Detailed instructions for use are in the User's Guide.
[. . . ] COMPREHENSIVE INTERNET SECURITY
SonicWALL Secure Remote Access Appliances
SonicWALL SSL VPN 4.0 Administrator's Guide
SonicWALL, Inc.
2001 Logic Drive, San Jose, CA 95124-3452 Phone: +1.408.745.9600 Fax: +1.408.745.9300 E-mail: info@sonicwall.com
Copyright Notice
© 2010 SonicWALL, Inc. Under the copyright laws, this manual or the software described within, cannot be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person.
[. . . ]
An IPv6 address pool for NetExtender is optional, while an IPv4 address pool is required. The global NetExtender IP range defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support plus one (for example, the range for 15 users requires 16 addresses, such as 192.168.200.100 to 192.168.200.115). The range should fall within the same subnet as the interface to which the SSL-VPN appliance is connected, and in cases where there are other hosts on the same segment as the SSL-VPN appliance, it must not overlap or collide with any assigned addresses. You can determine the correct subnet in one of the following ways:
· You may leave the NetExtender range at the default (192.168.200.100 to 192.168.200.200).
· Select a range that falls within your existing DMZ subnet. For example, if your DMZ uses the 192.168.50.0/24 subnet, and you want to support up to 30 concurrent NetExtender sessions, you could use 192.168.50.220 to 192.168.50.250, providing they are not already in use.
· For example, if your LAN uses the 192.168.168.0/24 subnet, and you want to support up to 10 concurrent NetExtender sessions, you could use 192.168.168.240 to 192.168.168.250, providing they are not already in use.
To specify your global NetExtender address range, perform the following steps:
Step 1 Navigate to the NetExtender > Client Settings page.
Step 2 Under NetExtender Client Address Range, supply a beginning client IPv4 address in the Client Address Range Begin field.
Step 3 Supply an ending client IPv4 address in the Client Address Range End field.
Step 4 On SonicWALL SSL-VPN models 2000 and higher, under NetExtender Client IPv6 Address Range, optionally supply a beginning client IPv6 address in the Client Address Range Begin field.
Step 5 If using IPv6, supply an ending client IPv6 address in the Client Address Range End field.
Restart for current clients to obtain new addresses.
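The sizing and overlap rules for the global NetExtender range, as an added example (not from the SonicWALL guide): a Python check to run on a candidate IPv4 range before entering it on the Client Settings page. The function name, the interface address argument and the list of in-use addresses are assumptions supplied by the administrator.

```python
import ipaddress


def check_pool(begin, end, interface_cidr, max_users, assigned=()):
    """Return a list of problems with a NetExtender IPv4 client address range.

    interface_cidr: address/prefix of the interface the appliance is connected
    to (assumed input, e.g. "192.168.50.1/24"). assigned: addresses already in
    use on that segment (static hosts, DHCP leases, gateways).
    """
    first = ipaddress.IPv4Address(begin)
    last = ipaddress.IPv4Address(end)
    iface = ipaddress.IPv4Interface(interface_cidr)
    net = iface.network
    if last < first:
        return ["range end precedes range begin"]
    problems = []

    # Sizing rule from the guide: maximum concurrent users plus one.
    size = int(last) - int(first) + 1
    if size < max_users + 1:
        problems.append(f"range holds {size} addresses, need {max_users + 1}")

    # The range should fall within the subnet of the connected interface.
    if first not in net or last not in net:
        problems.append(f"range is not fully inside {net}")

    # Added check, not stated in the guide: on an ordinary subnet the network
    # and broadcast addresses cannot be handed to clients.
    for special in (net.network_address, net.broadcast_address):
        if first <= special <= last:
            problems.append(f"range includes reserved address {special}")

    # The range must not collide with addresses already assigned on the segment.
    in_use = {ipaddress.IPv4Address(a) for a in assigned} | {iface.ip}
    for addr in sorted(a for a in in_use if first <= a <= last):
        problems.append(f"range collides with assigned address {addr}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's DMZ range with one host already at .225.
    for line in check_pool("192.168.50.220", "192.168.50.250",
                           "192.168.50.1/24", 30, assigned=["192.168.50.225"]):
        print(line)
```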
Configuring Global NetExtender Settings
SonicWALL SSL VPN provides several settings to customize the behavior of NetExtender when users connect and disconnect. To configure global NetExtender client settings, perform the following steps:
Step 1 Navigate to the NetExtender > Client Settings page.
Step 2 The following options can be enabled or disabled for all users:
· Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN portal or launch NetExtender from their Programs menu.
· Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server.
· Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.
Step 3 The User Name & Password Caching options provide flexibility in allowing users to cache their usernames and passwords in the NetExtender client. The three options are Allow saving of user name only, Allow saving of user name & password, and Prohibit saving of user name & password. These options enable administrators to balance security needs against ease of use for users.
Step 4 Click Accept.
NetExtender > Client Routes
This section provides an overview of the NetExtender > Client Routes page and a description of the configuration tasks available on this page.
· "NetExtender > Client Routes Overview" section
· "Adding NetExtender Client Routes" section
NetExtender > Client Routes Overview
The NetExtender > Client Routes page allows the administrator to add and configure client routes.
Note
IPv6 client routes are supported only on SonicWALL SSL-VPN models 2000 and higher.
Figure 26 NetExtender > Client Routes
Adding NetExtender Client Routes
The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access via the SSL VPN connection.
Note
With group access policies, all traffic is allowed by default. This is the opposite of the default behavior of SonicWALL Unified Threat Management (UTM) appliances, where all inbound traffic is denied by default. If you do not create policies for your SSL-VPN appliance, then all NetExtender users may be able to access all resources on your internal network(s).
[. . . ]
Answer: Proxying of Java applets through the reverse proxy is not supported on the SSL-VPN 200 platform.
58. There is no port option for the service bookmarks. What if these are on a different port than the default?
Answer: You can specify in the IP address box an 'IPaddress:portid' pair for HTTP, HTTPS, Telnet, Java, and VNC.
59. What if I want a bookmark to point to a directory on a Web server?
Answer: Add the path in the IP address box: IP/mydirectory/. [. . . ]