SMB SSL-VPN: Setting up SSl-VPN behind SonicWall UTM Appliance with multiple portals with unique Ce
03/26/2020 
3 
10762
DESCRIPTION:
SMB SSL-VPN: Setting up SSl-VPN behind SonicWall UTM Appliance with multiple portals with unique Certificate per portal.
RESOLUTION:
Introduction
This technote is an example of how to stup an SSL-VPN device with multiple portals, and a unique certificate per portal behind a SonicWall UTM device.
It is possible to set up 2 portals with 2 separate certificates if you have more that one public IP available to use. In order to do this, first import the certificates.
Setup
1) Create and import certificates
For step by step instructions for importing certificates click here SSL_VPN: Creating and Installing Digital Certificates on SonicWall SSL VPN Appliances
2) Create the portals
In this example we’ll create two portals, one for sales and one for accounting.
Go to Portals and click add.
In this example we will call the portal sales.
Modify the HTML for the login message if you would wish to customize the login page.
Now click on the virtual host tab.
Type in sales for the Virtual Host Domain Name.
Set the drop down menu for Virtual Host Interface to X0.
For the virtual host IP put in an IP address that is in the same subnet as the SSL's X0 IP, in this example 192.168.200.254.
Now choose the sales certificate from the Virtual Host Certificate drop down menu.
Click OK.
Repeat this process for accounting, only make the virtual host IP different than sales, in this case 192.168.200.253.
3) Setup the UTM device
In order to complete this install, you will need to make Nat policies mapping the public IP’s to the private virtual IP’s of the Portals on the SSL.
Create an inbound and outbound NAT policy per portal.
In this example two NAT policy pairs must be created, one for sales and one for accounting.
In this example we will Nat the public IP of 75.42.50.26 to the virtual host IP for sales which was 192.168.200.254. and we will Nat the public IP of 75.42.50.25 to the virtual host IP for accounting which was 192.168.200.253.
Inbound NAT Policy
From Network>Nat policies click Add.
Original source is.............. any
Translated source is .........Original
Original destination is.......Create a new address object
Call the object.....................sales public
Zone assignment is ............WAN
Type is................................. Host
Ip Address...........................75.42.50.26
Click OK.
Translated destination is.....Create a new address object
Call the object..................... sales private
Zone assignment is.............. LAN
Type is..................................Host
Ip address is..........................192.168.200.254
Click OK
Original service is.................HTTPS
Translated service is..............Original
Inbound interface is..............Wan or X1
Outbound interface is............Any
Comment...............................Inbound sales ssl
Click OK
Outbound NAT policy
From Network>Nat policies click Add.
Original source is .................sales private
Translated source is ...............sales public
Original destination is ............Any
Translated destination is.........Original
Original service is ....................HTTPS
Translated service is ................Original
Inbound interface is..................LAN or X0
Outbound interface is................WAN or X1
Comment...................................Outbound sales ssl
Click OK.
Above needs to be repeated for the Accounting portal using address object pair: accounting public/private 75.42.50.25/192.168.200.253
In our example the SSL-VPN device is on the LAN zone, thus WAN to LAN firewall rules will also be needed to allow HTTPS to the public IP address objects “sales public” and “accounting public”
From Firewall>Access Rules in matrix view, WAN to LAN.
Click Add
Action is....................................Allow
Service is ..................................HTTPS
Source is....................................Any
Destination is.............................sales public
Check the “Allow Fragmented Packets” check box.
Click OK
Duplicate this rule for a destination of accounting public.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
