Solved

dell sonicwall nsa 2600

Posted on 2014-01-17
  • Hardware Firewalls
  • Networking
  • Active Directory
  • Network Operations
  • Network Security
  • +1
8
3,408 Views
Last Modified: 2016-11-23
I have a dell sonicwall 2600 and i am trying to set up what users can / cant access.

Under users / groups i have enabled and set up SSO, LDAP and Radius and users seem to be authenticating to the firewall now.

I have 2 groups in AD that i have created called SW_Admins and SW_users  I am in the admins group and a normal user is in the users group. The groups are being mirrored on the sonicwall.

Looking at the groups on the firewall i cant see any users however? How can i get users in these AD groups to show in the mirrored groups? As i want to be able to add / delete people in ad to change their rights.
0
Comment
Question by:CaptainGiblets
  • 4
  • 3
8 Comments
 
LVL 38

Expert Comment

by:Aaron Tomosky
Comment Utility
You don't see the people in the sonicwall, just the groups. The groups mirror and you set rules based on group.
0
 
LVL 6

Author Comment

by:CaptainGiblets
Comment Utility
so as long as they are a member of the group in AD and the groups mirror it will work on a per user basis?
0
 
LVL 24

Accepted Solution

by:
diverseit earned 500 total points
Comment Utility
Hi CaptainGiblets,

The SonicWALL SSO Agent only communicates with clients and the SonicWALL security appliance. Clients will respond with their respective Client IDs and the SonicWALL security appliance will then check with the LDAP server to determine group membership and permissions.

So yes, it syncs with AD so management of the users is still in AD!

P.S. SonicOS version 5.9.0.3 was just released and includes LDAP Group Membership by
Organizational Unit too.

Let me know if you have any other questions!
0
 
LVL 6

Author Comment

by:CaptainGiblets
Comment Utility
I do have another question to do with content filtering, if you want me to open another question for that though let me know.

Basically I want to have a set up where pretty much most things are banned apart from a couple of categories, however I would like to relax this even further during lunch hours 12:30-2:30. Is there an easy way to do this? From the videos I am watching on youtube it seems like you can only apply 1 Content filter to each zone and that is it.

Edit - Upon further investigation it seems that I could add the URL's that I needed into an address group by creating individual address objects for each site that I want to restrict access to and then block these at any time and by user however its quite a long task to try and keep all sites blocked at the appropriate time. Is there any easier way to do it?
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 24

Expert Comment

by:diverseit
Comment Utility
Yes, I'd be happy yo answer that for you but it should be handled in new question. Questions should be kept to one main issue in order to be most effective for others users that have similar issues in the future. Close this question by selecting an answer if you are all set with SSO and post a link to your new question here and I'll hop over and address it there!
0
 
LVL 6

Author Comment

by:CaptainGiblets
Comment Utility
Ok I shall create another question regarding that but while I have been looking at this my SSO seems to have broken.

I am not able to authenticate users using SSO anymore and I am getting these 2 event logs when restarting the dell SSO agent on my server

Error in Send Reset Cache Request (SendResetCacheRequest) - Source:System Message:An invalid IP address was specified.

I cant see anything on the appliance but the sonicwall logs are being flooded with this - HTTPS Handshake: SSL Handshake failure with error 193

Any ideas? Nothing has changed since Friday when it was working.
0
 
LVL 24

Expert Comment

by:diverseit
Comment Utility
SSL Handshake failure with error 193
this typically occurs when connecting to UTM SSL-VPN using SonicWALL Mobile Connect from a Windows 8.1 PC. The connection fails with Windows error code 2250 (may or may not notify you in Windows).

This error occurs when the SonicWALL UTM appliance has been configured to use only RC4 Ciphers when accepting SSL connections. The option "Enable RC4-Only Cipher Suite Support" is under Encryption Settings of diag page. Disabling this option will restart the appliance immediately. Moreover, this option must remain checked to pass PCI compliance. Instead of disabling this option, follow these steps to change the cipher settings of SSL VPN:

1. Login to the SonicWALL management GUI.
2. Navigate to the SSL VPN > Server settings page.
3. Enable check box Enable Server Cipher Preference (if it isn't already.)
4. From the drop-down under Cipher Methods, select either 3DES_SHA1 or AES256_SHA1.
5. Click on Accept to save the change.
Note: Changing the server settings will reset all active NetExtender connections.
0
 
LVL 24

Expert Comment

by:diverseit
Comment Utility
My pleasure! Hoping over there now!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Suggested Solutions

Resolve DNS query failed errors for Exchange
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now