SonicWALL Aventail SSL VPNs Working Together With SonicWALL End Point Security Solutions for Granular End Point Control


Step by step guide on how to configure SonicWALL Aventail SSL VPNs to detect the SonicWALL Enforced Client

CONTENTS

Overview
Configuration Steps
Zone Options
1. Standard (Allow) Zone for Full Access
2. Default Zone for Limited Access - Download the SonicWALL Enforced Client
3. Quarantine Zone to Deny Access - Download the SonicWALL Enforced Client
4. Deny Zone to Deny Access if SonicWALL Enforced Client is Out of Compliance
Conclusion

Overview

SonicWALL Aventail SSL VPN appliances have a feature called End Point Control (EPC) which can require that incoming clients meet certain criteria before connecting, the most common being that the incoming client is running a valid and up-to-date version of an anti-virus or anti-spyware program. Upon first contact with a SonicWALL Aventail appliance, the endpoint is interrogated against an administrator-defined set of attributes called Device Profiles. If the incoming connection meets those criteria, the client is assigned to a defined Policy Zone. If not, the administrator has a number of options, including assigning the endpoint to a Default Zone or a Quarantine Zone for remediation. EPC interrogation and Zone assignment are available for all Aventail access methods, including Connect Tunnel.

This white paper provides step by step instructions on how the SonicWALL Aventail SSL VPN can be configured to enforce that end point devices have the appropriate version and configuration of the SonicWALL Enforced Client anti-virus solution. Both a SonicWALL Aventail SSL VPN (EX-750, EX-1600 or EX-2500) and a SonicWALL Enforced Client running on an end point device are required in order to follow the configuration steps detailed in this paper.

The information presented in this paper represents the industry experience of the SonicWALL research and development team and reflects the requirements that can be met by applying SonicWALL Aventail SSL VPN solutions combined with SonicWALL Enforced Client Anti-Virus solutions. The SonicWALL solutions are referenced in the conclusion to this paper and can be reviewed in detail on the SonicWALL Web site: http://www.sonicwall.com.

Configuration Steps

In order for a SonicWALL Aventail SSL VPN appliance to enforce client usage of the SonicWALL Enforced Client, there are a few prerequisites:

1. The Aventail SSL VPN appliance must run firmware 8.9 or newer. This can be obtained from the Aventail Assurance portal by customers with a current software service contract for their Aventail SSL VPN appliances. You can determine the current firmware version by logging into the Aventail Management Console (AMC); the version is displayed in the lower-left-hand corner of the AMC home page. The firmware version can also be found on the System Configuration > Maintenance page. For an example, see below.

2. The incoming client connection must run version 4.5 or newer of the SonicWALL Enforced Client. To determine which version a client is running, right-click the client's taskbar icon (the small red shield with the M in it, on the right of the taskbar) and select About. For an example, see below.

3. On the Aventail SSL VPN appliance, in the Device Profile definition for Windows, the McAfee Inc. Vendor name must be selected and the Total Protection for Small Business Product name must be used. (There is no SonicWALL-specific entry at present; this will be resolved in a future firmware release.) Following is an example of the SonicWALL Enforced Client Device Profile:

4. The SonicWALL Enforced Client is an OEM version of the Total Protection for Small Business software application and, because of this, is recognized as such by the Aventail SSL VPN appliance.

5. While the SonicWALL Enforced Client is an anti-spyware client as well as an anti-virus client, it only shows up in the Anti-Virus enforcement category on the Aventail SSL VPN appliance.

Zone Options

On the Aventail SSL VPN appliance, there are a number of options regarding how the administrator can use Aventail End Point Control settings to check the SonicWALL Enforced Client and take various actions if the Client is not running or up to date. For the purpose of this white paper, the following scenarios will be covered:

1. Standard (Allow) Zone for Full Access: This scenario assumes that the end user has the SonicWALL Enforced Client present on their end point device and it is configured with the appropriate version.

2. Default Zone for Limited Access - Download the SonicWALL Enforced Client: This scenario assumes that the end user does not have the SonicWALL Enforced Client present on their end point device. The policy will allow the user limited access to resources. However, in order to gain full access to resources they will need to download and install the SonicWALL Enforced Client from a link that is present on the SSL VPN portal.

3. Quarantine Zone to Deny Access - Download the SonicWALL Enforced Client: This scenario also assumes that the end user does not have the SonicWALL Enforced Client present on their end point device. However, unlike the previous scenario, the user is not allowed access to any resources until they download the SonicWALL Enforced Client. They will be placed into a quarantine zone and provided with instructions on how to download the SonicWALL Enforced Client.

4. Deny Zone to Deny Access if the SonicWALL Enforced Client is Out of Compliance: This scenario assumes that the end user does have the SonicWALL Enforced Client but for some reason it does not have the appropriate configuration (an out-of-date version, perhaps). They will be denied access until they perform the necessary update to their SonicWALL Enforced Client.

1. Standard (Allow) Zone for Full Access

In this scenario, if the endpoint matches the Device Profile that was defined for the SonicWALL Enforced Client, it will be placed into a Trusted Zone and given full access to all internal applications:

a) First, define a Standard Zone named Trusted Zone using the previously-defined Enforce SonicWALL Device Profile:

b) Next, in the appropriate Community, under End Point Control Restrictions, place the new Trusted Zone into the In use box in the Standard Zone settings to make the Zone available to the Community:

c) In the Access Control rules, modify the appropriate rule and add the Trusted Zone. In this example, any user in the AD Realm will be permitted access to the Corporate Shared Drive, the intranet, OWA, and Terminal Services applications only if the endpoint is classified into the Trusted Zone.

d) After an authorized user logs into the WorkPlace from an endpoint that is running the SonicWALL Enforced Client, that endpoint is classified into the Trusted Zone, and the user is allowed access to all applications:

2. Default Zone for Limited Access - Download SonicWALL Enforced Client

In this scenario, if the endpoint does not match the Device Profile that was defined for the SonicWALL Enforced Client, it will be placed into a Default Zone and given access to a subset of internal applications. Also, a link is provided in the Default Zone to download and install the SonicWALL Enforced Client.

a) Define a new URL Resource for the SonicWALL Enforced Client installation. The exact syntax of the URL is http://virusscanasap.mcafeeasap.com/vs2/sonicwall/rd.asp?ck=xxxxxx, where ck is the Company Key, a SonicWALL-generated company designation for an installation of the Enforced Client. Multiple licenses can be applied to the same Company Key. Only the hostname is defined in the URL Resource; the remainder of the URL is defined in the Start page option in the Advanced settings of the WorkPlace Shortcut:

b) When defining an external URL as a Resource, it is important that the hostname is added to the Resource Exclusion List, located at the bottom of the Resource table. This tells the Aventail appliance not to translate the URL, so that the endpoint's browser will resolve the URL to the correct public Web site:

c) Define a new Access Control rule for endpoints placed into the Default Zone (those not running an Enforced Client, or running one that is not up-to-date as defined in the Device Profile) that permits access only to the specified applications and the SonicWALL Enforced Client download link:

d) Note that the Default Zone does not have to be added to the list of Standard Zones in the appropriate Community. The Default Zone is always present and is the last available Zone. In this example, since the endpoint will not match the Trusted Zone, it will fall into the Default Zone.

e) After logging into the WorkPlace from an endpoint without the SonicWALL Enforced Client running, the endpoint is classified into the Default Zone and is allowed access to only a subset of applications and a link to download the SonicWALL Enforced Client:

3. Quarantine Zone to Deny Access - Download SonicWALL Enforced Client

Another option, if the endpoint does not match the Device Profile that was defined for the SonicWALL Enforced Client, is to place it into a Quarantine Zone and give it access to a link to download and install the Client. In the Quarantine Zone, no application access is permitted apart from the remediation links that are defined.

a) Under the End Point Control Zone settings, define a new Quarantine Zone. As part of the definition, the administrator can specify any text they would like to appear in the Zone and also any useful Web links that can be used for remediation purposes. In this example, a link is defined to the SonicWALL Enforced Client installation URL as described above.

b) In the appropriate Community, under End Point Control Restrictions, change the Zone fallback option from Place into default zone to Place into quarantine zone and specify the SonicWALL Quarantine Zone:

c) After logging into the WorkPlace from an endpoint without the SonicWALL Enforced Client running, the endpoint is classified into the SonicWALL Quarantine Zone and is only permitted access to the remediation link specified:

4. Deny Zone to Deny Access if SonicWALL Enforced Client is Out of Compliance

Finally, the Deny Zone can be used to deny access to an endpoint that matches a specific Device Profile. In this example, assume that a new version (5.0) of the SonicWALL Enforced Client has just been put into production and deployed to all end users. If a user tries to log into the WorkPlace from an endpoint that is running a SonicWALL Enforced Client with a version other than 5.0, they will be placed into the Deny Zone, not allowed any access at all into the internal network, and given a message explaining why they are denied access and whom to contact.

a) Under the End Point Control Zone settings, define a new Device Profile called Enforce SonicWALL. This profile checks whether the endpoint's SonicWALL Enforced Client version is equal to 4.x (and therefore not version 5.0). Other options can be set to check the last time the signatures were updated or the last time the file system was scanned:


b) Under the End Point Control Zone settings, define a new Deny Zone. In this Zone, we specify the Device Profile that we want to check for (Enforce SonicWALL) and also a custom message that we want to display to the end user:

c) In the appropriate Community, make the new Deny Zone available under the End Point Control restrictions:

d) After logging into WorkPlace from an endpoint that is not running the correct version of the SonicWALL Enforced Client, the endpoint is placed immediately into the Deny Zone and the predefined message is displayed:
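As a worked illustration of the zone logic in scenarios 1 to 4 above, and of the hostname-only URL Resource plus Resource Exclusion List from scenario 2, the following Python model is added here. It is not SonicWALL or Aventail code and does not reflect the appliance's internals: the evaluation order (Deny Zones checked first, then Standard Zones in listed order, then the Community's fallback Zone), the resource lists per Zone, the "4.x" deny profile name and the company key placeholder are all assumptions made for the example.

```python
"""Model of Aventail End Point Control (EPC) zone classification.

Constructed illustration only; the evaluation order (Deny -> Standard -> fallback)
and the per-zone resource lists are assumptions, not SonicWALL/Aventail behaviour.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Vendor / product names the paper says the Windows Device Profile must use.
AV_VENDOR = "McAfee, Inc."
AV_PRODUCT = "Total Protection for Small Business"
# Download URL from the paper, split as the appliance wants it: hostname in the
# URL Resource, the rest in the WorkPlace Shortcut's Start page. The company key
# is a placeholder, not a real value.
DOWNLOAD_HOST = "virusscanasap.mcafeeasap.com"
DOWNLOAD_START_PAGE = "/vs2/sonicwall/rd.asp?ck=COMPANY_KEY_PLACEHOLDER"
DOWNLOAD_LINK = "http://" + DOWNLOAD_HOST + DOWNLOAD_START_PAGE

# Resource Exclusion List: hostnames the appliance must NOT URL-translate, so the
# endpoint's own browser resolves them to the public site.
RESOURCE_EXCLUSIONS = {DOWNLOAD_HOST}


@dataclass
class Endpoint:
    """What EPC learns when it interrogates the device (None = client absent)."""
    av_vendor: Optional[str] = None
    av_product: Optional[str] = None
    av_version: Optional[str] = None


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.5.1' -> (4, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class DeviceProfile:
    name: str
    version_ok: Callable[[Tuple[int, ...]], bool]

    def matches(self, ep: Endpoint) -> bool:
        if ep.av_vendor != AV_VENDOR or ep.av_product != AV_PRODUCT:
            return False  # no Enforced Client, or a different product entirely
        return self.version_ok(parse_version(ep.av_version))


@dataclass
class Zone:
    name: str
    kind: str                                   # deny | standard | default | quarantine
    profiles: List[DeviceProfile] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)   # what Access Control permits
    message: str = ""                           # text shown in Deny / Quarantine zones

    def matches(self, ep: Endpoint) -> bool:
        return any(p.matches(ep) for p in self.profiles)


@dataclass
class Community:
    deny_zones: List[Zone]
    standard_zones: List[Zone]
    fallback: Zone          # "Zone fallback option": Default Zone or Quarantine Zone


def classify(ep: Endpoint, community: Community) -> Zone:
    """Assumed order: a matching Deny Zone wins outright, then the first matching
    Standard Zone, otherwise the Community's fallback (always present, always last)."""
    for zone in community.deny_zones:
        if zone.matches(ep):
            return zone
    for zone in community.standard_zones:
        if zone.matches(ep):
            return zone
    return community.fallback


def should_translate(url: str) -> bool:
    """True if the appliance would rewrite this URL; excluded hosts are left alone."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host not in RESOURCE_EXCLUSIONS


# --- constructed profiles, zones and communities for the four scenarios ---
ENFORCE_SONICWALL = DeviceProfile("Enforce SonicWALL", lambda v: v >= (4, 5))
OUT_OF_DATE_4X = DeviceProfile("Enforce SonicWALL 4.x", lambda v: v[0] == 4)

FULL_ACCESS = ["Corporate Shared Drive", "Intranet", "OWA", "Terminal Services"]
TRUSTED = Zone("Trusted Zone", "standard", [ENFORCE_SONICWALL], FULL_ACCESS)
DEFAULT = Zone("Default Zone", "default", resources=["Intranet", DOWNLOAD_LINK])
QUARANTINE = Zone("SonicWALL Quarantine Zone", "quarantine", resources=[DOWNLOAD_LINK],
                  message="Install the SonicWALL Enforced Client, then reconnect.")
DENY = Zone("Deny Zone", "deny", [OUT_OF_DATE_4X],
            message="Your Enforced Client is out of date; contact the help desk.")

COMMUNITY_DEFAULT = Community([], [TRUSTED], DEFAULT)          # scenarios 1 and 2
COMMUNITY_QUARANTINE = Community([], [TRUSTED], QUARANTINE)    # scenario 3
COMMUNITY_DENY = Community([DENY], [TRUSTED], DEFAULT)         # scenario 4

if __name__ == "__main__":
    # Constructed endpoints: compliant 5.0, no client at all, and an old 4.5 client.
    samples = {"v5.0": Endpoint(AV_VENDOR, AV_PRODUCT, "5.0"),
               "none": Endpoint(), "v4.5": Endpoint(AV_VENDOR, AV_PRODUCT, "4.5")}
    for label, community in [("default", COMMUNITY_DEFAULT),
                             ("quarantine", COMMUNITY_QUARANTINE),
                             ("deny", COMMUNITY_DENY)]:
        for tag, ep in samples.items():
            z = classify(ep, community)
            print(f"{label:10} {tag:5} -> {z.name}: {z.resources or z.message}")
```

Running the block prints the Zone and permitted resources for each endpoint under each Community; note that the same 4.5 client lands in the Trusted Zone under the scenario 1/2 Community but in the Deny Zone once the 4.x Deny Zone is enabled, which is exactly the "placed immediately into the Deny Zone" behaviour scenario 4 describes.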

Conclusion

The SonicWALL E-Class Aventail SSL VPN appliances provide secure access for employees, business partners, and customers to Web applications, client/server applications, and file shares. The Aventail SSL VPN appliances provide remote access control that manages and secures application access based on the ability to identify the following three things:

1) Who is the user? Identify users based on strong authentication. Group users into communities and groups based on admission policy.

2) What is on the end point device? Interrogate the end point to determine the device identity and device integrity, and allow the results of the interrogation to be leveraged within admission and access control policies.

3) What are the resources that the user needs to access? Allow access to individual applications based on who the user is and the trust level of the device used for access.

The Aventail SSL VPN appliances make these resources available from a range of access methods, including a standard Web browser, an ActiveX or Java-enabled Web browser, or a native client preinstalled on the device, on a wide range of platforms and devices that include Windows, Macintosh, Linux, and PDAs or smartphones. Administrators determine the resources that users will be allowed to access, and the Aventail SSL VPN appliances transparently and dynamically provision the access methods appropriate for those resources. All access control is handled centrally via the Web-based management console.

Why SonicWALL Aventail SSL VPNs?

1) More devices, more access points: The pace of innovation in remote access technology has increased dramatically over the past decade. Broadband access to the Internet has become not merely ubiquitous, but an expected standard, at work, at home, and everywhere in between. Mobile devices have proliferated to the point where laptops, PDAs, and smartphones, mobilized with sophisticated wireless and cellular connectivity, are accelerating the phase-out of traditional desktop PCs. The rise in VoIP has turned phone calls into data resources, and transformed telephony into yet another network access methodology.

2) Work is increasingly moving beyond the network perimeter: Traditional network boundaries are disappearing, and the office is no longer tied to any specific physical location. Work is conducted from field offices and home offices, partner sites and manufacturing sites. Increased access has resulted in increased productivity. Business partners require access to internal enterprise resources from end point locations behind their own firewalls. Remote teleworkers and day extenders in all business capacities connect to business applications and files via WiFi hotspots at home or in neighborhood cafes. Enterprise boundaries are blurring, with outside partners, vendors, and consultants playing an increasingly vital role in daily operations, often collaborating in cross-functional teams that require secure access to inside application resources from outside devices, traversing internal and external firewalls.

3) IT is facing new challenges for controlling access: The increasingly mobile trends in technology and business operations have accelerated the replacement of traditional network nodes, from IT-managed hard-cabled desktops to wireless laptops and mobile devices. Even when these devices are issued by IT, their usage has become difficult for IT to control. An end user might use the same mobile computing device at home as in the office, use a personally-owned device for business purposes, or use a corporate-owned device for personal purposes. It is increasingly hard for IT to restrict what users do with access devices, and to limit the ways in which users expose these devices to threats that can impact the security of enterprise resources.

To learn more about SonicWALL Aventail SSL VPN solutions, visit: http://www.sonicwall.com/products.

Contacting SonicWALL

If you require technical assistance for your SonicWALL UTM appliance or SonicPoint, check these online SonicWALL resources:

The support site: http://www.sonicwall.com/us/support.html
The interactive online Knowledge Portal: http://www.nohold.net/noholdcust22/prod_3/articles53234/sw_launch_frames.html

If you cannot find the information you need, contact SonicWALL telephone support at one of these numbers:

North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819

International Telephone Support
Australia + 1800.35.1642
Austria + 43(0)820.400.105
EMEA + 31(0)411.617.810
France + 33(0)1.4933.7414
Germany + 49(0)1805.0800.22
Hong Kong + 1.800.93.0997
India + 8026556828
Italy + 39.02.7541.9803
Japan + 81(0)3.5460.5356
New Zealand + 0800.446489
Singapore + 800.110.1441
Spain + 34(0)9137.53035
Switzerland + 41.1.308.3.977
UK + 44(0)1344.668.484

Note: If you find that the number appropriate to your geographic region does not work, please visit http://www.sonicwall.com/us/support/3001.html for the latest technical support telephone numbers.

More Information on SonicWALL Products

Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Web: http://www.sonicwall.com
E-mail: sales@sonicwall.com
Phone: (408) 745-9600
Fax: (408) 745-9300

Author: dparry@sonicwall.com and dbuckwald@sonicwall.com
Prepared by SonicWALL, Inc
Version 1.3, Updated January 2008