- NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on your company’s network. Using Point-to-Point Protocol (PPP), NetExtender allows remote clients seamless, secure access to resources on your local network.
- Enable Client Autoupdate - The NetExtender client checks for updates every time it is launched.
- Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN portal or launch NetExtender.
- SonicWALL’s SSL VPN NetExtender feature is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network.
In my case, the version of NetExtender for Mac, 6.0.719, on my company SonicWall works on 10.8 Mountain Lion, but fails on OS X 10.9 Mavericks. One solution is to upgrade all the company SonicWalls. I may as well pack my snowboard for a lovely eternity riding the frozen volcanoes in hell.
SSL VPN > Virtual Office
The SSL VPN > Virtual Office page displays the Virtual Office web portal inside of the SonicOS UI.
Topics:
• Accessing the SonicWALL SSL VPN Portal
• Using NetExtender
• Managing SSL VPN Bookmarks
Accessing the SonicWALL SSL VPN Portal
To view the SonicWALL SSL VPN Virtual Office web portal, navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
Using NetExtender
Topics:
• User Prerequisites
• User Configuration Tasks
User Prerequisites
NetExtender is compatible with Dell SonicWALL SRA and SSL-VPN Series products as well as Windows, Mac OS, and Linux platforms. To use NetExtender, clients must meet the prerequisites described in the most recent version of the Dell SonicWALL SRA User Guide, available on http://www.sonicwall.com/us/en/support/3893.html
User Configuration Tasks
SonicWALL NetExtender is a software application that enables remote users to securely connect to the remote network. With NetExtender, remote users can virtually join the remote network. Users can mount network drives, upload and download files, and access resources in the same way as if they were on the local network. Both GUI and CLI interfaces are supported; for CLI commands, see Appendix A: CLI Guide.
How to install NetExtender on a Windows platform topics:
• Installing NetExtender Using the Mozilla Firefox Browser
• Installing NetExtender Using the Internet Explorer Browser
• Installing NetExtender Using the Chrome Browser
How to use NetExtender on a Windows platform topics:
• Launching NetExtender Directly from Your Computer
• Configuring NetExtender Properties
• Configuring NetExtender Connection Scripts
• Configuring Batch File Commands
• Configuring Proxy Settings
• Configuring NetExtender Advanced Properties
• Configuring NetExtender Packet Capture Properties
• Viewing the NetExtender Log
• Disconnecting NetExtender
• Upgrading NetExtender
• Changing Passwords
• Authentication Methods
• Uninstalling NetExtender
• Verifying NetExtender Operation from the System Tray
• Using the NetExtender Command Line Interface
How to install and use NetExtender on a MacOS platform topics:
• Installing NetExtender on MacOS
• Using NetExtender on MacOS
How to install and use NetExtender on a Linux platform topic:
• Installing NetExtender on Linux
• Using NetExtender on Linux
Installing NetExtender Using the Mozilla Firefox Browser
To use NetExtender for the first time using the Mozilla Firefox browser, perform the following:
1. Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.” The Welcome to the SonicWALL Virtual Office login page displays.
2. Click the NetExtender button.
3. The first time you launch NetExtender, it will automatically install the NetExtender stand-alone application on your computer.
• If the Software Installation window is displayed, go to Step 5.
• If a warning message is displayed in a yellow banner at the top of your Firefox window, click the Edit Options... button.
4. The Allowed Sites - Software Installation window is displayed, with the address of the Virtual Office server in the address window. Click Allow to allow Virtual Office to install NetExtender, and click Close.
5. Return to the Virtual Office window and click NetExtender again. The Software Installation window is displayed.
After a five second countdown, the Install button will become active.
6. Click the Install button.
The portal will automatically install the NetExtender stand-alone application on your computer. If an older version of NetExtender is installed on the computer, the NetExtender launcher removes the old version and installs the new version.
7. Once the NetExtender application is installed, a message appears instructing you to restart Firefox. Click the Restart Now button.
8. When Firefox restarts, the NetExtender Status window displays, indicating that NetExtender successfully connected.
The Status tab indicates what operating state the NetExtender client is in:
The NetExtender icon is displayed in the task bar. A balloon icon in the system tray appears, indicating NetExtender has successfully installed.
Note Closing the windows (clicking on the x icon in the upper right corner of the window) will not close the NetExtender session, but will minimize it to the system tray for continued operation.
Installing NetExtender Using the Internet Explorer Browser
SonicWALL SSL VPN NetExtender is fully compatible with Microsoft Windows operating systems and supports the same functionality as with other Windows operating systems. NetExtender is also compatible with the Mac OS X Lion 10.7.
Note It may be necessary to restart your computer when installing NetExtender on Windows Vista and Windows 7.
Internet Explorer Prerequisites
It is recommended that you add the URL or domain name of your SonicWALL security appliance to Internet Explorer’s trusted sites list. This will simplify the process of installing NetExtender and logging in, by reducing the number of security warnings you will receive.
To add a site to Internet Explorer’s trusted sites list, complete the following procedure:
1. In Internet Explorer, go to Tools > Internet Options.
2. Click on the Security tab.
3. Click on the Trusted Sites icon and click on the Sites button to open the Trusted sites window.
4. Enter the URL or domain name of your SonicWALL security appliance in the Add this Web site to the zone field and click Add.
5. Click Close in the Trusted Sites window.
6. Click OK in the Internet Options window.
Installing NetExtender from Internet Explorer
To install and launch NetExtender for the first time using the Internet Explorer browser, perform the following:
1. Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
2. Click the NetExtender button.
3. A User Account Control window may appear asking “Do you want to allow this program to make changes to this computer?” Click Yes.
4. The first time you launch NetExtender, you must first add the SSL VPN portal to your list of trusted sites as described in Internet Explorer Prerequisites. If you have not done so, the following message will display.
Note Click Instructions to add SSL VPN server address into trusted sites for help.
5. Add the SSL VPN portal to your list of trusted sites as described in Internet Explorer Prerequisites.
6. Return to the SSL VPN portal and click on the NetExtender button. The portal will automatically install the NetExtender stand-alone application on your computer. The NetExtender installer window opens.
If an older version of NetExtender is installed on the computer, the NetExtender launcher will remove the old version and then install the new version.
7. If a warning message that NetExtender has not passed Windows Logo testing is displayed, click Continue Anyway. SonicWALL testing has verified that NetExtender is fully compatible with Windows Vista, XP, and above.
8. When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected.
Note The information provided in the NetExtender Status window is described in the table on Installing NetExtender Using the Mozilla Firefox Browser.
Installing NetExtender Using the Chrome Browser
To install and launch NetExtender for the first time using the Chrome browser, perform the following:
1. Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
2. Click the NetExtender button.
3. Pull the NetExtender plug-in to Chrome Extensions.
4. Return to the SRA portal and click the NetExtender button. The portal will automatically install the NetExtender stand-alone application on your computer. The NetExtender installer window opens.
If an older version of NetExtender is installed on the computer, the NetExtender launcher will remove the old version and then install the new version.
5. When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected.
Note The information provided in the NetExtender Status window is described in the table on Installing NetExtender Using the Mozilla Firefox Browser.
Launching NetExtender Directly from Your Computer
After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the SSL VPN portal.
To launch NetExtender, complete the following procedure:
1. Navigate to Start > All Programs.
2. Select the SonicWALL SSL VPN NetExtender folder, and then click on SonicWALL SSL VPN NetExtender. The NetExtender login window is displayed.
3. The IP address of the last server you connected to is displayed in the Server field. To display a list of recent servers you have connected to, click on the arrow next to the field.
4. Enter your username and password.
5. The last domain you connected to is displayed in the Domain field. To connect to a different domain, enter it in the Domain field.
Note The NetExtender client will report an error message if the provided domain is invalid when you attempt to connect. Please keep in mind that domain names are case-sensitive.
6. The pull-down menu at the bottom of the window provides three options for remembering your username and password:
– Save user name & password if server allows
– Save user name only if server allows
– Always ask for user name & password
Tip Having NetExtender save your user name and password can be a security risk and should not be enabled if there is a chance that other people could use your computer to access sensitive information on the network.
Select one of the options.
7. Click Connect to launch NetExtender.
Configuring NetExtender Properties
Complete the following procedure to configure NetExtender properties:
1. Right click on the NetExtender icon in the system tray and click on Properties... The NetExtender Properties window is displayed.
Connection Profiles in the left menu pane displays the SSL VPN connection profiles you have used, including the IP address of the server, the domain, and the username.
2. To create a shortcut on your desktop that will launch NetExtender with the specified profile, highlight the profile and click Create Shortcut.
3. To delete a profile, highlight it by clicking on it and then click the Remove button. Click the Remove All button to delete all connection profiles.
4. Clicking Settings in the left menu pane allows you to customize the behavior of NetExtender.
5. To have NetExtender automatically connect when you start your computer, check the Automatically connect with Connection Profile checkbox and select the appropriate connection profile from the pull-down menu.
Note Only connection profiles that allow you to save your username and password can be set to automatically connect.
6. To have NetExtender launch when you log in to your computer, check the Automatically start NetExtender UI. NetExtender will start, but will only be displayed in the system tray.
To have the NetExtender also display the log-in window, also check the Display NetExtender UI checkbox.
7. Select Minimize to the tray icon when NetExtender window is closed to have the NetExtender icon display in the system tray. If this option is not checked, you will only be able to access the NetExtender UI through the Windows program menu.
8. Select Display Connect/Disconnect Tips from the System Tray to have NetExtender display tips when you mouse over the NetExtender icon.
9. Select Automatically reconnect when the connection is terminated to have NetExtender attempt to reconnect when it loses connection.
10. Select Display precise number in connection status to display precise byte value information in the connection status.
11. Select the Enable UI animations check box to enable the sliding animation effects in the UI.
12. Select Uninstall NetExtender automatically to have NetExtender uninstall every time you end a session.
13. Select Disconnect an active connection to have NetExtender log out of all of your SSL VPN sessions when you exit a NetExtender session.
14. Click OK to save your changes.
Configuring NetExtender Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or websites.
To configure NetExtender Connection Scripts, perform the following tasks.
1. Right click on the NetExtender icon in the system tray and click on Properties... The NetExtender Properties window is displayed.
2. Click Connection Scripts.
3. To enable the domain login script, select the Attempt to execute domain login script checkbox. When enabled, NetExtender will attempt to contact the domain controller and execute the login script.
Optionally, you may now also select to Hide the console window. If this check box is not selected, the DOS console window will remain open while the script runs.
Note Enabling this feature may cause connection delays while remote client’s printers and drives are mapped. Make sure the domain controller and any machines in the logon script are accessible via NetExtender routes.
4. To enable the script that runs when NetExtender connects, select the Automatically execute the batch file “NxConnect.bat” checkbox.
Optionally, you may now also select to Hide the console window. If this check box is not selected, the DOS console window will remain open while the script runs.
5. To enable the script that runs when NetExtender disconnects, select the Automatically execute the batch file “NxDisconnect.bat” checkbox.
6. Click OK to save your changes.
Configuring Batch File Commands
NetExtender Connection Scripts can support any valid batch file commands. For more information on batch files, see the following Wikipedia entry: http://en.wikipedia.org/wiki/.bat. The following tasks provide an introduction to some commonly used batch file commands.
To configure the script that runs when NetExtender connects, follow these steps:
1. Right click on the NetExtender icon in the system tray and click on Properties... The NetExtender Properties window is displayed.
2. Click Connection Scripts.
3. To configure the script that runs when NetExtender disconnects, click the Edit “NxDisconnect.bat” button. The NxConnect.bat file is displayed.
By default, the NxConnect.bat file contains examples of commands that can be configured, but no actual commands.
4. To add commands, scroll to the bottom of the file.
5. To map a network drive, enter a command in the following format:
net use drive-letter: \\server\share password /user:Domain\name
For example, if the drive letter is z, the server name is engineering, the share is docs, the password is 1234, the user’s domain is eng and the username is admin, the command would be the following:
net use z: \\engineering\docs 1234 /user:eng\admin
6. To disconnect a network drive, enter a command in the following format:
net use drive-letter: /delete
For example, to disconnect network drive z, enter the following command:
net use z: /delete
7. To map a network printer, enter a command in the following format:
net use LPT1 \\ServerName\PrinterName /user:Domain\name
For example, if the server name is engineering, the printer name is color-print1, the domain name is eng, and the username is admin, the command would be the following:
net use LPT1 \\engineering\color-print1 /user:eng\admin
8. To disconnect a network printer, enter a command in the following format:
net use LPT1 /delete
9. To launch an application enter a command in the following format:
C:\Path-to-Application\Application.exe
For example, to launch Microsoft Outlook, enter the following command (the quotation marks are required because the path contains spaces):
"C:\Program Files\Microsoft Office\OFFICE11\outlook.exe"
10. To open a website in your default browser, enter a command in the following format:
start http://www.website.com
11. To open a file on your computer, enter a command in the following format:
C:\Path-to-file\myFile.doc
12. When you have finished editing the scripts, save the file and close it.
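A connect script built from the steps above, as an added example rather than the NxConnect.bat that SonicWALL ships: it waits until the file server is reachable over the NetExtender routes, then maps the drive with `*` in the password position so that net use prompts for the password instead of reading it from the batch file. The server, share and account names are the sample values from the steps; the log path, the retry count and the expectation that the server answers ping are assumptions.

```batch
@echo off
rem NxConnect.bat: added example, not the file SonicWALL ships.
rem Server, share and account are the sample values from the steps above;
rem the log location and retry count are assumptions.
setlocal

set "SERVER=engineering"
set "DRIVE=Z:"
set "SHARE=\\%SERVER%\docs"
set "ACCOUNT=eng\admin"
set "LOG=%TEMP%\NxConnect.log"
set /a TRIES=0

echo [%DATE% %TIME%] NxConnect started >> "%LOG%"

rem Record who may modify this script. It runs on every connect, so it
rem should be writable only by its owner and administrators.
icacls "%~f0" >> "%LOG%" 2>&1

rem Wait until the server answers over the NetExtender routes (10 tries).
rem Assumes the server replies to ICMP echo requests.
:wait_for_server
ping -n 1 -w 1000 %SERVER% >nul 2>&1
if not errorlevel 1 goto :map_drive
set /a TRIES+=1
if %TRIES% geq 10 goto :unreachable
rem Pause about two seconds before the next attempt.
ping -n 3 127.0.0.1 >nul 2>&1
goto :wait_for_server

:map_drive
rem Remove a stale mapping left by a session that ended uncleanly.
net use %DRIVE% >nul 2>&1 && net use %DRIVE% /delete /y >nul 2>&1

rem "*" in the password position makes net use prompt for the password
rem instead of reading it from this file. /persistent:no stops Windows
rem from restoring the mapping at the next logon.
net use %DRIVE% %SHARE% * /user:%ACCOUNT% /persistent:no
if errorlevel 1 goto :map_failed
echo [%DATE% %TIME%] mapped %DRIVE% to %SHARE% >> "%LOG%"
exit /b 0

:unreachable
echo [%DATE% %TIME%] %SERVER% not reachable, drive not mapped >> "%LOG%"
exit /b 1

:map_failed
echo [%DATE% %TIME%] net use failed for %SHARE% >> "%LOG%"
exit /b 2
```

Because net use prompts on the console, leave Hide the console window unchecked for this script.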
Configuring Proxy Settings
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings.
To manually configure NetExtender proxy settings, perform the following tasks.
1. Right click on the NetExtender icon in the system tray and click on Properties... The NetExtender Properties window is displayed.
2. Click on Proxy.
3. Select the Enable proxy settings checkbox.
4. NetExtender provides three options for configuring proxy settings:
• Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
• Use automatic configuration script - If you know the location of the proxy settings script, select this option and enter the URL of the script in the Address field.
• Use proxy server - Select this option to enter the Address and Port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses that bypass the proxy server. If required, enter a User name and Password for the proxy server. If the proxy server requires a username and password, but you do not specify them in the Properties window, a NetExtender pop-up window will prompt you to enter them when you first connect.
5. Click the Internet Explorer proxy settings button to open Internet Explorer’s proxy settings.
6. Make changes as appropriate.
7. Click OK to save your changes.
Configuring NetExtender Log Properties
1. Within the NetExtender Properties dialog box, click Log. The available options provide basic control over the NetExtender Log and Debug Log.
2. To establish the size of the NetExtender Log, select either the Unlimited log file size radio button or the Set maximum log file size to radio button. If you choose to set a maximum size in MB, use the adjoining up and down arrows. The current size of the log file is displayed.
3. To clear the NetExtender Log, select the Clear NetExtender Log button.
4. To Enable the NetExtender Debug Log, select the corresponding check box. The current size of the log file is displayed.
To clear the debug log, select the Clear Debug Log button.
5. Click the Log Viewer... button to view the current NetExtender log.
Note An example of the NetExtender log is detailed in Viewing the NetExtender Log.
6. Click OK to save your changes.
Configuring NetExtender Advanced Properties
NetExtender allows you to customize the link speed that the NetExtender adapter reports to the operating system.
1. Within the NetExtender Properties dialog box, click Advanced. The available options allow you to adjust advanced settings on NetExtender network properties and protocols.
2. To select a virtual link speed to report, select either the Report the underlying network speed to OS radio button, or select the Report a fixed speed at bps to OS radio button and designate a speed.
Note You can click the Advanced Network Properties button to make adjustments. However, modifying these settings may impact NetExtender performance and/or functionality. It is recommended to only make changes here if advised to do so by Dell SonicWALL support.
3. Click OK to save your changes.
Configuring NetExtender Packet Capture Properties
Note You must have Administrator privileges to change packet capture settings.
1. Within the NetExtender Properties dialog box, click Packet Capture. The available options allow you to enable and disable packet capture and data compression on NetExtender.
2. To enable packet capture, check the Enable NetExtender packet capture check box. To disable packet capture, uncheck this check box.
3. If packet capture is enabled, clear all captured packet data when NetExtender exits by checking the Clear the capture when NetExtender exits check box. To retain packet data, uncheck this check box.
4. If you need to troubleshoot the SSL-encrypted traffic between NetExtender and the UTM box, select the Enable capture cache checkbox. When this option is enabled, NetExtender will write down all traffic over SSL into a pcap file, under the NetExtender installation directory. The packet captured will be removed automatically if you enable Clear the capture when NetExtender exits; otherwise, the file remains on the hard drive.
5. To enable data compression of captured packets, check the Enable data compression check box. To disable data compression the next time NetExtender is connected, uncheck this box.
6. If packet capture is enabled when NetExtender connects and you want to disable data compression immediately (instead of waiting until the next time NetExtender is connected), check the Attempt to disable data compression during packet capture check box.
7. Click OK to save your changes.
Viewing the NetExtender Log
The NetExtender log displays information on NetExtender session events. The log is a file named NetExtender.dbg. It is stored in the directory: C:\Program Files\SonicWALL\SSL VPN\NetExtender. To view the NetExtender log, right click on the NetExtender icon in the system tray, and then click View Log.
To view details of a log message, double-click on a log entry, or go to View > Log Detail to open the Log Detail pane.
To save the log, either click the Export icon or go to Log > Export.
To filter the log to display entries from a specific duration of time, go to the Filter menu and select the cutoff threshold.
To filter the log by type of entry, go to Filter > Level and select one of the level categories. The available options are Fatal, Error, Warning, and Info, in descending order of severity. The log displays all entries that match or exceed the severity level. For example, when selecting the Error level, the log displays all Error and Fatal entries, but not Warning or Info entries.
To view the Debug Log, either click the Debug Log icon or go to Log > Debug Log.
Note It may take several minutes for the Debug Log to load. During this time, the Log window will not be accessible, although you can open a new Log window while the Debug Log is loading.
To clear the log, click on Log > Clear Log.
Disconnecting NetExtender
To disconnect NetExtender, perform the following steps:
1. Right click on the NetExtender icon in the system tray to display the NetExtender icon menu and click Disconnect.
2. Wait several seconds. The NetExtender session disconnects.
You can also disconnect by double clicking on the NetExtender icon to open the NetExtender window and then clicking the Disconnect button.
When NetExtender becomes disconnected, the NetExtender window displays and gives you the option to either Reconnect or Close NetExtender.
Upgrading NetExtender
You can configure NetExtender to automatically notify users when an updated version of NetExtender is available. Users are prompted to click OK, and NetExtender downloads and installs the update from the SonicWALL security appliance.
If auto-update notification is not configured, users should periodically launch NetExtender from the Virtual Office to ensure they have the latest version.
Changing Passwords
Before connecting to the new version of NetExtender, you may be required to reset your password by supplying your old password, along with providing and re-verifying a new one.
Authentication Methods
NetExtender supports various two-factor authentication methods, including one-time password and those that combine the pin/password and passcode/tokencode, such as RSA’s pin-mode authentication.
Topics:
• One-Time Password
• Combined Password/Passcode Authentication
One-Time Password
If you have configured one-time passwords to be required to connect through NetExtender, users will be asked to provide this information before connecting.
For more information about one-time passwords, see One-Time Password.
Combined Password/Passcode Authentication
If you have configured a combined pin/password and passcode/tokencode authentication mode, such as RSA pin-mode authentication, to be required to connect through NetExtender, users will be asked whether they want to create their own pin, or receive one that is system-generated.
Once the pin has been accepted, you must wait for the token to change before logging in to NetExtender with the new passcode.
Uninstalling NetExtender
The NetExtender utility is automatically installed on your computer. To remove NetExtender, click on Start > All Programs, click on SonicWALL SSL VPN NetExtender, and then click on Uninstall.
You can also configure NetExtender to automatically uninstall when your session is disconnected. To do so, perform the following steps:
1. Right click on the NetExtender icon in the system tray and click on Preferences... The NetExtender Preferences window is displayed.
2. Click on the Settings tab.
3. Select Uninstall NetExtender automatically to have NetExtender uninstall every time you end a session.
Verifying NetExtender Operation from the System Tray
To view options in the NetExtender system tray, right click on the NetExtender icon in the system tray. The following are some tasks you can perform with the system tray.
Displaying Route Information
To display the routes that NetExtender has installed on your system, click the Route Information option in the system tray menu. The system tray menu displays the default route and the associated subnet mask.
Displaying Connection Information
You can display connection information by mousing over the NetExtender icon in the system tray.
Using the NetExtender Command Line Interface
To launch the NetExtender CLI, perform the following tasks:
1. Launch the Windows Command Prompt by going to the Start menu, select Run, enter cmd, and click OK.
2. Change directory to where NetExtender is installed. To do this, you first must move up to the root drive by entering the cd .. command. Repeat this command until you are at the root drive. Then enter cd Program Files\SonicWALL\SSL-VPN\NetExtender.
Note The specific command directory may be different on your computer. Use Windows Explorer to find the directory path where NetExtender is located.
The commands available in the NetExtender CLI and their options can be found in Appendix A: CLI Guide.
Installing NetExtender on MacOS
SonicWALL SSL VPN supports NetExtender on MacOS. To use NetExtender, clients must meet the prerequisites described in the most recent version of the Dell SonicWALL SRA User Guide, available on
http://www.sonicwall.com/us/en/support/3893.html
To install NetExtender on your MacOS system, perform the following tasks:
1. Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
2. Click the NetExtender button.
3. The Virtual Office displays the status of NetExtender installation. A pop-up window may appear, prompting you to accept a certificate. Click Trust.
4. A second pop-up window may appear, prompting you to accept a certificate. Click Allow.
5. When NetExtender is successfully installed and connected, the NetExtender status window displays.
Using NetExtender on MacOS
1. To launch NetExtender, go to the Applications folder in the Finder and double click on NetExtender.app.
2. The first time you connect, you must enter the server name or IP address in the SSL VPN Server field.
3. Enter your username and password.
4. The first time you connect, you must enter the domain name. The domain name is case-sensitive.
5. Click Connect.
6. You can instruct NetExtender to remember your profile server name in the future. In the Save profile pull-down menu, you can select the following:
• Save name and password (if allowed)
• Save username only (if allowed)
• Do not save profile.
Tip Having NetExtender save your user name and password can be a security risk and should not be enabled if there is a chance that other people could use your computer to access sensitive information on the network.
7. When NetExtender is connected, the NetExtender icon is displayed in the status bar at the top right of your display. Click on the icon to display NetExtender options.
8. To display a summary of your NetExtender session, click Connection Status.
9. To view the routes that NetExtender has installed, select the Routes tab in the main NetExtender window.
10. To view the NetExtender Log, go to Window > Log.
11. To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
12. Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.
Installing NetExtender on Linux
SonicWALL SSL VPN supports NetExtender on Linux. To use NetExtender, clients must meet the prerequisites described in the most recent version of the Dell SonicWALL SRA User Guide, available on
http://www.sonicwall.com/us/en/support/3893.html
Note Open source Java Virtual Machines (VMs) are not currently supported. If you do not have the recommended Java release, you can use the command-line interface version of NetExtender.
Note You must be logged in as root to install NetExtender, although many Linux systems will allow the sudo ./install command to be used if you are not logged in as root.
To install NetExtender on your Linux system, perform the following tasks:
1. Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
2. Click the NetExtender button. A pop-up window indicates that you have chosen to open a .tgz file. Click OK to save it to your default download directory.
3. To install NetExtender from the CLI, navigate to the directory where you saved the .tgz and enter the tar -zxf NetExtender.tgz command.
4. Enter the cd netExtenderClient command.
5. Enter su -c "./install" to install NetExtender.
6. Enter your username and password.
7. The installer will ask if you want non-root users to be able to run NetExtender. Enter either y for yes or n for no.
Note To allow non-root users to run NetExtender, the installer will set PPPD to run as root. This may be considered a security risk.
Using NetExtender on Linux
To use NetExtender on a Linux computer, perform the following tasks:
1. After NetExtender is installed, there are two methods to launch it:
– Click the NetExtender icon in the Applications menu, under either the Internet or Network category.
– Enter the netExtenderGui command.
2. The first time you connect, you must enter the Dell SonicWALL SRA server name in the Server field. NetExtender will remember the server name in the future.
3. Enter your username and password.
4. The first time you connect, you must enter the domain name. The domain name is case-sensitive. NetExtender will remember the domain name in the future.
5. To view the NetExtender routes, select the Routes tab in the main NetExtender window.
6. To view the NetExtender DNS server information, select the DNS tab in the main NetExtender window.
7. To configure NetExtender Preferences, select NetExtender > Preferences.
8. The following NetExtender settings can be configured:
• Automatically reconnect when the connection is terminated
• Uninstall NetExtender automatically when exiting the application
• DNS server options:
– Try remote DNS servers first, then try local DNS servers
– Only use remote DNS servers
– Only use local DNS servers
9. Clicking Advanced in the NetExtender Preferences window provides two additional options:
• MTU - Sets the Maximum Transmission Unit (MTU) size, which is the largest packet size that a router can forward without needing to fragment the packet.
• PPP Sync Mode - Specifies synchronous PPP. By default, this option is disabled and asynchronous PPP is used.
10. To view the NetExtender Log, go to NetExtender > Log.
11. To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
12. Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.
SSL VPN > Remote Access EPC
The following sections describe the Remote Access End Point Control (EPC) feature:
Remote Access EPC Overview
This section provides an introduction to the Remote Access EPC feature. This section contains the following subsections:
What is Remote Access EPC?
Traditional VPN solutions typically provide access only from the relative safety of a corporate laptop. These VPNs are primarily designed to prevent unauthorized network access, and they typically are not designed to verify that the user’s computer is secure. Corporate IT departments configure computers under their control with antivirus software, firewalls, and other safeguards designed to protect them from malicious software.
Because SSL VPN solutions can provide network access from any web-enabled device—such as public computers at cafes, airports, or hotels—extra care must be taken to verify that the user’s environment is secure. These unmanaged computers can easily be infected by keystroke recorders, viruses, Trojan horses, and other hazards that can compromise your network.
Remote Access End Point Control (EPC) verifies that remote users’ computers are secure before allowing network access.
How Does Remote Access EPC Work?
Remote Access EPC guards against threats when your network is accessed from remote, insecure environments. Remote Access EPC is a two-part process:
1. Evaluates the Security Attributes of a user’s computer.
2. Assigns the user session to a Device Profile that grants an appropriate level of network access over SSL VPN, depending on the security of the user’s computer.
The user’s computer is checked against a number of configurable Security Attributes, such as antivirus, anti-spyware, or personal firewall programs, client certificates, registry entry, or Windows version.
The user session is assigned to a Device Profile that will either allow or block network access. If the computer does not meet the security requirements, a message can be displayed to instruct the user on how to secure the computer. Multiple Device Profiles can be configured to provide different levels of network access.
Device Profiles
There are three categories of Device Profiles that you can customize, plus a built-in default Device Profile.
Deny – Deny Device Profiles are evaluated first. The appliance tries to find a match in the list of Deny Device Profiles, starting with the one at the top. If the device matches a Deny Device Profile (for example, when a specified file is found on the device), the user is denied access to the network. A message is displayed informing the user and optionally providing direction on how to secure their device.
Allow – If the device does not match the criteria for a Deny Device Profile, the appliance tries to find a match in the list of Allow Device Profiles, starting with the one at the top. If no match is found, the device is placed in the Default Device Profile, or in a Quarantine zone (if one is defined).
Quarantine – If the device does not match any of the configured Deny or Allow profiles, it is placed in either the Quarantine Device Profile or Default Device Profile. The Quarantine profile does not allow the user access to the network. A customizable message is displayed. The message can be used to explain what is required to bring the user’s system into compliance with your security policies and to provide links to download security components. There can be only one Quarantine Device Profile.
Default – The Default Device Profile is global and implicitly present in every OS type configured in UTM. When a device does not match any other profile, the device can either be assigned to the Quarantine profile or to the Default Profile. There are three separate Default Device Profiles for Windows, Linux, and MacOS platform devices.
Note When Remote Access EPC is disabled, the Default Device Profile is used to configure SSL VPN access. With Remote Access EPC disabled, only the Settings, Client Routes, and Client Settings options can be configured. The Security Attributes settings are not available when EPC is disabled.
Figure 71:26 illustrates the order in which the device profiles are evaluated when a user initiates an SSL VPN session.
Figure 71:26 Remote Access End Point Control Process
Security Attributes
Security Attributes are the critical component of Remote Access EPC. Each Device Profile can contain multiple Security Attributes. In order for the client to match the Device Profile, it must satisfy all of the configured Security Attributes.
SonicWALL Remote Access EPC currently supports the following eleven types of Security Attributes:
Antivirus program
Antispyware program
Application
Client certificate
Directory name
Equipment ID
File name
Personal firewall program
Windows domain
Windows registry entry
Windows version
Supported Platforms
SonicWALL platform support:
Remote Access EPC is available on all SonicWALL security appliances running SonicOS release 5.9 and above that are licensed for the SSL VPN feature.
NetExtender client support:
Windows NetExtender client: Remote Access EPC is fully supported.
Linux and MacOS NetExtender clients: Remote Access EPC supports a configurable default Device Profile. Currently, custom profiles cannot be created for Linux and MacOS.
Configuring Remote Access EPC
To configure Remote Access EPC, perform the following steps:
Navigate to the SSL VPN > Remote Access EPC page of the SonicWALL GUI.
Select the Enable Remote Access EPC checkbox. When EPC is disabled, only the Default Device Profile can be configured, but without the Security Attribute settings. The Remote Access EPC page is divided into the following sections:
Device Profiles OS Type
Deny Device Profiles
Allow Device Profiles
Device Profile fallback options
Quarantine Device Profile
Default Device Profile
SonicWALL recommends beginning by configuring the Default Device Profile. Scroll to the bottom of the Remote Access EPC page and click the Configure icon. See Configuring Remote Access EPC Device Profiles for full instructions on configuring the Device Profile.
Click the Add button to configure additional Device Profiles. See Configuring Remote Access EPC Device Profiles for full instructions.
If you will support SSL VPN sessions from Linux or MacOS devices, click the appropriate button in the OS Type menu.
Click the Configure icon to configure the Default Device Profile for Linux and/or MacOS.
In the Device Profile Fallback options section, select how you want to treat users who do not match any of the Deny or Allow Device profiles:
Place into default device profile – Users are granted network access as defined in the Default Device Profile.
Place into quarantine device profile – Users are not granted network access. A pop-up window displays an administrator-configurable message that
To configure the message that is displayed to quarantined users, click the configure icon for the Quarantine Device Profile.
Click the Example Template to auto-populate the Quarantine Message with formatted HTML text. The quarantine pop-up message is displayed in a window that is 500 pixels wide. Edit the text of the message and click Preview to view how it will be displayed to quarantined users.
Note SonicOS currently does not support Remote Access EPC Security Attributes for Linux or MacOS; but in order to support Linux and MacOS users, you must configure the network address and client routes for the Linux and MacOS Default Device Profile.
Configuring Remote Access EPC Device Profiles
Configuring a Remote Access EPC Device Profile is a four-part process:
Configuring Device Profile Settings (for all Device Profiles)
Configuring Security Attributes (for all Device Profiles)
Configuring Client Routes (only for Allow Device Profiles)
Configuring Client Settings (only for Allow Device Profiles)
Configuring Device Profile Settings
On the SSL VPN > Remote Access EPC page, click the Add button. The Edit Device Profile window displays.
Enter the following information on the Settings tab:
Name – A brief name for the Device Profile.
Description – (Optional) A description of the Device Profile.
Action – Select whether it is an Allow Device Profile or Deny Device Profile.
Zone – (Only for Allow Device Profiles) Select the zone that clients will be assigned to when matching this Device Profile. Only zones with type “SSL VPN” can be selected.
Network Address – (Only for Allow Device Profiles) Select the Address Object for the IP address pool for this device profile. Clients that match this profile will be assigned an IP address from the pool. Only Address Objects for the zone selected above can be used for the Device Profile. Each Device Profile must use a unique Address Object.
Select Create new network to create a new Address Object. For the Zone Assignment, select the same zone you selected above. For Type, select Range.
Deny Message – (Only for Deny Device Profiles) Enter the HTML text for the message that is displayed to users who are denied access. Click the Example Template to auto-populate the Quarantine Message with formatted HTML text. The pop-up message is displayed in a window that is 500 pixels wide. Edit the text of the message and click Preview to view how it will be displayed to users.
Configuring Security Attributes
Click on the Security Attributes tab.
In the Select Attribute(s) pulldown menu, select the appropriate type of attribute. The following sections describe how to configure the Security Attributes:
Windows version
Complete the attribute-specific configuration (described below) and click Add to current attributes.
Repeat as needed to configure multiple attributes. When more than one Security Attribute is configured, the device must match all of them in order for it to match the Device Profile.
When finished, click the Client Routes tab and continue to Configuring Client Routes.
Antivirus Program
The Device Profile checks that the specified Antivirus program is installed.
The following information is used to define the Antivirus program attribute:
Vendor – Select the vendor for the Antivirus program.
Product name – Select the supported Antivirus programs.
Product version – After you select an Antivirus program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.
Tip For all of these numeric searches in Security Attributes, you can specify one of five types of comparison operators in the pulldown menu: greater than (>), greater than or equal to (>=), equal to (=), less than (<), or less than or equal to (<=).
Signature updated – Enter a value in days for how recently the client device has updated its Antivirus signature and select a comparison operator type.
File system scanned – Enter a value in days for how recently the client device has been scanned by the Antivirus program and select a comparison operator type.
Realtime protection required – Select this checkbox to require that realtime protection be enabled on the Antivirus program.
Antispyware program
The Device Profile checks that the specified Antispyware program is installed.
The following information is used to define the Antispyware program attribute:
Vendor – Select the vendor for the Antispyware program.
Product name – Select the supported Antispyware programs.
Product version – After you select an Antispyware program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.
Signature updated – Enter a value in days for how recently the client device has updated its Antispyware signature and select a comparison operator.
File system scanned – Enter a value in days for how recently the client device has been scanned by the Antispyware program and select a comparison operator.
Realtime protection required – Select this checkbox to require that realtime protection be enabled on the Antispyware program.
Application
The Device Profile checks that the specified application is installed.
Enter the file name of the application. Wildcard characters (* and ?) can be used, and the entry is not case sensitive.
Client certificate
The Device Profile checks that a Certificate Authority (CA) certificate is installed.
Select the certificate from the CA certificate pulldown menu. All of the certificates installed on the SonicWALL security appliance are displayed in the pulldown menu. In order for a client device to match this profile, the appliance must be configured with the root certificate for the CA that issued the client certificate to your users (intermediate certificates do not work).
Select the certificate store(s) you want searched:
System store only – Searches HKLM\SOFTWARE\Microsoft\SystemCertificates.
System store and user store – The system store directory is searched first, followed by the user store: HKCU\Software\Microsoft\SystemCertificates.
Directory name
The Device Profile checks that a specific directory is present on the device’s file system.
Enter the Directory name that must be present on the hard disk of the device. Directory names are not case-sensitive.
Equipment ID
The Device Profile verifies the Equipment ID, a unique hardware identifier, of the device.
Enter the Device identifier for the user’s device. Only one device will be able to match this Device Profile. The device identifier is usually an attribute in the authentication directory represented by a variable; for example, {unique_id}.
A hard disk utility program such as HD Tune can be used to determine the Device Identifier. In the following screenshot of HD Tune, the Device Identifier is listed as “Serial number.”
File name
The Device Profile checks that a specific file is installed.
The following information is used to define the file name attribute:
File name – Enter the name of the file, including its extension and full path. File names are not case-sensitive. You can use wildcard characters (* and ?) or environment variables (such as %windir% or %userprofile%).
File size – Enter the file size in bytes and select a comparison operator.
Last modified – You can either select an absolute time by entering a date (in mm/dd/yyyy) format, or a relative time by entering the number of days (and optionally hours, minutes and seconds), since the file was modified.
Validate file integrity – Select this checkbox to validate the file using either an MD5 or SHA-1 hash, or a Windows catalog file.
Personal firewall program
The Device Profile checks that a personal firewall program is installed.
The following information is used to define the Personal firewall program attribute:
Vendor – Select the vendor for the Personal firewall program.
Product name – Select the supported Personal firewall programs.
Product version – After you select a Personal firewall program, the supported product version numbers are displayed. Select the appropriate version number and a comparison operator.
Windows domain
The Device Profile checks that the specified Windows domain is present.
In the Computer is a member of domain field, enter one or more domain names, without a DNS suffix. Multiple entries can be separated with semicolons. The domain can contain wildcard characters (* and ?).
Windows registry entry
The Device Profile checks that the specified Windows registry entry is present.
The following information is used to define the Windows registry entry attribute:
Key name – Enter the Windows registry entry.
Value name – (Optional) Enter a specific value for registry entry.
Registry entry – (Optional) Enter a numeric value for the registry entry and select a comparison operator.
Wildcards can be used for the Value name and Registry entry fields, but not for the key. To enter a special character (such as a wildcard or backslash), you must precede it with a backslash.
Windows version
The Device Profile checks the version of Windows that the device is running.
The following information is used to define the Windows version search:
Operator – Select greater than (>), greater than or equal to (>=), equal to (=), less than (<), or less than or equal to (<=).
Major – Enter the Windows major version number.
Minor – Enter the Windows minor version number.
Build – (Optional) Enter the Windows build version number.
The recent Windows versions are defined with the following Major and Minor release numbers:
Windows 2000 – Major: 5, Minor: 0
Windows XP – Major: 5, Minor: 1
Windows Vista – Major: 6, Minor: 0
Windows 7 – Major: 6, Minor: 1
The comparison Operator applies to all three values.
When you have completed the Security Attributes configuration, click on the Client Routes tab.
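The evaluation order described under Device Profiles, combined with the rule that a device must satisfy every Security Attribute in a profile, can be modeled as follows. This is an added example, not SonicOS code: the device report fields, profile names and sample values are constructed, and comparing Major, Minor and Build as one ordered tuple is an assumption about how the single operator is applied.

```python
import fnmatch
import operator
from dataclasses import dataclass

# The five comparison operators the page lists for numeric attributes.
OPS = {">": operator.gt, ">=": operator.ge, "=": operator.eq,
       "<": operator.lt, "<=": operator.le}


def windows_version(op, major, minor, build=None):
    """Windows version attribute. Assumption: Major, Minor and the optional
    Build are compared as one ordered tuple under a single operator."""
    want = (major, minor) if build is None else (major, minor, build)
    return lambda dev: OPS[op](tuple(dev["win_version"][:len(want)]), want)


def antivirus(sig_op, sig_days, realtime_required=True):
    """Antivirus attribute: signature age in days plus realtime protection."""
    def check(dev):
        av = dev.get("antivirus")
        if av is None:
            return False
        if realtime_required and not av["realtime"]:
            return False
        return OPS[sig_op](av["sig_age_days"], sig_days)
    return check


def file_name(pattern):
    """File name attribute: * and ? wildcards, not case-sensitive."""
    return lambda dev: any(
        fnmatch.fnmatchcase(path.lower(), pattern.lower())
        for path in dev["files"])


@dataclass
class DeviceProfile:
    name: str
    attributes: list  # a device must satisfy ALL of them to match

    def matches(self, dev):
        return all(attr(dev) for attr in self.attributes)


def assign_profile(dev, deny, allow, fallback):
    """Deny list first, then Allow list, each top to bottom; unmatched
    devices go to the configured fallback ('quarantine' or 'default')."""
    for profile in deny:
        if profile.matches(dev):
            return ("deny", profile.name)
    for profile in allow:
        if profile.matches(dev):
            return ("allow", profile.name)
    return (fallback, None)


# Constructed policy and device reports (all names and values are made up).
DENY = [DeviceProfile("banned-tool", [file_name(r"c:\tools\remote*.exe")])]
ALLOW = [DeviceProfile("managed-win7", [windows_version(">=", 6, 1),
                                         antivirus("<=", 7)])]

MANAGED = {"win_version": (6, 1, 7601), "files": [r"C:\Windows\notepad.exe"],
           "antivirus": {"sig_age_days": 1, "realtime": True}}
BANNED = dict(MANAGED, files=[r"C:\Tools\RemoteCtl.exe"])
STALE_XP = {"win_version": (5, 1, 2600), "files": [],
            "antivirus": {"sig_age_days": 90, "realtime": True}}

if __name__ == "__main__":
    for label, dev in [("managed", MANAGED), ("banned", BANNED),
                       ("stale-xp", STALE_XP)]:
        for fallback in ("quarantine", "default"):
            print(label, fallback, assign_profile(dev, DENY, ALLOW, fallback))
```

The BANNED device satisfies the Allow profile but is still denied because Deny profiles are evaluated first. The STALE_XP device matches nothing, so the fallback option alone decides whether it is quarantined or receives the access defined in the Default Device Profile.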
Configuring Client Routes
The Client Routes tab is used to govern the network access that is granted to SSL VPN users.
Select Enabled from the Tunnel All Mode drop-down list to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
Note In addition to configuring Tunnel All Mode, you must also configure the individual SSL VPN user accounts. See Configuring Users and Groups for Client Routes and Tunnel All Mode.
To configure client routes to grant SSL VPN users network access, perform the following steps:
Select the appropriate Address Object in the Networks list.
Click the -> button to add it to the Client Routes list.
Repeat for any additional Address Objects.
When finished, click on the Client Settings tab. When you are finished with configuring the Device Profile, see the following section on how to configure SSL VPN users and groups for SSL VPN access.
Configuring Users and Groups for Client Routes and Tunnel All Mode
Note After completing the Client Routes configuration in the Device Profile, you must also assign all SSL VPN users and groups access to these routes on the Users > Local Users or Users > Local Groups pages.
To configure SSL VPN NetExtender users and groups to access Client Routes, perform the following steps.
1. Navigate to the Users > Local Users or Users > Local Groups page.
2. Click on the Configure button for the SSL VPN NetExtender user or group.
3. Click on the VPN Access tab.
4. Select the address object for the Client Route, and click the right arrow (->) button.
5. Click OK.
6. Repeat steps 1 through 5 for all local users and groups that use SSL VPN NetExtender.
To configure SSL VPN users and groups for Tunnel All Mode, perform the following steps.
1. Navigate to the Users > Local Users or Users > Local Groups page.
2. Click on the Configure button for an SSL VPN NetExtender user or group.
3. Click on the VPN Access tab.
4. Select the WAN RemoteAccess Networks address object and click the right arrow (->) button.
5. Click OK.
6. Repeat steps 1 through 5 for all local users and groups that use SSL VPN NetExtender.
Configuring Client Settings
The Client Settings tab is used to configure the DNS settings for SSL VPN clients as well as several options for the NetExtender client.
To configure Client Settings, perform the following tasks:
Click the Default DNS Settings to use the default DNS settings of the SonicWALL security appliance. The DNS and WINS configuration is auto-propagated.
Or you can manually configure the DNS information. In the DNS Server 1 field, enter the IP address of the primary DNS server, or click the Default DNS Settings to use the default settings.
(Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.
DNS Search List
(Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.
(Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.
Configure the following NetExtender client settings to customize the behavior of NetExtender when users connect and disconnect:
Enable Client Autoupdate - The NetExtender client checks for updates every time it is launched.
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN portal or launch NetExtender from their Programs menu.
Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users will have to return to the SSL VPN portal.
Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.
User Name & Password Caching - Provide flexibility in allowing users to cache their usernames and passwords in the NetExtender client. The three options are Allow saving of user name only, Allow saving of user name & password, and Prohibit saving of user name & password. These options enable administrators to balance security needs against ease of use for users.
Click OK to complete the Device Profile configuration process.