Allow only company computers to connect using Sonicwall Global VPN Client

Can anyone offer a mechanism for allowing Global VPN Client connections to a Sonicwall NSA 3500 only from company computers?
StrataDecisionITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bbaoIT ConsultantCommented:
yes, you can.

You can deploy a RADIUS server working with your AD and configure the SonicWALL device to authenticate VPN users over RADIUS.

you may setup the RADIUS services using Windows built-in function, which will work seamlessly with your AD where the company users are managed.

see below a SonicWALL official document about this.

UTM: Configuring RADIUS authentic
ation for Global VPN Clients with Network Policy and Access Server from Microsoft Windows 2008 (With video tutorial of Radius Authentication) (SW6591)
https://support.software.dell.com/en-us/kb/sw6591
0
btanExec ConsultantCommented:
you likely to enforce it via the Client PC Network and VPN Access List:
https://support.software.dell.com/kb/sw7823

Further VPN client setting can enforce the intranet setting for only such client access if authorised
https://support.software.dell.com/kb/sw6430
http://help.mysonicwall.com/sw/eng/281/ui1/6600/VPN/Client_Settings.htm
0
StrataDecisionITAuthor Commented:
Thank you bbao and btan for your recommendations.

bbao:  We are in fact using a RADIUS server, but it is only configured to authenticate users.  I know we can add a policy to also confirm the connecting computer is a member of an Active Directory group, but I don't know if the SonicWALL passes computer information to the RADIUS server at the time of authentication.  I can add the policy and find out, but was hoping for confirmation from someone that this will work--or if there is a different/better way to go about this.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

btanExec ConsultantCommented:
Apologies to interject...

Just to share that to identify based on MAC from machine NIC can be spoofed and not really reliable in warrant it is a domain machine, eventually it is the user identity itself that is much more accurate than machine info. Hence RADIUS and AD check is better :) Here is one instance using Windows NPS configuring the RADIUS to be passed btw the AD and sonicwall for verification of the user grp http://itsanity.blogspot.sg/2013/08/how-to-setup-sonicwall-for-radius.html

More info can also be found in the sonicwall pdf (see "RADIUS with LDAP for user groups")
When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the
RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group
memberships for RADIUS users
(see "Configuring the SonicWALL Appliance for LDAP")
The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site
with an LDAP/AD server and a central SonicWALL, with remote satellite sites connected into it via
low-end SonicWALL security appliances that may not support LDAP. In that case the central
SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway
between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server
http://www.sonicwall.com/downloads/LDAP_Integration_Feature_Module.pdf
0
StrataDecisionITAuthor Commented:
But we're satisfied with our user authentication...  Our objective is to keep non-company computers from connecting to the company network...

It appears another possibility is to use certificates instead of IKE with a preshared key for the peer-to-peer device authentication -- https://support.software.dell.com/kb/sw10177.  Is this the way to go?

Thanks!
0
btanExec ConsultantCommented:
Definitely, you can catch this step for the user certificate (in local Personal cert store, the example shwow "Administrator" as user login to the machine) and sonicwall provisioning
http://www.sonicwall.com/downloads/How_to_Use_Certificates_for_Additional_Security.pdf
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
StrataDecisionITAuthor Commented:
I haven't yet had the chance to actually try this out, but I have found no other information suggesting there is a better way to do what we want to do other than by using certificates to have computers authenticate with the firewall.  I'm assuming this is what we're going to end up doing.  I'll post the results here once we put this to the test...  Thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.