VPN Confusion

Posted on 2011-10-15
Last Modified: 2012-05-12

We just set up a new SonicWALL TZ210 Wireless-N firewall. I am a bit comfortable with firewalls, but this device is very intricate to me as it is nice. I have the VPN options enabled according to the default configuration, per Sonic's online tutorial (also, very nice). I am confused with how authentication seems to be working and how IP addresses are being handed out.

If I make a VPN connection from a Windows 7 box, off of the LAN, through the firewall, with the built-in Windows tools, I can connect to resources and devices. For this I use the SBS domain username and password or a local user and password, specific to the SonicWALL device. The same can be said for a Mac with the built-in OS X tools. On the Mac I log in with the SBS domain username and password, no sweat.

SonicWALL has their own GlobalVPN client software package. When I use that on Windows 7, I can make a connection, but that is it. No IP address seems to be applied to the virtual NIC that Sonic's VPN client creates on Windows. I do have it set so that DHCP will provide an IP address to VPN clients in the firewall's config. The firewall is the VPN server. I also have to use the local account on the firewall to get in. I don't even think it considers domain logins.

How can I configure it so that Active Directory authenticates the VPN users? Is the SonicWALL client software needed?

Question by:Jason Watkins
    LVL 38

    Accepted Solution

    It all kind of depends on what you are comfortable with. Some people like their VPN connections to terminate at the firewall/VPN server, so that until the connection is established they are unable to even touch the network (LAN) behind it. Some people also like to have the VPN credentials different from the AD credentials. If I understand correctly, when you use the Windows VPN client, you have the SonicWALL configured to forward the PPTP, GRE, L2TP traffic to the SBS. Is this correct?

    Personally I like to be able to VPN with just the Windows client, as it is always available. Unfortunately I can't help with the issue of getting an IP when using the GlobalVPN client. For the authentication, you should be able to configure in the SonicWALL what authentication source you want to use (local accounts, RADIUS, or LDAP). Set it for LDAP to authenticate against AD. RADIUS can do the same, but there would be more configuration involved.
    LVL 8

    Assisted Solution

    As for a client for the VPN user authentication, your environment would need to already be set up for authentication internally for the VPN to use the same AD information. The firewall uses the SonicWALL Directory Connector utility to bridge the firewall to your AD structure.
    LVL 27

    Author Comment

    by:Jason Watkins
    Existing users can log in to the VPN via AD, providing their account is set to do so from its properties sheet.

    I'll try the LDAP authentication against AD in the SonicWALL.

    LVL 27

    Author Closing Comment

    by:Jason Watkins
    Thanks guys!
