Accessing remote site resources when connected to the main site via remote VPN client
10/14/2021 
1246 
28844
DESCRIPTION:
In many scenarios, VPN users who are connected to the main site via a remote VPN Client need to have access to the resources behind the remote site in addition to the resources on main site. This KB article shows how to configure SonicWall to meet this need.
RESOLUTION:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- Login to the SonicWall management GUI
- Click Network tab.
- Navigate to IPSec VPN | Rules and Settings.
- Click on the Configure option of the appropriate VPN policy intended for remote site.
- Navigate to Networks tab in the new window and make a note of the address object/group set in the Choose destination network from list drop down list. (This may vary depending upon the remote site resource access privilege of the VPN users).
EXAMPLE: If the remote site resources access for the VPN user is restricted to a single IP address or subnet, then appropriate address object must be created in Network | Address Objects page with zone VPN.
- Navigate to the Device| Users | Local Users & Groups page and click configure option of the remote VPN user account.
- Navigate to VPN Access tab in the new window and enforce the respective Address Object/Group of the remote site from left to right by clicking on the appropriate option as shown below in the image - In the example the object was NSA2650 Site.
How to Test this Scenario
- Disconnect the Global VPN Client session, reconnect & try to access (ping) the remote site resource.
- The client will be able to access the resources without any issues.
- Click Policy tab.
- Navigate to Rules and Policies | Access Rules, click on view style matrix.
- Click on SSLVPN to VPN matrix button.
- Ensure there is an Allow Rule as shown below in the image.
- Check the same from VPN to SSLVPN zones.
- Disconnect the NetExtender client session, reconnect & try to access (ping) the remote site resource.
- The client will be able to access the resources without any issues.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- Login to the SonicWall management GUI.
- Click Manage tab.
- Navigate to VPN | Base Settings.
- Click on the Configure option of the appropriate VPN policy intended for remote site.
- Navigate to Networks tab in the new window and make a note of the address object/group set in the Choose destination network from list drop down list. (This may vary depending upon the remote site resource access privilege of the VPN users).
EXAMPLE: If the remote site resources access for the VPN user is restricted to a single IP address or subnet, then appropriate address object must be created in Network | Address Objects page with zone VPN.
- Navigate to the Users | Local Users & Groups page and click configure option of the remote VPN user account.
- Navigate to VPN Access tab in the new window and enforce the respective Address Object/Group of the remote site from left to right by clicking on the appropriate option as shown below in the image - In the example the object was NSA2650 Site.
How to Test this Scenario
- Disconnect the Global VPN Client session, reconnect & try to access (ping) the remote site resource.
- The client will be able to access the resources without any issues.
- ClickManage tab.
- Navigate to Rules | Access Rules, click on view style matrix.
- Click on SSLVPN to VPN matrix button.
- Ensure there is an Allow Rule as shown below in the image.
- Check the same from VPN to SSLVPN zones.
- Disconnect the NetExtender client session, reconnect & try to access (ping) the remote site resource.
- The client will be able to access the resources without any issues.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
- Login to the SonicWall management GUI.
- Navigate to VPN | Settings page.
- Click on the Configure option of the appropriate VPN policy intended for remote site.
- Navigate to Networks tab in the new window and make a note of the address object/group set in the Choose destination network from list drop down list. (This may vary depending upon the remote site resource access privilege of the VPN users).
EXAMPLE: If the remote site resources access for the VPN user is restricted to a single IP address or subnet, then appropriate address object must be created in Network | Address Objects page with zone VPN.
- Navigate to the Users | Local Users page and click on the configure option of the remote VPN user account.
- Navigate to VPN Access tab in the new window and enforce the respective address object/group of the remote site from left to right by clicking on the appropriate option as shown below in the image.
How to Test this Scenario
- When using GVC
- Disconnect the Global VPN client session, reconnect & try to access (ping) the remote site resource.
- The client will be able to access the resources without any issues.
- When using NetExtender
- Navigate to Firewall | Access Rules, click on view style matrix.
- Click on SSLVPN to VPN matrix button.
- Ensure there is an allow rule as shown below in the image.
- Check the same from VPN to SSLVPN zones.
- Disconnect the NetExtender Client session, reconnect & try to access (ping) the remote site resource.
- The client will be able to access the resources without any issues.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
