SonicWall SSL VPN - Hosted Server

Not sure if anyone has experienced this or not, but looking for some input.

I have a few users that are set up on our TZ-215 as SSL VPN clients. They are able to connect just fine as well as access network resources. I had originally disabled the "tunnel all" mode thinking that anything they wanted to access outside of the network would be available through split-tunneling.

This doesn't appear to be working correctly though. They are able to browse websites and connect to servers that aren't hosted in our network (i.e. they can reach google.com and gmail, etc.) but when they try to access servers on our same network like our company website or webmail service, the address is unreachable.

These servers are hosted in the same subnet which the VPN user is connecting through (same public IP subnet), and are behind the sonicwall with the appropriate ports forwarded as needed.

I am trying to figure out what kind of route or firewall entry I need to make this work but am coming up empty handed.

Any help is appreciated!
FrontDistAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Blue Street TechLast KnightCommented:
Hi FrontDist,

The SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote user can access via the SSL VPN connection.

NOTE: All clients can see these routes. Also, here you may enable/disable “Tunnel All Mode” (this is the equivalent of “This gateway only” option while configuring GroupVPN).

The Network access is actually here, Users > Local users, VPN Access Tab:

On the VPN Access Tab allows users to access networks using a VPN tunnel, select one or more networks from the Networks list and click the arrow button -> to move them to the Access List. To remove the user’s access to a network, select the network from the Access List, and click the left arrow button <-.

Make sure your setup matches this KB: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=6461

Configure SSLVPN Client Routes
The SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote user can access via the SSL VPN connection.
NOTE:  you don't have to add any client routes for the network on which the SSLVPN Client addresses are configured.  That is done automatically for you.

Adding Client Routes
The Add Client Routes pulldown menu is used to configure access to network resources for SSL VPN users. Select the address object to which you want to allow SSL VPN access. Select Create new address object to create a new address object. Creating client routes causes access rules to automatically be created to allow this access. So here select the LAN or whichever Zone the Servers are located in. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page.

Let me know how it goes!
0
FrontDistAuthor Commented:
Hi,

Thank you for your input. When I attempted to do that, what I was trying to do was add the WAN primary subnet to the accessible client routes, and don't seem to be able to do so. That is where all of the servers are hosted as well as the IP used to access the SSL VPN service on the Sonic.

We only have one router acting as the VPN end point as well as main firewall for our network and I'm trying to make this work the way I think it should, I just can't seem to get there...
0
FrontDistAuthor Commented:
Oh an by the way it has worked on my Mac all along, but all other computers on which I am trying to make this work are Windows 7 OS.
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

Blue Street TechLast KnightCommented:
Adding the WAN client route would create a loop. The idea of a VPN (SSL or otherwise) is to get you into the Firewalled Subnets.

On the Windows 7 boxes disable firewall and AV and retest. Users & some Admins typically don't firewall their Macs probably because they suck to modify. SO the Mac may not have firewall enabled which is why its connecting OK.

Incidentally, I don't understand your topology. Your servers should be behind your main firewall either in the LAN or DMZ, like this:
ISP
|
Firewall
|
LAN or DMZ

Is this how you have it setup? If not please explain or draw as I did. Thanks!
0
FrontDistAuthor Commented:
With "tunnel all" enabled I was able to (from a VPN connection), browse out of the LAN (which I VPN'd into) to other websites on the internet, etc. So from that perspective I was able to get it to work. However, I don't think it should be blocking connections back through the same firewall, I believe it should be able to resolve a dns request and then short circuit at the firewall back to the appropriate location.

Here is the topology:

ISP
|
Sonicwall (assigned /29 public IP subnet)
|
LAN
|
192.168.10.0/24

Note: All of the internal computers, the servers and the VPN DHCP addresses are assigned addresses from the same internal subnet.

Note: No servers are on a DMZ, all are port forwarded based on a specific external IP address to their internal address.

What I was trying to do was allow Outlook on the users remote travel laptops to stay connected to our mail server regardless of being attached to the VPN or not. With the way it is working (or not as I see it) at the moment, I can either set up the server to be the public server (mail.domain.com) and it works when the vpn is disconnected, or set it up as the internal server address (192.168.10.xxx) and they can only get mail when they are connected to the VPN.

I don't think it is unreasonable to think I should be able to leave outlook set with the public domain name and have it work no matter what the connection status of the VPN is.

I hope that helps clarify my intentions a bit? Any thoughts?
0
Blue Street TechLast KnightCommented:
Thanks for the update and clarification.

If the goal is to allow your users to VPN and to gain access to their mail anywhere they are located (inside or outside the network), then the recommended way to do this is to setup the SSL-VPN exactly as specified here (no deviation): https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=6461 and setup the Exchange Server behind the SonicWALL in the LAN by using the Public Server Wizard within the SonicWALL or manually as set forth here: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=4535 and finally by enabling Outlook Anywhere on the Exchange Server.

This way all users regardless of where they are in the world will be able receive their email via Outlook client, OWA and/or mobile phones/tablets, independently, without having to go through the SSL-VPN. They would then use the SSL-VPN for other resource access like RDP, remote printing, Shares and documents, etc.

What version is your Exchange Server?

Does that make sense?
0
FrontDistAuthor Commented:
diverseit,

Thank you for all of your help and input, it just does not appear that what I want is possible. I was originally thinking it would be a simple fix like we had to do in the beginning for our servers.

When I set up our servers on the SonicWall just after we had purchased and installed it, we were unable to browse our own public website from inside the network. It took a bit of digging but somewhere under the firewall in the NAT tables, I had to create rules from the "Firewalled Subnets" pointing back at our own public IP's with the correct ports forwarded. It is kind of a short-circuit/loopback otherwise any services accessible by public IP from outside our network were unavailable inside. This was something new for me but it is exactly what you have in the second link from your last post.

Since the SSL-VPN IP's handed out are within the "firewalled subnets" range of addresses already established, I figured it should work but it just doesn't seem to. All users in our network access the mail server and our company website through the public addresses and the VPN IP's are part of the exact same range, so I just can't imagine why it doesn't work.

Example: If I VPN into the network, it doesn't work, but if I connect inside the network and hard-code the exact same IP address as the VPN would assign, everything works.

Also, we are not using exchange but rather MailEnable.

Thanks again for your input!
0
Blue Street TechLast KnightCommented:
I wish I could have a remote session...I'm positive we could make this work. But I'm sorry we couldn't achieve this on EE.

Yes, you are correct a loopback/lookback NAT policy is the correct way to setup access to your own public resources in networking when you want to access the public IPs internally (from the LAN, etc.) rather than just using the internal IPs for those same resources.

When you say,
...VPN IP's are part of the exact same range...
Just to be clear they should be on the same subnet but not the same range per se. Meaning if your LAN DHCP range was 192.168.0.20-192.168.0.200, your SSL-VPN range should not be within that but rather something like 192.168.0.220-192.168.0.250. Is that correct?

If I can help in any other way please let me know.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FrontDistAuthor Commented:
Hey, thanks again... and yes I meant subnet not range. I was just going over the previous post of mine and noticed that I had done that. I believe the sonic is smart enough that it won't let someone specify overlapping ranges anyways.

Once again, thanks for all of your help and input. We have a support contract with Dell/SonicWall and am still waiting to hear from them re: this issue and a workaround, but turned to EE as I have discovered there are a lot of people on here that are working with this equipment day to day and have often run into the same problems themselves.

Thanks again!
0
FrontDistAuthor Commented:
It took a call to Dell SonicWall support to solve this problem, but after a long session they were able to.

To allow this, there has to be a specific exception put in the firewall for SSLVPN-LAN, an entry was required for each internally hosted server to let the traffic pass.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.