Allow only company computers to connect using Sonicwall Global VPN Client

Can anyone offer a mechanism for allowing Global VPN Client connections to a Sonicwall NSA 3500 only from company computers?
StrataDecisionIT asked:
btan (Exec Consultant) commented:
Definitely; you can catch this step for the user certificate (in the local Personal cert store; the example shows "Administrator" as the user logged in to the machine) and SonicWALL provisioning:
http://www.sonicwall.com/downloads/How_to_Use_Certificates_for_Additional_Security.pdf

bbao (IT Consultant) commented:
Yes, you can.

You can deploy a RADIUS server working with your AD and configure the SonicWALL device to authenticate VPN users over RADIUS.

You may set up the RADIUS services using the Windows built-in function, which will work seamlessly with your AD, where the company users are managed.

See below a SonicWALL official document about this.

UTM: Configuring RADIUS authentication for Global VPN Clients with Network Policy and Access Server from Microsoft Windows 2008 (With video tutorial of Radius Authentication) (SW6591)
https://support.software.dell.com/en-us/kb/sw6591

btan (Exec Consultant) commented:
You would likely enforce it via the Client PC Network and VPN Access List:
https://support.software.dell.com/kb/sw7823

Further VPN client settings can enforce the intranet setting for only such client access, if authorised:
https://support.software.dell.com/kb/sw6430
http://help.mysonicwall.com/sw/eng/281/ui1/6600/VPN/Client_Settings.htm
StrataDecisionIT (Author) commented:
Thank you bbao and btan for your recommendations.

bbao:  We are in fact using a RADIUS server, but it is only configured to authenticate users.  I know we can add a policy to also confirm the connecting computer is a member of an Active Directory group, but I don't know if the SonicWALL passes computer information to the RADIUS server at the time of authentication.  I can add the policy and find out, but was hoping for confirmation from someone that this will work--or if there is a different/better way to go about this.

btan (Exec Consultant) commented:
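The open question in the comment above is whether the firewall's RADIUS request carries anything that identifies the computer, or only the user. Rather than guessing, a defender can capture the Access-Request that reaches the NPS/RADIUS server and decode its attributes to see exactly what the gateway sends. The following is an added example, not code from this thread or from SonicWALL/Dell: a minimal RFC 2865 Access-Request builder and decoder in standard-library Python. The shared secret, user name, NAS address, MAC address and NAS identifier are constructed sample values, and the example makes no claim about which attributes a SonicWALL actually includes.

```python
"""Minimal RFC 2865 RADIUS Access-Request builder and decoder (stdlib only).
Added example for inspecting which attributes a NAS puts in its request."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1

# Subset of RFC 2865 attribute types relevant to "who/what is connecting".
ATTR_NAMES = {
    1: "User-Name",
    2: "User-Password",
    4: "NAS-IP-Address",
    31: "Calling-Station-Id",  # usually client MAC or IP as seen by the NAS (spoofable)
    32: "NAS-Identifier",
}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, secret, attrs, authenticator=None):
    """Encode an Access-Request from (type, raw_value) pairs; User-Password
    (type 2) is hidden with the shared secret as the RFC requires."""
    authenticator = authenticator or os.urandom(16)
    body = b""
    for attr_type, value in attrs:
        if attr_type == 2:
            value = hide_password(value, secret, authenticator)
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_packet(packet: bytes):
    """Decode the header and TLV attributes, rejecting malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def describe_request(packet: bytes, secret: bytes) -> dict:
    """Readable view of an Access-Request: attribute name -> decoded value."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    view = {}
    for attr_type, value in attrs:
        if attr_type == 2:
            value = reveal_password(value, secret, authenticator)
        elif attr_type == 4:  # 4-byte IPv4 address
            value = ".".join(str(b) for b in value).encode()
        view[ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")] = value.decode("latin-1")
    return view


# Constructed sample: a pretend VPN gateway sending user and calling-station data.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST = build_access_request(
    identifier=7,
    secret=SAMPLE_SECRET,
    attrs=[(1, b"jdoe"), (2, b"hunter2"), (4, bytes([192, 0, 2, 1])),
           (31, b"00-11-22-33-44-55"), (32, b"vpn-gateway-example")],
    authenticator=bytes(range(16)),  # fixed only so the sample is reproducible
)

if __name__ == "__main__":
    for name, value in describe_request(SAMPLE_REQUEST, SAMPLE_SECRET).items():
        print(f"{name:20s} {value}")
```

Feed `describe_request` the UDP payload of a captured request (port 1812) together with the shared secret configured on the NPS server; if the only identity-bearing attributes present are User-Name and the NAS's own values, the server has nothing it can match against a computer group, whichever policy is defined. A Calling-Station-Id, where present, is supplied by the gateway and is only as trustworthy as what the client reported to it.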
Apologies to interject...

Just to share that identifying based on the MAC from the machine NIC can be spoofed and is not really reliable in warranting that it is a domain machine; eventually it is the user identity itself that is much more accurate than machine info. Hence a RADIUS and AD check is better :) Here is one instance using Windows NPS, configuring the RADIUS to be passed between the AD and the SonicWALL for verification of the user group: http://itsanity.blogspot.sg/2013/08/how-to-setup-sonicwall-for-radius.html

More info can also be found in the SonicWALL PDF (see "RADIUS with LDAP for user groups"):

When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group memberships for RADIUS users (see "Configuring the SonicWALL Appliance for LDAP").

The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL, with remote satellite sites connected into it via low-end SonicWALL security appliances that may not support LDAP. In that case the central SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server.

http://www.sonicwall.com/downloads/LDAP_Integration_Feature_Module.pdf

StrataDecisionIT (Author) commented:
But we're satisfied with our user authentication...  Our objective is to keep non-company computers from connecting to the company network...

It appears another possibility is to use certificates instead of IKE with a preshared key for the peer-to-peer device authentication -- https://support.software.dell.com/kb/sw10177.  Is this the way to go?

Thanks!

StrataDecisionIT (Author) commented:
I haven't yet had the chance to actually try this out, but I have found no other information suggesting there is a better way to do what we want to do other than by using certificates to have computers authenticate with the firewall.  I'm assuming this is what we're going to end up doing.  I'll post the results here once we put this to the test...  Thanks!
Question has a verified solution.