• SonicOS 7.0
• About SSL VPN
• Configuring SSL VPN Server Behavior
• Configuring SSL VPN Client
• Configuring the SSL VPN Web Portal
• Viewing SSL VPN Sessions
• Configuring Virtual Office
• LAN configuration through SSL VPN client
• SonicWall Support
  • About This Document

About SSL VPN

This section provides information on how to configure the SSL VPN features on the SonicWall network security appliance. SonicWall’s SSL VPN features provide secure remote access to the network using the NetExtender client.

NetExtender is an SSL VPN client for Windows, or Linux users that is downloaded transparently. It allows you to run any application securely on the network and uses Point-to-Point Protocol (PPP). NetExtender allows remote clients seamless access to resources on your local network. Users can access NetExtender two ways:

• Logging in to the Virtual Office web portal provided by the SonicWall network security appliance
• Launching the standalone NetExtender client

Each SonicWall appliance supports a maximum number of concurrent remote users. Refer to the the Maximum number of concurrent SSL VPN users for details.

Maximum Concurrent Users (Hardware firewalls)

SonicWall appliance model	Maximum concurrent SSL VPN connections
NSa 9650	3000
NSa 9450	3000
NSa 9250	3000
NSa 6650	2000
NSa 5650	1500
NSa 4650	1000
NSa 3650	500
NSa 2650	350
SM 9600	3000
SM 9400	3000
SM 9200	3000
NSA 6600	1500
NSA 5600	1000
NSA 4600	500
NSA 3600	350
NSA 2600	250
TZ600/TZ600P	200
TZ500/TZ500 W	150
TZ400/TZ400 W	100
TZ350/TZ350 W	75
TZ300/TZ300 W/TZ300P	50
SOHO 250/SOHO 250W	25

Maximum Concurrent Users (VMware)

VMware ESXi appliance model	Maximum concurrent SSL VPN connections
10	10
25	25
50	25
100	25
200	50
300	50
400	50
800	50
1600	50

Maximum Concurrent Users (AZURE)

Azure appliance model	Maximum concurrent SSL VPN connections
10	10
25	25
50	25
100	25
200	100
400	100
800	100
1600	100

Maximum Concurrent Users (AWS)

AWS appliance model	Maximum concurrent SSL VPN connections
10	10
25	25
50	25
100	25
200	50
400	50
800	50
1600	50

Maximum Concurrent Users (AWS - PAYG)

AWS - PAYG appliance model	Maximum concurrent SSL VPN connections
200	50
400	50
800	50
1600	50

Maximum Concurrent Users (Linux kvm)

Linux KVM appliance model	Maximum concurrent SSL VPN connections
10	10
25	25
50	25
100	25
200	50
300	50
400	50
800	50
1600	50

Maximum Concurrent Users (Microsoft hyper-V)

Microsoft Hyper-V appliance model	Maximum concurrent SSL VPN connections
10	10
25	25
50	25
100	25
200	50
300	50
400	50
800	50
1600	50

SonicOS supports NetExtender connections for users with IPv6 addresses. The address objects drop-down menu includes all the predefined IPv6 address objects.

IPv6 Wins Server is not supported. IPv6 FQDN is supported.

SSL VPN connectivity is available when Wireless Controller Mode on the DEVICE | Settings > Administraton > Feature Visibility > Wireless Controller Mode, and is set to either Full-Feature-Gateway or Non-Wireless. If Wireless-Controller-Only is enabled for Wireless Controller Mode, SSL VPN interfaces are not available.

NETWORK|SSL VPN > Server Settings > SSL VPN SSL VPN Status on Zones displays inactive status for all zones, and SSL VPN zones are not editable.

• About NetExtender
• Configuring Users for SSL VPN Access
• Biometric Authentication

About NetExtender

SonicWall SSL VPN NetExtender is a transparent software application for Windows, and Linux users that enables remote users to securely connect to the company network. With NetExtender, remote users can securely run any application on the company network. Users can upload and download files, mount network drives, and access resources as if they were on the local network.

NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPsec VPN client. Linux systems can also install and use the NetExtender client. Windows users need to download the client from the portal, and those with mobile devices need to download Mobile Connect from the application store.

The NetExtender standalone client can be installed the first time the user launches NetExtender from the portal. Thereafter, it can be accessed directly from the Start menu on Windows systems, or by he path name or from the shortcut bar on Linux systems.

After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL VPN, point-to-point access to permitted hosts and subnets on the internal network.

• Creating an Address Object for the NetExtender Range
• Setting Up Access
• Configuring Proxies
• Installing the Stand-Alone Client

Creating an Address Object for the NetExtender Range

As a part of the NetExtender configuration, you need to create an address object for the NetExtender IP address range. This address object is then used when configuring the Device Profiles.

You can create address objects for both an IPv4 address range and an IPv6 address range to be used in the SSL VPN > Client Settings configuration. The address range configured in the address object defines the IP address pool from which addresses are assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you intend to support. You might want to allow for a few extra addresses for growth, but it is not required.

In cases where other hosts are on the same segment as the appliance, the address range must not overlap or collide with any assigned addresses.

To create an address object for the NetExtender IP address range

1. Navigate to OBJECTS > Address Objects.

2. Click Add.

   

3. Type a descriptive name in the Name field.
4. For Zone Assignment, select SSLVPN.
5. For Type, select Range.

6. In the Starting IP Address field, type in the lowest IP address in the range you want to use.

   NOTE:The IP address range must be on the same subnet as the interface used for SSL VPN services. Ensure that IP address range does not collide with other assigned ranges.

7. In the Ending IP Address field, type in the highest IP address in the range you want to use.

   

8. Click Save.

Setting Up Access

NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources. Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is done by adding the following routes to the remote client’s route table:

Routes to be Added to Remote Client’s Route Table

IP Address	Subnet mask
0.0.0.0	0.0.0.0
0.0.0.0	128.0.0.0
128.0.0.0	128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user is has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.

To configure Tunnel All mode, you must also configure an address object for 0.0.0.0, and assign SSL VPN NetExtender users and groups to have access to this address object.

Administrators also have the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.

Configuring Proxies

SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.

NetExtender provides three options for configuring proxy settings:

• Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol), which can push the proxy settings script to the client automatically.
• Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
• Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window prompts you to enter them when you first connect.

When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the firewall server directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.

Installing the Stand-Alone Client

The first time a user launches NetExtender, the installer can be downloaded and run on the user's system. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer uninstalls or requests the user to uninstall the old NetExtender first and then can install the new version.

After the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu or system tray and can configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.

Complete instructions for installing NetExtender on a SonicWall appliance can be found in How to setup SSL-VPN feature (NetExtender Access) on SonicOS 5.9 & above (SW10657) in the Knowledge Base.

The video, How to configure SSL VPN, also explains the procedure for configuring NetExtender.

Configuring Users for SSL VPN Access

For users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group. Users attempting to login through the Virtual Office and who do not belong to the SSLVPN Services group are denied access.

Topics:

• For Local Users
• For RADIUS and LDAP Users
• For Tunnel All Mode Access

For Local Users

The following is a quick reference, listing the User settings needed to enable SSLVPN Services.

To configure SSL VPN access for local users

1. Navigate to Device | Users > Local Users & Groups.

   

2. Click the Edit icon for the user you want to set up, or click Add User to create a new user.
3. Select Groups.
4. In the User Groups column, select SSLVPN Services and click the Right Arrow to move it to the Member Of column.

5. Select VPN Access and move the appropriate network resources VPN users (GVC, NetExtender, or Virtual Office bookmarks) to the Access List.

   The VPN Access settings affect the ability of remote clients using GVC, NetExtender, or SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the Access List on VPN Access.

6. Click OK.

For RADIUS, LDAP and TACACS+ Users

The procedure for configuring RADIUS, LDAP and TACACS+ users is similar. You need to add the users to the SSL VPN Services user group.

To configure SSL VPN access for RADIUS, LDAP and TACACS+ users

1. Select the Device|Users > Settings view and click on the Authentication tab.

   

2. In the User authentication method field, select RADIUS or RADIUS + Local Users.
   1. Select CONFIGURE RADIUS.
   2. Select the RADIUS Users tab.
   3. In Default user group to which all RADIUS users belong drop-down list select SSLVPN Services.
3. In the User authentication method field,select LDAP or LDAP + Local Users.
   1. Select CONFIGURE LDAP.
   2. Select the Users & Groups tab.
   3. In Default LDAP user group select drop-down list select SSLVPN Services.
4. Click OK.

For Tunnel All Mode Access

The detailed process for adding and configuring local users and groups is described in SonicOS Users. The following is a quick reference, listing the User settings needed to set up users and groups for Tunnel All mode.

To configure SSL VPN NetExtender users and groups for Tunnel All Mode

1. Navigate to Device | User | Local Users & Groups.

   

2. Click on Add icon and define SSLVPN as a selected group.
3. Select VPN Access.

4. Select the WAN RemoteAccess Networks address object and click Right Arrow to move it to the Access List.

   

5. 5 Repeat the processes for all local users and groups that use SSL VPN NetExtender.

Biometric Authentication

To use biometric authentication, Mobile Connect 4.0 or higher must be installed on the mobile device and configured to connect with the firewall.

SonicOS supports biometric authentication in conjunction with SonicWall Mobile Connect. Mobile Connect is an application that allows users to securely access private networks from a mobile device. With Mobile Connect 4.0 you can use finger-touch for authentication as a substitute for username and password.

The configuration settings to allow this method of authentication are on the NETWORKS | SSL VPN > Client Settings page. These options only show when Mobile Connect is used to connect to the firewall.

After configuring biometric authentication on the SSL VPN > Client Settings page, Touch ID (iOS) or Fingerprint Authentication (Android) need to be enabled on the user’s smart phone or other mobile device.