SonicAdmin80

Cybersecurity Overlord ✭✭✭
Default Avatar

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SonicAdmin80 Cybersecurity Overlord ✭✭✭

About

Username
SonicAdmin80
Joined
Visits
478
Last Active
Roles
Member, Partner
Points
126
Badges
10

Badges (10)

2 Year Anniversary5 Answers5 Helpfuls100 Comments1 Year Anniversary5 LikesFirst Answer10 CommentsName DropperFirst Comment

Comments

  • @geevo I just tested this through SSL-VPN and indeed, if I set the user to require a password change and the new password contains a dash I get the error: "Password change rejected by server. Your new password may have failed password complexity requirement policies." The password meets the requirements but adding a dash…
  • @geevo It's just my hunch that the dashes are the reason, as I think they were the only special character in the password. I've also seen a similar problem with SSL-VPN where the password change isn't successful and if I remember it correctly that was also caused by a dash.
  • In the end I had to factory reset and import the configuration back. Luckily I had a secondary admin account that enabled me to export the latest configuration. If you don't have that I guess you are out of luck unless support has some trick to try,
  • I use LDAPS with a purchased wildcard certificate. Perhaps not even needed since the VPN connection is encrypted and the authentication traffic might not traverse network segments where there's a risk of traffic capture.
  • I have set this up. You need Azure VPN Gateway and an IPsec tunnel to Azure from on-prem, but other than that it works just like any other AD/LDAP connection. No add-ons needed if you just do basic authentication. As said above, with SMA you can use SAML and the AADDS & VPN combo shouldn't be needed.
  • @onax_pf My support case from a year ago was closed unresolved. I guess I got tired of trying to get support to investigate it as they just blamed Microsoft and weren't willing to actually do anything.
  • That's what I'm thinking as well so the KB article is a bit confusing, perhaps erroneous.
  • Yes that was the guide I followed plus I added BGP neighbors following a different article. Exclude from route advertisement is unchecked as that's how I understood the instruction. Should I enable it instead?
  • Let's see if they get a stable version of SonicOS 7 out by 2026. Even if they do there's still the new UI design. I'm still avoiding Gen 7 but Gen 6 service prices were already raised and next month you can't even order new Gen 6 devices anymore. Time to start thinking about strategies. Either hope that investing in Gen 7…
  • If you are using policy based VPN, you have to add the SonicWall side network to the remote VPN networks on the AWS side, and the AWS network to the remote networks on the SonicWall. If it's route based VPN, then you just have to add static routes and access rules.
  • Basic HA is built-in to the products. You only need to have the devices associated in mysonicwall and it works. Stateful HA is an add-on one-time purchase but HA works without it too, stateful just gives a more seamless experience.
  • @CCWaukIT Be aware that Mobile Connect on Windows is EOL and might stop working after some Windows update: https://www.sonicwall.com/support/product-lifecycle-tables/sonicwall-mobile-connect/software/
  • @Larry I left feedback on the articles. I'm not entirely sure how to correct the instructions as it required some poking around to get it working, but seems like a manual cold restart might be needed and SonicOS might not try to find the paired device once it's completely booted up. But SonicWall should know all this…
  • This is how it looks like, so dropped connections isn't active. But since the connections weren't dropped until I disabled the access rule, shouldn't they show up in the AppFlow logs? The web server (NextCloud) was only used for one thing which isn't needed anymore, so I can just keep it offline for now.
  • No there shouldn't be a need to create users manually, at least for SSL-VPN which is where I've used it. I'm not that familiar with using external users in rules, so you might have to use "Mirror LDAP user groups locally" and periodically refresh the users automatically or use the Directory Connector like @BWC said.…