How to configure SonicWall client SSL VPN

  • Published 18 Oct 2024
  • This video covers the configuration, download, installation and use of NetExtender to connect over SSLVPN to a SonicWall firewall.
    We use a local user as well as an Active Directory group.
    Then we look at a few personal tips to increase the security of your VPN.
    For a work-from-home setup, please consider the SonicWall SMA.
    • SonicWall SMA
    How to do Active Directory integration so you can use an AD user to connect: • How to configure Sonic...
    How to configure the different security services: www.sonicwall....

COMMENTS • 84

  • @MrRod2907 11 months ago +1

    Thank you so much for creating all these videos about Sonicwall! I work for an MSP, which usually sells them to all our clients, and watching your videos has helped tremendously in configuring and setting them up.

    • @JeanPierTalbot 11 months ago +1

      Awesome! Thanks for taking a minute to share your feedback!

  • @pauleaster5832 1 year ago +1

    Thanks. It has been on my list to convert from using my old PPTP to the SSL VPN on my SonicWall for years. First attempt failed but this walkthrough worked. Thanks.

  • @solubox 1 year ago

    Hi, JP. First of all, congrats on the content, it helps a lot. Don't stop sharing this valuable knowledge.
    A question: do you recommend enabling security services on the SSLVPN zone and VPN zones too, for those GVC users?
    Thanks.

    • @JeanPierTalbot 1 year ago +1

      I would. Simply because those laptops on the road are spending time on many non-corporate Wi-Fi networks, like home, hotel… so they may bring viruses in.
      The best I would advise is to look at SonicWall SMA with always-on VPN, so laptops are always virtually on your network.

  • @khadijabk242 24 days ago

    Thanks for all this video so i have a question when i can found the external ip ?????

  • @mikes3801 2 months ago +1

    Do you have a video tutorial on setting up 2FA? Additionally, could you recommend a program for macOS that supports 2FA?

  • @networkrealm15 9 months ago

    How to allow SSL VPN users to access the remote network across a site-to-site VPN between SonicWall and Azure? I have added an address group of the local subnet and SSL pool, and an allow policy as well. But still the home user machines are not able to be added to the Azure domain.

  • @varelarick 3 years ago

    Great video Jean-Pier and thanks for sharing. I’m testing this in the upcoming weeks. Quick question: is there any way to test SMA with just a TZ270 running the latest version of software, or do we need to have additional HW to make that work?

    • @JeanPierTalbot 3 years ago

      SMA is independent of the firewall. So you don’t need a SonicWall firewall. It can sit behind any firewall. But you know… a SonicWall firewall would be better :-)

  • @LeoMac-g2c 1 year ago

    Thank you for your videos they are a big help to us that are just starting... I need help, I followed the procedures in your video but I can't connect back to the firewall from outside. Is there any additional procedure if the firewall (TZ 270W) is connected to our ISP Router (ZTE F612) for internet? Thanks in advance for your help!

    • @JeanPierTalbot 1 year ago

      Hello md3me2ct2u :-)
      Thanks for your feedback on the videos. Glad they are helpful!
      If you followed what I did, I see 2 options:
      1: Check the firewall has a routable IP on its WAN. If you have a 192.168.x.x or a 10.x.x.x, it won’t work.
      2: I don’t know if I covered that in the video, but ensure you have firewall management OFF from the WAN. Or change the management port, as SSL VPN and firewall management are both on 443.
      Otherwise call support. They will be able to find what’s going on.
      Hope that helps!

  • @oscarcuevas3660 2 years ago

    Hi Jean-Pier, nice video, but I have a question about that: if I use port 443 to connect to SonicWall with NetExtender, would it be a security issue? I was searching for information about this in the official documentation, but it just has a note saying: If you would like to use 443, make sure that isn't the administration port. But what do you think about that? Regards.

    • @JeanPierTalbot 2 years ago +1

      Not a security issue. Just a small warning, as the firewall can be managed from the WAN (off by default) on port 443. If you try to enable SSLVPN on 443, it won’t work. Can’t have 2 services on 443 on the same IP.
      I would personally suggest disabling management of the firewall on the WAN. Then you can use SSLVPN on its default port.

  • @bobspiker3496 2 years ago

    These are great guides/tools. I am learning so much and I've used SonicWall since the SOHO and TZ100 days. In this video you select an IoT zone. I went back to "SonicWall basic configuration step by step (part 1)" and "Network Segregation" to see if you might have created it in another video. I might have missed it, but I didn't see it. Could you give guidance on how the IoT zone was set up and linked to the LAN zone?

    • @JeanPierTalbot 2 years ago

      IOT is a custom zone I created. And I created an interface and configured it to be in the IOT zone.
      I cover that in the setup step by step part 1 video.
      Hope that helps!

  • @danmartinsdj1448 2 years ago

    Hi Jean, this video was perfect for me, thanks a lot! But I have a problem resolving my internal hostnames on SSLVPN. Is there any other config that I have to do to resolve my internal hostnames? Thanks.

    • @JeanPierTalbot 2 years ago

      Ensure the firewall gives your internal DNS server to the VPN client.
      Then ensure the hostname exists in the DNS server.
      Other than that, I don’t see what could be the issue. (Assuming you have an access rule to allow DNS from SSLVPN to the DNS server.)

  • @DragonSilverSky 5 months ago

    Dude, thank you.

  • @bindupriya870 1 year ago

    Thank you 👍

  • @darshanarya2959 3 years ago

    Hey!
    Can you please do the videos on a Gen6 device?
    I have been following your videos; you're doing an amazing job, keep this work going.

  • @timfoster268 2 years ago

    I have clients using the NetExtender solution for their VPN connectivity. It has been reported to me that when users connect from home and then come back onsite, they find that the default printer has been changed to the Microsoft XPS printer. Do you know if there is a fix for this? Thanks for your very informative videos!

    • @JeanPierTalbot 2 years ago

      Might be a windows setting to change the default printer when it is no longer reachable. Definitely not a netextender setting :-)

  • @stefan6279 2 years ago

    Thank you for the amazing tutorials.
    Is there a possibility to use WOL via VPN? I am trying to boot a computer which is in the zone "LAN" via VPN with the SonicWall Global VPN Client. I activated IP helper, but it was not successful. If you would release a guide regarding that, it would be great. I would appreciate it a lot. Thank you.

    • @JeanPierTalbot 2 years ago

      I recall playing with WOL when I was a teenager. From what I recall, a WOL packet has a broadcast IP to a specific MAC and that was not working through VPN.
      So I took Visual Basic and coded a server WOL app that was local on the LAN and a client WOL app that I used remotely to tell the local server app to launch the WOL.
      That brings back memories!
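
The relay approach described in the reply above, sketched in Python as an added example (not the commenter's Visual Basic apps and not SonicWall code): a LAN-side helper builds the WOL magic packet and only broadcasts it for requests that carry a valid HMAC, a fresh timestamp and an allow-listed MAC. The shared key, the allow-list, the `mac|timestamp|tag` request format and UDP port 9 are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import socket
from typing import Optional

# Assumptions for this sketch (not from the video): key, allow-list, request format.
SHARED_KEY = b"constructed-demo-key-change-me"
ALLOWED_MACS = {"00:11:22:33:44:55"}  # constructed sample MAC
MAX_SKEW_SECONDS = 60                 # bounds how long a captured request stays valid
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def build_magic_packet(mac: str) -> bytes:
    """Magic packet: 6 bytes of 0xFF, then the target MAC repeated 16 times."""
    raw = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    return b"\xff" * 6 + raw * 16


def _tag(mac: str, timestamp: int, key: bytes) -> str:
    return hmac.new(key, f"{mac}|{timestamp}".encode(), hashlib.sha256).hexdigest()


def sign_request(mac: str, timestamp: int, key: bytes = SHARED_KEY) -> str:
    """Remote client: build the 'mac|timestamp|tag' request sent over the VPN."""
    mac = normalize_mac(mac)
    return f"{mac}|{timestamp}|{_tag(mac, timestamp, key)}"


def verify_request(request: str, now: int, key: bytes = SHARED_KEY) -> Optional[str]:
    """LAN relay: return the MAC to wake, or None if the request is rejected."""
    try:
        mac, ts_text, tag = request.split("|")
        mac, ts = normalize_mac(mac), int(ts_text)
    except ValueError:
        return None  # malformed request
    if not hmac.compare_digest(_tag(mac, ts, key).encode(), tag.encode()):
        return None  # wrong key or tampered fields
    if abs(now - ts) > MAX_SKEW_SECONDS or mac not in ALLOWED_MACS:
        return None  # stale request or host not approved for remote wake
    return mac


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> None:
    """LAN relay: broadcast locally, so nothing has to cross the VPN as a broadcast."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(build_magic_packet(mac), (broadcast, port))
```

The relay would call `verify_request()` on each message it receives over the tunnel and pass the returned MAC to `send_wol()`; an access rule limiting the relay's port to the VPN client pool keeps it from becoming an open wake service.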

  • @afishyfella 2 months ago

    Would this configuration be considered "split tunnel?"

  • @SuperAnxion 2 years ago

    Hi, great video. Question: do you have to open port 443?

    • @JeanPierTalbot 2 years ago

      I don’t recall opening it. Assuming it opens the port automatically when you enable ssl VPN on your WAN

  • @swaminathansubramanian5851 3 months ago

    We are using an NSA 3600 model. Recently we enabled SSL VPN with MFA and disabled IPSec. After enabling SSL VPN, the firewall HA is flipping. Is there any issue with SSL VPN and the firewall?

  • @kimatsushi 3 months ago

    Why don't we use IPSec to access the remote maintenance?
    What are the differences between the two?

  • @manuel.capellari 2 years ago

    Awesome, Jean-Pier, thank you for this great video, but I have a question for which I could not find an answer.
    Is it possible to have certificate-based authentication for the SSL-VPN site, so that the site can only be accessed if the connecting client has a valid certificate installed?
    If yes: could you provide me some information on how to do it or where I can find a manual for it?
    Regards
    Manuel

    • @JeanPierTalbot 2 years ago +1

      Good one. I did a quick search and didn’t find it.
      I would advise reaching out to support and asking for their guidance on how to do this.

    • @manuel.capellari 2 years ago

      @JeanPierTalbot - got an answer from the tech support. They told me that it doesn't work, which I can hardly imagine, but I'm not sure whether the engineer really understood what I wanted, since with certificate checks, it appears to me that it is already possible to use cert-based auth for HTTPS management.

  • @randymercado8466 11 months ago

    I'm new to SonicWall. Is it possible to set up SSL VPN when our firewall is actually having a non-public IP? We are getting our internet connection from business housing compound where they are providing us raw internet access. However, we are getting a non-public IP address from our WAN facing interface.

    • @JeanPierTalbot 11 months ago

      Hi,
      Unfortunately you cannot do client vpn with any firewall brand if you do not have a public IP.

    • @randymercado8466 11 months ago

      @JeanPierTalbot Thank you for your confirmation. Is there any workaround?

    • @JeanPierTalbot 11 months ago

      @randymercado8466 Nothing really simple and cost effective.

  • @rajappu4678 7 months ago

    I tried this on a 3700 model but there is no IOT option, and also the office connection is on PPPoE. Is there any other configuration for the said model?

  • @chrisnino5442 1 year ago

    I did exactly as you show here, but I cannot get my client settings to stick. After creating the IP range, VPN access and DNS server, clicking OK, and clicking OK to dismiss the warning banner, the client settings still show the defaults and not the changes I made as per your video. What am I missing?

    • @JeanPierTalbot 1 year ago

      Very hard for me to find what it can be without seeing it. Best is to give a call to SonicWall tech support. They are great. If they don’t pick up live, they pretty much always pick up after less than 5 minutes wait time.

    • @chrisnino5442 1 year ago

      @JeanPierTalbot It was the browser. I used Firefox instead of Chrome and my settings populated fine. I guess it depends on the version of the firewall's OS that determines what browser it will work best with, but going forward, I think I'll use Firefox for SonicWall firewalls.

  • @vram1974 2 years ago +1

    Can you do a video on enabling MFA for Local users with SSLVPN?

    • @JeanPierTalbot 2 years ago

      Good one. Yeah. I’ll add it to the list

    • @vram1974 2 years ago +1

      @JeanPierTalbot Please cover both OTP by email and TOTP using an authenticator. Thank you for these videos!

  • @RodNizer 1 year ago

    Following the steps, I did not see IOT-Zone-subnets in the client route options. Did it change in newer firmware?

    • @JeanPierTalbot 1 year ago

      IOT- zone is a user specific zone I created in my config. You will need to use the zone for your specific needs.
      Go in your interfaces, you will see in what zone are your different interfaces.

  • @ongtra9941 1 year ago

    Please make a video on how to configure Global VPN on OS7. Thanks

  • @enricocayetano6099 1 year ago

    What if my firewall is behind NAT? I have an ISP router/modem connected to the WAN interface of my firewall, with a dynamic private IP from the ISP router. Is there an additional configuration?

    • @JeanPierTalbot 1 year ago

      I would call your ISP and ask for a fixed IP available for your SonicWall (not their router).

    • @enricocayetano6099 1 year ago

      @JeanPierTalbot Thanks. Do you think a DNAT from their router to the private IP on the SonicWall WAN interface will work?

  • @KemTech1 8 months ago

    Hi, I notice that you use the same user that you created locally on the firewall to try the domain login. Do I still need to create the local user after I have linked Active Directory to the firewall for it to work? Because I am getting an error that the username or password is incorrect when I attempt to log in. The only thing I did not do is create the user locally on the firewall as you did.

    • @JeanPierTalbot 8 months ago

      Hi, you do not need to create a local user if using AD.
      From what I recall, you will need to hit « mirror account » somewhere in AD settings to kind of import all AD users local (obviously hit the refresh every 5 minutes so that mirrored users are up to date)

    • @KemTech1 8 months ago

      @JeanPierTalbot OK thanks, that’s one thing out of the way. I followed along with your video on linking Active Directory to the firewall. I see that it was already done by the previous network admin, but it looks like they only implemented lldp, not lldps. I tried to do the lldps implementation but I am not seeing the certificate option when I went on the domain controller. If lldps is not implemented, would it still work? Because when I tried to log in I am getting invalid username or password.

  • @krisjhonpapasin4078 10 months ago

    I have an issue accessing the subnet for my servers (DCs and NAS) though I already added the subnet where the servers are included. Can you help me on this please?

    • @JeanPierTalbot 10 months ago

      Hi,
      You can call SonicWall tech support. It’s free and they answer very quickly, if not live.
      Otherwise send me an email, I can put you in touch with your local SonicWall team (if you don’t already know them) and they can put you in touch with a good SonicWall partner for professional services (not free).
      Hope that helps!

  • @pipi_delina 1 year ago

    Hello @jean, do I need to create a specific access rule for the site-to-site VPN to allow traffic? I have implemented one. The client on the other side is running a service which is confirmed listening, but over the VPN it can't be reached on that port, although I can ping each host.

    • @JeanPierTalbot 1 year ago

      So you are trying to have your SSLVPN users reach resources through a site-to-site tunnel?
      I have done exactly that same in the last video I posted 3 days ago.
      ua-cam.com/video/2YB5WXKQaUI/v-deo.html

  • @jorgitogaitan 1 year ago

    Jean, is it possible to allow SSLVPN users to have access to a segment that is VPN to the firewall?

    • @JeanPierTalbot 1 year ago +1

      Yes.
      In short you need to add the subnet of the remote site as a subnet accessible to SSL-VPN users
      Then, in your site to site vpn, you need to add the SSLVPN subnet to the subnets part of your vpn.
      Excellent question BTW. Today I recorded a video on site to site. I’ll add that use case of ssl vpn.
      Thanks

  • @pawelkaa334 1 year ago

    JP, please help me find info on how to assign computers to users in SonicWall Virtual Office.

    • @JeanPierTalbot 1 year ago +1

      Can’t be done with the firewall. I believe you can use AD attributes to aim people to their machines with the SMA product line

    • @pawelkaa334 1 year ago

      @JeanPierTalbot Thank you :)

  • @danielmahoney8817 2 years ago

    I configured a Virtual Office RDP bookmark on my TZ-270 for a Windows 10 machine. But when I launch it, it just shows a black screen with Sonicwall All rights reserved. The VNC bookmark works fine. Sonicwall support once showed me a workaround that involved accessing the RDP bookmark using a legacy URL. Does anyone know what that legacy url might be? Or how to correct this issue? Thank you

    • @JeanPierTalbot 2 years ago +1

      I’m not aware of that. I would suggest contacting support again or look through your old cases in your mysonicwall.com account

    • @danielmahoney8817 2 years ago

      @JeanPierTalbot Thank you

  • @anirudhthakare2512 2 years ago

    Hi, I need help. I have a client's SonicWall firewall and I need to configure IPsec VPN on Ubuntu OS with the pre-shared key. Kindly help, please.

    • @JeanPierTalbot 2 years ago

      Hi,
      If you set it up and it does not work, please call support, they are there to help and find what you did wrong.
      If you are looking for someone to do it for you (professional services) please reach out to me. I’ll put you in touch with people that can aim you in the right direction to get professional services.
      Thanks

  • @overlord4509 2 years ago

    Hi.
    Is the IP in the notepad your public IP address?

    • @JeanPierTalbot 2 years ago

      Maybe, probably changed 20 times since I recorded that video… :-)

    • @overlord4509 2 years ago

      @JeanPierTalbot I got the SSL VPN to work thanks to you, but sadly it's so damn slow that it's of no use. Can't believe such expensive licences and I can't use an Excel file on the VPN.

    • @JeanPierTalbot 2 years ago +1

      @overlord4509 That's not supposed to be like that. Give a call to support, they should be able to find out why and help you fix it.

  • @alexisfeliciano2772 11 months ago

    Vpn in bridge mode possible?

  • @braxtonsebayrepairandproje133 4 years ago

    Hey, I need help on something I'm about to purchase.

    • @JeanPierTalbot 4 years ago

      Sure! Send me an email and I'll put you in touch with local SonicWall people. jptalbot at sonic.... com

  • @javierpalestinahernandez4884

    Hi Jean, thanks. A question: with L2TP VPN, can you manage the traffic so that it does not consume all the bandwidth?

    • @JeanPierTalbot 1 year ago

      Hello, I don't speak Spanish :-)
      But it’s close enough to French. You are asking how to limit bandwidth for client VPN?
      I don’t have a video on bandwidth management (BWM). But you can create a BWM that limits bandwidth to like 100mb and apply that BWM action to the access rule(s) for client VPN.

  • @samu_el_pack 2 months ago

    knife

  • @opyright2687 4 years ago

    Hi, I'm trying to connect to the office LAN using NetExtender. I managed to get into the VPN but couldn't access the LAN. Tried ping but all lost. What causes the issue?

    • @JeanPierTalbot 4 years ago

      Hi Muhd, it can be many things. if the steps in the video don't work, I would suggest giving a call to SonicWall tech support 1.888.793.2830. You should be able to speak to someone within a few minutes.