SSL-VPN: How to configure LDAP authentication for SSL-VPN Users.

Angelo A Vitale
2018-12-11 01:56

Description

This article outlines all necessary steps to configure LDAP authentication for SSL-VPN users.

Resolution

SSL-VPN Settings

  1. Login to the SonicWall Management GUI
  2. Navigate to the SSL-VPN | Server Settings page.
  3. WAN to enable SSL-VPN on the WAN zone.
    image
  4. Navigate to the SSL VPN | Client Settings page and enter the following information:
    image
  5. Navigate to the Client Routes page and enter the following information:
    image

LDAP Settings

  1. Navigate to the Users | Settings page.
  2. Select LDAP (or LDAP + Local Users) as authentication method and click on Configure.
  3. Enter the following information to configure LDAP authentication: image

    image
  4. In the following screenshot, a group called SSL-VPN Users is being imported. This or a similar group needs to have been created in the AD before performing this action.

    image

User Settings

  1. Navigate to the Users Local Groups page.
  2. Click on configure on the newly imported SSL-VPN Users group.
  3. Under VPN Access tab select LAN Subnets or any other subnets that you wish to allow for this user group.
  4. Click OK to save the settings. image
  5. To make SSL-VPN Users group a member of the SSLVPN Services group, click on Configure on SSLVPN Services and add SSL-VPN Users group as a member.
  6. Click on OKimage
  7. As per the above configuration, only members of the group SSL-VPN Users will be able to connect to SSL-VPN.

Resolution for SonicOS 6.5 and Later

SonicOS 6.5 was released September 2017. This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 and later firmware.

Creating an Address Object for the SSLVPN IPv4 Address Range


  1. Login to the SonicWall Management GUI.
  2. Click Manage in the top navigation menu
  3. Navigate to Objects | Address Objects and click +Add at the top of the pane.

image

3. In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:

  • Name: SSL VPN Range TIP: This is only a Friendly Name used for Administration.
  • Zone: SSLVPN
  • Type : RangeNOTE: This does not have to be a range and can be configured as a Host or Network as well
  • Starting IP Address: 192.168.168.100
  • Ending IP Address: 192.168.168.110

image
SSLVPN Configuration

1. Navigate to the SSL-VPN | Server Settings page.

2. Click on the Red Bubble for WAN, it should become Green. This indicates that SSL VPN Connections will be allowed on the WAN Zone.

3. Set the SSL VPN Port, and Domain as desired.

NOTE: The SSLVPN port will be needed when connecting using Mobile Connect and NetExtender unless the port number is 443. Port 443 can only be used if the management port of the firewall is not 443.

NOTE: The Domain is used during the user login process'

TIP: If you want to be able to manage the firewall via GUI or SSH over SSLVPN these features can be enabled separately here as well.

image

4. Navigate to the SSL VPN | Client Settings page.


The SSL VPN | Client Settings page allows the administrator to configure the client address range information and NetExtender client settings, the most important being where the SSL-VPN will terminate (e.g. on the LAN in this case) and which IPs will be given to connecting clients.


CAUTION: NetExtender cannot be terminated on an Interface that is paired to another Interface using Layer 2 Bridge Mode. This includes Interfaces bridged with a WLAN Interface. Interfaces that are configured with Layer 2 Bridge Mode are not listed in the "SSLVPN Client Address Range" Interface drop-down menu. For NetExtender termination, an Interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public, or Wireless zone, and also configured with the IP Assignment of "Static".

5. Click on the Configure button for the Default Device Profile.



image

5. Set the Zone IP V4 as SSLVPN. Set Network Address IP V4 as the Address Object you created earlier (SSLVPN Range).

image
6. The Client Routes tab allows the Administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.

CAUTION: All SSL VPN Users can see these routes but without appropriate VPN Access on their User or Group they will not be able to access everything shown in the routes. Please make sure to set VPN Access appropriately.

image
7. The Client Settings tab allows the Administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client.

8. Input the necessary DNS/WINS information and a DNS Suffix if SSL VPN Users need to find Domain resources by name.

9. Enable Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.image

image

LDAP Settings

  1. Navigate to the Users | Settings page.
  2. Select LDAP (or LDAP + Local Users) as authentication method and click on Configure LDAP.
  3. Click Add to add a new LDAP server.
  4. Enter the Name or IP addressPort Number, and indicate if you wish to Use TLS (SSL). Additionally, you will need to choose if this is the Primary, Secondary or a Backup/replica server. image
  5. On the Login/Bind tab, Select the login type (Anonymous, login name in tree or bind distinguished name) and enter the Login user nameUser tree for login to server and Password if applicable.

    image
  6. On the Directory tab, Make the necessary adjustments to the Trees containing users and the Trees containing user groups or use the AUTO-CONFIGURE button as appropriate.
    image
  7. Click SAVE to save these settings and close the window.
  8. In the LDAP configuration window, access the Users & Groups Tab and Click Import Users.
    image
  9. Select the appropriate LDAP server to import from along with the appropriate domain(s) to include.
    image
  10. Choose the way in which you prefer user names to display.NOTE: This is a personal preference and does not affect 
    image


  11. Select the appropriate users you wish to import and Click Save Selected.NOTE: Make a note of which users or groups that are being imported as you will need to make adjustments to them in the next section of this article.

    image
  12. Click OK in the LDAP configuration window to save these settings and close the window


User Settings

  1. Navigate to the Users Local Users & Groups page.
  2. On the appropriate Local User or Local Groups Tab, Click on configure on the newly imported LDAP User or Group.NOTE: This is dependant on the User or Group you imported in the steps above. If you imported a user, you will configure the imported user, if you have imported a group, you will access the Local Groups tab and configure the imported group.
  3. Under VPN Access tab select the appropriate address objects/groups that your LDAP User or LDAP Group will need access to and click the right arrow to Add Network to Access List.
    image
  4. Click OK to save the settings and close the window.
  5. To make your User or Group a member of the SSLVPN Services group for access to SSLVPN, access the Local Groups tab and click Configure on SSLVPN Services.
  6. On the Members tab, Add your Imported user or group as to the Member Users and Groups.
    image
  7. Click on OK save the settings and close the window.
    https://www.sonicwall.com/en-us/support/knowledge-base/170503844059585
Tags: LDAP, SSL, SSL-VPN
Average rating: 0 (0 Votes)

You cannot comment on this entry