SonicWALL’s SSL VPN is a very useful tool for remotely connecting to your corporate network to access files and servers, or to allow users to work from home. The SSL VPN is not an included license with the purchase of the SonicWALL UTM Device, so you will need to purchase licenses in order for this to work. I find that this method of connecting remotely is much easier than the Global VPN Client. This article will step you through configuring the SSL VPN software and how to configure the SonicWALL to communicate with LDAP for access control.
SSL VPN Configuration:
1. Open a web browser (Google Chrome or Mozilla Firefox is recommended) and navigate to your SonicWALL UTM Device.
2. Log in using administrator credentials
3. On the Navigation menu, choose SSL VPN and Server Settings
4. Click WAN at the top to enable SSL VPN for that zone
5. Change the SSL VPN Port to 4433
Note: If you have no other services listening on the default HTTPS port, you may leave this option set at 443. However, I have noticed that most times either the SonicWALL management interface is listening on 443 or that there is another service behind the firewall already using that port. If you have multiple Static IP addresses, you may change your configuration to allow the SSL VPN to function on 443.
6. Click Accept to save the changes
7. On the Navigation menu, Choose SSL VPN and Portal Settings
8. Check the boxes for Launch NetExtender after login, Display Import Certificate Button and Enable HTTP meta tags for cache control.
9. Click Accept to save the changes
10. On the Navigation menu, Choose SSL VPN and Client Settings
11. Change Interface to X0
12. After verifying an open range of IP Addresses within your network, enter the range in the NetExtender Start IP and NetExtender End IP fields.
13. Change the DNS Server 1 to your domain controller’s IP address, or the address of a DNS Server within your network
14. Change the DNS Domain and User Domain to your local domain name (Example: YourITSource.local)
15. If WINS is in use, enter the IP address of the WINS Server in the WINS Server 1 field
16. Change Enable NetBIOS over SSL VPN to Enabled
17. Click Accept to save the changes
18. On the Navigation menu, Choose SSL VPN and Client Routes
19. In the Add Client Routes dropdown, Choose X0. You may also add any additional address objects you have here for other subnets within your organization
20. Click Accept to save the changes
At this point, the SSL VPN is configured. We now need to add the LDAP tie to allow LDAP Groups to access the VPN.
1. Log into an Active Directory Domain Controller using Administrative Credentials
2. Open Active Directory Users and Computers (DSA.msc)
3. Create a new administrative user with the first name and username of SonicWALL and assign a secure password.
4. Create a new Global Security Group called SSLVPN Users
5. Right Click on the SSL VPN Users group and choose Properties
6. Navigate to the Members tab and Add the users you wish to give access to the SSL VPN
7. Click OK and close the Active Directory Users and Computers management console
8. Open a web browser (Google Chrome or Mozilla Firefox is recommended) and navigate to your SonicWALL UTM Device.
9. Log in using administrator credentials
10. On the Navigation Menu, Choose Users and Settings
11. Change the Authentication method for login to LDAP + Local Users
12. Change the Single-sign-on method to Browser NTLM authentication only
13. Click Accept to save the changes
14. Choose Configure next to Authentication method for login
15. Navigate to the Settings tab
16. Enter the LDAP server address in Name or IP address
17. Change the Port Number to Default LDAP Port (Dropdown Menu)
18. Change the Login Method to Give bind distinguished name
19. In the Bind distinguished name field, type SonicWALL (or the name of the LDAP administrative user)
20. Enter the password for the user above
21. Set Protocol version to LDAP version 3
22. Uncheck the box for Use TLS (SSL)
23. Click Apply
24. Navigate to the Schema tab
25. For LDAP Schema, choose Microsoft Active Directory
26. Click Read from server at the bottom
27. Click Apply
28. Navigate to the Directory tab and enter the local domain name under Primary Domain
29. Click Auto-configure at the bottom
30. Click Apply
31. Navigate to the LDAP Users tab and choose Import user groups
32. Select the SSLVPN Users group you created in Active Directory and choose Save Selected
33. On the Navigation Menu, Choose Users and Local Groups
34. Click the Configure button next to SSLVPN Services
35. Choose the Members tab and add the SSLVPN Users group
36. Choose the VPN Access tab and add Firewalled Subnets to the Access List
37. Click OK
Now we have successfully configured the SonicWALL to communicate with LDAP.
Make sure that you add authorized users to the SSLVPN Users Group that you created within Active Directory. Only users belonging to this group will have access to the VPN.
Need a SonicWALL UTM Device?
Configuring SSL VPN Client and Connecting:
1. On the client computer, Open a web browser (Google Chrome or Mozilla Firefox is recommended)
2. Navigate to your outside web address on port 4433 (Example, https://remote.mycompany.com:4433)
3. Enter your domain username and password
4. Ensure that the domain is correct and click Login
5. Click the Here link under Windows Net Extended Client
6. Download and Install the NetExtender Client
7. Open the NetExtender Client
8. Enter your company’s NetExtender Address in the Server Field (Likely the same link as above, excluding the https://)
9. Enter your domain Username and Password
10. Enter your company’s local domain name in the Domain field
11. Click Connect
You are now connected to the SSL VPN and can work remotely.