edit Device Profile dialog displays.

NOTE: The Name and Description of the Default Device Profile cannot be changed.

3. For the zone binding for this profile, on the Settings tab, select SSLVPN or a custom zone from the Zone IP V4 drop-down menu.
4. From the Network Address IP V4 drop-down menu, select the IPv4 NetExtender address object that you created. See Creating an Address Object for the NetExtender Range for instructions. This setting selects the IP Pool and zone binding for this profile. The NetExtender client gets its IP address from this address object if it matches this profile.
5. Select SSLVPN or a custom zone from the Zone IP V6 drop-down menu. This is the zone binding for this profile.
6. From the Network Address IP V6 drop-down menu, select the IPv6 NetExtender address object that you created.
7. Click the Client Routes tab to proceed with the client settings configuration. See Configuring the Client Routes Tab.
8. To save settings and close the dialog, click OK.

Configuring the Client Routes Tab

The Client Routes tab allows you to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access via the SSL VPN connection.

The following tasks are configured on the Client Routes tab:

Configuring Tunnel All Mode

Select Enabled from the Tunnel All Mode drop-down menu to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Routes to be added to the client’s route table

IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
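The route table above, and the identical one under NetExtender Concepts > Tunnel All Mode, work by longest-prefix match: the two /1 routes together cover every IPv4 destination, and each is more specific than the client's existing 0.0.0.0/0 default, so they win without the default route being removed. The Python below is an added example for this guide, not SonicWall or NetExtender code, that models a remote client's route table before and after Tunnel All and performs the lookup; the next-hop labels and the pre-existing routes are constructed, and it assumes, as on Windows, that the preferred metric is the numerically lower one (the page says only that the added local-network route's metric makes it win over the existing one).

```python
import ipaddress

# Constructed route table of a remote client before NetExtender connects.
# Entries are (destination network, next hop label, metric).
PRE_CONNECT_ROUTES = [
    ("0.0.0.0/0",   "local default gateway", 25),
    ("10.0.0.0/16", "local LAN (on-link)",   25),   # the page's 10.0.*.* example network
]

# Routes NetExtender adds in Tunnel All mode: the two /1 halves from the page's
# table, plus the 10.0.0.0/255.255.0.0 route for the user's local network.
TUNNEL_ALL_ADDED = [
    ("0.0.0.0/1",   "SSL VPN tunnel", 1),
    ("128.0.0.0/1", "SSL VPN tunnel", 1),
    ("10.0.0.0/16", "SSL VPN tunnel", 1),
]
TUNNEL_ALL_ROUTES = PRE_CONNECT_ROUTES + TUNNEL_ALL_ADDED


def lookup(destination, routes):
    """Return the next-hop label for destination.

    Longest prefix wins; among routes of equal prefix length the preferred
    metric wins. Assumption: preference is the lower numeric metric (the
    Windows convention), which is how the added 10.0.0.0/16 beats the
    on-link route of the same length.
    """
    addr = ipaddress.ip_address(destination)
    best_key, best_via = None, None
    for net_str, via, metric in routes:
        net = ipaddress.ip_network(net_str)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_via = key, via
    if best_via is None:
        raise LookupError("no route to %s" % destination)
    return best_via


def split_default_covers_all():
    """True if 0.0.0.0/1 and 128.0.0.0/1 together cover all of IPv4: that is why
    they catch every destination while still out-ranking the pre-existing /0
    default route on prefix length."""
    halves = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
    return list(ipaddress.collapse_addresses(halves)) == [ipaddress.ip_network("0.0.0.0/0")]


def tunnel_all_diff(destinations):
    """For each destination, report the next hop before and after Tunnel All."""
    return {d: (lookup(d, PRE_CONNECT_ROUTES), lookup(d, TUNNEL_ALL_ROUTES))
            for d in destinations}


if __name__ == "__main__":
    samples = ["8.8.8.8", "203.0.113.7", "10.0.67.200"]   # constructed destinations
    for dest, (before, after) in tunnel_all_diff(samples).items():
        print("%-14s before: %-22s after: %s" % (dest, before, after))
    print("two /1 routes cover all of IPv4:", split_default_covers_all())
```

The third sample, 10.0.67.200, is a host on the user's own LAN; it is the case the page calls out, where the added 10.0.0.0/16 route pulls local traffic into the tunnel as well, so a client in Tunnel All mode has no path to local resources except through the firewall.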

NOTE: To configure Tunnel All Mode, you must also configure an address object for 0.0.0.0, and assign SSL VPN NetExtender users and groups to have access to this address object.

To configure SSL VPN NetExtender users and groups for Tunnel All Mode:
1. Navigate to the Users > Local Users or Users > Local Groups page.
2. Click on the Configure button for an SSL VPN NetExtender user or group. The Edit Group dialog displays.
3. Click on the VPN Access tab.
4. Select the WAN RemoteAccess Networks address object.
5. Click the Right Arrow button.
6. Click OK.
7. Repeat Step 1 through Step 6 for all local users and groups that use SSL VPN NetExtender.

Adding Client Routes

Client Routes are used to configure access to network resources for SSL VPN users.

To configure Client Routes for SSL VPN:
1. Navigate to the Default Device Profile section of the SSL VPN > Client Settings page.
2. Click the Configure button for the Default Device Profile. The Edit Device Profile dialog displays.
3. Click the Client Routes tab.
4. From the Networks list, select the address object to which you want to allow SSL VPN access.
5. Click the Right Arrow button to move the address object to the Client Routes list.
6. Repeat Step 4 and Step 5 until you have moved all the address objects you want to use for Client Routes.

Creating client routes causes access rules allowing this access to be created automatically. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page. For more information, see Firewall > Access Rules.

NOTE: After configuring Client Routes for SSL VPN, you must also configure all SSL VPN NetExtender users and user groups to be able to access the Client Routes on the Users > Local Users or Users > Local Groups pages.

IMPORTANT: Add the NetExtender SSL VPN gateway to the DPI SSL excluded IP addresses.

To configure SSL VPN NetExtender users and groups to access Client Routes:
1. Navigate to the Users > Local Users or Users > Local Groups page.
2. Click on the Configure button for an SSL VPN NetExtender user or group.
3. Click on the VPN Access tab.
4. Select the address object for the Client Route.
5. Click the Right Arrow button.
6. Click OK.
7. Repeat Step 1 through Step 6 for all local users and groups that use SSL VPN NetExtender.

Configuring the Client Settings tab

NetExtender client settings are configured in the Edit Device Profile dialog.

To configure Client Settings:
1. Navigate to the Default Device Profile section of the SSL VPN > Client Settings page.
2. Click the Configure button for the Default Device Profile. The Edit Device Profile dialog displays.
3. Click the Client Settings tab.
4. In the DNS Server 1 field, either:
Enter the IP address of the primary DNS server.
Click Default DNS Settings to use the default settings for both the DNS Server 1 and DNS Server 2 fields. The fields are populated automatically.

NOTE: Both IPv4 and IPv6 are supported.

5. (Optional) In the DNS Server 2 field, if you did not click Default DNS Settings, enter the IP address of the backup DNS server.
6. (Optional) In the DNS Search List field:
a. Enter the IP address for a DNS server.
b. Click Add to add it to the list below.
c. Repeat Step a and Step b as many times as necessary.

Use the up and down arrow buttons to scroll through the list, as needed.

To remove an address from the list, select it, and then click Remove.

7. (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.

NOTE: Only IPv4 is supported.

8. (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.
9. To customize the behavior of NetExtender when users connect and disconnect, select Enabled or Disabled for each of the following settings under NetExtender Client Settings. By default, all are set to Disabled.

Enable Client Autoupdate - The NetExtender client checks for updates every time it is launched.
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users have to either return to the SSL VPN portal or launch NetExtender from their Programs menu.
Allow Touch ID on IOS devices – The NetExtender client allows Touch ID authentication on iOS smart phones.
Allow Fingerprint Authentication on Android devices – The NetExtender client allows fingerprint authentication on Android devices.
Enable NetBIOS over SSL VPN – The NetExtender client allows the NetBIOS protocol.
Uninstall Client After Exit - The NetExtender client uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users have to return to the SSL VPN portal.
Create Client Connection Profile - The NetExtender client creates a connection profile recording the SSL VPN Server name, the Domain name, and optionally the username and password.

10. To control whether users can cache their usernames and passwords in the NetExtender client, select one of these actions from the User Name & Password Caching field. These options enable you to balance security needs against ease of use for users.
Allow saving of user name only
Allow saving of user name & password
Prohibit saving of user name & password

11. When finished on all tabs, click OK.

Configuring the SonicPoint L3 Management Default Device Profile

The Default Device Profile for SonicPointN L3 settings is configured in the Edit Device Profile dialog.

To configure the SonicPoint L3 Management Default Device Profile:
1. Navigate to the SonicPoint L3 Management Default Device Profile section of the SSL VPN > Client Settings page.
2. Click the Configure button for the Default Device Profile. The Edit Device Profile dialog displays.

NOTE: The Name and Description of the Default Device Profile for SonicPointN cannot be changed.

3. For the zone binding for this profile, on the Settings tab, select SSLVPN or a custom zone from the Zone IP V4 drop-down menu.
4. From the Network Address IP V4 drop-down menu, select the IPv4 NetExtender address object that you created. See Creating an Address Object for the NetExtender Range for instructions. This setting selects the IP Pool and zone binding for this profile. The NetExtender client gets its IP address from this address object if it matches this profile.
5. Click the Client Routes tab.
6. From the Networks list, select the address object to which you want to allow SSL VPN access.
7. Click the Right Arrow button to move the address object to the Client Routes list.
8. Repeat Step 6 and Step 7 until you have moved all the address objects you want to use for Client Routes.

Creating client routes causes access rules allowing this access to be created automatically. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page. For more information, see Firewall > Access Rules.

NOTE: After configuring Client Routes for SSL VPN, you must also configure all SSL VPN NetExtender users and user groups to be able to access the Client Routes on the Users > Local Users or Users > Local Groups pages.

9. Click the SP L3 Settings tab.
10. Select an interface from the WLAN Tunnel Interface drop-down menu.
11. Click OK.

 

Configuring the Virtual Office Web Portal

SSL VPN > Portal Settings

The SSL VPN > Portal Settings page configures the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that users log in to in order to launch NetExtender. It can be customized to match any existing company website or design style.

Portal Settings

These options customize what the user sees when attempting to log in:

Portal Site Title - Enter the text displayed in the top title of the web browser in this field. The default is SonicWall - Virtual Office.
Portal Banner Title - Enter the text displayed next to the logo at the top of the page in this field. The default is Virtual Office.
Home Page Message - Enter the HTML code that is displayed above the NetExtender icon. To:
See how the message displays, click the Preview button to launch a pop-up window that displays the HTML code.
Revert to the default message, click the Example Template button to launch a pop-up window that displays the HTML code.

Login Message - Enter the HTML code that is displayed when users are prompted to log in to the Virtual Office. To:
See how the message displays, click the Preview button to launch a pop-up window that displays the HTML code.
Revert to the default message, click the Example Template button to launch a pop-up window that displays the HTML code.

The following options customize the functionality of the Virtual Office portal:

Launch NetExtender after login - Select to launch NetExtender automatically after a user logs in. This option is not selected by default.
Display Import Certificate Button - Select to display an Import Certificate button on the Virtual Office page. This initiates the process of importing the firewall’s self-signed certificate onto the web browser. This option is not selected by default.

NOTE: This option only applies to the Internet Explorer browser on PCs running Windows when Use Selfsigned Certificate is selected from the Certificate Selection drop-down menu on the SSL VPN > Server Settings page.

Enable HTTP meta tags for cache control (recommended) - Select to insert into the page HTTP meta tags that instruct the web browser not to cache the Virtual Office page. This option is not selected by default.

NOTE: SonicWall recommends enabling this option.

Display UTM management link on SSL VPN portal (not recommended) – Select to display the SonicWall appliance’s management link on the SSL VPN portal. This option is not selected by default.

IMPORTANT: SonicWall does not recommend enabling this option.

Portal Logo Settings

This section allows you to customize the logo displayed at the top of the Virtual Office portal:

Default Portal Logo – Displays the default portal logo:

Use Default SonicWall Logo – Select to use the SonicWall logo supplied with the appliance. This option is not selected by default.
Customized Logo (Input URL of the Logo) — Enter in this field the URL of the logo, in GIF format, you want to display.
TIP: The logo must be in GIF format of size 155 x 36; a transparent or light background is recommended.


Configuring Virtual Office

SSL VPN > Virtual Office

The SSL VPN > Virtual Office page displays the Virtual Office web portal inside of the SonicOS management interface.


Accessing the SSL VPN Portal

To view the SSL VPN Virtual Office web portal:
1. Navigate to the IP address of the firewall.
2. Click the link at the bottom of the Login page that says Click here for sslvpn login.

Using NetExtender

NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on your company’s network. Using Point-to-Point Protocol (PPP), NetExtender allows remote clients seamless access to resources on your local network. Users can access NetExtender two ways:

Logging in to the Virtual Office web portal provided by the SonicWall security appliance and clicking on the NetExtender button.
Launching the standalone NetExtender client. The NetExtender standalone client is installed the first time you launch NetExtender. Thereafter, it can be accessed directly from the:
Start menu on Windows systems.
Application folder or dock on MacOS systems.
Path name or shortcut bar on Linux systems.

User Prerequisites

Prerequisites for Windows Clients:

Windows clients must meet the following prerequisites in order to use NetExtender:

One of the following platforms:
Windows 10, Windows 8.1, Windows 8, Windows 7 Service Pack 1
Windows Vista Service Pack 2 (32-bit & 64-bit)
One of the following browsers:
Internet Explorer 9 or later
Mozilla Firefox 16.0 or later
Chrome 22.0 or later
To initially install the NetExtender client, the user must be logged in to the PC with administrative privileges.
Downloading and running scripted ActiveX files must be enabled on Internet Explorer.
If the firewall uses a self-signed SSL certificate for HTTPS authentication, then it is necessary to install the certificate before establishing a NetExtender connection. If you are unsure whether the certificate is self-signed or generated by a trusted root Certificate Authority, SonicWall recommends that you import the certificate. The easiest way to import the certificate is to click the Import Certificate button at the bottom of the Virtual Office home page.
Prerequisites for MacOS Clients

MacOS clients must meet the following prerequisites in order to use NetExtender:

Mac OS X 10.7 through 10.10
NOTE: Mac NetExtender is End Of Support on El Capitan (10.11) and later. In future releases of SonicOS firmware, an error appears when a user tries to launch NetExtender, asking the user to install Mobile Connect from the App Store. Secure Mobile Access 8.1 is the final version that has Mac NetExtender support. SonicWall strongly recommends using SonicWall Mobile Connect for Mac OS X devices instead of NetExtender, currently and in future releases.
Java 1.7 and higher
Both PowerPC and Intel Macs are supported.
Prerequisites for Linux Clients:

Linux clients are supported for NetExtender when running one of the following distributions (32-bit or 64-bit):

Linux Fedora Core 20 or later; Ubuntu 12.04, 13.10, or later; or OpenSUSE 10.3 or later
Java 1.7 or later is required for using the NetExtender user interface

The NetExtender client has been known to work on other distributions as well, but these are not officially supported.

NOTE: Open source Java Virtual Machines (VMs) are not currently supported. If you do not have Java 1.5 or later, you can use the command-line interface version of NetExtender.

User Configuration Tasks

SonicWall NetExtender is a software application that enables remote users to securely connect to the remote network. With NetExtender, remote users can virtually join the remote network. Users can mount network drives, upload and download files, and access resources in the same way as if they were on the local network.

TIP: For the procedure on setting up NetExtender access, see the Knowledge Base article, How to configure SSL-VPN feature (NetExtender Access) on SonicOS 5.9 & Above (SW10657).

Installation and usage instructions are provided by platform in the sections that follow: Windows, MacOS, and Linux.

Installing NetExtender Using the Mozilla Firefox Browser

To use NetExtender for the first time using the Mozilla Firefox browser:
1. Navigate to the IP address of the firewall.
2. Click the link at the bottom of the Login page that says Click here for sslvpn login.
3. Click the NetExtender button.
4. The first time you launch NetExtender, it installs the NetExtender stand-alone application automatically on your computer. If a warning message is displayed in a yellow banner at the top of your Firefox window, click the Edit Options... button.
5. The Allowed Sites - Software Installation dialog is displayed, with the address of the Virtual Office server in the address field. Click Allow to allow Virtual Office to install NetExtender, and click Close.
6. Return to the Virtual Office dialog.
7. Click NetExtender again.
8. The Software Installation dialog displays. After a five-second countdown, the Install Now button becomes active. Click it.
9. NetExtender is installed as a Firefox extension.
10. When NetExtender completes installing, the NetExtender Status dialog displays, indicating that NetExtender successfully connected.
    Closing the dialog (clicking on the x icon in the upper right corner of the window) does not close the NetExtender session, but minimizes it to the system tray for continued operation.
11. Review the NetExtender status window table to understand the fields in the NetExtender Status window.

NetExtender status window

Field - Description
Status - Indicates what operating state the NetExtender client is in, either Connected or Disconnected.
Server - Indicates the name of the server to which the NetExtender client is connected.
Client IP - Indicates the IP address assigned to the NetExtender client.
Sent - Indicates the amount of traffic the NetExtender client has transmitted since initial connection.
Received - Indicates the amount of traffic the NetExtender client has received since initial connection.
Duration - The amount of time NetExtender has been connected, expressed as days, hours, minutes, and seconds.

12. Additionally, a balloon icon in the system tray appears, indicating NetExtender has successfully installed.
13. The NetExtender icon is displayed in the task bar.

Installing NetExtender Using the Internet Explorer Browser

SonicWall SSL VPN NetExtender is fully compatible with Microsoft Windows Vista 32-bit and 64-bit, and supports the same functionality as with other Windows operating systems.

NOTE: It may be necessary to restart your computer when installing NetExtender on Windows Vista.

Internet Explorer Prerequisites

It is recommended that you add the URL or domain name of your firewall to Internet Explorer’s trusted sites list. This will simplify the process of installing NetExtender and logging in, by reducing the number of security warnings you will receive.

To add a site to Internet Explorer’s trusted sites list:
1. In Internet Explorer, go to Tools > Internet Options.
2. Click on the Security tab.
3. Click on the Trusted Sites icon and click on the Sites... button to open the Trusted sites window.
4. Enter the URL or domain name of your firewall in the Add this Web site to the zone field and click Add.
5. Click OK in the Trusted Sites and Internet Options windows.

Installing NetExtender from Internet Explorer
To install and launch NetExtender for the first time using the Internet Explorer browser:
1. Navigate to the IP address of the firewall. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
2. Click the NetExtender button.
3. The first time you launch NetExtender, you must first add the SSL VPN portal to your list of trusted sites. If you have not done so, the following message is displayed.
4. Click Instructions to add SSL VPN server address into trusted sites for help.
5. In Internet Explorer, go to Tools > Internet Options.
6. Click on the Security tab.
7. Click on the Trusted Sites icon and click on the Sites... button to open the Trusted sites window.
8. Enter the URL or domain name of your firewall in the Add this Web site to the zone field.
9. Click Add.
10. Click OK in the Trusted Sites and Internet Options windows.
11. Return to the SSL VPN portal and click on the NetExtender button. The portal installs the NetExtender stand-alone application on your computer automatically. The NetExtender installer window opens.
12. If an older version of NetExtender is installed on the computer, the NetExtender launcher removes the old version and then installs the new version.
13. If a warning message that NetExtender has not passed Windows Logo testing is displayed, click Continue Anyway. SonicWall testing has verified that NetExtender is fully compatible with Windows Vista, XP, 2000, and 2003 and later.
14. When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected.

Launching NetExtender Directly from Your Computer

After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the SSL VPN portal.

To launch NetExtender:
1. Navigate to Start > All Programs.
2. Select the SSL VPN NetExtender folder, and then click on SonicWall SSL VPN NetExtender. The NetExtender login window is displayed.
3. The IP address of the last server you connected to is displayed in the SSL VPN Server field. To display a list of recent servers you have connected to, click on the arrow.
4. Enter your username and password.
5. The last domain you connected to is displayed in the Domain field.
6. The drop-down menu at the bottom of the window provides three options for remembering your username and password:
   Save user name & password if server allows
   Save user name only if server allows
   Always ask for user name & password
   TIP: Having NetExtender save your user name and password can be a security risk and should not be enabled if there is a chance that other people could use your computer to access sensitive information on the network.

Configuring NetExtender Preferences

Complete the following procedure to configure NetExtender preferences:

1. Right click on the NetExtender icon in the system tray.
2. Click on Preferences... The NetExtender Preferences dialog displays.
3. The Connection Profiles tab displays the SSL VPN connection profiles you have used, including the IP address of the server, the domain, and the username.
4. To delete a profile, highlight it by clicking on it and then click the Remove button. Click the Remove All button to delete all connection profiles.
5. The Settings tab allows you to customize the behavior of NetExtender.
6. To have NetExtender automatically connect when you start your computer, check the Automatically connect with Connection Profile checkbox and select the appropriate connection profile from the drop-down menu.
   NOTE: Only connection profiles that allow you to save your username and password can be set to automatically connect.
7. To have NetExtender launch when you log in to your computer, check the Automatically start NetExtender UI checkbox. NetExtender starts, but is only displayed in the system tray. To have the NetExtender log-in window display, check the Display NetExtender UI checkbox.
8. Select Minimize to the tray icon when NetExtender window is closed to have the NetExtender icon display in the system tray. If this option is not checked, you can only access the NetExtender UI through the Windows program menu.
9. Select Display Connect/Disconnect Tips from the System Tray to have NetExtender display tips when you mouse over the NetExtender icon.
10. Select Automatically reconnect when the connection is terminated to have NetExtender attempt to reconnect when it loses connection.
11. Select Uninstall NetExtender automatically to have NetExtender uninstall every time you end a session.
12. Select Disconnect an active connection to have NetExtender log out of all of your SSL VPN sessions when you exit a NetExtender session.
13. Click Apply.

Configuring NetExtender Connection Scripts

SonicWall SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or websites.

To configure NetExtender Connection Scripts, perform the following tasks.
1. Right click on the NetExtender icon in the task bar and click on Preferences... The NetExtender Preferences dialog displays.
2. Click on Connection Scripts.
3. To enable the domain login script, select the Attempt to execute domain login script checkbox. When enabled, NetExtender attempts to contact the domain controller and execute the login script.
   NOTE: Enabling this feature may cause connection delays while the remote client’s printers and drives are mapped. Make sure the domain controller and any machines in the logon script are accessible via NetExtender routes.
4. To enable the script that runs when NetExtender connects, select the Automatically execute the batch file “NxConnect.bat” checkbox.
5. To enable the script that runs when NetExtender disconnects, select the Automatically execute the batch file “NxDisconnect.bat” checkbox.
6. To hide either of the console windows, select the appropriate Hide the console window checkbox. If this checkbox is not selected, the DOS console window remains open while the script runs.
7. Click Apply.

Configuring Batch File Commands

NetExtender Connection Scripts can support any valid batch file commands. For more information on batch files, see the following Wikipedia entry: http://en.wikipedia.org/wiki/.bat. The following tasks provide an introduction to some commonly used batch file commands.

To configure the script that runs when NetExtender connects, click the Edit “NxConnect.bat” button. The NxConnect.bat file is displayed.
To configure the script that runs when NetExtender disconnects, click the Edit “NxDisconnect.bat” button. The NxDisconnect.bat file is displayed.

By default, the NxConnect.bat file contains examples of commands that can be configured, but no actual commands. To add commands, scroll to the bottom of the file.

To map a network drive, enter a command in this format:

net use drive-letter: \\server\share password /user:Domain\name

For example, if the drive letter is z, the server name is engineering, the share is docs, the password is 1234, the user’s domain is eng, and the username is admin, the command would be the following:

net use z: \\engineering\docs 1234 /user:eng\admin

To disconnect a network drive, enter a command in this format:

net use drive-letter: /delete

For example, to disconnect network drive z, enter this command:

net use z: /delete

To map a network printer, enter a command in this format:

net use LPT1 \\ServerName\PrinterName /user:Domain\name

For example, if the server name is engineering, the printer name is color-print1, the domain name is eng, and the username is admin, the command would be:

net use LPT1 \\engineering\color-print1 /user:eng\admin

To disconnect a network printer, enter a command in this format:

net use LPT1 /delete

To launch an application, enter a command in this format:

C:\Path-to-Application\Application.exe

For example, to launch Microsoft Outlook, enter this command:

C:\Program Files\Microsoft Office\OFFICE11\outlook.exe

To open a website in your default browser, enter a command in this format:

start http://www.website.com

To open a file on your computer, enter a command in this format:

C:\Path-to-file\myFile.doc

When you have finished editing the scripts, save the file and close it.
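As an added example (not SonicWall’s default NxConnect.bat template), the following NxConnect.bat combines the mapping commands above with result checks and a log file, and leaves the password out of the script; the server name engineering, share docs, printer color-print1, intranet URL and log path are assumed values.

```batch
@echo off
REM NxConnect.bat -- added example, not the SonicWall default template.
REM Runs when NetExtender connects: maps a share and a printer, logs the
REM outcome, and opens the intranet portal only if the share is reachable.
REM Assumed values: server "engineering", share "docs", printer "color-print1".
setlocal

set "LOGFILE=%TEMP%\NxConnect.log"
echo [%DATE% %TIME%] NetExtender connected, running %~nx0 >> "%LOGFILE%"

REM Remove a stale Z: mapping left over from a previous session so the
REM script is safe to re-run after an automatic reconnect.
if exist Z:\ net use Z: /delete /y >nul 2>&1

REM No password is given on the command line: net use authenticates with the
REM credentials of the logged-in Windows user. A password written into this
REM file would be stored in plaintext on every client that runs the script.
REM With "Hide the console window" selected, an interactive credential
REM prompt could not be answered and the command would hang, so the
REM mapping is written to succeed or fail without prompting.
net use Z: \\engineering\docs /persistent:no >> "%LOGFILE%" 2>&1
if errorlevel 1 (
    echo [%DATE% %TIME%] ERROR: could not map Z: to \\engineering\docs >> "%LOGFILE%"
) else (
    echo [%DATE% %TIME%] mapped Z: to \\engineering\docs >> "%LOGFILE%"
)

REM The printer mapping is independent of the share, so it is attempted
REM even when the drive mapping failed.
net use LPT1 \\engineering\color-print1 /persistent:no >> "%LOGFILE%" 2>&1
if errorlevel 1 (
    echo [%DATE% %TIME%] ERROR: could not map LPT1 to \\engineering\color-print1 >> "%LOGFILE%"
) else (
    echo [%DATE% %TIME%] mapped LPT1 to \\engineering\color-print1 >> "%LOGFILE%"
)

REM Open the intranet site (assumed URL) in the default browser, but only
REM when the share mapped, which confirms the NetExtender routes are up.
if exist Z:\ start "" http://intranet.example.internal/

endlocal
```

A matching NxDisconnect.bat would run net use Z: /delete /y and net use LPT1 /delete so the mappings do not outlive the VPN session.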

Configuring Proxy Settings

SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings.

To manually configure NetExtender proxy settings:
1. Right click on the NetExtender icon in the task bar.
2. Click Preferences... The NetExtender Preferences dialog displays.
3. Click Proxy.
4. Select the Enable proxy settings checkbox.
5. NetExtender provides three options for configuring proxy settings:
   Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
   Use automatic configuration script - If you know the location of the proxy settings script, select this option and enter the URL of the script in the Address field.
   Use proxy server - Select this option to enter the Address and Port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses that bypass the proxy server. If required, enter a User name and Password for the proxy server. If the proxy server requires a username and password, but you do not specify them in the Preferences window, a NetExtender pop-up window prompts you to enter them when you first connect.
6. Click the Internet Explorer proxy settings button to open Internet Explorer’s proxy settings.

Viewing the NetExtender Log

The NetExtender log displays information on NetExtender session events. The log is a file named NetExtender.dbg. It is stored in the directory, C:\Program Files\SonicWall\SSL VPN\NetExtender. To view the NetExtender log, right click on the NetExtender icon in the system tray, and click View Log.

To view details of a log message, double-click on a log entry, or go to View > Log Detail to open the Log Detail pane.

To save the log, either click the Export icon or go to Log > Export.

To filter the log to display entries from a specific duration of time, go to the Filter menu and select the cutoff threshold.

To filter the log by type of entry, go to Filter > Level and select one of the level categories. The available options are Fatal, Error, Warning, and Info, in descending order of severity. The log displays all entries that match or exceed the severity level. For example, when selecting the Error level, the log displays all Error and Fatal entries, but not Warning or Info entries.

To view the Debug Log, either click the Debug Log icon or go to Log > Debug Log.

NOTE: It may take several minutes for the Debug Log to load. During this time, the Log window is not accessible, although you can open a new Log window while the Debug Log is loading.

To clear the log, click on Log > Clear Log.

Disconnecting NetExtender
To disconnect NetExtender:
1. Right click on the NetExtender icon in the system tray to display the NetExtender icon menu and click Disconnect.
2. Wait several seconds. The NetExtender session disconnects.

You can also disconnect by double clicking on the NetExtender icon to open the NetExtender window and then clicking the Disconnect button.

When NetExtender becomes disconnected, the NetExtender window displays and gives you the option to either Reconnect or Close NetExtender.

Upgrading NetExtender

NetExtender can be configured by the administrator to automatically notify users when an updated version of NetExtender is available. Users are prompted to click OK and NetExtender downloads and installs the update from the firewall.

If auto-update notification is not configured, users should periodically launch NetExtender from the Virtual Office to ensure they have the latest version. Check with your administrator to determine if you need to manually check for updates.

Uninstalling NetExtender

The NetExtender utility is automatically installed on your computer. To remove NetExtender, click on Start > All Programs, click on SonicWall SSL VPN NetExtender, and then click on Uninstall.

You can also configure NetExtender to automatically uninstall when your session is disconnected.

To have NetExtender uninstall automatically at session end:
1. Right click on the NetExtender icon in the system tray and click on Preferences... The NetExtender Preferences window is displayed.
2. Click on the Settings tab.
3. Select Uninstall NetExtender automatically to have NetExtender uninstall every time you end a session.

Verifying NetExtender Operation from the System Tray

To view options in the NetExtender system tray, right click on the NetExtender icon in the system tray. The following are some tasks you can perform with the system tray.

Displaying Route Information

To display the routes that NetExtender has installed on your system, click the Route Information option in the system tray menu. The system tray menu displays the default route and the associated subnet mask.

Displaying Connection Information

You can display connection information by mousing over the NetExtender icon in the system tray.

Installing NetExtender on MacOS

SonicWall SSL VPN supports NetExtender on MacOS. To use NetExtender on your MacOS system, your system must meet the following prerequisites:

MacOS 10.4 and higher
Java 1.4 and higher
Both PowerPC and Intel Macs are supported.
To install NetExtender on your MacOS system:
1. Navigate to the IP address of the firewall. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
2. Click the NetExtender button.
3. The Virtual Office displays the status of NetExtender installation. A pop-up dialog may appear, prompting you to accept a certificate. Click Trust.
4. A second pop-up dialog may appear, prompting you to accept a certificate. Click Trust.
5. When NetExtender is successfully installed and connected, the NetExtender status window displays.

Using NetExtender on MacOS
1. To launch NetExtender, go to the Applications folder in the Finder and double click on NetExtender.app.
2. The first time you connect, you must enter the server name or IP address in the SSL VPN Server field.
3. Enter your username and password.
4. The first time you connect, you must enter the domain name.
5. Click Connect.
6. You can instruct NetExtender to remember your profile server name in the future. In the Save profile drop-down menu you can select Save name and password (if allowed), Save username only (if allowed), or Do not save profile.
7. When NetExtender is connected, the NetExtender icon is displayed in the status bar at the top right of your display. Click on the icon to display NetExtender options.
8. To display a summary of your NetExtender session, click Connection Status.
9. To view the routes that NetExtender has installed, go to the NetExtender menu and select Routes.
10. To view the NetExtender Log, go to Window > Log.
11. To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
12. Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.

Installing and Using NetExtender on Linux

SonicWall SSL VPN supports NetExtender on Linux. To use NetExtender on your Linux system, your system must meet the following prerequisites:

i386-compatible distribution of Linux
Linux Fedora Core 3+, Ubuntu 7+ or OpenSUSE Linux 10.3+
Sun Java 1.4 and higher is required for using the NetExtender GUI.
NOTE: Open source Java Virtual Machines (VMs) are not currently supported. If you do not have Sun Java 1.4, you can use the command-line interface version of NetExtender.

To install NetExtender on your Linux system:
1. Navigate to the IP address of the firewall. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
2. Click the NetExtender button. A pop-up window indicates that you have chosen to open the NetExtender.tgz file. Click OK to save it to your default download directory.
3. To install NetExtender from the CLI, navigate to the directory where you saved NetExtender.tgz and enter the tar -zxf NetExtender.tgz command.
4. Type the cd netExtenderClient command.
5. Type ./install to install NetExtender.
6. Launch the NetExtender.tgz file and follow the instructions in the NetExtender installer. The new netExtender directory contains a NetExtender shortcut that can be dragged to your desktop or toolbar.
7. The first time you connect, you must enter the server name or IP address in the SSL VPN Server field. NetExtender remembers the server name in the future.
8. Enter your username and password.
9. The first time you connect, you must enter the domain name. NetExtender remembers the domain name in the future.
   NOTE: You must be logged in as root to install NetExtender, although many Linux systems allow the sudo ./install command to be used if you are not logged in as root.
10. To view the NetExtender routes, go to the NetExtender menu and select Routes.
11. To view the NetExtender Log, go to NetExtender > Log.
12. To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
13. Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.

Configuring SSL VPN Bookmarks

For information on configuring SSL VPN bookmarks, see Editing Local Users.

1. Click Add Bookmark. The Add Bookmark window displays.

   When user bookmarks are defined, the user sees the defined bookmarks from the SSL VPN Virtual Office home page. Individual user members are not able to delete or modify bookmarks created by you.

2. Type a descriptive name for the bookmark in the Bookmark Name field.
3. Enter the fully qualified domain name (FQDN) or the IPv4 address of a host machine on the LAN in the Name or IP Address field. In some environments you can enter the host name only, such as when creating a VNC bookmark in a Windows local network.

   Some services can run on non-standard ports, and some expect a path when connecting. Depending on the choice in the Service field, format the Name or IP Address field like one of the examples shown in Bookmark name or IP Address formats by service type.

Bookmark name or IP Address formats by service type

Service Type               Format                        Example for Name or IP Address Field
RDP - ActiveX, RDP - Java  IP Address                    10.20.30.4
                           IP:Port (non-standard)        10.20.30.4:6818
                           FQDN                          JBJONES-PC.sv.us.sonicwall.com
                           Host name                     JBJONES-PC
VNC                        IP Address                    10.20.30.4
                           IP:Port (mapped to session)   10.20.30.4:5901 (mapped to session 1)
                           FQDN                          JBJONES-PC.sv.us.sonicwall.com
                           Host name                     JBJONES-PC
                           NOTE: Do not use the session or display number instead of the port; for example, do not use 10.20.30.4:1.
                           TIP: For a bookmark to a Linux server, see the Tip below this table.
Telnet                     IP Address                    10.20.30.4
                           IP:Port (non-standard)        10.20.30.4:6818
                           FQDN                          JBJONES-PC.sv.us.sonicwall.com
                           Host name                     JBJONES-PC
SSHv1, SSHv2               IP Address                    10.20.30.4
                           IP:Port (non-standard)        10.20.30.4:6818
                           FQDN                          JBJONES-PC.sv.us.sonicwall.com
                           Host name                     JBJONES-PC

TIP: When creating a Virtual Network Computing (VNC) bookmark to a Linux server, you must specify the port number and server number in addition to the Linux server IP address in the Name or IP Address field, in the form ipaddress:port:server. For example, if the Linux server IP address is 192.168.2.2, the port number is 5901, and the server number is 1, the value for the Name or IP Address field would be 192.168.2.2:5901:1.
4. For the specific service you select from the Service drop-down menu, additional fields may appear. Fill in the information for the service you selected. Select one of the following service types from the Service drop-down menu:
   Terminal Services (RDP - ActiveX) or Terminal Services (RDP - Java)
   NOTE: If you select Terminal Services (RDP - ActiveX) while using a browser other than Internet Explorer, the selection is automatically switched to Terminal Services (RDP - Java). A popup dialog box notifies you of the switch.
In the Screen Size drop-down menu, select the default terminal services screen size to be used when users execute this bookmark.

Because different computers support different screen sizes, when you use a remote desktop application, you should select the size of the screen on the computer from which you are running a remote desktop session. Additionally, you may want to provide a path to where your application resides on your remote computer by typing the path in the Application Path field.

In the Colors drop-down menu, select the default color depth for the terminal service screen when users execute this bookmark.
Optionally enter the local path for this application in the Application and Path (optional) field.
In the Start in the following folder field, optionally enter the local folder in which to execute application commands.
Select the Login as console/admin session checkbox to allow login as console or admin.
For RDP - Java on Windows clients, or on Mac clients running Mac OS X 10.5 or above with RDC installed, expand Show advance Windows options and select the checkboxes for any of the following redirect options: Redirect Printers, Redirect Drives, Redirect Ports, Redirect SmartCards, Redirect clipboard, or Redirect plug and play devices to redirect those devices or features on the local network for use in this bookmark session.

You can hover your mouse pointer over the Help icon next to certain options to display tooltips that indicate requirements.

To see local printers show up on your remote machine (Start > Settings > Control Panel > Printers and Faxes), select Redirect Ports as well as Redirect Printers.

Select the checkboxes for any of the following additional features for use in this bookmark session: Display connection bar, Auto reconnection, Desktop background, Window drag, Menu/window animation, Themes, or Bitmap caching.

If the client application will be RDP 6 (Java), you can select any of the following options as well: Dual monitors, Font smoothing, Desktop composition, or Remote Application.

Remote Application monitors server and client connection activity; to use it, you need to register remote applications in the Windows 2008 RemoteApp list. If Remote Application is selected, the Java Console will display messages regarding connectivity with the Terminal Server.

For RDP - ActiveX on Windows clients, optionally select Enable plugin DLLs and enter the name(s) of client DLLs which need to be accessed by the remote desktop or terminal service. Multiple entries are separated by a comma with no spaces.
NOTE: The RDP Java client on Windows is a native RDP client that supports Plugin DLLs by default. The Enable plugin DLLs option is not available for RDP - Java. See Enabling Plugin DLLs.
Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current SSL VPN session for login to the RDP server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials.
Virtual Network Computing (VNC)
No additional fields
Telnet
No additional fields
Secure Shell version 1 (SSHv1)
No additional fields
Secure Shell version 2 (SSHv2)
Optionally select the Automatically accept host key checkbox.
If using an SSHv2 server without authentication, such as a SonicWall firewall, you can select the Bypass username checkbox.
5
Click Add to update the configuration.

Enabling Plugin DLLs

The plugin DLLs feature is available for RDP (ActiveX or Java) and allows the use of certain third-party programs, such as print drivers, on a remote machine. This feature requires RDP Client Control version 5 or higher.

NOTE: The RDP Java client on Windows is a native RDP client that supports plugin DLLs by default. No action (or checkbox) is needed.

To enable plugin DLLs for the RDP ActiveX client:

1. Navigate to Users > Local Users.
2. Click the configure icon corresponding to the user bookmark you wish to edit.
3. In the Bookmarks tab, click Add Bookmark.
4. Select Terminal Services (RDP - ActiveX) as the Service and configure it as described in Configuring SSL VPN Bookmarks.
5. Enter the name(s) of the client DLLs that need to be accessed by the remote desktop or terminal service. Separate multiple entries with a comma and no spaces.
6. Ensure that any necessary DLLs are located on the individual client systems in %SYSTEMROOT% (for example: C:\Windows\system32).

NOTE: Ensure that your Windows system and RDP client are up to date before using the plugin DLLs feature. This feature requires RDP 5 Client Control or higher.

Creating Bookmarks with Custom SSO Credentials

You can configure custom Single Sign On (SSO) credentials for each user, for each group, or globally in RDP bookmarks. This feature is used to access resources that need a domain prefix for SSO authentication. Users can log in to SonicWall SSL VPN as username and then click a customized bookmark to access a server as domain\username. Either literal text or variables may be used for the login credentials.

To configure custom SSO credentials:

1. Create or edit an RDP bookmark as described in Configuring SSL VPN Bookmarks.
2. In the Bookmarks tab, select the Use Custom Credentials option.
3. Enter the appropriate username and password, or use dynamic variables as follows:

Dynamic variables

Text Usage     Variable        Example Usage
Login Name     %USERNAME%      US\%USERNAME%
Domain Name    %USERDOMAIN%    %USERDOMAIN%\%USERNAME%
Group Name     %USERGROUP%     %USERGROUP%\%USERNAME%

4. Click Add.
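As an added illustration (not SonicWall code), the following shows how a bookmark's custom credential template expands against the values of the current SSL VPN session; the SslVpnSession class and its sample values are constructed for the example.

```python
import re
from dataclasses import dataclass

# The three variable names come from the Dynamic variables table above.
_KNOWN = ("USERNAME", "USERDOMAIN", "USERGROUP")
_VAR = re.compile(r"%(" + "|".join(_KNOWN) + r")%")
# A known variable name opened with % but never closed (e.g. %USERDOMAIN\...).
_MALFORMED = re.compile(r"%(" + "|".join(_KNOWN) + r")\b(?!%)")


@dataclass(frozen=True)
class SslVpnSession:
    """What the portal knows about the logged-in user (constructed sample type)."""
    username: str
    domain: str
    group: str


def expand_credential(template: str, session: SslVpnSession) -> str:
    """Expand %USERNAME%, %USERDOMAIN% and %USERGROUP% in a bookmark's custom
    username field. Literal text such as "US\\" passes through unchanged. A
    variable whose closing % is missing raises, so a misconfigured bookmark
    fails visibly instead of sending a login name like 'US\\%USERNAME' to the
    RDP server and producing confusing failed-logon events there."""
    if _MALFORMED.search(template):
        raise ValueError(f"unterminated variable in credential template: {template!r}")
    values = {
        "USERNAME": session.username,
        "USERDOMAIN": session.domain,
        "USERGROUP": session.group,
    }
    return _VAR.sub(lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    # Constructed session values for demonstration only.
    session = SslVpnSession(username="alice", domain="CORP", group="RDP-Users")
    for tmpl in (r"US\%USERNAME%", r"%USERDOMAIN%\%USERNAME%", r"%USERGROUP%\%USERNAME%"):
        print(f"{tmpl:26} -> {expand_credential(tmpl, session)}")
```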

Using SSL VPN Bookmarks

Using Remote Desktop Bookmarks

Remote Desktop Protocol (RDP) bookmarks enable you to establish remote connections with a specified desktop. SonicWall SSL VPN supports the RDP5 standard with both Java and ActiveX clients. RDP5 ActiveX can only be used through Internet Explorer, while RDP5 Java can be run on any platform and browser supported by SSL VPN. The basic functionality of the two clients is the same; however, the Java client is a native RDP client and supports the following features that the ActiveX client does not:

Redirect clipboard
Redirect plug and play devices
Display connection bar
Auto reconnection
Desktop background
Window drag
Menu/window animation
Themes
Bitmap caching

If the Java client application is RDP 6, it also supports:

Dual monitors
Font smoothing
Desktop composition
NOTE: RDP bookmarks can use a port designation if the service is not running on the default port.

TIP: To terminate your remote desktop session, be sure to log off from the Terminal Server session. If you wish to suspend the Terminal Server session (so that it can be resumed later), you may simply close the remote desktop window.

1. Click the RDP bookmark. Continue through any warning screens that display by clicking Yes or OK.
2. Enter your username and password at the login screen and select the proper domain name from the drop-down menu.
3. A window is displayed indicating that the Remote Desktop Client is loading. The remote desktop then loads in its own window. You can now access all of the applications and files on the remote computer.

Using VNC Bookmarks

1. Click the VNC bookmark. A window displays while the VNC client is loading.

NOTE: VNC bookmarks can use a port designation if the service is running on a different port.

2. When the VNC client has loaded, you are prompted to enter your password in the VNC Authentication dialog.
3. To configure VNC options, click the Options button. The Options dialog displays.

The VNC options table describes the options that can be configured for VNC.

 

VNC options

Encoding (default: Tight)
Hextile is a good choice for fast networks, while Tight is better suited to low-bandwidth connections. On the other hand, the Tight decoder in the TightVNC Java viewer is more efficient than the Hextile decoder, so this default setting can also be acceptable for fast networks.

Compression Level (default: Default)
Uses the specified compression level for the Tight and Zlib encodings. Level 1 uses the least CPU time on the server but achieves weak compression ratios. Level 9 offers the best compression but may be slow in terms of CPU time consumed on the server side. Use high levels over very slow network connections and low levels when working over higher-speed networks. The Default value means that the server's default compression level is used.

JPEG image quality (default: 6)
This cannot be modified.

Cursor shape updates (default: Enable)
Cursor shape updates is a protocol extension used to handle remote cursor movements locally on the client side, saving bandwidth and eliminating delays in mouse pointer movement. Note that the current implementation of cursor shape updates does not allow a client to track the mouse cursor position on the server side. This means that clients will not see mouse cursor movements if the mouse is moved either locally on the server or by another remote VNC client.

Set this parameter to Disable if you always want to see the real cursor position on the remote side. Setting this option to Ignore is similar to Enable, but the remote cursor will not be visible at all. This can be a reasonable setting if you do not care about the cursor shape and do not want to see two mouse cursors, one above the other.

Use CopyRect (default: Yes)
CopyRect saves bandwidth and drawing time when parts of the remote screen are moving around. Most likely, you do not want to change this setting.

Restricted colors (default: No)
If set to No, the 24-bit color format is used to represent pixel data. If set to Yes, only 8 bits are used to represent each pixel. The 8-bit color format can save bandwidth, but colors may look very inaccurate.

Mouse buttons 2 and 3 (default: Normal)
If set to Reversed, the right mouse button (button 2) acts as if it were the middle mouse button (button 3), and vice versa.

View only (default: No)
If set to Yes, all keyboard and mouse events in the desktop window are silently ignored and are not passed to the remote side.

Share desktop (default: Yes)
If set to Yes, the desktop can be shared between clients. If this option is set to No, an existing user session ends when a new user accesses the desktop.

Using Telnet Bookmarks

1. Click the Telnet bookmark.

NOTE: Telnet bookmarks can use a port designation for servers not running on the default port.

2. Click OK to any warning messages that are displayed. A Java-based Telnet window launches.
3. If the device you are Telnetting to is configured for authentication, enter your username and password.

Using SSHv1 Bookmarks

NOTE: SSH bookmarks can use a port designation for servers not running on the default port.

1. Click the SSHv1 bookmark. A Java-based SSH window launches.
2. Enter your username and password.
3. An SSH session is launched in the Java applet.

TIP: Some versions of the JRE may cause the SSH authentication window to pop up behind the SSH window.

Using SSHv2 Bookmarks

NOTE: SSH bookmarks can use a port designation for servers not running on the default port.

1. Click the SSHv2 bookmark. A Java-based SSH window displays.
2. Type your user name in the Username field.
3. Click Login.
4. A hostkey popup displays. Click Yes to accept and proceed with the login process.
5. Enter your password and click OK.
6. The SSH terminal launches in a new screen.

Configuring Device Profile Settings for IPv6

For complete information on the SonicOS implementation of IPv6, see IPv6.

SonicOS supports NetExtender connections for users with IPv6 addresses. On the SSL VPN > Client Settings page, first configure the traditional IPv4 IP address pool, and then configure an IPv6 IP Pool. Clients are assigned two internal addresses: one IPv4 and one IPv6.

NOTE: IPv6 DNS/WINS servers are not supported.

On the SSL VPN > Client Routes page, users can select client routes from the drop-down list of all address objects, including all the predefined IPv6 address objects.

NOTE: IPv6 FQDN is supported.