
Chapter 4: Portal Tab Configuration Task List

This chapter provides configuration tasks specific to the Portal tab on the SonicWALL SSL VPN Web-based management interface, including configuring portals, assigning portals, and defining authentication domains, such as RADIUS, NT Domain, LDAP, and Active Directory.

This chapter contains the following sections:

“Portals > Portals” section
“Portal > Domains” section
“Portal > Custom Logo” section

Portals > Portals

This section provides information about the configuration tasks in the Portals > Portals page. The Portals > Portals page allows the administrator to add and configure portals by specifying the layout and home page. This section contains the following configuration tasks:

“Adding Portals” section
“Configuring General Portal Settings” section
“Enforcing Login Uniqueness” section
“Configuring the Home Page” section
“Configuring Virtual Host” section
“Adding a Custom Portal Logo” section
“Enabling NetExtender to Launch Automatically in the User Portal” section
“File Sharing Using Applet as Default” section
“Additional Information About the Portal Home Page” section

Adding Portals

The administrator can customize a portal that appears as a customized landing page to users when they are redirected to the SonicWALL SSL VPN for authentication.

The network administrator may define individual layouts for the portal. The layout configuration includes the menu layout, the portal pages to display, the portal application icons to display, and Web cache control options.

The LocalDomain portal is provided by default. Additional portals can be added and modified.

Step 1
To add a new portal, click the Add Portal button in the Portals > Portals window. The Portal Settings window is displayed.

Table 14 provides a description of the fields you may configure in the Portal - Layout tab. Refer to “Configuring General Portal Settings” section for the specific steps required to configure a custom portal.

Table 14: Portal - Layout Fields

Portal Name

The title used to refer to this portal. It is for internal reference only, and is not displayed to users.

Portal Site Title

The title that will appear on the Web browser title bar of users accessing this portal.

Portal Banner Title

The welcome text that will appear on top of the portal screen.

Login Message

Optional text that appears on the portal login page above the authentication area.

Virtual Host/Domain Name

Used in environments where multiple portals are offered, allowing simple redirection to the portal URL using virtual hosts. This option is only available on the SonicWALL SSL VPN 2000 and 4000 platforms.

Portal URL

The URL that is used to access this specific portal.

Display custom login page

Displays the customized login page rather than the default (SonicWALL) login page for this portal.

Display login message on custom login page

Displays the text specified in the Login Message text box.

Enable HTTP meta tags for cache control

Enables HTTP meta tags in all HTTP/HTTPS pages served to remote users to prevent their browser from caching content.

Enable ActiveX Web cache cleaner

Loads an ActiveX control (browser support required) that cleans up all session content after the SonicWALL SSL VPN session is closed.

Enforce login uniqueness

If enforced, login uniqueness restricts each account to one session at a time. If not enforced, each account can have multiple simultaneous sessions.

Configuring General Portal Settings

There are two main options for configuring a portal:

Modify an existing layout.
Configure a new portal.

To configure a new portal, perform the following steps:

Step 1
Enter a descriptive name for the portal in the Portal Name field. This name will be part of the path of the SonicWALL SSL VPN appliance portal URL. For example, if your SonicWALL SSL VPN portal is hosted at https://vpn.company.com, and you created a portal named sales, then users will be able to access the sub-site at https://vpn.company.com/portal/sales.

Note
Only alphanumeric characters, hyphen (-), and underscore (_) are accepted in the Portal Name field. If other types of characters or spaces are entered, the layout name will be truncated before the first non-alphanumeric character.
Step 2
Enter the title for the Web browser window in the Portal Site Title field.
Step 3
To display a banner message to users before they login to the portal, enter the banner title text in the Portal Banner Title field.
Step 4
Enter an HTML compliant message, or edit the default message in the Login Message field. This message is shown to users on the custom login page.
Step 5
The Portal URL field is automatically populated based on your SSL VPN network address and Portal Name.
Step 6
To enable visibility of your custom logo, message, and title information on the login page, click on the Display custom login page check box.

Note
Custom logos can only be added to existing portals. To add a custom logo to a new portal, first complete general portal configuration, then add a logo, following the procedures in the “Adding a Custom Portal Logo” section.
Step 7
Check the box next to Enable HTTP meta tags for cache control to apply HTTP meta tag cache control directives to the portal. Cache control directives include:

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">

These directives help prevent client browsers from caching SonicWALL SSL VPN portal pages and other Web content.

Note
Enabling HTTP meta tags is strongly recommended for security reasons, and to prevent out-of-date Web pages and data from being stored in users’ Web browser cache.
Step 8
Check the box next to Enable ActiveX Web cache cleaner to load an ActiveX cache control when users log in to the SonicWALL SSL VPN appliance. The Web cache cleaner will prompt the user to delete all session temporary Internet files, cookies and browser history when the user logs out or closes the Web browser window. The ActiveX Web cache control is ignored by Web browsers that don’t support ActiveX.
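As an added example (not part of the original guide), the Python check below parses a portal page and reports which of the three Step 7 cache-control directives are missing, which is one way to verify the option on a live portal. The HTML samples are constructed, not captured from an appliance.

```python
from html.parser import HTMLParser

# The three (http-equiv, content) directives the portal emits when the
# "Enable HTTP meta tags for cache control" option is on (see Step 7).
EXPECTED_DIRECTIVES = {
    ("pragma", "no-cache"),
    ("cache-control", "no-cache"),
    ("cache-control", "must-revalidate"),
}


class MetaCacheParser(HTMLParser):
    """Collects (http-equiv, content-token) pairs from <meta> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # HTMLParser lower-cases attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if "http-equiv" not in a:
            return
        name = a["http-equiv"].strip().lower()
        # A content value may carry several comma-separated tokens,
        # e.g. content="no-cache, must-revalidate"; record each one.
        for token in a.get("content", "").split(","):
            token = token.strip().lower()
            if token:
                self.directives.add((name, token))


def missing_cache_directives(html: str) -> set:
    """Return the expected directives that are absent from the page."""
    parser = MetaCacheParser()
    parser.feed(html)
    return EXPECTED_DIRECTIVES - parser.directives


def cache_control_enabled(html: str) -> bool:
    """True only when all three directives are present."""
    return not missing_cache_directives(html)


# Constructed sample pages (hypothetical, not from a real portal).
PAGE_WITH_TAGS = """<html><head>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<title>Virtual Office</title></head><body>login form</body></html>"""

PAGE_WITHOUT_TAGS = """<html><head><title>Virtual Office</title></head>
<body>login form</body></html>"""

if __name__ == "__main__":
    for label, page in (("with tags", PAGE_WITH_TAGS), ("without tags", PAGE_WITHOUT_TAGS)):
        print(f"{label}: missing {sorted(missing_cache_directives(page))}")
```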

Enforcing Login Uniqueness

Login uniqueness, when enforced, restricts each account to a single session at a time. When login uniqueness is not enforced, each account can have multiple simultaneous sessions. To enforce login uniqueness, perform the following steps:

Step 1
Navigate to Portals > Portals.
Step 2
For an existing portal, click the configure icon next to the portal you want to configure. Or, for a new portal, click the Add Portal button.
Step 3
Select the check box next to Enforce login uniqueness.
Step 4
Click OK.

Configuring the Home Page

The home page is an optional starting page for the SonicWALL SSL VPN appliance portal. The home page enables you to create a custom page that mobile users will see when they log into the portal. Because the home page can be customized, it provides the ideal way to communicate remote access instructions, support information, technical contact information or SSL VPN-related updates to remote users.

The home page is well-suited as a starting page for restricted users. If mobile users or business partners are only permitted to access a few files or Web URLs, the home page can be customized to show only those links.

You can edit the title of the page, create a home page message that is displayed at the top of the page, show all applicable bookmarks (user, group, and global) for each user, and optionally upload an HTML file.

To configure the home page, perform the following tasks:

Step 1
Navigate to the Portals > Portals page.
Step 2
Click on the configure icon for the layout you want to configure. The Portal configuration page is displayed.
Step 3
Click the Home Page tab.
Step 4
Table 15 provides a description of the configurable options in the Portal - Home Page tab.

Table 15: Portal - Home Page Fields

Display Home Page Message

Displays the customized home page message after a user successfully authenticates to the SonicWALL SSL VPN appliance.

Display NetExtender

Displays the link to NetExtender, allowing users to install and invoke the clientless NetExtender virtual adapter.

Launch NetExtender after Login

Launches NetExtender automatically after a user successfully authenticates to the SonicWALL SSL VPN appliance.

Display File Shares

Provides a link to the File Share (Windows SMB/CIFS) Web interface so that authenticated SonicWALL SSL VPN users may use NT file shares according to their domain permissions.

Use Applet as Default

Enables the Java File Shares Applet, giving users a simple yet powerful file browsing interface with drag-and-drop, multiple file selection and contextual click capabilities.

Display Bookmark Table

Displays the bookmark table containing administrator-provided bookmarks and allows users to define their own bookmarks to network resources.

Display Import Certificate Button

Displays a button that allows users to permanently import the SSL security certificate.

Enable Virtual Assist for this Portal

Displays the Virtual Assist button, allowing users to directly access Virtual Assist capability from the portal interface.

Home Page Message

Optional text that can be displayed on the home page after successful user authentication.

Bookmark Table Title

Optional text to describe the bookmark section on the portal’s home page.

Note
Some ActiveX applications, such as the ActiveX Terminal Services client, will only work when connecting to a server with a certificate from a trusted root authority. If you are using the test SSL certificate that is included with the SonicWALL SSL VPN appliance, then you can check the Display Import self-signed certificate links check box to allow Windows users to easily import a self-signed certificate.

It is strongly recommended that you upload a valid SSL certificate from a trusted root authority such as Verisign or Thawte. If you have a valid SSL certificate, don’t check the box next to Display Import self-signed certificate links.
Step 5
Click OK to update the home page content.

Configuring Virtual Host

Creating a virtual host allows users to log in using a different hostname than your default URL. For example, sales members can access https://sales.company.com instead of the default domain, https://vpn.company.com that you use for administration. The Portal URL (for example, https://vpn.company.com/portal/sales) will still exist even if you define a virtual host name. Virtual host names enable administrators to give separate and distinct login URLs to different groups of users. This option is only available on the SonicWALL SSL VPN 2000 and 4000 platforms.

To create a Virtual Host Domain Name, perform the following tasks:

Step 1
Navigate to Portals > Portals.
Step 2
Click the configure button next to the portal you want to configure. The Edit Portal screen displays.
Step 3
Click the Virtual Host tab.
Step 4
Enter a host name in the Virtual Host Domain Name field, for example, sales.company.com. This field is optional.

Note
Only alphanumeric characters, hyphen (-) and underscore (_) are accepted in the Virtual Host Name/Domain Name field.
Step 5
Select a specific Virtual Host Interface for this portal if using IP based virtual hosting.

Note
If your virtual host implementation uses name based virtual hosts — where more than one hostname resides behind a single IP address — choose All Interfaces from the Virtual Host interface.
Step 6
If you selected a specific Virtual Host Interface for this portal, enter the desired Virtual Host IP Address in the field provided. This is the IP address users will access in order to access the Virtual Office portal.

Note
Be sure to add an entry in your external DNS server to resolve the virtual hostname and domain name to the external IP address of your SonicWALL SSL VPN appliance.
Step 7
If you plan to use a unique security certificate for this sub-domain, select the corresponding port interface address from the Virtual Host Certificate list.

Note
Unless you have a certificate for each virtual host domain name, or if you have purchased a *.domain SSL certificate, your users may see a Certificate host name mismatch warning when they log into the SonicWALL SSL VPN appliance portal. The certificate hostname mismatch only affects the login page; SonicWALL SSL VPN client applications will not be affected by a hostname mismatch.

Adding a Custom Portal Logo

The Custom Logo Settings section allows the administrator to upload a custom portal logo and to toggle between the default SonicWALL logo and a custom uploaded logo.

To add a custom portal logo, perform the following steps:

Step 1
Navigate to Portals > Portals.
Step 2
Click the configure button next to the portal you want to configure. The Edit Portal screen displays.
Step 3
Click the Logo tab.
Step 4
Click the Browse... button next to the Upload Logo field. The file browser window displays.
Step 5
Select a properly sized .gif format logo in the file browser and click the Open button.

Note
The custom logo must be in GIF format. For the best aesthetic results, import a logo with a transparent or light-colored background. It is recommended, although not mandatory, that you choose a GIF file of size 155x36 pixels.
Step 6
Click the Upload button to transfer the logo to the SSL VPN appliance.
Step 7
Click the OK button to save changes.

Enabling NetExtender to Launch Automatically in the User Portal

NetExtender can be configured to start automatically when a user logs into the user portal. To enable NetExtender to launch automatically, perform the following tasks:

Step 1
Navigate to Portals > Portals.
Step 2
Click the configure button next to the portal you want to configure.
Step 3
In the Portal page, select the Home Page tab.
Step 4
Check the box next to Launch NetExtender after login.
Step 5
Click OK.

File Sharing Using Applet as Default

The Java File Shares Applet option provides users with additional functionality not available in standard HTML-based file sharing, including:

Overwriting of existing files
Uploading directories
Drag-and-drop capability
Multiple file selection
Contextual click capability

To use the applet as the default file sharing interface, perform the following tasks:

Step 1
Navigate to Portals > Portals.
Step 2
Click the configure button next to the portal you want to configure. The Edit Portal screen displays.
Step 3
Click the Home Page tab.
Step 4
If it is not already enabled, check the box next to Display File Shares.
Step 5
Check the Use Applet as Default check box.
Step 6
Click the OK button to save changes.

Additional Information About the Portal Home Page

For most SonicWALL SSL VPN administrators, a plain text home page message and a list of links to network resources is sufficient. For administrators who want to display additional content on the user portal, review the following information:

The home page is displayed in an IFRAME (internal HTML frame).
The width of the iframe is 542 pixels, but since there is a 29 pixel buffer between the navigation menu and the content, the available workspace is 513 pixels.
You can upload a custom HTML file which will be displayed below all other content on the home page. You can also add HTML tags and JavaScript to the Home Page Message field.
Since the uploaded HTML file will be displayed after other content, do not include <head> or <body> tags in the file.

Portal > Domains

This section provides information about the configuration tasks in the Portal > Domains page. The Portal > Domains page allows the administrator to add and configure a domain by selecting:

Authentication type (local user database, Active Directory, LDAP, NT Domain, or RADIUS)
Domain name
Portal name
Group (AD, RADIUS) or multiple Organizational Unit (LDAP) support (optional)
Require client digital certificates (optional)
One-time passwords (optional)

Note
After adding a new portal domain, user group settings for that domain are configured on the Users > Local Groups page. Refer to the “Users > Local Groups” section for instructions on configuring groups.

This section contains the following configuration tasks:

“Configuring Internal User Database Authentication” section
“Configuring RADIUS Authentication” section
“Configuring NT Domain Authentication” section
“Configuring LDAP Authentication” section
“Configuring Active Directory Authentication” section
“Viewing the Domain Settings Table” section
“Removing a Domain” section
“Configuring Two-Factor Authentication” section

Configuring Internal User Database Authentication

In order to create access policies, you must first create authentication domains. By default, the LocalDomain authentication domain is already defined. The LocalDomain domain is the internal user database. Additional domains may be created that require authentication to remote authentication servers. SonicWALL SSL VPN supports RADIUS, LDAP, NT Domain, and Active Directory authentication in addition to internal user database authentication.

Note
To apply a portal to a domain, add a new domain and select the portal from the Portal Name pull-down menu in the Add Domain dialog box. The selected portal will be applied to all users in the new domain. Domain choices will only be displayed in the login page of the Portal that was selected.

You may create multiple domains that authenticate users with user names and passwords stored on the SonicWALL SSL VPN appliance to display different portals (such as a SonicWALL SSL VPN portal page) to different users.

To add a new authentication domain, perform the following steps:

Step 1
Navigate to Portals > Domains.
Step 2
Click Add Domain. The Add Domain dialog box displays. Select Local User Database from the Authentication Type pull-down menu.
Step 3
Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN portal.
Step 4
Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the Portals > Portals page.
Step 5
Optionally, check the Allow password changes checkbox. This allows users to change their own passwords after their account is set up.
Step 6
Optionally check the check box next to Require client digital certificates to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication.
Step 7
Optionally check the box next to One-time passwords to enable the One-time password feature. A pull-down menu will appear, in which you can select if configured, required for all users, or using domain name. For more information about the One-time password feature, refer to “Configuring One-time Passwords” section.
Step 8
Click Submit to update the configuration. Once the domain has been added, the domain will be added to the Domain Settings table.

Configuring RADIUS Authentication

To create a domain with RADIUS authentication, perform the following steps:

Step 1
On the Portal > Domains page, click Add Domain to display the Add Domain dialog box.
Step 2
Select RADIUS from the Authentication Type menu. The RADIUS configuration fields are displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN appliance portal.
Step 3
Select the proper Authentication Protocol for your RADIUS server. Choose from PAP, CHAP, MSCHAP, or MSCHAPV2.
Step 4
Under Primary Radius Server, enter the IP address or domain name of the RADIUS server in the RADIUS Server Address field.
Step 5
Enter the RADIUS server port in the RADIUS server port field.
Step 6
If required by your RADIUS configuration, enter an authentication secret in the Secret Password field.
Step 7
Enter a number (in seconds) for RADIUS timeout in the RADIUS Timeout (Seconds) field.
Step 8
Enter the maximum number of retries in the Max Retries field.
Step 9
Under Backup Radius Server, enter the IP address or domain name of the backup RADIUS server in the RADIUS Server Address field.
Step 10
Enter the backup RADIUS server port in the RADIUS server port field.
Step 11
If required by the backup RADIUS server, enter an authentication secret for the backup RADIUS server in the Secret Password field.
Step 12
Optionally, if using RADIUS for group-based access, check the Use Filter-ID for RADIUS Groups check box.
Step 13
Click the name of the layout in the Portal Name pull-down menu.
Step 14
Optionally check the box next to Require client digital certificates to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication.
Step 15
Optionally check the box next to One-time passwords to enable the One-time password feature. A pull-down menu will appear, in which you can select if configured, required for all users, or using domain name. For more information about the One-time password feature, refer to “Configuring One-time Passwords” section.
Step 16
Click Add to update the configuration. The domain will be added to the Domain Settings table.
Step 17
Click the configure button next to the RADIUS domain you added. The Test tab of the Edit Domain page displays.
Step 18
Enter your RADIUS user ID in the User ID field and your RADIUS password in the Password field.
Step 19
Click Test. SonicWALL SSL VPN will connect to your RADIUS server.
Step 20
If you receive the message Server not responding, check your user ID and password and click the General tab to verify your RADIUS settings. Try running the test again.

Note
The SonicWALL SSL VPN appliance will attempt to authenticate against the specified RADIUS server using PAP authentication. It is generally required that the RADIUS server be configured to accept RADIUS client connections from the SonicWALL SSL VPN appliance. Typically, these connections will appear to come from the SonicWALL SSL VPN’s X0 interface IP address. Refer to your RADIUS server documentation for configuration instructions.
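An added example, not from the SonicWALL documentation or the appliance's code, showing the PAP exchange the Test tab performs (Steps 17 to 20): the Access-Request with the User-Password hidden as RFC 2865 prescribes, and the reply whose Response Authenticator the client verifies with the shared secret before trusting the result or the Filter-ID group used in Step 12. Both sides run in-process with constructed values; the toy server accepts only the password "Pa55word" and the group name "vpn-users" is assumed.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does); strips padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; the length byte counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, req_auth=None):
    """Client side: 20-byte header + attributes; Request Authenticator is random."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def parse_response(packet, expected_ident, req_auth, secret):
    """Client side: verify identifier, length and Response Authenticator before
    reading the code or any attribute. Returns (accepted, list_of_filter_ids)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    body = packet[20:]
    if packet[4:20] != hashlib.md5(packet[:4] + req_auth + body + secret).digest():
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    filter_ids = [v.decode() for t, v in decode_attrs(body) if t == FILTER_ID]
    return code == ACCESS_ACCEPT, filter_ids


def simulate_exchange(username, password, secret, server_secret, group="vpn-users"):
    """Constructed round trip with no network: the client builds the request, a toy
    server that only knows the password 'Pa55word' answers, the client validates."""
    ident, req_auth = 7, os.urandom(16)
    request = build_access_request(ident, username, password, secret, req_auth)
    # Server: recover the password; on success answer Accept with a Filter-ID group.
    attrs = dict(decode_attrs(request[20:]))
    ok = reveal_password(attrs[USER_PASSWORD], server_secret, request[4:20]) == b"Pa55word"
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request[4:20],
                           [(FILTER_ID, group.encode())] if ok else [], server_secret)
    return parse_response(reply, ident, req_auth, secret)


if __name__ == "__main__":
    print(simulate_exchange("alice", "Pa55word", b"s3cret", b"s3cret"))
```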

Configuring NT Domain Authentication

To configure NT Domain authentication, perform the following steps:

Step 1
On the Portal > Domains page, click Add Domain to display the Add Domain dialog box.
Step 2
Select NT Domain from the Authentication Type menu. The NT Domain configuration fields will be displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name selected by users when they authenticate to the SonicWALL SSL VPN appliance portal. It may be the same value as the NT Domain Name.
Step 3
Enter the NT authentication domain in the NT Domain Name field. This is the domain name configured on the Windows authentication server for network authentication.
Step 4
Enter the IP address or host and domain name of the server in the NT Server Address field.
Step 5
Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the Portals > Portals page.
Step 6
Click Add to update the configuration. Once the domain has been added, the domain will be added to the Domain Settings table.

Configuring LDAP Authentication

To configure LDAP authentication, perform the following steps:

Step 1
Click Add Domain to display the Add New Domain dialog box.
Step 2
Select LDAP from the Authentication Type menu. The LDAP domain configuration fields are displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN appliance user portal. It can be the same value as the Server Address field.
Step 3
Enter the IP address or domain name of the server in the Server Address field.
Step 4
Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search base string is CN=Users,DC=yourdomain,DC=com.

Tip
It is possible for multiple OUs to be configured for a single domain by entering each OU on a separate line in the LDAP baseDN field. In addition, any sub-OUs will be automatically included when parents are added to this field.

Note
Do not include quotes (“”) in the LDAP BaseDN field.
Step 5
Enter the common name of a user that has been delegated control of the container the users will be in, along with the corresponding password, in the Login Username and Login Password fields.

Note
When entering Login Username and Login Password, remember that the SSL VPN appliance binds to the LDAP tree with these credentials and users can log in with their sAMAccountName.
Step 6
Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the Portals > Portals page.
Step 7
Optionally check the box next to Allow password changes (if allowed by LDAP server). This option, if allowed by your LDAP server, will enable users to change their LDAP password during an SSL VPN session.
Step 8
Optionally place a check in the box next to Require client digital certificates if you want to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication.
Step 9
Optionally check the box next to One-time passwords to enable the One-time password feature. A pull-down menu will appear, in which you can select if configured, required for all users, or using domain name. The LDAP e-mail attribute pull-down menu will appear, in which you can select mail, userPrincipalName, or custom. For more information about configuring the One-time password feature using LDAP, refer to “Configuring One-time Passwords” section.
Step 10
Click Submit to update the configuration and add the domain to the Domains Settings table.
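As an added example (not part of the SonicWALL documentation), the Python code below models the baseDN field rules from Step 4 and its Tip and Note: one base DN per line, quotes rejected, and a user anywhere below a listed OU (sub-OUs included) counted as in scope. The field contents and user DNs are constructed sample values; it assumes DNs use "\," for escaped commas and compares attribute values case-insensitively.

```python
import re

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_DN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str):
    """Split a DN into (type, value) RDNs, lower-casing both and trimming the
    whitespace around separators, so comparisons ignore cosmetic differences."""
    rdns = []
    for part in _DN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns


def parse_base_dns(field_text: str):
    """One base DN per line, as the LDAP baseDN field accepts; straight or curly
    quotes are rejected, matching the Note above."""
    bases = []
    for lineno, line in enumerate(field_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if any(q in line for q in '"\u201c\u201d'):
            raise ValueError(f"line {lineno}: quotes are not allowed in the baseDN field")
        bases.append(normalize_dn(line))
    if not bases:
        raise ValueError("at least one base DN is required")
    return bases


def dn_in_scope(user_dn: str, bases) -> bool:
    """True if user_dn sits in one of the bases or anywhere below it: the base
    must be an RDN-wise suffix of the user DN (sub-OUs are therefore included)."""
    user = normalize_dn(user_dn)
    for base in bases:
        if len(base) <= len(user) and user[len(user) - len(base):] == base:
            return True
    return False


def in_scope_users(field_text: str, user_dns):
    """Return the user DNs that the configured base DNs would cover."""
    bases = parse_base_dns(field_text)
    return [dn for dn in user_dns if dn_in_scope(dn, bases)]


# Constructed sample: two OUs entered on separate lines in the baseDN field.
BASEDN_FIELD = """OU=Sales,DC=yourdomain,DC=com
OU=Engineering,DC=yourdomain,DC=com"""

SAMPLE_USERS = [
    "CN=Alice,OU=West,OU=Sales,DC=yourdomain,DC=com",      # sub-OU of Sales
    "cn=bob, ou=engineering, dc=yourdomain, dc=com",        # spacing/case differences
    "CN=Smith\\, John,OU=Sales,DC=yourdomain,DC=com",       # escaped comma in the CN
    "CN=Eve,OU=Contractors,DC=yourdomain,DC=com",           # OU not listed
    "CN=Mallory,OU=Sales,DC=otherdomain,DC=com",            # different domain
]

if __name__ == "__main__":
    for dn in in_scope_users(BASEDN_FIELD, SAMPLE_USERS):
        print("in scope:", dn)
```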

Configuring Active Directory Authentication

To configure Windows Active Directory authentication, perform the following steps:

Step 1
Click Add Domain to display the Add Domain dialog box.

Note
Of all types of authentication, Active Directory authentication is most sensitive to clock skew, or variances in time between the SonicWALL SSL VPN appliance and the Active Directory server against which it is authenticating. If you are unable to authenticate using Active Directory, refer to “Active Directory Troubleshooting” section.
Step 2
Select Active Directory from the Authentication type pull-down menu. The Active Directory configuration fields will be displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN appliance portal. It can be the same value as the Server Address field or the Active Directory Domain field, depending on your network configuration.
Step 3
Enter the IP address or host and domain name of the Active Directory server in the Server Address field.
Step 4
Enter the Active Directory domain name in the Active Directory Domain field.
Step 5
Enter the name of the layout in the Portal Name field. Additional layouts may be defined in the Portals > Portals page.
Step 6
You may optionally check the box next to Require client digital certificates if you want to require the use of client certificates for login. By checking this check box, you require the client to present a client certificate for strong mutual authentication. The common name (CN) of the client certificate must match the user name that the user supplies to log in, and the certificate must be generated by a certificate authority (CA) that is trusted by the SonicWALL SSL VPN appliance.
Step 7
Optionally check the box next to One-time passwords to enable the One-time password feature. A pull-down menu will appear, in which you can select if configured, required for all users, or using domain name. For more information about configuring the One-time password feature, refer to “Configuring One-time Passwords” section.
Step 8
Click Apply to update the configuration. Once the domain has been added, the domain will be added to the Domain Settings table.

Active Directory Troubleshooting

If your users are unable to connect using Active Directory, verify the following configurations:

The time settings on the Active Directory server and the SonicWALL SSL VPN appliance must be synchronized. Kerberos authentication, used by Active Directory to authenticate clients, permits a maximum 15-minute time difference between the Windows server and the client (the SonicWALL SSL VPN appliance). The easiest way to solve this issue is to configure Network Time Protocol on the System > Time page of the SonicWALL SSL VPN Web-based management interface and check that the Active Directory server has the correct time settings.
Confirm that your Windows server is configured for Active Directory authentication. If you are using a Windows NT 4.0 server, then your server only supports NT Domain authentication. Typically, Windows 2000 and 2003 servers are also configured for NT Domain authentication to support legacy Windows clients.

Viewing the Domain Settings Table

All of the configured domains are listed in the Domain Settings table in the Portal > Domains window. The domains are listed in the order in which they were created.

Removing a Domain

To delete a domain, click the trash can icon next to the domain to delete from the Domain Settings table. Once the SonicWALL SSL VPN appliance has been updated, the deleted domain will no longer be displayed in the Domain Settings table.

Note
The default LocalDomain domain cannot be deleted.

Configuring Two-Factor Authentication

(Supported only on the SonicWALL SSL VPN 2000 and 4000 appliances.) Two-factor authentication is an authentication method that requires two independent pieces of information to establish identity and privileges. Two-factor authentication is stronger and more rigorous than traditional password authentication that only requires one factor (the user’s password).

For more information on how two-factor authentication works see “Two-Factor Authentication Overview” section.

SonicWALL’s implementation of two-factor authentication partners with two of the leaders in advanced user authentication: RSA and VASCO. If you are using RSA, you must have the RSA Authentication Manager and RSA SecurID tokens. If you are using VASCO, you must have the VASCO VACMAN Middleware and Digipass tokens.

To configure two-factor authentication, you must first configure a RADIUS domain. For information see “Configuring RADIUS Authentication” section.

The following sections describe how to configure the supported third-party authentication servers:

Configuring the RSA Authentication Manager
Configuring the VASCO VACMAN Middleware

Configuring the RSA Authentication Manager

The following sections describe how to configure the RSA Authentication Manager version 6.1 to perform two-factor authentication with your SonicWALL SSL VPN appliance:

Adding an Agent Host Record for the SonicWALL SSL VPN Appliance
Adding the SonicWALL SSL VPN as a RADIUS Client
Setting the Time and Date
Importing Tokens and Adding Users

Note
This configuration procedure is specific to RSA Authentication Manager version 6.1. If you are using a different version of RSA Authentication Manager, the procedure will be slightly different.

If you will be using VASCO instead of RSA, see Configuring the VASCO VACMAN Middleware.

Adding an Agent Host Record for the SonicWALL SSL VPN Appliance

To establish a connection between the SSL VPN appliance and the RSA Authentication Manager, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the SSL VPN appliance within its database and contains information about communication and encryption.

To create the Agent Host record for the SSL VPN appliance, perform the following steps:

Step 1
Launch the RSA Authentication Manager.

Step 2
On the Agent Host menu, select Add Agent Host.

Step 3
Enter a hostname for the SSL VPN appliance in the Name field.
Step 4
Enter the IP address of the SSL VPN appliance in the Network address field.
Step 5
Select Communication Server in the Agent type window.
Step 6
By default, the Enable Offline Authentication and Enable Windows Password Integration options are enabled. SonicWALL recommends disabling all of these options except for Open to All Locally Known Users.
Step 7
Click OK.

Adding the SonicWALL SSL VPN as a RADIUS Client

After you have created the Agent Host record, you must add the SonicWALL SSL VPN to the RSA Authentication Manager as a RADIUS client. To do so, perform the following steps:

Step 1
In RSA Authentication Manager, go to the RADIUS menu and select Manage RADIUS Server. The RSA RADIUS Manager displays.
Step 2
Expand the RSA RADIUS Server Administration tree and select RADIUS Clients.

Step 3
Click Add. The Add RADIUS Client window displays.

Step 4
Enter a descriptive name for the SSL VPN appliance.
Step 5
Enter the IP address of the SSL VPN in the IP Address field.
Step 6
Enter the shared secret that is configured on the SSL VPN in the Shared secret field.
Step 7
Click OK and close the RSA RADIUS Manager.

Setting the Time and Date

Because two-factor authentication depends on time synchronization, it is important that the internal clocks of the RSA Authentication Manager and the SSL VPN appliance are set correctly.

Importing Tokens and Adding Users

After you have configured the RSA Authentication Manager to communicate with the SonicWALL SSL VPN appliance, you must import tokens and add users to the RSA Authentication Manager. To do so, perform the following steps.

Step 1
To import the token file, select Token > Import Tokens.

Step 2
When you purchase RSA SecurID tokens, they come with an XML file that contains information on the tokens. Navigate to the token XML file and click Open. The token file is imported.
Step 3
The Import Status window displays information on the number of tokens imported to the RSA Authentication Manager.

Step 4
To create a user on the RSA Authentication Manager, click on User > Add user.

Step 5
Enter the user’s First and Last Name.
Step 6
Enter the user’s username in the Default Login field.
Step 7
Select either Allowed to Create a PIN or Required to Create a PIN. Allowed to Create a PIN gives users the option of either creating their own PIN or having the system generate a random PIN. Required to Create a PIN requires the user to create a PIN.
Step 8
To assign a token to the user, click on the Assign Token button. Click Yes on the confirmation window that displays. The Select Token window displays.

Step 9
You can either manually select the token or automatically assign the token:
 
To manually select the token for the user, click Select Token from List. In the window that displays, select the serial number for the token and click OK.
 
To automatically assign the token, you can optionally select the method by which to sort the token: the token’s import date, serial number, or expiration date. Then click the Unassigned Token button and the RSA Authentication Manager assigns a token to the user. Click OK.
Step 10
Click OK in the Edit User window. The user is added to the RSA Authentication Manager.
Step 11
Give the user their RSA SecurID Authenticator and instructions on how to log in, create a PIN, and use the RSA SecurID Authenticator. See the SonicWALL SSL VPN User Guide for more information.

Configuring the VASCO VACMAN Middleware

The following sections describe how to configure two-factor authentication using VASCO’s VACMAN Middleware Administration version 2.3:

 
Adding the RADIUS Server to VACMAN Middleware
 
Adding the SSL VPN Appliance to VASCO
 
Setting the Time and Date
 
Importing Digipass Token Secret
 
Creating Users
 
Assigning Digipass Tokens to Users
 
Note
This configuration procedure is specific to VACMAN Middleware Administration version 2.3. If you are using a different version of VACMAN Middleware Administration, the procedure will be slightly different.

If you will be using RSA instead of VASCO, see Configuring the RSA Authentication Manager.

Adding the RADIUS Server to VACMAN Middleware

To create a connection between the SonicWALL SSL VPN appliance and the VASCO server, you must create a component record for the external RADIUS server. VASCO servers do not have an internal RADIUS component, so they must use an external RADIUS server. To create a component record for the RADIUS server, perform the following steps:

Step 1
Launch the VACMAN Middleware Administration program.
Step 2
Expand the VACMAN Middleware Administration tree and the VACMAN Server tree.
Step 3
Right-click on RADIUS Servers and click New RADIUS Server.

Step 4
Enter the IP address of the RADIUS server in the Location field. Note that this is the IP address of the RADIUS server and not the SonicWALL SSL VPN appliance.
Step 5
Select the appropriate policy in the Policy pull-down menu.
Step 6
Enter the RADIUS shared secret in the Shared Secret and Confirm Shared Secret fields.

Adding the SSL VPN Appliance to VASCO

To add the SonicWALL SSL VPN appliance to VACMAN Middleware Administrator as a RADIUS client, perform the following steps.

Step 1
Expand the VACMAN Server tree.
Step 2
Right-click on RADIUS Clients and click New RADIUS Client.


Step 3
Enter the IP Address of the SSL VPN appliance.
Step 4
Enter the Shared secret.
Step 5
Click Save.
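Both the RSA procedure ("Adding the SonicWALL SSL VPN as a RADIUS Client") and the VASCO procedure just above end with a shared secret that must be identical on the RADIUS client (the SSL VPN appliance) and the RADIUS server. The added Python example below is not code from SonicWALL, RSA or VASCO; it implements the RFC 2865 PAP exchange to show what that secret does: it hides the User-Password attribute in the Access-Request, and it authenticates the server's reply through the Response Authenticator. The user store, identifier and credentials are constructed for the demonstration, and the in-process call stands in for the UDP round trip. With a mismatched secret the client cannot validate the reply and must discard it, so a secret typo shows up as a timeout on the client rather than as a clean reject.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types

# Constructed credential store for the demonstration only.
DEMO_USERS = {b"alice": b"correct-horse-battery"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a party holding the same shared secret recovers the clear text."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialize a RADIUS packet: Code, Identifier, Length, Authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(body: bytes) -> dict:
    """Decode TLV attributes; stops on a malformed length instead of looping forever."""
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, length = struct.unpack("!BB", body[i:i + 2])
        if length < 2:
            break
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(request: bytes, server_secret: bytes, users: dict) -> bytes:
    """Minimal RADIUS server for a PAP Access-Request: Accept only if the recovered password matches."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    recovered = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], recovered)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", server_secret)
    return build_packet(reply_code, ident, auth, [])


def client_authenticate(user: bytes, password: bytes, client_secret: bytes,
                        server_secret: bytes, users: dict = DEMO_USERS) -> str:
    """Client side (the role the SSL VPN appliance plays): send the request, then verify the reply.
    Returns 'accept', 'reject', or 'discarded' when the Response Authenticator does not verify."""
    ident, request_auth = 7, os.urandom(16)   # identifier is constructed; authenticator is random per RFC
    hidden = hide_password(password, client_secret, request_auth)
    request = build_packet(ACCESS_REQUEST, ident, request_auth,
                           [(ATTR_USER_NAME, user), (ATTR_USER_PASSWORD, hidden)])
    reply = server_handle(request, server_secret, users)   # stands in for the UDP round trip
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, reply_ident, request_auth, reply[20:length], client_secret)
    if reply_ident != ident or not hmac.compare_digest(reply[4:20], expected):
        return "discarded"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discarded")


if __name__ == "__main__":
    print(client_authenticate(b"alice", b"correct-horse-battery", b"s3cret", b"s3cret"))  # accept
    print(client_authenticate(b"alice", b"wrong", b"s3cret", b"s3cret"))                  # reject
    print(client_authenticate(b"alice", b"correct-horse-battery", b"s3cret", b"other"))   # discarded
```

The third call is the case to recognise when troubleshooting either procedure: the server does answer, but because its Response Authenticator was computed with a different secret the client throws the reply away, and from the appliance's side the RADIUS server appears not to respond at all.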

Setting the Time and Date

The Digipass token is based on time synchronization. All tokens are created with their internal real-time clocks set to GMT. As such, it is important to set the date and time zone of the server running the VACMAN Middleware correctly so that GMT can be derived correctly from the server's local time.
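Both the RSA section above ("Setting the Time and Date") and this one state the dependency on clock synchronization without showing its effect. The added Python example below is not SonicWALL, RSA or VASCO code and does not use the proprietary SecurID or Digipass algorithms; it uses the openly specified RFC 6238 TOTP algorithm as a stand-in for a time-synchronized token, with a constructed seed and an assumed 30-second step and one-step acceptance window. It shows the two failure modes the text warns about: a validating server whose clock has drifted beyond the window, and a server whose wall clock reads correctly but whose time-zone setting is wrong, so that the GMT it derives is off by the time-zone difference.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP_SECONDS = 30        # token time step; RFC 6238 default, assumed for the illustration
DIGITS = 6
ALLOWED_SKEW_STEPS = 1   # server accepts one step either side; an assumed policy, not a vendor value

# Constructed token seed for the demonstration only.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"


def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def validate_code(seed: bytes, submitted: str, server_unix_time: int,
                  skew_steps: int = ALLOWED_SKEW_STEPS) -> bool:
    """Server-side check: the code must match the current step or one inside the skew window."""
    base_step = server_unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp_code(seed, (base_step + delta) * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def unix_time_from_wall_clock(wall_clock_iso: str, utc_offset_hours: int) -> int:
    """Derive GMT-based Unix time from a server's local wall clock and its configured time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromisoformat(wall_clock_iso).replace(tzinfo=tz)
    return int(local.timestamp())


def outcome_with_clock_drift(token_unix_time: int, server_drift_seconds: int) -> bool:
    """The token's clock is correct; the validating server's clock is off by server_drift_seconds."""
    code = totp_code(DEMO_SEED, token_unix_time)
    return validate_code(DEMO_SEED, code, token_unix_time + server_drift_seconds)


def outcome_with_timezone_misconfig(wall_clock_iso: str, true_offset_hours: int,
                                    configured_offset_hours: int) -> bool:
    """Token and server show the same wall-clock time, but the server's time-zone setting is
    wrong, so the GMT it derives (and therefore the time step it checks) is wrong."""
    token_time = unix_time_from_wall_clock(wall_clock_iso, true_offset_hours)
    server_time = unix_time_from_wall_clock(wall_clock_iso, configured_offset_hours)
    code = totp_code(DEMO_SEED, token_time)
    return validate_code(DEMO_SEED, code, server_time)


if __name__ == "__main__":
    print("drift 20 s :", outcome_with_clock_drift(1_700_000_000, 20))    # True
    print("drift 180 s:", outcome_with_clock_drift(1_700_000_000, 180))   # False
    print("tz correct :", outcome_with_timezone_misconfig("2024-01-01T14:00:00", -5, -5))  # True
    print("tz wrong   :", outcome_with_timezone_misconfig("2024-01-01T14:00:00", -5, 0))   # False
```

The time-zone case is the one the VASCO note is about: a server whose wall clock looks right but is tagged with the wrong zone derives a GMT value hours off, and every code it checks falls outside the window even though nothing appears wrong at a glance. Keeping both the appliance and the authentication server on the same NTP source, with the zone set correctly, avoids both cases.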

Importing Digipass Token Secret

Before Digipass tokens can be assigned to a user, their application records must be imported to the VACMAN middleware. To do this, perform the following steps.

Step 1
Right-click on the Digipass node under the VACMAN server tree.
Step 2
Click Import Digipass.
Step 3
Click Browse, navigate to the location of the Digipass import file, and click Open.

Step 4
Enter the Digipass import key in the Key field. The key is a 32-character hexadecimal number.
Step 5
Click Import All Applications to import all records in the file. Or to select the records to import, click Show Applications, select the records to import, and click Import Selected Applications.
Step 6
The progress of the import procedure will be shown in the bottom Import Status section.

Creating Users

To add users to the VACMAN Middleware Administration, perform the following steps.

Step 1
Expand the VACMAN Server tree and right-click on Users.
Step 2
Click New User.

Step 3
Enter the username in the User ID field.
Step 4
Enter the user’s password in the New Password and Confirm Password fields.
Step 5
Select the appropriate Admin Privilege and Authenticator.
Step 6
Click Create.

Assigning Digipass Tokens to Users

After you have imported the Digipass tokens and created the users, you need to assign the Digipass tokens to the users. To do so, perform the following steps.

Step 1
Expand the VACMAN Server tree and click on Digipass.

Step 2
Right-click on the serial number of the Digipass token you want to assign and click Assign.

Step 3
Enter the username in the User ID field and click the Find button.

When the username is displayed in the Search Results window, select the username and click OK to assign the Digipass token.

Portal > Custom Logo

Beginning with the SSL VPN 2.5 release, portal logos are no longer configured globally from the Portal > Custom Logos page. Custom logos are uploaded on a per-portal basis from the Logo tab in the Portal Logo Settings dialogue. For information related to Custom Portal Logos, refer to the “Portals > Portals” section.

