How can I allow SSLVPN users access to the Internet when using tunnel all mode?

Description

NetExtender or Mobile Connect in Tunnel All mode forces all traffic to be routed over the SSL-VPN adapter. To give your end users access to the Internet over the UTM-SSLVPN, allow WAN Remote Access Networks (a network address object whose value, 0.0.0.0, acts like a default route) and select the Tunnel All option on the Client Routes page.

The method below is appropriate when the administrator wants all of their NetExtender | Mobile Connect users to have their Internet access provided through the SSLVPN. Be sure that you are not overwhelming the Internet bandwidth at the location where the firewall is installed, as this traffic will be added to the other loads from inside the network.

NOTE: When the WAN Remote Access Networks object is included in a user's VPN Access list (VPN Access tab), it updates the traffic priority.
For example: if a user has access to specific local resources rather than an entire local subnet, that user will be able to access all local resources once the object is placed in the VPN Access tab.
WAN Remote Access Networks takes priority over even the most stringent ACLs. This is by design, and there is no configuration that allows a user to access the Internet in Tunnel All mode while also restricting that user's access to local resources.
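
The widening effect described in the NOTE can be checked before the object is added. The following is an added example, not SonicWall code: it models a VPN Access list as a simple union of address objects (an assumption about the behaviour the NOTE describes) and reports which internal subnets a user reaches only because of the 0.0.0.0 object. All object names except WAN Remote Access Networks, and all users and addresses, are constructed sample data.

```python
import ipaddress

DEFAULT_ROUTE_OBJECT = "WAN Remote Access Networks"

# Constructed sample data. Only DEFAULT_ROUTE_OBJECT and its 0.0.0.0 value
# come from the article; the other objects and the users are hypothetical.
ADDRESS_OBJECTS = {
    DEFAULT_ROUTE_OBJECT: "0.0.0.0/0",
    "File Server": "192.168.10.20/32",
    "LAN Subnet": "192.168.10.0/24",
    "DMZ Subnet": "172.16.5.0/24",
}
INTERNAL_SUBNETS = ["LAN Subnet", "DMZ Subnet"]
VPN_ACCESS = {
    "alice": ["File Server", DEFAULT_ROUTE_OBJECT],
    "bob": ["LAN Subnet", DEFAULT_ROUTE_OBJECT],
    "carol": ["File Server"],
}

def is_covered(target, access_list):
    """True if every address in `target` falls inside some listed object."""
    net = ipaddress.ip_network(ADDRESS_OBJECTS[target])
    return any(net.subnet_of(ipaddress.ip_network(ADDRESS_OBJECTS[name]))
               for name in access_list)

def audit(vpn_access):
    """Map each principal to the internal subnets it reaches only because
    the default-route object is in its VPN Access list."""
    findings = {}
    for principal, objects in vpn_access.items():
        if DEFAULT_ROUTE_OBJECT not in objects:
            continue
        intended = [o for o in objects if o != DEFAULT_ROUTE_OBJECT]
        widened = [s for s in INTERNAL_SUBNETS
                   if is_covered(s, objects) and not is_covered(s, intended)]
        if widened:
            findings[principal] = widened
    return findings

if __name__ == "__main__":
    for principal, subnets in audit(VPN_ACCESS).items():
        print(f"{principal}: default-route object also grants {', '.join(subnets)}")
```
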
 

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


  1. Navigate to NETWORK | SSL VPN | Client Settings screen, configure Default Device Profile.

  2. Click on Client routes.

  3. On the Device | Local Users and Groups screen, configure the SSLVPN Services group and, under the “VPN Access” tab, add the object WAN Remote Access Networks.

    NOTE: No custom rules are needed on the Policy | Access Rules screen for this to work. You can see auto-added rules in the section SSLVPN to WAN. 





Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


  1. Log in to the SonicWall management page.
  2. Navigate to the SSL-VPN | Client Settings screen, configure Default Device Profile and click the Client Routes tab.

  3. Select Enabled in Tunnel All Mode option.

  4. On the Users | Local Groups screen, configure the SSLVPN Services group and, under the “VPN Access” tab, add the object WAN Remote Access Networks.

    NOTE: No custom rules are needed on the Firewall | Access Rules screen for this to work.  You can see auto-added rules in the section SSLVPN to WAN.
