Remotely manage the SonicWall through a VPN tunnel
10/20/2021
Description
The SonicWall can be administered remotely over an existing VPN connection using HTTPS or HTTP. If you already have a running VPN connection to the firewall from behind another SonicWall or from the VPN client, simply log in to the unit using its LAN IP address (as you would if located on the LAN segment). Follow the steps outlined in this article to configure the VPN policies to allow HTTPS management.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
There are two things that must be true for HTTPS management to be allowed through the VPN. First, the VPN policy must allow access to the firewall's LAN IP address (or X0 IP) from the remote site. The Firewall subnets, LAN primary subnet or X0 Subnet address objects include the LAN interface IP for management, and are good choices to use for the local networks field on the network tab of Site-to-Site VPN policies or for the VPN Access Permissions of users or groups of users authenticating to GroupVPN policies. Please note that all internal interfaces in LAN, DMZ and other protected zones can be made accessible through VPNs.
Second, there is a checkbox on each VPN policy which controls HTTP and HTTPS Management. Follow these steps to configure this checkbox for the VPN policy on each end of the tunnel.
- Log in to the SonicWall management interface.
- Navigate to NETWORK | IPSec VPN | Rules and Settings.
- Under the Policies tab, click the Edit icon next to the VPN policy over which remote management is desired.
- Choose the Advanced tab.
- Under "MANAGEMENT VIA THIS SA" enable HTTPS.
- Click Save.
TIP: For a Tunnel Interface VPN, please enable management on the VPN interface under Network | System | Interfaces as well.
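A pre-flight check for the conditions above, as an added example (not SonicWall code): the VpnPolicy model, its field names and the sample policies are constructed for illustration, and it assumes a Tunnel Interface policy has no local networks field to compare against.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VpnPolicy:
    # Hypothetical model of the settings named in the article; not a SonicOS API.
    name: str
    mgmt_https: bool                      # "MANAGEMENT VIA THIS SA" > HTTPS
    local_networks: list = field(default_factory=list)  # CIDRs in the local networks field
    tunnel_interface: bool = False        # policy type is Tunnel Interface
    vpn_if_mgmt: bool = False             # management enabled on the VPN interface

def management_blockers(policy, lan_ip):
    """List the reasons HTTPS management of lan_ip would fail over this policy."""
    ip = ipaddress.ip_address(lan_ip)
    reasons = []
    if policy.tunnel_interface:
        # Assumption: route-based policies have no local networks to compare against;
        # the article's TIP adds the interface-level management setting instead.
        if not policy.vpn_if_mgmt:
            reasons.append("management not enabled on the VPN interface")
    else:
        nets = [ipaddress.ip_network(n, strict=False) for n in policy.local_networks]
        if not any(ip in n for n in nets):
            reasons.append("local networks do not include the LAN IP")
    if not policy.mgmt_https:
        reasons.append("HTTPS not enabled under MANAGEMENT VIA THIS SA")
    return reasons

def audit(policies, lan_ip):
    """Map each policy name to its blockers; an empty list means both conditions hold."""
    return {p.name: management_blockers(p, lan_ip) for p in policies}

# Constructed sample data: X0 at 192.168.168.168/24, DMZ at 10.10.10.0/24.
LAN_IP = "192.168.168.168"
POLICIES = [
    VpnPolicy("branch-a", True, ["192.168.168.0/24"]),
    VpnPolicy("dmz-only", True, ["10.10.10.0/24"]),
    VpnPolicy("partner", False, ["192.168.168.0/24", "10.10.10.0/24"]),
    VpnPolicy("route-based", True, tunnel_interface=True),
]

if __name__ == "__main__":
    for name, reasons in audit(POLICIES, LAN_IP).items():
        print(f"{name}: {'OK' if not reasons else '; '.join(reasons)}")
```

Only the policy reported as OK satisfies both conditions; each of the others names the single setting to correct on that end of the tunnel.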
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
SonicOS Firmware 6.X.
No rules or other configurations usually need to be done for this to work. Since HTTP and HTTPS management are enabled by default on the System | Administration page (or Access | Management page), both types of web management are usually allowed over a site-to-site VPN tunnel, or over a GroupVPN connection.
SonicOS Enhanced.
Since VPN configurations are very flexible in SonicOS Enhanced, there are two things that must be true for HTTPS management to be allowed through the VPN. First, the VPN policy must allow access to the firewall's LAN IP address (or X0 IP). In both site-to-site VPNs, the firewalled subnets, LAN primary subnet or X0 Subnet objects include the LAN interface for management, and are good choices to use for the local networks field on the network tab of Site-to-Site VPN policies or for the VPN Access Permissions of users or groups of users authenticating to GroupVPN policies. Please note that all internal interfaces in LAN, DMZ and other protected zones can be made accessible through VPNs with SonicOS Enhanced.
Second, there is a checkbox on each VPN policy which controls HTTP and HTTPS Management. Follow these steps to configure this checkbox for the VPN policy on each end of the tunnel.
- Select VPN | Settings.
- Click the Edit icon next to the VPN policy over which remote management is desired.
- Choose the Advanced tab.
- Under "Management via this SA:" check HTTPS.
- Click OK.
TIP: For a Tunnel Interface VPN, please enable management on the VPN interface under System Setup | Network | Interfaces as well.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
SonicOS Firmware 6.X.
No rules or other configurations usually need to be done for this to work. Since HTTP and HTTPS management are enabled by default on the System | Administration page (or Access | Management page), both types of web management are usually allowed over a site-to-site VPN tunnel, or over a GroupVPN connection.
SonicOS Enhanced:
Since VPN configurations are very flexible in SonicOS Enhanced, there are two things that must be true for HTTPS management to be allowed through the VPN. First, the VPN policy must allow access to the firewall's LAN IP address (or X0 IP). In both site-to-site VPNs, the firewalled subnets, LAN primary subnet or X0 Subnet objects include the LAN interface for management, and are good choices to use for the local networks field on the network tab of Site-to-Site VPN policies or for the VPN Access Permissions of users or groups of users authenticating to GroupVPN policies. Please note that all internal interfaces in LAN, DMZ and other protected zones can be made accessible through VPNs with SonicOS Enhanced.
Second, there is a checkbox on each VPN Policy which controls HTTP and HTTPS management. Follow these steps to configure this checkbox for the VPN policy on each end of the tunnel.
- Select VPN | Settings.
- Click the Edit icon next to the VPN policy over which remote management is desired.
- Choose the Advanced tab.
- Under "Management via this SA:" check HTTP, HTTPS or both.
- Click OK.
TIP: For a Tunnel Interface VPN, please enable management on the VPN interface under Network | Interfaces as well.