SonicWALL SSL-VPN 2000 Administrator's Manual

Secure remote access appliance

COMPREHENSIVE INTERNET SECURITY
SonicWALL Secure Remote Access Appliances
SonicWALL SSL VPN 4.0
Administrator's Guide


Summary of Contents for SonicWALL SSL-VPN 2000

  • Page 1 COMPREHENSIVE INTERNET SECURITY SonicWALL Secure Remote Access Appliances SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 2: SonicWALL SSL VPN 4.0 Administrator's Guide

    SonicWALL SSL VPN 4.0 Administrator’s Guide SonicWALL, Inc. 2001 Logic Drive San Jose, CA 95124-3452 Phone: +1.408.745.9600 Fax: +1.408.745.9300 E-mail: info@sonicwall.com SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 3: Copyright Notice

    Specifications and descriptions subject to change without notice. Trademarks SonicWALL is a registered trademark of SonicWALL, Inc. Microsoft Windows 7, Windows Vista, Windows XP, Windows Server 2003, Windows 2000, Windows NT, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
  • Page 4: SonicWALL GPL Source Code

    SonicWALL GPL Source Code GNU General Public License (GPL) SonicWALL will provide a machine-readable copy of the GPL open source on a CD. To obtain a complete machine-readable copy, send your written request, along with a certified check or money order in the amount of US $25.00 payable to "SonicWALL, Inc."...
  • Page 5: SonicWALL Technical Support

    HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose.
  • Page 6: More Information on SonicWALL Products

    More Information on SonicWALL Products: Contact SonicWALL, Inc. for information about SonicWALL products and services at: Web: http://www.sonicwall.com; E-mail: sales@sonicwall.com; Phone: (408) 745-9600; Fax: (408) 745-9300. Current Documentation: Check the SonicWALL documentation Web site for the latest versions of this manual and all other SonicWALL product documentation.
  • Page 7 SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 8: About This Guide

    Timesaver: Useful tips about features that may save you time. Indicates a feature that is supported only on the SSL-VPN 2000 and 4000 platforms. Indicates a client feature that is only supported on the Microsoft Windows platform.
  • Page 9: Table Of Contents

    Indicates a client feature that is supported on Microsoft Windows, Apple MacOS, and Linux Organization of This Guide The SonicWALL SSL VPN Administrator’s Guide is organized in chapters that follow the SonicWALL SSL VPN Web-based management interface structure. This section contains a description of the following chapters and appendices: “SSL VPN Overview”...
  • Page 10: Network Configuration

    Web Application Firewall Configuration “Web Application Firewall Configuration” on page 179 provides instructions for configuring SonicWALL SSL VPN options under Web Application Firewall in the navigation bar of the management interface, including Web Application Firewall status, settings, signatures, log, and licensing.
  • Page 11: Virtual Office Configuration

    SonicWALL SSL VPN. The administrator can access the Virtual Office user portal using Virtual Office in the navigation bar of the SonicWALL SSL VPN Web-based management interface. Users access the Virtual Office using a Web browser. The SonicWALL SSL VPN User’s Guide provides detailed information about the Virtual Office.
  • Page 12: Appendix G: SMS Email Formats

    About This Guide Appendix G: SMS Email Formats “SMS Email Formats” on page 339 provides a list of SMS email formats for selected worldwide cellular carriers. SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 13 About This Guide SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 14: Table Of Contents

    Overview of SonicWALL SSL VPN (p. 8); SSL for Virtual Private Networking (VPN) (p. 8); SSL VPN Software Components (p. 9); SSL-VPN Hardware Components (p. 9); Concepts for SonicWALL SSL VPN (p. 12); Encryption Overview (p. 12); SSL Handshake Procedure (p. 12); IPv6 Support Overview (p. 13); Browser Requirements for the SSL VPN Administrator...
  • Page 15 Typical Deployment (p. 57); System Configuration (p. 59); System > Status (p. 60); System > Status Overview (p. 60); Registering Your SonicWALL SSL-VPN from System Status (p. 62); Configuring Network Interfaces (p. 64); System > Licenses (p. 64); System > Licenses Overview (p. 64); Registering the SSL-VPN from System > Licenses (p. 67); Activating or Upgrading Licenses (p. 69)...
  • Page 16 Services > Settings (p. 146); Services > Bookmarks (p. 149); Services > Policies (p. 156); NetExtender Configuration (p. 159); NetExtender > Status (p. 160); NetExtender > Status Overview (p. 160); Viewing NetExtender Status (p. 160)...
  • Page 17 Users > Status (p. 202); Access Policies Concepts (p. 203); Access Policy Hierarchy (p. 203); Users > Local Users (p. 204); Users > Local Users Overview (p. 204); Adding a Local User (p. 205); Removing a User (p. 206); Editing User Settings (p. 206)...
  • Page 18 NetGear FVS318 (p. 281); Netgear Wireless Router MR814 SSL configuration (p. 283); Check Point AIR 55 (p. 284); Setting up a SonicWALL SSL-VPN with Check Point AIR 55 (p. 284); Static Route (p. 285); ARP (p. 285)...
  • Page 19 Microsoft ISA Server (p. 287); Deploying a SonicWALL SSL-VPN Behind a Microsoft ISA Server (p. 287); Configuring ISA (p. 287); Use Cases (p. 291); Importing CA Certificates on Windows (p. 291); Importing a goDaddy Certificate on Windows (p. 291); Importing a Server Certificate on Windows (p. 294); Creating Unique Access Policies for AD Groups (p. 295)...
  • Page 20: SSL VPN Overview

    Chapter 1: SSL VPN Overview This chapter provides an overview of the SonicWALL SSL VPN technology, concepts, basic navigational elements and standard deployment guidelines. This chapter includes the following sections: “Overview of SonicWALL SSL VPN” section on page 8 •...
  • Page 21: Overview of SonicWALL SSL VPN

    Web and HTTPS proxy forwarding. The SonicWALL SSL VPN network extension client, NetExtender, is available through the SSL VPN Web portal via an ActiveX control on Windows or using Java on MacOS or Linux systems. It is also available through stand-alone applications for Windows, Linux, and MacOS platforms.
  • Page 22: SSL VPN Software Components

    SonicWALL SSL VPN provides clientless identity-based secure remote access to the protected internal network. Using the Virtual Office environment, SonicWALL SSL VPN can provide users with secure remote access to your entire private network, or to individual components such as File Shares, Web servers, FTP servers, remote desktops, or even individual applications hosted on Microsoft Terminal Servers.
  • Page 23 Front Panel Features. Console Port: Provides access to command-line interface. Power LED: Indicates the SonicWALL SSL-VPN appliance is powered on. Test LED: Indicates the SonicWALL SSL-VPN is in test mode. Alarm LED: Indicates a critical error or failure. Default management port. Provides connectivity between the SonicWALL SSL-VPN and your gateway.
  • Page 24 SonicWALL SSL-VPN 2000/4000 Back Panel Features. Exhaust fans: Provides optimal cooling for the SonicWALL SSL-VPN appliance. Power plug: Provides power connection using supplied power cord. Power switch: Powers the SonicWALL SSL-VPN appliance on and off.
  • Page 25: Concepts for SonicWALL SSL VPN

    SSL Handshake Procedure The following procedure is an example of the standard steps required to establish an SSL session between a user and an SSL VPN gateway using the SonicWALL SSL VPN Web-based management interface: When a user attempts to connect to the SonicWALL SSL-VPN appliance, the user’s Web...
  • Page 26: IPv6 Support Overview

    IPv4 design issues. You can use IPv6 without affecting IPv4 communications. Supported on SonicWALL SSL-VPN models 2000 and higher, IPv6 supports stateful address configuration, which is used with a DHCPv6 server, and stateless address configuration, where hosts on a link automatically configure themselves with IPv6 addresses for the link, called link-local addresses.
  • Page 27 When a client connects to NetExtender, it can get an IPv6 address from the SSL-VPN appliance if the client machine supports IPv6 and an IPv6 address pool is configured on the SSL-VPN. NetExtender supports IPv6 client connections from Windows systems running Vista or newer, and from Linux clients. SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 28: Browser Requirements for the SSL VPN Administrator

    Browser Requirements for the SSL VPN Administrator The following Web browsers are supported for the SonicWALL SSL VPN Web-based management interface and the user portal, Virtual Office. Java is only required for various aspects of the SSL VPN Virtual Office, not the management interface.
  • Page 29: Browser Requirements for the SSL VPN End User

    Custom Portals SonicWALL SSL VPN enables you to configure multiple portals, each with its own title, banner, login message, logo and set of available resources. Each portal also enables you to set individual Virtual Hosts/Domain Names (on SonicWALL SSL-VPN models 2000 and higher) to create a unique default portal URL.
  • Page 30: Domains Overview

    106. Domains Overview A domain in the SonicWALL SSL VPN environment is a mechanism that enables authentication of users attempting to access the network being serviced by the SSL-VPN appliance. Domain types include the SSL VPN's internal LocalDomain, and the external platforms Microsoft Active Directory, NT Authentication, LDAP, and RADIUS.
  • Page 31 Gnome and KDE. Multiple Ranges and Routes Multiple range and route support for NetExtender on SonicWALL SSL-VPN models 2000 and higher enables network administrators to easily segment groups and users without the need to configure firewall rules to govern access. This user segmentation allows for granular control of access to the network—allowing users access to necessary resources while...
  • Page 32 Add Group NetExtender Client routes settings are enabled. Point to Point Server IP Address In SonicWALL SSL VPN, the PPP server IP address is 192.0.2.1 for all connecting clients. This IP address is transparent to both the remote users connecting to the internal network and to the internal network hosts communicating with remote NetExtender clients.
  • Page 33 Tunnel All mode can be configured at the global, group, and user levels. Proxy Configuration SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings.
  • Page 34: Network Resources Overview

    The remote user communicates with the SonicWALL SSL-VPN appliance using HTTPS and requests a URL. The URL is then retrieved over HTTP by the SonicWALL SSL-VPN. The URL is transformed as needed, and returned encrypted to the remote user.
  • Page 35: Telnet (Java)

    A Java-based Telnet client delivered through the remote user’s Web browser. The remote user can specify the IP address of any accessible Telnet server and SonicWALL SSL VPN will make a connection to the server. Communication between the user over SSL and the server is proxied using native Telnet.
  • Page 36: Remote Desktop Protocols and Virtual Network Computing

    Java client. The RDP Java client runs on Windows, Linux, and Mac computers, and supports full-screen mode. On Windows clients, SonicWALL SSL VPN supports many advanced options. On Mac OS X 10.5 or above, RDP Java supports the Mac native RDC client.
  • Page 37: Microsoft Outlook Web Access

    Secure Web (HTTPS) File Shares (CIFS) Citrix Portal (Citrix) Microsoft Outlook Web Access SonicWALL SSL-VPN models 2000 and higher include reverse proxy application support for all versions of OWA 2003 and 2007. SonicWALL SSL-VPN 200 supports OWA 2007 light version only. Note Microsoft OWA Premium mode is a Web client for Microsoft Outlook 2003/2007 that simulates the Microsoft Outlook interface and provides more features than basic OWA.
  • Page 38: Windows Sharepoint Services (Version 3.0)

    Active Directory groups needing access to Outlook Web Access. Windows Sharepoint Services (version 3.0) SonicWALL SSL VPN reverse proxy application support for Windows Sharepoint Services 3.0 is supported on SonicWALL SSL-VPN models 2000 and higher, and includes the following features: Site Templates •...
  • Page 39: Lotus Domino Web Access 7

    Only forms-based authentication and basic authentication schemes are supported Lotus Domino Web Access 7 SonicWALL SSL VPN reverse proxy application support for Domino Web Access 7 is supported on SonicWALL SSL-VPN models 2000 and higher, and includes the following features: Email •...
  • Page 40: SNMP Overview

    DNS Overview The administrator can configure DNS on the SonicWALL SSL-VPN appliance to enable it to resolve host names with IP addresses. The SonicWALL SSL VPN Web-based management interface allows the administrator to configure a hostname, DNS server addresses, and WINS server addresses.
  • Page 41: One Time Password Overview

    VASCO is a public company that provides user authentication products. VASCO utilizes Digipass tokens to authenticate through a VACMAN Middleware server. VASCO is supported on all SonicWALL SSL-VPN platforms. One Time Password Overview This section provides an introduction to the One Time Password feature. This section contains the following topics: “What is One Time Password?”...
  • Page 42 What is One Time Password? The SonicWALL SSL VPN One Time Password feature adds a second layer of login security to the standard username and password. A one-time password is a randomly generated, single-use password. The SonicWALL SSL VPN One Time Password feature is a two-factor authentication scheme that utilizes one-time passwords in addition to standard user name and password credentials, providing additional security for SonicWALL SSL VPN users.
  • Page 43 Configuring One Time Passwords for SMS-Capable Phones SonicWALL SSL VPN One Time Passwords can be configured to be sent via email directly to SMS-capable phones. Contact your cell phone service provider for further information about enabling SMS (Short Message Service).
  • Page 44: Virtual Assist Overview

    • What is Virtual Assist? Virtual Assist is an easy to use tool that allows SonicWALL SSL VPN users to remotely support customers by taking control of their computers while the customer observes. Providing support to customers is traditionally a costly and time consuming aspect of business. Virtual Assist creates a simple to deploy, easy to use remote support solution.
  • Page 45: How Does Virtual Assist Work

    The technician monitors the Assistance Queue for customers requesting assistance. The customer requests assistance by one of the following methods: Logs into the SonicWALL SSL VPN Virtual Office and clicks on the Virtual Assist link. Receives an email invitation from the technician and clicks on the link to launch Virtual...
  • Page 46: Launching A Virtual Assist Technician Session

    Launching a Virtual Assist Technician Session To launch a Virtual Assist session as a technician, perform the following steps. Step 1: Log in to the SonicWALL SSL-VPN security appliance Virtual Office. If you are already logged in to the SonicWALL SSL VPN customer interface, click on the Virtual Office button.
  • Page 47 A shortcut will be added to your desktop and a link to the application will be added to the program list on your Start Menu. Click No to launch Virtual Assist without saving the application for future use. SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 48 Step 6: If you clicked Yes to save the application, you will be prompted to select a location to save the file. Select an appropriate location, such as C:\Program Files\SonicWALL. When Virtual Assist launches for the first time, you may see a security warning pop-up window.
  • Page 49: Performing Virtual Assist Technician Tasks

    Step 9: The technician is now ready to assist customers. Performing Virtual Assist Technician Tasks To get started, the technician logs into the SonicWALL SSL-VPN appliance and launches the Virtual Assist application. Each technician can only assist one customer at a time.
  • Page 50 Step 1: A pop-up window in the lower right task bar alerts the technician when a customer is in the assistance queue. Step 2: Double-click on a customer’s user name to begin assisting the customer.
  • Page 51 Chat - Launches the chat window to communicate with the customer. The technician can also use the dedicated chat window in the bottom left window of the Virtual Assist application.
  • Page 52 Select Request Full Control under the Commands menu to issue a request that will appear on the customer’s desktop. SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 53 Note: File Transfer supports the transfer of single or multiple files. It does not currently support the transfer of directories. To select multiple files, hold down the Ctrl button while clicking on the files.
  • Page 54: Enabling A System For Virtual Access

    Portal: The name of the portal the technician would normally log in to. Computer Name: This is an identifier for the system to help differentiate between other systems that may be waiting for support in the queue.
  • Page 55 An administrator can forcibly remove a system from the queue. If this occurs, the Virtual Access system should no longer attempt to connect to the support queue and should display an error message. Note: For tasks and information on using Virtual Assist as an end-user, refer to the SonicWALL SSL VPN User’s Guide.
  • Page 56: Web Application Firewall Overview

    Web Application Firewall Overview This section provides an introduction to the Web Application Firewall feature. Web Application Firewall is supported on SSL-VPN 2000 and SSL-VPN 4000 platforms only. This section contains the following topics: “What is Web Application Firewall?” section on page 43 •...
  • Page 57 Web application running on a server behind the SSL-VPN appliance. The portal must be configured as a virtual host. It is possible to disable authentication and access policy enforcement for such an offloaded host. If SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 58: Benefits Of Web Application Firewall

    Application offloading avoids URL rewriting, which improves the proxy performance and functionality. There are several benefits of integrating Web Application Firewall with SonicWALL SSL-VPN appliances. Firstly, identity-based policy controls are core to Web Application Firewall and this is easily achievable using SSL VPN technology. Secondly, there are lower latencies due to the existing hardware-based SSL offloading.
  • Page 59 Reference vulnerabilities, the Web Application Firewall feature uses a black list of signatures that are known to make Web applications vulnerable. New updates to these signatures are periodically downloaded from a SonicWALL signature database server, providing protection from recently introduced attacks.
  • Page 60 Firewall feature rewrites all URLs contained in a Web page similarly to how they are rewritten by the Reverse Proxy for HTTP(S) Bookmarks feature. If CSRF protection is enabled, this is also performed for Application Offloading. SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 61 How are Slowloris Attacks Prevented? Slowloris attacks can be prevented if there is an upstream device, such as a SonicWALL SSL-VPN security appliance, that limits, buffers, or proxies HTTP requests. Web Application Firewall uses a rate-limiter to thwart Slowloris HTTP Denial of Service attacks.
  • Page 62: Navigating the SSL VPN Management Interface

    Step 1: Connect one end of a CAT-5 cable into the X0 port of your SonicWALL SSL-VPN appliance. Connect the other end of the cable into the computer you are using to manage the SonicWALL SSL-VPN appliance. SonicWALL SSL VPN Appliance...
  • Page 63 Navigating the SSL VPN Management Interface Note: The number and duration of login attempts can be controlled by the use of the SonicWALL SSL VPN auto-lockout feature. For information on configuring the auto-lockout feature, refer to the “Configuring Login Security” section on page When you have successfully logged in, you will see the default page, System >...
  • Page 64: Navigating The Management Interface

    Navigating the SSL VPN Management Interface Navigating the Management Interface The SonicWALL SSL VPN Web-based management interface allows the administrator to configure the SonicWALL SSL-VPN appliance. The management interface contains two main types of objects: Windows - Displays information in a read-only format.
  • Page 65: Status Bar

    If the settings are contained in a secondary window or dialog box within the management interface, the settings are automatically applied to the SonicWALL SSL-VPN appliance when you click OK. SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 66 Export Log: Allows the administrator to export a log. Clear Log: Allows the administrator to clear the log entries. Restarting: The System > Restart page provides a Restart button for restarting the SonicWALL SSL-VPN appliance. Note: Restarting takes approximately 2 minutes and causes all users to be disconnected.
  • Page 67: Navigation Bar

    The Logout button in the upper right corner of the management interface terminates the management session. When you click the Logout button, you are logged out of the SonicWALL SSL VPN management interface and the Web browser is closed. Navigation Bar The SonicWALL navigation bar is located on the left side of the SonicWALL SSL VPN management interface and is comprised of a hierarchy of menu headings.
  • Page 68 Submenus and actions under System. Status: View status of the appliance. Licenses: View, activate, and synchronize licenses with the SonicWALL licensing server for Nodes and Users, Virtual Assist, and ViewPoint. Time: Configure time parameters. Settings: Import, export, and store settings. Administration: Configure login security and GMS settings.
  • Page 69: Deployment Guidelines

    Virtual Office N/A Access the Virtual Office portal home page. Deployment Guidelines This section provides information about deployment guidelines for the SonicWALL SSL-VPN appliance. This section contains the following subsections: “Support for Numbers of User Connections” section on page 56 •...
  • Page 70: Resource Type Support

    For optimal performance, SonicWALL recommends that the number of concurrent tunnels be limited to fewer than 50 for the SonicWALL SSL-VPN 2000 appliance and approximately 200 for the SonicWALL SSL-VPN 4000 appliance. Factors such as the complexity of applications in use and the sharing of large files can impact performance.
  • Page 71 SonicWALL does not recommend this type of deployment, because it introduces a number of potential security issues and creates an additional breakpoint in the network since the appliance is essentially a packet filter and is not stateful.
  • Page 72: System Configuration

    This chapter provides information and configuration tasks specific to the System pages on the SonicWALL SSL VPN Web-based management interface, including registering your SonicWALL SSL-VPN appliance, setting the date and time, configuring system settings, system administration and system certificates. This chapter contains the following sections: “System >...
  • Page 73: System > Status

    This section provides an overview of the System > Status page and a description of the configuration tasks available on this page. “System > Status Overview” section on page 60 • “Registering Your SonicWALL SSL-VPN from System Status” section on page 62 • “Configuring Network Interfaces” section on page 64 •...
  • Page 74: System Information

    “Log messages and one-time passwords cannot be sent because you have not specified an outbound SMTP server address.” System Information The System Information section displays details about your specific SonicWALL SSL-VPN appliance. The following information is displayed in this section: Table 7...
  • Page 75: Registering Your SonicWALL SSL-VPN from System Status

    Before You Register Verify that the time, DNS, and default route settings on your SonicWALL SSL VPN are correct before you register your appliance. These settings are generally configured during the initial SonicWALL SSL VPN setup process. To verify or configure the time settings, navigate to the System >...
  • Page 76 System > Status Step 1: If you are not logged into the SonicWALL SSL VPN management interface, log in with the username admin and the administrative password you set during initial setup of your SonicWALL SSL-VPN (the default is password). For information about configuring the administrative password, refer to the SonicWALL SSL VPN Getting Started Guide.
  • Page 77: Configuring Network Interfaces

    VPN appliance administrator can configure the IP address of the primary (X0) interface, and also optionally configure additional interfaces for operation. For a port on your SonicWALL SSL-VPN appliance to communicate with a firewall or target device on the same network, you need to assign an IP address and a subnet mask to the interface.
  • Page 78 System > Licenses The System > Licenses page also provides a link to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licenses for your SonicWALL SSL-VPN appliance.
  • Page 79 Before You Register Verify that the time, DNS, and default route settings on your SonicWALL SSL VPN are correct before you register your appliance. These settings are generally configured during the initial SonicWALL SSL VPN setup process.
  • Page 80: Registering the SSL-VPN from System > Licenses

    System > Licenses Registering the SSL-VPN from System > Licenses On a new SonicWALL SSL-VPN appliance or after upgrading to SonicWALL SSL VPN 3.0 firmware from an earlier release, you can register your appliance from the System > Licenses page.
  • Page 81 Step 2: Enter your MySonicWALL user name and password into the fields and then click Submit. The display changes. Step 3: Enter a descriptive name for your SonicWALL SSL-VPN in the Friendly Name field. Step 4: Under Product Survey, fill in the requested information and then click Submit. The display changes to inform you that your SonicWALL SSL VPN is registered.
  • Page 82: Activating Or Upgrading Licenses

    Note: After registration, some network environments require the SSL-VPN appliance to be offline so that it is unable to connect to the SonicWALL licensing server. In this mode, the appliance will still honor the valid licenses; however, time-based licenses may not be valid.
  • Page 83 New License Key # field(s), and then click Submit. Step 6: After completing the activation or upgrading process, click Synchronize to update the appliance license status from the SonicWALL licensing server. Rebooting the appliance will also update the license status.
  • Page 84: System > Time

    System > Time Overview The System > Time page provides the administrator with controls to set the SonicWALL SSL-VPN system time, date and time zone, and to set the SonicWALL SSL-VPN appliance to synchronize with one or more NTP servers.
  • Page 85: Setting The Time

    It is imperative that the system time be set accurately for optimal performance and proper registration. Note: For optimal performance, the SonicWALL SSL-VPN appliance must have the correct time and date configured.
  • Page 86: System > Settings

    “Managing Firmware” section on page 76 • System > Settings Overview The System > Settings page allows the administrator to manage the firmware and related settings of the SonicWALL SSL-VPN appliance: Figure 9 System > Settings Page Settings The Settings section allows the administrator to automatically store settings after changes and to encrypt the settings file.
  • Page 87: Managing Configuration Files

    There is also an option to be notified when new firmware becomes available. Managing Configuration Files SonicWALL allows you to save and import file sets that hold the SSL VPN configuration settings. These file sets can be saved and uploaded through the System > Settings page in the SSL VPN management interface.
  • Page 88: Importing A Configuration File

    Note: Make sure you are ready to reconfigure your system. Once you import the file, the system overwrites the existing settings immediately. Step 5: Once the file has been imported, restart the appliance to make the changes permanent.
  • Page 89: Managing Firmware

    To be notified when new firmware is available, select the Notify me when new firmware is available checkbox. Downloading Firmware To download firmware, click the download icon next to the Firmware Image version you want to download. SonicWALL SSL VPN 4.0 Administrator’s Guide...
  • Page 90 The backup may take up to two minutes. When the backup is complete, the Status at the bottom of the screen will display the message “System Backup Successful.” Note: The Create Backup button is only available on the SonicWALL SSL-VPN 2000 and 4000.
  • Page 91: System > Administration

    See the following sections: “Login Security” section on page 79; “GMS Settings” section on page 79; “Web Management Settings” section on page 79. Figure 11: System > Administration Page
  • Page 92: Configuring Login Security

    The minimum for the Streaming Update Interval field is 1 second, the default is 10 seconds, and the maximum is 99,999. Configuring Login Security SonicWALL SSL VPN login security provides an auto lockout feature to protect against unauthorized login attempts on the user portal. Complete the following steps to enable the auto lockout feature: Navigate to System >...
  • Page 93: Enabling GMS Management

    SonicWALL Internet security appliances, including global administration of multiple site-to-site VPNs from a central location. Complete the following steps to enable SonicWALL GMS management of your SonicWALL SSL-VPN appliance: Navigate to System > Administration.
  • Page 94: System > Certificates Overview

    The Server Certificates section allows the administrator to import and configure a server certificate, and to generate a CSR (certificate signing request). A server certificate is used to verify the identity of the SonicWALL SSL-VPN appliance. The SSL-VPN presents its server certificate to the user’s browser when the user accesses the login page.
  • Page 95: Certificate Management

    In order to get a valid certificate from a widely accepted CA such as RapidSSL, Verisign, or Thawte, you must generate a Certificate Signing Request (CSR) for your SonicWALL SSL-VPN appliance. To generate a certificate signing request, perform the following steps: Navigate to the System >...
  • Page 96: Viewing Certificate And Issuer Information

    (no directories) and contain only server.key and server.crt files. To import a certificate, perform the following steps: Step 1: Navigate to the System > Certificates page. Step 2: Click Import Certificate. The Import Certificate dialog box is displayed. Step 3: Click Browse.
  • Page 97: Adding Additional Ca Certificates

    Step 6: To add the new CA certificate to the Web server’s active CA certificate list, the Web server must be restarted. Restart the SonicWALL SSL-VPN appliance to restart the Web server. System > Monitoring This section provides an overview of the System > Monitoring page and a description of the configuration tasks available on this page.
  • Page 98: System > Monitoring Overview

    System > Monitoring Overview The SonicWALL SSL-VPN appliance provides configurable monitoring tools that enable you to view usage and capacity data for your appliance. The System > Monitoring page provides the administrator with four monitoring graphs: • Active Concurrent Users...
  • Page 99: Setting The Monitoring Period

    – Last 30 Minutes – Last 24 Hours – Last 30 Days Refreshing the Monitors To refresh the monitors, click the Refresh button at the top right corner of the System > Monitoring page.
  • Page 100: System > Diagnostics

    Tech Support Report Downloading a Tech Support Report records system information and settings that are useful to SonicWALL Technical Support when analyzing system behavior. To download the Tech Support report, click Download Report under Tech Support Report. For information about configuration tasks related to the Tech Support Report section, refer to the “Downloading the Tech Support...
  • Page 101: Downloading The Tech Support Report

    SSL-VPN. Performing Diagnostic Tests You can perform standard network diagnostic tests on the SonicWALL SSL-VPN appliance in the System > Diagnostics page. To run a diagnostic test, perform the following steps: Navigate to the System > Diagnostics page.
  • Page 102: System > Restart

    • “System > Restart Overview” section on page 89 • “Restarting the SonicWALL SSL-VPN” section on page 89 System > Restart Overview The System > Restart page allows the administrator to restart the SonicWALL SSL-VPN appliance. Figure 15 System > Restart Page Restarting the SonicWALL SSL-VPN To restart the SSL-VPN appliance: Navigate to System >...
  • Page 104: Network Configuration

    Chapter 3: Network Configuration This chapter provides information and configuration tasks specific to the Network pages on the SonicWALL SSL VPN Web-based management interface. Network tasks for the SonicWALL SSL-VPN appliance include configuring network interfaces, DNS settings, routes, and host resolution.
  • Page 105: Network > Interfaces

    X0, X1, X2, X3, and where available, the X4 and X5 interfaces on the SonicWALL SSL-VPN appliance. For a port on your SonicWALL SSL-VPN appliance to communicate with a firewall or target device on the same network, you need to assign an IP address and a subnet mask to the interface.
  • Page 106 Step 1 you want to configure. Step 2: In the Edit Interfaces dialog box on the SonicWALL SSL-VPN appliance, type an unused static IP address in the IP Address field. This IP address should reside within the local subnet to which your SonicWALL SSL-VPN appliance is connected.
  • Page 107: Network > Dns

    Step 6: For the Management options, if you want to enable remote management of the SonicWALL SSL-VPN appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, and/or Ping. Step 7: Click OK. Network > DNS This section provides an overview of the Network >...
  • Page 108: Configuring Hostname Settings

    To configure a hostname, perform the following steps: Step 1: Navigate to the Network > DNS page. Step 2: In the Hostname region, type a hostname for the SonicWALL SSL-VPN appliance in the SSL VPN Gateway Hostname field. Click Accept.
  • Page 109: Network > Routes

    IPv4 gateway and interface, and/or default IPv6 (for SSL-VPN models 2000 and higher) gateway and interface. The number of interfaces differs among appliance models (X0, X1, X2, X3 for SSL-VPN 2000; X0, X1, X2, X3, X4, X5 for SSL-VPN 4000). A default network route is required for Internet access.
  • Page 110: Configuring A Default Route For The Ssl-Vpn Appliance

    Configuring a Default Route for the SSL-VPN Appliance You must configure a default gateway on your SonicWALL SSL-VPN appliance for it to be able to communicate with remote networks. A remote network is any IP subnet different from its own.
  • Page 111 Step 4: In the Default Gateway field, type the IP address of the gateway device that connects the appliance to the network. On a SonicWALL SSL-VPN model 2000 or higher, you can enter an IPv6 address. Step 5: In the Interface drop-down list, select the interface that connects the appliance to the desired destination network.
  • Page 112: Network > Host Resolution

    Note itself. Do not delete it. The SonicWALL SSL-VPN appliance can act as both a NetBIOS and WINS (Windows Internet Name Service) client to learn local network host names and corresponding IP addresses. To resolve a host name to an IP address, perform the following steps: Navigate to the Network >...
  • Page 113: Network > Network Objects

    Step 6: Click Add. The Host Resolution page now displays the new host name. Step 7: On a SonicWALL SSL-VPN model 2000 or higher, optionally select the Configure auto-added hosts checkbox on the Network > Host Resolution page. If this option is selected, you can edit or delete automatically added Host entries (such as for IPv6).
  • Page 114: Configuring Network Objects

    Network Objects list. Step 6: If the object is not fully defined with at least one IP address or network range, the status Incomplete will display. Note: Policies cannot be created for incomplete network objects.
  • Page 115 Step 9 dialog box is displayed. Step 10: In the Define Object Address dialog box on the SonicWALL SSL-VPN model 2000 or higher, click on the Object Type drop-down list and select an object type. The four object types are: IP Address - A single IP address.
  • Page 116 Prefix field. Step 12: Click Add. Step 13: When finished adding addresses, click Close in the Edit Network Object dialog box.
  • Page 118: Portals Configuration

    Chapter 4: Portals Configuration This chapter provides information and configuration tasks specific to the Portals pages on the SonicWALL SSL VPN Web-based management interface, including configuring portals, assigning portals, and defining authentication domains, such as RADIUS, NT Domain, LDAP, and Active Directory.
  • Page 119: Portals > Portals

    Legacy portals are indicated in the Description column. These portals retain the classic interface from SonicOS SSL VPN releases prior to 3.5. The administrator may choose to keep a legacy portal rather than upgrade it if the portal has been customized or for other reasons.
  • Page 120: Adding Portals

    Portals > Portals Additional Information About the Portal Home Page For most SonicWALL SSL VPN administrators, a plain text home page message and a list of links to network resources is sufficient. For administrators who want to display additional content on the user portal, review the following information.
  • Page 121 Virtual Host/Domain Name Used in environments where multiple portals are offered, allowing simple redirection to the portal URL using virtual hosts. This option is only available on SonicWALL SSL-VPN models 2000 and higher. Portal URL The URL that is used to access this specific portal.
  • Page 122: Configuring General Portal Settings

    Step 3: On the General tab, enter a descriptive name for the portal in the Portal Name field. This name will be part of the path of the SonicWALL SSL-VPN appliance portal URL. For example, if your SonicWALL SSL-VPN portal is hosted at https://vpn.company.com, and you created a portal named “sales”, then users will be able to access the sub-site at https://vpn.company.com/...
  • Page 123: Configuring The Home Page

    Step 10: Select the Enable ActiveX Web cache cleaner checkbox to load an ActiveX cache control when users log in to the SonicWALL SSL-VPN appliance. The Web cache cleaner will prompt the user to delete all session temporary Internet files, cookies and browser history when the user logs out or closes the Web browser window.
  • Page 124 113. Display File Shares Provide a link to the File Shares (Windows CIFS/SMB) Web interface so that authenticated SonicWALL SSL VPN users may use NT file shares according to their domain permissions. See “File Sharing Using “Applet as Default”” section on page 113...
  • Page 125 Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so will disable access to the DFS file shares from other domains. The SonicWALL SSL-VPN is not a domain member and will not be able to connect to the DFS shares.
  • Page 126 Add Portal or Edit Portal screen displays. Step 3: Click the Home Page tab. Step 4: Select the Display File Shares checkbox. Step 5: Select the Use Applet as Default checkbox. Step 6: Click the OK button to save changes.
  • Page 127: Configuring Per-Portal Virtual Assist Settings

    Portals > Portals Configuring Per-Portal Virtual Assist Settings (Virtual Assist is supported only on SonicWALL SSL-VPN models 2000 and higher.) The administrator can enable Virtual Assist on a per-portal basis. This option is only available on SonicWALL SSL-VPN models 2000 and higher.
  • Page 128: Configuring Virtual Host Settings

    Step 12 Configuring Virtual Host Settings (Virtual Host is supported only on SonicWALL SSL-VPN models 2000 and higher.) Creating a virtual host allows users to log in using a different hostname than your default URL. For example, sales members can access https://sales.company.com instead of the default domain, https://vpn.company.com that you use for administration.
  • Page 129: Adding A Custom Portal Logo

    On SonicWALL SSL-VPN models 2000 and higher, the Custom Logo Settings section allows the administrator to upload a custom portal logo and to toggle between the default SonicWALL logo and a custom uploaded logo. You must add the portal before you can upload a custom logo.
  • Page 130 Step 6: Click the Update Logo button to transfer the logo to the SSL-VPN appliance. Step 7: Click the Default Logo button to revert to the default SonicWALL logo. Click the OK button to save changes.
  • Page 131: Portals > Application Offloading

    Portals > Application Offloading (Application Offloading is supported only on SonicWALL SSL-VPN models 2000 and higher.) The Portals > Application Offloading page in the management interface provides an overview of the Application Offloading functionality available from the Portals > Portals page.
  • Page 132: Configuring An Offloaded Application

    Reverse Proxy feature module, available at: http://www.sonicwall.com/downloads/SSL_VPN_3.5_Reverse_Proxy.pdf Configuring an Offloaded Application On SonicWALL SSL-VPN models 2000 and higher, to offload a Web application, perform the following steps: Step 1: Navigate to Portals > Portals and click the Offload Web Application button. The Add Portal screen opens.
  • Page 133 <input type=text name='userid'> • Configure the Password Form Field to be the same as the ‘name’ or ‘id’ attribute of the HTML element representing Password in the Login form, for example: <input type=password name='PASSWORD' id='PASSWORD' maxlength=128>
  • Page 134 See the “Portals > Domains” section on page 122 for information about creating a domain. Step 16: Update your DNS server for this virtual host domain name and alias (if any).
  • Page 135: Portals > Domains

    • Domain name • Portal name • Group (AD, RADIUS) or multiple Organizational Unit (LDAP) support (optional) • Require client digital certificates (optional) • One-time passwords (optional) Figure 22 Portals > Domains Page
  • Page 136: Adding A Domain With Local User Database Authentication

    Step 3: Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN portal. Step 4: Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the Portals >...
  • Page 137: Adding A Domain With Radius Authentication

    Adding a Domain with RADIUS Authentication To create a domain with RADIUS authentication, perform the following steps: Step 1: On the Portals > Domains page, click Add Domain to display the Add Domain dialog box.
  • Page 138 Step 3: Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL-VPN appliance portal. Step 4: Select the proper Authentication Protocol for your RADIUS server. Choose from PAP, CHAP, MSCHAP, or MSCHAPV2.
  • Page 139 Step 21: Enter your RADIUS user ID in the User ID field and your RADIUS password in the Password field. Step 22: Click Test. SonicWALL SSL VPN will connect to your RADIUS server. Step 23: If you receive the message Server not responding, check your user ID and password and click the General tab to verify your RADIUS settings.
  • Page 140: Adding A Domain With Nt Domain Authentication

    Step 3: Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name selected by users when they authenticate to the SonicWALL SSL-VPN appliance portal. It may be the same value as the NT Domain Name.
  • Page 141: Adding A Domain With Ldap Authentication

    Step 3: Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL-VPN appliance user portal. It can be the same value as the Server Address field.
  • Page 142 One Time Password email address configured will not be allowed to login. • using domain name - Users in the domain will use the One Time Password feature. One Time Password emails for all users in the domain will be sent to username@domain.com.
  • Page 143: Adding A Domain With Active Directory Authentication

    Note: Of all types of authentication, Active Directory authentication is most sensitive to clock skew, or variances in time between the SonicWALL SSL-VPN appliance and the Active Directory server against which it is authenticating. If you are unable to authenticate using Active Directory, refer to “Active Directory Troubleshooting”...
  • Page 144 Step 3: Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL-VPN appliance portal. It can be the same value as the Server Address field or the Active Directory Domain field, depending on your network configuration.
  • Page 145: Viewing The Domain Settings Table

    (the SonicWALL SSL-VPN appliance). The easiest way to solve this issue is to configure Network Time Protocol on the System > Time page of the SonicWALL SSL VPN Web-based management interface and check that the Active Directory server has the correct time settings.
  • Page 146: Configuring Two-Factor Authentication

    • “Configuring the VASCO VACMAN Middleware” section on page 138 Configuring the RSA Authentication Manager (RSA is supported only on SonicWALL SSL-VPN models 2000 and higher.) The following sections describe how to configure the RSA Authentication Manager version 6.1 to perform two-factor authentication with your SonicWALL SSL-VPN appliance: “Adding an Agent Host Record for the SonicWALL SSL-VPN Appliance”...
  • Page 147 Step 7 Adding the SonicWALL SSL-VPN as a RADIUS Client After you have created the Agent Host record, you must add the SonicWALL SSL-VPN to the RSA Authentication Manager as a RADIUS client. To do so, perform the following steps: In RSA Authentication Manager, go to the RADIUS menu and select Manage RADIUS Server.
  • Page 148 Importing Tokens and Adding Users After you have configured the RSA Authentication Manager to communicate with the SonicWALL SSL-VPN appliance, you must import tokens and add users to the RSA Authentication Manager. To import tokens and add users, perform the following steps:...
  • Page 149 Navigate to the token XML file and click Open. The token file is imported. Step 3: The Import Status window displays information on the number of tokens imported to the RSA Authentication Manager.
  • Page 150 Step 7: Select either Allowed to Create a PIN or Required to Create a PIN. Allowed to Create a PIN gives users the option of either creating their own PIN or having the system generate a random PIN. Required to Create a PIN requires the user to create a PIN.
  • Page 151 Step 11: Give the user their RSA SecurID Authenticator and instructions on how to log in, create a PIN, and use the RSA SecurID Authenticator. See the SonicWALL SSL VPN User Guide for more information. Configuring the VASCO VACMAN Middleware The following sections describe how to configure two-factor authentication using VASCO’s...
  • Page 152 Step 6: Enter the RADIUS shared secret in the Shared Secret and Confirm Shared Secret fields. Adding the SSL-VPN Appliance to VASCO To add the SonicWALL SSL-VPN appliance to VACMAN Middleware Administrator as a RADIUS client, perform the following steps. Expand the VACMAN Server tree.
  • Page 153 VACMAN middleware. To do this, perform the following steps. Step 1: Right-click on the Digipass node under the VACMAN server tree. Step 2: Click Import Digipass. Step 3: Click Browse, navigate to the location of the Digipass import file, and click Open.
  • Page 154 Step 6 Assigning Digipass Tokens to Users After you have imported the Digipass tokens and created the users, you need to assign the Digipass tokens to the users. To do so, perform the following steps.
  • Page 155 Step 3: Enter the username in the User ID field and click the Find button. When the username is displayed in the Search Results window, select the username and click OK to assign the Digipass token.
  • Page 156: Portals > Custom Logo

    Portals > Custom Logo On SonicWALL SSL-VPN 2000 and 4000 appliances, beginning with the SSL VPN 2.5 release, portal logos are no longer configured globally from the Portals > Custom Logo page. Custom logos are uploaded on a per-portal basis from the Logo tab in the Portal Logo Settings dialogue.
  • Page 158: Services Configuration

    Chapter 5: Services Configuration This chapter provides information and configuration tasks specific to the Services pages on the SonicWALL SSL VPN Web-based management interface, including configuring settings, bookmarks, and policies for various application layer services, such as HTTP/HTTPS, Citrix, RDP, and VNC.
  • Page 159: Services > Settings

    In the Cache Size field, define the size of the desired content cache. 5 MB is the default setting, but administrators may set any size in the valid range from two to 20 MB. Select the Flush button to flush the content cache.
  • Page 160 Step 2: In the Email Body field, type the desired text for the one-time password email message body. The default message is simply the one-time password itself (represented here as %OneTimePassword%). Variables can be used in the subject or body of a one-time password email:
  • Page 161 Step 5: Click the Accept button in the upper right corner of the Services > Settings page to save your changes. For more information about the One Time Passwords feature, refer to the “One Time Password Overview” section on page...
  • Page 162: Services > Bookmarks

    Step 2: Fill in the Bookmark Name field with a friendly name for the service bookmark. Step 3: Fill in the Name or IP Address field with hostname, IP address, or IPv6 address for the desired bookmark. IPv6 addresses should begin with “[” and end with “]”.
  • Page 163 IP Address: 10.20.30.4; IPv6 Address: 2008::1:2:3:4; IP:Port (non-standard): 10.20.30.4:6818 or [2008::1:2:3:4]:6818; FQDN: JBJONES-PC.sv.us.sonicwall.com; Host name: JBJONES-PC. SSHv1 / SSHv2: IP Address: 10.20.30.4; IPv6 Address: 2008::1:2:3:4; IP:Port (non-standard): 10.20.30.4:6818 or [2008::1:2:3:4]:6818; FQDN: JBJONES-PC.sv.us.sonicwall.com; Host name: JBJONES-PC
  • Page 164 Name or IP Address field would be 192.168.2.2:5901:1. Step 4: Use the Service drop-down menu to select the desired bookmark service. Use the following information for the chosen service to complete the building of the bookmark.
  • Page 165 > Printers and Faxes), select Redirect Ports as well as Redirect Printers. Select the checkboxes for any of the following additional features for use in this bookmark session: Display connection bar, Auto reconnection, Desktop background, Window drag, Menu/window animation, Themes, or Bitmap caching.
  • Page 166 XenApp plugin (an ActiveX client) must be used with IE. This setting lets users avoid installing a Citrix ICA client or XenApp plugin specifically for IE browsers. Java is used with Citrix by default on other browsers and also works with IE. Enabling this checkbox leverages this portability.
  • Page 167 Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so will disable access to the DFS file shares from other domains. The SonicWALL SSL-VPN is not a domain member and will not be able to connect to the DFS shares.
  • Page 168 “X” icon in the Configure column. A dialog box will open and ask if you are sure you want to delete the specified bookmark. Click OK to delete the bookmark. The bookmark will no longer appear in the Services > Bookmarks screen.
  • Page 169: Services > Policies

    URL object. On SonicWALL SSL-VPN models 2000 and higher, you can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy dialog box changes depending on what type of object you select in the Apply Policy To drop-down list.
  • Page 170 Step 4: Select the service type in the Service drop-down list. If you are applying a policy to a network object, the service type is defined in the network object. Step 5: Select ALLOW or DENY from the Status drop-down list to either allow or deny SonicWALL SSL VPN connections for the specified service and host machine.
  • Page 171 Configure column. A dialog box will open and ask if you are sure you want to delete the specified policy. Click OK to delete the policy. The policy will no longer appear in the Services > Policies screen.
  • Page 172: Netextender Configuration

    Point-to-Point Protocol (PPP). NetExtender allows remote clients to have seamless access to resources on your local network. Users can access NetExtender two ways: Using the NetExtender button on the SonicWALL SSL VPN user portal, or by using the NetExtender standalone client, which is installed by clicking on the NetExtender button in the SonicWALL SSL VPN Web-based management interface.
  • Page 173: Netextender > Status

    SonicWALL SSL-VPN appliance expressed as day, date, and time (HH:MM:SS). Logged in The amount of time since the user first established connection with the SonicWALL SSL-VPN appliance expressed as number of days and time (HH:MM:SS). Logout Provides the administrator the ability to logout a NetExtender session.
  • Page 174: Netextender > Client Settings

    The NetExtender > Client Settings page allows the administrator to specify the global client address range. The address range can be specified for both IPv4 and, on SonicWALL SSL-VPN models 2000 and higher, IPv6. An IPv6 address pool for NetExtender is optional, while an IPv4 address pool is required.
  • Page 175: Configuring Global Netextender Settings

    Step 7 addresses. Configuring Global NetExtender Settings SonicWALL SSL VPN provides several settings to customize the behavior of NetExtender when users connect and disconnect. To configure global NetExtender client settings, perform the following steps: Navigate to the NetExtender > Client Settings page.
  • Page 176: Netextender > Client Routes

    NetExtender > Client Routes Overview The NetExtender > Client Routes page allows the administrator to add and configure client routes. Note: IPv6 client routes are supported only on SonicWALL SSL-VPN models 2000 and higher. Figure 25 NetExtender > Client Routes...
  • Page 177: Netextender User And Group Settings

    DMZ with the network 192.168.50.0/24 and you want to provide access to your LAN network 192.168.168.0/24, you would enter 192.168.168.0. On SonicWALL SSL-VPN models 2000 and higher, you can enter an IPv6 route in the Destination Network field, in the form 2007::1:2:3:0.
  • Page 178 Step 2: To give this user the same IP address every time the user connects, enter the IP address in both fields. Step 3: On SonicWALL SSL-VPN models 2000 and higher, to configure an IPv6 address range for this user, enter the beginning of the range in the Client IPv6 Address Range Begin field and the end of the range in the Client IPv6 Address Range End field.
  • Page 179 Edit User Settings window. Add Client Route button. Step 2 Type the IPv4 or, on SonicWALL SSL-VPN models 2000 and higher, IPv6 address of the trusted Step 3 network to which you would like to provide access with NetExtender in the Destination Network field.
  • Page 180: Configuring Group-Level Netextender Settings

    Step 1 Address Range Begin field and the end of the range in the Client Address Range End field. Step 2: On SonicWALL SSL-VPN models 2000 and higher, to configure an IPv6 address range for this group, enter the beginning of the range in the Client IPv6 Address Range Begin field and the end of the range in the Client IPv6 Address Range End field.
  • Page 181 Step 2: To add a NetExtender client route that will only be added to users in this group, click the Add Client Route button. Step 3: Type the IPv4 or, on SonicWALL SSL-VPN models 2000 and higher, IPv6 address of the trusted network to which you would like to provide access with NetExtender in the Destination Network field.
  • Page 182: Virtual Assist Configuration

    This chapter provides information and configuration tasks specific to the Virtual Assist pages on the SonicWALL SSL VPN Web-based management interface. Supported on SonicWALL SSL-VPN models 2000 and higher, Virtual Assist is an easy to use tool that allows SonicWALL SSL VPN users to remotely support customers by taking control of their computers while the customer observes.
  • Page 183: Virtual Assist > Status

    For information about using Virtual Assist as a technician, see the following sections: • “Launching a Virtual Assist Technician Session” section on page 33 • “Performing Virtual Assist Technician Tasks” section on page 36
  • Page 184: Virtual Assist > Settings

    Step 5: (Optional) To change the URL that customers use to access Virtual Assist, enter it in the Customer Access Link field. This may be necessary if your SonicWALL SSL-VPN appliance requires a different access URL when outside the network.
  • Page 185: Request Settings

    Step 6: Enter a value in the Pending Request Expired field to have customers automatically removed from the queue if they are not assisted within the specified number of minutes. The default 0 does not remove unassisted customers.
  • Page 186: Notification Settings

    • %EXPERTNAME% - The name of the technician sending the invitation email. • %CUSTOMERMSG% - The disclaimer configured on the General Settings tab. • %SUPPORTLINK% - The URL for accessing Virtual Assist. • %ACCESSLINK% - The URL for accessing the SSL VPN Virtual Office.
  • Page 187: Customer Portal Settings

    To customize the appearance of the Virtual Assist customer portal, perform the following tasks: Step 1: On the Virtual Assist > Settings page, click the Customer Portal Settings tab at the bottom of the page.
  • Page 188: Restriction Settings

    Step 6: Enter the information to define the address or network and click Add. Step 7: To delete a configured restriction setting, select the desired address in the Addresses field and click Delete. The address will be removed from the field.
  • Page 189: Virtual Assist > Log

    Change the value in the Items per page field to display more or fewer log messages. Click the forward or backward arrows to scroll through the pages of the log messages. Click any of the headings to sort the log messages alphabetically by heading.
  • Page 190: Virtual Assist > Licensing

    System > Licenses page. The same content from the Virtual Assist > Licensing page is also displayed when you navigate to Virtual Assist > Status on a SonicWALL SSL-VPN appliance that does not have a valid Virtual Assist license. Enabling Virtual Assist...
  • Page 191 Step 5: Optionally, you can customize all of the Virtual Assist settings for this individual portal using the tabs on this window. Virtual Assist is now enabled and ready to use. SSL VPN users will now see the Virtual Assist icon on the Virtual Office page.
  • Page 192: Web Application Firewall Configuration

    This chapter provides information and configuration tasks specific to the Web Application Firewall pages on the SonicWALL SSL VPN Web-based management interface. Supported on SonicWALL SSL-VPN models 2000 and higher, Web Application Firewall is subscription-based software that runs on the SonicWALL SSL-VPN appliance and protects Web applications running on servers behind the SSL-VPN.
  • Page 193: Licensing Web Application Firewall

    System > Licenses page of the management interface. To view license details and obtain a license on MySonicWALL for Web Application Firewall, perform the following steps: Step 1: Log in to your SonicWALL SSL-VPN appliance and navigate to Web Application Firewall > Licensing.
  • Page 194 Step 3: Under Manage Security Services Online, click the Activate, Upgrade, or Renew services link. The MySonicWALL Login page is displayed. Step 4: Type your MySonicWALL credentials into the fields, and then click Submit. The Product Survey page is displayed.
  • Page 195 Step 7: Click Synchronize to view the license on the System > Licenses page. Web Application Firewall is now licensed on your SonicWALL SSL-VPN appliance. Navigate to Web Application Firewall > Settings to enable it, and then restart your appliance to completely activate Web Application Firewall.
  • Page 196: Configuring Web Application Firewall

    The Synchronize button allows you to download the latest signatures from the SonicWALL online database. You can view details about the threats, or clear the threat list. The Severity column of the threat list is color coded for quick reference, as follows: High severity threats –...
  • Page 197: Signature And License Status

    Settings page. If this automatic update option is enabled, the Apply button disappears from the Web Application Firewall > Status screen as soon as the new signatures are automatically applied. Step 3: To synchronize the signature database with the SonicWALL online database server, click Synchronize. The timestamp is updated.
  • Page 198 Step 3: To collapse the threat details, click the threat link again. Step 4: To clear the threat list, click the Clear WAF Statistics button on the top right corner of the page.
  • Page 199: Configuring Web Application Firewall Settings

    The Web Application Firewall > Settings page allows you to enable and disable Web Application Firewall on your SonicWALL SSL-VPN appliance globally and by attack priority. You can individually specify detection or prevention for three attack classes: high, medium, and low priority attacks.
  • Page 200 “How is Cross-Site Request Forgery Prevented?” on page To configure global settings for Web Application Firewall, perform the following steps: Step 1: Log in to your SonicWALL SSL-VPN appliance and navigate to Web Application Firewall > Settings. Select the Enable Web Application Firewall checkbox.
  • Page 201 • To view the resulting page, click the Preview button. • To reset the current customized error page to the default SonicWALL error page, click the Default Blocked Page button and then click OK in the confirmation dialog box.
  • Page 202 URL. If a path is configured, then the exclusion is recursively applied to all subfolders and files. For instance, if Host is set to webmail.sonicwall.com/exchange, then all files and folders under exchange are also excluded.
  • Page 203: Configuring Web Application Firewall Signature Actions

    You can also revert back to using the global settings for the signature group to which this signature belongs without losing the configuration details of existing exclusions.
  • Page 204 Detect if the associated signature group is globally set to Prevent All. Note: For signature based customization to take effect, the signature group of the modified signature must be globally enabled for either prevention or detection on the Web Application Firewall > Settings page.
  • Page 205 URL. If a path is configured, then the exclusion is recursively applied to all subfolders and files. For instance, if Host is set to webmail.sonicwall.com/exchange, then all files and folders under exchange are also excluded.
  • Page 206: Determining The Host Entry For Exclusions

    For a description of how to determine the correct host name, see the following sections: • “Viewing the Host Entry in a Bookmark” on page 194 • “Viewing the Host Entry in an Offloaded Application” on page 194
  • Page 207 You can determine exactly what host name to enter in your exclusion by viewing the configuration details of the offloaded application. In an offloaded application, you will use the virtual host domain name. To view the virtual host domain name in an offloaded application, perform the following steps:
  • Page 208 Step 1: ...application. Step 2: In the Edit Portal screen, click the Virtual Host tab. Step 3: View the host entry for your exclusion in the Virtual Host Domain Name field. Step 4: Click Close.
  • Page 209: Using Web Application Firewall Logs

    • To clear the Search field, set the drop-down list back to the default (Time), and display the first page of log entries, click Reset. Controlling the Log Pagination To adjust the number of entries on the log page and display a different range of entries, perform the following steps:
  • Page 210 SSL-VPN management interface. If no address is configured, the Status line at the bottom of the browser will display an error message when you click the E-Mail Log button on the Web Application Firewall > Log page.
  • Page 211 To clear the Web Application Firewall log, perform the following: Step 1: On the top right corner of the Web Application Firewall > Log page, click Clear. Note: The page and log are immediately cleared without asking for confirmation.
  • Page 212: Verifying And Troubleshooting Web Application Firewall

    • License Manager SSL connection failed - Restart appliance may be necessary: Test the connectivity to licensemanager.sonicwall.com from the System > Diagnostics page using the Ping and DNS Lookup diagnostic utilities to ensure that there is connectivity to the backend server.
  • Page 213 <num> rules Signature database download was successful. The new database contains <num> number of rules. A rule is an internal property which will be used by SonicWALL to determine how many signatures were downloaded. Note: You can select the Apply Signature Updates Automatically option on the Web Application Firewall >...
  • Page 214: Users Configuration

    SonicWALL SSL VPN Web-based management interface, including access policies and bookmarks for the users and groups. Policies provide you access to the different levels of objects defined on your SonicWALL SSL-VPN appliance. This chapter contains the following sections: • “Users > Status” section on page 202...
  • Page 215: Users > Status

    The Active User Sessions table displays the current users or administrators logged into SonicWALL SSL VPN. Each entry displays the name of the user, the group in which the user belongs, the IP address of the user, and a time stamp indicating when the user logged in. An administrator may terminate a user session and log the user out by clicking the Logout icon at the right of the user row.
  • Page 216: Access Policies Concepts

    Access Policy Hierarchy An administrator can define user, group and global policies to predefined network objects, IP addresses, address ranges, or all IP addresses and to different SonicWALL SSL VPN services. Certain policies take precedence. The SonicWALL SSL VPN policy hierarchy is: • User policies take precedence over group policies...
  • Page 217: Users > Local Users

    If you want to specify different policies for different user groups when using RADIUS or Active Directory, the administrator will need to create the user manually in the Local User database.
  • Page 218: Adding A Local User

    Step 2: In the Add Local User dialog box, enter the username for the user in the User Name field. This will be the name the user will enter in order to log into the SonicWALL SSL VPN user portal. Select the name of the group to which the user belongs in the Group/Domain drop-down list.
  • Page 219: Removing A User

    The user type is not configurable because the SonicWALL SSL-VPN appliance only allows users that authenticate to the internal user database to have administrative privileges. Also, the user type External will be used to identify the local user instances that are auto-created to correspond to externally authenticating users.
  • Page 220 File Transfer Protocol (FTP), Telnet, Secure Shell (SSH), Web (HTTP), Secure Web (HTTPS), File Shares (CIFS), Citrix Portal (Citrix). Single sign-on (SSO) in SonicWALL SSL VPN supports the following applications: • RDP - Active X • RDP - Java • HTTP...
  • Page 221 – User-controlled: Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks. – Enabled: Select this option to enable single sign-on for bookmarks. – Disabled: Select this option to disable single sign-on for bookmarks.
  • Page 222 Step 2: Click OK. Modifying User NetExtender Settings Note: Group NetExtender settings are not supported on the SonicWALL SSL-VPN 200 appliance. The Nx Settings tab provides configuration options for NetExtender client address ranges and other client settings. For procedures on modifying NetExtender User settings, see the “NetExtender >...
  • Page 223 URL object. On SonicWALL SSL-VPN models 2000 and higher, you can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy dialog box changes depending on what type of object you select in the Apply Policy To drop-down list.
  • Page 224 “Adding a Policy for a URL Object” section on page 213. • IPv6 Address - On SonicWALL SSL-VPN models 2000 and higher, if your policy applies to a specific host, enter the IPv6 address of the local host machine in the IPv6 Address field.
  • Page 225 Step 6: ... Step 7: Select the Share radio button in the Resource field. Step 8: Type the server path in the Server Path field. Step 9: From the Status drop-down list, select PERMIT or DENY.
  • Page 226 Step 5: In the Apply Policy To drop-down menu, select the URL Object option. Step 6: Define a name for the policy in the Policy Name field. Step 7: In the Service drop-down list, choose either Web (HTTP) or Secure Web (HTTPS).
  • Page 227 [<range>] – Matches any character falling within the specified ASCII range. Can be an alphanumeric character. E.g. [a-d], [3-5], [H-X]. Note: Entries in the URL field cannot contain (“http://”, “https://”) elements. Entries also cannot contain fragment delimiters such as “#”.
  • Page 228 Step 3: ... Step 4: In the Service drop-down list, click on a service option. Step 5: In the Status drop-down list, click on an access action, either PERMIT or DENY. Step 6: Click Add.
  • Page 229 Step 1: Type a descriptive name for the bookmark in the Bookmark Name field. Step 2: Enter the fully qualified domain name (FQDN) or the IPv4 or, on SonicWALL SSL-VPN models 2000 and higher, IPv6 address of a host machine on the LAN in the Name or IP Address field.
  • Page 230 JBJONES-PC HTTP www.sonicwall.com HTTPS IP Address of URL 204.212.170.11 IPv6 Address 2008::1:2:3:4 URL:Path or File www.sonicwall.com/index.html IP:Path or File 204.212.170.11/folder/ URL:Port www.sonicwall.com:8080 IP:Port 204.212.170.11:8080 or [2008::1:2:3:4]:8080 URL:Port:Path or File www.sonicwall.com:8080/folder/index.html IP:Port:Path or File 204.212.170.11:8080/index.html
  • Page 231 Step 5: For the specific service you select from the Service drop-down list, additional fields may appear. Fill in the information for the service you selected. Select one of the following service types from the Service drop-down list:
  • Page 232 To see local printers show up on your remote machine (Start > Settings > Control Panel > Printers and Faxes), select Redirect Ports as well as Redirect Printers.
  • Page 233 Secure Shell version 2 (SSHv2) – Optionally select the Automatically accept host key checkbox. – If using an SSHv2 server without authentication, such as a SonicWALL firewall, you can select the Bypass username checkbox. Web (HTTP) – Optionally select Automatically log in and select Use SSL VPN account credentials...
  • Page 234 Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so will disable access to the DFS file shares from other domains. The SonicWALL SSL-VPN is not a domain member and will not be able to connect to the DFS shares.
  • Page 235 When using the Java applet, the local printers are available in the Citrix client. However, under some circumstances it might be necessary to change the Universal Printer Driver to PCL mode. Note: Citrix is supported on SonicWALL SSL-VPN model 2000 and higher security appliances. To configure a Citrix bookmark for a user, perform the following tasks: Navigate to Users >...
  • Page 236 HTTP, RDP and FTP servers that need a domain prefix for SSO authentication. Users can log into SonicWALL SSL VPN as username, and click a customized bookmark to access a server with domain\username. Either straight textual parameters or dynamic variables may be used for login credentials.
  • Page 237 The Login Policies tab provides configuration options for policies that allow or deny users with specific IP addresses from having login privileges to the SonicWALL SSL-VPN appliance. To allow or deny specific users from logging into the appliance, perform the following steps: Navigate to the Users >...
  • Page 238 – Network Address field and Subnet Mask field appear in the Define Address dialog box. – IPv6 Address - On SonicWALL SSL-VPN models 2000 and higher, this enables you to select a specific IPv6 address. – IPv6 Network - On SonicWALL SSL-VPN models 2000 and higher, this enables you to...
  • Page 239 Add. The browser name appears in the Defined Browsers list. Note: The browser definition for Internet Explorer, Firefox, and Chrome is: javascript:document:writeln(navigator.userAgent) Step 14: Click OK. The new login policy is saved.
  • Page 240: Users > Local Groups

    • Global Policies - Contains access policies for all nodes in the organization. • LocalDomain - The LocalDomain group is automatically created to correspond to the default LocalDomain authentication domain. This is the default group to which local users will be added, unless otherwise specified.
  • Page 241: Deleting A Group

    The General tab provides configuration options for a group’s inactivity timeout value and bookmark control. To modify the general user settings, perform the following tasks: Step 1: In the left-hand column, navigate to the Users > Local Groups.
  • Page 242 – User-controlled (enabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks. This setting enables SSO by default for new users. Note: Single sign-on (SSO) in SonicWALL SSL VPN does not support two-factor authentication.
  • Page 243 • Enabled – Enable this portal feature for this user. • Disabled – Disable this portal feature for this user. Note: The Allow User to Edit/Delete Bookmarks setting applies to user-owned bookmarks only. Step 3: Click OK.
  • Page 244 Step 4: ... Step 5: Enter an ending IPv4 address in the Client Address Range End field. Step 6: On SonicWALL SSL-VPN models 2000 and higher, enter a beginning IPv6 address in the Client IPv6 Address Range Begin field. Step 7: On SonicWALL SSL-VPN models 2000 and higher, enter an ending IPv6 address in the Client IPv6 Address Range End field.
  • Page 245 Step 12: Click OK. Enabling NetExtender Routes for Groups Note: Group NetExtender routes are not supported on the SonicWALL SSL-VPN 200 appliance. The Nx Routes tab allows the administrator to add and configure client routes. IPv6 client routes are supported on SonicWALL SSL-VPN model 2000 and higher appliances.
  • Page 246 This feature is for external users, who will inherit the settings from their assigned group upon login. Tunnel all mode ensures that all network communications are tunneled securely through the SonicWALL SSL VPN tunnel. To enable tunnel all mode, perform the following tasks: Navigate to Users > Local Groups.
  • Page 247 URL object. On SonicWALL SSL-VPN models 2000 and higher, you can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy dialog box changes depending on what type of object you select in the Apply Policy To drop-down list.
  • Page 248 Step 4: Select the service type in the Service menu. If you are applying a policy to a network object, the service type is defined in the network object. Step 5: Select PERMIT or DENY from the Status drop-down list to either permit or deny SonicWALL SSL VPN connections for the specified service and host machine.
  • Page 249 Note: When group bookmarks are defined, all group members will see the defined bookmarks from the SonicWALL SSL VPN user portal. Individual group members will not be able to delete or modify group bookmarks. Enter a string that will be the name of the bookmark in the Bookmark Name field.
  • Page 250 Mac Addresses (separated by spaces) to indicate the machines to wake, and the desired Wait time for boot up before cancelling the WoL operation. To send the WoL packet to the hostname...
  • Page 251 Secure Shell version 2 (SSHv2) – Optionally select the Automatically accept host key checkbox. – If using an SSHv2 server without authentication, such as a SonicWALL firewall, you can select the Bypass username checkbox. Web (HTTP) – Optionally select Automatically log in and select Use SSL VPN account credentials...
  • Page 252: Group Configuration For Ldap Authentication Domains

    SonicWALL SSL VPN management interface), NTLM authentication (labeled NT Domain authentication in SonicWALL SSL VPN management interface), or using LDAP database queries. An LDAP domain configured in the SonicWALL SSL VPN management interface can authenticate to an Active Directory server.
  • Page 253 Step 3: Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN user portal. It can be the same value as the Server address field.
  • Page 254 LDAP attributes. To see a full list of LDAP attributes, refer to the SonicWALL LDAP Attribute document. As a common example, fill out an attribute field with the memberOf= attribute which can bundle the following common variable types: CN= - the common name.
  • Page 255 • If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SonicWALL SSL-VPN appliance, then the user will not be able to log into the portal. So the LDAP attributes feature not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to only allow certain LDAP users to log into the portal.
  • Page 256: Group Configuration For Active Directory, Nt And Radius Domains

    Then, when users log in to the portal, policies, bookmarks and other user settings will apply to the users. If the AAA user does not exist in the SonicWALL SSL-VPN appliance, then only the global settings, policies and bookmarks will apply to the user.
  • Page 257 SonicWALL SSL-VPN, the moment jdoe adds a personal bookmark, a local user called jdoe will be created on the SonicWALL SSL-VPN appliance as type External, and can then be managed like any other local user by the administrator. The external local user will remain until deleted by the administrator.
  • Page 258: Creating A Citrix Bookmark For A Local Group

    Note: Before configuring an Active Directory group, ensure that you have already created an Active Directory domain. This option is configured in the Portals > Domains page. Note: The AD Groups feature is only available on SonicWALL SSL-VPN models 2000 and higher. To add an AD group, perform the following steps: In the Users >...
  • Page 259: Global Configuration

    Global Configuration SonicWALL SSL-VPN appliance global configuration is defined from the Local Users or Local Groups environment. To view either, click the Users option in the left navigation menu, then click either the Local Users or Local Groups option. This section contains the following configuration tasks: “Edit Global Settings”...
  • Page 260 Step 9: ...field and an ending address in the Client Address Range End field. Step 10: On SonicWALL SSL-VPN models 2000 and higher, to set a client IPv6 address range, enter a beginning IPv6 address in the Client IPv6 Address Range Begin field and an ending IPv6 address in the Client IPv6 Address Range End field.
  • Page 261 Terminal Services (RDP - ActiveX), you will need to select the desired screen size from the Screen Size drop-down list. Step 35: Click Add. Step 36: Click OK to save the configuration changes.
  • Page 262: Edit Global Policies

    Note: SonicWALL SSL-VPN appliance policies apply to the destination address(es) of the SonicWALL SSL VPN connection, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SonicWALL SSL-VPN appliance through the policy engine.
  • Page 263 Step 7: Select the service type in the Service drop-down list. If you are applying a policy to a network object, the service type is defined in the network object. Step 8: Select ALLOW or DENY from the Status drop-down list to either permit or deny SonicWALL SSL VPN connections for the specified service and host machine.
  • Page 264: Edit Global Bookmarks

    Note: When global bookmarks are defined, all users will see the defined bookmarks from the SonicWALL SSL VPN user portal. Individual users will not be able to delete or modify global bookmarks. To edit a bookmark, enter a descriptive name in the Bookmark Name field.
  • Page 265 Global Configuration
  • Page 266: Log Configuration

    Chapter 10: Log Configuration This chapter provides information and configuration tasks specific to the Log pages on the SonicWALL SSL VPN Web-based management interface. This chapter contains the following sections: • “Log > View” section on page 254 • “Log > Settings” section on page 258...
  • Page 267: Log > View

    “Emailing Logs” section on page 257 • Log > View Overview The Log > View page allows the administrator to view the SonicWALL SSL VPN event log. The event log can also be automatically sent to an email address for convenience and archiving. Figure 29 Log >...
  • Page 268 Fully Qualified Domain Name (FQDN) of the Web site accessed. User The name of the user who was logged into the appliance when the message was generated. Message The text of the log message.
  • Page 269: Viewing Logs

    Viewing Logs The Log > View page allows the administrator to view the SonicWALL SSL VPN event log. The SonicWALL SSL-VPN appliance maintains an event log for tracking system events, for example, unsuccessful login attempts, NetExtender sessions, and logout events. This log can be viewed in the Log >...
  • Page 270: Emailing Logs

    The E-mail Log button allows the administrator to immediately send and receive a copy of the SonicWALL SSL VPN event log. This feature is useful for archiving email and in testing email configuration and email filters for multiple SSL-VPN units. To use the E-mail Log feature, perform the following tasks: Navigate to Log >...
  • Page 271: Log > Settings

    UDP port 514. Figure 30 Log > Settings Page Log Settings The Log Settings section allows the administrator to specify the primary and secondary Syslog server.
  • Page 272: Configuring Log Settings

    Step 9: To use SMTP authentication when sending log files, select the Enable SMTP Authentication checkbox. The display will change to expose related fields. Enter the user name, password, and the SMTP port to use. The default port is 25.
  • Page 273: Configuring The Mail Server

    Step 4: ... Step 5: Type the IP address for the mail server you will be using in the Mail Server field. Step 6: Type the email address for outgoing mail from your SonicWALL SSL-VPN appliance in the Mail From Address field.
  • Page 274: Log > Categories

    • NetExtender • System • Virtual Assist • Web Application Firewall • Once all selections have been made, click Accept in the upper right corner of the screen to finish configuring the desired categories.
  • Page 275: Log > Viewpoint

    Note Log > ViewPoint page to set up the Analyzer connection (in addition to the configuration changes made on the Analyzer). In later versions of SonicWALL SRA SSL-VPN, the Log > ViewPoint page has been updated to Log > Analyzer.
  • Page 276 Step 4: Enter the Port which your ViewPoint server communicates with managed devices. Step 5: Click the OK button to add this server. Step 6: To start ViewPoint report logging for the server you just added, select the Enable ViewPoint checkbox.
  • Page 277 Log > ViewPoint
  • Page 278: Virtual Office Configuration

    Virtual Office Chapter 11: Virtual Office Configuration This chapter provides information and configuration tasks specific to the Virtual Office page on the SonicWALL SSL VPN Web-based management interface. This chapter contains the following section: • “Virtual Office” section on page 265...
  • Page 279: Virtual Office Overview

    Virtual Office Virtual Office Overview The Virtual Office option is located in the navigation bar of the SonicWALL SSL VPN management interface. The Virtual Office option launches the Virtual Office user portal in a separate Web browser window. The Virtual Office is a portal that users can access in order to create and access bookmarks, file shares, NetExtender sessions, and Virtual Assist.
  • Page 280 Note: For detailed configuration information about the Virtual Office user portal and these tasks, refer to the SonicWALL SSL-VPN User’s Guide, available on the Secure Remote Access pages of the SonicWALL support Web site at http://www.sonicwall.com/us/Support.html. The Logout button will not appear in the Virtual Office when you are logged on as an administrator.
  • Page 281 Virtual Office
  • Page 282: Online Help

    Appendix A: Online Help This appendix describes how to use the Online Help on the SonicWALL SSL VPN Web-based management interface. This appendix also contains information about context-sensitive help. This appendix contains the following sections: • “Online Help” section on page 270...
  • Page 283: Online Help

    Click the context-sensitive help button in the top right corner of the page to get help that corresponds to the SonicWALL SSL VPN management page you are using. Clicking the context-sensitive help button launches a separate browser window to the corresponding documentation.
  • Page 284: Configuring Sonicwall Ssl Vpn With A Third-Party Gateway

    This appendix shows methods for configuring various third-party firewalls for deployment with a SonicWALL SSL-VPN appliance. This appendix contains the following sections: • “Cisco PIX Configuration for SonicWALL SSL-VPN Appliance Deployment” section on page 272 • “Linksys WRT54GS” section on page 278...
  • Page 285: Cisco Pix Configuration For Sonicwall Ssl-Vpn Appliance Deployment

    SonicWALL recommends updating the PIX’s OS to the most recent version if your PIX can support it. This document was validated on a Cisco PIX 515e running PIX OS 6.3.5 and is the recommended version for interoperation with a SonicWALL SSL-VPN appliance.
  • Page 286 Step 7: Navigate to the System > Restart page and click on the Restart… button. Step 8: Install the SonicWALL SSL-VPN appliance’s X0 interface on the LAN network of the PIX. Do not hook any of the appliance’s other interfaces up.
  • Page 287 Cisco PIX Configuration for SonicWALL SSL-VPN Appliance Deployment

        fixup protocol h323 ras 1718-1719
        fixup protocol http 80
        fixup protocol rsh 514
        fixup protocol rtsp 554
        fixup protocol sip 5060
        fixup protocol sip udp 5060
        fixup protocol skinny 2000
        fixup protocol smtp 25...
  • Page 288: Method Two - Sonicwall Ssl-Vpn Appliance On Dmz Interface

    Method Two – SonicWALL SSL-VPN Appliance on DMZ Interface This method is optional and requires that the PIX have an unused third interface, such as a PIX 515, PIX 525, or PIX 535. We will be using the default numbering scheme of the SonicWALL SSL-VPN appliance.
  • Page 289 Step 23: Exit config mode and issue the command ‘wr mem’ to save and activate the changes. Step 24: From an external system, attempt to connect to the SonicWALL SSL-VPN appliance using both HTTP and HTTPS. If you cannot access the SonicWALL SSL-VPN appliance, check all steps above and test again.
  • Page 290 Cisco PIX Configuration for SonicWALL SSL-VPN Appliance Deployment

        mtu outside 1500
        mtu inside 1500
        mtu dmz 1500
        ip address outside 64.41.140.167 255.255.255.224
        ip address inside 192.168.100.1 255.255.255.0
        ip address dmz 192.168.200.2 255.255.255.0
        ip audit info action alarm
        ip audit attack action alarm...
  • Page 291: Linksys Wrt54Gs

    Linksys WRT54GS The SonicWALL SSL-VPN should be configured on the LAN switch of the Linksys wireless router. This guide assumes that your Linksys is assigned a single WAN IP, via DHCP by the cable ISP and is using the default LAN IP address scheme of 192.168.1.0/24.
  • Page 292: Watchguard Firebox X Edge

    Step 2: If the WatchGuard’s management interface is already configured to accept HTTPS on port 443 you will need to change the port in order to be able to manage both the SonicWALL SSL-VPN and WatchGuard appliances. Navigate to Administration > System Security.
  • Page 293 Step 6: In the left-hand navigation menu, navigate to Firewall > Incoming. Step 7: For the HTTPS Service, set Filter to Allow and enter the WAN IP of the SonicWALL SSL-VPN appliance (192.168.100.2) in the Service Host field.
  • Page 294: Netgear Fvs318

    Step 1: Click Remote Management from the left-hand index of your Netgear management interface. In order for the SonicWALL SSL-VPN to function with your Netgear gateway device, you must verify that the NetGear’s management port will not conflict with the management port used by the SonicWALL SSL-VPN appliance.
  • Page 295 Step 9: Select HTTPS from the Service Name drop-down list. Step 10: Select ALLOW always in the Action drop-down list. Step 11: Enter the WAN IP address of the SonicWALL SSL-VPN appliance (ex. 192.168.100.2) in the Local Server Address field. Click Accept to save changes.
  • Page 296: Netgear Wireless Router Mr814 Ssl Configuration

    Step 4: Enter 443 in the Starting Port field. Step 5: Enter 443 in the Ending Port field. Step 6: Enter the WAN IP address of the SonicWALL SSL-VPN appliance (ex. 192.168.100.2) in the Local Server Address field. Click the Accept button...
  • Page 297: Check Point Air 55

    Note The object is defined as existing on the internal network. Should you decide to locate the SonicWALL SSL-VPN on a secure segment (sometimes known as a demilitarized zone) then subsequent firewall rules will have to pass the necessary traffic from the secure segment to the internal network.
  • Page 298: Static Route

    As a result, the ARP entry for the external IP address must be added manually within the Nokia Voyager interface. Finally, a traffic or policy rule is required for all traffic to flow from the Internet to the SonicWALL SSL-VPN.
  • Page 299 Check Point Policy Rule Window Again, should the SonicWALL SSL-VPN be located on a secure segment of the Check Point firewall, a second rule allowing the relevant traffic to flow from the SonicWALL SSL-VPN to the internal network will be necessary.
  • Page 300: Microsoft Isa Server

    Server. This port forwarding task is beyond the scope of this section. Configuring ISA The SonicWALL SSL-VPN must be published as a Server (not a Web Server) within ISA to allow the inbound SSL connection through the ISA firewall. Configuration Tasks You will need to perform the following tasks to configure ISA: Configure an inbound Protocol Definition for port 443.
  • Page 301 Step 3 On the General tab in the SonicWALL SSL-VPN Properties window, select the Enable check box. Step 4 Click the Action tab. Step 5 Enter the IP address of the SonicWALL SSL-VPN appliance in the IP address of internal server field.
  • Page 302 The default behavior of ISA is to redirect all incoming Web requests on port 80 and 443 to the Web Proxy Service instead of allowing them to pass through to the SonicWALL SSL-VPN. In order to allow traffic arriving on port 443 to reach the SonicWALL, you must disable the Web requests listeners on the ISA server.
  • Page 304: Use Cases

    Importing a goDaddy Certificate on Windows In this use case, we format a goDaddy Root CA Certificate on a Windows system and then import it to our SonicWALL SSL-VPN. Step 1 Double-click on the goDaddy.p7b file to open the Certificates window, and navigate to the goDaddy certificate.
  • Page 305 Step 4 In the Certificate Export Wizard, click Next. Step 5 Select Base-64 encoded X.509 (.CER) and then click Next. Step 6 In the File to Export screen, type the file name in as goDaddy.cer and then click Next.
  • Page 306 Step 8 The certificate is exported in base-64 encoded format. You can view it in a text editor. Step 9 In the SonicWALL SSL-VPN management interface, navigate to System > Certificates. Step 10 In the Additional CA Certificates section, click Import CA Certificate. The Import Certificate window appears.
  • Page 307: Importing A Server Certificate On Windows

    Windows system and double-click it. Step 12 Click Upload. The certificate will be listed in the Additional CA Certificates table. Step 13 Navigate to System > Restart and restart the SonicWALL SSL-VPN for the CA certificate to take effect. Importing a Server Certificate on Windows In this use case, we import a Microsoft CA server certificate to a Windows system.
  • Page 308: Creating Unique Access Policies For Ad Groups

    Creating Unique Access Policies for AD Groups In this use case, we add Outlook Web Access (OWA) resources to the SonicWALL SSL-VPN, and need to configure the access policies for users in multiple Active Directory (AD) groups.
  • Page 309: Creating The Active Directory Domain

    This section describes how to create the SonicWALL SSL-VPN Local Domain, SNWL_AD. SNWL_AD is associated with the Active Directory domain of the OWA server. Step 1 Log in to the SonicWALL SSL-VPN management interface and navigate to the Portals > Domains page.
  • Page 310: Adding A Global Deny All Policy

    Permit policy. The SonicWALL SSL-VPN default policy is Allow All. In order to have more granular control, we add a Deny All policy here. Later, we can add Permit policies for each group, one at a time.
  • Page 311: Creating Local Groups

    Step 9 On the Users > Local Groups page, click Add Group to add the second local group. Step 10 In the Add Local Group window, type IT_Group into the Group Name field. Step 11 Select SNWL_AD from the Domain drop-down list. Step 12 Click Add.
  • Page 312 Step 2 In the Edit Group Settings window, click the AD Groups tab. Step 3 On the AD Groups tab, click the Add Group button. Step 4 In the Edit Active Directory Group window, select Acme Group from the Active Directory Group drop-down list.
  • Page 313: Adding The Sshv2 Permit Policy

    In this section, we will add the SSHv2 PERMIT policy for both Acme_Group and IT_Group to access the 10.200.1.102 server using SSH. This procedure creates a policy for the SonicWALL SSL-VPN Local Group, Acme_Group, and results in SSH access for members of the Active Directory group, Acme Group.
  • Page 314: Adding The Owa Permit Policies

    In this section, we will add two OWA PERMIT policies for both Mega_Group and IT_Group to access the OWA service using Secure Web (HTTPS). This procedure creates a policy for the SonicWALL SSL-VPN Local Group, Mega_Group, and results in OWA access for members of the Active Directory group, Mega Group.
  • Page 315 Step 14 In the Edit Group Settings window, click OK. We are finished with the policies for Mega_Group. Repeat this procedure for IT_Group to provide OWA access for members of the Active Directory group, IT Group.
  • Page 316: Verifying The Access Policy Configuration

    • IT_Group users are allowed to access both SSH and OWA as defined above. The configuration can be verified by logging in as different AD group members to the SNWL_AD domain on the SonicWALL SSL-VPN, and attempting to access the resources. Test Result: Try Acmeuser Access Acmeuser logs into the SNWL_AD domain.
  • Page 317 Acmeuser can access SSH, as expected. Acmeuser tries to access other resources like OWA 10.200.1.10, but is denied, as expected.
  • Page 318 Test Result: Try Megauser Access Megauser logs into the SNWL_AD domain. The Users > Status page shows that megauser is a member of the local group, Mega_Group. Megauser can access OWA resources, as expected.
  • Page 319 Test Result: Try Ituser Access Ituser logs into the SNWL_AD domain. The Users > Status page shows that ituser is a member of the local group, IT_Group. Ituser can access SSH to 10.200.1.102, as expected.
  • Page 320 Ituser can access OWA resources, as expected.
  • Page 322: Netextender Troubleshooting

    Appendix D: NetExtender Troubleshooting This appendix contains a table with troubleshooting information for the SonicWALL SSL VPN NetExtender utility. Table 19 NetExtender Cannot Be Installed. Problem: NetExtender cannot be installed. Solution: Check your OS version; NetExtender only supports Win2000 or above, Mac OS X 10.5 or above with Apple Java 1.6.0_10 or above, and Linux OpenSUSE in addition...
  • Page 323 NetExtender Connection Entry Cannot Be Created. Problem: NetExtender connection entry cannot be created. Solution: Navigate to Device Manager and check if the SonicWALL SSL VPN NetExtender Adapter has been installed successfully. If not, delete the adapter from the device list, reboot the machine and install NetExtender again.
  • Page 324 Table 21 Problem: NetExtender cannot connect. Solution: Navigate to Device Manager and check if the SonicWALL SSL VPN NetExtender Adapter has been installed successfully. If not, delete the adapter from the device list, reboot the machine and install NetExtender again.
  • Page 326: Faqs

    • “Digital Certificates and Certificate Authorities FAQ” on page 321 – What do I do if when I log in to the SonicWALL SSL-VPN appliance my browser gives me an error, or if my Java components give me an error? –...
  • Page 327 (GVC)? – Is NetExtender encrypted? – Is there a way to secure clear text traffic between the SonicWALL SSL-VPN appliance and the server? – What is the PPP adapter that is installed when I use the NetExtender? – What are the advantages of using the NetExtender instead of a Proxy Application? –...
  • Page 328 – What authentication methods are supported? – I configured my SonicWALL SSL-VPN appliance to use Active Directory as the authentication method, but it fails with a very strange error message. Why? – My Windows XPSP2 system cannot use the RDP-based connectors. Why? –...
  • Page 329: Hardware Faq

    SRA 4200: (4) 10/100/1000 Ethernet, (1) RJ-45 Serial port (115200 Baud) Processors SSL-VPN 200: SonicWALL security processor, cryptographic accelerator SSL-VPN 2000: 800 MHz x86 main processor, cryptographic accelerator SSL-VPN 4000: P4 Celeron main processor, cryptographic accelerator SRA 1200: 1.5 GHz Via C7 x86 processor SRA 4200: 1.8 GHz Via C7 x86 processor, cryptographic accelerator...
  • Page 330 SSL-VPN 200: 7.45 x 4.55 x 1.06 in (18.92 x 11.56 x 2.69 cm) SSL-VPN 2000: 17.00 x 10.00 x 1.75 in (43.18 x 25.40 x 4.45 cm) SSL-VPN 4000: 17.00 x 13.75 x 1.75 in (43.18 x 33.66 x 4.45 cm) SRA 1200: 17.00 x 10.125 x 1.75 in (43.18 x 25.70 x 4.45 cm)
  • Page 331 SSL-VPN 200 model. The SRA 1200 does not have a hardware-based SSL accelerator processor. What are the main differences between the discontinued SonicWALL SSL-RX Accelerator from that of the SSL-VPN 200, 2000 and 4000 appliances? Answer: The discontinued SSL-RX Accelerator was a purpose-built appliance used to offload cryptographic processes from burdened servers.
  • Page 332 RDP Java client Context-sensitive help Citrix (ICA) support NetExtender: Support for multiple IP ranges and routes Tokenless two-factor authentication RSA support Vasco support Optional client certificate support Graphical usage monitoring Option to create system backup
  • Page 333 SRA 4200 OWA premium version and Lotus Domino Access Single Sign-on bookmark policy options Email log capability Multiple RADIUS server support RADIUS test function NetExtender domain suffix support SSHv2 support Virtual Host/Domain Name support
  • Page 334: Digital Certificates And Certificate Authorities Faq

    Digital Certificates and Certificate Authorities FAQ What do I do if when I log in to the SonicWALL SSL-VPN appliance my browser gives me an error, or if my Java components give me an error?
  • Page 335 Get Certificate button, ensure that Permanently store this exception is checked, and finally, click the Confirm Security Exception button. See below: To avoid this inconvenience, it is strongly recommended that all SonicWALL SSL-VPN appliances, going forward, have a trusted digital certificate installed.
  • Page 336 Permanently store this exception is checked, and finally, click the Confirm Security Exception button. See below: To avoid this inconvenience, it is strongly recommended that all SonicWALL SSL-VPN appliances, going forward, have a trusted digital certificate installed.
  • Page 337 SSL handshake. However, SonicWALL tested digital certificates from www.rapidssl.com, which are inexpensive, work fine in the SonicWALL SSL-VPN appliance, and do not require the background check that other Certificate Authorities require during the purchase process. You can find a white paper on how to purchase and install a certificate online at: http://www.sonicwall.com/us/support/3165.html.
  • Page 338 Answer: Click the ‘configure’ icon next to the new certificate and enter the password you specified when creating the Certificate Signing Request (CSR) to finalize the import of the certificate. Once this is done, you can successfully activate the certificate on the SonicWALL SSL-VPN appliance.
  • Page 339 When client authentication is required my clients cannot connect even though a CA certificate has been loaded. Why? Answer: After a CA certificate has been loaded, the SonicWALL SSL-VPN must be rebooted before it is used for client authentication. Failures to validate the client certificate will also cause failures to log on.
  • Page 340: Netextender Faq

    NetExtender clients actually appear as though they are on the internal network – much like the Virtual Adapter capability found in SonicWALL’s Global VPN Client. You will need to dedicate one IP address for each active NetExtender session, so if you expect 20 simultaneous NetExtender sessions to be the maximum, create a range of 20 open IP addresses.
  • Page 341 Answer: Yes, it uses whatever cipher the NetExtender client and SSL-VPN appliance negotiate during the SSL connection. Is there a way to secure clear text traffic between the SonicWALL SSL-VPN appliance and the server?
  • Page 342 NetExtender to directly connect to file shares on a corporate network. Does performance change when using NetExtender instead of proxy? Answer: Yes. NetExtender connections put minimal load on the SonicWALL SSL-VPN appliances, whereas many proxy-based connections may put substantial strain on the SonicWALL SSL-VPN appliance.
  • Page 343: General Faq

    VNC, RDP - ActiveX, RDP - Java, SSHv1 and Telnet use browser-delivered Java or ActiveX clients. NetExtender on Windows uses a browser-delivered client. What browser and version do I need to successfully connect to the SonicWALL SSL-VPN appliance? Answer: Microsoft Internet Explorer 8.0 or newer...
  • Page 344 Network pages. Can I create site-to-site VPN tunnels with the SonicWALL SSL-VPN appliance? Answer: No, it is only a client-access appliance. If you require this, you will need a SonicWALL TZ-series or NSA security appliance.
  • Page 345 Does the SonicWALL SSL-VPN appliance have a Command Line Interface (CLI)? Answer: No, it does not. The console ports on the SSL-VPN 2000 and SSL-VPN 4000 appliances are disabled and cannot be accessed. The SSL-VPN 200 appliance does not have a console port.
  • Page 346 Answer: This setting will encrypt the settings file so that if it is exported it cannot be read by unauthorized sources. Although it is encrypted, it can be loaded back onto the SonicWALL SSL-VPN appliance (or a replacement appliance) and decrypted. If this box is not selected, the exported settings file is clear-text and can be read by anyone.
  • Page 347 Are the SSL-VPN 200/2000/4000 appliances fully supported by GMS or ViewPoint? Answer: You need SonicOS SSL VPN 1.5.0.3 or higher for basic management by SonicWALL GMS; SonicOS SSL VPN 2.1 or higher is required for SSL VPN Reporting in SonicWALL GMS or ViewPoint.
  • Page 348 What port is the SSL-VPN appliance using for the Radius traffic? Answer: It uses port 1812. Do the SonicWALL SSL-VPN appliances support the ability for the same user account to login simultaneously? Answer: Yes, this is supported on 1.5 and newer firmware releases. On the portal layout, you can enable or disable ‘Enforce login uniqueness’...
  • Page 349 • Servers: Citrix XenApp 5.0, XenApp 4.5, XenApp/Presentation Server 4.5, Presentation Server 4.0 and MetaframeXP Feature Release 3 • Clients: XenApp Plugin version 11.0 or earlier versions and Java client version 9.6 or earlier versions
  • Page 350: Glossary

    Common Internet File System (CIFS) File Shares: SonicWALL's network file browsing feature on the SSL-VPN. This uses the Web browser to browse shared files on the network. Lightweight Directory Access Protocol (LDAP) - An Internet protocol that email and other programs use to retrieve data from a server.
  • Page 352: Sms Email Formats

    Bell Canada 4085551212@txt.bellmobility.ca Bell Canada 4085551212@bellmobility.ca Bell Atlantic 4085551212@message.bam.com Bell South 4085551212@sms.bellsouth.com Bell South 4085551212@wireless.bellsouth.com Bell South 4085551212@blsdcs.net Bite GSM (Lithuania) 4085551212@sms.bite.lt Bluegrass Cellular 4085551212@sms.bluecell.com BPL mobile 4085551212@bplmobile.com Celcom (Malaysia) 4085551212@sms.celcom.com.my Cellular One 4085551212@mobile.celloneusa.com
  • Page 353 Escotel 4085551212@escotelmobile.com Estonia EMT 4085551212@sms-m.emt.ee Estonia RLE 4085551212@rle.ee Estonia Q GSM 4085551212@qgsm.ee Estonia Mobil Telephone 4085551212@sms.emt.ee Fido 4085551212@fido.ca Georgea geocell 4085551212@sms.ge Goa BPLMobil 4085551212@bplmobile.com Golden Telecom 4085551212@sms.goldentele.com Golden Telecom (Kiev, Ukraine only) 4085551212@sms.gt.kiev.ua 4085551212@messagealert.com
  • Page 354 Maharashtra Idea Cellular 4085551212@ideacellular.net MCI Phone 408555121 @mci.com Meteor 4085551212@mymeteor.ie Metro PCS 4085551212@mymetropcs.com Metro PCS 4085551212@metorpcs.sms.us MiWorld 4085551212@m1.com.sg Mobileone 4085551212@m1.com.sg Mobilecomm 4085551212@mobilecomm.net Mobtel 4085551212@mobtel.co.yu Mobitel (Tanazania) 4085551212@sms.co.tz Mobistar Belgium 4085551212@mobistar.be Mobility Bermuda 4085551212@ml.bm Movistar (Spain) 4085551212@correo.movistar.net
  • Page 355 Poland PLUS GSM 4085551212@text.plusgsm.pl Primco 4085551212@primeco@textmsg.com Primtel 4085551212@sms.primtel.ru Public Service Cellular 4085551212@sms.pscel.com Punjab Airtel 4085551212@airtelmail.com Qwest 4085551212@qwestmp.com Riga LMT 4085551212@smsmail.lmt.lv Rogers AT&T Wireless 4085551212@pcs.rogers.com Safaricom 4085551212@safaricomsms.com Satelindo GSM 4085551212@satelindogsm.com Simobile (Slovenia) 4085551212@simobil.net Sunrise Mobile 4085551212@mysunrise.ch
  • Page 356 Uraltel 4085551212@sms.uraltel.ru US Cellular 4085551212@email.uscc.net US West 4085551212@uswestdatamail.com Uttar Pradesh (West) Escotel 4085551212@escotelmobile.com Verizon 4085551212@vtext.com Verizon PCS 4085551212@myvzw.com Virgin Mobile 4085551212@vmobl.com Vodafone Omnitel (Italy) 4085551212@vizzavi.it Vodafone Italy 4085551212@sms.vodafone.it Vodafone Japan 4085551212@pc.vodafone.ne.j Vodafone Japan 4085551212@h.vodafone.ne.jp
  • Page 357 Carrier SMS Format Vodafone Japan 4085551212@t.vodafone.ne.jp Vodafone Spain 4085551212@vodafone.es Vodafone UK 4085551212@vodafone.net West Central Wireless 4085551212@sms.wcc.net Western Wireless 4085551212@cellularonewest.com
  • Page 358 F +1 408.745.9300 www.sonicwall.com PN: 232-001840-00 Rev D 6/12 ©2012 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.

This manual is also suitable for:

Ssl-vpn 4000
