Best practises Sonicwall firewall tz100 (latest os)

For the proxy I would install a proxy server and point it to the sonicwall so that the users that enter the proxy IP int their IE settings can have internet access, all other PC's deny LAN > WAN
I would also create groups for all protocols / ports that a specific software update service uses and then create one rule in the firewall from that machines ip to the configure services.

Hope this helps

Sonicwall TZ100 offers great UTM most likely you do not need proxy unless you want caching of the pages. Sonicwall can not do it as as per previous post you have a few options. Read about SSO you may like it to give access to specific users or user groups. It requires AD!

For the home network you can use static IPs on your home computers and build ACL on the sonicwall allowing or denying access for LAN to WAN.

Soncwall supports only 5 VLANs you will need L2 switch that can support VLANs and trunking.
You are looking at another $300-$500.

It is difficult to provide "Best practices" as I do not understand all requirements. Good thing is that sonicwall is pretty flexible and most likely you will be able to build a nice solution for the house.

Good luck!

I'd need a proxy to connect remote vpn-users to connect to Internet or can I solve this differently? I'm not using the Sonicwall VPN, but Openvpn since I have more option (portable Openvpn-client etc).

Hi,

I do not think you need any proxy to connect remote VPN users to internet. They are usually already on the Internet when they are connecting to your head office. You may however scan  give up split tunnel and have all traffic generated by them scanned by sonicwall.

I do not know much about Openvpn-client as most of my customers are commercial institutions and can not afford any security related open technology. Sonicwall offers IPsec VPN with GVC - Windows only, SSLVPN - Windows, Linux, MAC. Mobile Connect (SRA1200) for tablets,  etc and L2TP for everything else. All this with advantage of your gateway security services.

To the PROXY comment. Unless you have very poor internet connection the need for caching proxy does not exist in modern IT. I do not remember when I saw proxy server last time and I 43 ;-) The UTM offers more features and deals with more protocols than any proxy server in the past. Take a look at sonicwalls Application control and visualization along with URL filtering this is most likely what you are looking for. You will need NSA 220 or up to have it.

Another thing that your client will appreciate is reporting with Analyzer. You will be able to justify that the money was well spend.

I hope this answers your questions. If not do not hesitate to contact me.

Good luck!

Regarding the proxy: I'd be happy not to use it. However, when I want remote users to use the Internet of the remote location NOT the one they are connected with throught Internet (and that IS what I want), I don't see another option then setting proxy in Internet Explorer/browser. If you have other suggestions to achieve this, please advise.

This is simple. Then kill your "split tunnel" and have them brows through the sonicwall at the head office. Keep in mind that you have to sort out your DNS and VPN ->WAN ports. So you limit their access. I had the clients who got RBL'd because someone at home had a mass mailer and was using office IP to blast spam. Also, this connection will put some overhead on your ISP at the head office.

Otherwise it works out of the box.

Good luck!

Tom

Not an option. I need the remote users to be able to choose between remote location or vpn location to surf. They should be able to surf both networks.

Then I guess you need your proxy server. You are looking at technology from M86, etc. Keep in mind that you will have to lock down the workstation so users can not change proxy settings on the browser or install  any other browsers (portable apps).
I understand what you are trying to achieve. I is difficult and it will cost some money and require a lot of work.
Perhaps you can look at SOPHOS AV they offer some URL filtering for remote users. Nothing special since it is the first version of the product with this feature but it may work for you.

Let me know what you think about it.

Installed Squid proxy a long time ago and works fine. Not that easy to configure but it does work correctly. Just wanted to be sure/doublecheck  that I really need the proxy.

The Squid will work but you need to know what you are doing and this thing requires a lot of attention. If your client is willing to pay for it, than it makes sense. Also, keep in mind that threads are coming over other channels as well and the AV / URL filtering may not be able to pick them up.
I am not sure how good it the URL list on the squid server. I know that it uses some open source thing. Usually you pay some money for it. Unless you use sonicwall as your URL.AV filter for Squid server.
Also, users will be able to run other browsers circumventing your solution.

Anyway, good luck!