There are several great tutorials out there on how to setup a SonicWall SSLVPN. Each one is somewhat different as the SonicOS changes and the steps and location of items changes from release to release. So, while they are all similar, this tutorial was done using a SonicWall NSA 3500 running SonicOS Enhanced 184.108.40.206-91o. And since verions 220.127.116.11 is recent in my memory, I have notes for that version here too. You will see just between these two releases (18.104.22.168 and 22.214.171.124) there are a few differences.
Create a SonicWall SSLVPN Setup Tasks
There are 3 basic tasks to create a SonicWall SSLVPN.
- Create the SSLVPN. This includes setting up proper routes.
- Create your users and give them proper access to the right devices on your network.
- Install the NetExtender SSLVPN clients
Step 1 – Create the SSLVPN
Login and browse to the SSL VPN / Server Settings page. Populate the form like I did below. Don’t forget to to do the following:
- Be certain that the WAN interface is clicked so that it is green. No reason to have a VPN setup if you can’t connect to it from the WAN. I also turn on LAN so that I can test it internally.
- Choose a port. I always the default 4433.
- If you need to use a signed certificate go to system / certificates and manage that there.
- Tell it the domain that you want to use. The only thing that this matches to is the domain name that they will need to enter on the NetExtender client side.
- If you need to manage this SonicWall over this VPN directly you will want to Enable Web Management and likewise if you use SSH for SonicWall management, turn that on too.
- The Inactivity Timeout will disconnect clients if they are inactive longer than this time period.
- Setup the Radius settings if you use Radius. I am not for my VPN, so I ignored that.
- Setup the URL for downloading the NetExtender clients if you wish to enable the client to download them from a site that you completely control. This has been good for me because sometimes there are specific versions of the NetExtender client that I want my clients using due to bugs or other.
Next, we go into SSL VPN / Client Settings.
This is where things are a bit different between 5.8 and 5.9. In SonicOS 126.96.36.199, one configures the whole DHCP setup completely in this area by setting the interface where the addresses are routed that you want to use–like X0 for example, Then setup the range using the start ip and end ip and then all of the other network stuff that you would normally expect such as WINS if needed, DNS, etc… You would then to to SSL VPN / Client Routes to set that up like we will describe later for 5.9.
In SonicOS 188.8.131.52, it appears that they are adding a feature to allow you to have more than one profile. Hopefully that comes in a new release. At the moment, you edit the Default Device Profile. On the Settings tab, you currently only can setup the SSLVPN IP Pool that you define in the Network / Address Objects page.
To the right is how I defined my SSLVPN DHCP pool Network Object on my 5.9 SonicOS.
This is different than the 184.108.40.206 SonicOS and therefore, give you more flexibility as it doesn’t have to draw addresses from a current network that you have assigned to an interface.
On the Client routes tab you need to choose from the address objects defined in Network / Address Objects which ones you want to allow the clients to connect to. In SonicOS 220.127.116.11, this is defined in SSL VPN / Client Routes. In the example to the right, you see that I have added a list of routes for the clients to use through the NetExtender client when they connect. Note that these routes are the superset of the routes that you want people to be able to connect to. Later on as we configure users, you can specify specific routes for individual users.
Finally, in SonicOS 18.104.22.168 you need to go to the Client Settings tab to setup your WINS, DNS, etc… for the client to use. In 22.214.171.124, you will have already done this.
Finally, you will want to go into your Firewall settings and be certain that a rule was automatically created on your WAN interface to allow SSLVPN connections. If not, add one as shown below:
I should also mention that there is also a Portal Settings page where you can setup a portal for your users to browse to, download their client, etc… As this option is cool, but unnecessary to getting it working, I have left that out for a potential tutorial later on someday.
Step 2 – Create the Users
Navigate to Users / Local Users and then click the button to “Add User”. This will give you the screen below:
Populate the fields:
- Name – This is actually the username, this is what they will use to login with using the NetExtender client.
- Password / Confirm Password – Obviously type in the password for the user in both of these fields.
- Check Boxes – You can force them to change their password or make their password expire after each use if desired.
- Email address – Enter their email address.
- Account Lifetime – Set to Never Expire if you do not know how long the user will need this account, or set it to the proper timeframe if known.
- Comment – This is where I typically put the user’s actual name as the name field is for their login. I also put other comments to remind me why this user has access, if it is a vendor, who in the company they are reporting to, etc…
On the groups tab be sure to give the user access to the SSLVPN Services Group membership as shown in the example below:
There are two more tabs that we won’t display but will discuss:
- VPN Access – This is where you specify the exact routes that you want the client to be able to use when they connect to the NetExtender VPN. This gives you complete control over which machines they can connect directly to. But remember, once you give access to an outside individual to a machine inside your network, they now have access to anything that machine has access to.
- Bookmark – This allows you to define shortcuts for directly connecting to Terminal Services, VNC, Telnet or SSH. We may cover this in a separate post someday.
With that, you should be done configuring your user for SSLVPN access.
Step 3 – Install and Configure the SSLVPN NetExtender Client
This requires that you have registered your SonicWall and have setup your access to their support portal at https://www.mysonicwall.com/Login.aspx. You will then login to their support site and download the NetExtender clients that your users will need: Mac, Windows, Linux, etc…
Once the NetExtender client is installed and launched, you connect by entering the either the IPADDRESS:Port or if you have setup DNS, the FQDN:port for your sonicwall’s WAN interface. For example: x.y.q.z:4433 or sslvpn.mydomain.com:4433.
The user will enter their username and password defined in step 2 above and the Domain as defined in Step 1 above and then connect.
Once connected, there are 3 tabs in your
- Status – Allows you to see how long you have been connected, etc…
- Routes – Shows you the routes that are being routed through the SSLVPN client. This is great for troubleshooting why you can’t get places.
- DNS – shows you the DNS servers and their priority for your client.
That should be it. Choose the Disconnect button when you are done and you will be disconnected.