SonicOS 7.1 SSL VPN
About SSL VPN
This section provides information on how to configure the SSL VPN features on the SonicWall network security appliance. SonicWall’s SSL VPN features provide secure remote access to the network using the NetExtender client.
NetExtender is an SSL VPN client for Windows or Linux users that is downloaded transparently. It allows you to run any application securely on the network and uses Point-to-Point Protocol (PPP). NetExtender gives remote clients seamless access to resources on your local network. Users can access NetExtender in two ways:
- Logging in to the Virtual Office web portal provided by the SonicWall network security appliance
- Launching the standalone NetExtender client
Each SonicWall appliance supports a maximum number of concurrent remote users. Refer to the Maximum number of concurrent SSL VPN users tables below for details.
SonicWall appliance model | Maximum concurrent SSL VPN connections |
---|---|
NSa 9650 | 3000 |
NSa 9450 | 3000 |
NSa 9250 | 3000 |
NSa 6650 | 2000 |
NSa 5650 | 1500 |
NSa 4650 | 1000 |
NSa 3650 | 500 |
NSa 2650 | 350 |
SM 9600 | 3000 |
SM 9400 | 3000 |
SM 9200 | 3000 |
NSA 6600 | 1500 |
NSA 5600 | 1000 |
NSA 4600 | 500 |
NSA 3600 | 350 |
NSA 2600 | 250 |
TZ600/TZ600P | 200 |
TZ500/TZ500 W | 150 |
TZ400/TZ400 W | 100 |
TZ350/TZ350 W | 75 |
TZ300/TZ300 W/TZ300P | 50 |
SOHO 250/SOHO 250W | 25 |
VMware ESXi appliance model | Maximum concurrent SSL VPN connections |
---|---|
10 | 10 |
25 | 25 |
50 | 25 |
100 | 25 |
200 | 50 |
300 | 50 |
400 | 50 |
800 | 50 |
1600 | 50 |
Azure appliance model | Maximum concurrent SSL VPN connections |
---|---|
10 | 10 |
25 | 25 |
50 | 25 |
100 | 25 |
200 | 100 |
400 | 100 |
800 | 100 |
1600 | 100 |
AWS appliance model | Maximum concurrent SSL VPN connections |
---|---|
10 | 10 |
25 | 25 |
50 | 25 |
100 | 25 |
200 | 50 |
400 | 50 |
800 | 50 |
1600 | 50 |
AWS - PAYG appliance model | Maximum concurrent SSL VPN connections |
---|---|
200 | 50 |
400 | 50 |
800 | 50 |
1600 | 50 |
Linux KVM appliance model | Maximum concurrent SSL VPN connections |
---|---|
10 | 10 |
25 | 25 |
50 | 25 |
100 | 25 |
200 | 50 |
300 | 50 |
400 | 50 |
800 | 50 |
1600 | 50 |
Microsoft Hyper-V appliance model | Maximum concurrent SSL VPN connections |
---|---|
10 | 10 |
25 | 25 |
50 | 25 |
100 | 25 |
200 | 50 |
300 | 50 |
400 | 50 |
800 | 50 |
1600 | 50 |
SonicOS supports NetExtender connections for users with IPv6 addresses. The address objects drop-down menu includes all the predefined IPv6 address objects.
IPv6 WINS Server is not supported. IPv6 FQDN is supported.
SSL VPN connectivity is available when Wireless Controller Mode on the DEVICE | System > Administration page is set to either Full-Feature-Gateway or Non-Wireless. If Wireless-Controller-Only is selected for Wireless Controller Mode, SSL VPN interfaces are not available.
In that case, the SSL VPN Status on Zones table on NETWORK | SSL VPN > Server Settings displays an inactive status for all zones, and SSL VPN zones are not editable.
About NetExtender
SonicWall SSL VPN NetExtender is a transparent software application for Windows and Linux users that enables remote users to securely connect to the company network. With NetExtender, remote users can securely run any application on the company network. Users can upload and download files, mount network drives, and access resources as if they were on the local network.
NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPsec VPN client. Linux systems can also install and use the NetExtender client. Windows users need to download the client from the portal, and those with mobile devices need to download Mobile Connect from the application store.
The NetExtender standalone client can be installed the first time the user launches NetExtender from the portal. Thereafter, it can be accessed directly from the Start menu on Windows systems, or by the path name or from the shortcut bar on Linux systems.
After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL VPN, point-to-point access to permitted hosts and subnets on the internal network.
- Creating an Address Object for the NetExtender Range
- Setting Up Access
- Configuring Proxies
- Installing the Stand-Alone Client
Creating an Address Object for the NetExtender Range
As a part of the NetExtender configuration, you need to create an address object for the NetExtender IP address range. This address object is then used when configuring the Device Profiles.
You can create address objects for both an IPv4 address range and an IPv6 address range to be used in the SSL VPN > Client Settings configuration. The address range configured in the address object defines the IP address pool from which addresses are assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you intend to support. You might want to allow for a few extra addresses for growth, but it is not required.
In cases where other hosts are on the same segment as the appliance, the address range must not overlap or collide with any assigned addresses.
To create an address object for the NetExtender IP address range
- Navigate to OBJECTS > Address Objects.
- Click Add.
- Type a descriptive name in the Name field.
- For Zone Assignment, select SSLVPN.
- For Type, select Range.
- In the Starting IP Address field, type in the lowest IP address in the range you want to use.
  NOTE: The IP address range must be on the same subnet as the interface used for SSL VPN services. Ensure that the IP address range does not collide with other assigned ranges.
- In the Ending IP Address field, type in the highest IP address in the range you want to use.
- Click ADD.
- Click CLOSE.
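The checks the note above asks for (range inside the SSL VPN interface subnet, no collision with already assigned addresses, enough addresses for the concurrent users the appliance will carry) can be made before anything is typed into the firewall. The following Python validator is an added example written for this page, not SonicWall code; the interface subnet, the existing DHCP scope and the user count in its usage block are constructed values (the 150 matches the TZ500 figure in the table above).

```python
from ipaddress import ip_address, ip_network


def validate_netextender_range(start, end, interface_subnet, existing_ranges, max_users):
    """Return a list of problem codes for a proposed NetExtender address range.

    An empty list means the range passes every check:
      order          - start address is above the end address
      outside_subnet - range is not wholly inside the SSL VPN interface subnet
      reserved       - range includes the subnet's network or broadcast address
      overlap        - range collides with an already assigned range
      capacity       - fewer addresses than the concurrent users to be supported
    """
    problems = []
    lo, hi = ip_address(start), ip_address(end)
    subnet = ip_network(interface_subnet, strict=False)

    if lo > hi:
        problems.append("order")
        lo, hi = hi, lo  # carry on checking the swapped pair

    if lo not in subnet or hi not in subnet:
        problems.append("outside_subnet")
    elif lo == subnet.network_address or hi == subnet.broadcast_address:
        problems.append("reserved")

    # Two closed intervals [lo, hi] and [o_lo, o_hi] intersect when each
    # starts no later than the other ends.
    for other_start, other_end in existing_ranges:
        o_lo, o_hi = ip_address(other_start), ip_address(other_end)
        if lo <= o_hi and o_lo <= hi:
            problems.append("overlap")
            break

    if int(hi) - int(lo) + 1 < max_users:
        problems.append("capacity")

    return problems


if __name__ == "__main__":
    # Constructed scenario: SSL VPN interface on 192.168.168.0/24, a DHCP
    # scope .10-.100 already handed out, and 150 concurrent users expected.
    assigned = [("192.168.168.10", "192.168.168.100")]
    good = ("192.168.168.101", "192.168.168.250")
    bad = ("192.168.168.90", "192.168.168.200")
    for candidate in (good, bad):
        result = validate_netextender_range(*candidate, "192.168.168.0/24", assigned, 150)
        print(candidate, "->", result or "OK")
```

Run it as a script to see the good range pass and the bad range flagged for both the collision with the DHCP scope and the shortfall of addresses.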
Setting Up Access
NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources. Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is done by adding the following routes to the remote client’s route table:
IP Address | Subnet mask |
---|---|
0.0.0.0 | 0.0.0.0 |
0.0.0.0 | 128.0.0.0 |
128.0.0.0 | 128.0.0.0 |
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
To configure Tunnel All mode, you must also configure an address object for 0.0.0.0, and assign SSL VPN NetExtender users and groups to have access to this address object.
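To see why the three routes in the table above are enough to pull every packet into the tunnel, it helps to run the client's route selection by hand. The simulator below is an added example written for this page, not NetExtender code: it applies longest-prefix matching with the lower metric winning on a tie (the usual operating-system convention) to a constructed route table for the remote user from the paragraph above (10.0.67.64 on 10.0.0.0/16, home router 10.0.0.1), and compares a split-tunnel table with the Tunnel All table. Next-hop labels, metric values and the corporate network 192.168.100.0/24 are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# The three Tunnel All routes from the table above, as
# (destination, mask, next hop, metric). Hop labels and metrics are constructed.
TUNNEL_ALL_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "sslvpn", 1),
    ("0.0.0.0", "128.0.0.0", "sslvpn", 1),
    ("128.0.0.0", "128.0.0.0", "sslvpn", 1),
]

# Constructed base table of a remote user at 10.0.67.64 on the 10.0.*.*
# network whose home router 10.0.0.1 is the default gateway.
BASE_ROUTES = [
    ("10.0.0.0", "255.255.0.0", "local-lan", 25),  # directly connected network
    ("0.0.0.0", "0.0.0.0", "10.0.0.1", 25),        # existing default route
]


def lookup(routes, dest):
    """Next hop for dest: longest matching prefix wins; on a tie the route
    with the lower metric wins."""
    d = ip_address(dest)
    best_key, best_hop = None, None
    for ip, mask, hop, metric in routes:
        net = ip_network(f"{ip}/{mask}", strict=False)
        if d in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_hop = key, hop
    return best_hop


def split_tunnel_table(corporate_nets):
    """Split tunnel: only the listed corporate networks are routed through
    NetExtender; everything else keeps using the existing routes."""
    extra = []
    for n in corporate_nets:
        net = ip_network(n)
        extra.append((str(net.network_address), str(net.netmask), "sslvpn", 1))
    return BASE_ROUTES + extra


def tunnel_all_table():
    """Tunnel All: the two /1 routes are more specific than the existing
    default, and the route NetExtender adds for the user's own 10.0.*.*
    network is preferred over the connected one, so local traffic also
    traverses the tunnel."""
    return BASE_ROUTES + TUNNEL_ALL_ROUTES + [("10.0.0.0", "255.255.0.0", "sslvpn", 1)]


def bypasses_tunnel(routes, dest):
    """True when traffic to dest never reaches the firewall for inspection."""
    return lookup(routes, dest) != "sslvpn"


if __name__ == "__main__":
    split = split_tunnel_table(["192.168.100.0/24"])
    everything = tunnel_all_table()
    for dest in ("192.168.100.7", "8.8.8.8", "200.1.2.3", "10.0.67.1"):
        print(f"{dest:14} split -> {lookup(split, dest):10} tunnel all -> {lookup(everything, dest)}")
```

In split-tunnel mode the Internet and the user's own LAN are reached without the firewall ever seeing the traffic; with the Tunnel All routes installed every destination resolves to the tunnel, which is the behaviour the 0.0.0.0 address object assignment is meant to produce.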
Administrators also have the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.
Configuring Proxies
SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
- Automatically detect settings - To use this setting, the proxy server must support the Web Proxy Auto Discovery (WPAD) Protocol, which can push the proxy settings script to the client automatically.
- Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
- Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window prompts you to enter them when you first connect.
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the firewall server directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.
Installing the Stand-Alone Client
The first time a user launches NetExtender, the installer can be downloaded and run on the user's system. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer uninstalls or requests the user to uninstall the old NetExtender first and then can install the new version.
After the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu or system tray and can configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.
Complete instructions for installing NetExtender on a SonicWall appliance can be found in How to setup SSL-VPN feature (NetExtender Access) on SonicOS 5.9 & above (SW10657) in the Knowledge Base.
The video, How to configure SSL VPN, also explains the procedure for configuring NetExtender.
Configuring Users for SSL VPN Access
For users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group. Users attempting to login through the Virtual Office and who do not belong to the SSLVPN Services group are denied access.
Topics:
- For Local Users
- For RADIUS, LDAP and TACACS+ Users
- For Tunnel All Mode Access
For Local Users
The following is a quick reference, listing the User settings needed to enable SSLVPN Services.
To configure SSL VPN access for local users
- Navigate to MANAGE | System Setup | Users > Local Users & Groups.
- Click the Edit icon for the user you want to set up, or click Add User to create a new user.
- Select Groups.
- In the User Groups column, select SSLVPN Services and click the Right Arrow to move it to the Member Of column.
- Select VPN Access and move the network resources that VPN users (GVC, NetExtender, or Virtual Office bookmarks) need to the Access List.
  The VPN Access settings affect the ability of remote clients using GVC, NetExtender, or SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the Access List on VPN Access.
- Click OK.
For RADIUS, LDAP and TACACS+ Users
The procedure for configuring RADIUS, LDAP and TACACS+ users is similar. You need to add the users to the SSL VPN Services user group.
To configure SSL VPN access for RADIUS, LDAP and TACACS+ users
- Select the OBJECT | User Object > Settings view and click the Authentication tab.
- In the User authentication method field, select RADIUS or RADIUS + Local Users, or select LDAP or LDAP + Local Users.
- Click CONFIGURE RADIUS or CONFIGURE LDAP.
- Select RADIUS Users > Users & Groups.
- Select SSLVPN Services in the appropriate field: Default user group to which all RADIUS users belong, or Default LDAP User Group.
- Click OK.
For Tunnel All Mode Access
The detailed process for adding and configuring local users and groups is described in SonicOS Users. The following is a quick reference, listing the User settings needed to set up users and groups for Tunnel All mode.
To configure SSL VPN NetExtender users and groups for Tunnel All Mode
- Navigate to OBJECTS | User Objects | Users > Local Users & Groups.
- Click the Add icon and define SSLVPN as a selected group.
- Select VPN Access.
- Select the WAN RemoteAccess Networks address object and click the Right Arrow to move it to the Access List.
- Repeat the process for all local users and groups that use SSL VPN NetExtender.
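The three procedures above share one access model: membership in SSLVPN Services gates the login (whether the user is local or gets the group through the RADIUS or LDAP default-group setting), and the VPN Access lists of the user and every group they belong to decide which address objects are reachable, with the 0.0.0.0 object being what makes Tunnel All usable. The following Python evaluator is an added example for this page, not SonicOS code; the address objects (other than the WAN RemoteAccess Networks object named above), the groups Finance and TunnelAll Users, and all addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed address objects. "WAN RemoteAccess Networks" is the object the
# Tunnel All steps above use; the other two names are assumptions.
ADDRESS_OBJECTS = {
    "LAN Subnets": ["192.168.168.0/24", "10.10.0.0/16"],
    "File Server": ["192.168.168.50/32"],
    "WAN RemoteAccess Networks": ["0.0.0.0/0"],  # the 0.0.0.0 object Tunnel All needs
}

# VPN Access lists per group (constructed). "SSLVPN Services" is the group
# from the section above; "Finance" and "TunnelAll Users" are assumptions.
GROUP_VPN_ACCESS = {
    "SSLVPN Services": ["LAN Subnets"],
    "Finance": ["File Server"],
    "TunnelAll Users": ["WAN RemoteAccess Networks"],
}

# Default group every RADIUS or LDAP user receives, standing in for the
# "Default user group to which all RADIUS users belong" and
# "Default LDAP User Group" settings. Local users get no default group.
DEFAULT_GROUP = {"radius": "SSLVPN Services", "ldap": "SSLVPN Services"}


def effective_groups(user_groups, auth_method):
    """Explicit group memberships plus the default group for the auth method."""
    groups = set(user_groups)
    if auth_method in DEFAULT_GROUP:
        groups.add(DEFAULT_GROUP[auth_method])
    return groups


def authorize(user_groups, auth_method, dest, user_access=()):
    """Return (allowed, reason) for a NetExtender user trying to reach dest.

    user_access is the user's own VPN Access list; group lists are merged in.
    """
    groups = effective_groups(user_groups, auth_method)
    if "SSLVPN Services" not in groups:
        return False, "not a member of SSLVPN Services"

    access = set(user_access)
    for g in groups:
        access.update(GROUP_VPN_ACCESS.get(g, ()))

    d = ip_address(dest)
    for name in sorted(access):  # sorted for a deterministic reason string
        if any(d in ip_network(n) for n in ADDRESS_OBJECTS[name]):
            return True, f"allowed by VPN Access entry {name}"
    return False, "no VPN Access entry covers this address"


if __name__ == "__main__":
    cases = [
        (["Finance"], "local", "192.168.168.50", ()),          # local user, no SSLVPN Services
        (["Finance"], "radius", "192.168.168.50", ()),         # same groups via RADIUS default group
        (["SSLVPN Services"], "local", "8.8.8.8", ()),          # no object covers the Internet
        (["SSLVPN Services", "TunnelAll Users"], "local", "8.8.8.8", ()),
    ]
    for groups, method, dest, extra in cases:
        print(groups, method, dest, "->", authorize(groups, method, dest, extra))
```

The second case is the RADIUS/LDAP point from the section above: the user is never explicitly placed in SSLVPN Services, yet the default-group setting admits them, so that setting deserves the same review as the group itself.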
Biometric Authentication
To use biometric authentication, Mobile Connect 4.0 or higher must be installed on the mobile device and configured to connect with the firewall.
SonicOS supports biometric authentication in conjunction with SonicWall Mobile Connect. Mobile Connect is an application that allows users to securely access private networks from a mobile device. With Mobile Connect 4.0 you can use finger-touch for authentication as a substitute for username and password.
The configuration settings that allow this method of authentication are on the NETWORK | SSL VPN > Client Settings page. These options only appear when Mobile Connect is used to connect to the firewall.
After configuring biometric authentication on the SSL VPN > Client Settings page, Touch ID (iOS) or Fingerprint Authentication (Android) must be enabled on the user’s smart phone or other mobile device.