Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Upload new Netextender Version for Auto-Upgrade

Hello,

I am looking for a way to update the Netextender version in the current firmware version of the SMA to enable an automatic update (Netextender security Update 10.2.337 to 10.2.338).

Is there a way to do this?

regards, Clemens

Category: Secure Mobile Access Appliances
Reply
Tagged:

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Clemens IMHO it's not possible and we have to deal with it manually to battle CVE-2023-6340.

    Hopefully a new Firmware will be released including 10.2.338, maybe @Community Manager can gather more details?

    --Michael@BWC

  • ClemensClemens Newbie ✭

    But from my point of view it would be a good and quick way to distribute security updates for the VPN client.

    -> Feature request :-)

  • BWCBWC Cybersecurity Overlord ✭✭✭

    +1 for that, but I'am not very hopeful that'll happen, but would love to be proven wrong.

    --Michael@BWC

  • ClemensClemens Newbie ✭
    edited January 17

    Is it also the case with you that the version number in the client is not updated? Or is this a specific problem for me?

    The previously installed version is still displayed - regardless of whether it is v10.1.336 or another version...


    regards, Clemens

  • BWCBWC Cybersecurity Overlord ✭✭✭

    I updated from 10.2.337 and it now shows 10.2.338, maybe the update from different versions do not work properly.

    --Michael@BWC

  • ealleneallen Newbie ✭

    Also following. I have the latest firmware for my TZ570 (7.1.1-7040). I installed NetExtender from the virtual office portal (according to this https://www.sonicwall.com/support/knowledge-base/will-the-netextender-vpn-windows-client-be-automatically-updated-after-upgrading-the-firmware/170502900561773/ if you don't, your client won't update automatically)

    I connected with my NetExtender v10.2.237; no updates were available or performed. I'm assuming that 10.2.338 needs to be wrapped into a firmware update?

    Per the above article, I'm hesitant to manually update everyone's VPN client to 10.2.338 for fear that it will no longer auto-update.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @eallen I did not tested this, but if you define your own SSL VPN Client Download URL in the Server Settings for SSL VPN you might save your auto update. Just make sure to keep this structure at the Web Server:

    ./README.txt
    ./netextender
    ./netextender/linux
    ./netextender/linux/10.2.845
    ./netextender/linux/10.2.845/NetExtender.tgz
    ./netextender/linux/10.2.845/NetExtender64.tgz
    ./netextender/windows
    ./netextender/windows/10.2.331
    ./netextender/windows/10.2.331/NXSetupU.exe
    ./netextender/windows/10.2.330
    ./netextender/windows/10.2.330/NXSetupU.exe
    

    A seperate directory for 10.2.338 with the 64bit.exe in it should work, worth a try at least.

    In the internal settings (/sonicui/7/m/diag) you probably need to set the NetExtender(for Windows) Version.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited January 17

    @eallen I did some testing, and the full path on your Web Server has to be /applications/netextender/windows/10.2.338/NXSetupU.exe

    You have to define 10.2.338 on the internal settings page, otherwise the appliance is requesting an older version. Or you might create 10.2.331 on the Web Server and put the 10.2.338 exe in it.

    With Firmware 7.1.1-7040 hitting the Download Button for NetExtender immediatly crashed the appliance not sure if this is a bug or my configuration (which is basically a factory default).

    Update: I downgraded to 7.0.1-5145 and custom path and version number is working fine,
    with 7.1.1-7040 it immediately crashed the appliance, so don't do this in production.
    

    --Michael@BWC

  • ealleneallen Newbie ✭

    @BWC , thanks for the follow-up!

  • MSPitGuyMSPitGuy Newbie ✭
    edited January 18

    @BWC Thank you for your posts! Some questions and thoughts for you:

    I figured I would give it a shot using 7040 and yep, my sonicwall did the same thing, froze and had to pull power. I got it downgraded to 5145 and a custom HTTP setup and that part is working. I also set 10.2.338 in Internal Settings. Regarding auto update, I'm only seeing if a client is on 330 or older, it will successfully auto update. I've tried from 331, 336 and 337 and right when it connects it just doesn't think it needs an update and skips it entirely and just connects. All using the default EXE's, not the MSI's as I know those don't auto update.

    Are you seeing that as well or am I missing something? Does the Auto update only work for clients that think they are too far out from most current and are ok with being one or two behind? That sounds a little crazy. I'm a bit disappointed 331 or newer just ignores updating after getting all this setup.

    (Side note on the apache web server, I see clicking the download button in virtual office downloaded NXSetupU.exe. but when NetExtender wanted to auto update and downloads by itself, wanted NXSetupU-64.exe, a different name so I have each in there twice on the custom web server, one with the 64 and one without).

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @MSPitGuy you're right, Auto-Update does not seem to be that simple.

    10.2.331 does not bother to contact the custom web server for the auto update.

    When 10.2.330 tries to auto update it asks for NXSetupU-64.exe (which I linked to NXSetupU.exe) but also for NXSetupU.exe.manifest which I could not find in the applications.zip or at any other place. I created an empty file on the server for this.

    NetExtender throws an error when updating (because of the manifest I guess) but at the end 10.2.338 is installed.

    SNWL should give clear instructions for the different update paths of NetExtender and make it work properly.

    --Michael@BWC

  • ClemensClemens Newbie ✭

    I updated about 100 clients with 10.2.338 exe from mysonicwall.com and all of them show the old version (mostly 10.2.336, some 10.2.337). Also client version at SMA GUI show this (old) version.

    I hope this will be fixed in a future version.

  • MSPitGuyMSPitGuy Newbie ✭

    @BWC Agreed. I also saw the request for the .manifest file.

    Regarding 10.2.331 and above not bothering to update, I think 331 was packaged with the 5145 firmware. Maybe the auto update only kicks in if that is the version the Sonicwall firmware was packaged with. If that is the case, to me that pretty much defeats the purpose of using the custom web server and defining the version in internal settings. I suppose it does let you download your defined version for a fresh install clicking the button in virtual office, but it's the auto update I would think be the higher priority/main purpose of doing that. I ended up turning it all off because I figured what's the point (after spending the day testing).

    I guess learning things is better than not but I don't have much to show for it.🤩

  • MSPitGuyMSPitGuy Newbie ✭

    @Clemens That is odd. Anything I have run the 338 exe update on it did update to the newer version successfully. Mine does say (40) after 10.2.338 hitting the i in the actual netextender app. I'm curious what that means if anyone happens to know.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Clemens SMA (100 series) Firmware 10.2.1.11 got released and it includes NXT 10.2.339 for Windows.

    --Michael@BWC

  • ClemensClemens Newbie ✭

    @BWC Thanks for the info. I will carry out the update as soon as possible and then I will be curious to see if the versioning display corrects itself.

    I have also just read the vulnerability list again (https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0019).

    Do I understand correctly that the Netextender had to be uninstalled before upgrading to 10.2.338? (the problem that was fixed with 339)

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Clemens good point it reads that way that the older version needs to be uninstalled first, which renders an auto update impossible?

    --Michael@BWC

  • ClemensClemens Newbie ✭

    But since it is fixed with v10.2.339, I assume that no reinstallation is necessary (only the upgrade).

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @MustafaA @Community Manager @Simon can you guys clear this up? Does it work properly for auto update or is the uninstall really necessary?

    --Michael@BWC

Sign In or Register to comment.