SMA 500v VPN - NECLI - automated connection by script - login/name + certificate
Hello,
I have an issue here creating a cmd/bat file for an automated connection.
The main goal is: our contractor uses a robot on his server which uses this bat file and automatically connects the VPN to our organization, using two factors, login/password + certificate.
I tried to connect by CMD line to our org. from outside, and it was successful.
I used this syntax:
"
NECLI connect -s 1xx.xx.xx.xx -d Domain -u User -p Password
Connecting...
There is a problem with the site's security certificate.
Warning: The name on the security certificate is invalid or does not match the name of the site.
Do you want to proceed? (Y:Yes, N:No, A:Always trust, V:View Certificate)y
Connected successfully.
"
But I need login/pw + certificate.
Do you have an idea how it works?
Which certificate, where to generate it, where to import the certificate on the SMA 500v? And how to do it on the Windows command line?
My setup is:
Model: SMA 500v
Firmware Version: 9.0.0.2-13sv
NetExtender Service Version is: 9.0.277
NetExtender Agent Version is: 1.0.53
Best Answers
BWC Cybersecurity Overlord ✭✭✭
Hi @KRu_vys_CZ
I never did this myself, but please check these options; I guess the relevant certificate has to be stored in the Windows Certificate Store and can be selected by either thumb or name.
SonicWALL NetExtender Windows Client CLI Commands
The following section includes commands for the NetExtender Windows Client CLI (NEClient.exe):
Usage: NECLI [OPTIONS]
connect [OPTIONS]
-s server
-u user name
-p password
-d domain name
-clientcertificatethumb thumb (when server needs client certificate)
-clientcertificatename name (when server needs client certificate)
disconnect
createprofile [OPTIONS]
-s server
-u user name(optional)
-p password(optional)
-d domain name
displayprofile [OPTIONS]
-s server(optional)
-d domain(optional)
-u username(optional)
deleteprofile [OPTIONS]
-s server
-d domain
-u username
showstatus
setproxy [OPTIONS]
-t 1 automatic detect setting; 2 configuration script; 3 proxy server
-s proxy address/URL of automatic configuration script
-o port
-u user name
-p password
-b bypass proxy
-save
queryproxy
reconnect
viewlog
-profile
servername: connect to server directly when password has been saved
Example:
NECLI -version
NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password
NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password -clientcertificatethumb cf3d20378ba7f2d9a79c536e230a2495d4a46734
NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password -clientcertificatename "Admin"
NECLI disconnect
NECLI createprofile -s 10.103.62.208 -d LocalDomain -u admin
NECLI displayprofile -s 10.103.62.208
NECLI deleteprofile -s 10.103.62.208 -d LocalDomain -u admin
NECLI showstatus
NECLI -t 3 -s 10.103.62.201 -o 808 -u user1 -p password -b 10.103.62.101;10.103.62.102
NECLI queryproxy
NECLI viewlog
NECLI reconnect
NECLI -profile 10.103.62.208
--Michael@BWC
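A PowerShell wrapper for the unattended connect the original poster asked about, built only on the NECLI switches quoted in the answer above. This is an added example, not code from the thread or from SonicWall; every path, subject name, store location and the "Connected" status text it looks for is an assumption to adjust for your own installation.

```powershell
<#
  Added example (not from this thread or from SonicWall).
  Unattended NetExtender connect with user/password + client certificate,
  run a job, then disconnect. Assumptions (all hypothetical):
    - NECLI.exe is on PATH (otherwise use its full path)
    - the client certificate, with private key, is already imported into the
      personal store of the account that runs the robot (Cert:\CurrentUser\My)
    - the VPN password was stored once, interactively, as that account with:
        Get-Credential | Export-Clixml C:\robot\vpn.cred
      which DPAPI-protects it for this user on this host
    - "NECLI showstatus" prints a line containing "Connected" once the tunnel
      is up (check the exact wording on your box; it is not shown in the thread)
#>
param(
    [string]$Server      = '1xx.xx.xx.xx',         # placeholder from the post; put your SMA 500v here
    [string]$Domain      = 'Domain',
    [string]$CredFile    = 'C:\robot\vpn.cred',
    [string]$CertSubject = 'CN=robot-vpn-client',  # subject of the client cert you issued to the robot
    [scriptblock]$Job    = { Write-Host 'update job goes here' }
)
$ErrorActionPreference = 'Stop'

# 1. Load the credential. Only this user on this host can decrypt the file.
$cred  = Import-Clixml -Path $CredFile
$plain = $cred.GetNetworkCredential().Password   # NECLI takes the password on the command line

# 2. Pick the client certificate by subject rather than a hard-coded thumbprint,
#    so a renewed certificate is picked up; require a private key, skip expired ones.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable client certificate with subject '$CertSubject' in CurrentUser\My" }
Write-Host "Using client certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 3. Connect. The server certificate must already be trusted on this host, otherwise
#    NECLI stops at the "Do you want to proceed?" prompt shown in the question. This
#    script deliberately does not feed a "Y" to that prompt: auto-accepting a name
#    mismatch from a robot would defeat the only check the client performs.
& NECLI connect -s $Server -d $Domain -u $cred.UserName -p $plain -clientcertificatethumb $cert.Thumbprint
if ($LASTEXITCODE -ne 0) { throw "NECLI connect returned exit code $LASTEXITCODE" }  # assumes non-zero = failure

# 4. Wait for the tunnel with a timeout so the robot can never hang forever.
$deadline = (Get-Date).AddSeconds(60)
do {
    Start-Sleep -Seconds 2
    $status = (& NECLI showstatus) -join "`n"
} until ($status -match 'Connected' -or (Get-Date) -gt $deadline)
if ($status -notmatch 'Connected') {
    & NECLI disconnect
    throw "VPN not up after 60 s. Last status:`n$status"
}

# 5. Run the job and always tear the tunnel down afterwards, even if the job fails.
try {
    & $Job
}
finally {
    & NECLI disconnect
    $plain = $null
}
```

Run it as the robot's own account, because both the DPAPI-protected credential file and the CurrentUser\My store belong to that account. The password still travels on the NECLI command line, where other local users can read it from the process list while connect runs, so give the robot a dedicated, least-privilege VPN user on the SMA rather than a shared admin login.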
Vijay_Kumar_KV Moderator
In order to install NX totally silently without a certificate warning, you need to install SonicWall's certificate in your store before installing NX. (This tells the machine to trust all of SonicWall's certs without popping up the warning again.) The following steps show you how to get SonicWall's certificate and how to silently install it on your PC with a command.
I am not sure why you are trying to silently deploy NESetupU.exe; typically, for mass deployment, you should silently deploy the NetExtender.msi installer through the DC (domain controller) to all members. If you try to install through NESetupU.exe, you need to install it on each PC manually.
1- Install NetExtender manually on a Windows Vista/Windows 7 machine where you have never installed it before. (You can use a virtual machine so you can revert back to a vanilla state to do some testing.)
2- When you are prompted to install the device driver, mark the checkbox "Always trust software from SonicWALL inc." and then click on Install.
3- When the installation is complete, open the Certificate Manager by issuing the command certmgr.msc from the command line or from the Run menu.
4- Locate the SonicWALL certificate under Trusted Publishers -> Certificates.
5- Right-click on it to export it (choose the default options) and save it as sonicWall.cer.
6- To deploy the application silently you will need the MSI and the certificate you have just saved.
The command to install it silently (put it in a BAT file) is:
"certutil -addstore TrustedPublisher sonicwall.cer"
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
Answers
For this:
"
I am not sure why you are trying to silently deploy NESetupU.exe; typically, for mass deployment, you should silently deploy the NetExtender.msi installer through the DC (domain controller) to all members. If you try to install through NESetupU.exe, you need to install it on each PC manually.
"
--> We are not trying to mass deploy NetExtender. We need to install NECLI once on a server at a different development company, and need to create a script for a robot which automatically connects to our company, does automatic updates of different software on one of our servers, and disconnects. That is all.
The cert prompt here is for the cert of the TLS/SSL connection of NetExtender, so it is whatever cert you have configured on the SonicWALL for SSL VPN client-to-server encryption (similar to how you would have an SSL cert installed on an HTTPS web server so the client browser and website can encrypt the session).
On the SonicWall go to Manage / SSL VPN / Server Settings and see the "Certificate selection" dropdown.
If you are using the default "Self Signed" cert, then just download that cert and install it on the computer/server which is making the NetExtender connection.
Or you could launch the full NetExtender client once and connect; it should prompt to trust the cert and you can choose "always trust", and that should then apply to your NECLI so it won't ask on connection, I would imagine.
Or you could just get a cert from a provider and use that on the SonicWall for SSL VPN instead of the built-in self-signed one.
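To take the guesswork out of "download that cert and install it", here is an added PowerShell example (not from the thread or from SonicWall) that reads the certificate the SMA actually presents on its SSL VPN port, prints the names and thumbprint to compare against Manage / SSL VPN / Server Settings, and installs it as a trusted root only when the thumbprint you read out of band matches. It assumes the SSL VPN listens on TCP 443, that NetExtender honours the machine's Trusted Root store as the answer above suggests, and that -Install is run from an elevated prompt.

```powershell
<#
  Added example (not from this thread or from SonicWall).
  Probe the SMA 500v SSL VPN certificate, explain the "name does not match" warning,
  and install the self-signed cert as a trusted root only after an out-of-band check.
  Assumptions: SSL VPN on port 443; -Install needs an elevated PowerShell.
#>
param(
    [Parameter(Mandatory)][string]$Server,   # the IP or name you give NECLI -s
    [int]$Port = 443,
    [string]$ExpectedThumbprint,             # copied from the SonicWall UI, not from this script
    [switch]$Install
)
$ErrorActionPreference = 'Stop'

# TLS handshake with a callback that accepts anything, for this probe only:
# we want to inspect the certificate, not trust it.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
         [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# The NECLI warning compares the name you connect to with the CN / SAN in the cert.
$san        = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText    = if ($san) { $san.Format($true) } else { '(none)' }
$selfSigned = ($cert.Subject -eq $cert.Issuer)
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfSigned = $selfSigned
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    SAN        = $sanText
} | Format-List

$escaped = [regex]::Escape($Server)
if ($cert.Subject -notmatch "CN=$escaped" -and $sanText -notmatch $escaped) {
    Write-Warning "'$Server' is neither the CN nor a SAN of this certificate, so NECLI will keep warning about the name even after you trust it. Connect with a name the certificate carries, or reissue it with the right name."
}

if ($Install) {
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # tolerate spaces/colons from the UI
    if (-not $expected -or $cert.Thumbprint -ne $expected) {
        throw "Thumbprint $($cert.Thumbprint) does not match -ExpectedThumbprint; refusing to trust an unverified certificate"
    }
    if (-not $selfSigned) {
        throw "This certificate is CA-issued; trust the issuing CA, not this leaf certificate"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Host "Installed $($cert.Thumbprint) into LocalMachine\Root"
}
```

Run the probe once without -Install, read the thumbprint on the appliance's Server Settings page, then run it again with -Install -ExpectedThumbprint. Tying the install to a value read from the SonicWall UI is what makes this better than pressing "A: Always trust" on the robot's host: the first run of an automated job has no human to notice that the presented certificate belongs to something else.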