SonicWALL SSL-VPN 2000 Administrator's Manual


Select Create new address object to create a new address object. Note: To configure Tunnel All Mode, you must also configure an address object for 0. If you want to specify different policies for different user groups when using RADIUS or Active Directory, the administrator will need to create the user manually in the Local User database. Step 4 Enter in the Ending Port field. Copyright Notice: Specifications and descriptions subject to change without notice.

Administration Configure login security and GMS settings. This section contains the following subsections: Factors such as the complexity of applications in use and the sharing of large files can impact performance.

SonicWALL does not recommend this type of deployment, because it introduces a number of potential security issues and creates an additional breakpoint in the network, since the appliance is essentially a packet filter and is not stateful. This chapter contains the following sections: The following information is displayed in this section: The VPN appliance administrator can configure the IP address of the primary X0 interface, and can also optionally configure additional interfaces for operation.

Step 2 The display changes. Step 3 Under Product Survey, fill in the requested information and then click Submit. In this mode, the appliance will still honor the valid licenses; however, time-based licenses may not be valid. New License Key field(s), and then click Submit. Step 6 After completing the activation or upgrading process, click Synchronize to update the appliance license status from the SonicWALL licensing server.

Rebooting the appliance will also update the license status. It is imperative that the system time be set accurately for optimal performance and proper registration. There is also an option to be notified when new firmware becomes available. Make sure you are ready to reconfigure your system.

Note: Once you import the file, the system overwrites the existing settings immediately. Once the file has been imported, restart the appliance to make the changes permanent.

To be notified when new firmware is available, select the Notify me when new firmware is available checkbox. Downloading Firmware: To download firmware, click the download icon next to the Firmware Image version you want to download. The backup may take up to two minutes. See the following sections: The minimum for the Streaming Update Interval field is 1 second, the default is 10 seconds, and the maximum is 99, Complete the following steps to enable the auto lockout feature: The Server Certificates section allows the administrator to import and configure a server certificate, and to generate a CSR (certificate signing request).

To generate a certificate signing request, perform the following steps: To import a certificate, perform the following steps: Step 1 Click Import Certificate. The Import Certificate dialog box is displayed. Step 2 Click Browse. To run a diagnostic test, perform the following steps: Step 1 you want to configure.

To configure a hostname, perform the following steps: A default network route is required for Internet access. A remote network is any IP subnet different from its own. Step 4 In the Default Gateway field, type the IP address of the gateway device that connects the appliance to the network.

Step 5 In the Interface drop-down list, select the interface that connects the appliance to the desired destination network. Do not delete it. To resolve a host name to an IP address, perform the following steps: The Host Resolution page now displays the new host name. If this option is selected, you can edit or delete automatically added Host entries, such as those for IPv6. Step 6 If the object is not fully defined with at least one IP address or network range, the status Incomplete will display.

Policies cannot be created for incomplete network objects. Step 9 dialog box is displayed. The four object types are: Legacy portals are indicated in the Description column. The administrator may choose to keep a legacy portal rather than upgrade it if the portal has been customized or for other reasons. For administrators who want to display additional content on the user portal, review the following information.

On the General tab, enter a descriptive name for the portal in the Portal Name field. The Web cache cleaner will prompt the user to delete all session temporary Internet files, cookies, and browser history when the user logs out or closes the Web browser window. Windows Domain Root system. Because the Domain Root allows access only to Windows computers in the domain, doing so will disable access to the DFS file shares from other domains.

Add Portal or Edit Portal screen displays. Click the Home Page tab. Step 3 Select the Display File Shares checkbox. Step 4 Select the Use Applet as Default checkbox. Step 5 Click the OK button to save changes. The administrator can enable Virtual Assist on a per-portal basis. Creating a virtual host allows users to log in using a different hostname than your default URL. For example, sales members can access https: You must add the portal before you can upload a custom logo. Step 7 Click the OK button to save changes.

Reverse Proxy feature module, available at: Step 1 The Add Portal screen opens. Update your DNS server for this virtual host domain name and alias (if any). Enter a descriptive name for the authentication domain in the Domain Name field. Enter the name of the layout in the Portal Name field. It may be the same value as the NT Domain Name. It can be the same value as the Server Address field.

Users without a One Time Password email address configured will not be allowed to log in. It can be the same value as the Server Address field or the Active Directory Domain field, depending on your network configuration. To do so, perform the following steps: To import tokens and add users, perform the following steps: Navigate to the token XML file and click Open. The token file is imported. To do this, perform the following steps. Step 1 Click Import Digipass. Step 2 Click Browse, navigate to the location of the Digipass import file, and click Open.

Step 6 Assigning Digipass Tokens to Users: After you have imported the Digipass tokens and created the users, you need to assign the Digipass tokens to the users. To do so, perform the following steps. Enter the username in the User ID field and click the Find button. Step 3 When the username is displayed in the Search Results window, select the username and click OK to assign the Digipass token.

Custom logos are uploaded on a per-portal basis from the Logo tab in the Portal Logo Settings dialog. In the Cache Size field, define the size of the desired content cache. Select the Flush button to flush the content cache. In the Email Body field, type the desired text for the one-time password email message body.

Variables can be used in the subject or body of a one-time password email: Fill in the Bookmark Name field with a friendly name for the service bookmark. Name or IP Address field would be Use the Service drop-down menu to select the desired bookmark service. Step 4 Use the following information for the chosen service to complete the building of the bookmark.

Select the checkboxes for any of the following additional features for use in this bookmark session: Java is used with Citrix by default on other browsers and also works with IE. Enabling this checkbox leverages this portability. A dialog box will open and ask if you are sure you want to delete the specified bookmark. Click OK to delete the bookmark. The Add Policy dialog box changes depending on what type of object you select in the Apply Policy To drop-down list.

Select the service type in the Service drop-down list. Step 4 If you are applying a policy to a network object, the service type is defined in the network object.

A dialog box will open and ask if you are sure you want to delete the specified policy. Click OK to delete the policy. NetExtender allows remote clients to have seamless access to resources on your local network. Users can access NetExtender in two ways: Logout: Provides the administrator the ability to log out a NetExtender session.

To configure global NetExtender client settings, perform the following steps: DMZ with the network Step 2 To give this user the same IP address every time the user connects, enter the IP address in both fields. Edit User Settings window. Add Client Route button. Step 2 To add a NetExtender client route that will only be added to users in this group, click the Add Client Route button. For information about using Virtual Assist as a technician, see the following sections: Step 6 Enter a value in the Pending Request Expired field to have customers automatically removed from the queue if they are not assisted within the specified number of minutes.

The default 0 does not remove unassisted customers. To customize the appearance of the Virtual Assist customer portal, perform the following tasks: Step 6 Enter the information to define the address or network and click Add. Step 7 To delete a configured restriction setting, select the desired address in the Addresses field and click Delete.

The address will be removed from the field. Change the value in the Items per page field to display more or fewer log messages. Click the forward or backward arrows to scroll through the pages of the log messages.

Click any of the headings to sort the log messages alphabetically by heading. Step 5 Optionally, you can customize all of the Virtual Assist settings for this individual portal using the tabs on this window. Virtual Assist is now enabled and ready to use. Step 4 The Product Survey page is displayed. You can view details about the threats, or clear the threat list. The Severity column of the threat list is color coded for quick reference, as follows: High severity threats. The timestamp is updated.

You can individually specify detection or prevention for three attack classes: Select the Enable Web Application Firewall checkbox. If a path is configured, then the exclusion is recursively applied to all subfolders and files. For instance, if Host is set to webmail. You can also revert back to using the global settings for the signature group to which this signature belongs without losing the configuration details of existing exclusions.

Detect if the associated signature group is globally set to Prevent All. For a description of how to determine the correct host name, see the following sections: You can determine exactly what host name to enter in your exclusion by viewing the configuration details of the offloaded application. In an offloaded application, you will use the virtual host domain name.

To view the virtual host domain name in an offloaded application, perform the following steps: In the Edit Portal screen, click the Virtual Host tab. Step 3 Click Close. Controlling the Log Pagination: To adjust the number of entries on the log page and display a different range of entries, perform the following steps: To clear the Web Application Firewall log, perform the following: Step 1 The page and log are immediately cleared without asking for confirmation.

A rule is an internal property that SonicWALL uses to determine how many signatures were downloaded. Each entry displays the name of the user, the group to which the user belongs, the IP address of the user, and a time stamp indicating when the user logged in. An administrator may terminate a user session and log the user out by clicking the Logout icon at the right of the user row.

Certain policies take precedence. If you want to specify different policies for different user groups when using RADIUS or Active Directory, the administrator will need to create the user manually in the Local User database. Also, the user type External will be used to identify the local user instances that are auto-created to correspond to externally authenticating users. Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks.

Select this option to enable single sign-on for bookmarks. Select this option to disable single sign-on for bookmarks. Note: The Nx Settings tab provides configuration options for NetExtender client address ranges and other client settings.

Step 6 Select the Share radio button in the Resource field. Step 7 Type the server path in the Server Path field. Step 5 Define a name for the policy in the Policy Name field. Can be an alphanumeric character. Step 3 In the Service drop-down list, click on a service option. Step 5 Click Add. Type a descriptive name for the bookmark in the Bookmark Name field. Path or File www. Path or File Step 5 For the specific service you select from the Service drop-down list, additional fields may appear.

Fill in the information for the service you selected. Select one of the following service types from the Service drop-down list: When using the Java applet, the local printers are available in the Citrix client. Note: To configure a Citrix bookmark for a user, perform the following tasks: Either straight textual parameters or dynamic variables may be used for login credentials. To allow or deny specific users from logging into the appliance, perform the following steps: The browser name appears in the Defined Browsers list.

The browser definition for Internet Explorer, Firefox, and Chrome is: The new login policy is saved. Global Policies - Contains access policies for all nodes in the organization.

This is the default group to which local users will be added, unless otherwise specified. To modify the general user settings, perform the following tasks: User-controlled (enabled by default for new users): Select this option to allow users to enable or disable single sign-on (SSO) for bookmarks.

This setting enables SSO by default for new users. Enabled: Enable this portal feature for this user. Note: The Nx Routes tab allows the administrator to add and configure client routes. This feature is for external users, who will inherit the settings from their assigned group upon login. To enable tunnel all mode, perform the following tasks: Select the service type in the Service menu.

Step 4 If you are applying a policy to a network object, the service type is defined in the network object. Individual group members will not be able to delete or modify group bookmarks. Enter a string that will be the name of the bookmark in the Bookmark Name field. Enter MAC addresses separated by spaces to indicate the machines to wake, and the desired Wait time for boot up before cancelling the WoL operation. It can be the same value as the Server Address field.

The LDAP attributes feature therefore not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to permit only certain LDAP users to log into the portal. Then, when users log in to the portal, policies, bookmarks, and other user settings will apply to the users.

The external local user will remain until deleted by the administrator. Note: Before configuring an Active Directory group, ensure that you have already created an Active Directory domain. To add an AD group, perform the following steps: To view either, click the Users option in the left navigation menu, then click either the Local Users or Local Groups option.

This section contains the following configuration tasks: Step 9 field and an ending address in the Client Address Range End field. Step 35 Click OK to save the configuration changes. Step 7 If you are applying a policy to a network object, the service type is defined in the network object. Individual users will not be able to delete or modify global bookmarks. To edit a bookmark, enter a descriptive name in the Bookmark Name field. The event log can also be automatically sent to an email address for convenience and archiving.

User: The name of the user who was logged into the appliance when the message was generated. Message: The text of the log message.

This feature is useful for archiving email and for testing email configuration and email filters for multiple SSL-VPN units. To use the E-mail Log feature, perform the following tasks: The display will change to expose related fields. Enter the user name, password, and the SMTP port to use. The default port is Enter the Port through which your ViewPoint server communicates with managed devices.

Step 4 Click the OK button to add this server. Virtual Office Chapter: This chapter contains the following section: The Virtual Office is a portal that users can access in order to create and access bookmarks, file shares, NetExtender sessions, and Virtual Assist. The Logout button will not appear in the Virtual Office when you are logged on as an administrator. This appendix also contains information about context-sensitive help.

This appendix contains the following sections: Clicking the context-sensitive help button launches a separate browser window to the corresponding documentation. Click Remote Management from the left-hand index of your Netgear management interface.

Click Accept to save changes. When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the firewall server directly. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.

To do so, perform the following steps: Click on the configure icon for the user you want to edit, or click the Add User button to create a new user.

The Edit User window is launched. Click on the Groups tab. Click on the VPN Access tab. Click the Configure button for Authentication Method for login. The default is Select this checkbox to configure a preferred cipher method. The Virtual Office portal is the website that users log in to in order to launch NetExtender. It can be customized to match any existing company website or design style. SonicWALL recommends enabling this option.

The logo must be in GIF format of size x 36, and a transparent or light background is recommended. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support, plus one (for example, the range for 15 users requires 16 addresses, such as Note: The range must fall within the same subnet as the interface to which the SSL VPN appliance is connected, and in cases where there are other hosts on the same segment as the SSL VPN appliance, it must not overlap or collide with any assigned addresses.

In the User Domain field, enter the domain name for the users. The value of this field must match the domain field in the NetExtender client. The indicator should be green for the Zone you want to enable. Configuring NetExtender Client Settings: Use the following settings to customize the behavior of NetExtender when users connect and disconnect.

These options enable administrators to balance security needs against ease of use for users. Note: To configure Tunnel All Mode, you must also configure an address object for 0. Select Create new address object to create a new address object. Creating client routes causes access rules to be created automatically to allow this access.

IP Address: Subnet mask 0. Status Item Description: User Name. The IP address assigned to the user from the client IP address range.
