Category Archives: SSL VPN

Force All Traffic over a NetExtender SSL VPN Connection, but allow users to continue to access the Internet.

I have a client that is using a medical application whose access to the cloud based storage is locked down by Public IP address. This restricts access to the application to only folks who are in the office, Users who work from home, or take their laptop home with them on the weekend are unable to work from home. To solve this problem I’ve setup netextender and forced it to tunnel all traffic back into the main site, but users were then unable to connect to any resources on the internet.

Here is how to resolve this issue. First let’s configure the SSL VPN:

  1. Log into your Sonicwall, and expand “Network”
  2. Click on “Interfaces” and then click on the Configure link for your WAN connection.
  3. Make sure the box that says “User Login: Https” has a check mark, and then click “OK”
  4. Expand “SSL VPN” on the left, and then click “Server Settings”
  5. Click the red dot next to “WAN” and wait for it to turn green.
  6. Click “Client Settings” on the left, and then configure an IP address range for your SSL VPN Guests, also configure the User Domain, and DNS servers.
  7. Click “Client Routes” on the left pane, Enable “Tunnel All Mode”, this is done to ensure all traffic sent by the client appears to originates from the main office, and not the client’s home router.

Now let’s create a user and grant them access to the appropriate networks during an VPN connection.

  1. Expand “Users” on the left, and then click on “Local Users”.
  2. click “Add User…”
  3. On the “Settings” tab, give the user a username and password.
  4. On the “Groups” tab, Add the user to “Trusted Users”, “Everyone”, and “SSLVPN Services”. Click OK.
  5. Click “Local Groups” on the left.
  6. Click on the “Configure” button for the group “Trusted Users”
  7. Click on the “VPN Access” tab, add “LAN Subnets” and “WAN RemoteAccess Networks” to the list. Click OK.

Now have the user connect to the SSL VPN, open a command prompt and ping anything, the first hop should be the main office’s WAN connection’s Default gateway, this shows that you’re tunneling all traffic over the SSL VPN and still able to get online.

OSX 10.6.7 Update Breaks Sonicwall Net Extender (Again)

More Sonicwall NetExtender fun. This time it’s 10.6.7 changing permissions on the /usr/sbin/pppd folder.

I had users over the weekend update Mac OS X 10.6 to version 10.6.7, after the update they were unable to connect to thier Net Extender . When they tried to connect, it failed and then displayed the connetion log. The log contained the following entries:

[general warn 28598] NetExtender 881 closed unexpectedly; attempting to cleanup pppd 28566
[dns info 28608] Restarting mDNSResponder

I’ve only tested this fix for Net Extender version 5.0.680, but I’ve confirmed that it’s working with that version. We’ll need to adjust the permissions on the folder /usr/sbin/pppd:

Open terminal, and enter the following command:

sudo chmod u+s /usr/sbin/pppd

Enter your password at the prompt, allow the command to complete. Once that’s been entered, close and reopen the Net Extender, and then you should be able to connect.

Mac OS 10.6 Clients unable to resolve DNS on Net Extender SSL VPN

Over the last few days I’ve been running into a problem with Mac OS 10.6 clients and the SonicWall SSL VPN client, NetExtender. The client computers were able to resolve DNS properly prior to installation. The problem didn’t appear until after the software was connected to a endpoint, and then disconnected. Once the connection was ended, boom, no DNS resolution.

I had already updated the endpoint device, a SRA 1200, and the NetExtender was whatever version came with SRA 1200 firmware SonicOS SSL-VPN 4.0.0.3-20sv, which was the most recent firmware available at the time of writing.

I started with a review of the release notes of the SonicWall firmware, which mention a problem with Mac OS prior to version 10.6.5 and NetExtender. I updated one of the client Macs to 10.6.5, but still no luck.

A call to SonicWall ended up with them giving me a new version of the NetExtender software for the Mac, version 5.0.680. I updated the first client and Success! I was able to connect, disconnect, and then continue to resolve DNS.

I thought my problems were over until I re-connected to test that the VPN was still working. Now on version 5.0.680 I was unable to resolve DNS on the other end of the VPN tunnel when connected. I could resolve DNS on my local subnet, and on the internet, but I was unable to resolve anything on the internal DNS servers at the main office that I was connecting to. I verified that I could telnet to port 53 across the tunnel, a NSlookup test proved that I the records I was looking for did exist.

I flushed the dns cache, I verified the /etc/resolv.conf file had the two DNS servers that the NetExtender had placed in there when I connected, and I verified with telnet that a firewall was not blocking DNS to the DNS servers.

I called SonicWall back and after much discussion they recommended that we roll back to version 5.0.679. I downloaded the file, removed the current NetExtender and then attempted to re-install the version 5.0.679. It would not allow me to re-install, stating that a more current version was already installed.

I was able to bypass this error by performing the following:

Drop to Command line and enter the following commands:

sudo rm /private/var/db/receipts/com.sonicwall.NetExtender.bom
sudo rm /private/var/db/receipts/com.sonicwall.NetExtender.plist
sudo rm /etc/ppp/sslvpn.*

I then rebooted the Mac and was able to install NetExtender version 5.0.679. Once installed I tested again. I was able to connect and resolve DNS, good. I was able to disconnect and continue to resolve DNS, even better. And Finally I was able to connect again and continue to resolve DNS still.  Version 5.0.679 on Mac OS 10.6.5 was what ended up working for me.

I’ve attached version 5.0.679 for download if you’re experiencing the same problem. NetExtender.MacOSX.5.0.679

Update 1: Upon further review, it appears that NetExtender version 5.0.679 breaks the bonjour protocol on the Macs that it is installed on. To circumvent this problem we actually went back to version 5.0.680, and statically configured a hosts file for all of the major resources on the other end of the VPN tunnel. Click Here to see how to manually edit a hosts file on a Mac. You can download version 5.0.680 here: NetExtender.MacOSX.5.0.680

Update 2: Thomas (see below) pointed out that it doesn’t matter what’s in the resolv.conf file as Mac OS 10.6 and higher no longer uses this file to determine DNS servers. My writing about about double checking this file will have no impact on this particular problem. The rest of the article will still help you work around the problem though, so good luck!