Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Netextender Routing using FQDN objects

Hi everyone

This is my first post here but i use the forums quite often to find answers :)

We have a client that uses SSL VPN in split tunnel mode which works great, although they need to route a website via the ssl tunnel and ideally we should be using the fqdn rather than an ip address as the ip changes all the time and creates massive issues.

Does anyone know of a solution for this ? ( Using Full tunnel is not really a solution so ideally routing FQDN objects would be the ideal solution :) )

thanks

Category: SSL VPN
Reply
Tagged:

Best Answers

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Mauricio I checked on Gen6 and Gen7 and it is not possible to add a FQDN object to the Client Routes for SSL-VPN. If static IP Host Object is no way to go, you might be out of luck on that.

    --Michael@BWC

  • MauricioMauricio Newbie ✭

    Hi @BWC - Thanks for checking and for replying as well.

    I tried to find out if this is a feature that will be available in future releases but cant really find anything about it.

    Can't believe i am the only person that has this problem!

    Thanks

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Mauricio it's a relatable request, sadly their is no such thing like a public directory of enhancement requests, I suggested that in the past, but it ended in create a RFE with your sales rep.

    --Michael@BWC

  • prestonpreston Enthusiast ✭✭

    @Mauricio, the reason this isn't supported is not a SonicWall issue but rather a PC Operating System one, it is due to the fact that all the routes do on the SSL VPN settings is tell NetExtender to update the Windows or other OS to update its routing table to use the ones from the SSL VPN connection, and as the Windows routing table doesn't support FQDNS only IP addresses and Networks it won't work.

    The SSL VPN routes from what I believe don't support any Dynamic Address Objects, I think this is is also due to the fact if any change is detected it would log the users out and back in again to push the changes to the clients, so even if you create a PS script to turn the FQDN into an IP and then added it to an External Address Object Group list to the routing tab on the SSL VPN client settings, it still wouldn't work but you can give it a try.

  • prestonpreston Enthusiast ✭✭

    @Mauricio - in fact in addition, even if you don't add any routes in the SSL VPN Client Settings you can still route via the SSL VPN if you manually or automatically via a script (see below) put the routes in your windows routing table, as long as you are allowing the access to like WAN Remote Networks in the User Group VPN access list on the SonicWall and have a NAT policy outbound it will be allowed to go via the SSL VPN connection .

    So in theory you could create a script which checks if the NetExtender's is connected/enabled and what the Interface IP is ( this is dynamic for SSL VPN ), in the script convert the desired FQDNS to IPV4 Addresses and then add to the routing table via the NetExtender IP address, I'm not a programmer but for someone who is good with PS scripts I'm sure this would be a doddle, you would need to make sure the though that the script ran on a loop though in case the FQDNS change IP and also to remove the routes when the NetExtender is disconnected, maybe ask via the Developer section on the Community.

Sign In or Register to comment.