Sonicwall NetExtender SSLVPN and Windows 8

***UPDATE
After an email exchange with James Hiscott and some hard work on his part, James has an update, and Sonicwall have released an updated version of NetExtender, available at mysonicwall.com. Read James' post here: http://www.jameshiscott.com/wordpress/?p=10
_______________________

Like most people, we're keenly testing the pre-RTM releases of Windows 8 and evaluating new hardware from HP to work out what we'd like to use for staff and students next year. Currently I have Windows 8 CP on an HP Folio13 and really like how it's working for me. The only problem has been getting the Sonicwall SSLVPN client to work on Windows 8, which for the last week has stopped me from ditching my 2740p tablet and making the Folio13 my sole mobile device.

After a few attempts, the NetExtender install completed successfully once I had installed *all* the drivers for the Folio13 from the HP site.

That got me excited and I thought I was all set: I tested the SSLVPN client, and it authenticated, connected and looked like it was working. It wasn't until later that evening, when I went to use the VPN, that I realised it wasn't working at all; even though the connection looked fine, no network traffic was being received by the VPN client.


A little digging this morning through the log and debug log files indicated an issue with the routes being added when connecting the VPN.

[Image: Log File]

[Image: Debug Log File]

By running route print I could see that the Sonicwall NetExtender was interface 38.

Open the Properties window for the NetExtender


Add the required routes to the bottom of the NxConnect.bat

route ADD 172.16.0.0 MASK 255.255.0.0 172.16.72.1 METRIC 5 IF 38
route ADD 172.16.1.3 MASK 255.255.255.255 172.16.72.1 METRIC 5 IF 38
route ADD 172.16.1.2 MASK 255.255.255.255 172.16.72.1 METRIC 5 IF 38

Funnily enough, you don’t seem to need the route delete commands in the NxDisconnect.bat?

route DELETE 172.16.0.0
route DELETE 172.16.1.3
route DELETE 172.16.1.2

Finally, you need to set the NetExtender shortcut to run with administrator privileges, since route ADD needs an elevated session. If you have NetExtender as a startup program, go to

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu

Right-click the shortcut and tick the box for "Run this program as an administrator".


After all of that my NetExtender settings seemed to be reliable and working the same as on my Windows 7 devices.
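The hard-coded "IF 38" in the batch lines above is fragile: the interface index changes if the adapter is reinstalled or another adapter is added. The following PowerShell script is an added example (not part of the original post and not SonicWall's own NetExtender code) that looks up the NetExtender adapter's interface index at run time, checks that the session is elevated, adds the three routes from the post on connect and removes them on disconnect. It assumes the adapter's name or driver description contains "NetExtender", and it reuses the post's next hop 172.16.72.1 and destinations as-is, which you would change for another site. It needs the NetAdapter and NetTCPIP cmdlets that ship with Windows 8.

```powershell
<#
  Added example, not from the original post or from SonicWall.
  Replaces the hard-coded "route ADD ... IF 38" lines with a lookup of the
  NetExtender interface index. Run with -Action connect from NxConnect.bat
  and -Action disconnect from NxDisconnect.bat.
  Assumptions: adapter name/description contains "NetExtender" (not confirmed
  by the post); next hop and prefixes copied from the post's route lines.
#>
param(
    [ValidateSet('connect', 'disconnect')]
    [string]$Action = 'connect'
)

# Routes from the post, expressed as CIDR prefixes with the VPN-side next hop.
$NextHop  = '172.16.72.1'
$Prefixes = @('172.16.0.0/16', '172.16.1.3/32', '172.16.1.2/32')

function Test-IsElevated {
    # route changes fail silently in a non-elevated session, so check first
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NetExtenderIfIndex {
    # Match on friendly name or driver description (assumed to contain "NetExtender").
    $nic = Get-NetAdapter | Where-Object {
        $_.Name -like '*NetExtender*' -or $_.InterfaceDescription -like '*NetExtender*'
    } | Select-Object -First 1
    if (-not $nic) { throw 'NetExtender adapter not found; is the VPN connected?' }
    return $nic.ifIndex
}

if (-not (Test-IsElevated)) {
    throw 'Route changes need an elevated session; set the shortcut to run as administrator.'
}

$ifIndex = Get-NetExtenderIfIndex

foreach ($prefix in $Prefixes) {
    $existing = Get-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex `
                             -ErrorAction SilentlyContinue
    if ($Action -eq 'connect') {
        if ($existing) {
            Write-Host "Route $prefix already present on IF $ifIndex"
            continue
        }
        # ActiveStore only: same as "route ADD" without -p, so the route does
        # not survive a reboot and is not left behind if the VPN never comes up.
        New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex `
                     -NextHop $NextHop -RouteMetric 5 -PolicyStore ActiveStore | Out-Null
        Write-Host "Added $prefix via $NextHop on IF $ifIndex"
    }
    elseif ($existing) {
        Remove-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex -Confirm:$false
        Write-Host "Removed $prefix from IF $ifIndex"
    }
}

# Show the resulting IPv4 routes on the VPN adapter so they can be checked
# against the output of "route print".
Get-NetRoute -InterfaceIndex $ifIndex -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric, ifIndex |
    Format-Table -AutoSize
```

To hook it into the batch files the post edits, save it next to them under a name of your choosing (nxroutes.ps1 is used here as a placeholder) and add a line such as powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0nxroutes.ps1" -Action connect to the bottom of NxConnect.bat, and the same line with -Action disconnect to NxDisconnect.bat. Because the script throws when it is not elevated or when the adapter is missing, a failed connect shows up as an error in the batch window instead of the silent "connected but no traffic" state the post describes.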

Sonicwall’s Application Firewall and blocking BitTorrent

We've just updated the firmware on our NSA 4500 to 5.5.2.0-3o and have started playing with the Application Firewall and DPISSL (Deep Packet Inspection). The 4500 is a Layer 7 firewall, and the application firewall feature lets you do some pretty tricky filtering. We've noticed that some of the student machines coming in for repair have BitTorrent clients installed. At the moment that sort of traffic is blocked by our ISA firewall/proxy, which is the gateway for the Student Netbook VLAN, but we want to remove that over the next few months because it causes a bottleneck for heavy traffic, like heavy ClickView use. When we remove ISA we can either use the Sonicwall or ACL rules on the ProCurve 5400 (or both) to filter the traffic between the netbooks and the rest of the world. After the firmware update, with the addition of DPISSL, it seemed like a good chance to see how good the filtering was on the NSA 4500.

Before creating the new application firewall policy, I had to create an object for the BitTorrent traffic. The Sonicwall has an IDP category for all P2P traffic which has signatures for many P2P applications. You can block traffic for particular applications, e.g. only block Azureus and allow other BitTorrent clients.

[Image: application object]

With the Application object defined, we can create the policy. In this case we wanted to stop all BitTorrent traffic; however, it's possible to exclude addresses and/or users, which would be handy with SSO. The rule will look for any traffic deemed to be P2P going through the Sonicwall and will drop the packets. Nice and easy.

[Image: policy settings]

Any requests that match the rule are blocked and can be checked in the log view, which can be filtered by application firewall.

[Image: log filter]

Setting up uTorrent on a test machine and queuing up some files showed that the rule was working properly and not allowing any traffic to get through. The Sonicwall not only blocked the file transfer but also the attempts to look for other peers, etc.

The combination of the application firewall and DPISSL would also prevent this traffic from running over secure ports or SSL VPN-type setups.

Application firewall rules can also be configured to shape traffic to/from any site on the web. At the moment we've configured a rule to shape traffic to megaupload and other download sites that work over port 80, and depending on Facebook traffic that could be a contender too. Another type of rule that was described in some Sonicwall promotional guff was a rule to catch IE6 traffic and redirect it to a warning page telling you to upgrade your version of IE. That rule sounds like a good idea; I think that might be my next one.