How do I configure the SSL-VPN feature for use with NetExtender or Mobile Connect?

08/27/2020 7053 176645

DESCRIPTION:

SSL VPN is one method of allowing Remote Users to connect to the SonicWall and access internal network resources. SSL VPN Connections can be setup with one of three methods:

• The SonicWall NetExtender client
• The SonicWall Mobile Connect client
• SSL VPN bookmarks via the SonicWall Virtual Office

This article details how to setup the SSL VPN Feature for NetExtender and Mobile Connect users, both of which are software based solutions.

NetExtender is available for the following Operating Systems:

• Microsoft Windows
  
• Linux Distributions

Mobile Connect is available for the following Operating Systems:

• Windows 8.1 & 10
• OS X
• iOS
• Android

Don't want to read? Watch instead!

RESOLUTION:

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Creating an Address Object for the SSL VPN IPv4 Address Range

• Login to the firewall management UI.
• Click Object in the top navigation menu.
• Navigate to Match Objects |Addresses and click Add at the top of the pane.
  

• In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:
  • Name: SSL VPN Pool
    

     TIP: This is only a Friendly Name used for Administration.

  • Zone: SSL VPN
  • Type : Range
    

     NOTE: This does not have to be a range and can be configured as a Host or Network as well. To avoid IP Spoof errors and routing issues, we recommend to use a subnet which is not configured anywhere else on the SonicWall.

     
    
    

SSL VPN Configuration

• Navigate to the  Network |SSL VPN | Server Settings .
• Navigate to SSL VPN STATUS ON ZONES which represents SSL VPN Access status on each Zone.
• Enable or disable SSL-VPN access by toggling the zone below. The Green indicates active SSL VPN status.
• Navigate to SSL VPN SERVER SETTINGS,  Select the SSL VPN Port, and Domain as desired.
  
  
  NOTE:The SSL VPN port will be needed when connecting using Mobile Connect and NetExtender unless the port number is 443. Port 443 can only be used if the management port of the firewall is not 443. The Domain is used during the user login process. If you want to be able to manage the firewall via GUI or SSH over SSL VPN these features can be enabled separately here as well.
  

• Navigate to the Network|SSL VPN|Client Settings and Select configure Default Device Profile.
  
  
  

• Set the Zone IP V4 as SSL VPN and Network Address IP V4 as the Address Object you created earlier.
  
  
  

• The Client Routes tab allows the administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.
  
  
  

• The Client Settings tab allows the administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client to access domain resources by name.
• Enable Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.
  
  
  

Adding Users to SSL VPN Services Group

NetExtender Users may either authenticate as a Local User on the SonicWall or as a member of an appropriate Group through LDAP. This article will cover setting up Local Users, however if you're interested in using LDAP please reference How to Configure LDAP Authentication for SSL VPN Users.

• Navigate to Device|Users|Local Users & Groups. Add a new User if necessary by clicking Add.
  

• On the Groups tab add SSL VPN Services to the Member Of: field.
  
  
  

• On the VPN Access tab add the relevant Subnets, Range, or IP Address Address Objects that match what the User needs access to via NetExtender.
  NOTE: SSL VPN Users will only be able to access resources that match both their VPN Access and Client Routes.
  
  
  

• Click on Save and close the window.
  
  

Checking Access rule Information for SSL VPN Zone

• Navigate to Policy | Rules and Policies |Access Rules.
• Select the SSL VPN to LAN rules via the highlighted matrix button below.
  
  
  
• If SSL VPN Users need access to resources on other Zones, such as the DMZ or a Custom Zone, verify or add those Access Rules.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Creating an Address Object for the SSL VPN IPv4 Address Range

1. Login to the SonicWall management GUI.
2. Click Manage in the top navigation menu
3. Navigate to Objects | Address Objects and click Add at the top of the pane.
4. In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:
   • Name: SSL VPN Pool
     

     TIP: This is only a Friendly Name used for Administration.

   • Zone: SSL VPN
   • Type : Range
     

     NOTE: This does not have to be a range and can be configured as a Host or Network as well. To avoid IP Spoof errors and routing issues, we recommend to use a subnet which is not configured anywhere else on the SonicWall. 

   • Starting IP Address: 192.168.168.100
   • Ending IP Address: 192.168.168.110
     

SSL VPN Configuration

1. Navigate to the SSL VPN | Server Settings page.
2. Click on the Red Bubble for WAN, it should become Green. This indicates that SSL VPN Connections will be allowed on the WAN Zone.
3. Set the SSL VPN Port, and Domain as desired.
   

   NOTE: The SSL VPN port will be needed when connecting using Mobile Connect and NetExtender unless the port number is 443. Port 443 can only be used if the management port of the firewall is not 443. The Domain is used during the user login process. If you want to be able to manage the firewall via GUI or SSH over SSL VPN these features can be enabled separately here as well.

   
4. Navigate to the SSL VPN | Client Settings page.
   The SSL VPN | Client Settings page allows the administrator to configure the client address range information and NetExtender client settings, the most important being where the SSL VPN will terminate (e.g. on the LAN in this case) and which IPs will be given to connecting clients.
   
   

   CAUTION: NetExtender cannot be terminated on an Interface that is paired to another Interface using Layer 2 Bridge Mode. This includes Interfaces bridged with a WLAN Interface. Interfaces that are configured with Layer 2 Bridge Mode are not listed in the "SSL VPN Client Address Range" Interface drop-down menu. For NetExtender termination, an Interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public, or Wireless zone, and also configured with the IP Assignment of "Static".

5. Click on the Configure button for the Default Device Profile.
   
6. Set the Zone IP V4 as SSL VPN. Set Network Address IP V4 as the Address Object you created earlier (SSL VPN Range).
   
7. The Client Routes tab allows the administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.
   
   

   CAUTION:All SSL VPN Users can see these routes but without appropriate VPN Access on their User or Group they will not be able to access everything shown in the routes. Please make sure to set VPN Access appropriately.

   
   
8. The Client Settings tab allows the administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client.
9. Input the necessary DNS/WINS information and a DNS Suffix if SSL VPN Users need to find Domain resources by name.
10. Enable Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.
    
    

Adding Users to SSL VPN Services Group

NetExtender Users may either authenticate as a Local User on the SonicWall or as a member of an appropriate Group through LDAP. This article will cover setting up Local Users, however if you're interested in using LDAP please reference How to Configure LDAP Authentication for SSL VPN Users.

1. Navigate to Users | Local Users & Groups.  Add a new User if necessary by clicking Add.
   
2. On the Groups tab add SSL VPN Services to the Member Of: field.
   
3. On the VPN Access tab add the relevant Subnets, Range, or IP Address Address Objects that match what the User needs access to via NetExtender.
   
   

   CAUTION: SSL VPN Users will only be able to access resources that match both their VPN Access and Client Routes.

   
   
   
4. Click OK to save these settings and close the window.

Checking Access rule Information for SSL VPN Zone

1. Navigate to Rules | Access Rules.
2. Access the SSL VPN to LAN rules via the Zone drop-down options or the highlighted matrix button below.
   
   
   
3. You will need to create Access Rules similar to the image below allowing SSL VPN IPs to access your intended end devices.
   
   

   NOTE: This does not grant access to all users, individual access is still granted to users based on their VPN access and SSL VPN routes.  Access rules are needed for the firewall to allow this traffic through.

   
4. If SSL VPN Users need access to resources on other Zones, such as the DMZ or a Custom Zone, verify or add those Access Rules. If you're unsure how to create an Access Rule please reference How to Enable Port Forwarding and Allow Access to a Server Through the SonicWall.

Testing the Connection with NeNetextender

Download and install SonicWall NetExtender that is available via SonicWall.com. You can follow this link for the instructions:

https://www.sonicwall.com/support/knowledge-base/how-can-i-download-and-install-NetExtender-for-windows/170503561905844/

Configure NetExtender like the following example.

Server:  specify the Ip Address of the SonicWall WAN (by default SSL VPN is enabled on every WAN Interface of the SonicWall) followed by the port (specified in Server Settings of SSL VPN)

You can also specify a DNS name if you have a DNS published for your organization, e.g. sslvpn.mycompany.com:4433

Username: insert the user that you want to connect with

Password: specify the password for that user

Domain: insert the Domain Name (case sensitive) specified in Server Settings of SSL VPN.

Click Connect. 

Once reached the SSL VPN Server on the SonicWall NetExder will prompt for a Security Alert, click Accept to establish the connection.

Testing the Connection with Mobile Connect

Mobile Connect is available to download from Sonicwall.com. You can select the desired option amoong iOS, macOS, Android and Chrome OS.

Mobile Connect on WIndows 

Start the program and click Manage

Click on OK to open the WIndows VPN Settings

Click on Add a VPN connection

Configure as follow

Connection name: insert a friendly name for the connection

Server:  specify the Ip Address of the SonicWall WAN (by default SSL VPN is enabled on every WAN Interface of the SonicWall) followed by the port (specified in Server Settings of SSL VPN)

You can also specify a DNS name if you have a DNS published for your organization, e.g. https://sslvpn.mycompany.com:443

 Click Save and click Connect to start the VPN Connection

When the warning is proposed click Next

Insert username and password and click OK

VPN is established.

Mobile Connect on Mac OS

Start the program and click on Add Connection, fill the forms like the example below and click Next

Click Continue

Fill the forms like the example below and click 

Click Connect

When prompted click Allow to establish the VPN Connetion

TIP: Ping is a great tool to test access to resources once the VPN Connection has established. If Pings are Timing Out it's advisable to perform a Packet Monitor on the SonicWall to determine what is happening to the traffic.  Keep in mind, pings to the SonicWall are considered management traffic and require specific access rules to allow this traffic.