Force All Traffic over a NetExtender SSL VPN Connection, but allow users to continue to access the Internet.

I have a client that is using a medical application whose access to cloud-based storage is locked down by public IP address. This restricts access to the application to only the people who are in the office; users who work from home, or who take their laptop home with them on the weekend, are unable to work from home. To solve this problem I set up NetExtender and forced it to tunnel all traffic back into the main site, but users were then unable to connect to any resources on the Internet.

Here is how to resolve this issue. First, let’s configure the SSL VPN:

  1. Log into your SonicWall and expand “Network”.
  2. Click on “Interfaces”, and then click on the Configure link for your WAN connection.
  3. Make sure the box that says “User Login: Https” has a check mark, and then click “OK”.
  4. Expand “SSL VPN” on the left, and then click “Server Settings”.
  5. Click the red dot next to “WAN” and wait for it to turn green.
  6. Click “Client Settings” on the left, and then configure an IP address range for your SSL VPN guests; also configure the User Domain and DNS servers.
  7. Click “Client Routes” on the left pane and enable “Tunnel All Mode”. This ensures that all traffic sent by the client appears to originate from the main office, and not from the client’s home router.

Now let’s create a user and grant them access to the appropriate networks during a VPN connection.

  1. Expand “Users” on the left, and then click on “Local Users”.
  2. Click “Add User…”.
  3. On the “Settings” tab, give the user a username and password.
  4. On the “Groups” tab, add the user to “Trusted Users”, “Everyone”, and “SSLVPN Services”. Click OK.
  5. Click “Local Groups” on the left.
  6. Click on the “Configure” button for the group “Trusted Users”.
  7. Click on the “VPN Access” tab, and add “LAN Subnets” and “WAN RemoteAccess Networks” to the list. Click OK.

Now have the user connect to the SSL VPN, open a command prompt, and ping anything. The first hop should be the default gateway of the main office’s WAN connection; this shows that you’re tunneling all traffic over the SSL VPN and are still able to get online.
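As an added check (example code written for this post, not SonicWall’s or NetExtender’s own tooling), the script below confirms from the Windows client side that Tunnel All Mode is actually in effect: it parses the IPv4 routing table as printed by `route print -4`, finds the default route Windows will use (the 0.0.0.0/0 entry with the lowest metric), and checks that its interface address falls inside the SSL VPN client range configured in step 6. The client range `10.10.10.0/24` and the embedded route-table text are constructed sample values; replace the range with whatever you configured.

```python
"""Verify that a Windows NetExtender client's active default route goes through
the SSL VPN client address range (i.e. Tunnel All Mode is working).

Added example, not part of the original post. Assumptions: the SSL VPN client
range from step 6 is 10.10.10.0/24 (constructed value) and the text passed in
is the output of `route print -4`.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `route print -4` output while connected: a physical
# adapter on the home LAN (192.168.1.0/24) and the NetExtender virtual adapter
# on the SSL VPN client range (10.10.10.0/24) with a lower-metric default route.
SAMPLE_TUNNEL_ALL = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
          0.0.0.0          0.0.0.0       10.10.10.1      10.10.10.5      1
        10.10.10.0    255.255.255.0         On-link       10.10.10.5    257
       192.168.1.0    255.255.255.0         On-link     192.168.1.50    291
===========================================================================
"""

# Constructed sample of a split-tunnel state: only the home router's default
# route is present, so Internet traffic bypasses the office.
SAMPLE_SPLIT_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
        10.10.10.0    255.255.255.0         On-link       10.10.10.5    257
       192.168.1.0    255.255.255.0         On-link     192.168.1.50    291
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Destination, netmask, gateway (an IP or "On-link"), interface IP, metric.
ROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+({IPV4})\s+(\d+)\s*$")


def parse_default_routes(route_table_text):
    """Return (interface_ip, gateway, metric) for every 0.0.0.0/0 route."""
    routes = []
    for line in route_table_text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator, or non-route line
        dest, mask, gateway, iface, metric = m.groups()
        if dest == "0.0.0.0" and mask == "0.0.0.0":
            routes.append((iface, gateway, int(metric)))
    return routes


def active_default_route(route_table_text):
    """Windows forwards via the default route with the lowest metric; return it or None."""
    routes = parse_default_routes(route_table_text)
    if not routes:
        return None
    return min(routes, key=lambda r: r[2])


def tunnel_all_active(route_table_text, vpn_client_range):
    """True when the winning default route leaves via an address inside the
    SSL VPN client range, meaning Internet-bound traffic goes through the tunnel."""
    route = active_default_route(route_table_text)
    if route is None:
        return False
    return ipaddress.ip_address(route[0]) in ipaddress.ip_network(vpn_client_range)


if __name__ == "__main__":
    # Live use on the Windows client: `python check_tunnel.py 10.10.10.0/24`
    if sys.platform != "win32":
        sys.exit("Run this on the Windows NetExtender client (or call the functions with saved output).")
    vpn_range = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.0/24"  # assumed client range
    table = subprocess.run(["route", "print", "-4"], capture_output=True, text=True, check=True).stdout
    if tunnel_all_active(table, vpn_range):
        print("OK: default route is via the SSL VPN adapter (Tunnel All Mode active)")
    else:
        print("WARNING: default route is NOT via the SSL VPN; Internet traffic bypasses the office")
```

The routing-table check complements the ping test above: a route through the SSL VPN adapter is necessary for the application’s public-IP restriction to be satisfied, and if the check fails, Tunnel All Mode was not applied to the client (or the client has not reconnected since it was enabled).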
