Secure Mobile Access 100 10.2 NetExtender Feature Guide
NetExtender FAQ
-
Does NetExtender work on operating systems other than Windows?
Answer: Yes. See the following supported platforms:
Linux Requirements:
- Ubuntu 18.04+
- Debian 10+
- Fedora 34+
- OpenSUSE 15.5+
Separate NetExtender installation packages are also downloadable from MySonicWall.com for each release.
-
Which versions of Windows does NetExtender support?
Answer: NetExtender supports Windows 10/11.
-
Can I block communication between NetExtender clients?
Answer: Yes, this can be achieved with the User/Group/Global Policies by adding a ‘deny’ policy for the NetExtender IP range.
-
Can NetExtender run as a Windows service?
Answer: NetExtender can be installed and configured to run as a Windows service, allowing systems to log in to domains across the NetExtender client.
-
What range do I use for NetExtender IP client address range?
Answer: This range is the pool of addresses assigned to incoming NetExtender clients. NetExtender clients appear as though they are on the internal network, much like the Virtual Adapter capability found in SonicWall Inc.’s Global VPN Client. You should dedicate one IP address for each active NetExtender session, so if you expect 20 simultaneous NetExtender sessions to be the maximum, create a range of 20 open IP addresses. Ensure that these IP addresses are open and not used by other network appliances or contained within the scope of other DHCP servers.
For example, if your SMA appliance is in one-port mode on the X0 interface using the default IP address 192.168.200.1, create a pool of addresses from 192.168.200.151 to 192.168.200.171. Users can also assign NetExtender IPs dynamically using the DHCP option.
-
What do I enter for NetExtender client routes?
Answer: These are the networks that are sent to remote NetExtender clients and should contain all networks that you wish to give your NetExtender clients access to. For example, if your SMA appliance was in one-port mode, attached to a SonicWall Inc. NSA 3500 appliance on a DMZ using 192.168.200.0/24 as the subnet for that DMZ, and the SonicWall Inc. NSA 3500 had two LAN subnets of 192.168.168.0/24 and 192.168.170.0/24, you would enter those two LAN subnets as the client routes to provide NetExtender clients access to network resources on both of those LAN subnets.
-
What does the ‘Tunnel All Mode’ option do?
Answer: Activating this feature causes the SMA appliance to push down two default routes that tell the active NetExtender client to send all traffic through the SMA appliance. This feature is useful in environments where the SMA appliance is deployed in tandem with a SonicWall Inc. security appliance running all UTM services, as it allows you to scan all incoming and outgoing NetExtender user traffic for viruses, spyware, intrusion attempts, and content filtering.
-
Is there any way to see what routes the SMA appliance is sending NetExtender?
Answer: Yes, right-click the NetExtender icon in the taskbar and select route information. From this menu, you can also get status and connection information.
-
How do I get new versions of NetExtender?
Answer: New versions of NetExtender are included in each SonicWall Inc. Secure Mobile Access firmware release and contain version control information. If the SMA appliance has been upgraded with new software, and a connection is made from a system using a previous, older version of NetExtender, it is automatically upgraded to the new version.
There is one exception to the automatic upgrading feature: it is not supported for the MSI version of NetExtender. If NetExtender was installed with the MSI package, it must be upgraded with a new MSI package. The MSI package is designed for the administrator to deploy NetExtender through Active Directory, allowing full version control through Active Directory.
-
How does NetExtender differ from traditional IPSec VPN clients, such as SonicWall Inc.’s Global VPN Client (GVC)?
Answer: NetExtender is designed as an extremely lightweight client that is installed through a Web browser connection. It utilizes the security transforms of the browser to create a secure, encrypted tunnel between the client and the SMA appliance.
-
Is NetExtender encrypted?
Answer: Yes, it uses whatever cipher the NetExtender client and SMA appliance negotiate during the SSL connection.
-
What are the advantages of using NetExtender instead of a Proxy Application?
Answer: NetExtender allows full connectivity over an encrypted connection, allowing the user to directly connect to internal network resources. For example, a remote user could launch NetExtender to directly connect to file shares on a corporate network.
-
Does performance change when using NetExtender instead of proxy?
Answer: Yes. NetExtender connections put minimal load on the SMA appliances, whereas many proxy-based connections might put substantial strain on the SMA appliance. Note that HTTP proxy connections use compression to reduce the load and increase performance. Content received by Secure Mobile Access from the local Web server is compressed using gzip before sending it over the Internet to the remote client. Compressing content sent from the SMA saves bandwidth and results in higher throughput. Furthermore, only compressed content is cached, saving nearly 40-50 percent of the required memory. Note that gzip compression is not available on the local (clear text side) of the SMA appliance, or for HTTPS requests from the remote client.
-
The SMA appliance is application-dependent; how can I address non-standard applications?
Answer: You can use NetExtender to provide access for any application that cannot be accessed using internal proxy mechanisms - HTTP, HTTPS, FTP, RDP5, Telnet, and SSHv2. Application Offloading can also be used for Web applications. In this way, the SMA appliance functions like an SSL offloader and proxies Web application pages without the need for URL rewriting.
-
Does NetExtender support client-side certificates?
Answer: Yes, the Windows NetExtender client supports client certificate authentication from the stand-alone client. Users can also authenticate to the Secure Mobile Access portal and launch NetExtender.
-
My firewall is dropping NetExtender connections from my SonicWall SMA as being spoofs. Why?
Answer: If the NetExtender addresses are on a different subnet than the X0 interface, a rule needs to be created for the firewall to know that these addresses are coming from the SMA appliance.
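The client address range guidance earlier in this FAQ (one address per session, addresses not used elsewhere or inside a DHCP scope) and the spoof-drop answer above can be checked before a range is entered on the appliance. The following Python sketch is an added example, not SonicWall code; the function name `check_pool`, the finding codes, and the 192.168.201.x values are constructed for illustration.

```python
import ipaddress

def check_pool(first, last, x0_iface, max_sessions, dhcp_scopes=(), in_use=()):
    """Return a list of (code, detail) findings for a NetExtender client range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    x0 = ipaddress.ip_interface(x0_iface)
    findings = []

    # One address is needed per active NetExtender session.
    size = int(hi) - int(lo) + 1
    if size < max_sessions:
        findings.append(("pool-too-small", f"{size} addresses for {max_sessions} sessions"))

    # Addresses must be free: not the appliance, not another host, not in a DHCP scope.
    if lo <= x0.ip <= hi:
        findings.append(("contains-appliance-ip", str(x0.ip)))
    for host in map(ipaddress.ip_address, in_use):
        if lo <= host <= hi:
            findings.append(("address-in-use", str(host)))
    for start, end in dhcp_scopes:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s <= hi and lo <= e:  # closed intervals overlap
            findings.append(("overlaps-dhcp-scope", f"{start}-{end}"))

    # A pool outside the X0 subnet needs a firewall rule, or its traffic is
    # dropped as spoofed (see the last FAQ answer).
    if lo not in x0.network or hi not in x0.network:
        findings.append(("off-x0-subnet", f"firewall rule needed for {first}-{last}"))
    elif lo == x0.network.network_address or hi == x0.network.broadcast_address:
        findings.append(("includes-reserved-address", str(x0.network)))
    return findings

# Values from the FAQ: X0 at 192.168.200.1 on the 192.168.200.0/24 DMZ, 20 sessions.
GUIDE = check_pool("192.168.200.151", "192.168.200.171", "192.168.200.1/24", 20)

# Constructed misconfiguration: short pool on another subnet, clashing with a
# DHCP scope and a statically addressed host (all values are made up).
BAD = check_pool("192.168.201.10", "192.168.201.20", "192.168.200.1/24", 20,
                 dhcp_scopes=[("192.168.201.15", "192.168.201.50")],
                 in_use=["192.168.201.12"])

if __name__ == "__main__":
    print("guide example:", GUIDE or "no findings")
    for code, detail in BAD:
        print(code, "-", detail)
```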