SonicWALL Secure Remote Access Appliances
SRA 1200/4200 Getting Started Guide
SonicWALL SRA 1200/4200 Getting Started Guide This Getting Started Guide contains installation procedures and configuration guidelines for deploying a SonicWALL SRA 1200/4200 appliance into an existing or new network. This document addresses the most common use-case scenarios and network topologies in which the SonicWALL SRA 1200/4200 appliance can be deployed.
Setting Up Your Network
In this Section:
This section provides pre-configuration information. Review this section before setting up your SonicWALL SRA 1200/4200 appliance.
SRA 1200 System Requirements
Package Contents for the SonicWALL SRA 1200
Before you begin the setup process, verify that your package contains the following parts:
• One SonicWALL SRA 1200 appliance
• One SonicWALL SRA 1200/4200 Getting Started Guide
• One straight-through Ethernet cable
• One serial CLI cable
• One rack-mount kit
• One power cord*
• A Web browser supporting JavaScript and HTTP uploads.
SRA 4200 System Requirements
Package Contents for the SonicWALL SRA 4200
Before you begin the setup process, verify that your package contains the following parts:
• One SonicWALL SRA 4200 appliance
• One SonicWALL SRA 1200/4200 Getting Started Guide
• One straight-through Ethernet cable
• One serial CLI cable
• One rack-mount kit
• One power cord*
• A Web browser supporting JavaScript and HTTP uploads.
What You Need to Begin
• Administrative access to the network gateway device
• A Windows, Linux, or MacOS computer to use as a management station for initial configuration of the SonicWALL SRA 1200/4200
• A Web browser supporting JavaScript and HTTP uploads (See previous pages for supported Web browsers)
• An Internet connection
Recording Configuration Information
Record the following setup information to use during the setup process and for future reference:
Registration Information
Serial Number: Rec
Selecting a Deployment Scenario
The deployment scenarios described in this section are based on actual customer deployments and are SonicWALL-recommended deployment best practices for SRA appliances. A SonicWALL SRA appliance is commonly deployed in “one-arm” mode over the DMZ or Opt interface on an accompanying gateway appliance, such as a SonicWALL NSA E7500.
Scenario Overviews
Scenario A: SRA on a New DMZ
Scenario B: SRA on an Existing DMZ
[Figure: Scenario B network diagram]
SonicWALL SRA 1200/4200 Deployment Scenarios
Gateway Device / Deployment Scenario
SonicOS Enhanced 3.1 or higher:
• TZ Series
• PRO Series
• NSA E-Class (SonicOS 5.0+)
• NSA Series (SonicOS 5.
Applying Power to the SonicWALL SRA
1. Plug one end of the power cord into the SonicWALL SRA 1200/4200 and the other into an appropriate power outlet.
2. Turn on the power switch located on the rear of the appliance next to the power cord.
The 'Pwr' LED on the front panel lights up blue when the appliance is turned on. The 'Test' LED lights up yellow and may blink for up to a minute while the appliance performs a series of diagnostic tests.
4. The ‘SonicWALL SRA Management Interface Login’ displays and prompts you to enter your user name and password. Enter “admin” in the User Name field, “password” in the Password field, select “LocalDomain” from the Domain drop-down list, and click the Login button.
Connecting Your Appliance
In this Section:
This section provides procedures for connecting your SonicWALL SRA 1200/4200 appliance.
Configuring Your SRA 1200/4200
Once your SonicWALL SRA 1200/4200 is connected to a computer through the management port (X0), it can be configured through the Web-based management interface.
Setting Your Administrator Password
1. From the management interface, select the Users > Local Users page.
2. Click the Configure button for the “admin” account.
3. Enter a password for the “admin” account in the Password field. Re-enter the password in the Confirm Password field.
4. Click OK to apply changes.
Adding a Local User
1. Navigate to Users > Local Users page.
2. Click the Add User button.
3. Enter a User Name.
4. Select LocalDomain from the Group/Domain drop-down menu.
5. Enter a Password for the user. Confirm the new password.
6. Select User from the User Type drop-down menu.
Setting the Time Zone
1. Navigate to the System > Time page.
2. Select the appropriate Time Zone from the drop-down menu.
3. Click Accept to save changes to the time settings.
Configuring SRA Network Settings
You will now configure your SRA 1200/4200 network settings. Refer to the notes you took in “Recording Configuration Information” to complete this section.
Configuring DNS / WINS
5. (Optional) Enter your DNS Domain.
6. (Optional) Enter your WINS servers in the Primary WINS Server and Secondary WINS Server fields.
7. Click Accept.
Configuring the X0 IP Address for Scenario B and Scenario C
3. In the Interface Settings dialog box, set the IP address and subnet mask to:
   If you are using scenario B - SRA on an Existing DMZ, set the X0 interface to:
      IP Address: An unused address within your DMZ subnet, for example: 10.1.1.240
      Subnet Mask: Must match your DMZ subnet mask
   If you are using scenario C - SRA on the LAN, set the X0 interface to:
      IP Address: An unused address within your LAN subnet, for example: 192.168.168.200
      Subnet Mask: Must match your LAN subnet mask
4. Click OK. Note that you will lose connection to the SRA.
Adding a NetExtender Client Route
4. Enter the IP address of the trusted network to which you would like to provide access with NetExtender in the Destination Network field. For example, if you are connecting to an existing DMZ with the network 192.168.50.0/24 and you want to provide access to your LAN network 192.168.168.0/24, you would enter 192.168.168.0.
5. Enter your subnet mask in the Subnet Mask field.
6. Click Add to finish adding this client route.
Setting Your NetExtender Address Range
The NetExtender IP range defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support.
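A planning check for the address pool described above, written as an added example (it is not part of the SonicWALL guide or the appliance software). It uses the default X0 address 192.168.200.1 and the default range 192.168.200.100 to 192.168.200.200 quoted elsewhere in this guide; the function name, the `reserved` parameter and the requirement that the pool sit inside the X0 subnet are assumptions of the example.

```python
"""Pre-deployment check for a NetExtender address pool (added example)."""
import ipaddress


def check_netextender_pool(x0_ip, netmask, start, end, max_users, reserved=()):
    """Return a list of problems with the planned NetExtender range.

    reserved: other addresses already in use on the subnet (gateway
    interface, servers). Hypothetical parameter, not an appliance field.
    """
    problems = []
    x0 = ipaddress.IPv4Address(x0_ip)
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    subnet = ipaddress.IPv4Network(f"{x0_ip}/{netmask}", strict=False)

    if first > last:
        return [f"range start {first} is above range end {last}"]

    # Assumption: the pool shares the X0 subnet, as the guide's defaults do.
    for label, addr in (("start", first), ("end", last)):
        if addr not in subnet:
            problems.append(f"range {label} {addr} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"range {label} {addr} is not a usable host address")

    # The pool must not hand out the appliance's own address or a reserved one.
    for addr in (x0, *map(ipaddress.IPv4Address, reserved)):
        if first <= addr <= last:
            problems.append(f"{addr} is already in use but lies inside the pool")

    # One address is consumed per concurrent NetExtender session.
    size = int(last) - int(first) + 1
    if size < max_users:
        problems.append(f"pool holds {size} addresses, fewer than {max_users} users")
    return problems


if __name__ == "__main__":
    # Constructed plan using the defaults quoted in this guide.
    issues = check_netextender_pool(
        "192.168.200.1", "255.255.255.0",
        "192.168.200.100", "192.168.200.200", max_users=50,
    )
    print(issues or "address plan is consistent")
```
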
Connecting Your SRA 1200/4200
Scenario A: Connecting Your Network Interfaces
Scenario A: SRA on a New DMZ
Before continuing, reference the diagrams on the following pages to connect the SonicWALL SRA 1200/4200 to your network.
Scenario B: Connecting Your Network Interfaces
[Figure: Scenario B: SRA on an Existing DMZ]
Scenario C: Connecting Your Network Interfaces
[Figure: Scenario C: SRA on the LAN]
Registering Your Appliance
In this Section:
This section provides instructions for registering your SonicWALL SRA 1200/4200 appliance.
• Creating a MySonicWALL Account
• Registering Your SonicWALL SRA
• Services and Licensing
Note: Registration is an important part of the setup process and is necessary to receive the benefits of SonicWALL services, user-licensing, firmware updates, and technical support.
Creating a MySonicWALL Account
A MySonicWALL account is required for product registration. If you already have an account, continue to the following section.
Perform the following steps to create a MySonicWALL account:
1. In your browser, navigate to www.mysonicwall.com.
2. In the login screen, click the Not a registered user? link.
Registering Your SonicWALL SRA
This section contains the following subsections:
• Before You Register
• Product Registration
Services and Licensing
This section contains the following subsections:
• Service Management
• Flexible Per-User Licensing
• Activating Services and Software
• Trying or Purchasing Services
Service Management
The Service Management page in MySonicWALL lists services, support options, and software, such as Web Application Firewall and ViewPoint, that you can purchase or try with a free trial.
The following products and services are available for the SonicWALL SRA 1200/4200 appliance:
• Gateway Service Bundles:
   • Per-user license upgrades in flexible block increments
• Desktop and Server Software:
   • Virtual Assist
   • Web Application Firewall
   • ViewPoint
• Support Services:
   • Dynamic Support 8x5
   • Dynamic Support 24x7
   • Software and Firmware Updates
Flexible Per-User Licensing
Your SonicWALL SRA comes standard with a set number of user licenses.
3. In the 'Activate Service' page, type or paste your key into the Activation Key field and then click Submit.
Once the service is activated, you will see an expiration date or a license key string in the Status column on the Service Management page.
Trying or Purchasing Services
To try a free trial of a service, click Try in the 'Service Management' page. To purchase a product or service, click Buy Now in the 'Service Management' page to complete your purchase.
Network Configuration
In this Section:
This section provides detailed overviews of deployment scenarios, as well as configuration instructions for connecting your SonicWALL SRA to various network devices, including gateway appliances.
Scenario A: SRA on a New DMZ
This section provides procedures to configure your gateway appliance based on Scenario A.
Connecting to a SonicWALL Security Appliance
1. Using a computer connected to your LAN, launch your Web browser and enter the IP address of your existing SonicWALL security appliance in the Location or Address field.
2. When the management interface displays, enter your user name and password in the appropriate fields and click Login.
Adding a New SRA Custom Zone
1. Navigate to the Network > Interfaces page, click Configure for the X2 interface (or any other available interface).
6. Select the Gateway AV, Intrusion Prevention Service and Anti-Spyware checkboxes. Click OK.
7. On the 'Edit Interface' window, enter the IP address for this interface in the IP Address field. (For example, “192.168.200.2”. This should be the same address you created in "Configuring the X0 IP Address for Scenario B and Scenario C".)
8. Enter your Subnet Mask.
9. In the 'Management' area, enable the desired management options.
10. Click OK to apply changes.
5. On the 'Server Private Network Configuration' page, enter the following, and click Next:
   Server Name: Name for the SonicWALL SRA
   Server Private IP Address: SonicWALL SRA’s 'X0' IP address, 192.168.200.1 by default
   Server Comment: Brief description of the server
Allowing an SRA -> LAN Connection
When users have connected to the SRA, they need to be able to connect to resources on the LAN. To allow an SRA to LAN connection, perform the following steps:
6. In the 'Add Address Object' dialog box, create an address object for the X0 interface IP address of the SonicWALL SRA:
   Name: Name for NetExtender
   Zone Assignment: SRA
   Type: Range
   Starting IP Address: Start of the NetExtender IP address range, 192.168.200.100 by default
   Ending IP Address: End of the NetExtender IP address range, 192.168.200.200 by default
7. Click Add to create the object. Once done, click Close.
8. On the 'Network > Address Objects' page, in the 'Address Groups' section, click .
13. In the 'Add Rule' window, create a rule to allow access to the LAN for the address group you just created:
   Action: Allow
   From Zone: SRA
   To Zone: LAN
   Service: Any
   Source: The address group you just created, such as SonicWALL_SRA_Group
   Destination: Any
   Users Allowed: All
Scenario B: SRA on an Existing DMZ
This section provides procedures to configure your gateway appliance based on Scenario B. This section contains the following subsections:
Connecting to a SonicWALL Security Appliance
1.
Allowing WAN -> DMZ Connection
6. If you are already forwarding HTTP or HTTPS to an internal server, and you only have a single public IP address, you will need to select different (unique) ports of operation for either the existing servers or for the SonicWALL SRA appliance, because both cannot concurrently use the same IP address and port combinations.
Allowing DMZ -> LAN Connection
When users have connected to the SRA, they need to be able to connect to resources on the LAN.
1. Navigate to the Network > Address Objects page.
2. In the 'Address Objects' section, click
3.
5. In the 'Add Object' dialog box, create an address object for the X0 interface IP address of your SonicWALL SRA, then click OK.
   Name: Name for NetExtender
   Zone Assignment: DMZ
7. In the 'Add Address Object Group' dialog box, create a group for the X0 interface IP address of your SonicWALL SRA and the NetExtender IP range, then click OK.
   • Enter a name for the group.
   • In the left column, select the two groups you created and click the arrow button .
8. Navigate to the Firewall > Access Rules page.
9. On the 'Firewall > Access Rules' page in the matrix view, click the DMZ > LAN icon.
10. On the resulting 'Firewall > Access Rules' page, click .
11.
Scenario C: SRA on the LAN
This section provides procedures to configure your gateway appliance based on Scenario C.
6. In the 'Add Object' dialog box, create an address object for the X0 interface IP address of your SonicWALL SRA, then click OK.
   Name: Name for NetExtender
   Zone Assignment: SRA
   Type: Range
   Starting IP Address: Start of the NetExtender IP address range, 192.168.200.100 by default
   Ending IP Address: End of the NetExtender IP address range, 192.168.200.200 by default
7. On the 'Network > Address Objects' page, in the 'Address Groups' section, click .
8.
11. In the 'Add Rule' window, create a rule to allow access to the LAN for the address group you just created:
   Action: Allow
   From Zone: SRA
   To Zone: LAN
   Service: Any
   Source: Address group just created, such as SonicWALL_SRA_Group
   Destination: Any
   Users Allowed: All
   Schedule: Always on
   Enable Logging: Selected
   Allow Fragmented Packets: Selected
12. Click OK to finish creating the rule.
Setting Public Server Access
Testing Your Remote Connection
You have now configured your SonicWALL security appliance and SonicWALL SRA for secure SSL-VPN remote access. This section provides instructions to verify your connection using a remote client on the WAN.
4. Click NetExtender to start the NetExtender client installation.
5. If prompted, click Install to complete the client installation.
6. Ping a host on your corporate LAN to verify your remote connection.
You have now successfully set up your SonicWALL SRA.
Upgrading Your Appliance
In this Section:
This section provides procedures for upgrading an existing SRA SSL VPN image on a SonicWALL SRA 4200/1200 to a newer version.
Obtaining the Latest SRA SSL VPN Image
Note: Exporting and importing system configuration settings is supported when upgrading from a SonicWALL SSLVPN 200/2000/4000 appliance to a SonicWALL SRA 1200/4200 appliance.
To obtain a new SRA SSL VPN image file for your SonicWALL security appliance, connect to your mysonicwall.com account at .
Uploading a New SRA SSL VPN Image
On a SonicWALL SRA 4200/1200, you are ready to reboot your appliance with the new SRA SSL VPN image. Do one of the following:
Note: SonicWALL SRA 4200/1200 appliances do not support downgrading an image and using the configuration settings file from a higher version.
Resetting the Appliance Using SafeMode
If you are unable to connect to the SonicWALL security appliance’s management interface, you can restart the SonicWALL security appliance in SafeMode. The SafeMode feature allows you to quickly recover from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.
To reset the SonicWALL security appliance, perform the following steps:
1.
Support and Training Options
In this Section:
This section provides overviews of customer support and training options for SonicWALL SRA appliances.
Customer Support
SonicWALL’s customer support Web site is where you will find featured support topics, tutorials, and more. If you need further assistance, SonicWALL offers telephone, email, and Web-based support to customers with valid Warranty Support or a purchased support contract. Please review our Warranty Support Policy for product coverage.
Knowledge Base
User Forums
The SonicWALL User Forums is a resource that provides users the ability to communicate and discuss a variety of security and appliance subject matters. Categories include:
• SSL-VPN topics
• VPN Client topics
• Continuous Data Protection topics
• Email Security topics
• Network Anti-Virus topics
• SonicPoint and Wireless topics
For further information, visit:
Training
SonicWALL offers an extensive sales and technical training curriculum for Network Administrators, Security Experts and SonicWALL Medallion Partners who need to enhance their knowledge and maximize their investment in SonicWALL Products and Security Applications. SonicWALL Training provides the following resources for its customers:
• E-Training
• Instructor-Led Training
• Custom Training
• Technical Certification
• Authorized Training Partners
For further information, visit:
Related Documentation
See the following related documents for more information:
• SonicOS SSL-VPN Administrator’s Guide
• SonicOS SSL-VPN User’s Guide
• SonicOS SSL-VPN Release Notes
• SonicOS SSL-VPN Feature Modules
• SonicOS Administrator’s Guide
• SonicOS Feature Modules
• SonicWALL GMS Administrator’s Guide
• SonicWALL ViewPoint Administrator’s Guide
• SonicWALL GAV Administrator’s Guide
• SonicWALL IPS Administrator’s Guide
• SonicWALL Anti-Spyware Administrator’s Guide
• SonicWALL Comprehensive A
SonicWALL Live Product Demos Get the most out of your appliance with the complete line of SonicWALL products.
SonicWALL Secure Wireless Network Integrated Solutions Guide
Looking to go wireless? Have questions about what it takes to build a truly “secure” wireless network? Check out the SonicWALL Secure Wireless Network Integrated Solutions Guide. This book is the official guide to SonicWALL’s market-leading wireless networking and security devices. This title is available in hardcopy at fine book retailers everywhere, or by ordering directly from Elsevier Publishing at:
Safety and Regulatory Information
In this Section:
This section provides safety and regulatory information for the SonicWALL SRA 1200/4200 appliances.
SonicWALL SRA 1200/4200 Appliance Regulatory Statement and Safety Instructions
Regulatory Model/Type    Product Name
1RK23-088                SonicWALL SRA 1200
1RK23-07C                SonicWALL SRA 4200
This regulatory information can also be found in the electronic file, “SonicWALL_SRA_Regulatory_Statement.pdf,” located on the SonicWALL Web site: .
The above SonicWALL appliances are designed to be mounted in a standard 19-inch rack mount cabinet.
Additional Mounting Instructions
The SonicWALL model is designed to be mounted in a standard 19-inch rack. For proper mounting, observe the following instructions:
• Make sure that the rack is suitable for this device, and use the mounting hardware recommended by the rack manufacturer.
• For secure mounting, use four suitable mounting screws and tighten them by hand.
FCC Part 15 Class A Notice Declaration of Conformity NOTE: This equipment was tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy.
BMSI Statement (Class A) Regulatory Information for Korea Ministry of Information and Telecommunication Certification Numbers SWL-1RK23-07C and SWL-1RK23-088 All products with country code “” (blank) and “A” are made in the USA. All products with country code “B” are made in China. All products with country code “C” or “D” are made in Taiwan R.O.C. All certificates held by Secuwide, Corp.
Copyright Notice Trademarks © 2010 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. All rights reserved. Microsoft Windows Vista, Windows XP, Windows 2000, Windows NT, Windows Server 200, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
SonicWALL, Inc. 2001 Logic Drive San Jose, CA 95124-3452 www.sonicwall.com T +1 408.745.9600 F +1 408.745.9300 SonicWALL Anti-Virus Router 80 Getting Started Guide Page 1 P/N 232-000745-00 Rev A 7/2011 ©2010 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.