{"id":982,"date":"2013-07-01T16:12:00","date_gmt":"2013-07-01T23:12:00","guid":{"rendered":"https:\/\/thebeagle.itgroove.net\/?p=982"},"modified":"2023-02-24T21:48:42","modified_gmt":"2023-02-24T21:48:42","slug":"a-bunch-of-sonicwall-goodies-part-1-ssl-vpn","status":"publish","type":"post","link":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/","title":{"rendered":"A bunch of Sonicwall goodies — Part 1, SSL-VPN"},"content":{"rendered":"

We tend to lose sight of some of the \u201cbasics\u201d when all of the \u201csexiness\u201d of the Cloud and other things get all of the attention.  But it is important to remember that your on-premise kit needs some love and affection, too!  And, most importantly, you need to be mindful of your gateway security.<\/p>\n

I am an unabashed fan of Dell Sonicwall gear as Sonicwall offers a wide range of capabilities in their UTM (Unified Threat Management) platforms that is affordable for most small, midsize and enterprise businesses.  We (itgroove) never perform a customer on-premise build without a Sonicwall in place at the gateway.<\/p>\n

There are three features I want to reference in this and the following two blog posts that I think are of particular relevance to a number of small and medium sized businesses.<\/p>\n

The first is SSL-VPN<\/strong>.  SSL-VPN<\/strong> in simplistic terms is a method to create a secure, encrypted \u201ctunnel\u201d between two devices using SSL (https) as the encryption\/connection mechanism.  SSL-VPN is usually much easier to manage than older, more traditional \u201cfat client\u201d VPN solutions.  Sonicwall offers multiple ways to implement SSL-VPN but the two that most come to mind with SMB\u2019s are the SSL-VPN \u201cVirtual Office\u201d capabilities that are baked into all Sonicwall UTM appliances and the expanded SSL-VPN capabilities that ship with the Sonicwall SRA products.  (There are much bigger SSL VPN products in the Sonicwall stable but we\u2019ll stick to the ones listed as they are the most affordable.)  The UTM appliances all provide SSL-VPN based \u201cVirtual Office\u201d capability as well as the NetExtender SSL-VPN client.  <\/p>\n

Virtual Office<\/strong> is essentially web-published, proxied links to internal RDP, VNC, Telnet or SSH resources.  Links are presented on a webpage hosted on the Sonicwall UTM which is accessed after the user logs in and authenticates (various authentication methods are supported including LDAP\/Active Directory).  The links on the page may be global or may be specific to the user but all operate in the same fashion; the UTM appliance creates a proxied session between the authenticated user on the WAN and the desired target\/service on the LAN.  All the user requires is a modern browser (IE, Chrome, FireFox, Safari and others) and Java installed along with the browser.  When a user connects to a Sonicwall with SSL VPN enabled they will see something similar to the following:<\/p>\n

\"image\"<\/a><\/p>\n

The user supplies the appropriate login and password (the domain piece does not actually refer to a Windows domain, it is an internal designation that can be set to anything) and, if authenticated, they\u2019ll then be presented with a screen like the following:<\/p>\n

\"image\"<\/a><\/p>\n

(Note that in the address bar you can see that the site is secured (the padlock is displayed).  In this particular case the Sonicwall has a third-party SSL cert installed but the whole process also works with a self-signed cert.)<\/p>\n

In this case there are two choices available to this user; the user can connect to the Server using the published Virtual Office bookmark OR the user can initiate a VPN tunnel connection using NetExtender<\/strong> (more about that in a bit).  As can be seen, the bookmark for Server is set as RDP5\/ActiveX which means this bookmark should be used with IE.  The Sonicwall administrator could also create a bookmark using RDP5\/JAVA which will work with any browser including those on non-Microsoft machines such as Mac\u2019s or Unix\/Linux machines.  The user also has the ability to create their own bookmark (proxied connections) using the Add bookmark<\/strong> button (this ability can be turned on or off, per user, by the Sonicwall administrator).<\/p>\n

Here is the process to create a bookmark, the user will create an RDP5\/JAVA connection by clicking Add bookmark<\/strong>:<\/p>\n

This is the screen that is displayed:<\/p>\n

\"SNAGHTML18e885b5\"<\/a><\/p>\n

Most of the information is self explanatory and you\u2019ll see it in the next screen shot but some needs to be explained.<\/p>\n

The \u201cShow Windows Advanced options\u201d will display different options depending on the service you select.  In all cases the options pertain to abilities of the service that can be enabled or disabled, such as redirecting client printers and disk drives, enabling the clipboard, and so forth.<\/p>\n

The \u201cLogin as console screen\u201d setting allows the service to attempt to connect to the machine console, if possible.<\/p>\n

The \u201cAutomatically log in\u201d settings allows you to pas through credentials used to login to the SSL VPN (useful if you have the Sonicwall authenticate to the internal AD) or set custom credentials.  NOT setting this means the user will have to authenticate to the local system once the connection is made.<\/p>\n

Here is the filled-in screen for an RDP5\/Java connection to the Server:<\/p>\n

\"SNAGHTML18efb7ec\"<\/a><\/p>\n

And here is the Virtual Office screen with the additional bookmark:<\/p>\n

\"image\"<\/a><\/p>\n

Clicking on the bookmark starts the connection process:<\/p>\n

\"image\"<\/a><\/p>\n

\"SNAGHTML18f95746\"<\/a><\/p>\n

\"SNAGHTML18f9d809\"<\/a><\/p>\n

\"SNAGHTML18fac093\"<\/a><\/p>\n

Note how the emote computer address is listed as 127.0.0.2<\/strong>; the \u201creal\u201d address is hidden because the Sonicwall has created a proxied connection.<\/p>\n

\"SNAGHTML18fcd442\"<\/a><\/p>\n

\"SNAGHTML18fd4ba2\"<\/a><\/p>\n

At this point the connection is made and the user can login to the machine on the LAN behind the Sonicwall.  This RDP connection has been secured on a number of levels AND there is no port open through the firewall to allow the connection; all of the connection work is done \u201cbehind the scenes\u201d using SSL-VPN and the connection proxy.  <\/p>\n

One really nice feature of this method of publishing connections is that you can have many connections created and still have no holes punched through the firewall.  This is a much better method of securing RDP access to LAN-based systems using redirected RDP ports through the firewall (eg:  machine one is at port 3389, machine two is at 3390, machine three is at 3391, etc).  <\/p>\n

Virtual Office connections are great for direct access to specific machines on the LAN but what about situations where you need access to the LAN itself because you need to access multiple LAN resources at once?  NetExtender<\/strong> provides this functionality (I did <\/em>say I would circle back to NetExtender).<\/p>\n

NetExtender<\/strong> provides many of the same features of a traditional \u201cfat\u201d VPN client but in a much simpler (for the user) package.  To install NetExtender the user only has to login to the Virtual Office webpage once, click on the NetExender button to install NetExtender, then for all future sessions the user can simply fire up the local NetExtender client.  NetExtender works with may different systems including iPhone\/iPad and Android devices as well as the usual PC\u2019s.  I won\u2019t detail the installation process as it is literally click the button and then click OK to launch installation via your web-browser.<\/p>\n

Assuming the client has been installed the user only has to start up NetExtender, provide credentials and connect, is is as simple as that.  Here is a sample NetExtender connection session (connecting to the same Sonicwall as used for the Virtual Office):<\/p>\n

\"SNAGHTML190cb435\"<\/a><\/p>\n

\"SNAGHTML190e58fb\"<\/a><\/p>\n

The user is connected, has received an IP on the LAN, and has routes assigned as well as DNS servers.  At this point the user had the same access to LAN resources as they would if sitting in the office.  When finished the user clicks Disconnect <\/strong>and the connection is dropped.<\/p>\n

As I said at the beginning of this post, this is not terribly sexy stuff; but it is<\/em> critical<\/strong> stuff if you are interested in securing your systems.  Too many small organizations (and large ones, too, for that matter) don;t sweat the small stuff.  Yes, you can poke holes in your firewall and publish RDP connections directly to the \u2018Net and you can also rely on Microsoft (or other) VPN technologies that also rely on holes poked in the firewall.  But, if you\u2019re like me (and many other IT pro\u2019s) you want to protect your internal resources as much as possible and one way to do this is to NOT punch any more hole sin your firewall than you absolutely have to.  Using SSL-VPN technologies from Sonicwall (and others) is a simple, easy way to eliminate one source of security headaches.<\/p>\n","protected":false},"excerpt":{"rendered":"

We tend to lose sight of some of the \u201cbasics\u201d when all of the \u201csexiness\u201d of the Cloud and other things get all of the attention.  But it is important to remember that your on-premise kit needs some love and affection, too!  And, most importantly, you need to be mindful of your gateway security. I … <\/a><\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[49,266],"tags":[391,468,474,150,574,579,612,635],"acf":[],"yoast_head":"\nA bunch of Sonicwall goodies - Part 1, SSL-VPN - Archive<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A bunch of Sonicwall goodies - Part 1, SSL-VPN - Archive\" \/>\n<meta property=\"og:description\" content=\"We tend to lose sight of some of the \u201cbasics\u201d when all of the \u201csexiness\u201d of the Cloud and other things get all of the attention.  But it is important to remember that your on-premise kit needs some love and affection, too!  And, most importantly, you need to be mindful of your gateway security. I …\" \/>\n<meta property=\"og:url\" content=\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/\" \/>\n<meta property=\"og:site_name\" content=\"Archive\" \/>\n<meta property=\"article:published_time\" content=\"2013-07-01T23:12:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-24T21:48:42+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png\" \/>\n<meta name=\"author\" content=\"Sean Wallbridge\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sean Wallbridge\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/\",\"url\":\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/\",\"name\":\"A bunch of Sonicwall goodies - Part 1, SSL-VPN - Archive\",\"isPartOf\":{\"@id\":\"https:\/\/regroove.ca\/archive\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#primaryimage\"},\"thumbnailUrl\":\"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png\",\"datePublished\":\"2013-07-01T23:12:00+00:00\",\"dateModified\":\"2023-02-24T21:48:42+00:00\",\"author\":{\"@id\":\"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77\"},\"breadcrumb\":{\"@id\":\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#primaryimage\",\"url\":\"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png\",\"contentUrl\":\"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog Archive\",\"item\":\"https:\/\/regroove.ca\/archive\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A bunch of Sonicwall goodies — Part 1, SSL-VPN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/regroove.ca\/archive\/#website\",\"url\":\"https:\/\/regroove.ca\/archive\/\",\"name\":\"Archive\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/regroove.ca\/archive\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77\",\"name\":\"Sean Wallbridge\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/regroove.ca\/archive\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g\",\"caption\":\"Sean Wallbridge\"},\"url\":\"https:\/\/regroove.ca\/archive\/author\/swallbridge\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A bunch of Sonicwall goodies - Part 1, SSL-VPN - Archive","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/","og_locale":"en_US","og_type":"article","og_title":"A bunch of Sonicwall goodies - Part 1, SSL-VPN - Archive","og_description":"We tend to lose sight of some of the \u201cbasics\u201d when all of the \u201csexiness\u201d of the Cloud and other things get all of the attention.  But it is important to remember that your on-premise kit needs some love and affection, too!  And, most importantly, you need to be mindful of your gateway security. I …","og_url":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/","og_site_name":"Archive","article_published_time":"2013-07-01T23:12:00+00:00","article_modified_time":"2023-02-24T21:48:42+00:00","og_image":[{"url":"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png"}],"author":"Sean Wallbridge","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sean Wallbridge","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/","url":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/","name":"A bunch of Sonicwall goodies - Part 1, SSL-VPN - Archive","isPartOf":{"@id":"https:\/\/regroove.ca\/archive\/#website"},"primaryImageOfPage":{"@id":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#primaryimage"},"image":{"@id":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#primaryimage"},"thumbnailUrl":"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png","datePublished":"2013-07-01T23:12:00+00:00","dateModified":"2023-02-24T21:48:42+00:00","author":{"@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77"},"breadcrumb":{"@id":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#primaryimage","url":"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png","contentUrl":"http:\/\/thebeagle.itgroove.net\/wp-content\/uploads\/thebeagle\/2013\/07\/image_thumb.png"},{"@type":"BreadcrumbList","@id":"https:\/\/regroove.ca\/archive\/2013\/07\/01\/a-bunch-of-sonicwall-goodies-part-1-ssl-vpn\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog Archive","item":"https:\/\/regroove.ca\/archive\/"},{"@type":"ListItem","position":2,"name":"A bunch of Sonicwall goodies — Part 1, SSL-VPN"}]},{"@type":"WebSite","@id":"https:\/\/regroove.ca\/archive\/#website","url":"https:\/\/regroove.ca\/archive\/","name":"Archive","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/regroove.ca\/archive\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77","name":"Sean Wallbridge","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","caption":"Sean Wallbridge"},"url":"https:\/\/regroove.ca\/archive\/author\/swallbridge\/"}]}},"_links":{"self":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/982"}],"collection":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/comments?post=982"}],"version-history":[{"count":1,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/982\/revisions"}],"predecessor-version":[{"id":3003,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/982\/revisions\/3003"}],"wp:attachment":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/media?parent=982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/categories?post=982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/tags?post=982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}