How to configure a VPN to securely access my remote intranet network

SSL VPN is one of the most widely used methods of allowing remote users to connect to the SonicWall (or other firewalls) and access internal network resources. Today I am going to show you how to set up and use an SSL VPN connection and how to connect using NetExtender, the SSL VPN client.

SonicWall VPN firewalls come licensed by default for a maximum of 2 users connecting remotely over an SSL VPN, and you can buy more licenses should you need more users connecting to your intranet resources.

First, log in to your SonicWall VPN firewall using your admin credentials.

Click on “Manage” at the top menu

 

You can check your existing licenses for SSL-VPN users by clicking on Licenses and scrolling down to SSL VPN. As you can see, I have 2 users available of the 102 maximum.

 

When an SSL VPN client connects, it is assigned an IP address on the network. Let’s define an address object to indicate which IP addresses will be available for this purpose.

 

Creating an Address Object for the SSLVPN IPv4 Address Range

Click Manage in the top navigation menu

Click on Objects on the left menu and then click on Address Objects

Now, click “+Add” at the top of the right pane

In the pop-up window, enter the information for your SSL VPN Range.

Name: SSL VPN Pool

Type a Friendly Name for the IP address pool.

For Zone Assignment, select SSLVPN

In the “Type” field you can choose whether to make available a single IP, a range of IP addresses or an entire subnet. I am going to use a range.

On the Range field

  • Starting IP Address for the range: 168.1.180
  • Ending IP Address: 168.1.190

Click the “Add” button to complete adding the SSL-VPN IP allocation address object

SSLVPN Configuration

Now, let’s configure the SSL VPN. To do so:

Navigate to the “SSL-VPN” option on the left menu

Click on “Server Settings”

Click on the Red Bubble for “WAN” to enable VPN connections from the internet, it should become Green. This indicates that SSL VPN Connections will be allowed on the WAN Zone.

Set the “SSL VPN Port”, and “Domain” as desired. I will leave the defaults

Now let’s configure the client settings.

Navigate to the “SSL VPN” option on the left, then click on “Client Settings”.

The SSL VPN | Client Settings page allows the administrator to configure the client address range information and NetExtender client settings, the most important being where the SSL-VPN will terminate.

 

 

Click on the “Configure” button for the Default Device Profile.


Set the “Zone IP V4” as SSLVPN. 

Set “Network Address IP V4” as the Address Object you created earlier (SSL-VPN-IP Range).


Click on the “Client Routes” tab. Here you can control what network access SSL VPN users are allowed.

In the left pane, click the object or objects for which you would like to create routes and grant access over the VPN connection

 

Click the Right pointing arrow to add the object to the allowed client routes

 

I am just going to add a single host named “192.168.1.16” since that’s all I need for my client’s

 

 

The “Client Settings” tab allows the Administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client.

 

Input the necessary DNS/WINS information and a DNS Suffix if SSL VPN Users need to find Domain resources by name.

 

I am just going to change the DNS server

 

Enable “Create Client Connection Profile” to allow the NetExtender client software to save the connection.

 

The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.

Adding Users to SSLVPN Services Group

NetExtender users may authenticate either as a Local User on the SonicWall or as a member of an appropriate Group through LDAP. I will use manually defined “Local Users”; however, you could use a domain

 

Navigate to “Users” on the left menu

Click on “Local Users & Groups”

 

Click the “Add” button on the “Local Users” tab

On the “Add User” dialog

 

Type the user name that will be used for login

Type the user password and confirm it

Type the user email should you want to allow users to reset their passwords

Optionally you could set an expiration time

 

Click on the “Groups” tab

 

Add SSLVPN Services to the Member Of: field by clicking on the right pointing arrow

Click on the “VPN Access” tab to add the relevant Subnets, Range, or IP Address Address Objects that match what the user needs access to via NetExtender.


In my case I am going to add a single host IP address object

 

Click “OK” to save these settings and close the dialog.

 

 

Checking Access Rule Information for SSLVPN Zone

 

Navigate to “Rules”  on the left menu

Click on “Access Rules”

 

You will need to create Access Rules allowing SSLVPN IPs to access your intended server or devices

 

Note: This does not grant access to all users; individual access is still granted to users based on their VPN access and SSLVPN routes. Access rules are needed for the firewall to allow this traffic through.

Click on the “Add” button at the top

On the field “From” select “SSLVPN”

On the field “To” select “LAN”

On the field “Source Port” select “any”

On the field “Service” select “any”

On the field “Source” select “Any”

On the field “Destination” select “X0 Subnet”

 

In my case I could have limited even further the Source to “SSL-VPN-IP-Range” and the destination to the single server address object “192.168.1.16”

 

Click “Ok” to save the new access rule.
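
The difference between the rule as configured above and the narrower alternatives can be measured. The following is an added example, not part of the original tutorial and not SonicWall code: a simplified model of an SSLVPN to LAN access rule, not SonicOS's own rule evaluation. The pool range 10.0.50.180-10.0.50.190, the X0 subnet 192.168.1.0/24 and the restriction of the service to RDP on TCP 3389 are assumptions made for illustration; the third rule goes one step beyond what the article suggests.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_PORTS = frozenset(range(1, 65536))  # models Service "any" (TCP only)


@dataclass(frozen=True)
class AccessRule:
    name: str
    source: Optional[tuple]  # inclusive (first, last) range, or None for "Any"
    destination: str         # CIDR network or single host
    ports: frozenset         # allowed TCP destination ports

    def allows(self, src, dst, port):
        """True if this rule lets src reach dst on the given TCP port."""
        if self.source is not None:
            lo, hi = (ipaddress.ip_address(a) for a in self.source)
            if not lo <= ipaddress.ip_address(src) <= hi:
                return False
        net = ipaddress.ip_network(self.destination)
        return ipaddress.ip_address(dst) in net and port in self.ports

    def exposure(self):
        """Count the (destination address, TCP port) pairs the rule opens."""
        return ipaddress.ip_network(self.destination).num_addresses * len(self.ports)


def audit(rule, required):
    """Return (blocked, excess) for a list of required (src, dst, port) flows."""
    blocked = [f for f in required if not rule.allows(*f)]
    needed = {(d, p) for s, d, p in required if rule.allows(s, d, p)}
    return blocked, rule.exposure() - len(needed)


# Constructed sample values: the pool range and the X0 subnet are assumptions.
POOL = ("10.0.50.180", "10.0.50.190")
REQUIRED = [("10.0.50.181", "192.168.1.16", 3389)]  # RDP to the one server
RULES = [
    AccessRule("as configured", None, "192.168.1.0/24", ALL_PORTS),
    AccessRule("source and destination limited", POOL, "192.168.1.16/32", ALL_PORTS),
    AccessRule("service also limited", POOL, "192.168.1.16/32", frozenset({3389})),
]


def report():
    """Map each rule name to its (blocked flows, excess pairs) audit result."""
    return {r.name: audit(r, REQUIRED) for r in RULES}


if __name__ == "__main__":
    for name, (blocked, excess) in report().items():
        print(f"{name}: blocked={blocked} excess pairs={excess}")
```

An empty "blocked" list means the required remote desktop flow still works; "excess" is how many address and port combinations the rule opens beyond that one flow.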

 

Testing the Connection

 

Download and install either SonicWall NetExtender

 

NetExtender is available via MySonicWall.com or the Virtual Office page on the SonicWall. SonicWall Mobile Connect is available via the App Store, Windows Store, or Apple Store depending on your operating system. I will leave a link in the video description below.

 

Download and install NetExtender

Once NetExtender is installed, you might need to reboot your computer

 

On the NetExtender window

 

input the following:

 

  • IP Address or URL of the SonicWall WAN Interface, followed by the Port Number
  • User Name
  • Password
  • Domain

 

You can choose to save the user name down below if allowed on the SonicWall device

 

Click “Connect”

 

On the Certificate notification click “Always Trust” to avoid receiving that message every time you connect

 

Now that we are connected, you can test pinging the destination server “192.168.1.16” that we wanted to access, and also test if the remote desktop connection works over the VPN