Using SonicWall NetExtender to Access FTP Servers

03/26/2020 7 10003

DESCRIPTION:

Using NetExtender to access an FTP Server on the LAN segment of a SonicWall Firewall.

RESOLUTION:

Perform the following setup steps. Step 1-4 are for the administrator while Step 5 is for the remote user.

1. Configure the SonicWall (running SonicOS Enhanced firmware) so that we can connect a
   SonicWall SSL-VPN appliance to it.
   1. Create a new public zone named SSL-VPN.
   2. Configure the X2 port with an appropriate IP address (192.168.200.2/24 in our case) and assign it to the X2 zone.
   3. Change the management port numbers for HTTP/HTTPS.
   4. Configure a port forwarding policy using the Public Server Wizard (alternatively an IP mapping policy can also be configured here).
   5. Configure the appropriate access rules.
2. Configure the SonicWall SSL-VPN appliance in stand-alone mode (PC connected to the X0 port of the SonicWall SSL-VPN appliance via cross-over cable) for basic network connectivity.
   1. For the XO port, setup the IP and mask.
   2. Setup the default route.
3. Connect the SonicWall SSL-VPN appliance (X0 Interface) to the SonicWall  (X2 in our case), and finalize the SSL-VPN configuration.
   1. Create a Local User in Local Domain.
   2. Add a Range for the NetExtender.
   3. Add Routes for NetExtender (in our case, it should know how to get to the FTP Server).
4. Setup an FTP Server on the LAN segment of the SonicWall SSL-VPN Using SonicWall NetExtender to Access FTP Servers.
5. As a Remote User, make a connection to the SonicWall SSL-VPN appliance, and the access FTP Server using NetExtender.

IP Addressing Scheme SonicWall
X0: 192.168.168.168/24
X1: 200.1.1.2/29
X2: 192.168.200.2/24
Default Gateway: 200.1.1.1
PC sitting on X0 of SonicWall
IP : 192.168.168.100/24
Default Gateway: 192.168.168.168
IP Addressing Scheme for SSL-VPN
X0: 192.168.200.1/24
Default Gateway: 192.168.200.2


SonicWall Firewall Configuration
We are assuming the SonicWall is already connected to the Internet which means that LAN Hosts (i.e., 192.168.168.100) can go the Internet and no configuration is required for the XO and X1 ports.

1. Create a New Public Zone by the name SSL-VPN
2. Go to Network | Zones and click Add.
3. Click OK.
4. X2 Configuration and Zone Assignment
5. Navigate to the Network | Interface and click Edit for the X2 port.
   Note: In case the X2 port is already in use for some other application, for example, WAN Failover, any other available port should be considered.
6. Same algorithm will be applied accordingly on the SonicWall TZ Series. Click OK.
7. Changing Management Port Numbers for HTTP and HTTPS.
8. Go to the System | Administration and make the following changes:
   Click Apply.
   Now you will be accessing the SonicWall units from the X0 port.
   http://192.168.168.168:8080
   https://192.168.168.168:444
9. Configure Port Forwarding Policy using Public Server Wizard
10. Go Network | NAT Policies, click Public Server Wizard and then click Next.
11. Click Next once you are done with the above parameters.Click Next and then click Apply.
12. Click Apply.
13. This will complete the Port Forwarding Policy for the SonicWall SSL VPN appliance. SonicWall
    Firewall will create the necessary NAT Policies and Access Rules.
14. Click Close to close the Public Server Wizard.
15. Configure appropriate Access Rules
    Go to the Firewall | Access Rules and click the Matrix radio button. Click Edit to make the
    modifications.
16. Once you are done with the changes, click Ok on each page.
    Note: These are generic access rules. You can make them more specific depending on your network access
    policy.

SSL-VPN Basic Configuration (Stand Alone mode)
Connect the X0 Interface of the SonicWall SSL-VPN appliance to a PC directly using a cross-over cable and configure the basic parameters, for example, IP address, subnet mask and default route. Make sure your PC is configured for the192.168.200.x/24 network.

a) IP Assignment to X0 along with the Subnet Mask
In our case, we are using Default IP addressing scheme of the SSL-VPN appliance (X0 = 192.168.200.1/24),
therefore we will not be making any changes on the Network | Interface page for the X0 port.
b) Default Gateway Configuration
Go to the Network | Routes page and configure the following:
Click Apply.
Note: Make sure the following option is checked on System | Settings:
Otherwise, click on the following link on the same page to save the running configuration as a startup
configuration.
3. Establishing Connectivity between SonicWall and SSL-VPN and finalizing the SSL-VPN Configuration
Connect the X2 port of the SonicWall Firewall to the X0 port of the SonicWall SSL-VPN appliance either
directly or using a hub or switch, depending on your network configuration.
To access the SonicWall Firewall, enter the following in a Web browser.
http://200.1.1.2:8080
https://200.1.1.2:444
Note: Assumption is that, HTTP and HTTPS is enabled for the X1 port on the SonicWall Firewall
To access the SonicWall SSL-VPN appliance, enter the following in a Web browser.
http://200.1.1.2
https://200.1.1.2
Perform the following steps in the SonicWall SSL-VPN appliance to finalize the configuration.
a) Create a Local User in Local Domain
Go to the Users | Local Users and click Add User.
Click Add.
b) Add a Range for the NetExtender
Go to the NetExtender | Client Address and configure the following accordingly:
Click Apply.
c) Add Routes for NetExtender
Go to NetExtender | Client Routes and click Add Client Route.
Click Add.
Note: Above configuration is equivalent to “Route All” where a remote client will be sending all of its traffic to the SSL-VPN appliance.


Setting up an FTP Server on the LAN segment of the SonicWall.
In our case, set up the FTP Server on 192.168.168.100.
Either built-in or a third party FTP server, for example, 3COM, can be installed on this PC.
Once service is installed, do a Local FTP for verification.


Remote Connection to FTP Server using NetExtender

1. Forward the following info to a remote user:
• https://200.1.1.2
• Username : testuser
• Password : abc
• Domain: LocalDomain
• Enter https://200.1.1.2 in a browser window
2. The remote user is prompted for a username/password and once the user enters the correct credentials, he will be able to log in, in the default Portal.
   
3. Click on NetExtender. An SSL-VPN session will be established and the user will be able get into the remote network.
4. Upload/download files for verification.