Step 4 Enter the host name or private IP address of the backend host into the Application Server
Host field.
Step 5 Optionally enter the IPv6 address of the backend host into the Application Server IPv6
Address field.
Step 6 In the Port Number (optional) field, optionally enter a custom port number to use for accessing
the application.
Step 7 In the Homepage URI (optional) field, optionally enter a URI to a specific resource on the Web
server to which the user will be forwarded after logging in. This is a string in the form of:
/exch/test.cgi?key1=value1&key2=value2
Step 8 Select the Enable URL Rewriting for self-referenced URLs checkbox if you want absolute
URLs that refer to this application server in HTML, Javascript, or CSS content to be rewritten.
Step 9 Under Security Settings, select the Disable Authentication Controls, Access Policies, and
CSRF Protection (if enabled) checkbox if you need no authentication, access policies, or
CSRF protection enforced. This is useful for publicly hosted Web sites.
Step 10 Select the Automatically Login checkbox to configure Single Sign-On settings.
Step 11 For automatic login, select one of the following radio buttons:
Use SSL-VPN account credentials allow login to the offloaded application using the
credentials configured on the SSL-VPN appliance
Use custom credentials displays Username, Password, and Domain fields where you
can enter the custom credentials for the application or use dynamic variables such as those
shown below:
Text Usage      Variable        Example Usage
Login Name      %USERNAME%      US\%USERNAME%
Domain Name     %USERDOMAIN%    %USERDOMAIN%\%USERNAME%
Group Name      %USERGROUP%     %USERGROUP%\%USERNAME%
Password        %PASSWORD%      %PASSWORD% or leave the field blank
Step 12 If you selected Automatically Login, select the Forms-based Authentication checkbox to
configure Single Sign-On for forms-based authentication.
Configure the User Form Field to be the same as the name and id attribute of the HTML
element representing User Name in the Login form, for example:
<input type=text name=userid>
Configure the Password Form Field to be the same as the name or id attribute of the
HTML element representing Password in the Login form, for example:
<input type=password name=PASSWORD id=PASSWORD maxlength=128>
Step 13 On the Virtual Host tab, set a host name for the application in the Virtual Host Domain Name
field, and optionally enter a descriptive alias in the Virtual Host Alias field.
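The following Python is an added example and is not code from the SonicWALL guide or the appliance. It shows how the User Form Field and Password Form Field of Step 12 relate to the login page's markup (the field name is taken from the name attribute, or the id when there is no name) and how the credential variables from the table under Step 11 are expanded into the form post. The login form, the session values and every function name are constructed for the illustration.

```python
# Added example, not from the SonicWALL guide: discover the field names an
# administrator enters as "User Form Field" and "Password Form Field", then
# build the form post the appliance would send after expanding the credential
# variables (%USERNAME%, %USERDOMAIN%, %USERGROUP%, %PASSWORD%).
# The login form, the session values and all function names are constructed.
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed login form using the two <input> examples from Step 12.
LOGIN_FORM_HTML = """
<form method="post" action="/exch/login.cgi">
  <input type=text name=userid>
  <input type=password name=PASSWORD id=PASSWORD maxlength=128>
  <input type=hidden name=realm value=corp>
  <input type=submit value="Log in">
</form>
"""


class _InputCollector(HTMLParser):
    """Collect the attributes of every <input> element in the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})


def find_login_fields(html):
    """Return (user_field, password_field) taken from the first text and
    password inputs: the name attribute when present, otherwise the id.
    Raises ValueError when the form has no such pair, i.e. when forms-based
    SSO cannot be configured from the markup alone."""
    parser = _InputCollector()
    parser.feed(html)
    user = password = None
    for inp in parser.inputs:
        kind = inp.get("type", "text").lower()
        ident = inp.get("name") or inp.get("id")
        if kind == "text" and user is None:
            user = ident
        elif kind == "password" and password is None:
            password = ident
    if not user or not password:
        raise ValueError("login form has no text/password input pair")
    return user, password


def expand_variables(template, session):
    """Substitute the credential variables from the session of the logged-in user."""
    for var, key in (("%USERNAME%", "username"), ("%USERDOMAIN%", "domain"),
                     ("%USERGROUP%", "group"), ("%PASSWORD%", "password")):
        template = template.replace(var, session[key])
    return template


def build_login_post(html, user_template, password_template, session):
    """URL-encoded body the appliance would POST to the backend login form."""
    user_field, password_field = find_login_fields(html)
    return urlencode({user_field: expand_variables(user_template, session),
                      password_field: expand_variables(password_template, session)})


if __name__ == "__main__":
    # Constructed session; on the appliance these come from the SSL-VPN login.
    session = {"username": "jdoe", "domain": "US", "group": "staff", "password": "s3cret"}
    print(find_login_fields(LOGIN_FORM_HTML))
    print(build_login_post(LOGIN_FORM_HTML, r"%USERDOMAIN%\%USERNAME%", "%PASSWORD%", session))
```

Running the module prints ("userid", "PASSWORD"), which are exactly the values to enter in the two form-field settings for this page, followed by the urlencoded body with the domain-qualified user name.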
Portals > Application Offloading
121
SonicWALL SSL VPN 5.0 Administrators Guide
If you need to associate a certificate to this host, you should additionally set a virtual interface
and import the relevant SSL certificate. You could avoid creating a virtual interface by importing
a wildcard certificate for all virtual hosts on the SSL-VPN.
See the Configuring Virtual Host Settings section on page 115 for more instructions on
configuring the fields on this tab.
Step 14 If authentication is disabled for this portal, you have the option to Enable HTTP access for this
Application Offloaded Portal. This feature is useful for setting up offloading in trial deployments.
Step 15 Click OK. You are returned to the Portals > Portals page where you will see the Web application
listed as an Offloaded Web Application under Description.
Step 16 If you have not disabled authentication, navigate to the Portals > Domains page and create a
domain for this portal. See the Portals > Domains section on page 124 for information about
creating a domain.
Step 17 Update your DNS server for this virtual host domain name and alias (if any).
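As an added example that is not part of the SonicWALL guide, the Python below performs the kind of rewrite that Step 8 (Enable URL Rewriting for self-referenced URLs) describes: absolute URLs in HTML, JavaScript or CSS that name the backend host are pointed at the portal's virtual host, while relative URLs and URLs to other hosts are left alone. The host names, the sample response body and the function name are constructed.

```python
# Added example, not from the SonicWALL guide: the kind of rewrite Step 8
# ("Enable URL Rewriting for self-referenced URLs") performs on HTML, JavaScript
# and CSS. Absolute URLs naming the backend host are pointed at the portal's
# virtual host; relative URLs and other hosts are left alone. Host names,
# the sample content and the function name are constructed.
import re


def rewrite_self_referenced_urls(content, backend_hosts, virtual_host, scheme="https"):
    """Return (rewritten content, number of URLs rewritten).

    backend_hosts: every name or address by which the application server is
    reached (the Application Server Host value and any aliases). The lookahead
    requires the host to end at a path, query, fragment, quote, whitespace or
    closing parenthesis, so "intranet.corp.local.attacker.example" is not
    treated as the backend.
    """
    alternatives = "|".join(re.escape(h) for h in backend_hosts)
    pattern = re.compile(
        r"https?://(?:" + alternatives + r")(?::\d+)?(?=[/?#'\"\s)]|$)",
        re.IGNORECASE,
    )
    return pattern.subn(scheme + "://" + virtual_host, content)


# Constructed backend response body mixing HTML, inline JavaScript and CSS.
SAMPLE_CONTENT = """<a href="http://intranet.corp.local/reports">Reports</a>
<script>var api = "http://10.1.2.3:8080/api/v1";</script>
<style>body { background: url(http://intranet.corp.local/bg.png) }</style>
<a href="http://www.example.com/">external</a>
<a href="http://intranet.corp.local.attacker.example/">lookalike</a>
<a href="/relative/link">relative</a>
"""

if __name__ == "__main__":
    body, count = rewrite_self_referenced_urls(
        SAMPLE_CONTENT, ["intranet.corp.local", "10.1.2.3"], "app.vpn.example")
    print(count)
    print(body)
```

The lookalike host and the external link are deliberately left unchanged; a rewrite that matched on a prefix alone would also capture hosts that merely start with the backend's name.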
Configuring Generic SSL Offloading
SSL Offloading portals extend the Application Offloading feature to support protocol-
independent SSL requests and forward them to the backend server. This feature is needed for
custom client/server applications that use SSL for security.
The Generic (SSL Offloading) scheme is intended for deployments that require SSL offloading
for custom SSL applications, i.e., non-HTTP(S). Layer 7 controls such as load balancing, Web
Application Firewall, URL rewriting, authentication controls and access policies are not
applicable when using this offloading method.
Note This feature is available on the SonicWALL SSL-VPN SRA 4200 only.
Step 1 Navigate to Portals > Portals and click the Offload Web Application button. The Add Portal
screen opens. The screen contains the Offloading tab, used specifically for application
offloading configuration.
Step 2 On the Offloading tab, select Generic (SSL Offloading) as the Scheme.
Step 3 Enter the IP address of the portal which will listen for incoming SSL requests in the Local IP
Address field.
Step 4 In the Local Port field, enter the port on which to listen for incoming SSL requests. This is often
set to 443.
Step 5 In the Application Server IP Address field, enter the IP Address of the backend server where
SSL offloaded requests are to be proxied.
Step 6 In the Application Server Port field, enter the port of the backend server where SSL offloaded
requests are to be proxied. This is often set to 80 for internal HTTP communication.
Step 7 Select the Enable SSL for Backend Connections checkbox to enable SSL encapsulation of
all traffic destined for the backend application server.
Step 8 Select the SSL Certificate to use for SSL connection to the portal. This list of certificates
mirrors the list of server certificates on the System > Certificates page.
Step 9 On the General tab, enter a descriptive Portal Name for this portal.
Note Other portal options such as Virtual Host and Logo are not available when using the Generic
(SSL Offloading) scheme.
Step 10 Click the Accept button to add this portal.
When completed, SSL Offloading portals are displayed in the list of portals on the Portals >
Portals page. Note that the Virtual Host Settings column shows the Local IP:port --> Application
Server IP:port as well as (SSL) if Enable SSL for Backend Connections is enabled.
Verification and Considerations for Generic SSL Offloading
To view the SSL Offloading portal in action, point it to a backend web server and use a current
Internet browser to view the SSL offloaded site, using the format <Local IP:port>.
The Generic (SSL Offloading) scheme is not meant for HTTP/HTTPS and should not be used for such
deployments. Since there is no layer 7 analysis, issues such as insecure HTTP 30X
redirects can occur, so this is not recommended.
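The Python below is an added example, not SonicWALL's implementation, of what a Generic (SSL Offloading) portal does: it terminates TLS on Local IP:port and relays raw bytes to Application Server IP:port, re-wrapping the backend leg in TLS when Enable SSL for Backend Connections is set. Because it copies bytes without parsing them, an HTTP 30X redirect from the backend to an http:// URL passes through unchanged, which is the caveat stated above. The addresses, the certificate file path and all names are constructed; the describe() function reproduces the Local IP:port --> Application Server IP:port (SSL) text the Portals > Portals page shows.

```python
# Added example, not SonicWALL's code: a minimal Generic (SSL Offloading) style
# proxy. It terminates TLS on Local IP:port, then relays raw bytes to the
# Application Server IP:port, optionally re-wrapping the backend leg in TLS
# ("Enable SSL for Backend Connections"). Like the appliance's scheme it does
# no layer 7 parsing, so an HTTP 30X redirect from the backend to http:// passes
# through untouched. Addresses, the certificate path and names are constructed.
import ipaddress
import socket
import ssl
import threading
from dataclasses import dataclass


@dataclass
class GenericOffloadPortal:
    local_ip: str
    local_port: int
    server_ip: str
    server_port: int
    ssl_to_backend: bool
    certfile: str  # PEM file holding the portal certificate and private key (assumed path)


def describe(p):
    """Same shape as the Virtual Host Settings column on Portals > Portals."""
    text = f"{p.local_ip}:{p.local_port} --> {p.server_ip}:{p.server_port}"
    return text + " (SSL)" if p.ssl_to_backend else text


def validate(p):
    """Configuration problems worth catching before the portal is saved."""
    problems = []
    for name, port in (("Local Port", p.local_port), ("Application Server Port", p.server_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{name} {port} is outside 1-65535")
    for name, ip in (("Local IP Address", p.local_ip), ("Application Server IP Address", p.server_ip)):
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"{name} {ip!r} is not an IPv4 address")
    if p.ssl_to_backend and p.server_port == 80:
        # Heuristic added here: port 80 is normally plain HTTP on the backend.
        problems.append("backend SSL is enabled but the backend port is the plain HTTP port 80")
    return problems


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(tls_client, p, backend_ctx):
    backend = socket.create_connection((p.server_ip, p.server_port))
    if p.ssl_to_backend:
        # Verified TLS to the backend; its certificate must cover the IP address.
        backend = backend_ctx.wrap_socket(backend, server_hostname=p.server_ip)
    upstream = threading.Thread(target=_pump, args=(backend, tls_client), daemon=True)
    upstream.start()
    _pump(tls_client, backend)
    upstream.join()
    tls_client.close()
    backend.close()


def serve(p):
    """Listen on Local IP:port and proxy each TLS client to the backend."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(p.certfile)
    backend_ctx = ssl.create_default_context()
    with socket.create_server((p.local_ip, p.local_port)) as listener:
        while True:
            conn, _ = listener.accept()
            try:
                tls = server_ctx.wrap_socket(conn, server_side=True)
            except ssl.SSLError:
                conn.close()
                continue
            threading.Thread(target=handle_client, args=(tls, p, backend_ctx), daemon=True).start()


if __name__ == "__main__":
    portal = GenericOffloadPortal("10.0.0.5", 443, "192.168.1.10", 80, False, "portal.pem")
    print(describe(portal), validate(portal))
    # serve(portal)  # run on a host that owns 10.0.0.5 and has portal.pem
```

The backend TLS context verifies the backend's certificate against the system trust store; a deployment that skips that verification would protect the client leg only.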
Portals > Domains
This section provides an overview of the Portals > Domains page and a description of the
configuration tasks available on this page.
Portals > Domains Overview section on page 124
Viewing the Domains Table section on page 125
Removing a Domain section on page 125
Adding or Editing a Domain section on page 125
Adding or Editing a Domain with Local User Authentication section on page 127
Adding or Editing a Domain with Active Directory Authentication section on page 128
Adding or Editing a Domain with LDAP Authentication section on page 130
Adding or Editing a Domain with NT Domain Authentication section on page 132
Adding or Editing a Domain with RADIUS Authentication section on page 133
Configuring Two-Factor Authentication section on page 136
Portals > Domains Overview
The Portals > Domains page allows the administrator to add and configure a domain, including
settings for:
Authentication type (local user database, Active Directory, LDAP, NT Domain, or RADIUS),
Domain name
Portal name
Group (AD, RADIUS) or multiple Organizational Unit (LDAP) support (optional)
Client digital certificate requirements (optional)
One-time passwords (optional)
Figure 21 Portals > Domains Page
Viewing the Domains Table
All of the configured domains are listed in the table in the Portals > Domains window. The
domains are listed in the order in which they were created. You can reverse the order by clicking
the up/down arrow next to the Domain Name column heading.
Removing a Domain
To delete a domain, perform the following steps:
Step 1 Navigate to Portals > Domains.
Step 2 In the table, click the delete icon in the same row as the domain that you wish to delete.
Step 3 Click OK in the confirmation dialog box.
Once the SonicWALL SSL-VPN appliance has been updated, the deleted domain will no longer
be displayed in the table.
Note The default LocalDomain domain cannot be deleted.
Adding or Editing a Domain
You can add a new domain or edit an existing one from the Portals > Domains page. To add
a domain, click the Add Domain button to display the Add Domain window.
To edit an existing domain, click the Configure icon to the right of the domain you wish to edit.
The interface provides the same fields for both adding and editing a domain, but the
Authentication Type and Domain Name fields cannot be changed when editing an existing
domain.
Note After adding a new portal domain, user group settings for that domain are configured on the
Users > Local Groups page. Refer to the Users > Local Groups section on page 263 for
instructions on configuring groups.
In order to create access policies, you must first create authentication domains. By default, the
LocalDomain authentication domain is already defined. The LocalDomain domain is the internal
user database. Additional domains may be created that require authentication to remote
authentication servers. SonicWALL SSL VPN supports RADIUS, LDAP, NT Domain, and Active
Directory authentication in addition to internal user database authentication.
Note To apply a portal to a domain, add a new domain and select the portal from the Portal Name
drop-down list in the Add Domain window. The selected portal will be applied to all users in
the new domain. Domain choices will be displayed in the login page of the Portal that was
selected. Domains are case-sensitive when logging in.
You may create multiple domains that authenticate users with user names and passwords
stored on the SonicWALL SSL-VPN appliance to display different portals (such as a
SonicWALL SSL VPN portal page) to different users.
Adding or Editing a Domain with Local User Authentication
To add or edit a domain for local database authentication, perform the following steps:
Step 1 Navigate to the Portals > Domains window and click the Add Domain button or the Configure
icon for the domain to edit. The Add Domain or Edit Domain window is displayed.
Step 2 If adding the domain, select Local User Database from the Authentication Type drop-down
list.
Step 3 If adding the domain, enter a descriptive name for the authentication domain in the Domain
Name field. This is the domain name users will select to log into the SonicWALL SSL VPN
portal.
Step 4 Select the name of the layout in the Portal Name field. Additional layouts may be defined in the
Portals > Portals page.
Step 5 Optionally, select the Allow password changes checkbox. This allows users to change their
own passwords after their account is set up.
Step 6 Optionally select the Enable client certificate enforcement checkbox to require the use of
client certificates for login. By checking this box, you require the client to present a client
certificate for strong mutual authentication. Two additional fields will appear:
Verify user name matches Common Name (CN) of client certificate - Select this
checkbox to require that the user's account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that will
match the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
Step 7 Optionally select the One-time passwords checkbox to enable the One-time password
feature. A drop-down list will appear, in which you can select if configured, required for all
users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured will
use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do
not have a One Time Password email address configured will not be allowed to login.
using domain name - Users in the domain will use the One Time Password feature. One
Time Password emails for all users in the domain will be sent to username@domain.com.
Step 8 If you select using domain name, an E-mail domain field appears below the drop-down list.
Type in the domain name where one-time password emails will be sent (for example, abc.com).
Step 9 Click Accept to update the configuration. Once the domain has been added, the domain will be
added to the table on the Portals > Domains page.
Adding or Editing a Domain with Active Directory Authentication
To configure Windows Active Directory authentication, perform the following steps:
Step 1 Click Add Domain or the Configure icon for the domain to edit. The Add Domain or Edit
Domain window is displayed.
Note Of all types of authentication, Active Directory authentication is most sensitive to clock skew,
or variances in time between the SonicWALL SSL-VPN appliance and the Active Directory
server against which it is authenticating. If you are unable to authenticate using Active
Directory, refer to Active Directory Troubleshooting section on page 130.
Step 2 If adding the domain, select Active Directory from the Authentication type drop-down list.
The Active Directory configuration fields will be displayed.
Step 3 If adding the domain, enter a descriptive name for the authentication domain in the Domain
Name field. This is the domain name users will select in order to log into the SonicWALL SSL-
VPN appliance portal. It can be the same value as the Server Address field or the Active
Directory Domain field, depending on your network configuration.
Step 4 Enter the Active Directory domain name in the Active Directory Domain field.
Step 5 Enter the IP address or host and domain name of the Active Directory server in the Server
Address field.
Step 6 Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the
Portals > Portals page.
Step 7 Optionally select the Allow Password Changes Checkbox. Enabling this feature allows a user
to change their password through the Virtual Office portal by selecting the Options button on
the top of the portal page. Users must submit their old password, along with a new password and
a re-verification of the newly selected password.
Step 8 Optionally select the Use SSL/TLS checkbox. This option allows for the needed SSL/TLS
encryption to be used for Active Directory password exchanges. This checkbox should be
enabled when setting up a domain using Active Directory authentication.
Step 9 Optionally select the Enable client certificate enforcement checkbox to require the use of
client certificates for login. By checking this box, you require the client to present a client
certificate for strong mutual authentication. Two additional fields will appear:
Verify user name matches Common Name (CN) of client certificate - Select this
checkbox to require that the user's account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that will
match the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
Step 10 Select the Delete external user accounts on logout checkbox to delete users who are not
logged into a domain account after they log out.
Step 11 Optionally, select the One-time passwords checkbox to enable the One Time Password
feature. A drop-down list will appear, in which you can select if configured, required for all
users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured will
use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do
not have a One Time Password email address configured will not be allowed to login.
using domain name - Users in the domain will use the One Time Password feature. One
Time Password emails for all users in the domain will be sent to username@domain.com.
Step 12 If you selected if configured or required for all users in the One-time passwords drop-down
list, the Active Directory AD e-mail attribute drop-down list will appear, in which you can select
mail, mobile, pager, userPrincipalName, or custom. These are defined as:
mail - If your AD server is configured to store email addresses using the mail attribute,
select mail.
mobile or pager - If your AD server is configured to store mobile or pager numbers using
either of these attributes, select mobile or pager, respectively. Raw numbers cannot be
used, however, SMS addresses can.
userPrincipalName - If your AD server is configured to store email addresses using the
userPrincipalName attribute, select userPrincipalName.
custom - If your AD server is configured to store email addresses using a custom attribute,
select custom. If the specified attribute cannot be found for a user, the email address
assigned in the individual user policy settings will be used. If you select custom, the
Custom attribute field will appear. Type the custom attribute that your AD server uses to
store email addresses. If the specified attribute cannot be found for a user, the email
address will be taken from their individual policy settings.
If you select using domain name, an E-mail domain field appears below the drop-down list.
Type in the domain name where one-time password emails will be sent (for example, abc.com).
Step 13 Click Accept to update the configuration. Once the domain has been added, the domain will be
added to the table on the Portals > Domains page.
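The decision that the One-time passwords settings in Steps 11 and 12 describe is written out below as an added Python example; it is not code from the SonicWALL guide. The three modes, the attribute choices, the rule that raw mobile or pager numbers cannot be used while SMS addresses can, and the fallback to the per-user policy address for a custom attribute follow the text; the user records, addresses and function names are constructed.

```python
# Added example, not from the SonicWALL guide: the decision the One-time
# passwords settings describe (Steps 11 and 12), written out as a function.
# Modes, attribute names and the fallback to the per-user policy address follow
# the text; the user records, addresses and function names are constructed.
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    username: str
    directory_attrs: dict = field(default_factory=dict)  # attributes read from AD
    policy_email: str = ""  # address set in the individual user policy settings


def resolve_otp_delivery(mode, user, attribute="mail", custom_attribute="", email_domain=""):
    """Decide where a user's one-time password email goes.

    Returns (address, allowed). address is None when the user logs in without
    an OTP; allowed is False when the login must be refused because the mode
    requires an OTP and no address exists.
    """
    if mode not in ("if configured", "required for all users", "using domain name"):
        raise ValueError(f"unknown one-time password mode {mode!r}")
    if mode == "using domain name":
        # Every user in the domain is mailed at username@<E-mail domain>.
        return f"{user.username}@{email_domain}", True

    attr = custom_attribute if attribute == "custom" else attribute
    value = user.directory_attrs.get(attr, "")
    if attribute == "custom" and not value:
        # The guide describes this fallback for the custom attribute.
        value = user.policy_email
    if attribute in ("mobile", "pager") and "@" not in value:
        # Raw numbers cannot be used; only SMS gateway addresses can.
        value = ""

    if value:
        return value, True
    if mode == "required for all users":
        return None, False
    return None, True  # "if configured": no address, so no OTP for this user


if __name__ == "__main__":
    # Constructed users; on the appliance the attributes come from the AD lookup.
    jdoe = UserRecord("jdoe", {"mail": "jdoe@corp.example", "mobile": "5551234"},
                      policy_email="fallback@corp.example")
    for mode, kwargs in (("if configured", {}),
                         ("required for all users", {"attribute": "mobile"}),
                         ("if configured", {"attribute": "custom", "custom_attribute": "otpMail"}),
                         ("using domain name", {"email_domain": "abc.com"})):
        print(mode, kwargs, "->", resolve_otp_delivery(mode, jdoe, **kwargs))
```

The second case is the one that locks users out: required for all users combined with a mobile attribute holding a bare number yields no usable address, so the login is refused.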
Active Directory Troubleshooting
If your users are unable to connect using Active Directory, verify the following configurations:
The time settings on the Active Directory server and the SonicWALL SSL-VPN appliance
must be synchronized. Kerberos authentication, used by Active Directory to authenticate
clients, permits a maximum 15-minute time difference between the Windows server and the
client (the SonicWALL SSL-VPN appliance). The easiest way to solve this issue is to
configure Network Time Protocol on the System > Time page of the SonicWALL SSL VPN
Web-based management interface and check that the Active Directory server has the
correct time settings.
Confirm that your Windows server is configured for Active Directory authentication. If you
are using a Windows NT 4.0 server, then your server only supports NT Domain authentication.
Typically, Windows 2000 and 2003 servers are also configured for NT Domain
authentication to support legacy Windows clients.
Adding or Editing a Domain with LDAP Authentication
To configure a domain with LDAP authentication, perform the following steps:
Step 1 Click Add Domain or the Configure icon for the domain to edit. The Add Domain or Edit
Domain window is displayed.
Step 2 If adding the domain, select LDAP from the Authentication Type menu. The LDAP domain
configuration fields are displayed.
Step 3 If adding the domain, enter a descriptive name for the authentication domain in the Domain
Name field. This is the domain name users will select in order to log into the SonicWALL SSL-
VPN appliance user portal. It can be the same value as the Server Address field.
Step 4 Enter the IP address or domain name of the server in the Server Address field.
Step 5 Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search
base string is CN=Users,DC=yourdomain,DC=com.
Tip It is possible for multiple OUs to be configured for a single domain by entering each OU on
a separate line in the LDAP baseDN field. In addition, any sub-OUs will be automatically
included when parents are added to this field.
Note Do not include quotes ("") in the LDAP BaseDN field.
Step 6 Enter the common name of a user that has been delegated control of the container that user
will be in along with the corresponding password in the Login Username and Login Password
fields.
Note When entering Login Username and Login Password, remember that the SSL-VPN
appliance binds to the LDAP tree with these credentials and users can log in with their
sAMAccountName.
Step 7 Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the
Portals > Portals page.
Step 8 Optionally select the Allow password changes (if allowed by LDAP server) checkbox. This
option, if allowed by your LDAP server, will enable users to change their LDAP password during
an SSL VPN session.
Step 9 Optionally select the Use SSL/TLS checkbox. This option allows for the SSL/TLS encryption to
be used for LDAP password exchanges. This option is disabled by default as not all LDAP
servers are configured for SSL/TLS.
Step 10 Optionally select the Enable client certificate enforcement checkbox to require the use of
client certificates for login. By checking this box, you require the client to present a client
certificate for strong mutual authentication. Two additional fields will appear:
Verify user name matches Common Name (CN) of client certificate - Select this
checkbox to require that the user's account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that will
match the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
Step 11 Optionally select the One-time passwords checkbox to enable the One Time Password
feature. A drop-down list will appear, in which you can select if configured, required for all
users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured will
use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do
not have a One Time Password email address configured will not be allowed to login.
using domain name - Users in the domain will use the One Time Password feature. One
Time Password emails for all users in the domain will be sent to username@domain.com.
If you selected if configured or required for all users in the One-time passwords drop-down
list, the LDAP e-mail attribute drop-down list will appear, in which you can select mail,
userPrincipalName, or custom. These are defined as:
mail - If your LDAP server is configured to store email addresses using the mail attribute,
select mail.
mobile or pager - If your AD server is configured to store mobile or pager numbers using
either of these attributes, select mobile or pager, respectively. Raw numbers cannot be
used, however, SMS addresses can.
userPrincipalName - If your LDAP server is configured to store email addresses using the
userPrincipalName attribute, select userPrincipalName.
custom - If your LDAP server is configured to store email addresses using a custom
attribute, select custom. If the specified attribute cannot be found for a user, the email
address assigned in the individual user policy settings will be used. If you select custom,
the Custom attribute field will appear. Type the custom attribute that your LDAP server
uses to store email addresses. If the specified attribute cannot be found for a user, the email
address will be taken from their individual policy settings.
If using domain name is selected in the One-time passwords drop-down list, the E-mail
domain field will appear instead of the LDAP e-mail attribute drop-down list. Type in the
domain name where one-time password emails will be sent (for example, abc.com).
Step 12 Click Accept to update the configuration. Once the domain has been added, the domain will be
added to the table on the Portals > Domains page.
Adding or Editing a Domain with NT Domain Authentication
To configure a domain with NT Domain authentication, perform the following steps:
Step 1 On the Portals > Domains page, click Add Domain or the Configure icon for the domain to edit.
The Add Domain or Edit Domain window is displayed.
Step 2 If adding the domain, select NT Domain from the Authentication Type menu. The NT Domain
configuration fields will be displayed.
Step 3 If adding the domain, enter a descriptive name for the authentication domain in the Domain
Name field. This is the domain name selected by users when they authenticate to the
SonicWALL SSL-VPN appliance portal. It may be the same value as the NT Domain Name.
Step 4 Enter the IP address or host and domain name of the server in the NT Server Address field.
Step 5 Enter the NT authentication domain in the NT Domain Name field. This is the domain name
configured on the Windows authentication server for network authentication.
Step 6 Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the
Portals > Portals page.
Step 7 Optionally select the Enable client certificate enforcement checkbox to require the use of
client certificates for login. By checking this box, you require the client to present a client
certificate for strong mutual authentication. Two additional fields will appear:
Verify user name matches Common Name (CN) of client certificate - Select this
checkbox to require that the user's account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that will
match the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
Step 8 Select the Delete external user accounts on logout checkbox to delete users who are not
logged into a domain account after they log out.
Step 9 Optionally select the One-time passwords checkbox to enable the One-time password
feature. A drop-down list will appear, in which you can select if configured, required for all
users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured will
use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do
not have a One Time Password email address configured will not be allowed to login.
using domain name - Users in the domain will use the One Time Password feature. One
Time Password emails for all users in the domain will be sent to username@domain.com.
Step 10 If you select using domain name, an E-mail domain field appears below the drop-down list.
Type in the domain name where one-time password emails will be sent (for example, abc.com).
Step 11 Click Accept to update the configuration. Once the domain has been added, the domain will be
added to the table on the Portals > Domains page.
Adding or Editing a Domain with RADIUS Authentication
To configure a domain with RADIUS authentication, perform the following steps:
Step 1 On the Portals > Domains page, click Add Domain or the Configure icon for the domain to edit.
The Add Domain or Edit Domain window is displayed.
Step 2 If adding the domain, select RADIUS from the Authentication Type menu. The RADIUS
configuration field is displayed.
Step 3 If adding the domain, enter a descriptive name for the authentication domain in the Domain
Name field. This is the domain name users will select in order to log into the SonicWALL SSL-
VPN appliance portal.
Step 4 Select the proper Authentication Protocol for your RADIUS server. Choose from PAP, CHAP,
MSCHAP, or MSCHAPV2.
Step 5 Under Primary Radius Server, enter the IP address or domain name of the RADIUS server in
the RADIUS Server Address field.
Step 6 Enter the RADIUS server port in the RADIUS server port field.
Step 7 If required by your RADIUS configuration, enter an authentication secret in the Secret
Password field.
Step 8 Enter a number (in seconds) for RADIUS timeout in the RADIUS Timeout (Seconds) field.
Step 9 Enter the maximum number of retries in the Max Retries field.
Step 10 Under Backup Radius Server, enter the IP address or domain name of the backup RADIUS
server in the RADIUS Server Address field.
Step 11 Enter the backup RADIUS server port in the RADIUS server port field.
Step 12 If required by the backup RADIUS server, enter an authentication secret for the backup
RADIUS server in the Secret Password field.
Step 13 Optionally, if using RADIUS for group-based access, select the Use Filter-ID for RADIUS
Groups checkbox.
Step 14 Click the name of the layout in the Portal Name drop-down list.
Step 15 Optionally select the Enable client certificate enforcement checkbox to require the use of
client certificates for login. By checking this box, you require the client to present a client
certificate for strong mutual authentication. Two additional fields will appear:
Verify user name matches Common Name (CN) of client certificate - Select this
checkbox to require that the user's account name match their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that will
match the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
Step 16 Select the Delete external user accounts on logout checkbox to delete users who are not
logged into a domain account after they log out.
Step 17 Optionally select the One-time passwords checkbox to enable the One-time password
feature. A drop-down list will appear, in which you can select if configured, required for all
users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured will
use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do
not have a One Time Password email address configured will not be allowed to login.
using domain name - Users in the domain will use the One Time Password feature. One
Time Password emails for all users in the domain will be sent to username@domain.com.
Step 18 If you select using domain name, an E-mail domain field appears below the drop-down list.
Type in the domain name where one-time password emails will be sent (for example, abc.com).
Step 19 Click Accept to update the configuration. Once the domain has been added, the domain will be
added to the table on the Portals > Domains page.
Step 20 Click the configure button next to the RADIUS domain you added. The Test tab of the Edit
Domain page displays.
Step 21 Enter your RADIUS user ID in the User ID field and your RADIUS password in the Password
field.
Step 22 Click Test. SonicWALL SSL VPN will connect to your RADIUS server.
Step 23 If you receive the message Server not responding, check your user ID and password and click
the General tab to verify your RADIUS settings. Try running the test again.
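Two settings on this page turn on the same small piece of logic, matching one distinguished name against another, so one added Python example serves both; it is not code from the SonicWALL guide. The first is the LDAP baseDN field from the LDAP domain procedure (one DN per line, sub-OUs included automatically, no quotes allowed). The second is the Enable client certificate enforcement pair of checks that appears in the Local, Active Directory, LDAP, NT Domain and RADIUS procedures: Verify user name matches Common Name (CN) and Verify partial DN in subject with the %USERNAME%, %USERDOMAIN%, %ADUSERNAME% and %WILDCARD% variables. The DNs, names and function names are constructed.

```python
# Added example, not from the SonicWALL guide. One small DN parser serves two
# settings described on this page: the LDAP baseDN field (one DN per line,
# sub-OUs included automatically, no quotes) and the client certificate
# checks "Verify user name matches Common Name (CN)" and "Verify partial DN in
# subject" with %USERNAME%, %USERDOMAIN%, %ADUSERNAME% and %WILDCARD%.
# The DNs, names and function names are constructed.
import re


def parse_dn(dn):
    """Split a DN such as CN=jdoe,OU=Sales,DC=yourdomain,DC=com into
    [(attr, value), ...], most specific first. Escaped commas (\\,) are kept
    inside values; quotes are rejected, as the guide says for the baseDN field."""
    if '"' in dn:
        raise ValueError("quotes are not allowed in a DN")
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def is_under(dn, base_dn):
    """True when dn equals base_dn or lies in a sub-OU beneath it (suffix match)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def in_search_scope(dn, base_dn_field):
    """The baseDN field holds one DN per line; a user is searchable when any line covers them."""
    bases = [line.strip() for line in base_dn_field.splitlines() if line.strip()]
    return any(is_under(dn, base) for base in bases)


def expand_partial_dn(template, username, domain, ad_username=""):
    """Fill the variables the partial DN field accepts (%WILDCARD% is kept as is)."""
    return (template.replace("%USERNAME%", username)
                    .replace("%USERDOMAIN%", domain)
                    .replace("%ADUSERNAME%", ad_username or username))


def partial_dn_matches(template, subject_dn, username, domain, ad_username=""):
    """Every RDN of the expanded partial DN must be present in the certificate
    subject; %WILDCARD% accepts any value for that attribute."""
    subject = parse_dn(subject_dn)
    for attr, value in parse_dn(expand_partial_dn(template, username, domain, ad_username)):
        if value == "%WILDCARD%":
            found = any(a == attr for a, _ in subject)
        else:
            found = any(a == attr and v.lower() == value.lower() for a, v in subject)
        if not found:
            return False
    return True


def cn_matches_username(subject_dn, username):
    """The "Verify user name matches Common Name (CN)" check."""
    return any(a == "cn" and v.lower() == username.lower() for a, v in parse_dn(subject_dn))


if __name__ == "__main__":
    base_field = "OU=Staff,DC=yourdomain,DC=com\nCN=Users,DC=yourdomain,DC=com"
    print(in_search_scope("CN=jdoe,OU=Sales,OU=Staff,DC=yourdomain,DC=com", base_field))
    print(partial_dn_matches("OU=%WILDCARD%,O=%USERDOMAIN%",
                             "CN=jdoe,OU=Sales,O=corp,C=US", "jdoe", "corp"))
    print(cn_matches_username("CN=jdoe,OU=Sales,O=corp", "JDoe"))
```

The suffix match in is_under is what makes a parent OU listed in the baseDN field cover its sub-OUs; the partial DN check deliberately ignores RDN order and extra RDNs in the subject, since the configured value is a partial DN rather than the whole subject.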
Note The SonicWALL SSL-VPN appliance will attempt to authenticate against the specified
RADIUS server using PAP authentication. It is generally required that the RADIUS server
be configured to accept RADIUS client connections from the SonicWALL SSL-VPN
appliance. Typically, these connections will appear to come from the SonicWALL SSL-VPN's
X0 interface IP address. Refer to your RADIUS server documentation for configuration
instructions.
Configuring Two-Factor Authentication
Two-factor authentication is an authentication method that requires two independent pieces of
information to establish identity and privileges. Two-factor authentication is stronger and more
rigorous than traditional password authentication that only requires one factor (the user's
password).
For more information on how two-factor authentication works see Two-Factor Authentication
Overview section on page 26.
SonicWALL's implementation of two-factor authentication partners with two of the leaders in
advanced user authentication: RSA and VASCO. If you are using RSA, you must have the RSA
Authentication Manager and RSA SecurID tokens. If you are using VASCO, you must have the
VASCO VACMAN Middleware and Digipass tokens.
To configure two-factor authentication, you must first configure a RADIUS domain. For
information see Adding or Editing a Domain with NT Domain Authentication section on
page 132.
The following sections describe how to configure the supported third-party authentication
servers:
Configuring the RSA Authentication Manager section on page 136
Configuring the VASCO VACMAN Middleware section on page 141
Configuring the RSA Authentication Manager
The following sections describe how to configure the RSA Authentication Manager version 6.1
to perform two-factor authentication with your SonicWALL SSL-VPN appliance:
Adding an Agent Host Record for the SonicWALL SSL-VPN Appliance section on
page 137
Adding the SonicWALL SSL-VPN as a RADIUS Client section on page 137
Setting the Time and Date section on page 138
Importing Tokens and Adding Users section on page 138
Note This configuration procedure is specific to RSA Authentication Manager version 6.1. If you
are using a different version of RSA Authentication Manager, the procedure will be slightly
different.
If you will be using VASCO instead of RSA, see Configuring the VASCO VACMAN Middleware
on page 141.
Adding an Agent Host Record for the SonicWALL SSL-VPN Appliance
To establish a connection between the SSL-VPN appliance and the RSA Authentication
Manager, an Agent Host record must be added to the RSA Authentication Manager database.
The Agent host record identifies the SSL-VPN appliance within its database and contains
information about communication and encryption.
To create the Agent Host record for the SSL-VPN appliance, perform the following steps:
Step 1 Launch the RSA Authentication Manager.
Step 2 On the Agent Host menu, select Add Agent Host. The Add Agent Host window displays.
Step 3 Enter a hostname for the SSL-VPN appliance in the Name field.
Step 4 Enter the IP address of the SSL-VPN appliance in the Network address field.
Step 5 Select Communication Server in the Agent type window.
Step 6 By default, the Enable Offline Authentication and Enable Windows Password Integration
options are enabled. SonicWALL recommends disabling all of these options except for Open
to All Locally Known Users.
Step 7 Click OK.
Adding the SonicWALL SSL-VPN as a RADIUS Client
After you have created the Agent Host record, you must add the SonicWALL SSL-VPN to the
RSA Authentication Manager as a RADIUS client. To do so, perform the following steps:
Step 1 In RSA Authentication Manager, go to the RADIUS menu and select Manage RADIUS Server.
The RSA RADIUS Manager displays.
Step 2 Expand the RSA RADIUS Server Administration tree and select RADIUS Clients.
Step 3 Click Add. The Add RADIUS Client window displays.
Step 4 Enter a descriptive name for the SSL-VPN appliance.
Step 5 Enter the IP address of the SSL-VPN in the IP Address field.
Step 6 Enter the shared secret that is configured on the SSL-VPN in the Shared secret field.
Step 7 Click OK and close the RSA RADIUS Manager.
Setting the Time and Date
Because two-factor authentication depends on time synchronization, it is important that the
internal clocks for the RSA Authentication Manager and the SSL-VPN appliance are set
correctly.
Importing Tokens and Adding Users
After you have configured the RSA Authentication Manager to communicate with the
SonicWALL SSL-VPN appliance, you must import tokens and add users to the RSA
Authentication Manager.
To import tokens and add users, perform the following steps:
Step 1 To import the token file, select Token > Import Tokens.
Step 2 When you purchase RSA SecurID tokens, they come with an XML file that contains information
on the tokens. Navigate to the token XML file and click Open. The token file is imported.
Step 3 The Import Status window displays information on the number of tokens imported to the RSA
Authentication Manager.
Step 4 To create a user on the RSA Authentication Manager, click on User > Add user.
Step 5 Enter the user's First and Last Name.
Step 6 Enter the user's username in the Default Login field.
Step 7 Select either Allowed to Create a PIN or Required to Create a PIN. Allowed to Create a PIN
gives users the option of either creating their own PIN or having the system generate a random
PIN. Required to Create a PIN requires the user to create a PIN.
Step 8 To assign a token to the user, click on the Assign Token button. Click Yes on the confirmation
window that displays. The Select Token window displays.
Step 9 You can either manually select the token or automatically assign the token:
To manually select the token for the user, click Select Token from List. In the window
that displays, select the serial number for the token and click OK.
To automatically assign the token, you can optionally select the method by which to sort
the token: the tokens import date, serial number, or expiration date. Then click the
Unassigned Token button and the RSA Authentication Manager assigns a token to the
user. Click OK.
Step 10 Click OK in the Edit User window. The user is added to the RSA Authentication Manager.
Step 11 Give the user their RSA SecurID Authenticator and instructions on how to log in, create a PIN,
and use the RSA SecurID Authenticator. See the SonicWALL SSL VPN User Guide for more
information.
Configuring the VASCO VACMAN Middleware
The following sections describe how to configure two-factor authentication using VASCO's
VACMAN Middleware Administration version 2.3:
Adding the RADIUS Server to VACMAN Middleware on page 142
Adding the SSL-VPN Appliance to VASCO on page 142
Setting the Time and Date on page 143
Importing Digipass Token Secret on page 143
Creating Users on page 144
Assigning Digipass Tokens to Users on page 145
Note This configuration procedure is specific to VACMAN Middleware Administration version 2.3.
If you are using a different version of VACMAN Middleware Administration, the procedure
will be slightly different.
If you will be using RSA instead of VASCO, see Configuring the RSA Authentication Manager
on page 136.
Adding the RADIUS Server to VACMAN Middleware
To create a connection between the SonicWALL SSL-VPN appliance and the VASCO server, you
must create a component record for the external RADIUS server. VASCO servers do not have
an internal RADIUS component, so they must use an external RADIUS server. To create a
component record for the RADIUS server, perform the following steps:
Step 1 Launch the VACMAN Middleware Administration program.
Step 2 Expand the VACMAN Middleware Administration tree and the VACMAN Server tree.
Step 3 Right click on RADIUS Servers and click on New RADIUS Server.
Step 4 Enter the IP address of the RADIUS server in the Location field. Note that this is the IP address
of the RADIUS server and not the SonicWALL SSL-VPN appliance.
Step 5 Select the appropriate policy in the Policy pull down menu.
Step 6 Enter the RADIUS shared secret in the Shared Secret and Confirm Shared Secret fields.
Adding the SSL-VPN Appliance to VASCO
To add the SonicWALL SSL-VPN appliance to VACMAN Middleware Administrator as a
RADIUS client, perform the following steps.
Step 1 Expand the VACMAN Server tree.
Step 2 Right-click on RADIUS Clients and click New RADIUS Client.
Step 3 Enter the IP Address of the SSL-VPN appliance.
Step 4 Enter the Shared secret.
Step 5 Click Save.
Setting the Time and Date
The Digipass token is based on time synchronization. All tokens are created with their internal
real-time clocks set to GMT. As such, it is important to set the date and time zone of the server
running the VACMAN Middleware correctly so that local time can be derived from GMT correctly.
Importing Digipass Token Secret
Before Digipass tokens can be assigned to a user, their application records must be imported
to the VACMAN middleware. To do this, perform the following steps.
Step 1 Right-click on the Digipass node under the VACMAN server tree.
Step 2 Click Import Digipass.
Step 3 Click Browse, navigate to the location of the Digipass import file, and click Open.
Step 4 Enter the Digipass import key in the Key field. The key is a 32-character hexadecimal number.
Step 5 Click Import All Applications to import all records in the file. Or to select the records to import,
click Show Applications, select the records to import, and click Import Selected
Applications.
Step 6 The progress of the import procedure will be shown in the bottom Import Status section.
Creating Users
To add users to the VACMAN Middleware Administration, perform the following steps.
Step 1 Expand the VACMAN Server tree and right-click on Users.
Step 2 Click New User.
Step 3 Enter the username in the User ID field.
Step 4 Enter the user's password in the New Password and Confirm Password fields.
Step 5 Select the appropriate Admin Privilege and Authenticator.
Step 6 Click Create.
Assigning Digipass Tokens to Users
After you have imported the Digipass tokens and created the users, you need to assign the
Digipass tokens to the users. To do so, perform the following steps.
Step 1 Expand the VACMAN Server tree and click on Digipass.
Step 2 Right-click on the serial number of the Digipass token you want to assign and click Assign.
Step 3 Enter the username in the User ID field and click the Find button.
When the username is displayed in the Search Results window, select the username and click
OK to assign the Digipass token.
Portals > Custom Logo
Beginning with the SSL VPN 2.5 release, portal logos are no longer configured globally from
the Portals > Custom Logo page. Custom logos are uploaded on a per-portal basis from the
Logo tab in the Portal Logo Settings dialogue. For information related to Custom Portal Logos
on models 2000 and higher, refer to the Adding a Custom Portal Logo section on page 116.
Portals > Load Balancing
This section provides an overview of the Portals > Load Balancing page and a description of
the configuration tasks available on this page.
Portals > Load Balancing Overview section on page 147
Configuring a Load Balancing Group section on page 148
Portals > Load Balancing Overview
The Portals > Load Balancing page allows the administrator to configure back end Web
servers for a load balanced deployment. This default landing page for the load balancing
feature allows the administrator to configure load balancing groups, and lists general properties
of any existing load balancing groups.
Note This feature also requires a Load Balanced Portal with virtual host to be configured in the
Portals > Portals page.
Figure 22 Portals > Load Balancing Page
Configuration Scenarios
Load Balancing for SSL VPN SRA is a robust feature that has multiple uses, including:
Balancing a Farm of Web Servers: This is useful when an SRA appliance with higher
horsepower is offering protection and balancing the load of a relatively low-powered farm of
Web servers. In this case, Web Application Firewall, URL rewriting and other CPU-intensive
operations are enabled on the Load Balancer.
Balancing a Low-Powered Cluster: A relatively low-powered SRA cluster can be balanced
for improved scalability. In this case, Web Application Firewall, URL rewriting, and other
scalable features are enabled on the low-powered SRA appliances.
Load Balanced Pair: In this scenario, the Load Balancer may have one portal configured for
the front-end, and another Application Offloading portal configured to act as a Virtual Backend
Server. This Virtual Backend Server and the second SRA device are configured as the Load
Balancing Members and also take up the load of the Security Services. The Load Balancer in
the previous two scenarios is essentially a dummy proxy without the load of any Security
Services to burden it.
Load Balancing Settings
The following table lists Portals > Load Balancing configuration options. Additional per-group
configuration options are described in the Configuring a Load Balancing Group section on
page 148.
Option                  Description
Enable Load Balancing   Enables the load balancing feature across all currently active groups.
Enable Failover         Enables/disables all probing, monitoring, and failover features.
Probe Interval          Determines the frequency (in seconds) at which the load balancing
                        feature will check the status of backend nodes.
Configuring a Load Balancing Group
This section provides configuration details for creating a new load balancing group and consists
of the following sections:
Adding a New Load Balancing Group on page 149
Configuring Probe Settings on page 150
Adding New Members to a Load Balancing Group on page 150
Adding a New Load Balancing Group
Step 1 In the Portals > Load Balancing page, click the Add Group button. The New Load Balancing
Group configuration information displays.
Step 2 Enter a friendly LB Group Name for this load balancing group.
Step 3 Select a load balancing method from the LB Method drop-down list. Options include:
Weighted Requests: Keeps track of the number of incoming requests (including
successfully completed requests) to decide which member should handle the next incoming
request. The LB Ratio decides the percentage distribution.
Weighted Traffic: Keeps track of the number of bytes of inbound/outbound data to decide
which member should handle the next incoming request.
Least Requests: Keeps track of the number of incoming requests (excluding successfully
completed requests) that are currently being serviced to decide which member should
handle the next incoming request.
Step 4 Select Enable Load Balancing to enable this group for load balancing.
Step 5 The Enable Session Persistence option is automatically selected when the group is enabled.
This option allows the administrator to enable continuous user sessions by forwarding the
requests part of the same session to the same backend member.
Step 6 Select Enable Failover to enable probing, monitoring, and failover features.
Note It is important to ensure that the same member receives all cookies to keep the user
authenticated. However, for improved performance in certain situations, all backend
members may be able to accept the session cookies of all users. In this case, the
administrator may decide to turn off Session persistence. The Load Balancer will then
strictly adhere to the LB method and LB factors in distributing the load.
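The three LB Method choices and the Session Persistence option above, worked through as an added Python example (not SonicWALL's code); the member names, LB Ratio values and session cookie values are constructed, and the exact accounting inside the appliance is not documented on this page, so the selection rules are an interpretation of the descriptions given.

```python
"""Added example (not SonicWALL code): how the three LB Method choices and
Session Persistence described above could pick a backend member for a request.
Member names, LB Ratio values and session cookie values are assumptions."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    lb_ratio: int = 1          # relative weight used by the Weighted methods
    requests_total: int = 0    # every request routed here (Weighted Requests)
    bytes_total: int = 0       # inbound + outbound bytes (Weighted Traffic)
    in_flight: int = 0         # requests not yet completed (Least Requests)
    active: bool = True        # False once failover has deactivated the member


class LoadBalancingGroup:
    METHODS = ("Weighted Requests", "Weighted Traffic", "Least Requests")

    def __init__(self, method, members, session_persistence=True):
        if method not in self.METHODS:
            raise ValueError("unknown LB Method: %r" % method)
        self.method = method
        self.members = members
        self.session_persistence = session_persistence
        self.sessions = {}  # session cookie value -> member name

    def _pick_by_method(self):
        active = [m for m in self.members if m.active]
        if not active:
            return None  # every backend failed: caller shows the error page
        if self.method == "Weighted Requests":
            # member that has served the fewest requests relative to its LB Ratio
            return min(active, key=lambda m: m.requests_total / m.lb_ratio)
        if self.method == "Weighted Traffic":
            return min(active, key=lambda m: m.bytes_total / m.lb_ratio)
        # Least Requests: only requests still being serviced count
        return min(active, key=lambda m: m.in_flight)

    def route(self, session_id=None):
        """Choose the member for one incoming request and record the request."""
        member = None
        if self.session_persistence and session_id in self.sessions:
            # persistence: same session goes to the same member while it is active
            member = next((m for m in self.members
                           if m.name == self.sessions[session_id] and m.active), None)
        if member is None:
            member = self._pick_by_method()
            if member is None:
                return None
            if self.session_persistence and session_id is not None:
                self.sessions[session_id] = member.name
        member.requests_total += 1
        member.in_flight += 1
        return member.name

    def complete(self, name, nbytes):
        """Mark a request on member `name` finished and account its traffic."""
        m = next(m for m in self.members if m.name == name)
        m.in_flight -= 1
        m.bytes_total += nbytes


def demo_weighted_requests(n=12):
    """Route n sessionless requests with a 3:1 LB Ratio; returns (web1, web2) counts."""
    group = LoadBalancingGroup(
        "Weighted Requests",
        [Member("web1", lb_ratio=3), Member("web2", lb_ratio=1)],
        session_persistence=False)
    picks = [group.route() for _ in range(n)]
    return picks.count("web1"), picks.count("web2")


if __name__ == "__main__":
    print(demo_weighted_requests())  # (9, 3): a 75/25 split
```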
Configuring Probe Settings
To configure probe settings for this load balancing group in the Probe Settings section of the
Portals > Load Balancing screen:
Step 1 Select a Probe Method from the drop-down list. Options include:
HTTP/HTTPS GET: The Load Balancer periodically (at the configured Probe Interval) sends
an HTTP(S) GET request and checks that the response status code is below 500, so that
Web server errors are detected. This is the most reliable method to determine if a Web
server is alive. This method ignores SSL Certificate warnings while probing.
TCP Connect: The Load Balancer completes a 3-way TCP handshake periodically to
monitor the health of a backend node.
ICMP Ping: The Load Balancer sends a simple ICMP Ping request to monitor whether a
backend node is alive.
Step 2 In the Deactivate Member after field, enter the number of missed intervals required to fail the
node. The default value is 2.
Step 3 In the Reactivate Member after field, enter the number of successful intervals required to
reinstate the node as functional. The default value is 2.
Step 4 In the Display error page when there is no resource available to fail over text box, enter a
custom message or Web page to display in the event that all of the configured backend nodes
have failed. HTML formatting is allowed in this field.
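The probe and failover rules from Steps 1 to 4 above, as an added Python example (not SonicWALL's code): a status code of 500 or higher counts as a missed HTTP(S) GET probe, a member is deactivated after the configured number of missed intervals and reinstated after the configured number of successful ones, and the custom error page is served once no member remains. The member names, probe results and error page text are constructed.

```python
"""Added example (not SonicWALL code): Deactivate Member after / Reactivate
Member after bookkeeping for one load balancing group, driven by HTTP(S) GET
probe results. Member names, status codes and the error page are constructed."""
from dataclasses import dataclass

DEACTIVATE_AFTER = 2   # page default for "Deactivate Member after"
REACTIVATE_AFTER = 2   # page default for "Reactivate Member after"
NO_RESOURCE_PAGE = "<h1>Service temporarily unavailable</h1>"  # assumed custom message


def http_probe_ok(status_code):
    """HTTP/HTTPS GET probe: any response with status below 500 means the server is alive;
    None models no response at all (timeout)."""
    return status_code is not None and status_code < 500


@dataclass
class ProbedMember:
    name: str
    active: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0

    def record(self, probe_ok, deactivate_after=DEACTIVATE_AFTER,
               reactivate_after=REACTIVATE_AFTER):
        """Apply one probe interval's result; returns the member's new active state."""
        if probe_ok:
            self.consecutive_failures = 0
            self.consecutive_successes += 1
            if not self.active and self.consecutive_successes >= reactivate_after:
                self.active = True
        else:
            self.consecutive_successes = 0
            self.consecutive_failures += 1
            if self.active and self.consecutive_failures >= deactivate_after:
                self.active = False
        return self.active


def run_probe_cycle(members, status_by_member):
    """One probe interval across the group.
    status_by_member maps member name -> HTTP status code (None = no response).
    Returns the active member names, or the error page when none remain."""
    for m in members:
        m.record(http_probe_ok(status_by_member.get(m.name)))
    active = [m.name for m in members if m.active]
    return active if active else NO_RESOURCE_PAGE


def simulate():
    """Constructed sequence: web2 returns 503 twice, recovers, then both go down."""
    members = [ProbedMember("web1"), ProbedMember("web2")]
    history = []
    for statuses in [
        {"web1": 200, "web2": 503},    # web2 first miss: still active
        {"web1": 200, "web2": 503},    # second miss: web2 deactivated
        {"web1": 200, "web2": 200},    # one good interval: not yet reinstated
        {"web1": 200, "web2": 200},    # second good interval: web2 back
        {"web1": None, "web2": None},  # both time out once
        {"web1": None, "web2": 500},   # both reach the miss limit: error page
    ]:
        history.append(run_probe_cycle(members, statuses))
    return history


if __name__ == "__main__":
    for step, state in enumerate(simulate(), 1):
        print(step, state)
```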
Adding New Members to a Load Balancing Group
To add members to a new or existing load balancing group:
Step 1 When editing or adding a group from the Portals > Load Balancing page, click the Add
Member button. The Load Balancing Member screen displays.
Step 2 Enter a Member Name to uniquely identify this member within the Load Balancing Group.
Step 3 Enter a friendly name or description in the Comment field to identify this group by mouseover
on the groups page.
Step 4 Select a Scheme to determine HTTP or HTTPS access. The default value is HTTPS.
Step 5 Enter the back end HTTP(S) server IP address in the IPv4/IPv6 Address field.
Step 6 Enter the Port for the back end server. The default value for an HTTPS connection is 443.
Step 7 Click the Apply button to add this member to the group.
Chapter 5: Services Configuration
This chapter provides information and configuration tasks specific to the Services pages on the
SonicWALL SSL VPN Web-based management interface, including configuring settings,
bookmarks, and policies for various application layer services, such as HTTP/HTTPS, Citrix,
RDP, and VNC.
This chapter contains the following sections:
Services > Settings section on page 154
Services > Bookmarks section on page 157
Services > Policies section on page 164
Services > Settings
This section provides an overview of the Services > Settings page and a description of the
configuration tasks available on this page.
HTTP/HTTPS Service Settings section on page 154
Citrix Service Settings section on page 155
Global Portal Settings section on page 155
One Time Password Settings section on page 155
The Services > Settings page allows the administrator to configure various settings related to
HTTP/HTTPS, Citrix, Global Portal character sets, and one-time passwords.
HTTP/HTTPS Service Settings
Administrators can take the following steps to configure HTTP/HTTPS Service Settings:
Step 1 The Enable Content Caching checkbox is selected by default. Administrators may disable the
checkbox if they choose to do so. However, changing the Enable Content Cache setting will
restart SSL VPN Services, including the web server.
In the Cache Size field, define the size of the desired content cache. 5 MB is the default setting,
but administrators may set any size in the valid range from 2 to 20 MB. Select the Flush
button to flush the content cache.
Step 2 Select the Enable Custom HTTP/HTTPS Response Buffer Size checkbox if you wish to
establish a response buffer, then set the desired buffer size using the Buffer size drop-down
menu. This limit is enforced for HTTP and HTTPS responses from the backend Web server for
plain text, Flash, and Java applets. The default size of the buffer is 1024 KB.
Step 3 Enable the Insert Proxy Request Headers checkbox to insert these types of headers into the
HTTP/HTTPS requests to the backend Web server. The following headers will be inserted:
X-Forwarded-For: Specifies the client IP address of the original HTTP/HTTPS request.
X-Forwarded-Host: Specifies the Host in the HTTP/HTTPS request from the client.
X-Forwarded-Server: Specifies the host name of the SSL VPN proxy server.
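How a backend Web server behind the appliance should consume the three headers listed above, as an added Python example (not SonicWALL's code): the forwarded values are only taken into account when the request actually arrived from the appliance, because any other client can send the same header names. The appliance address 10.0.0.5 and the sample headers are constructed.

```python
"""Added example (not SonicWALL code): reading X-Forwarded-For, X-Forwarded-Host
and X-Forwarded-Server on the backend only when the TCP peer is the SSL VPN
appliance. The proxy address and sample headers are constructed."""
import ipaddress

# Assumed address of the SSL VPN appliance as seen by the backend Web server.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def effective_client(peer_ip, headers):
    """Return (client_ip, original_host, proxy_name) for one request.

    peer_ip: address of the TCP peer that delivered the request to the backend.
    headers: request header names -> values (names matched case-insensitively).
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Not from the appliance: the forwarded headers are unverified, ignore them.
        return str(peer), hdr.get("host"), None
    # X-Forwarded-For may carry a comma-separated chain when several proxies are
    # involved; by the header's convention each proxy appends the address it saw,
    # so the right-most entry is the one the trusted appliance vouches for.
    xff = hdr.get("x-forwarded-for", "")
    client = xff.split(",")[-1].strip() if xff else str(peer)
    try:
        client = str(ipaddress.ip_address(client))
    except ValueError:
        client = str(peer)  # malformed value: fall back to the peer address
    return (client,
            hdr.get("x-forwarded-host", hdr.get("host")),
            hdr.get("x-forwarded-server"))


if __name__ == "__main__":
    sample = {"X-Forwarded-For": "203.0.113.7",
              "X-Forwarded-Host": "intranet.example",
              "X-Forwarded-Server": "sslvpn.example",
              "Host": "backend.local"}
    print(effective_client("10.0.0.5", sample))     # via the appliance: headers used
    print(effective_client("198.51.100.9", sample))  # direct: headers ignored
```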
Citrix Service Settings
Administrators can take the following steps to configure Citrix Service Settings:
Step 1 Select the Enable custom URL for Citrix Java client downloads checkbox if you want to use
your own HTTP URL to download the Citrix Java client. Fill in the custom URL in the URL field.
If this option is not enabled, the default URL will be used.
Step 2 Select the Enable custom URL for Citrix ActiveX client downloads checkbox if you want to
use your own HTTP URL to download the Citrix ActiveX client. Fill in the custom URL in the
URL field. If this option is not enabled, the default URL will be used.
Global Portal Settings
Step 1 Use the Default Character Set drop-down menu to set the language compatibility character
set to be used with standard and non-standard FTP servers. The character set only applies to
FTP sessions and bookmarks. Standard encoding (UTF-8), the default setting, should work for
most FTP servers.
One Time Password Settings
The One Time Password Settings section allows administrators to configure settings relating
to the creation and communication of one-time passwords. One-time passwords are
dynamically generated strings of characters, numbers or a combination of both. For
compatibility with mail services that allow a limited number of characters in the email subject
(such as SMS), the administrator can customize the email subject to either include or exclude
the one-time password. The email message body can also be configured in the same way. The
administrator can also select the format (such as characters and numbers) for the password.
To configure the One Time Password email subject format, email body format, and change the
default character types used when generating one time passwords, perform the following tasks:
Step 1 In the Email Subject field, type the desired text for the one-time password email subject. The
default subject consists of OTP plus the actual one-time password (represented here with the
parameter placeholder %OneTimePassword%).
Step 2 In the Email Body field, type the desired text for the one-time password email message body.
The default message is simply the one-time password itself (represented here as
%OneTimePassword%).
Variables can be used in the subject or body of a one-time password email:
%OneTimePassword% - The user's one-time password. This should appear at least once
in either the email subject or body.
%AD:mobile% - The user's mobile phone as configured in Active Directory (AD).
%AD:________% - Any other Active Directory (AD) user attribute. See the Microsoft
documentation link below the Email Body field for additional attributes.
Step 3 In the One Time Password Format drop-down list, select one of the following three options:
Characters: Only alphabetic characters will be used when generating the one-time
password.
Characters and Numbers: Alphabetic characters and numbers will be used when
generating the one-time password.
Numbers: Only numbers will be used when generating the one-time password.
Step 4 Use the One Time Password Length fields to adjust the range of characters allowed for
one-time passwords.
Step 5 Click the Accept button in the upper right corner of the Services > Settings page to save your
changes.
For more information about the One Time Passwords feature, refer to the One Time Password
Overview section on page 28.
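The One Time Password Format and Length settings and the %OneTimePassword% / %AD:attribute% variables above, worked through as an added Python example (not SonicWALL's code): the password is drawn from the alphabet the format selects, with a CSPRNG, and the subject and body templates are filled in. The AD attribute values, length range and templates are constructed.

```python
"""Added example (not SonicWALL code): generating a one-time password that
honours the One Time Password Format and Length settings, and expanding the
%OneTimePassword% and %AD:<attribute>% variables in the email subject and body.
The AD attribute values, length range and templates are constructed."""
import re
import secrets
import string

# The three One Time Password Format options and the alphabet each selects.
FORMAT_ALPHABETS = {
    "Characters": string.ascii_letters,
    "Characters and Numbers": string.ascii_letters + string.digits,
    "Numbers": string.digits,
}


def generate_otp(otp_format, min_length, max_length):
    """Draw an OTP with a CSPRNG; the length is chosen within the configured range."""
    alphabet = FORMAT_ALPHABETS[otp_format]
    if not 1 <= min_length <= max_length:
        raise ValueError("invalid One Time Password Length range")
    length = min_length + secrets.randbelow(max_length - min_length + 1)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_template(template, otp, ad_attributes):
    """Substitute %OneTimePassword% and %AD:attr% in a subject or body string.
    Unknown AD attributes expand to an empty string."""
    def ad_lookup(match):
        return str(ad_attributes.get(match.group(1), ""))
    text = template.replace("%OneTimePassword%", otp)
    return re.sub(r"%AD:([A-Za-z0-9_-]+)%", ad_lookup, text)


def build_otp_email(subject_tpl, body_tpl, ad_attributes, otp_format, min_len, max_len):
    """Return (subject, body). Refuses templates that never carry the password,
    since the page requires %OneTimePassword% in the subject or the body."""
    if "%OneTimePassword%" not in subject_tpl + body_tpl:
        raise ValueError("%OneTimePassword% must appear in the subject or body")
    otp = generate_otp(otp_format, min_len, max_len)
    return (render_template(subject_tpl, otp, ad_attributes),
            render_template(body_tpl, otp, ad_attributes))


if __name__ == "__main__":
    # Page defaults: subject "OTP %OneTimePassword%", body "%OneTimePassword%".
    subject, body = build_otp_email("OTP %OneTimePassword%", "%OneTimePassword%",
                                    {"mobile": "+1-555-0100"},  # constructed AD value
                                    "Characters and Numbers", 8, 10)
    print(subject, body, sep="\n")
```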
Services > Bookmarks
The Services > Bookmarks page within the Web-based management interface provides a
single interface for viewing bookmarks and access to configure bookmarks for users and
groups.
Adding or Editing a Bookmark
To add a bookmark, navigate to the Services > Bookmarks screen within the management
interface and select the Add Bookmark... button. The Add Bookmark dialog box opens in a
separate window.
Complete the following steps to add a service bookmark:
Step 1 Use the Bookmark Owner drop-down menu to select whether the bookmark is owned as a
Global Bookmark, a Local Domain group bookmark, or a bookmark assigned to an individual
User.
Step 2 Fill in the Bookmark Name field with a friendly name for the service bookmark.
Step 3 Fill in the Name or IP Address field with the hostname, IP address, or IPv6 address of the
desired bookmark. IPv6 addresses should begin with [ and end with ].
Note IPv6 is not supported by File Shares.
Some services can run on non-standard ports, and some expect a path when connecting.
Depending on the choice in the Service field, format the Name or IP Address field like one of
the examples shown in the following table.
Service Type       Format                          Example for Name or IP Address Field
RDP - ActiveX      IP Address                      10.20.30.4
RDP - Java         IPv6 Address                    2008::1:2:3:4
                   IP:Port (non-standard)          10.20.30.4:6818
                   FQDN                            JBJONES-PC.sv.us.sonicwall.com
                   Host name                       JBJONES-PC
VNC                IP Address                      10.20.30.4
                   IPv6 Address                    2008::1:2:3:4
                   IP:Port (mapped to session)     10.20.30.4:5901 (mapped to session 1)
                   FQDN                            JBJONES-PC.sv.us.sonicwall.com
                   Host name                       JBJONES-PC
                   Note: Do not use session or     Note: Do not use 10.20.30.4:1
                   display number instead of       Tip: For a bookmark to a Linux server, see
                   port.                           the Tip below this table.
FTP                IP Address                      10.20.30.4
                   IPv6 Address                    2008::1:2:3:4
                   IP:Port (non-standard)          10.20.30.4:6818 or [2008::1:2:3:4]:6818
                   FQDN                            JBJONES-PC.sv.us.sonicwall.com
                   Host name                       JBJONES-PC
Telnet             IP Address                      10.20.30.4
                   IPv6 Address                    2008::1:2:3:4
                   IP:Port (non-standard)          10.20.30.4:6818 or [2008::1:2:3:4]:6818
                   FQDN                            JBJONES-PC.sv.us.sonicwall.com
                   Host name                       JBJONES-PC
SSHv1              IP Address                      10.20.30.4
SSHv2              IPv6 Address                    2008::1:2:3:4
                   IP:Port (non-standard)          10.20.30.4:6818 or [2008::1:2:3:4]:6818
                   FQDN                            JBJONES-PC.sv.us.sonicwall.com
                   Host name                       JBJONES-PC
Tip When creating a Virtual Network Computing (VNC) bookmark to a Linux server, you must
specify the port number and server number in addition to the Linux server IP address in the
Name or IP Address field, in the form ipaddress:port:server. For example, if the Linux server IP
address is 192.168.2.2, the port number is 5901, and the server number is 1, the value for
the Name or IP Address field would be 192.168.2.2:5901:1.
Step 4 Use the Service drop-down menu to select the desired bookmark service. Use the following
information for the chosen service to complete the building of the bookmark.
Service Type       Format                          Example for Name or IP Address Field
HTTP               URL                             www.sonicwall.com
HTTPS              IP Address of URL               204.212.170.11
                   IPv6 Address                    2008::1:2:3:4
                   URL:Path or File                www.sonicwall.com/index.html
                   IP:Path or File                 204.212.170.11/folder/
                   URL:Port                        www.sonicwall.com:8080
                   IP:Port                         204.212.170.11:8080 or [2008::1:2:3:4]:8080
                   URL:Port:Path or File           www.sonicwall.com:8080/folder/index.html
                   IP:Port:Path or File            204.212.170.11:8080/index.html
File Shares        Host\Folder\                    server-3\sharedfolder\
                   Host\File                       server-3\inventory.xls
                   FQDN\Folder                     server-3.company.net\sharedfolder\
                   FQDN\File                       server-3.company.net\inventory.xls
                   IP\Folder\                      10.20.30.4\sharedfolder\
                   IP\File                         10.20.30.4\status.doc
                   Note: Use backslashes even on Linux or Mac computers; these use the
                   Windows API for file sharing.
Citrix             IP Address                      172.55.44.3
(Citrix Web        IPv6 Address                    2008::1:2:3:4
Interface)         IP:Port                         172.55.44.3:8080 or [2008::1:2:3:4]:8080
                   IP:Path or File                 172.55.44.3/folder/file.html
                   IP:Port:Path or File            172.55.44.3:8080/report.pdf
                   FQDN                            www.citrixhost.company.net
                   URL:Path or File                www.citrixhost.net/folder/
                   URL:Port                        www.citrixhost.company.com:8080
                   URL:Port:Path or File           www.citrixhost.com:8080/folder/index.html
                   Note: Port refers to the HTTP(S) port of Citrix Web Interface, not to the
                   Citrix ICA client port.
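A parser for the Name or IP Address field formats listed in the bookmark table above and in the VNC Tip, as an added Python example (not SonicWALL's code): it splits host, port and the service-specific remainder (URL path, VNC server number, or share path), accepts bracketed IPv6 literals with a port, and rejects malformed ports. The default port numbers, the simplified service labels and the sample inputs are assumptions, not values from the page.

```python
"""Added example (not SonicWALL code): parse the Name or IP Address field of a
bookmark according to the formats in the table above. Default ports and the
simplified service labels (e.g. "RDP" for both RDP - ActiveX and RDP - Java)
are assumptions."""
import ipaddress
import re
from typing import NamedTuple, Optional

DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443, "FTP": 21, "Telnet": 23,
                 "SSHv1": 22, "SSHv2": 22, "RDP": 3389, "VNC": 5900, "Citrix": 80}


class Target(NamedTuple):
    host: str
    port: Optional[int]
    extra: Optional[str]   # URL path, VNC server number, or share path


def _split_host_port(value):
    """Split 'host', 'host:port' or '[ipv6]:port'; a bare IPv6 literal carries no port."""
    m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\](?::(\d+))?", value)
    if m:
        ipaddress.IPv6Address(m.group(1))  # raises ValueError if not a valid IPv6 address
        return m.group(1), (int(m.group(2)) if m.group(2) else None)
    if value.count(":") > 1:
        ipaddress.IPv6Address(value)       # bare IPv6 literal: no port possible
        return value, None
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():
        raise ValueError("port must be numeric: %r" % value)
    return host, (int(port) if sep else None)


def parse_bookmark_target(service, value):
    """Return a Target for the given Service and Name or IP Address field value."""
    value = value.strip()
    if not value:
        raise ValueError("empty Name or IP Address field")
    if service == "File Shares":
        # Host\Folder\ or Host\File, with backslashes even from Linux or Mac clients
        host, sep, share = value.partition("\\")
        if not sep or not host:
            raise ValueError("File Shares target needs Host\\Folder or Host\\File")
        return Target(host, None, share)
    if service in ("HTTP", "HTTPS", "Citrix"):
        # URL[:Port][/Path or File]; the path begins at the first slash
        hostport, slash, path = value.partition("/")
        host, port = _split_host_port(hostport)
        return Target(host, port or DEFAULT_PORTS[service],
                      (slash + path) if slash else None)
    if service == "VNC":
        # ipaddress:port:server for Linux servers (see the Tip), else host[:port]
        m = re.fullmatch(r"([^:\[\]]+):(\d+):(\d+)", value)
        if m:
            return Target(m.group(1), int(m.group(2)), m.group(3))
        host, port = _split_host_port(value)
        return Target(host, port or DEFAULT_PORTS["VNC"], None)
    host, port = _split_host_port(value)
    return Target(host, port or DEFAULT_PORTS[service], None)


if __name__ == "__main__":
    for svc, val in [("RDP", "10.20.30.4:6818"), ("SSHv2", "[2008::1:2:3:4]:6818"),
                     ("VNC", "192.168.2.2:5901:1"),
                     ("HTTPS", "www.sonicwall.com:8080/folder/index.html"),
                     ("File Shares", "server-3\\inventory.xls")]:
        print(svc, parse_bookmark_target(svc, val))
```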
Terminal Services (RDP - ActiveX) or Terminal Services (RDP - Java)
Note If you select Terminal Services (RDP - ActiveX) while using a browser other than Internet
Explorer, the selection is automatically switched to Terminal Services (RDP - Java). A
popup dialog box notifies you of the switch.
In the Screen Size drop-down list, select the default terminal services screen size to
be used when users execute this bookmark.
Because different computers support different screen sizes, when you use a remote
desktop application, you should select the size of the screen on the computer from
which you are running a remote desktop session.
In the Colors drop-down list, select the default color depth for the terminal service
screen when users execute this bookmark.
Optionally, enter the local path for this application in the Application and Path field.
In the Start in the following folder field, optionally enter the local folder in which to
execute application commands.
Select the Login as console/admin session checkbox to allow login as console or
admin. Login as admin replaces login as console in RDC 6.1 and newer.
Select the Enable wake-on-LAN checkbox to enable waking up a computer over the
network connection. Selecting this checkbox causes the following new fields to be
displayed:
MAC/Ethernet Address Enter one or more MAC addresses, separated by
spaces, of target hosts to wake.
Wait time for boot-up (seconds) Enter the number of seconds to wait for the
target host to fully boot up before cancelling the WOL operation.
Send WOL packet to host name or IP address To send the WOL packet to the
hostname or IP of this bookmark, select the Send WOL packet to host name or
IP address checkbox, which can be applied in tandem with a MAC address of
another machine to wake.
For RDP - ActiveX on Windows clients, expand Show client redirect options and
select any of the redirect checkboxes Redirect Printers, Redirect Drives, Redirect
Ports, or Redirect SmartCards to redirect those devices on the local network for use
in this bookmark session. You can hover your mouse pointer over these options to
display tooltips that indicate requirements for certain actions.
To see local printers show up on your remote machine (Start > Settings > Control Panel
> Printers and Faxes), select Redirect Ports as well as Redirect Printers.
For RDP - Java on Windows clients, or on Mac clients running Mac OS X 10.5 or above
with RDC installed, expand Show advance Windows options and select the
checkboxes for any of the following redirect options: Redirect Printers, Redirect
Drives, Redirect Ports, Redirect SmartCards, Redirect clipboard, or Redirect plug
and play devices to redirect those devices or features on the local network for use in
this bookmark session. You can hover your mouse pointer over the Help icon next
to certain options to display tooltips that indicate requirements.
To see local printers show up on your remote machine (Start > Settings > Control Panel
> Printers and Faxes), select Redirect Ports as well as Redirect Printers.
Select the checkboxes for any of the following additional features for use in this
bookmark session: Display connection bar, Auto reconnection, Desktop
background, Window drag, Menu/window animation, Themes, or Bitmap caching.
Services > Bookmarks
161
SonicWALL SSL VPN 5.0 Administrators Guide
If the client application will be RDP 6 (Java), you can select any of the following options
as well: Dual monitors, Font smoothing, Desktop composition, or Remote
Application.
Remote Application monitors server and client connection activity; to use it, you need
to register remote applications in the Windows 2008 RemoteApp list. If Remote
Application is selected, the Java Console will display messages regarding connectivity
with the Terminal Server.
For RDP - ActiveX on Windows clients, optionally select Enable plugin DLLs and
enter the name(s) of client DLLs which need to be accessed by the remote desktop or
terminal service. Multiple entries are separated by a comma with no spaces. Note that
the RDP Java client on Windows is a native RDP client that supports Plugin DLLs by
default. The Enable plugin DLLs option is not available for RDP - Java. See Enabling
Plugin DLLs section on page 257.
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the RDP server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Virtual Network Computing (VNC)
In the Encoding drop-down menu, select the desired encoding transfer format.
Optionally, if available, use the Compression Level drop-down menu to select the
desired compression level for data.
Optionally, if available, select the JPEG image file quality level using the JPEG Image
Quality drop-down menu.
In the Cursor Shape Updates drop-down menu, select to either Enable, Disable, or
Ignore these updates.
Enable or disable the CopyRect function using the associated checkbox.
Enable or disable the use of only Restricted Colors by using the associated checkbox.
Select the associated checkbox to swap mouse buttons two and three.
Select the View Only checkbox to prevent the user from taking control of the remote desktop
over VNC; the session is then display-only.
Select the Share Desktop checkbox to allow the desktop view to be shared with other VNC sessions.
Citrix Portal (Citrix)
Optionally, select HTTPS Mode to use HTTPS to securely access the Citrix Portal.
HTTPS mode is used to encrypt communication between the SSL VPN device and the
Citrix server using the SSL protocol.
Optionally, select Always use Java in Internet Explorer to use Java to access the
Citrix Portal when using Internet Explorer. Without this setting, a Citrix ICA client or
XenApp plugin (an ActiveX client) must be used with IE. This setting lets users avoid
installing a Citrix ICA client or XenApp plugin specifically for IE browsers. Java is used
with Citrix by default on other browsers and also works with IE. Enabling this checkbox
leverages this portability.
Web (HTTP)
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the Web server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Secure Web (HTTPS)
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the secure Web
server. Select Use custom credentials to enter a custom username, password, and
domain for this bookmark. For more information about custom credentials, see
Creating Bookmarks with Custom SSO Credentials section on page 259.
File Shares (CIFS)
To allow users to use a Java Applet for File Shares that mimics Windows functionality,
select the Use File Shares Java Applet checkbox.
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the file share server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
When creating a File Share, do not configure a Distributed File System (DFS) server on
a Windows Domain Root system. Because the Domain Root allows access only to
Windows computers in the domain, doing so will disable access to the DFS file shares
from other domains. The SonicWALL SSL-VPN is not a domain member and will not be
able to connect to the DFS shares.
DFS file shares on a stand-alone root are not affected by this Microsoft restriction.
File Transfer Protocol (FTP)
Expand Show advanced server configuration to select an alternate value in the
Character Encoding drop-down list. The default is Standard (UTF-8).
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the FTP server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Telnet
No additional fields
Secure Shell version 1 (SSHv1)
No additional fields
Secure Shell version 2 (SSHv2)
Optionally select the Automatically accept host key checkbox.
If using an SSHv2 server without authentication, such as a SonicWALL firewall, you can
select the Bypass username checkbox.
Step 5 Click OK to update the configuration. Once the configuration has been updated, the new user
bookmark will be displayed in the Services > Bookmarks window.
Editing a Bookmark
To edit a service bookmark, navigate to the Services > Bookmarks screen. Click on the pencil
icon in the Configure column. A new Edit Bookmark window will open with the bookmark's
current configuration. Make all desired adjustments and select OK. The edited bookmark will
then display in the Services > Bookmarks window.
Deleting a Bookmark
To delete a configured bookmark, navigate to the Services > Bookmarks screen. Click on the
X icon in the Configure column. A dialog box will open and ask if you are sure you want to
delete the specified bookmark. Click OK to delete the bookmark. The bookmark will no longer
appear in the Services > Bookmarks screen.
Services > Policies
The Services > Policies page within the Web-based management interface provides a single
interface for viewing service policies and access to configure policies for users and groups.
Adding or Editing a Policy
To add a policy, navigate to the Services > Policies screen within the management interface
and select the Add Policy... button. The Add Policy dialog box opens in a separate window.
Follow these steps to add a service policy:
Step 1 Use the Policy Owner drop-down menu to select whether the policy is owned as a Global
Policy, a Local Domain group policy, or a policy assigned to an individual User.
Step 2 In the Apply Policy To drop-down menu, select whether the policy will be applied to an
individual host, a range of addresses, all addresses, a network object, a server path, or a URL
object. You can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6
addresses. The Add Policy dialog box changes depending on what type of object you select
in the Apply Policy To drop-down list.
Note These SonicWALL SSL VPN policies apply to the destination address(es) of the SonicWALL
SSL VPN connection, not the source address. You cannot permit or block a specific IP
address on the Internet from authenticating to the SonicWALL SSL VPN gateway with a
policy created on the Policies tab. However, it is possible to control source logins by IP
address with a login policy created on the user's Login Policies tab. For more information, refer
to Configuring Login Policies section on page 260.
Step 3 Follow the appropriate step below depending on your selection in the Apply Policy To menu.
IP Address - If your policy applies to a specific host, enter the IP address of the local host
machine in the IP Address field. Optionally enter a port range (for example, 4100-4200) or
a single port number into the Port Range/Port Number field. See Adding a Policy for an
IP Address section on page 247.
IP Address Range - If your policy applies to a range of addresses, enter the beginning IP
address in the IP Network Address field and the subnet mask that defines the IP address
range in the Subnet Mask field. Optionally, enter a port range (for example, 4100-4200) or
a single port number into the Port Range/Port Number field. See Adding a Policy for an
IP Address Range section on page 247.
All Addresses - If your policy applies to all IPv4 addresses, you do not need to enter any
IP address information. See Adding a Policy for All Addresses section on page 248.
Network Object - If your policy applies to a predefined network object, select the name of
the object from the Network Object drop-down list. A port or port range can be specified
when defining a Network Object. See Adding Network Objects section on page 101
Server Path - If your policy applies to a server path, select one of the following radio
buttons in the Resource field:
Share (Server path) - When you select this option, type the path into the Server Path
field.
Network (Domain list)
Servers (Computer list)
See Setting File Shares Access Policies section on page 248.
URL Object - If your policy applies to a predefined URL object, type the URL into the URL
field. See Adding a Policy for a URL Object section on page 249.
IPv6 Address - If your policy applies to a specific host, enter the IPv6 address of the local
host machine in the IPv6 Address field. Optionally enter a port range (for example, 4100-
4200) or a single port number into the Port Range/Port Number field. See Adding a Policy
for an IPv6 Address section on page 250.
IPv6 Address Range - If your policy applies to a range of addresses, enter the beginning
IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6
address range in the IPv6 Prefix field. Optionally enter a port range (for example, 4100-
4200) or a single port number into the Port Range/Port Number field. See Adding a Policy
for an IPv6 Address section on page 250.
All IPv6 Address - If your policy applies to all IPv6 addresses, you do not need to enter
any IP address information. See Adding a Policy for All IPv6 Addresses section on
page 251.
Step 4 Select the service type in the Service drop-down list. If you are applying a policy to a network
object, the service type is defined in the network object.
Step 5 Select ALLOW or DENY from the Status drop-down list to either allow or deny SonicWALL SSL
VPN connections for the specified service and host machine.
Tip When using Citrix bookmarks, in order to restrict proxy access to a host, a DENY rule must
be configured for both Citrix and HTTP services.
Step 6 Click Add to update the configuration. Once the configuration has been updated, the new policy
will be displayed in the Services > Policies window.
Editing a Policy
To edit a service-related policy, navigate to the Services > Policies screen. Click on the pencil
icon in the Configure column. A new Edit Policy window will open with the policy's current
configuration. Make all desired adjustments and select OK. The edited policy will then
display in the Services > Policies window.
Deleting a Policy
To delete a configured policy, navigate to the Services > Policies screen. Click on the X icon
in the Configure column. A dialog box will open and ask if you are sure you want to delete the
specified policy. Click OK to delete the policy. The policy will no longer appear in the Services
> Policies screen.
Chapter 6: NetExtender Configuration
This chapter provides information and configuration tasks specific to the NetExtender pages on
the SonicWALL SSL VPN Web-based management interface.
NetExtender is an SSL VPN client for Windows, Mac, Linux, or Android smartphone users that
is downloaded transparently and allows you to run any application securely on the company's
network. It uses Point-to-Point Protocol (PPP). NetExtender allows remote clients to have
seamless access to resources on your local network.
Users can access NetExtender two ways: Using the NetExtender button on the SonicWALL
SSL VPN user portal, or by using the NetExtender standalone client, which is installed by
clicking on the NetExtender button in the SonicWALL SSL VPN Web-based management
interface. The NetExtender standalone client application can be accessed directly from the
Windows Start menu, from the Application folder or dock on Mac systems, by pathname or from
the shortcut bar on Linux systems, and with the icon on Android smartphones.
The standalone NetExtender Mobile client is available for devices running Windows Mobile 5
PocketPC and Windows Mobile 6 Professional/Classic.
SonicWALL SSL-VPN supports client certificates in both the standalone Windows NetExtender
client and the NetExtender Mobile client.
NetExtender supports IPv6 client connections from Windows systems running Vista or newer,
and from Linux clients. An IPv6 address pool for NetExtender is optional, while an IPv4 address
pool is necessary.
For more information on NetExtender concepts, see NetExtender Overview section on
page 16. For information about using or installing the NetExtender, NetExtender Mobile, or
NetExtender Android clients, see the latest SonicOS SSL-VPN Users Guide, available on the
Secure Remote Access pages of the SonicWALL Support Web site at:
http://www.sonicwall.com/us/Support.html
This chapter contains the following sections:
NetExtender > Status section on page 168
NetExtender > Client Settings section on page 169
NetExtender > Client Routes section on page 171
NetExtender > Status
This section provides an overview of the NetExtender > Status page and a description of the
configuration tasks available on this page.
NetExtender > Status Overview section on page 168
Viewing NetExtender Status section on page 168
NetExtender > Status Overview
The NetExtender > Status page allows the administrator to view active NetExtender sessions,
including the name, IP address, login time, length of time logged in and logout time.
Figure 23 NetExtender > Status
Viewing NetExtender Status
The NetExtender > Status page allows the administrator to view active NetExtender sessions,
including the name, IP address, login time, length of time logged in and administrative logout
control. Table 11 provides a description of the status items.
Table 11 NetExtender Status
Status Item Description
Name The user name.
IP Address The IP address of the workstation from which the user is logged in.
Login Time The time when the user first established connection with the
SonicWALL SSL-VPN appliance expressed as day, date, and time
(HH:MM:SS).
Logged in The amount of time since the user first established connection with the
SonicWALL SSL-VPN appliance expressed as number of days and time
(HH:MM:SS).
Logout Provides the administrator the ability to logout a NetExtender session.
NetExtender > Client Settings
This section provides an overview of the NetExtender > Client Settings page and a
description of the configuration tasks available on this page.
NetExtender > Client Settings Overview section on page 169
Configuring the Global NetExtender IP Address Range section on page 169
Configuring Global NetExtender Settings section on page 170
NetExtender > Client Settings Overview
The NetExtender > Client Settings page allows the administrator to specify the client address
range.
Figure 24 NetExtender > Client Settings
Configuring the Global NetExtender IP Address Range
The NetExtender > Client Settings page allows the administrator to specify the global client
address range. The address range can be specified for both IPv4 and IPv6. An IPv6 address
pool for NetExtender is optional, while an IPv4 address pool is required. The global
NetExtender IP range defines the IP address pool from which addresses will be assigned to
remote users during NetExtender sessions. The range needs to be large enough to
accommodate the maximum number of concurrent NetExtender users you wish to support plus
one (for example, the range for 15 users requires 16 addresses, such as 192.168.200.100 to
192.168.200.115).
The range should fall within the same subnet as the interface to which the SSL-VPN appliance
is connected, and in cases where there are other hosts on the same segment as the SSL-VPN
appliance, it must not overlap or collide with any assigned addresses. You can determine the
correct subnet in one of the following ways:
You may leave the NetExtender range at the default (192.168.200.100 to
192.168.200.200).
Select a range that falls within your existing DMZ subnet. For example, if your DMZ uses
the 192.168.50.0/24 subnet, and you want to support up to 30 concurrent NetExtender
sessions, you could use 192.168.50.220 to 192.168.50.250, providing they are not already
in use.
Select a range that falls within your existing LAN subnet. For example, if your LAN uses the
192.168.168.0/24 subnet, and you want to support up to 10 concurrent NetExtender
sessions, you could use 192.168.168.240 to 192.168.168.250, providing they are not
already in use.
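The three rules above (the range sits inside the interface subnet, does not collide with addresses already assigned on that segment, and holds the expected number of concurrent users plus one) can be checked before the range is typed into the appliance. The script below is an added example, not SonicWALL code; the DMZ subnet and the list of addresses already in use are constructed for the example, and the check that keeps the IPv4 network and broadcast addresses out of the pool is an addition not stated in the guide.

```python
"""Validate a proposed NetExtender client address range (added example)."""
import ipaddress


def check_client_range(begin, end, interface_subnet, in_use, max_users):
    """Return a list of problems with a proposed client address range.
    An empty list means the range passes every check below."""
    start = ipaddress.ip_address(begin)
    stop = ipaddress.ip_address(end)
    subnet = ipaddress.ip_network(interface_subnet, strict=False)
    if not (start.version == stop.version == subnet.version):
        return ["begin, end and subnet must be the same IP version"]
    if stop < start:
        return ["range end %s is before range begin %s" % (stop, start)]

    problems = []
    # Guide: the range should fall within the subnet of the interface the appliance is on.
    if start not in subnet or stop not in subnet:
        problems.append("range is not inside %s" % subnet)
    # Guide: one address per concurrent user, plus one.
    size = int(stop) - int(start) + 1
    needed = max_users + 1
    if size < needed:
        problems.append("range holds %d addresses; %d users need %d" % (size, max_users, needed))
    # Guide: the range must not collide with addresses already assigned on the segment
    # (include the appliance's own address and the gateway in this list).
    for a in in_use:
        addr = ipaddress.ip_address(a)
        if addr.version == start.version and start <= addr <= stop:
            problems.append("%s is already assigned on this segment" % addr)
    # Added sanity check, not stated in the guide: keep the IPv4 network and
    # broadcast addresses out of the pool.
    if subnet.version == 4 and (start == subnet.network_address or stop == subnet.broadcast_address):
        problems.append("range includes the network or broadcast address of %s" % subnet)
    return problems


# Constructed sample: a DMZ on 192.168.50.0/24 where the gateway, the SSL-VPN
# appliance and one server are already assigned.
DMZ_SUBNET = "192.168.50.0/24"
DMZ_IN_USE = ["192.168.50.1", "192.168.50.10", "192.168.50.225"]

if __name__ == "__main__":
    # The guide's 30-user DMZ example, which collides with the constructed server at .225.
    print(check_client_range("192.168.50.220", "192.168.50.250", DMZ_SUBNET, DMZ_IN_USE, 30))
    # The guide's IPv6 route example network, used here as an IPv6 pool.
    print(check_client_range("2007::1:2:3:100", "2007::1:2:3:1ff", "2007::1:2:3:0/112", [], 100))
```

The same function applies to the user-level and group-level ranges configured later in this chapter; a per-user range that pins a single address is simply begin == end with max_users set to 0.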
To specify your global NetExtender address range, perform the following steps:
Step 1 Navigate to the NetExtender > Client Settings page.
Step 2 Under NetExtender Client Address Range, supply a beginning client IPv4 address in the
Client Address Range Begin field.
Step 3 Supply an ending client IPv4 address in the Client Address Range End field.
Step 4 Under NetExtender Client IPv6 Address Range, optionally supply a beginning client IPv6
address in the Client Address Range Begin field.
Step 5 If using IPv6, supply an ending client IPv6 address in the Client Address Range End field.
Step 6 Click Accept.
Step 7 The Status message displays Update Successful. Restart for current clients to obtain new
addresses.
Configuring Global NetExtender Settings
SonicWALL SSL VPN provides several settings to customize the behavior of NetExtender when
users connect and disconnect. To configure global NetExtender client settings, perform the
following steps:
Step 1 Navigate to the NetExtender > Client Settings page.
Step 2 The following options can be enabled or disabled for all users:
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected
from the SSL-VPN server. To reconnect, users will have to either return to the SSL-VPN
portal or launch NetExtender from their Programs menu. This option applies to all
supported platforms except Android smartphones.
Uninstall Client After Exit - The NetExtender client automatically uninstalls when the user
exits the client user interface. This occurs when the user right-clicks the NetExtender tray
icon and selects Exit. To reconnect, users will have to return to the SSL-VPN portal. This
option only applies to Windows clients. It does not apply to Windows Mobile, Android, Mac,
or Linux clients.
Create Client Connection Profile - The NetExtender client will create a connection profile
recording the SSL VPN Server name, the Domain name and optionally the username and
password.
Step 3 The User Name & Password Caching options provide flexibility in allowing users to cache
their usernames and passwords in the NetExtender client. The three options are Allow saving
of user name only, Allow saving of user name & password, and Prohibit saving of user
name & password. These options enable administrators to balance security needs against
ease of use for users.
Step 4 Click Accept.
NetExtender > Client Routes
This section provides an overview of the NetExtender > Client Routes page and a description
of the configuration tasks available on this page.
NetExtender > Client Routes Overview section on page 171
Adding NetExtender Client Routes section on page 171
NetExtender > Client Routes Overview
The NetExtender > Client Routes page allows the administrator to add and configure client
routes.
Figure 25 NetExtender > Client Routes
Adding NetExtender Client Routes
The NetExtender client routes are passed to all NetExtender clients and are used to govern
which private networks and resources remote users can access via the SSL VPN connection.
If the user-level Add Group NetExtender Client Routes option is enabled, the group-level
routes of both the user's primary group and any additional groups are pushed to the client.
User-level routes are always pushed to the NetExtender client, and global routes are pushed
only when the Add Global NetExtender Client Routes option is enabled. IPv4 and IPv6 routes
both follow these rules.
Note With group access policies, all traffic is allowed by default. This is the opposite of the default
behavior of SonicWALL Unified Threat Management (UTM) appliances, where all inbound
traffic is denied by default. If you do not create policies for your SSL-VPN appliance, then
all NetExtender users may be able to access all resources on your internal network(s).
Additional allow and deny policies may be created by destination address or address range and
by service type.
Note The most specific policy will take precedence over less specific policies. For example, a
policy that applies to only one IP address will have priority over a policy that applies to a
range of IP addresses. If there are two policies that apply to a single IP address, then a
policy for a specific service (for example RDP) will take precedence over a policy that
applies to all services.
User policies take precedence over group policies and group policies take precedence over
global policies, regardless of the policy definition. A user policy that allows access to all IP
addresses will take precedence over a group policy that denies access to a single IP
address.
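The precedence rules in the two notes above are easy to get wrong when user, group and global policies overlap, and the guide's own example (a user-level allow-all beating a group-level deny of one host) is the case most likely to open a hole. The script below is an added example, not SonicWALL code: it models the rules as the guide states them (user over group over global, then the narrower destination, then an explicit service over all services, and allow when nothing matches) so a policy set can be checked against specific destinations before it is deployed. Policy names, the "any"/"any6" destination spelling and the "*" all-services marker are conventions of the example only, and how the appliance breaks a tie between two equally specific policies is not stated in the guide.

```python
"""Model of SonicWALL SSL VPN policy precedence as described in the guide (added example)."""
import ipaddress
from dataclasses import dataclass

# Lower rank wins: user policies beat group policies, which beat global policies.
SCOPE_RANK = {"user": 0, "group": 1, "global": 2}
ALL_SERVICES = "*"


@dataclass(frozen=True)
class Policy:
    name: str          # label used by this example only
    scope: str         # "user", "group" or "global" (the Policy Owner)
    destination: str   # host "192.168.50.5", network "192.168.50.0/24", or "any" / "any6"
    service: str       # e.g. "RDP", "HTTP", or ALL_SERVICES
    action: str        # "ALLOW" or "DENY"

    def network(self):
        if self.destination in ("any", "any6"):
            return None
        return ipaddress.ip_network(self.destination, strict=False)

    def matches(self, dst, service):
        if self.service not in (ALL_SERVICES, service):
            return False
        net = self.network()
        if net is None:
            return dst.version == (6 if self.destination == "any6" else 4)
        return dst.version == net.version and dst in net

    def rank(self):
        # Sort key: owner first, then the narrower destination, then an explicit
        # service over all services. "any" ranks below every explicit network.
        net = self.network()
        prefix = -1 if net is None else net.prefixlen
        return (SCOPE_RANK[self.scope], -prefix, 0 if self.service != ALL_SERVICES else 1)


def evaluate(policies, destination, service):
    """Return (action, policy name) for one destination and service, or ("ALLOW", None)
    when no policy matches, because the guide states all traffic is allowed by default."""
    dst = ipaddress.ip_address(destination)
    matched = [p for p in policies if p.matches(dst, service)]
    if not matched:
        return "ALLOW", None
    # Ties between equally ranked policies are not defined by the guide; the first wins here.
    winner = min(matched, key=Policy.rank)
    return winner.action, winner.name


# Constructed policy set reproducing the guide's warning: a user policy that allows
# every address overrides a group policy that denies a single host.
SAMPLE_POLICIES = [
    Policy("global-deny-rdp-to-dmz", "global", "192.168.50.0/24", "RDP", "DENY"),
    Policy("group-deny-fileserver", "group", "192.168.168.10", ALL_SERVICES, "DENY"),
    Policy("user-allow-everything", "user", "any", ALL_SERVICES, "ALLOW"),
]

if __name__ == "__main__":
    for dest, svc in [("192.168.168.10", "RDP"), ("192.168.50.20", "RDP"), ("192.168.50.20", "HTTP")]:
        print(dest, svc, evaluate(SAMPLE_POLICIES, dest, svc))
        print(dest, svc, "without the user policy:", evaluate(SAMPLE_POLICIES[:2], dest, svc))
```

Run the evaluation for every sensitive destination with each user's effective policy list; a result of ("ALLOW", None) means no policy covers that destination at all, which under the default-allow behaviour is an open path rather than a safe one.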
To add NetExtender client routes, perform the following steps:
Step 1 Navigate to the NetExtender > Client Routes page.
Step 2 Select Enabled from the Tunnel All Mode drop-down list to force all traffic from NetExtender
clients, including traffic destined to the remote user's local network, over the SSL VPN
NetExtender tunnel.
Step 3 Click the Add Client Route button. The Add Client Route dialog box displays.
Step 4 In the Add Client Route dialog box, in the Destination Network field, type the IP address of
the trusted network to which you would like to provide access with NetExtender. For example,
if you are connecting to an existing DMZ with the network 192.168.50.0/24 and you want to
provide access to your LAN network 192.168.168.0/24, you would enter 192.168.168.0.
You can enter an IPv6 route in the Destination Network field, in the form 2007::1:2:3:0.
Step 5 For an IPv4 destination network, type the subnet mask in the Subnet Mask/Prefix field using
decimal format (255.0.0.0, 255.255.0.0, or 255.255.255.0). For an IPv6 destination network,
type the prefix length, such as 112.
Step 6 Click Add.
Step 7 Repeat this procedure for all necessary routes.
NetExtender User and Group Settings
Multiple range and route support for NetExtender enables network administrators to easily
segment groups and users without the need of configuring firewall rules to govern access. This
user segmentation allows for granular control of access to the network, allowing users access
to necessary resources while restricting access to sensitive resources to only those who
require it. This section contains the following subsections:
Configuring User-Level NetExtender Settings section on page 172
Configuring Group-Level NetExtender Settings section on page 175
Configuring User-Level NetExtender Settings
Note User-level NetExtender settings are not supported on SSL-VPN 200 appliance.
All of the global settings for NetExtender (IP address ranges, client routes, and client
connection settings) can be configured at the user and group levels. Multiple range and route
support for NetExtender enables network administrators to easily segment groups and users
without the need of configuring firewall rules to govern access. This user segmentation allows
for granular control of access to the network, allowing users access to necessary resources
while restricting access to sensitive resources to only those who require it. To configure custom
settings for individual users, perform the following steps:
Step 1 Navigate to the Users > Local Users page.
Step 2 Click on the configure icon for the user you want to edit. The Edit User window is
launched.
Step 3 Click on the Nx Settings tab.
Configuring User Client IP Address Range
Note User-level NetExtender address ranges are not supported on SSL-VPN 200 appliance.
Step 1 To configure an IPv4 address range for this user, enter the beginning of the range in the Client
Address Range Begin field and the end of the range in the Client Address Range End field.
Step 2 To give this user the same IP address every time the user connects, enter the IP address in
both fields.
Step 3 To configure an IPv6 address range for this user, enter the beginning of the range in the Client
IPv6 Address Range Begin field and the end of the range in the Client IPv6 Address Range
End field. IPv6 configuration is optional.
Step 4 To give this user the same IPv6 address every time the user connects, enter the IP address in
both fields.
Tip Unless more than one user will be using the same username, which is not recommended,
there is no need to configure more than one IP address for the user client IP address range.
Step 5 Click OK.
Configuring User NetExtender Settings
Note User-level NetExtender settings are not supported on SSL-VPN 200 appliance.
The following NetExtender settings can be configured for the user:
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected
from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN
portal or launch NetExtender from their Programs menu.
Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when
it becomes disconnected from the SSL-VPN server. To reconnect, users will have to return
to the SSL-VPN portal. This option only applies to Windows clients. It does not apply to
Windows Mobile, Android, Mac, or Linux clients.
Create Client Connection Profile - The NetExtender client will create a connection profile
recording the SSL VPN Server name, the Domain name and optionally the username and
password.
The User Name & Password Caching options provide flexibility in allowing users to cache
their usernames and passwords in the NetExtender client. The three options are Allow
saving of user name only, Allow saving of user name & password, and Prohibit saving
of user name & password. These options enable administrators to balance security needs
against ease of use for users.
To have the user inherit the NetExtender settings from the group it belongs to (or from the global
NetExtender settings if the user does not belong to a group), select Use Group Settings for
any of the above options.
Configuring User NetExtender Routes
Note User-level NetExtender routes are not supported on SSL-VPN 200 appliance.
Step 1 To add a NetExtender client route that will only be added to this user, click the Nx Routes tab
in the Edit User Settings window.
Step 2 Click the Add Client Route button.
Step 3 Type the IPv4 or IPv6 address of the trusted network to which you would like to provide access
with NetExtender in the Destination Network field.
Step 4 For an IPv4 client route, type the subnet mask in the Subnet Mask/Prefix field. For an IPv6
client route, type the prefix in this field.
Step 5 Click Add.
Step 6 Repeat steps 2 through 5 for all necessary routes.
Step 7 Select Enabled from the Tunnel All Mode drop-down list to force all traffic for this user,
including traffic destined to the remote user's local network, over the SSL VPN NetExtender
tunnel.
Step 8 To also add the global NetExtender client routes (which are configured on NetExtender >
Client Routes page) to the user, select the Add Global NetExtender Client Routes checkbox.
Step 9 To also add the group NetExtender client routes for the group the user belongs to, select the
Add Group NetExtender Client Routes checkbox. Group NetExtender routes are configured
on the NetExtender tab of the Edit Group window, which is accessed through the Users >
Local Groups page.
Step 10 Click OK.
Note When using an external authentication server, local usernames are not typically configured
on the SonicWALL SSL-VPN appliance. In such cases, when a user is successfully
authenticated, a local user account is created with the Add Global NetExtender Client
routes and Add Group NetExtender Client routes settings enabled.
Configuring Group-Level NetExtender Settings
Note Group-level NetExtender settings are not supported on the SonicWALL SSL-VPN 200
appliance.
Multiple range and route support for NetExtender enables network administrators to easily
segment groups and users without the need of configuring firewall rules to govern access. This
user segmentation allows for granular control of access to the network, allowing users access
to necessary resources while restricting access to sensitive resources to only those who
require it. To configure custom settings for groups, perform the following steps:
Step 1 Navigate to the Users > Local Groups page.
Step 2 Click on the configure icon for the group you want to edit. The Edit Group Settings
window is launched.
Step 3 Click on the Nx Settings tab.
Configuring Group Client IP Address Range
Note Group-level NetExtender address ranges are not supported on SSL-VPN 200 appliance.
Step 1 To configure an IPv4 address range for this group, enter the beginning of the range in the Client
Address Range Begin field and the end of the range in the Client Address Range End field.
Step 2 To configure an IPv6 address range for this group, enter the beginning of the range in the Client
IPv6 Address Range Begin field and the end of the range in the Client IPv6 Address Range
End field. IPv6 configuration is optional.
Step 3 Click OK.
Configuring Group NetExtender Settings
Note Group-level NetExtender settings are not supported on the SonicWALL SSL-VPN 200
appliance.
The following NetExtender settings can be configured for the group:
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected
from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN
portal or launch NetExtender from their Programs menu.
Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when
it becomes disconnected from the SSL VPN server. To reconnect, users will have to return
to the SSL VPN portal. This option only applies to Windows clients. It does not apply to
Windows Mobile, Android, Mac, or Linux clients.
Create Client Connection Profile - The NetExtender client will create a connection profile
recording the SSL VPN Server name, the Domain name and optionally the username and
password.
The User Name & Password Caching options provide flexibility in allowing users to cache
their usernames and passwords in the NetExtender client. The three options are Allow
saving of user name only, Allow saving of user name & password, and Prohibit saving
of user name & password. These options enable administrators to balance security needs
against ease of use for users.
To have the user inherit the NetExtender settings from the global NetExtender settings, select
Use Global Settings for any of the above options.
Configuring Group NetExtender Routes
Note Group-level NetExtender routes are not supported on the SonicWALL SSL-VPN 200
appliance.
Step 1 To add a NetExtender client route that will only be added to this user, click the Nx Routes tab
in the Edit User Settings window.
Step 2 To add a NetExtender client route that will only be added to users in this group, click the Add
Client Route button.
Step 3 Type the IPv4 or IPv6 address of the trusted network to which you would like to provide access
with NetExtender in the Destination Network field.
Step 4 For an IPv4 route, type the subnet mask in the Subnet Mask/Prefix field. For an IPv6 route,
type the prefix in the Subnet Mask/Prefix field.
Step 5 Click Add.
Step 6 Repeat this procedure for all necessary routes.
Step 7 Select Enabled from the Tunnel All Mode drop-down list to force all traffic for this user,
including traffic destined to the remote user's local network, over the SSL VPN NetExtender
tunnel.
Step 8 To also add the global NetExtender client routes (which are configured on NetExtender >
Client Routes page) to users in this group, select the Add Global NetExtender Client Routes
checkbox.
Step 9 Click OK.
Chapter 7: Virtual Assist Configuration
This chapter provides information and configuration tasks specific to the Virtual Assist
pages on the SonicWALL SSL VPN Web-based management interface.
Virtual Assist is an easy-to-use tool that allows SonicWALL SSL VPN users to remotely support
customers by taking control of their computers while the customer observes. Providing support
to customers is traditionally a costly and time-consuming aspect of business. Virtual Assist
creates a simple-to-deploy, easy-to-use remote support solution.
For more information on Virtual Assist concepts, see the Virtual Assist Overview section on
page 30.
This chapter contains the following sections:
Virtual Assist > Status section on page 178
Virtual Assist > Settings section on page 179
Virtual Assist > Log section on page 184
Virtual Assist > Licensing section on page 186
Virtual Assist > Status
This section provides an overview of the Virtual Assist > Status page and a description of the
configuration tasks available on this page.
Virtual Assist > Status
The Virtual Assist > Status page displays a summary of current active requests, including the
customer name, the summary of the issue they provided, the status of the Virtual Assist
session, and which technician is assisting the customer.
On the right side of the screen, Streaming Updates indicates that changes to the status of
customers will be dynamically updated. Click ON/OFF to enable/disable Streaming Updates,
respectively.
Click the Logout button to remove a customer from the queue. If the customer is currently in a
session, both the customer and technician are disconnected.
For information about using Virtual Assist as a technician, see the following sections:
Launching a Virtual Assist Technician Session section on page 33
Performing Virtual Assist Technician Tasks section on page 35
Virtual Assist > Settings
This section describes the Virtual Assist > Settings page and the configuration tasks available
on this page. The Virtual Assist options are divided into the following tabs:
General Settings on page 179
Request Settings on page 180
Notification Settings on page 181
Customer Portal Settings on page 182
Restriction Settings on page 183
General Settings
To configure Virtual Assist general settings, perform the following tasks:
Step 1 Navigate to the Virtual Assist > Settings page.
Step 2 To require customers to enter a password before being allowed to access Virtual Assist, enter
the password in the Assistance Code window.
Step 3 (Optional) Select Enable Support without Invitation to allow customers who have not
received an email invitation to request assistance. If this is disabled, customers can receive
assistance only if they are explicitly invited by a technician.
Step 4 (Optional) Select Show Customer Login by Default to have the default landing page be the
customer login screen instead of the standard user login page.
Step 5 (Optional) To present customers with a legal disclaimer, instructions, or any other additional
information, enter the text in the Disclaimer field. HTML code is allowed in this field. Customers
will be presented with the disclaimer and required to click Accept before beginning a Virtual
Assist session.
Step 6 (Optional) To change the URL that customers use to access Virtual Assist, enter it in the
Customer Access Link field. This may be necessary if your SonicWALL SSL-VPN appliance
requires a different access URL when outside the network.
The default URL is https://server-name/cgi-bin/supportLogin. When entering a URL, the
https:// will be automatically prepended to your entry, and /cgi-bin/supportLogin will be
automatically appended.
For example, if you enter test.com/virtual_assist in the Customer Access Link field, the URL
will be https://test.com/virtual_assist/cgi-bin/supportLogin.
Step 7 To include a link to Virtual Assist on the portal login page, select the Display Virtual Assist
link from Portal Login checkbox. Customers can then click on a link to go directly to the Virtual
Assist portal login page without having to log in to the Virtual Office.
Request Settings
To configure Virtual Assist request settings, perform the following tasks:
Step 1 On the Virtual Assist > Settings page, click the Request Settings tab at the bottom of the
page.
Step 2 To have Virtual Assist requests time out after a certain amount of time, enter a value in the
Expire Ticket field. The default is 0, which means there is no expiration. After the timeout
duration has passed, customers will have to reinitiate their Virtual Assist request.
Step 3 To limit the number of customers allowed in the Virtual Assist queue, enter a value in the
Maximum Request field.
Step 4 Optionally you can customize the message that is displayed to customers when the queue is
full in the Limit Message field. The message is limited to 256 characters.
Step 5 Entering a value in the Maximum requests From One IP field can be useful if individual
customers are repeatedly requesting help. However, this may cause problems for customers
using DHCP behind a single IP address. The default 0 does not limit requests from individual IP
addresses.
Step 6 Enter a value in the Pending Request Expired field to have customers automatically removed
from the queue if they are not assisted within the specified number of minutes. The default 0
does not remove unassisted customers.
Notification Settings
To configure Virtual Assist notification settings, perform the following tasks:
Step 1 On the Virtual Assist > Settings page, click the Notification Settings tab at the bottom of the
page.
Step 2 To automatically email support technicians when a customer logs in to the Virtual Assist queue,
enter the technicians' email addresses in the Technician Email List. Separate multiple addresses
with semicolons (the ; symbol).
Step 3 The next three fields allow you to customize the email invitation:
Subject of Invitation - The email subject line.
Support Link Text in Invitation - Text that introduces the link to the URL for accessing
Virtual Assist.
Invitation Message - The body of the invitation email message.
Default Email Address for Invitation - The default source email.
These fields support the following variables to customize and personalize the invitation:
%EXPERTNAME% - The name of the technician sending the invitation email.
%CUSTOMERMSG% - The disclaimer configured on the General Settings tab.
%SUPPORTLINK% - The URL for accessing Virtual Assist.
%ACCESSLINK% - The URL for accessing the SSL VPN Virtual Office.
Note The currently configured mail server and email return address are listed at the bottom of the
Virtual Assist > Settings page. To enable technicians to receive notification emails and to
email Virtual Assist invitations to customers, a mail server must be configured on the Log >
Settings page. An accurate technician email address also allows the technician to be notified
of blocked email in deployments where a third-party email filter may block emails sent to the
customer without providing an error to the Virtual Assist client.
Customer Portal Settings
To customize the appearance of the Virtual Assist customer portal, perform the following tasks:
Step 1 On the Virtual Assist > Settings page, click the Customer Portal Settings tab at the bottom
of the page.
Step 2 Configure the following options to customize the appearance of the customer portal:
Show Company Logo - Displays the company logo that is configured on the Logo tab of
the Edit Portal window.
Show Company Copyright - Displays the copyright at the bottom of the page.
Show FAQ and Tour - Displays links to the Virtual Assist FAQ and tour on the customer
request page.
Tip Message On Top - Customizes the text that is displayed above the Virtual Assist link.
Tip Message On Bottom - Customizes the text that is displayed below the Virtual Assist
link.
Tour Help Text - Customizes the text that is displayed above the link for the Virtual Assist
tour.
Customer Help Text - Customizes the text that is displayed after the customer clicks the
Virtual Assist link.
Restriction Settings
To configure Virtual Assist restriction settings, perform the following tasks:
Step 1 On the Virtual Assist > Settings page, click the Restriction Settings tab at the bottom of the
page.
Step 2 To deny Virtual Assist requests from specific IP addresses or networks, select Deny from the
Request From Defined Addresses pulldown menu.
Step 3 To allow Virtual Assist requests only from specific IP addresses or networks, select Allow from
the Request From Defined Addresses pulldown menu.
Step 4 To add an IP address or network to the Deny or Allow list, click the Add ... button. The Admin
Addresses window displays. See Adding an Address to Restriction Settings on page 184.
Step 5 To delete a configured restriction setting, select the desired address in the Addresses field and
click Delete. The address will be removed from the field.
Adding an Address to Restriction Settings
To add an IP address or network to the Deny or Allow list for Virtual Assist restriction settings,
perform the following tasks:
Step 1 On the Virtual Assist > Settings page, click the Restriction Settings tab at the bottom of the
page.
Step 2 Click the Add ... button. The Admin Addresses window displays.
Step 3 In the Source Address Type pulldown menu, select which of the following you want to specify:
IP Address
IP Network
IPv6 Address
IPv6 Network
Step 4 Enter the information to define the address or network and click Add.
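The Request Settings limits described above (Maximum Request, Maximum requests From One IP, Pending Request Expired) and the Allow/Deny address list from the Restriction Settings can be modelled together. The following is an added example written for this guide, not SonicWALL code: the class names, the rule that the per-IP limit counts a source's pending tickets, and the sample addresses are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_address_entry(text: str):
    """Accept the four Source Address Types of the Admin Addresses window
    (IP Address, IP Network, IPv6 Address, IPv6 Network). A bare address
    becomes a /32 or /128 network so every entry is compared the same way."""
    return ipaddress.ip_network(text, strict=False)


@dataclass
class RestrictionSettings:
    """Request From Defined Addresses: 'Allow' or 'Deny', plus the address list."""
    mode: str
    addresses: List = field(default_factory=list)

    def permits(self, source: str) -> bool:
        src = ipaddress.ip_address(source)
        listed = any(src.version == net.version and src in net
                     for net in self.addresses)
        # Deny refuses listed sources; Allow accepts only listed sources.
        return (not listed) if self.mode == "Deny" else listed


@dataclass
class RequestSettings:
    """Request Settings tab; 0 keeps the guide's 'no limit' default."""
    maximum_request: int = 0       # Maximum Request (queue size)
    maximum_per_ip: int = 0        # Maximum requests From One IP
    pending_expired_min: int = 0   # Pending Request Expired (minutes)
    limit_message: str = "The support queue is full."   # Limit Message (<= 256 chars)


@dataclass
class Ticket:
    customer: str
    source: str
    created_min: int   # constructed clock: minutes since the queue started


class VirtualAssistQueue:
    """Customer queue as seen on the Virtual Assist > Status page."""

    def __init__(self, request: RequestSettings, restriction: RestrictionSettings):
        self.request = request
        self.restriction = restriction
        self.pending: List[Ticket] = []

    def expire(self, now_min: int) -> List[Ticket]:
        """Remove customers not assisted within Pending Request Expired minutes."""
        limit = self.request.pending_expired_min
        if limit == 0:
            return []
        expired = [t for t in self.pending if now_min - t.created_min >= limit]
        self.pending = [t for t in self.pending if now_min - t.created_min < limit]
        return expired

    def submit(self, customer: str, source: str, now_min: int) -> Tuple[bool, str]:
        """Checks run in this order (an assumption): source restriction, then the
        per-IP limit, then the global queue limit. Customers sharing one public
        address (the guide's DHCP caveat) also share the per-IP count."""
        self.expire(now_min)
        if not self.restriction.permits(source):
            return False, "denied by Restriction Settings"
        per_ip = sum(1 for t in self.pending if t.source == source)
        if self.request.maximum_per_ip and per_ip >= self.request.maximum_per_ip:
            return False, "too many requests from this IP"
        if self.request.maximum_request and len(self.pending) >= self.request.maximum_request:
            return False, self.request.limit_message
        self.pending.append(Ticket(customer, source, now_min))
        return True, "queued"


def demo() -> dict:
    """Constructed scenario: Deny list with one IPv4 network and one IPv6 host,
    a two-customer queue, one request per IP, 15-minute pending expiry."""
    restriction = RestrictionSettings("Deny", [parse_address_entry("203.0.113.0/24"),
                                               parse_address_entry("2001:db8::10")])
    q = VirtualAssistQueue(RequestSettings(maximum_request=2, maximum_per_ip=1,
                                           pending_expired_min=15), restriction)
    return {
        "denied_net": q.submit("alice", "203.0.113.7", 0),
        "denied_v6": q.submit("bob", "2001:db8::10", 0),
        "ok1": q.submit("carol", "198.51.100.5", 0),
        "dup_ip": q.submit("dan", "198.51.100.5", 1),
        "ok2": q.submit("erin", "2001:db8:1::5", 2),
        "full": q.submit("frank", "192.0.2.9", 3),
        "after_expiry": q.submit("frank", "192.0.2.9", 20),  # carol and erin expired
    }
```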
Virtual Assist > Log
The Virtual Assist > Log page provides access to detailed information about previous Virtual
Assist sessions. The Log page displays a summary of recent sessions.
The Technician's activities while servicing the customer are now fully logged, including the
Technician ID, the time of service, information about the customer's and Technician's
computers, the chat dialog, the customer request login, whether the customer exited prior to
servicing, and Technician input after the end of the session.
Click on the Ticket Number to view details about a session, or ticket. The Virtual Assist > Log
> <ticket number> page is displayed. Click Save Log to save the information on the page. To
return to the Virtual Assist > Log summary page, click Back.
Click Export Log to save a zip file containing the full text of all logged sessions. The log
contains a summary file and a detail file for each session. The files can be viewed in Microsoft
Word.
Click Clear Log to erase all log messages.
Click Email Log to send the log to the email address configured on the Log > Settings page.
The Search options allow you to filter the log messages. Note that the search is case sensitive.
In the pulldown menu, select the field you want to search in. Click Search to only display
messages that match the search string. Click Exclude to hide messages that match the search
string. Click Reset to display all messages.
Change the value in the Items per page field to display more or fewer log messages. Click the
forward or backward arrows to scroll through the pages of the log messages.
Click any of the headings to sort the log messages alphabetically by heading.
Virtual Assist > Licensing
This section provides an overview of the Virtual Assist > Licensing page and a description of
the configuration tasks available on this page.
Virtual Assist > Licensing Overview section on page 186
Enabling Virtual Assist section on page 186
Virtual Assist > Licensing Overview
Virtual Assist is a licensed service. The Virtual Assist > Licensing page allows the
administrator to view the license status for Virtual Assist. You can purchase licenses for one
Technician, two Technicians, or more. At the bottom of the Virtual Assist > Licensing page,
you can see the number of Technicians that are licensed, or if the feature is not licensed.
The page directs the administrator to activate or upgrade the license for this feature on the
System > Licenses page.
The same content from the Virtual Assist > Licensing page is also displayed when you
navigate to Virtual Assist > Status on a SonicWALL SSL-VPN appliance that does not have a
valid Virtual Assist license.
Enabling Virtual Assist
To configure Virtual Assist, perform the following tasks:
Step 1 To purchase and activate a Virtual Assist license, navigate to System > Licensing and click on
the link to Activate, Upgrade, or Renew services.
For more information, see the System > Licenses section on page 64.
Step 2 By default, Virtual Assist is disabled on all portals that were created before the Virtual Assist
license is purchased. Virtual Assist is enabled by default on portals that are created after Virtual
Assist is licensed. To enable Virtual Assist on a portal, go to the Portals > Portals page and
click the Configure icon for the desired portal. To create a new portal, go to the Portals >
Portals page and click the Add Portal button. See the Portals > Portals section on page 106.
Step 3 In the Edit Portal window that displays, click the Virtual Assist tab.
Step 4 Click on the Enable Virtual Assist for this Portal checkbox and click OK. Virtual Assist is now
enabled and ready to use. SSL VPN users will now see the Virtual Assist icon on the Virtual
Office page.
Step 5 Uncheck the Display Technician Button checkbox to hide the technician button on the Virtual
Office window and require technicians to log in directly through the client.
Step 6 Check the Display Request Help Button checkbox to display the help button on the Virtual
Office for users to launch Virtual Assist.
Step 7 Check the Enable Virtual Access Mode checkbox to allow Virtual Access connections to be
made to this portal. This must be enabled for Virtual Assist to function on this portal.
Step 8 Check the Display Virtual Access Setup Link checkbox to display the Virtual Access Setup
link on the Virtual Office.
Step 9 Optionally, you can customize all of the Virtual Assist settings for this individual portal using the
tabs on this window.
Virtual Assist is now enabled and ready to use. SSL VPN users will now see the Virtual Assist
icon on the Virtual Office page.
Chapter 8: High Availability Configuration
This chapter provides information and configuration tasks specific to the High Availability
page on the SonicWALL SSL VPN management interface.
High Availability allows two identical SonicWALL SRA 4200 appliances to provide a reliable,
continuous connection to the public Internet. The two SonicWALL SRA 4200 appliances are
deployed at the same time and connected together, and are called a High Availability Pair
(HA Pair).
This chapter contains the following sections:
High Availability Overview section on page 190
Configuring High Availability section on page 191
Technical FAQ section on page 193
High Availability Overview
High Availability requires one SonicWALL SRA 4200 appliance configured as the primary
device, and an identical SRA 4200 configured as the backup device.
During normal operation, the primary device is in an active state, and services all connections.
The backup device is in an idle state. When the primary device loses connectivity, the backup
transitions to the active state and begins to service outside connections. The necessary data is
synchronized between primary and backup devices, including settings data and session data.
The failover applies to loss of functionality or network-layer connectivity on the primary
appliance. The failover to the backup unit occurs when critical services are affected, physical
(or logical) link failure is detected, or when the primary unit loses power.
Stateful High Availability Support
The HA pair provides stateful user authentication failover, as authentication credentials are
continuously synchronized in real time between the members of the HA pair. This allows
connections initiated by the active device to failover to the backup without requiring the user to
authenticate again.
The HA pair does not provide stateful application session failover for sessions such as
NetExtender or Virtual Assist. Disruption to users depends on the TCP/IP disconnect tolerance
of the applications that they are using at the time the failover occurs.
Supported Platforms
High Availability is supported in SonicWALL SSL VPN 5.0 or higher on the SonicWALL SRA
4200.
Configuring High Availability
High Availability (HA) requires one SRA 4200 configured as a primary device and an identical
SRA 4200 configured as a backup device, as illustrated in the network diagram below. The HA
connection between the two SRA 4200 appliances operates in an Active/Passive state. The
session information is synchronized between the HA pair to help avoid re-authentication of
users in the event of a failover to the backup device. No additional licensing is required.
Physical Connectivity
The X3 interface is the default port used for HA control traffic. The HA link should connect the
X3 ports of the SRA 4200 HA Pair.
During normal operation, the primary device is in an active state and services all connections,
while the backup device is in an idle state. When the primary device loses connectivity, the
backup transitions to the active state and begins to service outside connections.
The HA Pair provides stateful user authentication failover. Authentication credentials are
synchronized in real time between the devices in the HA Pair and can handle the failover of
connections initiated by the active device without requiring the user to re-authenticate.
Stateful application session failover is not guaranteed, such as for NetExtender or Virtual Assist
sessions. Disruption to users depends on the TCP/IP disconnect tolerance of the applications
that they are using at the time the failover occurs.
Configuring a High Availability Pair
SonicWALL SSL VPN 5.0 provides the High Availability > Settings page for configuring High
Availability.
To configure a High Availability Pair, perform the following steps:
Step 1 Configure both SonicWALL SRA 4200 appliances (in the interim) as separate devices with
independent IP addresses on your subnet.
Step 2 Upload the latest SRA 4200 firmware to both devices. High Availability will not work unless both
devices have the same firmware version installed.
Step 3 Connect the X3 interfaces of the two appliances together with a CAT 5E cable to ensure that
the connection is gigabit.
Note SonicWALL recommends that you back up and download the settings for both SRA devices
at this stage.
Step 4 In a browser, log in to the primary unit and navigate to the Network > Interfaces page. Confirm
that the X3 port is active by checking the Status, which should show 1000 Mbps Full Duplex.
Step 5 Navigate to the High Availability > Settings page and select the Enable High Availability
checkbox.
Step 6 Enter a number of milliseconds for the Heartbeat Interval. The heartbeat is used to test the
connectivity between the primary and backup devices. The heartbeat interval controls how
often the two units communicate. The minimum is 500 milliseconds (a half second), and the
maximum is 300,000 milliseconds (5 minutes).
Step 7 Enter a value for the Failover Trigger Level. This is the number of heartbeats that must be
missed before failover occurs. The minimum is 4, and the maximum is 99.
Step 8 In the Primary Serial Number field, type in the serial number of the primary device. The
maximum length is 12 characters.
Step 9 In the Backup Serial Number field, type in the serial number of the backup device. The
maximum length is 12 characters.
Step 10 Click Accept.
Step 11 In the browser, open a new tab and point it to the IP address of the backup unit. Log in to the
backup.
Step 12 Repeat Step 5 through Step 10.
When you click the Accept button, the backup device will become IDLE and you will no longer
be able to access it with its IP address. The primary device is now Active with the same settings
it had before the HA configuration.
The appliances in the HA Pair immediately begin to synchronize data from the primary to the
backup unit. When failover occurs and the primary is down, the backup unit will become Active
with the same settings as the primary.
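The Heartbeat Interval and Failover Trigger Level from Steps 6 and 7 determine how long a failed primary goes undetected. The following is an added example for this guide, not SonicWALL code: it validates the two settings against the ranges the guide states, computes the worst-case detection time, and models the backup's watchdog. That a received heartbeat resets the missed count (so only consecutive misses trigger failover) and the timeline format are assumptions.

```python
from typing import List, Optional, Tuple

# Ranges stated in the guide for the High Availability > Settings page.
HEARTBEAT_MIN_MS, HEARTBEAT_MAX_MS = 500, 300_000   # half a second to 5 minutes
TRIGGER_MIN, TRIGGER_MAX = 4, 99                     # missed heartbeats before failover


def validate_ha_settings(heartbeat_ms: int, trigger_level: int) -> None:
    """Reject values the management interface would not accept."""
    if not HEARTBEAT_MIN_MS <= heartbeat_ms <= HEARTBEAT_MAX_MS:
        raise ValueError("Heartbeat Interval must be %d..%d ms, got %d"
                         % (HEARTBEAT_MIN_MS, HEARTBEAT_MAX_MS, heartbeat_ms))
    if not TRIGGER_MIN <= trigger_level <= TRIGGER_MAX:
        raise ValueError("Failover Trigger Level must be %d..%d, got %d"
                         % (TRIGGER_MIN, TRIGGER_MAX, trigger_level))


def worst_case_failover_ms(heartbeat_ms: int, trigger_level: int) -> int:
    """Time from the last heartbeat the backup received until it goes Active:
    the primary must miss trigger_level heartbeats, one per interval."""
    validate_ha_settings(heartbeat_ms, trigger_level)
    return heartbeat_ms * trigger_level


class BackupMonitor:
    """Watchdog on the Idle (backup) unit. Note it cannot tell a dead primary
    from an unplugged X3 cable, which is why the FAQ warns that pulling the
    cable leaves both units with the same IP configuration."""

    def __init__(self, heartbeat_ms: int, trigger_level: int):
        validate_ha_settings(heartbeat_ms, trigger_level)
        self.heartbeat_ms = heartbeat_ms
        self.trigger_level = trigger_level
        self.missed = 0
        self.state = "IDLE"
        self.failover_at_ms: Optional[int] = None

    def tick(self, t_ms: int, heartbeat_received: bool) -> str:
        """Called once per heartbeat interval; returns the new state."""
        if self.state == "ACTIVE":          # failover is one-way in this model
            return self.state
        if heartbeat_received:
            self.missed = 0                  # assumption: one success resets the count
        else:
            self.missed += 1
            if self.missed >= self.trigger_level:
                self.state = "ACTIVE"
                self.failover_at_ms = t_ms
        return self.state


def run_timeline(heartbeat_ms: int, trigger_level: int,
                 received: List[bool]) -> Tuple[str, Optional[int]]:
    """received[i] says whether the heartbeat due at (i + 1) * interval arrived
    (constructed input). Returns the final state and the failover time."""
    mon = BackupMonitor(heartbeat_ms, trigger_level)
    for i, ok in enumerate(received):
        mon.tick((i + 1) * heartbeat_ms, ok)
    return mon.state, mon.failover_at_ms
```

A flapping link that never misses four heartbeats in a row leaves the backup IDLE, while four consecutive misses at a 1000 ms interval promote it 4 seconds after the last good heartbeat.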
Technical FAQ
1. Once HA is enabled, can the idle device be used separately?
No. Once HA is configured, only one device can be in use at any one time. During failover
the Idle device will become Active. Two devices in HA mode cannot be used as separate
SRAs.
2. What will happen if we remove the X3 interface cable from the devices?
If you remove the X3 (HA) cable then the IDLE device can be re-configured to work as a
standalone. However, this will cause an IP conflict, as both the primary and backup devices
have the same IP configuration.
3. Can the X3 interface settings be amended, once HA is enabled?
When HA is configured, the Edit button for the X3 interface is grayed out and disabled. So
the interface setting for X3 cannot be changed once the devices are in HA mode.
4. Can the X0, X1 and X2 interface settings be amended once HA mode is set up?
Yes, the X0, X1 and X2 interface settings can be amended on the primary device and these
new settings will be copied to the backup device.
5. Can the synchronization status between the devices be viewed in the management
interface?
Yes. These can be viewed on the Active SRA in the Log > View page. The log message
Finish synchronizing all data will appear.
6. Is there any provision to make sure that the backup device is working correctly?
Yes. There will be many messages on the Log > View page regarding Active and Idle device
transitions.
You can check the High Availability page for the device status; one should be ACTIVE and
the other will be IDLE, as indicated in the image below:
You can also check the Network > Interfaces page for the X3 interface status, which should
be HA Link-Connected.
7. Are firmware and settings synchronized to the Idle unit?
Only settings are synchronized between Active and Idle nodes. There is no provision to
synchronize firmware.
8. Does the HA configuration for SRA 4200 devices differ from the HA configuration of
SonicWALL firewall devices?
Yes. HA configuration on a firewall is very different. Along with other items, firewall HA is
also available in Active/Active state and can be assigned a virtual IP address. HA with SRA
4200 devices is currently available only in Active/Passive mode.
9. How are settings applied to the Idle device?
Settings from the Active device are copied over to the Idle device as soon as HA
configuration is complete. You can check the success of this in the active device logs.
10. What happens to the backup device settings?
The backup device settings are deleted and replaced with the primary device settings. If
you wish to keep any settings from the backup device, it is recommended that you
download a backup of the settings before switching to HA.
Chapter 9: Web Application Firewall Configuration
This chapter provides information and configuration tasks specific to the Web Application
Firewall pages on the SonicWALL SSL VPN Web-based management interface.
Web Application Firewall is subscription-based software that runs on the SonicWALL SSL-VPN
appliance and protects Web applications running on servers behind the SSL-VPN. Web
Application Firewall also provides real-time protection for resources such as HTTP(S)
bookmarks, Citrix bookmarks, offloaded Web applications, and the SSL-VPN management
interface and user portal that run on the SonicWALL SSL-VPN appliance itself.
For more information on Web Application Firewall concepts, see the Web Application Firewall
Overview section on page 42.
This chapter contains the following sections:
Licensing Web Application Firewall section on page 196
Configuring Web Application Firewall section on page 199
Verifying and Troubleshooting Web Application Firewall section on page 234
Licensing Web Application Firewall
SonicOS SSL VPN Web Application Firewall must be licensed before you can begin using it.
You can access the MySonicWALL Web site directly from the SSL-VPN management interface
to obtain a license.
The Web Application Firewall > Licensing page in the SonicOS SSL VPN management
interface provides a link to the System > Licenses page, where you can connect to
MySonicWALL and purchase the license or start a free trial. You can view all system licenses
on the System > Licenses page of the management interface.
To view license details and obtain a license on MySonicWALL for Web Application Firewall,
perform the following steps:
Step 1 Log in to your SonicWALL SSL-VPN appliance and navigate to Web Application Firewall >
Licensing.
Step 2 If Web Application Firewall is not licensed, click the System > Licenses link. The System >
Licenses page is displayed.
Step 3 Under Manage Security Services Online, click the Activate, Upgrade, or Renew services link.
The MySonicWALL Login page is displayed.
Step 4 Type your MySonicWALL credentials into the fields, and then click Submit. The Product Survey
page is displayed.
Step 5 Fill out the survey and then click Submit. The System > Licenses page is displayed.
Step 6 Click Try to start a 30 day free trial, or click Activate to subscribe to the service for 1 year. The
screen below is displayed after selecting the free trial.
Step 7 Click Synchronize to view the license on the System > Licenses page.
Web Application Firewall is now licensed on your SonicWALL SRA or SSL-VPN appliance.
Navigate to Web Application Firewall > Settings to enable it, and then restart your appliance to
completely activate Web Application Firewall.
Configuring Web Application Firewall
Note Web Application Firewall requires the purchase of an additional license.
To configure the Web Application Firewall feature, see the following sections:
Viewing and Updating Web Application Firewall Status on page 199
Configuring Web Application Firewall Settings on page 200
Configuring Web Application Firewall Signature Actions on page 205
Determining the Host Entry for Exclusions on page 209
Configuring Web Application Firewall Custom Rules on page 212
Using Web Application Firewall Monitoring on page 226
Using Web Application Firewall Logs on page 231
Viewing and Updating Web Application Firewall Status
The Web Application Firewall > Status page provides status information about the Web
Application Firewall service and signature database, and displays the license status and
expiration date. The Synchronize button allows you to download the latest signatures from the
SonicWALL online database.
Signature and License Status
To view the status of the signature database and Web Application Firewall service license, and
synchronize the signature database, perform the following steps in the appliance management
interface:
Step 1 Navigate to Web Application Firewall > Status. The WAF Status section displays the following
information:
Status of updates to the signature database
Timestamp of the signature database
Time that the system last checked for available updates to the signature database
Expiration date of the Web Application Firewall subscription service
Status of the Web Application Firewall license
Step 2 If updates are available for the signature database, the Apply button is displayed. Click Apply
to download the updates.
You can update and apply new signatures automatically on the Web Application Firewall >
Settings page. If this automatic update option is enabled, the Apply button disappears from the
Web Application Firewall > Status screen as soon as the new signatures are automatically
applied.
Step 3 To synchronize the signature database with the SonicWALL online database server, click
Synchronize. The timestamp is updated.
Configuring Web Application Firewall Settings
The Web Application Firewall > Settings page allows you to enable and disable Web Application
Firewall on your SonicWALL SRA or SSL-VPN appliance globally and by attack priority. You can
individually specify detection or prevention for three attack classes: high, medium, and low
priority attacks. This page also provides configuration options for globally excluding certain
hosts from inspection by Web Application Firewall.
The following sections describe the procedures for enabling and configuring Web Application
Firewall globally and by attack priority:
Enabling Web Application Firewall and Configuring Settings on page 202
Configuring Global Exclusions on page 204
Enabling Web Application Firewall and Configuring Settings
To enable and activate Web Application Firewall, you must select the checkbox to globally
enable it and select at least one of the checkboxes in the Signature Groups table. The settings
on this page allow you to globally manage your network protection against attacks by selecting
the level of protection for high, medium, or low priority attacks. You can also clear the global
Enable Web Application Firewall checkbox to temporarily disable Web Application Firewall
without losing any of your custom configuration settings.
You can enable automatic signature updates on this page, so that new signatures are
automatically downloaded and applied when available. A log entry is generated for each
automatic signature update. If a signature is deleted during automatic updating, its associated
Exclusion List is also removed. A log entry is generated to record the removal. You can view
the log entries on the Web Application Firewall > Log page.
Cross-Site Request Forgery protection settings are also available on this page. When a CSRF
attack is detected, log entries are created in both the WAF > Logs and Logs > View pages. For
more information about CSRF/XSRF attacks, see How is Cross-Site Request Forgery
Prevented? on page 47.
To configure global settings for Web Application Firewall, perform the following steps:
Step 1 Log in to your SonicWALL SSL-VPN appliance and navigate to Web Application Firewall >
Settings.
Step 2 Select the Enable Web Application Firewall checkbox.
Step 3 A warning dialog box is displayed if none of the signature groups have Prevent All already
selected. Click OK in the dialog box to set all signature groups to Prevent All, or click Cancel
to leave the settings as they are or to manually continue the configuration.
Step 4 Select the Apply Signature Updates Automatically checkbox to enable new signatures to be
automatically downloaded and applied when available. You do not have to click the Apply
button on the Web Application Firewall > Status page to apply the new signatures.
Step 5 Select the desired level of protection for High Priority Attacks in the Signature Groups table.
Select one of the following options:
Select the Prevent All checkbox to block access to a resource when an attack is detected.
Selecting Prevent All automatically selects Detect All, turning on logging.
Clear the Prevent All checkbox and select the Detect All checkbox to log attacks while
allowing access to the resource.
To globally disable all logging and prevention for this attack priority level, clear both
checkboxes.
Step 6 Select the desired level of protection for Medium Priority Attacks in the Signature Groups
table.
Step 7 Select the desired level of protection for Low Priority Attacks in the Signature Groups table.
Step 8 To configure exclusions, refer to the procedures described in the following sections:
Configuring Global Exclusions on page 204
Configuring Signature Based Custom Handling and Exclusions on page 207
Step 9 Select the desired level of protection against CSRF attacks from the Cross-Site Request
Forgery Protection drop-down list. You can select Detect Only to log these attacks, or Prevent
to log and block them. Select Disabled to disable CSRF protection.
Step 10 Under WAF Intrusion Prevention Settings, use the WAF Intrusion Prevention Response
drop-down list to select the type of error page to be displayed when blocking an intrusion
attempt.
To create a custom page, modify the sample HTML in the text box.
To view the resulting page, click the Preview button.
To reset the current customized error page to the default SonicWALL error page, click the
Default Blocked Page button and then click OK in the confirmation dialog box.
Step 11 Under WAF Session Management, select the Launch Logout Dialog Window after Login
checkbox to display the session logout popup dialog box when the user portal is launched or
when a user logs into an application offloaded portal. This feature is enabled by default when
Web Application Firewall is licensed.
Step 12 In the Global Inactivity Timeout field, type the number of inactive minutes allowed before the
user is logged out.
Note To mitigate CSRF attacks, it is important to keep a low idle timeout value for user sessions,
such as 10 minutes.
Step 13 Under Web Site Cloaking, you can filter out headers in response messages that could provide
information to clients about the backend Web server, which could possibly be used to find a
vulnerability. In the Block Response Header fields, type the server host name into the first field
and type the header name into the second field, then click Add.
For example, if you set the host name to webmail.xyz.com and the header name to
X-OWA-version, headers with the name X-OWA-version from host webmail.xyz.com will be blocked.
In general, listed headers will not be sent to the client if an HTTP/HTTPS bookmark or offloaded
application is used to access a listed Web server.
To block a certain header from all hosts, set the host name to an asterisk (*). You can add up
to 64 host/header pairs. In the HTTP protocol, response headers are not case-sensitive.
Note Blocking will not occur for headers such as Content-Type that are critical to the HTTP
protocol.
To remove a host/header pair from the list to be blocked, select the pair in the text box and then
click the Remove button.
Step 14 Under Information Disclosure Protection, type confidential text strings that should not be
revealed on any Web site protected by Web Application Firewall into the text box. This text is
case insensitive, can include any number of spaces between the words, and cannot include
wildcard characters. Add new phrases on separate lines. Each line is pattern matched within
any HTML response.
Step 15 Click Accept. A dialog box indicates that the SSL-VPN appliance must be restarted to apply
the settings. Click OK to restart the services or click Cancel to leave the previous settings in
place.
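Steps 13 and 14 describe two response-side filters. The Python below is an added example, not SonicWALL code, that models their stated behaviour: host/header pairs with an asterisk wildcard, case-insensitive header names, Content-Type never blocked, and confidential phrases matched case-insensitively with any run of whitespace between words and no wildcards. The extra critical headers, the case-insensitive host comparison, and all sample headers, phrases and bodies are constructed assumptions.

```python
import re

# The guide says headers critical to HTTP, such as Content-Type, are never
# blocked. Content-Type comes from the guide; the other entries are an assumption.
CRITICAL_HEADERS = {"content-type", "content-length", "transfer-encoding", "connection"}
MAX_PAIRS = 64   # limit stated in Step 13


def cloak_headers(host, response_headers, blocked_pairs):
    """Return the response headers that may still be sent to the client.
    blocked_pairs is a list of (host, header name) as entered in the Block
    Response Header fields; a host of '*' applies to every backend host.
    Header names compare case-insensitively; host names too (assumption)."""
    if len(blocked_pairs) > MAX_PAIRS:
        raise ValueError("at most %d host/header pairs are supported" % MAX_PAIRS)
    blocked = {
        header.lower()
        for pair_host, header in blocked_pairs
        if pair_host == "*" or pair_host.lower() == host.lower()
    }
    return {
        name: value
        for name, value in response_headers.items()
        if name.lower() not in blocked or name.lower() in CRITICAL_HEADERS
    }


def compile_phrases(phrase_text):
    """Turn the Information Disclosure Protection text box into patterns:
    one per non-empty line, case-insensitive, any run of whitespace between
    words, and no wildcards (every character is taken literally)."""
    patterns = []
    for line in phrase_text.splitlines():
        words = line.split()
        if not words:
            continue
        regex = r"\s+".join(re.escape(word) for word in words)
        patterns.append((" ".join(words), re.compile(regex, re.IGNORECASE)))
    return patterns


def find_disclosures(html_body, patterns):
    """Return the configured phrases found anywhere in an HTML response body."""
    return [phrase for phrase, regex in patterns if regex.search(html_body)]


# Constructed sample data; the host and header name are Step 13's own example.
BLOCKED_PAIRS = [("webmail.xyz.com", "X-OWA-version"), ("*", "Server"), ("*", "Content-Type")]
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-OWA-Version": "15.0",
                  "Server": "Microsoft-IIS/7.5", "X-AspNet-Version": "4.0"}
SAMPLE_PHRASES = "Project Falcon\nInternal Use Only\n\nq4 *revenue*"
SAMPLE_BODY = "<p>PROJECT   falcon status report</p><p>Q4 revenue is up</p>"

if __name__ == "__main__":
    print(cloak_headers("webmail.xyz.com", SAMPLE_HEADERS, BLOCKED_PAIRS))
    # {'Content-Type': 'text/html', 'X-AspNet-Version': '4.0'}
    print(find_disclosures(SAMPLE_BODY, compile_phrases(SAMPLE_PHRASES)))
    # ['Project Falcon']  (the literal '*' in 'q4 *revenue*' does not match)
```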
Configuring Global Exclusions
There are two ways that you can exclude certain hosts from currently configured global Web
Application Firewall settings. You can completely disable Web Application Firewall for certain
hosts, or you can lower the action level from Prevent to Detect for certain hosts.
The affected hosts must match the host names used in your HTTP(S) bookmarks and Citrix
bookmarks, and the Virtual Host Domain Name configured for an offloaded Web application.
To configure global exclusions, perform the following steps:
Step 1 On the Web Application Firewall > Settings page, click the Global Exclusions button.
Step 2 In the Edit Global Exclusions page, select one of the following from the Actions drop-down list:
Disable: Disables Web Application Firewall inspection for the host
Detect: Lowers the action level from prevention to detection and logging only for the host
Step 3 In the Host field, type in the host entry as it appears in the bookmark or offloaded application.
This can be a host name or an IP address. To determine the correct host entry for this exclusion,
see Determining the Host Entry for Exclusions on page 209.
You can configure a path to a particular folder or file along with the host. The protocol, port, and
the request parameters are simply ignored in the URL. If a path is configured, then the
exclusion is recursively applied to all subfolders and files. For instance, if Host is set to
webmail.sonicwall.com/exchange, then all files and folders under exchange are also
excluded.
Step 4 Click Add to move the host name into the list box.
Step 5 Repeat Step 3 and Step 4 to add more hosts to this exclusion.
Step 6 Click Accept. SonicOS SSL VPN verifies that the host entry is valid and prompts you to restart
the SSL-VPN appliance.
Step 7 Click OK in the confirmation dialog box to restart the appliance and apply the updated settings.
Configuring Web Application Firewall Signature Actions
The Web Application Firewall > Signatures page allows you to configure custom handling or
exclusion of certain hosts on a per-signature basis. You can use signature-based exclusions to
apply exclusions for all hosts for each signature.
You can also revert back to using the global settings for the signature group to which this
signature belongs without losing the configuration details of existing exclusions.
On the Web Application Firewall > Settings page, global settings must be set to either Prevent
All or Detect All for the Signature Group to which the specific signature belongs. If neither is
set, that Signature Group is globally disabled and cannot be modified on a per-signature basis.
See Enabling Web Application Firewall and Configuring Settings on page 202.
See the following sections:
Enabling Performance Optimization on page 207
Configuring Signature Based Custom Handling and Exclusions on page 207
Reverting a Signature to Global Settings on page 209
Removing a Host from a Per-Signature Exclusion on page 209
Enabling Performance Optimization
The Performance Optimization option allows you to disable some relatively less severe
signatures that significantly affect the performance of certain Web applications. These
signatures are identified by the SonicWALL signature team and the list is pushed out to
SonicWALL SRA and SSL-VPN appliances. When you select the Enable Performance
Optimization checkbox, these signatures are disabled for Web Application Firewall.
The Web Application Firewall > Signatures page indicates the disabled signatures by displaying
them in gray, as shown in Figure 26.
Figure 26 Enabling Performance Optimization
Configuring Signature Based Custom Handling and Exclusions
You can disable inspection for a signature in traffic to an individual host, or for all hosts. You
can also change the handling of detected threats for an individual host or for all hosts. If the
signature group to which the signature belongs is set globally to Detect All, you can raise the
level of protection to Prevent for the configured hosts. If no hosts are configured, the action is
applied to the signature itself and acts as a global setting for all hosts. This change will block
access to a host when the attack signature is detected. Similarly, you can lower the level of
protection to Detect if the associated signature group is globally set to Prevent All.
Note For signature based customization to take effect, the signature group of the modified
signature must be globally enabled for either prevention or detection on the Web Application
Firewall > Settings page.
To configure one or more hosts with an exclusion from inspection for a signature, or to configure
custom handling when Web Application Firewall detects a specific signature for one or more
hosts, perform the following steps:
Step 1 On the Web Application Firewall > Signatures page, click the Configure button for the
signature that you wish to change. The Edit WAF Signature-based Exclusions screen
displays.
Step 2 In the Edit WAF Signature-based Exclusions screen, select one of the following actions from
the Action drop-down list:
DISABLE: Disable Web Application Firewall inspections for this signature in traffic from
hosts listed in this exclusion
DETECT: Detect and log threats matching this signature from hosts listed in this exclusion,
but do not block access to the host
PREVENT: Log and block host access for threats matching this signature from hosts listed
in this exclusion
Step 3 To apply this action globally to all hosts, leave the Host field blank. To apply this action to an
individual host, type the host entry as it appears in the bookmark or offloaded application into
the Host field. This can be a host name or an IP address. To determine the correct host entry
for this exclusion, see Determining the Host Entry for Exclusions on page 209.
You can configure a path to a particular folder or file along with the host. The protocol, port, and
the request parameters are simply ignored in the URL. If a path is configured, then the
exclusion is recursively applied to all subfolders and files. For instance, if Host is set to
webmail.sonicwall.com/exchange, then all files and folders under exchange are also
excluded.
Step 4 If you specified a host, click Add to move the host name into the list box.
Step 5 If you want to apply this action to additional individual hosts, repeat Step 3 and Step 4 to add
more hosts to this exclusion.
Step 6 Click Accept. If the Host list contains host entries, SonicOS SSL VPN verifies that each host
entry is valid. If no hosts were specified, a dialog box confirms that this is a global action to be
applied to the signature itself.
Step 7 Click OK in the confirmation dialog box.
Step 8 Click Accept on the Web Application Firewall > Signatures page to apply the updated settings.
New settings are applied to any new HTTP connections and requests. The existing HTTP
connections and requests will continue to use the old settings until they are terminated.
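Both the global exclusions procedure and the signature-based procedure above accept the same kind of Host entry: a host name or IP address, optionally followed by a path, with protocol, port and request parameters ignored and a path applying recursively. The Python below is an added example, not SonicWALL code, that models that matching and the Disable/Detect lowering of a global action; the host names, paths and the 'Off' value for a globally disabled group are constructed assumptions.

```python
from urllib.parse import urlsplit


def normalize_host_entry(entry):
    """Reduce an exclusion Host entry, or a request URL, to (host, path).
    The guide says the protocol, port and request parameters in the entry are
    ignored, so only the host and the path survive. No path yields ''."""
    if "://" not in entry:
        entry = "http://" + entry          # give urlsplit an authority to parse
    parts = urlsplit(entry)
    host = (parts.hostname or "").lower()  # .hostname drops any :port
    path = parts.path.rstrip("/")          # '/exchange/' and '/exchange' are the same folder
    return host, path


def exclusion_applies(entry, request_url):
    """True when the entry covers the request: same host, and either no path in
    the entry or the request path is the entry path or anything below it.
    '/exchange' covers '/exchange/inbox' but not '/exchangerate'."""
    ex_host, ex_path = normalize_host_entry(entry)
    req_host, req_path = normalize_host_entry(request_url)
    if ex_host != req_host:
        return False
    if ex_path == "":
        return True
    return req_path == ex_path or req_path.startswith(ex_path + "/")


def effective_action(global_action, exclusions, request_url):
    """Resolve the action for one request. global_action is 'Prevent', 'Detect'
    or 'Off' (neither checkbox set, an assumed label); exclusions is a list of
    (entry, action) with action 'Disable' or 'Detect' as on the Edit Global
    Exclusions page."""
    if global_action == "Off":
        return "Off"                        # group disabled: nothing to lower
    action = global_action
    for entry, ex_action in exclusions:
        if not exclusion_applies(entry, request_url):
            continue
        if ex_action == "Disable":
            return "Disable"                # inspection skipped entirely
        if ex_action == "Detect" and action == "Prevent":
            action = "Detect"               # lowered to logging only
    return action


# Constructed exclusion list; the first entry is the guide's own example.
EXCLUSIONS = [("webmail.sonicwall.com/exchange", "Detect"), ("10.0.0.5", "Disable")]

if __name__ == "__main__":
    for url in ("https://webmail.sonicwall.com:443/exchange/inbox/mail.aspx?id=1",
                "https://webmail.sonicwall.com/exchangerate",
                "http://10.0.0.5:8080/app/index.html"):
        print(url, "->", effective_action("Prevent", EXCLUSIONS, url))
    # Detect, Prevent, Disable
```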
Reverting a Signature to Global Settings
You can revert to using global signature group settings for a signature that was previously
configured with an exclusion, without losing the configuration. This allows you to leave the host
names in place in case you need to re-enable the exclusion.
To revert to using global signature group settings for a signature, perform the following steps:
Step 1 On the Web Application Firewall > Signatures page, click the Configure button for the
signature that you wish to change.
Step 2 In the Edit WAF Signature-based Exclusions screen, select INHERIT GLOBAL from the Action
drop-down list.
Step 3 The Host field may be blank if global settings were previously applied to this signature. To
revert to global signature settings for all hosts, leave the Host field blank. To apply this action
to one or more individual hosts, leave these host entries in the Host field and remove any host
entries that are not to be reverted.
Step 4 Click Accept. SonicOS SSL VPN verifies that each host entry is valid.
Step 5 Click OK in the confirmation dialog box.
Step 6 Click Accept on the Web Application Firewall > Signatures page to apply the updated settings.
New settings are applied to any new HTTP connections and requests. The existing HTTP
connections and requests will continue to use the old settings until they are terminated.
Removing a Host from a Per-Signature Exclusion
To remove a host from a configured exclusion for a signature, perform the following steps:
Step 1 On the Web Application Firewall > Signatures page, click the Configure button for the
signature that you wish to change.
Step 2 Select the host entry in the list box under the Host field, and then click Remove.
Step 3 Repeat Step 2 to remove other listed hosts, if desired.
Step 4 Click Accept. SonicOS SSL VPN verifies that each host entry is valid.
Step 5 Click OK in the confirmation dialog box.
Step 6 Click Accept on the Web Application Firewall > Signatures page to apply the updated settings.
New settings are applied to any new HTTP connections and requests. The existing HTTP
connections and requests will continue to use the old settings until they are terminated.
Determining the Host Entry for Exclusions
When configuring an exclusion, either globally or per-signature, you must provide the host
name or IP address. The affected hosts must match the host names used in your HTTP(S)
bookmarks and Citrix bookmarks, and the virtual host domain name configured for an offloaded
Web application.
For a description of how to determine the correct host name, see the following sections:
Viewing the Host Entry in a Bookmark on page 210
Viewing the Host Entry in an Offloaded Application on page 210
Viewing the Host Entry in a Bookmark
You can determine exactly what host name to enter in your exclusion by viewing the
configuration details of the bookmark.
To view the host entry in a bookmark, perform the following steps:
Step 1 Navigate to the Virtual Office page, and click Show Edit Controls above the list of bookmarks.
Step 2 Click the Edit button for the bookmark.
Step 3 In the Edit Bookmark screen, view the host entry in the Name or IP Address field.
Step 4 Click Cancel.
Viewing the Host Entry in an Offloaded Application
You can determine exactly what host name to enter in your exclusion by viewing the
configuration details of the offloaded application. In an offloaded application, you will use the
virtual host domain name.
To view the virtual host domain name in an offloaded application, perform the following steps:
Step 1 Navigate to the Portals > Portals page and click the Configure button next to the offloaded
application.
Step 2 In the Edit Portal screen, click the Virtual Host tab.
Step 3 View the host entry for your exclusion in the Virtual Host Domain Name field.
Step 4 Click Cancel.
Configuring Web Application Firewall Custom Rules
The Web Application Firewall > Rules page allows you to configure custom rules. These rules
have all the same properties as the signatures that SonicWALL pushes out to Web Application
Firewall-enabled appliances. Figure 27 shows the Rules page.
Figure 27 Web Application Firewall > Rules Page
To add a rule, you create a Rule Chain. A Rule Chain is a collection of rules with additional
attributes, such as the severity of the rule, name, description, and the action to take when the
rule collection matches some traffic.
For example, custom rules and rule chains can be used to distinguish between legitimate and
illegitimate traffic as defined by a Web application that is using a certain URI or running on a
certain portal. One rule in the chain is configured to match the URI or portal host name, while
another rule is created that matches an undesirable value for another element of the HTTP(S)
traffic. When the rule chain (both rules) matches some traffic, the configured action is
performed to block or log the bad traffic from that URI or portal. When the request is blocked,
the user sees a custom block page such as that in Figure 28.
Figure 28 Block Page
The Web Application Firewall > Monitoring page also shows the activity in the graphs. Figure 29
shows several detected and prevented threats during a 2 hour period. For more information
about the Monitoring page, see Using Web Application Firewall Monitoring on page 226.
Figure 29 Monitoring Page After Blocking
Rules are matched against both inbound and outbound HTTP(S) traffic. When all rules in a rule
chain find a match, the action defined in the rule chain is performed. You can configure the
action to block the traffic and log the match, or to simply log it. You can also set the action to
Disabled to remove the rule chain from active status and stop comparing traffic against those
rules.
The Custom Rules feature can be enabled or disabled using the Enable Custom Rules global
setting.
Note Rule chains are enforced in the order that the rule chains were added. This order can be
changed by deleting and re-creating rule chains.
Similarly, rules within rule chains are enforced in the order that the rules were added. This
order can be changed by deleting and re-creating rules.
Misconfigured Rule Chains
Misconfigured rule chains are not automatically detected at the time of configuration. When a
misconfiguration occurs, the administrator must log in and fix or delete the bad rules.
Note If any rules or rule chains are misconfigured, the appliance will not enforce any custom rules
or rule chains.
It is difficult to detect a false positive from a misconfigured rule chain unless a user runs into it
and reports it to the administrator. If the rule chain has been set to PREVENT, then the user will
see the Web Application Firewall block page (as configured on the Web Application Firewall >
Settings page). If not, there will be a log message indicating that the threat has been detected.
Consider a scenario in which the administrator inadvertently creates a custom rule chain that
blocks access to all portals of the SSL-VPN appliance. For example, the admin may have
wanted to enforce a rule for an Application Offloading portal. However, he or she forgot to add
another rule to narrow the criteria for the match to requests for that portal, host or URL. If the
first rule was too broad, then this will mean a denial of service for the appliance. Specifically,
the administrator creates a rule chain to deny using the GET HTTP method for a specific URL,
which expects a POST request.
For this, the administrator needs to create two rules:
1. The first rule is to match GET requests.
2. The second rule is to match a specific URL.
If the administrator forgets to create the second rule, then access to the SSL-VPN appliance
will be denied, because the Web management interface depends on the GET method.
To fix a misconfigured rule chain, perform the following tasks:
Step 1 Point your browser to https://<SSL-VPN IP>/cgi-bin/welcome.
If you try to reach the welcome page by simply using the URL https://<SSL-VPN IP>/, the usual
redirect to https://<SSL-VPN IP>/cgi-bin/welcome may not work. To repair misconfigured rules,
you need to explicitly go to https://<SSL-VPN IP>/cgi-bin/welcome, where <SSL-VPN IP> is the
host name or IP address of your SonicWALL SSL-VPN appliance.
Step 2 Log in as admin.
Step 3 Navigate to the Web Application Firewall > Rules page.
Step 4 Edit or delete the bad rules.
Step 5 Click Accept.
Configuring Rule Chains
You can add, edit, delete and clone rule chains. Example rule chains (with Rule Chain ID
greater than 15000) are available in the management interface for administrators to use as
reference. These cannot be edited or deleted. You can view the rules associated with the rule
chain by clicking its Edit Rule Chain icon under Configure.
For ease of configuration, you can clone example rule chains or regular rule chains. Cloning a
rule chain clones all rules associated with the chain. After cloning the rule chain, you can edit
it by clicking its Edit Rule Chain icon under Configure.
Deleting a Rule Chain
Note Deleting a rule chain also deletes all the associated rules.
To delete a rule chain:
Step 1 On the Two-Factor Authentication > Rules page, click the Delete Rule Chain icon under
Configure for the rule chain you want to delete.
Step 2 Click OK in the confirmation dialog box.
Step 3 Click Accept.
Cloning a Rule Chain
To clone a rule chain:
Step 1 On the Two-Factor Authentication > Rules page, click its Clone Rule Chain icon under
Configure.
Step 2 Click OK in the confirmation dialog box.
You can now edit the rule chain to customize it. See Adding or Editing a Rule Chain on
page 215.
Adding or Editing a Rule Chain
To add or edit a rule chain, perform the following steps:
Step 1 On the Two-Factor Authentication > Rules page, click the Add Rule Chain button to add a new
rule chain.
To edit an existing rule chain, click its Edit Rule Chain icon under Configure.
The New Rule Chain screen or the screen for the existing rule chain displays. Both screens
have the same configurable fields in the Rule Chain section.
Step 2 On the New Rule Chain page, type a descriptive name for the rule chain in the Name field.
Step 3 Select a threat level from the Severity drop-down list. You can select HIGH, MEDIUM, or LOW.
Step 4 Select Prevent, Detect Only, or Disabled from the Action drop-down list.
Prevent: Block traffic that matches the rule and log it.
Detect: Allow the traffic, but log it.
Disabled: The rule chain should not take effect.
The Disabled option allows you to temporarily deactivate a rule chain without deleting its
configuration.
Step 5 In the Description field, type a short description of what the rule chain will match or other
information.
Step 6 Select a category for this threat type from the Category drop-down list. This field is for
informational purposes, and does not change the way the rule chain is applied.
Step 7 Click Accept to save the rule chain. A Rule Chain ID is automatically generated.
Step 8 Next, add one or more rules to the rule chain. See Configuring Rules in a Rule Chain on
page 216 for detailed information.
Configuring Rules in a Rule Chain
You can add, edit, delete and clone rules. A rule is a condition that is checked against inbound
or outbound HTTP(S) traffic. Each rule chain can have one or more rules configured, and must
have at least one rule before it can be used. Figure 30 shows the Add Rule page.
Figure 30 Add Rule Page
Rules allow the administrator to employ both a positive security model and a negative security
model. In a positive security model, policies are written only to allow known traffic and block
everything else.
A rule has several components:
Variables: These are HTTP protocol entities that are scanned by Web Application Firewall
to help identify legitimate or illegitimate traffic. Multiple variables can be matched against
the configured value in the Value field. The + and - buttons allow you to add variables
from the Variables drop-down list or delete them from the list of selected variables. You can
combine multiple variables as required to match the specified value. If multiple variables
are configured, then the rule is matched if any one of the configured variables matches the
target value. See the About Variables section on page 217 for more information about
variables.
Operators: These are arithmetic and string operators. The Not checkbox is an inversion
operator used to match any value except the configured condition. See the About
Operators section on page 219 for more information about the operators.
Value: This entity can be a number, literal string, or a regular expression, which is
compared with the scanned target. It is compared with the value of the configured
variable(s) according to the specified operator.
To compare the variable(s) to more than one value, you can enter multiple values separated
by spaces into the Value field, and select the Matches Keyword operator. Delimiting by
spaces only works if the Matches Keyword operator is selected.
Advanced Operations: This field allows you to apply operations beyond those supported
by the Operators field, especially to enforce Anti-Evasive protection. See the About
Advanced Operations section on page 220 for more information about these operations.
The following sections provide detailed information about rules:
About the Tips/Help Sidebar on page 217
About Variables on page 217
About Operators on page 219
About Advanced Operations on page 220
Example Use Cases for Rules on page 222
Deleting a Rule on page 225
Cloning a Rule on page 225
Adding or Editing a Rule on page 225
About the Tips/Help Sidebar
You can select a variable in the Variables drop-down list to display more information about that
variable in the Tips/Help sidebar. The sidebar explains when each variable would be used and
where it is found in the HTTP protocol. An example use case is provided for each variable.
You can also select an entry in the Advanced Operations drop-down list to display more
information about it in the Tips/Help sidebar.
The sidebar also provides context-sensitive search. When you click on a variable and then
search for a particular keyword, the search results are only related to variables.
About Variables
Variables are HTTP protocol entities that are scanned by Web Application Firewall to help
identify legitimate or illegitimate traffic. Multiple variables can be matched against the
configured value in the Value field. The + and - buttons allow you to add variables from the
Variables drop-down list or delete them from the list of selected variables.
You can combine multiple variables as required to match the specified value. If multiple
variables are configured, then the rule is matched if any one of the configured variables
matches the target value.
A variable can represent a single value or a collection. If a variable represents a collection, such
as Parameter Values, then a specific variable within the collection can be configured by
entering its name in the selection textbox to the right of the colon (:). For example, the value
for the URI or Host variable is unique in each HTTP(S) request. For such variables, the
selection textbox is not displayed. Other variables, such as Request Header Values and
Response Header Names, represent a collection.
If you need to test the collection itself against an input, then you would leave the selection
textbox empty. However, if you need to retrieve the value of a specific item in the collection, you
would specify that item in the selection textbox. For example, if you need to test if the parameter
password exists in the HTTP(S) request, then you would configure the variable Parameter
Names and leave the selection textbox empty. You would set the Operator to String equals
and the Value to password. But, if you want to check whether the value of the password
parameter matches a particular string, such as foo, then you would select the Parameter
Values variable and specify password in the selection text box. In the Value field, you would
enter foo.
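The rule semantics described above (any one of a rule's variables may match, every rule in a chain must match, Not inverts, a collection variable is tested whole or by the item named after the colon) and the denial-of-service scenario in the Misconfigured Rule Chains section, modelled in Python. This is an added example, not SonicWALL code; the Request model, the containment reading of Matches Keyword, the operator name 'Regex matches', and all hosts and paths are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed model of the HTTP entities the guide's variables refer to."""
    method: str
    host: str
    uri: str                                      # path plus query arguments
    remote_addr: str = "192.0.2.10"
    params: dict = field(default_factory=dict)    # query arguments and form fields
    headers: dict = field(default_factory=dict)   # request headers


def variable_values(req, name, selection=""):
    """Values a variable yields for a request. A single-value variable yields one
    item; a collection yields every item when the selection is empty, or only
    the item named in the selection textbox (the part after the colon)."""
    singles = {"Host": req.host, "URI": req.uri, "HTTP Method": req.method,
               "Remote Address": req.remote_addr}
    if name in singles:
        return [singles[name]]
    headers = {k.lower(): v for k, v in req.headers.items()}   # header names are case-insensitive
    collections = {
        "Parameter Names": (list(req.params), {}),
        "Parameter Values": (list(req.params.values()), req.params),
        "Request Header Names": (list(req.headers), {}),
        "Request Header Values": (list(headers.values()), headers),
    }
    if name not in collections:
        raise ValueError("unknown variable %r" % name)
    items, by_key = collections[name]
    if not selection:
        return items
    key = selection.lower() if by_key is headers else selection
    return [by_key[key]] if key in by_key else []


def apply_operator(op, target, value):
    """'String equals' and 'Matches Keyword' are the guide's names. Matches Keyword
    is modelled as any space-delimited keyword occurring in the target (assumption);
    'Regex matches' is an assumed name for the regular-expression comparison."""
    if op == "String equals":
        return target == value
    if op == "Matches Keyword":
        return any(keyword in target for keyword in value.split())
    if op == "Regex matches":
        return re.search(value, target) is not None
    raise ValueError("unknown operator %r" % op)


@dataclass
class Rule:
    variables: list        # [(variable name, selection)], e.g. [("Parameter Values", "password")]
    operator: str
    value: str
    negate: bool = False   # the Not checkbox inverts the result

    def matches(self, req):
        # With several variables the rule matches if any one of them matches.
        hit = any(apply_operator(self.operator, target, self.value)
                  for name, selection in self.variables
                  for target in variable_values(req, name, selection))
        return hit != self.negate


@dataclass
class RuleChain:
    name: str
    action: str            # "Prevent", "Detect" or "Disabled"
    rules: list

    def matches(self, req):
        # A chain needs at least one rule, and every rule must match.
        return bool(self.rules) and all(rule.matches(req) for rule in self.rules)


def evaluate(chains, req):
    """Chains are enforced in the order added. Returns (blocked, hits) where hits
    lists (chain name, action) for every enabled chain whose rules all matched."""
    hits = [(chain.name, chain.action) for chain in chains
            if chain.action != "Disabled" and chain.matches(req)]
    return any(action == "Prevent" for _, action in hits), hits


# The guide's scenario: deny GET on a URL that expects POST. With only the first
# rule, GET requests to the management interface are denied as well.
UPLOAD_URI = "/app/upload.cgi"          # assumed example path
MISCONFIGURED = RuleChain("deny GET (first rule only)", "Prevent",
                          [Rule([("HTTP Method", "")], "String equals", "GET")])
CORRECTED = RuleChain("deny GET on upload", "Prevent",
                      [Rule([("HTTP Method", "")], "String equals", "GET"),
                       Rule([("URI", "")], "String equals", UPLOAD_URI)])
MGMT_LOGIN = Request("GET", "sslvpn.example.com", "/cgi-bin/welcome")
UPLOAD_GET = Request("GET", "app.example.com", UPLOAD_URI)
UPLOAD_POST = Request("POST", "app.example.com", UPLOAD_URI, params={"password": "foo"})

if __name__ == "__main__":
    print(evaluate([MISCONFIGURED], MGMT_LOGIN))  # (True, [('deny GET (first rule only)', 'Prevent')])
    print(evaluate([CORRECTED], MGMT_LOGIN))      # (False, [])
    print(evaluate([CORRECTED], UPLOAD_GET))      # (True, [('deny GET on upload', 'Prevent')])
```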
Table 12 describes the available variables.
Table 12 Variables for Use in Rules
Variable Name | Collection | Description
Host | No | Refers to the host name or the IP address in the Host header of an HTTP request. This typically refers to the host part of the URL in the address bar of your browser.
URI | No | Refers to the combination of path and the query arguments in a URL.
HTTP Method | No | Refers to the method, such as GET and POST, used by the browser to request a resource on the Web server.
HTTP Status Code | No | Refers to the response status from the Web server. You can use this to configure actions for various error codes from the Web server.
Parameter Values | Yes | Refers to the collection of all request parameter values, including the values of all query arguments and form parameters that are part of the current request. To match against some aspect of the entire list of parameter values, such as the number of parameter values, leave the selection field empty. To match against the value of a particular parameter, specify the name of the parameter in the selection field to the right of the colon.
Parameter Names | Yes | Refers to the collection of all request parameter names, including the names of all query arguments and form parameters that are part of the current request. To match against some aspect of the entire list of parameter names, leave the selection field empty. To match against the name of a particular parameter, specify the parameter name in the selection field to the right of the colon.
Remote Address | No | Refers to the client's IP address. This variable allows you to allow or block access from certain IP addresses.
Request Header Values | Yes | Refers to the collection of all HTTP(S) request header values for the current request. To match against some aspect of the entire list of request header values, leave the selection field empty. To match against a particular header value, specify the name of the header in the selection field to the right of the colon. For example, to block Ajax requests, select Request Header Values as the Variable, specify X-Request-With in the selection textbox, and specify ajax in the Value field.
Configuring Web Application Firewall
219
SonicWALL SSL VPN 5.0 Administrators Guide
About Operators
There are a number of arithmetic and string operators. The Not checkbox is an inversion
operator, which results in a match for any value except the configured condition.
These operators can be used in conjunction with Advanced Operations. For example, you
might use the Equals String operator with Convert to Lowercase or Normalize URI Path in
Advanced Operations.
Request Header
Names
Yes Refers to the collection of all HTTP(S) request header
names for the current request.
To match against some aspect of the entire list of request
header names, leave the selection field empty.
To match against a particular header name, specify the
name of the header in the selection field to the right of the
colon.
For example, to block requests that are not referred by a
trusted host, select Request Header Names as the
Variable, specify Referer in the selection textbox, enter the
host names or IP addresses of the trusted hosts in the Value
field, select the Not checkbox and select the Matches
Keyword operator.
Response
Header Values
Yes Refers to the collection of all HTTP(S) response header
values for the current request.
To match against some aspect of the entire list of response
header values, leave the selection field empty.
To match against a particular header value, specify the
name of the header in the selection field to the right of the
colon.
Response
Header Names
Yes Refers to the collection of all HTTP(S) response header
names for the current request.
To match against some aspect of the entire list of response
header names, leave the selection field empty.
To match against a particular header name, specify the
name of the header in the selection field to the right of the
colon.
Response
Content Length
No Refers to the size of the response payload.
Response
Payload
No Refers to the Web page content that is displayed to the user.
Portal Hostname No Refers to the virtual host name of the SonicWALL SSL VPN
portal which accepts the request from the client.
To create a rule chain that applies to a particular virtual host,
one rule would match the host and another would specify
other criteria for the match.
Portal Address No Refers to the IP address or virtual IP address of the
SonicWALL SSL VPN portal which accepts the request from
the client.
Variable Name Collection Description
Configuring Web Application Firewall
220
SonicWALL SSL VPN 5.0 Administrators Guide
Table 13 describes the available operators for use with rules.
Table 13 Rule Operators
Operator | Type | Description
Contains | String | One or more of the scanned variables contains the content of the Value field.
Equals String | String | The scanned variable(s) match the alphanumeric string in the Value field exactly.
= | Arithmetic | The scanned variable is equal to the content of the Value field.
> | Arithmetic | The scanned variable is greater than the content of the Value field.
>= | Arithmetic | The scanned variable is greater than or equal to the content of the Value field.
< | Arithmetic | The scanned variable is less than the content of the Value field.
<= | Arithmetic | The scanned variable is less than or equal to the content of the Value field.
Matches Keyword | String | One or more of the scanned variables matches one of the keywords in the Value field. If multiple keywords are specified, they should be separated by spaces.
Matches Regex | String | One or more of the scanned variables matches the regular expression in the Value field. An example of a regular expression that matches any four decimal digits is \d{4}.
About Advanced Operations
Advanced operations are applied to input identified by the selected variables before the input is matched against the specified value. For instance, the String Length operation is used to compute the length of the matched input and use it for comparison. Some of the advanced operations are used to thwart attempts by hackers to encode inputs to bypass Web Application Firewall rules. You can click on an advanced operation in the list to read more information on it in the Tips/Help sidebar.
The advanced operations can be used in conjunction with regular operators. There are ten operations to choose from in the Advanced Operations field, including the None operation, which leaves the input alone.
Multiple advanced operations can be selected together and individually enforced. You can select multiple operations by holding the Ctrl key while clicking an additional operation. When the None operation is selected along with other operations in your rule, the input is compared as is and also compared after decoding it or converting it with another operation. Table 14 describes the advanced operations available for use with rules.
Table 14 Advanced Operations for Rules
Operation | Description
None | Use the None operation when you want to compare the scanned input to the configured variable(s) and value(s) without changing the input.
String Length | Use the String Length operation when the selected variable is a string and you want to compute the length of the string before applying the selected operator.
Convert to Lowercase | Use the Convert to Lowercase operation when you want to make case-insensitive comparisons by converting the input to all lowercase before the comparison. When you use this operation, make sure that strings entered in the Value field are all in lowercase. This is an anti-evasive operation to prevent hackers from changing case to bypass the rule.
Normalise URI Path | Use the Normalise URI Path operation to remove invalid references, such as back-references (except at the beginning of the URI), consecutive slashes, and self-references in the URI. For example, the URI www.eshop.com/././//login.aspx is converted to www.eshop.com/login.aspx. This is an anti-evasive operation to prevent hackers from adding invalid references in the URI to bypass the rule.
Remove Spaces | Use the Remove Spaces operation to remove spaces within strings in the input before the comparison. Extra spaces can cause a rule to not match the input, but are interpreted by the backend Web application. This is an anti-evasive operation to prevent hackers from adding spaces within strings to bypass the rule.
Base64 Decode | Use the Base64 Decode operation to decode base64 encoded data before the comparison is made according to the rule. Some applications encode binary data in a manner convenient for inclusion in URLs and in form fields. Base64 encoding is done to this type of data to keep the data compact. The backend application decodes the data. This is an anti-evasive operation to prevent hackers from using base64 encoding of their input to bypass the rule.
Hexadecimal Decode | Use the Hexadecimal Decode operation to decode hexadecimal encoded data before the comparison is made according to the rule. This is an anti-evasive operation to prevent hackers from using hexadecimal encoding of their input to bypass the rule.
URL Decode, URL Decode (Unicode) | Use the URL Decode operation to decode URL encoded strings in the input. Use the URL Decode (Unicode) operation to handle %uXXXX encoding. URL encoding is used to safely transmit data over the Internet when URLs contain characters outside the ASCII character set. Note: Do not use these operations against an input that has been decoded already. This is an anti-evasive operation to prevent hackers from using URL encoding to bypass rules, knowing that the backend Web server can interpret their malicious input after decoding it. For example, the URI www.eshop.com/hack+URL%3B is converted to www.eshop.com/hack URL by this operator before the comparison is made.
Trim | Use the Trim operation to remove spaces before and after the input data before the comparison. Extra spaces can cause a rule to not match the input, but are interpreted by the backend Web application. This is an anti-evasive operation to prevent hackers from adding spaces before and after the input data to bypass the rule.
Example Use Cases for Rules
This section provides examples of positive and negative security models, as well as several examples showing the use of advanced operations to provide a deeper understanding of these anti-evasive techniques.
Example Positive Security Model: Blocking Bad Logins
To prevent login to an Application Offloaded Web site if the length of the password is less than 8 characters, you would create a rule chain containing the following two rules:
1. Select Host as the Variable and click + to add it, set the Operator to Equals String, and set Value to the Virtual Host name of the portal. This checks that the Host header of the login request matches the site you are trying to protect. In this case, the rule chain is only being applied to one site.
2. Select Parameter Value as the Variable and type password into the selection field, then click + to add the variable and selected item to the rule, set the Operator to < (less than), and set Value to 8. Select String Length in the Advanced Operations list to compute the length of the password form parameter.
The action for the rule chain would be set to Prevent. Figure 31 shows the rule chain for this
example.
Figure 31 Example Rule Chain Blocking Bad Logins
Example Positive Security Model: Blocking a Form Submission with Unwanted Parameters
This rule chain blocks a form submission if the form has a request parameter other than formId
or if the value of formId contains more than 4 digits. To accomplish this, you would need two
rule chains:
1. The first rule chain contains two rules:
   The first rule identifies the URL where the form is submitted.
   The second rule checks if Parameter Names does not match the name of the valid parameter, formId. It uses the Equals String operator with the Not inversion checkbox selected.
2. The second rule chain contains two rules:
   The first rule identifies the URL where the form is submitted.
   The second rule checks if the value contained by the Parameter Value: formId variable matches the regular expression ^\d{1,4}$ which matches anything that consists of 1 to 4 digits. The Not inversion checkbox is selected to change the rule to match anything that does not consist of 1 to 4 digits.
Example Negative Security Model: Blocking Malicious Input to a Form
To block malicious input to a form, you would create a rule chain containing the following two
rules:
1. The first rule identifies the URL for the form.
2. The second rule identifies the form parameter, shell_cmd and the bad input, traceroute.
Example Using URL Decode and None
If a hacker perceives that a Request URI is being scanned for CR and LF characters (carriage
return and line feed), the hacker may attempt to sneak those characters into the request by
performing URL encoding on the characters before adding them to the request. The URI will
then contain %0D and %0A characters, which could be used to launch an HTTP response
splitting attack. The URL Decode and/or URL Decode (Unicode) operations can be used to
thwart this type of attack by decoding the scanned input before comparing it against the
configured value(s) to check for a match.
Specifically, if a request is made to the URI http://www.host.com/foo%20bar/ and the URL
Decode operation is selected, the scanned URI becomes http://www.host.com/foo bar/ after
decoding, which can now be safely matched. To thwart a hacker who sends a non-encoded
request in addition to the encoded one, the administrator can select the None and the URL
Decode options in the rule.
Example Using Convert to Lowercase and URL Decode with Parameter Values
An administrator wants to check whether the content of the variable Parameter Values
matches the value foo bar in order to block such a request. Because the backend application
accepts case-insensitive inputs (foo bar and FOO BAR), the hacker can pass foo BAR in the
request and evade the rule. To prevent this evasion, the administrator specifies Convert to
Lowercase as an anti-evasive operation and configures the value as foo bar in all lower case.
This causes all request parameter values to be converted to lower case and compared against
the value for a case-insensitive check.
Similarly, the hacker could pass foo%20BAR, which is the URL encoded version typically used
by browsers. To prevent this evasion, the administrator specifies URL Decode as the anti-
evasive operation to apply to the request entity. The input foo%20BAR is URL decoded to foo
BAR. If the input is already foo BAR, then URL decoding is not applied.
Example Using String Length and URL Decode with Parameter Values:ID
Comparing against a decoded input allows the administrator to use the String Length
operation to check the length of the input against the matching variable. For example, if a Web
application ID parameter should not be more than four characters, the administrator could
select Parameter Values in the Variable field, enter ID in the selection field, click + to add the
variable and selected item to the rule, enter 4 in the Value field, select > in the Operator list,
and select both URL Decode and String Length in the Advanced Operations list.
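The rule semantics of Tables 12 to 14 and the use cases above, modelled as an added Python example; this is not SonicWALL code, and the request model, the host portal.example.com, the form URI /submit, the treatment of Matches Keyword as a substring test, and the AND-of-rules chain semantics are assumptions made for the example.

```python
import re
import urllib.parse
from dataclasses import dataclass, field
from functools import reduce

@dataclass
class Request:  # stand-in for the scanned HTTP request (constructed; field names are assumptions)
    host: str
    uri: str
    params: dict = field(default_factory=dict)   # query arguments and form parameters
    headers: dict = field(default_factory=dict)  # request headers; the response side is not modelled

def normalise_uri_path(uri: str) -> str:
    """Drop self-references, consecutive slashes and back-references (except leading ones)."""
    out: list = []
    for seg in uri.split("/"):
        if seg == "." or (seg == "" and out):      # self-reference or consecutive slash
            continue
        if seg == ".." and out and out[-1] not in ("", ".."):
            out.pop()                              # back-reference: drop the previous segment
            continue
        out.append(seg)
    return "/".join(out)

# Advanced operations (Table 14) as plain string transforms; the Base64/hex decoders are omitted.
OPERATIONS: dict = {
    "None": lambda s: s,
    "String Length": lambda s: str(len(s)),
    "Convert to Lowercase": str.lower,
    "Normalise URI Path": normalise_uri_path,
    "Remove Spaces": lambda s: s.replace(" ", ""),
    "URL Decode": urllib.parse.unquote_plus,
    "Trim": str.strip,
}

def compare(operator: str, scanned: str, value: str) -> bool:
    """Apply one operator from Table 13 to a single scanned string."""
    if operator == "Contains":
        return value in scanned
    if operator == "Equals String":
        return scanned == value
    if operator == "Matches Keyword":      # assumption: each space-separated keyword is a substring test
        return any(k in scanned for k in value.split())
    if operator == "Matches Regex":
        return re.search(value, scanned) is not None
    try:                                   # arithmetic operators need numeric input on both sides
        a, b = float(scanned), float(value)
    except ValueError:
        return False
    return {"=": a == b, ">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[operator]

@dataclass
class Rule:
    variable: str
    selection: str = ""              # text typed after the colon for collection variables
    operator: str = "Equals String"
    value: str = ""
    invert: bool = False             # the Not checkbox
    operations: list = field(default_factory=lambda: ["None"])

def scan(req: Request, rule: Rule) -> list:
    """Every string the rule's variable contributes; collection variables yield several."""
    if rule.variable in ("Host", "URI"):
        return [getattr(req, rule.variable.lower())]
    if not rule.variable.endswith(("Values", "Names")):
        raise ValueError(f"variable not modelled in this example: {rule.variable}")
    coll = req.params if rule.variable.startswith("Parameter") else req.headers
    sel = rule.selection
    if rule.variable.endswith("Values"):
        return list(coll.values()) if not sel else [coll[sel]] if sel in coll else []
    return list(coll) if not sel else [sel] if sel in coll else []

def rule_matches(req: Request, rule: Rule) -> bool:
    """Match if any scanned string, raw (when None is selected) or after the other selected
    operations applied in listed order, satisfies the operator; Not inverts the test per value."""
    ops = [OPERATIONS[o] for o in rule.operations if o != "None"]
    for raw in scan(req, rule):
        candidates = [raw] if "None" in rule.operations else []
        if ops:
            candidates.append(reduce(lambda s, op: op(s), ops, raw))
        if any(compare(rule.operator, c, rule.value) != rule.invert for c in candidates):
            return True
    return False

def chain_blocks(req: Request, chain: list) -> bool:
    """Assumption: a rule chain whose action is Prevent fires only when every rule matches."""
    return all(rule_matches(req, r) for r in chain)

# The worked examples from the text as rule chains (the host and form URI are constructed).
BAD_LOGIN = [Rule("Host", value="portal.example.com"),
             Rule("Parameter Values", "password", "<", "8", operations=["String Length"])]
UNWANTED_PARAM = [Rule("URI", value="/submit"), Rule("Parameter Names", value="formId", invert=True)]
FORMID_DIGITS = [Rule("URI", value="/submit"),
                 Rule("Parameter Values", "formId", "Matches Regex", r"^\d{1,4}$", invert=True)]
CRLF_IN_URI = [Rule("URI", operator="Contains", value="\r\n", operations=["None", "URL Decode"])]
LOWER_FOO_BAR = [Rule("Parameter Values", operator="Contains", value="foo bar",
                      operations=["URL Decode", "Convert to Lowercase"])]
ID_TOO_LONG = [Rule("Parameter Values", "ID", ">", "4", operations=["URL Decode", "String Length"])]
```

Pass constructed requests to chain_blocks to see which chains fire; ID_TOO_LONG also shows why URL Decode must run before String Length, since the raw escaped string %41%42 is six characters long but decodes to two.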
Deleting a Rule
To delete a rule from a rule chain:
Step 1 On the Two-Factor Authentication > Rules page, click the Edit Rule Chain icon under
Configure for the rule chain from which you want to delete a rule. The page for that rule chain
opens.
Step 2 Click the Delete icon under Configure for the rule you want to delete.
Step 3 Click OK in the confirmation dialog box.
Step 4 Click Accept.
Cloning a Rule
To clone a rule:
Step 1 On the Two-Factor Authentication > Rules page, click the Edit Rule Chain icon under
Configure for the rule chain which contains the rule you want to clone. The page for that rule
chain opens.
Step 2 Click the Clone icon under Configure for the rule you want to clone.
Step 3 Click OK in the confirmation dialog box.
You can now edit the rule to customize it. See Adding or Editing a Rule on page 225.
Adding or Editing a Rule
To add or edit a rule in a rule chain, perform the following steps:
Step 1 Click the Edit Rule Chain icon under Configure for the rule chain on which you want to add
or edit a rule. The page for that rule chain opens.
Step 2 Click the Add Rule button to add a new rule, or click the Edit icon under Configure for the rule
you want to edit.
Step 3 In the Add Rule page or the page for the edited rule, select a variable from the Variables drop-
down list. See About Variables on page 217 for information about the available variables.
Step 4 If the chosen variable is a collection of variables, a selection field is displayed to the right of the
Variables field, after the colon. If you wish to make a comparison against a particular member
of the collection, type the name of that item into the selection field.
To test the collection itself against an input, leave the selection field blank. For example, to test
whether a certain parameter exists in the request, you could select the Parameter Names
variable and then type the specific parameter name into the Value field (but not into the variable
selection field).
Step 5 Click the Plus button to add the variable to the rule. Repeat Step 2 through Step 5 to
add more variables.
To delete a variable, select it in the large text box and click the Minus button.
Step 6 Select a string or arithmetic operator from the Operators drop-down list. To perform the inverse
operation, select the Not checkbox.
Step 7 In the Value field, type in the value to be compared with the selected variable(s) in the scanned
HTTP(S) input. If you selected the Matches Keyword operator, you can compare the input
against multiple values by typing in each value separated by a space. Each value will be
compared individually.
Step 8 Select one or more operations from the Advanced Operations list. Hold the Ctrl button on your
keyboard while clicking to select multiple operations.
Step 9 Click the Accept button when finished.
Using Web Application Firewall Monitoring
The Web Application Firewall > Monitoring page provides global controls, Web server status
graphs, and graphs or a detailed list of detected and prevented threats.
Using the Global Controls
The global controls are displayed at the top of the page. They control the statistics that are
displayed on this page. You can use the global controls to turn streaming updates on or off,
refresh the data on the page, and clear the graphs. If streaming is turned on, Web Application
Firewall statistics information is fetched periodically, and displayed in the graphs and threat list.
If streaming is turned off, no new information can be displayed.
To use the global controls:
Step 1 To turn streaming on or off, click the ON or OFF indicator next to Streaming Updates.
Step 2 To refresh the display, click the Refresh button.
Step 3 To clear all Web Application Firewall statistics from the graphs and list, click the Clear Graphs
button.
Monitoring Web Server Status
Below the global controls, this page displays graphs for Web server status. One graph shows
the number of Web requests detected over time, and another graph shows the amount of traffic
in kilobytes (KB).
The Web servers tracked are those servers within the local network of the SonicWALL SRA or
SSL-VPN appliance that provide HTTP/HTTPS bookmarks, offloaded applications, and other
Web services. The Traffic graph indicates the amount of HTTP/HTTPS payload data that is
received from or sent to client browsers.
You can view Web server activity over different time periods by selecting one of the following
options from the Monitoring Period drop-down list:
Last 60 Seconds
Last 60 Minutes
Last 24 Hours
Last 30 Days
Figure 32 shows a 24 hour period and Figure 33 shows a 60 minute period of activity.
Figure 32 Web Server Status For Last 24 Hours
Figure 33 Web Server Status For Last 60 Minutes
Monitoring Detected and Prevented Threats
Below the Web server status graphs, the Web Application Firewall > Monitoring page displays
graphs indicating the number of detected and prevented threats. Two graphs are presented,
one showing the number of threats over time, and the other showing the top ten threats that
were detected and prevented during that time frame.
You can change the time frame displayed in both graphs by selecting one of the following
options from the Monitoring Period drop-down list:
Last 12 Hours
Last 14 Days
Last 21 Days
Last 6 Months
Figure 34 shows threats detected and prevented over the last 21 days.
Figure 34 Threats Over Last 21 Days
Viewing Threats in List Format
To see the threats in list format rather than as a graph, select All in Lists from the Monitoring
Period drop-down list. Figure 35 shows the list format.
The Severity column of the threat list is color coded for quick reference, as follows:
High severity threats: Red
Medium severity threats: Orange
Low severity threats: Black
Figure 35 Threats in List Format
To view and hide threat details, perform the following steps:
Step 1 On the Web Application Firewall > Monitoring page, select All in Lists from the Monitoring
Period drop-down list. The list of detected or prevented threats is displayed in the WAF Threats
Detected & Prevented table.
Step 2 To display details about a threat, click on the threat. The details include the following:
URL: The URL to the SonicWALL knowledge base for this threat
Category: The category of the threat
Severity: The severity of the threat, either high, medium, or low
Summary: A short description of how the threat behaves
Step 3 To collapse the threat details, click the threat link again.
Changing Perspective
For the Top 10 Threats graph, you can select the following display options from the
Perspective drop-down list:
Signature: The signature number of each threat shown is listed at the left side of the graph.
Severity: High, medium, and low severity threats are displayed using color coding.
Server: The server names are listed at the left side of the graph.
Using Web Application Firewall Logs
The Web Application Firewall > Log page provides a number of functions, including a flexible
search mechanism, and the ability to export the log to a file or email it. The page also provides
a way to clear the log. Clicking on a log entry displays more information about the event.
See the following sections:
Searching the Log on page 231
Controlling the Log Pagination on page 232
Viewing Log Entry Details on page 232
Exporting and Emailing Log Files on page 232
Clearing the Log on page 233
Searching the Log
You can search for a value contained in a certain column of the log table, and can also search
for log entries that do not contain the specified value.
To view and search Web Application Firewall log files, perform the following steps:
Step 1 On the Web Application Firewall > Log page, type the value to search for into the Search field.
Step 2 Select the column in which to search from the drop-down list to the right of the Search field.
Step 3 Do one of the following:
To start searching for log entries containing the search value, click Find.
To start searching for log entries that do not contain the search value, click Exclude.
To clear the Search field, set the drop-down list back to the default (Time), and display the
first page of log entries, click Reset.
Controlling the Log Pagination
To adjust the number of entries on the log page and display a different range of entries, perform
the following steps:
Step 1 On the Web Application Firewall > Log page, enter the number of log entries that you want on
each page into the Items per Page field. The Log page display changes to show the new
number of entries.
Step 2 To view the log entries beginning at a certain number, type the starting number into the Item
field and press Enter on your keyboard.
Step 3 To view the first page of log entries, click the left-most button in the arrow control pad.
Step 4 To view the previous page of log entries, click the left arrow in the arrow control pad.
Step 5 To view the next page of log entries, click the right arrow in the arrow control pad.
Step 6 To view the last page of log entries, click the right-most button in the arrow control pad.
Viewing Log Entry Details
The log entry details vary with the type of log entry. The URI (Uniform Resource Identifier) is
provided along with the command for detected threats. Information about the agent that caused
the event is also displayed. For an explanation of the rather cryptic Agent string, the following
Wikipedia page provides a description and links to external sites that can analyze any user
agent string: http://en.wikipedia.org/wiki/User_agent
To view more details about an individual log entry, perform the following steps:
Step 1 On the Web Application Firewall > Log page, click anywhere on the log entry that you want to
view. The details are displayed directly beneath the entry.
Step 2 To collapse the details for a log entry, click again on the entry.
Exporting and Emailing Log Files
You can export the current contents of the Web Application Firewall log to a file, or email the
log contents by using the buttons in the top right corner of the Web Application Firewall > Log
page.
Exported files are saved with a .wri file name extension, and open with Wordpad, by default.
Emailed files are automatically sent to the address configured on the Log > Settings page of
the SSL-VPN management interface. If no address is configured, the Status line at the bottom
of the browser will display an error message when you click the E-Mail Log button on the Web
Application Firewall > Log page.
To export or email the log, perform the following steps:
Step 1 To export the log contents, click the Export button in the top right corner of the
Web Application Firewall > Log page. The File Download dialog box is displayed.
Step 2 In the File Download dialog box, do one of the following:
To open the file, click Open.
To save the file, click Save, then browse to the folder where you want to save the file and
click Save.
Step 3 To email the log contents, click the E-Mail Log button in the top right corner of the
Web Application Firewall > Log page. The log contents are emailed to the address specified in
the Log > Settings page.
Clearing the Log
You can remove all entries from the Web Application Firewall log on the Web Application
Firewall > Log page. The entries on the page are removed, and any attempt to export or email
the log file while it is still empty will cause a confirmation dialog box to display.
To clear the Web Application Firewall log, perform the following:
Step 1 On the top right corner of the Web Application Firewall > Log page, click Clear.
Note The page and log are immediately cleared without asking for confirmation.
Verifying and Troubleshooting Web Application Firewall
You can verify the correct configuration of Web Application Firewall by viewing the Web
Application Firewall > Status page. This page displays statistics on all threats detected since
Web Application Firewall was activated. With normal use and exposure to the Internet, you
should begin to see statistics within a day of activation.
You can also find helpful information in both the Log > View page and Web Application Firewall
> Log page. This section lists some of the relevant log messages and provides an explanation
or suggestions for actions in those cases.
Log > View Messages
The following messages can be viewed from the Log > View page:
License Manager SSL connection failed - Restart appliance may be necessary
Test the connectivity to licensemanager.sonicwall.com from the System > Diagnostics
page using the Ping and DNS Lookup diagnostic utilities to ensure that there is
connectivity to the backend server.
License Manager Failed to resolve host. Check DNS.
Test the connectivity to licensemanager.sonicwall.com from the System > Diagnostics
page using the Ping and DNS Lookup diagnostic utilities to ensure that there is
connectivity to the backend server.
License Manager Peer Identity failed - Check certs and time
The License Manager server or the signature database server may not have a valid SSL
Certificate.
License Manager Reset called
The device licenses have been reset. Navigate to the System > Licenses page to activate,
upgrade or renew licenses.
Web Application Firewall > Log and Log > View Messages
The following messages can be viewed from the Web Application Firewall > Log page and the
Log > View page:
WAF signature database update failed: No signatures were found in the update
The download for the database update completed, but no suitable signatures were found in
the database.
WAF signature database update failed: Old signature timestamp found in the update
The timestamp found in the database update from the License Manager is older than what
was originally advertised before the download for the update started.
WAF signature database update failed: Error occurred while processing the update
There was a general error in downloading and processing the database update. This is
possible if the data in the update does not conform to the signature parser schema.
WAF signature database update failed: Error occurred while downloading the WAF
signature database update
There was a general error in downloading and processing the database update. This is
possible if the data in the update does not conform to the signature parser schema.
WAF signature database update was downloaded successfully. The new database contains
<num> rules
Signature database download was successful. The new database contains <num> rules. A rule is
an internal property which will be used by SonicWALL to determine how many signatures were
downloaded.
Note You can select the Apply Signature Updates Automatically option on the Web Application
Firewall > Settings page to apply new signatures automatically. If this option is not selected,
you must click the Apply button that appears on the Web Application Firewall > Status page
after a successful download. After the database has been successfully applied, all of the
signatures within the new database can be found on the Web Application Firewall >
Signatures page.
WAF signature database has been updated
The signature database update was applied after the administrator clicked on the Apply
button on the Web Application Firewall > Status page.
WAF engine is being started with the factory default signature database
The Web Application Firewall engine will be using the factory default signature database
for traffic inspection. This may imply that no new signatures were found since the firmware
update. If an attempt to download is revealed in the logs earlier, then this message could
also imply that the update could not be processed successfully due to database errors and
as a precautionary measure the factory default database has been used.
Chapter 10: Users Configuration
This chapter provides information and configuration tasks specific to the Users pages on the
SonicWALL SSL VPN Web-based management interface, including access policies and
bookmarks for the users and groups. Policies provide you access to the different levels of
objects defined on your SonicWALL SSL-VPN appliance. This chapter contains the following
sections:
Users > Status section on page 238
Users > Local Users section on page 240
Users > Local Groups section on page 263
Global Configuration section on page 284
Users > Status
The Users > Status page provides information about users and administrators who are
currently logged into the SonicWALL SSL-VPN appliance. This section provides general
information about how SonicWALL SSL VPN manages users through a set of hierarchical
policies.
This section contains the following sub-sections:
Access Policies Concepts section on page 239
Access Policy Hierarchy section on page 239
Figure 36 Users > Status Page
When Streaming Updates is set to ON, the Users > Status page content is automatically
refreshed so that the page always displays current information. Toggle to OFF by clicking ON.
The Active User Sessions table displays the current users or administrators logged into
SonicWALL SSL VPN. Each entry displays the name of the user, the group in which the user
belongs, the IP address of the user, and a time stamp indicating when the user logged in. An
administrator may terminate a user session and log the user out by clicking the Logout icon at
the right of the user row. The Active User Session table includes the following information:
Table 15 Active User Information
Column      Description
Name        A text string that indicates the ID of the user.
Group       The group to which the user belongs.
IP Address  The IP address of the workstation from which the user is logged in.
Login Time  The time when the user first established a connection with the SonicWALL
            SSL-VPN appliance, expressed as day, date, and time (HH:MM:SS).
Logged In   The amount of time since the user first established a connection with the
            SonicWALL SSL-VPN appliance, expressed as number of days and time (HH:MM:SS).
Idle Time   The amount of time the user has been in an inactive or idle state with the
            SonicWALL SSL-VPN appliance.
Logout      Displays an icon that enables you to log the user out of the appliance.
Access Policies Concepts
The SonicWALL SSL VPN Web-based management interface provides granular control of
access to the SonicWALL SSL-VPN appliance. Access policies provide different levels of
access to the various network resources that are accessible using the SonicWALL SSL-VPN
appliance. There are three levels of access policies: global, groups, and users. You can block
and permit access by creating access policies for an IP address, an IP address range, all
addresses, or a network object.
Access Policy Hierarchy
An administrator can define user, group and global policies to predefined network objects, IP
addresses, address ranges, or all IP addresses and to different SonicWALL SSL VPN services.
Certain policies take precedence.
The SonicWALL SSL VPN policy hierarchy is:
User policies take precedence over group policies
Group policies take precedence over global policies
If two or more user, group or global policies are configured, the most specific policy takes
precedence
For example, a policy configured for a single IP address takes precedence over a policy
configured for a range of addresses. A policy that applies to a range of IP addresses takes
precedence over a policy applied to all IP addresses. If two or more IP address ranges are
configured, then the smallest address range takes precedence. Hostnames are treated the
same as individual IP addresses.
Network objects are prioritized just like other address ranges. However, the prioritization is
based on the individual address or address range, not the entire network object.
For example:
Policy 1: A Deny rule has been configured to block all services to the IP address range
10.0.0.0 - 10.0.0.255
Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 - 10.0.1.10
Policy 3: A Permit rule has been configured to allow FTP access to the predefined network
object, FTP Servers. The FTP Servers network object includes the following addresses:
10.0.0.5 - 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3.
Assuming that no conflicting user or group policies have been configured, if a user attempted
to access:
An FTP server at 10.0.0.1, the user would be blocked by Policy 1
An FTP server at 10.0.1.5, the user would be blocked by Policy 2
An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address
range 10.0.0.5 - 10.0.0.20 is more specific than the IP address range defined in Policy 1.
An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single
host name is more specific than the IP address range configured in Policy 2.
Note In this example, the user would not be able to access ftp.company.com using its IP address
10.0.1.3. The SSL VPN policy engine does not perform reverse DNS lookups.
Tip When using Citrix bookmarks, in order to restrict proxy access to a host, a Deny rule must
be configured for both Citrix and HTTP services.
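The precedence rules above can be checked against a small policy resolver. The following Python code is an added example written for this page, not part of the SonicWALL product or its documentation: it implements user > group > global precedence, ranks matching targets by the number of addresses they cover (a single IP or a hostname counts as one; a network object is ranked by each member separately, as the guide describes), and deliberately performs no DNS lookup in either direction, so an IP destination never matches a hostname target. The Policy class, the resolve function, and the ALL keywords for "all services" and "all addresses" are illustrative names. The guide does not state what happens when no policy matches, so resolve returns None in that case, and ties between equally specific policies at the same level are broken by listing order; both are assumptions of the example.

```python
import ipaddress

# Level precedence from the guide: user beats group, group beats global.
LEVEL_RANK = {"user": 0, "group": 1, "global": 2}
ALL_IPV4 = 2 ** 32          # size of an "All Addresses" target


def _ip_range(spec):
    """Parse '10.0.0.5 - 10.0.0.20', '10.0.0.0/24' or '10.0.0.5' into an
    inclusive (start, end) pair of integers."""
    spec = spec.replace(" ", "")
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


class Policy:
    """One access policy. targets is a list of strings: an IP, a range, 'ALL' or a
    hostname. A network object is passed as the list of its members, because the
    guide ranks each member on its own rather than the whole object."""

    def __init__(self, name, level, targets, service, action):
        self.name, self.level, self.service, self.action = name, level, service, action
        self.targets = []               # (kind, key, size); smaller size = more specific
        for t in targets:
            if t == "ALL":
                self.targets.append(("all", None, ALL_IPV4))
                continue
            try:
                lo, hi = _ip_range(t)
                self.targets.append(("ip", (lo, hi), hi - lo + 1))
            except ValueError:          # not an address: a hostname, ranked like one IP
                self.targets.append(("host", t.lower(), 1))

    def match_size(self, dest, service):
        """Size of the most specific target covering dest for this service, or None."""
        if self.service not in ("ALL", service):
            return None
        try:
            dest_ip = int(ipaddress.IPv4Address(dest))
        except ipaddress.AddressValueError:
            dest_ip = None              # the destination is a hostname
        best = None
        for kind, key, size in self.targets:
            # No reverse DNS: an IP destination never matches a hostname target,
            # and a hostname destination never matches an IP range.
            hit = (kind == "all"
                   or (kind == "ip" and dest_ip is not None and key[0] <= dest_ip <= key[1])
                   or (kind == "host" and dest_ip is None and key == dest.lower()))
            if hit and (best is None or size < best):
                best = size
        return best


def resolve(policies, dest, service):
    """Return (action, policy name) of the winning policy, or None when nothing
    matches (assumption: the guide states no default). Ties are broken by the
    order in which the policies were listed (assumption)."""
    candidates = []
    for order, p in enumerate(policies):
        size = p.match_size(dest, service)
        if size is not None:
            candidates.append((LEVEL_RANK[p.level], size, order))
    if not candidates:
        return None
    winner = policies[min(candidates)[2]]
    return winner.action, winner.name


# The guide's worked example, entered as constructed test data.
FTP_SERVERS = ["10.0.0.5 - 10.0.0.20", "ftp.company.com"]   # network object members
GUIDE_POLICIES = [
    Policy("Policy 1", "global", ["10.0.0.0 - 10.0.0.255"], "ALL", "DENY"),
    Policy("Policy 2", "global", ["10.0.1.2 - 10.0.1.10"], "FTP", "DENY"),
    Policy("Policy 3", "global", FTP_SERVERS, "FTP", "PERMIT"),
]

if __name__ == "__main__":
    for dest in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "ftp.company.com", "10.0.1.3"):
        print(dest, "FTP ->", resolve(GUIDE_POLICIES, dest, "FTP"))
```

Running the block reproduces the four outcomes listed above and the Note: 10.0.1.3 is denied by Policy 2 even though ftp.company.com resolves to it, because no name-to-address mapping is consulted. Adding a user-level PERMIT for FTP to ALL overrides Policy 1 for that user, which shows the level precedence.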
Users > Local Users
This section provides an overview of the Users > Local Users page and a description of the
configuration tasks available on this page.
Users > Local Users Overview section on page 240
Removing a User section on page 241
Adding a Local User section on page 241
Editing User Settings section on page 242
For global configuration settings, see the Global Configuration section on page 284.
Users > Local Users Overview
The Users > Local Users page allows the administrator to add and configure users.
Figure 37 Users > Local Users Page
Local Users
The Local Users section allows the administrator to add and configure users by specifying a
user name, selecting a group/domain, creating and confirming password, and selecting user
type (user or administrator).
Note Users configured to use RADIUS, LDAP, NT Domain or Active Directory authentication do
not require passwords because the external authentication server will validate user names
and passwords.
Tip When a user is authenticated using RADIUS or Active Directory, an External User entry is
created in the Local User database; however, the administrator cannot change the group for
this user. If you want to specify different policies for different user groups when using
RADIUS or Active Directory, create the user manually in the Local User database.
Removing a User
To remove a user, navigate to Users > Local Users and click the delete icon next to the name
of the user that you wish to remove. Once deleted, the user will be removed from the Local
Users window.
Adding a Local User
To create a new local user, perform the following steps:
Step 1 Navigate to the Users > Local Users page and click Add User. The Add Local User window
is displayed.
Step 2 In the Add Local User window, enter the username for the user in the User Name field. This
will be the name the user will enter in order to log into the SonicWALL SSL VPN user portal.
Step 3 Select the name of the group to which the user belongs in the Group/Domain drop-down list.
Step 4 Type the user password in the Password field.
Step 5 Retype the password in the Confirm Password field to verify the password.
Note When logging into the portal, the user name is not case-sensitive, but the password and
domain are case-sensitive.
Step 6 From the User Type drop-down list, select a user type option. The available user types are
User or Administrator.
Tip If the selected group is in a domain that uses external authentication, such as Active
Directory, RADIUS, NT Domain or LDAP, then the Add User window will close and the new
user will be added to the Local Users list.
Step 7 Click Add to update the configuration. Once the user has been added, the new user will be
added to the Local Users window.
Note Entering RADIUS, LDAP, NT and Active Directory user names is only necessary if you wish
to define specific policies or bookmarks per user. If users are not defined in the SonicWALL
SSL-VPN appliance, then global policies and bookmarks will apply to users authenticating
to an external authentication server. When working with external (non-LocalDomain) users,
a local user entity must exist so that any user-created (personal) bookmarks can be stored
within the SonicWALL SSL-VPN configuration files. Bookmarks must be stored on the
SonicWALL SSL-VPN because LDAP, RADIUS, and NT Authentication external domains do
not provide a direct facility to store such information as bookmarks. Rather than requiring
administrators to manually create local users for external domain users wishing to use
personal bookmarks, SonicWALL SSL VPN will automatically create a corresponding local
user entity when an external domain user creates a personal bookmark so that it may store
the bookmark information.
Editing User Settings
To edit a users attributes, navigate to the Users > Local Users window and click the Configure
icon next to the user whose settings you want to configure. The Edit User Settings window
displays.
The Edit User Settings window has the tabs described in the following table:
Tab             Description
General         Enables you to create a password and an inactivity timeout, and specify
                Single Sign-On settings for automatic login to bookmarks for this user.
Portal          Enables you to enable, disable, or use group settings on this portal for
                NetExtender, File Shares, Virtual Assist, and Bookmark settings.
Nx Settings     Enables you to specify a NetExtender client address range, including for
                IPv6, and to configure client settings. (Not supported on the SSL-VPN 200
                appliance.)
Nx Routes       Enables you to specify Tunnel All mode and NetExtender client routes. (Not
                supported on the SSL-VPN 200 appliance.)
Policies        Enables you to create access policies that control access to resources from
                user sessions on the appliance.
Bookmarks       Enables you to create user-level bookmarks for quick access to services.
Login Policies  Enables you to create user login policies, including policies for specific
                source IP addresses and policies for specific client browsers. You can
                disable the user's login, require One Time Passwords, and specify client
                certificate enforcement.
If the user authenticates to an external authentication server, then the User Type and
Password fields will not be shown. The password field is not configurable because the
authentication server validates the password. The user type is not configurable because the
SonicWALL SSL-VPN appliance only allows users that authenticate to the internal user
database to have administrative privileges. Also, the user type External is used to identify
the local user instances that are auto-created to correspond to externally authenticating users.
See the following sections for a description of the configuration options on each tab of the Edit
User Settings window:
Modifying General User Settings section on page 243
Modifying Portal Settings section on page 244
Modifying User NetExtender Settings section on page 245
Modifying NetExtender Client Routes section on page 245
Adding User Policies section on page 245
Adding or Editing User Bookmarks section on page 251
Configuring Login Policies section on page 260
Modifying General User Settings
The General tab provides configuration options for a users password, inactivity timeout value,
and bookmark single sign-on (SSO) control. Table 16 provides detailed information about
application-specific support of SSO, global/group/user policies and bookmark policies.
Table 16 Application Support
Application                         Supports SSO   Global/Group/User Policies   Bookmark Policies
Terminal Services (RDP - Active X)  Yes            Yes                          Yes
Terminal Services (RDP - Java)      Yes            Yes                          Yes
Virtual Network Computing (VNC)     No             No                           No
File Transfer Protocol (FTP)        Yes            Yes                          Yes
Telnet                              No             No                           No
Secure Shell (SSH)                  No             No                           No
Web (HTTP)                          Yes            No                           No
Secure Web (HTTPS)                  Yes            No                           No
File Shares (CIFS)                  Yes            Yes                          Yes
Citrix Portal (Citrix)              No             Yes                          No
Single sign-on (SSO) in SonicWALL SSL VPN supports the following applications:
RDP - Active X
RDP - Java
FTP
HTTP
HTTPS
CIFS
Note SSO cannot be used in tandem with two-factor authentication methods.
To modify general user settings, perform the following tasks:
Step 1 In the left-hand column, navigate to Users > Local Users.
Step 2 Click the configure icon next to the user you want to configure. The General tab of the Edit
User Settings window displays. The General tab displays the following non-configurable
fields: User Name, In Group, and In Domain. If the information in these fields needs to be
modified, remove the user as described in Removing a User section on page 241 and add the
user again.
Step 3 To set or change the user password, type the password in the Password field. Re-type it in the
Confirm Password field.
Step 4 To set the inactivity timeout for the user, meaning that they will be signed out of the Virtual Office
after the specified time period, enter the number of minutes of inactivity to allow in the Inactivity
Timeout field. The timeout value also controls the number of minutes that a one-time password
remains valid, when One Time Passwords are configured for a user.
Note The inactivity timeout can be set at the user, group and global level. If one or more timeouts
are configured for an individual user, the user timeout setting will take precedence over the
group timeout and the group timeout will take precedence over the global timeout. Setting
the global settings timeout to 0 disables the inactivity timeout for users that do not have a
group or user timeout configured.
Step 5 To allow users to edit or delete user-owned bookmarks, select Allow from the Allow user to
edit/delete bookmarks drop-down menu. To prevent users from editing or deleting user-owned
bookmarks, select Deny. To use the group policy, select Use group policy.
Note Users cannot edit or delete group and global bookmarks.
Step 6 To allow users to add new bookmarks, select Allow from the Allow user to add bookmarks
drop-down menu. To prevent users from adding new bookmarks, select Deny. To use the group
policy, select Use group policy.
Note Bookmark modification controls provide custom access to predetermined sources, and can
prevent users from needing support.
Step 7 Under Single Sign-On Settings, select one of the following options from the Use SSL VPN
account credentials to log into bookmarks drop-down menu:
Use Group Policy: Select this option to use the group policy settings to control single
sign-on (SSO) for bookmarks.
User-controlled: Select this option to allow users to enable or disable single sign-on
(SSO) for bookmarks.
Enabled: Select this option to enable single sign-on for bookmarks.
Disabled: Select this option to disable single sign-on for bookmarks.
Note SSO modification controls provide enhanced security and can prevent or allow users to
utilize different login credentials. With SSO enabled, the users login name and password
are supplied to the backend server for many of the services. For Fileshares, the domain
name that the user belongs to on the device is passed to the server. For other services, the
server may be expecting the username to be prefixed by the domain name. In this instance,
SSO will fail and the user will have to login with the domain-prefixed username. In some
instances, a default domain name can be configured at the server to allow SSO to succeed.
Step 8 Click OK to save the configuration changes.
Modifying Portal Settings
The Portal tab provides configuration options for portal settings for this user.
To configure portal settings for this user, perform the following steps:
Step 1 On the Portal tab under Portal Settings, select one of the following portal settings for this user:
Use group setting The setting defined in the group to which this user belongs will be
used to determine if the portal feature is enabled or disabled. Group settings are defined
by configuring the group in the Users > Local Groups page.
Enabled Enable this portal feature for this user.
Disabled Disable this portal feature for this user.
You can configure one of the above settings for each of the following portal features:
NetExtender
Launch NetExtender after login
File Shares
Virtual Assist
Allow User to Add Bookmarks
Allow User to Edit/Delete Bookmarks Applies to user-owned bookmarks only.
Step 2 Click OK.
Modifying User NetExtender Settings
Note Group NetExtender settings are not supported on the SonicWALL SSL-VPN 200 appliance.
The Nx Settings tab provides configuration options for NetExtender client address ranges and
other client settings. For procedures on modifying NetExtender User settings, see the
NetExtender > Client Settings section on page 169.
Modifying NetExtender Client Routes
Note Group NetExtender routes are not supported on the SonicWALL SSL-VPN 200 appliance.
The Nx Routes tab provides configuration options for NetExtender client routes. For
procedures on modifying NetExtender client route settings, see the NetExtender > Client
Routes section on page 171.
Adding User Policies
The Policies tab provides policy configuration options.
Note User policies are the highest priority-type of policy, and are enforced before group policies
or global policies.
To add a user access policy, perform the following steps:
Step 1 On the Policies tab, click Add Policy. The Add Policy window is displayed.
Step 2 In the Apply Policy To drop-down list, select whether the policy will be applied to an individual
host, a range of addresses, all addresses, a network object, a server path, or a URL object. On
SonicWALL SSL-VPN models 2000 and higher, you can also select an individual IPv6 host, a
range of IPv6 addresses, or all IPv6 addresses. The Add Policy window changes depending
on what type of object you select in the Apply Policy To drop-down list.
Note These SonicWALL SSL VPN policies apply to the destination address(es) of the SonicWALL
SSL VPN connection, not the source address. You cannot permit or block a specific IP
address on the Internet from authenticating to the SonicWALL SSL VPN gateway with a
policy created on the Policies tab. However, it is possible to control source logins by IP
address with a login policy created on the user's Login Policies tab. For more information, refer
to Configuring Login Policies section on page 260.
IP Address - If your policy applies to a specific host, enter the IP address of the local host
machine in the IP Address field. Optionally enter a port range (for example, 4100-4200) or
a single port number into the Port Range/Port Number field. See Adding a Policy for an
IP Address section on page 247.
IP Address Range - If your policy applies to a range of addresses, enter the beginning IP
address in the IP Network Address field and the subnet mask that defines the IP address
range in the Subnet Mask field. Optionally enter a port range (for example, 4100-4200) or
a single port number into the Port Range/Port Number field. See Adding a Policy for an
IP Address Range section on page 247.
All Addresses - If your policy applies to all IPv4 addresses, you do not need to enter any
IP address information. See Adding a Policy for All Addresses section on page 248.
Network Object - If your policy applies to a predefined network object, select the name of
the object from the Network Object drop-down list. A port or port range can be specified
when defining a Network Object. See Adding Network Objects section on page 101
Server Path - If your policy applies to a server path, select one of the following radio
buttons in the Resource field:
Share (Server path) - When you select this option, type the path into the Server Path
field.
Network (Domain list)
Servers (Computer list)
See Setting File Shares Access Policies section on page 248.
URL Object - If your policy applies to a predefined URL object, type the URL into the URL
field. See Adding a Policy for a URL Object section on page 249.
IPv6 Address - On SonicWALL SSL-VPN models 2000 and higher, if your policy applies to
a specific host, enter the IPv6 address of the local host machine in the IPv6 Address field.
Optionally enter a port range (for example, 4100-4200) or a single port number into the
Port Range/Port Number field. See Adding a Policy for an IPv6 Address section on
page 250.
IPv6 Address Range - If your policy applies to a range of addresses, enter the beginning
IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6
address range in the IPv6 Prefix field. Optionally enter a port range (for example, 4100-
4200) or a single port number into the Port Range/Port Number field. See Adding a
Policy for an IPv6 Address Range section on page 251.
All IPv6 Address - If your policy applies to all IPv6 addresses, you do not need to enter
any IP address information. See Adding a Policy for All IPv6 Addresses section on
page 251.
Step 3 Select the service type in the Service drop-down list. If you are applying a policy to a network
object, the service type is defined in the network object.
Step 4 Select PERMIT or DENY from the Status drop-down list to either permit or deny SonicWALL
SSL VPN connections for the specified service and host machine.
Tip When using Citrix bookmarks, in order to restrict proxy access to a host, a DENY rule must
be configured for both Citrix and HTTP services.
Step 5 Click Add to update the configuration. Once the configuration has been updated, the new policy
will be displayed in the Edit User Settings window.
The user policies are displayed in the Current User Policies table in the order of priority, from
the highest priority policy to the lowest priority policy.
Adding a Policy for an IP Address
Step 1 Navigate to Users > Local Users.
Step 2 Click the configure icon next to the user you want to configure.
Step 3 Select the Policies tab.
Step 4 Click Add Policy...
Step 5 In the Apply Policy to field, click the IP Address option.
Step 6 Define a name for the policy in the Policy Name field.
Step 7 Type an IP address in the IP Address field.
Step 8 In the Port Range/Port Number field, optionally enter a port range or an individual port.
Step 9 In the Service drop-down list, click on a service object.
Step 10 In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 11 Click Add.
Adding a Policy for an IP Address Range
Step 1 In the Apply Policy to field, click the IP Address Range option.
Step 2 Define a name for the policy in the Policy Name field.
Step 3 Type a starting IP address in the IP Network Address field.
Step 4 Type a subnet mask value in the Subnet Mask field in the form 255.255.255.0.
Step 5 In the Port Range/Port Number field, optionally enter a port range or an individual port.
Step 6 In the Service drop-down list, click on a service option.
Step 7 In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 8 Click Add.
Adding a Policy for All Addresses
Step 1 In the Apply Policy to field, select the All Addresses option.
Step 2 Define a name for the policy in the Policy Name field.
Step 3 The IP Address Range field is read-only, specifying All IP Addresses.
Step 4 In the Service drop-down list, click on a service option.
Step 5 In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 6 Click Add.
Setting File Shares Access Policies
To set file share access policies, perform the following steps:
Step 1 Navigate to Users > Local Users.
Step 2 Click the configure icon next to the user you want to configure.
Step 3 Select the Policies tab.
Step 4 Click Add Policy.
Step 5 Select Server Path from the Apply Policy To drop-down list.
Step 6 Type a name for the policy in the Policy Name field.
Step 7 Select the Share radio button in the Resource field.
Step 8 Type the server path in the Server Path field.
Step 9 From the Status drop-down list, select PERMIT or DENY.
Note For information about editing policies for file shares, for example, to restrict server path
access, refer to Adding a Policy for a File Share on page 249.
Step 10 Click Add.
Adding a Policy for a File Share
To add a file share access policy, perform the following steps:
Step 1 Navigate to Users > Local Users.
Step 2 Click the configure icon next to the user you want to configure.
Step 3 Select the Policies tab.
Step 4 Click Add Policy...
Step 5 Select Server Path from the Apply Policy To drop-down list.
Step 6 Type a name for the policy in the Policy Name field.
Step 7 In the Server Path field, enter the server path in the format servername/share/path or
servername\share\path. The prefixes \\, //, \ and / are acceptable.
Note Share and path provide more granular control over a policy. Both are optional.
Step 8 Select PERMIT or DENY from the Status drop-down list.
Step 9 Click Add.
Adding a Policy for a URL Object
To create object-based HTTP or HTTPS user policies, perform the following steps:
Step 1 Navigate to Users > Local Users.
Step 2 Click the configure icon next to the user you want to configure.
Step 3 Select the Policies tab.
Step 4 Click Add Policy.
Step 5 In the Apply Policy To drop-down menu, select the URL Object option.
Step 6 Define a name for the policy in the Policy Name field.
Step 7 In the Service drop-down list, choose either Web (HTTP) or Secure Web (HTTPS).
Step 8 In the URL field, add the URL string to be enforced in this policy.
Note In addition to standard URL elements, the administrator may enter port, path and wildcard
elements to the URL field. For more information on using these additional elements, see
Policy URL Object Field Elements section on page 250.
If a path is specified, the URL policy is recursive and applies to all subdirectories. If, for
example www.mycompany.com/users/* is specified, the user is permitted access to any
folder or file under the www.mycompany.com/users/ folder.
Step 9 In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 10 Click Add.
Policy URL Object Field Elements
When creating an HTTP/HTTPS policy, the administrator must enter a valid host URL in the URL
field. In addition, the administrator may enter port, path and wildcard elements in this field. The
following chart provides an overview of standard URL field elements:
Note Entries in the URL field cannot contain scheme elements (http://, https://). Entries also
cannot contain fragment delimiters such as #.
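As an added example, not code from the guide or from the appliance, the following Python matcher implements the URL field grammar described in this section: a required host, an optional port, a path matched part by part with the wildcards * (one or more characters), ^ (exactly one character), [!set] and [range], the %USERNAME% variable, rejection of scheme and # fragment elements, and the port rules (no leading zero; the smallest value the expression can match must be a valid port). The UrlPolicy class, the evaluate and rejected functions, and the sample hosts are illustrative names. Two points are this example's own reading of the text: the host is compared literally rather than resolved, and the policy path is matched against the leading parts of the request path so that deeper paths still match, which is how the guide describes www.mycompany.com/users/* applying to every folder and file under /users/. Choosing among several URL policies by first match in the listed order (the order the Current User Policies table shows) is also an assumption.

```python
import re


def _wild(spec):
    """Translate one port or path part written in the URL field's wildcard
    grammar into a regular expression."""
    out, i = [], 0
    while i < len(spec):
        c = spec[i]
        if c == "*":
            out.append(".+")                     # one or more characters
        elif c == "^":
            out.append(".")                      # exactly one character
        elif c == "[":
            j = spec.find("]", i)
            if j < 0:
                raise ValueError("unterminated [ in %r" % spec)
            body = spec[i + 1:j]
            out.append("[^%s]" % body[1:] if body.startswith("!") else "[%s]" % body)
            i = j
        else:
            out.append(re.escape(c))             # anything else is literal
        i += 1
    return "".join(out)


class UrlPolicy:
    """A URL object policy written as host[:port][/path], no scheme, no fragment."""

    def __init__(self, name, url, action):
        if "://" in url or "#" in url:
            raise ValueError("URL field must not contain http://, https:// or #")
        self.name, self.action = name, action
        hostport, slash, path = url.partition("/")
        host, _, port = hostport.partition(":")
        if not host:
            raise ValueError("host information has to be present")
        self.host = host.lower()                 # compared literally, not resolved
        self.port_re = None
        if port:
            if port[0] == "0":
                raise ValueError("port must not start with 0")
            self.port_re = re.compile(_wild(port))
            # The least number matching the expression must be a valid port.
            if not any(self.port_re.fullmatch(str(p)) for p in range(1, 65536)):
                raise ValueError("port pattern %r matches no port in 1-65535" % port)
        self.parts = path.split("/") if slash else []
        while self.parts and self.parts[-1] == "":    # ignore a trailing separator
            self.parts.pop()

    def matches(self, host, port, path, username=""):
        if host.lower() != self.host:
            return False
        if self.port_re and not self.port_re.fullmatch(str(port)):
            return False
        req = path.lstrip("/").split("/")
        for i, part in enumerate(self.parts):
            if i >= len(req) or req[i] == "":
                return False
            part = part.replace("%USERNAME%", username)
            # A wildcard's scope is limited to the part between separators.
            if not re.fullmatch(_wild(part), req[i]):
                return False
        return True                              # deeper paths match too (recursive)


def evaluate(policies, host, port, path, username=""):
    """First matching policy wins, in the order listed (assumption, see lead-in).
    Returns (action, name) or None when no policy matches."""
    for p in policies:
        if p.matches(host, port, path, username):
            return p.action, p.name
    return None


def rejected(url):
    """True when a URL field value is refused by the rules above."""
    try:
        UrlPolicy("probe", url, "DENY")
    except ValueError:
        return True
    return False
```

A policy such as intranet.example.com/home/%USERNAME%/* grants each user only their own tree when used as a group or global policy, while www.mycompany.com/users/*.cgi?* shows the wildcard staying inside one path part: it matches test.cgi?key1=value1 under /users/ but not a CGI two levels down.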
Element              Usage
Host                 Can be a hostname that should be resolved or an IP address. Host
                     information has to be present.
Port                 If no port is given, all ports for that host are matched. Specify a
                     port or port range using digits [0-9] and/or wildcard elements. Zero
                     (0) must not be used as the first digit in this field. The least
                     possible number matching the wildcard expression should fall within
                     the range of valid port numbers, i.e. [1-65535].
Path                 The file path of the URL along with the query string. A URL path is
                     made of parts delimited by the file path separator /. Each part may
                     contain wildcard characters. The scope of a wildcard character is
                     limited to the part contained between file path separators.
Usernames            %USERNAME% is a variable that matches the username appearing in a
                     URL requested by a user with a valid session. Especially useful if
                     the policy is a group or a global policy.
Wildcard Characters  The following wildcard characters are used to match one or more
                     characters within a port or path specification:
                     *                   Matches one or more characters in that position.
                     ^                   Matches exactly one character in that position.
                     [!<character set>]  Matches any character in that position not listed
                                         in the character set, e.g. [!acd], [!8a0].
                     [<range>]           Matches any character falling within the specified
                                         ASCII range; can be alphanumeric, e.g. [a-d],
                                         [3-5], [H-X].
Adding a Policy for an IPv6 Address
To add a policy for an IPv6 address, perform the following steps:
Step 1 Navigate to Users > Local Users.
Step 2 Click the configure icon next to the user you want to configure.
Step 3 Select the Policies tab.
Step 4 Click Add Policy...
Step 5 In the Apply Policy To field, click the IPv6 Address option.
Step 6 Define a name for the policy in the Policy Name field.
Step 7 Type an IPv6 address in the IPv6 Address field in the form 2001::1:2:3:4.
Step 8 In the Port Range/Port Number field, optionally enter a port range or an individual port.
Step 9 In the Service drop-down list, click on a service object.
Step 10 In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 11 Click Add.
Adding a Policy for an IPv6 Address Range
To add a policy for an IPv6 address range, perform the following steps:
Step 1 In the Apply Policy To field, click the IPv6 Address Range option.
Step 2 Define a name for the policy in the Policy Name field.
Step 3 Type a starting IPv6 address in the IPv6 Network Address field.
Step 4 Type a prefix value in the IPv6 Prefix field, such as 64 or 112.
Step 5 In the Port Range/Port Number field, optionally enter a port range or an individual port.
Step 6 In the Service drop-down list, click on a service option.
Step 7 In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 8 Click Add.
Adding a Policy for All IPv6 Addresses
To add a policy for all IPv6 addresses, perform the following steps:
Step 1 In the Apply Policy To field, select the All IPv6 Address option.
Step 2 Define a name for the policy in the Policy Name field.
Step 3 The IPv6 Address Range field is read-only, specifying All IPv6 Addresses.
Step 4 In the Service drop-down list, click on a service option.
Step 5 In the Status drop-down list, click on an access action, either PERMIT or DENY.
Step 6 Click Add.
Adding or Editing User Bookmarks
The Bookmarks tab provides configuration options to add and edit user bookmarks. In addition
to the main procedure below, see the following:
Enabling Plugin DLLs section on page 257
Creating a Citrix Bookmark for a Local User on page 258
Creating Bookmarks with Custom SSO Credentials section on page 259
To define user bookmarks, click the Bookmarks tab in the Edit User Settings window, then
click Add Bookmark. The Add Bookmark window displays. When user bookmarks are defined, the
user will see the defined bookmarks from the SonicWALL SSL VPN Virtual Office home page.
Then perform the following steps:
Step 1 Type a descriptive name for the bookmark in the Bookmark Name field.
Step 2 Enter the fully qualified domain name (FQDN) or the IPv4 or, on SonicWALL SSL-VPN models
2000 and higher, IPv6 address of a host machine on the LAN in the Name or IP Address field.
In some environments you can enter the host name only, such as when creating a VNC
bookmark in a Windows local network.
Note If a Port number is included with an IPv6 address in the Name or IP Address field, the IPv6
address must be enclosed in square brackets, for example: [2008::1:2:3:4]:6818.
Note IPv6 is not supported by ActiveX or File Shares.
Some services can run on non-standard ports, and some expect a path when connecting.
Depending on the choice in the Service field, format the Name or IP Address field like one of
the examples shown in Table 17.
Table 17 Bookmark Name or IP Address Formats by Service Type
Service Type   Format                        Example for Name or IP Address Field
RDP - ActiveX  IP Address                    10.20.30.4
RDP - Java     IPv6 Address                  2008::1:2:3:4
               IP:Port (non-standard)        10.20.30.4:6818
               FQDN                          JBJONES-PC.sv.us.sonicwall.com
               Host name                     JBJONES-PC
VNC            IP Address                    10.20.30.4
               IPv6 Address                  2008::1:2:3:4
               IP:Port (mapped to session)   10.20.30.4:5901 (mapped to session 1)
               FQDN                          JBJONES-PC.sv.us.sonicwall.com
               Host name                     JBJONES-PC
               Note: Do not use the session or display number instead of the port;
               do not use 10.20.30.4:1.
               Tip: For a bookmark to a Linux server, see the Tip below this table.
FTP            IP Address                    10.20.30.4
               IPv6 Address                  2008::1:2:3:4
               IP:Port (non-standard)        10.20.30.4:6818 or [2008::1:2:3:4]:6818
               FQDN                          JBJONES-PC.sv.us.sonicwall.com
               Host name                     JBJONES-PC
Telnet         IP Address                    10.20.30.4
               IPv6 Address                  2008::1:2:3:4
               IP:Port (non-standard)        10.20.30.4:6818 or [2008::1:2:3:4]:6818
               FQDN                          JBJONES-PC.sv.us.sonicwall.com
               Host name                     JBJONES-PC
SSHv1          IP Address                    10.20.30.4
SSHv2          IPv6 Address                  2008::1:2:3:4
               IP:Port (non-standard)        10.20.30.4:6818 or [2008::1:2:3:4]:6818
               FQDN                          JBJONES-PC.sv.us.sonicwall.com
               Host name                     JBJONES-PC
HTTP           URL                           www.sonicwall.com
HTTPS          IP Address of URL             204.212.170.11
               IPv6 Address                  2008::1:2:3:4
               URL:Path or File              www.sonicwall.com/index.html
               IP:Path or File               204.212.170.11/folder/
               URL:Port                      www.sonicwall.com:8080
               IP:Port                       204.212.170.11:8080 or [2008::1:2:3:4]:8080
               URL:Port:Path or File         www.sonicwall.com:8080/folder/index.html
               IP:Port:Path or File          204.212.170.11:8080/index.html
Users > Local Users
254
SonicWALL SSL VPN 5.0 Administrators Guide
Tip When creating a Virtual Network Computing (VNC) bookmark to a Linux server, you must
specify the port number and server number in addition to the Linux server IP the Name or
IP Address field in the form of ipaddress:port:server. For example, if the Linux server IP
address is 192.168.2.2, the port number is 5901, and the server number is 1, the value for
the Name or IP Address field would be 192.168.2.2:5901:1.
Step 3 Optionally, you can enter a friendly description to be displayed in the bookmark table by filling
in the Description field.
Step 4 Set whether users are can edit or delete bookmarks from the Virtual Office portal by making a
selection for Allow user to edit/delete. You can select to Allow, Deny, or to Use the user
policy setting.
Step 5 For the specific service you select from the Service drop-down list, additional fields may
appear. Fill in the information for the service you selected. Select one of the following service
types from the Service drop-down list:
File Shares Host\Folder\
Host\File
FQDN\Folder
FQDN\File
IP\Folder\
IP\File
server-3\sharedfolder\
server-3\inventory.xls
server-3.company.net\sharedfolder\
server-3company.net\inventory.xls
10.20.30.4\sharedfolder\
10.20.30.4\status.doc
Note: Use backslashes even on Linux or Mac
computers; these use the Windows API for file
sharing.
Citrix
(Citrix Web
Interface)
IP Address
IPv6 Address
IP:Port
IP:Path or File
IP:Port:Path or File
FQDN
URL:Path or File
URL:Port
URL:Port:Path or File
Note: Port refers to the
HTTP(S) port of Citrix Web
Interface, not to the Citrix
ICA client port.
172.55.44.3
2008::1:2:3:4
172.55.44.3:8080 or [2008::1:2:3:4]:8080
172.55.44.3/folder/file.html
172.55.44.3:8080/report.pdf
www.citrixhost.company.net
www.citrixhost.net/folder/
www.citrixhost.company.com:8080
www.citrixhost.com:8080/folder/index.html
Service Type Format Example for Name or IP Address Field
Terminal Services (RDP - ActiveX) or Terminal Services (RDP - Java)
Note If you select Terminal Services (RDP - ActiveX) while using a browser other than Internet
Explorer, the selection is automatically switched to Terminal Services (RDP - Java). A
popup window notifies you of the switch.
In the Screen Size drop-down list, select the default terminal services screen size to
be used when users execute this bookmark.
Because different computers support different screen sizes, when you use a remote
desktop application, you should select the size of the screen on the computer from
which you are running a remote desktop session. Additionally, you may want to provide
a path to where your application resides on your remote computer by typing the path in
the Application Path field.
In the Colors drop-down list, select the default color depth for the terminal service
screen when users execute this bookmark.
Optionally enter the local path for this application in the Application and Path
(optional) field.
In the Start in the following folder field, optionally enter the local folder in which to
execute application commands.
Select the Login as console/admin session checkbox to allow login as console or
admin. Login as admin replaces login as console in RDC 6.1 and newer.
Select the Enable wake-on-LAN checkbox to enable waking up a computer over the
network connection. Selecting this checkbox causes the following new fields to be
displayed:
MAC/Ethernet Address - Enter one or more MAC addresses, separated by
spaces, of target hosts to wake.
Wait time for boot-up (seconds) - Enter the number of seconds to wait for the
target host to fully boot up before cancelling the WoL operation.
Send WOL packet to host name or IP address - To send the WoL packet to the
hostname or IP of this bookmark, select the Send WOL packet to host name or
IP address checkbox, which can be applied in tandem with a MAC address of
another machine to wake.
For RDP - ActiveX on Windows clients, expand Show client redirect options and
select any of the redirect checkboxes Redirect Printers, Redirect Drives, Redirect
Ports, or Redirect SmartCards to redirect those devices on the local network for use
in this bookmark session. You can hover your mouse pointer over these options to
display tooltips that indicate requirements for certain actions.
To see local printers show up on your remote machine (Start > Settings > Control Panel
> Printers and Faxes), select Redirect Ports as well as Redirect Printers.
For RDP - Java on Windows clients, or on Mac clients running Mac OS X 10.5 or above
with RDC installed, expand Show advance Windows options and select the
checkboxes for any of the following redirect options: Redirect Printers, Redirect
Drives, Redirect Ports, Redirect SmartCards, Redirect clipboard, or Redirect plug
and play devices to redirect those devices or features on the local network for use in
this bookmark session. You can hover your mouse pointer over the Help icon next
to certain options to display tooltips that indicate requirements.
To see local printers show up on your remote machine (Start > Settings > Control Panel
> Printers and Faxes), select Redirect Ports as well as Redirect Printers.
Select the checkboxes for any of the following additional features for use in this
bookmark session: Display connection bar, Auto reconnection, Desktop
background, Window drag, Menu/window animation, Themes, or Bitmap caching.
If the client application will be RDP 6 (Java), you can select any of the following options
as well: Dual monitors, Font smoothing, Desktop composition, or Remote
Application.
Remote Application monitors server and client connection activity; to use it, you need
to register remote applications in the Windows 2008 RemoteApp list. If Remote
Application is selected, the Java Console will display messages regarding connectivity
with the Terminal Server.
For Terminal Server Farm or Load Balancing support, select the Server is TS Farm
checkbox to enable a proper connection. Note that ActiveX bookmarks are not
supported in this mode.
For RDP - ActiveX on Windows clients, optionally select Enable plugin DLLs and
enter the name(s) of client DLLs which need to be accessed by the remote desktop or
terminal service. Multiple entries are separated by a comma with no spaces. Note that
the RDP Java client on Windows is a native RDP client that supports Plugin DLLs by
default. The Enable plugin DLLs option is not available for RDP - Java. See Enabling
Plugin DLLs section on page 257.
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the RDP server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Virtual Network Computing (VNC)
No additional fields
File Transfer Protocol (FTP)
Expand Show advanced server configuration to select an alternate value in the
Character Encoding drop-down list. The default is Standard (UTF-8).
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the FTP server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Telnet
No additional fields
Secure Shell version 1 (SSHv1)
No additional fields
Secure Shell version 2 (SSHv2)
Optionally select the Automatically accept host key checkbox.
If using an SSHv2 server without authentication, such as a SonicWALL firewall, you can
select the Bypass username checkbox.
Web (HTTP)
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the Web server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Secure Web (HTTPS)
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the secure Web
server. Select Use custom credentials to enter a custom username, password, and
domain for this bookmark. For more information about custom credentials, see
Creating Bookmarks with Custom SSO Credentials section on page 259.
File Shares (CIFS)
To allow users to use a Java Applet for File Shares that mimics Windows functionality,
select the Use File Shares Java Applet checkbox.
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the file share server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
When creating a File Share, do not configure a Distributed File System (DFS) server on
a Windows Domain Root system. Because the Domain Root allows access only to
Windows computers in the domain, doing so will disable access to the DFS file shares
from other domains. The SonicWALL SSL-VPN is not a domain member and will not be
able to connect to the DFS shares.
DFS file shares on a stand-alone root are not affected by this Microsoft restriction.
Citrix Portal (Citrix)
Optionally select HTTPS Mode to use HTTPS to securely access the Citrix Portal.
Optionally, select Always use Java in Internet Explorer to use Java to access the
Citrix Portal when using Internet Explorer. Without this setting, a Citrix ICA client or
XenApp plugin (an ActiveX client) must be used with IE. This setting lets users avoid
installing a Citrix ICA client or XenApp plugin specifically for IE browsers. Java is used
with Citrix by default on other browsers and also works with IE. Enabling this checkbox
leverages this portability.
Step 6 Click Add to update the configuration. Once the configuration has been updated, the new user
bookmark will be displayed in the Edit User Settings window.
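As an added example (not SonicWALL's code), the following Python validator encodes the Name or IP Address formats from Table 17 and the VNC Tip above: an IPv6 address must be bracketed when a port follows, IPv6 is refused for RDP - ActiveX and File Shares, paths are accepted only for HTTP(S) and Citrix, VNC takes the Linux ipaddress:port:server form, and a VNC display number given in place of the port is rejected. The service table and the display-number threshold are this example's own encoding of the page's rules, not appliance settings.

```python
import ipaddress
import re

# What each Service accepts, following Table 17 and its notes
# (IPv6 is not supported by ActiveX or File Shares).
SERVICES = {
    "RDP - ActiveX": {"port": True,  "path": False, "ipv6": False},
    "RDP - Java":    {"port": True,  "path": False, "ipv6": True},
    "VNC":           {"port": True,  "path": False, "ipv6": True},
    "FTP":           {"port": True,  "path": False, "ipv6": True},
    "Telnet":        {"port": True,  "path": False, "ipv6": True},
    "SSHv1":         {"port": True,  "path": False, "ipv6": True},
    "SSHv2":         {"port": True,  "path": False, "ipv6": True},
    "HTTP":          {"port": True,  "path": True,  "ipv6": True},
    "HTTPS":         {"port": True,  "path": True,  "ipv6": True},
    "Citrix":        {"port": True,  "path": True,  "ipv6": True},
    "File Shares":   {"port": False, "path": True,  "ipv6": False},
}

# Host name or FQDN: dot-separated labels of letters, digits and hyphens.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*\.?$")
# [2008::1:2:3:4]:6818 - the bracketed form Table 17 requires for IPv6 + port
BRACKETED_RE = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?::(\d+))?$")


def _check_host(service, host):
    """Accept IPv4, IPv6 (where the service supports it), FQDN or host name."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"{host!r} is not an IP address, FQDN or host name")
        return host
    if addr.version == 6 and not SERVICES[service]["ipv6"]:
        raise ValueError(f"IPv6 is not supported for {service}")
    return str(addr)


def _check_port(service, port):
    """Validate the TCP port; for VNC, catch a display number given as port."""
    number = int(port)
    if not 1 <= number <= 65535:
        raise ValueError(f"port {port} is out of range")
    # Table 17: do not use 10.20.30.4:1 (a display number) for VNC; the
    # threshold below is this example's heuristic, not an appliance rule.
    if service == "VNC" and number < 100:
        raise ValueError(f"{number} looks like a VNC display number, not a port")
    return number


def parse_bookmark_address(service, value):
    """Split a Name or IP Address value into host, port, path and display."""
    rules = SERVICES[service]
    host, port, path, display = value, None, None, None
    if service == "File Shares":
        # Host\Folder\ or Host\File: backslashes even from Linux or Mac clients.
        host, sep, rest = value.partition("\\")
        if not sep or "/" in value:
            raise ValueError("file share must be Host\\Folder\\ or Host\\File")
        path = "\\" + rest
    else:
        host, sep, rest = value.partition("/")
        if sep:
            if not rules["path"]:
                raise ValueError(f"{service} bookmarks do not take a path")
            path = "/" + rest
        match = BRACKETED_RE.match(host)
        if match:
            host, port = match.group(1), match.group(2)
        else:
            try:
                ipaddress.IPv6Address(host)  # bare IPv6, so no port follows
            except ValueError:
                parts = host.split(":")
                if len(parts) == 2:
                    host, port = parts
                elif len(parts) == 3 and service == "VNC":
                    host, port, display = parts  # Tip: ipaddress:port:server
                elif len(parts) > 2:
                    raise ValueError("IPv6 with a port must be in square brackets")
    if port is not None and not rules["port"]:
        raise ValueError(f"{service} bookmarks do not take a port")
    return {
        "host": _check_host(service, host),
        "port": _check_port(service, port) if port is not None else None,
        "path": path,
        "display": int(display) if display is not None else None,
    }


def is_valid_bookmark_address(service, value):
    try:
        parse_bookmark_address(service, value)
    except ValueError:
        return False
    return True
```

Note that an unbracketed 2008::1:2:3:4:6818 parses as a plain IPv6 address with no port, which is why the brackets are required.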
Enabling Plugin DLLs
The plugin DLLs feature is available for RDP (ActiveX or Java), and allows for the use of
certain third party programs such as print drivers, on a remote machine. This feature
requires RDP Client Control version 5 or higher.
Note The RDP Java client on Windows is a native RDP client that supports Plugin DLLs by
default. No action (or checkbox) is needed.
To enable plugin DLLs for the RDP ActiveX client:
Step 1 Navigate to Users > Local Users.
Step 2 Click the configure icon corresponding to the user bookmark you wish to edit.
Step 3 In the Bookmarks tab, click Add Bookmark.
Step 4 Select Terminal Services (RDP - ActiveX) as the Service and configure as described in the
section Adding or Editing User Bookmarks section on page 251.
Step 5 Enter the name(s) of client DLLs which need to be accessed by the remote desktop or terminal
service. Multiple entries are separated by a comma with no spaces.
Step 6 Ensure that any necessary DLLs are located on the individual client systems in
%SYSTEMROOT% (for example: C:\Windows\system32).
Note Ensure that your Windows system and RDP client are up to date prior to using the Plugin
DLLs feature. This feature requires RDP 5 Client Control or higher.
Creating a Citrix Bookmark for a Local User
Citrix support requires Internet connectivity in order to download the ActiveX or Java client
from the Citrix Web site. Citrix is accessed from Internet Explorer using ActiveX by default,
or from other browsers using Java. Java can be used with IE by selecting an option in the
Bookmark configuration. The server will automatically decide which Citrix client version to
use. For browsers requiring Java to run Citrix, you must have Sun Java 1.6.0_10 or above.
When using the Java applet, the local printers are available in the Citrix client. However, under
some circumstances it might be necessary to change the Universal Printer Driver to PCL mode.
Note Citrix is supported on SonicWALL SSL-VPN model 2000 and higher security appliances.
To configure a Citrix bookmark for a user, perform the following tasks:
Step 1 Navigate to Users > Local Users and click the configure icon next to the user.
Step 2 In the Edit User Settings window, select the Bookmarks tab.
Step 3 Click Add Bookmark...
Step 4 Enter a name for the bookmark in the Bookmark Name field.
Step 5 Enter the name or IP address of the bookmark in the Name or IP Address field.
Note HTTPS, HTTP, Citrix, SSHv2, SSHv1, Telnet, and VNC will all take a port option :portnum.
HTTP, HTTPS, and Fileshares can also have the path specified to a directory or file.
Step 6 From the Service drop-down list, select Citrix Portal (Citrix). The display will change.
Step 7 Select the box next to HTTPS Mode to enable HTTPS mode.
Step 8 Optionally select the Always use Java in Internet Explorer checkbox to use Java to access
the Citrix Portal when using Internet Explorer. Without this setting, a Citrix ICA client or XenApp
plugin (an ActiveX client) must be used with IE. This setting lets users avoid installing a Citrix
ICA client or XenApp plugin specifically for IE browsers. Java is used with Citrix by default on
other browsers and also works with IE. Enabling this checkbox leverages this portability.
Step 9 Click Add.
Creating Bookmarks with Custom SSO Credentials
The administrator can configure custom Single Sign On (SSO) credentials for each user, group,
or globally in HTTP(S), RDP (Java or ActiveX), File Shares (CIFS), and FTP bookmarks. This
feature is used to access resources such as HTTP, RDP and FTP servers that need a domain prefix
for SSO authentication. Users can log into SonicWALL SSL VPN as username, and click a
customized bookmark to access a server with domain\username. Either straight textual
parameters or dynamic variables may be used for login credentials.
To configure custom SSO credentials, and to configure Single Sign-On for Forms-based
Authentication (FBA), perform the following steps:
Step 1 Create or edit a HTTP(S), RDP, File Shares (CIFS), or FTP bookmark as described in Adding
or Editing User Bookmarks section on page 251.
Step 2 In the Bookmarks tab, select the Use Custom Credentials option.
Step 3 Enter the appropriate username and password, or use dynamic variables as follows:
  Text Usage     Variable        Example Usage
  Login Name     %USERNAME%      US\%USERNAME%
  Domain Name    %USERDOMAIN%    %USERDOMAIN%\%USERNAME%
  Group Name     %USERGROUP%     %USERGROUP%\%USERNAME%
  Password       %PASSWORD%      %PASSWORD% or leave the field blank
Step 4 Enter the appropriate domain information in the Domain field.
Step 5 Select the Forms-based Authentication checkbox to configure Single Sign-On for Forms-based
authentication.
User Form Field - This should be the same as the name and ID attribute of the HTML
element representing the User Name in the login form, for example:
<input type=text name=userid>
Password Form Field - This should be the same as the name or the ID attribute of the
HTML element representing Password in the login form, for example:
<input type=password name=PASSWORD id=PASSWORD maxlength=128>
Step 6 Click OK.
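As an added Python example (not SonicWALL's code), the following shows how the dynamic variables above expand from the session's values, and how the configured User Form Field and Password Form Field are checked against the name or id attributes of the backend login form before the credentials are assembled into the form post. The session values and the login form are constructed sample data.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Dynamic variables the credential fields accept, mapped to the session
# value each one is resolved from (see the table above).
SSO_VARIABLES = {
    "%USERNAME%": "username",
    "%USERDOMAIN%": "domain",
    "%USERGROUP%": "group",
    "%PASSWORD%": "password",
}

# Constructed sample data: a logged-in SSL VPN session and the backend
# login form, using the two <input> examples from the steps above.
SAMPLE_SESSION = {"username": "jbjones", "domain": "US",
                  "group": "Sales", "password": "s3cret!"}
SAMPLE_LOGIN_FORM = (
    '<form method=post action=/login>'
    '<input type=text name=userid>'
    '<input type=password name=PASSWORD id=PASSWORD maxlength=128>'
    '<input type=submit value="Log in"></form>'
)


def expand_sso_value(template, session):
    """Replace %USERNAME%, %USERDOMAIN%, %USERGROUP%, %PASSWORD% in template."""
    def lookup(match):
        key = SSO_VARIABLES.get(match.group(0))
        if key is None:
            raise ValueError(f"unknown dynamic variable {match.group(0)}")
        return session[key]
    return re.sub(r"%[A-Z]+%", lookup, template)


class _InputCollector(HTMLParser):
    """Collect the name and id attributes of every <input> in the form."""
    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            for key, value in attrs:
                if key in ("name", "id") and value:
                    self.names.add(value)


def login_form_field_names(form_html):
    """Return the set of name/id values the User/Password Form Fields may use."""
    parser = _InputCollector()
    parser.feed(form_html)
    return parser.names


def build_fba_login_post(form_html, user_form_field, password_form_field,
                         username_template, password_template, session):
    """Assemble the body the bookmark would post to the forms-based login."""
    names = login_form_field_names(form_html)
    for configured in (user_form_field, password_form_field):
        if configured not in names:
            raise ValueError(f"login form has no input with name/id {configured!r}")
    username = expand_sso_value(username_template, session)
    # "%PASSWORD% or leave the field blank": blank means the session password.
    if password_template:
        password = expand_sso_value(password_template, session)
    else:
        password = session["password"]
    return urllib.parse.urlencode({user_form_field: username,
                                   password_form_field: password})
```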
Configuring Login Policies
The Login Policies tab provides configuration options for policies that allow or deny users with
specific IP addresses from having login privileges to the SonicWALL SSL-VPN appliance. To
allow or deny specific users from logging into the appliance, perform the following steps:
Step 1 Navigate to the Users > Local Users page.
Step 2 Click the configure icon for the user you want to configure. The Edit User Settings window is
displayed.
Step 3 Click the Login Policies tab. The Edit User Settings - Login Policies tab is displayed.
Step 4 To block the specified user or users from logging into the appliance, select the Disable login
checkbox.
Step 5 Optionally select the Enable client certificate enforcement checkbox to require the use of
client certificates for login. By checking this box, you require the client to present a client
certificate for strong mutual authentication. Two additional fields will appear:
Verify user name matches Common Name (CN) of client certificate - Select this
checkbox to require that the user's account name match the CN of their client certificate.
Verify partial DN in subject - Use the following variables to configure a partial DN that will
match the client certificate:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
Step 6 To require the use of one-time passwords for the specified user to log into the appliance, select
the Require one-time passwords checkbox.
Step 7 Enter the user's email address into the E-mail address field to override any address provided
by the domain. For more information about one-time passwords, see the One Time Password
Overview section on page 28.
Note To configure email to external domains (for example, SMS addresses or external webmail
addresses), you need to configure the SMTP server to allow relaying between the SSL-VPN
and that domain.
Step 8 To apply the policy you selected to a source IP address, select an access policy (Allow or
Deny) in the Login From Defined Addresses drop-down list under Login Policies by Source
IP Address, and then click Add under the list box. The Define Address window is displayed.
Step 9 In the Define Address window, select one of the source address type options from the Source
Address Type drop-down list.
IP Address - Enables you to select a specific IP address.
IP Network - Enables you to select a range of IP addresses. If you select this option, a
Network Address field and Subnet Mask field appear in the Define Address window.
IPv6 Address - On SonicWALL SSL-VPN models 2000 and higher, this enables you to
select a specific IPv6 address.
IPv6 Network - On SonicWALL SSL-VPN models 2000 and higher, this enables you to
select a range of IPv6 addresses. If you select this option, an IPv6 Network field and a
Prefix field appear in the Define Address window.
Step 10 Provide appropriate IP address(es) for the source address type you selected.
IP Address - Type a single IP address in the IP Address field.
IP Network - Type an IP address in the Network Address field and then supply a
subnet mask value that specifies a range of addresses in the Subnet Mask field.
IPv6 Address - On SonicWALL SSL-VPN models 2000 and higher, type an IPv6
address, such as 2007::1:2:3:4.
IPv6 Network - On SonicWALL SSL-VPN models 2000 and higher, type the IPv6
network address into the IPv6 Network field, in the form 2007:1:2::. Type a prefix into
the Prefix field, such as 64.
Step 11 Click Add. The address or address range is displayed in the Defined Addresses list in the Edit
User Settings window. As an example, if you selected a range of addresses with 10.202.4.32
as the network address and 255.255.255.240 (28 bits) as the subnet mask value, the Defined
Addresses list displays 10.202.4.32 - 10.202.4.47. In this case, 10.202.4.47 would be the
broadcast address. Whatever login policy you selected will now be applied to addresses in this
range.
Step 12 To apply the policy you selected to a client browser, select an access policy (Allow or Deny) in
the Login From Defined Browsers drop-down list under Login Policies by Client Browser,
and then click Add under the list. The Define Browser window is displayed.
Step 13 In the Define Browser window, type a browser definition in the Client Browser field and then
click Add. The browser name appears in the Defined Browsers list.
Note The browser definition (the user agent string) for Firefox, Internet Explorer and Netscape is
returned by: javascript:document.writeln(navigator.userAgent)
Step 14 Click OK. The new login policy is saved.
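The Login Policies by Source IP Address evaluation from Steps 8 to 11, as an added Python example (not SonicWALL code): it builds the network object for each Source Address Type, renders the Defined Addresses text for the 10.202.4.32 / 255.255.255.240 range used above, and applies the Allow or Deny action together with the Disable login checkbox to a login attempt. The LoginPolicy model and the treatment of an empty Defined Addresses list are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


def define_address(source_type, address, mask_or_prefix=None):
    """Build the network object for one Define Address entry.

    source_type is one of the Source Address Type choices. IP Network takes
    a dotted Subnet Mask (255.255.255.240); IPv6 Network takes a Prefix (64).
    """
    if source_type in ("IP Address", "IPv6 Address"):
        return ipaddress.ip_network(address)  # a single host: /32 or /128
    if source_type in ("IP Network", "IPv6 Network"):
        if mask_or_prefix is None:
            raise ValueError(f"{source_type} needs a subnet mask or prefix")
        return ipaddress.ip_network(f"{address}/{mask_or_prefix}", strict=False)
    raise ValueError(f"unknown Source Address Type {source_type!r}")


def defined_address_text(network):
    """Render an entry the way the Defined Addresses list displays it."""
    if network.num_addresses == 1:
        return str(network.network_address)
    # The last address of the range is the broadcast address, as in Step 11.
    return f"{network.network_address} - {network.broadcast_address}"


@dataclass
class LoginPolicy:
    """Login Policies tab settings for one user (this example's own model)."""
    disable_login: bool = False
    defined_addresses_policy: str = "Allow"  # Login From Defined Addresses
    defined_addresses: list = field(default_factory=list)


def login_permitted(policy, source_ip):
    """Decide whether a login attempt from source_ip passes the policy.

    Assumption of this example: with no Defined Addresses configured, the
    source-IP policy imposes no restriction, whichever action is selected.
    """
    if policy.disable_login:
        return False
    if not policy.defined_addresses:
        return True
    ip = ipaddress.ip_address(source_ip)
    # An IPv4 address is never "in" an IPv6 network, and vice versa.
    listed = any(ip in network for network in policy.defined_addresses)
    if policy.defined_addresses_policy == "Allow":
        return listed       # only the listed addresses may log in
    if policy.defined_addresses_policy == "Deny":
        return not listed   # the listed addresses are blocked
    raise ValueError(f"unknown action {policy.defined_addresses_policy!r}")
```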
Users > Local Groups
This section provides an overview of the Users > Local Groups page and a description of the
configuration tasks available on this page.
Users > Local Groups Overview section on page 263
Deleting a Group section on page 264
Adding a New Group section on page 264
Editing Group Settings section on page 264
Group Configuration for LDAP Authentication Domains section on page 276
Group Configuration for Active Directory, NT and RADIUS Domains section on page 280
Creating a Citrix Bookmark for a Local Group on page 282
For a description of global settings for local groups, see the Global Configuration section on
page 284.
Users > Local Groups Overview
The Users > Local Groups page allows the administrator to add and configure groups for
granular control of user access by specifying a group name and domain.
Note that a group is automatically created when you create a domain. You can create domains
in the Portals > Domains page. You can also create a group directly from the Users > Local
Groups page.
Figure 38 Users > Local Groups Page
Group memberships are split into two types, primary and additional.
Primary groups - Used to assign simple policies, such as timeouts and the ability to add/edit
bookmarks. Advanced policies, such as URL or network object policies, may come from
primary or additional groups.
Additional Groups - Multiple additional groups may be assigned, but in the case of conflicting
policies, the primary group will take precedence over any additional groups.
Keep in mind that users can only belong to groups within a single domain.
Deleting a Group
To delete a group, click the delete icon in the row for the group that you wish to remove in
the Local Groups table on the Users > Local Groups page. The deleted group will no longer
appear in the list of defined groups.
Note A group cannot be deleted if users have been added to the group or if the group is the default
group created for an authentication domain. To delete a group that is the default group for
an authentication domain, delete the corresponding domain (you cannot delete the group in
the Edit Group Settings window). If the group is not the default group for an authentication
domain, first delete all users in the group. Then you will be able to delete the group on the
Edit Group Settings page.
Adding a New Group
Note that a group is automatically created when you create a domain. You can create domains
in the Portals > Domains page. You can also create a group directly from the Users > Local
Groups page.
The Users > Local Groups window contains two default objects:
Global Policies - Contains access policies for all nodes in the organization.
LocalDomain - The LocalDomain group is automatically created to correspond to the default
LocalDomain authentication domain. This is the default group to which local users will be
added, unless otherwise specified.
To create a new group, perform the following steps:
Step 1 Click Add Group. The Add Local Group window is displayed.
Step 2 In the Add Local Group window, enter a descriptive name for the group in the Group Name
field.
Step 3 Select the appropriate domain from the Domain drop-down list. The domain is mapped to the
group.
Step 4 Click Add to update the configuration. Once the group has been added, the new group will be
added to the Local Groups window.
All of the configured groups are displayed in the Users > Local Groups page, listed in
alphabetical order.
Editing Group Settings
To edit the settings for a group, click the configure icon in the row for the group that you
wish to edit in the Local Groups table on the Users > Local Groups page. The Edit Group
Settings window contains six tabs: General, Portal, NxSettings, NxRoutes, Policies, and
Bookmarks.
See the following sections for information about configuring settings:
Editing General Group Settings section on page 265
Setting a Primary Group section on page 266
Modifying Group Portal Settings section on page 266
Enabling Group NetExtender Settings section on page 267
Enabling NetExtender Routes for Groups section on page 269
Adding Group Policies section on page 270
Editing a Policy for a File Share section on page 272
Configuring Group Bookmarks section on page 272
Editing General Group Settings
The General tab provides configuration options for a group's inactivity timeout value and
bookmark control. To modify the general user settings, perform the following tasks:
Step 1 In the left-hand column, navigate to the Users > Local Groups.
Step 2 Click the configure icon next to the group you want to configure. The General tab of the Edit
Group Settings window displays. The General tab displays the following non-configurable
fields: Group Name and Domain Name.
Step 3 To set the inactivity timeout for the group, meaning that users will be signed out of the Virtual
Office after the specified time period, enter the number of minutes of inactivity to allow in the
Inactivity Timeout field.
Note The inactivity timeout can be set at the user, group and global level. If one or more timeouts
are configured for an individual user, the user timeout setting will take precedence over the
group timeout and the group timeout will take precedence over the global timeout. Setting
the global settings timeout to 0 disables the inactivity timeout for users that do not have a
group or user timeout configured.
Step 4 To allow users to edit or delete user-owned bookmarks, select Allow from the Allow user to
edit/delete bookmarks drop-down menu. To prevent users from editing or deleting user-owned
bookmarks, select Deny. To use the group policy, select Use group policy.
Note Users cannot edit or delete group and global bookmarks.
Step 5 To allow users to add new bookmarks, select Allow from the Allow user to add bookmarks
drop-down menu. To prevent users from adding new bookmarks, select Deny. To use the group
policy, select Use group policy.
Step 6 Under Single Sign-On Settings, select one of the following options from the Use SSL VPN
account credentials to log into bookmarks drop-down menu:
Use Global Policy: Select this option to use the global policy settings to control single
sign-on (SSO) for bookmarks.
User-controlled (enabled by default for new users): Select this option to allow users
to enable or disable single sign-on (SSO) for bookmarks. This setting enables SSO by
default for new users.
Note Single sign-on (SSO) in SonicWALL SSL VPN does not support two-factor authentication.
User-controlled (disabled by default for new users): Select this option to allow users
to enable or disable single sign-on (SSO) for bookmarks. This setting disables SSO by
default for new users.
Enabled: Select this option to enable single sign-on for bookmarks.
Disabled: Select this option to disable single sign-on for bookmarks.
Step 7 Click OK to save the configuration changes.
Setting a Primary Group
Users logging into AD, LDAP, and RADIUS domains are automatically assigned in realtime to
SSL VPN groups based on their external AD group memberships, LDAP attributes, or RADIUS
filter-IDs.
Note If a user's external group membership has changed, their SSL VPN group membership
automatically changes to match the external group membership.
Primary Groups with Active Directory - These users are assigned at login time to correspond
to their primary group membership in AD.
Primary groups for LDAP/RADIUS users - These users are determined at login time using
the existing pre-5.0 best-match algorithm.
Primary groups for NT domain and Local Database - These users are manually controlled
by the admin, as there is no information to use as a basis for automatic assignment.
To set a group as the primary group, click the Set Primary Group star corresponding to the
group you wish to set as the primary.
Modifying Group Portal Settings
The Portal tab provides configuration options for portal settings for this group.
To configure portal settings for this group, perform the following steps:
Step 1 On the Portal tab under Portal Settings, for NetExtender, Launch NetExtender after login,
FileShares, and VirtualAssist, select one of the following portal settings for this group:
Use portal setting - The setting defined in the main portal settings will be used to
determine if the portal feature is enabled or disabled. The main portal settings are defined
by configuring the portal in the Portals > Portals page, on the Home tab of the Edit Portal
screen.
Enabled - Enable this portal feature for this user.
Disabled - Disable this portal feature for this user.
Step 2 For Allow User to Add Bookmarks and Allow User to Edit/Delete Bookmarks select one of
the following portal settings for this group:
Use global setting - The setting defined globally will be used to determine if the portal
feature is enabled or disabled. See Edit Global Settings section on page 284 for
information about global settings.
Enabled - Enable this portal feature for this user.
Disabled - Disable this portal feature for this user.
Note The Allow User to Edit/Delete Bookmarks setting applies to user-owned bookmarks only.
Step 3 Click OK.
Enabling Group NetExtender Settings
Note Group NetExtender settings are not supported on the SonicWALL SSL-VPN 200 appliance.
This feature is for external users, who will inherit the settings from their assigned group upon
login. NetExtender client settings can be specified for the group, or use the global settings. For
information about configuring global settings, see Edit Global Settings section on page 284.
To enable NetExtender ranges and configure client settings for a group, perform the following
steps:
Step 1 Navigate to Users > Local Groups.
Step 2 Click the configure icon next to the group you want to configure.
Step 3 In the Edit Group Settings page, select the NxSettings tab.
Step 4 Enter a beginning IPv4 address in the Client Address Range Begin field.
Step 5 Enter an ending IPv4 address in the Client Address Range End field.
Step 6 On SonicWALL SSL-VPN models 2000 and higher, enter a beginning IPv6 address in the Client
IPv6 Address Range Begin field.
Step 7 On SonicWALL SSL-VPN models 2000 and higher, enter an ending IPv6 address in the Client
IPv6 Address Range End field.
Step 8 In the Exit Client After Disconnect drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global
Settings section on page 284.
Enabled - Enable this action for all members of the group. Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global
setting.
Step 9 In the Uninstall Client After Exit drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global
Settings section on page 284.
Enabled - Enable this action for all members of the group. Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global
setting.
Step 10 In the Create Client Connection Profile drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global
Settings section on page 284.
Enabled - Enable this action for all members of the group. Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global
setting.
Step 11 In the User Name & Password Caching drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global
Settings section on page 284.
Allow saving of user name only - Allow caching of the user name for members of the
group. Group members will only need to enter their password when starting
NetExtender. Overrides the global setting.
Allow saving of user name & password - Allow caching of the user name and
password for members of the group. Group members will be automatically logged in
when starting NetExtender. Overrides the global setting.
Prohibit saving of user name & password - Do not allow caching of the user name
and password for members of the group. Group members will be required to enter both
user name and password when starting NetExtender. Overrides the global setting.
Step 12 Click OK.
Enabling NetExtender Routes for Groups
Note Group NetExtender routes are not supported on the SonicWALL SSL-VPN 200 appliance.
The Nx Routes tab allows the administrator to add and configure client routes. IPv6 client
routes are supported on SonicWALL SSL-VPN model 2000 and higher appliances.
To enable multiple NetExtender routes for a group, perform the following steps:
Step 1 Navigate to Users > Local Groups.
Step 2 Click the configure icon next to the group you want to configure.
Step 3 In the Edit Group Settings page, select the Nx Routes tab.
Step 4 In the Tunnel All Mode drop-down list, select one of the following:
Use global setting - Take the action specified by the global setting. See Edit Global
Settings section on page 284.
Enabled - Force all traffic for this user, including traffic destined to the remote user's
local network, over the SSL VPN NetExtender tunnel. Affects all members of the group.
Overrides the global setting.
Disabled - Disable this action for all members of the group. Overrides the global
setting.
Step 5 To add globally defined NetExtender client routes for members of this group, select the Add
Global NetExtender Client Routes checkbox.
Step 6 Click Add Client Route.
Step 7 In the Add Client Route window, enter a destination network in the Destination Network field.
For example, enter the IPv4 network address 10.202.0.0. For IPv6, enter the IPv6 network
address in the form 2007::1:2:3:0.
IPv6 is supported on SonicWALL SSL-VPN models 2000 and higher.
Step 8 For an IPv4 destination network, type the subnet mask in the Subnet Mask/Prefix field using
decimal format (255.0.0.0, 255.255.0.0, or 255.255.255.0). For an IPv6 destination network,
type the prefix, such as 112.
Step 9 Click Add.
Step 10 Click OK.
Enabling Group NetExtender Client Routes
To enable group NetExtender client routes for groups that are already created, perform the
following steps:
Step 1 Navigate to Users > Local Groups.
Step 2 Click the configure icon next to the group you want to configure.
Step 3 In the Edit Group Settings page, select the Nx Routes tab.
Step 4 Select the Add Global NetExtender Client Routes checkbox.
Step 5 Click OK.
Enabling Tunnel All Mode for Local Groups
This feature is for external users, who will inherit the settings from their assigned group upon
login. Tunnel all mode ensures that all network communications are tunneled securely through
the SonicWALL SSL VPN tunnel. To enable tunnel all mode, perform the following tasks:
Step 1 Navigate to Users > Local Groups.
Step 2 Click the configure icon next to the group you want to configure.
Step 3 In the Edit Group Settings page, select the Nx Routes tab.
Step 4 Select Enable from the Tunnel All Mode drop-down list.
Step 5 Click OK.
Note You can optionally tunnel-all SSL VPN client traffic through the NetExtender connection by
entering 0.0.0.0 for the Destination Network and Subnet Mask/Prefix in the Add Client
Routes window.
Adding Group Policies
With group access policies, all traffic is allowed by default. Additional allow and deny policies
may be created by destination address or address range and by service type.
The most specific policy will take precedence over less specific policies. For example, a policy
that applies to only one IP address will have priority over a policy that applies to a range of IP
addresses. If there are two policies that apply to a single IP address, then a policy for a specific
service (for example RDP) will take precedence over a policy that applies to all services.
User policies take precedence over group policies and group policies take precedence over
global policies, regardless of the policy definition. A user policy that allows access to all IP
addresses will take precedence over a group policy that denies access to a single IP address.
Note Within the group policy scheme, the primary group policy is always enforced over any
additional group policies.
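The precedence rules above (most specific destination wins, a specific service beats all services, and user beats group beats global regardless of definition), worked through in code. This is an added illustration written for this page, not SonicWALL code; the policy names, addresses and the `Policy`/`evaluate` helpers are constructed, and port ranges and the primary-group rule are left out:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Policy levels: user beats group beats global, however specific each policy is.
LEVEL_RANK = {"user": 0, "group": 1, "global": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    level: str        # "user", "group" or "global"
    destination: str  # single host "10.0.0.5", range "10.0.0.0/24", or "any"
    service: str      # e.g. "RDP", "HTTP", or "any" for all services
    action: str       # "PERMIT" or "DENY"

    def matches(self, dest_ip: IPAddress, service: str) -> bool:
        """True if this policy covers the given destination address and service."""
        if self.destination != "any":
            network = ipaddress.ip_network(self.destination, strict=False)
            if dest_ip not in network:  # also False when IPv4/IPv6 versions differ
                return False
        return self.service == "any" or self.service.upper() == service.upper()

    def rank(self) -> Tuple[int, int, int, int]:
        """Sort key, lower sorts first: level, then destination specificity
        (single host before range, narrower range before wider), then a
        specific service before all services."""
        if self.destination == "any":
            dest_rank, prefix = 2, 0
        else:
            network = ipaddress.ip_network(self.destination, strict=False)
            dest_rank = 0 if network.num_addresses == 1 else 1
            prefix = network.prefixlen
        service_rank = 0 if self.service != "any" else 1
        return (LEVEL_RANK[self.level], dest_rank, -prefix, service_rank)


def evaluate(policies: List[Policy], dest_ip: str, service: str) -> Tuple[str, Optional[str]]:
    """Return (action, name of the winning policy). With no matching policy,
    traffic is allowed by default, as the guide states."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [p for p in policies if p.matches(ip, service)]
    if not candidates:
        return "PERMIT", None
    winner = min(candidates, key=Policy.rank)
    return winner.action, winner.name


# Constructed sample policies (not from the guide): a terminal server at
# 10.0.0.5 inside a 10.0.0.0/8 corporate range.
GLOBAL_POLICIES = [
    Policy("deny-lan-rdp", "global", "10.0.0.0/8", "RDP", "DENY"),
    Policy("allow-ts-any-service", "global", "10.0.0.5", "any", "PERMIT"),
    Policy("allow-ts-rdp", "global", "10.0.0.5", "RDP", "PERMIT"),
]
GROUP_POLICIES = [Policy("group-deny-ts", "group", "10.0.0.5", "any", "DENY")]
USER_POLICIES = [Policy("user-allow-everything", "user", "any", "any", "PERMIT")]

if __name__ == "__main__":
    # Single host beats the /8 range, and RDP beats "any" service.
    print(evaluate(GLOBAL_POLICIES, "10.0.0.5", "RDP"))
    # Only the /8 deny applies here.
    print(evaluate(GLOBAL_POLICIES, "10.0.0.7", "RDP"))
    # A less specific group policy still overrides the global ones.
    print(evaluate(GLOBAL_POLICIES + GROUP_POLICIES, "10.0.0.5", "RDP"))
    # An allow-all user policy overrides the group deny.
    print(evaluate(GLOBAL_POLICIES + GROUP_POLICIES + USER_POLICIES, "10.0.0.5", "RDP"))
```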
To define group access policies, perform the following steps:
Step 1 In the Policies tab, click Add Policy. The Add Policy window will be displayed.
Step 2 Define a name for the policy in the Policy Name field.
Step 3 In the Apply Policy To drop-down list, select whether the policy will be applied to an individual
host, a range of addresses, all addresses, a network object, a server path, or a URL object. On
SonicWALL SSL-VPN models 2000 and higher, you can also select an individual IPv6 host, a
range of IPv6 addresses, or all IPv6 addresses. The Add Policy window changes depending
on what type of object you select in the Apply Policy To drop-down list.
Note The SonicWALL SSL VPN policies apply to the destination address(es) of the SonicWALL
SSL VPN connection, not the source address. You cannot permit or block a specific IP
address on the Internet from authenticating to the SonicWALL SSL VPN gateway through
the policy engine. It is also possible to control source logins by IP address from the user's Login
Policies page. For more information, refer to Configuring Login Policies section on page 260.
IP Address - If your policy applies to a specific host, enter the IP address of the local host
machine in the IP Address field. Optionally enter a port range (80-443) or a single port
number into the Port Range/Port Number field.
IP Address Range - If your policy applies to a range of addresses, enter the beginning IP
address in the IP Network Address field and the subnet mask that defines the IP address
range in the Subnet Mask field. Optionally enter a port range (4100-4200) or a single port
number into the Port Range/Port Number field.
Network Object - If your policy applies to a predefined network object, select the name of
the object from the Network Object drop-down list. A port or port range can be specified
when defining a Network Object. See Adding Network Objects section on page 101.
Server Path - If your policy applies to a server path, select one of the following radio
buttons in the Resource field:
Share (Server path) - When you select this option, type the path into the Server Path
field.
Network (Domain list)
Servers (Computer list)
See Editing a Policy for a File Share section on page 272.
URL Object - If your policy applies to a predefined URL object, type the URL into the URL
field.
IPv6 Address - If your policy applies to a specific host, enter the IPv6 address of the local
host machine in the IPv6 Address field. Optionally enter a port range (for example, 4100-
4200) or a single port number into the Port Range/Port Number field.
IPv6 is supported on SonicWALL SSL-VPN models 2000 and higher.
IPv6 Address Range - If your policy applies to a range of addresses, enter the beginning
IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6
address range in the IPv6 Prefix field. Optionally enter a port range (for example, 4100-
4200) or a single port number into the Port Range/Port Number field.
All IPv6 Address - If your policy applies to all IPv6 addresses, you do not need to enter
any IP address information.
Step 4 Select the service type in the Service menu. If you are applying a policy to a network object,
the service type is defined in the network object.
Step 5 Select PERMIT or DENY from the Status drop-down list to either permit or deny SonicWALL
SSL VPN connections for the specified service and host machine.
Step 6 Click Add to update the configuration. Once the configuration has been updated, the new group
policy will be displayed in the Edit Group Settings window. The group policies are displayed
in the Group Policies list in the order of priority, from the highest priority policy to the lowest
priority policy.
Editing a Policy for a File Share
To edit file share access policies, perform the following steps:
Step 1 Navigate to Users > Local Groups.
Step 2 Click the configure icon next to the group you want to configure.
Step 3 Select the Policies tab.
Step 4 Click Add Policy...
Step 5 Select Server Path from the Apply Policy To drop-down list.
Step 6 Type a name for the policy in the Policy Name field.
Step 7 In the Server Path field, enter the server path in the format servername/share/path or
servername\share\path. The prefixes \\, //, \ and / are acceptable.
Note Share and path provide more granular control over a policy. Both are optional.
Step 8 Select PERMIT or DENY from the Status drop-down list.
Step 9 Click Add.
Configuring Group Bookmarks
SonicWALL SSL VPN bookmarks provide a convenient way for SonicWALL SSL VPN users to
access computers on the local area network that they will connect to frequently. Group
bookmarks will apply to all members of a specific group. To define group bookmarks, perform
the following steps:
Step 1 Navigate to the Users > Local Groups window.
Step 2 Click the configure icon for the group for which you want to create a bookmark. The Edit Group
Settings window is displayed.
Step 3 Navigate to the Bookmarks tab and click Add Bookmark. The Add Bookmark window is
displayed.
Note When group bookmarks are defined, all group members will see the defined bookmarks from
the SonicWALL SSL VPN user portal. Individual group members will not be able to delete or
modify group bookmarks.
Step 4 Enter a string that will be the name of the bookmark in the Bookmark Name field.
Enter the fully qualified domain name (FQDN) or the IPv4 or, on SonicWALL SSL-VPN models
2000 and higher, IPv6 address of a host machine on the LAN in the Name or IP Address field.
In some environments you can enter the host name only, such as when creating a VNC
bookmark in a Windows local network.
Note If a Port number is included with an IPv6 address in the Name or IP Address field, the IPv6
address must be enclosed in square brackets, for example: [2008::1:2:3:4]:6818. IPv6 is
not supported for RDP - ActiveX, RDP - Java, File Shares, or VNC bookmarks.
Note For HTTP and HTTPS, you can add a custom port and path, for example, servername:port/
path. For VNC, Telnet, and SSH, you can add a custom port, for example, servername:port.
Step 5 For the specific service you select from the Service drop-down list, additional fields may
appear. Fill in the information for the service you selected.
Note Because different computers support different screen sizes, when you use a remote desktop
application, you should select the size of the screen on the computer from which you are
running a remote desktop session. Additionally, you may want to provide a path to where
your application resides on your remote computer by typing the path in the Application Path
field.
Select one of the following service types from the Service drop-down list:
Terminal Services (RDP - ActiveX) or Terminal Services (RDP - Java)
Note If you select Terminal Services (RDP - ActiveX) while using a browser other than Internet
Explorer, the selection is automatically switched to Terminal Services (RDP - Java). A
popup window notifies you of the switch.
In the Screen Size drop-down menu, select the default terminal services screen size
to be used when users execute this bookmark.
In the Colors drop-down list, select the default color depth for the terminal service
screen when users execute this bookmark.
Optionally enter the local path for this application in the Application and Path
(optional) field.
In the Start in the following folder field, optionally enter the local folder in which to
execute application commands.
Select the Login as console/admin session checkbox to allow login as console or
admin. Login as admin replaces login as console in RDC 6.1 and newer.
Select the Enable wake-on-LAN checkbox to enable waking up a computer over the
network connection. Selecting this checkbox causes the following new fields to be
displayed:
MAC/Ethernet Address - Enter one or more MAC addresses, separated by
spaces, of target hosts to wake.
Wait time for boot-up (seconds) - Enter the number of seconds to wait for the
target host to fully boot up before cancelling the WoL operation.
Send WOL packet to host name or IP address - To send the WoL packet to the
hostname or IP of this bookmark, select the Send WOL packet to host name or
IP address checkbox, which can be applied in tandem with a MAC address of
another machine to wake.
For RDP - ActiveX on Windows clients, expand Show client redirect options and
select any of the redirect checkboxes Redirect Printers, Redirect Drives, Redirect
Ports, or Redirect SmartCards to redirect those devices on the local network for use
in this bookmark session. You can hover your mouse pointer over these options to
display tooltips that indicate requirements for certain actions.
To see local printers show up on your remote machine (Start > Settings > Control Panel
> Printers and Faxes), select Redirect Ports as well as Redirect Printers.
For RDP - Java on Windows clients, or on Mac clients running Mac OS X 10.5 or above
with RDC installed, expand Show advanced Windows options and select the
checkboxes for any of the following redirect options: Redirect Printers, Redirect
Drives, Redirect Ports, Redirect SmartCards, Redirect clipboard, or Redirect plug
and play devices to redirect those devices or features on the local network for use in
this bookmark session. You can hover your mouse pointer over the Help icon next
to certain options to display tooltips that indicate requirements.
To see local printers show up on your remote machine (Start > Settings > Control Panel
> Printers and Faxes), select Redirect Ports as well as Redirect Printers.
Select the checkboxes for any of the following additional features for use in this
bookmark session: Display connection bar, Auto reconnection, Desktop
background, Window drag, Menu/window animation, Themes, or Bitmap caching.
If the client application will be RDP 6 (Java), you can select any of the following options
as well: Dual monitors, Font smoothing, Desktop composition, or Remote
Application.
Remote Application monitors server and client connection activity; to use it, you need
to register remote applications in the Windows 2008 RemoteApp list. If Remote
Application is selected, the Java Console will display messages regarding connectivity
with the Terminal Server.
For RDP - ActiveX on Windows clients, optionally select Enable plugin DLLs and
enter the name(s) of client DLLs which need to be accessed by the remote desktop or
terminal service. Multiple entries are separated by a comma with no spaces. Note that
the RDP Java client on Windows is a native RDP client that supports Plugin DLLs by
default. This option is not available for RDP - Java.
Select the Enable wake on LAN checkbox to send WoL packets to the host. Selecting
this option displays additional fields for entering one or more Mac Addresses
(separated by spaces) to indicate the machines to wake, and the desired Wait time for
boot up before cancelling the WoL operation. To send the WoL packet to the hostname
or IP of this bookmark, select the Send WOL packet to bookmark host Name or IP
address checkbox, which can be applied in tandem with a Mac address of another
machine to wake.
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the RDP server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Virtual Network Computing (VNC)
No additional fields
File Transfer Protocol (FTP)
Expand Show advanced server configuration to select an alternate value in the
Character Encoding drop-down list. The default is Standard (UTF-8).
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the FTP server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Telnet
No additional fields
Secure Shell version 1 (SSHv1)
No additional fields
Secure Shell version 2 (SSHv2)
Optionally select the Automatically accept host key checkbox.
If using an SSHv2 server without authentication, such as a SonicWALL firewall, you can
select the Bypass username checkbox.
Web (HTTP)
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the Web server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Secure Web (HTTPS)
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the secure Web
server. Select Use custom credentials to enter a custom username, password, and
domain for this bookmark. For more information about custom credentials, see
Creating Bookmarks with Custom SSO Credentials section on page 259.
File Shares (CIFS)
To allow users to use a Java Applet for File Shares that mimics Windows functionality,
select the Use File Shares Java Applet checkbox.
Optionally select Automatically log in and select Use SSL VPN account credentials
to forward credentials from the current SSL VPN session for login to the RDP server.
Select Use custom credentials to enter a custom username, password, and domain
for this bookmark. For more information about custom credentials, see Creating
Bookmarks with Custom SSO Credentials section on page 259.
Citrix Portal (Citrix)
Optionally select HTTPS Mode to use HTTPS to securely access the Citrix Portal.
Optionally, select Always use Java in Internet Explorer to use Java to access the
Citrix Portal when using Internet Explorer. Without this setting, a Citrix ICA client or
XenApp plugin (an ActiveX client) must be used with IE. This setting lets users avoid
installing a Citrix ICA client or XenApp plugin specifically for IE browsers. Java is used
with Citrix by default on other browsers and also works with IE. Enabling this checkbox
leverages this portability.
Step 6 Click Add to update the configuration. Once the configuration has been updated, the new group
bookmark will display in the Edit Group Settings window.
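The host, port and path conventions from the Name or IP Address notes in Step 4 (an IPv6 address with a port must be bracketed, servername:port/path is only for Web bookmarks, and IPv6 is not supported for RDP, File Shares or VNC), as an added parser example that is not part of the guide or of SonicWALL's software; the service labels, sample hosts and helper names are assumptions:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services the guide lists as not supporting IPv6 bookmarks.
IPV6_UNSUPPORTED = {"RDP - ActiveX", "RDP - Java", "File Shares", "VNC"}
# Only web bookmarks take a custom path after the port (servername:port/path).
PATH_SERVICES = {"HTTP", "HTTPS"}


@dataclass(frozen=True)
class BookmarkTarget:
    host: str
    port: Optional[int]
    path: Optional[str]
    is_ipv6: bool


def _parse_port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)


def parse_bookmark_target(value: str, service: str) -> BookmarkTarget:
    """Split a Name or IP Address field into host, optional port and optional path."""
    value = value.strip()
    if not value:
        raise ValueError("host is required")
    host_port, slash, rest = value.partition("/")
    path = "/" + rest if slash else None
    if path is not None and service not in PATH_SERVICES:
        raise ValueError(f"a path is only allowed for HTTP/HTTPS bookmarks, not {service}")

    if host_port.startswith("["):
        # Bracketed IPv6 literal: the only unambiguous way to add a port to an IPv6 host.
        end = host_port.find("]")
        if end == -1:
            raise ValueError("unterminated '[' in IPv6 address")
        host, tail = host_port[1:end], host_port[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError(f"unexpected text after ']': {tail!r}")
        port = _parse_port(tail[1:]) if tail else None
        ipaddress.IPv6Address(host)  # raises ValueError on a malformed address
        is_ipv6 = True
    elif host_port.count(":") > 1:
        # Unbracketed IPv6 literal, accepted only as a bare address. A trailing ":6818"
        # would simply be read as one more hextet, which is why the guide requires brackets.
        ipaddress.IPv6Address(host_port)
        host, port, is_ipv6 = host_port, None, True
    else:
        host, colon, port_text = host_port.partition(":")
        port = _parse_port(port_text) if colon else None
        is_ipv6 = False

    if not host:
        raise ValueError("host is required")
    if is_ipv6 and service in IPV6_UNSUPPORTED:
        raise ValueError(f"IPv6 is not supported for {service} bookmarks")
    return BookmarkTarget(host, port, path, is_ipv6)


if __name__ == "__main__":
    # Constructed sample values, including the guide's [2008::1:2:3:4]:6818 form.
    print(parse_bookmark_target("[2008::1:2:3:4]:6818", "SSHv2"))
    print(parse_bookmark_target("intranet.example.com:8080/wiki", "HTTP"))
    print(parse_bookmark_target("10.0.0.5:5901", "VNC"))
```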
Group Configuration for LDAP Authentication Domains
Note The Microsoft Active Directory database uses an LDAP organization schema. The Active
Directory database may be queried using Kerberos authentication (the standard
authentication type; this is labeled Active Directory domain authentication in the
SonicWALL SSL VPN management interface), NTLM authentication (labeled NT Domain
authentication in SonicWALL SSL VPN management interface), or using LDAP database
queries. An LDAP domain configured in the SonicWALL SSL VPN management interface
can authenticate to an Active Directory server.
LDAP (Lightweight Directory Access Protocol) is a standard for querying and updating a
directory. Since LDAP supports a multilevel hierarchy (for example, groups or organizational
units), the SonicWALL SSL-VPN appliance can query this information and provide specific
group policies or bookmarks based on LDAP attributes. By configuring LDAP attributes, the
SonicWALL SSL-VPN appliance administrator can leverage the groups that have already been
configured in an LDAP or Active Directory database, rather than needing to manually recreate
the same groups in the SonicWALL SSL-VPN appliance.
Once an LDAP authentication domain is created, a default LDAP group will be created with the
same name as the LDAP domain name. Although additional groups may be added or deleted
from this domain, the default LDAP group may not be deleted. If the user for which you created
LDAP attributes enters the Virtual Office home page, the bookmark you created for the group
the user is in will display in the Bookmarks Table.
For an LDAP group, you may define LDAP attributes. For example, you can specify that users
in an LDAP group must be members of a certain group or organizational unit defined on the
LDAP server. Or you can specify a unique LDAP distinguished name.
To add an LDAP attribute for a group so that a user will have a bookmark assigned when
entering the Virtual Office environment, perform the following steps:
Step 1 Navigate to the Portals > Domains page and click Add Domain to display the Add New
Domain window.
Step 2 Select LDAP from the Authentication Type menu. The LDAP domain configuration fields will
be displayed.
Step 3 Enter a descriptive name for the authentication domain in the Domain Name field. This is the
domain name users will select in order to log into the SonicWALL SSL VPN user portal. It can
be the same value as the Server address field.
Step 4 Enter the IP address or domain name of the server in the Server address field.
Step 5 Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search
base string is CN=Users,DC=yourdomain,DC=com.
Tip It is possible for multiple OUs to be configured for a single domain by entering each OU on
a separate line in the LDAP baseDN field. In addition, any sub-OUs will be automatically
included when parents are added to this field.
Note Do not include quotes (") in the LDAP BaseDN field.
Step 6 Enter the common name of a user that has been delegated control of the container that user
will be in along with the corresponding password in the Login user name and Login password
fields.
Note When entering Login user name and Login password, remember that the SSL-VPN
appliance binds to the LDAP tree with these credentials and users can log in with their
sAMAccountName.
Step 7 Enter the name of the portal in the Portal name field. Additional layouts may be defined in the
Portals > Portals page.
Step 8 Select the Allow password changes (if allowed by LDAP server) checkbox if you want to be
able to change users' passwords. The admin account must be used when changing user
passwords.
Step 9 Select the Delete external user accounts on logout checkbox to delete users who are not
logged into a domain account after they log out.
Step 10 Optionally select the One-time passwords checkbox to enable the One-time password
feature. A drop-down list will appear, in which you can select if configured, required for all
users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured will
use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do
not have a One Time Password email address configured will not be allowed to login.
using domain name - Users in the domain will use the One Time Password feature. One
Time Password emails for all users in the domain will be sent to username@domain.com.
Step 11 If you select One-time passwords, an LDAP e-mail attribute drop-down list appears. Select
one of the following:
mail - Select mail if this is the name of your LDAP email attribute.
userPrincipalName - Select userPrincipalName if this is the name of your LDAP email
attribute.
custom - Select custom to enter any other LDAP email attribute. Enter the attribute name
into the Custom attribute field that appears.
Step 12 Navigate to the Users > Local Groups page and click the configure icon. The Edit Group
Settings page is displayed, with fields for LDAP attributes on the General tab.
Step 13 On the General tab, you may optionally fill out one or multiple LDAP Attribute fields with the
appropriate names where name=value is the convention for adding a series of LDAP attributes.
To see a full list of LDAP attributes, refer to the SonicWALL LDAP Attribute document.
As a common example, fill out an attribute field with the memberOf= attribute which can
bundle the following common variable types:
CN= - the common name
DN= - the distinguished name
DC= - the domain component
You need to provide quote delimiters around the variables you bundle in the memberOf line, and
you separate the variables by commas. An example of the syntax using the CN and DC variables
would be:
memberOf="CN=<string>, DC=<string>"
An example of a line you might enter into the LDAP Attribute field, using the CN and DC variables
would be:
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
Step 14 Type an inactivity timeout value (in minutes) in the Inactivity Timeout field. Enter 0 (zero) to
use the global inactivity timeout setting.
Step 15 Under Single Sign-On Settings, in the Automatically log into bookmarks list, select one of
the following:
Use global policy - Use the global policy for using SSO to login to bookmarks.
User-controlled (enabled by default for new users) - Enable SSO to login to bookmarks
for new users, and allow users to change this setting.
User-controlled (disabled by default for new users) - Disable SSO to login to
bookmarks for new users, and allow users to change this setting.
Enabled - Enable SSO to login to bookmarks.
Disabled - Disable SSO to login to bookmarks.
Step 16 Click OK when done.
LDAP Attribute Information
When configuring LDAP attributes, the following information may be helpful:
If multiple attributes are defined for a group, all attributes must be met by LDAP users.
LDAP authentication binds to the LDAP tree using the same credentials as are supplied for
authentication. When used against Active Directory, this requires that the login credentials
provided match the CN (common name) attribute of the user rather than the sAMAccountName
(login name). For example, if your NT/Active Directory login name is gkam and your full
name is guitar kam, the username to provide when logging into SonicWALL SSL VPN with LDAP
authentication depends on the domain's Login user name field: if a login name is supplied
there, that name is used to bind to the tree; if the field is blank, you need to log in with
the full name; if the field is filled in with a full login name, users log in with their
sAMAccountName.
If no attributes are defined, then any user authorized by the LDAP server can be a member
of the group.
If multiple groups are defined and a user meets all the LDAP attributes for two groups, then
the user will be considered part of the group with the most LDAP attributes defined. If the
matching LDAP groups have an equal number of attributes, then the user will be considered
a member of the group based on the alphabetical order of the groups.
If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the
SonicWALL SSL-VPN appliance, then the user will not be able to log into the portal. So the
LDAP attributes feature not only allows the administrator to create individual rules based
on the LDAP group or organization, it also allows the administrator to only allow certain
LDAP users to log into the portal.
Example of LDAP Users and Attributes
If a user is manually added to an LDAP group, then the user setting will take precedence over
LDAP attributes.
For example, an LDAP attribute objectClass=Person is defined for group Group1 and an
LDAP attribute memberOf=CN=WINS Users,DC=sonicwall,DC=net is defined for Group2.
If user Jane is defined by an LDAP server as a member of the Person object class, but is not a
member of the WINS Users group, Jane will be a member of SonicWALL SSL-VPN appliance
Group1.
But if the administrator manually adds the user Jane to SonicWALL SSL-VPN appliance
Group2, then the LDAP attributes will be ignored and Jane will be a member of Group2.
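The group-selection rules from LDAP Attribute Information and the Group1/Group2 example above (every attribute of a group must match, at most four attributes per group, the group with the most attributes wins, ties go by alphabetical order, no match refuses the login, and manual membership overrides attribute matching), as an added resolver example that is not SonicWALL's code; the user entries, group names and helper functions are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

MAX_ATTRIBUTES = 4  # the guide allows up to four LDAP attributes per group
LdapEntry = Dict[str, Union[str, List[str]]]  # attribute name -> value(s) from the directory


@dataclass
class LdapGroup:
    name: str
    attributes: List[str] = field(default_factory=list)    # "name=value" lines, value may be quoted
    manual_members: Set[str] = field(default_factory=set)  # users added by hand on the appliance


def parse_attribute(line: str) -> Tuple[str, str]:
    """Split 'memberOf="CN=WINS Users,DC=sonicwall,DC=net"' into (name, unquoted value)."""
    name, sep, value = line.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        raise ValueError(f"attribute must be written as name=value: {line!r}")
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return name, value


def _normalize(value: str) -> str:
    # Case-insensitive comparison that ignores whitespace around DN component separators.
    return ",".join(part.strip() for part in value.split(",")).casefold()


def user_matches(group: LdapGroup, entry: LdapEntry) -> bool:
    """Every attribute defined for the group must be present on the user's LDAP entry."""
    if len(group.attributes) > MAX_ATTRIBUTES:
        raise ValueError(f"{group.name}: at most {MAX_ATTRIBUTES} attributes are allowed")
    for line in group.attributes:
        name, wanted = parse_attribute(line)
        actual = entry.get(name, [])
        values = [actual] if isinstance(actual, str) else actual  # LDAP attributes are multi-valued
        if not any(_normalize(v) == _normalize(wanted) for v in values):
            return False
    return True  # a group with no attributes admits any authenticated user


def resolve_group(username: str, entry: LdapEntry, groups: List[LdapGroup]) -> Optional[str]:
    """Pick the appliance group for an authenticated LDAP user; None means the login is refused."""
    # A user added by hand to a group takes precedence over attribute matching.
    for group in sorted(groups, key=lambda g: g.name.casefold()):
        if username in group.manual_members:
            return group.name
    matching = [g for g in groups if user_matches(g, entry)]
    if not matching:
        return None
    # The group with the most attributes wins; equal counts fall back to alphabetical order.
    best = min(matching, key=lambda g: (-len(g.attributes), g.name.casefold()))
    return best.name


# Constructed sample data modelled on the guide's Group1/Group2 example.
JANE: LdapEntry = {
    "sAMAccountName": "jane",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "memberOf": ["CN=Domain Users,CN=Users,DC=sonicwall,DC=net"],
}
BOB: LdapEntry = {
    "sAMAccountName": "bob",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "memberOf": ["CN=WINS Users,DC=sonicwall,DC=net",
                 "CN=Domain Users,CN=Users,DC=sonicwall,DC=net"],
}
GROUPS = [
    LdapGroup("Group1", ["objectClass=Person"]),
    LdapGroup("Group2", ['memberOf="CN=WINS Users,DC=sonicwall,DC=net"']),
    LdapGroup("Group3", ['objectClass="user"', 'memberOf="CN=WINS Users,DC=sonicwall,DC=net"']),
]

if __name__ == "__main__":
    print(resolve_group("jane", JANE, GROUPS))  # Group1: the only group whose attributes she meets
    print(resolve_group("bob", BOB, GROUPS))    # Group3: all three match, it defines the most attributes
```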
Sample LDAP Attributes
You may enter up to four LDAP attributes per group. The following are some example LDAP
attributes of Active Directory LDAP users:
name="Administrator"
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
objectClass="user"
msNPAllowDialin="FALSE"
Querying an LDAP Server
If you would like to query your LDAP or Active Directory server to find out the LDAP attributes
of your users, there are several different methods. From a machine with ldapsearch tools (for
example a Linux machine with OpenLDAP installed) run the following command:
ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=sonicwall,dc=net" -w demo123 -b "dc=sonicwall,dc=net" > /tmp/file
Where:
10.0.0.5 is the IP address of the LDAP or Active Directory server
cn=demo,cn=users,dc=sonicwall,dc=net is the distinguished name of an LDAP user
demo123 is the password for the user demo
dc=sonicwall,dc=net is the base domain that you are querying
> /tmp/file is optional and defines the file where the LDAP query results will be saved.
For instructions on querying an LDAP server from a Windows server, refer to:
www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_adsrh_what.asp
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_adsrh_how.asp?frame=true
Group Configuration for Active Directory, NT and RADIUS Domains
For authentication to RADIUS, Microsoft NT domain or Active Directory servers (using
Kerberos), you can individually define AAA users and groups. This is not required, but it
enables you to create separate policies or bookmarks for individual AAA users.
When a user logs in, the SonicWALL SSL-VPN appliance will validate with the appropriate
Active Directory, RADIUS, or NT server that the user is authorized to log in. If the user is
authorized, the SonicWALL SSL-VPN appliance will check to see if the user exists in the
SonicWALL SSL-VPN appliance database of users and groups. If the user is defined, then the
policies and bookmarks defined for the user will apply.
For example, if you create a RADIUS domain in the SonicWALL SSL-VPN appliance called
Miami RADIUS server, you can add users to groups that are members of the Miami RADIUS
server domain. These user names must match the names configured in the RADIUS server.
Then, when users log in to the portal, policies, bookmarks and other user settings will apply to
the users. If the AAA user does not exist in the SonicWALL SSL-VPN appliance, then only the
global settings, policies and bookmarks will apply to the user.
This section contains the following subsections:
Bookmark Support for External (Non-Local) Users section on page 281
Adding a RADIUS Group section on page 281
Adding an Active Directory Group section on page 282
Users > Local Groups
281
SonicWALL SSL VPN 5.0 Administrators Guide
Bookmark Support for External (Non-Local) Users
The Virtual Office bookmark system allows bookmarks to be created at both the group and user
levels. The administrator can create both group and user bookmarks which will be propagated
to applicable users, while individual users can create only personal bookmarks.
Since bookmarks are stored within the SonicWALL SSL-VPN's local configuration files, it is
necessary for group and user bookmarks to be correlated to defined group and user entities.
When working with local (LocalDomain) groups and users, this is automated since the
administrator must manually define the groups and users on the appliance. Similarly, when
working with external (non-LocalDomain, for example, RADIUS, NT, LDAP) groups, the
correlation is automated since creating an external domain creates a corresponding local
group.
However, when working with external (non-LocalDomain) users, a local user entity must exist
so that any user-created (personal) bookmarks can be stored within the SonicWALL SSL-VPN's
configuration files. Bookmarks must be stored on the SonicWALL SSL-VPN itself because
LDAP, RADIUS, and NT Authentication external domains do not provide a facility to store
such information.
Rather than requiring administrators to manually create local users for external domain users
to use personal bookmarks, SonicWALL SSL VPN automatically creates a corresponding local
user entity upon user login. Bookmarks can be added to the locally-created user.
For example, if a RADIUS domain called myRADIUS is created, and RADIUS user jdoe logs on
to the SonicWALL SSL-VPN, the moment jdoe adds a personal bookmark, a local user called
jdoe will be created on the SonicWALL SSL-VPN appliance as type External, and can then be
managed like any other local user by the administrator. The external local user will remain until
deleted by the administrator.
Adding a RADIUS Group
Note Before configuring RADIUS groups, ensure that the RADIUS Filter-Id option is enabled for
the RADIUS Domain to which your group is associated. This option is configured in the
Portals > Domains page.
The RADIUS Groups tab allows the administrator to enable user access to the SSL-VPN based
on existing RADIUS group memberships. By adding one or more RADIUS groups to an SSL
VPN group, only users associated with specified RADIUS group(s) are allowed to login. To add
a RADIUS group, perform the following steps:
Step 1 In the Users > Local Groups page, click the configure button for the RADIUS group you want
to configure.
Step 2 On the RADIUS Groups tab, click the Add Group... button. The Add RADIUS Group page
displays.
Step 3 Enter the RADIUS Group name in the corresponding field. The group name must match the
RADIUS Filter-Id exactly.
Step 4 Click the Add button. The group displays in the RADIUS Groups section.
Adding an Active Directory Group
On SSL-VPN models 2000 and higher, the AD Groups tab allows the administrator to enable
user access to the SSL-VPN based on existing AD group memberships. By adding one or more
AD groups to an SSL VPN group, only users associated with specified AD group(s) are allowed
to login.
Note Before configuring an Active Directory group, ensure that you have already created an
Active Directory domain. This option is configured in the Portals > Domains page.
Note The AD Groups feature is only available on SonicWALL SSL-VPN models 2000 and higher.
To add an AD group, perform the following steps:
Step 1 In the Users > Local Groups page, click the configure button for the AD group you want to
configure.
Step 2 On the AD Groups tab, click the Add Group... button. The Add Active Directory Group page
displays.
Step 3 Enter the Active Directory Group name in the corresponding field.
Step 4 Optionally, check the Associate with AD group checkbox if you wish to associate the SSL
VPN group with your AD group. This step can also be completed at a later time in the Edit
Group page under the AD Groups tab.
Step 5 Click the Add button. The group displays in the Active Directory Groups section. The process
of adding a group may take several moments. Do not click the Add button more than once
during this process.
Creating a Citrix Bookmark for a Local Group
The Citrix support feature is available on SonicWALL SSL-VPN model 2000 and higher security
appliances and is supported on Windows, MacOS, and Linux clients. To configure a Citrix
bookmark for a local group, perform the following tasks:
Step 1 Navigate to Users > Local Groups.
Step 2 Click the configure icon next to the group you want to configure.
Step 3 In the Edit Group Settings window, select the Bookmarks tab.
Step 4 Click Add Bookmark...
Step 5 Enter a name for the bookmark in the Bookmark Name field.
Step 6 Enter the name or IP address of the bookmark in the Name or IP Address field.
Step 7 From the Service drop-down list, select Citrix Portal (Citrix). A checkbox for HTTPS Mode
displays.
Step 8 Optionally select the HTTPS Mode checkbox to enable HTTPS mode.
Step 9 Optionally, select Always use Java in Internet Explorer to use Java to access the Citrix Portal
when using Internet Explorer. Without this setting, a Citrix ICA client or XenApp plugin (an
ActiveX client) must be used with IE.
Step 10 Click OK.
Global Configuration
SonicWALL SSL-VPN appliance global configuration is defined from the Local Users or Local
Groups environment. To view either, click the Users option in the left navigation menu, then
click either the Local Users or Local Groups option. This section contains the following
configuration tasks:
Edit Global Settings section on page 284
Edit Global Policies section on page 286
Edit Global Bookmarks section on page 288
Edit Global Settings
To edit global settings, perform the following steps:
Step 1 Navigate to either the Users > Local Users or Users > Local Groups window.
Step 2 Click the configure icon next to Global Policies. The Edit Global Settings window is
displayed.
Step 3 On the General tab, enter the number of minutes of inactivity to allow in the Inactivity
Timeout field. This sets the inactivity timeout for all users or groups: users are signed out of
the Virtual Office after the specified period of inactivity.
Note The inactivity timeout can be set at the user, group and global level. If one or more timeouts
are configured for an individual user, the user timeout setting will take precedence over the
group timeout and the group timeout will take precedence over the global timeout. Setting
the global settings timeout to 0 disables the inactivity timeout for users that do not have a
group or user timeout configured.
Step 4 To allow users to add new bookmarks, select Allow from the Allow User to Add Bookmarks
drop-down menu. To prevent users from adding new bookmarks, select Deny.
Step 5 To allow users to edit or delete user-owned bookmarks, select Allow from the Allow User to
Edit/Delete Bookmarks drop-down menu. To prevent users from editing or deleting user-
owned bookmarks, select Deny.
Note Users cannot edit or delete group and global bookmarks.
Step 6 In the Automatically log into bookmarks drop-down list, select one of the following options:
User-controlled (enabled by default for new users): Select this option to allow users
to enable or disable single sign-on (SSO) automatic login for bookmarks. This setting
enables automatic login by default for new users.
User-controlled (disabled by default for new users): Select this option to allow users
to enable or disable single sign-on (SSO) automatic login for bookmarks. This setting
disables automatic login by default for new users.
Enabled: Select this option to enable automatic login for bookmarks.
Disabled: Select this option to disable automatic login for bookmarks.
Step 7 Click OK to save the configuration changes.
Step 8 Navigate to the Nx Settings tab.
Step 9 To set a client address range, enter a beginning address in the Client Address Range Begin
field and an ending address in the Client Address Range End field.
Step 10 On SonicWALL SSL-VPN models 2000 and higher, to set a client IPv6 address range, enter a
beginning IPv6 address in the Client IPv6 Address Range Begin field and an ending IPv6
address in the Client IPv6 Address Range End field.
Step 11 In the Exit Client After Disconnect drop-down list, select Enabled or Disabled.
Step 12 In the Uninstall Client After Exit drop-down list, select Enabled or Disabled.
Step 13 In the Create Client Connection Profile drop-down list, select Enabled or Disabled.
Step 14 In the User Name & Password Caching drop-down list, select one of the following:
Allow saving of user name only - Allow caching of the user name on the client. Users
will only need to enter their password when starting NetExtender.
Allow saving of user name & password - Allow caching of the user name and
password on the client. Users will be automatically logged in when starting
NetExtender, after the first login.
Prohibit saving of user name & password - Do not allow caching of the user name
and password on the client. Users will be required to enter both user name and
password when starting NetExtender.
Step 15 Navigate to the Nx Routes tab.
Step 16 In the Tunnel All Mode drop-down list, select Enabled to force all traffic for the user, including
traffic destined to the remote user's local network, over the SSL VPN NetExtender tunnel.
Tunnel All Mode is disabled by default.
Step 17 To add a client route, click Add Client Route...
Step 18 In the Add Client Route window, enter a destination network in the Destination Network field.
For example, enter the IPv4 network address 10.202.0.0. For IPv6, enter the IPv6 network
address in the form 2007::1:2:3:0.
IPv6 is supported on SonicWALL SSL-VPN models 2000 and higher.
Step 19 For an IPv4 destination network, type the subnet mask in the Subnet Mask/Prefix field using
decimal format (255.0.0.0, 255.255.0.0, or 255.255.255.0). For an IPv6 destination network,
type the prefix, such as 112.
Step 20 Click Add.
Step 21 Click OK to save the configuration changes.
Step 22 Navigate to the Policies tab.
Step 23 To add a policy, click Add Policy...
Step 24 In the Apply Policy To drop-down list, select one of the following: IP Address, IP Address
Range, All Addresses, Network Object, Server Path, URL Object, All IPv6 Address, IPv6
Address, or IPv6 Address Range.
Step 25 Enter a name for the policy in the Policy Name field.
Step 26 In the fields that appear based on your Apply Policy To settings, fill in the appropriate
information. For example, if you select IP Address in the Apply Policy To drop-down list, you
will need to supply the IP Address in the IP Address field and the service in the Service drop-
down list. If you select IPv6 Address Range, enter the beginning IPv6 address in the IPv6
Network Address field and the prefix that defines the IPv6 address range in the IPv6 Prefix
field. Optionally enter a port range (80-443) or a single port number into the Port Range/Port
Number field. This field is available when you select IP Address, IP Address Range, IPv6
Address, or IPv6 Address Range in the Apply Policy To drop-down list.
Step 27 Click Add.
Step 28 Click OK to save the configuration changes.
Step 29 Click the Bookmarks tab.
Step 30 To add a bookmark, click Add Bookmark...
Step 31 Enter a bookmark name in the Bookmark Name field.
Step 32 Enter the bookmark name or IP address in the Name or IP Address field.
Step 33 Select one of the following services from the Service drop-down list: Terminal Services (RDP
- ActiveX), Terminal Services (RDP - Java), Virtual Network Computing (VNC), Citrix
Portal (Citrix), Web (HTTP), Secure Web (HTTPS), File Shares (CIFS), File Transfer
Protocol (FTP), Telnet, Secure Shell Version 1 (SSHv1), or Secure Shell Version 2(SSHv2).
Note IPv6 is not supported on File Shares bookmarks.
Step 34 In the fields that appear based on your Service settings, fill in the appropriate information. For
example, if you select Terminal Services (RDP - ActiveX), you will need to select the desired
screen size from the Screen Size drop-down list.
Step 35 Click Add.
Step 36 Click OK to save the configuration changes.
Edit Global Policies
To define global access policies, perform the following steps:
Step 1 Navigate to either the Users > Local Users or Users > Local Groups window.
Step 2 Click the configure icon next to Global Policies. The Edit Global Settings window is
displayed.
Step 3 On the Policies tab, click Add Policy. The Add Policy window is displayed.
Note User and group access policies will take precedence over global policies.
Step 4 In the Apply Policy To drop-down list, select one of the following: IP Address, IP Address
Range, All Addresses, Network Object, Server Path, URL Object, All IPv6 Address, IPv6
Address, or IPv6 Address Range.
IPv6 is supported only on SonicWALL SSL-VPN models 2000 and higher.
Step 5 Type a name for the policy in the Policy Name field.
Note SonicWALL SSL-VPN appliance policies apply to the destination address(es) of the
SonicWALL SSL VPN connection, not the source address. You cannot permit or block a
specific IP address on the Internet from authenticating to the SonicWALL SSL-VPN
appliance through the policy engine.
If your policy applies to a specific IPv4 host, select the IP Address option from the
Apply Policy To drop-down list and enter the IPv4 address of the local host machine
in the IP Address field.
If your policy applies to a range of IPv4 addresses, select the IP Address Range option
from the Apply Policy To drop-down list and enter the IPv4 network address in the IP
Network Address field and the subnet mask in the Subnet Mask field.
If your policy applies to a specific IPv6 host, select the IPv6 Address option from the
Apply Policy To drop-down list and enter the IPv6 address of the local host machine
in the IPv6 Address field.
If your policy applies to a range of IPv6 addresses, select the IPv6 Address Range
option from the Apply Policy To drop-down list and enter the IPv6 network address in
the IPv6 Network Address field and the IPv6 prefix in the IPv6 Prefix field.
Step 6 Optionally enter a port range (80-443) or a single port number into the Port Range/Port
Number field. This field is available when you select IP Address, IP Address Range, IPv6
Address, or IPv6 Address Range in the Apply Policy To drop-down list.
Step 7 Select the service type in the Service drop-down list. If you are applying a policy to a network
object, the service type is defined in the network object.
Step 8 Select ALLOW or DENY from the Status drop-down list to either permit or deny SonicWALL
SSL VPN connections for the specified service and host machine.
Step 9 Click Add to update the configuration. Once the configuration has been updated, the new policy
will be displayed in the Edit Global Settings window. The global policies will be displayed in
the policy list in the Edit Global Settings window in the order of priority, from the highest
priority policy to the lowest priority policy.
Edit a Policy for a File Share
To edit file share access policies, perform the following steps:
Step 1 Navigate to either the Users > Local Users or Users > Local Groups window.
Step 2 Click the configure icon next to Global Policies. The Edit Global Settings window will be
displayed.
Step 3 Select the Policies tab.
Step 4 Click Add Policy.
Step 5 Select Server Path from the Apply Policy To drop-down list.
Step 6 Type a name for the policy in the Policy Name field.
Step 7 In the Resource field, select one of the following radio buttons for the type of resource:
Share (Server path)
Network (Domain list)
Servers (Computer list)
Step 8 In the Server Path field, enter the server path in the format servername/share/path or
servername\share\path. The prefixes \\, //, \ and / are acceptable.
Note Share and path provide more granular control over a policy. Both are optional.
Step 9 Select PERMIT or DENY from the Status drop-down list.
Step 10 Click Add.
Edit Global Bookmarks
To edit global bookmarks, perform the following steps:
Step 1 Navigate to either the Users > Local Users or Users > Local Groups page.
Step 2 Click the configure icon next to Global Policies. The Edit Global Settings window is displayed.
Step 3 On the Bookmarks tab, click Add Bookmark. An Add Bookmark window will be displayed.
Note When global bookmarks are defined, all users will see the defined bookmarks from the
SonicWALL SSL VPN user portal. Individual users will not be able to delete or modify global
bookmarks.
Step 4 Enter a descriptive name for the bookmark in the Bookmark Name field.
Step 5 Enter the domain name or the IP address of a host machine on the LAN in the Name or IP
Address field.
Step 6 Select the service type in the Service drop-down list.
Note Depending on the service you select from the Service drop-down list, additional fields may
appear. Fill in the information based on the service you select. For example, if you select
RDP - ActiveX or RDP - Java, a Screen Size drop-down list and other additional fields are
displayed.
Step 7 Click Add to update the configuration. Once the configuration has been updated, the new
global bookmark will be displayed in the bookmarks list in the Edit Global Settings window.
Chapter 11: Log Configuration
This chapter provides information and configuration tasks specific to the Log pages on the
SonicWALL SSL VPN Web-based management interface.
This chapter contains the following sections:
Log > View section on page 292
Log > Settings section on page 296
Log > Categories section on page 299
Log > ViewPoint section on page 300
Log > View
SonicWALL SSL VPN supports Web-based logging, syslog logging and email alert messages.
In addition, SonicWALL SSL VPN may be configured to email the event log file to the
SonicWALL SSL VPN administrator before the log file is cleared.
This section provides an overview of the Log > View page and a description of the configuration
tasks available on this page.
Log > View Overview section on page 292
Viewing Logs section on page 294
Emailing Logs section on page 295
Log > View Overview
The Log > View page allows the administrator to view the SonicWALL SSL VPN event log. The
event log can also be automatically sent to an email address for convenience and archiving.
Figure 39 Log > View
The Log > View page displays log messages in a sortable, searchable table. The SonicWALL
SSL-VPN appliance can store 250 Kilobytes of log data or approximately 1,000 log messages.
Each log entry contains the date and time of the event and a brief message describing the
event. Once the log reaches the log size limit, it is cleared, optionally after being emailed
to the SonicWALL SSL VPN administrator.
The log table size can be specified on the System > Administration page under Default Table
Size.
Column Views
Each log entry displays the following information:
Table 18 Log View Columns
Time: The time stamp displays the date and time of log events in the format
YY/MM/DD/HH/MM/SS (Year/Month/Day/Hour/Minute/Second). Hours are displayed in 24-hour
clock format. The date and time are based on the local time of the SSL VPN gateway, which is
configured in the System > Time page.
Priority: The level of severity associated with the event. Severity levels are Emergency, Alert,
Critical, Error, Warning, Notice, Information, and Debug.
Category: The category of the event message. Categories include Authentication,
Authorization & Access, GMS, NetExtender, System, Virtual Assist, and Web Application
Firewall.
Source: The IP address of the machine from which the user or administrator generated the log
event. The source IP address may not be displayed for certain events, such as system errors.
Destination: The name or IP address of the server or service associated with the event. For
example, if a user accessed an intranet Web site through the SSL VPN portal, the
corresponding log entry would display the IP address or Fully Qualified Domain Name (FQDN)
of the Web site accessed.
User: The name of the user who was logged into the appliance when the message was
generated.
Message: The text of the log message.
Navigating and Sorting Log View Table Entries
The Log > View page provides easy pagination for viewing large numbers of log events. You can
navigate these log events by using the facilities described in the following table:
Table 19 Log Table Navigation Facilities
Find: Searches for log entries containing a specified value, based on the criteria type you
select in the criteria list. Criteria include Time, Priority, Source, Destination, and User. Search
results are listed in different orders depending on the criteria type.
Exclude: Displays all log entries except those of the type specified in the criteria list.
Reset: Restores the default sequence of log entries after you have displayed them in an
alternate way using the search buttons.
Log > View Buttons
The Log > View page also contains options that allow the administrator to send or save log files
for external viewing or processing.
Table 20 Log rendering options
Export Log: Exports the current log contents to a text-based file. Local log contents are
cleared after an Export Log command.
Clear Log: Clears the current log contents.
E-Mail Log: Emails the current log contents to the address specified in the Log > Settings
page. Local log contents are cleared after an E-Mail Log command.
Because Export Log and E-Mail Log both clear the local log, and the log is also cleared when it
reaches its size limit, configure a syslog server on the Log > Settings page if you need a
continuous record of events.
Viewing Logs
The Log > View page allows the administrator to view the SonicWALL SSL VPN event log. The
SonicWALL SSL-VPN appliance maintains an event log for tracking system events, for
example, unsuccessful login attempts, NetExtender sessions, and logout events. This log can
be viewed in the Log > View page, or it can be automatically sent to an email address for
convenience and archiving.
The SonicWALL SSL-VPN appliance can store 250 Kilobytes of log data or approximately 1,000
log messages. Logs are displayed in a sortable, searchable table. The SonicWALL appliance
can alert you of events, such as a successful login or an exported configuration. Alerts can be
immediately emailed, either to an email address or to an email pager. Each log entry contains
the date and time of the event and a brief message describing the event. Once the log
reaches the log size limit, it is cleared, optionally after being emailed to the SonicWALL SSL
VPN administrator.
Each log entry displays the following information:
Table 21 Log View Columns
Time: Displays the date and time of log events in the format YY/MM/DD/HH/MM/SS
(Year/Month/Day/Hour/Minute/Second). Hours are displayed in 24-hour clock format. The date
and time are based on the local time of the SonicWALL SSL VPN gateway, which is configured
in the System > Time page.
Priority: Displays the level of severity associated with the event. Severity levels are
Emergency, Alert, Critical, Error, Warning, Notice, Information, and Debug.
Category: The category of the event message.
Source: Displays the IP address of the machine from which the user or administrator generated
the log event. The source IP address may not be displayed for certain events, such as system
errors.
Destination: Displays the name or IP address of the server or service associated with the
event. For example, if a user accessed an Internet Web site through the SonicWALL SSL VPN
portal, the corresponding log entry would display the IP address or Fully Qualified Domain
Name (FQDN) of the Web site accessed.
User: The name of the user who was logged into the appliance when the message was
generated.
Message: The text of the log message.
Emailing Logs
The E-mail Log button allows the administrator to immediately send a copy of the SonicWALL
SSL VPN event log to the configured address. This feature is useful for archiving the log by
email and for testing the email configuration and email filters across multiple SSL-VPN units.
To use the E-mail Log feature, perform the following tasks:
Step 1 Navigate to Log > View.
Step 2 Click the E-mail Log button.
Step 3 You will see the message Log has been successfully sent.
Note If you receive an error message, verify that the administrator email and mail server
information has been specified in the Event Logging and Alerts section of the Log >
Settings page. For instructions on configuring the administrator email, refer to Configuring
Log Settings on page 297.
Log > Settings
This section provides an overview of the Log > Settings page and a description of the
configuration tasks available on this page.
Log > Settings Overview section on page 296
Configuring Log Settings section on page 297
Configuring the Mail Server section on page 298
Log > Settings Overview
The Log > Settings page allows the administrator to configure log alert and syslog server
settings. Syslog is an industry-standard logging protocol that records system and networking
activity. The syslog messages are sent in WELF (WebTrends Enhanced Log Format), so most
standard firewalls and network reporting products can accept and interpret the log files. The
syslog service transmits syslog messages to external syslog server(s) listening on UDP port
514. Syslog over UDP is neither encrypted nor acknowledged: messages can be read or
dropped in transit, so place the syslog server on a trusted management network.
Figure 40 Log > Settings Page
Log Settings
The Log Settings section allows the administrator to specify the primary and secondary Syslog
server.
Event Logging and Alerts
The Event Logging and Alerts section allows the administrator to configure email alerts by
specifying the email address for logs to be sent to, the mail server, mail from address, and the
frequency to send alert emails. You can schedule a day and hour at which to email the event
log, or schedule a weekly email, or send the email when the log is full. You can enable SMTP
authentication and configure the user name and password along with the SMTP port.
Log & Alert Categories
The Log & Alert Categories section allows the administrator to select categories for Syslog,
Event log, and Alerts. The categories are: emergency, alert, critical, error, warning, notice, info,
and debug.
Configuring Log Settings
To configure log and alert settings, complete the following steps:
Step 1 To begin configuring event log, syslog and alert settings, navigate to the Log > Settings page.
Step 2 Enter the IP address or fully qualified domain name (FQDN) of your syslog server in the
Primary Syslog Server field. Leave this field blank if you do not require syslog logging.
Step 3 If you have a backup or second syslog server, enter the server's IP address or domain name
in the Secondary Syslog Server field.
Step 4 Designate when log files will be cleared and emailed to an administrator in the Send Event
Logs field. If When Full is selected, the event log is emailed and then cleared each time the
log file fills up. If Daily is selected, select the hour at which to email the event log. If Weekly is
selected, select the day of the week and the hour. If Daily or Weekly is chosen, the log file is
still sent if it fills up before the end of the period. In the Log > View page, you can click the
Clear Log button to delete the current event log; the event log is not emailed in this case.
Step 5 To receive event log files via email, enter your full email address (username@domain.com) in
the Email Event Logs to field in the Event Logging and Alerts region. The event log file will be
emailed to the specified email address before the event log is cleared. If this field is left blank,
log files will not be emailed.
Step 6 To receive alert messages via email, enter your full email address (username@domain.com) or
an email pager address in the Email Alerts to field. An email will be sent to the email address
specified if an alert event occurs. If this field is left blank, alert messages will not be emailed.
Note Define the type of events that will generate alert messages in the Log and Alert Categories
region of the Log > Settings page.
Step 7 To email log files or alert messages, enter the domain name or IP address of your mail server
in the Mail Server field. If this field is left blank, log files and alert messages will not be emailed.
Step 8 Specify a Mail From Address in the corresponding field. This address appears in the from field
of all log and alerts emails.
Step 9 To use SMTP authentication when sending log files, select the Enable SMTP Authentication
checkbox. The display will change to expose related fields. Enter the user name, password, and
the SMTP port to use. The default port is 25.
Step 10 Define the severity level of log messages that will be identified as syslog, event log or alert
messages in the Log & Alert Categories region of the Log > Settings page. Log categories
are organized from most to least critical. If a category is selected for a specific logging service,
then that log category and more critical events will be logged. For example, if the Error radio
button is selected for the Event Log service, then all Emergency, Alert, Critical, and Error events
will be stored in the internal log file.
Step 11 Click Accept to update your configuration settings.
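The script below is an added example, not appliance code or output: it parses syslog lines in the WELF key=value shape, derives the severity from the syslog PRI header, applies the same threshold rule as the Log & Alert Categories setting (choosing Error keeps Emergency, Alert, Critical and Error), and counts failed logins per source address, which is the first check a syslog receiver would run on this feed. The six sample lines are constructed; the field names src, usr, c and msg are assumptions, not the appliance's documented format.

```python
"""Parse WELF-style syslog lines, apply the severity threshold the Log & Alert
Categories radio buttons express, and flag sources with repeated failed logins.
Added example, not appliance code.  The sample lines are constructed in WELF
shape (key=value pairs, quoted when the value contains spaces); the field names
src, usr, c and msg are assumptions."""
import re
from collections import Counter

# Most to least critical, the order the guide lists them in; the syslog PRI
# header encodes facility * 8 + severity with the same 0..7 numbering.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<payload>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample feed: facility local0 (16), so PRI = 128 + severity.
SAMPLE_SYSLOG = """\
<134>id=sslvpn sn=XXXXXXXXXXXX time="2010-03-01 09:14:02" pri=6 c=1 src=203.0.113.5 usr=jdoe msg="User login successful"
<131>id=sslvpn sn=XXXXXXXXXXXX time="2010-03-01 09:14:30" pri=3 c=1 src=198.51.100.7 usr=admin msg="User login failed"
<131>id=sslvpn sn=XXXXXXXXXXXX time="2010-03-01 09:14:41" pri=3 c=1 src=198.51.100.7 usr=admin msg="User login failed"
<131>id=sslvpn sn=XXXXXXXXXXXX time="2010-03-01 09:15:03" pri=3 c=1 src=198.51.100.7 usr=root msg="User login failed"
<135>id=sslvpn sn=XXXXXXXXXXXX time="2010-03-01 09:15:10" pri=7 c=4 src=203.0.113.5 usr=jdoe msg="NetExtender client connected"
<129>id=sslvpn sn=XXXXXXXXXXXX time="2010-03-01 09:16:00" pri=1 c=16 msg="Configuration exported"
"""


def parse_line(line):
    """Return the WELF fields as a dict plus a 'severity' name, or None
    when the line does not start with a syslog PRI header."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, whole, quoted, bare in FIELD_RE.findall(m.group("payload")):
        fields[key] = quoted if whole.startswith('"') else bare
    fields["severity"] = SEVERITIES[int(m.group("pri")) % 8]
    return fields


def at_least(fields, threshold):
    """True if the event is at least as critical as `threshold`: selecting
    Error keeps Emergency, Alert, Critical and Error, as Step 10 describes."""
    return SEVERITIES.index(fields["severity"]) <= SEVERITIES.index(threshold)


def filter_events(text, threshold):
    """Parsed events from `text` that pass the severity threshold, in order."""
    parsed = (parse_line(l) for l in text.splitlines())
    return [e for e in parsed if e and at_least(e, threshold)]


def failed_logins_by_source(text, minimum=2):
    """Sources with `minimum` or more failed logins, a basic brute-force signal."""
    counts = Counter(e.get("src", "unknown") for e in filter_events(text, "debug")
                     if e.get("msg", "").lower().startswith("user login failed"))
    return {src: n for src, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    for e in filter_events(SAMPLE_SYSLOG, "error"):
        print(e["severity"], e.get("usr", "-"), e["msg"])
    print(failed_logins_by_source(SAMPLE_SYSLOG))
```

The severity is taken from the PRI header rather than from a payload field so the filter works for any WELF producer; if the appliance's own message text differs from the constructed msg values, only the prefix test in failed_logins_by_source needs to change.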
Configuring the Mail Server
In order to receive notification email and to enable the One Time Password feature, you must
configure the mail server from the Log > Settings page. If you fail to configure your mail server
prior to using the One Time Password feature, you will receive an error message.
For information about configuring the One Time Password feature, refer to One Time
Password Overview section on page 28.
To configure the mail server, perform the following steps:
Step 1 Log in to the SonicWALL SSL VPN management interface using administrator credentials.
Step 2 Navigate to Log > Settings.
Step 3 Type the email address where you want logs sent to in the Email Event Logs to field.
Step 4 Type the email address where you want alerts sent to in the Email Alerts to field.
Step 5 Type the IP address for the mail server you will be using in the Mail Server field.
Step 6 Type the email address for outgoing mail from your SonicWALL SSL-VPN appliance in the Mail
From Address field.
Step 7 Click Accept in the upper right-hand corner.
Log > Categories
This section provides an overview of the Log > Categories page and a description of the
various categories of event messages that can be viewed in the log. This page allows for each
category to be enabled or disabled by the administrator. This capability can be particularly
helpful when used to filter the log during the debug process.
Administrators can enable or disable checkboxes for each of the following log categories:
Authentication
Authorization & Access
GMS
NetExtender
System
Virtual Assist
Web Application Firewall
Once all selections have been made, click Accept in the upper right corner of the screen to
finish configuring the desired categories.
Log > ViewPoint
This section provides an overview of the Log > ViewPoint page and a description of the
configuration tasks available on this page.
Log > ViewPoint Overview section on page 300
Adding a ViewPoint Server section on page 300
Log > ViewPoint Overview
The Log > ViewPoint page allows the administrator to add the SonicWALL SSL-VPN appliance
to a ViewPoint server for installations that have SonicWALL ViewPoint available, or are
managed by the SonicWALL Global Management System (GMS) appliance management
software. This feature requires a ViewPoint license key.
ViewPoint is an integrated appliance management solution that:
Creates dynamic, web-based reports of SSL-VPN appliance and remote access activity
Generates both real-time and historical reports to provide a complete view of activity
through your SonicWALL SSL-VPN Appliance
Enables remote access monitoring
Enhances network security
Helps you to anticipate future bandwidth needs
Tip For more information about monitoring your SonicWALL appliances with ViewPoint, visit
<http://www.sonicwall.com/us/Centralized_Management_and_Reporting.html>
Adding a ViewPoint Server
This feature requires a ViewPoint license key. To add the SonicWALL SSL-VPN appliance to a
ViewPoint server and enable ViewPoint reporting on your SSL-VPN appliance, complete the
following steps:
Step 1 Navigate to the Log > ViewPoint page in the SonicWALL SSL VPN Web management
interface.
Note If you are using ViewPoint for the first time on this appliance or if you do not have a valid
license, the page directs you to the System > Licenses page to activate your license.
Step 2 In the ViewPoint Settings section, click the Add button. The Add ViewPoint Server screen
displays.
Step 3 In the Add ViewPoint Server screen, enter the Hostname or IP Address of your ViewPoint
server.
Step 4 Enter the Port on which your ViewPoint server communicates with managed devices.
Step 5 Click the OK button to add this server.
Step 6 To start ViewPoint report logging for the server you just added, select the Enable ViewPoint
checkbox.
Chapter 12: Virtual Office Configuration
This chapter provides information and configuration tasks specific to the Virtual Office page
on the SonicWALL SSL VPN Web-based management interface.
This chapter contains the following section:
Virtual Office section on page 301
Virtual Office
This section provides an overview of the Virtual Office page and a description of the
configuration tasks available on this page.
Virtual Office Overview section on page 302
Using the Virtual Office section on page 302
Virtual Office Overview
The Virtual Office option is located in the navigation bar of the SonicWALL SSL VPN
management interface.
The Virtual Office option launches the Virtual Office user portal in a separate Web browser
window. The Virtual Office is a portal that users can access in order to create and access
bookmarks, file shares, NetExtender sessions, and Virtual Assist.
Using the Virtual Office
To use the Virtual Office, perform the following tasks:
Step 1 From the SonicWALL SSL VPN Web-based management interface, click Virtual Office in the
navigation bar.
Step 2 A new browser window opens to the Virtual Office home page.
Note When you launch the Virtual Office from the Web-based management interface, you will be
automatically logged in with your administrator credentials.
Step 3 From the Virtual Office home page, you can:
Launch and install NetExtender
Use File Shares
Launch a Virtual Assist session
Add and configure bookmarks
Add and configure bookmarks for offloaded portals
Follow bookmark links
Import certificates
Get Virtual Office help
Configure a system for Virtual Access mode, if allowed by administrator
Configure passwords
Configure single sign-on options
Note For detailed configuration information about the Virtual Office user portal and these tasks,
refer to the SonicWALL SSL-VPN Users Guide, available on the Secure Remote Access
pages of the SonicWALL support Web site at http://www.sonicwall.com/us/Support.html.
Tip The Logout button will not appear in the Virtual Office when you are logged on as an
administrator. To log out, you must close the browser window.
Appendix A: Online Help
This appendix describes how to use the Online Help on the SonicWALL SSL VPN Web-based
management interface. This appendix also contains information about context-sensitive help.
This appendix contains the following sections:
Online Help section on page 306
Online Help
The Online Help button is located in the upper right corner of the SonicWALL SSL VPN
management interface.
The Online Help button launches the online help in a separate Web browser. The Online Help
button links to the main page of the online help document.
Using Context Sensitive Help
Context-sensitive help is available on most pages of the SonicWALL SSL VPN Web-based
management interface. Click the context-sensitive help button in the top right corner of
the page to get help that corresponds to the SonicWALL SSL VPN management page you are
using. Clicking the context-sensitive help button launches a separate browser window to the
corresponding documentation.
The same help icon appears next to certain fields and checkboxes throughout the management
interface. When you hover your mouse cursor over one of these help icons, a tooltip is
displayed containing important information about configuring the associated option.
Appendix B: Configuring SonicWALL
SSL VPN with a Third-Party Gateway
This appendix shows methods for configuring various third-party firewalls for deployment with
a SonicWALL SSL-VPN appliance.
This appendix contains the following sections:
Cisco PIX Configuration for SonicWALL SSL-VPN Appliance Deployment section on
page 308
Linksys WRT54GS section on page 315
WatchGuard Firebox X Edge section on page 316
NetGear FVS318 section on page 318
Netgear Wireless Router MR814 SSL configuration section on page 320
Check Point AIR 55 section on page 321
Microsoft ISA Server section on page 324
Cisco PIX Configuration for SonicWALL SSL-VPN
Appliance Deployment
Before you Begin
Make sure you have a management connection to the PIX's console port, or the ability to
Telnet/SSH into one of the PIX's interfaces. You will need to know the PIX's global and
enable-level passwords in order to access the device and issue changes to the configuration.
If you do not have these, contact your network administrator before continuing.
SonicWALL recommends updating the PIX's OS to the most recent version if your PIX can
support it. This document was validated on a Cisco PIX 515e running PIX OS 6.3.5, which is
the recommended version for interoperation with a SonicWALL SSL-VPN appliance. You will
need a valid Cisco SmartNET maintenance contract for your Cisco PIX and a CCO login to
obtain newer versions of the PIX OS.
Note The WAN/DMZ/LAN IP addresses used in the deployment method examples below are not
valid and will need to be modified to reflect your networking environment.
Note Recommended Version: PIX OS 6.3.5 or newer
Management Considerations for the Cisco Pix
Both deployment methods described below use the PIX's WAN interface IP address as the
means of external connectivity to the internal SonicWALL SSL-VPN appliance. The PIX can be
managed via HTTP/S, but its default management ports (80, 443) cannot be reassigned in the
recommended PIX OS version. Because those same ports are forwarded to the appliance, the
HTTP/S management interface must be deactivated. To deactivate the HTTP/S management
interface, issue the command clear http.
Note If you have a separate static WAN IP address to assign to the SonicWALL SSL-VPN
appliance, you do not have to deactivate the HTTP/S management interface on the PIX.
Method One SonicWALL SSL-VPN Appliance on LAN Interface
Step 1 From a management system, log into the SonicWALL SSL-VPN appliance's management
interface. By default the management interface is X0 and the default IP address is
192.168.200.1.
Step 2 Navigate to the Network > Interfaces page and click on the configure icon for the X0 interface.
On the pop-up that appears, change the X0 address to 192.168.100.2 with a mask of
255.255.255.0. When done, click on the OK button to save and activate the change.
Step 3 Navigate to the Network > Routes page and change the Default Gateway to 192.168.100.1
When done, click on the Accept button in the upper-right-hand corner to save and activate the
change.
Step 4 Navigate to the NetExtender > Client Addresses page. You will need to enter a range of IP
addresses for the 192.168.100.0/24 network that are not in use on your internal LAN network;
if your network has an existing DHCP server or the PIX is running a DHCP server on its internal
interface, you will need to make sure not to conflict with these addresses. For example: enter
192.168.100.201 in the field next to Client Address Range Begin:, and enter 192.168.100.249
in the field next to Client Address Range End:. When done, click on the Accept button in the
upper-right-hand corner to save and activate the change.
Step 5 Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0. If
there is an entry for 192.168.200.0, delete it.
Step 6 Navigate to the Network > DNS page and enter your internal network's DNS addresses,
internal domain name, and WINS server addresses. These are critical for NetExtender to
function correctly. When done, click on the Accept button in the upper-right-hand corner to
save and activate the change.
Step 7 Navigate to the System > Restart page and click on the Restart button.
Step 8 Install the SonicWALL SSL-VPN appliance's X0 interface on the LAN network of the PIX. Do
not hook up any of the appliance's other interfaces.
Step 9 Connect to the PIX's management CLI via console port, telnet, or SSH and enter configure
mode.
Step 10 Issue the command clear http to shut off the PIX's HTTP/S management interface.
Step 11 Issue the command access-list sslvpn permit tcp any host x.x.x.x eq www (replace x.x.x.x
with the WAN IP address of your PIX)
Step 12 Issue the command access-list sslvpn permit tcp any host x.x.x.x eq https (replace x.x.x.x
with the WAN IP address of your PIX)
Step 13 Issue the command static (inside,outside) tcp x.x.x.x www 192.168.100.2 www netmask
255.255.255.255 0 0 (replace x.x.x.x with the WAN IP address of your PIX)
Step 14 Issue the command static (inside,outside) tcp x.x.x.x https 192.168.100.2 https netmask
255.255.255.255 0 0 (replace x.x.x.x with the WAN IP address of your PIX)
Step 15 Issue the command access-group sslvpn in interface outside
Step 16 Exit config mode and issue the command wr mem to save and activate the changes.
Step 17 From an external system, attempt to connect to the SonicWALL SSL-VPN appliance using both
HTTP and HTTPS. If you cannot access the SonicWALL SSL-VPN appliance, check all steps
above and test again.
Final Config Sample (relevant programming in bold):
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password SqjOo0II7Q4T90ap encrypted
passwd SqjOo0II7Q4T90ap encrypted
hostname tenaya
domain-name vpntestlab.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging history warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp 64.41.140.167 www 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.41.140.167 https 192.168.100.2 https netmask 255.255.255.255 0 0
access-group sslvpn in interface outside
route outside 0.0.0.0 0.0.0.0 64.41.140.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community SF*&^SDG
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 20
dhcpd address 192.168.100.101-192.168.100.199 inside
dhcpd dns 192.168.100.10
dhcpd lease 600
dhcpd ping_timeout 750
dhcpd domain vpntestlab.com
dhcpd enable inside
terminal width 80
banner motd Restricted Access. Please log in to continue.
Cryptochecksum:422aa5f321418858125b4896d1e51b89
: end
tenaya#
Method Two SonicWALL SSL-VPN Appliance on DMZ Interface
This method is optional and requires that the PIX have an unused third interface, such as a PIX
515, PIX 525, or PIX 535. We will be using the default numbering scheme of the SonicWALL
SSL-VPN appliance.
Step 1 From a management system, log into the SonicWALL SSL-VPN appliance's management
interface. By default the management interface is X0 and the default IP address is
192.168.200.1.
Step 2 Navigate to the Network > Routes page and make sure the Default Gateway is set to
192.168.200.2 When done, click on the Accept button in the upper-right-hand corner to save
and activate the change.
Step 3 Navigate to the NetExtender > Client Addresses page. Enter 192.168.200.201 in the field
next to Client Address Range Begin:, and enter 192.168.200.249 in the field next to Client
Address Range End:. When done, click on the Accept button in the upper-right-hand corner
to save and activate the change.
Step 4 Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0 and
192.168.200.0.
Step 5 Navigate to the Network > DNS page and enter your internal network's DNS addresses,
internal domain name, and WINS server addresses. These are critical for NetExtender to
function correctly. When done, click on the Accept button in the upper-right-hand corner to
save and activate the change.
Step 6 Navigate to the System > Restart page and click on the Restart button.
Step 7 Install the SonicWALL SSL-VPN appliance's X0 interface on the unused DMZ network of the
PIX. Do not hook up any of the appliance's other interfaces.
Step 8 Connect to the PIX's management CLI via console port, telnet, or SSH and enter configure
mode.
Step 9 Issue the command clear http to shut off the PIX's HTTP/S management interface.
Step 10 Issue the command interface ethernet2 auto (or whatever interface you will be using)
Step 11 Issue the command nameif ethernet2 dmz security4 (or whatever interface you will be using)
Step 12 Issue the command ip address dmz 192.168.200.2 255.255.255.0
Step 13 Issue the command nat (dmz) 1 192.168.200.0 255.255.255.0 0 0
Step 14 Issue the command access-list sslvpn permit tcp any host x.x.x.x eq www (replace x.x.x.x
with the WAN IP address of your PIX)
Step 15 Issue the command access-list sslvpn permit tcp any host x.x.x.x eq https (replace x.x.x.x
with the WAN IP address of your PIX)
Step 16 Issue the command access-list dmz-to-inside permit ip 192.168.200.0 255.255.255.0
192.168.100.0 255.255.255.0
Step 17 Issue the command access-list dmz-to-inside permit ip host 192.168.200.1 any
Step 18 Issue the command static (dmz,outside) tcp x.x.x.x www 192.168.200.1 www netmask
255.255.255.255 0 0 (replace x.x.x.x with the WAN IP address of your PIX)
Step 19 Issue the command static (dmz,outside) tcp x.x.x.x https 192.168.200.1 https netmask
255.255.255.255 0 0 (replace x.x.x.x with the WAN IP address of your PIX)
Step 20 Issue the command static (inside,dmz) 192.168.100.0 192.168.100.0 netmask
255.255.255.0 0 0
Step 21 Issue the command access-group sslvpn in interface outside
Step 22 Issue the command access-group dmz-to-inside in interface dmz
Step 23 Exit config mode and issue the command wr mem to save and activate the changes.
Step 24 From an external system, attempt to connect to the SonicWALL SSL-VPN appliance using both
HTTP and HTTPS. If you cannot access the SonicWALL SSL-VPN appliance, check all steps
above and test again.
Final Config Sample (relevant programming in bold):
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password SqjOo0II7Q4T90ap encrypted
passwd SqjOo0II7Q4T90ap encrypted
hostname tenaya
domain-name vpntestlab.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
access-list dmz-to-inside permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz-to-inside permit ip host 192.168.200.1 any
pager lines 24
logging on
logging timestamp
logging buffered warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.200.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (dmz) 1 192.168.200.0 255.255.255.0 0 0
static (dmz,outside) tcp 64.41.140.167 www 192.168.200.1 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 64.41.140.167 https 192.168.200.1 https netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0
access-group sslvpn in interface outside
access-group dmz-to-inside in interface dmz
route outside 0.0.0.0 0.0.0.0 64.41.140.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 20
dhcpd address 192.168.100.101-192.168.100.199 inside
dhcpd dns 192.168.100.10
dhcpd lease 600
dhcpd ping_timeout 750
dhcpd domain vpntestlab.com
dhcpd enable inside
terminal width 80
banner motd Restricted Access. Please log in to continue.
Cryptochecksum:81330e717bdbfdc16a140402cb503a77
: end
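A configuration check for both PIX methods above, added here as an example and not part of the guide or of Cisco's tooling: it parses a PIX 6.3 running-config and confirms that each element of the recipe is present (HTTP/S management cleared, an ACL permitting www and https to the WAN address, the two static port translations, the access-group binding on the outside interface) and flags ssh/telnet management permitted from any source, which both sample configurations above allow. The sample config, WAN address and appliance address are taken from the guide's Method One; the function names, the inside_if parameter (set it to "dmz" for Method Two) and the severity labels are my own.

```python
import re

# Constructed sample: the guide's Method One configuration trimmed to the lines
# this check looks at (the WAN address 64.41.140.167 is the guide's example value).
SAMPLE_PIX_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
static (inside,outside) tcp 64.41.140.167 www 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.41.140.167 https 192.168.100.2 https netmask 255.255.255.255 0 0
access-group sslvpn in interface outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
: end
"""

PUBLISHED_PORTS = ("www", "https")  # the two ports the guide forwards to the appliance

ACL_RE = re.compile(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(
    r"static \((\w+),outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask 255\.255\.255\.255")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside$")
MGMT_RE = re.compile(r"(ssh|telnet) (\S+) (\S+) (\S+)$")


def parse_pix_lines(config):
    """Split a PIX 6.3 running-config into stripped lines, dropping blanks and ':' markers."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def check_pix_sslvpn_publishing(config, wan_ip, appliance_ip, inside_if="inside"):
    """Return a list of (severity, message) findings for the guide's publishing recipe.

    inside_if is "inside" for Method One and "dmz" for Method Two. An empty list
    means every required element is present and no wide-open management access was seen.
    """
    lines = parse_pix_lines(config)
    findings = []

    # 1. HTTP/S management must be cleared: ports 80/443 on the WAN address now
    #    belong to the appliance (the guide's 'clear http' step).
    if any(ln.startswith("http ") for ln in lines):
        findings.append(("error", "HTTP/S management still configured; issue 'clear http'"))

    # 2. Some ACL must permit tcp any -> wan_ip on www and https, and ideally nothing more.
    permitted = {}
    for ln in lines:
        m = ACL_RE.match(ln)
        if m and m.group(2) == wan_ip:
            permitted.setdefault(m.group(1), set()).add(m.group(3))
    for name, ports in permitted.items():
        extra = sorted(ports - set(PUBLISHED_PORTS))
        if extra:
            findings.append(("warn", f"ACL {name} also exposes {extra} on {wan_ip}"))
    sslvpn_acls = {n for n, p in permitted.items() if set(PUBLISHED_PORTS) <= p}
    if not sslvpn_acls:
        findings.append(("error", f"no ACL permits both www and https to host {wan_ip}"))

    # 3. Static port translations from the WAN address to the appliance, same port in and out.
    translated = set()
    for ln in lines:
        m = STATIC_RE.match(ln)
        if (m and m.group(1) == inside_if and m.group(2) == wan_ip
                and m.group(4) == appliance_ip and m.group(3) == m.group(5)):
            translated.add(m.group(3))
    for port in PUBLISHED_PORTS:
        if port not in translated:
            findings.append(("error", f"missing static ({inside_if},outside) tcp "
                                      f"{wan_ip} {port} {appliance_ip} {port}"))

    # 4. The ACL is only effective once bound inbound on the outside interface.
    bound = {m.group(1) for m in map(GROUP_RE.match, lines) if m}
    if not (sslvpn_acls & bound):
        findings.append(("error",
                         "SSL-VPN ACL not applied with 'access-group ... in interface outside'"))

    # 5. Management exposure carried by the sample configs: ssh/telnet from any source.
    #    Any-source on outside is an error; any-source on inside is a warning (telnet is cleartext).
    for m in map(MGMT_RE.match, lines):
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            sev = "error" if m.group(4) == "outside" else "warn"
            findings.append((sev, f"{m.group(1)} management permitted from any source on {m.group(4)}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_pix_sslvpn_publishing(
            SAMPLE_PIX_CONFIG, "64.41.140.167", "192.168.100.2"):
        print(f"[{severity}] {message}")
```

Run it against the output of `show running-config` from your own PIX, substituting your WAN and appliance addresses; on the guide's sample the recipe checks pass and only the three management-access findings remain.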
Linksys WRT54GS
The SonicWALL SSL-VPN should be configured on the LAN switch of the Linksys wireless
router.
This guide assumes that your Linksys is assigned a single WAN IP, via DHCP by the cable ISP
and is using the default LAN IP address scheme of 192.168.1.0/24.
Note Version 2.07.1 Firmware or newer is recommended for this setup.
To configure your Linksys for operation with the SonicWALL SSL-VPN appliance, you must
forward the SSL (443) port to the IP address of the SonicWALL SSL-VPN appliance.
Step 1 Login to the Linksys device.
Step 2 Navigate to the Applications & Gaming tab.
Step 3 Enter the following information:
Application: SSL VPN (the name for the port-forwarded application)
Port Range Start: 443 (the starting port number used by the application)
Port Range End: 443 (the ending port number used by the application)
Protocol: TCP (the SonicWALL SSL VPN application uses TCP)
IP Address: 192.168.1.10 (the IP address assigned to the SonicWALL SSL-VPN appliance)
Enable: Checked (select the checkbox to enable the SSL port forwarding)
Step 4 With the configuration complete, click the Save Settings button on the bottom of the page.
The Linksys is now ready for operations with the SonicWALL SSL-VPN appliance.
WatchGuard Firebox X Edge
This guide assumes that your WatchGuard Firebox X Gateway is configured with an IP of
192.168.100.1 and your SonicWALL SSL-VPN is configured with an IP of 192.168.100.2.
Note The steps below are similar for WatchGuard SOHO6 series firewall.
Before you get started, take note of which port the WatchGuard is using for management. If the
WatchGuard is not being managed on HTTPS (443), perform the following steps. If the
WatchGuard is being managed on HTTPS (443), you'll need to first review the notes within this
guide.
Step 1 Open a browser and enter the IP address of the WatchGuard Firebox X Edge appliance (for
example, 192.168.100.1). Once successful, you'll be brought to the System Status page (below).
Step 2 If the WatchGuard's management interface is already configured to accept HTTPS on port 443,
you will need to change the port in order to be able to manage both the SonicWALL SSL-VPN
and WatchGuard appliances.
Step 3 Navigate to Administration > System Security.
Figure 41 WatchGuard Administration > System Security Dialog Box
Step 4 Uncheck Use non-secure HTTP instead of secure HTTPS for administrative Web site.
Step 5 Change the HTTP Server Port to 444 and click the Submit button.
The WatchGuard will now be managed from the WAN on port 444. It should be accessed as
follows: https://<watchguard wan ip>:444
Step 6 In the left-hand navigation menu, Navigate to Firewall > Incoming.
Step 7 For the HTTPS Service, set Filter to Allow and enter the WAN IP of the SonicWALL SSL-VPN
appliance (192.168.100.2) in the Service Host field.
Step 8 Click the Submit button at the bottom of the page.
Your Watchguard Firebox X Edge is now ready for operations with the SonicWALL SSL-VPN
appliance.
NetGear FVS318
This guide assumes that your NetGear FVS318 Gateway is configured with an IP of
192.168.100.1 and your SonicWALL SSL-VPN is configured with an IP of 192.168.100.2.
Step 1 Click Remote Management from the left-hand index of your Netgear management interface.
In order for the SonicWALL SSL-VPN to function with your Netgear gateway device, you must
verify that the NetGear's management port will not conflict with the management port used by
the SonicWALL SSL-VPN appliance.
Step 2 Uncheck the Allow Remote Management box.
Step 3 Click the Accept button to save changes.
Note If Remote Management of the NetGear is desired, you must leave the box checked and
change the default port (8080 is recommended).
Step 4 Navigate to Add Service in the left-hand navigation.
Step 5 Click the Add Custom Service button.
Step 6 To create a service definition, enter the following information:
Name: HTTPS
Type: TCP/UDP
Start Port: 443
Finish Port: 443
Step 7 Navigate to Ports in the left-hand navigation.
Step 8 Click the Add button.
Step 9 Select HTTPS from the Service Name drop-down list.
Step 10 Select ALLOW always in the Action drop-down list.
Step 11 Enter the WAN IP address of the SonicWALL SSL-VPN appliance (ex.192.168.100.2) in the
Local Server Address field.
Step 12 Click Accept to save changes.
Your Netgear gateway device is now ready for operations with the SonicWALL SSL-VPN
appliance.
Netgear Wireless Router MR814 SSL configuration
This guide assumes that your NetGear Wireless Router is configured with an IP of
192.168.100.1 and your SonicWALL SSL-VPN is configured with an IP of 192.168.100.2.
Step 1 Navigate to Advanced > Port Management in the left-hand index of your Netgear
management interface.
Step 2 Click the Add Custom Service button in the middle of the page.
Step 3 Enter a service name in the Service Name field (ex. SSL VPN).
Step 4 Enter 443 in the Starting Port field.
Step 5 Enter 443 in the Ending Port field.
Step 6 Enter the WAN IP address of the SonicWALL SSL-VPN appliance (ex.192.168.100.2) in the
Local Server Address field.
Step 7 Click the Accept button.
Your Netgear wireless router is now ready for operations with the SonicWALL SSL-VPN
appliance.
Check Point AIR 55
Setting up a SonicWALL SSL-VPN with Check Point AIR 55
The first thing necessary to do is define a host-based network object. This is done under the
file menu Manage and Network Objects.
Figure 42 Check Point Host Node Object Dialog Box
Note The object is defined as existing on the internal network. Should you decide to locate the
SonicWALL SSL-VPN on a secure segment (sometimes known as a demilitarized zone)
then subsequent firewall rules will have to pass the necessary traffic from the secure
segment to the internal network.
Next, select the NAT tab for the object you have created.
Figure 43 Check Point NAT Properties Dialog Box
Here you will enter the external IP address (if it is not the existing external IP address of the
firewall). The translation method to be selected is static. Clicking OK will automatically create
the necessary NAT rule shown below.
Figure 44 Check Point NAT Rule Window
Static Route
Most installations of Check Point AIR55 require a static route. This route will send all traffic from
the public IP address for the SonicWALL SSL-VPN to the internal IP address.
#route add 64.41.140.167 netmask 255.255.255.255 192.168.100.2
ARP
Check Point AIR55 contains a feature called auto-ARP creation. This feature will automatically
add an ARP entry for a secondary external IP address (the public IP address of the SonicWALL
SSL-VPN). If running Check Point on a Nokia security platform, Nokia recommends that users
disable this feature. As a result, the ARP entry for the external IP address must be added
manually within the Nokia Voyager interface.
Finally, a traffic or policy rule is required for all traffic to flow from the Internet to the SonicWALL
SSL-VPN.
Figure 45 Check Point Policy Rule Window
Again, should the SonicWALL SSL-VPN be located on a secure segment of the Check Point
firewall, a second rule allowing the relevant traffic to flow from the SonicWALL SSL-VPN to the
internal network will be necessary.
Microsoft ISA Server
Deploying a SonicWALL SSL-VPN Behind a Microsoft ISA Server
This section describes how to set up a SonicWALL SSL-VPN appliance behind a Microsoft ISA
Server on a Windows Small Business Server (SBS) network. The SBS has an external and an
internal network card and ISA is configured in integrated mode. The procedures described in
this section have been tested on ISA 2004, but are similar for ISA 2000 and 2006.
Because the SSL-VPN uses the HTTPS protocol on port 443, inbound traffic addressed to port
443 needs to arrive at the SSL-VPN unchanged after traversing the ISA server. However, the
ISA server acts as a proxy when you deploy the SSL-VPN as a Web server behind it and it
does not support HTTPS CONNECT methods.
When ISA intercepts the SSL traffic, it interprets the external HTTP CONNECT method as SSL-
TUNNEL traffic with a CONNECT request (a CERN Proxy request), which is an outbound
request, and ISA will drop it. When this happens, remote users will not be able to access
various client applications including Telnet, SSH, VNC, NetExtender, RDP, and Virtual Assist
when connecting through the SonicWall SSL VPN Web portal.
If the SBS is connected to a gateway device or router, the gateway or router must be configured
to forward incoming SSL traffic on port 443 to the external network card of the Small Business
Server. This port forwarding task is beyond the scope of this section.
Configuring ISA
The SonicWALL SSL-VPN must be published as a Server (not a Web Server) within ISA to
allow the inbound SSL connection through the ISA firewall.
Configuration Tasks
You will need to perform the following tasks to configure ISA:
Configure an inbound Protocol Definition for port 443.
Configure a Server Publishing Rule for the SonicWALL SSL-VPN to make the server
available to external users.
Configure the incoming Web requests listener to ignore inbound SSL traffic.
Configuring a Protocol Definition
To configure an inbound Protocol Definition, perform the following steps on your ISA:
Step 1 In the management interface, create a Protocol Definition.
Step 2 Name it SSL.
Step 3 Set the Port number to 443.
Step 4 Set the Protocol type to TCP.
Step 5 Set the Direction to Inbound.
Step 6 Click OK.
Configuring a Server Publishing Rule
As a prerequisite to configuring a Server Publishing Rule, you only need the Protocol Definition
configured above. You do not need any of the following configurations:
Protocol Rule Although the SonicWALL SSL-VPN is configured as a SecureNAT client, it
will not require a protocol rule for outbound traffic. This is because the SSL-VPN does not
initiate outbound connections, but only responds to requests made by remote clients.
Packet Filter The Server Publishing Rule will open or close ports without the need for a
packet filter.
Site and Content Rule Responses to inbound requests by a published server are
automatically allowed. A site and content rule is not required to allow responses.
To configure a Server Publishing Rule for the SonicWALL SSL-VPN, perform the following
steps in the ISA management interface:
Step 1 Start the Server Publishing Wizard.
Step 2 Enter a descriptive name for the server, such as SonicWALL SSL-VPN.
Step 3 On the General tab in the SonicWALL SSL-VPN Properties window, select the Enable check
box.
Step 4 Click the Action tab.
Step 5 Enter the IP address of the SonicWALL SSL-VPN appliance in the IP address of internal
server field.
Step 6 Enter SSL as the Mapped server protocol. This is the SSL Protocol Definition created
previously.
Step 7 Click OK.
Disabling the Incoming Web Requests Listeners
The default behavior of ISA is to redirect all incoming Web requests on port 80 and 443 to the
Web Proxy Service instead of allowing them to pass through to the SonicWALL SSL-VPN. In
order to allow traffic arriving on port 443 to reach the SonicWALL, you must disable the Web
requests listeners on the ISA server.
To disable the incoming Web requests listeners, perform the following steps:
Step 1 In the ISA server Properties window, click the Web Proxy tab (Incoming Web Requests tab
on ISA 2000).
Step 2 In the SSL section, clear the Enable SSL check box. (On ISA 2000, in the Identification
section, clear the Enable SSL listeners check box.)
Step 3 Click OK.
Appendix C: Use Cases
This appendix provides the following use cases:
Importing CA Certificates on Windows on page 327
Creating Unique Access Policies for AD Groups on page 331
Importing CA Certificates on Windows
Two certificates are imported in this use case, a goDaddy certificate and a server certificate.
See the following sections:
Importing a goDaddy Certificate on Windows on page 327
Importing a Server Certificate on Windows on page 330
Importing a goDaddy Certificate on Windows
In this use case, we format a goDaddy Root CA Certificate on a Windows system and then
import it to our SonicWALL SSL-VPN.
Step 1 Double-click on the goDaddy.p7b file to open the Certificates window, and navigate to the
goDaddy certificate.
The .p7b format is a PKCS#7 certificate bundle, a very common format for distributing one or more certificates (typically a CA certificate or a chain). It carries certificates only, never a private key.
Step 2 Double-click the certificate file and select the Details tab.
Step 3 Click Copy to File. The Certificate Export Wizard launches.
Step 4 In the Certificate Export Wizard, click Next.
Step 5 Select Base-64 encoded X.509 (.CER) and then click Next.
Step 6 In the File to Export screen, type the file name in as goDaddy.cer and then click Next.
Step 7 In the Completing the Certificate Export Wizard screen, verify the path and format and then click
Finish.
Step 8 Click OK in the confirmation dialog box.
The certificate is exported in base-64 encoded format. You can view it in a text editor.
Step 9 In the SonicWALL SSL-VPN management interface, navigate to System > Certificates.
Step 10 In the Additional CA Certificates section, click Import CA Certificate. The Import Certificate
window appears.
Step 11 In the Import Certificate window, click Browse and navigate to the goDaddy.cer file on your
Windows system and double-click it.
Step 12 Click Upload. The certificate will be listed in the Additional CA Certificates table.
Step 13 Navigate to System > Restart and restart the SonicWALL SSL-VPN for the CA certificate to
take effect.
Importing a Server Certificate on Windows
In this use case, we export a server certificate issued by a Microsoft CA from a Windows system and import it into the SonicWALL SSL-VPN. Here the purpose is to use the SSL certificate for application offloading to a mail server.
The server certificate is mail.chaoslabs.nl. This certificate needs to be exported in base-64 format as the server.crt file, which is put in a .zip file and uploaded as a Server Certificate.
The private key is not included in the .p7b file. It must be exported from the system on which the key pair was generated, saved in base-64 format as a server.key file, and added to the same .zip file. Because the .zip then holds the private key in plaintext, treat it as secret material: transfer it only over a protected channel and delete it once the upload has succeeded.
Step 1 Double-click on the mail.chaoslabs.nl.p7b file and navigate to the certificate.
Step 2 Double-click the certificate file and select the Details tab.
Step 3 Click Copy to File.
Step 4 In the Certificate Export Wizard, select Base-64 encoded X.509 (.CER).
Step 5 Click Next and save the file as server.crt on your Windows system.
The certificate is exported in base-64 encoded format.
Step 6 Add the server.crt file to a .zip file.
Step 7 Separately save the private key in base-64 format as server.key.
Step 8 Add the server.key file to the .zip file that contains server.crt.
Step 9 Upload the .zip file to the server as a Server Certificate.
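The two procedures above are the Windows GUI way of doing two things: extracting a certificate from a PKCS#7 bundle into base-64 X.509, and pairing a server certificate with its private key for upload. The Python script below is an added example, not code from this guide or from SonicWALL. It does the same work with openssl (assumed to be on the PATH) and adds the check worth running before the .zip is uploaded: that server.key really belongs to server.crt. The self-signed certificate and keys it creates are throwaway test material generated by the script itself, not the goDaddy or mail.chaoslabs.nl files; p7b_to_pem, key_matches_cert, build_upload_zip and demo are the example's own names.

```python
"""Added example (not code from this guide or from SonicWALL): the PKCS#7 to
base-64 X.509 conversion the Windows wizard performs, the server.crt/server.key
pairing check, and packaging of the upload .zip, all via openssl on the PATH.
All certificates and keys used here are throwaway material generated by demo()."""
import subprocess
import tempfile
import zipfile
from pathlib import Path


def run(*args):
    """Run one openssl subcommand; return its stdout, raise on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True).stdout


def p7b_to_pem(p7b, out):
    """Extract every certificate in a .p7b into a base-64 (PEM) X.509 file.
    Windows exports PKCS#7 as DER, so that is tried first, then PEM.
    Returns the number of certificates written."""
    try:
        text = run("pkcs7", "-inform", "DER", "-in", str(p7b), "-print_certs")
    except subprocess.CalledProcessError:
        text = run("pkcs7", "-inform", "PEM", "-in", str(p7b), "-print_certs")
    kept, inside = [], False
    for line in text.decode().splitlines():   # drop the subject=/issuer= lines
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        if inside:
            kept.append(line)
        if line.startswith("-----END CERTIFICATE-----"):
            inside = False
    Path(out).write_text("\n".join(kept) + "\n")
    return sum(1 for line in kept if line.startswith("-----BEGIN CERTIFICATE-----"))


def key_matches_cert(cert, key):
    """True when the public key inside the certificate equals the public half
    of the private key (both compared in SubjectPublicKeyInfo PEM form)."""
    cert_pub = run("x509", "-in", str(cert), "-noout", "-pubkey")
    key_pub = run("pkey", "-in", str(key), "-pubout")
    return b"".join(cert_pub.split()) == b"".join(key_pub.split())


def build_upload_zip(cert, key, out):
    """Package server.crt and server.key under the names the appliance expects,
    refusing to do so when the key does not belong to the certificate.
    Returns the member names written."""
    if not key_matches_cert(cert, key):
        raise ValueError("server.key does not match server.crt; wrong key file?")
    with zipfile.ZipFile(out, "w") as z:
        z.write(cert, "server.crt")
        z.write(key, "server.key")
    with zipfile.ZipFile(out) as z:
        return sorted(z.namelist())


def demo():
    """Throwaway material: a self-signed key/cert created here, wrapped in a DER
    .p7b the way Windows hands it to you, then converted, checked and packaged."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=mail.example.test",
            "-keyout", str(d / "server.key"), "-out", str(d / "server.crt"))
        run("crl2pkcs7", "-nocrl", "-certfile", str(d / "server.crt"),
            "-outform", "DER", "-out", str(d / "server.p7b"))
        count = p7b_to_pem(d / "server.p7b", d / "server.cer")
        paired = key_matches_cert(d / "server.cer", d / "server.key")
        names = build_upload_zip(d / "server.cer", d / "server.key", d / "server.zip")
        # A key belonging to some other certificate must be refused.
        run("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
            "-out", str(d / "other.key"))
        try:
            build_upload_zip(d / "server.cer", d / "other.key", d / "wrong.zip")
            rejected = False
        except ValueError:
            rejected = True
        return count, paired, rejected, names


if __name__ == "__main__":
    print(demo())
```

On real material, call p7b_to_pem on the exported .p7b, then build_upload_zip on the resulting .cer and the key file; demo() exercises the whole path on generated input. The resulting .zip contains the private key unencrypted, so handle it as a secret and remove it after the upload.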
Creating Unique Access Policies for AD Groups
In this use case, we add Outlook Web Access (OWA) resources to the SonicWALL SSL-VPN,
and need to configure the access policies for users in multiple Active Directory (AD) groups.
We will create a local group for each AD group and apply separate access policies to each local
group.
Note The AD Groups feature is only available on SonicWALL SSL-VPN models 2000 and higher.
While Active Directory allows a user to be a member of multiple groups, the SonicWALL SSL-VPN
allows each user to belong to only a single local group, and it is this group that determines the
access policies applied to the user.
When importing a user from AD, the user will be placed into the local SSL-VPN group with
which they have the most AD groups in common. For example: Bob belongs to the Users,
Administrators, and Engineering AD groups. If one SSL-VPN group is associated with Users,
and another is associated with both Administrators and Engineering, Bob will be assigned to
the SSL-VPN group with both Administrators and Engineering because it matches more of his
own AD groups.
The goal of this use case is to show that SonicWALL SSL-VPN firmware supports group-based
access policies by configuring the following:
Allow Acme Group in Active Directory to access the 10.200.1.102 server using SSH
Allow Mega Group in Active Directory to access Outlook Web Access (OWA) at 10.200.1.10
Allow IT Group in Active Directory to access both SSH and OWA resources defined above
Deny access to these resources to all other groups
This example configuration is provided courtesy of Vincent Cai, June 2008.
Figure 46 Network Topology
Perform the tasks in order of the following sections:
Creating the Active Directory Domain on page 332
Adding a Global Deny All Policy on page 333
Creating Local Groups on page 334
Adding the SSHv2 PERMIT Policy on page 336
Adding the OWA PERMIT Policies on page 337
Verifying the Access Policy Configuration on page 339
Creating the Active Directory Domain
This section describes how to create the SonicWALL SSL-VPN Local Domain, SNWL_AD.
SNWL_AD is associated with the Active Directory domain of the OWA server.
Step 1 Log in to the SonicWALL SSL-VPN management interface and navigate to the Portals >
Domains page.
Step 2 Click Add Domain. The Add Domain window appears.
Step 3 In the Authentication type drop-down list, select Active Directory.
Step 4 In the Domain name field, type SNWL_AD.
Step 5 In the Active Directory domain field, type the AD domain name, in.loraxmfg.com.
Step 6 In the Server address field, type the IP address of the OWA server, 10.200.1.10.
Step 7 Click Add.
Step 8 View the new domain in the Portals > Domains page.
Adding a Global Deny All Policy
This procedure creates a policy that denies access to every server in the 10.200.1.0/24 network,
which holds both the SSH server and the OWA server, for all groups except those later given an
explicit PERMIT policy.
The SonicWALL SSL-VPN default policy is Allow All. To get more granular control, we add a
Deny All policy here and then add PERMIT policies for each group, one at a time.
Step 1 Navigate to the Users > Local Users page.
Step 2 Click the Configure button in the Global Policies row. The Edit Global Policies window
appears.
Step 3 In the Edit Global Policies window, click the Policies tab.
Step 4 Click Add Policy. The Add Policy window appears.
Step 5 Select IP Address Range from the Apply Policy To drop-down list.
Step 6 In the Policy Name field, type the descriptive name Deny All.
Step 7 In the IP Network Address field, type the network address, 10.200.1.0.
Step 8 In the Subnet Mask field, type the mask in decimal format, 255.255.255.0.
Step 9 In the Service drop-down list, select All Services.
Step 10 In the Status drop-down list, select DENY.
Step 11 Click Add.
Step 12 In the Edit Global Policies window, verify the Deny All policy settings and then click OK.
Creating Local Groups
This procedure creates Local Groups that belong to the SNWL_AD domain on the SSL-VPN.
We create one local group for each Active Directory group.
Adding the Local Groups
Step 1 Navigate to the Users > Local Groups page and click Add Group. The Add Local Group
window appears. We will add three local groups, corresponding to our Active Directory groups.
Step 2 In the Add Local Group window, type Acme_Group into the Group Name field.
Step 3 Select SNWL_AD from the Domain drop-down list.
Step 4 Click Add.
Step 5 On the Users > Local Groups page, click Add Group to add the second local group.
Step 6 In the Add Local Group window, type Mega_Group into the Group Name field.
Step 7 Select SNWL_AD from the Domain drop-down list.
Step 8 Click Add.
Step 9 On the Users > Local Groups page, click Add Group to add the third local group.
Step 10 In the Add Local Group window, type IT_Group into the Group Name field.
Step 11 Select SNWL_AD from the Domain drop-down list.
Step 12 Click Add.
Step 13 View the added groups on the Users > Local Groups page.
Configuring the Local Groups
In this procedure we will edit each new local group and associate it with the corresponding
Active Directory Group.
Step 1 Click the Configure button in the Acme_Group row. The Edit Group Settings window
appears.
Step 2 In the Edit Group Settings window, click the AD Groups tab.
Step 3 On the AD Groups tab, click the Add Group button.
Step 4 In the Edit Active Directory Group window, select Acme Group from the Active Directory
Group drop-down list.
Step 5 Click Edit.
Acme Group is listed in the Active Directory Groups table on the AD Groups tab.
Step 6 In the Edit Group Settings window, click OK.
Step 7 On the Users > Local Groups page, click the Configure button in the Mega_Group row. The
Edit Group Settings window appears.
Step 8 In the Edit Group Settings window, click the AD Groups tab and then click the Add Group
button.
Step 9 In the Edit Active Directory Group window, select Mega Group from the Active Directory
Group drop-down list and then click Edit.
Mega Group is listed in the Active Directory Groups table on the AD Groups tab.
Step 10 In the Edit Group Settings window, click OK.
Step 11 On the Users > Local Groups page, click the Configure button in the IT_Group row. The Edit
Group Settings window appears.
Step 12 In the Edit Group Settings window, click the AD Groups tab and then click the Add Group
button.
Step 13 In the Edit Active Directory Group window, select IT Group from the Active Directory Group
drop-down list and then click Edit.
IT Group is listed in the Active Directory Groups table on the AD Groups tab.
Step 14 In the Edit Group Settings window, click OK.
At this point, we have created the three Local Groups and associated each with its Active
Directory Group.
Adding the SSHv2 PERMIT Policy
In this section, we will add the SSHv2 PERMIT policy for both Acme_Group and IT_Group to
access the 10.200.1.102 server using SSH.
This procedure creates a policy for the SonicWALL SSL-VPN Local Group, Acme_Group, and
results in SSH access for members of the Active Directory group, Acme Group.
Repeat this procedure for IT_Group to provide SSH access to the server for members of the
Active Directory group, IT Group.
Step 1 On the Users > Local Groups page, click the Configure button in the Acme_Group row. The
Edit Group Settings window appears.
Step 2 In the Edit Group Settings window, click the Policies tab.
Step 3 On the Policies tab, click Add Policy.
Step 4 In the Add Policy window, select IP Address in the Apply Policy To drop-down list.
Step 5 In the Policy Name field, enter the descriptive name, Allow SSH.
Step 6 In the IP Address field, enter the IP address of the target server, 10.200.1.102.
Step 7 In the Services drop-down list, select Secure Shell Version 2 (SSHv2).
Step 8 In the Status drop-down list, select PERMIT, and then click Add.
Step 9 In the Edit Group Settings window, click OK.
Adding the OWA PERMIT Policies
In this section, we will add two OWA PERMIT policies for both Mega_Group and IT_Group to
access the OWA service using Secure Web (HTTPS).
This procedure creates a policy for the SonicWALL SSL-VPN Local Group, Mega_Group, and
results in OWA access for members of the Active Directory group, Mega Group.
To access the Exchange server, adding a PERMIT policy to the 10.200.1.10/exchange URL
Object itself is not enough. Another URL Object policy is needed that permits access to
10.200.1.10/exchweb, because some OWA Web contents are located in the exchweb
directory.
Repeat this procedure for IT_Group to provide OWA access for members of the Active
Directory group, IT Group.
Note In this configuration, members of IT_Group and Mega_Group are denied access to the
https://owa-server/public folder, because these groups have access only to the /exchange
and /exchweb subfolders.
The OWA policies are applied to Exchange server URL Objects rather than server IP addresses
since OWA is a Web service.
Step 1 In the Users > Local Groups page, click the Configure button in the Mega_Group row. We
will create two PERMIT policies for Mega_Group to allow access to the OWA Exchange server.
Step 2 In the Edit Group Settings window, click the Policies tab, and then click Add Policy.
Step 3 In the Add Policy window, select URL Object in the Apply Policy To drop-down list.
Step 4 In the Policy Name field, enter the descriptive name, OWA.
Step 5 In the Service drop-down list, select Secure Web (HTTPS).
Step 6 In the URL field, enter the URL of the target application, 10.200.1.10/exchange.
Step 7 In the Status drop-down list, select PERMIT, and then click Add.
Step 8 In the Edit Group Settings window on the Policies tab, click Add Policy.
Step 9 In the Add Policy window, select URL Object in the Apply Policy To drop-down list.
Step 10 In the Policy Name field, enter the descriptive name, OWA exchweb.
Step 11 In the Service drop-down list, select Secure Web (HTTPS).
Step 12 In the URL field, enter the URL of the target application, 10.200.1.10/exchweb.
Step 13 In the Status drop-down list, select PERMIT, and then click Add.
Step 14 In the Edit Group Settings window, click OK. We are finished with the policies for
Mega_Group. Repeat this procedure for IT_Group to provide OWA access for members of the
Active Directory group, IT Group.
Verifying the Access Policy Configuration
At this point:
Acme_Group users are allowed to access SSH to 10.200.1.102
Mega_Group users are allowed to access OWA at 10.200.1.10
IT_Group users are allowed to access both SSH and OWA as defined above
The configuration can be verified by logging in as different AD group members to the SNWL_AD
domain on the SonicWALL SSL-VPN, and attempting to access the resources.
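Before logging in as each test user, the expected outcome can be worked out from the two rules this use case depends on: the single-group assignment described at the start of the use case, and the global Deny All plus the per-group PERMIT policies just configured. The Python model below is an added example, not code from this guide or from the appliance. Group names, addresses and URL objects are the guide's; three things are assumptions rather than documented appliance behaviour: group policies are checked before global ones, a URL object matches its own path and everything beneath it, and a user whose AD memberships tie between two local groups is reported as ambiguous instead of being silently placed in one of them.

```python
"""Added example, not SonicWALL code: a model of the group-assignment rule and
the Deny All / PERMIT policies from the AD use case. Names, addresses and URL
objects come from the guide; the evaluation order, the URL-prefix match and the
tie handling are assumptions made here for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Local SSL-VPN group -> the Active Directory groups associated with it.
LOCAL_GROUPS = {
    "Acme_Group": {"Acme Group"},
    "Mega_Group": {"Mega Group"},
    "IT_Group": {"IT Group"},
}


def assign_local_group(user_ad_groups, local_groups=LOCAL_GROUPS):
    """The appliance places a user in the one local group sharing the most AD
    groups with them. Returns None when nothing overlaps; raises on a tie
    (assumption: a tie is better reported than silently resolved)."""
    user = set(user_ad_groups)
    scores = {lg: len(ad & user) for lg, ad in local_groups.items()}
    best = max(scores.values(), default=0)
    if best == 0:
        return None
    winners = [lg for lg, s in scores.items() if s == best]
    if len(winners) > 1:
        raise ValueError(f"tie between local groups {winners}; "
                         "the appliance allows only one group per user")
    return winners[0]


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str      # "ip", "range" or "url": the guide's Apply Policy To choices
    target: str    # host IP, CIDR network, or host/path URL object
    service: str   # "SSHv2", "HTTPS" or "ALL"
    action: str    # "PERMIT" or "DENY"

    def matches(self, host, path, service):
        if self.service != "ALL" and self.service != service:
            return False
        if self.kind == "ip":
            return host == self.target
        if self.kind == "range":
            return ip_address(host) in ip_network(self.target)
        if self.kind == "url":   # assumption: the object covers its subtree
            url_host, _, url_path = self.target.partition("/")
            url_path = "/" + url_path
            return host == url_host and (
                path == url_path or path.startswith(url_path + "/"))
        raise ValueError(f"unknown policy kind {self.kind!r}")


# Users > Local Users > Global Policies: the Deny All added in the use case.
GLOBAL_POLICIES = [Policy("Deny All", "range", "10.200.1.0/24", "ALL", "DENY")]

ALLOW_SSH = Policy("Allow SSH", "ip", "10.200.1.102", "SSHv2", "PERMIT")
OWA = Policy("OWA", "url", "10.200.1.10/exchange", "HTTPS", "PERMIT")
OWA_EXCHWEB = Policy("OWA exchweb", "url", "10.200.1.10/exchweb", "HTTPS", "PERMIT")

GROUP_POLICIES = {
    "Acme_Group": [ALLOW_SSH],
    "Mega_Group": [OWA, OWA_EXCHWEB],
    "IT_Group": [ALLOW_SSH, OWA, OWA_EXCHWEB],
}


def decide(local_group, host, path, service):
    """First matching policy wins, group policies ahead of global ones
    (assumption). With no match at all the appliance default (Allow All)
    applies, which is why the use case installs the global Deny All first."""
    for policy in GROUP_POLICIES.get(local_group, []) + GLOBAL_POLICIES:
        if policy.matches(host, path, service):
            return policy.action
    return "PERMIT"


# The resources from the verification section, as (host, path, service).
PROBES = {
    "SSH": ("10.200.1.102", "", "SSHv2"),
    "OWA": ("10.200.1.10", "/exchange", "HTTPS"),
    "OWA public folder": ("10.200.1.10", "/public", "HTTPS"),
}


def effective_access(user_ad_groups):
    """Resource labels a user with these AD memberships ends up able to reach."""
    group = assign_local_group(user_ad_groups)
    return {label for label, (h, p, s) in PROBES.items()
            if decide(group, h, p, s) == "PERMIT"}
```

effective_access({"IT Group"}) returns {"SSH", "OWA"}, matching the Ituser test result, and the /public probe is denied for everyone, matching the Note above. The tie case shows the practical limit of the one-group-per-user design: a user who is in both Acme Group and Mega Group cannot be given both resources through these two local groups and needs a local group associated with both AD groups, as in the Bob example at the start of the use case.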
Test Result: Try Acmeuser Access
Acmeuser logs into the SNWL_AD domain.
The Users > Status page shows that acmeuser is a member of the local group, Acme_Group.
Acmeuser can access SSH, as expected.
Acmeuser tries to access other resources, such as OWA at 10.200.1.10, but is denied, as expected.
Test Result: Try Megauser Access
Megauser logs into the SNWL_AD domain.
The Users > Status page shows that megauser is a member of the local group, Mega_Group.
Megauser can access OWA resources, as expected.
Megauser tries to access SSH, but is denied, as expected.
Test Result: Try Ituser Access
Ituser logs into the SNWL_AD domain. The Users > Status page shows that ituser is a
member of the local group, IT_Group.
Ituser can access SSH to 10.200.1.102, as expected.
Ituser can access OWA resources, as expected.
Appendix D: NetExtender
Troubleshooting
This appendix contains a table with troubleshooting information for the SonicWALL SSL VPN
NetExtender utility.
Table 22 NetExtender Cannot Be Installed
Problem Solution
NetExtender cannot be
installed.
1. Check your OS version. NetExtender supports only Windows 2000 or later;
Mac OS X 10.5 or later with Apple Java 1.6.0_10 or later; and Linux
(openSUSE, Fedora Core and Ubuntu) on an i386-compatible distribution
with Sun Java 1.6.0_10 or later.
2. Check that the user has administrator privileges. NetExtender can only be
installed and run under a user account with administrator privileges.
3. Check if ActiveX has been blocked by Internet Explorer or
third-party blockers.
4. If the problem still exists, obtain the following information
and send to support:
The version of SonicWALL SSL VPN NetExtender
Adapter from Device Manager.
The log file located at C:\Program Files\SonicWALL\SSL VPN\NetExtender.dbg.
The event logs in the Event Viewer found under the
Windows Control Panel Administrative Tools folder.
Select Applications and System events and use the
Action /Save Log File as menu to save the events
in a log file.
Table 23 NetExtender Connection Entry Cannot Be Created
Problem Solution
NetExtender connection
entry cannot be created.
1. Navigate to Device Manager and check if the SonicWALL
SSL VPN NetExtender Adapter has been installed
successfully. If not, delete the adapter from the device list,
reboot the machine and install NetExtender again.
2. Navigate to the Windows Services manager under Control
Panel > Administrative Tools > Services. Look for the
Remote Access Auto Connection Manager and
Remote Access Connection Manager to see if those two
services have been started. If not, set them to automatic
start, reboot the machine, and install NetExtender again.
3. Check if there is another dial-up connection in use. If so,
disconnect the connection, reboot the machine and install
NetExtender again.
4. If problem still exists, obtain the following information and
send them to support:
The version of SonicWALL SSL VPN NetExtender
Adapter from Device Manager.
The log file located at C:\Program Files\SonicWALL\SSL VPN\NetExtender.dbg.
The event logs in Control Panel > Administrative
Tools > Event Viewer. Select Applications and
System events and use the Action /Save Log File
as menu to save the events in a log file.
Table 24 NetExtender Cannot Connect
Problem Solution
NetExtender cannot connect. 1. Navigate to Device Manager and check if the SonicWALL
SSL VPN NetExtender Adapter has been installed
successfully. If not, delete the adapter from the device list,
reboot the machine and install NetExtender again.
2. Navigate to Network connections to check if the
SonicWALL SSL VPN NetExtender Dialup entry has been
created. If not, reboot the machine and install NetExtender
again.
3. Check if there is another dial-up connection in use, if so,
disconnect the connection and reboot the machine and
connect NetExtender again.
4. If problem still exists, obtain the following information and
send them to support:
The version of SonicWALL SSL VPN NetExtender
Adapter from Device Manager.
The log file located at C:\Program Files\SonicWALL\SSL VPN\NetExtender.dbg.
The event logs in Control Panel > Administrative
Tools > Event Viewer. Select Applications and
System events and use the Action /Save Log File
as menu to save the events in a log file.
Table 25 NetExtender BSOD After Connected
Problem Solution
NetExtender BSOD after
connected.
1. Uninstall NetExtender, reboot the machine, and reinstall the latest
version of NetExtender.
2. Obtain the following information and send them to support:
The version of SonicWALL SSL VPN NetExtender
Adapter from Device Manager.
The log file located at C:\Program Files\SonicWALL\SSL VPN\NetExtender.dbg.
Windows memory dump file located at
C:\Windows\MEMORY.DMP. If you can not find this
file, then you will need to open System Properties,
click the Startup and Recovery Settings button
under the Advanced tab. Select Complete Memory
Dump, Kernel Memory Dump or Small Memory
Dump in the Write Debugging Information drop-
down list. Of course, you will also need to reproduce
the BSOD to get the dump file.
The event logs in Control Panel > Administrative
Tools > Event Viewer. Select Applications and
System Events and use the Action /Save Log File
as menu to save the events in a log file.
Appendix E: FAQs
This appendix contains FAQs about SonicWALL SSL VPN.
This appendix contains the following sections:
Hardware FAQ on page 352
What are the hardware specs for the SSL-VPN 200/2000/4000, SRA 1200 and SRA 4200?
Do the SSL-VPN appliances have hardware-based SSL acceleration onboard?
What are the main differences between the discontinued SonicWALL SSL-RX Accelerator and the
SSL-VPN 200, 2000 and 4000 appliances?
What operating system do the SonicWALL SSL-VPN appliances run?
Can I put multiple SonicWALL SSL-VPN appliances behind a load-balancer?
Digital Certificates and Certificate Authorities FAQ on page 357
What do I do if, when I log in to the SonicWALL SSL-VPN appliance, my browser gives me an error, or my
Java components give me an error?
I get this message below when I log into my SSL-VPN appliance. What do I do?
I get this message below when I log into my SSL-VPN appliance using Firefox 3.0. What do I do?
I get the warning below when I log into my SSL-VPN using Firefox 3.5. What do I do?
When I launch any of the Java components it gives me an error what should I do?
Do I have to purchase a SSL certificate?
What format is used for the digital certificates?
Are wild card certificates supported?
What CA certificates can I use with the SonicWALL SSL-VPN appliance?
Does the SSL-VPN appliance support chained certificates?
Any other tips when I purchase the certificate for the SSL-VPN appliance?
Can I use certificates generated from a Microsoft Certificate Server?
Why can't I import my new certificate and private key?
Why do I see the status pending after importing a new certificate and private key?
Can I have more than one certificate active if I have multiple virtual hosts?
I imported the CSR into my CA's online registration site but it's asking me to tell them what kind of Web server
it's for. What do I do?
Can I store the key and certificate?
Are PKCS#7 (chained certs) or PKCS#12 (key and cert PFX container) supported on the SSL-VPN
appliance?
Does the SonicWALL SSL-VPN appliance support client-side digital certificates?
When client authentication is required my clients cannot connect even though a CA certificate has been
loaded. Why?
NetExtender FAQ on page 363
Does NetExtender work on other operating systems than Windows?
Which versions of Windows does NetExtender support?
I tried to run NetExtender but it says I must have admin rights. Why?
Can I block communication between NetExtender clients?
Can NetExtender run as a Windows service?
What range do I use for NetExtender IP client address range?
What do I enter for NetExtender client routes?
What does the Tunnel All Mode option do?
Is there any way to see what routes the SonicWALL SSL-VPN is sending NetExtender?
Once I install the NetExtender is it uninstalled when I leave my session?
How do I get new versions of NetExtender?
How is NetExtender different from a traditional IPSec VPN client, such as SonicWALL's Global VPN Client
(GVC)?
Is NetExtender encrypted?
Is there a way to secure clear text traffic between the SonicWALL SSL-VPN appliance and the server?
What is the PPP adapter that is installed when I use the NetExtender?
What are the advantages of using the NetExtender instead of a Proxy Application?
Does performance change when using NetExtender instead of proxy?
SonicWALL SSL VPN is application dependent; how can I address non-standard applications?
Speaking of SSH, is SSHv2 supported?
Why is it required that an ActiveX component be installed?
Does NetExtender support desktop security enforcement, such as AV signature file checking, or Windows
registry checking?
Does NetExtender work with the 64-bit version of Microsoft Windows?
Does NetExtender work on the 32-bit and 64-bit versions of Microsoft Windows 7?
Does NetExtender support client-side certificates?
My firewall is dropping NetExtender connections from my SonicWALL SSL-VPN as being spoofs. Why?
General FAQ section on page 366
Is the SonicWALL SSL-VPN appliance a true reverse proxy?
What browser and version do I need to successfully connect to the SonicWALL SSL-VPN appliance?
What needs to be activated on the browser for me to successfully connect to the SonicWALL SSL-VPN
appliance?
What version of Java do I need?
What operating systems are supported?
Why does the File Shares component not recognize my server names?
Does the SonicWALL SSL-VPN appliance have a SPI firewall?
Can I access the SonicWALL SSL-VPN appliance using HTTP?
What is the most common deployment of the SonicWALL SSL-VPN appliances?
Why is it recommended to install the SonicWALL SSL-VPN appliance in one-port mode with a SonicWALL
security appliance?
Is there an installation scenario where you would use more than one interface or install the appliance in two-
port mode?
Can I cascade multiple SonicWALL SSL-VPN appliances to support more concurrent connections?
Why can't I log into the management interface of the SonicWALL SSL-VPN?
Can I create site-to-site VPN tunnels with the SonicWALL SSL-VPN appliance?
Can the SonicWALL Global VPN Client (or any other third-party VPN client) connect to the SonicWALL SSL-
VPN appliance?
Can I connect to the SonicWALL SSL-VPN appliance over a modem connection?
What SSL ciphers are supported by the SSL-VPN appliance?
Is AES supported in SonicWALL SSL VPN?
Can I expect similar performance (speed, latency, and throughput) as my IPSec VPN?
Is 2-factor authentication (RSA SecurID, etc) supported?
Does the SonicWALL SSL-VPN appliance support VoIP?
Is Syslog supported?
Does NetExtender support multicast?
Are SNMP and Syslog supported?
Does the SonicWALL SSL-VPN appliance have a Command Line Interface (CLI)?
Can I Telnet or SSH into the SSL-VPN appliance?
When controlling user access, can I apply permissions on both a domain as well as a Forest basis?
What does the Web cache cleaner do?
Why didn't the Web cache cleaner work when I exited the Web browser?
What does the encrypt settings file checkbox do?
What does the store settings button do?
What does the create backup button do?
What is SafeMode?
How do I access the SafeMode menu?
Can I change the colors of the portal pages?
What authentication methods are supported?
I configured my SonicWALL SSL-VPN appliance to use Active Directory as the authentication method, but it
fails with a very strange error message. Why?
My Windows XPSP2 system cannot use the RDP-based connectors. Why?
I created an FTP bookmark, but when I access it, the filenames are garbled. Why?
Where can I get a VNC client?
Are the SSL-VPN 200/2000/4000 and SRA 1200/4200 appliances fully supported by GMS or ViewPoint?
Does the SonicWALL SSL-VPN appliance support printer mapping?
Can I integrate SonicWALL SSL VPN with wireless?
Can I manage the appliance on any interface IP address of the SonicWALL SSL-VPN appliance?
Can I allow only certain Active Directory users access to log into the SonicWALL SSL-VPN appliance?
Does the HTTP(S) proxy support the full version of Outlook Web Access (OWA Premium)?
Why are my RDP sessions dropping frequently?
Can I create my own services for bookmarks rather than the services provided in the bookmarks section?
Why can't I see all the servers on my network with the File Shares component?
What port is the SSL-VPN appliance using for the Radius traffic?
Do the SonicWALL SSL-VPN appliances support the ability for the same user account to login
simultaneously?
Does the SSL-VPN appliance support NT LAN Manager (NTLM) Authentication?
I cannot connect to a web server when Windows Authentication is enabled. I get the following error message
when I try that: It appears that the target web server is using an unsupported HTTP(S) authentication scheme
through the SSL VPN, which currently supports only basic and digest authentication schemes. Please contact
the administrator for further assistance. - why?
Why do Java Services, such as Telnet or SSH, not work through a proxy server?
Why won't the SSH client connect to my SSH server?
How are the F1-F12 keys handled in the Java-based SSHv1 and Telnet proxies?
When I try to access a site that has Java applets using the SSL-VPN 200, all I see is a box with an X in it.
Why?
There is no port option for the service bookmarks what if these are on a different port than the default?
What if I want a bookmark to point to a directory on a Web server?
What versions of Citrix are supported?
Hardware FAQ
1. What are the hardware specs for the SSL-VPN 200/2000/4000, SRA 1200 and
SRA 4200?
Answer:
Interfaces
SSL-VPN 200: (5) 10/100 Ethernet (WAN, 4-port LAN)
SSL-VPN 2000: (4) 10/100 Ethernet, (1) Serial port
SSL-VPN 4000: (6) 10/100 Ethernet, (1) Serial port
SRA 1200: (2) 10/100/1000 Ethernet, (1) RJ-45 Serial port (115200 Baud)
SRA 4200: (4) 10/100/1000 Ethernet, (1) RJ-45 Serial port (115200 Baud)
Processors
SSL-VPN 200: SonicWALL security processor, cryptographic accelerator
SSL-VPN 2000: 800 MHz x86 main processor, cryptographic accelerator
SSL-VPN 4000: P4 Celeron main processor, cryptographic accelerator
SRA 1200: 1.5 GHz Via C7 x86 processor
SRA 4200: 1.8 GHz Via C7 x86 processor, cryptographic accelerator
Memory (RAM)
SSL-VPN 200: 128 MB
SSL-VPN 2000: 512 MB
SSL-VPN 4000: 1 GB
SRA 1200: 1 GB
SRA 4200: 2 GB
Flash Memory
SSL-VPN 200: 16 MB
SSL-VPN 2000: 128 MB
SSL-VPN 4000: 128 MB
SRA 1200: 1 GB
SRA 4200: 1 GB
Power Supply
SSL-VPN 200: External 20W, 12VDC, 1.66A
SSL-VPN 2000: Internal
SSL-VPN 4000: Internal
SRA 1200: Internal
SRA 4200: Internal
Max Power Consumption
SSL-VPN 200: 10.4 W
SSL-VPN 2000: 48 W
SSL-VPN 4000: 108 W
SRA 1200: 53 W
SRA 4200: 75 W
Total Heat Dissipation
SSL-VPN 200: 35.6 BTU
SSL-VPN 2000: 163.7 BTU
SSL-VPN 4000: 368.3 BTU
SRA 1200: 181 BTU
SRA 4200: 256 BTU
Dimensions
SSL-VPN 200: 7.45 x 4.55 x 1.06 in (18.92 x 11.56 x 2.69 cm)
SSL-VPN 2000: 17.00 x 10.00 x 1.75 in (43.18 x 25.40 x 4.45 cm)
SSL-VPN 4000: 17.00 x 13.75 x 1.75 in (43.18 x 33.66 x 4.45 cm)
SRA 1200: 17.00 x 10.125 x 1.75 in (43.18 x 25.70 x 4.45 cm)
SRA 4200: 17.00 x 10.125 x 1.75 in (43.18 x 25.70 x 4.45 cm)
Weight
SSL-VPN 200: 1.25 lbs (0.57 kg)
SSL-VPN 2000: 8.50 lbs (3.86 kg)
SSL-VPN 4000: 13 lbs (5.90 kg)
SRA 1200: 9.5 lbs (4.31 kg)
SRA 4200: 8.70 lbs (3.95 kg)
Major Regulatory Compliance (all models)
SSL-VPN 200/2000/4000:
FCC Class A, ICES Class A, CE, C-Tick, VCCI Class A, MIC, NOM, UL, cUL, TUV/GS, CB
SRA 1200/4200:
FCC Class A, ICES Class A, CE, C-Tick, VCCI Class A, MIC, NOM, UL, cUL, TUV/GS, CB
WEEE, RoHS (Europe), RoHS (China)
FIPS: Mechanically Designed for FIPS 140-2 Level 2
Environment
Temperature:
SSL-VPN 200/2000/4000: 40-105 F, 5-40 C
SRA 1200/4200: 32-105 F, 0-40 C
Relative Humidity:
SSL-VPN 200/2000/4000: 10-90% non-condensing
SRA 1200/4200: 5-95% non-condensing
MTBF
SSL-VPN 200: 9.0 years
SSL-VPN 2000: 11.2 years
SSL-VPN 4000: 9.2 years
SRA 1200: 13 years
SRA 4200: 8.3 years
2. Do the SSL-VPN appliances have hardware-based SSL acceleration onboard?
Answer: All models except the SRA 1200 have a hardware-based SSL accelerator onboard, even
the SSL-VPN 200. The SRA 1200 does not have a hardware SSL accelerator.
3. What are the main differences between the discontinued SonicWALL SSL-RX Accelerator
and the SSL-VPN 200, 2000 and 4000 appliances?
Answer: The discontinued SSL-RX Accelerator was a purpose-built appliance used to offload
cryptographic processing from burdened servers. The SSL-VPN 200, 2000 and 4000 are designed
to provide easy-to-use, lightweight, clientless access to internal network resources using a Web
browser. The SSL-VPN 200 cannot be used as an SSL accelerator. The SSL-VPN 2000 and 4000,
using Web Application Offloading in firmware 3.5 and later, can function as an SSL accelerator.
4. What operating system do the SonicWALL SSL-VPN appliances run?
Answer: The SonicWALL SSL-VPN appliance runs SonicWALL's own hardened Linux
distribution.
5. Can I put multiple SonicWALL SSL-VPN appliances behind a load-balancer?
Answer: Yes, this should work fine as long as the load-balancer or content-switch is capable
of tracking sessions based upon SSL Session ID persistence, or cookie-based persistence.
Table 26  SSL-VPN 200/2000/4000, SRA 1200/4200 Max Count Table

Type                                            SSL-VPN 200   SSL-VPN 2000   SSL-VPN 4000   SRA 1200   SRA 4200
Portal entries                                  16            32             32             32         32
Domain entries                                  10            32             32             32         32
Group entries                                   32            64             64             64         64
User entries                                    100           1,000          2,000          1,000      1,000
NetExtender global client routes                32            32             32             50         50
NetExtender group client routes                 N/A           12             12             50         50
NetExtender user client routes                  N/A           12             12             50         50
Recommended concurrent users                    10            50             200            25         50
Maximum concurrent users                        50            512            1,024          50         512
Maximum concurrent NetExtender (Nx) connections 30            125            300            50         125
Route entries                                   32            32             32             32         32
Host entries                                    32            32             32             32         32
Bookmark entries                                32            32             32             300        300
Policy entries                                  12            12             12             32         32
Policy address entries                          32            32             32             32         32
Network Objects                                 64            64             64             64         64
Address Network Objects                         16            16             16             16         16
Network Network Objects                         32            32             32             32         32
Service Network Objects                         32            32             32             32         32
SMB shares                                      1,024         1,024          1,024          1,024      1,024
SMB nodes                                       1,024         1,024          1,024          1,024      1,024
SMB workgroups                                  8             8              8              8          8
Concurrent FTP sessions                         8             8              8              8          8
Log size                                        250 KB        250 KB         250 KB         250 KB     250 KB

Table 27  Feature Support by Model, Firmware 2.1 and Newer

Feature                                                  SSL-VPN 200   SSL-VPN 2000, SSL-VPN 4000, SRA 1200, SRA 4200
Seamless integration behind any firewall                 X             X
Clientless connectivity                                  X             X
Unrestricted concurrent user tunnels                     X             X
Enhanced layered security                                X             X
NetExtender technology                                   X             X
Granular policy configuration controls                   X             X
Personalized portal                                      X             X
File shares access policies                              X             X
Standalone NetExtender client                            X             X
RDP Java client                                          X             X
Context-sensitive help                                   X             X
Citrix (ICA) support                                                   X
NetExtender: support for multiple IP ranges and routes                 X
Tokenless two-factor authentication                      X             X
RSA support                                                            X
Vasco support                                            X             X
Optional client certificate support                                    X
Graphical usage monitoring                               X             X
Option to create system backup                                         X
OWA premium version and Lotus Domino Access                            X
Single Sign-on bookmark policy options                   X             X
Email log capability                                     X             X
Multiple RADIUS server support                           X             X
RADIUS test function                                                   X
NetExtender domain suffix support                        X             X
SSHv2 support                                            X             X
Virtual Host/Domain Name support                                       X
Digital Certificates and Certificate Authorities FAQ
1. What do I do if my browser gives me an error when I log in to the SonicWALL SSL-VPN
appliance, or if my Java components give me an error?
Answer: These errors are caused by one or more of the following three conditions:
The certificate on the SonicWALL SSL-VPN appliance is not trusted by the browser (it was
not issued by a CA in the browser's trust store, which is always the case for the default
self-signed certificate).
The certificate on the SonicWALL SSL-VPN appliance has expired.
The host name requested by the client Web browser does not match the name embedded
in the certificate.
Web browsers issue a warning whenever any of these conditions is true. The mechanism exists
so that the browser can detect a server that is not the one it claims to be, but it often leads
people to think something is broken. If you are using the default self-signed certificate, the
warning appears every time a Web browser connects to the SonicWALL SSL-VPN appliance.
The warning does not change the cipher or key size negotiated during the SSL handshake; what
it does mean is that the browser could not verify whom it is talking to, so a user who clicks
through it on an untrusted network cannot distinguish the appliance from an intermediary
presenting its own certificate. To remove the warning, purchase and install a certificate from
a CA that the browsers trust onto the SonicWALL SSL-VPN appliance.
2. I get the message below when I log into my SSL-VPN appliance. What do I do?
Answer: It's the same problem as noted in the previous topic, but this is the new improved
security warning screen in Microsoft Internet Explorer 7.0, which was released in late October
2006 to the Microsoft Update Website. Whereas IE5.x and IE6.x presented a pop-up that
listed the reasons why the certificate is not trusted, IE7.0 simply returns a generic error page
which recommends that the user close the page. The user is not presented with a direct Yes
option to proceed, and instead has to click on the embedded Continue to this Website (not
recommended) link. For these reasons, it is strongly recommended that all SonicWALL
SSL-VPN appliances, going forward, have a trusted digital certificate installed.
3. I get the message below when I log into my SSL-VPN appliance using Firefox 3.0.
What do I do?
Answer: Much like the errors shown above for Internet Explorer, Firefox 3.0 has a unique error
message when any certificate problem is detected. The conditions for this error are the same
as for the above Internet Explorer errors.
To get past this screen, click the Or you can add an exception link at the bottom, then click
the Add Exception button that appears. In the Add Security Exception window that opens,
click the Get Certificate button, ensure that Permanently store this exception is checked,
and finally, click the Confirm Security Exception button. See below:
To avoid this inconvenience, it is strongly recommended that all SonicWALL SSL-VPN
appliances, going forward, have a trusted digital certificate installed.
4. I get the warning below when I log into my SSL-VPN using Firefox 3.5. What do I do?
Answer: This is the Firefox 3.5 warning message when any certificate problem is detected.
The conditions for this error are the same as for the above Internet Explorer errors.
To get past this screen, click the arrow next to I Understand the Risks to expand the section,
then click the Add Exception button that appears.
In the Add Security Exception window that opens, click the Get Certificate button, ensure that
Permanently store this exception is checked, and finally, click the Confirm Security
Exception button. See below:
To avoid this inconvenience, it is strongly recommended that all SonicWALL SSL-VPN
appliances, going forward, have a trusted digital certificate installed.
5. When I launch any of the Java components, it gives me an error. What should I do?
Answer: See the previous questions. This occurs when the certificate is not trusted by the Web
browser, or the site name requested by the browser does not match the name embedded in the
site certificate presented by the SSL-VPN appliance during the SSL handshake. The warning
can be dismissed once you have confirmed that the certificate shown is the one installed on the
appliance; installing a trusted certificate removes it altogether.
6. Do I have to purchase an SSL certificate?
Answer: No. You can ignore the security warnings, which tell users that the certificate is not
trusted or contains mismatched information. Accepting an untrusted certificate does not change
the level of encryption negotiated during the SSL handshake, but it does remove the browser's
ability to verify that it reached your appliance rather than an impostor, so a trusted certificate
is the safer choice for any appliance reachable from the Internet. SonicWALL tested digital
certificates from www.rapidssl.com, which are inexpensive, work in the SonicWALL SSL-VPN
appliance, and do not require the background check that other Certificate Authorities require
during the purchase process. A whitepaper on how to purchase and install a certificate is
available online at:
http://www.sonicwall.com/us/support/3165.html.
7. What format is used for the digital certificates?
Answer: X509v3.
8. Are wild card certificates supported?
Answer: Yes.
9. Which CAs' certificates can I use with the SonicWALL SSL-VPN appliance?
Answer: Any CA's certificate should work if the certificate is in X509v3 format, including VeriSign,
Thawte, Baltimore, RSA, etc. To use Thawte certificates with the SSL-VPN appliances, you
need to upgrade to firmware 1.0.0.9 or newer.
10. Does the SSL-VPN appliance support chained certificates?
Answer: Yes, it does. On the System > Certificates page, do the following:
Under Server Certificates, click Import Certificate and upload the SSL server
certificate and key together in a .zip file. The certificate should be named server.crt.
The private key should be named server.key.
Under Additional CA Certificates, click the Import Certificate button and upload the
intermediate CA certificate(s). Each certificate must be PEM encoded in a text file.
After uploading any intermediate CA certificates, restart the system, so that the Web
server restarts with the new certificate included in the CA certificate bundle.
11. Any other tips when I purchase the certificate for the SSL-VPN appliance?
Answer: We recommend you purchase a multi-year certificate to avoid the hassle of renewing
each year (most people forget and when the certificate expires it can create an administrative
nightmare). It is also good practice to have all users that will connect to the SSL-VPN appliance
run Windows Update (also known as Microsoft Update) and install the Root Certificates
update.
12. Can I use certificates generated from a Microsoft Certificate Server?
Answer: Yes, but to avoid a browser warning, you will need to install the Microsoft CAs root
certificate into all Web browsers that will connect to the appliance.
13. Why cant I import my new certificate and private key?
Answer: Be sure that you upload a .zip file containing the PEM formatted private key file named
"server.key" and the PEM formatted certificate file named "server.crt". The .zip file must have a flat
file structure (no directories) and contain only "server.key" and "server.crt" files. The key and the
certificate must also match, otherwise the import will fail.
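Questions 10 and 13 together describe what a successful import needs: a PEM certificate and key that belong to each other, a flat .zip holding exactly server.crt and server.key, and the intermediate CA certificate(s) uploaded separately. The following POSIX shell script is an added example, not part of the guide or of SonicWALL's software; it runs those checks on the administrator's workstation before anything is uploaded, then builds the archive. It assumes openssl (and zip for the packaging step) is installed; all file names are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for a SonicWALL SSL-VPN server certificate import.
# Added example; assumes `openssl` (and `zip` for packaging) on the admin host.

# check_pem_files CERT KEY: both files must be PEM text, as the import requires.
check_pem_files() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        || { echo "certificate $1 is not PEM encoded" >&2; return 1; }
    # An ENCRYPTED key is acceptable: the appliance then shows the certificate as
    # "pending" until the CSR password is entered (question 14).
    grep -qE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$2" \
        || { echo "key $2 is not a PEM private key" >&2; return 1; }
}

# key_matches_cert CERT KEY: the import fails unless the key and certificate match.
# Comparing the SubjectPublicKeyInfo works for RSA and EC keys alike, unlike an
# RSA-only modulus comparison.
key_matches_cert() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# chain_verifies CERT CA_BUNDLE: CA_BUNDLE is the PEM file (root plus any
# intermediates, concatenated) that will be uploaded under Additional CA
# Certificates. If this fails, browsers will receive an incomplete chain.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_bundle CERT KEY OUT_ZIP: copy to the mandatory names and zip with -j so the
# archive is flat (no directory entries) and contains only the two files.
make_bundle() {
    local out=$3 stage
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    stage=$(mktemp -d) || return 1
    cp "$1" "$stage/server.crt" && cp "$2" "$stage/server.key" || return 1
    chmod 600 "$stage/server.key"
    ( cd "$stage" && zip -q -j "$out" server.crt server.key ) || return 1
    rm -rf "$stage"
}

# preflight CERT KEY CA_BUNDLE OUT_ZIP: run every check, then package.
preflight() {
    check_pem_files "$1" "$2" || return 1
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    chain_verifies "$1" "$3" || { echo "certificate does not chain to $3" >&2; return 1; }
    make_bundle "$1" "$2" "$4"
}
# Usage: preflight server.crt server.key ca-bundle.pem sslvpn-cert.zip
```

Run preflight with the certificate returned by the CA, the key exported at CSR time (question 17), and the intermediate bundle the CA supplied; a non-zero exit names the check that failed, which is more informative than the appliance's generic import error.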
14. Why do I see the status pending after importing a new certificate and private key?
Answer: Click the configure icon next to the new certificate and enter the password you
specified when creating the Certificate Signing Request (CSR) to finalize the import of the
certificate. Once this is done, you can successfully activate the certificate on the SonicWALL
SSL-VPN appliance.
15. Can I have more than one certificate active if I have multiple virtual hosts?
Answer: Prior to 2.5 firmware: No, only one can be active; other virtual sites with names that
do not match the name embedded in the SSL-VPN appliance's certificate will show security
warnings to any Web browser connecting to them.
With 2.5 firmware or later, it is possible to select a certificate for each Portal under the Portals
> Portals: Edit Portal - Virtual Host tab. The portal Virtual Host Settings fields allow you to
specify separate IP address, and certificate per portal. If the administrator has configured
multiple portals, it is possible to associate a different certificate with each portal. For example,
sslvpn.test.sonicwall.com might also be reached by pointing the browser to
virtualassist.test.sonicwall.com. Each of those portal names can have its own certificate.
This is useful to prevent the browser from displaying a certificate mismatch warning, such as
This server is abc, but the certificate is xyz, are you sure you want to continue?.
16. I imported the CSR into my CAs online registration site but its asking me to tell them
what kind of Webserver its for. What do I do?
Answer: Select Apache.
17. Can I store the key and certificate?
Answer: Yes. The key is exported together with the CSR during the CSR generation process. Keep
it, with the certificate you receive from the CA, in a safe place: the private key is what identifies
the appliance to every user, so store it encrypted or on access-controlled media rather than in a
shared folder. If the SonicWALL SSL-VPN appliance ever needs replacement or suffers a failure,
you can then reload the key and certificate. You can also export your settings from the
System > Settings page at any time.
18. Are PKCS#7 (chained certs) or PKCS#12 (key and cert PFX container) supported on
the SSL-VPN appliance?
Answer: No, neither one is currently supported. SonicWALL is investigating supporting these
in a future release.
19. Does the SonicWALL SSL-VPN appliance support client-side digital certificates?
Answer: Yes, client certificates are enforced per Domain or per User on the Users > Local
Users: Edit User Login Policies tab.
Per Domain/Per User client certificate enforcement settings:
Option to Verify the user name matches the Common Name (CN) of the client certificate
Option to Verify partial DN in the client certificate subject (optional). The following
variables are supported:
User name: %USERNAME%
Domain name: %USERDOMAIN%
Active Directory user name: %ADUSERNAME%
Wildcard: %WILDCARD%
Note Firmware prior to 3.5 required the client certificate CN field to be the username
(CN=username) entered to login to the appliance.
Support for Microsoft CA Subject Names where CN=<Full user name>, e.g. CN=John Doe.
Client certificate authentication attempts for users in Active Directory domains will have the
CN compared against the users full name in AD.
Detailed client certificate authentication failure messages and log messages are available
in the Log > View page.
Certificate Revocation List (CRL) Support. Each CA Certificate now supports an optional
CRL via file import or periodic import via URL.
The client certificate must be loaded into the clients browser. Also, remember that any
certificates in the trust chain of the client certificates must be installed onto the SSL-VPN
appliance.
20. When client authentication is required, my clients cannot connect even though a CA
certificate has been loaded. Why?
Answer: After a CA certificate has been loaded, the SonicWALL SSL-VPN must be rebooted
before the certificate is used for client authentication. Any failure to validate the client certificate
also causes the login to fail. The most common failures are: certificate is not yet valid, certificate
has expired, login name does not match the common name of the certificate, and certificate not
sent by the browser. The exact reason is recorded in the Log > View page.
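The failure classes in question 20 (chain, validity period, CN versus login name) can all be reproduced on the administrator's workstation before enforcement is switched on. The following POSIX shell script is an added example, not part of the guide or of SonicWALL's software: it verifies a user's certificate against the CA bundle loaded on the appliance and compares its CN with the names the appliance would accept (the login name, or the AD full name for CN=<Full user name> subjects). It assumes openssl is installed; the exact-match, case-sensitive CN comparison is an assumption made here, not a statement of how the appliance compares names.

```shell
#!/bin/sh
# Reproduce the appliance's client-certificate checks on the admin workstation
# before enabling enforcement. Added example; assumes `openssl` is installed.

# cert_cn CERT: print the Common Name from the certificate subject.
# Values containing an escaped comma (CN=Doe\, John) are not handled here.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject= *//; s/^\(.*,\)\{0,1\}CN=\([^,]*\).*/\2/p'
}

# client_cert_preflight CERT CA_BUNDLE NAME...: exit 0 when the certificate
# chains to CA_BUNDLE, is within its validity period, and its CN equals one of
# the NAMEs. Returns 1 for chain/validity problems and 2 for a CN mismatch,
# mirroring the failure classes listed in question 20. Exact, case-sensitive
# matching is an assumption of this example.
client_cert_preflight() {
    local crt=$1 ca=$2 out cn name
    shift 2
    if ! out=$(openssl verify -CAfile "$ca" "$crt" 2>&1); then
        # openssl names the cause here, e.g. "certificate has expired" or
        # "certificate is not yet valid" or "unable to get local issuer certificate"
        echo "chain/validity check failed: $(printf '%s' "$out" | tr '\n' ' ')" >&2
        return 1
    fi
    cn=$(cert_cn "$crt")
    for name in "$@"; do
        [ "$cn" = "$name" ] && { echo "ok: CN=$cn matches $name"; return 0; }
    done
    echo "login name does not match certificate CN ($cn)" >&2
    return 2
}
# Usage: client_cert_preflight jdoe.crt ca-bundle.pem jdoe "John Doe"
```

Because the CA bundle passed here must contain every certificate in the client's trust chain, a return of 1 with "unable to get local issuer certificate" is the same condition that the appliance note above describes: an intermediate is missing from what was installed on the SSL-VPN.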
NetExtender FAQ
1. Does NetExtender work on other operating systems than Windows?
Answer: Yes. Version 2.5 firmware added support for Mac and Linux platforms.
Mac Requirements:
Mac OS X 10.5+
Apple Java 1.6.0_10+ (can be installed/upgraded by going to Apple Menu > Software
Update; should be pre-installed on OS X 10.5+)
Linux Requirements:
i386-compatible distribution of Linux
Sun Java 1.6.0_10+
Fedora: FC3-FC10 have been tested successfully
Suse: Tested successfully on 10.3
Ubuntu: 8.04 works; 8.10 requires NetExtender 3.5.621 or higher
Separate NetExtender installation packages are also downloadable from mysonicwall.com for
each release.
2. Which versions of Windows does NetExtender support?
Answer: NetExtender supports:
Windows XP Service Pack 3 (SP3)
Vista SP1
Windows 7
3. I tried to run NetExtender but it says I must have admin rights. Why?
Answer: If your SSL-VPN appliance is running 1.0 firmware, then on Windows 2000, XP, 2003,
Vista, and Windows 7 systems the logged-in user must have administrative rights to install
ActiveX-based components such as NetExtender, and NetExtender cannot run on systems
where you do not have administrative rights (this is often seen in kiosk or public computer
environments, where the OS is locked down to prevent exactly this sort of installation).
If your SSL-VPN appliance is running firmware 1.5 or newer, a user can run NetExtender
provided that a user with administrative rights previously installed NetExtender on the system.
4. Can I block communication between NetExtender clients?
Answer: Yes, this can be achieved with the User/Group/Global Policies by adding a deny
policy for the NetExtender IP range.
5. Can NetExtender run as a Windows service?
Answer: The Windows version of NetExtender found in the 1.5 firmware release and newer can
be installed and configured to run as a Windows service, which will allow systems to login to
domains across the NetExtender client.
6. What range do I use for the NetExtender IP client address range?
Answer: This range is the pool from which incoming NetExtender clients are assigned addresses.
NetExtender clients appear as though they are on the internal network, much like the
Virtual Adapter capability found in SonicWALL's Global VPN Client. You need to dedicate
one IP address for each active NetExtender session, so if you expect a maximum of 20
simultaneous NetExtender sessions, create a range of 20 free IP addresses. Make sure
that these IP addresses are unused, not assigned to other network appliances, and not contained
within the scope of any DHCP server. For example, if your SSL-VPN appliance is in one-port
mode on the X0 interface using the default IP address of 192.168.200.1, create a pool of
addresses from 192.168.200.151 to 192.168.200.170. In the 1.5 firmware release and later, you
can create multiple unique pools on a per-group or per-user basis.
7. What do I enter for NetExtender client routes?
Answer: These are the networks that will be sent to remote NetExtender clients and should
contain all networks that you wish to give your NetExtender clients access to. For example, if
your SonicWALL SSL-VPN appliance was in one-port mode, attached to a SonicWALL NSA
3500 appliance on a DMZ using 192.168.200.0/24 as the subnet for that DMZ, and the
SonicWALL NSA 3500 had two LAN subnets of 192.168.168.0/24 and 192.168.170.0/24, you
would enter those two LAN subnets as the client routes to provide NetExtender clients access
to network resources on both of those LAN subnets.
8. What does the Tunnel All Mode option do?
Answer: Activating this feature will cause the SonicWALL SSL-VPN appliance to push down
two default routes that tell the active NetExtender client to send all traffic through the
SonicWALL SSL-VPN appliance. This feature is useful in environments where the SonicWALL
SSL-VPN appliance is deployed in tandem with a SonicWALL security appliance running all
UTM services, as it will allow you to scan all incoming and outgoing NetExtender user traffic for
viruses, spyware, intrusion attempts, and content filtering.
9. Is there any way to see what routes the SonicWALL SSL-VPN is sending
NetExtender?
Answer: Yes, right-click on the NetExtender icon in the taskbar and select route information.
You can also get status and connection information from this same menu.
10. Once I install the NetExtender is it uninstalled when I leave my session?
Answer: By default, when NetExtender is installed for the first time it stays resident on the
system, although this can be controlled by selecting the Uninstall On Browser Exit > Yes
option from the NetExtender icon in the taskbar while it is running. If this option is checked,
NetExtender will remove itself when it is closed. It can also be uninstalled from the Add/
Remove Program Files in Control Panel. NetExtender remains on the system by default to
speed up subsequent login times.
11. How do I get new versions of NetExtender?
Answer: New versions of NetExtender are included in each firmware release of the SSL-VPN
software and have version control information contained within. If the SSL-VPN appliance has
been upgraded with new software, and a connection is made from a system using a previous,
older version of NetExtender, it will automatically be upgraded to the new version.
There is one exception to the automatic upgrading feature: it is not supported for the MSI
version of NetExtender. If NetExtender was installed with the MSI package, it must be upgraded
with a new MSI package. The MSI package is designed for the administrator to deploy
NetExtender through Active Directory, allowing full version control through Active Directory.
12. How is NetExtender different from a traditional IPSec VPN client, such as
SonicWALL's Global VPN Client (GVC)?
Answer: NetExtender is designed as an extremely lightweight client that is installed via a Web
browser connection and uses the browser's SSL connection to create a secure, encrypted tunnel
between the client and the SonicWALL SSL-VPN appliance.
13. Is NetExtender encrypted?
Answer: Yes, it uses whatever cipher the NetExtender client and SSL-VPN appliance negotiate
during the SSL connection.
14. Is there a way to secure clear-text traffic between the SonicWALL SSL-VPN appliance
and the server?
Answer: Yes. Configure the Microsoft Terminal Server to use encrypted RDP sessions, and use
HTTPS rather than HTTP for the reverse proxy connection to the backend Web server.
15. What is the PPP adapter that is installed when I use the NetExtender?
Answer: This is the transport method NetExtender uses. It also uses compression (MPPC).
You can elect to have it removed during disconnection by selecting this from the NetExtender
menu.
16. What are the advantages of using NetExtender instead of a proxy application?
Answer: NetExtender provides full connectivity over an encrypted, compressed PPP connection,
allowing the user to connect directly to internal network resources. For example, a remote
user could launch NetExtender to connect directly to file shares on a corporate network.
17. Does performance change when using NetExtender instead of proxy?
Answer: Yes. NetExtender connections put minimal load on the SonicWALL SSL-VPN
appliances, whereas many proxy-based connections may put substantial strain on the
SonicWALL SSL-VPN appliance. Note that HTTP proxy connections use compression to
reduce the load and increase performance. Content received by the SSL-VPN from the local
Web server is compressed using gzip before sending it over the Internet to the remote client.
Compressing content sent from the SSL-VPN saves bandwidth and results in higher
throughput. Furthermore, only compressed content is cached, saving nearly 40-50% of the
required memory. Note that gzip compression is not available on the local (clear text side) of
the SSL-VPN appliance, or for HTTPS requests from the remote client.
18. SonicWALL SSL VPN is application dependent; how can I address non-standard
applications?
Answer: You can use NetExtender to provide access for any application that cannot be
accessed using the internal proxy mechanisms: HTTP, HTTPS, FTP, RDP4 (firmware 1.0 only),
ActiveX-based RDP, Java-based RDP (firmware 1.5 and newer), Telnet, and SSHv1. With 3.5
firmware and later, Application Offloading can be used for Web applications. In this way, the
SSL-VPN functions similarly to an SSL offloader and proxies Web application pages without
the need for URL rewriting.
19. Speaking of SSH, is SSHv2 supported?
Answer: Yes, this is supported in firmware 2.0 and newer.
20. Why is it required that an ActiveX component be installed?
Answer: NetExtender is installed via an ActiveX-based plug-in from Internet Explorer. Users
using Firefox browsers may install NetExtender via an XPI installer. NetExtender may also be
installed via an MSI installer. Download the NetExtender MSI installer from mysonicwall.com.
21. Does NetExtender support desktop security enforcement, such as AV signature file
checking, or Windows registry checking?
Answer: Not at present, although these sorts of features are planned for future releases of
NetExtender.
22. Does NetExtender work with the 64-bit version of Microsoft Windows?
Answer: Yes, starting with 3.0 firmware, NetExtender supports 64-bit Windows 7, Vista and XP.
23. Does NetExtender work 32-bit and 64-bit version of Microsoft Windows 7?
Answer: Yes, starting with 3.0.0.9-20sv and later firmware, NetExtender supports 32-bit and
64-bit Windows 7.
24. Does NetExtender support client-side certificates?
Answer: Yes, in 3.5 and up the Windows NetExtender client supports client certificate
authentication from the stand-alone client. Users can also authenticate to the SSL-VPN portal
and then launch NetExtender.
25. My firewall is dropping NetExtender connections from my SonicWALL SSL-VPN as
being spoofs. Why?
Answer: If the NetExtender addresses are on a different subnet than the X0 interface, a rule
needs to be created for the firewall to know that these addresses are coming from the
SonicWALL SSL-VPN.
General FAQ
1. Is the SonicWALL SSL-VPN appliance a true reverse proxy?
Answer: Yes, the HTTP, HTTPS, CIFS, FTP are Web-based proxies, where the native Web
browser is the client. VNC, RDP - ActiveX, RDP - Java, SSHv1 and Telnet use browser-
delivered Java or ActiveX clients. NetExtender on Windows uses a browser-delivered client.
2. What browser and version do I need to successfully connect to the SonicWALL SSL-
VPN appliance?
Answer:
Microsoft Internet Explorer 6.0 and newer
Mozilla 1.7.1 and newer
Firefox 2.0 and newer
Safari 2.0 and newer
Google Chrome 4 and newer
3. What needs to be enabled in the browser for me to successfully connect to the
SonicWALL SSL-VPN appliance?
Answer:
SSLv3 or TLS (SSLv2 is not required by the appliance and should be disabled; it is insecure)
Cookies
Pop-ups for the site
Java
JavaScript
ActiveX (Internet Explorer, for the ActiveX-based components)
4. What version of Java do I need?
Answer: You need Sun's JRE 1.6.0_10 or higher (available at http://www.java.com) to use
some of the features on the SonicWALL SSL-VPN appliance. On Google Chrome, you also need
Java 1.6.0 update 10 or higher.
5. What operating systems are supported?
Answer:
Microsoft Windows 2000 Professional SP4 and newer
Microsoft XP, SP2 and newer
Microsoft Vista
Microsoft Windows 7
Apple OSX 10.5 and newer
Linux kernel 2.4.x and newer
6. Why does the File Shares component not recognize my server names?
Answer: If you cannot reach your server by its NetBIOS name, there might be a problem with
name resolution. Check your DNS and WINS settings on the SonicWALL SSL-VPN appliance.
You might also try manually specifying the NetBIOS name to IP mapping in the Network > Host
Resolution section, or you could specify the IP address directly in the UNC path, e.g.
\\192.168.100.100\sharefolder.
Also, if you get an authentication loop or an error, check whether this File Share is a DFS server
on a Windows domain root. When creating a File Share, do not configure a Distributed File
System (DFS) server on a Windows Domain Root system. Because the Domain Root allows
access only to Windows computers in the domain, doing so disables access to the DFS file
shares from other domains. The SonicWALL SSL-VPN is not a domain member and will not be
able to connect to such DFS shares. DFS file shares on a stand-alone root are not affected by
this Microsoft restriction.
7. Does the SonicWALL SSL-VPN appliance have a SPI firewall?
Answer: No. It must be combined with a SonicWALL security appliance or other third-party
firewall/VPN device.
8. Can I access the SonicWALL SSL-VPN appliance using HTTP?
Answer: No, it requires HTTPS. HTTP connections are immediately redirected to HTTPS. You
may wish to open both 80 and 443, as many people forget to type https: and instead type
http://. If you block 80, it will not get redirected.
9. What is the most common deployment of the SonicWALL SSL-VPN appliances?
Answer: One-port mode, where only the X0 interface is utilized, and the appliance is placed in
a separated, protected DMZ network/interface of a SonicWALL security appliance, such as
the SonicWALL TZ 180, or the SonicWALL NSA appliance.
10. Why is it recommended to install the SonicWALL SSL-VPN appliance in one-port
mode with a SonicWALL security appliance?
Answer: This method of deployment offers additional layers of security control plus the ability
to use SonicWALLs Unified Threat Management (UTM) services, including Gateway Anti-Virus,
Anti-Spyware, Content Filtering and Intrusion Prevention, to scan all incoming and outgoing
NetExtender traffic.
11. Is there an installation scenario where you would use more than one interface or
install the appliance in two-port mode?
Answer: Yes, when it would be necessary to bypass a firewall/VPN device that may not have
an available third interface, or a device where integrating the SonicWALL SSL-VPN appliance
may be difficult or impossible.
12. Can I cascade multiple SonicWALL SSL-VPN appliances to support more concurrent
connections?
Answer: No, this is not supported.
13. Why can't I log into the management interface of the SonicWALL SSL-VPN?
Answer: The default IP address of the appliance is 192.168.200.1 on the X0 interface. If you
cannot reach the appliance, try cross-connecting a system to the X0 port, assigning it a
temporary IP address of 192.168.200.100, and attempt to log into the SonicWALL SSL-VPN
appliance at https://192.168.200.1. Then verify that you have correctly configured the DNS and
default route settings on the Network pages.
14. Can I create site-to-site VPN tunnels with the SonicWALL SSL-VPN appliance?
Answer: No, it is only a client-access appliance. If you require this, you will need a SonicWALL
TZ-series or NSA security appliance.
General FAQ
368
SonicWALL SSL VPN 5.0 Administrators Guide
15. Can the SonicWALL Global VPN Client (or any other third-party VPN client) connect
to the SonicWALL SSL-VPN appliance?
Answer: No, only NetExtender and proxy sessions are supported.
16. Can I connect to the SonicWALL SSL-VPN appliance over a modem connection?
Answer: Yes, although performance will be slow, even over a 56K connection it is usable.
17. What SSL ciphers are supported by the SSL-VPN appliance?
Answer: Starting with 3.5 firmware, SonicWALL only uses HIGH security ciphers with SSLv3
and TLSv1:
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DES-CBC3-MD5
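As an added example (not SonicWALL's code), the following Python decomposes the OpenSSL-style suite names listed above into their key-exchange, authentication, cipher and MAC primitives and flags those that rely on 3DES, MD5 or DSS or that lack forward secrecy. This is the audit a practitioner would run before deciding whether a list like this still meets policy; the classification reflects current general guidance, not a statement made by the guide.

```python
"""Audit the cipher suites quoted in FAQ 17 (added example, not SonicWALL code)."""

# Constructed from the suite list in FAQ 17 above.
SUPPORTED_SUITES = [
    "DHE-RSA-AES256-SHA",
    "DHE-DSS-AES256-SHA",
    "AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA",
    "EDH-DSS-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "DES-CBC3-MD5",
]


def parse_suite(name):
    """Split an OpenSSL suite name into its primitives.

    OpenSSL names omit the key exchange and authentication when they are
    plain RSA key transport, so "AES256-SHA" means RSA/RSA/AES256/SHA, while
    "DHE-RSA-..." and the older spelling "EDH-RSA-..." mean ephemeral DH
    signed with RSA (or DSS).
    """
    parts = name.split("-")
    mac = parts[-1]
    body = parts[:-1]
    kx, auth = "RSA", "RSA"
    if body and body[0] in ("DHE", "EDH"):
        kx, auth = "DHE", body[1]
        body = body[2:]
    return {"kx": kx, "auth": auth, "cipher": "-".join(body), "mac": mac}


def assess_suite(name):
    """Return the list of legacy-primitive findings for one suite (empty = none)."""
    s = parse_suite(name)
    findings = []
    if s["cipher"].startswith("DES-CBC3"):
        findings.append("3DES: 64-bit block cipher, deprecated")
    if s["mac"] == "MD5":
        findings.append("MD5 HMAC: legacy hash")
    if s["auth"] == "DSS":
        findings.append("DSS (DSA) authentication: legacy")
    if s["kx"] != "DHE":
        findings.append("RSA key transport: no forward secrecy")
    return findings


def audit(suites=SUPPORTED_SUITES):
    """Map every suite name to its findings."""
    return {name: assess_suite(name) for name in suites}


def forward_secret(suites=SUPPORTED_SUITES):
    """Names of the suites that negotiate an ephemeral DH key."""
    return [n for n in suites if parse_suite(n)["kx"] == "DHE"]


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name:24} {'; '.join(findings) or 'no legacy primitives'}")
```

Run as-is the script reports that only DHE-RSA-AES256-SHA is free of legacy primitives and that four of the seven suites provide forward secrecy. Note also that the answer names SSLv3 as a supported protocol version; SSLv3 has since been formally deprecated (RFC 7568), so on a current network only the TLS side of this list matters.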
18. Is AES supported in SonicWALL SSL VPN?
Answer: Yes, if your browser supports it.
19. Can I expect similar performance (speed, latency, and throughput) as my IPSec VPN?
Answer: Yes, actually you may see better performance as NetExtender uses multiplexed PPP
connections and runs compression over the connections to improve performance.
20. Is 2-factor authentication (RSA SecurID, etc) supported?
Answer: Yes, this is supported in the 2.0 firmware release and newer. This feature is only
supported on the 2000 and 4000 platforms. It will not be supported on the 200 platform.
21. Does the SonicWALL SSL-VPN appliance support VoIP?
Answer: Yes, over NetExtender connections.
22. Is Syslog supported?
Answer: Yes.
23. Does NetExtender support multicast?
Answer: Not at this time. Look for this in a future firmware release.
24. Are SNMP and Syslog supported?
Answer: Syslog forwarding to up to two external servers is supported in the current software
release. SNMP is not currently supported but may be planned for a future software release.
25. Does the SonicWALL SSL-VPN appliance have a Command Line Interface (CLI)?
Answer: No, it does not. The console ports on the SSL-VPN 2000 and SSL-VPN 4000
appliances are disabled and cannot be accessed. The SSL-VPN 200 appliance does not have
a console port. On the SRA 4200, you can connect to the console and you will see boot
messages, but there is no CLI to log in to and manage the device.
26. Can I Telnet or SSH into the SSL-VPN appliance?
Answer: No, neither Telnet nor SSH is supported in the current release of the SSL-VPN
appliance software as a means of management (this is not to be confused with the Telnet and
SSH proxies, which the appliance does support).
27. When controlling user access, can I apply permissions on both a domain as well as
a Forest basis?
Answer: Yes, using the LDAP connector.
28. What does the Web cache cleaner do?
Answer: The Web cache cleaner is an ActiveX-based applet that removes all temporary files
generated during the session, removes any history bookmarks, and removes all cookies
generated during the session. It will only run on Internet Explorer 5.0.1 or newer.
29. Why didn't the Web cache cleaner work when I exited the Web browser?
Answer: In order for the Web cache cleaner to run, you must click on the Logout button. If you
close the Web browser using any other means, the Web cache cleaner cannot run.
30. What does the encrypt settings file checkbox do?
Answer: This setting will encrypt the settings file so that if it is exported it cannot be read by
unauthorized sources. Although it is encrypted, it can be loaded back onto the SonicWALL SSL-
VPN appliance (or a replacement appliance) and decrypted. If this box is not selected, the
exported settings file is clear-text and can be read by anyone.
31. What does the store settings button do?
Answer: By default, the settings are automatically stored on a SonicWALL SSL-VPN appliance
any time a change to programming is made, but this can be shut off if desired. If this is disabled,
all unsaved changes to the appliance will be lost. This feature is most useful when you are
unsure of making a change that may result in the box locking up or dropping off the network. If
the setting is not immediately saved, you can power-cycle the box and it will return to the
previous state before the change was made.
32. What does the create backup button do?
Answer: This feature allows you to create a backup snapshot of the firmware and settings into
a special file that can be reverted to from the management interface or from SafeMode.
SonicWALL strongly recommends creating a system backup right before loading new software
or making significant changes to the programming of the appliance. This feature is available
only on the SonicWALL SSL-VPN 2000, SSL-VPN 4000, and SRA 4200 appliances.
33. What is SafeMode?
Answer: SafeMode is a feature of the SonicWALL SSL-VPN appliance that allows
administrators to switch between software image builds and revert to older versions in case a
new software image turns out to cause issues. In cases of software image corruption, the
appliance will boot into a special interface mode that allows the administrator to choose which
version to boot, or load a new version of the software image.
34. How do I access the SafeMode menu?
Answer: In emergency situations, you can access the SafeMode menu by holding in the Reset
button on the SSL-VPN appliance (the small pinhole button located on the front of the SSL-VPN
2000, SSL-VPN 4000, or SRA 4200, and on the back of the SSL-VPN 200) for 12-14 seconds
until the Test LED begins quickly flashing yellow. Once the SonicWALL has booted into the
SafeMode menu, assign a workstation a temporary IP address in the 192.168.200.x subnet,
such as 192.168.200.100, and attach it to the X0 interface on the SSL-VPN appliance. Then,
using a modern Web browser (Microsoft IE6.x+, Mozilla 1.4+), access the special SafeMode
GUI using the appliance's default IP address of 192.168.200.1. You will be able to boot the
appliance using a previously saved backup snapshot, or you can upload a new version of
software with the Upload New Software image button.
35. Can I change the colors of the portal pages?
Answer: This is not supported in the current releases, but is planned for a future software
release.
36. What authentication methods are supported?
Answer: Local database, RADIUS, Active Directory, NT4, and LDAP.
37. I configured my SonicWALL SSL-VPN appliance to use Active Directory as the
authentication method, but it fails with a very strange error message. Why?
Answer: The appliances must be precisely time-synchronized with each other or the
authentication process will fail. Ensure that the SonicWALL SSL-VPN appliance and the Active
Directory server are both using NTP to keep their internal clocks synchronized.
38. My Windows XPSP2 system cannot use the RDP-based connectors. Why?
Answer: You will need to download and install a patch from Microsoft for this to work correctly.
The patch can be found at the following site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=17d997d2-5034-4bbb-b74dad8430a1f7c8&DisplayLang=en
You will need to reboot your system after installing the patch.
39. I created an FTP bookmark, but when I access it, the filenames are garbled. Why?
Answer: If you are using a Windows-based FTP server, you will need to change the directory
listing style to UNIX instead of MS-DOS.
40. Where can I get a VNC client?
Answer: SonicWALL has done extensive testing with RealVNC. It can be downloaded at:
http://www.realvnc.com/download.html
41. Are the SSL-VPN 200/2000/4000 and SRA 1200/4200 appliances fully supported by
GMS or ViewPoint?
Answer: You need SonicOS SSL VPN 1.5.0.3 or higher for basic management by SonicWALL
GMS; SonicOS SSL VPN 2.1 or higher is required for SSL VPN Reporting in SonicWALL GMS
or ViewPoint.
42. Does the SonicWALL SSL-VPN appliance support printer mapping?
Answer: Yes, this is supported with the ActiveX-based RDP client only. The Microsoft Terminal
Server RDP connector must be enabled first for this to work. You may need to install the correct
printer driver software on the Terminal Server you are accessing.
43. Can I integrate SonicWALL SSL VPN with wireless?
Answer: Yes, refer to: http://www.sonicwall.com/support/pdfs/swisg.pdf
44. Can I manage the appliance on any interface IP address of the SonicWALL SSL-VPN
appliance?
Answer: Prior to 2.5 firmware: No, the appliance can only be managed using the X0 interface's
IP address. With 2.5 firmware and later, yes, you can manage on any of the interface IP
addresses.
45. Can I allow only certain Active Directory users access to log into the SonicWALL
SSL-VPN appliance?
Answer: Yes. On the Users > Local Groups page, edit a group belonging to the Active Directory
domain used for authentication and add one or more AD Groups under the AD Groups tab.
46. Does the HTTP(S) proxy support the full version of Outlook Web Access (OWA
Premium)?
Answer: Yes, but this is only supported on the SSL-VPN 2000, SSL-VPN 4000, and SRA 4200
appliances running firmware 2.0 or newer.
47. Why are my RDP sessions dropping frequently?
Answer: Try adjusting the session and connection timeouts on both the SSL-VPN appliance
and any appliance that sits between the endpoint client and the destination server. If the SSL-
VPN appliance is behind a firewall, adjust the TCP timeout upwards and enable fragmentation.
48. Can I create my own services for bookmarks rather than the services provided in the
bookmarks section?
Answer: This is not supported in the current release of software but may be supported in a
future software release.
49. Why cant I see all the servers on my network with the File Shares component?
Answer: The CIFS browsing protocol is limited by the server's buffer size for browse lists.
These browse lists contain the names of the hosts in a workgroup or the shares exported by a
host. The buffer size depends on the server software. Windows personal firewall has been
known to cause some issues with file sharing even when it is stated to allow such access. If
possible, try disabling such software on either side and then test again.
50. What port is the SSL-VPN appliance using for the Radius traffic?
Answer: It uses port 1812.
51. Do the SonicWALL SSL-VPN appliances support the ability for the same user account
to login simultaneously?
Answer: Yes, this is supported on 1.5 and newer firmware releases. On the portal layout, you
can enable or disable the Enforce login uniqueness option. If this box is unchecked, users can
log in simultaneously with the same username and password.
52. Does the SSL-VPN appliance support NT LAN Manager (NTLM) Authentication?
Answer: Yes, in SSL VPN 5.0 and later releases, backend Web servers using NTLM or
Windows Integrated Authentication are supported. Single Sign-On with NTLM is also
supported. NTLM support is specific to Application Offloading and/or reverse-proxy bookmarks.
SSL VPN 3.5 and earlier do not support NTLM authentication. As a workaround, the
administrator can turn on basic or digest authentication. Basic authentication specifies the
username and password in clear text, but the security outside the intranet is not compromised
because the SSL-VPN uses HTTPS. However, the intranet is required to be trusted. Digest
authentication works better in this case, because the password is not sent in clear text and only
an MD5 checksum that incorporates the password is sent.
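The difference the answer above describes, as an added example that is not SonicWALL's code: Basic authentication puts the password itself (Base64-encoded, not encrypted) into the Authorization header, so anyone who can read the plaintext leg between the appliance and the backend Web server recovers it; Digest sends an MD5 value derived from the password, the realm, the method, the URI and a server nonce, and the server only needs to store HA1. The user name, password, realm, URI and nonce below are constructed, and the Digest computation is the RFC 2617 form without the qop/cnonce extensions.

```python
"""Basic vs. Digest HTTP authentication (added example, not SonicWALL code)."""
import base64
import hashlib
import hmac


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Authorization header the proxy sends when Basic is enabled."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_recover(header):
    """What anyone observing the plaintext intranet leg learns from that header."""
    token = header.split(" ", 1)[1]
    user, password = base64.b64decode(token).decode("utf-8").split(":", 1)
    return user, password


def digest_ha1(user, realm, password):
    """HA1 is all the server needs to store; it never needs the password itself."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce):
    """Client side: the value placed in the 'response=' field of Authorization: Digest."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(user, realm, password)}:{nonce}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")            # constructed credentials
    print("Basic header   :", hdr)
    print("recovered      :", basic_recover(hdr))
    nonce = "7c1f0a2e9b4d4c3a8e6f5d2b1a0c9e8d"      # constructed server nonce
    resp = digest_response("alice", "intranet", "s3cret", "GET", "/owa/", nonce)
    print("Digest response:", resp)
    ha1 = digest_ha1("alice", "intranet", "s3cret")
    print("verifies       :", digest_verify(ha1, "GET", "/owa/", nonce, resp))
```

Two caveats follow from the code: a Digest response is only as fresh as its nonce, so a server that reuses nonces allows the observed response to be replayed even though the password stays hidden; and the scheme still depends on MD5. Digest protects the password on an untrusted intranet leg, which is the point the answer makes; it does not make that leg equivalent to HTTPS.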
53. I cannot connect to a web server when Windows Authentication is enabled. I get the
following error message when I try: "It appears that the target web server is using
an unsupported HTTP(S) authentication scheme through the SSL VPN, which
currently supports only basic and digest authentication schemes. Please contact the
administrator for further assistance." Why?
Answer: In SSL VPN 3.5 and earlier releases, the HTTP proxy does not support Windows
Authentication (formerly called NTLM). Only anonymous or basic authentication is supported.
54. Why do Java Services, such as Telnet or SSH, not work through a proxy server?
Answer: When the Java Service is started it does not use the proxy server. Transactions are
done directly to the SSL-VPN.
55. Why won't the SSH client connect to my SSH server?
Answer: Check the version of SSH you have enabled on your server, and check the firmware
release on the SSL-VPN appliance. SSHv2 support was not added until firmware 2.0 and
newer. It's possible that there is a mismatch between the two.
56. How are the F1-F12 keys handled in the Java-based SSHv1 and Telnet proxies?
Answer: The Telnet server must support function keys. If it does, the keyboard used is relevant.
Currently, the Telnet proxy uses vt320 and the SSHv1 proxy uses vt100 key codes. This is the
default and the SSL-VPN appliance does not support other types such as SCO-ANSI yet. This
may be supported in a future firmware release.
57. When I try to access a site that has Java applets using the SSL-VPN 200 all I see is a
box with an x in it -- why?
Answer: Proxying of Java applets through the reverse proxy is not supported on the SSL-VPN
200 platform.
58. There is no port option for the service bookmarks. What if these are on a different
port than the default?
Answer: You can specify in the IP address box an IPaddress:portid pair for HTTP, HTTPS,
Telnet, Java, and VNC.
59. What if I want a bookmark to point to a directory on a Web server?
Answer: Add the path in the IP address box: IP/mydirectory/.
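Added example (not SonicWALL's code) of a parser for the host:port and host/path syntax that answers 58 and 59 describe for the IP address box, with the validation a practitioner would want before pushing bookmarks out of a script: the address must be a literal IPv4 address (a colon in an IPv6 literal would collide with the port separator), the port must be in range, and a missing port falls back to the service default. The default-port table and the 10.1.1.5 address are assumptions; the guide does not list defaults.

```python
"""Parse the IP[:port][/path] bookmark syntax (added example, not SonicWALL code)."""
import ipaddress

# Assumed defaults for the services FAQ 58 names; the guide does not list them.
DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443, "Telnet": 23, "SSH": 22, "VNC": 5900}


def parse_bookmark_target(value, service):
    """Return (ip, port, path) for an entry such as '10.1.1.5:8443/mydirectory/'."""
    value = value.strip()
    host_port, slash, rest = value.partition("/")
    path = "/" + rest if slash else "/"          # FAQ 59: path follows the address
    host, colon, port_text = host_port.partition(":")
    if not host:
        raise ValueError("missing IP address")
    ipaddress.IPv4Address(host)                  # raises ValueError on non-IPv4 input
    if colon:                                    # FAQ 58: IPaddress:port pair
        if not port_text.isdigit():
            raise ValueError(f"port is not numeric: {port_text!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    else:
        port = DEFAULT_PORTS[service]
    return host, port, path


if __name__ == "__main__":
    for entry, service in [("10.1.1.5:8080", "HTTP"),
                           ("10.1.1.5/mydirectory/", "HTTP"),
                           ("10.1.1.5:5901", "VNC")]:
        print(entry, "->", parse_bookmark_target(entry, service))
```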
When I access Microsoft Telnet Server using a telnet bookmark it does not allow me to
enter a user name -- why?
Answer: This is not currently supported on the appliance.
60. What versions of Citrix are supported?
Answer: Citrix Portal Bookmarks have been tested and verified to support the following Citrix
Application Virtualization platforms through the Citrix Web Interface:
Servers: Citrix XenApp 5.0, XenApp 4.5, XenApp/Presentation Server 4.5, Presentation
Server 4.0 and MetaframeXP Feature Release 3
Clients: XenApp Plugin version 11.0 or earlier versions and Java client version 9.6 or earlier
versions
Appendix F: Glossary
Active Directory (AD) - A centralized directory service system produced by Microsoft that
automates network management of user data, security and resources, and enables
interoperation with other directories. Active Directory is designed especially for distributed
networking environments.
Common Internet File System (CIFS)
File Shares: SonicWALL's network file browsing feature on the SSL-VPN. This uses the Web
browser to browse shared files on the network.
Lightweight Directory Access Protocol (LDAP) - An Internet protocol that email and other
programs use to retrieve data from a server.
One-time Password (One-time Password) - A randomly-generated, single-use password.
One-time Password may be used to refer to a particular instance of a password, or to the
feature as a whole.
Simple Mail Transfer Protocol (SMTP) - A protocol for sending email messages between
servers.
Secure Socket Layer Virtual Private Network (SSL VPN) - A remote access tool that utilizes
a Web browser to provide clientless access to private applications.
Virtual Office - The user interface of SonicWALL SSL-VPN.
Windows Internet Naming Service (WINS) - A system that determines the IP address
associated with a network computer.
Appendix G: SMS Email Formats
This section provides a list of SMS (Short Message Service) formats for worldwide cellular
carriers. Find the correct format for your carrier from the list below, using your own phone
number before the @ sign.
Note These SMS email formats are for reference only. These email formats are subject to change
and may vary. You may need additional service or information from your provider before
using SMS. Contact the SMS provider directly to verify these formats and for further
information on SMS services, options, and capabilities.
Carrier SMS Format
3River Wireless 4085551212@sms.3rivers.net
AirTel 4085551212@@airtelmail.com
AT&T Wireless 4085551212@mobile.att.net
Andhra Pradesh Airtel 4085551212@airtelap.com
Andhra Pradesh Idea Cellular 4085551212@ideacellular.net
Alltel PC 4085551212@message.alltel.com
Alltel 4085551212@alltelmessage.com
Arch Wireless 4085551212@archwireless.net
BeeLine GSM 4085551212@sms.beemail.ru
BeeLine (Moscow) 4085551212@sms.gate.ru
Bell Canada 4085551212@txt.bellmobility.ca
Bell Canada 4085551212@bellmobility.ca
Bell Atlantic 4085551212@message.bam.com
Bell South 4085551212@sms.bellsouth.com
Bell South 4085551212@wireless.bellsouth.com
Bell South 4085551212@blsdcs.net
Bite GSM (Lithuania) 4085551212@sms.bite.lt
Bluegrass Cellular 4085551212@sms.bluecell.com
BPL mobile 4085551212@bplmobile.com
Celcom (Malaysia) 4085551212@sms.celcom.com.my
Cellular One 4085551212@mobile.celloneusa.com
Cellular One East Cost 4085551212@phone.cellone.net
Cellular One South West 4085551212@swmsg.com
Cellular One 4085551212@mobile.celloneusa.com
Cellular One 4085551212@cellularone.txtmsg.com
Cellular One 4085551212@cellularone.textmsg.com
Cellular South 4085551212@csouth1.com
CenturyTel 4085551212@messaging.centurytel.net
Cingular 4085551212@mobile.mycingular.net
Cingular Wireless 4085551212@mycingular.textmsg.com
Comcast 4085551212@comcastpcs.textmsg.com
CZECH EuroTel 4085551212@sms.eurotel.cz
CZECH Paegas 4085551212@sms.paegas.cz
Chennai Skycell / Airtel 4085551212@airtelchennai.com
Chennai RPG Cellular 4085551212@rpgmail.net
Comviq GSM Sweden 4085551212@sms.comviq.se
Corr Wireless Communications 4085551212@corrwireless.net
D1 De TeMobil 4085551212@t-d1-sms.de
D2 Mannesmann Mobilefunk 4085551212@d2-message.de
DT T-Mobile 4085551212@t-mobile-sms.de
Delhi Airtel 4085551212@airtelmail.com
Delhi Hutch 4085551212@delhi.hutch.co.in
Dobson-Cellular One 4085551212@mobile.cellularone.com
Dobson Cellular Systems 4085551212@mobile.dobson.net
Edge Wireless 4085551212@sms.edgewireless.com
E-Plus (Germany) 4085551212 @eplus.de
EMT 4085551212@sms.emt.ee
Eurotel (Czech Republic) 4085551212@sms.eurotel.cz
Europolitan Sweden 4085551212@europolitan.se
Escotel 4085551212@escotelmobile.com
Estonia EMT 4085551212@sms-m.emt.ee
Estonia RLE 4085551212@rle.ee
Estonia Q GSM 4085551212@qgsm.ee
Estonia Mobil Telephone 4085551212@sms.emt.ee
Fido 4085551212@fido.ca
Georgea geocell 4085551212@sms.ge
Goa BPLMobil 4085551212@bplmobile.com
Golden Telecom 4085551212@sms.goldentele.com
Golden Telecom (Kiev, Ukraine only) 4085551212@sms.gt.kiev.ua
GTE 4085551212@messagealert.com
GTE 4085551212@airmessage.net
Gujarat Idea 4085551212@ideacellular.net
Gujarat Airtel 4085551212@airtelmail.com
Gujarat Celforce / Fascel 4085551212@celforce.com
Goa Airtel 4085551212@airtelmail.com
Goa BPLMobil 4085551212@bplmobile.com
Goa Idea Cellular 4085551212@ideacellular.net
Haryana Airtel 4085551212@airtelmail.com
Haryana Escotel 4085551212@escotelmobile.com
Himachal Pradesh Airtel 4085551212@airtelmail.com
Houston Cellular 4085551212@text.houstoncellular.net
Hungary Pannon GSM 4085551212@sms.pgsm.hu
Idea Cellular 4085551212@ideacellular.net
Inland Cellular Telephone 4085551212@inlandlink.com
Israel Orange IL 4085551212- @shiny.co.il
Karnataka Airtel 4085551212@airtelkk.com
Kerala Airtel 4085551212@airtelmail.com
Kerala Escotel 4085551212@escotelmobile.com
Kerala BPL Mobile 4085551212@bplmobile.com
Kyivstar (Kiev Ukraine only) 4085551212@sms.kyivstar.net
Kyivstar 4085551212@smsmail.lmt.lv
Kolkata Airtel 4085551212@airtelkol.com
Latvia Baltcom GSM 4085551212@sms.baltcom.lv
Latvia TELE2 4085551212@sms.tele2.lv
LMT 4085551212@smsmail.lmt.lv
Madhya Pradesh Airtel 4085551212@airtelmail.com
Maharashtra Idea Cellular 4085551212@ideacellular.net
MCI Phone 408555121 @mci.com
Meteor 4085551212@mymeteor.ie
Metro PCS 4085551212@mymetropcs.com
Metro PCS 4085551212@metorpcs.sms.us
MiWorld 4085551212@m1.com.sg
Mobileone 4085551212@m1.com.sg
Mobilecomm 4085551212@mobilecomm.net
Mobtel 4085551212@mobtel.co.yu
Mobitel (Tanazania) 4085551212@sms.co.tz
Mobistar Belgium 4085551212@mobistar.be
Mobility Bermuda 4085551212@ml.bm
Movistar (Spain) 4085551212@correo.movistar.net
Maharashtra Airtel 4085551212@airtelmail.com
Maharashtra BPL Mobile 4085551212@bplmobile.com
Manitoba Telecom Systems 4085551212@text.mtsmobility.
Mumbai Orange 4085551212@orangemail.co.in
MTS (Russia) 4085551212@sms.mts.ru
MTC 4085551212@sms.mts.ru
Mumbai BPL Mobile 4085551212@bplmobile.com
MTN (South Africa only) 4085551212@sms.co.za
MiWorld (Singapore) 4085551212@m1.com.sg
NBTel 4085551212@wirefree.informe.ca
Netcom GSM (Norway) 4085551212@sms.netcom.no
Nextel 4085551212@messaging.nextel.com
Nextel 4085551212@nextel.com.br
NPI Wireless 4085551212@npiwireless.com
Ntelos 4085551212number@pcs.ntelos.com
One Connect Austria 4085551212@onemail.at
OnlineBeep 4085551212@onlinebeep.net
Omnipoint 4085551212@omnipointpcs.com
Optimus (Portugal) 4085551212@sms.optimus.pt
Orange - NL / Dutchtone 4085551212@sms.orange.nl
Orange 4085551212@orange.net
Oskar 4085551212@mujoskar.cz
Pacific Bell 4085551212@pacbellpcs.net
PCS One 4085551212@pcsone.net
Pioneer / Enid Cellular 4085551212@msg.pioneerenidcellular.com
PlusGSM (Poland only) 4085551212@text.plusgsm.pl
P&T Luxembourg 4085551212@sms.luxgsm.lu
Poland PLUS GSM 4085551212@text.plusgsm.pl
Primco 4085551212@primeco@textmsg.com
Primtel 4085551212@sms.primtel.ru
Public Service Cellular 4085551212@sms.pscel.com
Punjab Airtel 4085551212@airtelmail.com
Qwest 4085551212@qwestmp.com
Riga LMT 4085551212@smsmail.lmt.lv
Rogers AT&T Wireless 4085551212@pcs.rogers.com
Safaricom 4085551212@safaricomsms.com
Satelindo GSM 4085551212@satelindogsm.com
Simobile (Slovenia) 4085551212@simobil.net
Sunrise Mobile 4085551212@mysunrise.ch
Sunrise Mobile 4085551212@freesurf.ch
SFR France 4085551212@sfr.fr
SCS-900 4085551212@scs-900.ru
Southwestern Bell 4085551212@email.swbw.com
Sonofon Denmark 4085551212@note.sonofon.dk
Sprint PCS 4085551212@messaging.sprintpcs.com
Sprint 4085551212@sprintpaging.com
Swisscom 4085551212@bluewin.ch
Swisscom 4085551212@bluemail.ch
Telecom Italia Mobile (Italy) 4085551212@posta.tim.it
Telenor Mobil Norway 4085551212@mobilpost.com
Telecel (Portugal) 4085551212@sms.telecel.pt
Tele2 4085551212@sms.tele2.lv
Tele Danmark Mobil 4085551212@sms.tdk.dk
Telus 4085551212@msg.telus.com
Telenor 4085551212@mobilpost.no
Telia Denmark 4085551212@gsm1800.telia.dk
TIM 4085551212 @timnet.com
TMN (Portugal) 4085551212@mail.tmn.pt
T-Mobile Austria 4085551212@sms.t-mobile.at
T-Mobile Germany 4085551212@t-d1-sms.de
T-Mobile UK 4085551212@t-mobile.uk.net
T-Mobile USA 4085551212@tmomail.net
Triton 4085551212@tms.suncom.com
Tamil Nadu Aircel 4085551212@airsms.com
Tamil Nadu BPL Mobile 4085551212 @bplmobile.com
UMC GSM 4085551212@sms.umc.com.ua
Unicel 4085551212@utext.com
Uraltel 4085551212@sms.uraltel.ru
US Cellular 4085551212@email.uscc.net
US West 4085551212@uswestdatamail.com
Uttar Pradesh (West) Escotel 4085551212@escotelmobile.com
Verizon 4085551212@vtext.com
Verizon PCS 4085551212@myvzw.com
Virgin Mobile 4085551212@vmobl.com
Vodafone Omnitel (Italy) 4085551212@vizzavi.it
Vodafone Italy 4085551212@sms.vodafone.it
Vodafone Japan 4085551212@pc.vodafone.ne.j
Vodafone Japan 4085551212@h.vodafone.ne.jp
Vodafone Japan 4085551212@t.vodafone.ne.jp
Vodafone Spain 4085551212@vodafone.es
Vodafone UK 4085551212@vodafone.net
West Central Wireless 4085551212@sms.wcc.net
Western Wireless 4085551212@cellularonewest.com
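Because these gateway addresses are what carries a one-time password to a user's phone, a practitioner scripting them should check each entry before use. The following added example (not SonicWALL's code) substitutes a subscriber number for the table's placeholder and rejects entries that are not a plain number@domain form; the sample rows are constructed from the table above and deliberately include three entries that appear damaged in the printed list (a double "@", an embedded space, and a domain cut off after its final dot), exactly the cases the note above says to confirm with the provider.

```python
"""Build and sanity-check SMS gateway addresses from Appendix G entries
(added example, not SonicWALL code)."""
import re

PLACEHOLDER = "4085551212"  # the sample number every table entry uses

# Constructed sample of rows from the table above; three of them reproduce
# entries that look damaged in the printed list (double '@', embedded space,
# domain cut off after the final dot).
SAMPLE_ROWS = [
    ("3River Wireless", "4085551212@sms.3rivers.net"),
    ("AirTel", "4085551212@@airtelmail.com"),
    ("E-Plus (Germany)", "4085551212 @eplus.de"),
    ("Manitoba Telecom Systems", "4085551212@text.mtsmobility."),
    ("T-Mobile USA", "4085551212@tmomail.net"),
]

# A well-formed entry: the placeholder, exactly one '@', then a dotted domain
# ending in an alphabetic top-level label.
ENTRY_RE = re.compile(r"^" + PLACEHOLDER + r"@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def gateway_domain(entry):
    """Domain part of a table entry, or None when the entry is malformed."""
    if not ENTRY_RE.match(entry):
        return None
    return entry.split("@", 1)[1]


def audit_rows(rows):
    """Carriers whose printed format should be confirmed with the provider."""
    return [carrier for carrier, entry in rows if gateway_domain(entry) is None]


def sms_address(entry, phone):
    """Substitute a subscriber number for the placeholder in a valid entry."""
    domain = gateway_domain(entry)
    if domain is None:
        raise ValueError(f"malformed table entry: {entry!r}")
    digits = re.sub(r"\D", "", phone)         # keep digits only: "(408) 555-0199"
    if not 7 <= len(digits) <= 15:            # E.164 numbers have at most 15 digits
        raise ValueError(f"implausible phone number: {phone!r}")
    return f"{digits}@{domain}"


if __name__ == "__main__":
    print("entries to verify with the carrier:", audit_rows(SAMPLE_ROWS))
    print(sms_address("4085551212@tmomail.net", "(408) 555-0199"))
```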
2010 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
Specifications and descriptions subject to change without notice.
T +1 408.745.9600
SonicWALL, Inc.
2001 Logic Drive
San Jose, CA 95124-3452 F +1 408.745.9300
PN: 232-001960-00
Rev A 11/2010
www.sonicwall.com