Network Security
Basic Administration
© 2012 Dell SonicWALL is a registered trademark of Dell SonicWALL, Inc. Other product names mentioned herein may be
The contents of this document may not be copied or duplicated in any form, in whole or in part, without the prior written permission
of Dell SonicWALL, Inc.
The information in this document is subject to change without notice. Dell SonicWALL, Inc. shall not be liable for any damages
resulting from technical errors or omissions which may be present in this document, or from use of this document.
This document is an unpublished work protected by the United States copyright laws and is proprietary to Dell SonicWALL, inc.
Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of this document by anyone other than
authorized employees, authorized users, or authorized partners of Dell SonicWALL, Inc. without the prior written consent of Dell
SonicWALL Inc. is prohibited.
Dell SonicWALL, the Dell SonicWALL logo are registered trademarks of Dell SonicWALL Inc. All other trademarked names used
herein are the properties of their respective owners and are used for identification purposes only.
Table of Contents
Exercise Instructions
Hands-On Exercises for Section 2: Operating System Fundamentals
Exercise 2.1 - Updating SonicOS Firmware
Exercise 2.2 - Initial Setup and Configuration
Exercise 2.3 - SonicWALL Administration
Exercise 2.4 - NAT: Inbound Server Access
Hands-On Exercises for Section 3: Scalability and Reliability
Exercise 3.1 - WAN ISP Failover and Outbound Load Balancing
Secure Access
Exercise 4.7 - CFS with LDAP Authentication Using Single Sign-On
Exercise Instructions
The hands-on exercises for this course are designed so that you can select to perform each individual task
on your own with limited help, or follow detailed steps that will walk you through each task step-by-step.
CHALLENGE YOURSELF: If you would like to challenge yourself, you can perform each task by reading the
instructions and using any required information that directly follows the instructions.
STEP-BY-STEP: If you would prefer to walk through the detailed steps for each task, read the instructions
and then proceed to the procedure following the (OR) DETAILED STEP-BY-STEP INSTRUCTIONS heading.
Workstation Setup
The host workstation is running a VMware computer image known as Coffee. Coffee is a Windows Server
2003 server running as the training.sonicwall.com domain controller, an internal DNS server, and the
EchoFloor Manufacturing Web and FTP servers. You will need to start this VMware server at the beginning
of Exercise 2.3.
Be sure to read each step thoroughly, as it is clearly specified when to use the host management workstation
or the Coffee VMware image. If you have any questions, be sure to ask your instructor.
Network Topology
The following diagram illustrates the final network architecture for the hands-on exercises:
EchoFloor Manufacturing, Inc. is a fictitious company used in our training materials to represent an
enterprise-level organization, whose various network security needs illustrate the effectiveness of Dell
SonicWALL products. For these purposes, we suppose the following organizational information:
EchoFloor is in the business of designing, developing, and manufacturing commercial and high-end,
residential flooring; with over 700 employees, offices worldwide, and conducting business domestically and
internationally, they are a recognized leader in their industry.
EchoFloor, like any such organization, faces challenges securing the networks (both physical and wireless)
of their corporate and branch offices, providing secure remote access for employees and partners,
protecting the integrity of corporate e-mail, and maintaining a safe and continuous data protection system.
As part of the addition of a remote office, EchoFloor has purchased a new Dell SonicWALL security appliance.
EchoFloor needs to install the appliance at the remote location, set up access to their Web and FTP servers,
configure various forms of VPN access, set up Web content filtering, and enable and configure the unified
Hands-On Exercises
Hands-On Exercises - Exercise 2.1 - Updating SonicOS Firmware
Tasks
1. Creating a New MySonicWALL User ID
2. Cabling the SonicWALL
3. Resetting the SonicWALL to the Factory Default (SafeMode)
4. Connecting to the SonicWALL and Uploading Firmware
CHALLENGE YOURSELF TASK 1: Creating a New MySonicWALL User ID
In order to register the Dell SonicWALL appliance, you will need to create a MySonicWALL user ID.
If you already have a MySonicWALL user ID you can skip this task.
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. Open Internet Explorer and go to http://www.MySonicWALL.com.
2. If you already have a MySonicWALL user ID, you can skip to Task 2. If you do not have a MySonicWALL user ID, click Not a registered user.
3. Under Account Information, enter your Email Address, Password, Secret Question, and Answer. Be sure to use an Email Address that you will be able to access, as a required Subscription Code will be emailed to you.
4. Under Company Information, enter all required fields.
5. Under Personal Contact Information, enter all required fields.
6. Click Register.
7. On the Confirm Registration screen, click Submit.
8. The page notifies you that your account will not be created unless you specify the Subscription Code that is being emailed to you. Click OK.
9. Connect to the email account you specified in step 3. Open the email
10. Click on the link found in the email to activate your account.
11. Using your new username and password, log into mySonicWALL.com.
Note: If you are having difficulty registering your security appliance, log into it, then go to System > Time and uncheck the NTP setting. Then try to register the unit again.
Remove the Dell SonicWALL appliance from its outer box and connect the power cable and the Ethernet cables.
CHALLENGE YOURSELF TASK 3: Resetting the Dell SonicWALL Appliance to the Factory Default (SafeMode)
Modify the IP settings of the management workstation so that you can access the appliance. Use the reset button to return the Dell SonicWALL appliance to the factory default settings.
IP Address 192.168.168.20
Subnet Mask 255.255.255.0
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On your management workstation, go to Start > Settings > Network Connections.
2. Right-click the Local Area Connection, and then select Properties.
3. In the This connection uses the following items list, scroll down and select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol (TCP/IP) Properties dialog box appears.
4. Click the Use the following IP address option.
5. In the IP address box, type: 192.168.168.20
6. In the Subnet mask box, type: 255.255.255.0
approximately 20 to 30 seconds.
The reset button is in a small hole next to the power supply. The Test
light, shaped like a wrench, should be solid amber. Once the Test light
NOTE If this procedure does not work while the power is on, turn the
unit off and on while pressing and holding the reset button, until the
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. Open a browser (such as Chrome) and go to http://192.168.168.168. The Dell SonicWALL SafeMode window appears.
3. Click Browse.
provide firmware.)
5. Click Open.
6. Click Upload.
7. In the Firmware Image section, click the Boot icon in the Uploaded
8. Click OK.
The uploaded firmware begins writing to flash.
After several minutes, the Dell SonicWALL appliance automatically restarts.
9. Close the Web browser.
Tasks
1. Configuring the SonicWALL using the Setup Wizard
2. Reconfiguring the Management Workstation for DHCP
3. Documenting the Management Workstation DHCP Assigned IP Address
4. Accessing the SonicWALL Management Interface
5. Verifying Internet Access
6. Modifying the Default Admin Account
7. Modifying the Default Admin Account
8. Registering the SonicWALL Appliance
CHALLENGE YOURSELF TASK 5: Configuring the Dell SonicWALL Appliance using the
Setup Wizard
Use a Web browser to connect to the Dell SonicWALL management interface using factory defaults. Use the following default username and password to access the appliance.
Username admin
Password password
1. With your PC's NIC connected directly to the X0 LAN port, open a
2. In the Username box, type:
admin
3. In the Password box, type:
password
4. Click Login.
CHALLENGE YOURSELF TASK 6: Configuring the Dell SonicWALL Appliance with the
Setup Wizard
EchoFloor Manufacturing has the following settings.
Language English
Admin Password password
Time Zone Local time zone
PC Card (if available) None
WAN Network Mode DHCP
LAN IP (gateway) 172.20.__.1 (your student number)
Subnet Mask 255.255.255.0
LAN DHCP Scope 172.20.__.20 to 172.20.__.254
Ports Assignment WAN/OPT/LAN Switch
Note: If you are configuring a Wireless Device, you will be prompted for additional information.
2. Click Next.
3. On the Change Administrator Password section, Do Not Change
4. On the Change Time Zone section, select the time zone where we are located from the drop-down list.
5. Click Next.
8. Click Next. The WAN Network Mode: NAT with DHCP Client page appears.
9. Click Next.
10. On the WAN Network Mode NAT with DHCP Client page: Click on the enable HTTPS and Allow Ping on this Interface checkboxes.
11. On the LAN Settings section, enter your LAN IP 172.20.__.1 (your student number). Leave the 24-bit subnet mask of 255.255.255.0.
13. On the LAN DHCP Settings section, change the LAN Address Range (DHCP scope) in the first box to 172.20.__.20 and leave the second box set to 172.20.__.254.
14. Click Next.
15. On the Ports Assignment page, select WAN/LAN Switch.
16. Click Next. The Dell SonicWALL Configuration Summary page appears.
17. Verify your settings and if correct, click Apply. The Setup Wizard Complete page appears. Record the appliance URL/IP address.
Reset the network settings of your management workstation to receive an IP address from the Dell
Connections.
IP Address
Subnet Mask
Default Gateway
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. Go to Start > Run.
2. Type cmd and click OK.
3. In the command prompt, type:
ipconfig /all
For the Local Area Connection, document the IP Address, Subnet Mask,
Connect to the Dell SonicWALL appliance using the LAN interface address you previously configured, which is also the default gateway for your management workstation.
2. In the Username box, type:
admin
3. In the Password box, type:
password
4. Click Login.
5. If prompted, click Continue to preempt the existing administrator session. The System > Status page appears.
1. From the left navigation menu, go to System > Diagnostics.
yahoo.com
4. Click Go.
The host name yahoo.com is alive, which means that the Dell SonicWALL appliance can access the Internet and resolve host names.
5. In Internet Explorer, use a new tab to go to http://training.sonicwall.com.
For your convenience during the hands-on exercises, increase the administrator inactivity time-out value.
Log out the administrator after inactivity of (minutes) 60
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to System > Administration.
box to:
60
3. Click Accept.
1. From the left navigation menu, go to System > Status.
2. Click the Register link.
Be patient as the page redirects to the Registration.html page. Each of the rest of the steps of this task may take several seconds to complete.
You must have a valid, personal, MySonicWALL user ID. If you do not, you should go back and complete Exercise 2.1, Task 1.
5. Click Submit.
Tasks
1. Creating a SonicWALL Administrators User
2. Validating User Login
3. Enabling HTTP User Login
4. Validating User Login
5. Configuring Management using a Custom Port
6. Documenting the SonicWALL WAN IP Address
CHALLENGE YOURSELF TASK 1: Creating a Dell SonicWALL Administrators User
Create a local user, and then make them a member of the SonicWALL Administrators group.
Name EFAdmin
Password training
User Groups SonicWALL Administrators
3. In the Name box, type:
EFAdmin
4. In the Password and Confirm Password boxes, type:
training
5. Click on the Groups tab.
7. Click OK.
Name EFAdmin
Password training
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. In Internet Explorer, select the Click here to log back in link.
2. In the Username box, type:
EFAdmin
3. In the Password box, type:
training
4. Click Login.
Note that the EFAdmin user is denied access because HTTP user login is not allowed.
admin
2. In the Password box, type:
password
3. Click Login.
4. From the left navigation menu, go to Network > Interfaces.
5. Click on the Configure icon for the X0 interface.
6. In the User Login row, select the HTTP check box.
7. Click OK.
8. In the Dell SonicWALL management console, click Logout.
Attempt to log in as the full administrator account you created in the previous task. In addition,
Name EFAdmin
Password training
EFAdmin
training
4. Click Login.
The User Login Status window appears, displaying your user privileges, in addition to showing your total login session time.
5. Click Manage. You have access to all Dell SonicWALL administration Web pages.
6. From the left navigation menu, go to Users > Settings.
7. Edit the Inactivity timeout (minutes) box to:
30
120
9. Click Accept.
1. As EFAdmin, go to System > Administration.
2. Scroll down to the Web Management Settings section.
4. Click Accept.
management using HTTP can no longer use the default port 80.
IP Address
Subnet Mask
Gateway (Router) Address
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. In the Username box, type:
admin
2. In the Password box, type:
password
3. From the left navigation menu, go to Network > Interfaces.
4. Click on the Configure icon for the WAN interface.
Document the DHCP-assigned IP Address, Subnet Mask, and Gateway (Router) Address. These settings were set by the local
5. Click Cancel.
Tasks
1. (Optional) Launching the Coffee VMware Image and Modifying IP Addressing
2. Creating a Web Server Address Object
3. Creating an FTP Server Address Object
4. Creating a Firewall Service Group
5. Configuring a NAT Policy for the Espresso Web Server
6. Configuring a NAT Policy for the Latte FTP Server
7. Creating a Firewall Access Rule
8. Validating Access to Web and FTP Servers
9. Deleting NAT Settings
CHALLENGE YOURSELF TASK 1: (Optional) Launching the Coffee VMware Image and
Modifying IP Addressing
Launch the Coffee VMware image, which will be used as the back-end Web and FTP servers. The IP addressing will need to be updated to match your IP subnet. Then you will need to change the IIS Web server and FTP server properties to use the correct IP address on the Coffee server.
Password training
IP address 172.20.__.101
Note: This task is not required in every lab environment. Ask your instructor to confirm if this task is required or optional.
2. In the Connect to Host window, leave Local host selected and click OK.
3. In the VMware Server Console, under Inventory, click Coffee.
4. Under Commands, click the Start this virtual machine link.
5. In the Coffee - Virtual Machine dialog box, leave the Create option selected, and then click OK. The Windows Server 2003 server boots.
6. If your local workstation does not have an A: drive, you will need to click OK twice.
Ctrl + Alt + Insert keyboard combination. (You should NOT use Ctrl + Alt + Delete.)
training
9. Click OK.
10. On the Coffee VMware server desktop, double-click the Local Area Connection icon.
255.255.255.0
21. Expand Web Sites.
22. Right-click Espresso Web-server, and then select Properties.
23. From the IP address list, select 172.20.__.102 (your number). Ensure that your VMware Home Directory Tab points to the Local Path for the Espresso directory; if not, you will not have the correct parameters in your IP address list.
The local path is: E:\Expresso\
24. Click OK.
25. Expand FTP Sites.
26. Right-click Latte FTP Server, and then select Properties.
27. From the IP address list, select 172.20.__.103 (your number). Ensure that your VMware Home Directory Tab points to the Local Path for the Latte directory; if not, you will not have the correct parameters in your IP address list.
The local path is: E:\Latte\
31. From the Host PC, make sure you can ping all three IP addresses you just configured for VMware.
Type Host
IP Address 172.20.__.102
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On the management workstation, log into the appliance as admin.
2. From the left navigation menu, go to Network > Address Objects.
3. Select the Custom Address Objects view style to hide the default objects.
4. Scroll down to the Address Objects section, and then click Add. The Add Address Object window appears.
5. In the Name box, type:
Espresso WS - 172.20.__.102
6. From the Zone Assignment drop-down list, leave LAN selected.
7. From the Type drop-down list, leave Host selected.
8. In the IP Address box, type:
172.20.__.102
9. Click Add.
Create and configure an address object for the Latte FTP server.
Type Host
IP Address 172.20.__.103
Set up a service group for the Espresso Web Server and Latte FTP Server address objects you created in the previous tasks.
Service Group Name Web and FTP Service Group
Services FTP
HTTP
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to Firewall > Service Objects.
can be accessed either from Firewall > Service Objects or Network > Services. The page is identical regardless of which tab it is accessed from.
2. In the Service Groups section, click Add Group. The Add Service
Group window appears.
3. In the Name box, type:
Web and FTP Service Group
4. In the left-hand list, select FTP (All), and then click the -> button.
Note: the FTP (All) group includes both the FTP Data and the FTP Control streams.
5. In the left-hand list, select HTTP, and then click the -> button.
6. Click OK.
CHALLENGE YOURSELF TASK 5: Configuring a NAT Policy for the Espresso Web Server
Create a NAT policy for all HTTP requests directed to the WAN IP address to be sent to the Espresso
Web Server.
Original Destination WAN Interface IP
Translated Destination Espresso WS - 172.20.__.102
Original Service HTTP
Inbound Interface X1
Outbound Interface Any
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
is In
1. From the left navigation menu, go to Network > NAT Policies.
3. From the Original Source drop-down list, select Any.
4. From the Translated Source drop-down list, select Original.
10. From the Outbound Interface drop-down list, leave Any selected.
CHALLENGE YOURSELF TASK 6: Configuring a NAT Policy for the Latte FTP Server
Create a NAT policy for all FTP requests directed to the WAN IP address to be re-directed to the
Latte FTP Server.
Original Destination WAN Interface IP
Translated Destination Latte FTP - 172.20.__.103
Original Service FTP
Inbound Interface X1
Outbound Interface Any
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the Add NAT Policy window, add a policy for the Latte FTP server.
From the Original Source drop-down list, select Any.
Source Any
Destination Any
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to Firewall > Access Rules.
2. Select the Matrix View Style.
3. Click the Configure icon for the WAN to LAN access rule. The Access Rules (WAN > LAN) window appears.
5. From the Service drop-down list, select Web and FTP Service Group.
6. From the Source drop-down list, select Any.
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
en
1. Open a new Web browser window.
1. In the Web browser, go to http://<partner’s WAN IP address>.
Your partner’s Espresso Web site appears.
2. In the Web browser, go to ftp://<partner’s WAN IP address>.
Your partner’s Latte FTP site appears.
3. Close the Web browser.
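Added example, not part of the original lab guide and not SonicOS code: a simplified Python model of the inbound path configured in Tasks 5 through 7, which lists exactly which WAN-side ports end up reachable and on which internal host. The student number (5), the WAN address 203.0.113.10, and all function and variable names are assumptions made for illustration; the model only requires that both an access rule and a NAT policy match and does not claim the appliance's evaluation order.

```python
"""Simplified model of the Exercise 2.4 inbound path (illustration only)."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed lab values: student number 5 and a documentation-range WAN IP.
STUDENT = 5
WAN_IP = "203.0.113.10"
ESPRESSO_WS = f"172.20.{STUDENT}.102"
LATTE_FTP = f"172.20.{STUDENT}.103"

# Well-known TCP ports. FTP covers both the data (20) and control (21) streams,
# matching the page's note about the FTP (All) group.
SERVICES = {"HTTP": frozenset({80}), "FTP": frozenset({20, 21})}
WEB_AND_FTP_SERVICE_GROUP = SERVICES["HTTP"] | SERVICES["FTP"]


@dataclass(frozen=True)
class NatPolicy:
    original_destination: str
    translated_destination: str
    original_service: str
    inbound_interface: str


# The two NAT policies from Tasks 5 and 6.
NAT_POLICIES = (
    NatPolicy(WAN_IP, ESPRESSO_WS, "HTTP", "X1"),
    NatPolicy(WAN_IP, LATTE_FTP, "FTP", "X1"),
)


def translate(dst_ip, dst_port, in_iface, policies):
    """Return the translated destination of the first matching policy, or None."""
    dst = ip_address(dst_ip)
    for p in policies:
        if (in_iface == p.inbound_interface
                and dst == ip_address(p.original_destination)
                and dst_port in SERVICES[p.original_service]):
            return p.translated_destination
    return None


def handle_inbound(dst_ip, dst_port, in_iface="X1",
                   policies=NAT_POLICIES,
                   allowed_ports=WEB_AND_FTP_SERVICE_GROUP):
    """A packet is forwarded only if the access rule AND a NAT policy match."""
    if dst_port not in allowed_ports:
        return ("drop", "service not in WAN > LAN access rule")
    target = translate(dst_ip, dst_port, in_iface, policies)
    if target is None:
        return ("drop", "no matching NAT policy")
    return ("forward", target)


def exposure_map(policies=NAT_POLICIES,
                 allowed_ports=WEB_AND_FTP_SERVICE_GROUP, in_iface="X1"):
    """Map every TCP port reachable on the WAN IP to its internal host."""
    exposed = {}
    for port in range(1, 65536):
        verdict, detail = handle_inbound(WAN_IP, port, in_iface,
                                         policies, allowed_ports)
        if verdict == "forward":
            exposed[port] = detail
    return exposed


if __name__ == "__main__":
    for port, host in sorted(exposure_map().items()):
        print(f"WAN tcp/{port} -> {host}")
    # Task 9 (deleting the NAT settings) leaves nothing exposed.
    print("after NAT removal:", exposure_map(policies=()))
```

Comparing the exposure map before and after a change is a quick way to confirm that only the intended services were published.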
Hands-On Exercises - Exercise 3.1 - WAN ISP Failover and Outbound Load Balancing
The customer has acquired a secondary ISP lease and now requires Internet redundancy if the primary
Internet connection fails.
You will work on this exercise with a partner. Only one student will configure their Dell SonicWALL appliance
to utilize WAN Failover; their partner’s appliance will simply act as the Secondary WAN/ISP Router for this
exercise. If there is time remaining, you can disable the failover settings and trade positions.
Tasks
1. Configuring the X2 Interface as a Secondary WAN
2. Testing WAN Failover
3. Testing WAN Failover
4. Modifying WAN Failover Settings
5. Testing Internet Access over the X2 Port
IP Assignment Static
IP Address 172.20.__.2 (your partner’s number)
Subnet Mask 255.255.255.0
Default Gateway 172.20.__.1 (your partner’s number)
Note: The only step required by the Secondary WAN/ISP Provider partner is to port shield X2 to the LAN on X0.
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On the workstation being set up for redundancy, log into the Dell SonicWALL appliance as admin. Assign the X2 interface to the WAN zone, and assign a static address for that interface that is within the range of your partner’s LAN.
2. From the left navigation menu, go to Network > Interfaces.
3. In the Interface Settings section, click the Configure icon for the X2
interface. The Interface “X2” Settings window appears.
8. Click OK.
10. Click the Configure icon for the Default LB Group.
Note: Probing options and the Global Probing Target are set in the Probing Tab. If Global probing is set, individual
15. Click Configure icon next to each interface to set individual targets
On the workstation being set up for redundancy, test the WAN failover settings using the ping command. Once the ping command is running, remove the Ethernet cable from your WAN interface. Document the number of unsuccessful ping attempts before WAN failover begins.
ping yahoo.com -t
2. Refresh the Network > WAN Failover & LB page, and then view the WAN Load Balancing Statistics. Verify that the X2 Link Status reads Link Up.
8. Wait about ten seconds, refresh the Network > WAN Failover & LB page, and then view the WAN Load Balancing Statistics. Verify that the X1 Link Status is Link Up, that the X1 Load Balance State is Active - Available, and the X2 Load Balance State is Available.
The Dell SonicWALL appliance automatically recognized that the WAN connection was available and reactivated it as the primary interface.
Leave the ping command running.
CHALLENGE YOURSELF TASK 3: Modifying WAN Failover Settings
Modify the number of missed intervals before enabling the secondary WAN interface. Test the WAN failover settings again using the ping command from the primary user’s workstation. Once the ping command is running, remove the Ethernet cable from your WAN interface. Document the number
1. On the Network > Failover & LB page, select the Configure option for the default Load Balancing group and click on the Probing tab, in the WAN Interface Monitoring section, edit the Deactivate
1 missed intervals
2. Click OK.
appliance.
5. Document the number of Request timed out messages display before
1. On the primary workstation, with the WAN connection unavailable, open Internet Explorer, and then go to http://training.sonicwall.com.
The Dell SonicWALL Product Training page appears. The workstation can access the Internet using the X2 port as WAN failover.
2. Simultaneously, reconnect the X1 port while disconnecting the X2 port.
3. On the Dell SonicWALL Product Training page, click CLASS SCHEDULES.
Depending on how quickly you performed the above step, you may get an Internet Explorer cannot display the webpage error. If that happens, use the F5 key to refresh the browser.
The schedule page displays, demonstrating that the Dell SonicWALL appliance has determined the active and inactive ports.
4. Close the Dell SonicWALL Product Training page.
Hands-On Exercises - Exercise 3.2 - Policy-Based Routing
Tasks
1. Configuring a Route for HTTP Traffic
2. Testing Ping Failover
3. Testing HTTP Failover
4. Changing Partner Positions and Removing Settings

Destination Any
Service HTTP
Gateway Secondary Default Gateway
Interface X2
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On the workstation being set up for redundancy, from the left navigation menu, go to
Network > Routing.
3. From the Source drop-down list, select LAN Subnets.
8. Set Metric to 1.
On the workstation being set up for redundancy, test the WAN failover settings using the ping
command from the primary user’s workstation. Once the ping command is running, remove the
2. Remove the Ethernet cable from the WAN interface of your appliance.
Verify that after a couple of Request timed out messages, successful
ping replies resume.
3. Reconnect the Ethernet cable to the X1 interface of your Dell SonicWALL
appliance, and then disconnect the Ethernet cable from the X2
interface.
Verify that after a couple of Request timed out messages, successful
ping replies resume.
This demonstrates that the ping service is set to use the appliance
failover option of both interfaces.
4. Reconnect the Ethernet cable to the X2 interface of your Dell SonicWALL
appliance.
5. Close the command prompt.
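The failover tests above rely on counting Request timed out messages until replies resume. The following added example (not part of the course material) counts lost probes per outage from saved Windows ping output; the sample capture and the 192.0.2.x addresses in it are constructed.

```python
import re

# A successful Windows ping line, for example:
#   Reply from 192.0.2.10: bytes=32 time=24ms TTL=54
REPLY_OK = re.compile(r"^Reply from \S+ bytes=\d+ time[=<]\d+ms TTL=\d+")

# Lines that mean the probe was lost. "Destination host unreachable" also
# begins with "Reply from", so it must not be counted as a success.
PROBE_LOST = re.compile(
    r"Request timed out|Destination (host|net) unreachable|General failure",
    re.IGNORECASE,
)

# Constructed capture: two outages, as seen when X1 and then X2 is unplugged.
SAMPLE_CAPTURE = """\
Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=24ms TTL=54
Reply from 192.0.2.10: bytes=32 time=23ms TTL=54
Request timed out.
Request timed out.
Reply from 192.0.2.10: bytes=32 time=31ms TTL=54
Reply from 192.0.2.10: bytes=32 time<1ms TTL=54
Request timed out.
Reply from 192.0.2.1: Destination host unreachable.
Request timed out.
Reply from 192.0.2.10: bytes=32 time=25ms TTL=54
"""


def classify(line):
    """Return 'ok', 'lost', or None for lines that are not probe results."""
    line = line.strip()
    if REPLY_OK.match(line):
        return "ok"
    if PROBE_LOST.search(line):
        return "lost"
    return None


def find_outages(ping_output):
    """List each run of lost probes: where it started, its length, and
    whether a successful reply followed it before the capture ended."""
    outages = []
    current = None
    probe = 0
    for line in ping_output.splitlines():
        kind = classify(line)
        if kind is None:
            continue  # header, blank line, or statistics
        probe += 1
        if kind == "lost":
            if current is None:
                current = {"first_probe": probe, "lost": 0, "recovered": False}
                outages.append(current)
            current["lost"] += 1
        elif current is not None:
            current["recovered"] = True
            current = None
    return outages


if __name__ == "__main__":
    for outage in find_outages(SAMPLE_CAPTURE):
        print(outage)
```

An outage with `recovered` set to False means the capture ended before failover completed, so the count for that outage is a lower bound.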
CHALLENGE YOURSELF TASK 3: Testing HTTP Failover
On the workstation being set up for redundancy, test the WAN failover settings using HTTP from
the primary user’s workstation. Access http://training.sonicwall.com. Remove the X1 primary WAN
connection and browse to other pages. Reconnect the X1 primary WAN connection, remove the
secondary WAN connection, and browse to the other pages.
shows that the HTTP service uses only the secondary WAN port. It will
not use the X1 interface for failover.
1. You will also need to remove the Route Policies that you created in Exercise 3.2, Task 1 and 2.
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to Network > Interfaces.
2. In the Interface Settings section, click the Configure icon for the
secondary WAN interface.
3. From the Zone drop-down list, select Unassigned.
4. Click OK.
5. From the left navigation menu, go to Network > Routing.
6. Select the check boxes for the two route policies you created for the FTP
and HTTP services.
7. Click Delete.
8. Click OK.
9. Remove the Ethernet cable between your Dell SonicWALL appliance
Secure Access
Tasks
1. Configuring a Site-to-Site VPN
2. Verifying Connectivity Using the Site-to-Site VPN
3. Accessing File Shares Across the VPN
CHALLENGE YOURSELF TASK 1: Configuring a Site-to-Site VPN
Set up a site-to-site VPN. Perform the following tasks on both management workstations.
VPN Policy Name Site __ to Site __ VPN tunnel (the lower
student number should be first, followed by
the larger student number)
IPsec Primary Gateway Partner’s WAN interface IP address
2. In the VPN Policies section, click Add. The VPN Policy window
appears.
6. From the Local IKE ID drop-down list, select Firewall Identifier.
7. In the Local IKE ID: Firewall Identifier box, type:
Site __ (your number)
8. From the Peer IKE ID drop-down list, select Firewall Identifier.
9. In the Peer IKE ID: Firewall Identifier box, type:
Site __ (your partner’s number)
10. Click the Network tab.
11. In the Local Networks section, select LAN Subnets from the drop-down list.
13. In the Add Address Object window, in the Name box, type:
Site __ Network (your partner’s number)
255.255.255.0
18. Click OK.
Wait for your partner to complete this task before moving on.
CHALLENGE YOURSELF TASK 2: Verifying Connectivity Using the Site-to-Site VPN
Verify if the VPN tunnel is established yet. Send a ping to your partner’s Espresso Web server at
172.20.__.102 (your partner’s number).
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. Refresh the VPN > Settings page.
In the Currently Active VPN Tunnels section, there are no active VPN
tunnels.
1. Go to Start > Run.
2. In the Open box, type:
\\172.20.__.101\Shared (your partner’s number)
3. Click OK.
4. In the Connecting to 172.20.__.101 dialog box, in the User name
box, type:
salesuser
5. In the Password box, type:
training
6. Click OK.
The shared folder for your partner’s file server appears, demonstrating
that you have shared folder access across the VPN.
Tasks
1. Configuring a Hub and Spoke VPN
2. Verifying Connectivity Using the Site-to-Site VPN
CHALLENGE YOURSELF TASK 1: Configuring a Hub and Spoke VPN
Set up a Hub to Spoke A VPN and a Hub to Spoke C VPN. Perform the following tasks on the Hub
management workstation. (Your instructor will assign who will perform the Hub VPN, Spoke A VPN,
and Spoke C VPN configurations.)
Hub VPN Policy Names Hub to Spoke A VPN tunnel
Hub to Spoke C VPN tunnel
Spoke A Network
Spoke C Network
Secure Access - Exercise 4.1a (Optional) - Hub & Spoke VPN Settings | 65
3. In the Name box, type Spoke A Network.
4. In the Zone Assignment drop-down list, select VPN.
5. In the Type drop-down list, select Network.
6. In the Network box, type the LAN network address for Spoke A
172.20.__.0 (LAN of spoke A)
255.255.255.0
8. Click Add.
Spoke C Network
255.255.255.0

18. In the Name box, type:
Hub and Spoke C Group
19. In the left window, select LAN Subnets and Spoke C Network, and
click -> to move the entries to the window on the right.
23. In the left window, select LAN Subnets and Spoke A Network, and
click -> to move the entries to the window on the right.
2. In the VPN Policies section, click Add. The VPN Policy window
appears.
training
6. From the Local IKE ID drop-down list, select Firewall Identifier.
7. In the Local IKE ID: Firewall Identifier box, type:
Hub
8. From the Peer IKE ID drop-down list, select Firewall Identifier.
9. In the Peer IKE ID: Firewall Identifier box, type:
Spoke A
10. Click the Network tab.
11. In the Local Networks section, click Choose local network from list
Address, and select LAN Subnets and Spoke C from the drop-down
list.
12. In the Destination Networks section, select Spoke A Network from
13. On the Proposals tab, leave all values at default. (Make sure all Spokes
17. In the VPN Policies section, click Add (to add spoke C tunnel).
18. In the Name box, type:
Hub to Spoke C VPN tunnel
19. In the IPsec Primary Gateway Name or Address box, type the IP
address of Spoke C WAN interface.
20. In the Shared Secret and Confirm Shared Secret boxes, type:
training
21. From the Local IKE ID drop-down list, select Firewall Identifier.
22. In the Local IKE ID: Firewall Identifier box, type:
Hub
23. From the Peer IKE ID drop-down list, select Firewall Identifier.
24. In the Peer IKE ID: Firewall Identifier box, type:
Spoke C
25. Click the Network tab.
26. In the Local Networks section, click Choose local network from list
Address, and select Hub and Spoke A Group from the drop-down list.
27. In the Destination Networks section, select Spoke C Network from
the drop-down list.
28. On the Proposals tab, leave all values at default. (Make sure all Spokes
3. In the Name box, type:
Hub Network
4. In the Zone Assignment drop-down list, select VPN.
5. In the Type drop-down list, select Network.
6. In the Network box, type the LAN network address for the Hub
255.255.255.0
8. Click Add.
9. Configure the next Address Object for Spoke C.
Spoke C Network
13. In the Network box, type the LAN network address for Spoke C:
255.255.255.0
18. In the Name box, type:
Hub and Spoke C Group
19. In the left window, select Hub Network and Spoke C Network and
click -> to move the entries to the window on the right.
20. Click OK.
22. In the VPN Policies section, click Add. The VPN Policy window
appears.
23. In the Name box, type:
Spoke A to Hub VPN Tunnel
24. In the IPsec Primary Gateway Name or Address box, type the IP
address of the Hub WAN interface.
25. In the Shared Secret and Confirm Shared Secret boxes, type:
training
26. From the Local IKE ID drop-down list, select Firewall Identifier.
Spoke A
28. From the Peer IKE ID drop-down list, select Firewall Identifier.
Hub
31. In the Local Networks section, click Choose local network from list
Address, and from the drop-down list, select LAN Subnets.
32. In the Destination Networks section, select Hub and Spoke C
Group from the drop-down list.
33. On the Proposals tab, leave all values at default. (Make sure all Spokes
match the Hub values.)
34. Click the Advanced tab.
Wait for Hub and Spoke A to complete their task before moving on.
3. In the Name box, type:
Hub Network
4. In the Zone Assignment drop-down list, select VPN.
5. In the Type drop-down list, select Network.
6. In the Network box, type the LAN network address for the Hub:
255.255.255.0
8. Click Add.
9. Configure the next Address Object for Spoke A.
Spoke A Network
13. In the Network box, type the LAN network address for Spoke A:
255.255.255.0

18. In the Name box, type:
Hub and Spoke A Group
19. In the left window, select Hub Network and Spoke A Network and
click -> to move the entries to the window on the right.
22. In the VPN Policies section, click Add. The VPN Policy window
appears.
23. In the Name box, type:
Spoke C to Hub VPN Tunnel
24. In the IPsec Primary Gateway Name or Address box, type the IP
address of the Hub WAN interface.
25. In the Shared Secret and Confirm Shared Secret boxes, type:
training
26. From the Local IKE ID drop-down list, select Firewall Identifier.
Spoke C
28. From the Peer IKE ID drop-down list, select Firewall Identifier.
29. In the Peer IKE ID: Firewall Identifier box, type:
Hub
31. In the Local Networks section, click Choose local network from list
Address, and from the drop-down list, select LAN Subnets.
32. In the Destination Networks section, select Hub and Spoke A from
the drop-down list.
33. On the Proposals tab, leave all values at default. (Make sure all Spokes
match the Hub values.)
34. Click the Advanced tab.
Wait for Hub and Spoke A to complete their task before moving on.
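In the Hub and Spoke policies above, what one appliance enters as Local Networks and Local IKE ID is what its peer enters as Destination Networks and Peer IKE ID. The following added example (not part of the course material) checks that pairing across all four policies before you look for the tunnels under Currently Active VPN Tunnels; the subnets 172.20.1.0/24, 172.20.2.0/24 and 172.20.3.0/24 are constructed stand-ins for the blank site numbers, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


def normalize(cidrs):
    """Canonical set of networks, so two adjacent /25s equal their /24."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    return frozenset(ipaddress.collapse_addresses(networks))


@dataclass(frozen=True)
class VpnPolicy:
    owner: str              # appliance the policy is configured on
    peer: str               # appliance at the other end of the tunnel
    local_ike_id: str       # Local IKE ID: Firewall Identifier
    peer_ike_id: str        # Peer IKE ID: Firewall Identifier
    local: frozenset        # Local Networks
    destination: frozenset  # Destination Networks


def _difference(left, right):
    """Networks present on only one side, as readable text."""
    return ", ".join(sorted(str(net) for net in left ^ right))


def check_pair(near, far):
    """Compare one policy with the policy configured on its peer."""
    problems = []
    if near.local_ike_id != far.peer_ike_id:
        problems.append(f"{near.owner} identifies as {near.local_ike_id!r}, "
                        f"{far.owner} expects {far.peer_ike_id!r}")
    if near.peer_ike_id != far.local_ike_id:
        problems.append(f"{near.owner} expects {near.peer_ike_id!r}, "
                        f"{far.owner} identifies as {far.local_ike_id!r}")
    if near.local != far.destination:
        problems.append(f"{near.owner} local vs {far.owner} destination differ: "
                        f"{_difference(near.local, far.destination)}")
    if near.destination != far.local:
        problems.append(f"{near.owner} destination vs {far.owner} local differ: "
                        f"{_difference(near.destination, far.local)}")
    if any(l.overlaps(d) for l in near.local for d in near.destination):
        problems.append(f"{near.owner}: local and destination networks overlap")
    return problems


def audit(policies):
    """Map (owner, peer) to the list of problems found for that policy."""
    by_ends = {(p.owner, p.peer): p for p in policies}
    report = {}
    for (owner, peer), near in by_ends.items():
        far = by_ends.get((peer, owner))
        if far is None:
            report[(owner, peer)] = [f"no policy on {peer} for {owner}"]
        else:
            report[(owner, peer)] = check_pair(near, far)
    return report


# Constructed LAN subnets for the three sites (the lab sheet leaves them blank).
HUB, SPOKE_A, SPOKE_C = "172.20.1.0/24", "172.20.2.0/24", "172.20.3.0/24"


def lab_policies(spoke_a_destination=(HUB, SPOKE_C)):
    """The four policies of this exercise; the argument lets you model a
    Spoke A that selected the wrong Destination Networks object."""
    return [
        VpnPolicy("Hub", "Spoke A", "Hub", "Spoke A",
                  normalize([HUB, SPOKE_C]), normalize([SPOKE_A])),
        VpnPolicy("Hub", "Spoke C", "Hub", "Spoke C",
                  normalize([HUB, SPOKE_A]), normalize([SPOKE_C])),
        VpnPolicy("Spoke A", "Hub", "Spoke A", "Hub",
                  normalize([SPOKE_A]), normalize(spoke_a_destination)),
        VpnPolicy("Spoke C", "Hub", "Spoke C", "Hub",
                  normalize([SPOKE_C]), normalize([HUB, SPOKE_A])),
    ]


if __name__ == "__main__":
    # Spoke A picked Hub Network instead of Hub and Spoke C Group.
    for ends, problems in audit(lab_policies((HUB,))).items():
        print(ends, problems or "ok")
```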
CHALLENGE YOURSELF TASK 2: Verifying Connectivity Using the Hub and Spoke VPN
Verify that the VPN tunnel is established. Send a ping to the Hub, Spoke A, and Spoke C Espresso
Web server at 172.20.__.102.
1. Refresh the VPN > Settings page.
In the Currently Active VPN Tunnels section, there are no active VPN
tunnels.
2. Go to Start > Run.
3. Type cmd and click OK.
4. In the command prompt, type:
ping 172.20.__.102 (Hub, Spoke A, Spoke C number)
CHALLENGE YOURSELF TASK 3: Deleting the Hub and Spoke VPN Tunnel
Delete the Hub to Spoke A VPN and Hub to Spoke C VPN tunnels from the management
workstations.
1. On the VPN > Settings page, select the Hub and Spoke VPN tunnels
check box.
2. Click Delete.
3. Click OK.
Secure Access - Exercise 4.2 - Route Based VPN
used as the source address of the tunneled packet.
A Static Route ties the traffic (source, destination, and service) to the Tunnel Interface. Any number of
overlapping static routes can be added for the tunneled traffic. When networks are added or removed from
the topology, the static routes only need to be updated accordingly; the tunnel interface configuration does
not need to be updated.
Tasks
1. Change the existing Site-to-Site VPN to a Route Based VPN
2. Create a static route for the tunnel interface.
3. Verify connectivity through the route based VPN.
4. Delete the existing VPN Tunnel.
CHALLENGE YOURSELF TASK 1: Change the existing Site-to-site VPN to a Route Based VPN
In order to create a route based VPN, you will modify the VPN policy created in 4.1, then add a
4. Click Add.
2. Click the Add button. A dialog window appears for adding a Static Route.
Note: If the “Auto-add Access Rule” option is selected, firewall rules are automatically added and traffic is
allowed between the configured networks using the tunnel interface.
8. Click OK.
1. Refresh the VPN > Settings page.
In the Currently Active VPN Tunnels section, there are no active VPN
tunnels.
2. Go to Start > Run.
3. Type cmd and click OK.
4. In the command prompt, type:
ping 172.20.__.102 (Partner number)
1. On the VPN > Settings page, select the check box for the Site __ to
Site __ VPN tunnel.
2. Click Delete.
3. Click OK.
Tasks
1. Installing the Global VPN Client.
2. Configuring a New GVC Connection.
3. Configuring the WAN GroupVPN Policy.
4. Configuring a Local User for GVC Access.
5. Validating the GVC Connection to the SonicWALL.
CHALLENGE YOURSELF TASK 1: Installing the Global VPN Client
On the GVC client workstation, install the Dell SonicWALL Global VPN Client (GVC) from the GVC
1. On the GVC client workstation, from the desktop, open the Course
Materials\GVC folder.
3. Click Next twice.
4. On the License Agreement page, accept the license terms, and then
click Next twice.
5. Click Install.
Secure Access - Exercise 4.3 (Optional) - Global VPN Client with Local Database | 87
Create a desktop shortcut Yes (selected)
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On the GVC client workstation, go to Start > Programs > SonicWALL
Global VPN Client. The New Connection Wizard appears.
3. Leave the Remote Access option selected, and then click Next. The
Remote Access page appears.
4. In the IP Address or Domain Name box, type the IP address of your
partner’s WAN interface.
5. In the Connection Name box, type:
Site __ VPN (your partner’s number)
6. Click Next. The Completing the New Connection Wizard page appears.
7. Select the Create a desktop shortcut for this connection check box.
8. Click Finish.
The Dell SonicWALL Global VPN Client Hide Notification window appears.
10. Select the Don’t show me this message again check box.
11. Click OK.
On the VPN workstation, set up the SonicWALL WAN GroupVPN policy settings to allow connections
from your partner’s GVC.
Enable VPN Yes (selected)
Authentication Method IKE using Preshared Secret
Shared Secret training
Require Authentication of VPN Clients via XAUTH Yes (selected)
User Group for XAUTH users Create a new group
New group: Name GVC Group
New group: Networks LAN Subnets
3. In the VPN Policies section, select the Enable check box for the WAN
GroupVPN policy.
4. Click the Configure icon for the WAN GroupVPN policy. The VPN
Policy window appears.
training
9. From the User Group for XAUTH users drop-down list, select Create
a new user group. The Add Group window appears.
10. In the Name box, type:
GVC Group
11. Click the VPN Access tab.
12. In the Networks list, select LAN Subnets, and then click the ->
button.
13. Click OK. The new group is created.
14. In the VPN Policy window, click the Client tab.
15. In the User Name and Password Caching section, verify that Never
is selected in the drop-down list.
17. From the Allow Connections to drop-down list, select This Gateway
Only.
18. Select the Set Default Route as this Gateway check box. Doing so
20. From the left navigation menu, go to VPN > DHCP over VPN.
21. Click the Configure button. The DHCP Relay settings window appears.
22. Select the Use Internal DHCP Server check box.
23. Select the For Global VPN Client check box.
24. Click OK.
CHALLENGE YOURSELF TASK 4: Configuring a Local User for GVC Access
On the VPN workstation, create a local user on the Dell SonicWALL appliance, and then make the
Name GVCUser
Password training
GVCUser
6. In the User Groups list, select GVC Group, and then click the ->
button.
7. Click OK.
CHALLENGE YOURSELF TASK 5: Validating the GVC Connection to the Dell SonicWALL
Appliance
On the GVC client workstation, launch the Connection to Site __ VPN icon on the desktop. Establish
a connection with your partner’s appliance by logging in as GVCUser, and then access resources by
browsing to the \\172.20.__.101\Shared folder.
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On the GVC client workstation, double-click the Connection to Site __
VPN icon on the desktop. The Site __ VPN window appears.
2. In the Pre-Shared Key box, type:
training
3. Click OK.
GVCUser
training
6. Click OK.
7. Go to Start > Run.
8. Type cmd and click OK.
9. In the command prompt, type:
ping 172.20.__.102 (your partner’s number)
Four successful ping responses are returned.
10. Go to Start > Run.
11. In the Open box, type:
\\172.20.__.101\Shared (using your partner’s number)
12. Click OK.
The shared folder for your partner’s file server appears, demonstrating
that you have shared folder access across the VPN connection.
15. Right-click the SonicWALL VPN icon in the system tray, and then
select Disable > Site __ VPN.
Secure Access - Exercise 4.4 - SSL VPN with Local Database
Tasks
1. Enable HTTPS User Login WAN Interface
2. Validating the SSL VPN Connection to the SonicWALL
CHALLENGE YOURSELF TASK 1: Enable HTTPS User Login WAN Interface
1. From the left navigation menu, go to Network > Interfaces.
2. Click the Configure icon for the X1 Interface used for SSL VPN access.
3. In the WAN Interface Setting for User Login, select the HTTPS box.
4. Click OK.
10. In the NetExtender End IP box, type:
172.20._.20
11. In the DNS Server 1 box, click the Default DNS Settings button.
12. In the User Domain box, type:
LocalDomain
13. Click Accept.
14. From the left navigation menu, go to SSLVPN > Client Routes.
15. In the Add client routes drop-down list, select the LAN Primary
Subnet. *
Note: The LAN Primary Subnet is an Address Group specific to TZ appliances. NSA appliances use the
X0 Subnet.
17. From the left navigation menu, go to SSLVPN > Portal Settings.
18. Select the Enable HTTP meta tags for cache control
(recommended) check box.
19. Select the Display Import Certificate checkbox (Best Practice).
20. Click Accept.
21. From the left navigation menu, go to Users > Local Users.
23. In the Name box, type:
joe
24. In the Password and Confirm Password boxes, type:
password
25. Click the Groups tab.
26. In the left window, select SSLVPN Services, and click -> to move the
28. In the left window, select LAN Subnets, and click -> to move the
entries to the window on the right.
29. Click OK.
CHALLENGE YOURSELF TASK 2: Validating the SSL VPN Connection to the Dell
SonicWALL Appliance
On the SSL VPN client workstation, open a browser window to your partner’s appliance WAN IP.
Log in and click NetExtender. Open a cmd window and ping the Espresso server.
1. On the SSL VPN workstation, from the desktop, open a browser session
with Internet Explorer.
2. Browse to https://Partner_IP_Address:4433.
3. Click the Continue to this website (not recommended) link
displayed on the screen.
4. In the User Name box, type:
joe
5. In the Password box, type:
password
6. Leave LocalDomain for the Domain drop-down list.
7. Click Login. The Dell SonicWALL Virtual Office portal page appears.
10. Click the NetExtender icon again to launch the SSLVPN session.
TIP: Configure the silent settings profile under Client Setting > Net Extender
> Create Client Setting profile. This will automatically fill in client field
information.
12. Open a cmd (DOS) window and ping your partner’s Espresso web server
(172.20._.102).
13. From your partner’s left navigation menu, go to SSLVPN > Status.
Note that “joe” has an Active SSLVPN Session with an IP address from
the SSLVPN pool.
14. On the SSLVPN host PC, disconnect joe from the SSL VPN session.
15. From your partner’s left navigation menu, go to SSLVPN > Status and
click the Refresh button. Note that there are no active sessions.
16. From the left navigation menu, go to Users > Local Users.
17. From the list of Local Users, delete joe. The confirm delete window
appears.
Secure Access - Exercise 4.5 - SSL VPN with LDAP Authentication
Note: Verify that user “joe” is removed from the local database before doing this lab.
Tasks
1. Configuring LDAP Authentication
2. Importing LDAP Group
3. Validating SSL VPN Access Using an LDAP User
CHALLENGE YOURSELF TASK 1: Configuring LDAP Authentication
On both workstations, set up the Dell SonicWALL appliance to use LDAP as the authentication
method, and then test the connection to the downstream LDAP server.
Authentication Method LDAP
4. Click No. The LDAP Configuration window appears.
administrator
9. Clear the Use TLS (SSL) check box. A warning dialog box appears.
10. Click OK.
11. Click the Schema tab.
12. Leave the default for the LDAP Schema section as Microsoft Active
Directory.
13. Click the Directory tab.
14. In the Primary domain box, type:
training.sonicwall.com
15. Click anywhere in the window. A dialog box appears asking you to
update the domain.
17. Leave the Referrals, LDAP Users, and LDAP Relay tabs with the
default values.
salesuser
training
The Test Status field will display Awaiting reply from LDAP Server. After
a few seconds, the field will display LDAP authentication succeeded.
The Returned User Attributes box displays LDAP information about the
user.
22. Click OK.
On both workstations, import a group from the LDAP server to the Dell SonicWALL appliance, and
then configure VPN access.
Sales
2. Click Import From LDAP. The LDAP Import User Groups window
appears.
5. To configure an SSL VPN LDAP user by the name of Joe, navigate to the
Users > Local Groups page, click the Configure icon for the SSLVPN
Services group. The Edit Group window appears.
6. Click on the Members tab.
7. From the Non-Member Users and Groups window, select the
engineering group and click -> to move the entries to the Members
Users and Groups window.
8. Click the VPN Access tab.
9. In the left window, select LAN Subnets, and click -> to move the
entries to the window on the right.
CHALLENGE YOURSELF TASK 3: Validating SSL VPN Access Using an LDAP User
On the SSL VPN client workstation, test the VPN access of the LDAP users that you imported in the
previous task by logging into the SSL VPN as Joe.
1. On the SSL VPN workstation, from the desktop, open a browser session
with Internet Explorer.
2. Browse to https://Partner_IP_Address:4433
joe
7. Click Login. The Dell SonicWALL Virtual Office portal page appears.
8. Click the NetExtender icon to launch the SSLVPN session.
9. If the web browser needs to install ActiveX control, click Install
ActiveX Control.
10. Click the NetExtender icon again to launch the SSLVPN session. The
Dell SonicWALL SSL-VPN NetExtender screen appears.
11. Open a cmd (DOS) window and ping your partner’s Espresso web server
(172.20._.102).
12. From your partner’s left navigation menu, go to SSLVPN > Status.
13. On the SSLVPN host PC, disconnect joe from the SSL VPN session.
Tasks
1. Configuring a Content Filtering Service Policy
2. Configuring an Open CFS Policy
3. Modifying the Default CFS Policy to Block All Categories
4. Applying CFS Policies to the HR and IT Groups
5. Creating a Firewall Access Rule
6. Enabling HTTPS User Login
7. Validating the CFS Policies
Secure Access - Exercise 4.6 - Content Filtering Service with LDAP Authentication | 111
Secure Access - Exercise 4.6 - Content Filtering Service with LDAP
Message to Display when Blocking: EchoFloor Manufacturing has blocked this site using the SonicWALL Content Filter Service.
CFS Policy Name: HR CFS Policy
Select all Categories: Yes (selected)
Allowed Categories:
11. Gambling
14. Arts/Entertainment
15. Business and Economy
17. Education
20. Online Banking
27. Information Technology/Computers
33. News and Media
40. Real Estate
45. Travel
Filter.
5. Click Accept.
6. In the Content Filter Type section, click Configure. The Dell SonicWALL Filter Properties window appears.
7. Select the Policy tab, and then click Add. The Add CFS Policy window appears.
10. Leave the Select all Categories check box selected.
11. Clear the 11. Gambling check box.
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On the Policy tab, click Add.
2. In the Name box, type:
IT CFS Policy
3. Click the URL List tab.
4. Clear the Select all Categories check box.
5. Click OK.
CHALLENGE YOURSELF TASK 3: Modifying the Default CFS Policy to Block All Categories
Change the default CFS policy on the Dell SonicWALL appliance to block all categories.
Policy: Default
1. On the Policy tab, click the Configure icon for the Default policy.
4. Click OK.
Groups to Import: HR, IT
IT: CFS Policy: IT CFS Policy
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to Users > Local Groups.
2. Click Import from LDAP.
3. Select the HR and IT check boxes.
4. Click Save Selected.
5. Click the Configure icon for the HR group.
6. Click the CFS Policy tab.
8. Click OK.
Service: HTTP
Destination: Any
Users Allowed: Trusted Users
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to Firewall > Access Rules.
2. Select the Matrix view style.
3. Click the Configure icon for the LAN to WAN access rule. The Access Rules (LAN > WAN) page appears.
4. Click Add.
5. From the Service drop-down list, select HTTP.
6. From the Source drop-down list, select LAN Subnets.
9. Click Add.
3. In the User Login row, verify that the HTTPS check box is selected.
4. Click OK.
salesuser  www.microsoft.com
salesuser  www.bankofamerica.com
salesuser  www.hotjobs.com
hruser     www.microsoft.com
hruser     www.bankofamerica.com
hruser     www.hotjobs.com
ituser     www.microsoft.com
ituser     www.bankofamerica.com
ituser     www.hotjobs.com
2. Go to http://www.microsoft.com.
3. If you receive the Microsoft Phishing Filter dialog box, select the Turn off automatic Phishing Filter option, and then click OK.
4. Click the Click here to log in link.
training
8. Click Login.
12. Restore the User Login Status window, and then click Logout.
13. Close Internet Explorer, and then go to Start > Log off.
14. Click Log Off.
15. Repeat steps 3 through 20 for hruser and document the results for each Web site. You may need to retype the URL after authentication.
Hruser is able to view the Microsoft and Bank of America Web pages; however, the user is blocked from Web pages with the category Job Search due to the HR CFS policy.
16. Repeat steps 3 through 20 for ituser and document the results for each Web site.
Ituser is able to view all Web pages, due to the IT CFS policy.
Secure Access - Exercise 4.7 - CFS with LDAP Authentication Using Single Sign-On
Tasks
1. Installing the SonicWALL SSO Agent
2. Configuring the SonicWALL for Single Sign-On
3. Validating LDAP Authentication using Single Sign-On
4. Disabling the SSO Agent
CHALLENGE YOURSELF TASK 1: Installing the Dell SonicWALL SSO Agent
In the Coffee VMware image, install and configure the Dell SonicWALL SSO agent located in the Desktop\Shared\Common Software\SonicWALL\SSO Agent folder.
Username: administrator
Password: training
4. If an Open File - Security Warning dialog box pops up, click Run.
5. Click Next.
7. On the Customer Information page, leave the default settings and click Next three times.
8. Click Install.
The SonicWALL Directory Connector service User Configuration dialog box appears.
9. In the Username box, type:
administrator
10. In the Password box, type:
training
11. In the Domain Name box, type:
training.sonicwall.com
A Dell SonicWALL SSO Agent Configurator dialog box appears, because
the Dell SonicWALL SSO Agent service is not running.
19. Click No.
20. Click OK.
21. Close the Directory Connector Configurator and the SSO Agent folder.
CHALLENGE YOURSELF TASK 2: Configuring the Dell SonicWALL Appliance for Single Sign-On
Configure the appliance to use single sign-on (SSO), and then test the connection.
Shared Key: 1234567890
Workstation IP address: 172.20.__.101 (your number)
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. On the management workstation, from the left navigation menu, go to Users > Settings.
2. From the Single-sign-on method drop-down list, select SonicWALL SSO Agent.
3. Click Configure. The Base Dialog -- Webpage Dialog window appears.
4. Click No.
10. Leave the Check agent connectivity option selected, and then click Test.
Agent is ready.
172.20.__.101
14. Click OK.
CHALLENGE YOURSELF TASK 3: Validating LDAP Authentication using Single Sign-On
Validate both LDAP authentication using single sign-on (SSO) and the CFS policies by using the Coffee VMware image to attempt connection to www.microsoft.com, www.bankofamerica.com and www.hotjobs.com using user accounts. Document whether the user is able to access each site.
User       Website                  Accessible?
hruser     www.microsoft.com
hruser     www.bankofamerica.com
3. In the Welcome to Windows dialog box, press the Ctrl + Alt + Insert keyboard combination.
hruser
training
6. Click OK.
8. Go to http://www.microsoft.com.
9. If you receive the Microsoft Phishing Filter dialog box, select the Turn off automatic Phishing Filter option, and then select OK.
Note that hruser is not blocked from viewing Web pages with the category Information Technologies/Computers.
10. In Internet Explorer, go to http://www.bankofamerica.com.
Note that hruser is not blocked from viewing Web pages with the category Online Banking.
11. Close Internet Explorer, and then go to Start > Log off.
Disable the SSO agent on the Dell SonicWALL appliance and the VMware Coffee image.
1. From the SonicOS interface, browse to the Users > Settings page.
3. From the Users > Status page, log out hruser by clicking the logout button.
4. Click Accept.
Tasks
1. Configuring the Gateway Anti-Virus Service
2. Configuring the Intrusion Prevention Service
3. Configuring the Anti-Spyware Service
4. Validating the Unified Threat Management Services
CHALLENGE YOURSELF TASK 1: Configuring the Gateway Anti-Virus Service
Set up the Dell SonicWALL appliance to use the Gateway Anti-Virus (GAV) service.
Enable Gateway Anti-Virus: Yes (selected)
Enable Inbound Inspection: HTTP, FTP, IMAP, SMTP, POP3, CIFS/Netbios, and TCP Stream
Anti-Virus.
3. In the Enable Inbound Inspection row, select the HTTP, FTP, IMAP,
SMTP, POP3, CIFS/Netbios, and TCP Stream check boxes.
4. Click Accept.
5. Click Configure Gateway AV Settings. The Gateway AV Config View
window appears.
7. Click OK.
Medium Priority Attacks: Prevent All, Detect All
Low Priority Attacks: Detect All
Prevention: Enable
Detection: Enable
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to Security Services > Intrusion Prevention.
2. In the IPS Global Settings section, select the Enable IPS check box.
3. For High Priority Attacks, select the Prevent All and Detect All check boxes.
4. For Medium Priority Attacks, select the Prevent All and Detect All check boxes.
5. For Low Priority Attacks, select the Detect All check box.
Low Danger Level Spyware: Detect All
(OR) DETAILED STEP-BY-STEP INSTRUCTIONS
1. From the left navigation menu, go to Security Services > Anti-Spyware.
4. For Medium Danger Level Spyware, select the Prevent All and
6. Click Accept.
1. On the Coffee VMware image, open Internet Explorer.
2. Go to http://www.eicar.org. An Authentication Required page appears.
3. Click the Click here to log in link.
4. Click Continue to this website (not recommended).
5. On the Network Security Login page, in the Username box, type:
ituser
6. In the Password box, type:
training
7. Click Login.
8. Minimize the User Login Status window.
10. On the eicar Web page, click the Anti-Malware Testfile link.
You may receive an Internet Explorer cannot display the webpage error.
11. In SonicOS, browse to Log > View, and notice the virus alert.