Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Silently upgrade NetExtender

stejanistejani Newbie ✭

I've been scrapping my head, as I'm trying to upgrade NetExtender on our workstations silently. Tried .msi based cmd line: msiexec.exe /i "c:\Build\SonicWALL\netextender-x64-10.2.331.msi" SERVER=sonicwall.oldworldind.com:4433 DOMAIN=oldworldind.com EDITABLE=TRUE NETLOGON=TRUE /qn /norestart ALLUSERS=2 but it won't upgrade, unless first NetExtender is uninstalled from the computer, computer restarts and then it will upgrade NetExtender. Therefore, unless it's a fresh install, above doesn't apply. Any help?

Category: SSL VPN
Reply

Answers

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    IIRC the only way to get NetExtender to do silent upgrades is to install from the users web portal (from where a .exe is downloaded and run). After that, when a firmware update is done to the firewall, the new firmware contains updated NetExtender code which will get downloaded by clients automatically.

    Any other method of installation requires a fresh install.

  • jdubtx96jdubtx96 Newbie ✭

    Sorry to rez this thread, but thought it best instead of creating a new one!

    I reached out to SonicWall support about the quickest way (silently, hopefully) to get each end-user's NetExtender client upgraded to the latest version due to a new vulnerability.

    I spoke with SonicWall support about this method. They sent me to this article (https://www.sonicwall.com/support/knowledge-base/autoupdate-using-netextender/230727055031530/) and stated that the change would "knock everyone off that is currently connected to the VPN", but that is not made clear in the article - it doesn't seem I am making any changes to the firewall itself?

    The other thing not made clear, is what steps exactly the end-user is taking to complete the update. The support article is asking the administrator to download the client from the firewall's management page, from what I can gather. Naturally, the end-user will not have access to the firewall's admin. page, so this step must not be for them.

    So my questions are, what steps does the end user need to take to make this update happen? And is it true that everyone will be disconnected from the VPN?

    Thanks!

  • TKWITSTKWITS Community Legend ✭✭✭✭✭
    1. The end user only needs to click Ok on the window notifying them of the update to NetExtender. It does not require admin privileges.
    2. They missed a step in the article: Go to SSLVPN \ Client Settings \ Default Device Profile \ Default Device Profile \ Client Settings \ NetExtender Client Settings, and enable 'Enable Client Autoupdate'.

    Users will only be disconnected from an active session when changes are made to either the SSLVPN Server Settings or Client Settings. They will not be disconnected if you simply download the ZIP file from the admin interface.

  • jdubtx96jdubtx96 Newbie ✭
    edited February 7

    Thanks TKWITS!

    Some quick quick follow-up questions:

    1. When does the user click OK? Is it simply when they are connecting/reconnecting to the VPN via NetExtender client? It will pop up and prompt them?
    2. For the setting, thank you! That makes much more sense. For the download link on the admin interface, is this just basically giving you the same client executable that you can download from SonicWall downloads, but preconfigured? And I assume this is just for new installations, or doing a manual update?
    3. Lastly, must the user have this "special" client installed to benefit from the auto-update feature? Or does any client installation detect the new firewall setting and auto-update accordingly?

    Thanks again!

  • TKWITSTKWITS Community Legend ✭✭✭✭✭
    1. When connecting with NetExtender and a new version is found (on the firewalls firmware), the user will see the prompt as shown in the article you linked to.
    2. IIRC the NetExtender downloaded from the Sonicwall VPN Client downloads page is just the base MSI with no config, and the one downloaded from either the admin interface or the user portal is an EXE that includes the config for connections to the specific firewall. I'd err on the side of caution and say the installers from the firewall itself are recommended only for new installs. Id avoid trying to 'upgrade' a MSI-installed NetExtender with the EXE.
    3. AFAIK the client must be installed either from the firewall admin interface or the user portal EXE to benefit from the auto-update feature.

    Unfortunately you'll find that firewall firmware doesn't always include the latest NetExtender versions. Back when Win10 was introduced we had to abandon installs from the firewall because NX versions prior to 8.266 wouldn't work with Win10, and no firmware version out at the time had it. So we were stuck with manually installing using the MSI version, and the arduous task of manual updates.

    Maybe with Gen7 and Win11 you can get away with firewall installs and auto-update again.

    You're welcome.

  • ChojinChojin Enthusiast ✭✭

    Hi, since I read this. I have a question. We are thinking about introducing the NetExtender (SMA) and using always on VPN.


    I have read that always on VPN is only supported with msi version.


    So when msi version is the raw application without config how do i get to realize the always on config/setup?

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    I've never done an 'always on' config so I cant help you there (i didnt think this was possible unless you are referring to connecting pre-login). With the MSI version you can specify the server parameters during installation, so the user only needs to enter their credentials.

Sign In or Register to comment.