New to Sonicwall - need pointers
I have recently been involved in a network upgrade. We have multiple locations with public IPs and different lans at each location. We put SonicWalls at each location and tied them to the "main" building using IPSEC VPN tunnels. Traffic is working to/from buildings as expected except for:
SSL VPN using NetExtender only allows access to the location that is connected to and not any other locations. I wish to connect to one location and have access to all locations for management. Other users I set up only need access to the building with the servers. I have experimented with Client Routes in the default device profile, but no luck there. I just noticed the Tunnel All Mode at the top that is off. I will look into that while I wait. Can someone point me in the right direction?
We have tunnels set for every location back to the building with the servers, so everything is accessible from the main building, but I would like to access any building no matter where I am in the network. Is the best way to set IPSEC tunnels from every location to every other location?
Answers
SSLVPN access is two-fold: Client Routes and User VPN Access. You can add as many Client Routes as you want, but if a user isn't granted VPN Access to the subnets it won't ever work.
You must also be aware of how your S2S VPNs are configured, firewall rules, etc.
What you are looking for is commonly done.
I wish to connect to one location and have access to all locations for management
If you mean managing remote firewalls, the VPN policy will need to have management enabled on it as well.
Sorry, I mean servers/devices/etc. I would like to grab any IP from any location to assist in managing a device if needed. Right now I have tunnels from each outer building to the main building. I think I need to add tunnels from each building to every other building. I was just asking if this is the best way to achieve what I am looking for OR if I should be able to get to every building through the main building (right now I can't do this).
I also came across this: https://www.sonicwall.com/support/knowledge-base/implementing-hub-and-spoke-site-to-site-vpn-video-tutorial/170503738192273/
I think I will spend some time on it over the next few days since all of the users will be out of office.
Management access should be restricted, and while meshed inter-office connectivity can be convenient, it is also a security risk. If any IP at any location can access any IP at any other location, then so can a malicious actor.
I think I need to add tunnels from each building to every other building. I was just asking if this is the best way to achieve what I am looking for OR if I should be able to get to every building through the main building (right now I can't do this).
If you mesh everything together [tunnel from every site to every site] it gives the best performance and resilience but has the highest management overhead.
If you route everything via a central site then it is the simplest to manage but less resilient and the traffic has to traverse the central site.
Your choice.
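The two rules in the answers above (NetExtender needs both a Client Route and User VPN Access; spoke-to-spoke traffic through a hub only flows if the tunnel selectors on every firewall in the path cover it) as an added Python model. This is not SonicWall code and not from the thread; the site names, subnets and the policy layout are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the thread): one LAN per site.
LAN = {"main": ip_network("10.0.0.0/24"), "siteA": ip_network("10.1.0.0/24"),
       "siteB": ip_network("10.2.0.0/24")}

def covers(nets, ip):
    return any(ip in ip_network(n) for n in nets)

def sslvpn_allowed(client_routes, user_vpn_access, dest):
    # NetExtender reaches dest only if a Client Route AND the user's VPN Access
    # list both cover it; either one alone is not enough.
    dst = ip_address(dest)
    return covers(client_routes, dst) and covers(user_vpn_access, dst)

def pol(fw, peer, local, remote):
    return {"fw": fw, "peer": peer, "local": local, "remote": remote}

MAIN, A, B = "10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24"
# Hub-and-spoke as first built: each spoke tunnel carries only its own LAN <-> main.
HUB_SPOKE_NARROW = [pol("siteA", "main", [A], [MAIN]), pol("main", "siteA", [MAIN], [A]),
                    pol("siteB", "main", [B], [MAIN]), pol("main", "siteB", [MAIN], [B])]
# Hub-and-spoke with transit: spokes list the other LANs as remote, the hub lists
# the other spokes' LANs as local, so spoke-to-spoke traffic can hairpin via main.
HUB_SPOKE_TRANSIT = [pol("siteA", "main", [A], [MAIN, B]), pol("main", "siteA", [MAIN, B], [A]),
                     pol("siteB", "main", [B], [MAIN, A]), pol("main", "siteB", [MAIN, A], [B])]
# Full mesh: a direct spoke-to-spoke tunnel, listed before the hub tunnels.
MESH = [pol("siteA", "siteB", [A], [B]), pol("siteB", "siteA", [B], [A])] + HUB_SPOKE_NARROW

def site_to_site_path(policies, src, dst, max_hops=4):
    # Walk policy-based IPsec tunnels from the firewall owning src toward dst. A packet
    # takes a tunnel when src matches its local and dst its remote list, and the peer
    # must hold the mirror policy. Returns the firewalls traversed, or None if no match.
    src, dst = ip_address(src), ip_address(dst)
    fw = next(name for name, net in LAN.items() if src in net)
    path = [fw]
    for _ in range(max_hops):
        if dst in LAN[fw]:
            return path
        nxt = next((p["peer"] for p in policies
                    if p["fw"] == fw and covers(p["local"], src) and covers(p["remote"], dst)
                    and any(q["fw"] == p["peer"] and q["peer"] == fw and
                            covers(q["local"], dst) and covers(q["remote"], src)
                            for q in policies)), None)
        if nxt is None or nxt in path:
            return None
        path.append(nxt)
        fw = nxt
    return None
```

With HUB_SPOKE_NARROW a host in siteA reaches main but not siteB, which is the behaviour the original poster describes; widening the selectors as in HUB_SPOKE_TRANSIT makes the hub carry the traffic.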
I chose to do tunnels from all locations - to all locations. My next questions are:
Is there a management portal where I can see/manage all of these firewalls in one place?
On that note, is there an easier way to create user logins other than logging in to each firewall and creating users?
NSM [or GMS which I think is EOL now] are the Sonicwall tools for mass-management of firewalls.
I manage multiple sites in a hub and spoke arrangement. Each remote site has an IPSec connection to the main SonicWall. Each remote SonicWall has the WAN interface, X1, configured to allow HTTPS Management ONLY FROM the public IP address of the main SonicWall. So management is done from inside the company at the main site, or after connecting with Global VPN Client to the main SonicWall and then accessing the remote site.
The remote site has management configured on one internal interface, X0, so it can be managed from the main site through VPN.
Using a hub minimizes the need to implement remote access authentication at every site.
YMMV.