Category: SonicWall

I must remember this one.  Scenario: you have setup SonicWALL’s SSL-VPN to accept external NetExtender client connections.  You have configured the clients in “Tunnel All Mode” which means the external device will browse the Internet from the IP of the SonicWALL (useful for when you’re at a public hotspot or other connection-inhibiting location).  Everything connects properly and yet you cannot browse the Internet.  The fix is simple.

Go to Local Groups, edit the SSLVPN Services group.  Go to the VPN Access tab.  Add the entry WAN RemoteAccess Networks.

You’re welcome.

It’s been a rough day for SIP. Out of nowhere my Asterisk server stopped working properly. I suspected the SonicWALL and began a 2 hour long process of generating the configuration from factory defaults. I did this because a SonicWALL technician in his Indian accent chastised me for loading Beta firmware without having good backups. He blamed this for having a malfunctioning CFS policy. Anyway, I loaded new configuration and as it was it had no effect on the symptoms. Specifically, there was 1-way or no audio and the call disconnected right at about 30 seconds. 

Every Asterisk forum and support post always describes the cause of this issue to be bad NAT-ing. However nothing had changed. I loaded the same configuration into the SonicWALL as was before the wipe. 

Ultimately after much searching I came across a working solution. I added RTP ports UDP 10000-20000 to the firewall. Also I opened up the firewall to All incoming connections instead of my SIP trunk providers IP address. Possibly they changed the IP address for the media gateway but only a call to tech support would determine that. Fortunately I’ll do that tomorrow. 

Side note that I also went through a couple hours worth of free SMTP quota in about 3 seconds. I turned on email alerts on the default SonicWALL configuration. I also had Geo-IP filter engaged for a measly few 12 of the baddest countries in the malware world. Let’s just say it’s a dangerous Internet out there. My SonicWALL sent an email every time someone tried to connect and was blocked yet the Geo-IP filter. 

Last night I decided to tackle the task of enabling the SonicWALL CFS service on my new TZ 500 NFR model.  I had done this with my NSA 240 years ago (circa 2009) and was very impressed with the end results.  Now with another 365 days of free CFS service, better use it, right?

Not using any KB articles, I was able to complete the whole thing without much difficulty.  The TZ 500 paired with LDAP (unsecured) using a non-admin service account and I installed the SonicWALL SSO Agent program on the DC and configured to run as a service.  I tested the functionality pretty thoroughly and wherever I logged in as my account, the SonicWALL figured it out and adjusted the CFS automatically and perfectly.

The only issue is that I could not figure out how to manually log in as a user to authenticate via AD (and get special CFS policy) on non-Windows (or domain joined) devices such as guest systems and handheld devices.  Hopefully I will post about that soon.