Configuring SonicWALL SSL VPN with LDAP

dell-sonicwall-logoConfiguring SonicWALL SSL VPN with LDAP

SonicWALL’s SSL VPN is a very useful tool for remotely connecting to your corporate network to access files and servers, or to allow users to work from home. The SSL VPN is not an included license with the purchase of the SonicWALL UTM Device, so you will need to purchase licenses in order for this to work. I find that this method of connecting remotely is much easier than the Global VPN Client. This article will step you through configuring the SSL VPN software and how to configure the SonicWALL to communicate with LDAP for access control.

SSL VPN Configuration:

1. Open a web browser (Google Chrome or Mozilla Firefox is recommended) and navigate to your SonicWALL UTM Device.

2. Log in using administrator credentials

3. On the Navigation menu, choose SSL VPN and Server Settings

4. Click WAN at the top to enable SSL VPN for that zone

5. Change the SSL VPN Port to 4433

 Note: If you have no other services listening on the default HTTPS port, you may leave this option set at 443. However, I have noticed that most times either the SonicWALL management interface is listening on 443 or that there is another service behind the firewall already using that port. If you have multiple Static IP addresses, you may change your configuration to allow the SSL VPN to function on 443.

6. Click Accept to save the changes

7. On the Navigation menu, Choose SSL VPN and Portal Settings

8. Check the boxes for Launch NetExtender after login, Display Import Certificate Button and Enable HTTP meta tags for cache control.

9. Click Accept to save the changes

10. On the Navigation menu, Choose SSL VPN  and Client Settings

11. Change Interface to X0

12. After verifying an open range of IP Addresses within your network, enter the range in the NetExtender Start IP and NetExtender End IP fields.

13. Change the DNS Server 1 to your domain controller’s IP address, or the address of a DNS Server within your network

14. Change the DNS Domain and User Domain to your local domain name (Example: YourITSource.local)

15. If WINS is in use, enter the IP address of the WINS Server in the WINS Server 1 field

16. Change Enable NetBIOS over SSL VPN to Enabled

17. Click Accept to save the changes

18. On the Navigation menu, Choose SSL VPN and Client Routes

19. In the Add Client Routes dropdown, Choose X0. You may also add any additional address objects you have here for other subnets within your organization

20. Click Accept to save the changes

 

At this point, the SSL VPN is configured. We now need to add the LDAP tie to allow LDAP Groups to access the VPN.

 

LDAP Configuration:

1. Log into an Active Directory Domain Controller using Administrative Credentials

2. Open Active Directory Users and Computers (DSA.msc)

3. Create a new administrative user with the first name and username of SonicWALL and assign a secure password.

4. Create a new Global Security Group called SSLVPN Users

5. Right Click on the SSL VPN Users group and choose Properties

6. Navigate to the Members tab and Add the users you wish to give access to the SSL VPN

7. Click OK and close the Active Directory Users and Computers management console

8. Open a web browser (Google Chrome or Mozilla Firefox is recommended) and navigate to your SonicWALL UTM Device.

9. Log in using administrator credentials

10. On the Navigation Menu, Choose Users and Settings

11. Change the Authentication method for login to LDAP + Local Users

12. Change the Single-sign-on method to Browser NTLM authentication only

13. Click Accept to save the changes

14. Choose Configure next to Authentication method for login

15. Navigate to the Settings tab

16. Enter the LDAP server address in Name or IP address

17. Change the Port Number to Default LDAP Port (Dropdown Menu)

18. Change the Login Method to Give bind distinguished name

19. In the Bind distinguished name field, type SonicWALL (or the name of the LDAP administrative user)

20. Enter the password for the user above

21. Set Protocol version to LDAP version 3

22. Uncheck the box for Use TLS (SSL)

23. Click Apply

24. Navigate to the Schema tab

25. For LDAP Schema, choose Microsoft Active Directory

26. Click Read from server at the bottom

27. Click Apply

28. Navigate to the Directory tab and enter the local domain name under Primary Domain

29. Click Auto-configure at the bottom

30. Click Apply

31. Navigate to the LDAP Users tab and choose Import user groups

32. Select the SSLVPN Users group you created in Active Directory and choose Save Selected

33. On the Navigation Menu, Choose Users and Local Groups

34. Click the Configure button next to SSLVPN Services

35. Choose the Members tab and add the SSLVPN Users group

36. Choose the VPN Access tab and add Firewalled Subnets to the Access List

37. Click OK

 

Now we have successfully configured the SonicWALL to communicate with LDAP.

 Make sure that you add authorized users to the SSLVPN Users Group that you created within Active Directory. Only users belonging to this group will have access to the VPN.

 

Need a SonicWALL UTM Device?

Configuring SSL VPN Client and Connecting:

1. On the client computer, Open a web browser (Google Chrome or Mozilla Firefox is recommended)

2. Navigate to your outside web address on port 4433 (Example, https://remote.mycompany.com:4433)

3. Enter your domain username and password

4. Ensure that the domain is correct and click Login

5. Click the Here link under Windows Net Extended Client

6. Download and Install the NetExtender Client

7. Open the NetExtender Client

8. Enter your company’s NetExtender Address in the Server Field (Likely the same link as above, excluding the https://)

9. Enter your domain Username and Password

10. Enter your company’s local domain name in the Domain field

11. Click Connect

You are now connected to the SSL VPN and can work remotely.

SSLVPNClient

Comments

comments

Leave a Reply