Sonicwall GVPN w/ Simple Client Provisioning

In this post I am going to cover one of the ways that you can configure your Sonicwall device so that it provides secure client access to your internal network using the Sonicwall Global VPN client. There are several different ways that you can connect clients using the Global VPN client, but in this example I will cover one of the easiest and fastest ways to get the job done. For this example I will be using a Sonicwall TZ170 running the standard OS. The steps will be nearly identical on other Sonicwalls running the standard OS. This configuration should also work just fine on devices running the enhanced OS, provided that you aren’t running some off-the-wall configuration.

Step 1: Firewall configuration

Using your favorite browser, log in to your Sonicwall by going to https://x.x.x.x (<- Your IP here). Go to the Users menu item and choose Local Users. Click Add and enter the desired username and password for this user. Put a check mark in the “Access from VPN client with XAUTH” box and click OK.

Next we need to open the VPN menu item. By default there will be a VPN policy named GroupVPN. Make sure that this policy has the Enable box checked and then click on the edit button under Configure. The first two tabs require zero configuration for this how-to. Select the third tab, which is named Advanced, and make sure that “Require Authentication of VPN Clients via XAUTH” under Client Authentication is selected. On the Client tab, look for the setting “Cache XAUTH User Name and Password on Client” and change it to Always. Under Client Initial Provisioning, make sure to place a checkmark next to “Use Default Key for Simple Client Provisioning” and click OK.

The final item to complete in this step is to export the GVPN policy so that it can be sent to the client. Back on the main VPN page under Configure, click on the Export/Save button (floppy disk icon). Accept all defaults on the pop-up window and click Yes. Once again, accept any defaults presented and enter a password so that the exported VPN policy is encrypted; this is important for several obvious reasons. Click on Submit and save the file. Now you can send the exported VPN policy to any user that needs it.

Step 2: Client Configuration

Using your MySonicwall account or original Sonicwall media, install the Global VPN client on the desired PC and accept all defaults. Open the Global VPN client and press Cancel when presented with the connection wizard. Go to the File menu and choose Import Connection. Click on the …Browse box and navigate to the exported GVPN policy. Now enter the password that we used to encrypt the file earlier and click OK. You should now see the imported policy in the list of connections. Right-click on the connection and select Enable. Enter the username and password that we created in Step 1 under Local Users. Put a checkmark in the “Remember my username and password” box and click OK. After a few moments of provisioning and passing encryption information, you should see the status as connected. Your client is now connected to your internal LAN securely via VPN.

Now you can create additional users as needed and send them the exported GVPN policy.

NOTE: I highly recommend sending the exported GVPN policy and encryption password separately. I generally accomplish this by emailing the policy and then sending a text message of the encryption password to the intended user and/or giving it to the user verbally.

–himuraken