Does NetExtender work on other operating systems than Windows?
Answer: Yes. See the following supported platforms:
- Mac OS X 10.6.8+
- Apple Java 1.6.0_10+ (can be installed/upgraded by going to Apple Menu > Software Update; should be pre-installed on OS X 10.6.8+)
- i386-compatible distribution of Linux
- Sun Java 1.6.0_10+
- Fedora 14+
- Suse: Tested successfully on 10.3
- Ubuntu 11.04+
Separate NetExtender installation packages are also downloadable from MySonicWall.com for each release.
Which versions of Windows does NetExtender support?
Answer: NetExtender supports Windows 10.
Can I block communication between NetExtender clients?
Answer: Yes, this can be achieved with the User/Group/Global Policies by adding a ‘deny’ policy for the NetExtender IP range.
Can NetExtender run as a Windows service?
Answer: NetExtender can be installed and configured to run as a Windows service that allows systems to log in to domains across the NetExtender client.
What range do I use for NetExtender IP client address range?
Answer: This range is the pool that incoming NetExtender clients are assigned – NetExtender clients actually appear as though they are on the internal network – much like the Virtual Adapter capability found in SonicWall Inc.’s Global VPN Client. You should dedicate one IP address for each active NetExtender session, so if you expect 20 simultaneous NetExtender sessions to be the maximum, create a range of 20 open IP addresses. Make sure that these IP addresses are open and are not used by other network appliances or contained within the scope of other DHCP servers. For example, if your SMA appliance is in one-port mode on the X0 interface using the default IP address of
192.168.200.1, create a pool of addresses from
192.168.200.171. You can also assign NetExtender IPs dynamically using the DHCP option.
What do I enter for NetExtender client routes?
Answer: These are the networks that are sent to remote NetExtender clients and should contain all networks that you wish to give your NetExtender clients access to. For example, if your SMA appliance was in one-port mode, attached to a SonicWall Inc. NSA 3500 appliance on a DMZ using
192.168.200.0/24 as the subnet for that DMZ, and the SonicWall Inc. NSA 3500 had two LAN subnets of
192.168.170.0/24, you would enter those two LAN subnets as the client routes to provide NetExtender clients access to network resources on both of those LAN subnets.
What does the ‘Tunnel All Mode’ option do?
Answer: Activating this feature causes the SMA appliance to push down two default routes that tell the active NetExtender client to send all traffic through the SMA appliance. This feature is useful in environments where the SMA appliance is deployed in tandem with a SonicWall Inc. security appliance running all UTM services, as it allows you to scan all incoming and outgoing NetExtender user traffic for viruses, spyware, intrusion attempts, and content filtering.
Is there any way to see what routes the SMA appliance is sending NetExtender?
Answer: Yes, right-click on the NetExtender icon in the taskbar and select route information. You can also get status and connection information from this same menu.
After I install the NetExtender is it uninstalled when I leave my session?
Answer: By default, when NetExtender is installed for the first time it stays resident on the system, although this can be controlled by selecting the Uninstall On Browser Exit > Yes option from the NetExtender icon in the taskbar while it is running. If this option is checked, NetExtender removes itself when it is closed. It can also be uninstalled from the “Add/Remove Program Files” in Control Panel. NetExtender remains on the system by default to speed up subsequent login times.
How do I get new versions of NetExtender?
Answer: New versions of NetExtender are included in each SonicWall Inc. Secure Mobile Access firmware release and have version control information contained within. If the SMA appliance has been upgraded with new software, and a connection is made from a system using a previous, older version of NetExtender, it is automatically upgraded to the new version.
There is one exception to the automatic upgrading feature: it is not supported for the MSI version of NetExtender. If NetExtender was installed with the MSI package, it must be upgraded with a new MSI package. The MSI package is designed for the administrator to deploy NetExtender through Active Directory, allowing full version control through Active Directory.
How is NetExtender different from a traditional IPSec VPN client, such as SonicWall Inc.’s Global VPN Client (GVC)?
Answer: NetExtender is designed as an extremely lightweight client that is installed through a Web browser connection and utilizes the security transforms of the browser to create a secure, encrypted tunnel between the client and the SMA appliance.
Is NetExtender encrypted?
Answer: Yes, it uses whatever cipher the NetExtender client and SMA appliance negotiate during the SSL connection.
Is there a way to secure clear text traffic between the SMA appliance and the server?
Answer: Yes, you can configure the Microsoft Terminal Server to use encrypted RDP-based sessions and use HTTPS reverse proxy.
What is the PPP adapter that is installed when I use the NetExtender?
Answer: This is the transport method NetExtender uses. It also uses compression (MPPC). You can elect to have it removed during disconnection by selecting this from the NetExtender menu.
What are the advantages of using the NetExtender instead of a Proxy Application?
Answer: NetExtender allows full connectivity over an encrypted, compressed PPP connection allowing the user to directly to connect to internal network resources. For example, a remote user could launch NetExtender to directly connect to file shares on a corporate network.
Does performance change when using NetExtender instead of proxy?
Answer: Yes. NetExtender connections put minimal load on the SMA appliances, whereas many proxy-based connections might put substantial strain on the SMA appliance. Note that HTTP proxy connections use compression to reduce the load and increase performance. Content received by Secure Mobile Access from the local Web server is compressed using gzip before sending it over the Internet to the remote client. Compressing content sent from the SMA saves bandwidth and results in higher throughput. Furthermore, only compressed content is cached, saving nearly 40-50 percent of the required memory. Note that gzip compression is not available on the local (clear text side) of the SMA appliance, or for HTTPS requests from the remote client.
The SMA appliance is application dependent; how can I address non-standard applications?
Answer: You can use NetExtender to provide access for any application that cannot be accessed using internal proxy mechanisms - HTTP, HTTPS, FTP, RDP5, Telnet, and SSHv2. Application Offloading can also be used for Web applications. In this way, the SMA appliance functions like an SSL off loader and proxies Web applications pages without the need for URL rewriting.
Why is it required that an ActiveX component be installed?
Answer: NetExtender is installed through an ActiveX-based plug-in from Internet Explorer. Users using Firefox browsers can install NetExtender through an XPI installer. NetExtender can also be installed through an MSI installer. Download the NetExtender MSI installer from MySonicWall.com.
Does NetExtender support desktop security enforcement, such as AV signature file checking, or Windows registry checking?
Answer: Not at present, although these sorts of features are planned for future releases of NetExtender.
Does NetExtender work with the 64-bit version of Microsoft Windows?
Answer: Yes, NetExtender supports 64-bit Windows 10 and Vista.
Does NetExtender work 32-bit and 64-bit version of Microsoft Windows 7?
Answer: Yes, NetExtender supports 32-bit and 64-bit Windows 7, but it is best to upgrade to Windows 10.
Does NetExtender support client-side certificates?
Answer: Yes, Windows NetExtender client supports client certificate authentication from the stand-alone client. Users can also authenticate to the Secure Mobile Access portal and then launch NetExtender.
My firewall is dropping NetExtender connections from my SonicWall SMA as being spoofs. Why?
Answer: If the NetExtender addresses are on a different subnet than the X0 interface, a rule needs to be created for the firewall to know that these addresses are coming from the SMA appliance.