How to Disable Virtual Office Portal Access

The Virtual Office portal is the website access of SSLVPN Services where users log in to launch NetExtender or access internal resources via Bookmarks.

When we enable SSLVPN services for WAN zone, we open default port 4433 on the firewall IP for SSLVPN services, which includes access either via client - NetExtender and SonicWALL Mobile Connect or via web browser - Virtual Office portal. Both access methods require valid credentials (username, password and domain name).

As of version 7.0.1-5145 and 6.5.4.13-105n, we have the option to disable the Virtual Office portal on all non-LAN zones. Prior to 7.0.1-5145 and 6.5.4.13-105n, we must take a different approach by using SSL certificates, domain account integration (LDAP, RADIUS, etc), or by restricting access for SSLVPN services to limited source IP addresses.

This article describes how we can disable Virtual Office for non-LAN zones and how we can restrict SSLVPN access to limited source IP address.

Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

For products on firmware 7.0.1-5145 or later:

To disable Virtual Office on all Non-LAN interfaces:

1. Ensure you are on version 7.0.1-5145 or later.
2. Navigate to  Network > Portal Settings > Enable option 'Disable Virtual Office on Non-LAN Interfaces'
3. Save setting.

  NOTE: If you have SSLVPN enabled under Server Settings for LAN, Virtual Office will still be accessible, but only on the LAN zone. This is good if you are using TOTP for Multi-Factor-Authentication (MFA), users can still reset/set-up MFA on the LAN zone when connecting to Virtual Office.

For products on firmware prior to 7.0.1-5145 - Resolution/Workaround:

1. Navigate to Objects | Match objects | Addresses > Address Objects.
   
   
   
   
2. Click on Add.
3. Create Address Object as below :
   
   
   
   NOTE: Zone should be "WAN" and "IP Address" should be Public IP of PC from which you want to allow access to SSLVPN.
   
   
4. If you want to allow access from multiple IPs, create Address Objects for all Public IPs as in step 3.
5. Click on Address Groups.
   
6. Click on Add.
   
   
   
   
7. Select all the WAN IP address objects created in step 4 and Add them to the Address Group.
   
   
   
   
8. Navigate to Policy | Rules and Policy > Access Rules.
   
   
   
   
9. Click on Zone Matrix and select WAN to WAN radio button as shown below :
   
   
   
   
10. Click on Configure icon for default WAN to WAN access rule for SSLVPN service.
    
    
    
    CAUTION: Default rules can only be modified when "Enable the ability to remove and fully edit auto-added access rules " is checked in the internal settings page.
    
    
11. Modify source address from ANY to Address Object / Address Group created in step 3/step 5.
    
    
    
    
12. Click SAVE.
    
    Now only the Public IPs mentioned in the Source of Access rule can access SSLVPN services using Netextender and Virtual Office Portal.
    
    
    
    

Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

For products on firmware 6.5.4.13-105n or later:

To disable Virtual Office on all Non-LAN interfaces:

1. Ensure you are on version 6.5.4.13-105n or later.
2. Navigate to  SSLVPN > Portal Settings > Enable option 'Disable Virtual Office on Non-LAN Interfaces'
3. Save setting.

  NOTE: If you have SSLVPN enabled under Server Settings for LAN, Virtual Office will still be accessible, but only on the LAN zone. This is good if you are using TOTP for Multi-Factor-Authentication (MFA), users can still reset/set-up MFA on the LAN zone when connecting to Virtual Office.

For products on firmware prior to 6.5.4.13-105n - Resolution/Workaround:

1. Navigate to MANAGE | Objects > Address Objects.
   
   
   
   
2. Click on Add.
   
3. Create Address Object as below :
   
   
   
   NOTE: Zone should be "WAN" and "IP Address" should be Public IP of PC from which you want to allow access to SSLVPN.
   
   
   

4. If you want to allow access from multiple IPs, create Address Objects for all Public IPs as in step 3.

5. Click on Address Groups.

6. Click on Add.
   
   
   

   
   

   
   

   
   

   
   

7. Select all the WAN IP address objects created in step 4 and Add them to the Address Group.
   
   
   
   

8. Navigate to MANAGE | Rules > Access rules.
   
   
   
   
9. Click on Zone Matrix and select WAN to WAN radio button as shown below :
   
   
   
   
10. Click on Configure icon for default WAN to WAN access rule for SSLVPN service.
    
    
    
    
    CAUTION: Default rules can only be modified when "Enable the ability to remove and fully edit auto-added access rules " is checked in the internal settings page.
    
    
11. Modify Source from ANY to Address Object / Address Group created in step 3/step 5.
    
    
    
    
    
12. Click OK.
    
    Now only the Public IPs mentioned in the Source of Access rule can access SSLVPN services using Netextender and Virtual Office Portal.