How do I configure the SSL-VPN feature for use with NetExtender or Mobile Connect?

11/29/2023 10,095 People found this article helpful 513,057 Views

Description

SSL VPN is one method of allowing remote users to connect to the SonicWall and access the internal network resources. SSL VPN connections can be setup with one of three methods:

The SonicWall NetExtender client
The SonicWall Mobile Connect client
SSL VPN bookmarks via the SonicWall Virtual Office

This article details how to setup the SSL VPN Feature for NetExtender and Mobile Connect users, both of which are software based solutions.

NetExtender is available for the following Operating Systems:

Microsoft Windows
Linux Distributions

Mobile Connect is available for the following Operating Systems:

OS X
iOS
Android
NOTE: Please note that Mobile Connect is no longer supported on Microsoft Windows: Mobile Connect Software - SonicWall Product Life Cycle Tables | SonicWall

Don't want to read? Watch instead!

Resolution

Resolution for SonicOS 7.X

This release includes significantuser interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Creating an Address Object for the SSL VPN IPv4 Address Range

Login to the firewall management UI.
ClickObjectin the top navigation menu.
Navigate toMatch Objects |AddressesandclickAdd.

In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:
- Name:SSL VPN Pool
  TIP:This is only a Friendly Name used for Administration.
- Zone:SSL VPN
- Type:Range
  NOTE:This does not have to be a range and can be configured as aHostorNetworkas well. To avoid IP Spoof errors and routing issues, we recommend to use a subnet which is not configured anywhere else on the SonicWall.

SSL VPN Configuration

Navigate to the Network |SSL VPN |Server Settings.
Navigate toSSL VPN STATUS ON ZONES which representsSSL VPN Access status on each Zone.
Enable or disable SSL-VPN access by toggling the zone below. The Green indicates active SSL VPN status.
Navigate to SSL VPN SERVER SETTINGS,SelecttheSSL VPN Port, andDomainas desired.
NOTE:The SSL VPN port will be needed when connecting using Mobile Connect and NetExtender unless the port number is 443. Port 443 can only be used if the management port of the firewall is not 443. The Domain is used during the user login process. If you want to be able to manage the firewall via GUI or SSH over SSL VPN these features can be enabled separately here as well.

Navigate to theNetwork|SSL VPN|Client Settingsand Select configureDefault Device Profile.

Set theZone IP V4asSSL VPN andNetwork Address IP V4as theAddress Object you created earlier.

TheClient Routestab allows the administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.

TheClient Settingstab allows the administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client to access domain resources by name.
EnableCreate Client Connection Profile -The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.

Adding Users to SSL VPN Services Group

NetExtender Users may either authenticate as a Local User on the SonicWall or as a member of an appropriate Group through LDAP. This article will cover setting up Local Users, however if you're interested in using LDAP please referenceHow to Configure LDAP Authentication for SSL VPN Users.

Navigate toDevice|Users|Local Users & Groups.Add a new User if necessary by clickingAdd.

On theGroupstab addSSL VPN Servicesto theMember Of:field.

On theVPN Accesstab add the relevant Subnets, Range, or IP Address Address Objects that match what the User needs access to via NetExtender.
NOTE:SSL VPN Users will only be able to access resources that match both their VPN Access and Client Routes.

Click on Saveand close the window.

Checking Access rule Information for SSL VPN Zone

Navigate to Policy |Rules and Policies |Access Rules.
Select the SSL VPN to LANrules via the highlighted matrix button below.
If SSL VPN Users need access to resources on other Zones, such as the DMZ or a Custom Zone, verify or add those Access Rules.

Resolution for SonicOS 6.5

This release includes significantuser interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Creating an Address Object for the SSL VPN IPv4 Address Range

Login to the SonicWall management GUI.
Click Manage in the top navigation menu
Navigate to Objects|Address Objects andclick Addat the topof the pane.
In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:
- Name: SSL VPN Pool
  TIP: This is only a Friendly Name used for Administration.
- Zone: SSL VPN
- Type : Range
  NOTE: This does not have to be a range and can be configured as aHostorNetworkas well. To avoid IP Spoof errors and routing issues, we recommend to use a subnet which is not configured anywhere else on the SonicWall.
- Starting IP Address: 192.168.168.100
- Ending IP Address: 192.168.168.110

SSL VPN Configuration

Navigate to theSSL VPN |Server Settings page.
Click on the Red Bubble forWAN, it should become Green. This indicates that SSL VPN Connections will be allowed on the WAN Zone.
Set the SSL VPN Port, and Domain as desired.
NOTE: The SSL VPN port will be needed when connecting using Mobile Connect and NetExtender unless the port number is 443. Port 443 can only be used if the management port of the firewall is not 443. The Domain is used during the user login process. If you want to be able to manage the firewall via GUI or SSH over SSL VPN these features can be enabled separately here as well.
Navigate to the SSL VPN | Client Settings page.
The SSL VPN |Client Settings page allows the administrator to configure the client address range information and NetExtender client settings, the most important being where the SSL VPN will terminate (e.g. on the LAN in this case) and which IPs will be given to connecting clients.
CAUTION: NetExtender cannot be terminated on an Interface that is paired to another Interface using Layer 2 Bridge Mode. This includes Interfaces bridged with a WLAN Interface. Interfaces that are configured with Layer 2 Bridge Mode are not listed in the "SSL VPN Client Address Range" Interface drop-down menu. For NetExtender termination, an Interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public, or Wireless zone, and also configured with the IP Assignment of "Static".
Click on the Configurebutton for theDefault Device Profile.
Set the Zone IP V4as SSL VPN.Set Network Address IP V4 as theAddress Object you created earlier (SSL VPN Range).
TheClient Routestab allows the administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.
CAUTION:All SSL VPN Users can see these routes but without appropriate VPN Access on their User or Group they will not be able to access everything shown in the routes. Please make sure to set VPN Access appropriately.
The Client Settings tab allows the administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client.
Input the necessary DNS/WINS information and a DNS Suffix if SSL VPN Users need to find Domain resources by name.
EnableCreate Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.

Adding Users to SSL VPN Services Group

Navigate toUsers |Local Users & Groups. Add a new User if necessary by clicking Add.
On theGroupstab addSSL VPN Servicesto theMember Of:field.
On the VPN Access tab add the relevant Subnets, Range, or IP Address Address Objects that match what the User needs access to via NetExtender.
CAUTION: SSL VPN Users will only be able to access resources that match both their VPN Access and Client Routes.
Click OK to save these settings and close the window.

Checking Access rule Information for SSL VPN Zone

Navigate toRules|Access Rules.
Access the SSL VPN to LAN rules via the Zone drop-down options or the highlighted matrix button below.
You will need to createAccess Rules similar to the image below allowing SSL VPN IPs to access your intended end devices.
NOTE: This does not grant access to all users, individual access is still granted to users based on their VPN access and SSL VPN routes. Access rules are needed for the firewall to allow this traffic through.
If SSL VPN Users need access to resources on other Zones, such as the DMZ or a Custom Zone, verify or add those Access Rules. If you're unsure how to create an Access Rule please referenceHow to Enable Port Forwarding and Allow Access to a Server Through the SonicWall.

Testing the Connection with NeNetextender

Download and install SonicWall NetExtender that is available via SonicWall.com. You can follow this link for the instructions:

https://www.sonicwall.com/support/knowledge-base/how-can-i-download-and-install-NetExtender-for-windows/170503561905844/

Configure NetExtender like the following example.

Server: specify the Ip Address of the SonicWall WAN (by default SSL VPN is enabled on every WAN Interface of the SonicWall) followed by the port (specified in Server Settings of SSL VPN)

You can also specify a DNS name if you have a DNS published for your organization, e.g.sslvpn.mycompany.com:4433

Username: insert the user that you want to connect with

Password:specify the password for that user

Domain:insert the Domain Name (case sensitive) specified in Server Settings of SSL VPN.

Click Connect.

Once reached the SSL VPN Server on the SonicWall NetExder will prompt for a Security Alert, click Acceptto establish the connection.

Testing the Connection with Mobile Connect

Mobile Connect is available to download fromSonicwall.com. You can select the desired option amoong iOS, macOS, Android and Chrome OS.

Mobile Connect on Mac OS

Start the program and click onAdd Connection,fill the forms like the example below and click Next

Click Continue

Fill the forms like the example below and click

Click Connect

When prompted click Allow to establish the VPN Connetion

TIP: Ping is a great tool to test access to resources once the VPN Connection has established. If Pings are Timing Out it's advisable to perform a Packet Monitor on the SonicWall to determine what is happening to the traffic. Keep in mind, pings to the SonicWall are considered management traffic and require specific access rules to allow this traffic..

How do I update SonicWall access point firmware?
How to enable HTTPS management over SSL-VPN
SHA-2 (SHA-256, SHA-384 SHA-512) support in SonicOS 6.5 and above

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

As an expert in networking and cybersecurity with extensive experience in VPN technologies, particularly SonicWall SSL VPN solutions, I'll delve into the concepts and terminologies highlighted in the provided article.

SSL VPN (Secure Socket Layer Virtual Private Network): SSL VPN is a method that allows remote users to securely connect to a private network from a remote location using the internet. It employs the SSL/TLS protocol to create a secure encrypted connection between the user's device and the corporate network, enabling access to internal resources securely.

SonicWall: SonicWall is a well-known provider of hardware and software security solutions. It offers various firewall and VPN appliances designed to safeguard networks from cyber threats and allows secure remote access through SSL VPN solutions.

NetExtender and Mobile Connect: These are software-based SSL VPN clients provided by SonicWall for different operating systems. NetExtender supports Microsoft Windows and various Linux distributions, while Mobile Connect is available for iOS, macOS, Android, and Chrome OS. These clients facilitate secure connections for remote users to access the internal network resources.

VPN Configuration: Configuring SSL VPN involves several steps, such as creating address objects, setting up SSL VPN server settings (including port and domain configurations), defining client settings (like client address range, DNS, WINS, suffix information), creating client connection profiles, and adding users to SSL VPN service groups. These configurations are essential to ensure proper access control and security for remote users connecting via SSL VPN.

Access Rules and Policies: Access rules are crucial in controlling and managing the traffic flow within the network. For SSL VPN, specific access rules need to be defined, allowing or denying access to resources based on SSL VPN zone, user VPN access, and client routes. These rules ensure that only authorized users can access intended resources.

Testing and Troubleshooting: After setting up SSL VPN, testing the connections via NetExtender or Mobile Connect is essential. This involves configuring the client software with necessary server details, such as IP addresses, ports, usernames, and passwords. Additionally, troubleshooting steps might include using tools like ping or packet monitoring on the SonicWall to identify and resolve connectivity issues.

Related Articles: The article also mentions related topics such as firmware updates for SonicWall access points, enabling HTTPS management over SSL-VPN, and support for SHA-2 encryption in SonicOS.

Understanding these concepts and configurations is vital for implementing and maintaining a secure and efficient SSL VPN solution using SonicWall devices. If you have specific questions or need further details about any aspect of SSL VPN or network security, feel free to ask!

How do I configure the SSL-VPN feature for use with NetExtender or Mobile Connect? | SonicWall (2024)