How do I configure the SSL-VPN feature for use with NetExtender or Mobile Connect?

12/22/2021


    Description

     

    SSL VPN is one method of allowing remote users to connect to the SonicWall and access internal network resources. SSL VPN connections can be set up with one of three methods:

    • The SonicWall NetExtender client
    • The SonicWall Mobile Connect client
    • SSL VPN bookmarks via the SonicWall Virtual Office

    This article details how to set up the SSL VPN feature for NetExtender and Mobile Connect users, both of which are software-based solutions.

    NetExtender is available for the following Operating Systems:

    • Microsoft Windows
    • Linux Distributions

    Mobile Connect is available for the following Operating Systems:

    • Windows 8.1 & 10
    • OS X
    • iOS
    • Android


    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


    Creating an Address Object for the SSL VPN IPv4 Address Range

    • Log in to the firewall management UI.
    • Click Object in the top navigation menu.
    • Navigate to Match Objects | Addresses and click Add.
    • In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:
      • Name: SSL VPN Pool

         TIP: This is only a Friendly Name used for Administration.

      • Zone: SSL VPN
      • Type: Range

         NOTE: This does not have to be a range and can be configured as a Host or Network as well. To avoid IP Spoof errors and routing issues, we recommend using a subnet that is not configured anywhere else on the SonicWall.

    SSL VPN Configuration

    • Navigate to Network | SSL VPN | Server Settings.
    • Navigate to SSL VPN STATUS ON ZONES, which shows the SSL VPN access status of each Zone.
    • Enable or disable SSL VPN access by toggling the zone below. Green indicates active SSL VPN status.
    • Navigate to SSL VPN SERVER SETTINGS and select the SSL VPN Port and Domain as desired.

      NOTE: The SSL VPN port will be needed when connecting using Mobile Connect and NetExtender unless the port number is 443. Port 443 can only be used if the management port of the firewall is not 443. The Domain is used during the user login process. If you want to be able to manage the firewall via GUI or SSH over SSL VPN, these features can be enabled separately here as well.
    • Navigate to Network | SSL VPN | Client Settings and select Configure on the Default Device Profile.

    • Set the Zone IP V4 as SSL VPN and Network Address IP V4 as the Address Object you created earlier.

    • The Client Routes tab allows the administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.

    • The Client Settings tab allows the administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client to access domain resources by name.
    • Enable Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.

    Adding Users to SSL VPN Services Group

    NetExtender Users may authenticate either as a Local User on the SonicWall or as a member of an appropriate Group through LDAP. This article covers setting up Local Users; if you're interested in using LDAP, please reference How to Configure LDAP Authentication for SSL VPN Users.

    • Navigate to Device | Users | Local Users & Groups. Add a new User if necessary by clicking Add.
    • On the Groups tab add SSL VPN Services to the Member Of: field.

    • On the VPN Access tab add the relevant Subnets, Range, or IP Address Address Objects that match what the User needs access to via NetExtender.
      NOTE: SSL VPN Users will only be able to access resources that match both their VPN Access and Client Routes.

    • Click on Save and close the window.

    Checking Access Rule Information for SSL VPN Zone

    • Navigate to Policy | Rules and Policies | Access Rules.
    • Select the SSL VPN to LAN rules via the highlighted matrix button below.

    • If SSL VPN Users need access to resources on other Zones, such as the DMZ or a Custom Zone, verify or add those Access Rules.


    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


    Creating an Address Object for the SSL VPN IPv4 Address Range

    1. Log in to the SonicWall management GUI.
    2. Click Manage in the top navigation menu.
    3. Navigate to Objects | Address Objects and click Add at the top of the pane.
    4. In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:
      • Name: SSL VPN Pool

        TIP: This is only a Friendly Name used for Administration.

      • Zone: SSL VPN
      • Type: Range

        NOTE: This does not have to be a range and can be configured as a Host or Network as well. To avoid IP Spoof errors and routing issues, we recommend using a subnet that is not configured anywhere else on the SonicWall.

      • Starting IP Address: 192.168.168.100
      • Ending IP Address: 192.168.168.110
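
The NOTE above recommends a pool that is not configured anywhere else on the SonicWall. The following check is an added example, not part of the original article or of any SonicWall tool: it tests a candidate pool range against a list of configured subnets. The interface inventory and the alternative range are constructed sample values, so a conflict reported here says nothing about a real deployment.

```python
import ipaddress

# Constructed interface inventory (not from the article). Host addresses with
# a prefix length are accepted, as copied from an interface configuration.
CONFIGURED = {
    "X0 LAN": "192.168.168.168/24",
    "X1 WAN": "203.0.113.2/29",
    "X2 DMZ": "10.10.20.1/24",
}


def range_to_networks(start, end):
    """Expand an inclusive IPv4 range into the minimal list of CIDR blocks."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"range start {first} is above range end {last}")
    return list(ipaddress.summarize_address_range(first, last))


def find_pool_conflicts(start, end, configured):
    """Return sorted (name, subnet) pairs for each configured subnet that
    shares at least one address with the pool range."""
    pool = range_to_networks(start, end)
    conflicts = []
    for name, cidr in configured.items():
        # strict=False turns an interface address such as 10.10.20.1/24
        # into its containing network, 10.10.20.0/24.
        subnet = ipaddress.ip_network(cidr, strict=False)
        if any(block.overlaps(subnet) for block in pool):
            conflicts.append((name, str(subnet)))
    return sorted(conflicts)


if __name__ == "__main__":
    candidates = [
        ("192.168.168.100", "192.168.168.110"),  # example range shown in the article
        ("10.99.0.100", "10.99.0.110"),          # constructed alternative
    ]
    for start, end in candidates:
        hits = find_pool_conflicts(start, end, CONFIGURED)
        print(f"{start}-{end}:", hits or "no overlap")
```
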


    SSL VPN Configuration

    1. Navigate to the SSL VPN | Server Settings page.
    2. Click on the Red Bubble for WAN, it should become Green. This indicates that SSL VPN Connections will be allowed on the WAN Zone.
    3. Set the SSL VPN Port, and Domain as desired.

      NOTE: The SSL VPN port will be needed when connecting using Mobile Connect and NetExtender unless the port number is 443. Port 443 can only be used if the management port of the firewall is not 443. The Domain is used during the user login process. If you want to be able to manage the firewall via GUI or SSH over SSL VPN, these features can be enabled separately here as well.

    4. Navigate to the SSL VPN | Client Settings page.
      The SSL VPN | Client Settings page allows the administrator to configure the client address range information and NetExtender client settings, the most important being where the SSL VPN will terminate (e.g. on the LAN in this case) and which IPs will be given to connecting clients.

      CAUTION: NetExtender cannot be terminated on an Interface that is paired to another Interface using Layer 2 Bridge Mode. This includes Interfaces bridged with a WLAN Interface. Interfaces that are configured with Layer 2 Bridge Mode are not listed in the "SSL VPN Client Address Range" Interface drop-down menu. For NetExtender termination, an Interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public, or Wireless zone, and also configured with the IP Assignment of "Static".

    5. Click on the Configure button for the Default Device Profile.
    6. Set the Zone IP V4 as SSL VPN. Set Network Address IP V4 as the Address Object you created earlier (SSL VPN Range).
    7. The Client Routes tab allows the administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.

      CAUTION: All SSL VPN Users can see these routes, but without appropriate VPN Access on their User or Group they will not be able to access everything shown in the routes. Please make sure to set VPN Access appropriately.

    8. The Client Settings tab allows the administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client.
    9. Input the necessary DNS/WINS information and a DNS Suffix if SSL VPN Users need to find Domain resources by name.
    10. Enable Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.


    Adding Users to SSL VPN Services Group

    NetExtender Users may authenticate either as a Local User on the SonicWall or as a member of an appropriate Group through LDAP. This article covers setting up Local Users; if you're interested in using LDAP, please reference How to Configure LDAP Authentication for SSL VPN Users.

    1. Navigate to Users | Local Users & Groups. Add a new User if necessary by clicking Add.
    2. On the Groups tab add SSL VPN Services to the Member Of: field.
    3. On the VPN Access tab add the relevant Subnets, Range, or IP Address Address Objects that match what the User needs access to via NetExtender.

      CAUTION: SSL VPN Users will only be able to access resources that match both their VPN Access and Client Routes.



    4. Click OK to save these settings and close the window.

     

    Checking Access Rule Information for SSL VPN Zone

    1. Navigate to Rules | Access Rules.
    2. Access the SSL VPN to LAN rules via the Zone drop-down options or the highlighted matrix button below.

    3. You will need to create Access Rules similar to the image below allowing SSL VPN IPs to access your intended end devices.

      NOTE: This does not grant access to all users; individual access is still granted to users based on their VPN access and SSL VPN routes. Access rules are needed for the firewall to allow this traffic through.

    4. If SSL VPN Users need access to resources on other Zones, such as the DMZ or a Custom Zone, verify or add those Access Rules. If you're unsure how to create an Access Rule please reference How to Enable Port Forwarding and Allow Access to a Server Through the SonicWall.
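
The article describes three conditions a destination must meet before an SSL VPN user can reach it: it is covered by the Client Routes, by the user's VPN Access, and by an Access Rule from the SSL VPN zone. The following is an added example, not part of the original article and not SonicOS logic: a simplified model of those three gates that reports which one stops a given destination, useful when reviewing a planned configuration for over-broad or dead entries. All networks and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample configuration (not from the article).
CLIENT_ROUTES = ["10.10.0.0/16", "172.16.5.0/24"]    # pushed to every client
VPN_ACCESS = ["10.10.20.0/24", "192.168.50.0/24"]    # one user's VPN Access
RULE_DESTINATIONS = ["10.10.20.0/25"]                # allowed by Access Rules


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def effective_networks(client_routes, vpn_access):
    """Networks that are both routed to the client and granted to the user.
    Two CIDR blocks either nest or are disjoint, so each pair contributes
    the smaller block or nothing."""
    shared = []
    for route in _nets(client_routes):
        for grant in _nets(vpn_access):
            if route.subnet_of(grant):
                shared.append(route)
            elif grant.subnet_of(route):
                shared.append(grant)
    return [str(n) for n in ipaddress.collapse_addresses(shared)]


def blocking_gate(dest, client_routes, vpn_access, rule_destinations):
    """Name the first gate that does not cover dest, or None if all pass."""
    ip = ipaddress.ip_address(dest)
    gates = [
        ("Client Routes", client_routes),
        ("VPN Access", vpn_access),
        ("Access Rules", rule_destinations),
    ]
    for name, cidrs in gates:
        if not any(ip in net for net in _nets(cidrs)):
            return name
    return None


if __name__ == "__main__":
    print("routed and granted:", effective_networks(CLIENT_ROUTES, VPN_ACCESS))
    for dest in ["10.10.20.15", "10.10.20.200", "10.10.30.5", "192.168.50.9"]:
        gate = blocking_gate(dest, CLIENT_ROUTES, VPN_ACCESS, RULE_DESTINATIONS)
        print(dest, "->", "reachable" if gate is None else f"blocked at {gate}")
```

In this sample, 172.16.5.0/24 is advertised to the client but not granted, and 192.168.50.0/24 is granted but never routed, which are the two mismatches the CAUTION notes above warn about.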


    Testing the Connection with NetExtender

    Download and install SonicWall NetExtender, which is available from SonicWall.com. You can follow this link for the instructions:

    https://www.sonicwall.com/support/knowledge-base/how-can-i-download-and-install-NetExtender-for-windows/170503561905844/


    Configure NetExtender like the following example.

    SSLVPN NetExtender

    Server: specify the IP address of the SonicWall WAN (by default SSL VPN is enabled on every WAN Interface of the SonicWall) followed by the port (specified in Server Settings of SSL VPN)

    You can also specify a DNS name if you have a DNS published for your organization, e.g. sslvpn.mycompany.com:4433

    Username: insert the user that you want to connect with

    Password: specify the password for that user

    Domain: insert the Domain Name (case sensitive) specified in Server Settings of SSL VPN.


    Click Connect. 

    Once it has reached the SSL VPN Server on the SonicWall, NetExtender will prompt with a Security Alert; click Accept to establish the connection.

    SSLVPN NetExtender



    Testing the Connection with Mobile Connect


    Mobile Connect is available to download from SonicWall.com. You can select the desired option among iOS, macOS, Android and Chrome OS.


    Mobile Connect on Windows


    Start the program and click Manage


    Mobile Connect Windows Manage

    Click on OK to open the Windows VPN Settings


    Mobile Connect Windows warning


    Click on Add a VPN connection


     Mobile Connect Windows Connect add VPN


    Configure as follows


    Mobile Connect Windows VPN config

    Connection name: insert a friendly name for the connection

    Server: specify the IP address of the SonicWall WAN (by default SSL VPN is enabled on every WAN Interface of the SonicWall) followed by the port (specified in Server Settings of SSL VPN)

    You can also specify a DNS name if you have a DNS published for your organization, e.g. https://sslvpn.mycompany.com:443


     Click Save and click Connect to start the VPN Connection


    Mobile Connect Windows VPN


    When the warning is displayed, click Next


    Mobile Connect Windows VPN Warning


    Insert username and password and click OK


    Mobile Connect Windows credentials


    VPN is established.


    Mobile Connect Windows VPN connected


    Mobile Connect on Mac OS


    Start the program and click on Add Connection, fill in the form as in the example below and click Next

    Mobile Connect MAC add connection


    Click Continue


    Mobile Connect MAC verify


    Fill the forms like the example below and click 


    Mobile Connect MAC config VPN


    Click Connect


    Mobile Connect MAC Connect


    When prompted, click Allow to establish the VPN Connection


    Mobile Connect MAC Accept


    TIP: Ping is a great tool to test access to resources once the VPN Connection has been established. If pings are timing out, it's advisable to run a Packet Monitor on the SonicWall to determine what is happening to the traffic. Keep in mind that pings to the SonicWall are considered management traffic and require specific access rules to allow this traffic.
