Secure Wireless Networks
Version 2.2
INTEGRATED SOLUTIONS GUIDE
Secure Wireless Networks
Gateway Anti-Virus, Intrusion Prevention, Content Security Management, Secure Wireless, VoIP, Firewall/VPN

SonicWALL Secure Wireless Network Integrated Solutions Guide, Version 2.2
SonicWALL, Inc., Borregas Avenue, Sunnyvale, CA
Phone: Fax:
Copyright Notice

© 2005 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format. Specifications and descriptions subject to change without notice.

Trademarks

SonicWALL is a registered trademark of SonicWALL, Inc. Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation. Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be registered outside the U.S. Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Limited Warranty

SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use.
This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWALL's then-current Support Services policies. This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWALL. DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose. DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. 
IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Table of Contents

Wireless LAN Overview
    What is a WLAN?
    How Does a WLAN Work?
WLAN Design Considerations
    WLAN Design Top Ten Checklist
SonicWALL Secure Wireless Architecture
    SonicWALL Secure Wireless Architecture Components
SonicWALL Secure Wireless Network Deployment Solutions
    Solution #1: Securing WLANs with SonicWALL Security Services
    Solution #2: Configuring a SonicWALL PRO Series Security Appliance to Manage a WLAN of SonicPoints and SonicWALL Long Range Wireless Clients
    Solution #3: Configuring Wireless Guest Services
    Solution #4: Configuring Wireless Intrusion Detection Services
    Solution #5: Configuring Microsoft IAS Server for WPA with PEAP
    Solution #6: Configuring Steel-Belted RADIUS Server for WPA with PEAP
    Solution #7: Configuring a Wireless Client for WPA with PEAP
    Solution #8: Configuring a Lightweight Hotspot Messaging Network
    Solution #9: Integrating SonicWALL SSL-VPN and SonicWALL Secure Wireless Solutions
    Solution #10: Configuring a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless to a SonicPoint
Deploying SonicWALL GMS for a SonicWALL Secure Wireless Network
Device Characteristics
    SonicWALL Secure Wireless Solution Enablers Device Characteristics
    SonicWALL PRO Series Device Characteristics
    SonicWALL TZ Series Wireless Device Characteristics
Glossary
Related Documents
    Product Datasheets
    User Guides
    TechNotes
Contributors
Index
Document Scope

This solutions document describes how to plan, design, implement, and maintain a SonicWALL Secure Wireless network. The Secure Wireless Network solutions presented in this document are based on actual customer deployments and are SonicWALL-recommended deployment best practices. These solutions were tested and verified in a lab environment.

This document contains the following sections:

Wireless LAN Overview section on page 2
WLAN Design Considerations section on page 3
SonicWALL Secure Wireless Architecture section on page 5
SonicWALL Secure Wireless Network Deployment Solutions section on page 16
Solution #1: Securing WLANs with SonicWALL Security Services section on page 19
Solution #2: Configuring a SonicWALL PRO Series Security Appliance to Manage a WLAN of SonicPoints and SonicWALL Long Range Wireless Clients section on page 26
Solution #3: Configuring Wireless Guest Services section on page 55
Solution #4: Configuring Wireless Intrusion Detection Services section on page 67
Solution #5: Configuring Microsoft IAS Server for WPA with PEAP section on page 71
Solution #6: Configuring Steel-Belted RADIUS Server for WPA with PEAP section on page 84
Solution #7: Configuring a Wireless Client for WPA with PEAP section on page 96
Solution #8: Configuring a Lightweight Hotspot Messaging Network section on page 106
Solution #9: Integrating SonicWALL SSL-VPN and SonicWALL Secure Wireless Solutions section on page 117
Solution #10: Configuring a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless to a SonicPoint section on page 142
Deploying SonicWALL GMS for a SonicWALL Secure Wireless Network section on page 154
Wireless LAN Overview

This section provides an introduction to Wireless Local Area Networks (WLANs). This section contains the following subsections:

What is a WLAN? section on page 2
How Does a WLAN Work? section on page 2

After reading the Wireless LAN Overview section, you will be able to define the difference between a WLAN and a hard-wired LAN, obtain key design considerations for WLAN outdoor and indoor deployments, and learn about the recent advancements in Wireless IPSec (WiFiSec) and WPA for secure data transmission over traditional wireless deployments.

What is a WLAN?

A WLAN is a LAN that uses radio waves as the physical medium over which network data signals are sent and received. In a conventional hard-wired LAN, client workstations are connected together with physical cables, ranging from shielded copper wire to fiber-optic cable. Hard-wired LANs are very expensive to implement because of the effort required to install physical cabling. In addition to the high cost, you face distance limitations that depend on the type of cable you are using: each type of physical cable has a maximum length beyond which the signal traveling on the wire deteriorates. Besides cost and cabling distance, hard-wired LANs also limit laptop client mobility, since you are leashed to your connection, whether a modem, a wall jack, or a networking device such as a hub, switch or router. Each time you want to move your laptop client from one conference room to another, you must disconnect and then reconnect once you have moved.

How Does a WLAN Work?

The standards used for WLAN communications are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 series of standards. The IEEE 802.11 standards define and regulate the Physical and Media Access Control (MAC) layers of operation in a WLAN. For example, the IEEE 802.11b standard defines the use of the 2.4 Gigahertz (GHz) radio frequency (RF) band for high-speed data communications; 802.11b supports data rates from 2 Mbps up to 11 Mbps. The IEEE 802.11g standard supports data rates up to 54 Mbps while also using the 2.4 GHz frequency band.
WLAN Design Considerations

Designing wireless networks opens the door to an enormous array of connectivity options and benefits, anywhere from a shop owner wishing to provide free wireless Internet access to customers, to a large company wishing to free thousands of employees from their hard-wired workstations. Unfortunately, the current state of wireless networking is far less secure than it needs to be, and improper installation of wireless networking equipment can lead to unforeseen security risks. WPA itself is an interim standard that will be replaced. SonicWALL security appliances provide a wide array of active and passive security features that can be enabled to deter attempts to gain unauthorized wireless access to your protected networks. The following is a top-ten checklist of SonicWALL-recommended deployment design considerations for your WLAN.

WLAN Design Top Ten Checklist

This section provides a top-ten checklist for securing your distributed wireless network with SonicWALL's Secure Wireless Solutions. Traditional wireless security tip lists recommend actions such as disabling SSID broadcasts, enabling MAC filtering, and disabling DHCP services for the sake of obscuring the wireless network. While this will likely reduce the chances of wireless network trespassing, it will certainly make your wireless network more difficult to use for your authorized wireless users. SonicWALL recommends better methods of network defense than security through obscurity, and goes to great efforts to ensure not only a secure network, but a secure network that is effortless and uncomplicated to use. Although the three aforementioned tactics are possible with SonicWALL wireless equipment, SonicWALL instead recommends the following checklist for securing your wireless network:

1. Install a SonicWALL security appliance at your network gateway, and secure your network with Wireless IPSec (WiFiSec). Enabling WiFiSec causes the SonicWALL security appliance to pass only IPSec packets to and from its wireless interface. Enforcing WiFiSec ensures that wireless users are authenticated and that their wireless traffic is fully encrypted. On SonicOS 2.5 software and higher, WiFiSec is enabled by default to provide your network with end-to-end wireless traffic encryption using standard IPSec security mechanisms. This method of deployment ensures that only authorized users are connecting to the SonicWALL security appliance, and that the wireless traffic of authorized users is truly secure against interception and decoding by undesired third parties.

2. Install the SonicWALL Global VPN Client on your wireless clients. Note: this requires your wireless clients to connect to the SonicWALL security appliance using the SonicWALL Global VPN Client for remote access to policy-allowed LAN resources, policy-allowed WAN access, and other wireless clients. Enable the Gateway Anti-Virus (GAV), Intrusion Prevention Service (IPS), and Content Filtering Service (CFS) security services on your WLAN zones.

3. As an alternative to (or even in conjunction with) the SonicWALL Global VPN Client, use WPA (Wi-Fi Protected Access) in either the WPA-PSK or the WPA-EAP variety, both of which are supported by SonicWALL wireless products. WPA-PSK uses a pre-shared key or password for associating and authenticating with the wireless network, while WPA-EAP uses an extensible authentication protocol scheme, typically with a back-end user database such as RADIUS. Since WPA-EAP requires an external authentication server, it can be fairly complicated to configure, and is used infrequently by smaller networks. Using WPA also requires that your wireless clients are WPA capable: this means WPA-compatible client cards (such as the SonicWALL Long-Range/Dual-Band wireless card) with current drivers, and a WPA supplicant or a natively WPA-capable operating system.

4. Use the radio scheduling feature on your SonicWALL wireless equipment to disable the wireless radios when they are not in use. If your wireless network is only in use from 7am to 10pm, you can schedule the radio to disable itself entirely during off-hours, completely eliminating the possibility of unwanted or unauthorized detection or access without impeding regular use.

5. Enforce the use of Wireless Guest Services (WGS). With this feature enabled, all wireless clients must authenticate themselves to the SonicWALL security appliance using HTTP or HTTPS before they are allowed access to resources on the WAN. The user and password database can either be stored onboard the SonicWALL security appliance, or the SonicWALL security appliance can authenticate users against external RADIUS servers. A recent online review of WGS said: "Instead of having visitors and conference room attendees locked out of Wi-Fi goodness, [WGS] shunts them to a different place, the Internet." Using WGS, network administrators can configure their SonicWALL security appliances to allow wireless guests access to the Internet while blocking access to the corporate network.

6. Activate the SonicWALL security appliance's Wireless Intrusion Detection Services (IDS) features. This allows your SonicWALL security appliance to perform active and passive scans of the 802.11b wireless channels to detect rogue access points: wireless access points that were installed on your internal network without your corporate IT network administrator's approval. It also allows the SonicWALL security appliance to protect itself against association flood attacks and to detect possible disassociation attacks launched against your wireless clients, using sequence number analysis.

7. If you are not using WiFiSec, WEP, or WPA, use applications that can be directly secured, such as HTTPS Web browser sessions, SSH, or SSL-enabled applications like SFTP. Make sure these applications are password-secured, use strong passwords, and have their passwords changed often.

8. Select an SSID that is recognizable by your authorized users, but which does not disclose any sensitive information.

9. Adjust the SonicWALL security appliance's wireless radio power settings and management frame settings. Tuning these settings properly can prevent your wireless signal from bleeding into unwanted areas (such as public areas or adjacent buildings occupied by other wireless users). Wardrivers often look for public spots into which a usable signal has leaked, so take this into account when adjusting your SonicWALL security appliance.

10. Do not advertise your wireless network unnecessarily. When possible, place your wireless radios away from the perimeters of your premises to avoid the radio signal bleeding beyond required boundaries.

And finally, to reach the zenith of physical security for your wireless network, consider an elemental Faraday cage in a can (see the figure in the original guide).

Tip: Document a clearly defined network security policy. This will help you ensure your users have the information they need in order to connect using wireless clients. Make sure your users understand why these settings are required, and make sure that the security policy does not directly conflict with their network access needs.
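To make item 6 concrete, the following is an added Python sketch (not SonicWALL code) of the three detections the checklist names: a rogue access point is a beacon from a BSSID that is not a managed SonicPoint, an association flood is too many association requests to one BSSID in a short window, and a spoofed disassociation is a frame whose 802.11 sequence number does not follow the counter the access point has been using. All frame records, thresholds and MAC addresses are constructed placeholders.

```python
"""Wireless IDS checks modelled on checklist item 6: rogue AP detection,
association-flood detection and spoofed-disassociation detection by
802.11 sequence-number analysis. The frame records below are constructed
sample data, not real captures, and every MAC address is a placeholder."""
from collections import defaultdict, deque
from dataclasses import dataclass

SEQ_MODULO = 4096          # 802.11 sequence numbers are a 12-bit counter


@dataclass(frozen=True)
class Frame:
    ts: float               # capture time in seconds
    kind: str               # "beacon", "assoc_req", "disassoc" or "data"
    src: str                # transmitter address as it appears in the frame
    bssid: str
    seq: int                # sequence number from the frame header
    ssid: str = ""          # only meaningful for beacons


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the wrapping 12-bit counter.
    A frame whose number runs backwards shows up as a large forward gap."""
    return (cur - prev) % SEQ_MODULO


def find_rogue_aps(frames, authorized_bssids):
    """Any beacon whose BSSID is not a managed access point is a rogue AP.
    Returns {bssid: ssid} for each distinct rogue seen."""
    allowed = {b.lower() for b in authorized_bssids}
    rogues = {}
    for f in frames:
        if f.kind == "beacon" and f.bssid.lower() not in allowed:
            rogues.setdefault(f.bssid.lower(), f.ssid)
    return rogues


def find_assoc_floods(frames, window=1.0, threshold=20):
    """Flag a BSSID that receives more than `threshold` association
    requests inside any `window`-second interval (association flood).
    Returns {bssid: peak count seen inside one window}."""
    recent = defaultdict(deque)     # bssid -> request timestamps in window
    flagged = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.kind != "assoc_req":
            continue
        key = f.bssid.lower()
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def find_spoofed_disassoc(frames, max_gap=64):
    """Track the last sequence number seen from each transmitter. A
    disassociation frame whose sequence number jumps far ahead of (or
    behind) that transmitter's counter was most likely injected by a
    different radio impersonating the access point."""
    last_seq = {}
    alerts = []                     # (ts, src, expected_prev, seen, gap)
    for f in sorted(frames, key=lambda x: x.ts):
        src = f.src.lower()
        prev = last_seq.get(src)
        if f.kind == "disassoc" and prev is not None:
            gap = seq_gap(prev, f.seq)
            if gap > max_gap:
                alerts.append((f.ts, src, prev, f.seq, gap))
                continue            # a suspect frame must not move the counter
        last_seq[src] = f.seq
    return alerts


AP = "00:11:22:33:44:01"            # placeholder BSSID of a managed SonicPoint
ROGUE = "02:de:ad:be:ef:99"         # placeholder BSSID of an unmanaged AP

SAMPLE_FRAMES = (
    [Frame(0.0, "beacon", AP, AP, 100, "corp-wlan"),
     Frame(0.07, "beacon", ROGUE, ROGUE, 7, "Free-WiFi")]
    + [Frame(0.1 * (i + 1), "data", AP, AP, 101 + i) for i in range(9)]
    + [Frame(0.95, "disassoc", AP, AP, 2500),        # injected: counter jumps
       Frame(1.20, "disassoc", AP, AP, 110)]         # genuine: next in sequence
    + [Frame(2.0 + 0.02 * i, "assoc_req",
             "02:00:00:00:00:%02x" % i, AP, i)
       for i in range(30)]                           # 30 requests in 0.6 s
)


def run_checks(frames=SAMPLE_FRAMES, authorized=(AP,)):
    return {
        "rogue_aps": find_rogue_aps(frames, authorized),
        "assoc_floods": find_assoc_floods(frames),
        "spoofed_disassoc": find_spoofed_disassoc(frames),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```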
SonicWALL Secure Wireless Architecture

SonicWALL's Secure Wireless solution provides a framework for the easy integration of all three IEEE 802.11a/b/g standards for WLANs. At the center of the SonicWALL Secure Wireless network is a SonicWALL PRO Series (platform class) Internet security appliance that integrates IEEE 802.11a/b/g wireless management and security enforcement capabilities into an enterprise-class firewall/VPN gateway. Figure 1 provides a network diagram of a SonicWALL Global Management System (GMS)-managed deployment of a SonicWALL Secure Wireless network.

Figure 1: SonicWALL Secure Wireless Architecture
SonicWALL Secure Wireless Architecture Components

SonicWALL's Secure Wireless Architecture incorporates the following product components, which together create the fully integrated wireless network and security infrastructure:

SonicWALL PRO Series Security Appliances section on page 6
SonicWALL SonicPoints and SonicWALL PoE Injectors section on page 13
SonicWALL Long Range Dual Band Wireless Cards and the SonicWALL Global VPN Client section on page 14

SonicWALL PRO Series Security Appliances

In addition to being an integrated firewall and VPN security appliance, a SonicWALL PRO Series appliance functions as a secure wireless switch and controller that automatically detects and configures SonicPoints as they are added to the network. Through the SonicWALL Discovery Protocol (SDP), the SonicWALL PRO Series security appliance and the SonicPoint automatically locate each other on the network. After this discovery, the SonicWALL Simple Provisioning Protocol (SSPP) auto-provisions the SonicPoints with a predefined configuration through an encrypted tunnel between the SonicWALL PRO Series security appliance and the SonicPoint.

Benefits

For a list of SonicWALL PRO Series deployment benefits and the latest platform features, refer to the SonicWALL PRO Series product data sheets located in the Product Datasheets section on page 189.

SonicWALL PRO Series Security Appliance Platforms

The SonicWALL PRO Series security appliances running SonicOS Enhanced 2.5 or greater provide central security management of both wired and wireless networks while also automatically detecting SonicPoint access points as they are added to the network. This section contains the following subsections:

SonicWALL PRO 2040 section on page 7
SonicWALL PRO 3060 section on page 8
SonicWALL PRO 4060 section on page 9
SonicWALL PRO 4100 section on page 10
SonicWALL PRO 5060 section on page 12
SonicWALL PRO 2040

The SonicWALL PRO 2040 utilizes a robust four-port architecture to deliver powerful firewall throughput and IPSec VPN in an affordable, rack-mounted appliance, making it an outstanding value for small to mid-sized networks. As a comprehensive network security, mobility and productivity solution targeting networks comprised of 200 or fewer nodes or 50 or fewer network locations, the SonicWALL PRO 2040 offers the configuration flexibility and redundancy features typically associated with more expensive appliances. In addition to firewall performance up to 200 Mbps, the PRO 2040 features the ability to run SonicOS Enhanced, enabling optional upgrades such as ISP failover, WAN redundancy and load balancing, and object and policy-based management. With the upgrade to SonicOS Enhanced, the WAN and LAN ports stay static while the other two ports are fully customizable as a second LAN, a second WAN, a DMZ, another customized network zone, or a hardware failover port. The SonicWALL PRO 2040 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client, and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 2040 deployment benefits and the latest platform features, refer to the SonicWALL PRO 2040 product data sheet located in the Product Datasheets section on page 189. Figure 2 displays the front and back panel of the SonicWALL PRO 2040.

Figure 2: SonicWALL PRO 2040

Supports up to 8 SonicPoints. Recommended number of SonicPoints per WLAN interface: 4
SonicWALL PRO 3060

The SonicWALL PRO 3060 is a total security platform for complex networks featuring a deep packet inspection architecture and six fully configurable Ethernet ports that can be configured as multiple WANs, LANs, DMZs or user-defined interfaces. This high-performance ICSA-certified deep packet inspection firewall accommodates 128,000 simultaneous connections and comes standard with IPSec VPN, 25 concurrent VPN Client licenses and 1,000 site-to-site VPN policies. The SonicWALL PRO 3060 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client, and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 3060 deployment benefits and the latest platform features, refer to the SonicWALL PRO 3060/4060 product data sheet located in the Product Datasheets section on page 189. Figure 3 displays the front and back panel of the SonicWALL PRO 3060.

Figure 3: SonicWALL PRO 3060

Supports up to 32 SonicPoints. Recommended number of SonicPoints per WLAN interface: 8
SonicWALL PRO 4060

The SonicWALL PRO 4060 is a total security platform for complex networks, utilizing a deep packet inspection architecture and six fully configurable Ethernet ports that can be configured as multiple WANs, LANs, DMZs or user-defined interfaces. This high-performance ICSA-certified deep packet inspection firewall accommodates 500,000 simultaneous connections and comes standard with IPSec VPN, 1,000 concurrent VPN Client sessions, 3,000 site-to-site VPN policies, and Hardware Failover. The SonicWALL PRO 4060 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client, and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 4060 deployment benefits and the latest platform features, refer to the SonicWALL PRO 3060/4060 product data sheet located in the Product Datasheets section on page 189. Figure 4 displays the front and back panel of the SonicWALL PRO 4060.

Figure 4: SonicWALL PRO 4060

Supports up to 64 SonicPoints. Recommended number of SonicPoints per WLAN interface: 16
SonicWALL PRO 4100

The SonicWALL PRO 4100 is a real-time unified threat management firewall appliance that uses ten gigabit Ethernet interfaces to deliver internal and external network protection for corporate central sites, distributed environments and data centers. The PRO 4100 combines high-speed gateway anti-virus, anti-spyware, intrusion prevention and powerful deep packet inspection capabilities with an extensive array of advanced networking and configuration features in an affordable platform that is flexible to deploy and manage in a wide variety of environments. With 10 configurable gigabit Ethernet interfaces and built-in secure wireless LAN functionality, the PRO 4100 is an ideal solution for a host of wired and wireless applications requiring high-speed access and heavy workgroup segmentation. Using the innovative SonicWALL Clean VPN, the PRO 4100 ensures mobile user connections and branch office traffic are decontaminated to prevent vulnerabilities and malicious code from being propagated. Robust trusted network protection is achieved across all Ethernet ports, virtual LANs and connected wireless LANs to eliminate threats originating inside corporate networks, between networked departments or data center zones. To extend flexibility and performance throughout the network, the PRO 4100 also supports virtual local area networks (VLANs), enterprise-class routing and QoS features as standard offerings. The PRO 4100's dynamic security platform incorporates real-time gateway anti-virus, anti-spyware, intrusion prevention and anti-spam technologies for application-level attack prevention against viruses, worms, Trojans, spyware, phishing schemes, spam and other malicious threats. The dynamically updatable architecture ensures around-the-clock security updates without any administrator intervention.
In addition to security and performance optimizations, the PRO 4100 ships with the SonicWALL SonicOS Enhanced firmware, enabling business continuity and flexibility features including onboard Quality of Service (QoS), advanced routing services such as Open Shortest Path First (OSPF) and Routing Information Protocol (RIP), ISP failover, WAN redundancy, zone management and more. With SonicOS Enhanced, the ports are customizable as a second LAN, a second WAN, a DMZ, another customized network zone, or a hardware failover port for continuous network uptime. SonicOS Enhanced also features standards-based Voice over IP (VoIP) capabilities, enabling organizations to inexpensively transport audio and video media such as telephone calls and streaming video over wired and wireless IP-based networks. The PRO 4100 integrates support for SonicWALL's portfolio of advanced security services and can be managed by the award-winning SonicWALL Global Management System. Bundled with 1,500 Global VPN Client licenses, the PRO 4100 allows easy network access from any location, using any Internet connection, over any IP network. Every SonicWALL PRO 4100 comes standard with one year of Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service, 30 days of Content Filtering Service (Premium Edition), 30 days of 50-user McAfee gateway-enforced Network Anti-Virus, ViewPoint reporting software and 90-day and telephone support. Extended 8x5 and 24x7 hardware replacement and software upgrade support contracts are available. (Note: 8x5 support is available in the US, Canada, Europe and Japan. 24x7 support is available in the US, Canada and EMEA only.)

Benefits

For a list of SonicWALL PRO 4100 deployment benefits and the latest platform features, refer to the SonicWALL PRO 4100 product data sheet located in the Product Datasheets section. Figure 5 displays the front and back panel of the SonicWALL PRO 4100.

Figure 5: SonicWALL PRO 4100

Supports up to 128 SonicPoints. Recommended number of SonicPoints per WLAN interface: 32
SonicWALL PRO 5060

The SonicWALL PRO 5060 is a high-performance, multi-service gigabit security appliance designed for medium-to-large networks. The SonicWALL PRO 5060 integrates high-speed intrusion prevention, content filtering, enforced anti-virus, stateful firewall and IPSec VPN into a single solution that is easy to deploy and manage. Available in both 10/100/1000 copper and copper/fiber interface configurations, the SonicWALL PRO 5060 incorporates a wide array of networking and security features, making it an ideal solution for a multitude of applications. In addition to gigabit stateful inspection performance, the SonicWALL PRO 5060 ships with SonicOS Enhanced, enabling business continuity and flexibility features such as ISP failover, WAN redundancy and load balancing, object and policy-based management and more. With SonicOS Enhanced, the ports are customizable as a second LAN, a second WAN, a DMZ, another customized network zone, or a Hardware Failover port. The SonicWALL PRO 5060 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client, and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 5060 deployment benefits and the latest platform features, refer to the SonicWALL PRO 5060 product data sheet located in the Product Datasheets section on page 189. Figure 6 displays the front and back panel of the SonicWALL PRO 5060.

Figure 6: SonicWALL PRO 5060

Supports up to 128 SonicPoints. Recommended number of SonicPoints per WLAN interface: 32
SonicWALL SonicPoints and SonicWALL PoE Injectors

This section provides hardware and software specifications for the following SonicWALL Secure Wireless architecture components:

SonicPoint Access Points section on page 13
SonicWALL PoE Injector section on page 14

SonicPoint Access Points

The SonicWALL SonicPoint is a tri-mode, dual band, dual radio, IEEE 802.11a/b/g compliant, secure satellite access point that is centrally managed and configured by any SonicWALL TZ 170 or SonicWALL PRO Series security appliance. As a SonicWALL Secure Wireless Solution Enabler, SonicPoints deliver a secure wireless solution that scales to meet the specific wireless needs of mid- to large-sized networks. Utilizing SonicPoints, the SonicWALL Secure Wireless Solution delivers features such as Wireless Intrusion Detection Services, wireless firewalling, secure wireless roaming and Wireless Guest Services (WGS). The SonicPoint G provides 802.11b/g (2.4 GHz radio band) wireless connections and has detachable antennas. The SonicPoint G can be managed by a SonicWALL security appliance running SonicOS Enhanced or higher. Figure 7 displays the front and back panel of the SonicPoint and SonicPoint G.

Figure 7: SonicPoint and SonicPoint G

Benefits

For a list of SonicPoint deployment benefits and the latest SonicWALL Secure Wireless Solution Enabler features, refer to the SonicWALL Secure Wireless Solution product data sheet located in the Product Datasheets section.
SonicWALL PoE Injector

The SonicWALL PoE Injector is an IEEE 802.3af compliant power injector featuring an advanced auto-sensing algorithm that automatically detects the presence of PoE-compatible devices and injects the appropriate power into the data cable. A plug-and-play device, the PoE Injector fits easily into wireless Ethernet infrastructures and requires no configuration or management. When deployed into a wireless network, the PoE Injector reduces costs, lowers downtime, and provides easier maintenance and greater flexibility than traditional cabling. Figure 8 displays the front panel of the SonicWALL PoE Injector.

Figure 8: SonicWALL PoE Injector

Benefits

For a list of SonicWALL PoE Injector deployment benefits and the latest SonicWALL Secure Wireless Solution Enabler features, refer to the SonicWALL Secure Wireless Solution product data sheet located in the Product Datasheets section on page 189.

SonicWALL Long Range Dual Band Wireless Cards and the SonicWALL Global VPN Client

SonicWALL's Secure Wireless Architecture incorporates the following products to enable long range wireless VPN networking and security for WLAN clients:

SonicWALL Long Range Dual Band Wireless Card section on page 15
SonicWALL Global VPN Client section on page 15
SonicWALL Long Range Dual Band Wireless Card

The SonicWALL Long Range Dual Band Wireless Card is a tri-mode, dual band, IEEE 802.11a/b/g-compliant CardBus PC card that complements the high-power wireless capability of SonicWALL's Secure Wireless solutions. When combined with any SonicWALL secure wireless appliance, the SonicWALL Long Range Dual Band Wireless Card delivers superior throughput, range and bulletproof wireless IPSec security. Included with the SonicWALL Long Range Dual Band Wireless Card is SonicWALL's Global VPN Client software, creating a complete secure wireless solution. Figure 9 displays the SonicWALL Long Range Dual Band Wireless Card.

Figure 9 SonicWALL Long Range Dual Band Wireless Card

Benefits

For a list of SonicWALL Long Range Dual Band Wireless Card deployment benefits and the latest SonicWALL Secure Wireless Solution Enabler features, refer to the SonicWALL Secure Wireless Solution product data sheet located in the Product Datasheets section on page 189.

SonicWALL Global VPN Client

SonicWALL Global VPN Client (GVC) provides mobile users with secure, easy-to-use access to mission-critical network resources through broadband, wireless and dial-up connections. SonicWALL GVC software is supported on notebooks and desktop computers running Windows operating systems (Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000 Professional, Windows XP Professional, Windows XPE, and Windows XP Home Edition) and on handheld devices running Microsoft PocketPC. SonicWALL GVC is not compatible with VPN gateways from other vendors.

Benefits

For a list of SonicWALL GVC deployment benefits and the latest SonicWALL security upgrade software features, refer to the SonicWALL Global VPN Client product data sheet located in the Product Datasheets section on page
SonicWALL Secure Wireless Network Deployment Solutions

This section provides multiple SonicWALL Secure Wireless network deployment solutions. The following SonicWALL best-practice solutions provide enterprise-class security for a wireless network of any size, scaling from a small cafe hotspot to large enterprise and campus network deployments. The deployment solutions apply whether you are adding WLANs to an existing network infrastructure or creating a new SonicWALL Secure Wireless network from the ground up. The SonicWALL recommended Secure Wireless network best-practice solutions are described in the following subsections:
Solution #1: Securing WLANs with SonicWALL Security Services section on page 19
Solution #2: Configuring a SonicWALL PRO Series Security Appliance to Manage a WLAN of SonicPoints and SonicWALL Long Range Wireless Clients section on page 26
Solution #3: Configuring Wireless Guest Services section on page 55
Solution #4: Configuring Wireless Intrusion Detection Services section on page 67
Solution #5: Configuring Microsoft IAS Server for WPA with PEAP section on page 71
Solution #6: Configuring Steel-Belted RADIUS Server for WPA with PEAP section on page 84
Solution #7: Configuring a Wireless Client for WPA with PEAP section on page 96
Solution #8: Configuring a Lightweight Hotspot Messaging Network section on page 106
Solution #9: Integrating SonicWALL SSL-VPN and SonicWALL Secure Wireless Solutions section on page 117
Solution #10: Configuring a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless to a SonicPoint section on page
Using the SonicOS Software Management Console Interface

The SonicOS Management Interface allows you to configure all aspects of the SonicWALL security appliance.

Figure 10 SonicOS Management Interface
The SonicOS Web Management Interface provides an intuitive, easy-to-use graphical interface for configuring your SonicWALL security appliances and SonicPoints. Perform SonicOS management functions through a Web browser. The left-navigation panel on the SonicOS Web Management Interface includes a hierarchy of console settings. The management console on the SonicOS Enhanced software includes the console settings described in Table 1.

Table 1 SonicOS Enhanced Management Console Settings

Console Setting: Functions
System: From the System > Administration page, set the administrative username and password.
Network: From the Network > Interfaces page, configure the LAN, WAN, and Wireless (WLAN) interfaces. From the Network > Zones page, select a SonicPoint Profile for all SonicPoints on the Wireless (WLAN) zone. From the Network > Zones page, enable or disable security services for each network zone. From the Network > DHCP Server page, configure the DHCP server ranges for each network zone.
Wireless: From the Wireless > SonicPoints page, configure and manage your SonicPoints. From the Wireless > Station Status page, obtain reports on wireless clients connected to each SonicPoint. From the Wireless > IDS page, obtain reports and block rogue access points and other wireless intrusions.
Firewall: Configure and manage access policies.
VPN: From the VPN > Settings page, configure and manage GroupVPN policies. GroupVPN is required on Wireless security zones for WiFiSec security.
Users: From the Users > Settings page, manage user authentication with a RADIUS server or configure management of all users locally. From the Users > Local Users page, configure individual user access to resources with GroupVPN policies. From the Users > Local Groups page, configure user groups and group access to resources with GroupVPN policies.
Hardware Failover: Manage failover to a backup SonicWALL security appliance.
Security Services: Manage subscription-based security services.
Log: From the Log > View page, obtain log event message reports on network activity and user configuration on your SonicWALL security appliance.
Wizards: Launch SonicOS Wizards to guide you through initial Setup, VPN configuration, and adding Public Servers to your network.
Help: Access online help documentation on using the SonicOS management console interface.
Logout: Log out of the SonicOS management console interface.
Solution #1: Securing WLANs with SonicWALL Security Services

This section provides an introduction to the SonicWALL Security Services that provide unified threat management against objectionable and inappropriate Web content, viruses, worms, Trojans, and malicious code for your wired and wireless networks. This section contains the following subsections:
SonicWALL Gateway Anti-Virus/Anti-Spyware/Intrusion Prevention Service section on page 19
SonicWALL Content Filtering Service section on page 24

After reading the Deploying SonicWALL Security Services section, you will understand how these security services protect your network, how to activate each service on your SonicWALL security appliance, and how to enable each service to provide layered security for your WLAN.

SonicWALL Gateway Anti-Virus/Anti-Spyware/Intrusion Prevention Service

SonicWALL Gateway Anti-Virus (GAV), Anti-Spyware and Intrusion Prevention Service (IPS) is SonicWALL's unified threat management solution that integrates gateway anti-virus, anti-spyware and intrusion prevention to deliver intelligent, real-time network security protection against sophisticated application layer and content-based attacks. Using a configurable, high-performance deep packet inspection architecture, SonicWALL GAV, Anti-Spyware and IPS secures the network from the core to the perimeter against a comprehensive array of dynamic threats including viruses, spyware, worms, Trojans, and software vulnerabilities such as buffer overflows, as well as peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code. Because new threats emerge daily and are often unpredictable, the deep packet inspection architecture is constantly updated to deliver the highest protection possible against an ever-changing threat landscape.
This solution features a powerful deep packet inspection engine that delivers threat protection directly on the security gateway by matching downloaded, e-mailed and compressed files against an extensive signature database created by a combination of SonicWALL's SonicAlert Team and third-party sources. SonicWALL GAV, Anti-Spyware and IPS inspects e-mail, Web, file transfer and a multitude of stream-based protocols as well as instant messaging and peer-to-peer applications, providing comprehensive network threat prevention and control. As an added layer of security, SonicWALL GAV, Anti-Spyware and IPS provides application layer attack protection not only against external threats, but also against those originating inside the network.

Because files containing malicious code, viruses and worms can be compressed and therefore inaccessible to conventional solutions, SonicWALL GAV, Anti-Spyware and IPS integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis. Supported compression formats include ZIP, Deflate and GZIP. Unlike other threat management solutions, SonicWALL GAV, Anti-Spyware and IPS has the capacity to analyze files of any size in real time without the need to add expensive hardware drives or extra memory.

SonicWALL GAV, Anti-Spyware and IPS includes a proactive alerting mechanism that notifies network administrators when a new threat is discovered. Granular policy tools and an intuitive user interface enable administrators to configure a custom set of detection or prevention policies tailored to their specific network environment. Available as a subscription-based security service for SonicWALL TZ and PRO Series security appliances, GAV, Anti-Spyware and IPS is a fundamental requirement for ultimate security protection and a key component of SonicWALL's strategy of providing scalable, multi-layered security to networks of all sizes.
This section contains the following subsections:
SonicWALL IPS Protection for Your WLANs section on page 20
SonicWALL GAV Protection for Your WLANs section on page 20
SonicWALL Anti-Spyware Protection for Your WLANs section on page 21
Activating SonicWALL GAV/Anti-Spyware/IPS section on page 21
Enabling SonicWALL IPS section on page 22
Enabling SonicWALL GAV section on page 23
Enabling SonicWALL Anti-Spyware section on page 24

Note: When you activate SonicWALL IPS, SonicWALL GAV and Anti-Spyware are also activated. SonicWALL GAV/Anti-Spyware/IPS security services are managed directly from the SonicWALL security appliance.

SonicWALL IPS Protection for Your WLANs

SonicWALL IPS delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services, and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, peer-to-peer, spyware, and back-door exploits. The extensible signature language used in SonicWALL's Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWALL IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWALL's industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks on a global, attack group, or per-signature basis to provide maximum flexibility and control over false positives. Alternatively, SonicWALL Global Management System provides global management capabilities that enable administrators to manage SonicWALL IPS across multiple SonicWALL security appliances from a central location.
SonicWALL GMS solutions allow administrators to create detailed reports based on attack source, destination and type of intrusion, such as Top Intrusions, Destinations Over Time, and Intrusions Over Time.

SonicWALL GAV Protection for Your WLANs

SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL's IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL's reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams and compressed traffic. Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.

SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or e-mailed files against an extensive and dynamically updated database of virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL's SonicAlert Team, third-party virus analysts, open source developers and other sources.
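The reassembly-free, per-packet scanning described above is easiest to understand from a small model of it. The following is an added example, not SonicWALL's engine or any code from this guide: it decompresses a gzip or Deflate transfer one packet-sized chunk at a time with Python's incremental zlib decompressor and searches the plaintext for a signature, carrying only the last len(signature)-1 bytes between chunks so a match that straddles a packet boundary is still found while memory use stays independent of file size. The signature is a constructed test marker, not a real malware pattern, and the sample transfer is built in the script.

```python
import gzip
import random
import zlib

# Constructed test marker that stands in for a real virus signature. It is not
# an actual malware pattern; it exists only so the example runs offline.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-DO-NOT-ALERT"


class StreamingScanner:
    """Decompress and scan a stream chunk by chunk without reassembling it.

    wbits selects the container: 31 = gzip, 15 = zlib, -15 = raw Deflate,
    None = uncompressed. Only the last len(signature)-1 plaintext bytes are
    retained between chunks, so memory use does not grow with the file.
    """

    def __init__(self, signature=TEST_SIGNATURE, wbits=31):
        self.signature = signature
        self.decomp = zlib.decompressobj(wbits) if wbits is not None else None
        self.carry = b""          # tail of the previous chunk's plaintext
        self.bytes_scanned = 0    # plaintext bytes seen so far
        self.hits = []            # plaintext offsets where the signature matched
        self.max_buffered = 0     # largest window held in memory at any time

    def feed(self, chunk):
        """Consume one packet's payload; return True if the signature matched."""
        data = self.decomp.decompress(chunk) if self.decomp else chunk
        if not data:
            return False
        window = self.carry + data
        self.max_buffered = max(self.max_buffered, len(window))
        window_start = self.bytes_scanned - len(self.carry)
        matched = False
        pos = window.find(self.signature)
        while pos != -1:
            # The carry is shorter than the signature, so a match can never lie
            # entirely inside it; each match is therefore reported exactly once.
            self.hits.append(window_start + pos)
            matched = True
            pos = window.find(self.signature, pos + 1)
        self.bytes_scanned += len(data)
        keep = len(self.signature) - 1
        self.carry = window[-keep:] if keep > 0 else b""
        return matched


def scan_stream(payload, chunk_size=64, wbits=31):
    """Split a captured transfer into packet-sized chunks and scan them in order."""
    scanner = StreamingScanner(wbits=wbits)
    for i in range(0, len(payload), chunk_size):
        scanner.feed(payload[i:i + chunk_size])
    return {
        "hits": scanner.hits,
        "bytes_scanned": scanner.bytes_scanned,
        "max_buffered": scanner.max_buffered,
    }


def build_sample(infected=True, seed=0):
    """Construct a gzip transfer: 5000 random bytes, the marker, 5000 more.

    Random filler is used so the stream is incompressible and is actually
    spread over many chunks when fed to the scanner.
    """
    rnd = random.Random(seed)
    body = rnd.randbytes(5000)
    if infected:
        body += TEST_SIGNATURE
    body += rnd.randbytes(5000)
    return gzip.compress(body)


if __name__ == "__main__":
    for label, sample in (("infected", build_sample()), ("clean", build_sample(False))):
        print(label, scan_stream(sample))
```

With 64-byte chunks the infected sample reports a single hit at plaintext offset 5000 while never holding more than about a hundred bytes of plaintext, which is the property the guide is describing when it says the engine imposes no file-size limit. The same scanner handles raw Deflate data by constructing it with wbits=-15.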
SonicWALL GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, peer-to-peer, instant messenger applications, and dozens of other stream-based protocols, to provide administrators with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis.

SonicWALL Anti-Spyware Protection for Your WLANs

The SonicWALL Anti-Spyware Service protects networks from intrusive spyware by cutting off spyware installations and delivery at the gateway and preventing previously installed spyware from communicating collected information outbound. SonicWALL Anti-Spyware works alongside other anti-spyware programs, such as programs that remove existing spyware applications from hosts. You are encouraged to use or install host-based anti-spyware software as an added measure of defense against spyware.

SonicWALL Anti-Spyware analyzes inbound connections for the most common method of spyware delivery, ActiveX-based component installations. It also examines inbound setup executables and cabinet files crossing the gateway, and resets the connections that are streaming spyware setup files to the LAN. These file packages may be freeware bundled with adware, keyloggers, or other spyware. If spyware was installed on a LAN workstation before the SonicWALL Anti-Spyware solution was installed, the service examines outbound traffic for streams originating at spyware-infected clients and resets those connections.
For example, when spyware that has been profiling a user's browsing habits attempts to send the profile information home, the SonicWALL security appliance identifies that traffic and resets the connection.

Activating SonicWALL GAV/Anti-Spyware/IPS

If you do not have a SonicWALL GAV/Anti-Spyware/IPS Activation Key, you must purchase a license from a SonicWALL reseller or through your mysonicwall.com account.

Note: Your SonicWALL security appliance must be registered at mysonicwall.com to activate any SonicWALL security service. You can create a mysonicwall.com account and register your SonicWALL security appliance via the management interface on the System > Status page. For more detailed instructions on registering a SonicWALL security appliance, refer to the SonicOS Enhanced Administrator's Guide located on the SonicWALL Web site: <

You must activate the bundled SonicWALL GAV/Anti-Spyware/IPS license for SonicWALL IPS first. The Activation Key for SonicWALL IPS is a parent key for SonicWALL GAV. When you activate the SonicWALL IPS license, the SonicWALL GAV child key is automatically activated on the SonicWALL security appliance.

To activate SonicWALL GAV/Anti-Spyware/IPS with an Activation Key:
Step 1: Select the Security Services > Intrusion Prevention page in the SonicWALL security appliance management interface.
Step 2: Click the SonicWALL IPS Subscription link. The mysonicwall.com Login page is displayed.
Step 3: Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears as soon as you click the SonicWALL IPS Subscription link.
Step 4: Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type the Activation Key in the New License Key field and click Submit. Your SonicWALL IPS subscription is activated on your SonicWALL security appliance.

The Security Services > Intrusion Prevention page displays the configuration settings for tailoring the service to match your requirements. The Security Services > Gateway Anti-Virus page and the Security Services > Anti-Spyware page display the configuration settings for those services in the same way.

Enabling SonicWALL IPS

SonicWALL IPS must be enabled on the Security Services > Intrusion Prevention page. You must also specify the signature groups for which you want to globally prevent and detect attacks.

Note: For detailed instructions on configuring SonicWALL GAV/Anti-Spyware/IPS on a SonicWALL security appliance, refer to the SonicWALL Gateway Anti-Virus Administrator's Guide, SonicWALL Anti-Spyware Administrator's Guide and SonicWALL Intrusion Prevention Service Administrator's Guide located on the SonicWALL Web site: <

To enable SonicWALL IPS:
Step 1: Check the Enable IPS check box in the IPS Global Settings section.
Step 2: Check Prevent All and Detect All for High Priority Attacks in the IPS Global Settings table. High Priority Attacks are the most dangerous to your network. They can take down your entire network or disable servers.
With Prevent All enabled, the SonicWALL security appliance automatically drops and resets the connection, preventing the traffic from reaching its destination. With Detect All enabled, the SonicWALL security appliance logs and alerts on any traffic that matches any signature in the group.
Step 3: Check Prevent All for Medium Priority Attacks in the IPS Global Settings table. Medium Priority Attacks can cause disruption to your network, such as increased network traffic that slows down performance. With Prevent All enabled, the SonicWALL security appliance automatically drops and resets the connection, preventing the traffic from reaching its destination.
Step 4: Click Apply to save your changes.

Note: You apply SonicWALL IPS protection to Zones on the Network > Zones page. Refer to Configuring the WLAN Zone on page 36 for applying SonicWALL IPS protection to the WLAN Zone.

Enabling SonicWALL GAV

SonicWALL GAV must be globally enabled on the Security Services > Gateway Anti-Virus page. Check the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section.

Note: Apply SonicWALL GAV protection to the WLAN Zone on the Network > Zones page. Refer to the Configuring the WLAN Zone section on page 36 for applying SonicWALL GAV protection to the WLAN Zone.
Enabling SonicWALL Anti-Spyware

SonicWALL Anti-Spyware must be globally enabled on your SonicWALL security appliance. Select the Enable Anti-Spyware check box (a checkmark is displayed), and then click Apply.

Note: Checking the Enable Anti-Spyware check box does not by itself start SonicWALL Anti-Spyware protection. You must also select a Prevent All action in the Signature Groups table to activate anti-spyware prevention at the global level on the SonicWALL security appliance, and then specify the interfaces or zones you want to protect. You can also select Detect All for spyware event logging and alerting.

SonicWALL Content Filtering Service

SonicWALL Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries by employing an innovative rating architecture that uses a dynamic database to block objectionable and inappropriate Web content such as porn, hate, nudity and violence. At the core of SonicWALL CFS is an architecture that cross-references all Web sites against a database of URLs, IP addresses and domains located at worldwide SonicWALL co-location facilities. A rating is returned to the SonicWALL appliance and then compared to the Content Filtering policy established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL appliance informing the user that the site has been blocked according to policy. SonicWALL CFS is available in 5, 10, 25, 50 and Unlimited node counts and is offered in one-year subscriptions.

This section includes the following subsections:
Activating SonicWALL CFS section on page 24
Enabling CFS section on page 25

Activating SonicWALL CFS

If you do not have a SonicWALL CFS Activation Key, you must purchase a license from a SonicWALL reseller or through your mysonicwall.com account.
Note: Your SonicWALL security appliance must be registered at mysonicwall.com to activate any SonicWALL security service. You can create a mysonicwall.com account and register your SonicWALL security appliance via the management interface on the System > Status page. For more detailed instructions on registering a SonicWALL security appliance, refer to the SonicOS Enhanced Administrator's Guide located on the SonicWALL Web site: <

To activate SonicWALL CFS with an Activation Key:
Step 1: Select the Security Services > Content Filter screen in the SonicOS management interface.
Step 2: Click the SonicWALL Content Filtering Subscription link. The mysonicwall.com Login page is displayed.
Step 3: Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears as soon as you click the SonicWALL Content Filtering Subscription link.
Step 4: Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type the Activation Key in the New License Key field and click Submit. Your SonicWALL CFS subscription is activated on your SonicWALL security appliance. The Security Services > Content Filter page displays the configuration settings for tailoring the service to match your requirements.

Enabling CFS

To enable SonicWALL CFS:
Step 1: Select the Security Services > Content Filter page in the SonicOS management interface.
Step 2: To apply the filter to all computers on your LAN interface, select the LAN checkbox.
Step 3: Click Configure, select the categories to block in the URL List tab, and click OK.
Step 4: Click the Apply button in the top-right corner of the page.

Note: Apply SonicWALL CFS protection to the WLAN Zone on the Network > Zones page. Refer to the Configuring the WLAN Zone section on page 36 for applying SonicWALL CFS protection to the WLAN Zone. For detailed instructions on configuring SonicWALL CFS on the SonicWALL security appliance, refer to the SonicWALL Content Filtering Service Administrator's Guide located on the SonicWALL Web site: <
Solution #2: Configuring a SonicWALL PRO Series Security Appliance to Manage a WLAN of SonicPoints and SonicWALL Long Range Wireless Clients

This section provides deployment procedures to configure a SonicWALL PRO Series security appliance for distributed wireless management. The core of the SonicWALL Secure Wireless Solution consists of secure wireless access points, SonicWALL SonicPoints, managed by a SonicWALL PRO Series security appliance, such as a SonicWALL PRO 5060 security appliance. To manage a SonicWALL Secure Wireless network, you need to configure the SonicWALL PRO Series security appliance.

Basic Concepts

This section provides basic configuration procedures to manage a group of SonicPoints in a WLAN network zone managed by your SonicWALL PRO Series security appliance.
Configuring the SonicWALL Security Appliance for SonicPoint WLAN Management section on page 27
Configuring a SonicPoint Profile section on page 28
Configuring the WLAN Zone section on page 36
Deploying SonicPoints section on page 41
Enabling Secure Wireless Connections section on page 43
Connecting SonicWALL Long Range Dual Band Wireless Clients to SonicPoints section on page 47

Advanced Concepts

This section provides advanced configuration procedures to maintain SonicPoint profiles, provide SonicPoint automatic provisioning, and add multiple wireless network zones with separate GroupVPN policies to your SonicWALL Secure Wireless network.
Managing SonicPoints After Initial Configuration section on page 50
Adding a Wireless Zone section on page 54
Configuring the SonicWALL Security Appliance for SonicPoint WLAN Management

Before you can manage a SonicWALL Secure Wireless deployment with a SonicWALL PRO Series security appliance, you must configure the SonicWALL PRO Series security appliance for initial network connectivity. To do this, you must configure:
Administrative password
LAN
WAN
WLAN (optional)
DHCP server
Management access policies
Registration of the security appliance

You can perform all of these configurations in the SonicOS management interface, or you can use the Setup Wizard to configure the administrative password, the LAN and WAN interfaces, the DHCP server, and registration. You must configure the Wireless security zone (WLAN by default) with the SonicOS management interface. For more detailed instructions on configuring a SonicWALL PRO Series security appliance, refer to the SonicOS Enhanced Administrator's Guide located on the SonicWALL Web site: <

Using the SonicOS Setup Wizard

The SonicWALL Setup Wizard provides a guided setup configuration of your SonicWALL security appliance. Use the SonicWALL Setup Wizard, as depicted in Figure 11, when you need to perform the following routine setup configurations:
Perform initial setup configuration for a new SonicWALL security appliance.
Modify LAN or WAN network settings.
Change the administrative password.

Figure 11 SonicOS Setup Wizard
The SonicWALL Setup Wizard provides a Wizard-guided configuration of the functions described in Table 2.

Table 2 SonicOS Setup Wizard Guided Configuration Functions

Function: Description
Administrative password: Sets the admin password.
Time settings: Sets the time zone for the system clock.
WAN configuration: Sets the WAN networking mode to static IP, DHCP client, PPPoE, or PPTP. Configures the WAN interface network settings, depending on the selected WAN networking mode.
LAN configuration: Configures the IP address, netmask, and DNS servers for the LAN interface.
LAN DHCP server settings: Configures the DHCP server range for clients connected to the LAN interface.

Configure each SonicOS Setup Wizard function to meet your network design requirements, and apply the settings to your SonicWALL security appliance.

Note: The SonicWALL Setup Wizard does not guide you through configuring the default WLAN zone or creating a new Wireless zone. Use the Network > Zones page to configure a Wireless zone.

Configuring a SonicPoint Profile

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a secure distributed wireless architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation. Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile; any profile can apply to any number of zones. When a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone. SonicOS includes a default SonicPoint profile, named SonicPoint. You can modify this profile or create a new one. The default settings for the SonicPoint profile are listed in Table 3.
Table 3 Default SonicPoint Profile Settings

Setting             | 802.11a Radio                           | 802.11g Radio
Enable Radio        | Yes                                     | Yes
SSID                | SonicWALL                               | SonicWALL
Radio Mode          | 54Mbps 802.11a                          | 2.4 GHz 54Mbps 802.11g
ACL Enforcement     | Disabled                                | Disabled
Authentication Type | WEP - Both (Open System & Shared Key)   | WEP - Both (Open System & Shared Key)
Data Rate           | Best                                    | Best
Antenna Diversity   | Best                                    | Best
Adding a SonicPoint Profile

You can add any number of SonicPoint profiles in the Wireless > SonicPoints page of the management interface. The Add SonicPoint Profile window is divided into five tabs as illustrated in Figure 12:
General Tab section on page 29
802.11a Radio Tab section on page 30
802.11a Advanced Tab section on page 31
802.11g Radio Tab section on page 32
802.11g Advanced Tab section on page 34

Figure 12 The Add SonicPoint Profile Window

General Tab

This section describes configuration elements on the General tab as illustrated in Figure 12. General SonicPoint configuration settings include the following:
Enable SonicPoint: When checked, automatically enables each SonicPoint when it is provisioned with this profile.
Name Prefix: A prefix for the names of all SonicPoints connected to this zone. When each SonicPoint is provisioned it is given a name that consists of the name prefix and a unique number (for example: SonicPoint followed by the unique number).
Country Code: The country where the SonicPoint is operating. The country code determines which regulatory domain the radio operation falls under.
802.11a Radio Tab

This section describes configuration elements on the 802.11a Radio tab as illustrated in Figure 13.

Figure 13 The 802.11a Radio Tab

Radio settings for the 802.11a (5GHz band) radio include the following:
Enable 802.11a Radio: When checked, automatically enables the 802.11a radio bands on all SonicPoints provisioned with this profile. When the radio is enabled, the schedule determines when the radio is on. Select Always On, select an existing schedule, or select Create New Schedule to create a custom schedule. Schedules are configured in the System > Schedules page of the SonicOS management interface.
SSID: The SSID of each SonicPoint using this profile. This is the name that will appear in clients' lists of available wireless connections.
Note: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
Radio Mode: The speed of the wireless connection, 54 Mbps or 108 Mbps (Turbo) mode.
Channel: The channel the radio will operate on. The default is AutoChannel, which automatically selects the channel with the least interference. Use AutoChannel unless you have a reason to use or avoid specific channels.

ACL enforcement settings include the following:
Enable MAC Filter List: When selected, enforces Access Control by allowing traffic from devices specified in the Allow List and denying traffic from devices specified in the Deny List.
WEP/WPA encryption settings include the following:
Authentication Type: The method of authentication for your wireless network: WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, or WPA - EAP.
WEP Key Mode: The size of the WEP encryption key.
Default Key: Determines which key in the list below is the default key, which will be tried first when trying to authenticate a user.
Key Entry: Determines whether the key is alphanumeric or hexadecimal.
Key 1 - Key 4: The encryption keys for WEP encryption. Enter the key most likely to be used in the field you selected as the default key.

802.11a Advanced Tab

This section describes configuration elements on the 802.11a Advanced tab as illustrated in Figure 14.

Figure 14 The 802.11a Advanced Tab

Performance settings for the 802.11a radio. For most 802.11a advanced options, the default settings provide optimum performance.
Hide SSID in Beacon: Check this option to have the SSID broadcast as part of the wireless beacon, rather than as a separate broadcast.
Schedule IDS Scan: Select a schedule for the SonicPoint to automatically perform an IDS Scan. IDS Scans can briefly interrupt wireless connectivity, so automatic scans should be scheduled for a time with a lower amount of network activity. You can select an existing schedule or create one of your own.
Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. You can select: Best, 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, or 54 Mbps.
Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.

Antenna Diversity: Select whether you want to use both antennas, one antenna, or have the SonicPoint automatically select the best setup for the situation.

Beacon Interval (milliseconds): Enter the number of milliseconds between sending out wireless beacons.

DTIM Interval: The Delivery Traffic Indication Message (DTIM) is a component of the beacon sent by the SonicPoint to alert clients that are in sleep (power saving) mode that there is data waiting for them. The DTIM Interval specifies the number of beacons that are sent between Delivery Traffic Indication Messages.

Fragmentation Threshold (bytes): Enter the number of bytes of fragmented data you want the network to allow.

RTS Threshold (bytes): Enter the number of bytes.

Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time.

802.11g Radio Tab

These settings affect the operation of the 802.11g and 802.11b radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both the 802.11a and 802.11g bands at the same time. The settings in the 802.11g Radio and 802.11g Advanced tabs are similar to the settings in the 802.11a Radio and 802.11a Advanced tabs. This section describes configuration elements on the 802.11g Radio tab as illustrated in Figure 15.

Figure 15 The 802.11g Radio Tab

32
Radio settings for the 802.11g (2.4GHz band) radio include the following:

Enable 802.11g Radio: When checked, automatically enables the 802.11g radio bands on all SonicPoints provisioned with this profile. When the radio is enabled, the schedule determines when the radio is on. Select Always On, select an existing schedule, or select Create New Schedule to create a custom schedule. Schedules are configured in the System > Schedules page of the SonicOS management interface.

SSID: The SSID of each SonicPoint using this profile. This is the name that will appear in clients' lists of available wireless connections.

Note: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.

Radio Mode: The speed of the wireless connection, 11 Mbps (802.11b), 54 Mbps (802.11g), or 108 Mbps (Turbo) mode.

Channel: The channel the radio will operate on. The default is AutoChannel, which automatically selects the channel with the least interference. Use AutoChannel unless you have a reason to use or avoid specific channels.

ACL enforcement settings include the following:

Enable MAC Filter List: When selected, enforces Access Control by allowing traffic from devices specified in the Allow List and denying traffic from devices specified in the Deny List.

WEP/WPA encryption settings include the following:

Authentication Type: The method of authentication for your wireless network: WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, or WPA - EAP.

WEP Key Mode: The size of the WEP encryption key.

Default Key: Determines which key in the list below is the default key, which will be tried first when trying to authenticate a user.

Key Entry: Determines whether the key is alphanumeric or hexadecimal.

Key 1 - Key 4: The encryption keys for WEP encryption. Enter the key most likely to be used in the field you selected as the default key.

33
802.11g Advanced Tab

This section describes configuration elements on the 802.11g Advanced tab as illustrated in Figure 16.

Figure 16 The 802.11g Advanced Tab

Performance settings for the 802.11g radio. For most 802.11g advanced options, the default settings provide optimum performance.

Hide SSID in Beacon: Check this option to have the SSID broadcast as part of the wireless beacon, rather than as a separate broadcast.

Schedule IDS Scan: Select a schedule for the SonicPoint to automatically perform an IDS Scan. IDS Scans can briefly interrupt wireless connectivity, so automatic scans should be scheduled for a time with a lower amount of network activity. You can select an existing schedule or create one of your own.

Data Rate: Select the speed at which data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. You can select: Best, 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, or 54 Mbps.

Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.

Antenna Diversity: Select whether you want to use both antennas, one antenna, or have the SonicPoint automatically select the best setup for the situation.

Beacon Interval (milliseconds): Enter the number of milliseconds between sending out a wireless beacon.

DTIM Interval: The Delivery Traffic Indication Message (DTIM) is a component of the beacon sent by the SonicPoint to alert clients that are in sleep (power saving) mode that there is data waiting for them. The DTIM Interval specifies the number of beacons that are sent between Delivery Traffic Indication Messages.

Fragmentation Threshold (bytes): Enter the number of bytes of fragmented data you want the network to allow.

34
RTS Threshold (bytes): Enter the number of bytes.

Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time.

Preamble Length: The preamble is a portion of the wireless frame that is used to define information, such as timing and phase, necessary for a client to synchronize to the SonicPoint. The preamble length of the clients must match that of the SonicPoint. Older wireless client cards used Long Preambles. However, most newer client wireless cards use the more efficient Short Preamble standard.

Protection Mode: Protection can decrease collisions, particularly where you have two overlapping SonicPoints. However, it can slow down performance. Auto is probably the best setting, as it will engage only in the case of overlapping SonicPoints.

Protection Rate: The protection rate determines the data rate when protection is on. The slowest rate offers the greatest degree of protection but the slowest data transmission rate. Choose 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.

Protection Type: Select the type of handshake used to establish a wireless connection: CTS-only or RTS-CTS. 802.11b traffic is only compatible with CTS.

CCK OFDM Power Delta: This setting determines the difference in transmission power between 802.11b (CCK mode) and 802.11g (OFDM mode). When both 802.11g and 802.11b are used simultaneously, 802.11g covers a smaller physical area than 802.11b. Increasing the CCK OFDM Power Delta lowers the transmission power for 802.11b, so the two radio modes will cover the same area. Choose 0 dBm, 1 dBm, or 2 dBm.

Enable Short Slot Time: Select Enable Short Slot Time to increase performance if you only expect 802.11g traffic. 802.11b is not compatible with short slot time.

Allow Only 802.11g Clients to Connect: Select this to block all traffic from 802.11b clients, allowing your network to take advantage of the features of 802.11g.

Provisioning the SonicPoint

When a SonicPoint unit is first connected and powered up, it will have a factory default configuration (IP Address , username: admin, password: password). Upon initializing, it will attempt to find a SonicOS device (such as a SonicWALL PRO Series security appliance) with which to peer. If it is unable to find a peer SonicOS device, it will enter into a stand-alone mode of operation with a separate stand-alone configuration, allowing it to operate as a standard Access Point. If the SonicPoint does locate, or is located by, a peer SonicOS device via the SonicWALL Discovery Protocol, an encrypted exchange between the two units will ensue, wherein the profile assigned to the relevant Wireless Zone will be used to automatically configure (provision) the newly added SonicPoint unit.

Figure 17 Newly Provisioned SonicPoint

35
As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a unique name, and it will record its MAC address and the interface and WLAN Zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant WLAN Zone to configure the 2.4GHz and 5GHz radio settings.

Configuring the WLAN Zone

Adding a Wireless Zone

To connect SonicPoints to a SonicWALL security appliance, you must connect them to an interface assigned to a Wireless zone. Wireless is a security type applied to the WLAN zone or any zone intended for wireless traffic. You can optionally configure a Wireless zone to accept only traffic through SonicPoints; all other traffic will be dropped. You typically use WiFiSec to secure traffic in a Wireless zone.

The Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless Zone activates SonicWALL Discovery Protocol (SDP) and SonicWALL Simple Provisioning Protocol (SSPP) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.

The SonicWALL security appliance comes with a default Wireless zone called WLAN. In most instances you can configure the WLAN zone and assign it to the interface you want to use for SonicPoints. You may want to configure the settings of the WLAN zone to meet your requirements. The Edit Zone window for the WLAN zone, or any zone of the Wireless security type, is divided into three tabs, General, Wireless, and Guest Services, as illustrated in Figure 18:

General Tab section on page 37
Wireless Tab section on page 37
Guest Services Tab section on page 38

Figure 18 Adding a Wireless Zone - the General Tab

36
General Tab

This section describes configuration elements on the General tab as illustrated in Figure 18. General configuration settings include the following:

Allow Interface Trust - Automates the creation of Access Rules to allow traffic to flow between the interfaces assigned to the same zone.

Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public, or WLAN zones.

Enforce Network Anti-Virus Service - Enforces anti-virus protection on multiple interfaces in the same Trusted, Public, or WLAN zones.

Enforce Gateway Anti-Virus (GAV) Service - Enforces GAV protection on multiple interfaces in the same Trusted, Public, or WLAN zones.

Enable Intrusion Protection Service (IPS) - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public, or WLAN zones.

Enabling Global Security Clients - Requires wireless clients to use the SonicWALL Global Security Client for VPN access and security services in the same Trusted, Public, or WLAN zones.

Create Group VPN - Creates a GroupVPN policy for the Wireless zone.

Note: The wireless zone must have GroupVPN configured in order to use WiFiSec.

Wireless Tab

This section describes configuration elements on the Wireless tab as illustrated in Figure 19.

Figure 19 Adding a Wireless Zone - the Wireless Tab

37
Wireless settings for the wireless zone include the following:

Only allow traffic generated by a SonicPoint - only allows traffic to or from a SonicPoint. All other traffic is dropped.

WiFiSec Enforcement - when selected, requires that all traffic entering the WLAN Zone interface be IPSec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients are required to use the strong security of IPSec. The VPN connection inherent in WiFiSec terminates at the WLAN GroupVPN.

WiFiSec Exception Service - allows you to select one or more services for which WiFiSec is not enforced.

Require WiFiSec for Site-to-Site VPN Tunnel Traversal - requires WiFiSec security for all wireless connections through the WLAN zone that are part of a site-to-site VPN.

Trust WPA traffic as WiFiSec - allows WPA as an alternative to IPSec. Both WPA-PSK (Pre-shared key) and WPA-EAP (Extensible Authentication Protocol) using an external 802.1x/EAP capable RADIUS server are supported on SonicPoints.

SonicPoint settings for the wireless zone include the following:

SonicPoint Provisioning Profile - specifies which SonicPoint Profile to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it is automatically provisioned with the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.

Guest Services Tab

This section describes configuration elements on the Guest Services tab as illustrated in Figure 20.

Figure 20 Adding a Wireless Zone - the Guest Services Tab

Enable Wireless Guest Services - enables WGS on the WLAN zone.

Enforce Guest Login over HTTPS - forces guests to use HTTPS to log into WGS.

Enable inter-guest communication - allows guests connecting to SonicPoints in this WLAN Zone to communicate directly with each other while wireless.

Bypass AV Check for Guests - allows WGS traffic to bypass SonicWALL's GAV Service.

38
Enable Dynamic Address Translation (DAT) - WGS provides spur-of-the-moment hotspot access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the SonicWALL wireless platform DHCP services, and authenticate using any web browser. Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the SonicWALL wireless platform WLAN network settings, network connectivity is prevented until the user's settings change to compatible values. DAT is a form of Network Address Translation (NAT) that allows the SonicWALL wireless platform to support any IP addressing scheme for WGS users. For example, the SonicWALL wireless platform WLAN interface is configured with its default address of , one WGS client has a static IP address of and a default gateway of , while another has a static IP address of and a gateway of ; DAT enables network communication for both of these clients.

Enable External Guest Authentication - redirects guest users to the log-in web page of an existing authentication system. Click Configure to set up access to your existing user authentication system. For an example of configuring external guest authentication, refer to the Solution #8: Configuring a Lightweight Hotspot Messaging Network section on page 106.

Custom Authentication Page - redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.

Post Authentication Page - directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.

Bypass Guest Authentication - allows guests connecting from the device or network you select to connect without requiring guest authentication. Select the MAC address, IP address, or subnet for which to bypass authentication. This allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.

Redirect SMTP traffic to - redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.

Deny Networks - blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.

Pass Networks - automatically allows traffic through the WLAN zone from the networks you select.

Max Guests - specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is
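The Wireless tab checks described above (SonicPoint-only traffic, WiFiSec Enforcement with its guest and exception-service escapes, and Trust WPA traffic as WiFiSec), modelled as an added example for reasoning about which wireless flows a zone drops. This is not SonicOS code; the evaluation order, the field names and the sample flows are assumptions, and the defaults follow Table 4 of this guide.

```python
"""Added example: a model of the WLAN zone Wireless-tab checks as this guide
describes them. Not SonicOS code; check order and field names are assumed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class WirelessZoneSettings:
    """The Wireless tab of the Edit Zone window; defaults follow Table 4."""
    only_sonicpoint_traffic: bool = True   # "Only allow traffic generated by a SonicPoint"
    wifisec_enforcement: bool = True       # Table 4 default: Enabled
    trust_wpa_as_wifisec: bool = True      # Table 4 default: Enabled
    wifisec_exception_services: FrozenSet[str] = frozenset()  # "WiFiSec Exception Service"


@dataclass(frozen=True)
class WirelessFlow:
    """One flow entering the WLAN zone interface (constructed data, not a capture)."""
    client: str
    via_sonicpoint: bool   # the flow came through a peered SonicPoint
    ipsec: bool            # carried inside the WLAN GroupVPN tunnel (WiFiSec)
    wpa: bool              # client associated with WPA-PSK or WPA-EAP
    guest: bool            # authenticated Wireless Guest Services user
    service: str           # service object name, e.g. "HTTP"


def evaluate(zone: WirelessZoneSettings, flow: WirelessFlow) -> Tuple[bool, str]:
    """Return (allowed, reason). Assumed order: the SonicPoint-origin check first,
    then WiFiSec Enforcement with its guest, exception-service, IPSec and WPA escapes."""
    if zone.only_sonicpoint_traffic and not flow.via_sonicpoint:
        return False, "dropped: not generated by a SonicPoint"
    if not zone.wifisec_enforcement:
        return True, "allowed: WiFiSec Enforcement disabled"
    if flow.guest:
        return True, "allowed: guest client, WiFiSec applies to non-guest clients only"
    if flow.service in zone.wifisec_exception_services:
        return True, f"allowed: {flow.service} is a WiFiSec exception service"
    if flow.ipsec:
        return True, "allowed: IPSec traffic terminating at the WLAN GroupVPN"
    if flow.wpa and zone.trust_wpa_as_wifisec:
        return True, "allowed: WPA traffic trusted as WiFiSec"
    if flow.wpa:
        return False, "dropped: WPA not trusted as WiFiSec, IPSec required"
    return False, "dropped: cleartext wireless traffic under WiFiSec Enforcement"


# Constructed flows, one per branch of the evaluation above.
SAMPLE_FLOWS: List[WirelessFlow] = [
    WirelessFlow("laptop-gvc", True, True, False, False, "HTTP"),
    WirelessFlow("laptop-wpa", True, False, True, False, "HTTP"),
    WirelessFlow("laptop-open", True, False, False, False, "HTTP"),
    WirelessFlow("guest-phone", True, False, False, True, "HTTP"),
    WirelessFlow("laptop-open-dns", True, False, False, False, "DNS"),
    WirelessFlow("rogue-ap-client", False, True, False, False, "HTTP"),
]


def audit(zone: WirelessZoneSettings, flows: List[WirelessFlow]) -> List[Tuple[str, bool, str]]:
    """Evaluate every flow and return (client, allowed, reason) rows, the way a
    detection engineer checks that a zone's settings drop what they should."""
    return [(f.client, *evaluate(zone, f)) for f in flows]


if __name__ == "__main__":
    default_zone = WirelessZoneSettings(wifisec_exception_services=frozenset({"DNS"}))
    for client, allowed, reason in audit(default_zone, SAMPLE_FLOWS):
        print(f"{client:16} {'ALLOW' if allowed else 'DROP ':5} {reason}")
```

Flipping Trust WPA traffic as WiFiSec off turns the WPA-only client into a drop, which is the setting to use when every non-guest client is expected to run GVC/GSC.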
Default WLAN Zone Settings

By default, the WLAN zone has the following settings:

Table 4 Default WLAN Zone Settings

General
  Name                                                    WLAN
  Security Type                                           Wireless
  Allow Interface Trust                                   Enabled
  Enforce Content Filtering Service                       Enabled if you have registered CFS for this security appliance
  Enforce Anti-Virus Service                              Enabled if you have registered Anti-Virus Service for this security appliance
  Enable IPS                                              Enabled if you have registered IPS for this security appliance

Wireless
  WiFiSec Enforcement                                     Enabled
  Require WiFiSec for Site-to-Site VPN Tunnel Traversal   Enabled
  Trust WPA traffic as WiFiSec                            Enabled
  SonicPoint Provisioning Profile                         SonicPoint

Guest Services
  Enable Wireless Guest Services                          Enabled
  Enforce Guest Login over HTTPS                          Disabled
  Enable inter-guest communication                        Disabled
  Enable Dynamic Address Translation (DAT)                Enabled
  Bypass Guest Authentication                             Disabled
  Redirect SMTP traffic to                                Disabled
  Deny Networks                                           Disabled
  Pass Networks                                           Disabled
  Custom Authentication Page                              Disabled
  Post Authentication Page                                Disabled
  Max Guests                                              10

Configuring the WLAN Zone Interface

SonicPoints must be connected to an interface that is assigned to the WLAN or a Wireless network zone. You can assign several interfaces to a single network zone. You assign interfaces to a zone in the Network > Interfaces page of the management interface:

Step 1  Edit an interface.
Step 2  Select WLAN for the zone.
Step 3  Specify an IP address in the range you want for the SonicPoints. Typically, the IP address should be at the beginning of the range. Configure DHCP server IP address ranges in the Network > DHCP Server page of the management interface.

40
Deploying SonicPoints

Deploy SonicPoints after you have configured the SonicPoint profiles and the WLAN network zones on your SonicWALL PRO security appliance. Deploying SonicPoints involves the following steps:

Applying Power to the SonicPoint section on page 41
Applying Power with the SonicWALL PoE Injector section on page 41
Connecting the SonicPoint to the Network section on page 42
Registering Your SonicPoint section on page 42

Applying Power to the SonicPoint

Attach the power supply to the power cord. Plug the power adapter into the SonicPoint and plug the other end into a power outlet. The Power light turns green when power is applied to the SonicPoint.

Applying Power with the SonicWALL PoE Injector

If you are using the SonicWALL PoE Injector, you do not need to plug a separate power cord into the SonicPoint. The SonicPoint has the option of receiving power through the Ethernet cable inserted into its LAN port for enhanced deployment flexibility. To apply power with the SonicWALL PoE injector, plug the power cord of the SonicWALL PoE injector into the power outlet. Connect an Ethernet cable to the Data and Power out port on the SonicWALL PoE Injector, and connect the other end of the Ethernet cable to the LAN port on the back of your SonicPoint as illustrated in Figure 21.

Figure 21 Applying Power with the SonicWALL PoE Injector (labels: Ethernet cable, Data in, LAN, Data and Power out, SonicWALL PoE Injector, To SonicPoint)

41
Connecting the SonicPoint to the Network

If you are not using a SonicWALL PoE Injector, connect one end of an Ethernet cable to the WLAN zone interface that you created earlier on the SonicWALL security appliance and the other end of the cable to either the LAN port on the SonicPoint or any Layer 2 hub or switch.

If you are using a SonicWALL PoE Injector, connect one end of the Ethernet cable to the WLAN zone interface on your security appliance and the other end of the cable to the Data In port on the SonicWALL PoE Injector. Connect the Data and Power Out port on the SonicWALL PoE Injector to the LAN port on your SonicPoint. The link LED lights up to indicate an active connection.

Note: It takes approximately one minute for the SonicWALL security appliance to auto-provision the SonicPoint. At the end of this process, your SonicPoint is configured with the settings in the default SonicPoint provisioning profile.

Registering Your SonicPoint

Your SonicPoint should automatically display in the list on the Wireless > SonicPoints page. If it does not:

Check that the SonicPoint is properly connected to the SonicWALL security appliance.
Make sure the interface the SonicPoint is connected to is configured as part of a Wireless zone (WLAN by default).
Click the Synchronize SonicPoints button near the top-right corner of the page.

Once you have set up your SonicPoint, you can register it at mysonicwall.com. Registering your SonicPoint provides you with access to SonicWALL technical support for the device. You register a SonicPoint on mysonicwall.com as a child device of the registered SonicWALL security appliance with which you are managing the SonicPoint. Therefore, you must have a mysonicwall.com account already set up and have your security appliance registered before you can register your SonicPoint.

Note: Your mysonicwall.com registration information is not sold or shared with any other company.
To register your SonicPoint:

Step 1  In your web browser, log into your account at <
Step 2  In the list of registered products, click on the link for the SonicWALL security appliance you are using to manage the SonicPoint.
Step 3  At the bottom of the Service Management page, under the Child Product Type heading, click the SonicPoint link.
Step 4  In the My Product - Associated Products page, enter the serial number of the SonicPoint. You can also enter a friendly name, which mysonicwall.com uses to communicate with you about the SonicPoint.
Step 5  Click Register, and your SonicPoint is registered and associated with the security appliance you are using to manage it.

42
Enabling Secure Wireless Connections

Enabling a secure wireless connection through your SonicPoint involves the following configuration steps in the management interface of your SonicWALL security appliance and on the wireless clients:

Verifying WiFiSec Enforcement is Enabled on the WLAN Zone section on page 43
Enabling the WLAN GroupVPN Policy on Your Wireless Zone section on page 44
Configuring Users with Authenticated Access to the GroupVPN Policy section on page 45

Verifying WiFiSec Enforcement is Enabled on the WLAN Zone

WiFiSec is a security protocol that uses an IPSec VPN over the wireless connection to maintain security. WiFiSec enforcement is enabled by default on the WLAN zone.

Note: Enabling WiFiSec enforcement on a WLAN network zone provides the highest level of wireless security possible for your SonicPoint.

To verify WiFiSec is enforced on the WLAN zone:

Step 1  In the management interface of your SonicWALL security appliance, click on Network in the left-navigation menu, and then click on Zones under Network.
Step 2  In the list of zones on the Network > Zones page, click the edit icon in the same line as your Wireless zone.

Figure 22 Zone Settings Table

43
Step 3  In the Edit Zone window, click the Wireless tab.
Step 4  In the Wireless tab, verify that the WiFiSec Enforcement box is checked and click OK.

Figure 23 Enabling WiFiSec on the WLAN Zone

Enabling the WLAN GroupVPN Policy on Your Wireless Zone

Enabling the default WLAN GroupVPN policy on your Wireless zone allows wireless clients to access your network securely using SonicWALL GVC or SonicWALL GSC.

Note: If you are using a custom Wireless zone, you need to add a GroupVPN policy for the Wireless zone. For detailed instructions on adding GroupVPN policies, refer to the SonicOS Enhanced Administrator's Guide, available from the SonicWALL web site at <

To enable the WLAN GroupVPN policy:

Step 1  In the management interface of your SonicWALL security appliance, click on VPN in the left-navigation menu, and then click on Settings under VPN.
Step 2  In the list of VPN policies on the VPN > Settings page, check the box under Enable for the WLAN GroupVPN policy.

44
To make connecting wireless clients to your secure wireless network easier, you can specify that all SonicWALL GVC or SonicWALL GSC connections use the default shared secret value generated by the SonicWALL security appliance. If you do not configure the WLAN GroupVPN policy with this setting, wireless clients are prompted for the shared secret value, which they must enter before establishing a WiFiSec connection.

To enable the automatic downloading of the shared secret to SonicWALL GVC or SonicWALL GSC clients with the WLAN GroupVPN policy:

Step 1  In the list of VPN policies on the VPN > Settings page, click the edit icon in the same line as your WLAN GroupVPN policy.
Step 2  In the VPN Policy window, click on the Client tab.
Step 3  In the Client page, check the Use Default Key for Simple Client Provisioning checkbox and click OK.

Configuring Users with Authenticated Access to the GroupVPN Policy

You can configure authenticated VPN access for individual users, or configure VPN access for a group, using the SonicWALL security appliance's local user database or an external RADIUS, LDAP, or Microsoft Active Directory (AD) server.

Note: For more information on configuring the SonicWALL security appliance to use RADIUS, LDAP, or Microsoft Active Directory (AD) for authenticating VPN clients, refer to the SonicOS Enhanced Administrator's Guide, located on the SonicWALL web site at <

45
Adding Users to the SonicWALL Security Appliance Local User Database for VPN Access

To add an individual user to the SonicWALL security appliance's local user database for VPN access:

Note: If you use Simple Provisioning, use XAUTH to authenticate users. Otherwise, you are providing unauthenticated, open access to your network.

Step 1  In the management interface of your SonicWALL security appliance, click on Users in the left-navigation menu, and then click on Local Users under Users.
Step 2  In the Users > Local Users page, click Add User.
Step 3  In the Add User window:
        Settings - Enter the Name and Password of the user.
        Group - Select the groups the user should belong to. The user automatically has any VPN access configured for the group.
        VPN Access - Select the networks, subnets, and IP addresses the user should have access to when connected via GroupVPN. For example, All WAN IP, WLAN Subnets, LAN Primary Subnets, and WLAN Remote Access Networks.
Step 4  Click OK.

Configuring VPN Access for Local Groups

To configure VPN access for a group:

Step 1  In the management interface of your SonicWALL security appliance, click on Users in the left-navigation menu, and then click on Local Groups under Users.
Step 2  In the Users > Local Groups page, click the edit icon in the same line as any group displayed in the Local Groups table, or click Add Group to create a custom group. For more information on configuring Local Groups, refer to the Managing Local Users and Local Groups section in the SonicOS Enhanced Administrator's Guide.

46
Step 3  In the Edit Group window, click the VPN Access tab. Select the networks, subnets, and IP addresses the user should have access to when connected using GroupVPN, for example, WLAN Subnets and WLAN Remote Access Networks.
Step 4  Click OK.

Connecting SonicWALL Long Range Dual Band Wireless Clients to SonicPoints

This section contains the following subsections:

Performing a Wireless Client Site Survey Scan for Available SonicPoints section on page 47
Connecting to the SonicWALL Secure Wireless Network section on page 48
Encrypting Wireless Client Communication with WEP section on page 48

Wireless Client Configuration Prerequisites

For wireless clients to connect to your WLAN zone, the wireless clients require the following:

Install the SonicWALL Long Range Dual Band Wireless Card drivers on your client system
(Optional) Configure the SonicWALL Client Utility to add the SonicPoint SSID
Install SonicWALL GVC or SonicWALL GSC for a secure wireless connection

Performing a Wireless Client Site Survey Scan for Available SonicPoints

Browse the available access points in your network environment by clicking Rescan, and connect to one of them by clicking Connect on the Site Survey tab.

SSID - Service Set Identifier (SSID), a unique identifier for a WLAN. Multiple access points on the same WLAN can share the same SSID.
BSSID - MAC address of an access point.
Channel - operating channel number of an access point.
Link Quality - quality of link status.
WEP - Y indicates the WEP function is enabled in an access point. N indicates the WEP function is disabled in an access point.
Mode - indicates the mode access points use (Infrastructure or Peer to Peer).

47
Connecting to the SonicWALL Secure Wireless Network

You connect to the wireless network according to the requirements of your client operating system. Your wireless client may automatically detect and display the SonicPoint's SSID in a list of available wireless networks, or you may need to manually configure your wireless card with the SonicPoint's SSID.

Encrypting Wireless Client Communication with WEP

Encryption allows you to design your network to increase data transmission security. Select a 64-bit or 128-bit WEP (Wired Equivalent Privacy) key to encrypt data. The default setting is Disable. When you use WEP to communicate with the other wireless clients, wireless devices must share the same encryption key or passphrase. Choose one of the encryption key sizes (64-bit or 128-bit) from the Encryption (WEP Security) menu to create an encryption key. Select either Create Keys Manually or Create Keys with Passphrase. There are two character formats, Alphanumeric and Hexadecimal, for entering a key.

Create Keys Manually - Alphanumeric. Type 5-13 alphanumeric characters in the key field.
Create Keys Manually - Hexadecimal. Type hexadecimal digits (0-9; A-F) in the key field.
Use WEP Key - This drop-down list allows you to specify which of the four encryption keys you want to use.
Create Keys with Passphrase - Type a character string in the Passphrase field.
Disabled - Select Disabled from the Encryption (WEP security) menu to disable the encryption function.

Data Mode Alphanumeric Hexadecimal 64 bit bit
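The key-length rules behind the Key Entry modes above and on the profile's WEP settings (a 64-bit key is 5 alphanumeric characters or 10 hexadecimal digits, a 128-bit key is 13 characters or 26 digits), as an added validation example. This is not SonicWALL's client utility or SonicOS code; the settings dictionary layout and the function names are assumptions.

```python
"""Added example (not SonicWALL code): validate WEP keys entered in the
Alphanumeric or Hexadecimal Key Entry modes and normalize them to hex.
Lengths are the standard WEP sizes: a 64-bit key is a 40-bit secret (5 bytes)
plus the 24-bit IV; a 128-bit key is a 104-bit secret (13 bytes) plus the IV."""
import re
from typing import Dict

KEY_BYTES = {"64-bit": 5, "128-bit": 13}
HEX_KEY_RE = re.compile(r"[0-9A-Fa-f]+")  # hexadecimal entry uses 0-9 and A-F only


def normalize_wep_key(key: str, key_entry: str, key_mode: str) -> str:
    """Check one key against its Key Entry mode and WEP Key Mode; return lowercase hex."""
    if key_mode not in KEY_BYTES:
        raise ValueError(f"unknown WEP key mode {key_mode!r}")
    nbytes = KEY_BYTES[key_mode]
    if key_entry == "alphanumeric":
        # One printable ASCII character per key byte: 5 for 64-bit, 13 for 128-bit.
        if len(key) != nbytes or not all(32 <= ord(c) < 127 for c in key):
            raise ValueError(f"{key_mode} alphanumeric key needs {nbytes} ASCII characters")
        return key.encode("ascii").hex()
    if key_entry == "hexadecimal":
        # Two hex digits per key byte: 10 for 64-bit, 26 for 128-bit.
        if len(key) != 2 * nbytes or not HEX_KEY_RE.fullmatch(key):
            raise ValueError(f"{key_mode} hexadecimal key needs {2 * nbytes} hex digits")
        return key.lower()
    raise ValueError(f"unknown key entry mode {key_entry!r}")


def validate_wep_settings(settings: Dict[str, str]) -> Dict[int, str]:
    """Validate the Key 1 - Key 4 slots and the Default Key selection of a profile.
    The dictionary layout (key_mode, key_entry, default_key, key1..key4) is assumed.
    Returns {slot: hex_key} for the filled slots; raises on any misconfiguration,
    including a Default Key that points at an empty slot (the key tried first)."""
    key_mode = settings["key_mode"]
    key_entry = settings["key_entry"]
    default_slot = int(settings["default_key"])
    if default_slot not in (1, 2, 3, 4):
        raise ValueError("Default Key must select Key 1 - Key 4")
    keys: Dict[int, str] = {}
    for slot in (1, 2, 3, 4):
        raw = settings.get(f"key{slot}", "")
        if raw:
            keys[slot] = normalize_wep_key(raw, key_entry, key_mode)
    if default_slot not in keys:
        raise ValueError(f"Default Key is Key {default_slot} but that slot is empty")
    return keys


if __name__ == "__main__":
    # Constructed profile: 64-bit keys entered in hexadecimal, Key 2 as the default.
    profile = {"key_mode": "64-bit", "key_entry": "hexadecimal", "default_key": "2",
               "key1": "0000000000", "key2": "1122334455"}
    print(validate_wep_settings(profile))
```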
Establishing WiFiSec Connections to SonicPoints Using the SonicWALL Global Security Client

For a wireless client to securely connect to the SonicPoint using WiFiSec, the SonicWALL Global Security Client (GSC) must be installed and configured. Once installed, use the SonicWALL Global VPN Client (GVC), a part of SonicWALL GSC, to establish a WiFiSec connection. Installing and configuring SonicWALL GSC involves the following procedures:

(Prerequisite step) Installing the SonicWALL GSC using the Setup Wizard
Creating an Office Gateway Connection Profile Using the New Connection Wizard section on page 49
Establishing a WiFiSec VPN Connection with a SonicPoint Using the WLAN Group VPN Policy section on page 50

Note: Perform the instructions in the Setup Wizard to install SonicWALL GSC. For complete product documentation on SonicWALL GVC or SonicWALL GSC, refer to the SonicWALL Web site at <

Creating an Office Gateway Connection Profile Using the New Connection Wizard

To create an Office Gateway connection profile using the New Connection Wizard:

Step 1  In your Windows Start Menu, choose Start > Programs > SonicWALL Global VPN Client. The first time you open SonicWALL GVC, the New Connection Wizard automatically launches.
        Note: If the New Connection Wizard does not display, click the New Connection Wizard icon on the far left side of the toolbar to launch it.
        Click Next.
Step 2  In the Choose Scenario page, select Office Gateway. Click Next.
Step 3  In the Completing the New Connection Wizard page, select any of the following options:
        Select Create a desktop shortcut to this connection if you want to create a shortcut icon on your desktop for this VPN connection.
        Select Enable this connection when the program is launched if you want to automatically establish this VPN connection when you launch the SonicWALL GVC.
Step 4  Click Finish. The new VPN connection policy appears in the SonicWALL Global VPN Client window.

49
Establishing a WiFiSec VPN Connection with a SonicPoint Using the WLAN Group VPN Policy

To establish a WiFiSec VPN connection with a SonicPoint using the WLAN GroupVPN policy:

Step 1 In the SonicWALL Global VPN Client window, double-click the Office Gateway profile. The Connection Warning dialog box may display, informing you that all traffic that is not going to the secured VPN gateway will be blocked.
Step 2 Click Yes to continue.
Step 3 In the Enter Username/Password dialog box, enter the authentication credentials for the user configured in the SonicWALL security appliance's local user database for access to the WLAN GroupVPN.
Step 4 Click OK. You now have secure wireless access to all the networks, subnets, and addresses to which you assigned the user access.

Managing SonicPoints After Initial Configuration

This section provides instructions to help you maintain SonicPoint profiles and provide automatic SonicPoint provisioning. This section contains the following subsections:
SonicPoint Profiles section on page 50
Automatic SonicPoint Provisioning section on page 51
SDP and SSPP section on page 51

SonicPoint Profiles

SonicPoint Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Secure Wireless Architecture. A SonicPoint Profile definition includes all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, including SSIDs, encryption settings, MAC filters, channels of operation, etc. Once defined, profiles can be applied at the zone level in a fully flexible fashion: one Wireless zone can use one profile while a different Wireless zone uses another.

50
Automatic SonicPoint Provisioning

As part of the provisioning process, SonicOS assigns the discovered SonicPoint device a unique name and records its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS then uses the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings.

Modifications to profiles do not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways:

Using manual configuration changes: Appropriate when a single change, or a small set of changes, is to be applied, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
Using un-provisioning: Deleting a SonicPoint unit effectively un-provisions the unit, that is, clears its configuration and places it into a state where it automatically engages the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed and the change is to be propagated. It can be used to update firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.

SDP and SSPP

The SonicWALL Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and devices running SonicOS Enhanced 2.5 and higher. SDP is the foundation for the automatic provisioning of SonicPoint units, using the following messages:

Advertisement: SonicPoint devices without a peer periodically, and on startup, announce or advertise themselves via a broadcast. The advertisement includes information used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device then reports the state of all peered SonicPoints and takes configuration actions as needed.
Discovery: SonicOS devices periodically send discovery request broadcasts to elicit responses from L2-connected SonicPoint units.
Configure Directive: A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning and to set the parameters for configuration mode.
Configure Acknowledgement: A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
Keepalive: A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.

If, via the SDP exchange, the SonicOS device ascertains that the SonicPoint requires provisioning or a configuration update (for example, when the governing security appliance has upgraded its firmware), the Configure Directive engages a 3DES-encrypted, reliable, TCP-based SonicWALL Simple Provisioning Protocol (SSPP) channel. The SonicOS device then sends the update to the SonicPoint via this channel, and the SonicPoint restarts with the updated configuration. State information is provided by the SonicPoint and is viewable on the SonicOS device throughout the entire discovery and provisioning process.

51
SonicPoint States

SonicPoints function and report in the following states, as described in Table 5.

Table 5 SonicPoint States

Initializing: The state when a SonicPoint starts up and advertises itself via SDP, prior to entering an operational mode.
Unprovisioned: The SonicPoint has not yet received provisioning information from the managing SonicOS peer device.
Operational: Once the SonicPoint has peered with a SonicOS device and has had its configuration validated, it enters an operational state and is ready for clients.
Provisioning: If the SonicPoint configuration requires an update, the SonicOS device engages an SSPP channel to update the SonicPoint. During this brief process it enters the provisioning state.
Safemode: Safemode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into Safemode returns its configuration to defaults and disables the radios. The SonicPoint must then be rebooted to enter either Stand-alone or some other functional state.
Non-Responsive: If a SonicOS device loses communication with a previously peered SonicPoint, it reports the SonicPoint's state as non-responsive. The SonicPoint remains in this state until either communication is restored or it is deleted from the SonicOS device's table.
Updating Firmware: If the SonicOS device detects that it has a firmware update available for a SonicPoint, it uses SSPP to update the SonicPoint's firmware.
Over-Limit: Depending on the SonicWALL security appliance, anywhere from 2 to 32 SonicPoint devices can be attached to each Wireless Zone interface. If more than the maximum number of units is detected, the over-limit devices report an over-limit state and do not enter an operational mode.
Rebooting: After a firmware or configuration update, the SonicPoint announces that it is about to reboot, and then does so.
Firmware Update Failed: If a firmware update fails, the SonicPoint reports the failure and then reboots.
Scanning: When the SonicPoint first starts up, it enters an active scanning mode to detect access points in its area. The scanning process takes no more than 15 seconds, and the results are reported to the managing SonicWALL security appliance.
Provision Failed: In the unlikely event that a provision attempt from a SonicOS device fails, the SonicPoint reports the failure. So as not to enter an endless loop, it can then be manually rebooted, manually reconfigured, or deleted and re-provisioned.
Disabled: The radios on the SonicPoint have been manually disabled. Re-enabling causes the SonicPoint to reboot into a fully operational and enabled mode.
Stand-alone Mode (not reported): If a SonicPoint device cannot find, or be found by, a SonicOS device to peer with, it enters a stand-alone mode of operation. This engages the SonicPoint's internal GUI (which is otherwise disabled) and allows it to be configured as a conventional access point. If at any time it is placed on the same layer 2 segment as a SonicOS device that is sending Discovery packets, it leaves stand-alone mode and enters managed mode. The stand-alone configuration is retained.

Managed Mode and Stand-Alone Mode Transitions

Managed Mode requires that the SonicPoint be connected to a Wireless interface of a SonicWALL security appliance running SonicOS Enhanced 2.5 or greater. When a SonicPoint is in Managed Mode, it senses whether a SonicWALL security appliance is present using the SonicWALL Discovery Protocol (SDP). Immediately after a boot, if a SonicWALL security appliance is not detected, the SonicPoint reboots after a short time interval (approximately 5 seconds) into Stand-alone Mode.

If a SonicWALL security appliance is initially detected but then becomes unavailable (for example, it is powered off or physically disconnected from the SonicPoint), the SonicPoint polls at a longer interval (approximately 6 minutes) and then reverts to Stand-alone Mode.

If for any reason a SonicPoint unexpectedly reboots while in Managed Mode, it reboots into Managed Mode, unless the unexpected reboot occurred while attempting to upload firmware; in this case it reboots into SafeMode.

52
Once in SafeMode by this route, if the SonicPoint is still connected to the SonicWALL security appliance, it automatically attempts to upgrade the firmware again. Failing to sense a SonicWALL security appliance using SDP for a time interval greater than 6 minutes, a SonicPoint in Managed Mode reboots into Stand-alone Mode. In Stand-alone Mode, the SonicPoint acts like a standard access point. The SDP protocol continues to run while in Stand-alone Mode, so if a SonicWALL PRO security appliance is ever sensed, the SonicPoint automatically reboots into Managed Mode.

The SonicPoint maintains separate Managed Mode and Stand-alone Mode configurations so that neither conflicts with nor overwrites the other. When SafeMode is engaged, either manually or automatically, both the Managed Mode and Stand-alone Mode configurations are restored to factory defaults. Restoring factory defaults via the Reset Switch only restores factory defaults for the current mode of operation: for example, depressing the Reset Switch for 5 seconds while in Managed Mode resets only the Managed Mode configuration and leaves the Stand-alone configuration intact.

SafeMode

The SafeMode image provides a fail-safe mechanism for the firmware upload process, whether performed from the stand-alone GUI using FTP or via automatic updates performed by a SonicOS device using SDP and SSPP. In the event of firmware image corruption, the SonicPoint automatically enters SafeMode, the configuration (both Stand-alone and Managed) is restored to factory defaults, and a new firmware image can be uploaded using FTP.

Note: An FTP server hosting the SonicPoint firmware image is required for this process. The SonicPoint firmware is embedded in SonicOS Enhanced version 2.5 and later, and can be retrieved from the SonicOS GUI using the download link at the bottom of the Wireless > SonicPoints page.

After successfully uploading the new firmware image to the SonicPoint using FTP, the ROM pointer is updated, and the SonicPoint reboots using the new firmware image. The default IP address of the Safemode (and Stand-alone) GUI is . Safemode does not require a login, while Stand-alone Mode employs a default username of admin and a password of password.

Stand-Alone Mode

The Stand-Alone mode of operation allows a SonicPoint to behave like a standard access point. While in Stand-Alone mode, data exiting the SonicPoint is not tagged, nor is it hauled to an aggregation point using the LAN interface. The Stand-Alone GUI is modeled after the SonicOS UI and provides a nearly complete subset of the functionality available through Managed Mode.

53
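The SDP messages, the Table 5 states and the Managed/Stand-alone/SafeMode transition rules above, as an added simulation that is not SonicOS or SonicPoint code. The timer values come from the guide; the class, method names and the placeholder factory defaults are this example's own assumptions.

```python
"""Added simulation of the SonicPoint mode and state transitions this guide
describes (SDP discovery, SSPP provisioning, the 5 s boot timer, the 6 min loss
timer, SafeMode, and the separate Managed/Stand-alone configurations)."""
from dataclasses import dataclass, field
from typing import Optional

# States as reported in Table 5 (Stand-alone Mode itself is not reported)
INITIALIZING, UNPROVISIONED, PROVISIONING = "Initializing", "Unprovisioned", "Provisioning"
OPERATIONAL, UPDATING_FIRMWARE, SAFEMODE = "Operational", "Updating Firmware", "Safemode"
STANDALONE = "Stand-alone"

BOOT_DISCOVERY_TIMEOUT_S = 5      # approx. 5 s with no appliance after boot
MANAGED_LOSS_TIMEOUT_S = 6 * 60   # approx. 6 min without SDP before reverting
FACTORY_DEFAULTS = {"ssid": "default"}   # constructed placeholder defaults


@dataclass
class SonicPoint:
    mode: str = "Managed"
    state: str = INITIALIZING
    booted_at: float = 0.0
    last_sdp_contact: Optional[float] = None  # last message from a SonicOS peer
    uploading_firmware: bool = False
    radios_enabled: bool = True
    managed_config: dict = field(default_factory=lambda: dict(FACTORY_DEFAULTS))
    standalone_config: dict = field(default_factory=lambda: dict(FACTORY_DEFAULTS))

    def _reboot(self, now: float, mode: str) -> None:
        self.mode, self.booted_at = mode, now
        self.uploading_firmware, self.radios_enabled = False, True
        self.state = INITIALIZING if mode == "Managed" else STANDALONE

    def boot(self, now: float, mode: str = "Managed") -> None:
        """Power-on boot; in Managed Mode the unit advertises itself via SDP."""
        self.last_sdp_contact = None
        self._reboot(now, mode)

    def on_sdp_discovery(self, now: float) -> None:
        """Discovery broadcast heard. SDP also runs in Stand-alone Mode, so
        sensing an appliance there triggers a reboot into Managed Mode."""
        self.last_sdp_contact = now
        if self.mode != "Managed":
            self._reboot(now, "Managed")
        if self.state == INITIALIZING:
            self.state = UNPROVISIONED       # advertised, not yet provisioned

    def on_configure_directive(self, now: float, config: dict) -> None:
        """Configure Directive plus the SSPP update: the Managed Mode
        configuration is replaced, the Stand-alone configuration is untouched."""
        if self.mode != "Managed":
            raise RuntimeError("Configure Directive only applies in Managed Mode")
        self.last_sdp_contact, self.state = now, PROVISIONING
        self.managed_config.update(config)
        self.state = OPERATIONAL             # restarted with the new configuration

    def begin_firmware_update(self, now: float) -> None:
        self.last_sdp_contact = now
        self.state, self.uploading_firmware = UPDATING_FIRMWARE, True

    def finish_firmware_update(self, now: float, image_ok: bool = True) -> None:
        """A good image reboots normally; a corrupt image drops into SafeMode."""
        if image_ok:
            self._reboot(now, "Managed")
        else:
            self.enter_safemode()

    def unexpected_reboot(self, now: float) -> None:
        """Managed Mode reboots back into Managed Mode, except when the reboot
        interrupted a firmware upload, which lands in SafeMode instead."""
        if self.mode == "Managed" and self.uploading_firmware:
            self.enter_safemode()
        else:
            self._reboot(now, self.mode)

    def enter_safemode(self) -> None:
        """SafeMode: BOTH configurations back to factory defaults, radios off;
        the unit must be rebooted to leave this state."""
        self.managed_config = dict(FACTORY_DEFAULTS)
        self.standalone_config = dict(FACTORY_DEFAULTS)
        self.uploading_firmware, self.radios_enabled = False, False
        self.state = SAFEMODE

    def reset_switch(self) -> None:
        """Reset Switch held 5 s: factory defaults for the current mode only."""
        if self.mode == "Managed":
            self.managed_config = dict(FACTORY_DEFAULTS)
        else:
            self.standalone_config = dict(FACTORY_DEFAULTS)

    def tick(self, now: float) -> None:
        """Apply the two Managed Mode timers the guide describes."""
        if self.mode != "Managed" or self.state == SAFEMODE:
            return
        if self.last_sdp_contact is None:
            if now - self.booted_at >= BOOT_DISCOVERY_TIMEOUT_S:
                self._reboot(now, "Stand-alone")
        elif now - self.last_sdp_contact >= MANAGED_LOSS_TIMEOUT_S:
            self._reboot(now, "Stand-alone")
```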
Adding a Wireless Zone

Adding an additional Wireless zone provides the following benefits to your network:

You can have separate GroupVPN policies for the separate Wireless zones. For example, you can enable GroupVPN on one and not on another, effectively preventing VPN login to that zone.
Separate Wireless zones allow you to create access policies to allow or deny traffic between them. For example, if you have a separate Wireless zone for Wireless Guest Services (WGS), you can create an access policy denying all traffic between that zone and any zone within your network.
Multiple Wireless zones allow you to have two distinct sets of operating parameters automated by profiles. For example, you could have one Wireless zone that enables only the 802.11b/g radio and another that enables only the 802.11a radio.
Multiple Wireless zones allow you to set up SonicWALL Security Services differently for the different Wireless zones. For example, you could have the WLAN zone serving as your wireless LAN connection for employees, and a second Wireless zone for WGS, allowing visitors to connect wirelessly and access the Internet without interacting with your LAN. You could further secure the access by activating the SonicWALL GAV, SonicWALL IPS, and SonicWALL CFS security services on the Wireless zone for WGS, thus preventing anything the guests may encounter on the Internet from infecting your network.

You add custom Wireless zones in the Network > Zones page of the SonicWALL management interface. To create a Wireless zone, select Wireless for Security Type in the Add Zone window. The Add Zone window for a Wireless zone is similar to the Edit Zone window for the WLAN zone. Refer to the Configuring the WLAN Zone section on page
Solution #3: Configuring Wireless Guest Services

This section contains the following subsections:
Wireless Guest Access Overview section on page 55
Defining Wireless Guest Access Using Pass Network and Deny Network Lists section on page 59
Managing Guest Services and Guest Accounts section on page 60
Adding Guest Accounts section on page 62

Wireless Guest Access Overview

Guest services allow guest users to have access through your network directly to the Internet, without access to your protected network. Wireless Guest Services (WGS) allows guest users to connect wirelessly through your network to the Internet. WGS is used for wireless hotspot applications where users can congregate and have wireless network access. It can also be useful to set up WGS in a corporate environment to provide network access to visitors. Figure 24 illustrates WGS for wireless guests connecting to SonicPoints for secure access.

This section contains the following subsections:
Dynamic Address Translation section on page 57
Bypass Guest Authentication section on page 57
Pass Networks section on page 58
Deny Networks section on page 58
WGS Login Uniqueness section on page 58
Account Lifetime and Auto-Prune Account section on page 58
Automated Account Generation section on page 58

SonicWALL Secure Wireless Guest Services Benefits

SonicWALL Secure Wireless Guest Services provides the following benefits:
Provide the following SonicWALL Security Services to your Guest Services: Gateway Anti-Virus, Intrusion Prevention Service, Content Filtering Service, Global VPN Security
Provide Dynamic Address Translation
Bypass Guest Authentication
Build a URL Allow List
Build an IP Address Deny List
Provide Wireless Guest Services login uniqueness
Manage Wireless Guest Account lifetimes and auto-pruning
Automate Wireless Guest Account generation

55
Figure 24 SonicWALL Secure Wireless Guest Services

56
Dynamic Address Translation

One of the key features of WGS is Dynamic Address Translation (DAT), which provides spur-of-the-moment hotspot access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the SonicWALL security appliance's DHCP services, and authenticate using any web browser. Without DAT, if a WGS user is not a DHCP client but instead has static IP settings incompatible with the wireless network settings, network connectivity is prevented until the user's settings change to compatible values.

DAT is a form of NAT that allows the SonicWALL security appliance to support any IP addressing scheme for WGS users. For example, if the wireless interface is configured with its default address of , one WGS client has a static IP address of and a default gateway of , and another has a static IP address of and a gateway of , DAT enables network communication for both of these clients.

Figure 25 DAT Hotspots for Wireless Guest Users

Bypass Guest Authentication

The Bypass Guest Authentication feature is designed to allow WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicWALL security appliance is enforcing authentication.

57
Pass Networks

When Pass Networks is selected, WGS users' traffic to the selected network resources is allowed even before they authenticate. This feature could be used, for example, to allow users to reach advertising pages, disclaimer pages, search engines, etc. Select address objects or address object groups, which can be a specific IP address, an address range, or a Fully Qualified Domain Name (FQDN).

Deny Networks

When Deny Networks is selected, WGS users are explicitly denied access to the selected network resources.

WGS Login Uniqueness

By enforcing login uniqueness, only a single instance of a WGS account can be in use at any one time. By default, this feature is enabled when creating a new WGS account. If you want to allow multiple users to log in with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.

Account Lifetime and Auto-Prune Account

This setting defines how long an account remains before it expires. If Auto-Prune is enabled, the account is deleted when it expires. If Auto-Prune is not enabled, the account remains in the list of WGS accounts with an Expired status, allowing easy reactivation.

Automated Account Generation

The task of generating a new WGS account is made easier by an automated account generation function with the ability to generate (or re-generate) account name and account password information. Clicking Generate in the WGS > Settings page creates a fully populated WGS account dialog box. Alternatively, add an account by clicking Add and manually entering account name and password information. You can click the separate Generate buttons for account name and account password within this window.

Account Detail Printing

Following the generation of an account, it is possible to send the pertinent account details to the active printer on the administrative workstation for easy distribution to WGS users.

58
Defining Wireless Guest Access Using Pass Network and Deny Network Lists

Figure 26 illustrates how a WGS user is allowed Internet access using an allow list, and how a wireless client with WiFiSec protection is allowed access to the Internet, the LAN, and a remote network through a LAN routing device.

Figure 26 Defining Wireless Guest Access Using Pass and Deny Network Lists

59
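The pre-authentication decision described under Pass Networks, Deny Networks and Bypass Guest Authentication, as an added example that is not SonicOS code. The object and function names are this example's own, and the FQDN-to-address table is a constructed stand-in for the appliance's own DNS resolution of FQDN address objects.

```python
"""Added example of the WGS pre-authentication decision: Deny Networks always
block, Pass Networks are reachable before login, and everything else waits for
authentication (or for Bypass Guest Authentication).  Address objects may be a
host, a range, or an FQDN, as the guide lists."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class AddressObject:
    """A host ('198.51.100.10'), a range ('203.0.113.0-203.0.113.255'),
    or an FQDN ('search.example')."""
    value: str

    def matches(self, ip: str, resolved: Dict[str, Tuple[str, ...]]) -> bool:
        addr = ipaddress.ip_address(ip)
        lo, sep, hi = self.value.partition("-")
        try:
            if sep:                                            # range object
                lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
                return lo_a.version == addr.version and lo_a <= addr <= hi_a
            return addr == ipaddress.ip_address(self.value)    # host object
        except ValueError:
            # FQDN object (a name such as my-site.example also lands here):
            # match against the addresses the name resolved to (constructed table).
            return ip in resolved.get(self.value.lower(), ())


@dataclass
class WgsPolicy:
    pass_networks: Tuple[AddressObject, ...] = ()
    deny_networks: Tuple[AddressObject, ...] = ()
    bypass_guest_authentication: bool = False


def decide(policy: WgsPolicy, dst_ip: str, authenticated: bool,
           resolved: Dict[str, Tuple[str, ...]]) -> str:
    """Return 'deny', 'allow', or 'login' (redirect to the WGS login page)."""
    if any(o.matches(dst_ip, resolved) for o in policy.deny_networks):
        return "deny"                       # explicit deny applies to every WGS user
    if authenticated or policy.bypass_guest_authentication:
        return "allow"
    if any(o.matches(dst_ip, resolved) for o in policy.pass_networks):
        return "allow"                      # reachable before authentication
    return "login"
```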
Managing Guest Services and Guest Accounts

You can create guest accounts manually as needed or generate them in batches. SonicOS includes profiles you can configure in advance to automate the configuration of guest accounts when you generate them. Guest accounts are typically limited to a pre-determined lifespan. After their lifespan, by default, the accounts are removed.

Users > Guest Services

Guest Services determine the limits and configuration of the guest accounts. The Users > Guest Services page displays a list of Guest Profiles. Guest profiles determine the configuration of guest accounts when they are generated. In the Users > Guest Services page, you can add, delete, and configure Guest Profiles. In addition, you can determine whether all users who log in to the security appliance see a user login window that displays the amount of time remaining in their current login session.

Configuring Users > Guest Services > Global Guest Settings

Select the Show guest login status window with logout button checkbox to display a user login status window on the user's workstation each time the wireless guest logs in to your WLAN. Guest users must keep the user login status window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.

60
Configuring Users > Guest Services > Guest Profiles

The Guest Profiles list shows the profiles you have created and enables you to add, edit, and delete profiles. To add a guest profile:

Step 1 Click Add below the Guest Profile list to display the Add Guest Profile window.
Step 2 In the Add Guest Profile window, configure:
Profile Name: Enter the name of the profile.
User Name Prefix: Enter the first part of every user account name generated from this profile.
Auto-generate user name: Check this to allow guest accounts generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
Enable Account: Check this for all guest accounts generated from this profile to be enabled upon creation.
Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to log in with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.

61
Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox.
Idle Timeout: Defines the maximum period of time during which no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
Comment: Any text can be entered as a comment in the Comment field.
Step 3 Click OK to add the profile.

Adding Guest Accounts

You can add guest accounts individually or generate multiple guest accounts automatically. This section contains the following subsections for adding guest accounts:
Adding an Individual Guest Account section on page 62
Generating Multiple Guest Accounts section on page 64
Enabling Guest Accounts section on page 65
Enabling Auto-prune for Guest Accounts section on page 65
Printing Guest Account Details section on page 66
Viewing Users > Guest Status section on page 66
Logging Guest Accounts Off the SonicWALL Security Appliance section on page 66

Adding an Individual Guest Account

To add an individual guest account:

Step 1 Under the list of accounts, click Add Guest.
Step 2 In the Settings tab of the Add Guest Account window, configure the following:
Profile: Select the Guest Profile to generate this account from.
Name: Enter a name for the account or click Generate. The generated name is the prefix in the profile and a random two- or three-digit number.
Comment: Enter a descriptive comment.
Password: Enter the user account password or click Generate. The generated password is a random string of eight alphabetic characters.
Confirm Password: If you did not generate the password, re-enter it.

62
Note: Make a note of the password. Otherwise you will have to reset it.
Step 3 In the Guest Services tab, configure:
Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use this account at once.
Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
Session Lifetime: Defines how long a guest login session remains active after the guest user has logged in. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
Idle Timeout: Defines the maximum period of time during which no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime has not expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
Step 4 Click OK to generate the account.

63
Generating Multiple Guest Accounts

To generate multiple guest accounts:

Step 1 Under the list of accounts, click Generate.
Step 2 In the Settings tab of the Generate Guest Accounts window, configure the following fields:
Profile: Select the Guest Profile to generate the accounts from.
Number of Accounts: Enter the number of accounts to generate.
User Name Prefix: Enter the prefix from which account names are generated. For example, if you enter Guest, the generated accounts will have names like Guest 123 and Guest 234.
Comment: Enter a descriptive comment.
Step 3 In the Guest Services tab, configure the following fields:
Enable Guest Services Privilege: Check this for accounts to be enabled upon creation.
Enforce login uniqueness: Check this to allow only one instance of each generated account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use an account at once.
Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, all owing easy reactivation. This setting overrides the account lifetime setting in the profile.

64
Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
Idle Timeout: Defines the maximum period of time during which no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime has not expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
Step 4 Click OK to generate the accounts.

Enabling Guest Accounts

You can enable or disable any number of accounts at one time. To enable one or more guest accounts:

Step 1 Check the box in the Enable column next to the name of each account you want to enable. Check the Enable box in the table heading to enable all accounts on the page.
Step 2 Click Apply in the top-right corner of the page.

Enabling Auto-prune for Guest Accounts

You can enable or disable auto-prune for any number of accounts at one time. When auto-prune is enabled, the account is deleted after it expires. To enable auto-prune:

Step 1 Check the box in the Auto-Prune column next to the name of the account. Check the Auto-Prune box in the table heading to enable it on all accounts on the page.
Step 2 Click Apply in the top-right corner of the page.

65
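The guest profile and guest account rules from the Guest Profiles, Adding an Individual Guest Account and Generating Multiple Guest Accounts procedures above, as an added model that is not SonicOS code. Class and function names are this example's own assumptions; the name, password, lifetime, timeout, uniqueness, activation and Auto-Prune rules follow the guide.

```python
"""Added model of the guest profile and account rules this guide lays out
(prefix plus two- or three-digit names, eight-letter passwords, Account
Lifetime, Session Lifetime, Idle Timeout, login uniqueness, Auto-Prune)."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GuestProfile:
    name: str
    user_name_prefix: str
    account_lifetime_s: int
    session_lifetime_s: int
    idle_timeout_s: int
    enforce_login_uniqueness: bool = True
    auto_prune: bool = True
    activate_on_first_login: bool = True

    def __post_init__(self) -> None:
        # Ordering rules stated in the guide: idle <= session <= account
        if self.session_lifetime_s > self.account_lifetime_s:
            raise ValueError("Session Lifetime cannot exceed Account Lifetime")
        if self.idle_timeout_s > self.session_lifetime_s:
            raise ValueError("Idle Timeout cannot exceed Session Lifetime")

    def generate_user_name(self) -> str:
        """Prefix plus a random two- or three-digit number, e.g. Guest123."""
        digits = secrets.choice((2, 3))
        return f"{self.user_name_prefix}{secrets.randbelow(10 ** digits):0{digits}d}"

    @staticmethod
    def generate_password() -> str:
        # Eight random alphabetic characters, as the auto-generator produces
        return "".join(secrets.choice(string.ascii_letters) for _ in range(8))


@dataclass
class GuestAccount:
    name: str
    password: str
    profile: GuestProfile
    created_at: float
    enabled: bool = True
    status: str = "Active"
    activated_at: Optional[float] = None
    sessions: Dict[str, float] = field(default_factory=dict)  # id -> last traffic

    def __post_init__(self) -> None:
        if not self.profile.activate_on_first_login:
            self.activated_at = self.created_at   # activated at creation instead

    def account_expired(self, now: float) -> bool:
        return now - self.created_at >= self.profile.account_lifetime_s

    def expire_sessions(self, now: float) -> None:
        # Idle Timeout or Session Lifetime ends the session, not the account
        for sid, last_traffic in list(self.sessions.items()):
            if (now - last_traffic >= self.profile.idle_timeout_s
                    or now - self.activated_at >= self.profile.session_lifetime_s):
                del self.sessions[sid]

    def login(self, now: float, session_id: str) -> bool:
        self.expire_sessions(now)
        if not self.enabled or self.account_expired(now):
            return False
        if self.activated_at is None:
            self.activated_at = now               # Activate account upon first login
        if now - self.activated_at >= self.profile.session_lifetime_s:
            return False                          # session window already used up
        if self.profile.enforce_login_uniqueness and self.sessions:
            return False                          # only one instance at a time
        self.sessions[session_id] = now
        return True

    def traffic(self, now: float, session_id: str) -> None:
        if session_id in self.sessions:
            self.sessions[session_id] = now       # resets the idle clock


def generate_accounts(profile: GuestProfile, count: int, now: float) -> List[GuestAccount]:
    """Generate Guest Accounts from a profile; names are unique within the batch."""
    accounts: Dict[str, GuestAccount] = {}
    while len(accounts) < count:
        name = profile.generate_user_name()
        accounts.setdefault(name, GuestAccount(name, profile.generate_password(), profile, now))
    return list(accounts.values())


def prune_expired(accounts: List[GuestAccount], now: float) -> List[GuestAccount]:
    """Auto-Prune deletes expired accounts; otherwise they stay listed as Expired."""
    kept = []
    for acct in accounts:
        if acct.account_expired(now):
            acct.status, acct.sessions = "Expired", {}
            if acct.profile.auto_prune:
                continue
        kept.append(acct)
    return kept
```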
Printing Guest Account Details

Print a summary of a guest account by clicking the print icon to launch a summary account report page and send it to an active printer.

Viewing Users > Guest Status

The Guest Status page reports on all the guest accounts currently logged in to the security appliance.

Logging Guest Accounts Off the SonicWALL Security Appliance

As administrator, you can log users off the SonicWALL security appliance:
To log an individual user out, click the Logout icon in the Logout column for that user.
To log multiple users out, click the checkbox in the first column to select individual users, or check the checkbox next to the # in the table heading to select all the guest users listed on the page. Then click Logout below the list.

66
Solution #4: Configuring Wireless Intrusion Detection Services

This section describes how to configure SonicPoints for Wireless Intrusion Detection Services (IDS). Wireless IDS is automatically enabled and running at startup. You can also manually invoke a scan from the SonicPoint > IDS page. Refer to the following subsections on Wireless IDS configuration:
Configuring SonicPoints > IDS section on page 68
Configuring Intrusion Detection Settings section on page 69
Scanning for Access Points section on page 69
Viewing Discovered Access Points section on page 70
Authorizing Access Points on Your Network section on page 70

Figure 27 illustrates a SonicPoint scanning and detecting a rogue access point within its WLAN.

Figure 27 Wireless IDS Deployment

67
Configuring SonicPoints > IDS

You can have many wireless access points within reach of the signal of the SonicPoints on your network. Wireless IDS reports on all access points the SonicWALL security appliance can find by scanning the 802.11a and 802.11g radio bands on the SonicPoints.

Figure 28 SonicPoints > IDS Page in SonicOS Management Interface

Wireless IDS greatly increases the security capabilities of SonicWALL security appliances with attached SonicPoints by allowing them to detect rogue access points. Wireless IDS logging and notification can be enabled under Log > Categories by selecting the WLAN IDS checkbox under Log Categories and Alerts.

68
74 Configuring Intrusion Detection Settings Scanning for Access Points Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network creates an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this does not represent a deficiency in the security of a specific wireless device, it is a weakness to the overall security of wireless networks. The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all a and g channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation. Check Enable Rogue Access Point Detection to enable the security appliance to search for rogue access points. The Authorized Access Points menu allows you to specify which access points the SonicWALL security appliance will consider authorized when it performs a scan. You can select All Authorized Access Points to allow all SonicPoints, or you can select Create new MAC Address Object Group to create an address object group containing a group of MAC addresses to limit the list to only those SonicPoints whose MAC addresses are contained in the address object group. Select Create Address Object Group to add a new group of MAC address objects to the list. 
Active scanning occurs when the security appliance starts up, and at any time Scan All is clicked on the SonicPoint > IDS page. When the security appliance performs a scan, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows:
Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill effects.
Persistent connections (protocols such as FTP) are impaired or severed.
WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client.
Caution If service disruption is a concern, do not use the Scan Now feature at times when even a brief interruption would be unacceptable.
You can also scan on a SonicPoint-by-SonicPoint basis by choosing from the following options in the Perform SonicWALL Scan menu on the header for the individual SonicPoint:
Scan Both Radios
Scan 802.11a Radio (5 GHz)
Scan 802.11g Radio (2.4 GHz)
Viewing Discovered Access Points
View Style
The Discovered Access Points table displays information on every access point that can be detected by all your SonicPoints, or on an individual SonicPoint basis:
SonicPoint: The SonicPoint that detected the access point.
MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
SSID: The radio SSID of the access point.
Type: The radio band used by the access point, 2.4 GHz or 5 GHz.
Channel: The radio channel used by the access point.
Manufacturer: The manufacturer of the access point.
Signal Strength: The strength of the detected radio signal.
Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize: Click the Authorize icon to add the access point to the address object group of authorized access points.
If you have more than one SonicPoint, you can select an individual device from the SonicPoint list to limit the Discovered Access Points table to display only scan results from that SonicPoint. Select All SonicPoints to display scan results from all SonicPoints.
Authorizing Access Points on Your Network
Access points detected by the security appliance are regarded as rogues until they are identified to the security appliance as authorized for operation. To authorize an access point, it can be manually added to the Authorized Access Points list by clicking the edit icon in the Authorize column and specifying its MAC address (BSSID) along with an optional comment. Alternatively, if an access point is discovered by the security appliance scanning feature, it can be added to the list by clicking the Authorize icon.
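The rogue-versus-authorized decision described above, as an added example that is not SonicOS code: it models the Discovered Access Points table and an Authorized Access Points MAC address object group, classifies a scan, and adds one triage step (flagging rogues that advertise an SSID your own access points use) that is an assumption of this example rather than a feature of the IDS page. All MAC addresses, SSIDs and readings are constructed sample data.

```python
"""Classify access points found by a SonicPoint wireless IDS scan.

Added example, not SonicOS code. Models the Discovered Access Points table
(SonicPoint, MAC Address (BSSID), SSID, Type, Channel, Signal Strength, Max
Rate) and an Authorized Access Points MAC address object group; all values
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAP:
    sonicpoint: str       # SonicPoint that detected the access point
    bssid: str            # MAC address of the detected radio interface
    ssid: str
    band: str             # "2.4 GHz" or "5 GHz"
    channel: int
    signal_strength: int  # signal reading as reported by the scan
    max_rate_mbps: int    # fastest allowable data rate, typically 54


def normalize_mac(mac: str) -> str:
    """Canonical form so '02-00-5E-00-00-01' and '02:00:5e:00:00:01' compare equal."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class AuthorizedAPGroup:
    """Stand-in for a SonicOS MAC address object group (structure assumed)."""

    def __init__(self, entries=None):
        self._entries = {}  # normalized BSSID -> optional comment
        for bssid, comment in (entries or {}).items():
            self.authorize(bssid, comment)

    def authorize(self, bssid: str, comment: str = "") -> None:
        """Equivalent of clicking the Authorize icon: add the BSSID to the group."""
        self._entries[normalize_mac(bssid)] = comment

    def contains(self, bssid: str) -> bool:
        return normalize_mac(bssid) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def classify_scan(discovered, group, sonicpoint=None):
    """Split scan rows into (authorized, rogue).

    Anything not in the group is a rogue until authorized. Passing a SonicPoint
    name limits the result to that device, like the SonicPoint selector.
    """
    authorized, rogue = [], []
    for ap in discovered:
        if sonicpoint is not None and ap.sonicpoint != sonicpoint:
            continue
        (authorized if group.contains(ap.bssid) else rogue).append(ap)
    return authorized, rogue


def ssid_impersonators(rogue, authorized):
    """Rogues advertising an SSID that an authorized access point also uses.

    Assumption of this example, not a SonicOS feature: these are the rogues
    clients are most likely to join unwittingly, so they deserve the first look.
    """
    our_ssids = {ap.ssid for ap in authorized}
    return [ap for ap in rogue if ap.ssid in our_ssids]


# Constructed sample scan reported by two SonicPoints.
SAMPLE_SCAN = [
    DiscoveredAP("SonicPoint-Lobby", "02:00:5e:00:00:01", "CorpWLAN", "2.4 GHz", 6, 80, 54),
    DiscoveredAP("SonicPoint-Lobby", "02:00:5e:00:00:02", "CorpWLAN", "5 GHz", 36, 75, 54),
    DiscoveredAP("SonicPoint-Lobby", "02:00:5e:00:00:99", "linksys", "2.4 GHz", 11, 40, 54),
    DiscoveredAP("SonicPoint-Lab", "02:00:5e:00:00:ab", "CorpWLAN", "2.4 GHz", 1, 65, 54),
]
# Constructed authorized group; MACs deliberately written in another notation.
SAMPLE_GROUP = AuthorizedAPGroup({
    "02-00-5E-00-00-01": "SonicPoint-Lobby 2.4 GHz radio",
    "02-00-5E-00-00-02": "SonicPoint-Lobby 5 GHz radio",
})

if __name__ == "__main__":
    ok, bad = classify_scan(SAMPLE_SCAN, SAMPLE_GROUP)
    for ap in bad:
        print(f"rogue  {ap.bssid}  ssid={ap.ssid!r}  seen by {ap.sonicpoint}")
    for ap in ssid_impersonators(bad, ok):
        print(f"ALERT  {ap.bssid} advertises an authorized SSID {ap.ssid!r}")
```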
Solution #5: Configuring Microsoft IAS Server for WPA with PEAP
This section describes setting up Microsoft Internet Authentication Service (IAS) on Windows 2000 Server for Wi-Fi Protected Access (WPA) with Protected Extensible Authentication Protocol (PEAP). For PEAP to function, a Trusted Root Certification Authority certificate must also be installed on the server. Windows 2000 Server with Active Directory has a built-in certificate server to provide the Trusted Root Certification Authority certificate.
Network Design Considerations
Software Versions
Windows 2000 Server Service Pack 4
Microsoft IAS service
SonicOS Enhanced or newer
Deployment Prerequisites
On the Microsoft Windows 2000 Server:
Microsoft Active Directory is installed and configured
The Routing and Remote Access Service must be running
Microsoft Certificate Services are installed and configured
On the wireless client:
The client must be capable of supporting WPA
The client must have a WPA supplicant installed, such as that provided by Windows XP with the Wireless Rollup (
Figure 29 illustrates a deployment solution where a Microsoft IAS Windows 2000 Server is used for automatic DHCP IP address assignment of wireless clients.
Figure 29 Microsoft IAS Server Deployment
Deployment Tasklist
On the Microsoft Windows 2000 Server:
Installing and Configuring Microsoft Windows 2000 Server IAS Software section on page 72
Configuring the Microsoft IAS Service for a SonicPoint Client Profile section on page 74
Configuring the Remote Access Policies section on page 76
On the SonicWALL security appliance:
Configuring the SonicWALL Security Appliance for WPA-EAP with TKIP section on page 79
On the WLAN client:
Solution #7: Configuring a Wireless Client for WPA with PEAP section on page 96
Caution On the Test RADIUS Settings page, the test uses Password Authentication Protocol (PAP), that is, unencrypted authentication, and will fail if the server is set up to accept only encrypted authentication such as MS-CHAPv2.
Installing and Configuring Microsoft Windows 2000 Server IAS Software
The Microsoft IAS software is included on the Windows 2000 Server compact disc. The Microsoft IAS software is installed from the Add/Remove Programs section of the Control Panel. The Microsoft IAS service is closely tied to Routing and Remote Access (RRAS) in Windows 2000, and the Microsoft IAS dial-in policies can also be edited in the Remote Access Policies section of RRAS.
To configure Microsoft Windows 2000 Server IAS software:
Step 1 Click Install Add-On Components, and then click Add/Remove Windows Components.
Step 2 In Windows Components, click Networking Services (but do not select or clear its check box), and then click the Details button.
Step 3 Select the Internet Authentication Service check box, and then click OK. Then click Next to finish.
Configuring the Microsoft IAS Service for a SonicPoint Client Profile
To configure the Microsoft IAS service:
Step 1 Navigate to Programs > Administrative Tools > Internet Authentication Service. Verify that the service is started: the green play icon at the top of the window is shown depressed and grayed out while the service is running.
Step 2 Create a client profile for the SonicPoint. Right-click in the window, and select New Client.
Step 3 In the Add Client window, enter a Friendly name for the SonicPoint, in this example sonicpoint. Select RADIUS as the Protocol and click Next. Enter the IP address of the SonicPoint and enter the shared secret test. Click on Finish.
Note A client entry must be added for every active SonicPoint that will be authenticating clients against the Microsoft IAS server.
The SonicPoint client profile has now been created. Repeat this procedure for each SonicPoint that is installed.
Configuring the Remote Access Policies
To configure the Remote Access Policies:
Step 1 In this example, modify the default policy by right-clicking on Allow access if dial-in permission is enabled and selecting Properties.
Step 2 Click on the Edit Profile button to modify the profile. On the Edit Dial-in Profile page, select the Authentication tab. Verify that only Extensible Authentication Protocol is selected. Click on Extensible Authentication Protocol and select Protected EAP (PEAP), then click the Configure button.
Note Verify that MS-CHAP v2, MS-CHAP, CHAP, PAP and SPAP are not selected.
Step 3 On the Protected EAP Properties page, verify that the server certificate is the correct one and that under EAP Types the entry is Secured Password (EAP-MSCHAPv2). Click OK to finish.
Step 4 On the Edit Dial-in Profile page, go to the Advanced tab. Click the Add button, then select Framed-MTU and click Add again.
Step 5 Enter the Framed-MTU attribute value. Click OK to add the next attribute.
Step 6 If not already present, add the Framed-Protocol attribute with the value of PPP. Click OK to add the next attribute.
Step 7 If not already present, add the Service-Type attribute with the value of Framed. Click OK to finish.
Note For this policy to be effective, users must have Dial-In access. This can be granted to the user by a Group Policy or from the Active Directory Users and Computers (dsa.msc) MMC snap-in on the Dial-In tab.
Configuring the SonicWALL Security Appliance for WPA-EAP with TKIP
The SonicPoint is automatically configured and centrally managed and updated by the SonicWALL PRO Series security appliance. While the SonicPoints are centrally managed by a single SonicWALL PRO Series security appliance, each SonicPoint requires a separate profile on the Microsoft IAS server. This is because the SonicPoint communicates directly with the Microsoft IAS server for RADIUS authentication.
This section contains the following subsections:
Configuring the Wireless Zone Settings section on page 80
Configuring the SonicPoint Provisioning Profile section on page 81
Configuring Authentication Type and RADIUS Server Settings section on page 81
Creating an Access Rule Allowing RADIUS Service section on page 83
Configuring the Wireless Zone Settings
The SonicWALL PRO Series security appliance must be configured with a WLAN zone to connect the SonicPoint. This port cannot be the default LAN or WAN port. Configure port X2 or higher as illustrated in Figure 30.
Note If WiFiSec Enforcement is enabled on the Wireless Zone, you must also enable WiFiSec Exception Service and select the RADIUS service as an exception so that requests are not dropped by WiFiSec enforcement.
Figure 30 Wireless Zone Settings
Configuring the SonicPoint Provisioning Profile
On the SonicPoint > SonicPoints page, previously discovered SonicPoints are displayed in the lower SonicPoints table as illustrated in Figure 31. You can edit the SonicPoint Profile by clicking on the respective profile's Configure icon. You can modify or create a custom SonicPoint Provisioning Profile so that all SonicPoints subsequently provisioned with that profile will inherit the WPA settings configured in the next steps.
Figure 31 SonicPoint Provisioning Profile
Configuring Authentication Type and RADIUS Server Settings
On the 802.11a Radio tab, under the WEP/WPA Encryption section, select WPA-EAP as the Authentication Type and choose TKIP from the Cipher Type pull-down menu as illustrated in Figure 32. In the Radius Server Settings section, click Configure. The Radius Server Settings page will then appear. Enter the IP address of the Microsoft IAS server for the Radius Server 1 IP, the port that RADIUS services are responding to, and the shared secret. Click OK to save the changes.
Figure 32 802.11a Radio Settings and RADIUS Server Settings
On the 802.11g Radio tab, under the WEP/WPA Encryption section, select WPA-EAP as the Authentication Type and choose TKIP from the Cipher Type pull-down menu as illustrated in Figure 33. The RADIUS server settings are the same for both radios. Click OK to continue.
Figure 33 802.11g Radio Settings
Since the Microsoft IAS server is in the LAN zone, an access rule must be created to allow the RADIUS request from the SonicPoint to reach the Microsoft IAS server.
Creating an Access Rule Allowing RADIUS Service
Create an Address Object for the SonicPoint, or an Address Object Group if multiple SonicPoints will be used. Create an Access Rule allowing the RADIUS service (port 1812) from the SonicPoint to the LAN zone. The Destination field can be set to Any, or specifically to an Address Object referring to the Microsoft IAS server. Verify that the Allow Fragmented Packets checkbox is selected so that fragmented RADIUS packets can pass.
You have now completed the Microsoft IAS server setup for WPA with PEAP. To complete the wireless client setup for WPA with PEAP, refer to the Solution #7: Configuring a Wireless Client for WPA with PEAP section on page 96.
Solution #6: Configuring Steel-Belted RADIUS Server for WPA with PEAP
This section describes setting up Steel-Belted RADIUS (SBR) by Funk Software for Wi-Fi Protected Access (WPA) with Protected Extensible Authentication Protocol (PEAP). For PEAP to function, a Trusted Root Certification Authority certificate must also be installed on the server, with a matching certificate on the client.
Network Design Considerations
Recommended Versions
Funk Software Steel-Belted RADIUS Enterprise Edition v4.71
Windows 2000 Server Service Pack 4
SonicOS Enhanced or newer
Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.
Deployment Prerequisites
Windows XP requires patching to function correctly with WPA. A wireless update roll-up package is available from Microsoft.
Certificates are required for this configuration to function. The certificates are used to create the secure tunnel between the RADIUS server and the client over the access point. Funk Software provides a limited tool to create certificates for testing purposes only. In a production environment, proper certificates will need to be obtained.
Figure 34 illustrates a deployment solution where an SBR server is used for automatic DHCP IP address assignment of wireless clients.
Figure 34 SBR Server Deployment
Configuring SBR for WPA with PEAP Process Task List
This section provides a process task list to complete a SonicWALL Secure Wireless network deployment scenario that includes an SBR server. The setup of the SBR software has three main parts. The first part is installing the software. The second part is the Trusted Root Certification Authority certificate that must be installed on the server. The third part is manual editing of various SBR configuration files.
Perform the following configuration steps on the SBR server:
Installing the Software on the SBR section on page 85
Installing the Certificate on the Server section on page 85
Editing the SBR Configuration Files section on page 87
Steel-Belted RADIUS Enterprise Edition Administrator Graphical Configuration section on page 91
Perform the following configuration steps on the SonicWALL security appliance:
Configuring a SonicWALL Security Appliance for WPA-EAP with TKIP section on page 94
Perform the following configuration steps on the WPA Client:
Solution #7: Configuring a Wireless Client for WPA with PEAP section on page 96
Installing the Software on the SBR
Step 1 Double-click on the install file, SBRNT_ALL_471.exe.
Step 2 Enter your name and company name, and enter a License key or click on the 30-day trial checkbox. Then click on the Next button.
Step 3 In the License key window, select the SBR Enterprise Edition radio button. Click on the Next button.
Step 4 Click on the Yes button to accept the License agreement. Click on the Next button to continue setup.
Step 5 Make sure both the Radius Admin Program checkbox and the Radius Server checkbox are selected. Click on the Next button. This finishes the install.
Installing the Certificate on the Server
Funk Software provides a limited tool to create test certificates called evalcerts.exe. This tool creates a certificate with the minimum functions for EAP-TTLS or EAP-PEAP to operate. The certificates are also time limited to sixty days.
For a production environment a proper public key infrastructure (PKI) is required to handle certificate management functions. The evalcerts certificate will be used in this example, as the complexity of PKI is beyond the scope of this document. The evalcerts.exe tool is available for download in the Steel-Belted RADIUS Tech Note.
Note The evalcerts.exe tool is fairly straightforward, but it must be used in a command window with the proper options.
Step 1 Create a directory and copy evalcerts.exe into this directory.
Step 2 In a command window, enter the following command:
evalcerts save
This will produce the following files:
OdysseyServer.pfx
evalrootcertificate.cer
The detailed contents of the server certificate are displayed. The following message indicates that the certificates have been created successfully:
ROOT CA certificate file [evalrootcertificate.cer] saved for import on client machines in current working directory.
SERVER certificate file (OdysseyServer.pfx) saved in current working directory. The password for this certificate is test.
The SBR server uses the OdysseyServer.pfx file to obtain user-configured preferences. The location of the file is specified in the certinfo.ini configuration file.
Editing the SBR Configuration Files
SBR relies on a few text-based files for configuration. These files should be in the same directory in which SBR was installed. By default, the directory is c:\radius\service. Edit the SBR configuration files as specified in the following sections:
Editing the CertInfo.ini SBR Configuration File section on page 87
Editing the Radius.ini SBR Configuration File section on page 87
Editing the EAP.ini SBR Configuration File section on page 88
Editing the Peapauth.aut SBR Configuration File section on page 89
Editing the CertInfo.ini SBR Configuration File
The CertInfo.ini file points to the location of the server certificate file on the server and provides the certificate password.
[Certificate_Info]
; Indicates the location (in the file system) of the PKCS#12 file containing
; the certificate and private key of the server and all the certificates
; necessary to establish a chain to the CA that issued the certificate.
; For NT deployments that are running under the service control manager,
; this must be an absolute path.
Certificate_And_Private_Key_File=c:\radius\service\OdysseyServer.pfx
; Specifies the password with which the private key contained in the PKCS#12
; file mentioned above was encrypted.
Password=test
Editing the Radius.ini SBR Configuration File
The Radius.ini file points to the location of the certinfo.ini file and is used to configure the logging levels. During installation it is useful to enable debug logging. This is controlled by the LogLevel and TraceLevel variables, which are both set to 0 by default. For debug logging, both need to be set to a value of 2.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; RADIUS.INI file (December 2004)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This file defines operational characteristics of Funk Software's
; Steel-Belted Radius server.
[Configuration]
LogLevel = 2
TraceLevel = 2
Allow-Unmasked-Password = no
Allow-Unmasked-Secret = no
Apply-Login-Limits = yes
;PrivateDir = <file system location>
FramedIPAddressHint = no
HeartBeatTimeout = 180
CheckMessageAuthenticator = 0
FramedIPAddressHint = no
AddSourceIPAddressAttrToRequest = 0
;ClassAttributeStyle = 2
;LogfileMaxMBytes = 0
;[Ports]
;UDPAuthPort = 1645
;UDPAcctPort = 1646
;[CurrentSessions]
;CaseSensitiveUsernameCompare = 1
[SecurID]
CachePasscodes = no
SecondsToCachePasscodes = 60
[NTDomain]
AllowExpiredPasswordsForUsers = no
AllowExpiredPasswordsForGroups = no
;ProfileForExpiredUsers = <place_name_of_sbr_profile_here>
;ProfileForExpiredUsersInGroups = <place_name_of_sbr_profile_here>
;PrequalifyChecklist = no
[LDAP]
Enable = 0
TCPPort = 667
;[AuthRejectLog]
;Enable = 0
; most relevant is the default (when enable is set to 1)
;Filter = MostRelevant
; all will cause each auth method instances' rejection result to be logged, but
; only if the auth request was ultimately rejected
;Filter = All
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; The following can be used in isolation (for example, as in uncommenting one and only
; one of the following lines. Or can be strung together separated by any
; combination of spaces and/or commas.
; For example, using both spaces and commas as separators:
; Filter = SystemError, AccessError, UserNotFound
; Stringing all of these together would be equivalent to simply:
; Filter = All
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Filter = SystemError
;Filter = BlacklistedUser
;Filter = InvalidRequest
;Filter = AccessError
;Filter = UserNotFound
;Filter = UnsupportedCredentialType
;Filter = InvalidCredentials
;Filter = InvalidCredentialsOrUser
;Filter = PostProcessRejection
[Certificate]
; Indicates the location (in the file system) of a file containing information
; about the server's certificate and its private key - this certificate is
; required if you plan to load the EAP-TTLS, EAP-TLS or EAP-PEAP plug-ins.
; It is suggested that this file be placed in a part of the file system that
; is not generally accessible (such as in a 'my' directory under the server's
; private directory.
;Solaris example:
;Server_Certificate_Info_File = /usr/local/radius/certinfo.ini
;Windows example:
Server_Certificate_Info_File = c:\radius\service\certinfo.ini
Editing the EAP.ini SBR Configuration File
The EAP.ini file is used to configure the EAP methods accepted by the SBR server.
Under the [Native-User] section, modify the file to handle the EAP type MS-CHAP-V2 that is used by the SonicWALL Long Range Dual Band Wireless Card configuration utility. This file also handles the routing of the PEAP authentication request to the proper SBR response method; this is configured in the [peapauth] section of the file, which points to the peapauth.aut file.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; EAP.INI file (April 2004)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This file is used to configure authentication methods for EAP support.
[Native-User]
EAP-Only = 1
First-Handle-Via-Auto-EAP = 0
EAP-Type = MS-CHAP-V2
;EAP-Type = LEAP
;EAP-Type = MD5-Challenge
;EAP-Type = LEAP, MD5-Challenge
; or
;EAP-Only = 1
;EAP-Type = TLS
;First-Handle-Via-Auto-EAP = 1
[NT-Domain]
;EAP-Only = 0
;EAP-Type = LEAP
;First-Handle-Via-Auto-EAP = 1
[NT-Host]
;EAP-Only = 0
;EAP-Type = LEAP
;First-Handle-Via-Auto-EAP = 1
[SecurID]
;EAP-Only = 0
;EAP-Type = Generic-Token
;First-Handle-Via-Auto-EAP = 0
[ldapauth]
;EAP-Type = LEAP, MD5-Challenge
;First-Handle-Via-Auto-EAP = 0
[sqlauth]
; Comment: For Windows Only
;EAP-Type = LEAP, MD5-Challenge
;First-Handle-Via-Auto-EAP = 0
[radsql]
; Comment: For Solaris Only
;EAP-Type = LEAP, MD5-Challenge
;First-Handle-Via-Auto-EAP = 0
[winauth]
EAP-Only = 0
;EAP-Type = LEAP
;EAP-Type = MS-CHAP-V2
EAP-Type = MS-CHAP-V2,LEAP
First-Handle-Via-Auto-EAP = 1
[tlsauth]
EAP-Only = 1
EAP-Type = TLS
First-Handle-Via-Auto-EAP = 0
[ttlsauth]
EAP-Only = 1
EAP-Type = TTLS
First-Handle-Via-Auto-EAP = 0
[peapauth]
EAP-Only = 1
EAP-Type = PEAP
First-Handle-Via-Auto-EAP = 0
Editing the Peapauth.aut SBR Configuration File
The Peapauth.aut file configures the PEAP module. First, it must be enabled by setting the Enable variable to 1. Second, it must be configured for MS-CHAP-V2 from the client side by specifying a PEAP_Min_Version and PEAP_Max_Version of 0, which is the setting most compatible with MS-CHAP-V2.
[Bootstrap]
LibraryName=peapauth.dll
Enable=1
InitializationString=EAP-PEAP
[Server_Settings]
; Indicates the maximum TLS Message fragment length EAP-PEAP will handle. If not
; specified, this parameter defaults to It can be set as high as 4096,
; but sizes over 1400 bytes are likely to cause fragmentation of the UDP packet
; carrying the message and some RADIUS client may be incapable of dealing with
; this fragmentation.
;TLS_Message_Fragment_Length = 1020
; Indicates whether or not the EAP-PEAP module should return the
; MS-MPPE-Send-Key and MS-MPPE-Recv-Key attribute upon successfully
; authenticating the user. The default is to return these attributes.
;Return_MPPE_Keys = 1
; Specifies the size of the prime to use for DH modular exponentiation. The
; choices are 768, 1024, 1536, 2048, 3072 and The default is 1024 bits.
;DH_Prime_Bits = 1024
; Specifies the TLS cipher suites (in order of preference) that the server is
; to use. These cipher suites are documented in RFC 2246 and other TLS related
; RFCs or draft RFCs. The default is: 0x16, 0x13, 0x66, 0x15, 0x12, 0x0a, 0x05,
; 0x04, 0x07, 0x09
;Cipher_Suites = 0x16, 0x13, 0x66, 0x15, 0x12, 0x0a, 0x05, 0x04, 0x07, 0x09
; Specifies the minimum and maximum versions of the PEAP protocol that the server
; should negotiate. Version 0 is compatible with Microsoft's initial PEAP
; implementation (shipped in Microsoft XP Service Pack 1), while version 1 is
; compatible with Cisco's initial PEAP implementation (shipped in Cisco ACU). The
; default is to accept either type of client connection.
PEAP_Min_Version = 0
PEAP_Max_Version = 0
[Inner_Authentication]
; Specifies how inner authentication routing is to occur. You can choose to
; use the standard SBR routing logic (by omitting this attribute) or a directed
; realm. The default is to use the standard SBR routing logic.
;Directed_Realm = peap_realm
[Request_Filters]
; Specifies attribute filters to apply to the transfer of attributes from the
; outer to the inner authentication request (initial vs. continuations) and
; filters to apply after the inner authentication request attributes have been
; added to the request. These filters must be described in the filter.ini file.
; The default is not to use any filters.
;Transfer_Outer_Attribs_to_New = peap_transfer_outer_to_new
;Transfer_Outer_Attribs_to_Continue = peap_transfer_outer_to_continue
;Edit_New = peap_edit_new
;Edit_Continue = peap_edit_continue
[Response_Filters]
; Specifies attribute filters to the final response (accept or reject)
; received from SBR and forwarded to EAP-PEAP originating NAS. These filters must
; be described in the filter.ini file. The default is not to use any filters.
Transfer_Inner_Attribs_To_Accept = peap_transfer_inner_to_accept
Transfer_Inner_Attribs_To_Reject = peap_transfer_inner_to_reject
[Session_Resumption]
; Specifies the maximum length of time (in seconds) the NAS/AP will be
; instructed to allow the session to persist before the client is asked
; to re-authenticate. Specifying a 0 will cause the Session-Timeout attribute
; not to be generated by the plug-in. The default is 0.
;Session_Timeout = 600
; Specifies the value to return for the Termination-Action attribute
; sent in an accepted client. If omitted in this file, the Termination-Action
; attribute will not be sent.
Termination_Action = 0
; Specifies the length of time (in seconds) during which an authentication
; request that seeks to resume a previous TLS session will be considered
; acceptable. Specifying 0 will cause session resumption support to be
; disabled. The default is 0.
;Resumption_Limit = 0
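A check that the four SBR files edited in the sections above (CertInfo.ini, Radius.ini, EAP.ini and Peapauth.aut) carry the settings this solution depends on, as an added example that is neither the guide's nor SBR's own code: it parses the files with Python's configparser and reports missing PEAP settings, a non-absolute certificate path, the evalcerts test password, and debug logging left on. The embedded file contents are constructed excerpts mirroring the values above; the c:\radius\service paths are the guide's defaults.

```python
"""Sanity-check the Steel-Belted RADIUS text configuration for WPA with PEAP.

Added example, not part of the guide or of SBR. The embedded excerpts are
constructed from the values the guide uses; SBR files use ';' comments,
'-' in key names and occasionally repeat a key, which configparser handles
with strict=False.
"""
import configparser
import ntpath

CERTINFO_INI = r"""
[Certificate_Info]
; PKCS#12 file with the server certificate and private key; must be an
; absolute path when SBR runs under the NT service control manager.
Certificate_And_Private_Key_File=c:\radius\service\OdysseyServer.pfx
Password=test
"""
RADIUS_INI = r"""
; RADIUS.INI excerpt
[Configuration]
LogLevel = 2
TraceLevel = 2
Allow-Unmasked-Password = no
FramedIPAddressHint = no
FramedIPAddressHint = no
[Certificate]
Server_Certificate_Info_File = c:\radius\service\certinfo.ini
"""
EAP_INI = r"""
[Native-User]
EAP-Only = 1
First-Handle-Via-Auto-EAP = 0
EAP-Type = MS-CHAP-V2
;EAP-Type = LEAP
[peapauth]
EAP-Only = 1
EAP-Type = PEAP
First-Handle-Via-Auto-EAP = 0
"""
PEAPAUTH_AUT = r"""
[Bootstrap]
LibraryName=peapauth.dll
Enable=1
InitializationString=EAP-PEAP
[Server_Settings]
; version 0 is what Microsoft's initial PEAP client (MS-CHAP-V2 inner method) speaks
PEAP_Min_Version = 0
PEAP_Max_Version = 0
"""


def parse_sbr_ini(text: str) -> configparser.ConfigParser:
    """Parse an SBR ini-style file; duplicate keys are allowed, the last one wins."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def _get(cp, section, key):
    """Option value with whitespace stripped, or '' if the section or key is absent."""
    return cp.get(section, key, fallback="").strip()


def check_sbr_config(certinfo, radius, eap, peapauth):
    """Return findings as (level, file, message); level is error, warn or info."""
    findings = []
    ci = parse_sbr_ini(certinfo)
    pfx = _get(ci, "Certificate_Info", "Certificate_And_Private_Key_File")
    if not pfx:
        findings.append(("error", "certinfo.ini", "Certificate_And_Private_Key_File is not set"))
    elif not ntpath.isabs(pfx):
        findings.append(("error", "certinfo.ini", "certificate path must be absolute for the NT service"))
    if _get(ci, "Certificate_Info", "Password") == "test":
        findings.append(("warn", "certinfo.ini",
                         "PKCS#12 password is the evalcerts test password; use a PKI-issued certificate in production"))
    rd = parse_sbr_ini(radius)
    if not _get(rd, "Certificate", "Server_Certificate_Info_File"):
        findings.append(("error", "radius.ini", "[Certificate] Server_Certificate_Info_File is not set"))
    for key in ("LogLevel", "TraceLevel"):
        if _get(rd, "Configuration", key) == "2":
            findings.append(("info", "radius.ini", f"{key} = 2 enables debug logging; lower it after installation"))
    ep = parse_sbr_ini(eap)
    native_types = {t.strip().upper() for t in _get(ep, "Native-User", "EAP-Type").split(",")}
    if _get(ep, "Native-User", "EAP-Only") != "1" or "MS-CHAP-V2" not in native_types:
        findings.append(("error", "eap.ini", "[Native-User] needs EAP-Only = 1 and EAP-Type = MS-CHAP-V2"))
    if _get(ep, "peapauth", "EAP-Type").upper() != "PEAP":
        findings.append(("error", "eap.ini", "[peapauth] needs EAP-Type = PEAP"))
    pa = parse_sbr_ini(peapauth)
    if _get(pa, "Bootstrap", "Enable") != "1":
        findings.append(("error", "peapauth.aut", "[Bootstrap] Enable must be 1 to load the PEAP module"))
    versions = (_get(pa, "Server_Settings", "PEAP_Min_Version"),
                _get(pa, "Server_Settings", "PEAP_Max_Version"))
    if versions != ("0", "0"):
        findings.append(("error", "peapauth.aut", "PEAP_Min_Version and PEAP_Max_Version should both be 0"))
    return findings


if __name__ == "__main__":
    for level, name, msg in check_sbr_config(CERTINFO_INI, RADIUS_INI, EAP_INI, PEAPAUTH_AUT):
        print(f"{level:5} {name:13} {msg}")
```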
Steel-Belted RADIUS Enterprise Edition Administrator Graphical Configuration
This section describes the graphical configuration of the SBR Administrator as depicted in Figure 35.
Figure 35 SBR Graphical UI Configuration
Perform the following steps to complete the SBR Administrator program configuration:
Step 1 Launch the SBR Administrator program. At the SBR Administrator window, click on the Connect button to connect to your local RADIUS server.
Step 2 Select the RAS Clients radio button to set up your SonicPoint as depicted in Figure 36.
Step 3
a. In the Client Name field, enter the name of the SonicWALL device, in this case SONICWPA.
b. Enter the IP address in the field below. Click on the edit authentication shared secret button to set the shared secret. The shared secret should be very hard to guess, such as M8cpXELOk8LomLOg. For testing purposes the password used was test. Then click on the Save button.
Figure 36 SBR Configuring RAS Clients
Step 4 Select the Users radio button to create a new user as depicted in Figure 37.
a. Create a new user named test by clicking on the Add button and entering test in the user name field, then click on the OK button.
b. Set the password by clicking on the Set Password button. Enter a password and click on the Set button to set your password. Click on the Save button to save the new user.
Figure 37 SBR Configuring Users
Step 5 Select the Configuration radio button to set the order of the authentication methods as depicted in Figure 38.
a. For WPA-PEAP to function properly, verify that EAP-PEAP is ordered first and Native User is ordered second.
b. Deactivate the other authentication methods, and click on the Save button.
Note It is possible to use another method of authentication (such as Windows Domain User) as long as EAP-PEAP is first in order. Refer to the SBR administrator's guide to configure other authentication methods.
Figure 38 SBR Configuring Configuration
Step 6 Select the Statistics radio button to verify proper functioning and to confirm that transactions are being accepted, as depicted in Figure 39.
Figure 39 SBR Configuring Statistics
Configuring a SonicWALL Security Appliance for WPA-EAP with TKIP
This section provides procedures to configure your SonicWALL security appliance for WPA-EAP with TKIP.
To configure your SonicWALL security appliance for WPA-EAP with TKIP against the SBR server:
Step 1 Log into your SonicWALL security appliance using the SonicOS management console. Navigate to the SonicPoint > SonicPoints console page. Click the Edit icon for the SonicPoint Profile or individual SonicPoint.
Step 2 Click on the 802.11a Radio tab or 802.11g Radio tab depicted in Figure 40.
Figure 40 SonicPoint Settings Configuring WPA-EAP
a. In the Encryption Mode section, choose WPA-EAP from the Authentication Type pull-down menu.
b. In the WPA Settings section, choose TKIP from the Cipher Type pull-down menu.
c. Click Configure under Radius Server Settings, and enter the IP address of the SBR server, the port that RADIUS services are responding to, and the shared secret as depicted in Figure 41. Then click on the OK button. Click the Apply button to save the changes.
Figure 41 SonicPoint Radius Server Settings
You have now completed the SBR server setup for WPA with PEAP. To complete the wireless client setup for WPA with PEAP, refer to the Solution #7: Configuring a Wireless Client for WPA with PEAP section on page 96.
Solution #7: Configuring a Wireless Client for WPA with PEAP
The client setup uses the SonicWALL Long Range Dual Band Wireless Card and the associated SonicWALL client utility installed on a Windows XP laptop.
This section contains the following subsections:
Installing the Root CA Certificate on the Client section on page 97
Configuring a Windows XP Service Pack 2 Wireless Client Setup section on page 102
Configuring the Windows XP Wireless Network Wizard section on page 104
Verifying the WLAN Client Connection section on page 105
Tip For proper functioning of WPA, a roll-up patch from Microsoft is required. Alternatively, Service Pack 2 for XP includes this patch and includes a major update to the wireless network wizard. For this Solutions Guide, disable the Microsoft Windows Wireless Wizard and use the SonicWALL Client Utility to manage the wireless card.
Note The certificate used was created by the evalcerts tool from Funk Software. Because this is a limited-functionality certificate for testing purposes, it must be installed on the client so that the server and client match. If you are using a certificate issued by a well-known Certificate Authority (CA) or by a CA whose certificate is already present in the clients' Trusted Root Store, this step is not necessary.
Installing the Root CA Certificate on the Client
For this deployment solution, the Root CA certificate used was created by Windows 2000 Active Directory Server. The certificate can be exported from the server and imported on the client. The ROOT CA certificate file must first be imported onto the laptop by copying the file to the laptop. Then right-click on the file, and select the Install Certificate option as illustrated in Figure 42.
Figure 42 Installing the Root CA Certificate
This will bring up the Certificate Import Wizard as illustrated in Figure 43. In the Certificate Import Wizard page, click Next to proceed.
Figure 43 Certificate Import Wizard
Click on the Place all certificates in the following store radio button, then click on the Browse button as illustrated in Figure 44. On the Select Certificate Store page, select Trusted Root Certification Authorities and click OK.
Figure 44 Certificate Store
Click Next to continue.
Click Finish to complete the import wizard as illustrated in Figure 45.
Figure 45 Completing the Certificate Import Wizard
Verify the SonicWALL Long Range Dual Band Wireless Card Client Utility Software Version
This section provides procedures to configure your SonicWALL Long Range Dual Band Wireless Card Client Utility to enable WPA-EAP wireless client support. Perform the following configuration steps on your SonicWALL Long Range Dual Band Wireless Card Client Utility.
To configure your SonicWALL Long Range Dual Band Wireless Card Client Utility to enable WPA-EAP wireless client support:
Step 1 Verify that you have the latest version of the client utility and driver. Updated drivers are available from SonicWALL.
Step 2 Create a new profile by clicking on the New... button as depicted in Figure 46.
Figure 46 SonicWALL Long Range Dual Band Wireless Card Client Utility Adding a New Profile
Step 3 Click on the General tab, then enter a Profile Name and the SSID of the wireless network, as depicted in Figure 47.

Figure 47 SonicWALL Long Range Dual Band Wireless Card Client Utility: Configuring the General Tab

Step 4 Click on the Security tab, select the WPA-EAP radio button, and select PEAP from the WPA EAP Type pull-down menu, as depicted in Figure 48. Then click the Configure button.

Figure 48 SonicWALL Long Range Dual Band Wireless Card Client Utility: Configuring the Security Tab
Step 5 In the Define Certificate window, select the certificate that matches the server certificate. In this example it is called Evaluation Certificate Tool, as depicted in Figure 49.

Figure 49 SonicWALL Long Range Dual Band Wireless Card Client Utility: Defining the Certificate

Step 6
a. In the User Information for MS-ChapV2 section, enter the user name and password, and confirm the password. Then click on the Advanced Configuration button.
b. On the Advanced Configuration page, enter the name of the SBR server in the Specific Server or Domain field and enter the user name in the Login Name field, as depicted in Figure 50. Click on the OK button to finish.

Figure 50 SonicWALL Long Range Dual Band Wireless Card Client Utility: Enter Domain Name
Step 7 Click on the Current Status tab to verify that the connection is active, as depicted in Figure 51.

Figure 51 SonicWALL Long Range Dual Band Wireless Card Client Utility: Verify Encryption Type and IP Address

Step 8
a. On the Current Status page, verify that the Encryption type is TKIP and that you have a valid IP address.
b. To test connectivity, open the administrator page of the SonicPoint.

Configuring a Windows XP Service Pack 2 Wireless Client Setup

To use the Windows XP wireless wizard instead of the SonicWALL client utility, you must first configure Windows to control the wireless network settings. Perform the following configuration steps to complete the Windows XP wireless wizard:

Step 1 In the Network Connections window, right-click on the SonicWALL Long Range Dual Band Wireless Card network card and select Properties.

Step 2 In the SonicWALL Long Range Dual Band Wireless Card Properties window, as depicted in Figure 52, select the Wireless Networks tab. Click on the Use Windows to configure my wireless network settings button.

Figure 52 Windows XP Wireless Wizard: Configuring LRDBW Properties
Step 3 In the Preferred Networks section, select the correct network, sonicwpa in this configuration. Remove any other wireless networks in the list.

Step 4 Select sonicwpa and click on the Properties button. This will bring up the sonicwpa properties window, as depicted in Figure 53. On the Association tab, select WPA for Network Authentication and TKIP for Data Encryption.

Figure 53 Windows XP Wireless Wizard: Selecting WPA for Network Authentication and TKIP for Data Encryption

Step 5 Select the Authentication tab, then select Protected EAP (PEAP) for the EAP type, as depicted in Figure 54.

Figure 54 Windows XP Wireless Wizard: Selecting PEAP for the EAP Type

Step 6
a. Verify that both the Authenticate as computer when computer information is available and the Authenticate as guest when user or computer information is unavailable checkboxes are not checked. Click on the Properties button.
b. In the Protected EAP Properties window, verify that the Validate Server Certificate and the Enable Fast Reconnect checkboxes are unchecked. Select Secured password (EAP-MSCHAP v2) for the Authentication Method. Click on the Configure button.
c. In the EAP MSCHAPv2 Properties window, verify that the Automatically use my Windows logon name and password (and domain if any) checkbox is unchecked. Click on the OK button.

This completes the configuration of the wireless network properties.
Configuring the Windows XP Wireless Network Wizard

This section provides procedures to select a wireless network from the Windows XP Wireless Network Wizard.

To configure a wireless network connection using the Windows XP Wireless Network Wizard:

Step 1 From the Wireless Network wizard, select the wireless network, sonicwpa in this example, and click on the Connect button. The Wireless Network Connection window displays, as depicted in Figure 55.

Figure 55 Windows XP Wireless Wizard: Configuring a Wireless Network Connection
When it gets to the Validating identity part, a balloon dialog box will show up at the bottom of the screen and prompt you for user credentials, as depicted in Figure 56.

Figure 56 Windows XP Wireless Wizard: Entering Credentials

Step 2 In the Enter Credentials window, enter the user name and password. In this example, both are test. Click the OK button to continue.

This finishes the connection. The wizard displays Connected. To test connectivity, open the admin page on the SonicWALL.

Verifying the WLAN Client Connection

From the WLAN client:

- Select the SSID of the SonicPoint and configure the PEAP properties
- Attempt to associate with the SonicPoint; when prompted for a username and password, enter them
- Authentication and association should succeed
- Obtain an IP address from DHCP
- Attempt network access by accessing a web site or e-mail, or by connecting to a network file share
Solution #8: Configuring a Lightweight Hotspot Messaging Network

Lightweight Hotspot Messaging (LHM) defines the method and syntax for communications between a SonicWALL wireless access device (such as a SonicWALL TZ 170 Wireless or SonicWALL TZ 170 SP Wireless, or a SonicPoint with a SonicWALL PRO Series security appliance) and an Authentication Back-End (ABE) for the purpose of authenticating Hotspot users and providing them parametrically bound network access. The following illustration depicts a generic configuration:

Figure 57 Light-Weight Hotspot Messaging Network

LHM allows network operators to provide centralized management of multiple Hotspot locations by providing an interface between SonicWALL's Wireless Guest Services and any existing ABE. LHM is an adaptation of the generalized Wireless Internet Service Project roaming (WISPr) and GIS specifications. LHM was designed to satisfy the requirements of a particularly common operational environment rather than a broad set of environments. Specifically, LHM allows Hotspot user management and authentication to occur entirely on the network operator's ABE, supporting any method of account creation and management, and any extent of site customization and branding. This approach enables integration into any existing environment without dependencies upon particular billing, accounting or database systems, and also provides the network operator with unrestricted control of the site's design, from look-and-feel to redirection.

For more information on configuring LHM Authentication Scripts, refer to the SonicWALL LHM Resource Center.
Description

The ABE consists of a Web Server (WS) to host content for user interaction and an (optional) Authentication Server (AS) to provide directory services authentication. The AS can be any kind of user database, including, but not limited to, Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), or Microsoft Windows Active Directory (AD); the only requirement is that the WS can communicate with the AS for authentication purposes. The WS and AS can be administered on a single server or on separate servers. LHM also provides the ability for the AS to use the SonicWALL security appliance's internal user database for user authentication. Refer to the Message Format Local Authentication Request and Reply sections for details on the messaging.

The ABE will need to communicate with the Hotspot SonicWALL to exchange result codes and session information. All communications will be HTTPS and can occur either directly (such as to the LAN, WAN, or X0 interface of the SonicWALL security appliance) or over a VPN tunnel to one of the SonicWALL security appliance's management interface addresses. The LHM management interface will be selectable, and only the selected interface will accept LHM management messaging, through automatically added Access Rules. LHM communications will occur on a specific LHM management port that must be defined on the SonicWALL security appliance, and the LHM management port must be different from the standard HTTPS Management port. A white list of IP addresses (up to 8 entries) must also be defined on the SonicWALL security appliance, specifying the IP addresses from which LHM management communications will be allowed. At least one address must be specified.

Note: Although secured by SSL and an IP allow list, a WAN-based LHM listener still creates an exposure relative to the VPN management method. Although the communications remain confidential, this listener introduces the potential for a denial of service attack. As such, the VPN communication method is highly recommended.

To allow the ABE to communicate with the SonicWALL, and to redirect clients to the appropriate interface on the SonicWALL, two parameters will be constructed by the SonicWALL and passed to the ABE. The following communication parameters should be used for all communications between the ABE and the SonicWALL:

- basemgmturl: The IP address and the port that the ABE uses to communicate with the SonicWALL. It is composed of the HTTPS protocol designator, the IP of the selected LHM management interface, and the LHM port.
- clientredirecturl: The IP address (and optionally the port) on the SonicWALL to which clients will be redirected during various phases of the session, for example, the LAN management IP on the SonicWALL security appliance or the WLAN IP on a SonicOS Enhanced device.

The parameter values will be passed to the ABE by the SonicWALL during Session Creation and during the Session State Sync, and should be used by the ABE as the base in the construction of all relevant URLs. The following are the pages on the SonicWALL that will be referenced by the ABE:

- wirelessservicesunavailable.html: ABE-is-unavailable message. This redirect will typically be sent by the SonicWALL, but can also be referenced by the ABE. Text is configurable.
- externalguestredirect.html: Initial redirect message provided by the SonicWALL on session creation. Text is configurable.
- externalguestlogin.cgi: The page to which the ABE POSTs session creation data.
- externalguestlogoff.cgi: The page to which the ABE POSTs session termination data.
- localguestlogin.cgi: The page to which the ABE POSTs for authenticating user credentials against the SonicWALL's internal user database.
- createguestaccount.cgi: The page to which the ABE POSTs to create a guest account in the SonicWALL's internal user database.

For communications from the SonicWALL to the ABE, URLs (including host, port, and page/resource) hosted on the ABE will be fully configurable at the SonicWALL. The host can be specified using either an IP address or an FQDN. When using an FQDN, the name will be resolved upon first use and will be stored by the SonicWALL as an IP address.

The phases of a session lifecycle are described in the following sections:

- Session Creation
- Session Window Popup
- Idle Timeout
- Session Timeout
- User Logout
- Administrator Logout
- WS Server Status Check
- Session State Sync

The Session Popup Window and WS Server Status Check components will also be described in the following sections.
Session Creation

A session creation occurs when a wireless client attempts to access a web resource and the SonicWALL has no active session information for that client based upon its MAC address.

Figure 58 Session Creation

The transactions between the following devices are listed in chronological order:

- Wireless client
- SonicWALL security appliance
- Webserver
- Authentication server

1. Wireless client associates with the SonicWALL security appliance. It obtains an IP address from the internal DHCP server, or uses static addressing with the DAT feature.
2. Client requests a web resource. The SonicWALL security appliance determines that this is a new session.
3. SonicWALL security appliance redirects the client to the internally hosted externalguestredirect.html page. The externalguestredirect.html page provides administrator-configurable text explaining that the session is being redirected for authentication.
4. During this redirect, the SonicWALL security appliance checks the availability of the ABE via a JavaScript redirect attempt to the configured target redirect page.
   a. If the redirect to the WS fails to occur within a specified period (the value will be configurable on the SonicWALL security appliance, between 1 and 30 seconds), the SonicWALL security appliance will redirect the session to the internal wirelessservicesunavailable.html page.
5. In addition to the JavaScript availability check, an optional full WS Server Status Check will be available from the SonicWALL security appliance (see WS Server Status Check). This option can be configured to run at a configurable interval between 1 and 60 minutes. In the event of an error response code (1, 2, or 255), the SonicWALL security appliance will log the response and will redirect the browser to the internal wirelessservicesunavailable.html page. This page will provide administrator-configurable text explaining recourse.
6. If available, the SonicWALL security appliance redirects the client to the authentication portal hosted on the AS, passing the following parameters:
   a. sessid: A 32-byte hex representation of a 16-byte MD5 hash value generated by the SonicWALL security appliance, which will be used by the SonicWALL security appliance and the WS for indexing clients (such as 11aa3e2f5da3e12ef978ba120d2300ff).
   b. ip: The client IP address.
   c. mac: The client MAC address.
   d. req: The originally requested web site, passed as an argument to the authentication server.
   e. ufi: The SonicWALL Unique Firewall Identifier. To be used for site identification, if desired.
   f. basemgmturl: The protocol, IP address, and port on the SonicWALL security appliance with which the ABE will subsequently communicate.
   g. clientredirecturl: The protocol, IP address (and optionally port) on the SonicWALL security appliance that the ABE will use for client redirection.
7. Client provides authentication information (such as username, password, token, etc.).
8. WS validates the user against the AS.
   a. AS provides session-specific information, namely, Session Timeout and Idle Timeout values.
   b. Session-specific values can optionally be applied globally by the WS rather than obtained from the AS; some value simply needs to be passed to the SonicWALL security appliance.
   c. Timeout values will be presented in seconds and can range from 1 to 863,913,600 (equal to 9999 days).
9. If authentication fails, the WS should redirect the client to a page explaining the failure. A link should be provided back to http(s)://<clientredirecturl>/externalguestredirect.html to restart the process.
10. If successful, the WS connects to the SonicWALL either via HTTPS or via VPN and POSTs the session creation data, including the timeout values (...me=1800&idletimeout=600 in this example), to externalguestlogin.cgi.
    a. The SonicWALL security appliance will attempt to create the session and will send a result to the WS in the same connection.
11. If a failure response is received (such as code 51, 100, or 255), the WS should redirect the client to a page explaining the failure. A link can be provided back to http(s)://<clientredirecturl>/externalguestredirect.html to start the process over.
12. If successful (code 50), the WS can redirect the user to the originally requested site (req) or to any site (such as a portal or start page). The WS should also instruct the user on how to log off from the session (such as bookmark a page, popup window, URL, etc.).

Session Popup Window

It is recommended that sessions be managed via a Session Popup window. This should be a browser window initiated at the time of Session Creation providing session time information (such as lifetime, idle timeout value, timer countdowns, etc.) and a Logout button. Sample code will be provided. Clicking the Logout button ends the session and triggers a User Logout event. Attempting to close the window should provide a warning message that closing the window will end the session. Closing the window ends the session and triggers a User Logout event.
Idle Timeout

This event occurs when the idle timeout (specified in Session Creation step 10) is exceeded.

Figure 59 Idle Timeout

The transactions between the following devices are listed in chronological order:

- Wireless client
- SonicWALL security appliance
- Webserver
- Authentication server

1. Idle timer (as set during Session Creation) expires.
2. Since the client's browser may not be open at this time, we do not initiate this process with a redirect. Instead, the SonicWALL sends a POST to the configured resource on the WS.
   a. The resource to which the POST will be sent will be configurable on the SonicWALL.
   b. The WS-hosted page must expect and interpret the sessid and eventid values.
3. The WS will send an XML result back to the SonicWALL in the same connection. Results are described in the Message Format Logoff Reply section.
4. If the client returns from the idle state and attempts to reach a web resource, the SonicWALL will redirect the user to the internal externalguestredirect.html page, starting the Session Creation process over.

Note: To conserve resources, it is recommended that the idle timeout be set to a maximum of 10 minutes.

Session Timeout

This event occurs when the Session lifetime expires. The exchange is the same as the Idle Timeout above, except that the Session Timeout eventid value is 3 (instead of 4 for an Idle Timeout).
User Logout

This event occurs when the user actively ends the session by closing their Session Popup window or by using the Logout button provided on the Session Popup window. The Session Popup window is the preferred method for user logout; however, the same result can be achieved without this method by allowing the session's lifetime to expire. The latter removes the dependency on the popup window, but manages resources less efficiently.

Figure 60 User Logout

The transactions between the following devices are listed in chronological order:

- Wireless client
- SonicWALL security appliance
- Webserver
- Authentication server

1. Client logs out using the Logout button, or closes the session popup window.
2. The WS sends a POST to externalguestlogoff.cgi on the SonicWALL with the following values:
   a. sessid: The value generated during Session Creation by the SonicWALL, which is used by the SonicWALL and the WS for indexing clients.
   b. eventid: Describes the logoff request event.
3. The SonicWALL responds with a result to the WS in the same connection. Results are described in the Message Format Logoff Reply section.
4. If the client attempts to reach a web resource, the SonicWALL will redirect the user to the internal externalguestredirect.html page, starting the Session Creation process over.
Administrator Logout (Optional)

This event occurs when the ABE administrator logs out a Guest session from the management interface. It will not be possible at this time to terminate ABE-established Guest Sessions from the SonicWALL interface itself. ABE-established Guest Sessions will be represented as such (for example, distinctly from internal WGS Guest Sessions) on the SonicWALL management UI, and will not be editable.

Figure 61 Administrator Logout

The transactions between the following devices are listed in chronological order:

- Wireless client
- SonicWALL security appliance
- Webserver
- Authentication server

1. ABE administrator terminates the Guest session from the management UI.
2. The WS sends a POST to externalguestlogoff.cgi on the SonicWALL with the following values:
   a. sessid: The value generated during Session Creation by the SonicWALL, which is used by the SonicWALL and the WS for indexing clients.
   b. eventid: Describes the logoff request event.
3. The SonicWALL sends a result to the WS in the same connection.
4. If the client returns from the idle state and attempts to reach a web resource, the SonicWALL redirects the user to the internal externalguestredirect.html page, starting the Session Creation process over.
WS Server Status Check

The WS server status check provides more granular ABE status than the JavaScript redirect availability check. The SonicWALL security appliance can optionally send a secure HTTP GET operation to the WS in order to determine server operational status. The target URL is configurable, as is the interval of the query (between 1 and 60 minutes). The WS responds in an XML format listing the server's current state.

Note: If an error response code (1, 2, or 255) is received (indicating that the WS itself is available, but that some other ABE error condition has occurred), the SonicWALL security appliance logs the response and redirects all subsequent authentication requests to the internal wirelessservicesunavailable.html page. The SonicWALL security appliance will continue to attempt to query the ABE at the configured interval and will resume redirection to the WS (rather than to the wirelessservicesunavailable.html page) when a response code of 0 (Server Up) is received.

Session State Sync

The session state sync is a configurable interval (between 1 and 60 minutes). The SonicWALL is configurable to optionally send a secure HTTP POST operation to the WS containing an XML list of all currently active guest sessions.
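The following Python helpers are an added example, written for this page; they are not SonicWALL code and not the sample code the guide says it will provide. They show what the ABE web server has to do with the messages described in the Session Creation, Idle Timeout, Session Timeout and Logout sections: validate the parameters the SonicWALL passes on the initial redirect (sessid, ip, mac, req, ufi, basemgmturl, clientredirecturl), build the POST bodies for externalguestlogin.cgi and externalguestlogoff.cgi, act on result code 50 versus the failure codes, and consume the eventid 3/4 timeout messages. Result codes, event ids, page names and the timeout range come from the text above; the form field name sessiontimeout, the TRUSTED_FIREWALL_HOSTS list and all sample values are assumptions.

```python
# Added example (not SonicWALL code): helpers an LHM Authentication Back-End
# (ABE) web server could use for the Session Creation redirect and for the
# externalguestlogin.cgi / externalguestlogoff.cgi messages. Result codes,
# event ids, page names and the timeout range come from the guide text; the
# timeout field names and the firewall allow-list are assumptions (marked).
import ipaddress
import re
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_OK = 50                     # result code 50: session created
EVENT_SESSION_TIMEOUT = 3         # eventid 3: session lifetime expired
EVENT_IDLE_TIMEOUT = 4            # eventid 4: idle timer expired
MIN_TIMEOUT, MAX_TIMEOUT = 1, 863_913_600   # seconds; max equals 9999 days

# Assumption (constructed value): LHM management addresses of the SonicWALLs
# this ABE is paired with. The guide allow-lists the ABE on the SonicWALL;
# checking the reverse direction here is a defensive choice of this example.
TRUSTED_FIREWALL_HOSTS = {"10.0.0.1"}

_SESSID_RE = re.compile(r"^[0-9a-fA-F]{32}$")   # 16-byte MD5 as 32 hex chars
_MAC_RE = re.compile(r"^([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}$")
_REQUIRED = ("sessid", "ip", "mac", "req", "ufi", "basemgmturl", "clientredirecturl")


class LhmError(ValueError):
    """Raised when an LHM message or parameter is malformed or untrusted."""


def _single(qs, name):
    """Return the one value of a parameter; reject missing or repeated ones."""
    values = qs.get(name)
    if not values or len(values) != 1:
        raise LhmError(f"missing or repeated parameter: {name}")
    return values[0]


def parse_session_creation(query_string):
    """Validate the query parameters the SonicWALL appends when it redirects a
    new client to the ABE portal (Session Creation, step 6)."""
    qs = parse_qs(query_string, keep_blank_values=True)
    params = {name: _single(qs, name) for name in _REQUIRED}
    if not _SESSID_RE.match(params["sessid"]):
        raise LhmError("sessid must be 32 hex characters")
    try:
        ipaddress.ip_address(params["ip"])
    except ValueError:
        raise LhmError("ip is not a valid IP address") from None
    if not _MAC_RE.match(params["mac"]):
        raise LhmError("mac is not a valid MAC address")
    base = urlsplit(params["basemgmturl"])
    if base.scheme != "https" or base.hostname not in TRUSTED_FIREWALL_HOSTS:
        raise LhmError("basemgmturl is not the https address of a paired SonicWALL")
    if urlsplit(params["clientredirecturl"]).scheme not in ("http", "https"):
        raise LhmError("clientredirecturl must be an http(s) URL")
    params["sessid"] = params["sessid"].lower()   # hex digits: case-insensitive index
    return params


def _timeout(name, seconds):
    """Enforce the 1..863,913,600 second range the guide gives for timeouts."""
    seconds = int(seconds)
    if not MIN_TIMEOUT <= seconds <= MAX_TIMEOUT:
        raise LhmError(f"{name} must be {MIN_TIMEOUT}..{MAX_TIMEOUT} seconds")
    return seconds


def build_login_post(basemgmturl, sessid, session_timeout, idle_timeout):
    """URL and form body for the POST to externalguestlogin.cgi once the AS has
    accepted the credentials (Session Creation, step 10). 'idletimeout' is the
    field name shown in the guide; 'sessiontimeout' is an assumption."""
    url = basemgmturl.rstrip("/") + "/externalguestlogin.cgi"
    body = urlencode({"sessid": sessid,
                      "sessiontimeout": _timeout("sessiontimeout", session_timeout),
                      "idletimeout": _timeout("idletimeout", idle_timeout)})
    return url, body


def build_logoff_post(basemgmturl, sessid, eventid):
    """URL and form body for externalguestlogoff.cgi (User/Administrator Logout)."""
    url = basemgmturl.rstrip("/") + "/externalguestlogoff.cgi"
    return url, urlencode({"sessid": sessid, "eventid": int(eventid)})


def next_redirect(result_code, req, clientredirecturl):
    """(ok, url) for the browser after the SonicWALL answers the login POST:
    the requested site on code 50 (step 12), else the externalguestredirect.html
    restart link (step 11). Unknown codes count as failure, never as success."""
    if result_code == LOGIN_OK:
        return True, req
    return False, clientredirecturl.rstrip("/") + "/externalguestredirect.html"


def handle_timeout_event(form_body, sessions):
    """Consume the POST the SonicWALL sends to the WS when a session or idle
    timer expires (eventid 3 or 4) and drop the session from the WS's table."""
    qs = parse_qs(form_body)
    sessid = _single(qs, "sessid").lower()
    try:
        eventid = int(_single(qs, "eventid"))
    except ValueError:
        raise LhmError("eventid is not an integer") from None
    names = {EVENT_SESSION_TIMEOUT: "session-timeout", EVENT_IDLE_TIMEOUT: "idle-timeout"}
    if eventid not in names:
        raise LhmError(f"unexpected eventid {eventid}")
    if sessions.pop(sessid, None) is None:
        raise LhmError("unknown sessid")
    return names[eventid]
```

The functions return URLs and bodies rather than sending them, so they can sit behind whatever HTTP server and HTTPS client the ABE already uses; the WS would call `parse_session_creation` on the portal's query string, `build_login_post` after the AS accepts the credentials, and `handle_timeout_event` in the handler for the resource the SonicWALL is configured to POST to. The guide protects the SonicWALL side with its IP allow list; the TRUSTED_FIREWALL_HOSTS check is the matching precaution on the ABE side, since the ABE will otherwise POST session data to whatever address basemgmturl names.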
Solution #9: Integrating SonicWALL SSL-VPN and SonicWALL Secure Wireless Solutions

This section describes how to use the power and versatility of SonicOS to configure a SonicWALL SSL-VPN appliance to provide an unparalleled level of effortless, clientless security simultaneously to both remote (Internet) users and local wireless (WLAN) users. This section provides configuration procedures in SonicOS Enhanced. The same principles can be applied for SonicOS Standard.

This section contains the following subsections:

- SonicWALL SSL-VPN Series Platforms section on page 117
- Integrating SonicWALL SSL-VPN and Secure Wireless Solutions section on page 119
- SonicWALL SSL-VPN Overview section on page 120
- SonicWALL LHM and SSL-VPN Integration Overview section on page 121
- Configuring the SonicWALL SSL-VPN section on page 122
- Configuring the SonicWALL Security Appliance section on page 131
- Testing Your Configuration section on page 139

SonicWALL SSL-VPN Series Platforms

This section describes the SonicWALL SSL-VPN Series platforms. Refer to the following subsections for more information on the SonicWALL SSL-VPN Series platforms:

- SonicWALL SSL-VPN 2000 section on page 117

Benefits

For a list of SonicWALL SSL-VPN Series deployment benefits and latest platform features, refer to the SonicWALL SSL-VPN Series product data sheet located in the Product Datasheets section on page 189.

SonicWALL SSL-VPN 2000

SonicWALL SSL-VPN 2000 appliances are simple to deploy and manage. They provide organizations of all sizes with secure, easy-to-use remote network and application access for their remote and mobile employees at an extremely affordable price. The SonicWALL SSL-VPN 2000 makes remote access incredibly simple. Remote users require only a standard browser to launch a personalized Web portal that is unique to that user. From this portal, the user has access to e-mail, files, applications and internal Web sites. For more powerful capabilities, such as seamless, secure access to any resource on the corporate network, including servers and complex or home-grown applications, the appliances transparently push a downloadable thin client (NetExtender) to the user's desktop or laptop.

Use Case

A mobile employee using any computer can work remotely at an airport computer terminal, a home office or in a hotel room. In addition, the employee does not have to be concerned with installing or configuring the remote connection. The employee simply points the Web browser to a specific URL and the SSL-VPN portal automatically displays only those resources that are available to that individual based on company policy.
Network administrators will find the SonicWALL SSL-VPN 2000 very simple to deploy and manage. An easy-to-use graphical user interface, Getting Started Guide and set-up wizards guide the administrator quickly through the installation process. Moreover, the capability for granular policy configuration provides the administrator with complete and fine-grained control over individual user access to specific network resources.

SonicWALL SSL-VPN appliances can provide users with secure remote access to one or more of the following resources:

- Corporate mail server
  - From their native client (Microsoft Outlook, Outlook Express, Netscape Mail, Lotus Notes, etc.) residing on their laptop
  - Through a Web interface from a non-company computer or terminal
- Files and file systems on the corporate network (including support for FTP and Windows Network File Sharing)
- Full network connectivity to the corporate network
  - Access network resources as if they were on the local network
- Access to corporate desktops, servers and applications
  - Applications installed on desktop machines or hosted on an application server
  - Full remote control of remote desktop or server machines
  - Includes support for Terminal Services, VNC, Telnet, and SSH
- Corporate Intranet, HTTP and HTTPS sites and Web-based applications

Figure 62 displays the front and back panel of the SonicWALL SSL-VPN 2000.

Figure 62 SonicWALL SSL-VPN 2000
Integrating SonicWALL SSL-VPN and Secure Wireless Solutions

Despite the availability of numerous secure wireless technologies, including such options as WPA, 802.11i, and WiFiSec, delivering and enforcing a secure wireless environment can remain a challenge because of complexity and discontinuity. This is particularly true from the perspective of the client, where there are hardware, operating system, service pack, device driver, and application/supplicant dependencies that must be satisfied before secure wireless operation can be achieved.

Using wireless access as a form of remote access, however, encourages the conceptual application of ease-of-use advancements in the securing of remote access to the securing of wireless access. SonicWALL has long endorsed this methodology with WiFiSec on SonicWALL security appliances, whereby you enforce the use of the SonicWALL Global VPN Client (GVC) to provide IPsec security to wireless users for identity-based access control and session confidentiality. While this process is often more secure and less interruptive than most other solutions, it requires that users install the SonicWALL GVC: a practice that is not objectionable in most cases, but which still requires hands-on interaction with the client.

The notion of clientless secure remote access, popularized by SSL-VPNs, enables your remote users to use a Web browser to provide the same degree of identity-based security as the SonicWALL GVC to remote access sessions, without the need for hands-on client installation of new software. Combining these aspects of SonicWALL's SSL-VPN technology with the seamless automation of external wireless user authentication provided by SonicWALL's Lightweight Hotspot Messaging (LHM) delivers the industry's first clientless, completely non-interruptive secure wireless networking experience.

Figure 63 SonicWALL SSL-VPN and LHM
SonicWALL SSL-VPN Overview

The SonicWALL SSL-VPN provides clientless, identity-based secure remote access to your protected internal network. Using the Virtual Office environment, SSL-VPN can provide users with secure remote access to your entire private network, or to individual components such as file shares, Web servers, FTP servers, remote desktops, or even individual applications hosted on Microsoft Terminal Servers. These various methods of secure remote access are provided by the following components:

NetExtender

NetExtender can provide remote users with full access to your protected internal network. The experience is virtually identical to that delivered by traditional IPsec VPN clients, but NetExtender does not require any manual client installation. Instead, the NetExtender client is automatically installed on remote users' PCs as an ActiveX component which instantiates a virtual adapter for SSL-secure point-to-point access to permitted hosts and subnets on the internal network. NetExtender provides tunnel-all functionality, where all client traffic can be sent through the SSL-VPN, allowing for full security-services enforcement (Intrusion Prevention, Gateway Anti-Virus and Anti-Spyware, etc.) when used in conjunction with an appropriately configured SonicWALL security appliance.

File Shares

File Shares provide remote users with a secure Web interface to Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols. Using a Web interface similar in style to Microsoft's familiar Network Neighborhood or My Network Places, File Shares allows users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files, and to create bookmarks for later recall.

Network Resources

Network Resources are the more finely granular components of a trusted network which can be accessed through the SSL-VPN. Network Resources can be pre-defined by the administrator and assigned to users or groups as bookmarks, or users can define and bookmark their own Network Resources. Network Resources comprise the following remote access capabilities:

- HTTP (Web): Proxy access to an HTTP server on the internal network, or any other network segment that can be reached by the SonicWALL SSL-VPN appliance, including the Internet. The remote user communicates with the SonicWALL SSL-VPN appliance by HTTPS and requests a URL, which is then retrieved over HTTP by the SSL-VPN, transformed as needed, and returned encrypted to the remote user. Web-application session authentication is supported, as are many popular Web applications, including Microsoft Outlook Web Access.
- HTTPS (Web): Proxy access to an HTTPS server on the internal network, or any other network segment that can be reached by the SonicWALL SSL-VPN appliance, including the Internet. The remote user communicates with the SonicWALL SSL-VPN appliance by HTTPS and requests a URL, which is then retrieved over HTTPS by the SSL-VPN, decrypted, transformed as needed, and returned encrypted to the remote user. Web-application session authentication is supported, as are many popular Web applications, including Microsoft Outlook Web Access.
- Telnet (Java): A Java-based telnet client delivered through the remote user's Web browser. The remote user can specify the IP address of any accessible telnet server; the SSL-VPN will make a connection to the server, and will then proxy the communications between the user (over SSL) and the server (using native telnet).
- SSH (Java): A Java-based SSH client delivered through the remote user's Web browser. The remote user can specify the IP address of any accessible SSH server; the SSL-VPN will make a connection to the server, and will then proxy the communications between the user (over SSL) and the server (using natively encrypted SSH).
FTP (Web) - Proxy access to an HTTP server on the internal network, or any other network segment that can be reached by the SonicWALL SSL-VPN appliance, including the Internet. The remote user communicates with the SonicWALL SSL-VPN appliance by HTTPS and requests a URL, which is then retrieved over HTTP by the SSL-VPN, transformed as needed, and returned encrypted to the remote user.

Remote Desktop - Remote Desktop provides remote users with access to RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing) capable workstations and servers on the internal network to approximate the experience of being at the computer. Most modern Microsoft workstations and servers have RDP server capabilities which can easily be enabled for remote access, and there are a number of freely available VNC server options that can be easily obtained and installed on most operating systems. The RDP and VNC clients are automatically delivered to authorized remote users through their Web browser in the formats described in Table 6.

Table 6  Remote Desktop Solutions

RDP4 (Java): RDP4 is an earlier version of Microsoft's Remote Desktop Protocol, and has the advantage of broad platform compatibility because it can be provided in a Java client. RDP4 differs from RDP5 in that RDP4 cannot support full-screen modes, and does not support sound in the RDP session.

RDP5 (ActiveX): RDP5 is the current version of Microsoft's Remote Desktop Protocol, and because of its richer set of capabilities (such as session sound and full-screen mode), is only available in an ActiveX client.

VNC (Java): VNC was originally developed by AT&T, but is today widely available as open source. Any one of the many variants of VNC servers available can be installed on most any workstation or server for remote access. The VNC client to connect to those servers is delivered to remote users through the Web browser as a Java client.

Applications: Applications are RDP sessions to a specific application rather than to the entire desktop. This allows administrators and users to define access to an individual application, such as CRM or accounting software, without the need for the remote user to navigate the entire desktop. When the application is closed, the session closes.

File Shares - File shares (described above) can also be directly bookmarked as Network Resources for simplified access.

SonicWALL LHM and SSL-VPN Integration

Overview

Lightweight Hotspot Messaging (LHM) offers centralized management of authentication for any number of wireless locations by providing an interface between SonicWALL's Wireless Guest Services and any Authentication Back End. LHM allows user management and authentication to occur entirely on an external authentication platform, including SonicWALL's SSL-VPN appliances.

LHM can automatically redirect wireless users to a SonicWALL SSL-VPN appliance attached to a SonicWALL security appliance, where they may authenticate against a local user database, RADIUS, LDAP, or Active Directory. After successful authentication, wireless users will be able to access internal network resources securely through the SSL-VPN's proxy capabilities, or, using NetExtender, they will be transported from the WLAN Zone to the SSL-VPN Zone where they can access entire servers, subnets, or all networks (including both trusted networks and the Internet) using NetExtender's tunnel-all capabilities.

Caveats

The SonicWALL SSL-VPN appliance currently supports a single global NetExtender range and route configuration. Future SonicWALL SSL-VPN firmware releases will support per-group and per-user NetExtender settings, allowing different ranges to be assigned to different users, groups and authentication domains.

The SonicWALL SSL-VPN appliance does not currently exchange LHM session information with the SonicWALL security appliance providing LHM services. As a result, the firewall does not regard the SSL-VPN user session as a Guest Services session, and thus does not allow wireless users direct access to the Internet (access to the Internet is achieved using the tunnel-all capability of NetExtender). The LHM exchange is not required to achieve the functionality described in this Technote, because once SSL-VPN session authentication occurs, the SSL-VPN traffic appears to the firewall as originating from the SSL-VPN Zone rather than the WLAN Zone. Future SonicWALL SSL-VPN firmware releases will support this exchange for the purposes of precise session monitoring and accounting.

Simultaneously offering traditional Wireless Guest Services (wherein wireless users authenticate to obtain Internet access only) and SSL-VPN wireless security (where wireless users are effectively transported from the WLAN Zone to the SSL-VPN Zone) is not currently possible on a shared Wireless Zone. At this time, all users will have the full set of access granted to the SSL-VPN Zone. Future SonicWALL SSL-VPN firmware will support the ability to allow subsets of users to be treated as traditional Wireless Guest Services users.

NetExtender is an ActiveX component, and requires that the client environment be able to support ActiveX. This generally requires Microsoft Internet Explorer 5.01 or higher with appropriate security settings. Refer to the SonicWALL SSL-VPN technical documentation for a full description of compatibility, requirements and recommended settings.

Recommended Versions

SonicOS Standard or newer
SonicOS Enhanced or newer
SonicWALL SSL-VPN or newer

Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.

Configuring the SonicWALL SSL-VPN

It is assumed that the SonicWALL SSL-VPN appliance has been configured (e.g. time settings, DNS, interface addressing, network routes, at least one local user) and connected according to the SonicWALL SSL-VPN Getting Started Guide, and is accessible by the administrator. Refer to the network diagram on page 1 of this document for the sample network used in the following configuration.

SonicWALL SSL-VPN Configuration Steps:

Step 1  Configure a Custom Portal from the Portal > Portal Layouts page (optional, but recommended).
Step 2  Configure an authentication Domain from the Portal > Domains page (as needed; the example will use LDAP).
Step 3  Configure the NetExtender Client Route (the example will use tunnel-all).
Step 4  Configure a domain-specific Group Bookmark for access to the Web server.
Step 5  Configure a domain-specific Group Bookmark for access to the RDP server.
Configuring a Custom Portal Layout

A custom Portal Layout will allow you to present a customized landing page to your users when they are redirected to the SonicWALL SSL-VPN appliance for authentication. Using a custom portal for wireless has the added benefit of allowing you to configure different portal options for your wireless (WLAN) and remote (Internet) SSL-VPN users. For example, you could provide NetExtender to WLAN users through their portal but hide it from remote users; you could choose not to present the File Share option to WLAN SSL-VPN users; or you could simply provide appropriately descriptive text in the Login and Home Page messages for your different portals. The Portal Layout Settings page is illustrated in Figure 64 and field descriptions are provided in Table 7.

Figure 64  Portal Layout Settings Page
Table 7  Portal Layout Settings Page Field Descriptions

Portal Layout Name: The title used to refer to this portal. It is for internal reference only, and is not displayed to users.

Portal Site Title: The title that will appear on the Web browser title bar of users accessing this portal.

Portal Banner Title: The welcome text that will appear at the top of the portal itself.

Login message: Optional text that will appear on the portal login page above the authentication area.

Virtual Host/Domain Name: SSL-VPN 2000 only. Used in environments where multiple portals are offered, allowing simple redirection to the Portal URL using virtual hosts.

Portal URL: The URL that is used to access this specific portal. Note the path here, as it must be specified within the LHM configuration so that users are automatically redirected to this portal.

Display custom login page: Displays the customized login page rather than the default (SonicWALL) login page for this portal.

Display login message on custom login page: Displays the text specified in the Login Message textbox.

Enable HTTP metadata tags for cache control: Embeds HTTP metadata tags in all HTTP/HTTPS pages served to remote users to prevent their browser from caching content.

Enable ActiveX Web cache cleaner: Loads an ActiveX control (browser support required) that will clean up all session content after the SSL-VPN session is closed.

Display Import self-signed certificate link: Provides a link for the remote user to import the self-signed certificate into their trusted root store. If you are using a self-signed certificate (i.e. if you have not obtained a certificate from a well-known certificate authority such as Verisign), it is recommended you enable this feature so that users can import the certificate by clicking on the link this will present to them. It is not strictly required by all components, but it will provide a more seamless and consistent SSL-VPN experience to your users.
The Portal Layout Home Page Settings page is illustrated in Figure 65 and field descriptions are provided in Table 8.

Figure 65  Portal Layout Home Page Settings Page
Table 8  Portal Layout > Home Page Settings Field Descriptions

Display Home Page Message: Displays the customized Home Page message (text defined below) after a user successfully authenticates to the SSL-VPN.

Display NetExtender: Displays the link to NetExtender, allowing users to install and invoke the clientless NetExtender virtual adapter. This configuration example will use NetExtender to provide tunnel-all access, but the use of NetExtender is optional.

Display File Shares: Provides a link to the File Share (Windows SMB/CIFS) Web interface so that authenticated SSL-VPN users may use NT file shares according to their domain permissions.

Display Bookmark Table: Displays the bookmark table containing admin-provided bookmarks. Also allows users to define their own bookmarks to network resources.

Home Page Message: Optional text that can be displayed on the home page presented after successful user authentication.

Bookmark Table Title: Optional text to describe the bookmark section on the Portal's Home Page.

Configuring an Authentication Domain

SSL-VPN Domains define the type of authentication that will be used by a portal. Domain options include:

Local User Database - Users defined on the SonicWALL SSL-VPN appliance.

RADIUS - Remote Authentication Dial In User Service. Uses PAP (password authentication protocol) to authenticate against industry-standard RADIUS databases, including Microsoft platforms running IAS (Internet Authentication Services), Funk's Steel Belted RADIUS, and FreeRADIUS.

NT Domain - Uses SMB (server message block, or NT LANMAN style) authentication against a specified Microsoft Server, for use with most Microsoft Server platforms.

Active Directory - Uses Kerberos authentication against a specified Active Directory capable Microsoft Server. Note: Kerberos authentication is very sensitive to time skew. Time on the SSL-VPN must be synchronized with the time on the Microsoft Server or authentication will fail. It is highly recommended that an NTP server be used for synchronization, particularly if Active Directory authentication is used.

LDAP - RFC 2251 Lightweight Directory Access Protocol version 3. LDAP authentication is the most versatile of all the authentication methods, supporting fine group matching using up to 4 different LDAP attributes. LDAP authentication can also be used against Microsoft Active Directory (as will be used in the example).

Note  LDAP authentication binds to the LDAP tree using the same credentials as are supplied for authentication. When used against Active Directory, this requires that the login credentials provided match the cn (common name) attribute of the user rather than samaccountname (login name). For example, if your NT/Active Directory login name is lmoose and your full name is larry moose, then when logging into the SonicWALL SSL-VPN appliance with LDAP authentication the username larry moose should be provided. This behavior may be modified in subsequent SonicWALL SSL-VPN firmware releases.
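To make the cn-based bind concrete, the following Python is an added example (not code from the guide or from SonicWALL): it builds the DN that a bind using the user's own credentials would target beneath the Base DN from Table 9, escapes the typed name per RFC 4514 so that DN metacharacters in a username cannot alter the DN's structure, and shows why the login name lmoose does not match while the full name larry moose does. The directory contents and the sAMAccountName pre-lookup are constructed here and are not the appliance's behaviour.

```python
"""Added example (not from the SonicWALL guide): how a cn-based LDAP bind
resolves a username, and why "lmoose" fails where "larry moose" succeeds.

The Base DN (cn=users,dc=moosifer,dc=com) and the names come from the guide;
the directory contents and the sAMAccountName lookup are constructed here."""
from typing import Dict, Optional

BASE_DN = "cn=users,dc=moosifer,dc=com"

# Constructed stand-in for the directory: entry DN -> attributes.
# This is not an LDAP server; it only lets the functions run offline.
CONSTRUCTED_DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=larry moose,cn=users,dc=moosifer,dc=com": {"sAMAccountName": "lmoose"},
    "cn=moose\\, bullwinkle,cn=users,dc=moosifer,dc=com": {"sAMAccountName": "bmoose"},
}

# Characters that need a backslash inside an RDN value (RFC 4514, section 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 string form).

    Without this, a username containing ',' or '+' would add RDNs or
    attributes to the DN instead of being treated as part of the cn."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for(username: str, base_dn: str = BASE_DN) -> str:
    """DN the appliance would bind as: cn=<username> directly under the Base DN."""
    return f"cn={escape_rdn_value(username)},{base_dn}"


def cn_bind_succeeds(username: str, base_dn: str = BASE_DN) -> bool:
    """A simple bind only succeeds if an entry exists at exactly that DN."""
    return bind_dn_for(username, base_dn) in CONSTRUCTED_DIRECTORY


def dn_for_login_name(login_name: str) -> Optional[str]:
    """Search-then-bind alternative: find the entry whose sAMAccountName matches.

    This is the two-step approach that would let users type their logon name;
    the guide says the appliance does not do this at the time of writing."""
    for dn, attrs in CONSTRUCTED_DIRECTORY.items():
        if attrs.get("sAMAccountName") == login_name:
            return dn
    return None


if __name__ == "__main__":
    for name in ("larry moose", "lmoose"):
        print(f"{name!r} -> {bind_dn_for(name)} : {cn_bind_succeeds(name)}")
    print("lmoose resolves via sAMAccountName to", dn_for_login_name("lmoose"))
```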
Create your authentication Domain, and bind the portal to the domain.

Step 1  From the Portals > Domains page, click Add Domain. The Add Domain page is illustrated in Figure 66 and field descriptions are provided in Table 9.

Figure 66  Add Domain Page

Table 9  Add Domain Page Field Descriptions

Authentication Type: Select LDAP from the drop-down menu.

Domain Name: This is the domain name that will be presented to users on the login page. This name does not have to match your LDAP/Active Directory domain name, but it should be named so that it is clear to your users. It is therefore recommended that you use a name to which they are accustomed, such as the actual LDAP/Active Directory domain name.

Server Address: The authenticating LDAP server's IP address.

LDAP BaseDN: The base distinguished name for the LDAP tree, for example cn=users,dc=moosifer,dc=com. Note: this must be entered without quotes.

Portal Layout Name: The portal that will be presented for this authentication Domain. For this example, we will select the custom Portal we created in the previous step, mycustomportal.

Require client digital certificates: Optionally require that the client present a client certificate for strong mutual authentication.

Step 2  Click Add when done.
Configuring a NetExtender Client Route

This example uses the default NetExtender IP range of to . The first address, , will be bound to the terminating internal PPP adapter on the SonicWALL SSL-VPN appliance. Client NetExtender virtual adapter leases will begin with the address .

The NetExtender client route defines the networks to which NetExtender users will be given access. For example, if you wanted to grant NetExtender users access to the / network only, you would add that network to the destination networks list in the NetExtender > Client Routes page. In our example, we will be taking advantage of NetExtender's tunnel-all capability to send all client traffic through the SonicWALL SSL-VPN appliance.

Some operating systems or system environments do not correctly apply the default route. If this is the case, you may also specify tunnel-all operation by using two more specific routes as follows:

For route 1, click Add Client Route, enter in Destination Network, in the Subnet Mask field, and click Add.

For route 2, click Add Client Route, enter in Destination Network, in the Subnet Mask field, and click Add.

Figure 67  Add Client Route Page
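The two-route fallback above works because route selection is longest-prefix-match. The following Python is an added example (not from the guide or SonicWALL) that simulates it: a host's existing default route is left in place, but two /1 routes covering all of IPv4 are more specific than 0.0.0.0/0 and so win regardless of metric, while a host route to the appliance itself keeps the tunnel endpoint reachable. The /1 split (0.0.0.0/1 and 128.0.0.0/1) is the standard way of doing this and is assumed here because the guide's own route values did not survive extraction; adapter names, metrics and addresses are constructed.

```python
"""Added example (not from the SonicWALL guide): longest-prefix route selection
and why two /1 routes give tunnel-all behaviour even when a host ignores a
pushed default route. Adapter names, metrics and addresses are constructed;
the /1 split is assumed to be the pair of "more specific routes" the guide means."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: IPv4Network
    interface: str
    metric: int


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Pick the most specific matching route; metric only breaks ties."""
    addr = ip_address(destination)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def tunnel_all_split_routes(interface: str, metric: int) -> List[Route]:
    """The two /1 halves of 0.0.0.0/0 (assumed values for the guide's routes)."""
    return [Route(ip_network("0.0.0.0/1"), interface, metric),
            Route(ip_network("128.0.0.0/1"), interface, metric)]


def split_routes_cover_all_ipv4() -> bool:
    """Check the two halves are exactly the /1 subnets of 0.0.0.0/0."""
    halves = sorted(r.network for r in tunnel_all_split_routes("x", 0))
    return halves == sorted(ip_network("0.0.0.0/0").subnets(prefixlen_diff=1))


# Constructed client host: the wireless adapter already owns a default route
# with a lower (better) metric than anything the virtual adapter installs,
# plus a host route so the client can still reach the SSL-VPN appliance itself.
APPLIANCE_PUBLIC_IP = "203.0.113.10"   # constructed, RFC 5737 documentation range
WLAN_DEFAULT = Route(ip_network("0.0.0.0/0"), "wlan0", 10)
WLAN_TO_APPLIANCE = Route(ip_network(APPLIANCE_PUBLIC_IP + "/32"), "wlan0", 10)
NETEXTENDER_DEFAULT = Route(ip_network("0.0.0.0/0"), "netextender", 20)


def egress_with_pushed_default(destination: str) -> str:
    """Default-route-only tunnel-all: the better metric keeps traffic on wlan0."""
    table = [WLAN_DEFAULT, WLAN_TO_APPLIANCE, NETEXTENDER_DEFAULT]
    return select_route(table, destination).interface


def egress_with_split_routes(destination: str) -> str:
    """Two /1 routes: longer prefix than /0, so the tunnel wins on any metric."""
    table = [WLAN_DEFAULT, WLAN_TO_APPLIANCE] + tunnel_all_split_routes("netextender", 20)
    return select_route(table, destination).interface


if __name__ == "__main__":
    for dst in ("10.1.1.1", "192.0.2.5", APPLIANCE_PUBLIC_IP):
        print(dst, egress_with_pushed_default(dst), egress_with_split_routes(dst))
```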
Configuring Domain-Specific Network Resource Bookmarks

As part of our example, we will create two Network Resource bookmarks specific to the Domain. Bookmarks can be added, from least specific (for the broadest audience) to most specific (for the narrowest audience), at the following levels:

Global Group Policy Bookmarks - All bookmark-enabled SSL-VPN users will receive this bookmark.

Global User Policy Bookmarks - All bookmark-enabled SSL-VPN users will receive this bookmark.

Group Bookmarks - All bookmark-enabled SSL-VPN users belonging to the specified group (which can be an automatically created group directly correlated to a domain) will receive this bookmark.

User Bookmarks - The specific bookmark-enabled SSL-VPN user will receive this bookmark.

The first bookmark added will be a global group (moosifer.com) policy bookmark to the Web server located on the (optional) X1 interface of the SonicWALL SSL-VPN appliance. This will be used to demonstrate how to configure routing on the SonicWALL security appliance to support multi-port configurations on the SonicWALL SSL-VPN appliance.

Note  The use of multiple interfaces on the SonicWALL SSL-VPN appliance is entirely optional. Most configurations will use a single interface (one-port mode), but multiple interfaces can be used to offer higher levels of physical segmentation. Despite this additional segmentation, however, administrators should bear in mind that this configuration prevents security services (i.e. deep packet inspection) from being applied to traffic between SSL-VPN users and the destination server (e.g. ), since the traffic never traverses the SonicWALL security appliance. This multi-port configuration is provided only as a demonstration, and is not necessarily a recommendation.

Step 1  From the Users > Local Groups page, select the Edit icon next to the auto-created group corresponding to the Domain you created in step 2 (e.g. the moosifer.com group).

Figure 68  Users > Local Groups Page
Step 2  In the pop-up window that appears, click the Add Bookmark button. The Add Bookmark page is illustrated in Figure 69 and field descriptions are provided in Table 10.

Figure 69  Add Bookmark Page

Table 10  Add Bookmark Page Field Descriptions

Bookmark Name: Enter the name you wish to give to the bookmark. This is the name that will appear to all target users.

Name or IP Address: The name (requires successful DNS resolution, or a static Host entry on the Network > Host Resolution page) or IP address of the Network Resource.

Service: The type of service provided by this Network Resource, such as HTTP, HTTPS, FTP, Telnet, SSH, RDP4/5, VNC, or File Share. Select HTTP.

Step 3  Click Add when done.
Step 4  Click Add Bookmark again to create the second bookmark.

Figure 70  Add Bookmark Page

Step 5  Name and address the bookmark appropriately. For Service, select Terminal Services (RDP5). Our example will demonstrate an RDP connection to the Active Directory Server on the LAN.

Step 6  Screen Size: When Terminal Services is selected as the service, it is necessary to define the screen size for the session. RDP4 and RDP5 both support 640x480, 800x600, 1024x768, and 1280x1024. RDP5 also supports full screen. Application and Path: An optional argument that can be passed to the RDP session so that a specific application is launched at startup rather than the entire remote desktop.

Step 7  Click Add when done. The Bookmark table should now look as follows:

Figure 71  Bookmark Table

Step 8  Click the Close button at the bottom of the window.

This completes the configuration of the SonicWALL SSL-VPN appliance. We will return to its administrative interface later for connectivity testing.
Configuring the SonicWALL Security Appliance

It is assumed that the SonicWALL security appliance is configured and operational within the network, that the SonicPoints have been configured and that wireless connectivity has been tested, that the desired security services have been activated, and that the SonicWALL security appliance is accessible by the administrator. It is recommended that the SonicWALL SSL-VPN Getting Started Guide be employed in adding the SonicWALL SSL-VPN appliance to the network in either the SSL-VPN on the DMZ or SSL-VPN on an Existing DMZ configuration. Refer to the network diagram on page 1 of this document for the sample network used in the following configuration.

SonicWALL Security Appliance Configuration Prerequisites (refer to the SonicWALL SSL-VPN Getting Started Guide):

1. Change the default management ports from 80 and 443 to other values, e.g. and 444, to facilitate WAN access to the SonicWALL SSL-VPN appliance.
   a. Alternatively, you may keep the ports at their defaults and instead disable HTTP and HTTPS management on the WAN interfaces.
2. Configure the X2 interface on the SonicWALL security appliance.
   a. Create a custom Public Zone named SSL-VPN, configure security services, and assign the interface to this Zone.
   b. Configure the interface with IP address , and activate management options.
3. Use the Public Server Wizard to configure WAN-originated access to the SonicWALL SSL-VPN appliance.
4. Configure Dynamic DNS to provide simplified access by FQDN rather than by IP address (as needed).

SonicWALL Security Appliance Configuration Steps:

Step 1  Configure LHM (external) authentication on the WLAN zone
   a. Disable WiFiSec
   b. Enable Dynamic Address Translation (optional)
Step 2  Create a Host Address Object for the SSL-VPN X0 interface ( )
Step 3  Create a Network Address Object for the SSL-VPN X1 subnet ( / )
Step 4  Create a route to the SSL-VPN X1 subnet via 
Step 5  Create an SSL-VPN->LAN allow rule for all traffic, all addresses
Step 6  Verify the presence of the auto-created WLAN->SSL-VPN and SSL-VPN->WAN allow rules
Step 7  Optional: Configure access from the SSL-VPN/NetExtender subnet ( /24) to site-to-site IPsec VPN destinations
   a. Option 1: Add the SSL-VPN subnet to the networks proposed on both sides of the VPN (bi-directional communications).
   b. Option 2: Use NAT to translate the SSL-VPN subnet to an already proposed network (uni-directional communications).
Configuring LHM for Redirection of Users to the SSL-VPN

Step 1  From the Network > Zones page, click the Edit icon for the WLAN Zone.

Step 2  On the Wireless tab, make sure WiFiSec Enforcement is disabled.

Note  You may continue to use WiFiSec if you so desire, but it would be redundant and inconvenient to do so.

Step 3  On the Guest Services tab:
   a. Select the Enable Wireless Guest Services checkbox.
   b. Select Enable Dynamic Address Translation (DAT). This step is optional.
   c. Change the Max Guests value to the number of concurrent SSL-VPN wireless users you wish to support (up to 255). Note: this will not be enforced until a future SonicWALL SSL-VPN firmware release which supports full LHM messaging.
   d. Select the Enable External Guest Authentication checkbox.
   e. Click the Configure button to the right of Enable External Guest Authentication.
   f. A popup window will appear. Configure the General and Auth Pages tabs as shown in Figure 72.

Figure 72  General and Authentication Pages
   g. On the General tab, the Web-Server Protocol, Host, and Port settings will point to the X0 interface of the SonicWALL SSL-VPN appliance. This will be the destination to which wireless users will be automatically redirected.
   h. On the Auth Pages tab, the specified pages should point to the Portal URL specified during the Portal Layout configuration on page 5. This field is case sensitive, and must be entered without quotes and with the proper use of slashes. Note the syntax for entry: portal/mycustomportal
   i. Click OK to close the Configuration window.
   j. Click OK to close the Edit Zone window.

Create Host Address Object for the SSL-VPN X0 Interface ( )

Step 1  From the Network > Address Objects page, click Add and create a Host Address Object for the SSL-VPN X0 interface IP address. This Address Object will be used to create the route to the (optional) X1 subnet ( / ).

Figure 73  Edit Address Object Page

Step 2  Click OK to add the entry.
Create Network Address Object for the SSL-VPN X1 Subnet ( / ) As Needed

Step 1  From the Network > Address Objects page, click Add and create a Network Address Object for the SSL-VPN X1 subnet.

Figure 74  Edit Address Object Page

Create a Route to the SSL-VPN X1 Subnet Using 

Step 1  From the Network > Routing page, click the Add button at the bottom of the Route Policies table.

Step 2  Add a route for the / network using the Address Objects you created in steps 2 and 3.

Step 3  This route will allow traffic from the /24 subnet to traverse the firewall. Failure to add this route will result in traffic from this subnet (e.g. from the Web Server) being dropped by the firewall.
Create an SSL-VPN->LAN Allow Rule for All Traffic (All Addresses)

By default, the SSL-VPN Zone (a Public-type Zone) will be allowed access to the WAN (an Untrusted-type Zone). This will allow SSL-VPN users originating from the WLAN (wireless) or the Internet (remote) to access resources on the Internet. Keep in mind that when SSL-VPN users access a Network Resource or a Bookmark, the access appears to come from the SonicWALL SSL-VPN appliance itself. Also, when using NetExtender to reach an allowed destination network (including tunnel-all, / ), the access originates from the NetExtender range (e.g. to , which is also on the SSL-VPN Zone).

Since we want to allow authenticated SSL-VPN users to access trusted (LAN) resources, in our example the /24 network, we will need to add a Firewall Access Rule to permit this access. The rule we will be creating will be a very general allow any-to-any rule, but you may create a more specific rule if you so desire.

Step 1  From the Firewall > Access Rules page, Matrix View, select the intersection of the SSL-VPN to LAN Zone.
Step 2  There will be a default Deny access rule for all traffic. Click the Edit icon to change the configuration of this rule.
Step 3  Under Settings, change the Action from Deny to Permit.
Step 4  Make sure Allow Fragmented Packets is enabled.
Step 5  On the Advanced tab, you may wish to set the TCP Connection Inactivity Timeout to a larger value, such as 30 or 60 minutes, to prevent unwanted session interruption (optional).
Step 6  Click OK to commit the changes.

Verify the Presence of Auto-created WLAN->SSL-VPN and SSL-VPN->WAN Allow Rules

Navigate back to the Firewall > Access Rules matrix view, and verify that auto-created Allow rules are present for all traffic from the WLAN to SSL-VPN Zone, and from the SSL-VPN to WAN Zone. If for any reason they are absent, or are not set to Allow, create or modify them accordingly.
At this point, the required configuration steps on both the SonicWALL SSL-VPN appliance and the SonicWALL security appliance are complete. If you have a site-to-site VPN configured on the firewall, and you wish to allow SSL-VPN (including NetExtender) access to these remote sites, continue to step 7, otherwise you may proceed directly to the Testing Your Configuration section on page
Optional: Configure Access from SSL-VPN/NetExtender Subnet ( /24) to Site-to-Site IPsec VPN Destinations

If this network location is linked to other networks by site-to-site IPsec VPNs, you may wish to provide access for SSL-VPN users to those remote networks. This will allow both wireless SSL-VPN and remote SSL-VPN users to access those remote sites. There are two methods to achieve this: the first allows bi-directional access (both sides can initiate or respond directly to hosts on either side) but requires configuration changes on both sides of the VPN tunnel, while the second requires changes only on the local firewall, but allows only uni-directional access (only the local network can initiate traffic to hosts on the remote side).

Option 1: Add the SSL-VPN Subnet to the Networks Proposed on Both Sides of the VPN (Bi-directional Communications)

On the local firewall, modify the Local Networks on the VPN Policy to include the SSL-VPN subnet (e.g. the X2 Subnet, or / ). This can be achieved simply by selecting Firewalled Subnets as the Address Object, or by creating an Address Object group comprising the appropriate local networks. On the remote firewall, modify the Destination Networks on the VPN Policy to include the SSL-VPN subnet (this must be explicitly created and specified, e.g. as a Network Address Object / ).

Option 2: Use NAT to Translate the SSL-VPN Subnet to an Already Proposed Network (Uni-directional Communications)

This second option assumes that the X0 Subnet on the local network (e.g. /24) is already included in the VPN policy. We will create a NAT rule that translates traffic originating from the SSL-VPN subnet ( / ) that is destined to the VPN (CorporateVPN Nets) to the X0 interface IP address ( ) of the local firewall. This will allow access to be initiated from the SSL-VPN subnet (including NetExtender sessions) to the CorporateVPN Nets, but it will not allow access from the remote VPN to be initiated to the SSL-VPN subnet. This option is useful when you most commonly need to access resources at the opposite end of the VPN tunnel (such as a remote office accessing resources at Corporate Headquarters), and is relatively easy to employ because it does not require any reconfiguration of the remote VPN policy.
To add a NAT policy for traffic originating from the SSL-VPN subnet with a destination of the Corporate VPN, perform the following steps:

Step 1  From the Network > NAT Policies page, click the Add button.
Step 2  Define a NAT policy as illustrated in Figure 75.

Figure 75  Edit NAT Policy Settings Page

Step 3  Click OK when done to add the policy.
To add an Access Rule to allow traffic from the SSL-VPN subnet across the VPN, perform the following steps:

Step 1  From the Firewall > Access Rules page, Matrix View, select the intersection between the SSL-VPN and VPN zones.
Step 2  Click the Add button, and create an Access Rule as illustrated in Figure 76.

Figure 76  Edit Rule Settings Page

Step 3  Click OK when done.
Testing Your Configuration

SonicWALL SSL-VPN Appliance Testing Steps:

Step 1  From the System > Diagnostics page, verify that you can ping (the X2 interface on the SonicWALL security appliance).
Step 2  From the System > Diagnostics page, verify that you can resolve and ping the Internet host time.nist.gov.
Step 3  Visit the Users > Status page after successfully authenticating a user (next section) to verify session status.

Wireless Client Testing Steps:

Step 1  Associate with the SSID configured on the SonicPoint.
Step 2  Verify that you obtain a DHCP lease in the appropriate address range (e.g. x).
Step 3  Launch a Web browser and attempt to request a page. Your session should be redirected to the SSL-VPN Custom Portal page.
Step 4  Login using appropriate credentials. Note: When using LDAP against Active Directory, you must currently use your full name rather than your logon name. Click the Login button.

Figure 77  My Custom Portal Login Page
Step 5  Upon successful authentication, you will be presented with the custom portal page.

Figure 78  My Custom Portal Welcome Page

Step 6  You should see the two Network Resource Bookmarks you created on Page 7 (Step 3).
Step 7  Test both of the Bookmarks.

Note  At this point, you will only have access to Network Resources through the SonicWALL SSL-VPN appliance. You will not be able to reach the Internet, or undefined (non-bookmarked) Network Resources on the LAN. Attempts to do so (e.g. if you try to browse to a site on the Internet like ) will cause Guest Services to redirect you back to the SSL-VPN login page. This is normal.

Step 8  To obtain access to all network resources, including the Internet, click on the Connect with NetExtender link. This will update/install the NetExtender Virtual Adapter (as needed) and will automatically connect to the SSL-VPN using NetExtender.
Step 9  A client route will be added to / (tunnel-all). All traffic from this host will now pass through the SSL-VPN, and through the upstream SonicWALL security appliance.
Step 10  You may close the NetExtender pop-up window. It will be minimized to your System Tray, but will persist, providing continued network access.
Step 11  Attempt to ping or otherwise use network resources on the SonicWALL LAN Network (e.g. ).
Step 12  Attempt to browse to or some other Internet site.
Step 13  Attempt to ping or otherwise use network resources on the SSL-VPN X1 subnet (e.g. or ).
Step 14  As applicable, test that Security Services are being applied to your traffic (e.g. enable IPS Low Priority Attack Detection and attempt to ping time.nist.gov). Visit the log page on the SonicWALL to verify that IPS has detected the traffic, and see it originating from your NetExtender address (e.g. ).

Remote Client Testing Steps:

Step 1  From the remote client (e.g. a dial-up connection to the Internet, or as performed by an actual remote user/assistant), visit to determine your current IP address. Note this address.
Step 2  Now browse to the IP address or FQDN (if registered with DNS or DDNS) of your firewall (e.g. or ), or to the appropriate address if you have multiple public IP addresses and used an address other than the Primary WAN IP.
Step 3  You should be presented with the SSL-VPN Virtual Office Portal page (or custom page, if you've so configured the LocalDomain portal). Note: Since you are not providing a specific URL, the page presented will be the LocalDomain Portal rather than the mycustomportal portal.
Step 4  Provide the credentials for the local user created during Getting Started Guide setup. If you did not create a local user, you may authenticate as admin and select the Virtual Office button in the navigation panel to launch the Virtual Office.
Step 5  Click the Connect with NetExtender button. This will update/install the NetExtender Virtual Adapter (as needed) and will automatically connect to the SSL-VPN using NetExtender.
Step 6  A client route will be added to / (tunnel-all). All traffic from this host will now pass through the SSL-VPN, and through the upstream SonicWALL security appliance.
Step 7  You may close the NetExtender pop-up window. It will be minimized to your System Tray, but will persist, providing continued network access.
Step 8  Once again, visit . Your IP address should now be that of the SonicWALL security appliance in front of the SonicWALL SSL-VPN appliance (e.g. ).
Step 9  Attempt to ping or otherwise use network resources on the SonicWALL LAN Network (e.g. ).
Step 10  Attempt to ping or otherwise use network resources on the SSL-VPN X1 subnet (e.g. or ).
Step 11  As applicable, test that Security Services are being applied to your traffic (e.g. enable IPS Low Priority Attack Detection and attempt to ping time.nist.gov). Visit the log page on the SonicWALL to verify that IPS has detected the traffic, and see it originating from your NetExtender address (e.g. ).
Solution #10: Configuring a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless to a SonicPoint

This section describes how to configure a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless (acting as the Wireless Bridge) through a SonicPoint to a VPN terminated on the Wireless Zone of a SonicWALL security appliance. The described configuration tunnels all traffic from the local network behind the SonicWALL TZ 170 Wireless, through the SonicPoint, to the SonicWALL PRO Series security appliance managing that SonicPoint, where Access Rules and NAT Policies are configured to allow access to the LAN and to the Internet. More restrictive rules and policies can be defined as needed.

This section contains the following subsections:
SonicWALL TZ Series Platforms section on page 143
Configuring a Secure Wireless Bridge Tasklist section on page 145
Adding a Network Address Object on the SonicWALL PRO Series Security Appliance section on page 147
Configuring the VPN Policy on the SonicWALL PRO Series Security Appliance section on page 148

Secure Wireless Bridging Network Deployment Scenario
Figure 79 Secure Wireless Bridging

Caveats
The VPN tunnel cannot use the WLAN GroupVPN on the SonicWALL PRO Series security appliance. A separate VPN policy must be defined.
Turbo Mode is not supported.
The actual rate of the wireless link between the two sites will be determined by environmental conditions.
Recommended SonicOS Software Versions
SonicWALL TZ 170 SP Wireless running SonicOS Enhanced or higher
SonicWALL TZ 170 Wireless running SonicOS Standard or higher
SonicWALL PRO Series security appliance running SonicOS Enhanced or higher
SonicPoint with firmware provided by SonicOS Enhanced or higher

SonicWALL TZ Series Platforms
This section describes the SonicWALL TZ Series wireless platforms. Refer to the following subsections for more information:
SonicWALL TZ 170 SP Wireless section on page 143
SonicWALL TZ 170 Wireless section on page 144

Benefits
For a list of SonicWALL TZ Series deployment benefits and the latest platform features, refer to the SonicWALL TZ Series product data sheet located in the Product Datasheets section on page 189.

SonicWALL TZ 170 SP Wireless
The SonicWALL TZ 170 SP Wireless is a combined wired and wireless security platform designed for continuous network uptime, providing secure data connectivity through integrated and automated failover and failback. Dual broadband WAN connections plus an integrated analog WAN port and secure 802.11g wireless make the SonicWALL TZ 170 SP Wireless the first appliance to offer automated broadband-to-broadband-to-analog WAN redundancy on both wired and wireless networks. Designed for small office, retail/point-of-sale and telecommuter applications, this deep packet inspection firewall/VPN appliance accommodates 6,000 simultaneous connections and comes standard with IPSec VPN and site-to-site VPN. Features such as enforced VPN encryption on the wireless LAN and wireless intrusion detection and prevention services deliver strong wireless security. Network administrators can create multiple zones of access for wired and wireless workers as well as guest wireless users, offering fine-grained control without compromising network security.
The SonicWALL TZ 170 SP Wireless also includes an integrated 5-port auto-MDIX switch with a designated 802.3af PoE port and a customizable optional port, providing considerable network configuration flexibility. It supports the industry-standard 802.11g wireless LAN (WLAN) technology while delivering up to 90 Mbps of firewall and 30+ Mbps of combined 3DES/AES VPN throughput on the wired and wireless LANs. In addition, the SonicWALL TZ 170 SP Wireless comes standard with SonicOS Enhanced, enabling advanced networking features such as ISP failover, load balancing, policy-based NAT and object-based management. SonicOS Enhanced also activates the optional port, which is fully customizable as a second LAN, a second WAN, a WLAN, a DMZ or another customized network zone. When the optional port is configured as a WLAN, the SonicWALL TZ 170 SP Wireless can support up to two SonicPoint satellite access points as part of SonicWALL's Secure Wireless Solution. The SonicWALL TZ 170 SP Wireless supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client, and can be managed by SonicWALL's Global Management System.
Figure 80 displays the front and back panel of the SonicWALL TZ 170 SP Wireless.
Figure 80 SonicWALL TZ 170 SP Wireless
Supports up to 8 SonicPoints. Recommended number of SonicPoints per WLAN interface: 2

SonicWALL TZ 170 Wireless
The SonicWALL TZ 170 Wireless is a security platform that brings enterprise-class wireless security to small networks, integrating secure 802.11g wireless, firewall and VPN technologies in a cost-effective, easy-to-use solution. This deep packet inspection firewall/VPN appliance ships in multiple node configurations, accommodates 6,000 simultaneous connections and comes standard with IPSec VPN, site-to-site VPN and a single bundled VPN Client license (25 and Unrestricted node) for network access from any location, using any Internet connection, over any IP network. Features such as enforced VPN encryption on the wireless LAN and wireless intrusion detection and prevention services deliver strong wireless security. Network administrators can create multiple zones of access for wired and wireless workers as well as guest wireless users, offering fine-grained control without compromising network security. The SonicWALL TZ 170 Wireless also includes an integrated 5-port auto-MDIX switch with a designated 802.3af PoE port and a customizable optional port. It supports the industry-standard 802.11g wireless LAN (WLAN) technology while delivering up to 90 Mbps of firewall and 30+ Mbps of combined 3DES/AES VPN throughput on the wired and wireless LANs. An optional upgrade on the SonicWALL TZ 170 Wireless, SonicOS Enhanced enables business continuity and flexibility features such as ISP failover, WAN redundancy, load balancing, policy-based NAT and object-based management.
With the upgrade to SonicOS Enhanced, the optional port is activated and fully customizable as a second LAN, a second WAN, a WLAN, a DMZ or another customized network zone. The SonicWALL TZ 170 Wireless supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client, and can be managed by SonicWALL's Global Management System.
Figure 81 displays the front and back panel of the SonicWALL TZ 170 Wireless.
Figure 81 SonicWALL TZ 170 Wireless
Supports up to 8 SonicPoints. Recommended number of SonicPoints per WLAN interface: 2

Configuring a Secure Wireless Bridge Tasklist
Step 1 Perform basic configuration on the SonicWALL PRO Series security appliance (managing the SonicPoint):
a. X0 (LAN) IP: /24
b. X1 (WAN) IP: As assigned by ISP
c. X2: Unused
d. X3 (WLAN) IP: /24
e. SonicPoint Profile 802.11g SSID: spg
Step 2 Perform basic configuration on the SonicWALL TZ 170 Wireless:
a. LAN IP: /24
b. WAN IP: Unused
Step 3 Configure a Network Address Object on the SonicWALL PRO Series security appliance:
a. Address Object for the SonicWALL TZ 170 Wireless LAN network (the x network): type Network, /, bound to the VPN zone
Step 4 Configure the VPN Policy (IKE with PSK) on the SonicWALL PRO Series security appliance:
a. Policy name: tz170w-bridge
b. Peer Gateway: (the WLAN IP of the SonicWALL TZ 170 Wireless)
c. Shared secret: password (a placeholder; use a long random secret in production, since the WLAN side of this tunnel is reachable over the air)
d. Local Network: Any Address
e. Destination Network: the x Network Address Object created in Step 3
f. Phase 1 and Phase 2 Proposal configuration
g. Advanced Settings: Management and NetBIOS (optional); bind the Policy to the X3 interface
Step 5 Verify the Network Access Rules.
Step 6 Configure a NAT Policy on the SonicWALL PRO Series security appliance:
a. Translate the x network to the WAN Primary IP for Internet access.
Step 7 Configure the Default Route on the SonicWALL TZ 170 Wireless:
a. Default route on WLAN to (the X3 IP of the SonicWALL PRO Series security appliance)
Step 8 Configure the Wireless Settings on the SonicWALL TZ 170 Wireless:
a. WLAN IP: /24
b. WLAN SSID: spg
c. Radio Role: Wireless Bridge
Step 9 Configure the VPN Policy on the SonicWALL TZ 170 Wireless:
a. Policy name: tosp
b. Peer Gateway: (the X3 IP of the SonicWALL PRO Series security appliance)
c. Shared secret: password (must match Step 4c)
d. Use this VPN Tunnel as the default route for all Internet traffic
e. Phase 1 and Phase 2 Proposal configuration
f. Advanced Settings: NetBIOS (optional)
Adding a Network Address Object on the SonicWALL PRO Series Security Appliance
After performing the basic configuration of the Interfaces on all devices, and the SonicPoint Profile and Wireless Zone settings on the SonicWALL PRO Series security appliance, begin the implementation-specific configuration by defining an Address Object on the SonicWALL PRO Series security appliance to represent the Remote Network for the VPN Policy (that is, the LAN Network of the SonicWALL TZ 170 Wireless).

Address Object
From the Network > Address Objects page, click the Add button, and define a new Network Address Object as follows:
Figure 82 Adding an Address Object
After the x object has been added, it should appear in the Address Objects table:
Figure 83 Address Objects Table
Configuring the VPN Policy on the SonicWALL PRO Series Security Appliance
From the VPN > Settings page, under the VPN Policies section, click the Add button, and define a new VPN Policy as described in Figure 84.
Figure 84 Defining a New VPN Policy
Note Be certain to bind the VPN policy (on the Advanced tab) to the interface through which your SonicPoint(s) are connected (X3 in this scenario).
After adding the VPN policy, it should appear in the VPN Policies table:
Access Rules (Auto-Created)
Access Rules will be auto-created, but you may wish to review them on the Firewall > Access Rules page. Inbound and outbound Access Rules for the VPN policy should be present. By default they allow Any service; tighten this to the services the bridged LAN actually needs. Inbound and outbound bandwidth management can also be applied to the Access Rules.
The inbound access rule should appear as follows (mousing over the Comment icon shows the auto-created comment):
The outbound access rule should appear as follows (mousing over the Comment icon shows the auto-created comment):

NAT Policy (SonicWALL PRO Series Security Appliance)
To provide Internet access to the SonicWALL TZ 170 Wireless LAN users (the x network), add a NAT Policy on the SonicWALL PRO Series security appliance translating the x network to the WAN Primary IP of the SonicWALL PRO Series security appliance. From the Network > NAT Policies page, click the Add button and define the following NAT Policy:
After adding the NAT Policy, it should appear in the NAT Policies table:

Setup Steps (SonicWALL TZ 170 Wireless)
Moving back to the SonicWALL TZ 170 Wireless, continue the configuration by setting the default route on the WLAN interface, with a gateway value of (the X3 interface of the SonicWALL PRO Series security appliance).

Default Route (SonicWALL TZ 170 Wireless)
From the Network > Routing page, click the Configure icon in the Default Route section at the top of the page. Configure the Default Route as follows:
Note If WiFiSec enforcement is enabled on the Wireless Zone of the SonicWALL PRO Series security appliance, all traffic arriving on that zone must be IPSec traffic (or WPA, if so configured). Traffic that travels from the SonicWALL TZ 170 Wireless to the SonicWALL PRO Series security appliance via this default route must therefore be VPN traffic, or it will be dropped.
Wireless Settings (SonicWALL TZ 170 Wireless)
From the Wireless > Settings page, set the SonicWALL TZ 170 Wireless Radio Role to Wireless Bridge. Confirm the change, as needed. It might take a few moments for this setting to take effect while the radio switches to the new mode of operation. Make certain the WLAN and WiFiSec Enforcement are enabled. Configure the WLAN interface IP address to /. Set the SSID to match that of the SonicPoint through which you will be connecting (spg). The other settings may be safely left at their default values. Click the Apply button.
VPN Policy (SonicWALL TZ 170 Wireless)
From the VPN > Settings page, click the Add button. Define the VPN Policy as follows:
Note Do not enable Secure Wireless Bridging or Apply NAT and Firewall Rules on this policy. This configuration routes all traffic through this VPN tunnel. You may define a more specific Destination Network, as desired. Additionally, you may set Advanced settings such as Keep-alives, authentication, and NetBIOS broadcast support as needed.
Testing and Troubleshooting
Verify that Workstation 2 ( ) is configured to use the SonicWALL TZ 170 Wireless LAN interface ( ) as its default gateway.
From Workstation 2, attempt to ping Workstation 1 ( ), which sits behind the SonicWALL PRO Series security appliance. This should initiate the VPN tunnel if it has not already been established.
From the VPN > Settings page of the SonicWALL PRO Series security appliance's management UI, verify that the tunnel is established:
In the Currently Active VPN Tunnels section of the same page, view the tunnel's traffic statistics by clicking the statistics icon:
The VPN Tunnel Statistics summary should display inbound and outbound traffic:
From Workstation 1, attempt to ping Workstation 2 to verify that traffic can flow from the SonicWALL PRO Series security appliance's LAN segment to the SonicWALL TZ 170 Wireless LAN segment.
From Workstation 2, open a web browser and browse to an Internet web site to verify that LAN stations behind the SonicWALL TZ 170 Wireless can reach the Internet through the tunnel.
If initial tunnel establishment fails, or if any of the traffic fails to behave as expected, verify all settings as described in this document. If that fails to resolve the problem, go to the Log > Categories page and enable Network Debug (the Legacy category on the SonicWALL PRO Series security appliance). Attempt to re-establish the tunnel or re-send the traffic, then check the Log > View page for an indication of the nature of the failure.
Deploying SonicWALL GMS for a SonicWALL Secure Wireless Network
This section provides procedures to deploy SonicWALL Global Management System (GMS) and to use its management, reporting, and monitoring features. SonicWALL GMS is a browser-based application that can configure and manage thousands of SonicWALL Internet security appliances from a central location. It provides small organizations, enterprises and service providers with flexible, powerful and intuitive tools to centralize security policy management for anywhere from a few to thousands of remote SonicWALL Internet security appliances, VPNs, and advanced security services. SonicWALL GMS scales with growing networks and offers centralized reporting and monitoring; distributed management, redundancy, and load balancing keep the management service available. For enterprise customers, SonicWALL GMS streamlines security policy management and appliance deployment, minimizing administration overhead. For service providers, SonicWALL GMS simplifies security management for multiple clients and creates additional revenue opportunities.
SonicWALL GMS is capable of managing large networks that use SonicWALL security appliances, which dramatically lowers the cost of managing a secure distributed network. It does this by enabling administrators to monitor the status of, and apply configurations to, all managed SonicWALL security appliances, groups of appliances, or individual appliances. You can also configure multi-site VPNs for SonicWALL security appliances: from the SonicWALL GMS user interface (UI), you can add VPN licenses to appliances, configure VPN settings, and enable or disable remote-client access for each network. SonicWALL GMS provides monitoring features that enable you to view the current status of SonicWALL security appliances, pending tasks, and log messages.
It also provides graphical reporting of firewall and network activity for the SonicWALL security appliances. A wide range of informative real-time and historical reports can be generated to provide insight into usage trends and security events.
This section contains the following subsections:
SonicWALL GMS Applications section on page 155
Deployment Requirements section on page 156
Configuring and Maintaining SonicWALL Security Appliances Using GMS section on page 160
Configuring the GMS Wireless Policy Panel section on page 162
Configuring GMS Top Intrusions Reports section on page 173
Configuring VPN Monitor section on page 175
Configuring GMS Net Monitor section on page
SonicWALL Secure Wireless Network Managed with GMS
Figure 85 provides a network diagram of a GMS-managed SonicWALL Secure Wireless network deployment.
Figure 85 GMS-Managed Network

SonicWALL GMS Applications
SonicWALL GMS is designed to be used within any organization that needs to centrally manage and configure multiple SonicWALL security appliances. Some of the major uses for SonicWALL GMS include:
Remote site management for distributed organizations: enables medium- to large-sized enterprises with multiple sites to centrally administer Internet security policies.
Managed security services for system integrators: enables system integrators to offer turnkey managed security services to small- to medium-sized enterprises.
Managed security services for service providers: enables service providers to offer managed security services to consumers.

GMS Benefits
For a list of SonicWALL GMS deployment benefits and the latest management and reporting software features, refer to the SonicWALL Global Management System product data sheet located in the Product Datasheets section on page 189.
Deployment Requirements
SonicWALL GMS requires a number of deployment components. Before installing SonicWALL GMS, review the following deployment requirements.

Supported Platforms
Solaris 8
Windows 2000
Windows XP Professional
Windows Server 2003

Supported Databases
Oracle version
Microsoft SQL Server 2000 SP3

Supported Drivers
SonicWALL GMS requires a Java Database Connectivity (JDBC) driver to communicate with the database. For Oracle, the JDBC driver is included with the Oracle database. For Microsoft SQL Server 2000, SonicWALL provides the Sprinta 2000 JDBC driver.

Secure Communications Link
SonicWALL GMS communicates with the managed SonicWALL security appliances through IPSec VPN tunnels. These tunnels are established between the SGMS gateway, which sits between the SonicWALL GMS server(s) and the network, and the managed SonicWALL security appliances. An SGMS gateway can be any VPN-enabled SonicWALL appliance, configured in either Standard or NAT mode. For Standard mode, the SGMS gateway must be running firmware version or later.

Supported Firmware
The SonicWALL security appliances and the SGMS gateway must run firmware version or later. No earlier versions of the firmware are supported.

SonicWALL GMS Installation
Installation is available on one server (single installation) or multiple servers (distributed installation). When SonicWALL GMS is installed on one system, firewall management redundancy and load balancing are not available for its SonicWALL security appliances.
Windows-based SonicWALL GMS services include the following:
SGMS Monitoring Manager
SGMS Scheduler
SGMS SNMP Manager
SGMS Syslog Collector
SGMS ViewPoint Scheduler
SGMS ViewPoint Summarizer
SGMS Web Server
Solaris-based SonicWALL GMS daemons include the following:
monitord.sh
sgmssched.sh
sgmssnmpmgr.sh
sgmsvp1.sh
sgmsvp2.sh
syslogd.sh
tomcat.sh
When installing SonicWALL GMS on multiple systems, management redundancy and load balancing are available for the managed SonicWALL security appliances. Windows environments use the following services on the SonicWALL GMS Agents:
SGMS Scheduler
SGMS SNMP Manager
SGMS ViewPoint Summarizer
SGMS Monitoring Manager
SGMS Syslog Collector
The SonicWALL GMS Console has the following additional services:
SGMS ViewPoint Scheduler
SGMS ViewPoint Summarizer
SGMS SNMP Manager
SGMS Web Server
Solaris environments use the sgmssched.sh, sgmsvp2.sh, sgmsnmpmgr.sh, monitord.sh, and syslogd.sh daemons on the SonicWALL GMS Agents; the tomcat.sh and sgmsvp1.sh daemons run additionally on the SonicWALL GMS Console systems.
Note The SonicWALL GMS console and agent servers must use static IP addresses.

Database Installation
Installing the database on a separate system is highly recommended.

Configuring Your SonicWALL Security Appliances for GMS Network Management
Before an existing SonicWALL appliance can be administered from the SonicWALL GMS UI, the following must occur:
The firmware must be updated to a version that is compatible with SonicWALL GMS.
Remote management must be enabled on the SonicWALL appliance.
The SonicWALL appliance must be added to the SonicWALL GMS UI.

Updating Firmware
SonicWALL security appliances that are managed by SonicWALL GMS must be running firmware version or later, or SonicOS firmware version or later. For information on updating firmware, refer to the SonicWALL appliance's documentation.
Enabling Remote Management
To configure the SonicWALL security appliance to be remotely managed by SonicWALL GMS:
1. Log into the SonicWALL security appliance.
2. Click the System > Administration page. The Administration page appears (Figure 86). Scroll down to the Advanced Management section.
Figure 86 SonicOS System > Administration Page, Advanced Management Section
3. Select the Enable Management using GMS check box.
4. Click Configure.
The Configure GMS Settings dialog box appears as illustrated in Figure 87.
Figure 87 Configure GMS Settings Dialog Box
5. Configure the following options:
GMS Host Name or IP Address: IP address or host name of the SonicWALL GMS server.
GMS Syslog Server Port: syslog server port (default: 514).
GMS behind NAT Device: specifies whether the SonicWALL GMS server is behind a NAT device. If so, enter the IP address in the NAT Device IP Address field.
6. Select one of the following from the Management Mode list box:
IPSec Management: if the SonicWALL appliance will be managed through a VPN management tunnel (the default), configure the following fields:
Encryption Algorithm: select Encrypt and Authenticate (DES MD5).
Encryption Key: 16-character encryption key. The key must be exactly 16 characters long and composed of hexadecimal characters. Valid hexadecimal characters are 0 to 9 and a to f. For example, a valid key would be abcdef.
VPN Policy Bound to: select Interface WAN.
Authentication Key: 32-character authentication key. The key must be exactly 32 characters long and composed of hexadecimal characters. For example, a valid key would be abcdef abcdef.
Note that single DES (56-bit) and MD5 are weak by current standards and these keys are long-lived static values: generate them from a cryptographically random source rather than choosing them by hand, store them as you would any other secret, and where the topology permits prefer management through an existing VPN tunnel with a stronger policy, or HTTPS management.
Management through Existing VPN Tunnel: if the SonicWALL appliance will be managed through an existing tunnel or is on the same network as the SonicWALL GMS server, no further configuration is necessary. Continue to the next step.
HTTPS Management: if the SonicWALL appliance will be managed using HTTPS, specify whether SonicWALL GMS uses a separate GMS Reporting server that collects syslog data. If so, select the Send Syslog Messages to a Distributed GMS Reporting Server check box and enter the IP address and port of the server in the GMS Reporting Server IP Address and GMS Reporting Server Port fields.
Note If there is a firewall between the SonicWALL security appliance and the SonicWALL GMS Agent, make sure the firewall is configured to allow the default GMS Syslog Server Port (514).
7. When you are finished, click Update. The SonicWALL appliance is now configured for management by SonicWALL GMS. To clear the settings and start over, click Reset.
8. To add the SonicWALL security appliance to the SonicWALL GMS UI using the import option, save the SonicWALL appliance's configuration (preferences) file.

Configuring and Maintaining SonicWALL Security Appliances Using GMS
The SonicWALL GMS UI is similar to the SonicOS UI. However, SonicWALL GMS offers the ability to push configuration settings to a single SonicWALL appliance, a group of SonicWALL security appliances, or all SonicWALL security appliances being managed by SonicWALL GMS.

GMS Maintenance Example
To change the time for all SonicWALL security appliances within a group, select the group, expand the General tree, and click Time. The Time page appears (Figure 88).
Figure 88 Time Page
When you have finished making changes, click Update. The changes become tasks and are applied to all SonicWALL units within the group. To view the status of these tasks, click the Console tab, then expand the SonicWALL GMS Tasks tree and click Scheduled Tasks. The Scheduled Tasks page appears (Figure 89).
Figure 89 Scheduled Tasks Page
The task appears on the Scheduled Tasks page. After a task is successfully applied to a SonicWALL appliance, it is removed from the page.
SonicWALL GMS provides a scheduling engine. Once a configuration policy is defined for a SonicWALL appliance or a group of SonicWALL security appliances, SonicWALL GMS schedules a task for this policy for each SonicWALL appliance. By default, SonicWALL GMS queues and executes tasks immediately. To have SonicWALL GMS execute tasks when network activity is low, you can schedule them for a specific window of operation by configuring the default task execution schedule. If tasks are configured to execute at a specific time but you need to execute one or more of them now, you can execute them immediately from the Scheduled Tasks page. You can also reschedule tasks for a specific time outside of the scheduled window of operation.
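The IPSec Management keys entered under Enabling Remote Management (step 6 above) are static, long-lived secrets typed into a dialog, so it is worth checking them before they are pushed to a group of appliances. The following Python script is an added example, not part of this guide or of SonicWALL GMS: it enforces the format the dialog states (exactly 16 and 32 hexadecimal characters, normalized to lowercase), rejects the four DES weak keys, flags single-byte repeats and the familiar 0123456789abcdef documentation placeholder (the repeat and placeholder checks are this example's additions, not requirements the guide states), and generates fresh keys from the operating system's random source. All function and constant names are this example's own.

```python
import re
import secrets

# Added example, not SonicWALL code. Key lengths are the ones the Configure GMS
# Settings dialog states, in hex characters.
ENCRYPTION_KEY_HEX_LEN = 16      # DES key: 8 bytes, of which 56 bits are secret
AUTHENTICATION_KEY_HEX_LEN = 32  # MD5 authentication key: 16 bytes

# The four DES weak keys (FIPS 46-3): encrypting twice with one of them returns the plaintext.
DES_WEAK_KEYS = frozenset({
    "0101010101010101",
    "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1",
    "1f1f1f1f0e0e0e0e",
})

# Assumption: hex sequences that appear as sample values in many documents and get copied
# into production. The guide does not list these; the check is this example's addition.
DOC_PLACEHOLDER_KEYS = frozenset({
    "0123456789abcdef",
    "0123456789abcdef0123456789abcdef",
})

_HEX_RE = re.compile(r"[0-9a-f]+")


def check_hex_key(key, expected_len, label):
    """Return (normalized_key, reason); reason is None when the key meets the dialog's format."""
    k = key.strip().lower()
    if len(k) != expected_len:
        return k, f"{label} must be exactly {expected_len} hex characters, got {len(k)}"
    if not _HEX_RE.fullmatch(k):
        return k, f"{label} may only contain 0-9 and a-f"
    return k, None


def _repeats_single_byte(k):
    """True when every byte of the key is the same (e.g. 0000... or ffff...)."""
    return len({k[i:i + 2] for i in range(0, len(k), 2)}) == 1


def check_gms_ipsec_keys(encryption_key, authentication_key):
    """Validate the IPSec Management keys; returns a list of findings (empty means acceptable)."""
    findings = []
    enc, why = check_hex_key(encryption_key, ENCRYPTION_KEY_HEX_LEN, "encryption key")
    enc_ok = why is None
    if not enc_ok:
        findings.append(why)
    else:
        if enc in DES_WEAK_KEYS:
            findings.append("encryption key is a DES weak key")
        if _repeats_single_byte(enc):
            findings.append("encryption key repeats a single byte")
        if enc in DOC_PLACEHOLDER_KEYS:
            findings.append("encryption key is a documentation placeholder")
    auth, why = check_hex_key(authentication_key, AUTHENTICATION_KEY_HEX_LEN, "authentication key")
    auth_ok = why is None
    if not auth_ok:
        findings.append(why)
    else:
        if _repeats_single_byte(auth):
            findings.append("authentication key repeats a single byte")
        if auth in DOC_PLACEHOLDER_KEYS:
            findings.append("authentication key is a documentation placeholder")
    # The two keys protect different things; reusing one inside the other links them.
    if enc_ok and auth_ok and enc in auth:
        findings.append("authentication key contains the encryption key")
    return findings


def generate_gms_ipsec_keys():
    """Fresh keys from the OS CSPRNG, already in the lowercase hex form the dialog accepts."""
    return (secrets.token_hex(ENCRYPTION_KEY_HEX_LEN // 2),
            secrets.token_hex(AUTHENTICATION_KEY_HEX_LEN // 2))


if __name__ == "__main__":
    enc, auth = generate_gms_ipsec_keys()
    print("Encryption Key:    ", enc)
    print("Authentication Key:", auth)
    print("Findings for a weak sample:", check_gms_ipsec_keys("0101010101010101", "00" * 16))
```

Run it before filling in the dialog: generate_gms_ipsec_keys() produces values that pass check_gms_ipsec_keys(), and the findings list tells you why a hand-typed key was rejected. The DES weak-key check matters because DES is the only cipher this dialog offers; the other checks catch the habits (repeated digits, copied samples) that make static keys guessable.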
Configuring the GMS Wireless Policy Panel
This section provides procedures to configure GMS Wireless policy settings. It contains the following subsections on GMS wireless policy management:
Configuring GMS Wireless > Settings section on page 162
Wireless Radio Operating Schedule section on page 164
Configuring WEP Encryption Settings section on page 164
Configuring Advanced Wireless Settings section on page 165
Configuring MAC Filter List Settings section on page 167
Configuring Intrusion Detection Services Settings section on page 168
Configuring Wireless Guest Services section on page 169
Configuring the URL Allow List section on page 170
Denying Access to Networks section on page 170
Configuring the Custom Login Screen section on page 172

Configuring GMS Wireless > Settings
This section describes how to configure general wireless settings. To do this, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a wireless SonicWALL security appliance.
3. Expand the Wireless tree and click Settings. The Settings page appears (Figure 90).
Figure 90 Wireless > Settings Page
4. Select whether the SonicWALL appliance will act as an Access Point or a Wireless Bridge from the Radio Role list box.
5. To enable wireless networking on this device, select the Enable WLAN check box.
6. Enter the IP address and subnet mask of the Wireless LAN port in the WLAN IP Address and WLAN Subnet Mask fields.
7. Enter the Service Set Identifier (SSID), or wireless network name, in the SSID field (maximum: 32 characters).
8. Select a wireless channel to use from the Channel list box.
9. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Wireless Radio Operating Schedule
Wireless Schedule allows you to specify time periods of operation for the WLAN. This feature is available on the Wireless > Settings screen. In SonicOS Standard it appears under the Use Time Constraints section; in SonicOS Enhanced it appears as the Schedule drop-down list. At unit level, only the section that applies to that unit's SonicOS (Standard or Enhanced) is displayed. At group level, both options are shown, with text in italics indicating which applies to SonicOS Standard and which to SonicOS Enhanced.

Configuring WEP Encryption Settings
This section describes how to configure Wired Equivalent Privacy (WEP) security settings. WEP is cryptographically broken: its key can be recovered from captured traffic, and Shared Key authentication additionally hands an eavesdropper a keystream sample in its challenge/response exchange. Use it only for legacy clients that support nothing better, and prefer WiFiSec or WPA where the clients allow. To configure WEP, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a wireless SonicWALL security appliance.
3. Expand the Wireless tree and click WEP Encryption. The WEP Encryption page appears (Figure 91).
Figure 91 WEP Encryption Page
4. Select whether wireless devices that attempt to connect to the SonicWALL security appliance must first authenticate:
If all devices must authenticate, select Shared Key from the Authentication Type list box.
If no authentication is required, select Open System from the Authentication Type list box.
To support both authenticated and non-authenticated connections, select Both from the Authentication Type list box.
5. Select the size of the key used to authenticate devices that connect to the SonicWALL appliance from the WEP Key Mode field.
6. If you selected the Shared Key authentication type, do the following:
Select the default key from the Default Key list box. This is the first key that will be used to send challenges to wireless devices attempting to communicate with the SonicWALL security appliance.
Select whether the encryption keys will be Alphanumeric or Hexadecimal.
Enter up to four keys in the Key fields.
7. To specify a client that will have wireless access without additional authentication, enter its information in the MAC Address and Comment fields and click Add. Repeat this step for each client to add.
8. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Advanced Wireless Settings
This section describes how to configure advanced wireless settings. To do this, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a wireless SonicWALL security appliance.
3. Expand the Wireless tree and click Advanced. The Advanced page appears (Figure 92).
Figure 92 Advanced Page
4. SSIDs are used to logically segment wireless networks. At an interval that you set, the wireless SonicWALL security appliance sends out beacon frames that identify the SSID. Select the following beacon options:
To hide the SSID in beacons, select the Hide SSID in Beacon check box.
Note This provides only marginal security, as Probe Responses and other frames still contain the SSID.
To block responses when a device does not specify an SSID, select the Block Response to Unspecified SSID check box.
Enter how often (in milliseconds) a beacon will be sent in the Beacon Interval field.
5. Wireless clients are devices that attempt to access the wireless SonicWALL security appliance. Select the following wireless client options:
To specify the maximum number of wireless clients, enter the limit in the Maximum Client Associations field.
Select whether wireless clients will be able to communicate with each other from the Interclient Communications list box.
Enter the URL of the VPN Client software in the VPN Client Download URL field.
6. Select the following Advanced Radio Settings:
Enable Antenna Diversity.
Select the transmit power of the wireless SonicWALL security appliance from the Transmit Power list box.
Choose the preamble type. A preamble is the initial information sent in a frame that announces to other devices in the network the beginning of data transmission. Most current 802.11b/g equipment supports the short preamble option, which improves throughput and is recommended unless your wireless network includes older equipment that only supports long preambles.
Specify the frame size (in bytes) above which the SonicWALL security appliance will begin fragmenting packets in the Fragmentation Threshold field.
In environments with high rates of collision, the Request to Send/Clear to Send (RTS/CTS) feature reduces collision rates. The RTS/CTS exchange is invoked when a wireless device wishes to send a large frame.
First, the wireless device sends an RTS/CTS request which is answered by an RTS/CTS response. All other wireless devices receive this response and cease transmitting for the specified period of time. To activate RTS/CTS, specify the size a packet must reach before the RTS/CTS feature is invoked in the RTS Threshold field. A threshold around 500 to 600 kilobytes is generally recommended. Using a threshold larger than the Fragmentation Threshold will essentially disable this feature (default: 2432 or disabled). The delivery traffic indication message (DTIM) is a message that informs power-save devices that a packet is waiting for them. This message is sent with a beacon. To configure this interval, enter a value in the DTIM Interval field (default: 3). For example, if you specify a value of 4 and the Beacon Interval is set to 100 milliseconds, DTIMs will be sent every 400 milliseconds. 166
   Specify the amount of time (in seconds) within which an authentication must take place in the authentication field (default: 10 seconds).
   Specify the amount of time (in seconds) within which an authenticated device must establish an association in the Association Timeout field (default: 300 seconds).
7. Select the broadcast rate from the Broadcast Rate field.
8. When you are finished, click Update. The settings are changed for the selected SonicWALL security appliance. To clear all screen settings and start over, click Reset.

Configuring MAC Filter List Settings

SonicWALL Wireless security appliances can allow or block wireless devices based on their MAC addresses. To configure the MAC filter list, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a wireless SonicWALL appliance, a group, or the global icon.
3. Expand the Wireless tree and click MAC Filter List. The MAC Filter List page appears (Figure 93).
Figure 93 MAC Filter List Page
4. To enable the MAC filter list for the selected device(s), select the Enable MAC Filter List check box.
5. To add a MAC address to the filter list, enter the address in the MAC Address List field, select whether it is allowed or blocked, add any comments to the Comment field, and click Add MAC Address. Repeat this step for each MAC address that you want to add.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance(s). To clear all screen settings and start over, click Reset.
Configuring Intrusion Detection Services Settings

This section describes how to configure Intrusion Detection Services (IDS) settings for SonicWALL Wireless security appliances. To configure the IDS, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a SonicWALL Wireless security appliance, a group, or the global icon.
3. Expand the Wireless tree and click IDS. The IDS page appears (Figure 94).
Figure 94 IDS Page
4. Sequence number analysis is used to detect MAC address spoofing. To enable this feature, select the Enable Sequence Number Analysis check box.
5. Hackers can cause a Denial-of-Service (DoS) attack by flooding a wireless network with association requests. To combat this, select the Enable Association Flood Detection check box. The default association flood threshold is 10 association attempts within 5 seconds. To change this setting, enter new flood threshold values. To block the MAC address of a computer or device attempting this attack, select the Block station's MAC address in response to an association flood field.
6. To access a network, hackers can set up a rogue access point that will intercept communications with legitimate users attempting to access a legitimate access point. This man-in-the-middle attack can expose passwords and other network resources. To enable detection of rogue access points, select the Enable Rogue Access Point Detection check box.
7. To prevent rogue access points, you must specify each authorized access point within the network. To do so, enter the MAC address of an access point in the MAC Address field and click Add. Repeat this step for each authorized access point within the network.
8. When you are finished, click Update. The settings are changed for the selected SonicWALL security appliance(s). To clear all screen settings and start over, click Reset.
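As an added example that is not SonicWALL's code, the following Python models the three IDS checks of this section over a constructed capture of 802.11 management-frame events: association flood detection with the page's default threshold of 10 attempts within 5 seconds and the block-on-flood option, rogue access point detection against the list of authorized access point MACs, and sequence number analysis for MAC spoofing. The MAC addresses, the event format and the sequence-gap tolerances are assumptions for the example.

```python
from collections import defaultdict, deque

# Page defaults: an association flood is 10 association attempts within 5 s.
FLOOD_ATTEMPTS = 10
FLOOD_WINDOW_S = 5.0

# Sequence-number analysis: the 802.11 sequence control field is a 12-bit
# counter (wraps at 4096) that one radio increments per frame. Two radios
# using the same source MAC produce jumps no single counter would.
SEQ_MODULO = 4096
MAX_FORWARD_GAP = 256   # assumed: frames the sensor simply did not overhear
RETRY_TOLERANCE = 64    # assumed: small backwards steps from retransmissions


class WirelessIDS:
    """Offline model of the three IDS checks; event dicts are constructed."""

    def __init__(self, authorized_aps, block_on_flood=True):
        self.authorized_aps = {m.lower() for m in authorized_aps}
        self.block_on_flood = block_on_flood
        self.assoc_times = defaultdict(deque)  # station MAC -> recent timestamps
        self.last_seq = {}                      # station MAC -> last sequence number
        self.blocked = set()
        self.alerts = []                        # (kind, mac, timestamp)

    def handle(self, ev):
        mac = ev["src"].lower()
        t = ev["t"]
        if mac in self.blocked:
            return  # a blocked station's frames are dropped, not analysed
        if ev.get("seq") is not None:
            self._check_sequence(mac, ev["seq"], t)
        if ev["type"] == "assoc_req":
            self._check_flood(mac, t)
        elif ev["type"] == "beacon":
            self._check_rogue(mac, t)

    def _check_sequence(self, mac, seq, t):
        prev = self.last_seq.get(mac)
        self.last_seq[mac] = seq
        if prev is None:
            return
        delta = (seq - prev) % SEQ_MODULO
        # A single radio moves forward by a little (or a little back on retry);
        # anything in between means two counters share one address.
        if MAX_FORWARD_GAP <= delta < SEQ_MODULO - RETRY_TOLERANCE:
            self.alerts.append(("mac_spoof", mac, t))

    def _check_flood(self, mac, t):
        window = self.assoc_times[mac]
        window.append(t)
        while window and t - window[0] > FLOOD_WINDOW_S:
            window.popleft()  # keep only attempts inside the 5 s window
        if len(window) >= FLOOD_ATTEMPTS:
            self.alerts.append(("assoc_flood", mac, t))
            if self.block_on_flood:
                self.blocked.add(mac)  # the "Block station's MAC address" option
            window.clear()

    def _check_rogue(self, bssid, t):
        # A beacon from a BSSID that is not on the authorized list is a rogue AP.
        if bssid not in self.authorized_aps:
            self.alerts.append(("rogue_ap", bssid, t))


def constructed_events():
    """Constructed sample capture: one authorized AP, one rogue AP, one
    flooding station and one station whose MAC is being spoofed."""
    events = [
        {"t": 0.0, "type": "beacon", "src": "00:17:C5:AA:BB:01", "seq": 10},
        {"t": 0.1, "type": "beacon", "src": "00:17:C5:DE:AD:01", "seq": 77},
    ]
    # 10 association requests in 4.5 s from one station
    events += [{"t": 1.0 + 0.5 * i, "type": "assoc_req",
                "src": "00:1C:B3:11:22:33", "seq": 200 + i} for i in range(10)]
    # a legitimate station at seq 300..302, then a second radio at seq 2900
    for i, seq in enumerate((300, 301, 302, 2900)):
        events.append({"t": 2.0 + i, "type": "probe_req",
                       "src": "00:1C:B3:44:55:66", "seq": seq})
    return sorted(events, key=lambda e: e["t"])


def run(events, authorized_aps=("00:17:c5:aa:bb:01",), block_on_flood=True):
    ids = WirelessIDS(authorized_aps, block_on_flood)
    for ev in events:
        ids.handle(ev)
    return ids


if __name__ == "__main__":
    result = run(constructed_events())
    for kind, mac, t in result.alerts:
        print(f"t={t:5.1f}s {kind:12s} {mac}")
    print("blocked:", sorted(result.blocked))
```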
Configuring Wireless Guest Services

This section describes how to configure Wireless Guest Services (WGS).

Configuring General Wireless Guest Services Settings

This section describes how to configure general Wireless Guest Services settings. To do this, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a wireless SonicWALL security appliance.
3. Expand the WGS tree and click Settings. The Settings page appears (Figure 95).
Figure 95 WGS > Settings Page
4. To enable Wireless Guest Services on this device, select the Enable Wireless Guest Services check box.
5. To disable filtering for guest accounts, select the Bypass Filters for Guest Accounts check box.
6. To limit the number of concurrent guests, enter the maximum number in the Maximum Concurrent Guests field.
7. DAT saves wireless clients the hassle of reconfiguring their IP address and network settings. To enable DAT, select the Dynamic Address Translation (DAT) check box.
8. To add a new guest, click Add New Wireless Guest and enter the following information:
   User Name: enter the username of the guest account.
   User Password: enter the password of the guest account.
   Confirm Password: reenter the password of the guest account.
   Account Lifetime: select the maximum lifetime of the guest account.
   Session Timeout: select the session timeout for the guest account.
   Comment: add any comments.
9. When you are finished, click Update. The settings are changed for the selected SonicWALL security appliance. To clear all screen settings and start over, click Reset.

Configuring the URL Allow List

The URL allow list specifies URLs that can be accessed by unauthenticated users. To configure this list, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a SonicWALL wireless security appliance.
3. Expand the WGS tree and click URL Allow List. The URL Allow List page appears (Figure 96).
Figure 96 URL Allow List Page
4. To enable the URL Allow List, select the Enable URL Allow List for Unauthenticated Users check box.
5. To add a URL to the URL Allow List, enter a URL and click Add. Repeat this step for each URL that you would like to add.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Denying Access to Networks

To specify networks that authenticated users will not be allowed to access, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a wireless SonicWALL security appliance.
3. Expand the WGS tree and click IP Deny List. The IP Deny List page appears (Figure 97).
Figure 97 IP Deny List Page
4. To enable the IP Deny List, select the Enable IP Address Deny List for Authenticated Users check box.
5. To add a network to the IP Deny List, enter an IP address and subnet mask and click Add IP Deny Entry. Repeat this step for each network that you would like to add.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL security appliance. To clear all screen settings and start over, click Reset.
Configuring the Custom Login Screen

The Custom Login page is used to configure the login page that will be accessed by guest users attempting to connect to the wireless SonicWALL appliance. To configure the Custom Login page, follow these steps:
1. Start and log into SonicWALL GMS.
2. Select a wireless SonicWALL security appliance.
3. Expand the WGS tree and click Custom Login. The Custom Login page appears (Figure 98).
Figure 98 Custom Login Page
4. To customize the login page, select the Customize Login Page check box.
5. The body of the login page will contain the username and password fields that the user must fill in to authenticate with the SonicWALL security appliance. To configure the header and footer text, select from the following:
   To display custom header and footer URLs, enter the URLs in the Custom Header URL and Custom Footer URL fields.
   To enter custom text for the header and footer, enter the text in the Custom Header Text and Custom Footer Text fields.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL security appliance. To clear all screen settings and start over, click Reset.
Configuring GMS Top Intrusions Reports

The GMS Top Intrusions report displays the types of intrusions that occurred on the specified date. To view the Top Intrusions report, follow these steps:
1. Start and log into SonicWALL GMS.
2. Click the Reports tab.
3. Select a SonicWALL security appliance.
4. Expand the Intrusion Prevention tree and click Top Intrusions. The Top Intrusions page appears (Figure 99).
Figure 99 Top Intrusions Page
5. The pie chart displays the percentage of each type of intrusion attempt. To view source and destination information on the individual intrusion attempts, expand the category tree (indicated by a + sign).
6. The table contains the following information:
   Category: the type of intrusion.
   Intrusions: number of intrusion attempts.
   % of Intrusions: percentage of this type of intrusion, compared to all other intrusion types. For example, if 5,000 intrusion attempts occurred during the day and Web IIS attempts make up 3,000 of the intrusion attempts, its % of Intrusions field will display 60%.
7. By default, the GMS Reporting Module shows today's report, a pie chart, and the ten top categories. To change these settings, click Settings. The Report Settings dialog box appears (Figure 100).
Figure 100 Report Settings Dialog Box
8. Select the number of categories that will be displayed from the Number of Categories list box.
9. Select the type of chart from the Chart Type list box.
10. Select the year, month, and day that you would like to view.
11. When you are finished, click Close. The GMS Reporting Module displays the report for the selected day.
Note These settings will stay in effect for all similar reports during your active login session.
Configuring VPN Monitor

The VPN Monitor shows a graphical representation of the VPN network. All devices within the network are displayed and color-coded according to their operational state. To open the VPN Monitor, follow these steps:
1. Start and log into SonicWALL GMS.
2. Click the Monitor tab.
3. Expand the Tools tree and click VPN Monitor.
4. Click Show Navigation Tool Window. The VPN Monitor appears with the configured VPN tunnels displayed (Figure 101).
Figure 101 VPN Monitor
5. The VPN Monitor provides a quick way to view the status of VPN connections within the GMS network. The following describes the meaning of link and device colors:
   Node Status
     Yellow Device: unit is provisioned
     Blue Device: node is operational
     Red Device: node is down
     Black Device: group node
     Dark Gray Device: VPN not enabled
     Purple Device: non-GMS device
     White Device: expanded tunnel nodes
   Link Status
     Blue Link: tunnel is operational
     Red Link: tunnel is down
     Yellow Link: tunnel is pending
     Black Link: tunnel is disabled
     White Link: tunnel status unknown
   Link Thickness
     1x Thick: link not selected
     2x Thick: link is selected
     Solid: direct tunnel
     Dashed: indirect tunnel
6. To synchronize the status of a tunnel with the Agent, right-click the SonicWALL security appliance and select Synchronize Tunnel Status.
7. To show the remote units that belong to a SonicWALL security appliance, right-click the agent and select Expand. To hide the remote units, right-click the SonicWALL security appliance and select Collapse.
8. To center a SonicWALL security appliance and remove all other devices from the display, right-click the SonicWALL security appliance and select Center this node.
9. When you are finished monitoring VPNs, close the window.
Configuring GMS Net Monitor

The SonicWALL GMS Net Monitor periodically tests the status of SonicWALL security appliances and other network devices. Once configured, it enables you to monitor the status of your network and immediately respond when SonicWALL security appliances and other network devices become unavailable.

The Net Monitor enables you to categorize different groups of SonicWALL security appliances or other network devices. You can categorize them by device type, geography, or any other organizational scheme. Additionally, you can assign devices within each category a high, medium, or low priority. Figure 102 displays the Net Monitor page.
Figure 102 Net Monitor

When you add a new device to monitor, you will be able to select a category, priority level, how often the device is tested, and the type of test that is used. The Net Monitor currently supports four types of tests: Ping, TCP Probe, HTTP, and HTTPS.

The Status Display shows the status of all devices within the category. If all devices are reachable, all three displays will be green.

To change the priority for a device, drag and drop its icon to a new Priority Category. To move a device between categories, drag its icon to the tab of the new category and drop it in the appropriate Priority Category.
Configuring Net Monitor Preferences

To configure Net Monitor preferences:
1. Start and log into SonicWALL GMS.
2. Click the Monitor tab.
3. Expand the Tools tree and click Monitor Tool.
4. Click Show Net Monitor Window.
5. Select Preferences from the Tools menu (Figure 103).
Figure 103 Net Monitor Preferences Dialog Box
6. To view each category on its own page, select Each from the View Type list box. To view all categories on one page, select All.
7. To configure the Net Monitor to automatically refresh the status of monitored devices, select the Enable auto refresh while loading check box and specify the refresh interval.
8. Select which devices will be displayed in the Show devices by status area. To view all devices, select the Select All check box.
9. To view the default table color, select Default. To pick a custom color, select Custom and choose a color from the color selector.
10. When you are finished, click Apply. To cancel and start over, click Cancel.
Configuring Alert Settings

To configure Net Monitor alert settings, follow these steps:
1. From the Monitor Tool window, select Alert Settings from the Tools menu (Figure 104).
Figure 104 Net Monitor Alert Settings
2. To notify the SonicWALL GMS administrator(s) by e-mail when the status of a device changes, select the Notify by E-mail check box.
3. To generate an SNMP trap when the status of a device changes, select the Notify by SNMP Trap check box.
4. Select whether the settings are applied to all devices or the selected devices.
5. When you are finished, click Apply. To cancel and start over, click Cancel.
Device Characteristics

This section provides device characteristics for SonicWALL Secure Wireless Solution enablers, and device characteristics for the SonicWALL PRO Series security appliance platforms and SonicWALL TZ Series Wireless platforms. The following subsections provide device characteristic information in tables:
   SonicWALL Secure Wireless Solution Enablers Device Characteristics
   SonicWALL PRO Series Device Characteristics
   SonicWALL TZ Series Wireless Device Characteristics

SonicWALL Secure Wireless Solution Enablers Device Characteristics

This section provides device characteristics for SonicWALL Secure Wireless Solution enablers.

Table 11 SonicWALL Secure Wireless Solution Enablers Device Characteristics

SonicPoint
Platform Hardware
  Dimensions: 9.07(L) x 6.63(W) x 1.63(H) in; 23.03(L) x 16.84(W) x 4.14(H) cm
  Weight: 1.2 lbs (0.55 kg)
  Power: 12 V
  Antenna: 2 dual band 5dBi omni-directional diversity antennas
  Status Indicators: 6 LEDs: power, 802.11b/g, 802.11a, LAN (10/100/link)
  Wired Network Ports: 1 10/100 auto-sensing RJ-45 port for Ethernet and Power over Ethernet (PoE); 1 serial console port
  Mechanical: Wall or ceiling mount kit
  Regulatory: FCC/ICES Class B, CE, C-Tick, VCCI Class B, BSMI Class B, MIC, NOM, CCC
  Compliance: IEEE 802.11a/b/g, 802.11d, 802.3af, WPA, TKIP, AES
  Safety: UL, cUL, TUV-GS, CB
Radio Specifications
  Frequency Band: 802.11a: GHz, GHz, GHz; GHz, GHz (Taiwan); GHz no Turbo (Korea). 802.11b/g: GHz (US, Canada, Taiwan); GHz (Japan); GHz (Europe ETSI); GHz (Spain); GHz (France)
  Operating Channel: 802.11a: US & Canada: 12 channels (FCC), Europe: 11, Japan: 4, Singapore: 4, Taiwan: . 802.11b/g: US & Canada: 1-11 channels (FCC), Europe: 1-13 (ETSI), Japan: 14, Spain: 2, France: 4
  DFS: Dynamic frequency selection supported
  Transmit Output: Power based on the regulatory domain specified by the system administrator
  TPC: Transmit power control supported
  Data Rates Supported: 802.11a: 6, 9, 12, 18, 24, 36, 48, 54, 108* Mbps per channel; 802.11b: 1, 2, 5.5, 11 Mbps per channel; 802.11g: 6, 9, 12, 18, 24, 36, 48, 54, 108* Mbps per channel
Security
  Data Encryption: WPA, 64/128/152-bit WEP, TKIP, AES, 802.11i ready
Environment
  Temperature Range: 32 to 104 F, 0 to 40 C

SonicWALL PoE Injector
Platform Hardware
  Dimensions: 1.75(L) x 4.17(W) x 5.50(H) in; 4.4 x 10.6 x 14.0 cm
  Weight: 1.0 lbs (450 g)
  Power Over LAN Output: 3.3 V to 5 V
  Connectors: Shielded RJ-45, EIA 568A and 568B
  Number of Ports: 2: (1) data in, (1) data and power out
  Status Indicators: System indicator, AC power (green); User indicator, channel power active (green)
  Data Rates: 10/100 Mbps
  Power Over LAN Output Pin Assignment/Polarity: 4/5 (+), 7/8 (-)
  Output Power Voltage: -48 VDC
  User Port Power: 15.4 W minimum
  Input Power Requirements: AC Input Voltage 90 to 264 VAC
  Regulatory: CE
  Electromagnetic Emission and Immunity: FCC Part 15, Class B, EN55022 Class B (emissions)
  Safety: UL 1950, CSA C22.2 No. 950
Radio Specifications: Not applicable
Security: Not applicable
Environment
  Temperature Range: 32 to 104 F, 0 to 40 C
  Thermal Rating: BTU (-48 VDC)

SonicWALL Long Range Dual Band Wireless Card
Platform Hardware
  Dimensions: 4.65(L) x 2.13(W) x .30(H) in; 118.0(L) x 54.1(W) x 7.6(H) mm
  Weight: 1.4 oz (40 g)
  Power: 3.3 V
  Antenna: Integrated, with built-in diversity
  Status Indicators: RF link activity
  System Interface: 32-bit CardBus PC card standard, V7.1 Type II
  Client Software Drivers: Windows 98SE/ME/2000/XP
  Regulatory: FCC Part 15/UL, ETSI 300/328/CE
Radio Specifications
  Frequency Band: 802.11a: GHz, GHz, GHz. 802.11b/g: GHz (US), GHz (Japan), GHz (Europe ETSI), GHz (Spain), GHz (France)
  Transmit Output: 802.11a: Up to 18 dBm; 802.11g: Up to 20 dBm; 802.11b: Up to 20 dBm
  Modulation Technology: 802.11a/g: Orthogonal Frequency Division Multiplexing (OFDM) BPSK, QPSK, 16-QAM, 64-QAM; 802.11b: Direct Sequence Spread Spectrum (DSSS) CCK, BPSK, QPSK
  Data Rates Supported: 802.11a: 6, 9, 12, 18, 24, 36, 48, 54, 72, 96 & 108 Mbps per channel; 802.11b: 1, 2, 5.5, 11 Mbps per channel; 802.11g: 6, 9, 12, 18, 24, 36, 48, 54, 72, 96 & 108 Mbps per channel
Security
  Data Encryption: WPA, 64/128/152-bit WEP, TKIP, AES, 802.11i ready
Environment
  Temperature Range: 32 to 104 F, 0 to 40 C
SonicWALL PRO Series Device Characteristics

This section provides device characteristics for the SonicWALL PRO Series security appliances.

Table 12 SonicWALL PRO Series Device Characteristics

SonicWALL PRO 5060
Platform Hardware
  Processor: Intel Xeon main processor with Cavium Nitrox cryptographic processor
  Interfaces: SonicWALL PRO 5060c: (6) 10/100/1000 auto-sensing Ethernet Copper Ports; SonicWALL PRO 5060f: (2) SX/SC multimode Fiber and (4) 10/100/1000 auto-sensing Ethernet Copper Ports
  Console: (1) Serial Port
  Dimensions: 1U rack-mountable x x 1.75 inches (43.18 x x 4.45 cm)
  Weight: lbs (7.05 kg)
  Power: 100V to 240 VAC
  Max Power Consumption: 120 W
  Total Heat Dissipation: 409 BTU
Security
  Deep Packet Inspection hardware and firmware architecture
  Unlimited number of users
  Concurrent connections: 750,000
  Stateful throughput: 1+ Gbps (bi-directional)
VPN
  IPSec VPN, compatible with other IPSec-compliant VPN gateways
  Bundled with 2,000 VPN client sessions for remote users (6,000 max)
  Supports up to 4,000 site-to-site VPN policies
  3DES and AES Performance: 500 Mbps
Value Added Services
  SonicWALL Hardware Failover
  The SonicWALL PRO 5060 ships standard with the following SonicWALL security services: One year of Gateway Anti-Virus***/Intrusion Prevention Service; 30 days of Network Anti-Virus (50 user license); 30 days of Content Filtering Service Premium Edition; ViewPoint reporting software.
Warranty
  One-year warranty for repair or replacement of any defective product due to manufacturer's defects; 90 days support and software updates; Access to SonicWALL electronic support tools
Regulatory Compliance: FCC Class A, ICES Class A, CE, C-Tick, VCCI Class A, BSMI Class A, MIC, NOM, UL, cUL, TUV/GS
MTBF: 6.8 years

SonicWALL PRO 4060
Platform Hardware
  Processor: 2GHz Intel with dedicated cryptographic accelerator
  RAM: 256 MB
  Flash Memory: 64 MB
  Interfaces: (6) 10/100Base-T Ports (1 LAN, 1 WAN, 4 Configurable)
  Console: (1) Serial Port
  Dimensions: 1U rack-mountable x x 1.75 inches (43.18 x x 4.45 cm)
  Weight: lbs (5.90 kg)
  Power: 100V to 240 VAC
  Max Power Consumption: 143 W
  Total Heat Dissipation: 530 BTU
Security
  Deep Packet Inspection hardware and firmware architecture
  Unlimited number of users
  Concurrent connections: 500,000
  Stateful throughput: up to 300+ Mbps (bi-directional)
VPN
  IPSec VPN, compatible with other IPSec-compliant VPN gateways
  Bundled with 1,000 VPN client sessions for remote users
  Supports up to 3,000 site-to-site VPN policies
  3DES and AES Performance: 190 Mbps
Value Added Services
  SonicWALL Hardware Failover
  The SonicWALL PRO 4060 ships standard with the following SonicWALL security services: One year of Gateway Anti-Virus***/Intrusion Prevention Service for SonicWALL PRO 4060 appliances registered between 10/1/04 and 12/31/04; 30 days of Network Anti-Virus (25 user license); 30 days of Content Filtering Service Premium Edition; ViewPoint reporting software.
Warranty
  One-year warranty for repair or replacement of any defective product due to manufacturer's defects; 90 days 8X5 support and software updates; Access to SonicWALL electronic support tools
Regulatory Compliance: FCC Class A, ICES Class A, CE, C-Tick, VCCI, BSMI, MIC, NOM, UL, cUL, TUV/GS
MTBF: 6.8 years

SonicWALL PRO 3060
Platform Hardware
  Processor: 2GHz Intel with dedicated cryptographic accelerator
  RAM: 256 MB
  Flash Memory: 64 MB
  Interfaces: (6) (3/6*) 10/100Base-T Ports (1 LAN, 1 WAN, 4 Configurable)
  Console: (1) Serial Port
  Dimensions: 1U rack-mountable x x 1.75 inches (43.18 x x 4.45 cm)
  Weight: lbs (5.90 kg)
  Power: 100V - 240V AC
  Max Power Consumption: 143 W
  Total Heat Dissipation: 530 BTU
Security
  Stateful Packet Inspection firewall
  Unlimited number of users
  Concurrent connections: 128,000
  Stateful throughput: 300+ Mbps (bi-directional)
VPN
  IPSec VPN, compatible with other IPSec-compliant VPN gateways
  Bundled with 25 VPN client sessions for remote users
  Site-to-Site VPN Policies: 500/1,000
  3DES and AES Performance: 75 Mbps
Value Added Services
  SonicWALL Hardware Failover
  The SonicWALL PRO 3060 ships standard with the following SonicWALL security services: 30 days of Gateway Anti-Virus***/Intrusion Prevention Service; 30 days of Network Anti-Virus (25 user license); 30 days of ViewPoint and 30 days of Content Filtering Service Premium Edition.
Warranty
  One-year warranty for repair or replacement of any defective product due to manufacturer's defects; 90 days support and firmware updates; Access to SonicWALL electronic support tools
Regulatory Compliance: FCC Class A, ICES Class A, CE, C-Tick, VCCI, BSMI, MIC, NOM, UL, cUL, TUV/GS
MTBF: 9.3 years

SonicWALL PRO 2040
Platform Hardware
  Processor: 800 MHz x86
  RAM: 128 MB
  Flash Memory: 64 MB
  Interfaces: (4) 10/100Base-T Ports (1 LAN, 1 WAN, 1 DMZ, 1 Inactive with SonicOS Standard / 1 WAN, 1 LAN, 2 Configurable with SonicOS Enhanced)
  Console: (1) Serial Port
  Dimensions: 1U rack-mountable x x 1.75 inches (43.18 x x 4.45 cm)
  Weight: 8.50 lbs (3.86 kg)
  Power: 100V - 240V AC
  Max Power Consumption: 65 W
  Total Heat Dissipation: 241 BTU
Security
  Stateful Packet Inspection firewall
  Unlimited number of users
  Concurrent connections: 32,000
  Stateful throughput: 200 Mbps (bi-directional)
VPN
  IPSec VPN, compatible with other IPSec-compliant VPN gateways
  Bundled with 10 VPN client sessions for remote users (100 max)
  Site-to-Site VPN Tunnels: 50
  3DES and AES Performance: 50 Mbps
Value Added Services
  SonicWALL Hardware Failover
  The SonicWALL PRO 2040 ships standard with the following SonicWALL security services: 30 days of Gateway Anti-Virus***/Intrusion Prevention Service; 30 days of Network Anti-Virus (10 user license); 30 days of ViewPoint and 30 days of Content Filtering Service Premium Edition.
Warranty
  One-year warranty for repair or replacement of any defective product due to manufacturer's defects; 90 days support and firmware updates; Access to SonicWALL electronic support tools
Regulatory Compliance: FCC Class A, ICES Class A, CE, C-Tick, VCCI Class A, BSMI Class A, MIC, NOM, UL, cUL, TUV/GS, CB
MTBF: 11.2 years

Common to all four SonicWALL PRO Series models
  Network: NAT, DHCP, PPPoE, PPTP
  Standards: TCP/IP, UDP, ICMP, HTTP, HTTPS, RADIUS, IPSec, ISAKMP/IKE, SNMP, L2TP, DHCP, PPPoE, PPTP
  Certifications: ICSA Firewall 4.0; ICSA IPSec 1.0D; FIPS; Pending: Common Criteria and EAL-2
  Environment: Temperature: F, 5-40 C; Humidity: 10-90% non-condensing
SonicWALL TZ Series Wireless Device Characteristics

This section provides device characteristics for the SonicWALL TZ 170 SP Wireless and the SonicWALL TZ 170 Wireless.

Table 13 SonicWALL TZ Series Wireless Device Characteristics

SonicWALL TZ 170 SP Wireless
Platform Hardware
  Processor: SonicWALL Security Processor
  RAM: 64 MB
  Flash Memory: 8 MB
  Interfaces: (7) 10/100 Ethernet (1 WAN, 1 Optional, 1 5-Port LAN Switch); (1) v.92 Analog Modem
  Access Point: 802.11b/g WLAN
  Antennas: Dual, External 5 dBi Diversity Dipole Antennas
  Console: (1) Serial Port
  Dimensions: 9.07 x 6.63 x 1.63 inches (23.04 x x 4.14 cm)
  Weight: 1.40 lbs (.64 kg)
  Power: 100V to 240V AC
  Max Power Consumption: 10.6 W
  Total Heat Dissipation: 36.1 BTU
Security
  Deep Packet Inspection hardware and firmware architecture
  Ships in 10 node configuration; upgradeable to 25 and Unrestricted nodes
  Concurrent connections: 6,000
  Stateful Throughput: 90 Mbps (bi-directional)
VPN
  IPSec VPN, compatible with other IPSec-compliant VPN gateways
  Supports two site-to-site VPN policies
  3DES and AES Performance: 30+ Mbps
Value Added Services
  The SonicWALL TZ 170 SP Wireless ships standard with the following SonicWALL security services: 30 days of Gateway Anti-Virus/Intrusion Prevention Service, Content Filtering Service Premium Edition, Network Anti-Virus (10 user license) and ViewPoint.
Standards: TCP/IP, UDP, ICMP, HTTP, HTTPS, RADIUS, IPSec, ISAKMP/IKE, SNMP, L2TP, DHCP, PPPoE, PPTP
MTBF: 7.5 years

SonicWALL TZ 170 Wireless
Platform Hardware
  Processor: SonicWALL Security Processor
  RAM: 64 MB
  Flash Memory: 8 MB
  Interfaces: (7) 10/100 Ethernet (1 WAN, 1 Optional, 1 5-Port LAN Switch)
  Access Point: 802.11b/g WLAN
  Antennas: Dual, External 5 dBi Diversity Dipole Antennas
  Console: (1) Serial Port
  Dimensions: 9.07 x 6.63 x 1.63 inches (23.03 x x 4.14 cm)
  Weight: 1.40 lbs (.64 kg)
  Power: 100V to 240V AC
  Max Power Consumption: 9.4 W
  Total Heat Dissipation: 32.1 BTU
Security
  Deep Packet Inspection hardware and firmware architecture
  10/25/Unrestricted Node Configurations
  Concurrent connections: 6,000
  Stateful Throughput: 90 Mbps (bi-directional)
VPN
  IPSec VPN, compatible with other IPSec-compliant VPN gateways
  Bundled VPN Client Sessions: Optional Upgrade with 10 node SonicWALL TZ 170 Wireless (Maximum Sessions: 5); 1 with 25 node SonicWALL TZ 170 Wireless (Maximum Sessions: 50); 1 with Unrestricted node SonicWALL TZ 170 (Maximum Sessions: 50)
  Site-to-Site VPN Policies: 2 with 10 node SonicWALL TZ 170 Wireless; 10 with 25 node SonicWALL TZ 170 Wireless; 10 with Unrestricted node SonicWALL TZ 170 Wireless
  3DES and AES Performance: 30+ Mbps
Value Added Services
  The SonicWALL TZ 170 Wireless ships standard with the following SonicWALL security services: 30 days of Gateway Anti-Virus/Intrusion Prevention Service, Content Filtering Service Premium Edition, Network Anti-Virus (10 user license) and ViewPoint.
Standards: TCP/IP, UDP, ICMP, HTTP, RADIUS, IPSec, ISAKMP/IKE, SNMP, L2TP, DHCP, PPPoE, PPTP
MTBF: 7.9 years

Common to both SonicWALL TZ 170 Wireless models
  Network: NAT, DHCP, PPPoE, PPTP
  Warranty: One-year warranty for repair or replacement of any defective product due to manufacturer's defects; 90 days support and firmware updates; Access to SonicWALL electronic support tools
  Regulatory Compliance: FCC Class B, ICES Class B, CE, C-Tick, VCCI, BSMI, MIC, UL, cUL, TUV/GS, CB, NOM
  Certifications: ICSA Firewall 4.0; ICSA IPSec 1.0D; FIPS; Pending: Common Criteria and EAL-2
  Environment: Temperature: F, 5-40 C; Humidity: 10-90% non-condensing
Glossary

3DES: A more secure variant of the Data Encryption Standard (DES). Triple DES (3DES) applies DES three times with three independent 56-bit keys, for a nominal key length of 168 bits (its effective strength is about 112 bits because of the meet-in-the-middle attack).

802.11: A family of IEEE standards for wireless networking (WLANs). 802.11b supports transmissions up to 11 Mbps; 802.11g supports transmissions up to 54 Mbps. Both 802.11b and 802.11g operate in the 2.4 GHz range.

access point: A device that primarily performs the wireless-to-wired bridging function by converting frames from one network type (802.11) to another (Ethernet).

Advanced Encryption Standard (AES): The U.S. government encryption standard adopted in 2001 as the replacement for the aging Data Encryption Standard (DES).

Authentication Back End (ABE): Consists of a Web server that hosts the content for user interaction and an authentication server that provides directory services for authenticating wireless hotspot users and managing their network access.

Deep Packet Inspection (DPI): An advanced form of network packet filtering that examines the data part (payload) of passing packets, not only the headers, searching for malicious code embedded in the data.

Dynamic Host Configuration Protocol (DHCP): A protocol that automatically allocates IP addresses (and related settings such as the default gateway and DNS servers) to computers on the network, so that each computer need not be assigned a static (fixed) IP address. Commonly deployed in conjunction with NAT to share a single public IP address across a network by assigning private IP addresses to network clients.

Extensible Authentication Protocol (EAP): An extension of the Point-to-Point Protocol (PPP) that provides support for multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. In wireless communications using EAP, a user requests connection to a WLAN through an access point, which requests the identity of the user and relays the EAP exchange to an authentication server, such as a RADIUS server. The access point only forwards the EAP messages; on success it receives the session key material from the server, not the user's credentials. EAP enables flexible exchange of authentication protocols. Common EAP types used by WPA include EAP-PEAP, EAP-TLS, and EAP-TTLS.

EAP-PEAP (Protected Extensible Authentication Protocol): An authentication method for WLAN clients that uses only a server-side digital certificate. The client first creates an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) tunnel to the authentication server; the tunnel then protects the subsequent user authentication exchange (typically a username and password). The client must validate the server certificate: a client configured not to check it will hand its credentials to any rogue access point that presents a certificate.

EAP-TLS (Transport Layer Security): An IETF protocol that provides privacy and data integrity between client and server communications with data encryption, encapsulation and mutual certificate-based authentication between the server and the WLAN client. Every client therefore needs its own certificate.

EAP-TTLS (Tunneled Transport Layer Security): A protocol that establishes a TLS tunnel to the server (which holds a certificate) and transfers the client's credentials inside that tunnel, without requiring a certificate on the client.

Faraday cage: An enclosure with no apertures (holes, slits, windows or doors) made of a perfectly conducting material. No electric fields are produced within the Faraday cage by the incidence of external fields upon it or by currents flowing on the perfect conductor; that is, the perfectly conducting enclosure is a perfect electromagnetic shield. If no electrical energy sources are within the Faraday cage, there will be no electric fields within, since none can penetrate the conducting enclosure.

hardware failover: The capability of a mission-critical device, such as a SonicWALL security gateway, to automatically fail over to a backup device in the event of a hardware failure on the primary unit.

hotspot: A wireless LAN that provides Internet access for wireless clients from a given location.

Hypertext Transfer Protocol (HTTP): A set of rules for transferring files (text, graphics, images, sound, video, and other multimedia files) on the World Wide Web. HTTP is an application protocol that runs on top of the TCP/IP suite of protocols.

Hypertext Transfer Protocol over Secure Socket Layer (HTTPS): HTTP carried over an SSL/TLS connection. The server authenticates itself with a certificate and the session is encrypted, so pages and credentials cannot be read or altered in transit.

Internet Key Exchange (IKE): The key-management protocol for IPSec. IKE authenticates the two peers (with pre-shared keys or certificates), performs a Diffie-Hellman exchange, and negotiates the security associations and session keys that IPSec then uses. IKE is defined within the ISAKMP framework.

intrusions: Malicious network attacks that exploit network vulnerabilities, such as weaknesses in operating systems or applications.

IPSec: Internet Protocol Security (IPSec), developed by a working group of the Internet Engineering Task Force (IETF), is a framework of protocols for security at the network (packet processing) layer of network communication. IPSec is based on current cryptographic technologies and provides strong authentication and privacy; it is especially useful for implementing virtual private networks.

Internet Security Association and Key Management Protocol (ISAKMP): A definition of the framework for any number of key-exchange protocols, including Internet Key Exchange (IKE).

Lightweight Hotspot Messaging (LHM): A definition of the method and syntax for communications between a wireless access device (such as a SonicWALL TZ 170 Wireless or SonicPoint) with a SonicWALL PRO Series security appliance (such as a SonicWALL PRO 5060) and an Authentication Back-End (ABE), for the purpose of authenticating hotspot users and providing them with managed network access.

Network Address Translation (NAT): The translation of an IP address used within one network to a different IP address known within another network. Typically, a company maps its local private IP addresses to one or more public IP addresses. NAT is primarily used to conserve the number of public IP addresses a company needs; it also hides internal addressing and drops unsolicited inbound connections by default, but it is not an access-control mechanism and does not replace firewall rules. NAT is included as part of a router or firewall.

network access rule: A defined rule created to block or allow specified traffic to pass through a firewall.

network address object: A defined entity based on one of four object classes: address, user, service, and schedule. Address objects allow the administrator to create a single reusable object for multiple references throughout the SonicOS Enhanced management interface, such as in network access rules or NAT policies.

network gateway: A computer server or security device that acts as an entrance to another network. It typically controls the traffic flows and security protections at the intersection of networks.

Point-to-Point Protocol over Ethernet (PPPoE): A combination of the Point-to-Point Protocol (PPP), commonly used in dial-up connections, with the Ethernet protocol, which supports multiple users in a local area network. PPPoE is commonly used for DSL connections.

Point-to-Point Tunneling Protocol (PPTP): A Microsoft encapsulation protocol for virtual private networking based on the Internet standard Point-to-Point Protocol (PPP). Its MS-CHAP authentication and MPPE encryption have known weaknesses; IPSec or SSL VPNs should be preferred where possible.

Remote Authentication Dial-In User Service (RADIUS): A client/server protocol that enables remote access servers to communicate with a central server to authenticate users and authorize their access to the requested system or service. Client and server share a secret that authenticates responses and hides passwords in transit; in WPA-EAP deployments the access point or security appliance is the RADIUS client, and the EAP exchange is carried inside RADIUS packets.

Service Set Identifier (SSID): A string of characters that identifies a wireless network. Suppressing the SSID in beacons does not protect the network: clients reveal it in their probe requests, and it is never a substitute for encryption and authentication.

Virtual Private Network (VPN): A method for providing secure access across the public Internet. A VPN maintains privacy through data encryption and authentication, creating a tunnel between two points.

Wired Equivalent Privacy (WEP): An earlier security standard for encrypting individual data frames on IEEE 802.11 wireless LANs, using the RC4 cipher with a static shared key. WEP was intended to provide minimal privacy; its key scheduling is cryptographically broken and keys can be recovered from captured traffic, so it should not be relied on. Wi-Fi Protected Access (WPA), released by the Wi-Fi Alliance in 2003, supersedes WEP with enhanced security protection.

WiFiSec: A SonicWALL technology that uses IPSec as the basis for WLAN security and beyond. Incorporated in SonicWALL's Global VPN Clients running on wireless clients and in SonicWALL wireless gateways, WiFiSec provides the same cryptographic technologies used by IPSec for wireless networks.

wireless bridge: An access point that allows communication between network segments.

wireless client: Any client device on a wireless network.

Wireless Guest Service (WGS): A configurable user service that provides guest user accounts with Internet access.

WLAN: A wireless local area network in which a user can connect to a LAN through a wireless (radio) connection. The 802.11 standard specifies the technologies for wireless LANs.

Wi-Fi Protected Access (WPA): A newer security standard for wireless networks designed to replace WEP. WPA provides more sophisticated data encryption than WEP and also provides enhanced user authentication. WPA's encryption method is TKIP (Temporal Key Integrity Protocol), which derives a fresh RC4 key for every packet. WPA is a subset of the IEEE 802.11i security standard (ratified in 2004; its full implementation, with AES-CCMP encryption, is marketed as WPA2).
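The RADIUS exchange that the EAP and RADIUS entries describe, as an added example that is not part of this guide or of SonicWALL's software: an access point (the RADIUS client) builds an RFC 2865 Access-Request, the authentication server answers, and the client checks the Response Authenticator before trusting the verdict. The user names, password and shared secret are constructed sample values, and the example carries a PAP-style User-Password attribute for brevity; WPA-EAP deployments carry EAP-Message attributes instead, but the packet header, the shared-secret handling and the Response Authenticator check are the same.

```python
"""Minimal RADIUS (RFC 2865) client/server exchange, standard library only.

Shows what the shared secret between an access point (RADIUS client) and the
authentication server actually protects: the User-Password attribute is
XOR-masked with MD5(secret || Request Authenticator), and every reply carries
a Response Authenticator that a client with the wrong secret cannot forge.
All names, passwords and secrets below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: inverse of hide_password (trailing NUL padding is stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length covers the 2-byte TLV header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """Access-Request: Code(1) Identifier(1) Length(2) RequestAuth(16) Attributes."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IDENTIFIER, b"ap-lobby-1"),  # constructed NAS name
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_respond(packet, secret, user_db):
    """Authentication server: unmask the password, look it up, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME)
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if user in user_db and user_db[user] == password else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+ResponseAttrs+Secret)
    resp_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + resp_auth


def client_verify(response, request_packet, secret):
    """Access point side: accept the verdict only if the Response Authenticator
    matches, i.e. the reply came from a server holding the same shared secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_packet[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return header[0]


def demo(secret=b"constructed-shared-secret"):
    """Run one good and one bad login; returns the two verdict codes (2 = Accept, 3 = Reject)."""
    users = {b"alice": b"correct horse battery"}  # constructed user database
    good_req = build_access_request(7, b"alice", b"correct horse battery", secret)
    bad_req = build_access_request(8, b"alice", b"wrong password", secret)
    return (client_verify(server_respond(good_req, secret, users), good_req, secret),
            client_verify(server_respond(bad_req, secret, users), bad_req, secret))


if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete: the password masking is only as strong as MD5 over a shared secret, which is why the RADIUS path between the appliance and the server belongs on a trusted segment or inside an IPSec tunnel rather than on the guest WLAN, and the client's check of the Response Authenticator is what stops a spoofed Access-Accept from an attacker who can reach the access point's RADIUS port.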
Related Documents

This section contains related documentation specific to SonicWALL Secure Wireless Solutions.

Product Datasheets

This section contains URLs to online SonicWALL product datasheets.

SonicWALL Secure Wireless Solution
SonicWALL PRO
SonicWALL PRO 3060/
SonicWALL PRO
SonicWALL PRO
SonicWALL TZ
SonicWALL TZ
SonicWALL Global VPN Client
SonicWALL Global Security Client
SonicWALL Gateway Anti-Virus/Anti-Spyware/Intrusion Prevention Service
SonicWALL Complete Anti-Virus
SonicWALL Content Filtering Service
SonicWALL Content Security Manager 2100 CF
SonicWALL Global Management System
SonicWALL ViewPoint

User Guides

This section contains URLs to online documentation for SonicWALL user's guides.

SonicOS Enhanced 3.1 Administrator's Guide
SonicOS Standard 3.1 Administrator's Guide
SonicPoint and SonicPoint G Getting Started Guide
SonicPoint and SonicPoint G Administrator's Guide
SonicWALL PoE Injector User's Guide
SonicWALL Long Range Dual Band Wireless Card User's Guide
Global VPN Client Administrator's Guide
Global VPN Client Quick Start Guide
Pocket Global VPN Client User's Guide

TechNotes

This section contains URLs to online documentation for SonicWALL TechNote application notes.

Lightweight Hotspot Messaging
Configuring Steel-Belted RADIUS for Wi-Fi Protected Access Authentication
Secure Wireless Bridging: Bridging a SonicWALL TZ 170 Wireless to a SonicPoint
SonicPoint and SonicOS Enhanced
Contributors

Prasad Bevra works as Director of Software Engineering for SonicWALL, in Sunnyvale, California. He is responsible for directing SonicWALL's development of products in the areas of centralized remote management, reporting and monitoring, which includes SonicWALL GMS (an award-winning product) and ViewPoint. Prior to SonicWALL, Prasad worked with Xerox and ScanSoft Corporations, and he holds a patent in the area of user interfaces. He has a B.S. degree in Computer Science from the Indian Institute of Technology, Bombay, and a master's degree in Computer Science from the University of Iowa.

Kevin Cheek has over 13 years of network security and database technical documentation experience in Silicon Valley. Kevin has provided documentation solutions for Microsoft (documenting Macintosh Web software), Oracle (documenting Oracle's secure database server), and RSA Security (documenting the Public Key Infrastructure (PKI) Java Developers Kit). He has also worked at General Magic, where he led formal usability studies for both software design and documentation. Kevin earned a B.A. degree in Technical Writing from the University of New Mexico, and he has completed courses and certifications in Software Engineering, Networking, and Technical Writing at UC Santa Cruz, UC Berkeley, and San Jose State.

Zhong Chen is manager of the wireless development team at SonicWALL. His team is responsible for development of SonicWALL's wireless product line, including the TZW, TZ 170W, TZ 150W and SonicPoint. Zhong is the main contributor to the product line and is the co-author of three pending patents on wireless. Zhong has more than 10 years of software development experience and holds an M.S. in Electrical Engineering from San Jose State University and an M.S. in Physics from Fudan University, Shanghai, China.

Poul Frederiksen has over 10 years of Information Technology experience in Silicon Valley and at Fortune 50 companies such as DuPont, GE, and Sunoco. He has extensive international experience in the United Kingdom, France and Germany. Frederiksen has led multi-site project management and systems engineering teams, has headed Exchange conversion projects at an international construction company, and is noted for being technical lead for an Enterprise Resource Planning (ERP) project. Frederiksen's technical background in electrical engineering was earned at Drexel University, with a 99+% score on the Armed Services Vocational Aptitude Battery (ASVAB).

Mary Hwang, SonicWALL Product Manager of Secure Wireless Solutions, has over 5 years of network security experience. Mary has been with SonicWALL since 2000 and is currently responsible for setting the direction and strategy for SonicWALL secure wireless solutions. Mary works closely with SonicWALL engineering, partners, and customers to define features running across SonicWALL security appliances, as well as best practices for deploying secure wireless solutions. Mary holds a B.S. degree from the University of Texas at Austin.

Joe Levy, SonicWALL Senior Director of Engineering Product Architecture and Publications, has worked in the networking and network security industry for 10 years. Years of designing and implementing solutions for SMB to Fortune 100 companies, using products and technologies from myriad vendors, led to Joe's drive and determination to enhance the capability, flexibility, and usability of network and security products. Joe has a number of patents pending for innovations in the areas of wireless networking and firewall technologies. Joe holds a B.A. degree in English Literature and Writing from Queens College, New York.

Dave Parry has over 12 years of experience in the MIS/IT field and has performed network architecture design and deployment for more than 100 companies worldwide. Prior to SonicWALL, Dave served as the senior systems engineer at Ignyte, a leading ASP/MSSP security integrator, focusing on network security audits and distributed Firewall/VPN deployments. Dave has been at SonicWALL since 2001 and works in the firmware architecture group.

Vanessa Roman started her apprenticeship in technical writing at SonicWALL documenting Secure Wireless network solutions. Vanessa is attending Foothill Community College. Vanessa is an aspiring writer, network diagram and graphics designer, and an accomplished Webmaster.

Crystal Sorensen, SonicWALL Creative Manager and Webmaster, has over 5 years of Web authoring and graphic design experience. Crystal is responsible for the content management and ongoing enhancement of SonicWALL's corporate on-line presence, as well as the creative direction of numerous Marketing Communications collateral and graphics projects. Crystal joined SonicWALL in 2001 and works in the Corporate Communications group.

Dave Telehowski is a Manager of Software Engineering at SonicWALL. Dave has worked in the networking and network security industry for the past seven years. He is a key developer of SonicWALL's entire wireless product line and is also responsible for the entire user interface design. Currently Dave is leading the software development of SonicWALL's SSL-VPN product line. Dave holds M.S.E. and B.S.E. degrees in Computer Science and Engineering from the University of Michigan.

Khai Tran has over 8 years of networking technical documentation experience. Author of The Cisco IOS Release Model and The Cisco IOS NetFlow Services Solutions Guide, Khai has authored enterprise and service provider best-practice network integrated solution guides for SonicWALL, Cisco Systems, Boeing Aerospace, AOL Time Warner, and Electronic Arts. Khai works closely with SonicWALL engineering, product management, corporate communications, and technical support and customer advocacy organizations to author technical solution guides. Khai has also worked as a Vietnamese bilingual public elementary school teacher in Northern California school districts. Khai holds a B.A. degree in English Pre- and Early Modern Literature from the University of California, Santa Cruz, a California Bilingual Cross-Cultural Language Arts Degree (BCLAD) Teaching Credential from San Jose State University, and an Advanced Project Management (APM) Organizational Mastery certificate from Stanford University.
Solution Document Version History

Version  Date        Notes
1        8/31/2004   This document was created.
2        11/14/2004  Added SonicOS Enhanced 3.0 features.
3        12/6/2004   Updated Glossary and Related Documents.
4        12/16/2004  Added WGS and WIDS.
5        1/6/2005    Added Wireless LAN Overview.
6        1/9/2005    Added GMS 2.9 features.
7        1/31/2005   Updated to Secure Wireless architecture.
8        3/8/2005    Added IAS server support for WPA with PEAP.
9        6/7/05      Added Anti-Spyware Security Service support.
10       /4/05       Added SonicPoint G support.
11       /31/05      Added PRO 4100 and SSL-VPN support.
200 Index Numerics 3DES 51, , 182, , 5, 13, 15, 166, a 13, 15, 54, 94, antenna diversity 28, 32 beacon interval 32 data rates 31, 34 DTIM interval 32 fragmentation threshold 32 IDS scans 31 32, 35 maximum client associations 32 radio mode 28, 30 radio settings 28, 30 RTS threshold 32 SSID 28, 30, 32, 35 transmission power b 13, 15, , d g 2, 13, 15, 94, , 181 antenna diversity 28, 34 beacon interval 34 DTIM interval 34 fragmentation threshold 34 IDS scans 34 maximum client associations 35 radio mode 28, 33 radio settings 28, 33 RTS threshold 35 SSID 28, 33, 145 transmission power i af 14, 144, 180 A access point 6, 13, 15, 47, 53, 84, 168, 186 rogues 18, 67 69, 168 access rules 37, 107, 142, 146, 149 Active Directory, see AD ActiveX 21, , 124 AD 40, 45, 107 adding an address object 147 adding individual wireless guest accounts 62 AES , , 184 alerts settings 179 allowing interface trust 37, 40 alphanumeric 31, 33, 48, 165 creating keys manually 48 antenna diversity 28, 32, 34, 166 architecture Secure Wireless 5 6 Authentication Back-End, see ABE authentication keys 164 IPSec management 159 authentication page 39 custom 40 post 40 B beacon interval 32, 34, 166 benefits SonicPoint 13 SonicWALL GMS 155 SonicWALL GVC 15 SonicWALL Long Range Dual Band Wireless Cards 15 SonicWALL PoE Injector 14 SonicWALL PRO SonicWALL PRO SonicWALL PRO SonicWALL PRO , 12 SonicWALL PRO Series 6 SonicWALL TZ Series 117, 143 bypass guest authentication 40, 55, 57 C CFS 3, 25, 40, 54, activating 24 enabling 25 channel 4, 28, 30, 33, 47, 50 51, 69 70, 163, 181 Content Filtering Service, see CFS creating keys manually 48 custom authentication page
201 D DAT 39 40, 57, 110, 169 data rates 2, default WLAN zone settings 40 denying incoming traffic 40 design considerations top ten checklist 3 DHCP 18, 27 28, 57, 71, 84, 110, 183, 185 server 18, 27 28, 110 IP address 40 DTIM interval 32, 34, 166 E enabling a WLAN GroupVPN policy 44 enabling DAT 40 enabling inter-guest communication 40 enabling IPS 40 enabling secure wireless connections 43 enabling WGS 40 encryption algorithm IPSec management 159 encryption key IPSec management 159 enforcing Anti-Virus Service 40 enforcing CFS 40 enforcing guest login over HTTPS 40 F firewall 5 7, 18, 110, , 149, 152, 154, 156, 160, fragmentation threshold 32, 34, 166 FTP 21, 53, 69, 118, , 129 server 53 G Gateway Anti-Virus, see GAV/IPS GAV/IPS 3, 19 20, 37, 54, activating 21 configuring 22 enabling 23 overview 19 Global Management System, see SonicWALL GMS Global Security Client, see SonicWALL GSC Global VPN Client, see SonicWALL GVC GMS GroupVPN 18, 37 38, 44 45, 47, 50, 54, 142 authenticated access for users 45 entering username/password 50 shared secret 45 GSC guest login status window 60 H Hardware Failover 18, 183 Help 18 hexadecimal 31, 33, 48, 159, 165 creating keys manually 48 hotspot 16, 39, 55, 57, 106 HTPPS 141 HTTP 118, , 124, 129, 131, 140 HTTPS 38, 84, 102, 105, 107, 111, , 120, 141, 177 https 122 I IDS 4, 18, 67 69, 168 authorizing access points 70 scheduling scans 31, 34 incoming traffic WLAN zone denying incoming traffic 40 passing incoming traffic 40 Intrusion Detection System, see IDS Intrusion Prevention Service, see GAV/IPS IP Address Deny List 55, 171 authenticated users IPSec 2, 7, 15, 43, , 150, 156, 159, 182, IPSec management 159 authentication keys 159 encryption algorithm 159 encryption key 159 HTTPS management 160 management through existing VPN tunnel 160 sending syslog messages to a distributed GMS reporting server 160 VPN policy
202 L LDAP 40, 45, 107 Lightweight Hotspot Messaging 106, 190 ABE 107 Administrator Logout 115 overview 106 session creation 109 session popup window 111 session state sync 116 session timeout 113 user logout 114 WS Server status check 116 link quality 47 load balancing and redundancy Log 18 Logout 18, 60, M MAC address 47, 51, , filter lists 30, 33, 50 Managed Mode (SonicPoint) Management Mode (GMS) 159 max guests 40 maximum client associations 32, 35, 166 N NAT 57, , 146, , 156, 159, 183, 185 NetExtender 117, 120, , 125, 127, , Network 18 DHCP server 40 Interfaces 40 O object-based management P passing incoming traffic 40 portal 84, , 117, , 126, post authentication page 40 PPTP 28, 183, 185 profiles SonicPoints 50 R radio mode 28, 30, 33, 35 radio settings 28, 30, 33, 36, 50 51, 166 RADIUS 85, 87, 91 RDP , redirecting SMTP traffic 40 remote desktop 118, rogue access points 18, 67 69, 168 ROM 53 RSSID 47 RTS threshold 32, 35, 166 S SafeMode SDP 6, Secure Wireless Architecture 5 6, 13 14, 50 security type 40 setting up anti-spyware protection enabling 24 SFTP 4 shared secret GroupVPN 45 SonicWALL GSC 45 SonicWALL GVC 45 site survey 47 SMTP redirecting SMTP traffic to SMTP server 40 traffic 40 SonicOS Management Interface 17 Setup Wizard 28, 49 SonicPoint benefits 13 SonicPoint G
203 SonicPoints 6 9, 11 13, 18, 26, 29 30, 33, 36, 38, 40, 42 43, 47 53, 55, 67, 91, 94, 102, 106, , , 151, 180 applying power 41 applying power with PoE Injector 41 automatic provisioning 51 connecting to network 42 device characteristics 180 IDS 68 profiles 50 MAC filters 50 provisioning profile 40 registering 42 states 52 disabled 52 firmware update failed 52 initializing 52 non-responsive 52 operational 52 over-limit 52 provision failed 52 provisioning 52 rebooting 52 safemode 52 scanning 52 stand-alone mode 52 unprovisioned 52 updating firmware 52 unprovisioning 51 WPA-EAP support 51 SonicWALL Anti-Spyware 10, 19 22, 24, 120 protects against 21 use with other anti-spyware programs 21 SonicWALL Client Utility configuring SonicPoint SSID 47 SonicWALL device characteristics Long Range Dual Band Wireless Cards 180 PoE Injector 180 PRO Series 182 SonicPoint 180 TZ Series 184 SonicWALL Discovery Protocol 51 advertisement 51 configuring acknowledgement 51 configuring directive 51 discovery 51 keepalive 51 SonicWALL GMS 5, benefits 155 deployment requirements 156 secure communications link 156 supported databases 156 supported drivers 156 supported firmware 156 supported platforms 156 features 155 management 160, 162 Management Mode 159 monitoring 176 network applications 155 overview 154 reporting 160, 174 reporting server IP address 160 port 160 syslog server port 159 SonicWALL GSC 44 45, 47 shared secret 45 SonicWALL GVC 14 15, 44 45, 47, benefits 15 New Connection Wizard 49 shared secret 45 SonicWALL Long Range Dual Band Wireless Cards 14 15, 47, 88, 96, 99, 102, 180, 190 benefits 15 connecting to SonicPoints 47 device characteristics 180 SonicWALL PoE Injector 13 14, 42, 180 benefits 14 device characteristics 180 SonicWALL PRO benefits 7 device characteristics
204 SonicWALL PRO benefits 8 device characteristics 182 SonicWALL PRO benefits 9 device characteristics 182 SonicWALL PRO , 12 benefits 10, 12 device characteristics 182 SonicWALL PRO Series 6, 13, 19 benefits 6 device characteristics 182 SonicWALL Secure Wireless Architecture deployment situations 16 overview 5 SonicWALL security appliances configuring for GMS network managment 157 SonicWALL Security Services CFS 3, 25, 40, 54 activating 24 enabling 25 overview 24 enforcing on zones 37 GAV/IPS 3, 20, 54 activating 21 configuring 22 enabling 23 enforcing 37 overview 19 SonicWALL TZ 170 SP Wireless 143 SonicWALL TZ 170 Wireless 144 SonicWALL TZ Series 13, 19 benefits 117, 143 device characteristics 184 SSID 28, 30, 33, 47 48, 50, 70, 100, , 151, 163, 165 hiding SSID in beacon 31, 34 SSL-VPN SSPP 6, stand-alone mode Steel-Belted Radius 84 85, 87, 91 configuring for WPA with PEAP 85 configuring SonicPoint for EAP-PEAP 94 installing 85 using the graphical Administrator 91 syslog System 18 T TelNet 118, 120, 129 TKIP 95, , top ten checklist 3 transmission power 32, U unprovisioning SonicPoints 51 Users 18 authenticated access 45 Guest Services 60 Global Guest Settings 60 Guest Profiles 61 local groups 46 V verifying WiFiSec is enforced on the WLAN zone 43 VPN 7, 15, 18, 43, 45 46, 49 50, 55, 107, 111, , , , 156, 159, 166, , 182, 184, access adding users 46 local groups 46 tab 47 configuring policy 148 connection with a SonicPoint 50 testing 153 troubleshooting 153 tunnel IPSec management
205 W WAN redundancy WEP 48, 164, 181 creating keys manually alphanumeric 48 hexadecimal 48 disabling for wireless client 47 enabling for wireless client 47 encrypting wireless client communication 48 keys 48 with passphrase 48 WGS 13, 54 56, 60 61, 63 64, 106, 169 benefits 55 bypass guest authentication 57 DAT 57 Guest Accounts 60, 62, 64 66, 169 adding 62 adding multiple accounts 64 auto-pruning 65 Bypass Filters 169 enabling 65 printing details 66 Guest Profiles 60 62, 64 Account Lifetime 58, 61, 63 64, 169 adding 61 Session Lifetime 62 63, 65 Guest Status 66 overview 55 WiFiSec 2, 43 45, 49 50, 59, enforcement 40 site-to-site VPN tunnel traversal 40 trust WPA traffic 40 VPN connection 50 wireless 18 IDS 68 wireless client configuration prerequisites 47 site survey scan 47 available SonicPoints 47 channel 47 link quality 47 Wireless IDS 13, 68 wireless radio operating schedule 164 Wizards 18 SonicOS Setup Wizard 49 SonicWALL GVC New Connection Wizard 49 WLAN 2, 5, 8 9, clients 14 deployment scenarios 16 design considerations 3 GroupVPN 45 automatic downloading of the shared secret 45 enabling 44 policies 44 VPN connection to a SonicPoint 50 overview 2 remote access networks 47 subnets 46 WiFiSec VPN connection 50 zones 36 allowing interface trust 37 bypassing AV check for guests 38 bypassing guest authentication 39 configuring interface 40 custom authentication page 39 default settings 40 denying incoming traffic 39 enabling DAT 39 enabling external guest authentication 39 enabling inter-guest communication 38 enabling WGS 38 enforcing CFS 37 enforcing GAV 37 enforcing guest login over HTTPS 38 enforcing IPS 37 enforcing Network Anti-Virus Service 37 enforcing WiFiSec
206 IP address 40 passing incoming traffic 39 post authentication page 39 redirecting incoming SMTP traffic to an SMTP server 39 SonicPoint provisioning profile 38 specifying a maximum number of guests 39 trust WPA traffic as WiFiSec 38 WiFiSec exception service 38 WiFiSec for site-to-site VPN tunnel traversal 38 WPA 71, 84 85, 91, 93 96, , 103, 150, EAP 36, 38, 51, 94, setting up client 96 using Windows XP Wireless Wizard
SSL VPN Client Installation Guide Version 9
SSL VPN Client Installation Guide Version 9 Document version 96060-1.0-08/10/2009 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing,
Unified Services Routers
High-Performance VPN Protocols IPSec PPTP L2TP SSL VPN Tunnels Up to 25 (DSR-250N) Up to 35 (DSR-500/500N) Up to 70 (DSR-1000/1000N) SSL VPN tunnels Up to 5 (DSR-250N) Up to 10 (DSR-500/500N) Up to 20
Cisco RV 120W Wireless-N VPN Firewall
Cisco RV 120W Wireless-N VPN Firewall Take Basic Connectivity to a New Level The Cisco RV 120W Wireless-N VPN Firewall combines highly secure connectivity to the Internet as well as from other locations
KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.4 REVIEWER S GUIDE. (Updated April 14, 2008)
KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.4 REVIEWER S GUIDE (Updated April 14, 2008) WHO IS KERIO? Kerio Technologies provides Internet messaging and firewall software solutions for small to medium
Next Gen Firewall and UTM Buyers Guide
Next Gen Firewall and UTM Buyers Guide Implementing and managing a network protected by point solutions is far from simple. But complete protection doesn t have to be complicated. This buyers guide explains
High Availability Configuration Guide Version 9
High Availability Configuration Guide Version 9 Document version 9402-1.0-08/11/2006 2 HA Configuration Guide IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable
SonicOS Enhanced 5.7.0.2 Release Notes
SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility
Cisco SA 500 Series Security Appliances
Cisco SA 500 Series Security Appliances An All-in-One Security Solution to Secure Your Small Business The Cisco SA 500 Series Security Appliances, part of the Cisco Small Business Pro Series, are comprehensive
Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000
Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business
Cyberoam Multi link Implementation Guide Version 9
Cyberoam Multi link Implementation Guide Version 9 Document version 96-1.0-12/05/2009 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing,
Platform Compatibility... 1 Key Features... 2 Known Issues... 4 Upgrading SonicOS Image Procedures... 6 Related Technical Documentation...
SonicOS SonicOS Enhanced 5.6.5.0 Early Field Trial Release Notes Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 4 Upgrading SonicOS Image Procedures... 6 Related Technical Documentation...
Firewall and UTM Solutions Guide
Firewall and UTM Solutions Guide Telephone: 0845 230 2940 e-mail: [email protected] Web: www.lsasystems.com Why do I need a Firewall? You re not the Government, Microsoft or the BBC, so why would hackers
Cisco Outdoor Wireless Mesh Enables Alternative Broadband Access
Cisco Outdoor Wireless Mesh Enables Alternative Broadband Access Cisco ServiceMesh defines a network design for service providers delivering valueadded municipal wireless services over a mesh network.
Astaro Gateway Software Applications
Astaro Overview Astaro Products - Astaro Security Gateway - Astaro Web Gateway - Astaro Mail Gateway - Astaro Command Center - Astaro Report Manager Astaro Gateway Software Applications - Network Security
Barracuda Link Balancer
Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503
IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security
IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security INTC-8608-01 CE 12-2010 Page 1 of 8 Table of Contents 1. Scope of Services...3 2. Definitions...3
Lucent VPN Firewall Security in 802.11x Wireless Networks
Lucent VPN Firewall Security in 802.11x Wireless Networks Corporate Wireless Deployment is Increasing, But Security is a Major Concern The Lucent Security Products can Secure Your Networks This white paper
How To Set Up A Cisco Wap121 Wireless N Access Point With Single Point Setup
Data Sheet Cisco WAP121 Wireless-N Access Point with Single Point Setup Secure, Easy-to-Deploy, Affordable Wireless-N Connectivity Highlights Provides affordable high-bandwidth 802.11n wireless connectivity
Cisco WAP321 Wireless-N Selectable-Band Access Point with Single Point Setup
Data Sheet Cisco WAP321 Wireless-N Selectable-Band Access Point with Single Point Setup Secure and Easy to Deploy Wireless-N Networking with Gigabit Ethernet Connectivity Highlights Provides selectable-band
Network Access Control ProCurve and Microsoft NAP Integration
HP ProCurve Networking Network Access Control ProCurve and Microsoft NAP Integration Abstract...2 Foundation...3 Network Access Control basics...4 ProCurve Identity Driven Manager overview...5 Microsoft
SonicWALL Team Nordic Recommendations for safe Unified Threat Management (UTM) Deployments*
SonicWALL Team Nordic Recommendations for safe Unified Threat Management () Deployments* [email protected] tel: +46 8 410 71 700 TZ100/100W 01-SSC-8739 01-SSC-8739 01-SSC-8723 $470/$536W 128Mb RAM 5FE
Wireless Network Standard and Guidelines
Wireless Network Standard and Guidelines Purpose The standard and guidelines listed in this document will ensure the uniformity of wireless network access points and provide guidance for monitoring, maintaining
Cyber Security: Beginners Guide to Firewalls
Cyber Security: Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers This appendix is a supplement to the Cyber Security: Getting Started
Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.
Table of Contents Section 1: Executive summary...1 Section 2: The challenge...2 Section 3: WLAN security...3 and the 802.1X standard Section 4: The solution...4 Section 5: Security...4 Section 6: Encrypted
Wireless Services. The Top Questions to Help You Choose the Right Wireless Solution for Your Business. www.megapath.com
Wireless Services The Top Questions to Help You Choose the Right Wireless Solution for Your Business Get Started Now: 877.611.6342 to learn more. www.megapath.com Why Go Wireless? Today, it seems that
Chapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
Unified Services Routers
High VPN Performance Protocols IPSec PPTP LTP SSL Up to 5 (DSR-500/500N) or 70 (DSR-1000/1000N) VPN tunnels Up to 10 (DSR-500/500N) or 0 (DSR-1000/1000N) SSL VPN tunnels DES, DES, AES Encryption Main/
SonicOS Standard Administrator's Guide
COMPREHENSIVE INTERNET SECURITY S o n i c WALL Internet Security Ap p l i a n c e s SonicOS Standard Administrator's Guide Contents Copyright Notice... 7 LIMITED WARRANTY... 7 About this Guide...8 Product
SonicWALL Corporate Design System. The SonicWALL Brand Identity
SonicWALL Corporate Design System The SonicWALL Brand Identity 1 SonicWALL Corporate Vision Vision Dynamic Security for the Global Network Our vision is simple: we believe security solutions should be
Chapter 2 Configuring Your Wireless Network and Security Settings
Chapter 2 Configuring Your Wireless Network and Security Settings This chapter describes how to configure the wireless features of your DG834N RangeMax TM NEXT Wireless ADSL2+ Modem Router. For a wireless
Advantages of Managed Security Services
Advantages of Managed Security Services Cloud services via MPLS networks for high security at low cost Get Started Now: 877.611.6342 to learn more. www.megapath.com Executive Summary Protecting Your Network
SonicWALL Security Dashboard
Document Scope This document describes how to use the feature on a SonicWALL security appliance running SonicOS 3.8 firmware or later. This document contains the following sections: Overview section on
HTTP Client Installation Guide Version 9
HTTP Client Installation Guide Version 9 Document version 7300-1.0-9/13/2006 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but
CISCO SMB CLASS MOBILITY AND WIRELESS SOLUTIONS: THE RESPONSIVE WORKFORCE
CISCO SMB CLASS MOBILITY AND WIRELESS SOLUTIONS: THE RESPONSIVE WORKFORCE BLUEPRINT Cisco Small and Medium Business Class Solutions Cisco offers small and medium-sized business customers a suite of intelligent
Go Wireless. Open up new possibilities for work and play
Go Wireless Open up new possibilities for work and play Start with 3 pieces A typical home or small-office wireless LAN requires only 3 pieces of hardware. With these 3 pieces, you re ready to get started!
Microsoft Windows Server System White Paper
Introduction to Network Access Protection Microsoft Corporation Published: June 2004, Updated: May 2006 Abstract Network Access Protection, a platform for Microsoft Windows Server "Longhorn" (now in beta
Unified Threat Management
Unified Threat Management QUICK START GUIDE CR35iNG Appliance Document Version: PL QSG 35iNG/96000-10.04.5.0.007/250121014 DEFAULTS Default IP addresses Ethernet Port IP Address Zone A 172.16.16.16/255.255.255.0
GlobalSCAPE DMZ Gateway, v1. User Guide
GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical
Using a Firewall General Configuration Guide
Using a Firewall General Configuration Guide Page 1 1 Contents There are no satellite-specific configuration issues that need to be addressed when installing a firewall and so this document looks instead
SonicWALL Unified Threat Management. Alvin Mann April 2009
SonicWALL Unified Threat Management Alvin Mann April 2009 Agenda Who is SonicWALL? Networking Drivers & Trends SonicWALL Unified Threat Management (UTM) Next Generation Protection SonicWALL CONFIDENTIAL
State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
White Paper. ZyWALL USG Trade-In Program
White Paper ZyWALL USG Trade-In Program Table of Contents Introduction... 1 The importance of comprehensive security appliances in today s world... 1 The advantages of the new generation of zyxel usg...
axsguard Gatekeeper Internet Redundancy How To v1.2
axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 Legal Notice VASCO Products VASCO data Security, Inc. and/or VASCO data Security International GmbH
Output Power (without antenna) 5GHz 2.4GHz
Dual Band High- PoE AP Router Dual Band Concurrent AP Router 11a + 11a/b/g Hi- Radios 802.3af PoE Port 7 Wireless Operation Modes 5/10/20 Variable Channel Width Home Digital Network Application School,
APPENDIX 3 LOT 3: WIRELESS NETWORK
APPENDIX 3 LOT 3: WIRELESS NETWORK A. TECHNICAL SPECIFICATIONS MAIN PURPOSE The Wi-Fi system should be capable of providing Internet access directly to a user using a smart phone, tablet PC, ipad or Laptop
The Cisco ASA 5500 as a Superior Firewall Solution
The Cisco ASA 5500 as a Superior Firewall Solution The Cisco ASA 5500 Series Adaptive Security Appliance provides leading-edge firewall capabilities and expands to support other security services. Firewalls
References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household
This appendix is a supplement to the Cyber Security: Getting Started Guide, a non-technical reference essential for business managers, office managers, and operations managers. This appendix is one of
NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
AC 1900. Wireless Dual Band Gigabit Router. Highlights
AC 1900 Wireless Dual Band Gigabit Router Highlights Superfast Wi-Fi 600Mbps on 2.4GHz + 1300Mbps on 5GHz totals 1.9Gbps Wi-Fi speeds Maximum Range 3 dual band detachable antennas provide maximum Omni-directional
Release Notes. SonicOS 6.1.2.0 is the initial release for the Dell SonicWALL NSA 2600 network security appliance.
SonicOS SonicOS Contents Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Feature Information... 2 Known Issues... 2 Resolved Issues... 4 Release Purpose
ECB1220R. Wireless SOHO Router/Client Bridge
Wireless SOHO Router/Client Bridge 2.4GH 802.11 b/g 54Mbps PRODUCT DESCRIPTION ECB-1220R is a 2.4GHz 802.11b/g broadband Wi-Fi Router with advanced AP/Client Bridge/Repeater functions. So you could implement
The Ultimate WLAN Management and Security Solution for Large and Distributed Deployments
The Ultimate WLAN Management and Security Solution for Large and Distributed Deployments Centralized WLAN management and auto provisioning Manages up to 0 APs with granular access control Advanced RF management
Nokia Siemens Networks. CPEi-lte 7212. User Manual
Nokia Siemens Networks CPEi-lte 7212 User Manual Contents Chapter 1: CPEi-lte 7212 User Guide Overview... 1-1 Powerful Features in a Single Unit... 1-2 Front of the CPEi-lte 7212... 1-2 Back of the CPEi-lte
Gigabit Multi-Homing VPN Security Router
As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is a ideal to help the SMBs increase the broadband
Achieve Deeper Network Security
Achieve Deeper Network Security Dell Next-Generation Firewalls Abstract Next-generation firewalls (NGFWs) have taken the world by storm, revolutionizing network security as we once knew it. Yet in order
ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3
ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3 TO THE Overview EXHIBIT T to Amendment No. 60 Secure Wireless Network Services are based on the IEEE 802.11 set of standards and meet the Commonwealth of Virginia
Cyber Security Beginners Guide to Firewalls A Non-Technical Guide
Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Multi-State Information Sharing and Analysis Center (MS-ISAC) U.S.
