SonicWall UTM SSL VPN Split Tunnelling and Route to Specific Websites Using FQDNs
• This document is based on SonicOS 6.5 firmware. The FQDN method requires 6.5.4 onwards or 7.0, as earlier versions did not include the Dynamic External Address Object Group (DEAG) option; the IP address method works the same way on previous versions of SonicOS.
• In certain scenarios you may need certain public IP addresses routed through the SonicWall SSL VPN because access to the sites or applications is restricted to your business' public IP address. A remote user would then be unable to reach the service or application unless the traffic goes through the SSL VPN tunnel. You could use Tunnel All mode, but that is unnecessary for all other web traffic, adds overhead on the SonicWall and can cause throughput issues for remote workers. Split tunnelling only the required destinations avoids this.
• Note: If you only need to access a host with a static IP address that does not change, use the IP address method below on its own. For hosts whose IP addresses may change, you still need to complete the IP address method steps first and then the FQDN method steps that follow.
Setting up the SonicWall for IP Addresses only
1. Add Address Objects for the required remote IP addresses, making sure the objects are in the SSLVPN zone. You can then add them to an Address Group. (Classic GUI - Network/Address Objects, Gen 7 GUI - Objects/Addresses)


2. Add the individual objects (not the group) to the SSL VPN Client Routes. In this example I also have the internal networks added to the routes, as we need access to those via the SSL VPN tunnel. (Classic GUI - SSL VPN/Client Settings/Default Profile/Client Routes, Gen 7 GUI - Network/SSL VPN/Client Settings/Default Profile/Client Routes)


3. Add a firewall access rule from SSLVPN to WAN. In this example I am using the group containing the www.netthreat.co.uk IP address (please use one of your own domains) and the 9.9.9.9 ping target. Set the rule's destination to that group and the service to what is actually needed rather than Any; a wider rule would let SSL VPN users out to the whole Internet through the firewall's WAN IP, which defeats the point of split tunnelling. (Classic GUI - Firewall/Access Rules, Gen 7 GUI - Policy/Access Rules)
4. We now need to add the same IP addresses (or the group) to the VPN Access networks of the SSL VPN Services user group. (Classic GUI - Users/Local Users & Groups/Local User Groups, Gen 7 GUI - Device/Users/Local Users & Groups/Local User Groups)


5. There should already be an auto-created NAT policy that translates traffic from the SSL VPN network out of the WAN IP. If not, create one. (Classic GUI - Network/NAT Policies, Gen 7 GUI - Policy/NAT Rules)


6. Once connected to the SSL VPN, we can see that traffic to these networks is being translated correctly out of the WAN IP.




7. NetExtender shows all the Routes:


8. Running route print on the remote PC also shows the routes NetExtender has added to the route table; they are removed again when NetExtender disconnects.


Setting up the FQDN method
If you need to route to an application whose IP addresses change often, you will need to use the DEAG method. Neither the SSL VPN client routes nor the Windows route table can work with FQDNs, so the FQDNs have to be converted into IP addresses first.
1. To get the SonicWall SSL VPN to work with FQDNs we use a DEAG (Dynamic External Address Object Group).
2. First save the included PowerShell script Host2IPs.txt, edit it with Notepad as needed and save it as Host2IPs.ps1.
3. On the server or PC that will host the script (minimum Server 2012 R2 or Windows 8.1) you need to allow scripts to run. Load PowerShell as an administrator and run the following command (our script host is a server that is only permitted outbound Internet access):
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force;
Bypass is the least restrictive setting; RemoteSigned is enough to run a script saved locally on the machine, and if you sign the script with an internal code-signing certificate you can keep AllSigned. Note that the CurrentUser scope only applies to the account you run this under, not to the account a scheduled task runs as.
Also in PowerShell run the command: Import-Module DnsClient
To verify this has been successful enter Get-Command -Module DnsClient and you should see the DnsClient cmdlets (including Resolve-DnsName) listed.
4. The script does the following:
a. Resolves the hostnames in hostnames.txt to IP addresses, IPv4 only, as the SonicWall DEAG currently supports IPv4 only.
b. Saves the IP addresses to a text file called ipaddresses.txt (encoded as ANSI/ASCII, the format the SonicWall DEAG expects).
c. Adds or removes IPs that differ from the last scan, removes duplicates and sorts the list each time it runs. If changes are found the file is updated and an email notification is sent to users.
d. Emails the users in the AD group or the local users used for VPN access, asking them to restart the NetExtender / Mobile Connect client so they pick up the new IP routes.
The example script is included as a separate text file which you will need to rename with a .ps1 extension. There are also three separate text files holding the email parameters, depending on which method you require: one file for AD users, or two files for local users.
The script includes both email methods. To use one or the other, comment out the section not required. If needed you can leave both uncommented and email both AD users and local users at the same time if you have a mix of users on the SonicWall (some AD users and some local users). By default the script has the local users email section commented out.
5. Local users refers to users created in the SonicWall local user database rather than users synced via LDAP. For these the script sends mail through a third-party email server such as Gmail, using parameters like the following:
Smtp.gmail.com (SMTP Server)
587 (Server Port)
bob@gmail.com (Email Username)
fgdgdgdgddee (Password)
itadmin@domain.co.uk (Email From Address)
NetExtender Restart Required (Email Subject)
Please restart your NetExtender SSL VPN Client - Any issues Please contact Support (Email Body)
6. For AD user groups you will also need to edit the example file called email-params.txt and put it in a separate folder. In this example it is in the root folder C:\. Keep the email parameter files outside the folder served by IIS or FTP, since they contain credentials in plaintext, and restrict the NTFS permissions on them to the account that runs the script. Use a dedicated, low-privilege AD account here rather than a domain admin. The file needs to include the email parameters below, substituting the values for those of your mail server, account credentials and desired text (without the details in brackets, which are just descriptions for you).
172.16.35.211 (Server IP)
25 (Server Port)
Admintest (AD User)
pa55W0rd (AD Password)
itadmin@domain.co.uk (Email From Address)
NetExtender Restart Required (Email Subject)
Please restart your NetExtender SSL VPN Client - Any issues Please contact Support (Email Body)
SSL VPN Users (AD User Group)
7. We also need to edit the text file containing the FQDN entries, called hostnames.txt, with one FQDN per line.
In my example I have added just two, but you can add whichever FQDNs you require.


8. Make sure hostnames.txt and the script are saved in the same folder, as the script expects to run from there. As this example is hosted via HTTPS I have saved them in a new folder called scripts under wwwroot, so that the generated ipaddresses.txt is served by IIS. If you are using the FTP method you can put them in another folder if you wish.
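The script itself is not reproduced on this page. The following is an added example written for this article, not the included Host2IPs.ps1, that implements the behaviour described in step 4 for the AD user group method: it resolves the A records for each name in hostnames.txt, de-duplicates and sorts them, writes ipaddresses.txt as ASCII only when the list has changed, and then emails the members of the AD group named in email-params.txt. It assumes hostnames.txt sits next to the script, that email-params.txt uses the eight-line layout shown in step 6 (server, port, AD user, AD password, from address, subject, body, AD group) and lives outside the web-served folder, that the AD account in that file is used for the group lookup, and that the RSAT ActiveDirectory module is installed for Get-ADGroupMember. Unlike a bare resolve-and-write loop, it refuses to publish an empty list, because an empty ipaddresses.txt would silently remove every FQDN route from the DEAG.

```powershell
# Added example, not the guide's Host2IPs.ps1. Resolves FQDNs to IPv4, publishes a
# sorted ASCII list for the SonicWall DEAG and notifies an AD group only on change.
param(
    [string]$HostFile   = (Join-Path $PSScriptRoot 'hostnames.txt'),   # one FQDN per line
    [string]$OutFile    = (Join-Path $PSScriptRoot 'ipaddresses.txt'), # file the DEAG downloads
    [string]$ParamsFile = 'C:\email-params.txt'                        # assumed location, outside wwwroot
)

Import-Module DnsClient

function Resolve-HostsToIPv4 {
    param([string[]]$Hostnames)
    $ips = foreach ($h in $Hostnames) {
        $name = $h.Trim()
        if (-not $name -or $name.StartsWith('#')) { continue }   # skip blanks and comments
        try {
            # Ask for A records only and drop CNAME entries: the DEAG accepts IPv4 only.
            Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress }
        } catch {
            Write-Warning "Could not resolve $name : $($_.Exception.Message)"
        }
    }
    # De-duplicate, then sort numerically by octet so the file order is stable between runs.
    $ips | Select-Object -Unique | Sort-Object { [version]$_ }
}

function Update-IPList {
    param([string[]]$NewIPs, [string]$Path)
    $old = @()
    if (Test-Path $Path) { $old = @(Get-Content $Path | Where-Object { $_ }) }
    $added   = @($NewIPs | Where-Object { $old -notcontains $_ })
    $removed = @($old    | Where-Object { $NewIPs -notcontains $_ })
    if ($added.Count -eq 0 -and $removed.Count -eq 0) { return $false }  # unchanged: leave file alone
    # One address per line, ASCII encoded, as the DEAG expects.
    Set-Content -Path $Path -Value $NewIPs -Encoding Ascii
    foreach ($a in $added)   { Write-Host "added   $a" }
    foreach ($r in $removed) { Write-Host "removed $r" }
    return $true
}

function Send-RestartNotice {
    param([string]$ParamsFile)
    if (-not (Test-Path $ParamsFile)) { Write-Warning "No $ParamsFile found; skipping email"; return }
    # Layout from the guide: server, port, AD user, AD password, from, subject, body, AD group.
    # The file holds a plaintext password, so restrict its NTFS ACL to the task account.
    $p    = Get-Content $ParamsFile
    $cred = New-Object System.Management.Automation.PSCredential(
                $p[2], (ConvertTo-SecureString $p[3] -AsPlainText -Force))
    Import-Module ActiveDirectory
    # Assumption: the AD account is used to enumerate the VPN group; the internal relay on
    # port 25 is assumed to accept unauthenticated mail from this host.
    $to = Get-ADGroupMember -Identity $p[7] -Recursive -Credential $cred |
          Get-ADUser -Properties mail -Credential $cred |
          Where-Object { $_.mail } | ForEach-Object { $_.mail }
    if (-not $to) { Write-Warning "No mail addresses found in group '$($p[7])'"; return }
    Send-MailMessage -SmtpServer $p[0] -Port ([int]$p[1]) -From $p[4] -To $to `
                     -Subject $p[5] -Body $p[6]
}

if (-not (Test-Path $HostFile)) { Write-Error "Missing $HostFile"; exit 1 }
$ips = @(Resolve-HostsToIPv4 -Hostnames (Get-Content $HostFile))
if ($ips.Count -eq 0) {
    # Never publish an empty list: the DEAG would import it and every FQDN route would vanish.
    Write-Warning 'No addresses resolved; keeping the previous ipaddresses.txt'
    exit 1
}
if (Update-IPList -NewIPs $ips -Path $OutFile) {
    Send-RestartNotice -ParamsFile $ParamsFile
}
```

Run it once by hand from the scripts folder before scheduling it, and confirm that a second run reports no change and sends no mail; the notification only goes out when the address list actually differs from the previous file.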


9. I would recommend using Task Scheduler to run Host2IPs.ps1 on the server every 5 minutes, repeating indefinitely, so that it stays in step with the DEAG refresh time and the SonicWall always gets the latest resolved IP addresses. Make sure you also add the folder path of the script in the "Start in" field under the Actions tab, otherwise the script will not find hostnames.txt.
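The same task can be registered from PowerShell instead of clicking through the Task Scheduler GUI. This is an added example, not part of the guide; it assumes the script lives in C:\inetpub\wwwroot\scripts and that a dedicated low-privilege domain account, DOMAIN\svc-host2ips, has been created for it. Passing -ExecutionPolicy on the command line matters here: the CurrentUser policy set in step 3 applies to the administrator who set it, not to the account the task runs as, so the task would otherwise fail with the default Restricted policy.

```powershell
# Added example (not from the guide): register the 5-minute Host2IPs task from PowerShell.
$scriptDir  = 'C:\inetpub\wwwroot\scripts'          # assumed; same folder as hostnames.txt
$scriptPath = Join-Path $scriptDir 'Host2IPs.ps1'
$taskUser   = 'DOMAIN\svc-host2ips'                  # assumed dedicated low-privilege account

# -ExecutionPolicy on the command line scopes the relaxation to this one process,
# so the machine-wide policy can stay at RemoteSigned or AllSigned.
# -WorkingDirectory is the "Start in" field the guide asks for.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`"" `
    -WorkingDirectory $scriptDir

# Start now and repeat every 5 minutes with no end date (Server 2016 and later;
# on Server 2012 R2 add -RepetitionDuration (New-TimeSpan -Days 3650)).
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 5)

# Kill a hung DNS lookup before the next run starts, and never stack runs.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 4) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

# Prompt for the account password rather than embedding it in the script.
$taskPass = Read-Host "Password for $taskUser"

Register-ScheduledTask -TaskName 'SonicWall DEAG Host2IPs' `
    -Description 'Refresh ipaddresses.txt for the SonicWall SSL VPN DEAG' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $taskUser -Password $taskPass -RunLevel Limited

# Fire it once and check the result code (0 means the script exited cleanly).
Start-ScheduledTask -TaskName 'SonicWall DEAG Host2IPs'
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName 'SonicWall DEAG Host2IPs' |
    Select-Object LastRunTime, LastTaskResult
```

The account only needs read access to hostnames.txt and write access to ipaddresses.txt in the scripts folder (plus read access to email-params.txt); it does not need to be a local administrator. If LastTaskResult is not 0, run the same powershell.exe command line by hand as that account to see the error.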




Setting up the DEAG (Dynamic External Address Object Groups) on the SonicWall
1. To use HTTPS, ensure your website has Directory Browsing enabled and is bound to port 443 for HTTPS. Enable Directory Browsing only on the folder holding ipaddresses.txt (the scripts folder in this example), not on the whole site, and keep the email parameter files out of that folder, otherwise anyone who can reach the site can list and download them.
2. To set up the DEAG object (Classic GUI - Firewall/Dynamic External Objects, Gen 7 GUI - Object/Dynamic Group), select Add and enter the details. I am using an internally hosted website, so in this case it points to https://172.16.32.181/ipaddresses.txt
3. If using the FTP method and the file is in the FTP root folder, just enter \ in the Directory Path.


4. Next select Download. If there is an error, check that the URL is correct and that the SonicWall can reach the web server on port 443.
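Before blaming the SonicWall for a failed download, it is worth fetching the file exactly as the firewall will and checking that every line is something the DEAG can import. The following is an added check written for this article, not part of the guide or of SonicWall's tooling; it uses the example URL from step 2 and Windows PowerShell 5.1 syntax, and assumes the internal IIS host has a self-signed certificate, which it trusts for this session only.

```powershell
# Added example (not from the guide): fetch ipaddresses.txt over HTTPS and validate
# that each line is a canonical IPv4 address in plain ASCII, as the DEAG expects.
$url = 'https://172.16.32.181/ipaddresses.txt'   # URL from the guide's example

function Test-DeagIPList {
    param([string]$Url)
    # Internal IIS hosts usually carry a self-signed certificate; accept it for this
    # session only. On PowerShell 7 use Invoke-WebRequest -SkipCertificateCheck instead.
    $saved = [Net.ServicePointManager]::ServerCertificateValidationCallback
    [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    } finally {
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $saved
    }

    $lines = @(($resp.Content -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $bad = foreach ($l in $lines) {
        $ip = $null
        # TryParse is lenient ("1" parses as 0.0.0.1), so also require the canonical
        # dotted-quad form and an IPv4 family; reject any non-ASCII byte outright.
        $parsed = [System.Net.IPAddress]::TryParse($l, [ref]$ip)
        $isV4   = $parsed -and $ip.AddressFamily -eq 'InterNetwork' -and $ip.ToString() -eq $l
        if (-not $isV4 -or ($l -match '[^\x00-\x7F]')) { $l }
    }

    [pscustomobject]@{
        Url     = $Url
        Status  = $resp.StatusCode
        Count   = $lines.Count
        Invalid = @($bad)
        Ok      = ($lines.Count -gt 0 -and @($bad).Count -eq 0)
    }
}

$result = Test-DeagIPList -Url $url
$result
if (-not $result.Ok) {
    Write-Warning "The DEAG will not import these lines: $($result.Invalid -join ', ')"
}
```

A 200 response with Ok set to True means the SonicWall should import the list without complaint. An empty file (Count 0) is a sign that the script aborted or was never run, and a non-ASCII line usually means the file was saved as UTF-8 with a byte order mark rather than ANSI/ASCII.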


5. If you expand, you will see the List of IP addresses from the text file has imported correctly.


6. Once this has completed, go to (Classic GUI - Network/Address Objects/Address Groups, Gen 7 GUI - Object/Addresses/Address Groups) and create a new Address Group containing the DEAG group. Here I called mine SSL VPN 2 Group. The reason for this extra group is that you cannot select the DEAG group directly from the SSL VPN Client Routes menu, but you can select a group of which the DEAG group is a member.


7. You can now go to (Classic GUI - SSL VPN/Client Settings/Default Policy/Client Routes, Gen 7 GUI - Network/SSL VPN/Client Settings/Default Policy/Client Routes), edit the policy and add the group we created earlier to it.


8. Ensure you also add the same group to the VPN Access networks of the SSL VPN Services user group (Classic GUI - Users/Local Users & Groups/Local User Groups/SSL VPN Services, Gen 7 GUI - Device/Users/Local Users & Groups/Local User Groups/SSL VPN Services).


9. Before connecting with NetExtender, I go to the website https://whatismyip.uno/ to show my real local public address. I have omitted the last two numbers for privacy.


10. To test that the FQDN to IP conversion is working correctly, connect using NetExtender. The routes for the FQDNs' resolved addresses are now listed in NetExtender.


11. If we now go to the same website, it shows the firewall's public IP address, confirming that traffic to that destination is going through the SSL VPN tunnel.


12. When using this method, be aware that if the addresses in ipaddresses.txt change, the user will need to reconnect NetExtender to pull through the new routes; the DEAG on the SonicWall refreshes on its own, but the client's routes are only pushed at connection time. The script example in this guide emails the AD user group with the notification text configured in email-params.txt.


Note: The maximum number of DEAGs, including both IP address and FQDN types, is 25% of the total number of address groups supported by the device.
Need help?
Here at NetThreat we offer a full range of professional services so if you would like assistance with setting this up, need to customise it for your environment, or any assistance with your SonicWall device configuration, please do give us a call on 0121 270 1800 or email enquire@netthreat.co.uk and we’ll be happy to discuss how we can help.