SonicWall SSL VPN
Virtual Private Network (VPN) for Secure Remote Access

Overview:

Businesses large and small need to address the growing demands of more distributed work sites and an increasingly mobile workforce in order to compete in today’s global marketplace. Remote access has become a business imperative.

SonicWall VPN Clients offer a flexible easy-to-use, easy-to-manage Virtual Private Network (VPN) solution that provides distributed and mobile users with secure, reliable remote access to corporate assets via broadband, wireless and dial-up connections. For remote client-to-host secure access, SonicWall offers both SSL VPN and IPSec VPN connectivity options. For SSL VPN, SonicWall NetExtender provides thin client connectivity and clientless Web-based remote access for Windows, Windows Mobile, Mac and Linux-based systems. For IPSec VPN, SonicWall Global VPN Client enables the client system to download the VPN client for a more traditional client-based VPN experience.

• Enhanced layered security
• Easy VPN management
• Ease-to-follow wizards
• Extended user reach and productivity
• VPN session reliability
• Clientless connectivity
• NetExtender technology
• Mobile device support

Simple, policy-enforced secure access to mission-critical applications and data

Give your employees safe, easy access to the data and resources they need to be productive from a range of devices, including iOS, OS X, Android, Chrome OS, Kindle Fire and Windows. At the same time, ensure that your corporate network is protected from unauthorized access and mobile security threats.

Features and Benefits:

Enhanced layered security is enabled when a SonicWall Network Security Appliance uses powerful deep packet inspection technology to scan VPN traffic for malicious threats such as viruses, worms, Trojans and spyware. The combined solution is known as SonicWall Clean VPN*.

Easy VPN management SonicWall’s award-winning Global Management System (GMS) provides simplified management of SonicWall VPN Client connections.

SSL VPN for Network Security:

• NetExtender - Clientless connectivity removes the need for a pre-installed or “fat” VPN client, thus freeing administrators from the tedious and costly task of installing and updating a client on users’ Windows, Mac or Linux-based systems.
• NetExtender technology provides enhanced capabilities such as network level access to additional resources, services and applications on the corporate network.
• Mobile device support to access an entire intranet as well as Web-based applications provides greater flexibility for a remote workforce.

Global VPN Client:

• Easy-to-follow wizards help users install and configure a VPN connection quickly and easily. IPSec VPN users simply enter the domain name or IP address of the SonicWall VPN gateway and the Global VPN Client configuration policy is automatically downloaded.
• Extended user reach and productivity by connecting from any single or dualprocessor computer running one of a broad range of Microsoft® Windows® platforms. Further extending secure remote access, the Global VPN Client enables encapsulated VPN traffic to traverse any IP network using Network Address Translation (NAT).
• VPN session reliability provides simultaneous Global VPN Client connections that can be established to multiple SonicWall VPN gateways. The Global VPN Client supports redundant SonicWall VPN gateways to ensure mission-critical network access in the event the primary gateway fails.

*Clean VPN requires an active Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention subscription for the governing SonicWall network security appliance.

Mobile Connect:

Simple, policy-enforced secure access to mission-critical applications and data for iOS, OS X, Android, Chrome OS, Kindle Fire and Windows mobile devices.

Give your employees safe, easy access to the data and resources they need to be productive from a range of devices, including iOS, OS X, Android™, Chrome OS, Kindle Fire and Windows. At the same time, ensure that the corporate network is protected from mobile security threats.

The SonicWall™ Mobile Connect™ application works in combination with SonicWall Secure Mobile Access (SMA) or next-generation firewall appliances. Mobile workers simply install and launch the Mobile Connect application on their iOS, OS X, Android, Chrome OS or Windows mobile device to establish a secure connection to an SMA or next-generation firewall appliance. The encrypted SSL VPN connection will protect traffic from being intercepted and keep in-flight data secure. Contextaware authentication ensures only authorized users and trusted devices are granted access.

Behind the scenes, IT can easily provision and manage access policies via SonicWall appliances through a single management interface, including restricting VPN access to a set of trusted mobile apps allowed by the administrator. Plus, the SonicWall solution integrates easily with most back-end authentication systems, including two-factor authentication, so you can efficiently extend your preferred authentication practices to your mobile workers.

Features and Benefits

Ease of use
iOS, OS X, Windows 10, Android, Chrome OS and Kindle users can easily download and install the Mobile Connect app via the App Store™, Google Play, Chrome Web Store, Amazon App Store, or Windows Store. For Windows 8.1 mobile device users, Mobile Connect is embedded in the Windows 8.1 operating system so there is no need to download and install another VPN client app.

Centralized policy management
IT can provision and manage mobile device access via SonicWall appliances — including control of all web resources, file shares and client-server resources — through a single management interface. Unlike other VPN solutions, the SonicWall solution allows you to quickly set rolebased policy for mobile and laptop devices and users with a single rule across all objects; as a result, policy management can take only minutes instead of hours.

Verification of both user and device
A Mobile Connect user is granted access to the corporate network only after the user has been authenticated and mobile device integrity has been verified. End Point Control can determine whether an iOS device has been jailbroken or an Android device has been rooted, as well as whether a certificate is present or the OS version is current, and then reject or quarantine the connection as appropriate.

Easy access to appropriate resources
iOS, Android, Chrome OS, Kindle and Windows mobile devices can connect to all allowed network resources, including web-based, client/server, server-based, host-based and back-connect applications. Once a user and device are verified, Mobile Connect offers pre-configured bookmarks for one-click access to corporate applications and resources for which the user and device has privileges.

Malware protection
When deployed with a SonicWall nextgeneration firewall, Mobile Connect establishes a Clean VPN™, an extra layer of protection that decrypts and scans all SSL VPN traffic for malware before it enters the network.

Mobile device registration and authorization policy management
With Mobile Connect and Secure Mobile Access OS (versions 11.0 and above) for Secure Mobile Access 1000 Series appliances, prior to granting network access, if a mobile device has not previously registered with the SMA appliance, the user is presented with a device authorization policy for acceptance. The user must accept the terms of the policy to register the device and gain access to allowed corporate resources and data. The terms of the policy are customizable by the administrator.

Per-application VPN
Mobile Connect in combination with Secure Mobile Access OS (versions 11.0 and above) for Secure Mobile Access 1000 Series appliances, enables administrators to establish and enforce policies to designate which apps on a mobile device can be granted VPN access to the network. This ensures that only authorized mobile business apps utilize VPN access. Mobile Connect is the only solution that requires no modification of mobile apps for per app VPN access. Any mobile app or secure container can be supported with no modifications, app wrapping or SDK development.

One-click Secure Intranet File Browse and On-Device Data Protection
Protect company data at rest on mobile devices. Authenticated users can securely browse and view allowed intranet file shares and files from within the Mobile Connect app. Administrators can establish and enforce mobile application management policy for the Mobile Connect app to control whether files viewed can be opened in other apps, copied to the clipboard, printed or cached securely within the Mobile Connect app. For iOS devices, this allows administrators to isolate business data from personal data stored on the device and reduces the risk of data loss. In addition, if the user’s credentials are revoked, content stored in the Mobile Connect app is locked and can no longer be accessed or viewed.

Auto-launch VPN
URL control allows apps that require a VPN connection for business (including Safari) to create a VPN profile and automatically initiate or disconnect Mobile Connect on launch (requires compatible server firmware). In addition, for iOS or OS X devices, to simplify use when a secure connection is required, VPN on Demand automatically initiates a secure SSL VPN session when a user requests internal data, applications, websites or hosts.

Integration with existing authentication solutions
The SonicWall solution supports easy integration with most back-end authentication systems, such as LDAP, Active Directory and Radius, so you can efficiently extend your preferred authentication practices to your mobile workers. For increased security, you can enable one-time password generation and easily integrate with two-factor authentication technologies.

Application intelligence and control
When deployed with a next-generation firewall, IT can easily define and enforce how application and bandwidth assets are used.

Specifications Compatibility

SonicWall SMA and NextGeneration Firewall

• TZ, NSa, E-Class NSa or Super Massive 9000 Series appliances running SonicOS 5.9, 6.2 or higher
• SMA 100 Series/SRA appliances running 7.5 or higher
• SMA 1000 Series/E-Class SRA appliances running 10.7 or higher

SonicWall Mobile Connect

• Devices running iOS version 7.0 or higher
• Devices running OS X 10.9 or higher
• Devices running Android 4.1 or higher
• Kindle Fire devices based on Android 4.1 or higher
• Devices running ChromeOS 45 or higher
• Devices running Windows 8.1
• Devices running Windows Phone 8.1
• Devices running Windows 10

Netextender:

Deliver seamless, secure network layer access from anywhere.

Abstract

While pre-configured or “fat” client is preferential for most network users, many IT organizations are making the switch to a thin client or SSL VPN model in order to reduce costs and better protect their network from security risks. Unlike a fat clients or IPSec VPN, thin client enables remote users to access the network from any computer equipped with an Internet connection and standard web browser.

No longer are remote users limited to using speciallyconfigured laptops provided by the IT department, as is the case with more traditional VPN models. IPSec VPN may be especially useful in areas where the IT administrator tightly controls and manages only a small number of remote workstations, while with fat client VPN systems administrators can allow users to have a greater level of access. However, users now can have the best of both worlds with SonicWall™ Secure Remote Access (SRA) NetExtender thin client technology. The tech brief below explains how.

Introduction

With SonicWall NetExtender, users enjoy seamless and secure network layer access to the intranet, file, desktop and terminal resources, including Microsoft® Outlook® and Microsoft SharePoint. Pushed transparently onto the client’s desktop, laptop or smartphone, the thin client enhances users’ capabilities and significantly reduces the IT administrative costs and time required to maintain and manage remote access.

SonicWall NetExtender

Simplified and secure end user access for anywhere, NetExtender adds more power to the SonicWall SRA 4600 and 1600, adding capabilities such as seamless and secure access to any resource on the corporate network including servers or custom applications. Unlike a fat client, NetExtender extends thin client transparently to the client’s desktop or laptop, and installs it automatically to facilitate this broader level of access. It assigns remote users an IP address from a preset pool of IP addresses, enabling them to access any TCP/IP-based resource on the corporate network including a wide variety of legacy applications and services. Remote users gain Layer-3 level access to the protected internal network.

The user experience is similar to that of a traditional IPSec VPN client, except that manual client installation is not required. Additionally, users do not have to worry about Network Address Translation (NAT) devices and proxies, which are the bane of traditional IPSec-based VPNs.

NetExtender creates a virtual adapter for secure point-to-point access to any allowed host or subnet on the internal network. Unlike the stateless nature of the traditional SSL VPN, NetExtender stays resident on the client machine even after the connection is closed.

The advantage of running NetExtender as a resident application on the remote system is that it speeds up login times in subsequent uses. Of course, if a remote user chooses to deploy the standalone NetExtender client on their remote machine, but later logs in from a separate machine, he or she can still gain access with no problems at all.

Users can access NetExtender easily in the traditional way from any machine using the browser portal. They can also select the Uninstall on browser exit option to have NetExtender remove itself after the session ends.

Extend network access through native clients

With NetExtender technology, remote users will gain: Access to email through native clients residing on the user’s laptop, including everything from Microsoft Outlook and Lotus Notes Access to commercial or property applications and flexible network access.

Enforce granular access control policies

By deploying the SonicWall NetExtender, along with Enforced Client Anti-Virus and Anti-Spyware, on the remote workstations, administrators can enforce a policy that requires every remote workstation that accesses the network to have current versions of anti-virus and anti-spyware software up and running.

Multiple NetExtender IP range and route support, permits the administrator to impose granular access control policies by assigning specific IP addresses or ranges of IP addresses, and specific routes to individual users or groups. This feature also helps to provide control that is more granular over who can access which network resources through NetExtender.

Enhance firewall encryption and security

SonicWall Secure Remote Access (SRA) provides a high level of security on its own. Besides the encryption that is inherent to the SSL model, the personalized SonicWall web portal enforces a high level of granularity for each user that the administrator controls. The SRA Series appliance grants remote users access only to authorized areas through the portal. NetExtender also provides enhanced security benefits. With NetExtender, you can force all client traffic through the SSL VPN tunnel, and apply all security services that are running on your primary SonicWall Network Security Appliance (NSA) or SonicWall TZ Series firewall — including enforcement of the SonicWall hostbased, anti-virus solution.

Versatile, bidirectional support for remote PCs

While the application proxies support specific protocols such as FTP, HTTP, RDP or VNC, NetExtender is not protocol specific. Rather, it can support any TCP/IP-based application that is running on the local client. Besides extended access, this also means that communications are bidirectional. In other words, the remote client can initiate communications with a host on the internal network, and the reverse is also true — hosts on the internal network can also initiate communications with the remote PC. This functionality is particularly useful for management and administration of remote PCs.

Flexible support for multiple platforms

Available as a standalone application for all SRA Series appliances, the NetExtender client can be launched through the Virtual Office web portal, or as a native application on Windows, Mac OS and Linux PCs and laptops, to access any authorized resource on the corporate network.

NetExtender utilizes a standard interface across all SSL VPN clients, creating a unified look and feel. Support for multiple platforms provides users with greater flexibility to access remote resources from various endpoints. Initial distribution of NetExtender is either through the Virtual Office portal or via a standalone installer. After initial distribution, users can launch NetExtender independently as a standard application. The NetExtender client supports domain login scripts, and implements a custom dialer that allows launch from the Windows Network Connections menu.

For mobile devices and operating systems, SonicWall Mobile Connect™, a single unified client app for Apple iOS, OS X, Google Android™, Kindle Fire and Windows 8.1 or newer, provides smartphone, tablet, laptop and desktop users network-level access to corporate and academic resources over encrypted SSL VPN connections.

Connect Tunnel:

Enable simple, secure remote access through SonicWall E-Class SRA Connect

E-Class SRA Connect™ provides users of IT-managed Windows, Macintosh and Linux devices with unmatched ease-of-use and a complete “in-office” experience. E-Class SRA Connect delivers the easiest, most complete method of secure remote access available and is ideal for providing strong security for wireless LAN users and mobile employees who need full access away from the office.

“In-office” experience from any location

Connect provides remote users of IT-managed devices with full access to key business applications — including back- connect applications such as VoIP soft phones and remote help desk — as if they were in the office. E-Class SRA Smart Access™ technology automatically determines and deploys the right remote access method for the corporate resources that they need, based on policy. Connect also supports Single Sign-On (SSO), network auto-discovery and integration with third-party dialers.

Easy administration with robust control

The lightweight Connect client can be pre-installed on an IT-managed device, or downloaded from a Web portal. Administrators can update new versions and configuration changes easily and automatically without further intervention. Connect integrates directly with E-Class SRA Unified Policy™ and E-Class SRA End Point Control™ (EPC™ ) for centralized control of all users, groups, resources and devices. Additionally, split tunnel control enables IT to control a user’s ability to log on to multiple networks while on the VPN. In addition, features such as NAT traversal, proxy detection, and traversal and mitigation of address conflicts ensure universal application access.

Secure access to VoIP and remote help desk

Connect support for UDP, TCP and IP protocols, as well as granular bidirectional access control for any applications, including back-connect applications like VoIP and remote help desk. Connect can interrogate a VoIP device and authenticate the user before connection, preventing the threat of malware attacks. With Connect, you get the granular access control, split-tunneling capability and NAT and firewall traversal you need to provide users with truly secure everywhere access. In addition, its adaptive addressing and routing dynamically adapts to networks, eliminating addressing and routing conflicts common with other solutions.

Tunnel agent Web policy and SSO configuration

Administrators can define Web policy for E-Class SRA Smart Tunneling agents (E-class SRA Connect Tunnel and OnDemand Tunnel) as well as the E-Class SRA WorkPlace portal, providing more granular access control options for the tunnel agents, allowing for consistent policy enforcement across all access options.

Mobility solutions

SonicWall Mobile Connect™ , available as a mobile app for Apple iOS, Mac OSX, Kindle Fire and Google Android™ mobile devices and embedded with Windows 8.1 devices, provides users with simple, policy-enforced mobile access to corporate and academic resources over encrypted SSL VPN connections. The E-Class SRA Appliances also feature clientless Microsoft ActiveSync support for Apple iPhone, iPad™ and Android devices through the appliance. ActiveSync support allows an administrator to securely access email, contacts and calendar functions through the SSL VPN, without having to expose an Exchange server at the edge of the network. ActiveSync features the ability to require users to authenticate through the SSL VPN (username/password), as well as require device identification against information stored in the user’s Active Directory or LDAP account.

Application-to-application Connect Service Edition

The E-Class SRA Connect Service Edition offers policy-driven application-toapplication access, perfect for branch office applications that need dedicated or scheduled connections without human intervention.

License Bundles:

VPN CLient License Bundles:
Hardware:	SSL VPN Client Licenses Bundled/Max	Global VPN Client Licenses Bundled/Max
TZ 105/TZ 105W Series	1/5	0/5
TZ 205/TZ 205W Series	2/10	2/10
TZ 215/TZ 215W Series	2/10	2/25
NSa 220 Series	2/15	2/25
NSa 250M Series	2/15	2/25
NSa 2400	2/25	10/250
NSa 2600	2/25	10/250
NSa 3500	2/30	50/1,000
NSa 3600	2/30	50/1,000
NSa 4500	2/30	500/3,000
NSa 4600	2/30	500/3,000
NSa 5000	2/30	500/3,000
NSa 5600	2/50	2,000/4,000
NSa 6600	2/50	2,000/6,000
NSa E5500	2/50	2,000/4,000
NSa E6500	2/50	2,000/6,000
NSa E7500	2/50	2,000/10,000
NSa E8500	2/50	2,000/10,000
NSa E8510	2/50	2,000/10,000

System Requirements:

System Requirements for NetExtender
Hardware	TZ 105, 205, 215 Series, NSa or E-Class NSa Series Appliance
Firmware/OS	Requires firmware version 5.2 or higher Windows 2000, 2003, XP/Vista (32-bit and 64-bit) Win Mobile 5 (Pocket PC), Win Mobile 6 (Classic/Professional), MacOS 10.4+ (PowerPC and Intel), Linux Fedora Core 3+ / Ubuntu 7+ / OpenSUSE
System Requirements for Global VPN Client
Hardware	Requires third-, fourth- or fifthgeneration SonicWall network security appliance
Firmware/OS	Requires firmware version 6.4.2 or higher or SonicOS 3.0 or higher IBM-compatible computer with an Intel/AMD processor Not supported by XP Home SP2 64 Bit Edition
Available Hard Disk Space	28 MB
RAM	512 MB
Network Connection	Ethernet network interface card with NDIS compliant driver and/or dial-up adapter (internal or external modem, ISDN terminal adaptor) or wireless LAN
Technical Specifications for Global VPN Client
IPSec Modes	ESP (Encapsulated Security Payload)
Encryption Algorithms	DES (56-bit), 3DES (168-bit), AES (256-bit)
Data Integrity	MD5, SHA-1
Authentication and Key Management	IKE (Internet Key Eschange)
User Authentication	RADIUS with XAUTH, Local User, LDAP, Microsoft Active Directory, Novell eDirectory
Certificate Support	Microsoft, Verisign, Entrust
Standards and RFCs Supported	ESP Tunnel Mode, IKE (ISAKMP/Oakley): Internet RFCs Supported Key Exchange (RFC2407-2409), NAT-Traversal (IETF drafts), X.509 v3 certificates: (RFC2459), PKCS #7: Cryptographic Message Syntax Standard (RFC2315), PKCS #12: Personal Information Exchange Syntax Standard, FIPS Pub 46-1: Data Encryption Standard, FIPS Pub 180-1: Secure Hash Standard, Microsoft Vista 32-bit

Videos:

Setup SSL VPN on a SonicWall Firewall

Setup a Site to Site VPN

Configure WAN Group VPN on a SonicWall Firewall