Later pages of the guide (only the opening line of each page survives in the slide previews; the text is truncated where shown):

Concepts for the SonicWALL SSL-VPN
The following are key concepts...

Domains Overview
A domain in the SonicWALL SSL-VPN environment is a mecha...

NetExtender Overview
NetExtender is an SSL-VPN client for Windows...

Deployment Guidelines
The following sections detail deployment guidelines.
Support f...

SSL-VPN Components
The SonicWALL SSL-VPN provides clientless identity-based secur...

Network Resources
Network Resources are the more finely granular components of a trusted ...

Remote Desktop Protocols
Most modern Microsoft workstations and servers have RDP se...

Configuring Basic System Entities
Before beginning to configure your SonicWALL SSL-VPN appliance, you will find it helpfu...

Browser Requirements
The following Web browsers are supported for the Web manag...

Web Management Interface Overview
The following is an overview of a basi...
Figure 3 Security Warning During Access to the IP Address
The default page displayed is the System > Settings page. See the section Sta...

Web Interface Layout
The following table details the SonicWALL SS...

Status Environment Overview
The System > Status page environment is the beginning ...
Table 3 System > Status Page Regions

Latest Alerts
Any messages relating to system events or errors are displayed...

Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account ...

Registering Your SonicWALL Appliance
If you already have a mySonicWALL.com ac...

Event Log Overview
The SonicWALL SSL-VPN appliance maintains an event log for...
Each log entry contains the date and time of the event and a brief message describing the event. Th...

Log Settings Overview
SonicWALL SSL-VPN supports Web based logging, syslog lo...
5. To receive alert messages via email, enter your full email address (username@dom...

Active Users Overview
The Users > Status page displays the active users and a...

Time and Date Settings
Configure the time and date settings by navigating to the Sy...
4. For redundancy, enter a backup NTP server address in the NTP Server Add...

Importing a Configuration File
You may save the configuration settings to a backup fi...

Exporting a Backup Configuration File
You may save the configuration setting...
COMPREHENSIVE INTERNET SECURITY™
SonicWALL Security Appliances

SonicWALL SSL-VPN Administrator's Guide
Table of Contents

Using This Guide
  SonicWALL Management Interface ..... iv
  Navigating the Management Interface ..... vi
    Status Bar ..... vi
    Applying Changes ..... vii
    Navigating Tables ..... viii
    Common Icons in the Management Interface ..... ix
    Getting Help ..... ix
    Logging Out ..... ix

Overview of SSL-VPN
  What is SSL-VPN? ..... 2
  Encryption Overview ..... 2
  SSL Handshake Procedure ..... 2
  SSL for Virtual Private Networking (VPN) ..... 3
  Concepts for the SonicWALL SSL-VPN ..... 4
    Portals Overview ..... 4
    Layouts Overview ..... 4
    Domains Overview ..... 5
    Typical Deployment ..... 5
    NetExtender Overview ..... 6
    DNS Overview ..... 6
    Network Routes Overview ..... 6
  Deployment Guidelines ..... 7
    Support for Numbers of User Connections ..... 7
    Resource Type Support ..... 7
    Integration with SonicWALL Products ..... 7
  SSL-VPN Components ..... 8
    NetExtender Concepts ..... 8
    File Shares ..... 8
    Network Resources ..... 9
    Remote Desktop Protocols ..... 10
    Applications Protocols ..... 10

Configuring Basic System Entities
  Browser Requirements ..... 12
  Web Management Interface Overview ..... 13
    Web Interface Layout ..... 16
  Status Environment Overview ..... 17
    System Information ..... 18
    Latest Alerts ..... 19
  Event Log Overview ..... 22
    Log Settings Overview ..... 24
  Active Users Overview ..... 26
    Time and Date Settings ..... 27
      Enabling Network Time Protocol ..... 27
    Using Software and System Settings ..... 28
    Importing a Configuration File ..... 29
    Exporting a Backup Configuration File ..... 30
    Storing Settings ..... 30
    Automatically Storing Settings After Changes ..... 30
    Encrypting the Configuration File ..... 30
  Certificate Management ..... 31
    Generating a Certificate Signing Request ..... 31
    Viewing Certificate and Issuer Information ..... 32
    Importing a Certificate ..... 33
    Adding Additional Certificates in PEM Format ..... 34
  Monitoring Overview ..... 35
  Configuring a Custom Logo ..... 37
  Configuring Diagnostics ..... 38
  Configuring NetExtender ..... 39
    Adding a NetExtender Client Route ..... 40
    Setting Your NetExtender Address Range ..... 40
  Configuring Web Management Ports ..... 44

Configuring SSL-VPN Networks
  Configuring Network Interfaces ..... 45
  Configuring DNS Settings ..... 47
  Configuring Default Routes for the Appliance ..... 48
  Configuring Static Routes for the Appliance ..... 49
  Configuring Host Resolution ..... 50
  Configuring Network Objects ..... 52

Configuring User and Group Access Policies
  Access Policies Concepts ..... 56
  Group Configuration ..... 56
    Add a New Group ..... 57
    Delete a Group ..... 57
    Edit a Group ..... 58
    Edit Group Policies ..... 59
    Configuring Group Bookmarks ..... 60
    Group Configuration for LDAP Authentication Domains ..... 62
      Sample LDAP Attributes ..... 66
      LDAP Attribute Information ..... 66
      Example of LDAP Users and Attributes ..... 67
      Querying an LDAP Server ..... 67
    Group Configuration for Active Directory, NT and RADIUS Domains ..... 68
      Bookmark Support for External (Non-Local) Users ..... 68
  User Configuration ..... 69
    Add a New User ..... 69
    Delete a User ..... 71
    Edit a User ..... 71
      Modifying a User Password and Inactivity Timeout ..... 72
    Edit User Policies ..... 72
      Edit a Policy for a Network Object ..... 74
      Edit a Policy for an IP Address ..... 75
      Edit a Policy for an IP Address Range ..... 75
      Edit a Policy for All Addresses ..... 76
    Edit User Bookmarks ..... 77
    Configuring Login Policies ..... 78
  Global Configuration ..... 82
    Edit Global Settings ..... 82
    Edit Global Policies ..... 83
    Edit Global Bookmarks ..... 84
  Access Policy Hierarchy ..... 86

Configuring Portals, Layouts, and Domains
  Portal Layouts ..... 88
    Viewing the Portal Layout Environment ..... 89
    Configuring a Portal Layout ..... 90
      Configuring the Home Page ..... 91
      Important Information About the Portal Home Page ..... 93
  Authentication Domain Overview ..... 94
    Configuring Internal User Database Authentication ..... 95
    Configuring RADIUS Authentication ..... 96
    Configuring NT Domain Authentication ..... 97
    Configuring LDAP Authentication ..... 98
    Configuring Active Directory Authentication ..... 100
    Active Directory Troubleshooting ..... 101
    Domain Settings Table ..... 101
    Delete a Domain ..... 101

Third-Party Firewall Configuration
  Cisco PIX Configuration for SonicWALL SSL-VPN Appliance Deployment ..... 103
    Before you Begin ..... 103
    Management Considerations for the Cisco Pix ..... 104
    Method One – SonicWALL SSL-VPN Appliance on LAN Interface ..... 104
      Final Config Sample – Relevant Programming in Bold ..... 105
    Method Two – SonicWALL SSL-VPN Appliance on DMZ Interface ..... 107
      Final Config Sample – Relevant Programming in Bold ..... 108
  Linksys WRT54GS ..... 110
  Watchguard Firebox X Edge ..... 111
  Netgear FVS318 ..... 113
  Netgear Wireless Router MR814 SSL configuration ..... 115
  Check Point AIR 55 ..... 116
    Setting up a SonicWALL SSL-VPN with Check Point AIR 55 ..... 116
    Static Route ..... 117
    ARP ..... 117

Index ..... 125
Using This Guide

About this Guide
Welcome to the SonicWALL SSL-VPN Administrator's Guide. This manual provides the information you need to successfully activate, configure, and administer SonicWALL SSL-VPN for the SonicWALL SSL-VPN appliance.

Note: Always check <http://www.sonicwall.com/support/documentation.html> for the latest version of this manual as well as other SonicWALL products and services documentation.

Organization of this Guide
The SonicWALL SSL-VPN Administrator's Guide is structured into the following parts, which follow the structure of the SonicWALL SSL-VPN Web Management Interface.

Part 1 Overview of SSL-VPN
This part provides an overview of the SonicWALL SSL-VPN appliance features and SSL-VPN technology.

Part 2 Configuring Basic System Entities
This part covers SonicWALL SSL-VPN appliance controls for:
• managing system status information
• registering the SonicWALL appliance
• activating and managing SonicWALL Security Services licenses
• configuring SonicWALL appliance local and remote management options
• managing firmware versions and preferences
• configuring a customized logo
• importing certificates
• setting client address ranges for use with NetExtender
Part 3 Configuring SSL-VPN Networks
This part covers configuring the SonicWALL appliance for your network environment. The SonicWALL SSL-VPN appliance interface includes:
• Network Objects - Create reusable network objects representing network resources such as FTP, HTTP, RDP, SSH services, and File Shares.
• Routes - Configure the default gateway and other static routes on the device.
• Host Resolution - Configure hostname and IP address information for internal name resolution.
• DNS Settings - Configure DNS settings to resolve a domain name to an IP address.

Part 4 Configuring User and Group Access Policies
This part covers the configuration of access policies for the SonicWALL SSL-VPN appliance. It also describes how to create bookmarks at the user, group, and global levels on the SSL-VPN appliance.

Part 5 Configuring Portals, Layouts, and Domains
This part covers the configuration of domains, portals, and layouts.

Guide Conventions
The following conventions are used in this guide:
• Bold - Highlights dialog box, window, and screen names. Also highlights buttons. Also used for file names and for text or values you are being instructed to type into the interface.
• Italic - Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence. Also, sometimes indicates the first instance of a significant term or concept.
• Menu Item > Menu Item - Indicates a multiple-step Management Interface menu choice. For example, System > Status means select the Status page under the System menu.
Icons Used in this Manual
These special messages refer to noteworthy information, and include a symbol for quick identification:
• Alert: Important information that cautions about features affecting appliance performance, security features, or causing potential problems with your SonicWALL.
• Tip: Useful information about security features and configurations on your SonicWALL.
• Note: Important information on a feature that requires callout for special attention.
• Cross Reference: Provides a pointer to related information in a companion guide or other resources.

SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at <http://www.sonicwall.com/support/support.html>. Web-based resources are available to help you resolve most technical issues or contact SonicWALL Technical Support. To contact SonicWALL telephone support, see the telephone numbers listed below:

North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819

International Telephone Support
Australia - +1800.35.1642
Austria - +43(0)820.400.105
EMEA - +31(0)411.617.810
France - +33(0)1.4933.7414
Germany - +49(0)1805.0800.22
Hong Kong - +1.800.93.0997
India - +8026556828
Italy - +39.02.7541.9803
Japan - +81(0)3.5460.5356
New Zealand - +0800.446489
Singapore - +800.110.1441
Spain - +34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484

Note: Please visit <http://www.sonicwall.com/support/contact.html> for the latest technical support telephone numbers.
More Information on SonicWALL Products
Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Web: http://www.sonicwall.com
E-mail: sales@sonicwall.com
Phone: (408) 745-9600
Fax: (408) 745-9300

SonicWALL Management Interface
The SonicWALL SSL-VPN appliance's Web-based management interface provides an easy-to-use graphical interface for configuring your SonicWALL SSL-VPN appliance. The interface contains two types of windowing objects:
• Windows, which are primarily read-only and used mostly for obtaining information.
• Dialog boxes, which enable user interaction, mostly to add and change the values that characterize objects, for example, IP addresses, names, and authentication types.

Current Documentation
Check the SonicWALL documentation Web site for the latest versions of this manual and all other SonicWALL product documentation: http://www.sonicwall.com/support/documentation.html
The following is an overview of the key management interface objects, starting with a sample window in the Web-based management interface. Note the various elements of a standard SonicWALL interface window.

(Figure: sample management interface window. Callouts: Location Indicator, Sub-Windows Button, Main Window Area, Navigation Bar, Status Bar.)

The following is a sample dialog box.

(Figure: sample dialog box. Callouts: Title Bar, Region Name, List Box, Fill-In Fields, Checkbox, Buttons, Status Bar.)
Navigating the Management Interface
The SonicWALL management interface is organized as a hierarchy of menu buttons on the navigation bar (left side of your browser window). When you click a menu button, related management functions are displayed as submenu items in the navigation bar, and the first submenu page is displayed automatically. For example, when you click the Network button, the Network > Settings page is displayed. To navigate to another submenu page, click its link. The folder icon to the left of a window name marks the window that is currently open.

Status Bar
The Status bar at the bottom of the management interface window displays the status of actions executed in the SonicWALL management interface.
Applying Changes
Click the Apply button at the top right corner of the SonicWALL management interface to save any configuration changes you made on the page. If the settings are contained in a secondary window within the management interface, the settings are applied to the SonicWALL SSL-VPN appliance automatically when you click OK.
Navigating Tables
Navigate tables in the management interface that have a large number of entries by using the navigation buttons located at the upper right corner of the table. The Log > View page contains an elaborate bank of navigation buttons.

(Figure: Log > View navigation controls. Callouts: Clear Log Button, Search Field, Find Button, Reset Button, Criteria List, Exclude Button, View Page Button.)

Navigation buttons in the Log > View page include the following:
• Find - Enables you to search for log entries containing a specified value, based on a criteria type you select in the criteria list. Criteria include Time, Priority, Source, Destination, and User. Search results are listed in various orders depending on the criteria type.
• Exclude - Enables you to display all log entries except those matching the type specified in the criteria list.
• View Page - Enables you to display a specified page of log entries when there are enough entries that multiple pages appear. If only one page of log entries appears, this control does not appear.
• Reset - Resets the listing of log entries to their default sequence after you have displayed them in an alternate way using the search buttons.
Note the criteria list drop-down list box for searching table pages based on selected criteria types.

Common Icons in the Management Interface
The following describe the functions of common icons used in the SonicWALL management interface:
• Edit icon - Clicking the edit icon displays a window for editing the settings.
• Delete icon - Clicking the delete icon deletes a table entry.
• Comment icon - Moving the pointer over the comment icon displays text from a Comment field entry.

Getting Help
Each SonicWALL appliance includes Web-based on-line help available from the management interface. Clicking the question mark (?) button on the top-right corner of every page accesses the context-sensitive help for the page.

Note: Accessing the SonicWALL SSL-VPN appliance online help requires an active Internet connection.

Logging Out
The Logout button at the bottom of the menu bar terminates the management interface session and ends the browser session.
Overview of SSL-VPN

The SonicWALL SSL-VPN appliance provides organizations with a simple, secure and clientless network and application access solution for remote and mobile employees. Because the solution is clientless, organizations can offer the connection without having to pre-configure a large client installation on each host. Users can easily and securely access e-mail, files, intranet sites, applications, and other resources on the corporate Local Area Network (LAN) from any location simply by using a standard Web browser.

This chapter contains the following sections:

• “What is SSL-VPN?” section on page 2
• “Encryption Overview” section on page 2
• “SSL Handshake Procedure” section on page 2
• “SSL for Virtual Private Networking (VPN)” section on page 3
• “Concepts for the SonicWALL SSL-VPN” section on page 4
• “Deployment Guidelines” section on page 7
• “SSL-VPN Components” section on page 8
What is SSL-VPN?

Organizations use Virtual Private Networks (VPNs) to establish secure, end-to-end private network connections over a public networking infrastructure, allowing them to reduce their communications expenses and to provide private, secure connections between a user and a site in the organization. By offering Secure Sockets Layer (SSL) VPN—without the expense of special feature licensing—the SonicWALL SSL-VPN appliance provides customers with a cost-effective alternative to deploying parallel remote-access infrastructures.

Encryption Overview

Encryption enables users to encode or scramble data, making it secure from unauthorized viewers. Encryption provides a secure means for individuals to communicate privately over the Internet. A special type of encryption known as Public Key Encryption (PKE) uses a public and a private key for encrypting and decrypting data. With public key encryption, an entity, such as a secure Web site, generates a public and a private key. A secure Web server sends a user accessing the Web site a public key. The public key allows the user’s Web browser to decrypt data that had been encrypted with the private key. The user’s Web browser can also transparently encrypt data using the public key, and this data can only be decrypted by the secure Web server’s private key. Public key encryption allows the user to confirm the identity of the Web site through an SSL certificate.

SSL Handshake Procedure

The following example shows the standard steps required to establish an SSL session between a user and an SSL-VPN gateway running SonicWALL SSL-VPN software.

1. When a user attempts to connect to the SonicWALL SSL-VPN appliance, the user’s Web browser sends the appliance encryption information, such as the types of encryption the browser supports.
2. The appliance sends the user its own encryption information, including an SSL certificate with a public encryption key.
3. The Web browser validates the SSL certificate with the Certificate Authority identified by the SSL certificate.
4. The Web browser then generates a pre-master encryption key, encrypts the pre-master key using the public key included with the SSL certificate, and sends the encrypted pre-master key to the SSL-VPN gateway.
5. The SSL-VPN gateway uses the pre-master key to create a master key and sends the new master key to the user’s Web browser.
6. The browser and the SSL-VPN gateway use the master key and the agreed-upon encryption algorithm to establish an SSL connection. From this point on, the user and the SSL-VPN gateway encrypt and decrypt data using the same encryption key. This is called symmetric encryption.
7. Once the SSL connection is established, the SSL-VPN gateway encrypts and sends the Web browser the SSL-VPN gateway Login page.
8. The user submits his user name, password, and domain name.
9. If the user’s domain name requires authentication through a RADIUS, LDAP, NT Domain, or Active Directory server, the SSL-VPN gateway forwards the user’s information to the appropriate server for authentication.
10. Once authenticated, the user can access the SSL-VPN portal.

SSL for Virtual Private Networking (VPN)

A Secure Socket Layer-based Virtual Private Network (SSL-VPN) allows applications and private network resources to be accessed remotely through a secure SSL connection. Using SSL-VPN, mobile workers, business partners, and customers can access files or applications on a company’s extranet or within a private local area network.

Although SSL-VPN protocols are described as clientless, the typical SSL-VPN portal combines Web, Java, and ActiveX components that are downloaded from the SSL-VPN portal transparently, allowing users to connect to a remote network without needing to manually install and configure a VPN client application. In addition, SSL-VPN enables users to connect from a variety of devices, including Windows, Macintosh, and Linux PCs. ActiveX components are only supported on Windows platforms.

The SonicWALL SSL-VPN appliance software provides an end-to-end SSL-VPN solution. It includes a Web-based management interface that can configure SSL-VPN users, access policies, authentication methods, user bookmarks for network resources, and system settings. SonicWALL SSL-VPN software enables users to access, update, upload, and download files and use remote applications installed on desktop machines or hosted on an application server. The platform also supports secure Web-based FTP access, a network-neighborhood-like interface for file sharing, SSH and Telnet emulation, VNC and RDP support, and Web and HTTPS proxy forwarding.

The SonicWALL SSL-VPN NetExtender feature offers full network access to corporate resources. This ActiveX control enables end users to connect to the remote network without needing to install and configure complex software. The client provides a secure means to access any type of data on the remote network.
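The ten handshake steps above, walked through as an added example that is not SonicWALL code and not a real TLS implementation: textbook RSA over small primes found at run time, a SHA-256 key derivation and a hash-counter stream cipher stand in for the real primitives so that the script runs on the Python standard library alone. The CA, the gateway hostname sslvpn.example, the cipher name and the login page are constructed for the demonstration. One point the code makes explicit: in SSL/TLS the master key is never transmitted; both ends derive it from the pre-master key, which only the holder of the certificate’s private key can recover, so the example derives it on both sides and checks that they agree.

```python
"""Toy walk-through of the handshake steps above (added example; not real TLS)."""
import hashlib
import hmac
import math
import secrets

E = 65537                                   # public exponent for both toy keys
RECORD_NONCE = b"srv-record-1"              # per-record nonce for the toy cipher
LOGIN_PAGE = b"<html>SSL-VPN gateway login page</html>"   # constructed sample

def next_prime(n):
    """Smallest prime >= n by trial division; fast enough around 1e6."""
    while any(n % k == 0 for k in range(2, math.isqrt(n) + 1)):
        n += 1
    return n

def make_keypair(seed_p, seed_q, e=E):
    """Return ((n, e), (n, d)); toy-sized keys, far too small for real use."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible mod phi
        q = next_prime(q + 1)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_apply(key, m):
    """Raw RSA: (n, e) encrypts or verifies, (n, d) decrypts or signs."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

def digest_mod(data, n):
    """SHA-256 of data, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(ca_priv, subject, subject_pub):
    """Step 2: a certificate is the gateway's public key signed by a CA."""
    body = f"{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"body": body, "pub": subject_pub,
            "sig": rsa_apply(ca_priv, digest_mod(body, ca_priv[0]))}

def validate_certificate(cert, ca_pub):
    """Step 3: the browser checks the CA signature before trusting the key."""
    return rsa_apply(ca_pub, cert["sig"]) == digest_mod(cert["body"], ca_pub[0])

def derive_master_key(pre_master, client_random, server_random):
    """Step 5: each end computes the master key from the shared pre-master key."""
    return hashlib.sha256(pre_master.to_bytes(8, "big")
                          + client_random + server_random).digest()

def stream_xor(key, nonce, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, nonce, plaintext):
    """Encrypt-then-MAC one record."""
    ct = stream_xor(key, nonce, plaintext)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_record(key, nonce, sealed):
    """Verify the MAC first, then decrypt; any modified record is rejected."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed integrity check")
    return stream_xor(key, nonce, ct)

def run_handshake(pre_master=None):
    """Walk steps 1 to 7 and return what each side ends up holding."""
    ca_pub, ca_priv = make_keypair(1_000_000, 1_000_100)        # trusted CA
    gw_pub, gw_priv = make_keypair(1_000_200, 1_000_300)        # SSL-VPN gateway
    cert = issue_certificate(ca_priv, "sslvpn.example", gw_pub)  # assumed hostname
    # 1. The browser announces the encryption it supports.
    client_hello = {"ciphers": ["TOY-RSA-SHA256-STREAM"], "random": secrets.token_bytes(16)}
    # 2. The gateway answers with its certificate, public key inside.
    server_hello = {"cipher": client_hello["ciphers"][0], "cert": cert,
                    "random": secrets.token_bytes(16)}
    # 3. The browser validates the certificate against the CA it trusts.
    if not validate_certificate(server_hello["cert"], ca_pub):
        raise ValueError("certificate not signed by a trusted CA")
    # 4. The browser picks a pre-master key and sends it under the gateway's public key.
    if pre_master is None:
        pre_master = secrets.randbelow(2 ** 32)
    encrypted_pre_master = rsa_apply(server_hello["cert"]["pub"], pre_master)
    # 5. Only the gateway's private key recovers it; both sides derive the master key.
    gw_pre_master = rsa_apply(gw_priv, encrypted_pre_master)
    client_key = derive_master_key(pre_master, client_hello["random"], server_hello["random"])
    server_key = derive_master_key(gw_pre_master, client_hello["random"], server_hello["random"])
    # 6 and 7. Symmetric session: the gateway encrypts and sends the login page.
    record = seal(server_key, RECORD_NONCE, LOGIN_PAGE)
    return {"client_key": client_key, "server_key": server_key,
            "login_page": open_record(client_key, RECORD_NONCE, record)}
```

Calling run_handshake() returns matching client and server master keys and the decrypted login page. The certificate check in step 3 is the one step a user can undermine by clicking through a browser warning: if validate_certificate is skipped, anything holding a key pair can play the gateway and read the pre-master key, which is why the later management-interface steps that mention a security warning matter for the deployed appliance’s certificate.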
Concepts for the SonicWALL SSL-VPN

The following are key concepts for working with the SonicWALL SSL-VPN appliance.

• “Portals Overview” section on page 4
• “Layouts Overview” section on page 4
• “Domains Overview” section on page 5
• “Typical Deployment” section on page 5
• “NetExtender Overview” section on page 6
• “DNS Overview” section on page 6
• “Network Routes Overview” section on page 6

Portals Overview

The SonicWALL SSL-VPN appliance provides a mechanism called Virtual Office, a portal in the system software that lets you set up a series of links to internal resources in your organization, giving users a convenient way to reach different environments. A portal is the interface with which SSL-VPN users interact. The components of your network to which you provide remote access through the SSL-VPN, such as NetExtender, File Shares, and Network Resources, are presented to users through the portal. The components presented to users through the portal can be customized by defining a portal layout. Portals are customizable using special templates called layouts. For configuration information on Portals, see “Portal Layouts” on page 88.

Layouts Overview

A layout is a template that enables you to configure the presentation of your environment within your SonicWALL SSL-VPN session site. A layout enables you to configure your site title, portal title, banner title, and banner message. It also enables you to set a Virtual Host/Domain Name and create a default portal URL. For configuration information on Layouts, see the “Portal > Portal Layouts Page” section on page 88.

Additionally, a layout enables you to:

• display a customized login page
• display a banner message on a login page
• enable HTTP meta tags for cache control
• enable the ActiveX cache cleaner
• display the Import Self-Signed Certificate link
Domains Overview

A domain in the SonicWALL SSL-VPN environment is a mechanism that enables authentication of users attempting to access the network serviced by the SSL-VPN appliance. Domain types include the SSL-VPN's internal LocalDomain, and the external platforms NT Authentication, LDAP, and RADIUS. Often one domain will suffice to provide authentication for your organization, although a larger organization may require distributed domains to handle multiple nodes or collections of users attempting to access applications through the portal. For configuration information on Domains, see the “Domains Overview” section on page 5.

Typical Deployment

The SonicWALL SSL-VPN is commonly deployed in tandem, in “one-arm” mode, over the DMZ or Opt interface of an accompanying gateway appliance, for example a SonicWALL PRO 2040. The primary interface (X0) on the SSL-VPN connects to an available segment on the gateway device. The encrypted user session is passed through the gateway to the SSL-VPN appliance (step 1). The SSL-VPN decrypts the session and determines the requested resource. The SSL-VPN session traffic then traverses the gateway appliance (step 2) to reach the internal network resources. While the traffic traverses the gateway, security services such as Intrusion Prevention, Gateway Anti-Virus and Anti-Spyware inspection can be applied by appropriately equipped gateway appliances. The internal network resource then returns the requested content to the SSL-VPN appliance through the gateway (step 3), where it is encrypted and returned to the client.

Figure 1 Sequence of Events in Initial Connection

(Diagram: Remote Users, Internet, Router, SonicWALL UTM Security Appliance with WAN, DMZ and LAN zones; SonicWALL SSL-VPN 2000 on the DMZ; Network Nodes on the LAN.)
1. The X0 interface connects to an available segment on the gateway. The encrypted session passes to the SSL-VPN appliance.
2. SSL-VPN traffic traverses the gateway to reach internal network resources.
3. The internal network resource returns content to the SSL-VPN appliance through the gateway.
NetExtender Overview

NetExtender is an SSL-VPN client for Windows users that is downloaded transparently and allows you to run any application securely on the company’s network. It uses a Point-to-Point Protocol (PPP) adapter instance to negotiate ActiveX. NetExtender first queries whether you have the ActiveX component present. After the ActiveX component has been downloaded, NetExtender allows you to install it. You first create a NetExtender tunnel to the remote network and virtually join it, after which users can mount drives, upload and download files, and access resources in the same way as if they were on the local network.

NetExtender requirements for a Windows client are:

• Windows 2000 Professional, Windows XP Home or Professional, Windows 2000 Server, or Windows 2003 Server.
• Internet Explorer 5.0.1 or greater. Downloading and running scripted ActiveX files requires Internet Explorer.
• Administrative privileges are required to install NetExtender.

For information on connecting to NetExtender, see the SonicWALL SSL-VPN User’s Guide.

DNS Overview

You can use the DNS configuration portion of the SonicWALL SSL-VPN software to configure a hostname, DNS server addresses, and WINS server addresses. This enables the device to resolve hostnames to IP addresses.

Network Routes Overview

Configuring a default route allows your SSL-VPN appliance to reach remote IP networks through the designated default gateway. The gateway will typically be the upstream firewall to which the SSL-VPN appliance is connected. In addition to default routes, it is also possible to specify more specific static routes to hosts and networks as a preferred path, rather than using the default gateway.
Deployment Guidelines

The following sections detail deployment guidelines.

Support for Numbers of User Connections

For optimal performance, SonicWALL recommends limiting the number of concurrent user connections to approximately 100 for typical usage scenarios (for example, downloading large files), although the appliance can handle a higher number of concurrent connections. Other factors, such as the complexity of the applications in use and the sharing of large files, also affect performance.

Resource Type Support

The following table details the different ways you can access resources through the SonicWALL SSL-VPN appliance.

Access Mechanism                          Access Types
Standard Web browser                      • Files and file systems, including support for FTP and Windows Network File Sharing.
                                          • Web-based applications.
                                          • Microsoft Outlook Web Access and other Web-enabled applications.
                                          • HTTP and HTTPS intranets.
SonicWALL NetExtender (ActiveX client)    • Any TCP/IP based application, including:
                                            – Email access through native clients residing on the user’s laptop (Microsoft Outlook, Lotus Notes, etc.).
                                            – Commercial and home-grown applications.
                                          • Flexible network access as granted by the network administrator.
Downloadable ActiveX or Java Client       • An application installed on desktop machines or hosted on an application server; remote control of remote desktop or server platforms.
                                          • Terminal services, VNC, Telnet, and SSH.

Integration with SonicWALL Products

The SonicWALL SSL-VPN appliance integrates with other SonicWALL products, complementing the SonicWALL PRO and TZ Series product lines. Incoming HTTPS traffic is redirected by a SonicWALL firewall appliance to the SonicWALL SSL-VPN appliance. The SSL-VPN appliance then decrypts the traffic and passes it back to the firewall, where it can be inspected on its way to internal network resources.
SSL-VPN Components

The SonicWALL SSL-VPN provides clientless, identity-based secure remote access to your protected internal network. Using the Virtual Office environment, SonicWALL SSL-VPN can provide users with secure remote access to your entire private network, or to individual components such as file shares, Web servers, FTP servers, remote desktops, or even individual applications hosted on Microsoft Terminal Servers. These various methods of secure remote access are provided by the following components:

• NetExtender
• File Shares
• Network Resources

NetExtender Concepts

NetExtender can provide remote users with full access to your protected internal network. The experience is virtually identical to that delivered by traditional IPSec VPN clients, but NetExtender does not require any manual client installation. Instead, the NetExtender client is automatically installed on a remote user’s PC as an ActiveX component which instantiates a virtual adapter for SSL-secured point-to-point access to permitted hosts and subnets on the internal network.

File Shares

File shares provide remote users with a secure Web interface to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft’s familiar Network Neighborhood or My Network Places, File Shares allow users with appropriate permissions to browse network shares; rename, delete, retrieve, and upload files; and create bookmarks for later recall.
Network Resources

Network Resources are the more finely granular components of a trusted network which can be accessed through the SSL-VPN. Network Resources can be pre-defined by the administrator and assigned to users or groups as bookmarks, or users can define and bookmark their own Network Resources. Network Resources comprise the following remote access capabilities:

Resource Type     Description
HTTP (Web)        Proxy access to an HTTP server on the internal network, or any other network segment that can be reached by the SSL-VPN appliance, including the Internet. The remote user communicates with the SSL-VPN appliance by HTTPS and requests a URL, which is then retrieved over HTTP by the SSL-VPN. It is then transformed as needed and returned encrypted to the remote user.
HTTPS (Web)       Proxy access to an HTTPS server on the internal network, or any other network segment that can be reached by the SSL-VPN appliance, including the Internet.
Telnet (Java)     A Java-based Telnet client delivered through the remote user’s Web browser. The remote user can specify the IP address of any accessible Telnet server; the SSL-VPN makes a connection to the server and then proxies the communications between the user (over SSL) and the server (using native Telnet).
SSH (Java)        A Java-based SSH client delivered through the remote user’s Web browser. The remote user can specify the IP address of any accessible SSH server; the SSL-VPN makes a connection to the server and then proxies the communications between the user (over SSL) and the server (using natively encrypted SSH).
FTP (Web)         Proxy access to an FTP server on the internal network, or any other network segment that can be reached by the SSL-VPN appliance, including the Internet. The remote user communicates with the SSL-VPN appliance by HTTPS and requests a URL, which is then retrieved from the FTP server by the SSL-VPN, transformed as needed, and returned encrypted to the remote user.
Remote Desktop    Remote Desktop provides remote users with access to RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing) capable workstations and servers on the internal network, approximating the experience of being at the computer. See the section below for details on Remote Desktop protocols.
Applications      Applications are RDP sessions to a specific application rather than to the entire desktop. This allows administrators and users to define access to an individual application, such as CRM or accounting software, without the need for the remote user to navigate the entire desktop. When the application is closed, the session closes. See the section below for details on Applications protocols.
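Because the HTTP, HTTPS, FTP, Telnet and SSH resources in the table above proxy to whatever the appliance can reach, including the Internet, the access-policy layer has to decide per request whether the destination is one the administrator has actually published. The following is an added example of such a destination check, not the SonicWALL SSL-VPN’s own implementation: the network objects (which, like the guide’s Network Objects, bind addresses to services), the offline resolver table, the service names, the default ports and the targets are all constructed for the demonstration.

```python
"""Destination allow-list check for proxied Network Resources (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed network objects: each binds a service to permitted addresses and ports.
NETWORK_OBJECTS = [
    {"name": "intranet-web", "service": "http",  "network": "10.10.0.0/16",  "ports": {80}},
    {"name": "intranet-ssl", "service": "https", "network": "10.10.0.0/16",  "ports": {443}},
    {"name": "build-ssh",    "service": "ssh",   "network": "10.20.5.0/24",  "ports": {22}},
    {"name": "ftp-drop",     "service": "ftp",   "network": "10.30.0.10/32", "ports": {21}},
]

# Constructed stand-in for DNS so the example runs offline.
RESOLVER = {
    "wiki.corp.example": "10.10.4.7",
    "build.corp.example": "10.20.5.9",
    "files.corp.example": "10.30.0.10",
    "metadata.corp.example": "169.254.169.254",   # a name that resolves outside any policy
}

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "telnet": 23, "ssh": 22}

def resolve(host):
    """Return an ipaddress object for an IP literal or a name in RESOLVER, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(RESOLVER[host]) if host in RESOLVER else None

def parse_request(service, target):
    """Normalise a bookmark target into (host, port), or None if malformed."""
    if service in ("http", "https", "ftp"):
        parts = urlsplit(target if "://" in target else f"{service}://{target}")
        try:
            port = parts.port
        except ValueError:                 # non-numeric or out-of-range port
            return None
        if parts.scheme != service or not parts.hostname:
            return None
        return parts.hostname, port or DEFAULT_PORTS[service]
    host, _, port = target.partition(":")  # telnet/ssh targets: "host" or "host:port"
    if not host or (port and not port.isdigit()):
        return None
    return host, int(port) if port else DEFAULT_PORTS[service]

def check_destination(service, target, objects=NETWORK_OBJECTS):
    """Return (allowed, reason). Default deny: only a matching object permits."""
    parsed = parse_request(service, target)
    if parsed is None:
        return False, "malformed target or scheme does not match the service"
    host, port = parsed
    addr = resolve(host)
    if addr is None:
        return False, f"cannot resolve {host}"
    # Addresses that no published resource should ever point at.
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False, f"{addr} is a reserved address"
    for obj in objects:
        if (obj["service"] == service and port in obj["ports"]
                and addr in ipaddress.ip_network(obj["network"])):
            return True, f"permitted by network object {obj['name']}"
    return False, f"{service} to {addr}:{port} matches no network object"
```

Two design points carry over to any real gateway: the decision is made on the resolved address rather than on the name, and the connection should then be opened to that same checked address rather than resolving the name a second time; and the default is deny, so a resource reachable by the appliance is still unreachable to users until an administrator publishes it as a network object.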
Remote Desktop Protocols

Most modern Microsoft workstations and servers have RDP server capabilities which can easily be enabled for remote access, and there are a number of freely available VNC server options that can be easily obtained and installed on most operating systems. The RDP and VNC clients are automatically delivered to authorized remote users through their Web browser in the following formats:

• RDP4 (Java) - RDP4 is an earlier version of Microsoft’s Remote Desktop Protocol, and has the advantage of broad platform compatibility because it can be provided in a Java client. RDP4 differs from RDP5 in that RDP4 cannot support full-screen modes, and does not support sound in the RDP session.
• RDP5 (ActiveX) - RDP5 is the current version of Microsoft’s Remote Desktop Protocol, and because of its richer set of capabilities (such as session sound and full-screen mode), is only available in an ActiveX client.
• VNC (Java) - VNC was originally developed by AT&T, but is today widely available as open source software. Any one of the many variants of VNC server available can be installed on almost any workstation or server for remote access. The VNC client used to connect to those servers is delivered to remote users through the Web browser as a Java client.

Applications Protocols

The following are Applications protocols:

• RDP (Java) - Uses the Java-based RDP4 client to connect to the terminal server, and to automatically invoke an application at the specified path (for example, C:\program files\microsoft office\office11\winword.exe).
• RDP5 (ActiveX) - Uses the ActiveX-based RDP5 client to connect to the terminal server, and to automatically invoke an application at the specified path (for example, C:\program files\ethereal\ethereal.exe).
Configuring Basic System Entities

Before beginning to configure your SonicWALL SSL-VPN appliance, you will find it helpful to review several tools that are part of the SonicWALL SSL-VPN management interface environment. This chapter contains the following sections:

• “Browser Requirements” section on page 12
• “Web Management Interface Overview” section on page 13
• “Status Environment Overview” section on page 17
• “Event Log Overview” section on page 22
• “Active Users Overview” section on page 26
• “Using Software and System Settings” section on page 28
• “Certificate Management” section on page 31
• “Monitoring Overview” section on page 35
• “Configuring a Custom Logo” section on page 37
• “Configuring Diagnostics” section on page 38
• “Configuring NetExtender” section on page 39
Browser Requirements

The following Web browsers are supported for the Web management interface and the SSL-VPN portal. Note that Java is only required for various aspects of the SSL-VPN portal, not for the Web management interface.

Table 1 Supported Browser and Java Settings

Platform               Attribute   Setting
Microsoft Windows      Browser     • Internet Explorer 5.0.1 or higher, Mozilla 1.x, or Netscape 7.0 or higher
                                   • Opera 7.0 or higher
                                   • FireFox 1.0 or higher
                       Java        • Sun JRE 1.3.1 or higher
                                   • Microsoft JVM 5 or higher
Apple MacOS X          Browser     • Safari 1.2 or higher
                       Java        • Sun JRE 1.1 or higher
Unix, Linux, or BSD    Browser     • Mozilla 1.x or Netscape 7.0 or higher
                                   • Safari 1.2 or higher
                       Java        • Sun JRE 1.1 or higher

To configure SonicWALL SSL-VPN software, an administrator must use a Web browser with JavaScript, cookies, and SSL enabled.
Web Management Interface Overview

The following is an overview of a basic session that connects you to the Web-based management interface of the SonicWALL SSL-VPN appliance. For more detailed information on establishing a management session and basic setup tasks, see the SonicWALL SSL-VPN 2000 Getting Started Guide.

To access the Web-based management interface of the SSL-VPN:

1. Connect one end of a cross-over cable to the X0 port of your SonicWALL SSL-VPN appliance. Connect the other end of the cable to the computer you are using to manage the SonicWALL SSL-VPN appliance.

Figure 2 Cross-Over Cable Connecting X0 Port to Management Station
(Diagram: SonicWALL SSL-VPN 2000 X0 port connected by cross-over cable to the Management Station.)

2. Set the computer you use to manage your SonicWALL SSL-VPN appliance to have a static IP address in the 192.168.200.x/24 subnet, such as 192.168.200.20. For help with setting up a static IP address on your computer, refer to the SonicWALL SSL-VPN 2000 Getting Started Guide.

Note: A Web browser supporting Java and HTTP uploads, such as Internet Explorer 5.0.1 or higher, Netscape Navigator 4.7 or higher, Mozilla 1.7 or higher, or Firefox, is recommended.

3. Open a Web browser and enter https://192.168.200.1 (the default LAN management IP address) in the Location or Address field.
4. A security warning may appear. Click the Yes button to continue.
Figure 3 Security Warning During Access to the IP Address

Note: While these browsers are acceptable for use in configuring your SonicWALL SSL-VPN appliance, end users will need to use IE 5.0.1 or higher, supporting JavaScript, Java, cookies, SSL and ActiveX, in order to take advantage of the full suite of applications.

5. The SonicWALL SSL-VPN Management Interface displays and prompts you to enter your user name and password. Enter admin in the User Name field, password in the Password field, select LocalDomain from the Domain drop-down list and click the Login button.

Figure 4 Login Screen
The default page displayed is the System > Settings page. See the “Status Environment Overview” section on page 17 for more details on this page.

Note: If the Virtual Office portal home page is the first page displayed after you log in, you have selected a domain with user-only privileges. Administration can only be performed from the LocalDomain authentication domain. If you wish to log in as an administrator, make sure you select LocalDomain from the Domain list box in the Login screen.

The System, Network, Portal, NetExtender, Users, Log, and Virtual Office menus on the left side of the browser window configure administrative settings. When one of the navigation menus is clicked, new navigation links are displayed. Click the navigation links to view the corresponding management windows.

The Online Help option in the navigation menu displays context-sensitive online help. Refer to the online help for administrative information and instructions.

A Logout option at the bottom of the navigation menu terminates the management session and redisplays the Authentication window. If you click Logout, you must re-authenticate in order to manage the system.
Web Interface Layout

The following table details the SonicWALL SSL-VPN Web interface layout.

Table 2 Web Interface Layout for the SSL-VPN Appliance

Top Menu         Menu Option        Description
System           Status             Displays status of the appliance.
                 Time               Configures time parameters.
                 Settings           Imports, exports, and stores settings.
                 Certificates       Imports or generates a certificate.
                 Monitoring         Displays graphs of bandwidth usage, active concurrent users, CPU utilization, and memory utilization.
                 Diagnostics        Runs diagnostics sessions.
                 Restart            Restarts the system.
Network          Interfaces         Configures interfaces on the appliance.
                 DNS                Configures the appliance to resolve domain names.
                 Routes             Sets default and static routes.
                 Host Resolution    Resolves hostnames.
                 Network Objects    Creates reusable entities that bind IP addresses to services.
Portal           Portal Layouts     Creates a customized landing page for your users when they are redirected to the SonicWALL SSL-VPN for authentication.
                 Domains            Creates authentication domains that enable you to create access policies.
                 Custom Logo        Creates a logo for your organization on your portal page.
NetExtender      Client Routes      Creates client routes for use with the NetExtender application.
                 Client Addresses   Creates client addresses for use with the NetExtender application.
Users            Status             Displays status of users and groups.
                 Local Users        Configures local users.
                 Local Groups       Configures local groups.
Log              View               Displays syslog entries that have been generated by the device.
                 Settings           Configures settings for the log environment.
Virtual Office                      Accesses the Virtual Office portal home page.
Online Help                         Accesses online help.
Logout                              Logs out of the appliance.
Status Environment Overview

The System > Status page is the starting point for working in the SonicWALL SSL-VPN environment. It provides details that help you understand what is occurring on your SonicWALL SSL-VPN appliance. The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL SSL-VPN appliance and SonicWALL Security Services licenses. It includes status information about your SonicWALL appliance organized into six sections: System Messages, Latest Alerts, System Information, Licenses and Registration, and Network Interfaces.

Figure 5 System > Status Page
(Callouts: System Information region, Latest Alerts region, System Messages region, Licenses & Registration region, Network Interfaces region.)

The following table details the regions in the System > Status page.
Table 3 System > Status Page Regions

Region                   Description
System Information       Displays basic, standard details about the specific SSL-VPN appliance you have. Details include the model number, the serial number, the authentication code, the firmware version currently on the appliance, the ROM version, the CPU utilization and total memory usage on the appliance (both from the System > Monitor page), the system date and time, the amount of time elapsed since the system first booted (up time), and the number of active users.
Latest Alerts            Displays text about recent invasive events, mostly about irregular system behavior or errors. Includes the date and time of the event, the host of the user from which the event was generated, and a brief text message characterizing the event.
System Messages          Displays text about recent events on the SSL-VPN appliance, mostly system setting changes.
Licenses & Registration  Displays the appliance serial number and authentication code, the registration status, and the user license. It also provides a field in which to enter a registration code to manually register the appliance.
Network Interfaces       Displays a list of the interfaces on the appliance with the IP addresses configured on them and their current link status.

System Information

The following information is displayed in this section:

Table 4 System Information

Field                Description
Model                The type of SonicWALL SSL-VPN appliance.
Serial Number        The serial number or the MAC address of the SonicWALL appliance.
Authentication Code  The alphanumeric code used to authenticate the SonicWALL appliance on the registration database at <https://www.mysonicwall.com>.
Firmware Version     The firmware version loaded on the SonicWALL appliance.
ROM Version          Indicates the ROM version.
CPU                  The average CPU usage over the last 5 minutes and the type of the SonicWALL appliance processor.
System Time          The current time of day.
Up Time              The number of days, hours, minutes, and seconds that the SonicWALL SSL-VPN appliance has been active since its initial bootup.
Active Users         The number of users who are currently logged into the SonicWALL SSL-VPN appliance.
Latest Alerts

Any messages relating to system events or errors are displayed in this section. Attack messages include AV alerts, forbidden e-mail attachments, fraudulent certificates, etc. Clicking the blue arrow displays the Log > Log View page. Fields in the Latest Alerts section are:

• Date/Time - The date and time when the message was generated.
• User - The name of the user who attempted to perform the task that generated the message.
• Message - The actual message describing the error.

Registering Your SonicWALL SSL-VPN Appliance

Once you have established your Internet connection, it is recommended that you register your SonicWALL SSL-VPN appliance. Registering your SonicWALL appliance provides the following benefits:

• Access to SonicOS firmware updates
• SonicWALL technical support
• (If you have purchased a SonicWALL firewall to accompany the SonicWALL SSL-VPN appliance) A FREE 30-day trial of SonicWALL Intrusion Prevention Service, SonicWALL Gateway Anti-Virus, Content Filtering Service, and Network Anti-Virus

Before You Register

If your SonicWALL SSL-VPN appliance is not registered, the following message is displayed in the Licenses & Registration region on the System > Status page in the SonicWALL management interface:

Your SonicWALL is not registered. Click here to Register your SonicWALL.

You need a mySonicWALL.com account to register the SonicWALL appliance. If your SonicWALL appliance is connected to the Internet, you can create a mySonicWALL.com account and register your SonicWALL appliance directly from the SonicWALL management interface. If you already have a mySonicWALL.com account, you can register the SonicWALL appliance directly from the management interface. Your mySonicWALL.com account is accessible from any Internet connection by pointing your Web browser to <https://www.mysonicwall.com>.
mySonicWALL.com uses the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your sensitive information.

Note: Make sure the Time and DNS settings on your SonicWALL appliance are correct when you register the device. You can view and set the time in the System > Time page and the DNS settings in the Network > DNS page.

Note: mySonicWALL.com registration information is not sold or shared with any other company.

You can also register your appliance at the <https://www.mysonicwall.com> site by using the Serial Number and Authentication Code displayed in the Licenses & Registration region on the System > Status page. Click the SonicWALL link to access your mySonicWALL.com account. You will be given a registration code after you have registered your appliance. Enter the registration code in the field below the “You will be given a registration code, which you should enter below” heading, then click Update.
Creating a mySonicWALL.com Account

Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL management interface.

To create a mySonicWALL.com account from the SonicWALL management interface:
1. In the Licenses & Registration region on the System > Status page, click the Register link in "Your SonicWALL is not registered. Click here to Register your SonicWALL."
Figure 6 Licenses & Registration Region
2. Click the here link in "If you do not have a mySonicWALL account, please click here to create one" on the mySonicWALL Login page.
Figure 7 mySonicWALL.com Login Form
3. In the MySonicWALL Account page, enter your information in the Account Information, Personal Information and Preferences fields of the mySonicWALL.com account form. All fields marked with an * are required fields.
Note: Remember your username and password to access your mySonicWALL.com account.
4. Click Submit after completing the MySonicWALL Account form.
5. When the mySonicWALL.com server has finished processing your account, a page is displayed confirming that your account has been created. Click Continue.
6. Congratulations! Your mySonicWALL.com account is activated. Now you need to log into mySonicWALL.com from the management interface to register your SonicWALL appliance.
Registering Your SonicWALL Appliance

If you already have a mySonicWALL.com account, follow these steps to register your appliance:
1. In the Security Services section on the System > Status page, click the Register link in "Your SonicWALL is not registered. Click here to Register your SonicWALL." The mySonicWALL Login page is displayed.
Figure 8 Security Services Region
2. In the mySonicWALL.com Login page, enter your mySonicWALL.com username and password in the User Name and Password fields and click Submit.
3. The next several pages inform you about free trials available to you for SonicWALL’s Security Services. Click Continue on each page.
4. At the top of the Product Survey page, enter a friendly name for your SonicWALL appliance in the Friendly name field, and complete the optional product survey.
5. Click Submit.
6. When the mySonicWALL.com server has finished processing your registration, a page is displayed confirming that your SonicWALL appliance is registered.
7. Click Continue. The Manage Services Online table on the System > Licenses page is now displayed.
Event Log Overview

The SonicWALL SSL-VPN appliance maintains an event log for tracking system events, for example, unsuccessful login attempts, NetExtender sessions, and logout events. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving.
Figure 9 Log > View Page

The log is displayed in a table and can be sorted by column. The SonicWALL appliance can alert you of events, such as a successful login or an exported configuration. Alerts can be immediately e-mailed, either to an e-mail address or to an e-mail pager.

Each log entry contains the date and time of the event and a brief message describing the event. The Log View page displays log messages in a sortable, searchable table. The SonicWALL SSL-VPN appliance can store 250 Kbytes of log data, or approximately 1,000 log messages. Once the log file reaches the log size limit, the log is cleared and optionally emailed to the SonicWALL SSL-VPN administrator.

Each log entry displays the following information:

Table 5 Log View Columns
Column - Description
Time - The time stamp displays the date and time of log events in the format YY/MM/DD/HH/MM/SS (Year/Month/Day/Hour/Minute/Second). Hours are displayed in 24-hour clock format. The date and time are based on the local time of the SSL-VPN gateway, which is configured in the System > Time page.
Priority - The level of severity associated with the event. Severity levels can be Emergency, Alert, Critical, Error, Warning, Notice, Information, and Debug.
Source - The Source IP address shows the IP address of the device of the user or administrator that generated the log event. The source IP address may not be displayed for certain events, such as system errors.
Destination - The Destination IP address shows the name or IP address of the server or service associated with the event. For example, if a user accessed an Intranet Web site through the SSL-VPN portal, the corresponding log entry would display the IP address or Fully Qualified Domain Name (FQDN) of the Web site accessed.
User - The name of the user who was logged into the appliance when the message was generated.
Message - The text of the log message.
Log Settings Overview

SonicWALL SSL-VPN supports Web based logging, syslog logging and email alert messages. In addition, SonicWALL SSL-VPN may be configured to email the event log file to the SSL-VPN administrator before the log file is cleared.

Syslog is an industry-standard logging protocol that records system and networking activity. The syslog messages are sent in WELF (WebTrends Enhanced Log Format), so most standard firewall and network reporting products can accept and interpret the log files. The syslog service transmits syslog messages to external syslog server(s) listening on UDP port 514.
Figure 10 Log > Settings Page

To configure log and alert settings, complete the following steps:
1. To begin configuring event log, syslog and alert settings, navigate to the Log > Settings page.
2. Enter the IP address or fully qualified domain name (FQDN) of your syslog server in the Primary Syslog Server field. Leave this field blank if you do not require syslog logging.
3. If you have a backup or second syslog server, enter the server’s IP address or domain name in the Secondary Syslog Server field.
4. To receive event log files via email, enter your full email address (username@domain.com) in the Email Event Logs to field in the Event Logging and Alerts region. The event log file will be emailed to the specified email address before the event log is cleared. If this field is left blank, log files will not be emailed.
5. To receive alert messages via email, enter your full email address (username@domain.com) or an email pager address in the Email Alerts to field. An email will be sent to the specified address when an alert event occurs. Define the types of events that generate alert messages in the Log and Alert Categories region of the Log > Settings page. If this field is left blank, alert messages will not be emailed.
6. To email log files or alert messages, enter the domain name or IP address of your mail server in the Mail Server field. If this field is left blank, log files and alert messages will not be emailed.
7. Designate when log files will be cleared and emailed to an administrator in the Send Event Logs field. If the "When Full" option is selected, the event log is emailed and then cleared when the log file is full. If the "Daily" or "Weekly" option is selected, the log file is emailed and deleted on a daily or weekly basis. If "Daily" or "Weekly" is chosen, the log file will still be cleared if it becomes full before the end of the period.
8. In the Log > View page, you can click the Clear Log button to delete the current event log. The event log will not be emailed.
9. Define the severity level of log messages that will be identified as syslog, event log or alert messages in the Log and Alert Categories region of the Log > Settings page. Log categories are organized from most to least critical. If a category is selected for a specific logging service, then that log category and all more critical events will be logged. For example, if the Error radio button is selected for the Event Log service, then all Emergency, Alert, Critical, and Error events will be stored in the internal log file.
10. Click Apply to update your configuration settings.

Navigating and Sorting Log View Table Entries

The Log View drop-down list provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the facilities described in the following table:

Table 6 Log Table Navigation Facilities
Navigation Button - Description
Find - Enables you to search for log entries containing a specified value, based on a criteria type you select in the criteria list. Criteria include Time, Priority, Source, Destination, and User. Search results are listed in different orders depending on the criteria type.
Exclude - Enables you to display all log entries except those of the type specified in the criteria list.
View Page - Enables you to display a specified page of log entries when there are enough entries that multiple pages appear. If only one page of log entries appears, this facility does not appear.
Reset - Resets the listing of log entries to their default sequence after you have displayed them in an alternate way using the search buttons.
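The severity-threshold rule from step 9 above and the 250 Kbyte / 1,000 message limit described under the Log View columns can be modelled together. The following Python is an added example, not SonicWALL code or appliance output: it parses constructed WELF-style key=value lines (the field names id, time, pri, src, user and msg are assumptions, as is carrying the severity as a syslog-style number in pri), routes each line to the event log, syslog and alert services according to a per-service threshold, and hands the event log to an on_full callback and clears it once either limit is reached, as the guide describes for the "When Full" setting.

```python
"""Added example (not SonicWALL code): severity-threshold routing and a
size-capped event log modelled on the Log > Settings behaviour.
The WELF-style field names (id, time, pri, src, user, msg) and the sample
lines are constructed for illustration."""
import re
from typing import Callable, Dict, List, Optional

# Severity levels in the order the guide lists them, most to least critical.
# Index 0 is Emergency and index 7 is Debug, the same order as syslog numeric
# priorities, which is what the constructed sample lines carry in pri=.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Information", "Debug"]

# key=value pairs; values may be double-quoted and contain spaces.
_WELF_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines in a WELF-like key=value layout.
SAMPLE_LINES = [
    'id=sslvpn time="2006-04-20 09:15:02" pri=3 src=10.1.1.5 user=alice msg="Login failed"',
    'id=sslvpn time="2006-04-20 09:15:40" pri=6 src=10.1.1.5 user=alice msg="User login successful"',
    'id=sslvpn time="2006-04-20 09:16:10" pri=1 src=10.1.1.9 user=bob msg="Fraudulent certificate presented"',
    'id=sslvpn time="2006-04-20 09:17:00" pri=7 msg="Debug trace"',
]


def parse_welf(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, stripping quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, value in _WELF_FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def passes(threshold: str, level: str) -> bool:
    """True when `level` is at least as critical as the selected `threshold`.
    Selecting Error keeps Emergency, Alert, Critical and Error, as the guide says."""
    return SEVERITIES.index(level) <= SEVERITIES.index(threshold)


class EventLog:
    """Internal event log with the guide's limits: about 250 Kbytes or roughly
    1,000 messages. When either limit is reached it hands the entries to
    on_full (the 'email to the administrator' step) and then clears itself."""
    MAX_BYTES = 250 * 1024
    MAX_MESSAGES = 1000

    def __init__(self, on_full: Optional[Callable[[List[str]], None]] = None):
        self.entries: List[str] = []
        self.size = 0
        self.on_full = on_full
        self.flushes = 0  # how many times the log was emailed and cleared

    def append(self, line: str) -> None:
        self.entries.append(line)
        self.size += len(line.encode("utf-8"))
        if self.size >= self.MAX_BYTES or len(self.entries) >= self.MAX_MESSAGES:
            self.flush()

    def flush(self) -> None:
        if self.on_full is not None:
            self.on_full(list(self.entries))
        self.flushes += 1
        self.entries.clear()
        self.size = 0


def route(lines: List[str], thresholds: Dict[str, str],
          event_log: EventLog) -> Dict[str, List[str]]:
    """Deliver each line to every service whose threshold it meets.
    `thresholds` maps a service ('event_log', 'syslog', 'alert') to the
    severity radio button selected for it on Log > Settings."""
    delivered: Dict[str, List[str]] = {svc: [] for svc in thresholds}
    for line in lines:
        level = SEVERITIES[int(parse_welf(line)["pri"])]
        for svc, threshold in thresholds.items():
            if passes(threshold, level):
                delivered[svc].append(line)
                if svc == "event_log":
                    event_log.append(line)
    return delivered


if __name__ == "__main__":
    log = EventLog(on_full=lambda entries: print(f"emailing {len(entries)} entries"))
    out = route(SAMPLE_LINES,
                {"event_log": "Error", "syslog": "Information", "alert": "Alert"}, log)
    for svc, lines in out.items():
        print(svc, len(lines))
```

With the thresholds shown, the Error-level failed login and the Alert-level certificate message reach the event log, everything but the Debug trace reaches syslog, and only the certificate message triggers an alert. Because the appliance sends syslog over UDP port 514, the transport itself neither authenticates the sender nor protects the contents; a collector applying a parser like parse_welf belongs on a trusted network segment and should treat the user and src fields as reported rather than verified values.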
Active Users Overview

The Users > Status page displays the active users and administrators logged into the SonicWALL SSL-VPN appliance.
Figure 11 Users > Status Page

The Active User Sessions window displays the current users or administrators logged into the SonicWALL SSL-VPN appliance portal or the administrative interface. It includes the following columns of information:

Table 7 Active User Information
Column - Description
Name - A string that indicates the ID of the user.
Group - The group to which the user belongs.
IP Address - The IP address of the workstation from which the user is logged in.
Login Time - The time when the user first established a connection with the SonicWALL SSL-VPN appliance, expressed as day, date, and time (HH:MM:SS).
Logged In - The amount of time since the user first established a connection with the SonicWALL SSL-VPN appliance, expressed as a number of days and a time (HH:MM:SS).
Idle Time - The amount of time the user has been in an inactive or idle state with the SonicWALL SSL-VPN appliance.
Logout - Displays an icon that enables you to log the user out of the appliance.

Each entry displays the name of the user, the group to which the user belongs, the IP address of the user and a time stamp indicating when the user logged in. An administrator may terminate a user session and log the user out by clicking the Trashcan icon at the right of the user row. For more detail on current users on the SSL-VPN appliance, see the "User Configuration" section on page 69 in Chapter 4.
Time and Date Settings

Configure the time and date settings by navigating to the System > Status page. The appliance uses the time and date settings to timestamp log events and for other internal purposes. To configure the time and date settings, perform the following steps:
1. Select your time zone in the Select Your Time Zone drop-down menu.
2. To manually define the time and date settings, enter the desired time (in 24-hour format) and the date.
3. Click Apply to update the configuration.
Figure 12 System > Time Page

Enabling Network Time Protocol

If you enable Network Time Protocol (NTP), the NTP time settings override the manually configured time settings. The NTP time settings are determined by the NTP server and the time zone selected in the Select Your Time Zone menu. To set the time of the appliance using NTP, perform the following steps:
1. Check the Automatically synchronize with an NTP server checkbox.
2. Enter the interval in seconds at which to synchronize time settings with the NTP server in the Update Interval field. If no period is defined, the appliance uses the default update interval, 64 seconds.
3. Enter the NTP server IP address or fully qualified domain name (FQDN) in the NTP Server 1 field.
4. For redundancy, enter backup NTP server addresses in the NTP Server Address 2 and 3 (Optional) fields.
5. Click Apply to update the configuration.

Using Software and System Settings

You can perform a number of tasks from the System > Settings page that work with the current system configuration of the SonicWALL SSL-VPN appliance. They are:
• Importing a Configuration File
• Exporting a Backup Configuration File
• Storing Settings
• Encrypting File Settings
• Automatically Storing Settings After Making a Change
Figure 13 System > Settings Page
Importing a Configuration File

You may save the configuration settings to a backup file and then import the settings from this saved configuration file later. The backup file is called sslvpnSettings.zip by default. To import a configuration file, perform the following steps:
1. Go to the System > Settings page.
2. To save a backup version of the configuration, click Import Settings. SonicWALL SSL-VPN displays the Import Settings dialog box.
Figure 14 Import Settings Form
3. Click Browse to navigate to the location of the settings file you want to import. The file can have any name.
4. Click Upload. SonicWALL SSL-VPN SonicOS imports the settings from the file and reconfigures the appliance with those settings.
Note: Make sure you are ready to reconfigure your system. Once you import the file, the system overwrites the existing settings immediately.
5. Once the file has been imported, restart the appliance to make the changes permanent.
Exporting a Backup Configuration File

You may save the configuration settings, or export them to a backup file, and then import the saved configuration file later. The backup file is called sslvpnSettings.zip by default. To export a backup configuration file, perform the following steps:
1. Go to the System > Settings page.
2. To save a backup version of the configuration, click Export Settings. Your browser asks whether you want to open the configuration file.
Figure 15 Opening sslvpnSettings.zip Dialog Box
3. Click the Save to Disk radio button and click Ok.
4. Choose the location to save the configuration file. The file is named sslvpnSettings.zip by default, but it can be renamed.
5. Click Save to save the configuration file.

Storing Settings

To store the settings you created in your recent configuration session, simply click Store.

Automatically Storing Settings After Changes

The System > Settings page provides a way to save the current configuration to flash memory. Simply check the checkbox entitled Automatically store settings after changes, and the system saves the configuration to a file in flash memory so that if the appliance is rebooted, the latest configuration will be reloaded. If you do not enable this checkbox, the system prompts you to save settings every time you attempt to reboot the SonicWALL SSL-VPN appliance.

Encrypting the Configuration File

For security purposes, you can encrypt the configuration files in the System > Settings page. However, if the configuration files are encrypted, they cannot be edited or reviewed for troubleshooting purposes. To encrypt the configuration files, check the Encrypt settings file checkbox.
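Because an import overwrites the running configuration immediately, it is worth being able to prove that the sslvpnSettings.zip you are about to upload is the one you exported. The following Python is an added example, not SonicWALL code: it writes a SHA-256 sidecar next to a backup at export time and, before an import, checks the sidecar and the zip's own CRCs. Only the default file name comes from the guide; the archive contents built by make_sample_export are constructed stand-ins, since the real layout of the export is not documented on this page.

```python
"""Added example (not SonicWALL code): record a SHA-256 sidecar for an
exported settings backup and verify the file before it is uploaded on
System > Settings. Only the default name sslvpnSettings.zip comes from the
guide; the archive contents built here are constructed stand-ins."""
import hashlib
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


def make_sample_export(path: Path) -> None:
    """Constructed stand-in for an export; the real archive layout is not documented here."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("settings.xml", "<settings><portal name='example'/></settings>")


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sidecar_for(path: Path) -> Path:
    return path.parent / (path.name + ".sha256")


def record_backup(path: Path) -> Path:
    """Write <backup>.sha256 right after the export, in sha256sum's format."""
    sidecar = sidecar_for(path)
    sidecar.write_text(f"{sha256_of(path)}  {path.name}\n")
    return sidecar


def verify_backup(path: Path) -> List[str]:
    """Return the problems found; an empty list means the file is safe to import."""
    problems: List[str] = []
    sidecar = sidecar_for(path)
    if not sidecar.exists():
        problems.append("no .sha256 sidecar; integrity cannot be checked")
    elif sidecar.read_text().split()[0] != sha256_of(path):
        problems.append("sha256 mismatch: file changed since export")
    if not zipfile.is_zipfile(path):
        problems.append("not a zip archive")
        return problems
    with zipfile.ZipFile(path) as zf:
        if not zf.namelist():
            problems.append("archive is empty")
        bad = zf.testzip()  # first member whose CRC does not match, if any
        if bad is not None:
            problems.append(f"corrupt member: {bad}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run export -> record -> verify, then damage the file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "sslvpnSettings.zip"
        make_sample_export(backup)
        record_backup(backup)
        clean = verify_backup(backup)
        # Alter bytes inside the stored member to simulate corruption in transit.
        backup.write_bytes(backup.read_bytes().replace(b"example", b"EXAMPLE"))
        damaged = verify_backup(backup)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

The sidecar only detects change; it does not make the backup confidential. If the Encrypt settings file option is not used, the exported archive still carries the appliance configuration in readable form and should be stored with the same access controls as the appliance itself, and the sidecar should be kept where an attacker who can alter the backup cannot also rewrite the hash.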
