SonicWall Global VPN


This guide is for the NSA series of firewalls. Several steps are involved, on both the SonicWall itself and the client machine, before a client can log in. You will need to download the Global VPN software and install it on the client, set up the VPN user, enable the WAN GroupVPN settings, and test the connection before deploying into the field.

Most SonicWall NSA devices come with two GlobalVPN licenses by default. More can be purchased if needed from a variety of sources.

We will be using "Local Users" rather than LDAP, since LDAP requires additional steps that are not strictly needed to get VPN access working.



Prerequisites


Configure WAN Group VPN on the SonicWall

  • Log in to the SonicWall Management GUI and navigate to VPN | Settings.
    • Make sure that the Enable VPN and WAN GroupVPN check boxes are checked.
  • Click the configure icon for the WAN GroupVPN entry. The VPN Policy popup window is displayed.
    • General tab: IKE using Preshared Secret is the default setting for Authentication Method. Enter a Shared Secret in the Shared Secret Field.
    • Proposals tab: use the default settings or choose the desired Encryption and Authentication options for Phase 1 and Phase 2 proposals.
    • Advanced tab: enable Accept Multiple Proposals for Clients.
      • If you want the remote users to manage the SonicWall security appliance, select the management method, either HTTP or HTTPS.
      • If you want to use NetBIOS file sharing, check Enable Windows Networking (NetBIOS) Broadcast.
    • Advanced tab
      • Depending on your Best Practices, you can always allow Cache XAUTH User Name and Password on Client.
      • Change Virtual Adapter settings to DHCP Lease.
      • Make sure Allow Connections to is set to Split Tunnels.
  • Click OK to save.


Configure DHCP over VPN

This step will enable the VPN user's VPN adapter to get a DHCP lease for the network. There are two scenarios here, depending on your network's setup.

1. Internal DHCP Server: This option will use the SonicWall's internal DHCP server to assign an IP address.

2. DHCP Server: This option will use an internal DHCP server to hand out addresses.

If you have an internal DHCP server already set up, you can still use either option.

  • Navigate to VPN | DHCP over VPN
  • Select Central Gateway from the menu
  • Click Configure. The DHCP over VPN Configuration window is displayed.
    • If you're in scenario #1 (from above), check both Use Internal DHCP Server and Global VPN Client
    • For scenario #2:
      • Check Send DHCP requests to the server addresses listed below
      • Click Add; the Add DHCP Server window will pop up
      • Enter the internal IP of your network's DHCP server
      • Click OK
      • The IP you just entered will show under the IP Address area
    • Click OK to close the DHCP over VPN Configuration window
  • Click Accept to apply


Creating VPN Local User

This outlines how to make a Trusted User. You will need a separate user for each person who needs VPN access.

  • Log into your SonicWall Management GUI
  • Select Users from the menu on the left
  • Select Local Users from the drop-down under Users.
  • From the middle pane (Local Users) click the Add User... button
  • A popup named Add User will come up
    • Settings tab: Give the account at least a Name and Password. Optionally, you can also enter an E-mail address, change the Account Lifetime, give a Comment, and check User must change password and Require one-time passwords. Consult your Best Practices for these requirements.
    • Groups tab: by default, all new users are part of both Everyone and Trusted Users. Change these if needed.
      • Use either Groups OR VPN Access
      • Select the group under the User Groups column
      • Click the -> to move the selected Group from the User Groups to the Member Of column
    • VPN Access tab: Change this if you don't want to use Groups above
    • Bookmarks: Outside this scope
  • Click OK to save this user.


Creating VPN Local Group

By default, the Trusted Users group has no actual internal access. First we need to edit this group to give it the correct access. You might also eventually wish to make various Local Groups for different access levels, server access, etc.

  • Log into your SonicWall admin interface
  • Select Users from the menu on the left
  • Select Local Groups from the drop-down under Users.
  • From the middle pane (Local Groups), click the Edit icon (encircled pencil) on the Trusted Users line.
  • A popup named Edit Group will come up
    • Click on the Members tab
      • Select the user created earlier from the Non-Member Users and Groups column
      • Click the -> to move the selected user to the Member Users and Groups column
    • Click the VPN Access tab
      • In the Networks column, select a network you want to give access to
      • Click the -> to assign that network to the Access List
        • What you need will depend on the particular site. Usually you will need only Firewalled Subnets.
      • Repeat until you have all the networks you need added under Access List
    • Click OK to save your changes
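
Once a test user connects, the settings chosen in this guide (Virtual Adapter set to DHCP Lease, Allow Connections to set to Split Tunnels, and the group's VPN Access list) can be confirmed from the Windows client. The PowerShell below is an added example, not part of the original page or SonicWall's tooling; the adapter match string `*SonicWall*` is an assumption about how the Global VPN Client's virtual adapter is described on your machine.

```powershell
# Added example: client-side check of the settings configured in this guide.
# Assumption: the Global VPN Client virtual adapter's description contains "SonicWall".
function Test-GvpnClientState {
    param([string]$AdapterPattern = '*SonicWall*')   # assumed match string

    $adapter = Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like $AdapterPattern -and $_.Status -eq 'Up' } |
        Select-Object -First 1
    if (-not $adapter) {
        throw "No connected adapter matches '$AdapterPattern'. Is the tunnel up?"
    }

    # Virtual Adapter settings = DHCP Lease: expect a leased address, not APIPA.
    $ip = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    $leaseOk = $ip -and ($ip.IPAddress -notlike '169.254.*')

    # Allow Connections to = Split Tunnels: the tunnel must not own a default route.
    $default = Get-NetRoute -InterfaceIndex $adapter.ifIndex `
        -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $splitOk = -not $default

    # Routes through the tunnel; compare by hand with the group's VPN Access list.
    $routes = Get-NetRoute -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -notmatch '^(224\.|255\.|0\.0\.0\.0/0)' } |
        Select-Object -ExpandProperty DestinationPrefix

    [pscustomobject]@{
        Adapter       = $adapter.Name
        Address       = $ip.IPAddress
        AddressOrigin = $ip.PrefixOrigin
        LeaseOk       = [bool]$leaseOk
        SplitTunnel   = [bool]$splitOk
        TunnelRoutes  = $routes
    }
}

$state = Test-GvpnClientState
$state | Format-List
if (-not ($state.LeaseOk -and $state.SplitTunnel)) {
    Write-Warning 'Client state does not match the DHCP Lease / Split Tunnels settings.'
}
```

Run it while connected from a network outside the firewall; any prefix under TunnelRoutes that is not in the group's Access List means the VPN Access assignment is broader than intended.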

