- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How do I configure SonicWall access points for layer 3 management over SSLVPN?
03/26/2020 
1,198 People found this article helpful
44,862 Views
Description
SonicWall UTM appliances running SonicOS Enhanced firmware are capable of discovering and managing SonicPoints over SSL-VPN
- A SSL VPN connection is established between the SonicPoint and the managing UTM appliance
- GRE / DTLS (phase II) tunnel is established between the SonicWall UTM appliance and the SonicPoint to carry management and data traffic(Within the SSLVPN session)
Resolution
Scenario:
Discovering and managing SonicPoints using SSLVPN over the Internet / WAN.
Please Note: The settings shown in this technote is just an example, you must substitute the settings as per your setup.
Deployment Steps:
Part 1: Configuration on the SonicWall UTM appliance
Step 1: Create WLAN Tunnel Interface
Step 2: Enable SSL VPN and Create a SSLVPN profile for SonicPoint layer3 Mgmt.
Step 3: Create a user account on the UTM for use on the SonicPoint for sslvpn login from the SonicPoint into the UTM
Step 2: Enable SSL VPN and Create a SSLVPN profile for SonicPoint layer3 Mgmt.
Step 3: Create a user account on the UTM for use on the SonicPoint for sslvpn login from the SonicPoint into the UTM
Part2: Configuration on the SonicPoint
Step 1: Downloading the SonicOS 5.9 compatible firmware for SonicPoints
Step 2: Accessing the SonicPoint Management Interface in Standalone Mode
Step 3: Uploading the SonicOS 5.9 compatible firmware for SonicPoints
Step 4: Configuring the SSLVPN Management Settings
Step 2: Accessing the SonicPoint Management Interface in Standalone Mode
Step 3: Uploading the SonicOS 5.9 compatible firmware for SonicPoints
Step 4: Configuring the SSLVPN Management Settings
Detailed configuration steps:
Part 1: Configuration on the SonicWall UTM appliance
Step 1: Creating a WLAN Tunnel Interface
- Login to the SonicWall Management Interface and go to Network > Interfaces page
- Select WLAN tunnel interface in the Add Interface drop down menu and configure as per your setup
Zone: WLAN
Tunnel ID: 0 (zero)
Tunnel Source Interface: X0 / LAN
Mode / IP Assignment: Static
IP Address: 172.16.35.1
Subnet Mask: 255.255.255.0
Tunnel ID: 0 (zero)
Tunnel Source Interface: X0 / LAN
Mode / IP Assignment: Static
IP Address: 172.16.35.1
Subnet Mask: 255.255.255.0
Step 2: Enable SSL VPN and Create a SSLVPN profile for SonicPoint Layer-3 Management
- Enable SSLVPN on the WAN zone
- Ensure https mgmt is enabled on the wan interface.
- Create a address object for SSL VPN IP Pool. Network | Address Object | Create a new Address object with the Address type as range/network for SSL VPN IP POOL (refer the note)
- Goto SSLVPN ----->Client settings and configure the "SonicPoint L3 Management Default Device Profile" as below
Note : The SSLNEW NW is a range address object having an unused eip range from the X0 subnet (LAN) (the interface to which the WT0 is bound to)
This object must be assigned with the zone SSLVPN
Step 3: Create a user account on the UTM for use on the SonicPoint for SSLVPN login from the SonicPoint into the UTM
Create a local user account on the firewall and ensure that the user is a member of the SSLVPN services group
Add X0 subnet and WLAN subnets to the VPN access list
Part 2: Configuration on the SonicPoint
Step 1: Downloading the SonicOS 5.9 compatible firmware for SonicPoint
Method 1: Connecting SonicPoints to SonicWall UTM appliance running SonicOS 5.9 and above
When the SonicPoints are connected to a SonicWall UTM appliance's WLAN interface/Zone running SonicOS 5.9 and above, they will be automatically updated with the latest firmware.
Method 2: Manually updating the SonicPoint firmware
- Download the TSR from a SonicWall UTM appliance
- Open the TSR in a Text reader/editor and find the SonicPoint download URL
- Copy-Paste the Download URL in a Web Browser and download the appropriate SonicPoint Image
Step 2: Accessing the SonicPoint Management Interface in Standalone Mode:
- The default management interface of the SonicPoint is 192.168.1.20
- If you are connecting to the LAN port on the SonicPoint directly from a PC or through only the PoE injector, you need to configure the Local Area Connection on the PC to be in the same subnet as the SonicPoint.
- IP address: 192.168.1.100.
- Netmask: 255.255.255.0.
- Connect directly to the LAN port of the SonicPoint with a crossover cable or regular cat. 5 Ethernet cable.
- Connect to the LAN port of the SonicPoint through the PoE injector with a regular cat. 5 Ethernet cable.
- If the SonicPoint is connected to a port in a SonicWall security appliance and the port is not in a Wireless zone, you can connect to it through the security appliance provided there are rules to allow HTTP management traffic between the zone your management station is in and the zone the SonicPoint is in.
- Start your Web browser and direct it to the default management IP address for the SonicPoint, 192.168.1.20
Troubleshooting Tip: If you are unable to access the SonicPoint you may press the Reset Button to access it in SafeMode and then follow the above step #2:
Step 3: Uploading the SonicOS 5.9 compatible firmware for SonicPoints
- Start your Web browser and direct it to the default management IP address for the SonicPoint, 192.168.1.20
- Login to the SonicPoint management interface with the default username "admin" and default password "password".
Step 4: Configuring the L3 Management Settings
- Navigate to SonicPoint Network > SSL-VPN page
- Enter the WAN ip-address of the UTM along with the SSLVPN port number
- Enter the SSLVPN user credentials , enable the Auto-Reconnect checkbox and click connect
- Navigate to SonicPoint Network > Interfaces page
- Enable the Disable local DHCP Client option. (This setting is optional , incase of the ISP Router/Firewall acting as DHCP server for local LAN , you need not enable this option)
Enter Local IP address: 192.168.2.5
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.2.1 (ISP Router/Firewall IP address)
Click on Accept button on top.
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.2.1 (ISP Router/Firewall IP address)
Click on Accept button on top.
- You will get a prompt at the bottom to Restart the SonicPoint, click on the link and restart the appliance.
Please Note: After the reboot the SonicPoint will try to establish a SSLVPN connection with the UTM and a GRE/DTLS tunnel would be setup within this SSLVPN connection to complete the SonicPoint provisioning. SonicPoint might reboot and SSL VPN user logout several times before SonicPoint shows up as operational because of the provisioning process that the SonicPoint goes through.
How to Test
Go to SonicPoint > Status page, you must see the remote SonicPoint labeled MGMT: SSL -VPN
Related Articles
- Running Diagnostic Tests on Wireless Network Manager (WNM)
- Content Filter Configuration on Wireless Network Manager (WNM)
- Generate reports on Wireless Network Manager (WNM)
YES
NO